Computer Science Conformance Checking of Access Control Policies Specified in XACML Vincent C. Hu (National Institute of Standards and Technology) Evan.


Computer Science Conformance Checking of Access Control Policies Specified in XACML Vincent C. Hu (National Institute of Standards and Technology) Evan Martin, JeeHyun Hwang, Tao Xie (North Carolina State University)

Computer Science 2 Outline Motivation Background –Access Control –XACML Conformance Checking Policy Verification & Testing Conclusion

Computer Science 3 Motivation Digital information is easy to access and search Sensitive information requires access control mechanisms A growing trend is to specify access control policies in a generic specification language such as XACML + Flexibility, expressiveness –Complexity, verbosity –Lack of desirable-property enforcement

Computer Science 4 Problem How to ensure the correct specification of access control policies? –What you specify is what you get, but not necessarily what you want Conformance checking: checking policies against properties (models or specifications) Systematic testing of access control policies –Complements policy verification, which may not support full policy features or complex properties –Just like software testing + software verification

Computer Science 5 Background: Access Control System Model [Diagram: Access Control policy, Access Control model, Access Control mechanism, Access Control algorithm, access states and Access Control rules, linked by the cardinalities 1:0~n, 1:n, 1:1, 1:n and n:n] At an elementary level, an access control system consists of the space of states and the space of rules.

Computer Science 6 Background: Access Control Three primary objectives: –Determining which subjects are entitled to have access to which objects (Authorization); –Determining the access rights permitted (a combination of access modes such as read, write, execute, delete, and append); –Enforcing the access rights. An access control policy describes how to achieve these three goals. Subject: An active entity, generally in the form of a person, process, or device, that causes information to flow among objects. Object: A passive entity that contains or receives information. Access to an object potentially implies access to the information it contains.

Computer Science 7 Background: XACML eXtensible Access Control Markup Language –OASIS standard XML syntax for specifying policies, requests, and responses –A flexible and expressive language but complex and verbose A Subject who wishes to perform an Action on a Resource (Object) must do so through a PEP. The PEP forms the XACML request and sends it to the PDP. The PDP checks the request against the Policy and returns an XACML response. The PEP either Permits or Denies access to the resource.

Computer Science 8 Background: XACML Key Concepts A Policy Set holds other policies or policy sets. A Policy is expressed as a set of rules. A Rule has targets and a set of conditions that determine if the rule applies to a given request. Both rule and policy Combining Algorithms exist to reconcile conflicts.

Computer Science 9 XACML Example
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicySetId="college" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
A College Policy on Grades
<Policy PolicyId="fac" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
Faculty Policy
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType=" Faculty
<SubjectAttributeDesignator AttributeId="role" DataType=" />
Slide callouts: Policy Set Target, Policy Target

Computer Science 10 XACML Example
ExternalGrades <ResourceAttributeDesignator AttributeId="resource-class" DataType=" />
InternalGrades <ResourceAttributeDesignator AttributeId="resource-class" DataType=" />
Assign <ActionAttributeDesignator AttributeId="command" DataType=" />
Receive <ActionAttributeDesignator AttributeId="command" DataType=" />
Slide callouts: Target Rule

Computer Science 11 XACML Example
Student Policy
Student
ExternalGrades <ResourceAttributeDesignator AttributeId="resource-class" DataType=" />
Receive <ActionAttributeDesignator AttributeId="command" DataType=" />
Slide callout: Rules can have a more complicated condition tag here

Computer Science 12 Policy Conformance Checking Check XACML Policies against Properties –Rule binding (properties of encoded access control models) –Access control features (e.g., safety, separation of duty) [Diagram: Access Control policy, Access Control model, Access Control mechanism, Access Control algorithm, access states and Access Control rules, linked by the cardinalities 1:0~n, 1:n, 1:1, 1:n and n:n]

Computer Science 13 Model: Bell-LaPadula [1973] [Diagram: Subjects and Objects, each at the levels Top Secret, Secret, Unclassified; arrow label: Read OK]

Computer Science 14 Model: Bell-LaPadula [1973] [Diagram: Subjects and Objects, each at the levels Top Secret, Secret, Unclassified; arrow labels: Read OK, Read Forbidden, Read OK]

Computer Science 15 Model: Bell-LaPadula [1973] [Diagram: Subjects and Objects, each at the levels Top Secret, Secret, Unclassified; arrow labels: Write OK, Write Forbidden]

Computer Science 16 Model: Bell-LaPadula [1973] [Diagram: Subjects and Objects, each at the levels Top Secret, Secret, Unclassified; arrow labels: Write OK, Write Forbidden, Write OK]
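
An added example, not from the slides or the authors' tools, of checking a policy against the Bell-LaPadula properties (no read up, no write down) by enumerating every request and reporting the ones the policy permits although the model forbids them. The rule table, its first-applicable evaluation and the seeded fault are constructed assumptions standing in for an XACML policy.

```python
from itertools import product

LEVELS = ["Unclassified", "Secret", "Top Secret"]  # low to high
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed rule table (assumption, not XACML syntax):
# (effect, subject levels, action, object levels). The first applicable rule
# decides; a request that matches no rule is denied.
POLICY = [
    ("Permit", {"Top Secret"}, "read", {"Top Secret", "Secret", "Unclassified"}),
    ("Permit", {"Secret"}, "read", {"Secret", "Unclassified"}),
    ("Permit", {"Unclassified"}, "read", {"Unclassified"}),
    ("Permit", {"Unclassified", "Secret"}, "write", {"Secret", "Top Secret"}),
    ("Permit", {"Top Secret"}, "write", {"Top Secret", "Secret"}),  # seeded fault
    ("Permit", {"Unclassified"}, "write", {"Unclassified"}),
]
# Same table with the seeded fault repaired.
FIXED = POLICY[:4] + [("Permit", {"Top Secret"}, "write", {"Top Secret"})] + POLICY[5:]

def decide(policy, subject, action, obj):
    """Decision of the rule table for one request."""
    for effect, subjects, act, objects in policy:
        if subject in subjects and action == act and obj in objects:
            return effect
    return "Deny"

def blp_allows(subject, action, obj):
    """The model's properties: no read up, no write down."""
    if action == "read":
        return RANK[subject] >= RANK[obj]
    return RANK[subject] <= RANK[obj]

def violations(policy):
    """Every request the policy permits although the model forbids it."""
    return [(s, a, o) for s, a, o in product(LEVELS, ("read", "write"), LEVELS)
            if decide(policy, s, a, o) == "Permit" and not blp_allows(s, a, o)]

if __name__ == "__main__":
    print("faulty policy:", violations(POLICY))
    print("fixed policy: ", violations(FIXED))
```
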

Computer Science 17 Model: Chinese Wall [Brewer&Nash 89] [Diagram: a subject, an object ox in Group X and an object oy in Group Y] Group X & Group Y are conflict-of-interest groups. If a subject has accessed an object in Group X, the subject will not be granted access to an object in Group Y.

Computer Science 18 Model: Role-Based Access Control (RBAC) [Ferraiolo&Kuhn 92] Express an access control policy in terms of the roles that individuals play within the organization. Can support a variety of policies through its configuration. XACML profile for RBAC [2004]

Computer Science 19 Access Control Features Safety: whether access granted through the XACML specification leaks any privilege. Separation of Duties (SOD): Role-centric: 1 user cannot fill 2 conflicting roles. User-centric: 2 conflicting users cannot collectively fill 2 roles in conflict. Others…

Computer Science 20 Proposed Conformance Checking Implementation Some properties are enforced by XACML profiles Some simple properties can be formulated to feed to Margrave (a policy verification tool [Fisler et al. 05] ) More complicated properties can be dynamically checked with policy testing

Computer Science 21 [Diagram comparing Software Testing (Test Inputs, Program, Test Outputs, Expected Outputs) with Policy Testing (Requests, Policy, Responses, Expected Responses)]

Computer Science 22 Systematic Policy Testing Structural coverage criteria/measurement [ICICS 06] –Policy coverage –Rule coverage –Condition coverage Request generation [ICICS 06, SESS 07] Mutation testing [WWW 07] Application in conformance checking Identify likely policy locations related to properties and then generate requests to cover these locations Investigate the relationship between conformance checking and structural coverage or fault types

Computer Science 23 Structural Coverage Criteria Rationale: like in program testing, when the policy part containing a fault is not “covered”, the error is often not exposed. Given a request q and a policy P, we say q covers a rule m in P if m contributes to the decision of q. The rule m contributes to the decision of q if all Cond are satisfied by q. –The sequence of rules and combining algorithms may also affect coverage. Rule coverage of P by requests Q = (#rules covered by at least one request in Q) / (#rules in P). Similarly define policy coverage/condition coverage [ICICS 06]

Computer Science 24 Request Generation via Change-Impact Analysis (Cirg) [SESS 07] Access Control Policy → 1. Version synthesis → Policy Versions → 2. Change-impact analysis → Counterexamples → 3. Request generation → Requests. Synthesize versions (all-to-negate-one) for Margrave [Fisler et al. 05]

Computer Science 25 Fault Model and Mutation Testing Fault model used to model things that could go wrong when constructing a policy Fault model is the underlying foundation of mutation testing [DeMillo et al. 78] (similar to fault injection): –Policy is iteratively mutated to produce numerous mutants – each containing one fault Usages –Measure fault-detection effectiveness of test generation or test selection –Select tests [WWW 07]

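Computer Science 26 Policy Mutation Testing [Diagram: the Mutator applies Mutation Operators to the Policy to produce a Mutant Policy; the same Requests are evaluated against both, giving Responses and Mutant Responses; if they differ, the mutant is killed] [WWW 07]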
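
An added example, not from the slides or the authors' tools, that ties the rule-coverage definition on slide 23 to the mutation testing on slides 25 and 26: it computes rule coverage for two request sets and shows that a mutant whose faulty rule is never covered survives. The policy is a constructed, simplified stand-in for the slides' college grades policy, and flipping a rule's effect is an assumed mutation operator.

```python
from fractions import Fraction

# Constructed, simplified stand-in for the slides' "college" policy (not XACML):
# each rule is (effect, roles, resource classes, commands).
POLICY = [
    ("Permit", {"Faculty"}, {"ExternalGrades", "InternalGrades"}, {"Assign", "Receive"}),
    ("Permit", {"Student"}, {"ExternalGrades"}, {"Receive"}),
]

def evaluate(policy, request):
    """Return (decision, indices of rules the request covers), permit-overrides."""
    role, resource, command = request
    covered = {i for i, (_, roles, resources, commands) in enumerate(policy)
               if role in roles and resource in resources and command in commands}
    effects = {policy[i][0] for i in covered}
    if "Permit" in effects:
        return "Permit", covered
    return ("Deny" if "Deny" in effects else "NotApplicable"), covered

def rule_coverage(policy, requests):
    """#rules covered by at least one request / #rules in the policy."""
    covered = set()
    for q in requests:
        covered |= evaluate(policy, q)[1]
    return Fraction(len(covered), len(policy))

def mutants(policy):
    """One mutant per rule, each with a single fault: that rule's effect flipped."""
    for i, (effect, *target) in enumerate(policy):
        flipped = "Deny" if effect == "Permit" else "Permit"
        yield policy[:i] + [(flipped, *target)] + policy[i + 1:]

def mutation_score(policy, requests):
    """Fraction of mutants killed, i.e. some request gets a different response."""
    expected = [evaluate(policy, q)[0] for q in requests]
    all_mutants = list(mutants(policy))
    killed = sum([evaluate(m, q)[0] for q in requests] != expected for m in all_mutants)
    return Fraction(killed, len(all_mutants))

# Constructed request sets: (role, resource-class, command).
FACULTY_ONLY = [("Faculty", "InternalGrades", "Assign")]
BOTH_ROLES = FACULTY_ONLY + [("Student", "ExternalGrades", "Receive")]

if __name__ == "__main__":
    for name, reqs in (("faculty only", FACULTY_ONLY), ("both roles", BOTH_ROLES)):
        print(name, rule_coverage(POLICY, reqs), mutation_score(POLICY, reqs))
```
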

Computer Science 27 Conclusions XACML provides freedom in specifying policies but induces complexity, verbosity, and a lack of desirable-property enforcement. We propose to conduct conformance checking of policies against –Access control model’s properties (rule binding) –Access control features. Checking is conducted based on policy verification and testing (structural coverage, request generation, mutation testing).

Computer Science 28 Questions?