Computer Science 1 Detection of Multiple-Duty-Related Security Leakage in Access Control Policies JeeHyun Hwang 1, Tao Xie 1, and Vincent Hu 2 North Carolina.

Presentation transcript:

Detection of Multiple-Duty-Related Security Leakage in Access Control Policies
JeeHyun Hwang (1), Tao Xie (1), and Vincent Hu (2)
(1) North Carolina State University
(2) National Institute of Standards and Technology
(SSIRI 2009)

Automated Software Engineering Research Group

Access Control Policy Evaluation
Access control mechanisms control which subjects (such as users or processes) have access to which resources.
Diagram labels: Policy, Request, Response (Permit, Deny, or Not-applicable)

Motivation
- Access control policies are increasingly written in specification languages such as XACML
- Misconfiguration and mistakes in access control policies lead to security problems
- Identifying discrepancies between policies and their intended function is necessary
Security leakage in access control policies?

Problem
Multiple-Duty-Related Security Leakage
- In XACML, a subject can hold multiple roles (e.g., both TA and student)
Mistakes in handling such requests introduce a security leakage
Verification of access control policies to detect such leakage is necessary
Can a faculty member write a Grade? Yes
Can a student write a Grade? No
Can a person who holds both student and faculty roles give a Grade???

Outline
Motivation
Problem
Background and Example
Framework
- Inconsistency Detection
- Policy Fixing
- Change Impact Analysis
Evaluation Results
Conclusion

XACML Policy Structure
May 12, 2007 WWW 2007, Banff, Alberta, Canada
eXtensible Access Control Markup Language
- OASIS standard XML syntax for specifying policies, requests, and responses
A flexible and expressive language, but complex and verbose
Key concepts
A Policy Set holds other policies or policy sets.
A Policy is expressed as a set of rules.
A Rule has targets and a set of conditions.
Both rule and policy Combining Algorithms exist to reconcile conflicts.
- First-Applicable, Only-One-Applicable, Permit-Overrides, and Deny-Overrides algorithms
Evaluated Decision can be Permit, Deny, Not-applicable, or Indeterminate

XACML Example
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicySetId="college" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
A College Policy on Grades
<Policy PolicyId="fac" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
Faculty Policy
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType=" Faculty
<SubjectAttributeDesignator AttributeId="role" DataType=" />
Callout labels: Policy Set, Policy, Target, Subject

XACML Example
ExternalGrades
<ResourceAttributeDesignator AttributeId="resource-class" DataType=" />
InternalGrades
<ResourceAttributeDesignator AttributeId="resource-class" DataType=" />
Assign
<ActionAttributeDesignator AttributeId="command" DataType=" />
Receive
<ActionAttributeDesignator AttributeId="command" DataType=" />
Callout labels: Target, Resource, Rule, Target, Action
More Rules can be added

Example Policy and Request Evaluation
1. If role = Faculty and resource = (ExternalGrades or InternalGrades) and action = (View or Write) then Permit
2. If role = Student and resource = ExternalGrades and action = View then Permit
3. If role = Student and resource = ExternalGrades and action = Write then Deny
Else Deny
Request: Member of Faculty role wishes to Write ExternalGrades.
Decision: Permit decision is evaluated (by satisfying 1st Rule's condition)
Request: Member of Student role wishes to Write ExternalGrades.
Decision: Deny decision is evaluated (by satisfying 3rd Rule's condition)
Request: Member of Student and Faculty roles wishes to Write ExternalGrades.
Decision: Permit decision is evaluated (1st and 3rd Rules' conditions are satisfied), considering the first-applicable rule algorithm

Inconsistency and Potential Security Leakage
Student can take an additional faculty role?
Restriction on using conflicting roles in a request
However, if multiple role assignment is allowed, inspect whether the 3rd request includes any potential security leakage
Student can write his own grade!!!
3rd Request is permitted: Member of Student (with an additional Faculty role) wishes to Write ExternalGrades.
2nd Request is denied: Member of Student role wishes to Write ExternalGrades.
Decision is inconsistent

Framework

Inconsistency Detection
Candidate Request R1: (Student, Write, ExternalGrades)
Multiple-Duty Request R2: (Student and Faculty, Write, ExternalGrades)
Inconsistency check
Manual inspection is required to decide whether a detected inconsistency causes real security leakage

Policy Fixing Example (1/3)
The example policy fixed by static separation of duty
New Rule Addition:
If role = (Faculty and Student) then Deny
If role = Faculty and resource = (ExternalGrades or InternalGrades) and action = (View or Write) then Permit
If role = Student and resource = ExternalGrades and action = View then Permit
If role = Student and resource = ExternalGrades and action = Write then Deny
Else Deny

Policy Fixing Example (2/3)
The example policy fixed by adding a constraint on the first rule
Rule Constraint:
If role = Faculty and role != Student and resource = (ExternalGrades or InternalGrades) and action = (View or Write) then Permit
If role = Student and resource = ExternalGrades and action = View then Permit
If role = Student and resource = ExternalGrades and action = Write then Deny
Else Deny

Policy Fixing Example (3/3)
The example policy fixed by moving the originally last rule to the top
Change Rule Location:
If role = Student and resource = ExternalGrades and action = Write then Deny
If role = Faculty and resource = (ExternalGrades or InternalGrades) and action = (View or Write) then Permit
If role = Faculty and resource = (ExternalGrades or InternalGrades) and action = (View or Write) then Permit
Else Deny
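The inconsistency check and the three policy fixes above, as an added Python example that is not part of the original slides or the authors' tool. It models the example policy's three rules under first-applicable, and assumes a fall-through Deny, role sets limited to Faculty and Student, and brute-force enumeration for the policy comparison; all function and constant names are hypothetical.

```python
from itertools import product

ROLES = ("Faculty", "Student")
RESOURCES = ("ExternalGrades", "InternalGrades")
ACTIONS = ("View", "Write")
GRADES, EXT = set(RESOURCES), {"ExternalGrades"}

# Rule = (test on the request's role set, resources, actions, effect).
FACULTY = (lambda r: "Faculty" in r, GRADES, set(ACTIONS), "Permit")
STUDENT_VIEW = (lambda r: "Student" in r, EXT, {"View"}, "Permit")
STUDENT_WRITE = (lambda r: "Student" in r, EXT, {"Write"}, "Deny")

ORIGINAL = [FACULTY, STUDENT_VIEW, STUDENT_WRITE]
# Fix 1/3: new first rule denying any request that holds both roles.
FIX_NEW_RULE = [(lambda r: {"Faculty", "Student"} <= r, GRADES,
                 set(ACTIONS), "Deny")] + ORIGINAL
# Fix 2/3: constrain the Faculty rule with role != Student.
FIX_CONSTRAINT = [(lambda r: "Faculty" in r and "Student" not in r, GRADES,
                   set(ACTIONS), "Permit"), STUDENT_VIEW, STUDENT_WRITE]
# Fix 3/3: move the Student-Write Deny rule to the top.
FIX_REORDER = [STUDENT_WRITE, FACULTY, STUDENT_VIEW]

def evaluate(policy, roles, resource, action):
    """First-applicable: the first matching rule decides the request."""
    for role_test, resources, actions, effect in policy:
        if role_test(roles) and resource in resources and action in actions:
            return effect
    return "Deny"  # assumed fall-through decision when no rule matches

def inconsistencies(policy):
    """Candidate request R1 (one role) vs multiple-duty R2 (R1 plus a role)."""
    found = []
    for role, extra, res, act in product(ROLES, ROLES, RESOURCES, ACTIONS):
        if role == extra:
            continue
        d1 = evaluate(policy, {role}, res, act)
        d2 = evaluate(policy, {role, extra}, res, act)
        if d1 != d2:
            found.append((role, extra, act, res, d1, d2))
    return found

def change_impact(old, new):
    """Requests whose decision differs between two policies (enumerated)."""
    role_sets = [{"Faculty"}, {"Student"}, {"Faculty", "Student"}]
    return [(sorted(rs), act, res, evaluate(old, rs, res, act),
             evaluate(new, rs, res, act))
            for rs, res, act in product(role_sets, RESOURCES, ACTIONS)
            if evaluate(old, rs, res, act) != evaluate(new, rs, res, act)]

if __name__ == "__main__":
    for name, pol in [("original", ORIGINAL), ("new rule", FIX_NEW_RULE),
                      ("constraint", FIX_CONSTRAINT), ("reorder", FIX_REORDER)]:
        print(name, evaluate(pol, {"Student", "Faculty"}, "ExternalGrades", "Write"),
              inconsistencies(pol), change_impact(ORIGINAL, pol))
```

All three fixes deny the Student-plus-Faculty write to ExternalGrades, but they differ in side effects: moving the rule changes one decision relative to the original policy, the rule constraint changes three, and the new rule changes four.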

Change Impact Analysis
Revised policy may include unintended changes
Change-impact analysis to avoid faults
- Comparing two policies and checking if there are unintended changes
- Leverages an existing access control policy change impact analysis tool called Margrave
Diagram labels: Original Policy, Revised Policy, Compare

Evaluation
A request includes at least 1 subject, 1 resource, and 1 action
3 Policy Structure Types
- Permit (Deny) policy includes permit (deny) rules and a deny (permit) fall through rule
- Hybrid policy includes both permit and deny rules
6 Inconsistency Types
- dec_i-dec_j inconsistency (e.g., permit-deny)
Two decisions are inconsistent
A request r is evaluated to dec_i and a request r' (holding an additional role on r) is evaluated to dec_j

XACML Policy Subjects
6 permit, 2 deny, and 3 hybrid XACML policies

Evaluation Results (1/2)
In the gradeSheet policy, a student cannot write grades; however, a student (holding a TA role) can write grades.
In the health-care policy, a doctor can view private notes; however, a manager (holding a doctor role) cannot view private notes.

Evaluation Results (2/2)
NA (Not-applicable) to deny (permit) inconsistencies are detected; most such inconsistencies are introduced by a single matching rule
No deny (permit) to NA (Not-applicable) inconsistencies are detected

Conclusion
XACML is designed to be flexible by allowing a request with multiple roles (duties), and this feature may cause multiple-duty-related security leakage
We have developed a novel framework to detect such leakage
Our empirical results show that our framework can effectively pinpoint potential multiple-duty-related security leakage

Questions?

Related Work
Testing of XACML access control policies [Martin et al. ICICS 2006, WWW 2007]
Change Impact Analysis of XACML access control policies [Fisler et al. ICSE 2005]
Verification of access control policies using Alloy or RW specification language [Hughes et al. Tech Report 2004 and Zhang et al. ISC 2005]
Analysis of Firewall policies [Yuan et al. S&P 2006 and El-Atawy et al. INFOCOM 2007]

Discussion