Margrave: XACML Verification and Change-Impact Analysis
Kathi Fisler, WPI; Shriram Krishnamurthi, Brown
Leo Meyerovich, Brown; Michael Carl Tschantz, Brown
Running Example
Roles: Faculty, Student
Resources: InternalGrades, ExternalGrades
Actions: Assign, View, Receive
Properties
1. There do not exist members of Student who can Assign ExternalGrades
2. Faculty can Assign both InternalGrades and ExternalGrades
3. No combination of roles exists whose user can both Receive and Assign ExternalGrades
Policy 1
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
Policy 1, Properties 1-3 (the Policy 1 rules above, checked against Properties 1-3)
Output
Error!
Counterexample: a Student simultaneously requests to
– Receive ExternalGrades
– Assign ExternalGrades
XACML: attributes represent sets
Policy 2
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons
Policy 2, Properties 1-3 (the Policy 2 rules above, checked against Properties 1-3)
Output
Error!
Counterexample: a subject who is both Faculty and Student requests …
But a Faculty isn’t also a Student
Policy 3
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Policy 3, Properties 1-3 (the Policy 3 rules above, checked against Properties 1-3)
Output
Success!
Policy 4
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs have the same privileges as Faculty
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Policy 4, Properties 1-3 (the Policy 4 rules above, checked against Properties 1-3)
Output
Error!
Counterexample:
• a Student who is also a TA can Assign ExternalGrades
• a Student - TA is not a Faculty, so the Faculty/Student disjointness constraint does not rule this subject out
TAs are tricky!
Policy 5
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Policy 5, Properties 1-3 (the Policy 5 rules above, checked against Properties 1-3)
Output
Success!
Policy 6
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• FacultyFamily can Receive ExternalGrades
• Singleton and disjointness constraints
Policy 6, Properties 1-3 (the Policy 6 rules above, checked against Properties 1-3)
Output
Error!
Counterexample:
• Faculty can Assign ExternalGrades
• FacultyFamily can Receive ExternalGrades
• The same person generates both
Design Flow
• Verification catches subtle corner-cases
• Testing without the test cases: property represents a set of test cases
• The disadvantage is usually cost (there’s another one we’ll get to later…)
Performance
• Parsing: 355ms (cold cache) – 70ms (warm)
• Longest verification: 10ms; most were faster than timer could measure
• Memory: baseline of 4.7 MB, no increase
[Athlon XP 1800+, 1.5GHz, 512 MB]
Implementation
Multi-Terminal Decision Diagrams
• Faculty (f) can assign (a) grades (g)
• Students (s) can receive (r) grades (g)
Rules and Rule Combination
Constraints
• Represented by boolean expressions
• Easy to combine booleans with MTDDs
• Adds new terminal: EC (Excluded by Constraint)
Properties?!?
Policies Without Properties
• Working policy P1
• Modified policy P2
• Testing reveals intended change
• But…
Policy 4 – Policy 3
Policy 4:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs have the same privileges as Faculty
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
minus Policy 3:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Output
• Eight combinations grant access
• Four involve ExternalGrades
• Adding TAs should not have affected this!
Policy 5 – Policy 3
Policy 5:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
minus Policy 3:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Output
All changes involve only
• TAs
• InternalGrades
Therefore, we can be confident about the edit
Policy 6 – Policy 5
Policy 6:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• FacultyFamily can Receive ExternalGrades
• Singleton and disjointness constraints
minus Policy 5:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• Singleton and disjointness constraints
Output
All changes involve Receiving grades
Some changes involve the Faculty role
Is there an error?
Exploring Changes
• We can query and verify differences, e.g.: Did a change affect ExternalGrades?
• Properties of differences may be stronger than properties of the entire system
• Exploration may eventually lead to identifying system properties
Case Study
Application
Continue: paper submission and review
Softvis 2005, CSFW 2005, FOAL 2005, ISSTA 2004, LMO 2005, TAV-WEB 2004, PADL 2004/3/2/1, FDPE 2003, Scheme 2003/2, ...
• Roles: Admin, Chair, PC Member, Subrev…
• Actions: Submit, Review, Broadcast, …
• Resources: Papers, Reviews, Configurations
Performance
• Policy has 50 MTDD variables
• Raw policy has 1268 MTDD nodes
• Constraints shrink it to 817 nodes
• Parsing/constraining: 2.07s
• Twelve properties: each < 10ms
• Memory: 316,288 bytes over baseline
• Change: 2ms, 1133 nodes, 16.3 KB memory
Conclusion
Tool Output (change-impact report; the eight N->P rows are the Policy 4 – Policy 3 result above: eight newly granted combinations, four involving ExternalGrades)
Variables (one MTDD variable per attribute value):
1: /Subject, role, Faculty/
2: /Subject, role, Student/
3: /Resource, resource-class, ExternalGrades/
4: /Resource, resource-class, InternalGrades/
5: /Action, command, Assign/
6: /Action, command, View/
7: /Action, command, Receive/
8: /Subject, role, TA/
Each row is one request: a bit per variable 1-8 (1 = attribute present), then the decision change (N->P: not applicable before the edit, permitted after)
12345678
00010101 N->P   (TA, View, InternalGrades)
00011001 N->P   (TA, Assign, InternalGrades)
00100101 N->P   (TA, View, ExternalGrades)
00101001 N->P   (TA, Assign, ExternalGrades)
01010101 N->P   (Student + TA, View, InternalGrades)
01011001 N->P   (Student + TA, Assign, InternalGrades)
01100101 N->P   (Student + TA, View, ExternalGrades)
01101001 N->P   (Student + TA, Assign, ExternalGrades)
Perspective
• Verification can be cheap enough to fit into the design flow and encourage policy exploration
• Change impact
– useful in itself: finds some errors without properties
– query/verification of differences is a bonus
– a lightweight formal method
• Think about continuous verification and change impact reports
XACML analysis:http://www.cs.brown.edu/research/plt/software/margrave/
Conference manager:http://continue.cs.brown.edu/