Abstract
Verifying that access-control systems maintain desired security properties is recognized as an important problem in security. Enterprise access-control systems have grown to protect tens of thousands of resources, and there is a need for verification to scale commensurately. We present techniques for abstraction-refinement and bound-estimation for bounded model checkers to automatically find errors in Administrative Role-Based Access Control (ARBAC) security policies. ARBAC is the first and most comprehensive administrative scheme for Role-Based Access Control (RBAC) systems. In the abstraction-refinement portion of our approach, we identify and discard roles that are unlikely to be relevant to the verification question (the abstraction step). We then restore such abstracted roles incrementally (the refinement steps). In the bound-estimation portion of our approach, we lower the estimate of the diameter of the reachability graph from the worst-case by recognizing relationships between roles and state-change rules. Our techniques complement one another, and are used with conventional bounded model checking. Our approach is sound and complete: an error is found if and only if it exists. We have implemented our technique in an access-control policy analysis tool called Mohawk. We show empirically that Mohawk scales well to realistic policies, and provide a comparison with prior tools.
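The loop the abstract describes, as an added worked example (this is not Mohawk's code, and the sample policy is constructed for illustration): a user-role reachability query on a small ARBAC97-style policy is checked by first keeping only the target role, running a bounded search over the resulting under-approximated policy, and then restoring roles one precondition hop at a time until a counterexample appears or no relevant role is left to restore. It assumes the "separate administration" simplification used by earlier ARBAC analyses (administrative roles are fixed, so a single user's role set can be analysed on its own), and its diameter bound is an illustrative one, not the paper's estimator: with no negative preconditions a shortest path only ever adds roles, otherwise it falls back to the worst case of one step per subset of roles. The names `CanAssign`, `CanRevoke`, `Policy`, `check` and the administrator roles are assumptions of the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CanAssign:
    admin: str            # administrative role allowed to apply the rule
    positive: frozenset   # roles the user must already hold
    negative: frozenset   # roles the user must not hold
    target: str           # role granted by the rule


@dataclass(frozen=True)
class CanRevoke:
    admin: str
    target: str           # ARBAC97 can_revoke carries no precondition


@dataclass
class Policy:
    roles: frozenset
    assigns: list
    revokes: list


def relevant_roles(policy, target, depth):
    """Abstraction: the target plus roles within `depth` precondition hops of it."""
    kept, frontier = {target}, {target}
    for _ in range(depth):
        nxt = set()
        for r in policy.assigns:
            if r.target in frontier:
                nxt |= (r.positive | r.negative) - kept
        if not nxt:
            break
        kept |= nxt
        frontier = nxt
    return frozenset(kept)


def abstract(policy, kept):
    """Drop every rule mentioning a discarded role: an under-approximation,
    so any path found in it is a genuine path in the full policy."""
    assigns = [r for r in policy.assigns
               if r.target in kept and (r.positive | r.negative) <= kept]
    return Policy(kept, assigns, [r for r in policy.revokes if r.target in kept])


def estimate_bound(policy):
    """Illustrative diameter bound (not Mohawk's): without negative preconditions
    revoking never enables a rule, so a shortest path has at most |roles| steps."""
    if not any(r.negative for r in policy.assigns):
        return len(policy.roles)
    return 2 ** len(policy.roles) - 1


def successors(policy, state):
    for r in policy.assigns:
        if r.target not in state and r.positive <= state and not (r.negative & state):
            yield f"assign {r.target} by {r.admin}", state | {r.target}
    for r in policy.revokes:
        if r.target in state:
            yield f"revoke {r.target} by {r.admin}", state - {r.target}


def bounded_reach(policy, init, target, bound):
    """Bounded check as breadth-first search to depth `bound`; returns the rule
    sequence that grants `target`, or None if none exists within the bound."""
    init = frozenset(init) & policy.roles
    if target in init:
        return []
    seen, queue = {init}, deque([(init, [])])
    while queue:
        state, path = queue.popleft()
        if len(path) >= bound:
            continue
        for label, nxt in successors(policy, state):
            if nxt in seen:
                continue
            if target in nxt:
                return path + [label]
            seen.add(nxt)
            queue.append((nxt, path + [label]))
    return None


def check(policy, init, target):
    """Abstraction-refinement loop. Returns (path or None, trace), where trace
    records (refinement depth, roles kept, bound used, error found) per round."""
    trace, prev, depth = [], None, 0
    while True:
        kept = relevant_roles(policy, target, depth)
        if kept == prev:          # nothing left to restore: target is unreachable
            return None, trace
        abs_policy = abstract(policy, kept)
        bound = estimate_bound(abs_policy)
        path = bounded_reach(abs_policy, init, target, bound)
        trace.append((depth, len(kept), bound, path is not None))
        if path is not None:
            return path, trace
        prev, depth = kept, depth + 1


# Constructed sample policy (not from the paper). Finance must not be held
# with Engineer and Manager must not be granted to Finance staff, yet Auditor
# needs both: the intent is bypassed by revoking Engineer part-way through.
ROLES = frozenset({"Employee", "Contractor", "Engineer", "Manager", "Finance",
                   "Auditor", "HR", "Intern", "Marketing", "Sales"})
POLICY = Policy(ROLES, [
    CanAssign("ITAdmin", frozenset({"Employee"}), frozenset(), "Engineer"),
    CanAssign("HRAdmin", frozenset({"Engineer"}), frozenset({"Finance"}), "Manager"),
    CanAssign("FinAdmin", frozenset({"Employee"}), frozenset({"Engineer"}), "Finance"),
    CanAssign("FinAdmin", frozenset({"Finance", "Manager"}), frozenset(), "Auditor"),
    CanAssign("HRAdmin", frozenset({"Employee"}), frozenset(), "HR"),
    CanAssign("HRAdmin", frozenset(), frozenset(), "Intern"),
    CanAssign("MktAdmin", frozenset({"Employee"}), frozenset({"Sales"}), "Marketing"),
    CanAssign("MktAdmin", frozenset({"Employee"}), frozenset({"Marketing"}), "Sales"),
], [CanRevoke("ITAdmin", "Engineer"), CanRevoke("FinAdmin", "Finance")])

if __name__ == "__main__":
    path, trace = check(POLICY, {"Employee"}, "Auditor")
    print("worst-case bound on the full policy:", 2 ** len(ROLES) - 1)
    for depth, n, bound, found in trace:
        print(f"refinement {depth}: {n} roles kept, bound {bound}, error found: {found}")
    print("counterexample:", path)
    print("HR from Contractor:", check(POLICY, {"Contractor"}, "HR")[0])
```

Run as a script, the trace shows the two halves of the approach working together: the full policy has ten roles and a worst-case bound of 1023 steps, but the five roles that can influence Auditor are restored by the second refinement, where a bound of 31 suffices and the search returns the five-step counterexample (assign Engineer, assign Manager, revoke Engineer, assign Finance, assign Auditor). The query for HR from a Contractor saturates after one refinement with no path, which is the "only if" half of the sound-and-complete claim in the abstract: once every role that can reach the target through a precondition has been restored and the bounded search still finds nothing, the target is unreachable in the full policy.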
Mohawk: Abstraction-Refinement and Bound-Estimation for Verifying Access Control Policies