Secrecy Resilience of Authorization Policies and Its Application to Role Mining

dc.contributor.author: GUO, QIANG
dc.date.accessioned: 2021-09-21T13:15:12Z
dc.date.available: 2021-09-21T13:15:12Z
dc.date.issued: 2021-09-21
dc.date.submitted: 2021-09-08
dc.description.abstract: We propose and study a new property that we call secrecy resilience in the context of authorization policies that are used to secure information systems. An authorization policy expresses whether a principal (e.g., a user or process) is allowed to exercise a privilege (e.g., read or write) on a resource (e.g., a device or file). Access control is a process by which authorizations are enforced. We address the problem that disclosure of portions of an authorization policy is a threat that needs to be mitigated, and argue that the ease with which an adversary can learn such portions of a policy can be a property of the policy itself. We then introduce the term secrecy resilience as a quantitative measure of the computational hardness that such an adversary encounters. We instantiate secrecy resilience for authorization policies that can be expressed as access control policies and Role-Based Access Control (RBAC) policies and, more specifically, consider the problem of role mining, in which a policy expressed as an access matrix is converted to an RBAC policy. We present a number of analytical results while highlighting that the underlying assumptions we make, with regard to the a priori knowledge an adversary has, are an important consideration in any such analysis. We also present our results from an empirical study of role mining algorithms from the literature and two new "baseline" algorithms we propose. The results of our study suggest that when secrecy resilience is the objective, a role mining algorithm that performs well along a different criterion for goodness, e.g., minimization of roles (e.g., RBAC policy generated by User-Role Miner), does not necessarily perform well for some disclosure events. Moreover, under the assumptions we made for the empirical study, for the disclosure event that the victim user has a role from the adversary, Permission-Role Miner is the best role mining algorithm from the standpoint of secrecy resilience. [en]
dc.identifier.uri: http://hdl.handle.net/10012/17435
dc.language.iso: en [en]
dc.pending: false
dc.publisher: University of Waterloo [en]
dc.subject: rbac [en]
dc.subject: authorization policy [en]
dc.subject: role mining [en]
dc.title: Secrecy Resilience of Authorization Policies and Its Application to Role Mining [en]
dc.type: Master Thesis [en]
uws-etd.degree: Master of Applied Science [en]
uws-etd.degree.department: Electrical and Computer Engineering [en]
uws-etd.degree.discipline: Electrical and Computer Engineering [en]
uws-etd.degree.grantor: University of Waterloo [en]
uws-etd.embargo.terms: 0 [en]
uws.comment.hidden: Thanks for reviewing! Please let me know if you need more information. [en]
uws.contributor.advisor: Tripunitara, Mahesh
uws.contributor.affiliation1: Faculty of Engineering [en]
uws.peerReviewStatus: Unreviewed [en]
uws.published.city: Waterloo [en]
uws.published.country: Canada [en]
uws.published.province: Ontario [en]
uws.scholarLevel: Graduate [en]
uws.typeOfResource: Text [en]

Files

Original bundle

Name: Guo_Qiang.pdf
Size: 407.55 KB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 6.4 KB
Format: Item-specific license agreed upon to submission