A Robust Implementation of a Building Resources Access Rights Management System
Authors: E. Neagoe, V. Balanica
Abstract:
A Smart Building Controller (SBC) is server software that offers secured access to a pool of building-specific resources, executes monitoring tasks and performs automatic administration of a building, thus optimizing operating cost and maximizing comfort. This paper discusses the issues that arise in the secure use of SBC-administered resources and proposes a technical solution for implementing a robust secure access system based on roles, individual rights and privileges (special rights).
Keywords: Access authorization, smart building controller, software security, access rights.
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1100324