An Effective Evolutionary Analysis Scheme for Industrial Software Access Control Models

Authors: Zhuobing Han, Naixue Xiong, Guangquan Xu, Xiaohong Li, Ettore Merlo, Eleni Stroulia
Year of publication: 2020
Subject:
Source: IEEE Transactions on Industrial Informatics. 16:1024-1034
ISSN: 1941-0050, 1551-3203
DOI: 10.1109/tii.2019.2925422
Description: Access control is an essential feature of industrial software systems' security mechanisms. Role-based access control (RBAC), which is likely the most popular access-control technique, specifies “user roles” and associates each role with “permissions” to access distinct system functionalities. These role-permission assignment rules, as well as the types of system users and system functionalities, evolve over time. In this paper, we describe a methodology for analyzing and understanding the RBAC-configuration evolution, its relation to the overall evolutionary lifecycle of industrial systems, and its impact on the security vulnerabilities from which the system may suffer. Our methodology considers two different sources of information regarding the RBAC-configuration evolution: 1) the role-permission matrices of successive system versions; and 2) the corresponding concept lattices implied by these matrices. By examining the evolution of these two system properties, developers can easily notice which versions involve more numerous and more complex RBAC-configuration changes that may indicate higher security risks. We demonstrate our methodology using a study of four popular real-world systems: 1) MediaWiki; 2) Moodle; 3) Joomla; and 4) WordPress. Our findings show that the proposed metrics have strong, positive linear correlations with the properties of the security vulnerabilities.
Database: OpenAIRE