PhD Research
My doctoral research at the University of Western Ontario involved topics relating to foundational aspects of Attribute-Based Access Control (ABAC), including incorporating delegation and hierarchical attribute groups. My research was conducted under the supervision of Sylvia L. Osborn and Michael Bauer from the Department of Computer Science.
Attribute-Based Access Control (ABAC) is a promising alternative to traditional models of access control (i.e. Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC)) that has drawn attention in both recent academic literature and industry application. However, formalization of a foundational model of ABAC and large-scale adoption are still in their infancy. The relatively recent popularity of ABAC still leaves a number of problems unexplored. Issues like delegation, administration, auditability, scalability, hierarchical representations, etc. have been largely ignored or left to future work. This thesis seeks to aid in the adoption of ABAC by filling in several of these gaps.
The core contribution of this work is the Hierarchical Group and Attribute-Based Access Control (HGABAC) model, a novel formal model of ABAC which introduces the concept of hierarchical user and object attribute groups to ABAC. It is shown that HGABAC is capable of representing the traditional models of access control (MAC, DAC and RBAC) using this group hierarchy and that in many cases its use simplifies both attribute and policy administration. HGABAC serves as the basis upon which extensions are built to incorporate delegation into ABAC.
Several potential strategies for introducing delegation into ABAC are proposed, categorized into families and the trade-offs of each are examined. One such strategy is formalized into a new User-to-User Attribute Delegation model, built as an extension to the HGABAC model. Attribute Delegation enables users to delegate a subset of their attributes to other users in an "off-line" manner (not requiring connecting to a third party).
Finally, a supporting architecture for HGABAC is detailed including descriptions of services, high-level communication protocols and a new low-level attribute certificate format for exchanging user and connection attributes between independent services. Particular emphasis is placed on ensuring support for federated and distributed systems. Critical components of the architecture are implemented and evaluated with promising preliminary results.
It is hoped that the contributions in this research will further the acceptance of ABAC in both academia and industry by solving the problem of delegation as well as simplifying administration and policy authoring through the introduction of hierarchical user groups.
Traditionally, access control policies have been based on the direct assignment of permissions or roles to users based on the user's identity. For example, Alice is granted permission to use the printer or Bob is granted the role of "Manager" and managers can view employee salaries. Attribute-Based Access Control (ABAC) is a new take on access control that is identityless (i.e. the identity of the user is unknown at the time of policy creation). Instead, ABAC bases access control decisions on the attributes of the users (e.g. age, year level, certificates, etc.), the environment (e.g. date/time, number of users on-line, etc.) and objects being accessed (e.g. author, date created, security level, etc.). These attributes are related by access control policies, for example, "if the user is 18 years old or older they can read a book with an adult rating".
Basing access control decisions on attributes allows for increased flexibility when creating policies and enables new users to be placed into the system without assigning permissions or roles manually beforehand. However, as ABAC is relatively new, there are a number of issues that must be resolved before ABAC can see wider acceptance outside of academia. These issues include, but are not limited to, a lack of a delegation model, no support for user and object groups and no single agreement on a standard formal model of ABAC. The goal of this thesis is to produce potential solutions to these problems and thus aid in the adoption of ABAC.
A new ABAC model, entitled Hierarchical Group and Attribute-Based Access Control (HGABAC), is introduced which adds user and object groups to ABAC. It is shown that these groups can help both simplify administration of ABAC systems and allow HGABAC to be backwards compatible with traditional identity based policies. A delegation model is added that allows users to delegate a number of their attributes to other users. This delegation ability is important in many real-world scenarios including continuing business functions when an employee is absent. Lastly, a supporting architecture is provided to fill in the gaps and act as a bridge between the theoretical HGABAC model and a real-world implementation.
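The following sketch is an added illustration, not code from the thesis or the HGABAC GitHub project. It shows how attributes inherited through a group hierarchy can feed the age/rating policy quoted above; the class names, the union-based inheritance rule and the `library_open` environment attribute are assumptions made for this example.

```python
# Added illustration: the names and the inheritance rule (union of values
# from every reachable group) are assumptions, not the thesis's definitions.
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    attrs: dict = field(default_factory=dict)    # attribute name -> set of values
    parents: list = field(default_factory=list)  # groups this group inherits from

@dataclass
class Entity:  # a user or an object
    name: str
    attrs: dict = field(default_factory=dict)    # directly assigned attributes
    groups: list = field(default_factory=list)   # direct group memberships

def _merge(into, attrs):
    for key, values in attrs.items():
        into.setdefault(key, set()).update(values)

def effective_attrs(entity):
    """Union of direct attributes and those of every reachable group."""
    result, seen = {}, set()
    _merge(result, entity.attrs)
    stack = list(entity.groups)
    while stack:
        group = stack.pop()
        if group.name in seen:        # guards against diamonds and cycles
            continue
        seen.add(group.name)
        _merge(result, group.attrs)
        stack.extend(group.parents)
    return result

def can_read(user, obj, env):
    """Adult-rated books need age >= 18; deny unless the library is open."""
    u, o = effective_attrs(user), effective_attrs(obj)
    needs_adult = "adult" in o.get("rating", set())
    if needs_adult and not any(age >= 18 for age in u.get("age", set())):
        return False
    return bool(env.get("library_open", False))  # constructed environment check

# Constructed sample data
staff = Group("staff", {"clearance": {"internal"}})
managers = Group("managers", {"role": {"manager"}}, parents=[staff])
adult_books = Group("adult_books", {"rating": {"adult"}})
alice = Entity("alice", {"age": {34}}, [managers])
bob = Entity("bob", {"age": {16}})
novel = Entity("novel", {"author": {"constructed"}}, [adult_books])
```

Here `alice` picks up `clearance` from `staff` only through her membership in `managers`, and `novel` gets its rating from an object group rather than a direct assignment, so changing one group attribute updates every member at once.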
Local PDF: Hierarchical Group and Attribute-Based Access Control.pdf
Thesis Repository: https://ir.lib.uwo.ca/etd/6855
Recommended Citation:
Servos, Daniel, "Hierarchical Group and Attribute-Based Access Control: Incorporating Hierarchical Groups and Delegation into Attribute-Based Access Control" (2020). Electronic Thesis and Dissertation Repository. 6855. https://ir.lib.uwo.ca/etd/6855
Defended Successfully on March 12th, 2020
Announcement of Public Lecture for the Degree of Ph.D.
Examiners:
- Dr. Abdelkader Ouda (Extra-Departmental, ECE)
- Dr. Ravi Sandhu (External, Univ of Texas at S.A.)
- Dr. Hanan Lutfiyya
- Dr. Kostas Kontogiannis
Slides
Presentations given by me relating to my dissertation research at peer reviewed conferences.
- FPS'2019: Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control
- 2018 ACM Workshop on ABAC: HGAA: An Architecture to Support Hierarchical Group and Attribute-Based Access Control
- FPS'2016: Strategies for Incorporating Delegation into ABAC
- FPS'2014: HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control
HGABAC Project on GitHub
Implementations of some of the Hierarchical Group Attribute Architecture (HGAA) services, attribute certificate format and HGPLv2 parser and interpreter.
Daniel Servos and Michael Bauer. Incorporating Off-Line Attribute Delegation into Hierarchical Group and Attribute-Based Access Control. The 12th International Symposium on Foundations & Practice of Security FPS'2019. (November 5, 2019). Forthcoming publication in Springer Lecture Notes in Computer Science. Presentation Slides (PDF)
Daniel Servos and Sylvia L. Osborn. HGAA: An Architecture to Support Hierarchical Group and Attribute-Based Access Control. Proceedings of the Third ACM Workshop on Attribute-Based Access Control, 1-12 (March 21, 2018). DOI: 10.1145/3180457.3180459. Presentation Slides (PDF)
Daniel Servos and Sylvia L. Osborn. Current Research and Open Problems in Attribute-Based Access Control. ACM Computing Surveys (CSUR) 49, 4, Article 65 (January 2017), 45 pages. DOI: 10.1145/3007204
Daniel Servos and Sylvia L. Osborn. Strategies for Incorporating Delegation into Attribute-Based Access Control (ABAC). The 9th International Symposium on Foundations & Practice of Security FPS'2016. (October 24, 2016). DOI: 10.1007/978-3-319-51966-1_21. Presentation Slides (PDF)
Daniel Servos and Sylvia L. Osborn. HGABAC: Towards a Formal Model of Hierarchical Attribute-Based Access Control. The 7th International Symposium on Foundations & Practice of Security FPS'2014. (November 5, 2014). DOI: 10.1007/978-3-319-17040-4_12. Presentation Slides (PDF)
A full list of my publications is available on my CV page.