Automated verification of access control policies using a SAT solver

Authors: Graham Hughes, Tevfik Bultan, Computer Science Department, University of California, Santa Barbara, CA 93106, USA

Source: International Journal on Software Tools for Technology Transfer (STTT), Volume 10, Issue 6, October 2008, doi:10.1007/s10009-008-0087-9

Presented by Jui-Lung Yao, Master Student of CSIE, CCU


Page 2: Outline

Introduction
A simple XACML policy
Formal model
Boolean logic formula
Experiments
Conclusion


Page 4: Introduction

Flow chart (reconstructed from the slide's boxes): a policy described in the language of XACML -> transformation with the formal model -> Boolean logic formula -> convert to Conjunctive Normal Form (CNF) -> Boolean formula in CNF -> SAT solver.


Page 6: A simple XACML policy

XACML: eXtensible Access Control Markup Language

An OASIS standard (Organization for the Advancement of Structured Information Standards)

Page 7: Example

The policy states that, to be able to vote, a person must be at least 18 years old, and a person who has already voted cannot vote again.

Page 8: Age

At least 18 years old

Page 9: Voted-yet

Voted already

Page 10: Action

Vote

Page 11: Environment

Our environment: the set of information we are interested in.


Page 13: Formal model

Let R = {Permit, Deny, NotApp, Indet} be the set of valid results (Permit, Deny, Not Applicable, Indeterminate).

Let P be the set of valid policies.

Page 14: Semantics of policies

To formalize the semantics of policies, we define a function

Page 15: Notation

We can now model our example as follows:

Page 16: Normal form

Define an equivalence relation:

Function f takes a policy and returns another policy; f is an eff-preserving transformation.

Page 17: Shorthand

Define a shorthand 〈S, R, T〉, where S, R and T are pairwise disjoint, as follows:

For any policy p there exists a triple pT equivalent to it: the triple is just

Page 18: 〈S, R, T〉 reduction

Function g

Page 19: Example

Applying f and g to the policy


Page 21: Basic predicates

BP is a set of basic predicates.

Non-terminal C

Page 22: Translation to Boolean logic formula

Page 23: Conversion to CNF

Create an auxiliary variable for each sub-expression, then combine the auxiliary variables.

Example

Page 24: Example

Let P1 = 〈S1, R1, T1〉 and P2 = 〈S2, R2, T2〉 be two policies. We define the following partial orders:

Define:

Page 25: Example (cont.)

Generate a formula F for the property.

Send the negation ¬F to the SAT solver: if ¬F is unsatisfiable the property holds, and a satisfying assignment is a counterexample.
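An added worked example, not from the paper or these slides, that carries the voting policy through the steps above: its Permit, Deny and NotApp results are written as Boolean formulas over constructed basic predicates, converted to CNF with one auxiliary variable per sub-expression, and a property F is checked by sending ¬F to a solver. The predicate names, the result formulas and the brute-force search standing in for the SAT solver are all assumptions of this example.

```python
from itertools import product

# Formulas are nested tuples: ("var", name) | ("not", f) | ("and", f, g) | ("or", f, g).
def v(name): return ("var", name)
def neg(f): return ("not", f)
def both(f, g): return ("and", f, g)
def either(f, g): return ("or", f, g)
def implies(f, g): return either(neg(f), g)

# Constructed basic predicates for the voting policy (assumed names, not the paper's XACML).
ADULT, VOTED, VOTE = v("age>=18"), v("voted-yet"), v("action=vote")
# Results: Permit an adult who has not voted; Deny any other vote request; NotApp otherwise.
PERMIT = both(VOTE, both(ADULT, neg(VOTED)))
DENY = both(VOTE, either(neg(ADULT), VOTED))
NOTAPP = neg(VOTE)

def to_cnf(f):
    """Tseitin encoding, one auxiliary variable per sub-expression: (root literal, clauses, ids)."""
    ids, clauses = {}, []
    def var_id(key):
        return ids.setdefault(key, len(ids) + 1)
    def walk(node):
        kind = node[0]
        if kind == "var":
            return var_id(node[1])
        if kind == "not":
            return -walk(node[1])
        a, b = walk(node[1]), walk(node[2])
        x = var_id(("aux", len(ids)))  # fresh variable standing for this sub-expression
        if kind == "and":  # x <-> (a and b)
            clauses.extend([[-x, a], [-x, b], [x, -a, -b]])
        else:              # x <-> (a or b)
            clauses.extend([[-x, a, b], [x, -a], [x, -b]])
        return x
    return walk(f), clauses, ids

def solve(clauses, nvars):
    """Brute-force stand-in for the SAT solver: a satisfying assignment or None."""
    for bits in product([False, True], repeat=nvars):
        if all(any((lit > 0) == bits[abs(lit) - 1] for lit in cl) for cl in clauses):
            return {i + 1: b for i, b in enumerate(bits)}
    return None

def check(prop):
    """Send ~F to the solver: unsat means property F holds, else return a counterexample."""
    root, clauses, ids = to_cnf(neg(prop))
    model = solve(clauses + [[root]], len(ids))
    if model is None:
        return True, None
    return False, {k: model[i] for k, i in ids.items() if isinstance(k, str)}
```

`check(implies(PERMIT, ADULT))` returns `(True, None)`, while `check(implies(ADULT, PERMIT))` returns a counterexample such as an adult who has already voted.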


Page 27: Experiments

Use the Continue example, encoded into XACML by Fisler et al. Continue is a Web-based conference management tool that supports paper submission, review, discussion and notification.

Use the Medico example from the XACML specification, which models a simple medical database meant to be accessed by physicians.

Use the voting example, encoded into XACML.

Page 28: Experiments (cont.)

Property C1 tests that the conference manager correctly denies program committee chairs the ability to review papers they have a conflict with.

Properties C2 and C7 test that the conference manager permits program committee members to edit reviews they own.

Properties C3 and C8 test that the conference manager denies access to users without a defined role.

Properties C4 and C5 test that the conference manager permits a program committee member who has called a meeting to read documents concerning the meeting, but not other arbitrary documents.

Property C6 tests whether the conference manager permits program committee members to read all parts of a review.

Page 29: Experiments (cont.)

Property C9 tests whether the conference manager permits unauthorized user roles to set meetings.

Properties C10 and C11 test that the conference manager permits program committee members who have filed their review to read the reviews of others, and denies program committee members who have not yet filed their review the ability to read other reviews.

Properties M1 and M2 test whether the unified Medico policy permits a physician to edit the medical records of their patients.

Property V1 is just the voting property.

Page 30: Margrave

Margrave is a change-impact analysis tool for the XACML language.

The CONTINUE example only runs under Margrave 1-1 and XACML 1.0.

Margrave parses the XACML and converts it into a form suitable for analysis only once, and can then check as many properties as desired. Margrave manages this by using a binary decision diagram (BDD) for analysis.

Page 31: Table 1: Verification performance under this work

Page 32: Table 2: Verification performance under Margrave


Page 34: Conclusion

We have presented a formal model for access control policies, and shown how to verify interesting properties of such models in an automated way.

We translate queries about access control policies into Boolean satisfiability problems and use a SAT solver to obtain an answer.

For finite-state specifications our approach is sound and complete, as long as the user chooses a sufficiently large bound and the complex XACML functions are not used in the specification.

Page 35: Thanks for listening