Presentation is loading. Please wait.

Presentation is loading. Please wait.

Policy Analysis for Self-administrated Role-based Access Control Gennaro Parlato U. Southampton, UK Anna Lisa Ferrara P. Madhusudan U. Bristol, UK UIUC,

Published byScarlett Roberts Modified over 9 years ago

Similar presentations

Presentation on theme: "Policy Analysis for Self-administrated Role-based Access Control Gennaro Parlato U. Southampton, UK Anna Lisa Ferrara P. Madhusudan U. Bristol, UK UIUC,"— Presentation transcript:

1 Policy Analysis for Self-administrated Role-based Access Control Gennaro Parlato U. Southampton, UK Anna Lisa Ferrara P. Madhusudan U. Bristol, UK UIUC, USA

2 RBAC is an access control model - for large organization - standard (NIST) - supported by: Microsoft SQL Servers, Microsoft Active Directory, SELinux, Oracle DBMS Role-based Access Control (RBAC) Users RolesPermissions Permissions are pairs (object, operation) UA = Users X Roles PA = Roles X Permissions

3 RBAC Example: Hospital Roles: Doctor, Manager, Nurse, Patient, PrimaryD, Receptionist,… Permissions: p 1 = Create_Appointment p 2 = View_OldMedicalRecord p 3 = View_RecentMedicalRecords … PA: (p 1, Receptionist) (p 2, Doctor) (p 3, Doctor) … UA: (Mary, Receptionist) (John, Doctor), (John, PrimaryD) (Jenny, Patient) (Tim, Doctor) …

4 UA and PA relations may change by means of administrative rules: Assign(admin_role, precondition, target_role) - if admin user A has admin_role, then A can assign any user u who satisfies precondition to target_role Revoke(admin_role, precondition, target_role) Administrative RBAC (ARBAC) Admins Users Admin Actions Users Permissions conjunction of literals over the set of Roles Admins Roles Roles UA PA

5 Example of ARBAC Policy Assign Rules - assign( Manager, ¬Doctor, Receptionist ) - assign( Manager, true, Nurse ) - assign( Patient, Doctor ∧ ¬Patient, PrimaryDoctor ) … Revoke Rules - revoke( Manager, true, Receptionist ) - revoke( Manager, true, Nurse ) … Admins: Manager, Patient, Receptionist,…

6 Designers have security properties in mind while designing the set of assignment/revocation rules Security Requirements Availability properties - A doctor must always be able to access patients’ record Escalation of privileges - A receptionist cannot be granted doctors’ permissions Separation of duties - A doctor cannot be also a receptionist

7 Role-reachability Problem - availability - separation of duties, - escalation of privileges - … Role-reachability Problem each reduces to Can any user gain access to a given role goal using the ARBAC rules?

8 Importance of Automated Analysis 1 00 0 01 r 1 r 2 rnrn configuration of the system Assign/Revoke actions u1u1 u2u2...... … … …......... Monitoring strategies are not acceptable: denial-of-service Verification is essential Policies are difficult to inspect by hand: state space = O ( (2 #roles ) #users )

9 State-of-the-art Reachability problem is - PSPACE-complete [CSFW’06] -fixed parameter tractable in # roles [CCS’07] Restricted scenarios to tackle reachability separate administration (limits expressiveness) administrative roles and regular roles are disjoint assignment/revocation admin roles is not allowed allows to track only one user as opposed to tracking all users [CCS’07] under-approximation techniques (under separate administration) error-finding (shallow errors) not appropriate for correctness [CCS’11]

10 State-of-the-art (beyond separate administration) Proving correctness [Ferrara, Madhusudan, Parlato, Security Analysis of RBAC through Program Verification – CSF’12] Idea: - simulate precisely the system with a program with integers - each variable tracks the # of users in a role combination - exponential # of variables Over-approximation (effective) - create a program that tracks only few role combinations - analysis with Interproc with box domain - scalable analysis (correctness) - we cannot generate security attacks

11 Our Contribution Achieving completeness and correctness without any restriction Fundamental Theorem : It is enough to track only k users at any time, where k is the # of admin roles - leads to a significant trimming procedure (much smaller # of users, admin roles) Novel Pruning technique : Transform the policy in a smaller one preserving role-reachability (effective also for separate administration) Tool: V AC Verifier of Access Control http://users.ecs.soton.ac.uk/gp4/VAC.html Experiments on realistic policies from the literature hospital, university, bank, and three suites of complex policies

