Abstract
This work examines the use of model checking techniques to verify system-level security properties of a collection of interacting virtual machines. Specifically, we examine how local access control policies implemented in individual virtual machines and a hypervisor can be shown to satisfy global access control constraints. The SAL model checker is used to model and verify a collection of stateful domains, each with protected resources and a local MAC policy, attempting to access needed resources from other domains. The model is described along with its verification conditions. The need to control state-space explosion is motivated, and techniques for writing theorems and for limiting the number of domains are explored. Finally, analysis results are examined along with analysis complexity.
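The following is an added illustration of the verification problem the abstract describes; it is not the paper's SAL model and none of it comes from the authors. It builds a tiny transition system in which stateful domains acquire resources from one another only when both the hypervisor policy and the owner's local MAC policy allow it, then explores every reachable state to check a single global constraint and reports a counterexample trace when the constraint fails. The domain names (app, db, net), resources, labels, both policies, and the "no domain holds a secret and a public resource at once" constraint are all constructed for the example. The returned state count shows, in miniature, why state-space size is the concern the abstract raises: each additional grantable holding doubles the reachable set.

```python
"""Added illustration (not the paper's SAL model): an explicit-state
reachability check over a small collection of domains with local MAC
policies under a hypervisor policy, against one global constraint.
All domain names, resources, labels and policies are constructed."""
from collections import deque

# Constructed hypervisor policy: (requester, owner) pairs allowed to interact.
HV_POLICY = {("app", "db"), ("app", "net"), ("db", "app")}

# Constructed local MAC policy of each owner: requester -> resources it may take.
LOCAL_POLICY = {
    "db":  {"app": {"db:records"}},
    "net": {"app": {"net:socket"}},
    "app": {"db": {"app:cache"}},
}

# Constructed resource labels used by the global constraint.
LABEL = {"db:records": "secret", "app:cache": "secret", "net:socket": "public"}


def successors(state, hv_policy, local_policy):
    """One-step transitions from `state` (a frozenset of (holder, resource)).
    A requester acquires a resource only if the hypervisor allows the pair AND
    the owner's local policy grants that resource; any holder may release.
    Iteration is sorted so exploration order is deterministic."""
    for requester, owner in sorted(hv_policy):
        for res in sorted(local_policy.get(owner, {}).get(requester, ())):
            if (requester, res) not in state:
                yield (f"{requester} acquires {res} from {owner}",
                       state | {(requester, res)})
    for holder, res in sorted(state):
        yield (f"{holder} releases {res}", state - {(holder, res)})


def violates(state, label):
    """Global constraint: no domain holds a 'secret' and a 'public' resource
    at the same time. Returns the offending domain, or None."""
    for domain in sorted({h for h, _ in state}):
        labels = {label[r] for h, r in state if h == domain}
        if {"secret", "public"} <= labels:
            return domain
    return None


def model_check(hv_policy, local_policy, label):
    """Breadth-first exploration of all reachable states. Returns
    (counterexample_trace or None, number_of_states_explored)."""
    init = frozenset()
    parent = {init: None}          # state -> (predecessor, action)
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if violates(state, label) is not None:
            trace = []
            while parent[state] is not None:   # walk back to the initial state
                state, action = parent[state]
                trace.append(action)
            return list(reversed(trace)), len(parent)
        for action, nxt in successors(state, hv_policy, local_policy):
            if nxt not in parent:
                parent[nxt] = (state, action)
                queue.append(nxt)
    return None, len(parent)


def check_and_repair():
    """Run the check on the constructed policies, then again on a repaired
    local policy in which 'net' no longer grants its socket to 'app'.
    Returns (trace_before, trace_after, reachable_states_after)."""
    bad_trace, _ = model_check(HV_POLICY, LOCAL_POLICY, LABEL)
    repaired = {**LOCAL_POLICY, "net": {}}
    ok_trace, n_states = model_check(HV_POLICY, repaired, LABEL)
    return bad_trace, ok_trace, n_states


if __name__ == "__main__":
    bad, ok, n = check_and_repair()
    print("counterexample:", bad)
    print("after repair:", ok, "| reachable states:", n)
```

The counterexample is the two-step path in which app obtains db:records and then net:socket, each grant being locally legitimate; the global constraint only becomes checkable once the domains are composed, which is the point of verifying the collection rather than each policy alone. Note that the breadth-first search returns a shortest trace, and that the repaired system has only four reachable states because only two holdings remain grantable.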
Model Checking Distributed Mandatory Access Control Policies