Severity Level of Permissions in Role-Based Access Control

S.V. Belim, N.F. Bogachenko, A.N. Kabanov

Dostoevsky Omsk State University, Omsk, Russia

Abstract

The analysis of hidden channels of information leakage with respect to role-based access control includes monitoring of excessive permissions among users. It is not always possible to completely eliminate redundancy. The problem of ranking permissions arises in order to identify the most significant, for which redundancy is most not desirable. A numerical characteristic that reflects the value or importance of permissions is called the ”severity level”. A number of heuristic assumptions have been formulated that make it possible to establish the dependence of the severity level of permissions on the structure of the role hierarchy. A methodology for solving the problem is proposed, using analytic hierarchy process and taking into account these assumptions. The main idea is that the decision tree of the process will be the role graph.

Keywords: role structure; analytic hierarchy process; severity level of permissions.

## 1 Introduction

The concept of roles has become widespread in the field of information security [1, 2]. At the heart of the role-based access control is the idea of distributing rights and privileges (we will call them permissions) between users not directly, but through assigning certain roles to them. In the process of authorizing a user for a certain role, he receives a set of permissions assigned to the given role.

One of the most difficult problems encountered in the construction of access control systems is the problem of covert channels of information leakage. A covert channel of information leakage is a mechanism by which a computer system can transmit information between entities bypassing the access control policy. At the same time, any model of access control should provide proof, including formal one, of the impossibility of inadmissible information flows. But such proofs are mostly based on a single security criterion. For example, such a criterion may be ”the impossibility of accessing subjects to objects outside explicit permissions”. Outside the proof, there are implicit information flows, which are caused by covert channels of information leakage. Thus, proof of the absence of ”dangerous” accesses and analysis of covert channels of information leakage are two components of any access control system.

In the context of a role-based access control, for which many modifications and extensions have been proposed [3, 4, 5, 6, 7, 8, 9, 10], first of all an analysis of the problem of users’ excessive permissions is needed. Obviously, this indicator is decisive in assessing the possibility of unauthorized transmission of information. As part of the solution of the problem, permissions should be ranked ”according to the level of danger of information leakage” or ”according to the degree of preference from the point of view of the attacker”. The quantitative characteristics that meet the qualitative criteria are called ”the severity level” of permissions. The term used is understood as the significance or value of the corresponding rights and privileges in terms of information security of the system: the higher the severity level of permission, the greater the loss in case of its misuse (leakage).

In this paper, we consider systems with a hierarchical organization of a set of roles that contain in their description an oriented (role) graph, which is most often used only to control the inheritance of the permissions assigned to roles. It is suggested, on the basis of the role graph, to obtain additional information necessary for analyzing the security of the system. Most approaches to analyzing graphs of access to information resources are connected with the study of attack graphs of models with discretionary access control [11]. In a more general case, the threats realization graph can be constructed to analyze the security of information systems [12]. Unfortunately, most of the work is devoted to the synthesis of such graphs and only a few to formal models of their analysis. Most often this is the use of standard methods of analysis of oriented graphs [13], or other search algorithms, for example, recursive algebraic analysis [14]. As will be shown below, the hierarchical organization of the set of roles in a system with role-based access control makes it possible to apply the analytic hierarchy process, used to quantify the phenomena of a qualitative nature, to determine the severity level and rank permissions [15, 16]. In the future, when reconstructing the role hierarchy in order to reduce the number of excessive permissions, it is first necessary to analyze roles that have permissions with a higher severity level.

## 2 Formulation of the problem

The role-based access control is determined by a set of four sets: – the set of users, – the set of roles, – the set of permissions (rights, privileges), – the set of users’ sessions in the system. Along with the role, the user receives a certain set (list) of permissions assigned to the given role. There are three main issues in the organization of role-based access:

1. How many and which roles can be assigned to one user.

2. How many and which roles a user can use in a single session with the system (to which roles the user can be authorized).

