Reverse engineering RBAC policies using ILP
by Kishor Datar
Tuesday, December 2, 2008, 10:30am - Tuesday, December 2, 2008, 12:00pm
ITE 325
RBAC (Role Based Access Control [1]) is a predominant model used for advanced access control. A variety of IT vendors have provided RBAC implementations in their systems. RBAC provides great flexibility and breadth of application: system administrators can control access at a level of abstraction that is natural to the way enterprises typically conduct business. These features of RBAC make it suitable for deployment over a variety of web applications, such as social networks and academic suites.
As the use of RBAC on the web increases, it becomes important for an attacker to know the details of the RBAC policies, such as the role hierarchy and the constraints in place, in order to attack the system effectively. The question is: can we infer the RBAC details given the access attempts made by users of the system?
In Inductive Logic Programming (ILP [2]), background knowledge together with positive and negative examples are specified in a logic language. The ILP system generates a hypothesis, also in the logic language, that best represents the given examples and background knowledge.
If the access attempts made by users of an RBAC system are stated as facts, and some background knowledge about the organization's structure is supplied, an ILP system should be able to infer the underlying RBAC characteristics of the system. In this talk I will introduce a possible approach towards identifying RBAC policies using ILP systems such as Progol [3].
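The inference step the abstract describes, as an added example that is not part of the talk or of Progol: access decisions from an audit log are the positive (allow) and negative (deny) examples, user-role assignments and the role hierarchy are the background knowledge, and a small greedy cover-set learner induces clauses of the form "can(User, Perm) :- holds(User, Role)", choosing for each permission the role clause that explains the most allows without explaining any deny. All users, roles, permissions and log entries below are constructed. Read from the defender's side, the same procedure is a policy audit: allows that no consistent clause can explain (here, an intern permitted to deploy) are exactly the ad-hoc grants or policy drift a least-privilege review wants surfaced.

```python
"""Role-mining sketch: induce role->permission rules from an access log.

Background knowledge (user-role assignment, role hierarchy) plus positive
examples (allowed accesses) and negative examples (denied accesses) are
generalised into clauses of the form  can(User, Perm) :- holds(User, Role).
All data below is constructed for illustration.
"""
from collections import defaultdict

# --- background knowledge (constructed) -----------------------------------
# Direct user->role assignments.
USER_ROLES = {
    "alice": {"manager"},
    "bob": {"engineer"},
    "carol": {"engineer"},
    "dave": {"intern"},
    "eve": {"intern"},
}
# Role hierarchy: senior role -> junior roles whose permissions it inherits.
ROLE_PARENTS = {
    "manager": {"engineer"},
    "engineer": {"intern"},
    "intern": set(),
}

# --- examples (constructed audit log): (user, permission, decision) --------
ACCESS_LOG = [
    ("alice", "deploy", "allow"),
    ("alice", "commit", "allow"),
    ("bob", "commit", "allow"),
    ("carol", "commit", "allow"),
    ("bob", "deploy", "deny"),
    ("dave", "read", "allow"),
    ("bob", "read", "allow"),
    ("dave", "commit", "deny"),
    ("eve", "deploy", "allow"),  # anomalous: an intern allowed to deploy
]


def effective_roles(user):
    """All roles a user holds, directly or through the hierarchy."""
    seen = set()
    stack = list(USER_ROLES.get(user, ()))
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, ()))
    return seen


def holders(role):
    """Users who hold `role`, directly or by inheritance."""
    return {u for u in USER_ROLES if role in effective_roles(u)}


def split_examples(log):
    """Group the log into positive (allow) and negative (deny) examples per permission."""
    pos, neg = defaultdict(set), defaultdict(set)
    for user, perm, decision in log:
        (pos if decision == "allow" else neg)[perm].add(user)
    return pos, neg


def induce_rules(log):
    """Greedy cover-set induction, one permission at a time.

    For each permission, repeatedly pick the role clause that covers the most
    still-unexplained allows while covering no deny, until nothing more can be
    explained. Returns (rules, unexplained): rules maps perm -> [roles];
    unexplained maps perm -> allowed users that no consistent clause covers.
    """
    pos, neg = split_examples(log)
    rules, unexplained = {}, {}
    for perm in sorted(pos):
        remaining = set(pos[perm])
        chosen = []
        while remaining:
            best, best_gain = None, set()
            for role in ROLE_PARENTS:
                covered = holders(role)
                if covered & neg[perm]:
                    continue  # clause would also explain a deny: inconsistent
                gain = covered & remaining
                if len(gain) > len(best_gain):
                    best, best_gain = role, gain
            if best is None:
                break  # no consistent clause explains what is left
            chosen.append(best)
            remaining -= best_gain
        rules[perm] = chosen
        if remaining:
            unexplained[perm] = remaining
    return rules, unexplained


if __name__ == "__main__":
    rules, unexplained = induce_rules(ACCESS_LOG)
    for perm, roles in rules.items():
        for role in roles:
            print(f"can(U, {perm}) :- holds(U, {role}).")
    for perm, users in unexplained.items():
        print(f"unexplained allow for {perm}: {sorted(users)}")
```

The learner generalises in the same direction as an ILP cover-set algorithm: the most general role consistent with every observed deny wins, so "read" is attributed to the intern role even though only two of the five users were actually seen reading. The unexplained set is the audit signal; a production tool would also carry the constraints the abstract mentions (separation of duty, cardinality) in the background knowledge, which this sketch leaves out.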
[1] http://en.wikipedia.org/wiki/Rbac
[2] http://en.wikipedia.org/wiki/Inductive_logic_programming
[3] http://en.wikipedia.org/wiki/PROGOL