Safety and Consistency of Mutable Attributes Using Quotas: A Formal Analysis

Attribute-based Access Control (ABAC) systems make access decisions utilizing attributes of subjects, objects and environment with respect to a policy. Acquiring real-time values of these attributes is not practical in distributed multi-authority environments due to cost and performance considerations as well as intrinsic delays of distributed systems. So it is possible to make decisions based on outdated policy and attribute values resulting in access violations. This is known as the safety and consistency problem. This problem has been previously studied in trust negotiation and ABAC context. Previous works have assumed attributes to be immutable, to wit their values could be changed only via administrative actions. However, so far there is no research carried out in the context of mutable attributes, values of which could be changed as a result of users access. In this paper we investigate safety and consistency in the context of mutable subject attributes which introduces additional complexity to the problem. In particular, there might be multiple concurrent sessions manipulating the same mutable attribute. Therefore, in addition to exposure of the decision point to stale attribute values, safety and consistency can be compromised due to concurrent utilization of the same attribute. While the general consistency problem has vast literature in distributed systems arena, practical solutions are typically dependent on the specific application domain. We identify two categories of use cases of practical benefit in context of ABAC, which turn out to be amenable to quota-based solutions. We provide a formal analysis of the resulting solutions.