3. Is it possible to delegate (transfer) permissions from one role to another.

Depending on the methods of solving the questions posed, there are several types of role models. The most common is a model with a hierarchical organization of multiple roles. In this case, the senior in the hierarchy role gets the permissions of the roles directly subordinate to it.

We denote the set of permissions assigned to some role as . Then the model with a hierarchical role system is determined by the following refinements and additions:

1. A partial order relation is introduced on the role set specifying the dominant / subordinate operator of the roles ””: if , then the role is higher in the hierarchy than the role and the set of permissions includes the set of permissions .

2. If the role is assigned to the user , then all roles subordinate to are automatically assigned to him. If the user is authorized for the role in the current session of the system, then he is automatically authorized for all roles that are subordinate to . The set of permissions that are available to the user for all roles for which he is authorized in the current session of the system is determined by taking into account the subordinate roles.

It is convenient to describe the hierarchy of roles with a labeled oriented graph (we call it role), in which the vertices correspond to the roles existing in the system, the vertex labels represent the sets of permissions for these roles, the edges define the dominance / subordination of roles. As a rule, it is considered that the role graph is an oriented tree. In fact, this is not so obvious, and in a more general case it is sufficient to require that the hierarchy be described by an oriented acyclic graph [17]. But within the framework of this article, we need the tree role graph. It is worth noting that the authors of [9, 17] studied the problem of transforming an arbitrary oriented graph without cycles describing the hierarchy of roles into an equivalent tree and presented algorithms for its solution.

So, let the hierarchy of roles be given by the oriented tree – the role tree. At this stage of the problem analysis, we assume that in the role hierarchy, only leaf nodes directly receive the permissions, and then the permissions are distributed according to the principle of inheritance (using the leaf approach to the distribution of permissions [17]).

By the severity level of the permission we call the numerical characteristic characterizing the significance or value of from the point of view of system’s information security. We require that : , (summation is over all from 1 to , where is the number of permissions).

Obviously, the value of should depend both on the prevalence of the permission in the system, and on the significance of the roles to which this permission is assigned (that is, on the hierarchical organization of the set ). The task is set for each element of the permission set to calculate its severity level . We will proceed from the following heuristic assumptions.

Assumption 1. The more permissions this role contains, the more likely it will be attacked, the greater is the severity level of permissions assigned to the role.

Assumption 2. The more often this permission appears in the list of roles permissions, the more likely it is to leak, the greater is its severity level.

Assumption 3. The higher the role in the hierarchy, the more likely it will be attacked, the greater is the severity level of permissions assigned to the role.

## 3 Hierarchy of roles and analytic hierarchy process

Let’s estimate the severity level of permissions using the analytic hierarchy process (AHP), well-known from decision support theory [15, 16]. The main difficulty of AHP is the search for quantitative indicators for constructing a numerical scale of preferences for possible alternatives. Often, a mechanism of expert assessments is used to do this. In turn, subjectivism and inconsistency of expert judgments are the main sources of criticism of the method [18]. In this paper, we propose to use the hierarchical organization of the set of roles to construct the AHP decision tree, and calculate the coefficients of the pairwise comparison matrices based on the distribution of permissions in the system, without involving external subjective expert assessments.

The proposed approach consists of several stages. The first one preprocesses the role hierarchy: each leaf node of the original role tree is appended with additional vertices, each of which contains exactly one permission from the set of permissions of the vertex . Thus, an extended role tree is constructed. The decision tree (or hierarchy) of the AHP will be the tree .

