Policy Analysis for Self-administrated Role-based Access Control
Gennaro Parlato (U. Southampton, UK), Anna Lisa Ferrara (U. Bristol, UK), P. Madhusudan (UIUC, USA)


Role-based Access Control (RBAC)
RBAC is an access control model
- for large organizations
- standardized (NIST)
- supported by: Microsoft SQL Server, Microsoft Active Directory, SELinux, Oracle DBMS
Users are assigned to Roles, and Roles are assigned Permissions. Permissions are pairs (object, operation).
- UA ⊆ Users × Roles (user assignment)
- PA ⊆ Roles × Permissions (permission assignment)

RBAC Example: Hospital
Roles: Doctor, Manager, Nurse, Patient, PrimaryD, Receptionist, …
Permissions: p1 = Create_Appointment, p2 = View_OldMedicalRecord, p3 = View_RecentMedicalRecords, …
PA: (p1, Receptionist), (p2, Doctor), (p3, Doctor), …
UA: (Mary, Receptionist), (John, Doctor), (John, PrimaryD), (Jenny, Patient), (Tim, Doctor), …

Administrative RBAC (ARBAC)
UA and PA relations may change by means of administrative rules; admins (users holding admin roles) perform admin actions on the Users × Roles (UA) and Roles × Permissions (PA) relations.
- Assign(admin_role, precondition, target_role): if admin user A has admin_role, then A can assign any user u who satisfies precondition to target_role
- Revoke(admin_role, precondition, target_role): analogously, A can revoke target_role from any user u who satisfies precondition
The precondition is a conjunction of literals over the set of Roles.

Example of ARBAC Policy
Assign rules
- assign( Manager, ¬Doctor, Receptionist )
- assign( Manager, true, Nurse )
- assign( Patient, Doctor ∧ ¬Patient, PrimaryDoctor )
- …
Revoke rules
- revoke( Manager, true, Receptionist )
- revoke( Manager, true, Nurse )
- …
Admins: Manager, Patient, Receptionist, …

Security Requirements
Designers have security properties in mind while designing the set of assignment/revocation rules:
- Availability properties: a doctor must always be able to access patients' records
- Escalation of privileges: a receptionist cannot be granted doctors' permissions
- Separation of duties: a doctor cannot also be a receptionist

Role-reachability Problem
Availability, separation of duties, escalation of privileges, … each reduces to the role-reachability problem: can any user gain access to a given role goal using the ARBAC rules?
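As an added example (not the authors' tool or code), the hospital policy above as Python data, an explicit-state search for role-reachability, and a separation-of-duties check expressed as role-reachability of a fresh role whose precondition is the forbidden role pair (that reduction is my assumption; the slides only say each property reduces). The Manager user "Bob" is constructed, since the slide's UA lists no manager.

```python
# ARBAC policy of the hospital example. A precondition is a conjunction of
# literals over roles: ("Doctor", True) means "in Doctor", ("Patient", False)
# means "not in Patient"; the empty tuple is "true".
ASSIGN = [
    ("Manager", (("Doctor", False),), "Receptionist"),
    ("Manager", (), "Nurse"),
    ("Patient", (("Doctor", True), ("Patient", False)), "PrimaryDoctor"),
]
REVOKE = [
    ("Manager", (), "Receptionist"),
    ("Manager", (), "Nurse"),
]
# Initial UA from the slides plus a constructed Manager user "Bob".
UA0 = {
    "Mary": {"Receptionist"},
    "John": {"Doctor", "PrimaryDoctor"},
    "Jenny": {"Patient"},
    "Tim": {"Doctor"},
    "Bob": {"Manager"},
}

def satisfies(roles, precond):
    return all((r in roles) == want for r, want in precond)

def successors(ua, assign, revoke):
    """One administrative step: a user holding admin_role changes one user."""
    held = {r for roles in ua.values() for r in roles}  # roles someone holds
    for user, roles in ua.items():
        for admin_role, pre, target in assign:
            if admin_role in held and satisfies(roles, pre) and target not in roles:
                yield {**ua, user: roles | {target}}
        for admin_role, pre, target in revoke:
            if admin_role in held and satisfies(roles, pre) and target in roles:
                yield {**ua, user: roles - {target}}

def reachable(goal, ua0=UA0, assign=ASSIGN, revoke=REVOKE):
    """Role-reachability: can any user end up in `goal`? Explicit-state search,
    fine for this toy policy; the state space is (2^#roles)^#users in general."""
    key = lambda ua: frozenset((u, frozenset(r)) for u, r in ua.items())
    seen, frontier = {key(ua0)}, [ua0]
    while frontier:
        ua = frontier.pop()
        if any(goal in roles for roles in ua.values()):
            return True
        for nxt in successors(ua, assign, revoke):
            if key(nxt) not in seen:
                seen.add(key(nxt))
                frontier.append(nxt)
    return False

def sod_violation_reachable(role_a, role_b):
    """Separation of duties via role-reachability (assumed reduction): a fresh
    role granted to anyone holding both roles; is that fresh role reachable?"""
    extra = ("Manager", ((role_a, True), (role_b, True)), "SoD_" + role_a + role_b)
    return reachable(extra[2], assign=ASSIGN + [extra])
```

With these rules Doctor/Nurse is reachable as a pair (the Manager can assign Nurse to anyone), while Doctor/Receptionist is not, because Receptionist requires ¬Doctor and no rule grants Doctor.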

Importance of Automated Analysis
[Figure: the configuration of the system as a table of users u1, u2, … against roles r1, r2, …, rn, changed by Assign/Revoke actions]
- Monitoring strategies are not acceptable: denial-of-service
- Verification is essential
- Policies are difficult to inspect by hand: state space = O((2^#roles)^#users)

State-of-the-art
The reachability problem is
- PSPACE-complete [CSFW'06]
- fixed-parameter tractable in # roles [CCS'07]
Restricted scenarios to tackle reachability:
- separate administration (limits expressiveness): administrative roles and regular roles are disjoint, and assignment/revocation of admin roles is not allowed; this allows tracking only one user as opposed to tracking all users [CCS'07]
- under-approximation techniques (under separate administration): error-finding (shallow errors), not appropriate for proving correctness [CCS'11]

State-of-the-art (beyond separate administration)
Proving correctness [Ferrara, Madhusudan, Parlato, Security Analysis of RBAC through Program Verification, CSF'12]
Idea:
- simulate the system precisely with a program over integers
- each variable tracks the # of users in a role combination
- exponential # of variables
Over-approximation (effective):
- create a program that tracks only a few role combinations
- analysis with Interproc with the box domain
- scalable analysis (correctness)
- we cannot generate security attacks

Our Contribution
Achieving completeness and correctness without any restriction
- Fundamental Theorem: it is enough to track only k users at any time, where k is the # of admin roles; this leads to a significant trimming procedure (much smaller # of users, admin roles, roles)
- Novel pruning technique: transform the policy into a smaller one preserving role-reachability (effective also for separate administration)
- Tool: VAC, Verifier of Access Control
- Experiments on realistic policies from the literature: hospital, university, bank, and three suites of complex policies

Experimental Results (hospital, university policies)
[Table: for the Hospital, University and Bank 4 policies, the # of roles, admin roles, rules and users before and after pruning, the analysis time (between 0.0s and 0.3s) and whether the goal role is reachable (Yes/No); the per-row cell values did not survive extraction]
Complete analysis without the separate administration restriction!

Experimental Results (three suites of complex policies)
[Table: for the First, Second and Third Suite, policies of size 20k, 80k, 30k, 120k, 40k and 200k rules; # of roles and rules after pruning, and analysis time (from under a second up to about 21 minutes); the per-row cell values did not survive extraction]
Complete analysis on complex policies! Previously, only error-finding tools were successful on these.

Experimental Results (bank policies)
[Table: for Bank 1, Bank 2, Bank 3 and Bank 4, the # of roles and rules before and after pruning, and the analysis time (at most a few seconds); the per-row cell values did not survive extraction]
Previously, only error-finding tools were successful on these.


Finite Model Property
Theorem: the role-reachability problem can be solved by tracking at most k+1 users, where k is the # of administrative roles.

Idea of the proof 1/3
Consider a run π = c1 --m1--> c2 --m2--> … ci --mi--> ci+1 … cn --mn--> cn+1, where mi is a rule applied by a user in the admin role Admin_i, and each configuration ci is the table of users u1, u2, … against roles r1, r2, …, rn.
- A user u is engaged if u's configuration changes along the run.
- A user u is essential if there is an index i at which u is the only user in Admin_i at configuration ci.

Idea of the proof 2/3
Simplification rules applied to the run π:
- pick a non-essential user u and remove all transitions changing u's configuration
- if all users are essential, then pick an engaged user u and remove all transitions changing u's configuration after the last configuration in which u is essential
- …
Termination is guaranteed.

Idea of the proof 3/3
For any two distinct engaged users u1 and u2 of the simplified run π: if u1 is essential for role admin1 (the last time) and u2 is essential for role admin2 (the last time), then admin1 ≠ admin2.
Hence there are at most k engaged users in the run π, where k = # admin roles.

Exploiting the Theorem
Can we track fewer users? No: theoretically the k+1 bound is tight.
Heuristics:
- Remove admin roles: an admin role A is immaterial if there are more than k+1 users in role A. Transform immaterial roles into regular ones.
- Remove users: for each role combination we need at most k+1 users.
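An added example (not the VAC tool's code) of the two heuristics above on a constructed initial user assignment with many users sharing the same role combination; it keeps k+1 users per combination, reports which admin roles are immaterial (the transformation into regular roles itself is not implemented), and compares the (2^#roles)^#users state-space bound before and after trimming.

```python
from collections import Counter, defaultdict

# Constructed initial UA: 20 doctors, 7 patients, 3 managers and one
# nurse-receptionist. Admin roles as on the example slide, so k = 3.
ADMIN_ROLES = {"Manager", "Patient", "Receptionist"}
ROLES = {"Doctor", "Manager", "Nurse", "Patient", "Receptionist"}
UA = {f"doc{i}": {"Doctor"} for i in range(20)}
UA.update({f"pat{i}": {"Patient"} for i in range(7)})
UA.update({f"mgr{i}": {"Manager"} for i in range(3)})
UA["nurse0"] = {"Nurse", "Receptionist"}

def state_space_bound(ua, roles):
    """Size of the configuration space quoted on the slides: (2^#roles)^#users."""
    return (2 ** len(roles)) ** len(ua)

def trim_users(ua, admin_roles):
    """Remove-users heuristic: keep at most k+1 users per initial role
    combination (k = # admin roles); further users with an identical role
    set are interchangeable for role-reachability."""
    k = len(admin_roles)
    by_combination = defaultdict(list)
    for user, roles in ua.items():
        by_combination[frozenset(roles)].append(user)
    return {user: set(roles)
            for roles, users in by_combination.items()
            for user in users[: k + 1]}

def immaterial_admin_roles(ua, admin_roles):
    """Remove-admin-roles heuristic: an admin role held by more than k+1
    users in the initial configuration is immaterial and can be treated
    as a regular role."""
    k = len(admin_roles)
    members = Counter(r for roles in ua.values() for r in roles)
    return {a for a in admin_roles if members[a] > k + 1}
```

On this input trimming leaves 4 doctors, 4 patients, 3 managers and the nurse (12 users instead of 31), and Patient is the only immaterial admin role.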


Our tool
Input: a policy and a goal role. The policy is first pruned, then analysed along one of two paths:
- CSF'12 path: ad hoc abstraction into an integer program, interval abstraction using INTERPROC; NO: policy correct, Yes: may be a false error
- TACAS'13 path: boolean program encoding, model checking with GetaFix; NO: policy correct, Yes: error

Conclusions & Future work

Conclusions
- foundation of reasoning with ARBAC policies (no separate administration)
- small model property: tracking a bounded # of users suffices for role-reachability
- developed heuristics to effectively reduce ARBAC systems on real-world policies
- VAC, Verifier of Access Control, developed
Future work
- Apply our techniques to systems supporting RBAC: OS, Microsoft SQL Server, Microsoft Active Directory, SELinux, Oracle DBMS
- Extend our results to more expressive specs (e.g., info flow, data leakage)
- Provide a counter-example guided abstraction scheme

Future Work
Automated analysis of access control policies
- Apply our techniques to systems supporting RBAC: Microsoft SQL Server, Microsoft Active Directory, SELinux, Oracle DBMS
- Extend our results to more expressive specs (e.g., data leakage)
- Provide a counter-example guided abstraction scheme, combined with the over-approximation we developed (CSF'12)

Experimental Results (CSF'12)
[Table: for Bank 1, Bank 2, Bank 3 and Bank 4, the # of roles and actions before and after pruning, the time to transform the policy, the INTERPROC time and the total time (ranging from seconds up to about 13 minutes); the per-row cell values did not survive extraction]
We can prove correctness! Previously, only error-finding tools were successful on these.


State-of-the-art Experiments
Standardized realistic set of benchmarks:
- hospital policy
- university policy
- bank policy
- three suites of complex policies
Existing tools offer either complete analysis under separate administration or error-finding only (shallow errors).