skip to main content
research-article

Mohawk: Abstraction-Refinement and Bound-Estimation for Verifying Access Control Policies

Published:01 April 2013Publication History
Skip Abstract Section

Abstract

Verifying that access-control systems maintain desired security properties is recognized as an important problem in security. Enterprise access-control systems have grown to protect tens of thousands of resources, and there is a need for verification to scale commensurately. We present techniques for abstraction-refinement and bound-estimation for bounded model checkers to automatically find errors in Administrative Role-Based Access Control (ARBAC) security policies. ARBAC is the first and most comprehensive administrative scheme for Role-Based Access Control (RBAC) systems. In the abstraction-refinement portion of our approach, we identify and discard roles that are unlikely to be relevant to the verification question (the abstraction step). We then restore such abstracted roles incrementally (the refinement steps). In the bound-estimation portion of our approach, we lower the estimate of the diameter of the reachability graph from the worst-case by recognizing relationships between roles and state-change rules. Our techniques complement one another, and are used with conventional bounded model checking. Our approach is sound and complete: an error is found if and only if it exists. We have implemented our technique in an access-control policy analysis tool called Mohawk. We show empirically that Mohawk scales well to realistic policies, and provide a comparison with prior tools.

References

  1. Ammann, P. and Sandhu, R. 1991. Safety analysis for the extended schematic protection model. In Proceedings of the IEEE Symposium on Security and Privacy. 87--97.Google ScholarGoogle Scholar
  2. Aveksa. 2012. What is business-driven identity and access management? http://www.aveksa.com/ what-we-do/What-Is-Business-Driven-Identity-and-Access-Management.cfm.Google ScholarGoogle Scholar
  3. Ball, T. and Rajamani, S. K. 2002. The SLAM project: Debugging system software via static analysis. In Proceedings of the 29th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’02). ACM, New York, 1--3. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. Budd, T. A. 1983. Safety in grammatical protection systems. Int. J. Paral. Prog. 12, 6, 413--431.Google ScholarGoogle Scholar
  5. Clarke, E., Biere, A., Raimi, R., and Zhu, Y. 2001. Bounded model checking using satisfiability solving. Form. Methods Syst. Des. 19, 1, 7--34. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Clarke, E., Grumberg, O., Jha, S., Lu, Y., and Veith, H. 2003. Counterexample-guided abstraction refinement for symbolic model checking. J. ACM 50, 5, 752--794. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Clarke, E., Kroening, D., Ouaknine, J., and Strichman, O. 2005. Computational challenges in bounded model checking. Softw. Tools Tech. Trans. 7, 2, 174--183.Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Clarke, E. M., Grumberg, O., and Peled, D. A. 1999. Model Checking. The MIT Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Crampton, J. and Loizou, G. 2003. Administrative scope: A foundation for role-based administrative models. ACM Trans. Inf. Syst. Secur. 6, 2, 201--231. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Ferraiolo, D. F., Kuhn, D. R., and Chandramouli, R. 2003. Role-Based Access Control. Artech House, Inc., Norwood, MA. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Ferrara, A. L., Madhusudan, P., and Parlato, G. 2012. Security analysis of access control through program verification. In Proceedings of the 25th IEEE Computer Security Foundations Symposium (CSF’12). IEEE Computer Society, Cambridge, MA. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Fisler, K., Krishnamurthi, S., Meyerovich, L. A., and Tschantz, M. C. 2005. Verification and change-impact analysis of access-control policies. In Proceedings of the 27th International Conference on Software Engineering (ICSE’05). ACM, New York, 196--205. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Ganesh, V. and Dill, D. L. 2007. A decision procedure for bitvectors and arrays. In Proceedins of the 19th International Conference on Computer-Aided Verification. Lecture Notes in Computer Science, Springer, Berlin, 519--531. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Gofman, M. I., Luo, R., Solomon, A. C., Zhang, Y., Yang, P., and Stoller, S. D. 2009. Rbac-pat: A policy analysis tool for role based access control. In Proceedings of the 15th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS). Lecture Notes in Computer Science, vol. 5505, Springer-Verlag, 46--49. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Gofman, M. I., Luo, R., and Yang, P. 2010. User-role reachability analysis of evolving administrative role based access control. In Proceedings of the 15th European Conference on Research in Computer Security (ESORICS’10). Springer-Verlag, Berlin, 455--471. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Graham, G. S. and Denning, P. J. 1972. Protection --- Principles and practice. In Proceedings of the AFIPS Spring Joint Computer Conference. Vol. 40, AFIPS Press, 417--429. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. Harrison, M. A. and Ruzzo, W. L. 1978. Monotonic protection systems. In Proceedings of the Conference on Foundations of Secure Computation. 461--471.Google ScholarGoogle Scholar