The second stage calculates the relative weights of all vertices (except the root) of the tree . Calculation of weights occurs when moving from the root to the leaf vertices. At each step, a subset of the roles , subordinate to one role of the previous level, is considered. In the AHP terminology, the selected vertices are the matched factors or alternatives for the criterion. For each such subset a pairwise comparison matrix M is constructed. The dimension of the matrix M is equal to the cardinality of the allocated subset of the subordinate roles. The element in the pairwise comparison matrix corresponding to the pair is equal to the ratio of the number of permissions of role to the number of permissions of role :

Taking into account Assumption 1, the value characterizes the degree of significance of the role in comparison with the role from the point of view of the severity level of permissions. The diagonal elements are equal to one. Then the columns of the matrix M are normalized, and the elements of the new normalized matrix are calculated by the formula: . The weight of each role is calculated as the arithmetic mean of the corresponding row role in the normalized matrix : .

Since the elements of the pairwise comparison matrix are calculated automatically, the ideal consistency of the matrix M is ensured: its elements are connected by the equalities (for any , , ). Indeed,

Since the matrix M is ideal consistent, after normalization the columns of the matrix become the same. Hence, for any . Without loss of generality, we will continue to work with the elements of the first column of the matrix M, then

for . Thus, the relative weight coefficients can be calculated without constructing a pairwise comparison matrix, only on the basis of knowledge of some numerical characteristics attributed to the compared factors (roles). In our case, this is the number of permissions. Thus, in the problem under consideration, AHP is based only on the properties of the system itself, which frees it from the ”model” error that arises from the inconsistency of expert assessments [18].

At the third stage, the combined weights of the leaf vertices of the tree are calculated. These values will be the severity level of permissions. The severity level of each permission is equal to the sum of the products of the relative weight coefficients of the vertices along all the paths from the root to the leaves containing this permission. Note that : . Therefore, at this stage, Assumption 2 is taken into account: the more items, the greater is , and Assumption 3: the shorter the path, the larger is product, the larger is the contribution to .

## 4 Algorithm for calculating the severity level of permissions

Let’s write out formally the algorithm for calculating the severity level of permissions. Let use the leaf principle of distribution of permissions; the role tree , which defines the hierarchy of roles, contains vertices ; permissions are defined in the system. The algorithm for steps can be written in the following form.

1. To each vertex of the role tree , assign the value equal to the number of permissions assigned to this vertex.

2. Construct an extended role tree : add as many permission vertices to each leaf node of the role tree , as contained in its permission set ; assign to each of the new vertices one permission from the set of permissions and assign to it a numerical characteristic (see step 1) equal to one.

3. For each non-leaf vertex of the tree , starting from the root, consider a subset of the vertices subordinate to it: . For the vertices of this subset, calculate the relative weights by the formula:

4. For each permission , , calculate its severity level:

The sum is taken over all oriented paths in the tree , leading from the root to that leaf , the list of permissions of which contains the single permission (obviously, these are the permission vertices that were added to the original role tree and which correspond to the permission ). In each product, there are the relative weight coefficients from step 3 of those vertices that compose the oriented path (excluding the root , because the weight is not defined for it).

Note that è , . Thus, the numerical characteristics found are relative values and allow a comparative analysis of the permissions.

It is easy to understand that the computational complexity of the presented algorithm depends polynomially on the number of roles and the number of permissions in the original role tree and does not exceed O.

## 5 Example

Consider the hierarchy of roles represented by the unbalanced tree T (see fig. 1).

Let the permissions of leaf roles are represented by the following sets: , , , , , , , and for other roles, the permissions are determined from the inheritance condition: , , , The expanded role tree is shown in fig. 2.

For this example , . Hence, , . In vector form:

The coordinates of the vector are determined by the number of permissions assigned to the roles , , ; the coordinates of the vector are determined by the relative weight coefficients of these roles.

Similarly, the coordinates of the remaining vectors are calculated:

For leaf nodes, we will index the weight coefficients by the number of the parent role and the number of permission assigned to the leaf: , , , , , , . In fig. 3, the leaves of the tree that correspond to the same permission are replaced by a single vertex, with the edges being assigned weights corresponding to their terminal vertices.

