Presentation is loading. Please wait.

Presentation is loading. Please wait.

VAC - Verifier of Administrative Role-based Access Control Policies

Published bySurya Gunardi Modified over 6 years ago

Similar presentations

Presentation on theme: "VAC - Verifier of Administrative Role-based Access Control Policies"— Presentation transcript:

1 VAC - Verifier of Administrative Role-based Access Control Policies
Anna Lisa Ferrara University of Bristol, UK P. Madhusudan University of Illinois, USA Truc Lam Nguyen Gennaro Parlato VAC is a verifier of administrative role-based access control policies. This is a joint work with Anna Lisa Ferrara, from University of Bristol, Madhu from University of Illinois, and my PhD supervisor Gennaro Parlato from University of Southampton. University of Southampton, UK

2 Role-based Access Control Policies (RBAC)
Professor p2 Dean p3 Student p4 PERMISSIONS ROLES USERS In role based access control (RBAC), rather than assigning permissions directly to users, users are grouped into roles and permissions are assigned to roles such that all users of a role will have all permissions associated to that role.

3 Role-based Access Control Policies (RBAC)
Professor p2 Dean p3 Student p4 PERMISSIONS ROLES USERS suitable for large organizations implemented in several software: Microsoft SQL Servers Microsoft Active Directory SELinux Oracle DBMS ... standardized by NIST This feature considerably easier the access control management and it is suitable for large organizations. Also, RBAC has been standardized by NIST and supported by several software, such as: Microsoft SQL Servers, SELinux, and Oracle DBMS.

4 Administrative RBAC (ARBAC) Systems
... rn u1 1 u2 Assign / Revoke rules Rules Assign (admin_role, precondition, target_role) Revoke (admin_role, precondition, target_role) An Administrative RBAC is an evolving system where a configuration describes the role membership of each user. With a transition we can either assign or revoke a role from a user. There are two kinds of rules: Here, an administrator that is member of admin_role can assign any user who satisfies the precondition to the role target role. Similarly, an administrator can also revoke a role from a user. conjunction of literals over the set of Roles

5 Security Properties Designers have security requirements availability
- A doctor must always be able to access patients’ record separation of duties - A doctor cannot be also a receptionist escalation of privileges - A receptionist cannot be granted doctors’ permissions ... Policies must meet certain security properties such as: availability, escalation of privileges, or separation of duties

6 Security Properties Enforcing security requirements
Designers have security properties in mind availability properties - A doctor must always be able to access patients’ record separation of duties - A doctor cannot be also a receptionist escalation of privileges - A receptionist cannot be granted doctors’ permissions ... Enforcing security requirements Monitoring may lead to denial-of-service attacks => policies correct by design (Automatic) verification is essential! Enforcing security requirements could be done using monitoring. However, this can lead to denial-of-service attacks. For example, it is not acceptable that a doctor cannot access patients’ data. Therefore, policies must be correct by design, and verification is essential.

7 Security properties as Role-reachability
availability properties - A doctor must always be able to access patients’ record separation of duties - A doctor cannot be also a receptionist escalation of privileges - A receptionist cannot be granted doctors’ permissions ... can be rephrased as Role-reachability Problem Can any user gain access to a given target role using Administrative RBAC rules? Most of the security properties of interest can be rephrased as a role-reachability problem. which asks whether any user can gain access to given target role using administrative RBAC rules?

8 Security properties as Role-reachability
availability properties - A doctor must always be able to access patients’ record separation of duties - A doctor cannot be also a receptionist escalation of privileges - A receptionist cannot be granted doctors’ permissions ... can be rephrased as Role-reachability Problem Can any user gain access to a given target role using Administrative RBAC rules? This problem is well known to be PSPACE-complete, and approximation techniques are required to get scalable solutions. PSPACE-complete!

9 VAC tool architecture No Error Unknown No Error Error Unknown
Abstract Transformer Integer Pgm Interproc YES Unknown Input File Precise Transformer µZ (Z3) Horn Pgm HSF No Error Pruning Eldarica NO Boolean Pgm Getafix YES Moped Error NuSMV Pgm NuSMV C Pgm NO CBMC Unknown YES We have developed the full-fledged tool, called VAC (Verifier of Access Control), that automatically solves the role-reachability problem of Administrative RBAC systems. Here is VAC’s architecture. Counter Example Error Trace Policy-to-Program TRANSFORMER

