Abstract

Separation of duty (SoD) is a fundamental principle of computer security that has not been addressed sufficiently in multi-level security (MLS) mandatory access control (MAC) models, as realized through the adoption of the Bell-LaPadula (BLP) model. This is due to the lack of means at present to express SoD constraints in MAC. The primary objective of this paper is to overcome this but within a framework that allows for rigour and linguistic features to express SoD constraints, while retaining the core security properties of BLP, namely the Simple Security Property and |$\bigstar $|-Property. To this end, we propose a formal framework which bridges the BLP model with the more general hierarchical role-based access control (RBAC) model. Our framework is based on a hierarchy of permissions that is founded on a novel concept of permission capacity, determined on the basis of the security levels that characterize objects in MLS models. Such a hierarchy naturally provides a solid basis for defining role seniority and deriving a hierarchical ordering on roles within MLS models. SoD constraints are expressed by means of conflicting permissions that give rise to mutually exclusive roles.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.