Ninghui Li

Computer Science, Purdue University

"Security Analysis in Access Control"

Monday September 13, 2004 03:00 PM
Location: 136, EGRC NCSU Centennial Campus
Abstract: Security analysis is an important verification technique for access control policy specification and management. In security analysis, we ask the fundamental question whether an access control system preserves a security policy invariant (which encodes desired security properties) across state changes. In this talk, we present recent results on security analysis in trust management and in Role Based Access Control (RBAC). Trust management is a form of distributed access control that allows one principal to delegate some access decisions to other principals.

Today, RBAC is the dominant access control model in enterprise security management. We show that in contrast to the undecidability of classical Harrison-Ruzzo-Ullman safety properties, the security analysis problems we considered are decidable. In particular, most properties we study are decidable in polynomial time. The computational complexity of containment analysis in a trust management language forms a complexity hierarchy based on the delegation features of the trust management language. We also show that security analysis in two special cases in RBAC can be reduced to the security analysis problem in trust management.

Short Bio: Ninghui Li joined Purdue University in August 2003 as an Assistant Professor in Computer Science. He received a Bachelor's degree from the University of Science and Technology of China in 1993 and a Ph.D. in Computer Science from New York University in September 2000. Before joining Purdue, he was a Research Associate in the Stanford University Computer Science Department for 3 years.

Prof. Li's research interests include access control, trust management, automated trust negotiation, applied cryptography, online privacy protection, reputation systems, and so on. His research is currently supported by NSF ITR, Purdue Research Foundation, and CERIAS (Center for Education and Research in Information Assurance and Security).

Host: Ting Yu, Computer Science Department, NCSU