10 No Error Unknown No Error Error Unknown Error Trace
Abstract Transformer NO Integer Pgm Interproc YES Unknown Input File Precise Transformer µZ (Z3) Horn Pgm HSF No Error Pruning Eldarica NO Boolean Pgm Getafix YES Moped Error NuSMV Pgm [Ferrara, Madhusudan, Parlato - TACAS’13] - Remove roles rules, users - 90% policy size reduction NuSMV C Pgm NO CBMC Unknown YES The pruning module implements a heuristic presented in a recent TACAS paper that aims at reducing the state space, by removing redundant roles, rules, and users. This is one of the most important component of VAC for scalability. Counter Example Error Trace Policy-to-Program TRANSFORMER

11 No Error Unknown No Error Error Unknown Error Trace
Abstract Transformer NO No Error Integer Pgm Interproc YES Unknown Input File Precise Transformer µZ (Z3) Horn Pgm HSF No Error Pruning Eldarica NO Boolean Pgm Getafix YES Moped Error NuSMV Pgm NuSMV C Pgm NO CBMC Unknown YES After pruning, we transform the policy into a “program” that non-deterministically simulates the system behaviours. This allows us to reuse off-the-shelf tools for the analysis. Counter Example Error Trace Policy-to-Program TRANSFORMER

12 No Error Unknown No Error Error Unknown Error Trace
[Ferrara, Madhusudan, Parlato - CSF’12] Abstractly simulate the system No Error Abstract Transformer NO Integer Pgm over- approximation Interproc YES Unknown Input File Precise Transformer µZ (Z3) Horn Pgm HSF No Error Pruning Eldarica NO Boolean Pgm Getafix YES Moped Error NuSMV Pgm NuSMV C Pgm NO CBMC Unknown YES we have implemented an abstract transformer proposed in a CSF paper by Ferrara et al, that translates the policy into integer program that abstractly simulates the system, and then we use Interproc (with box domain) to analyze it. Since this approach is based on over-approximation, we can use it only to prove absence of security breaches. Counter Example Error Trace Policy-to-Program TRANSFORMER

13 No Error Unknown No Error Error Unknown Error Trace
Abstract Transformer NO Integer Pgm Interproc YES Unknown Input File Precise Transformer µZ (Z3) Horn Pgm HSF No Error Pruning Eldarica NO complete analysis Boolean Pgm Getafix Precisely simulates the system Fundamental theorem (track k users) k = # of admin roles [Ferrara, Madhusudan, Parlato - TACAS’13] YES Moped Error NuSMV Pgm NuSMV C Pgm NO CBMC Unknown YES We also have a transformer from the policy to a program that precisely simulates the system. This translation is based on a fundamental theorem that shows that it is sufficient to track at most k users where k is the number of administrative roles We can then translate the obtained program into Horn clauses, or Boolean programs or NuSMV. We support several backends for the verification. This approach leads to complete analysis. Counter Example Error Trace Policy-to-Program TRANSFORMER

14 No Error Unknown No Error Error Unknown Error Trace
Abstract Transformer NO Integer Pgm Interproc YES Unknown Input File Precise Transformer µZ (Z3) Horn Pgm HSF No Error Pruning Eldarica NO Boolean Pgm Getafix Precisely simulates the system Fundamental theorem (track k users) k = # of admin roles [Ferrara, Madhusudan, Parlato - TACAS’13] YES Moped Error NuSMV Pgm NuSMV C Pgm NO CBMC Unknown under- approximation YES The same program can be analysed using a Bounded model checking tool, and we support CBMC. If CBMC finds a counterexample, we also have a module that converts the CBMC counterexample to the counterexample of the original policy. Counter Example Error Trace Policy-to-Program TRANSFORMER

15 Experimental Results (Realistic policies & Case studies)
ORIGINAL POLICIES AFTER PRUNING ANALYSIS #roles #users #rules Time Violation 21 50 88 3 2 1 0.099s Yes 41 100 176 4 201 500 872 0.101s 501 1000 2201 0.100s 4001 10000 17536 0.239s 20000 50000 81210 0.844s 30000 70000 127713 1.288s 40001 100000 176062 1.586s Hospital Policies University Policies Bank Policies (case studies) Three suites of complex policies We have evaluated VAC on all benchmarks that we know from the literature, which comprise policies for an Hospital, a university, a bank with several branches, and three suites of complex policies. Here we just show the experiments on the first suite of complex policies. Each row represents a policy. For the column we report the number of roles rules and users of the original policy and after pruning. The table shown that the proning is very effective reducing considerably the state space. And this is true for all experiments we have done. This allows to analyze all benchmarks in less than 2 seconds.