12 Experimental Results (hospital, university policies) 122561092 122561092 122561092 122561092 321309943 321309943 321309943 321309943 321309943 #roles #admin #rules After Pruning Hospital University Bank 4 Policy #users Complete analysis without separate admin restriction! 0.3sNo 0.0sNo 0.0sYes 0.0sYes 0.2sNo 0.2sYes 0.2sNo 0.2sYes 0.2sYes Time Reach 3529 59319 3529 68316 3211 1111 1216223 1113221 1425334 #roles #admin #rules #users

13 Experimental Results 315 525 20100 40200 1000 5002500 4k20k 80k 30k120k 40k200k #roles #rules After Pruning Size Policy Complete analysis on complex policies! 110.0s 11 11 11 110.1s 11 116.0s 113m24s 118m14s 1114m50s Time #rules #roles Time #rules 350.0s 11 11260.0s 11 110.1s 11 116.0s 113m32s 118m33s 1118m7s Time #rules #roles Time #rules 350.0s 11 11260.0s 110.1s 11 110.2s 116.3s 113m20s 117m47s 1121m1s Time #rules #roles Time #rules First Suite Second SuiteThird Suite only error-finding tools were successful

14 Experimental Results 61259300 61259321 612118621 612118600 612177900 612177921 61223724083285 61223724623272 3s 2s 0s 0.1s #roles #rules Bank 1 Bank 2 Bank 3 Bank 4 Policy #rules Time only error-finding tools were successful After Pruning

15 Our Contribution Achieving completeness and correctness without any restriction Fundamental Theorem : It is enough to track only k users at any time, where k is the # of admin roles - leads to a significant trimming procedure (much smaller # of users, admin roles, roles) Novel Pruning technique : Transform the policy in a smaller one preserving role-reachability (effective also for separate administration) Tool: V AC Verifier of Access Control http://users.ecs.soton.ac.uk/gp4/VAC.html Experiments on realistic policies from the literature hospital, university, bank, and three suites of complex policies ✔

16 Finite Model Property Theorem: The role-reachability problem can be solved by tracking at most k+1 users where k is the # of administrative roles

17 Idea of the proof 1/3 π = c1c1 c2c2 … cici c i+1 m1m1 m2m2 mimi Rule made by Admin i cncn c n+1 mnmn … 1 00 0 01 r 1 r 2 rnrn u1u1 u2u2...... … … …......... A user u is engaged if u’s configuration changes along the run essential if there is index i in which u is the only user in Admin i at configuration c i ci=ci=

18 Idea of the proof 2/3 π = c1c1 c2c2 … cici c i+1 m1m1 m2m2 mimi Rule made by Admin i cncn c n+1 mnmn … Simplification rules pick a non essential user u and remove all transitions changing u’s configuration if all users are essential then pick an engaged user and remove all transitions changing u’s configuration after the last configuration in which u is essential … termination is guaranteed

19 Idea of the proof 3/3 π = c1c1 c2c2 … cici c i+1 m1m1 m2m2 mimi cncn c n+1 mnmn … For each 2 distinct engaged users u1 and u2 if u1 is essential for role admin1 (the last time) u2 is essential for role admin2 (the last time) then admin1 ≠ admin2 There are at most k engaged users in the run π, where k = # admin roles

20 Exploiting the Theorem Can we track less users??? NO Theoretically the k+1 bound is tight !!! Heuristics??? REMOVE ADMIN ROLES An admin role A is immaterial if there are more than k+1 users in role A. Transform immaterial roles into regular ones. REMOVE USERS for each role-combination we need at most k+1 users.

