Access Control Synthesis for Physical Spaces

2016 IEEE 29th Computer Security Foundations Symposium (CSF) Pub Date : 2016-05-05 DOI:10.1109/CSF.2016.38

Petar Tsankov, M. Dashti, D. Basin

{"title":"Access Control Synthesis for Physical Spaces","authors":"Petar Tsankov, M. Dashti, D. Basin","doi":"10.1109/CSF.2016.38","DOIUrl":null,"url":null,"abstract":"Access-control requirements for physical spaces, like office buildings and airports, are best formulated from a global viewpoint in terms of system-wide requirements. For example, \"there is an authorized path to exit the building from every room.\" In contrast, individual access-control components, such as doors and turnstiles, can only enforce local policies, specifying when the component may open. In practice, the gap between the system-wide, global requirements and the many local policies is bridged manually, which is tedious, error-prone, and scales poorly. We propose a framework to automatically synthesize local access control policies from a set of global requirements for physical spaces. Our framework consists of an expressive language to specify both global requirements and physical spaces, and an algorithm for synthesizing local, attribute-based policies from the global specification. We empirically demonstrate the framework's effectiveness on three substantial case studies. The studies demonstrate that access control synthesis is practical even for complex physical spaces, such as airports, with many interrelated security requirements.","PeriodicalId":6500,"journal":{"name":"2016 IEEE 29th Computer Security Foundations Symposium (CSF)","volume":"24 1","pages":"443-457"},"PeriodicalIF":0.0000,"publicationDate":"2016-05-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"6","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE 29th Computer Security Foundations Symposium (CSF)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSF.2016.38","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 6

Abstract

Access-control requirements for physical spaces, like office buildings and airports, are best formulated from a global viewpoint in terms of system-wide requirements. For example, "there is an authorized path to exit the building from every room." In contrast, individual access-control components, such as doors and turnstiles, can only enforce local policies, specifying when the component may open. In practice, the gap between the system-wide, global requirements and the many local policies is bridged manually, which is tedious, error-prone, and scales poorly. We propose a framework to automatically synthesize local access control policies from a set of global requirements for physical spaces. Our framework consists of an expressive language to specify both global requirements and physical spaces, and an algorithm for synthesizing local, attribute-based policies from the global specification. We empirically demonstrate the framework's effectiveness on three substantial case studies. The studies demonstrate that access control synthesis is practical even for complex physical spaces, such as airports, with many interrelated security requirements.

查看原文本刊更多论文

物理空间的访问控制综合

物理空间(如办公楼和机场)的访问控制需求最好从系统范围需求的全局角度来制定。例如，“每个房间都有一条授权的通道可以离开大楼。”相反，单独的访问控制组件(如门和旋转门)只能执行本地策略，指定组件何时可以打开。在实践中，系统范围内的全局需求和许多本地策略之间的差距是手动弥合的，这是乏味的、容易出错的，而且伸缩性很差。我们提出了一个框架，从物理空间的一组全局需求中自动合成本地访问控制策略。我们的框架包括一种表达性语言，用于指定全局需求和物理空间，以及一种算法，用于从全局规范中综合本地的、基于属性的策略。我们在三个实质性的案例研究中实证地证明了该框架的有效性。研究表明，即使对于复杂的物理空间，如机场，具有许多相互关联的安全需求，访问控制综合也是实用的。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2016 IEEE 29th Computer Security Foundations Symposium (CSF)

自引率

0.00%

发文量