CS590U: Access Control: Theory and Practice

CS590U

Access Control: Theory and Practice

Instructor: Ninghui Li

Prerequisites:

Theory of computation: CS483 or equivalent required. CS584 a plus but not necessary.
Information security: CS526 or equivalent required; taking CS526 concurrently is sufficient.
Database systems: CS448 or equivalent highly recommended.

Please contact the instructor if there is any question about prerequisites.

General Info:

This course is aimed towards graduate students in Computer Science and ECE. Undergraduate students interested in taking the course should contact the instructor. In addition to covering established results in this area, we will also investigate the state of art of access control theory and techniques both in research literature and in commercial systems.

The goals of this course are the following.

Give students a systematic and deep understanding of access control theory and techniques. The focus of this course is not on giving an listing of the various models and techniques developed for access control, but rather on understanding the effectiveness and limitation of these models and techniques. While examining research results, we ask the following questions: What are the problems this piece of work tries to solve? To what extent does it solve the problems? Are these the right problems to solve? How could this result be used in practice? What other problems can be asked? While examining existing systems, we ask similar questions about the access control features in these systems.
Give students (especially beginning graduate students) some exposure to research activities such as literature research, independent thinking and analysis, interacting with the instructor and peer students, and organizing and presenting materials and results.
Help interested students to develop long term research interests in this area.

This course will be divided into three parts.

The first part, about first half of the course, will be lectures given by the instructor.
The second part, about one-third of the course, will be lectures given by students on a topic related to their projects.
The final part will be presentation of the result of the project.

Topics to be covered (tentative) include:

General theory and models for access control: access control matrix, the HRU model, the take-grant model, etc.
Lattice-based mandatory access control, noninterference, nondeducibility, etc.
Access control in distributed systems, trust management
Role-Based Access Control
Access control in operating systems
Access control in database systems, including concepts such as grant-revoke, roles, views, virtual private databases, etc.
Access control requirements and examples in real life, e.g., in healthcare, financial industry, universities
Access control for XML documents
Access control in networks, e.g., firewall
Digital rights management languages
Human factors in access control

Students will have a semester-long medium-size project that will be related to the above topics and that will have a research flavor. A list of project topics will be provided in class. Students are also welcome to come up with project ideas.

A typical project involves

some combination of literature research, product investigation, programming, and possible interviewing users and domain experts
a mid-course presentation on papers related to the project
a presentation about the result of the project
a final report

Textbook/References

No textbook is required; the main source of reference will be papers, lecture notes, and slides. Everyone is expected to read a core set of papers. Each student also needs to read and present papers related to their project. The following is an incomplete list of required readings.

Jerome H. Saltzer and Michael D. Schroeder, The Protection of Information in Computer Systems. Proceedings of the IEEE, 63(9):1278-1308, 1975.
- Part IA is required reading. The rest is recommended, especially for those interested in operating system security.
Carl E. Landwehr, Formal Models for Computer Security. ACM Computing Surveys, 13(3):247--278, 1981.
David D. Clark and David R. Wilson, A Comparison of Commercial and Military Computer Security Policies, in Proceedings of the 1987 IEEE Symposium on Security and Privacy, pp. 184--194, IEEE Computer Society Press, Los Alamitos, CA, 1987.
Robert W. Baldwin. Naming and grouping privileges to simplify security management in large databases. In Proc. IEEE Symposium on Research in Security and Privacy, pages 116-132, 1990.
John McLean. Security Models. In J. Marciniak, editor, Encyclopedia of Software Engineering. Wiley & Sons, 1994.
Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, and Charles E. Youman. Role-based access control models. IEEE Computer, 29(2):38--47, February 1996.

Although no textbook is require, the following books are helpful references. The first three are popular textbooks; and they overlap to a certain degree. Reading the chapters related to access control in some of the following books could be helpful:

Computer Security: Art and Science by Matt Bishop
Computer Security by Dieter Gollmann
Security in Computing, Third Edition by Charles P. Pfleeger, Shari Lawrence Pfleeger, and Willis H. Ware.
Security Engineering by Ross A. Anderson
- This book is not very related to this course; however, it is a very good book on practical aspects of security, highly recommended for anyone interested in security.
Cryptography and Data Security by Dorothy Denning
- This cryptography part of this book is a bit out of date; however, the discussion of access control is nevertheless still very good.
Role-Based Access Control by David F. Ferraiolo, D. Richard Kuhn, Ramaswamy Chandramouli
- This book provides a fairly comprehensive survey of researches in RBAC. It is a very good source of information for those interested in doing research related to RBAC.