  18. Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. 1975. On protection in operating systems. In Proceedings of the 5th ACM Symposium on Operating Systems Principles (SOSP’75). ACM, New York, 14--24. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Hu, H. and Ahn, G. 2008. Enabling verification and conformance testing for access control model. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies (SAC’08). ACM, New York, 195--204. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Hu, V. C., Kuhn, D. R., and Xie, T. 2008. Property verification for generic access control models. In Proceedings of the 2008 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing. IEEE Computer Society, Los Alamitos, CA, 243--250. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Hughes, G. and Bultan, T. 2008. Automated verification of access control policies using a sat solver. Int. J. Softw. Tools Technol. Transf. 10, 6, 503--520.Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Jayaramam, K. 2012. Mohawk -- Automatic Verification of Access-Control Policies. http://code.google.com/p/mohawk/.Google ScholarGoogle Scholar
  23. Jayaraman, K., Ganesh, V., Tripunitara, M., Rinard, M., and Chapin, S. 2011. Automatic error finding in access-control policies. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS’11). ACM, New York, 163--174. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Jayaraman, K., Ganesh, V., Tripunitara, M., Rinard, M. C., and Chapin, S. J. 2012. Real-world case studies of using ARBAC to enforce separation-of-duty constraints. http://kjayaram.mysite.syr.edu/mohawk/casestudy.pdf.Google ScholarGoogle Scholar
  25. Jha, S. and Reps, T. W. 2004. Model Checking SPKI/SDSI. J. Comput. Sec. 12, 3--4, 317--353. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Jha, S., Schwoon, S., Wang, H., and Reps, T. 2006. Weighted Pushdown Systems and Trust-Management Systems. In Proceedings of TACAS. Springer-Verlag, Berlin. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Jha, S., Li, N., Tripunitara, M., Wang, Q., and Winsborough, W. 2008. Towards formal verification of role-based access control policies. IEEE Trans. Dependable Secur. Comput. 5, 4, 242--255. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. Jones, A. K., Lipton, R. J., and Snyder, L. 1976. A linear time algorithm for deciding security. In Proceedings of the 17th Annual Symposium on Foundations of Computer Science (SFCS’76). IEEE Computer Society, Washington, DC, 33--41. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. Kern, A. 2002. Advanced features for enterprise-wide role-based access control. In Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC’02). IEEE Computer Society, Washington, DC, 333. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Kolovski, V., Hendler, J., and Parsia, B. 2007. Analyzing web access control policies. In Proceedings of the 16th International Conference on World Wide Web (WWW’07). ACM, New York, 677--686. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Kroening, D. 2006. Computing over-approximations with bounded model checking. Electron. Notes Theor. Comput. Sci. 144, 79--92. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Li, N. and Tripunitara, M. V. 2004. Security analysis in role-based access control. In Proceedings of the 9th ACM Symposium on Access Control Models and Technologies (SACMAT’04). ACM, New York, 126--135. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Li, N. and Tripunitara, M. V. 2006. Security analysis in role-based access control. ACM Trans. Inf. Syst. Secur. 9, 4, 391--420. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Li, N., Mitchell, J. C., and Winsborough, W. H. 2005. Beyond proof-of-compliance: Security analysis in trust management. J. ACM 52, 3, 474--514. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. Martin, E. and Xie, T. 2007. A fault model and mutation testing of access control policies. In Proceedings of the 16th International Conference on World Wide Web (WWW’07). ACM, New York, 667--676. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Motwani, R., Panigrahy, R., Saraswat, V., and Ventkatasubramanian, S. 2000. On the decidability of accessibility problems (extended abstract). In Proceedings of the 32nd Annual ACM Symposium on Theory of Computing (STOC’09). ACM, New York, 306--315. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. NuSMV. 2012. http://nusmv.irst.itc.it/.Google ScholarGoogle Scholar
  38. Rao, P., Lin, D., and Bertino, E. 2007. XACML function annotations. In Proceedings of the 8th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’07). IEEE Computer Society, Washington, DC, 178--182. Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. SailPoint. 2012. Policy enforcement. http://www.sailpoint.com/products/identity-iq/compliance-manager/policy-enforcement.php.Google ScholarGoogle Scholar
