Abstract: 

The use of blockchain technology has been proposed to provide auditable access control for individual resources. Unlike the case where all resources are owned by a single organization, this work focuses on distributed applications such as business processes and distributed workflows. These applications are often composed of multiple resources/services that are subject to the security and access control policies of different organizational domains. Here, blockchains provide an attractive decentralized solution to provide auditability. However, the underlying access control policies may be overlapping in terms of the component conditions/rules as well as events. Existing work cannot handle event-driven constraints and does not sufficiently account for overlaps in the policy leading to significant overhead in terms of cost and computation time for evaluating authorizations over the blockchain.

In this dissertation, we develop an integrated framework for access control management of distributed business processes over blockchain. This framework allows generation of a composite access control policy for a given distributed business process based on the local policies of component services and reduces the policy evaluation cost over the blockchain. The local access control policies of component services may include both attribute-based and event-driven policies. The composite access control policy includes one or more smart contracts, which can be deployed on the blockchain for access control enforcement.

The proposed framework supports composition and management of both attribute-based as well as event-driven access control policies. For attribute-based policies, we formulate a constraint optimization problem to generate an optimal composite access control policy. For event driven policies, we have developed an automata-theoretic approach that generates a cost-efficient composite access control policy. We reduce this composite policy generation problem to the standard weighted set cover problem, which is an NP-complete problem for which several approximation techniques exist. We show that the composite policy correctly captures all the local access control policies and reduces the policy evaluation cost over the blockchain. We have also proposed a game-theoretic approach for auditing access control enforcement in an efficient and cost-effective manner while incentivizing honest behavior of all parties.

We have implemented the initial prototype of our approach using Ethereum as the underlying blockchain and empirically validated the effectiveness and efficiency of our approach. We have also conducted ablation studies to determine the impact of changes in individual service policies on the overall cost..

Final Defense Committee (FDC):

• Dr. Basit Shafiq (Advisor)

• Dr. Jaideep Vaidya (Member)

• Dr. Shafay Shamail (Member)

• Dr. Muhammad Fareed Zaffar (Member)

• Dr. Zartash Afzal Uzmi (Member)

• Dr. Ammar Masood (External Examiner)

List of Publications:

• Ahmed Akhtar, Masoud Barati, Basit Shafiq, Omer Rana, Ayesha Afzal, Jaideep Vaidya, and Shafay Shamail. “Blockchain Based Auditable Access Control For Business ProcessesWith Event Driven Policies”. IEEE Transactions on Dependable and Secure Computing, 2024. DOI:10.1109/TDSC.2024.3356811

• Ahmed Akhtar, Basit Shafiq, Jaideep Vaidya, Ayesha Afzal, Shafay Shamail, and Omer Rana. “Blockchain Based Auditable Access Control for Distributed Business Processes.” 2020 IEEE 40th International Conference on Distributed Computing Systems (ICDCS), 2020, pp. 12-22., DOI:10.1109/ICDCS47774.2020.00015.