Model Checking Distributed Mandatory Access Control Policies

Published: 15 July 2015

Abstract

This work examines the use of model checking techniques to verify system-level security properties of a collection of interacting virtual machines. Specifically, we examine how local access control policies implemented in individual virtual machines and a hypervisor can be shown to satisfy global access control constraints. The SAL model checker is used to model and verify a collection of stateful domains, each holding protected resources and enforcing a local MAC policy, that attempt to access needed resources from other domains. The model is described along with its verification conditions. The need to control state-space explosion is motivated, and techniques for writing theorems and for limiting the domains considered are explored. Finally, analysis results are examined along with analysis complexity.
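As an added illustration of the approach the abstract describes (example code written for this page, not the paper's SAL model), the following Python script performs explicit-state model checking of a small constructed system: three hypothetical VMs (vm_web, vm_app, vm_db), each with a local MAC policy over the resources it serves, plus a hypervisor policy that restricts which domains may open a channel at all. Domains are stateful, so a domain that is granted a resource keeps a copy and may later re-serve it under its own policy. The global constraint, that the internet-facing domain never holds customer PII, cannot be expressed by any one local policy. All domain, resource and policy names are invented for the example, and a breadth-first search over reachable global states stands in for SAL's symbolic engine.

```python
"""Explicit-state model checking of composed MAC policies (added example).

Constructed scenario, not from the paper: three VMs, each with a local
MAC policy over the resources it serves, plus a hypervisor policy that
says which domains may open a channel.  Domains are stateful: a domain
that is granted a resource keeps a copy and may re-serve it under its
own policy.  The checker enumerates every reachable global state and
checks a constraint that no single local policy can express.
"""
from collections import deque


def reachable_states(owned, channels, local_policy):
    """Breadth-first exploration of the global state space.

    A state is a frozenset of (domain, resource) pairs: who holds a copy
    of what.  One transition is one successful cross-domain access:
    `src` asks `dst` for `res`, which succeeds iff the hypervisor allows
    the src->dst channel, dst's local policy grants (src, res), and dst
    currently holds res.  Returns {state: (predecessor, access)} so a
    counterexample trace can be rebuilt; the initial state maps to None.
    """
    init = frozenset((d, r) for d, rs in owned.items() for r in rs)
    parents = {init: None}
    queue = deque([init])
    while queue:
        state = queue.popleft()
        for src, dst in sorted(channels):            # sorted: deterministic traces
            for req, res in sorted(local_policy.get(dst, ())):
                if req != src or (dst, res) not in state or (src, res) in state:
                    continue
                nxt = state | {(src, res)}
                if nxt not in parents:
                    parents[nxt] = (state, (src, dst, res))
                    queue.append(nxt)
    return parents


def check_invariant(owned, channels, local_policy, forbidden):
    """Check the global constraint 'no reachable state contains a forbidden
    (domain, resource) pair'.  Returns (holds, trace, states_explored); on
    failure `trace` is the shortest access sequence reaching a violation
    (dict insertion order is BFS order, so the first hit is minimal)."""
    parents = reachable_states(owned, channels, local_policy)
    for state in parents:
        if forbidden & state:
            trace, cur = [], state
            while parents[cur] is not None:
                cur, step = parents[cur]             # walk back to the initial state
                trace.append(step)
            return False, trace[::-1], len(parents)
    return True, [], len(parents)


# --- Constructed three-tier deployment (hypothetical names) -----------------
# Hypervisor policy: which (requester, server) channels exist at all.
CHANNELS = {("vm_web", "vm_app"), ("vm_app", "vm_db")}
# Resources each domain owns at boot.
OWNED = {"vm_db": {"customer_pii", "schema"}, "vm_app": {"session_cache"}, "vm_web": set()}
# Local MAC policy per serving domain: the (requester, resource) pairs it grants.
# Each looks reasonable in isolation: vm_db only ever serves vm_app, and
# vm_app serves the front end whatever it holds.
LOCAL_POLICY = {
    "vm_db": {("vm_app", "customer_pii"), ("vm_app", "schema")},
    "vm_app": {("vm_web", "session_cache"), ("vm_web", "customer_pii")},
    "vm_web": set(),
}
# Global constraint: the internet-facing domain must never hold PII.
FORBIDDEN = {("vm_web", "customer_pii")}


def demo():
    """Run the checker on the constructed system before and after tightening
    vm_app's local policy so it no longer re-serves PII to vm_web."""
    broken = check_invariant(OWNED, CHANNELS, LOCAL_POLICY, FORBIDDEN)
    fixed_policy = dict(LOCAL_POLICY, vm_app={("vm_web", "session_cache")})
    fixed = check_invariant(OWNED, CHANNELS, fixed_policy, FORBIDDEN)
    return broken, fixed


if __name__ == "__main__":
    (ok, trace, n), (ok2, _, n2) = demo()
    print(f"original policies: holds={ok}, states={n}, trace={trace}")
    print(f"tightened vm_app policy: holds={ok2}, states={n2}")
```

On the original policies the checker reports a two-step counterexample: vm_app reads customer_pii from vm_db (allowed by vm_db), then vm_web reads it from vm_app (allowed by vm_app), so the global constraint fails although every local decision was permitted. Tightening vm_app's policy makes the constraint hold. The state counts (12 reachable states before, 8 after) also show the source of state-space explosion: every additional grantable (domain, resource) pair can double the reachable space, which is why the abstract's concern with theorem structure and with limiting the domains modeled matters long before a system reaches realistic size.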



• Published in
  ACM Transactions on Information and System Security, Volume 18, Issue 2 (December 2015), 118 pages
  ISSN: 1094-9224, EISSN: 1557-7406
  DOI: 10.1145/2807425

                Copyright © 2015 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History
  • Received: 1 October 2014
  • Revised: 1 March 2015
  • Accepted: 1 May 2015
  • Published: 15 July 2015


                Qualifiers

                • research-article
                • Research
                • Refereed
