A Robust Implementation of a Building Resources Access Rights Management System

A Smart Building Controller (SBC) is server software that offers
secured access to a pool of building-specific resources, executes
monitoring tasks and performs automatic administration of a building,
thus optimizing the operating cost and maximizing comfort. This paper
discusses the issues that arise in the secure use of the
SBC-administered resources and proposes a technical solution for
implementing a robust secure access system based on roles, individual
rights and privileges (special rights).




