Preserving User Privacy and Security in Context-Aware Mobile Platforms

Background

Access control generally refers to the process of determining what actions are allowed by a given subject upon objects and resources (Sandhu & Samarati, 1996). The security domain has seen the emergence of various access control models over the years. The most popular models include Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC). DAC refers to access control mechanisms where it is at the “discretion” of the owner of an object. On the other hand, MAC “mandates” control based on security labels assigned to an object. RBAC is a model that uses “roles” to determine access control and in this model permissions are associated with roles, and users are made members of appropriate roles. RBAC suffers from issues of setting up initial role structure and inflexibility in dynamic domains (Kuhn, D. R., Coyne, E. J., & Weil, T. R., 2010). A pure RBAC solution will not consider dynamic attributes like time of day, which could be critical for determining user permissions. Essentially, it does not take into consideration the context aspect that we so often see, especially in the mobile domain. ABAC models are better equipped in handling access control for such dynamic systems. When it comes to using ABAC models one of the standard system implementations created by (Godik, S., Anderson, A., Parducci, B., Humenn, P., & Vajjhala, S., 2002) is XACML. The XACML standard defines a declarative access control policy language implemented in XML and provides a processing model on how to evaluate access requests. The access control mechanisms that we will discuss are modeled on ABAC.