21 Our Contribution Achieving completeness and correctness without any restriction Fundamental Theorem : It is enough to track only k users at any time, where k is the # of admin roles - leads to a significant trimming procedure (much smaller # of users, admin roles, roles) Novel Pruning technique : Transform the policy in a smaller one preserving role-reachability (effective also for separate administration) Tool: V AC Verifier of Access Control http://users.ecs.soton.ac.uk/gp4/VAC.html Experiments on realistic policies from the literature hospital, university, bank, and three suites of complex policies ✔ ✔

22 Our tool interval-abstractions using INTERPROC Policyrole NO: policy correct Yes: may be a false error integer program ad hoc-abstraction model-checking GetaFix NO: policy correct boolean program encoding Yes error pruning CSF’12 TACAS’13

23 Conclusions & Future work

24 Conclusions - foundation of reasoning with ARBAC policies (no separate administration) - small model property: tracking a bounded # of users suffices for role-reachability - developed heuristics to effectively reduce ARBAC systems on real-world policies. - VAC : Verifier of Access Control http://users.ecs.soton.ac.uk/gp4/VAC.html - developped Apply our techniques to systems supporting RBAC - OS, Microsoft SQL Servers, Microsoft Active Directory, SELinux, Oracle DBMS - Extend our results to more expressive specs (e.g., info flow, data leakage) - Provide a counter-example guided abstraction scheme

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84 Future Work Automated analysis of access control policies - Apply our techniques to systems supporting RBAC - Microsoft SQL Servers, Microsoft Active Directory, SELinux, Oracle DBMS - Extend our results to more expressive specs (e.g., data leakage) - Provide a counter-example guided abstraction scheme - combine with over-approximation we developed (CSF’12)

85 Experimental Results (CSF’12) 3459326535 3459325434 681186521070 68118650868 1021779781605 1021779751302 13623721042140 13623721001736 7s43s50s 7s44s51s 9s3m 0.2s3m 11s 9s3m 0.3s3m 12s 11s7m 0.8s7m 19s 10s7m 08s7m 18s 11s13m 16s13m 27s 9s13m 15s13m 24s #roles #actions Total time INTERPROC time Bank 1 Bank 2 Bank 3 Bank 4 Policy #actions Time to trasform We can prove correctness! only error-finding tools were successful After Pruning

86 Our Contribution Achieving completeness and correctness without any restriction Fundamental Theorem : It is enough to track only k users at any time, where k is the # of admin roles - leads to a significant trimming procedure (much smaller # of users, admin roles, roles) Novel Pruning technique : Transform the policy in a smaller one preserving role-reachability (effective also for separate administration) Tool: V AC Verifier of Access Control http://users.ecs.soton.ac.uk/gp4/VAC.html Experiments on realistic policies from the literature hospital, university, bank, and three suites of complex policies ✔ ✔ ✔

87 State-of-the-art Experiments Standardized realistic set of benchmarks - hospital policy - university policy - bank policy - three suites of complex policies complete analysis under sep. admin. error-finding only (shallow errors)

Download ppt "Policy Analysis for Self-administrated Role-based Access Control Gennaro Parlato U. Southampton, UK Anna Lisa Ferrara P. Madhusudan U. Bristol, UK UIUC,"

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.

Software Model Checking with SMT Ken McMillan Microsoft Research TexPoint fonts used in EMF: A A A A A.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown.

Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Access Control RBAC Database Activity Monitoring.

Access Control RBAC Database Activity Monitoring.
Security Analysis of Role-based Access Control through Program Verification Anna Lisa Ferrara University of Bristol, UK P. Madhusudan University of Illinois,

Security Analysis of Role-based Access Control through Program Verification Anna Lisa Ferrara University of Bristol, UK P. Madhusudan University of Illinois,
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
The Language Theory of Bounded Context-Switching Gennaro Parlato (U. of Illinois, U.S.A.) Joint work with: Salvatore La Torre (U. of Salerno, Italy) P.

The Language Theory of Bounded Context-Switching Gennaro Parlato (U. of Illinois, U.S.A.) Joint work with: Salvatore La Torre (U. of Salerno, Italy) P.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.

A Semantic Characterization of Unbounded-Nondeterministic Abstract State Machines Andreas Glausch and Wolfgang Reisig 1.
On Sequentializing Concurrent Programs Ahmed Bouajjani LIAFA, University of Paris 7, France LIAFA, University of Paris 7, France Michael Emmi LIAFA, University.

On Sequentializing Concurrent Programs Ahmed Bouajjani LIAFA, University of Paris 7, France LIAFA, University of Paris 7, France Michael Emmi LIAFA, University.

Similar presentations

Ads by Google