{"title":"基于角色的访问控制中的数据流安全","authors":"Luigi Logrippo","doi":"10.1016/j.jisa.2025.103997","DOIUrl":null,"url":null,"abstract":"<div><div>We show how data security concepts such as data flow, secrecy (or confidentiality) and integrity can be defined for RBAC, Role-Based Access Control. In contrast to the prevailing literature that uses a lattice model to express such concepts, we demonstrate the use of a partial order model that is more general. This is done by using the concepts of “partial order of equivalence classes” and of “security labels” that can be associated with RBAC subjects and objects and determine their mutual data flows, as well as their secrecy and integrity properties. Our model allows to reason on RBAC configurations with different assignments of roles to subjects. On the converse, we demonstrate a method for obtaining RBAC configurations from data security requirements or security label assignments. These results are supported by a proof showing that three methods for defining data flow: by access control matrices or lists, by labels and by roles, are equivalent and mutually convertible by efficient algorithms. 
We show how RBAC state changes, or “reconfigurations” can be defined in this framework, and what are the effects of elementary reconfigurations on data flow, secrecy and integrity of data.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"90 ","pages":"Article 103997"},"PeriodicalIF":3.8000,"publicationDate":"2025-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Data flow security in Role-based access control\",\"authors\":\"Luigi Logrippo\",\"doi\":\"10.1016/j.jisa.2025.103997\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>We show how data security concepts such as data flow, secrecy (or confidentiality) and integrity can be defined for RBAC, Role-Based Access Control. In contrast to the prevailing literature that uses a lattice model to express such concepts, we demonstrate the use of a partial order model that is more general. This is done by using the concepts of “partial order of equivalence classes” and of “security labels” that can be associated with RBAC subjects and objects and determine their mutual data flows, as well as their secrecy and integrity properties. Our model allows to reason on RBAC configurations with different assignments of roles to subjects. On the converse, we demonstrate a method for obtaining RBAC configurations from data security requirements or security label assignments. These results are supported by a proof showing that three methods for defining data flow: by access control matrices or lists, by labels and by roles, are equivalent and mutually convertible by efficient algorithms. 
We show how RBAC state changes, or “reconfigurations” can be defined in this framework, and what are the effects of elementary reconfigurations on data flow, secrecy and integrity of data.</div></div>\",\"PeriodicalId\":48638,\"journal\":{\"name\":\"Journal of Information Security and Applications\",\"volume\":\"90 \",\"pages\":\"Article 103997\"},\"PeriodicalIF\":3.8000,\"publicationDate\":\"2025-04-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Information Security and Applications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2214212625000353\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625000353","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
We show how data security concepts such as data flow, secrecy (or confidentiality) and integrity can be defined for RBAC, Role-Based Access Control. In contrast to the prevailing literature that uses a lattice model to express such concepts, we demonstrate the use of a partial order model that is more general. This is done by using the concepts of “partial order of equivalence classes” and of “security labels” that can be associated with RBAC subjects and objects and determine their mutual data flows, as well as their secrecy and integrity properties. Our model allows reasoning about RBAC configurations with different assignments of roles to subjects. Conversely, we demonstrate a method for obtaining RBAC configurations from data security requirements or security label assignments. These results are supported by a proof showing that three methods for defining data flow (by access control matrices or lists, by labels, and by roles) are equivalent and mutually convertible by efficient algorithms. We show how RBAC state changes, or “reconfigurations”, can be defined in this framework, and what the effects of elementary reconfigurations are on data flow, secrecy and integrity of data.
About the journal:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.