According to step 4 of the algorithm, the severity level of permission is calculated by the formula:

Similarly:

Let us analyze the results obtained. As we can see from table 1, permissions and have the highest severity level, although their prevalence in the system is not maximal (Assumption 2). This is explained by the fact that the proposed approach takes into account also the location of the roles to which the interesting permission is assigned in the given hierarchy (Assumption 3). Indeed, the permissions and occur from the 2nd level of the role tree, whereas the most common in the system permissions and are present in the system, starting at level 3. Thus, in the example considered, the criterion of ”proximity to the administrator” is more significant than the ”prevalence in the system” criterion.

Severity level | What roles are assigned | Number of roles | Levels of tree | |
---|---|---|---|---|

, , , , , , | – | |||

0.26 | – | |||

0.25 | – | |||

– | ||||

– |

## 6 Conclusions

Most often, because there is no possibility to obtain quantitative estimates of the severity of certain processes, in practice a qualitative scale is used, for example: critical / high / medium / low. The article defines the algorithm for calculating the numerical indicators of the severity of the leakage of permissions in the role-based access control policy.

It follows from the proposed methodology that AHP makes it possible to automate the process of ranking permissions by significance or value from the point of view of information security. And the decision is made only on the basis of the features of the system itself, without involving the mechanism of expert assessments. This use of the method is new. Indeed, at present AHP is developing in the direction of using the theory of fuzzy sets, including within the framework of constructing a comprehensive information security system [19, 20, 21, 22, 23]. But in the vast majority of works the method still relies on the mechanism of expert assessments.

The advantage and novelty of the proposed solution lies precisely in the ”bundle” of AHP and the role tree of the access control system. This, on the one hand, allows you to obtain additional information in a situation where alternative solutions can not be linked by any precise functional dependencies, and on the other hand, relieves the method of inconsistency and subjectivism of expert judgments.

According to [24], the information security risk is an assessment of the possible damage to an organization or an asset as a result of a certain threat implementation. The main way to assess risks is to combine the probability of an event and its consequences:

where is the probability of implementing the threat through a given vulnerability (for a two–factor risk assessment method) or the product of the probability of implementing the threat and exploiting vulnerability (for the three–factor risk assessment method), is the damage from the implementation of the threat [25]. The main difficulty in solving the problems of quantitative assessment of information security risks is the qualitative nature of most indicators that affect the probability of the implementation of threats and the use of vulnerabilities, as well as determine the damage. The quantitative characteristics of permissions suggested in the article can be the basis for determining the probability of the implementation of information security threats through the vulnerabilities generated by the structure of roles of the access control policy.

