Alexandre Miège




Ph.D. Infos
Title: Definition of a formal framework for specifying security policies.
The Or-BAC model and extensions.
Defended: June 27th, 2005 at Télécom Paris.
Keywords: Or-BAC, security policy, access control, context, conflict management, administration, AdOr-BAC, OToKit.
Download: PDF version

This thesis presents a new access control model called Or-BAC (Organization-Based Access Control). We aim at overcoming the limitations of the existing models while simplifying the security policy specification. We suggest a more expressive and modular model that enables us to make a distinction between the policy and its concrete implementation.
This is obtained by abstracting the traditional access control entities subject, action and object. Specifically, subjects are empowered in roles, objects are used in views and actions implement activities. Furthermore, the concept of organization is central in our model. This makes it possible to better analyze interoperability between organizations and to model an organization's structure by designing hierarchies of organizations.
Three other features are tackled in this dissertation. First, in order to obtain dynamic security rules, we introduce the entity context. It enables us to define in which circumstances authorizations must be activated and deactivated. Second, we consider negative authorizations, since they make complex policies easier to specify. As conflicts might occur between positive and negative authorizations, we provide a parametric conflict management strategy that allows us to detect and resolve potential conflicts. Finally, we define an administration model called AdOr-BAC. This administration model is fully compliant with Or-BAC and offers convenient and flexible means to manage Or-BAC policies.
The last part of the dissertation is dedicated to two implementation works: the application to a network environment and the development of a prototype application, OToKit, used to design Or-BAC policies and to detect and solve conflicts.
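The following is an added sketch, not code from the thesis or from OToKit, of how an abstract rule over (organization, role, activity, view, context) yields a concrete decision for (subject, action, object), and how a positive and a negative authorization can conflict. The sample policy, all names, the numeric priorities used to resolve conflicts and the default-deny fallback are assumptions made for illustration; the thesis's own parametric strategy is not reproduced here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    kind: str       # "permission" or "prohibition"
    org: str
    role: str
    activity: str
    view: str
    context: str
    priority: int   # assumption: a numeric priority stands in for the strategy

# Constructed sample policy for a hypothetical organization "hospital".
EMPOWER = {("hospital", "alice", "physician"), ("hospital", "alice", "trainee")}
CONSIDER = {("hospital", "read", "consult")}            # action implements activity
USE = {("hospital", "record42", "medical_record")}      # object is used in view
CONTEXTS = {                                            # context holds or not
    "default": lambda s, a, o, env: True,
    "night": lambda s, a, o, env: env["hour"] >= 22 or env["hour"] < 6,
}
RULES = [
    Rule("permission", "hospital", "physician", "consult",
         "medical_record", "default", 1),
    Rule("prohibition", "hospital", "trainee", "consult",
         "medical_record", "night", 2),
]

def derive(subject, action, obj, env):
    """Return the abstract rules that apply to this concrete request."""
    return [r for r in RULES
            if (r.org, subject, r.role) in EMPOWER
            and (r.org, action, r.activity) in CONSIDER
            and (r.org, obj, r.view) in USE
            and CONTEXTS[r.context](subject, action, obj, env)]

def decide(subject, action, obj, env):
    """Return (decision, conflict_detected) for a concrete request."""
    applicable = derive(subject, action, obj, env)
    if not applicable:
        return "deny", False                 # assumption: closed policy
    conflict = len({r.kind for r in applicable}) == 2
    # Highest priority wins; on a tie the prohibition is preferred.
    winner = max(applicable,
                 key=lambda r: (r.priority, r.kind == "prohibition"))
    return ("permit" if winner.kind == "permission" else "deny"), conflict

if __name__ == "__main__":
    print(decide("alice", "read", "record42", {"hour": 14}))
    print(decide("alice", "read", "record42", {"hour": 23}))
```

Because the context is evaluated per request, the same subject gets different decisions at 14:00 and 23:00, and the conflict only appears when the night context holds.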

Prof. Frédéric Cuppens.
Frédéric Cuppens is a professor at ENST-Bretagne (Rennes campus) in the Network and Multimedia Services department (RSM). Frédéric Cuppens runs the security team SERES.
Ph.D. thesis of Télécom Paris (Ecole Nationale Supérieure des Télécommunications), carried out at the Network and Computer Science department (INFRES), under the supervision of Michel Riguidel and Christine Potier.
The research took place at ONERA-Toulouse Research Center from March 2002 to December 2004, and at ENST-Bretagne (Rennes campus) from January 2004 to March 2005.
This thesis was funded by France Télécom Recherche & Développement (FTR&D). This research work was carried out in collaboration with the DTL/ISS department of FTR&D.