Automated verification of access control policies using a SAT solver

Authors: Graham Hughes, Tevfik Bultan
Computer Science Department, University of California, Santa Barbara, CA 93106, USA
Source: International Journal on Software Tools for Technology Transfer (STTT), Volume 10, Issue 6, October 2008
DOI: 10.1007/s10009-008-0087-9
Presented by Jui-Lung Yao, Master Student of CSIE, CCU

Outline

Introduction
A simple XACML policy
Formal model
Boolean logic formula
Experiments
Conclusion

Introduction

Flow chart:

Policy described in the XACML language
→ Transformation with the formal model
→ Boolean logic formula
→ Convert to Conjunctive Normal Form (CNF)
→ Boolean formula in CNF
→ SAT solver

A simple XACML policy

eXtensible Access Control Markup Language

OASIS standard (Organization for the Advancement of Structured Information Standards)

Example

The policy states that to be able to vote a person must be at least 18 years old and a person who has voted already cannot vote.

Age

At least 18 years old

Voted-yet

Voted already

Action

Vote

Environment

Our environment, the set of information we are interested in.

Formal model

Let R = {Permit, Deny, NotApp, Indet} be the set of valid results.

Let P be the set of valid policies.

Semantics of policies

To formalize the semantics of policies, we define a function

Notation

We can now model our example as follows:

Normal form

Define an equivalence relation:

A function f that takes a policy and returns another policy is an eff-preserving transformation.

Shorthand

Define a shorthand 〈 S, R, T 〉 , where S, R and T are pairwise disjoint, as follows:

For any policy p, an equivalent triple pT exists: the triple is just

〈 S, R, T 〉 reduction

Function g

Example

Applying f and g to the policy

Basic predicates

BP is a set of basic predicates

Non-terminal C

Page 22: Author: Graham Hughes, Tevfik Bultan Computer Science Department, University of California, Santa Barbara, CA 93106, USA Source: International Journal.

22

Translation to Boolean logic formula

Page 23: Author: Graham Hughes, Tevfik Bultan Computer Science Department, University of California, Santa Barbara, CA 93106, USA Source: International Journal.

23

Conversion to CNF

The conversion creates an auxiliary variable for each sub-expression of the formula, and then combines the auxiliary variables with clauses that define them.

Example

Example

Let P1 = 〈 S1, R1, T1 〉 and let P2 = 〈 S2, R2, T2 〉 be two policies. We define the following partial orders:

Define:

Example (cont.)

Generate a formula F for the property, then send ¬F to the SAT solver: if ¬F is unsatisfiable the property holds, and any satisfying assignment is a counterexample.
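The pipeline the slides describe (policy as a Boolean formula over basic predicates, CNF conversion with one auxiliary variable per sub-expression, then ¬F handed to a SAT solver), worked through on the voting example. This is an added illustration, not the authors' code: the predicate names, the two policy encodings and the toy DPLL solver are my own constructions.

```python
def tseitin(f, ids, clauses):
    """Return a literal for formula f, appending its defining clauses to `clauses`.
    f is ('var', name) | ('not', g) | ('and', g, h) | ('or', g, h)."""
    if f[0] == 'var':
        return ids.setdefault(f[1], len(ids) + 1)
    if f[0] == 'not':
        return -tseitin(f[1], ids, clauses)
    a, b = tseitin(f[1], ids, clauses), tseitin(f[2], ids, clauses)
    x = ids.setdefault(('aux', len(ids)), len(ids) + 1)  # one auxiliary variable per sub-expression
    if f[0] == 'and':  # x <-> (a and b)
        clauses.extend([[-x, a], [-x, b], [x, -a, -b]])
    else:              # x <-> (a or b)
        clauses.extend([[-x, a, b], [x, -a], [x, -b]])
    return x

def dpll(clauses, assign):
    """Toy DPLL solver (unit propagation + branching); returns a model dict or None."""
    while True:
        unit, rest = None, []
        for c in clauses:
            if any(assign.get(abs(l)) == (l > 0) for l in c):
                continue                                   # clause already satisfied
            lits = [l for l in c if abs(l) not in assign]
            if not lits:
                return None                                # empty clause: conflict
            if len(lits) == 1:
                unit = lits[0]
            rest.append(lits)
        clauses = rest
        if unit is None:
            break
        assign = {**assign, abs(unit): unit > 0}
    if not clauses:
        return assign
    v = abs(clauses[0][0])
    return dpll(clauses, {**assign, v: True}) or dpll(clauses, {**assign, v: False})

def check(permit, prop):
    """F = permit -> prop; solve ~F. None means F holds (UNSAT), else a counterexample."""
    ids, clauses = {}, []
    root = tseitin(('not', ('or', ('not', permit), prop)), ids, clauses)
    model = dpll(clauses + [[root]], {})
    return None if model is None else {n: model.get(i, False) for n, i in ids.items() if isinstance(n, str)}

# Constructed voting policy over basic predicates (my encoding, not the paper's XACML).
VOTE, ADULT, VOTED = ('var', 'action=vote'), ('var', 'age>=18'), ('var', 'voted')
PERMIT_OK = ('and', ('and', VOTE, ADULT), ('not', VOTED))   # permits only eligible voters
PERMIT_BUGGY = ('and', VOTE, ADULT)                          # forgets the voted-already check
PROPERTY = ('and', ADULT, ('not', VOTED))                    # every permitted voter must satisfy this
```

`check(PERMIT_OK, PROPERTY)` returns None, while the buggy policy yields a counterexample in which an adult who has already voted is permitted to vote again.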

Experiments

Use the Continue example, encoded into XACML by Fisler et al. Continue is a Web-based conference management tool that supports paper submission, review, discussion and notification.

Use the Medico example from the XACML specification, which models a simple medical database meant to be accessed by physicians.

Use the encoded voting example.

Experiments (cont.)

Property C1 tests that the conference manager correctly denies program committee chairs the ability to review papers they have a conflict with.

Properties C2 and C7 test that the conference manager permits program committee members to edit reviews they own.

Properties C3 and C8 test that the conference manager denies access to users without a defined role.

Properties C4 and C5 test that the conference manager permits a program committee member who has called a meeting to read documents concerning the meeting, but not other arbitrary documents.

Property C6 tests whether the conference manager permits program committee members to read all parts of a review.

Experiments (cont.)

Property C9 tests whether the conference manager permits unauthorized user roles to set meetings.

Properties C10 and C11 test that the conference manager permits program committee members who have filed their review to read the reviews of others, and denies program committee members who have not yet filed their review from reading other reviews.

Properties M1 and M2 test whether the unified Medico policy permits a physician to edit the medical records of their patients.

Property V1 is just the voting property.

Margrave

Margrave is a change impact analysis tool for the XACML language.

The CONTINUE example only runs under Margrave 1-1 and XACML 1.0.

Margrave parses the XACML and converts it into a form suitable for analysis only once, and can then check as many properties as are desired. Margrave manages this by using a binary decision diagram (BDD) for analysis.

Table 1: Verification performance under this work

Table 2: Verification performance under Margrave

Conclusion

We have presented a formal model for access control policies, and shown how to verify interesting properties about such models in an automated way.

We translate queries about access control policies to Boolean satisfiability problems and use a SAT solver to obtain an answer.

For finite state specifications our approach is sound and complete as long as the user chooses a sufficiently large bound and the complex XACML functions are not used in the specification.

Thank you for listening.