## References

- [1] D.F. Ferraiolo and D.R. Kuhn, ”Role-Based Access Controls”, 15th National Computer Security Conference, Baltimore MD, 1992, pp. 554–563.
- [2] R.S. Sandhu, E.J. Coynek, H.L. Feinsteink and C.E. Youmank, ”Role-Based Access Control Models”, IEEE Computer, February 1996, vol. 29, no. 2, pp. 38-47.
- [3] L. Fuchs, G. Pernul and R. Sandhu, ”Roles in information security – A survey and classification of the research area”, Computers Security, November 2011, vol. 30, issue 8, pp. 748–769.
- [4] M. Toahchoodee and I. Ray, ”On the formalization and analysis of a spatio-temporal role-based access control model”, Journal of Computer Security, 2011, vol. 19, no. 3, pp. 399–452.
- [5] Y. Jung and J.B.D. Joshi, ”CRiBAC: Community-centric role interaction based access control model”, Computers Security, June 2012, vol. 31, issue 4, pp. 497–523.
- [6] A. Armando and S. Ranise, ”Scalable automated symbolic analysis of administrative role–based access control policies by SMT solving”, Journal of Computer Security, 2012, vol. 20, no. 4, pp. 309–352.
- [7] D.N. Kolegov, ”Hierarchical role-based access control development”, Applied Discrete Mathematics, 2012, no. 3(17), pp. 70–76 (In Russian).
- [8] F. Salim, J. Reid, U. Dulleck and E. Dawson, ”Budget–aware Role Based Access Control”, Computers Security, June 2013, vol. 35, pp. 37–50.
- [9] S. Belim, N. Bogachenko and E. Ilushechkin, ”An analysis of graphs that represent a role-based security policy hierarchy”, Journal of Computer Security, 2015, vol. 23, no. 5, pp. 641–657.
- [10] S.V. Belim, S.Yu. Belim, N.F. Bogachenko and A.N. Kabanov, ”User Authorization in a System with a Role-Based Access Control on the Basis of the Analytic Hierarchy Process”, IEEE Dynamics of Systems, Mechanisms and Machines (Dynamics), 14–16 Nov. 2017.
- [11] D.N. Kolegov, ”DP–model application for network security analysis”, Applied Discrete Mathematics, 2008, no. 1(1), pp. 71–87 (In Russian).
- [12] G.N. Maltsev and V.V. Telichko, ”Optimization of information protection means in the informational–command system with wireless channels access based on threats realization graph”, Information and Control Systems, 2008, no. 4(35), pp. 29–33 (In Russian).
- [13] C. Phillips and L.P. Swiler, ”A Graph-Based System for Network-Vulnerability Analysis”, Proceedings of the New Security Paradigms Workshop, 1998, pp. 71–79.
- [14] S. Noel, S. Jajodia and L. Wang, ”Singhal A. Measuring Security Risk of Networks Using Attack Graphs”, International Journal of Next-Generation Computing, July 2010, vol. 1, no. 1, pp. 135–146.
- [15] T.L. Saaty, ”The Analytic Hierarchy Process”. New York: McGraw Hill, 1980.
- [16] H.A. Taha, ”Operations Research: An Introduction”. Upper Saddle River, New Jersey, 2007, pp. 489–530.
- [17] N.F. Bogachenko, ”Local Optimization of the Role-Based Access Control Policy”, CEUR Workshop Proceedings, 2017, vol. 1965.
- [18] V.D. Nogin, ”A simplified variant of the hierarchy analysis on the ground of nonlinear convolution of criteria”, Computational Mathematics and Mathematical Physics, 2004, vol. 44, no. 7, pp. 1194–1202.
- [19] M. Dong, S. Li and H. Zang, ”Approaches to group decision making with incomplete information based on power geometric operators and triangular fuzzy AHP”, Expert Systems with Applications, 2015, vol. 42, issue 21, pp. 7846–7857.
- [20] S. Lee, ”Determination of Priority Weights under Multiattribute Decision-Making Situations: AHP versus Fuzzy AHP”, Journal of Construction Engineering and Management, 2015, vol. 141, issue 2.
- [21] X. Peng and J.Q. Cui, ”Network Security Risk Assessment Based on Fuzzy Analytical Hierarchy Process”, Applied Mechanics and Materials, 2014, vols. 631-632, pp. 971–975.
- [22] G. Radivojevic and V. Gajovic, ”Supply chain risk modeling by AHP and Fuzzy AHP methods”, Journal of Risk Research, 2014, vol. 17, issue 3, pp. 337–352.
- [23] C.–C. Sun, ”A performance evaluation model by integrating fuzzy AHP and fuzzy TOPSIS methods”, Expert Systems with Applications, 2010, vol. 37, issue 12. pp. 7745–7754.
- [24] ”NIST SP 800-30 Revision 1. Information Security. Guide for Conducting Risk Assessments”, September 2012, 95 p.
- [25] L.Yu. Emaletdinova and I.V. Anikin ”Risk assessment approaches in telecommunication networks”, Vestnik Kazanskogo gosudarstvennogo energeticheskogo universiteta, 2015, no. 1(25), pp. 55–67 (In Russian).