Automated verification of access control policies using a SAT solver. Authors: Graham Hughes, Tevfik Bultan, Computer Science Department, University of California, Santa Barbara, CA 93106, USA. Source: International Journal on Software Tools for Technology Transfer (STTT), Volume 10, Issue 6, October. Presented by Jui-Lung Yao, Master Student of CSIE, CCU. 1

Outline: Introduction; A simple XACML policy; Formal model; Boolean logic formula; Experiments; Conclusion. 2

Introduction: flow chart. XACML policy (the described language) → transformation with the formal model → Boolean logic formula → convert to Conjunctive Normal Form (CNF) → Boolean formula in CNF → SAT solver. 4

A simple XACML policy. XACML, the eXtensible Access Control Markup Language, is an OASIS standard (Organization for the Advancement of Structured Information Standards). 6

Example. The policy states that, to be able to vote, a person must be at least 18 years old, and a person who has voted already cannot vote. 7

Age: at least 18 years old. 8

Voted-yet: voted already. 9

Action: vote. 10

Environment: our environment is the set of information we are interested in. 11

Formal model. Let R = {Permit, Deny, NotApp, Indet} be the set of valid results, and let P be the set of valid policies. 13

Semantics of policies. To formalize the semantics of policies, we define a function 14

Notation. We can now model our example as follows: 15

Normal form. Define an equivalence relation on policies. A function f that takes a policy and returns another policy is an eff-preserving transformation. 16

Shorthand. Define a shorthand 〈S, R, T〉, where S, R and T are pairwise disjoint, as follows. For any policy p, an equivalent triple p_T exists; the triple is just 17

〈S, R, T〉 reduction: function g. 18

Example: applying f and g to the policy. 19

Basic predicates. BP is the set of basic predicates; non-terminal C. 21

Translation to a Boolean logic formula. 22

Conversion to CNF: create an auxiliary variable for each sub-expression, then combine the auxiliary variables with clauses. Example. 23

Example. Let P1 = 〈S1, R1, T1〉 and P2 = 〈S2, R2, T2〉 be two policies. We define the following partial orders. Define: 24

Example (cont'd). Generate a formula F for the property, then send its negation ¬F to the SAT solver: an unsatisfiable result means the property holds for every request, and a satisfying assignment is a counterexample. 25
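The following is an added worked example, not code from Hughes and Bultan's paper or from any tool it cites. It ties together the formal model (slides 13 to 15), the translation to a Boolean formula and its CNF conversion (slides 22 and 23) and the property check (slides 24 and 25) on the voting policy: the policy is evaluated directly over an environment, encoded as a Boolean formula over basic predicates, converted to CNF with one auxiliary variable per sub-expression, and a property is checked by handing ¬F to a small DPLL solver. The predicate names (`act_vote`, `age_ge_18`, `voted`), the first-applicable rule combination, the formula AST shape and the solver are assumptions of this example.

```python
"""Added example (not the paper's code): voting policy -> Boolean formula -> CNF -> SAT.
Assumptions: predicate names, first-applicable rule combination, the AST shape and the
tiny DPLL solver below stand in for the paper's formal model, translation and SAT solver."""
from itertools import product

PERMIT, DENY, NOTAPP = "Permit", "Deny", "NotApp"   # Indet is not reached by this policy
BASIC = ("act_vote", "age_ge_18", "voted")          # assumed basic predicate names

def vote_policy(env):
    """Direct semantics of the voting policy on an environment (predicate name -> bool)."""
    if not env["act_vote"]:
        return NOTAPP           # the request is not a vote: the policy does not apply
    if env["voted"]:
        return DENY             # already voted: cannot vote again
    return PERMIT if env["age_ge_18"] else DENY

# Formula AST (assumed shape): ("var", name) | ("not", e) | ("and", a, b)
def v(name): return ("var", name)
def neg(e): return ("not", e)
def conj(a, b): return ("and", a, b)

# Boolean encoding of "the policy yields Permit" over the basic predicates.
PERMIT_EXPR = conj(v("act_vote"), conj(v("age_ge_18"), neg(v("voted"))))

def evaluate(e, env):
    """Truth value of a formula under an environment; used to validate the encoding."""
    op = e[0]
    if op == "var": return env[e[1]]
    if op == "not": return not evaluate(e[1], env)
    return evaluate(e[1], env) and evaluate(e[2], env)

def encoding_agrees():
    """Exhaustive check over all 8 environments: direct Permit <=> PERMIT_EXPR is true."""
    envs = (dict(zip(BASIC, bits)) for bits in product([False, True], repeat=3))
    return all((vote_policy(env) == PERMIT) == evaluate(PERMIT_EXPR, env) for env in envs)

class Tseitin:
    """CNF conversion: an auxiliary variable per sub-expression, linked by defining clauses."""
    def __init__(self):
        self.ids, self.clauses = {}, []      # name -> positive integer id; list of clauses

    def var(self, name):
        return self.ids.setdefault(name, len(self.ids) + 1)

    def encode(self, e):
        """Return the literal standing for e; the clauses defining it are appended."""
        op = e[0]
        if op == "var": return self.var(e[1])
        if op == "not": return -self.encode(e[1])
        a, b = self.encode(e[1]), self.encode(e[2])
        t = self.var(f"_aux{len(self.ids) + 1}")   # fresh auxiliary variable for this AND
        self.clauses += [[-t, a], [-t, b], [t, -a, -b]]   # t <-> (a and b)
        return t

    def cnf_for(self, e):
        """CNF equisatisfiable with e: the defining clauses plus a unit clause for the root."""
        top = self.encode(e)
        return self.clauses + [[top]]

def dpll(clauses):
    """Minimal DPLL with unit propagation: a model (id -> bool) or None when UNSAT."""
    def assign(cls, lit):
        out = []
        for c in cls:
            if lit in c: continue                    # clause satisfied by lit
            if -lit in c:
                c = [x for x in c if x != -lit]
                if not c: return None                # empty clause: conflict
            out.append(c)
        return out

    def search(cls, model):
        while cls:
            units = [c[0] for c in cls if len(c) == 1]
            if not units: break
            model[abs(units[0])] = units[0] > 0
            cls = assign(cls, units[0])
            if cls is None: return None
        if not cls: return model                     # every clause satisfied
        lit = cls[0][0]
        for choice in (lit, -lit):                   # branch on a literal
            nxt = assign(cls, choice)
            if nxt is not None:
                found = search(nxt, {**model, abs(choice): choice > 0})
                if found is not None: return found
        return None
    return search(clauses, {})

def property_holds(negated_property):
    """Send ¬F to the solver: UNSAT means F holds in every environment; otherwise the
    model, restricted to the basic predicates, is a counterexample environment."""
    t = Tseitin()
    model = dpll(t.cnf_for(negated_property))
    if model is None:
        return True, None
    return False, {n: model.get(i, False) for n, i in t.ids.items() if not n.startswith("_aux")}

# F1: whoever is permitted to vote has not voted already.   ¬F1 = Permit ∧ voted
NOT_F1 = conj(PERMIT_EXPR, v("voted"))
# F2: everyone at least 18 is permitted to vote.            ¬F2 = age_ge_18 ∧ ¬Permit
NOT_F2 = conj(v("age_ge_18"), neg(PERMIT_EXPR))

if __name__ == "__main__":
    print("encoding agrees with direct semantics:", encoding_agrees())
    print("F1 holds:", property_holds(NOT_F1))      # (True, None)
    print("F2 holds:", property_holds(NOT_F2))      # (False, a counterexample environment)
```

Running the block shows the two outcomes the slides describe: ¬F1 is unsatisfiable, so F1 holds for every request, while ¬F2 is satisfiable and the solver's model (for instance a person who is at least 18 but has already voted, or whose request is not a vote) is a concrete request on which F2 fails. The `encoding_agrees` check is the bridge between the formal model and the Boolean translation: it is only meaningful because the environment here is finite, which is the same bound the paper's soundness and completeness claim depends on.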

Experiments. Use the Continue example, encoded into XACML by Fisler et al. Continue is a Web-based conference management tool that supports paper submission, review, discussion and notification. Use the Medico example from the XACML specification, which models a simple medical database meant to be accessed by physicians. Use the encoded voting example. 27

Experiments (cont'd). Property C1 tests that the conference manager correctly denies program committee chairs the ability to review papers they have a conflict with. Properties C2 and C7 test that the conference manager permits program committee members to edit reviews they own. Properties C3 and C8 test that the conference manager denies access to users without a defined role. Properties C4 and C5 test that the conference manager permits a program committee member who has called a meeting to read documents concerning the meeting, but not other arbitrary documents. Property C6 tests whether the conference manager permits program committee members to read all parts of a review. 28

Experiments (cont'd). Property C9 tests whether the conference manager permits unauthorized user roles to set meetings. Properties C10 and C11 test that the conference manager permits program committee members who have filed their review to read the reviews of others, and denies program committee members who have not yet filed their review the ability to read other reviews. Properties M1 and M2 test whether the unified Medico policy permits a physician to edit the medical records of their patients. Property V1 is just the voting property. 29

Margrave. Margrave is a change-impact analysis tool for the XACML language. The CONTINUE example only runs under Margrave 1-1 and XACML 1.0. Margrave parses the XACML and converts it into a form suitable for analysis only once, and can then check as many properties as desired. Margrave manages this by using a binary decision diagram (BDD) for analysis. 30

Table 1: Verification performance under this work 31

Table 2: Verification performance under Margrave 32

Conclusion. We have presented a formal model for access control policies and shown how to verify interesting properties of such models in an automated way. We translate queries about access control policies into Boolean satisfiability problems and use a SAT solver to obtain an answer. For finite-state specifications our approach is sound and complete, as long as the user chooses a sufficiently large bound and the complex XACML functions are not used in the specification. 34

Thanks for listening. 35