Towards Formal, Risk Aware Authorization
Page Content
Principal Investigator: David Yau
Traditional authorization decisions are black and white: a user either does or does not satisfy a given access policy. This rigidity is a handicap in our complex, dynamic, and unpredictable world. Proposals for risk-based access control address this problem by allocating principals a budget of risk tokens that can be used to buy access to sensitive resources. While this gives flexibility, pricing accesses to resources is non-trivial. Further, it is difficult to distinguish good and bad risk takers, and abandoning the formal proofs of authorization by traditional systems can lead to a lack of understanding of the actions taken in the system. The design of an adaptive access control system that is amenable to formal analysis thus remains an important open problem. To address this problem, we propose to develop a hybrid authorization approach that augments the strong formal guarantees of traditional attribute-based access control with more adaptive, risk-aware capabilities: risk-aware authorization (RAA).
To realize RAA, we willl design efficient, scalable methods to construct the best alternate proofs of authorization when a user cannot completely satisfy an ABAC access policy. We will automatically determine the minimum distance between these best alternate proofs and the traditional exact proofs for the desire access. We will use this minimum distance to determine the access price. We will use decision theory to justify the prices charged for risky accesses
and underpin the feedback loops in the system, which will use game theoretic methods to ensure that good risk takers are rewarded, bad risk takers are penalized, and everyone has an incentive to participate in the system. We will log the best alternate proofs to provide an audit trail justifying actions taken in the system. We will evaluate our results using case studies, formal proofs of correctness and optimality, and games that compare our automated strategies with those used by human players.
Personnel
Other PIs: Adam Lee (University of Pittsburgh) Marianne Winslett (University of Illinois Urbana-Champaign)
Students: Naoki Tanaka Heyu Xiong
Footer
RSS Feeds
Combined XML Feed
News XML Feed Events XML Feed Weblogs XML Feed Security Seminar Podcast
Twitter: @cerias, @ceriasarchive, #cerias
CERIAS, Purdue University / Recitation Building / 656 Oval Drive / West Lafayette IN 47907-2086
phone (765)494-7841 / fax (765)496-3181
Copyright © 2013, Purdue University, all rights reserved. Purdue University is an equal access/equal opportunity university.
If you have trouble accessing this page because of a disability, please contact the CERIAS webmaster at webmaster@cerias.purdue.edu. Some content on this site may require the use of a special plug-in or application. Please visit our plug-ins page for links to download these applications.
Privacy Policy