  40. Saltzer, J. H. and Schroeder, M. D. 1975. The protection of information in computer systems. Proc. IEEE.Google ScholarGoogle Scholar
  41. Sandhu, R., Bhamidipati, V., and Munawer, Q. 1999. The ARBAC97 model for role-based administration of roles. ACM Trans. Inf. Syst. Secur. 2, 1, 105--135. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. Sandhu, R. S. 1992. The typed access matrix model. In Proceedings of the IEEE Symposium on Research in Security and Privacy. 122--136. Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. Sandhu, R. S., Coyne, E. J., Feinstein, H. L., and Youman, C. E. 1996. Role-based access control models. IEEE Computer 29, 2, 38--47. Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. Sasturkar, A., Yang, P., Stoller, S. D., and Ramakrishnan, C. 2006. Policy analysis for administrative role based access control. In Proceedings of the 19th Computer Security Foundations Workshop. IEEE Computer Society Press. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. Sasturkar, A., Yang, P., Stoller, S. D., and Ramakrishnan, C. 2011. Policy analysis for administrative role-based access control. Theoret. Comput. Sci. 412, 44, 6208--6234. Google ScholarGoogle ScholarDigital LibraryDigital Library
  46. Schaad, A., Moffett, J., and Jacob, J. 2001. The role-based access control system of a European bank: A case study and discussion. In Proceedings of the 6th ACM Symposium on Access Control Models and Technologies. ACM, New York, 3--9. Google ScholarGoogle ScholarDigital LibraryDigital Library
  47. Sohr, K., Drouineaud, M., Ahn, G.-J., and Gogolla, M. 2008. Analyzing and managing role-based access control policies. IEEE Trans. Knowl. Data Eng. 20, 924--939. Google ScholarGoogle ScholarDigital LibraryDigital Library
  48. Solworth, J. A. and Sloan, R. H. 2004. A layered design of discretionary access controls with decidable safety properties. In Proceedings of the IEEE Symposium on Security and Privacy, 56.Google ScholarGoogle Scholar
  49. Soshi, M. 2000. Safety analysis of the dynamic-typed access matrix model. In Proceedings of the Computer Security (ESORICS 2000). Lecture Notes in Computer Science, Springer, Berlin, 106--121. Google ScholarGoogle ScholarDigital LibraryDigital Library
  50. Stoller, S. D., Yang, P., Ramakrishnan, C. R., and Gofman, M. I. 2007. Efficient policy analysis for administrative role based access control. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS’07). ACM, New York, 445--455. Google ScholarGoogle ScholarDigital LibraryDigital Library
  51. Zhang, N., Ryan, M., and Guelev, D. P. 2008. Synthesising verified access control systems through model checking. J. Comput. Secur. 16, 1, 1--61. Google ScholarGoogle ScholarDigital LibraryDigital Library
  52. Zhao, C., Heilili, N., Liu, S., and Lin, Z. 2005. Representation and reasoning on RBAC: A description logic approach. In Proceedings of the 2nd International Colloquium on Theoretical Aspects of Computing (ICTAC’05), (Hanoi, Vietnam, October 17--21, 2005). Lecture Notes in Computer Science, Springer, 381--393. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Mohawk: Abstraction-Refinement and Bound-Estimation for Verifying Access Control Policies

                Recommendations

                Comments

                Login options

                Check if you have access through your login credentials or your institution to get full access on this article.

                Sign in

                Full Access

                • Published in

                  cover image ACM Transactions on Information and System Security
                  ACM Transactions on Information and System Security  Volume 15, Issue 4
                  April 2013
                  117 pages
                  ISSN:1094-9224
                  EISSN:1557-7406
                  DOI:10.1145/2445566
                  Issue’s Table of Contents

                  Copyright © 2013 ACM

                  Publisher

                  Association for Computing Machinery

                  New York, NY, United States

                  Publication History

                  • Published: 1 April 2013
                  • Accepted: 1 January 2013
                  • Revised: 1 October 2012
                  • Received: 1 April 2012
                  Published in tissec Volume 15, Issue 4

                  Permissions

                  Request permissions about this article.

                  Request Permissions

                  Check for updates

                  Qualifiers

                  • research-article
                  • Research
                  • Refereed

                PDF Format

                View or Download as a PDF file.

                PDF

                eReader

                View online with eReader.

                eReader
                About Cookies On This Site

                We use cookies to ensure that we give you the best experience on our website.

                Learn more

                Got it!