16 VAC is a full-fledged tool
Conclusion VAC is a full-fledged tool main components: pruning and translation modules various back-ends: CBMC, Eldarica, Getafix, Interproc, Moped, NuSMV, HSF, and Z3 counterexample generation Availability: users.ecs.soton.ac.uk/gp4/VAC.html source code, benchmarks, static Linux binaries Related tools ASASP [Alberti, Armando, Ranise, Truong - CADE’11, STM’10] Mohawk [Jayaraman, Tripunitara, Ganesh, Rinard, Chapin - CCS’11, TISSEC’13] So to conclude, I have presented Vac, an automatic and efficient tool for verifying role reachability problem of administrative RBAC systems. The main components of Vac are a pruning module which is essential for scalability, and a policy-to-program translation module that reduces the role-reachability problem to program verification problems. VAC supports many backends for the analysis. Furthermore, it can provide counterexamples. Among the state-of-the-art tools for the analysis of administrative RBAC systems. Vac is the only tool that can provide: (1) complete analysis (2) counterexample generation, and (3) scalable analysis on large policies VAC is available online, you can find benchmarks, experiments on the website. You can also download the source code or static version of VAC.

17 Thank you! Thank you for your attention.

18 Q&A Why the policies need to be correct by design? How the administrator do not handle their job? Why monitoring lead to denial of service attacks? Can you show me how to rephrase security properties to role reachability? Can you show me what is the application of administrative RBAC policies?

Download ppt "VAC - Verifier of Administrative Role-based Access Control Policies"

Similar presentations

Operating System Security

Operating System Security
MSc IT UFCE8K-15-M Data Management Prakash Chatterjee Room 2Q18

MSc IT UFCE8K-15-M Data Management Prakash Chatterjee Room 2Q18
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Security Analysis of Role-based Access Control through Program Verification Anna Lisa Ferrara University of Bristol, UK P. Madhusudan University of Illinois,

Security Analysis of Role-based Access Control through Program Verification Anna Lisa Ferrara University of Bristol, UK P. Madhusudan University of Illinois,
Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais.

Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.
The Theory of NP-Completeness

The Theory of NP-Completeness
CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 13: Bounded Model Checking Instructor: Tevfik Bultan.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
The Data Attribution Abdul Saboor PhD Research Student Model Base Development and Software Quality Assurance Research Group Freie.

The Data Attribution Abdul Saboor PhD Research Student Model Base Development and Software Quality Assurance Research Group Freie.
1 A pattern language for security models Eduardo B. Fernandez and Rouyi Pan Presented by Liping Cai 03/15/2006.

1 A pattern language for security models Eduardo B. Fernandez and Rouyi Pan Presented by Liping Cai 03/15/2006.
Lecture 7 Integrity & Veracity UFCE8K-15-M: Data Management.

Lecture 7 Integrity & Veracity UFCE8K-15-M: Data Management.
An Investigation on Testing RBAC Constraints Presented by Jiao Chen 04/29/2003.

An Investigation on Testing RBAC Constraints Presented by Jiao Chen 04/29/2003.
Introduction Algorithms and Conventions The design and analysis of algorithms is the core subject matter of Computer Science. Given a problem, we want.

Introduction Algorithms and Conventions The design and analysis of algorithms is the core subject matter of Computer Science. Given a problem, we want.
Author: Graham Hughes, Tevfik Bultan Computer Science Department, University of California, Santa Barbara, CA 93106, USA Source: International Journal.

Author: Graham Hughes, Tevfik Bultan Computer Science Department, University of California, Santa Barbara, CA 93106, USA Source: International Journal.
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.

CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
Policy Analysis for Self-administrated Role-based Access Control Gennaro Parlato U. Southampton, UK Anna Lisa Ferrara P. Madhusudan U. Bristol, UK UIUC,

Policy Analysis for Self-administrated Role-based Access Control Gennaro Parlato U. Southampton, UK Anna Lisa Ferrara P. Madhusudan U. Bristol, UK UIUC,
Database Design and Management CPTG 424. 10/23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,

Database Design and Management CPTG /23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,
1 The Theory of NP-Completeness 2 Cook ’ s Theorem (1971) Prof. Cook Toronto U. Receiving Turing Award (1982) Discussing difficult problems: worst case.

1 The Theory of NP-Completeness 2 Cook ’ s Theorem (1971) Prof. Cook Toronto U. Receiving Turing Award (1982) Discussing difficult problems: worst case.

Similar presentations

Ads by Google