
Computer Science Conformance Checking of Access Control Policies Specified in XACML Vincent C. Hu (National Institute of Standards and Technology) Evan.


Slide 1: Conformance Checking of Access Control Policies Specified in XACML
Vincent C. Hu (National Institute of Standards and Technology)
Evan Martin, JeeHyun Hwang, Tao Xie (North Carolina State University)

Slide 2: Outline
Motivation
Background
– Access Control
– XACML
Conformance Checking
Policy Verification & Testing
Conclusion

Slide 3: Motivation
Digital information is easy to access and search.
Sensitive information requires access control mechanisms.
A growing trend is to specify access control policies in a generic specification language such as XACML:
+ Flexibility, expressiveness
– Complexity, verbosity
– Lack of desirable-property enforcement

Slide 4: Problem
How to ensure the correct specification of access control policies?
– What you specify is what you get, but not necessarily what you want.
Conformance checking: checking policies against properties (models or specifications).
Systematic testing of access control policies
– Complements policy verification, which may not support full policy features or complex properties
– Just like software testing + software verification

Slide 5: Background: Access Control System Model
[Diagram: Access Control policy, Access Control model, Access Control mechanism, Access Control algorithm, Access Control rules and access states, linked with cardinalities 1:0~n, 1:n, 1:1, 1:n, n:n]
At an elementary level an access control system consists of the space of states and the space of rules.

Slide 6: Background: Access Control
Three primary objectives:
– Determining which subjects are entitled to have access to which objects (Authorization);
– Determining the access rights permitted (a combination of access modes such as read, write, execute, delete, and append);
– Enforcing the access rights.
An access control policy describes how to achieve these three goals.
Subject: an active entity, generally a person, process, or device, that causes information to flow among objects.
Object: a passive entity that contains or receives information. Access to an object potentially implies access to the information it contains.

Slide 7: Background: XACML
eXtensible Access Control Markup Language
– OASIS standard XML syntax for specifying policies, requests, and responses
– A flexible and expressive language, but complex and verbose
A Subject who wishes to perform an Action on a Resource (Object) must do so through a PEP (Policy Enforcement Point). The PEP forms the XACML request and sends it to the PDP (Policy Decision Point). The PDP checks the request against the Policy and returns an XACML response. The PEP either permits or denies access to the resource.

Slide 8: Background: XACML Key Concepts
A Policy Set holds other policies or policy sets.
A Policy is expressed as a set of rules.
A Rule has a target and a set of conditions that determine whether the rule applies to a given request.
Both rule and policy Combining Algorithms exist to reconcile conflicts.

Slide 9: XACML Example

```xml
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicySetId="college"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Description>A College Policy on Grades</Description>
  <Target> ... </Target>                         <!-- Policy Set Target (contents not shown on the slide) -->
  <Policy PolicyId="fac"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>Faculty Policy</Description>
    <Target>                                     <!-- Policy Target: subject role must equal "Faculty" -->
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Faculty</AttributeValue>
            <SubjectAttributeDesignator AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </SubjectMatch>
        </Subject>
      </Subjects>
      ...
    </Target>
    ...                                          <!-- rules: see slide 10 -->
  </Policy>
  ...                                            <!-- Student policy: see slide 11 -->
</PolicySet>
```

Slide 10: XACML Example

```xml
<!-- Target of a Rule in the Faculty policy (slide callout: "Target Rule").
     RuleId, Effect and the ResourceMatch/ActionMatch MatchIds are not visible on
     the slide; string-equal is assumed, as on slide 9. -->
<Rule>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ExternalGrades</AttributeValue>
          <ResourceAttributeDesignator AttributeId="resource-class" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InternalGrades</AttributeValue>
          <ResourceAttributeDesignator AttributeId="resource-class" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Assign</AttributeValue>
          <ActionAttributeDesignator AttributeId="command" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ActionMatch>
      </Action>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Receive</AttributeValue>
          <ActionAttributeDesignator AttributeId="command" DataType="http://www.w3.org/2001/XMLSchema#string" />
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
</Rule>
```

Slide 11: XACML Example

```xml
<!-- Student Policy. PolicyId, RuleCombiningAlgId, RuleId and Effect are not shown on
     the slide; the subject match on role = "Student" follows the pattern of slide 9. -->
<Policy>
  <Description>Student Policy</Description>
  <Target>
    <!-- subject role must equal "Student" (matched as on slide 9) -->
    ...
  </Target>
  <Rule>
    <Target>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ExternalGrades</AttributeValue>
            <ResourceAttributeDesignator AttributeId="resource-class" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Receive</AttributeValue>
            <ActionAttributeDesignator AttributeId="command" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <!-- Rules can have a more complicated condition tag here -->
  </Rule>
</Policy>
```

Slide 12: Policy Conformance Checking
Check XACML policies against properties:
– Rule binding (properties of encoded access control models)
– Access control features (e.g., safety, separation of duty)
[Diagram, as on slide 5: Access Control policy, model, mechanism, algorithm, rules and access states, with cardinalities 1:0~n, 1:n, 1:1, 1:n, n:n]

Slide 13: Model: Bell-LaPadula [1973]
[Diagram: Subjects (Top Secret, Secret, Unclassified) and Objects (Top Secret, Secret, Unclassified); arrow labelled Read OK]

Slide 14: Model: Bell-LaPadula [1973]
[Diagram: Subjects (Top Secret, Secret, Unclassified) and Objects (Top Secret, Secret, Unclassified); arrows labelled Read OK, Read Forbidden, Read OK]

Slide 15: Model: Bell-LaPadula [1973]
[Diagram: Subjects (Top Secret, Secret, Unclassified) and Objects (Top Secret, Secret, Unclassified); arrows labelled Write OK, Write Forbidden]

Slide 16: Model: Bell-LaPadula [1973]
[Diagram: Subjects (Top Secret, Secret, Unclassified) and Objects (Top Secret, Secret, Unclassified); arrows labelled Write OK, Write Forbidden, Write OK]

Slide 17: Model: Chinese Wall [Brewer & Nash 89]
[Diagram: a subject, object ox in Group X, object oy in Group Y]
Group X and Group Y are conflict-of-interest groups.
If a subject has accessed an object in Group X, the subject will not be granted access to an object in Group Y.
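The two models on slides 13-17 expressed as executable properties, the kind of "rule binding" a conformance checker would test a policy's decisions against. This is an added example, not code from the presentation; the level lattice, the conflict groups and the sample decisions are constructed.

```python
from dataclasses import dataclass, field

# Constructed lattice for the three levels drawn on the slides.
LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}

def blp_read_ok(subject_level, object_level):
    """Simple security property (no read up): read only at or below own level."""
    return LEVELS[object_level] <= LEVELS[subject_level]

def blp_write_ok(subject_level, object_level):
    """*-property (no write down): write only at or above own level."""
    return LEVELS[object_level] >= LEVELS[subject_level]

def blp_nonconforming(decisions):
    """Rule-binding check: return the policy decisions that disagree with BLP.
    decisions: iterable of (subject_level, object_level, action, permitted),
    where action is "read" or "write" and permitted is the policy's decision."""
    bad = []
    for s, o, action, permitted in decisions:
        expected = blp_read_ok(s, o) if action == "read" else blp_write_ok(s, o)
        if permitted != expected:
            bad.append((s, o, action, permitted))
    return bad

@dataclass
class ChineseWall:
    """Brewer-Nash model: once a subject has accessed an object in one
    conflict-of-interest group, objects in any conflicting group are denied."""
    conflicts: dict                              # group -> set of conflicting groups
    history: dict = field(default_factory=dict)  # subject -> groups already accessed

    def access(self, subject, group):
        seen = self.history.setdefault(subject, set())
        if any(g in self.conflicts.get(group, set()) for g in seen):
            return False                         # would cross the wall
        seen.add(group)                          # remember the access for later checks
        return True

if __name__ == "__main__":
    # Constructed sample: a policy that wrongly lets Unclassified read Secret.
    sample = [("Secret", "Unclassified", "read", True),
              ("Unclassified", "Secret", "read", True),
              ("Secret", "Top Secret", "write", True)]
    print(blp_nonconforming(sample))
    wall = ChineseWall({"X": {"Y"}, "Y": {"X"}})
    print(wall.access("s", "X"), wall.access("s", "Y"))
```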

Slide 18: Model: Role-Based Access Control (RBAC) [Ferraiolo & Kuhn 92]
Expresses an access control policy in terms of the roles that individuals play within the organization.
Can support a variety of policies through its configuration.
XACML profile for RBAC [2004]

Slide 19: Access Control Features
Safety: whether there is any leaking of privilege, i.e., access granted through the XACML specification that should not be granted.
Separation of Duties (SOD):
– Role-centric: 1 user cannot fill 2 conflicting roles
– User-centric: 2 conflicting users cannot collectively fill 2 roles in conflict
Others…
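The two SOD variants on slide 19 as checks over a role assignment, written as an added example (not the presentation's code); the users, roles and conflict sets are constructed.

```python
# Constructed role assignments and conflict sets; the two checks follow the
# role-centric and user-centric SOD definitions on slide 19.
ASSIGNMENTS = {
    "alice": {"Faculty", "Registrar"},
    "bob": {"Student"},
    "carol": {"Auditor"},
}
CONFLICTING_ROLES = {frozenset({"Faculty", "Registrar"}), frozenset({"Student", "Auditor"})}
CONFLICTING_USERS = {frozenset({"bob", "carol"})}

def role_centric_violations(assignments, conflicting_roles):
    """Role-centric SOD: one user may not fill two conflicting roles."""
    return sorted((user, tuple(sorted(pair)))
                  for user, roles in assignments.items()
                  for pair in conflicting_roles if pair <= roles)

def user_centric_violations(assignments, conflicting_users, conflicting_roles):
    """User-centric SOD: two conflicting users may not collectively fill two
    conflicting roles, even if neither holds both roles alone."""
    found = []
    for users in conflicting_users:
        combined = set().union(*(assignments.get(u, set()) for u in users))
        for pair in conflicting_roles:
            if pair <= combined:
                found.append((tuple(sorted(users)), tuple(sorted(pair))))
    return sorted(found)

if __name__ == "__main__":
    print(role_centric_violations(ASSIGNMENTS, CONFLICTING_ROLES))
    print(user_centric_violations(ASSIGNMENTS, CONFLICTING_USERS, CONFLICTING_ROLES))
```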

Slide 20: Proposed Conformance Checking Implementation
Some properties are enforced by XACML profiles.
Some simple properties can be formulated to feed to Margrave (a policy verification tool [Fisler et al. 05]).
More complicated properties can be dynamically checked with policy testing.

Slide 21: Software Testing
[Diagram: Software Testing: Test Inputs → Program → Test Outputs, compared with Expected Outputs. Policy Testing: Requests → Policy → Responses, compared with Expected Responses]

Slide 22: Systematic Policy Testing
Structural coverage criteria/measurement [ICICS 06]
– Policy coverage
– Rule coverage
– Condition coverage
Request generation [ICICS 06, SESS 07]
Mutation testing [WWW 07]
Application in conformance checking:
– Identify likely policy locations related to properties and then generate requests to cover these locations
– Investigate the relationship between conformance checking and structural coverage or fault types

Slide 23: Structural Coverage Criteria
Rationale: as in program testing, when the policy part containing a fault is not "covered", the error is often not exposed.
Given a request q and a policy P, we say q covers a rule m in P if m contributes to the decision of q. The rule m contributes to the decision of q if all Cond are satisfied by q.
– The sequence of rules and combining algorithms may also affect coverage.
Rule coverage of P by requests Q = (#rules covered by at least one request in Q) / (#rules in P)
Similarly define policy coverage/condition coverage [ICICS 06]

Slide 24: Request Generation via Change-Impact Analysis (Cirg)
[Diagram: Access Control Policy → 1. Version Synthesis → Policy Versions → 2. Change-impact analysis → Counter examples → 3. Request generation → Requests] [SESS 07]
Synthesize versions (all-to-negate-one) for Margrave [Fisler et al. 05]

Slide 25: Fault Model and Mutation Testing
A fault model is used to model things that could go wrong when constructing a policy.
The fault model is the underlying foundation of mutation testing [DeMillo et al. 78] (similar to fault injection):
– The policy is iteratively mutated to produce numerous mutants, each containing one fault
Usages:
– Measure fault-detection effectiveness of test generation or test selection
– Select tests [WWW 07]

Slide 26: Policy Mutation Testing
[Diagram: Requests → Policy → Responses; Policy → Mutator → Mutant Policy → Mutant Responses; Responses and Mutant Responses differ? → Mutant Killed!]
Mutation Operators [WWW 07]
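Rule coverage (slide 23) and mutant killing (slides 25-26) carried out on a small evaluator for the college example, added here as illustration rather than taken from the presentation or from Margrave. The rule set, the permit-overrides/deny-overrides evaluator and the single effect-flipping mutation operator are constructed; the rule targets only approximate the XACML on slides 9-11.

```python
from dataclasses import dataclass, replace

@dataclass
class Rule:
    rid: str
    target: dict   # attribute -> required value; an empty target matches every request
    effect: str    # "Permit" or "Deny"

    def applies(self, request):
        return all(request.get(k) == v for k, v in self.target.items())

# Constructed rule set in the spirit of the college example (slides 9-11).
COLLEGE_RULES = [
    Rule("fac-assign", {"role": "Faculty", "resource-class": "ExternalGrades", "command": "Assign"}, "Permit"),
    Rule("fac-receive", {"role": "Faculty", "resource-class": "InternalGrades", "command": "Receive"}, "Permit"),
    Rule("stu-receive", {"role": "Student", "resource-class": "ExternalGrades", "command": "Receive"}, "Permit"),
    Rule("default-deny", {}, "Deny"),
]

def evaluate(rules, request, combining="permit-overrides"):
    """Return (decision, ids of the rules that contributed). A rule contributes
    (slide 23) when its target is satisfied; the combining algorithm then
    reconciles the contributing effects."""
    covered = [r.rid for r in rules if r.applies(request)]
    effects = [r.effect for r in rules if r.rid in covered]
    if not effects:
        return "NotApplicable", covered
    if combining == "permit-overrides":
        return ("Permit" if "Permit" in effects else "Deny"), covered
    return ("Deny" if "Deny" in effects else "Permit"), covered   # deny-overrides

def rule_coverage(rules, requests):
    """Slide 23: #rules covered by at least one request in Q / #rules in P."""
    covered = set()
    for q in requests:
        covered.update(evaluate(rules, q)[1])
    return len(covered) / len(rules)

def flip_effect(rules, rid):
    """One mutation operator: invert the effect of a single rule (one fault per mutant)."""
    return [replace(r, effect="Deny" if r.effect == "Permit" else "Permit") if r.rid == rid else r
            for r in rules]

def killed(rules, mutant, requests):
    """Slide 26: the mutant is killed when some request gets a different response."""
    return any(evaluate(rules, q)[0] != evaluate(mutant, q)[0] for q in requests)
```

A request set that covers the default-deny rule still fails to kill the mutant that flips it, because permit-overrides masks the change; this is the coverage-versus-fault-type relationship slide 22 proposes to investigate.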

Slide 27: Conclusions
XACML provides freedom in specifying policies but induces complexity, verbosity, and lack of desirable-property enforcement.
We propose to conduct conformance checking of policies against:
– Access control model's properties (rule binding)
– Access control features
Checking is conducted based on policy verification and testing (structural coverage, request generation, mutation testing).

Slide 28: Questions?

