Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi,...

Margrave: XACML Verification and Change-Impact Analysis

Kathi Fisler, WPIShriram Krishnamurthi, Brown

Leo Meyerovich, BrownMichael Carl Tschantz, Brown

Running Example

Roles:Faculty, Student

Resources:InternalGrades, ExternalGrades

Actions:Assign, View, Receive

Properties

1. There do not exist members of Student who can Assign ExternalGrades

2. Faculty can Assign both InternalGrades and ExternalGrades

3. No combination of roles exists whose user can both Receive and Assign ExternalGrades

Policy 1

• Requests for Students to Receive ExternalGrades succeed

• Requests for Faculty to Assign or View ExternalGrades succeed

Policy 1, Properties 1-3






Output

Error!

Counterexample:Student simultaneously requests to – Receive ExternalGrade – Assign ExternalGrade

XACML: attributes represent sets

Policy 2



• Attributes for action and requested resources are constrained as singletons

Output

Error!

Counterexample:Faculty - Student requests …

But a Faculty isn’t also a Student

Policy 3




• Faculty are disjoint from Students

Output

Success!

Policy 4



• TAs have the same privileges as Faculty



Output

Error!

Counterexample:• Student - TA can Assign

ExternalGrades• Student - TA is not a Faculty

TAs are tricky!

Policy 5



• TAs can View and Assign InternalGrades but not ExternalGrades



Output

Success!

Policy 6




• FacultyFamily can Receive ExternalGrades

• Singleton and disjointness constraints

Policy 6, Properties 1-3• Requests for Students to

Receive ExternalGrades succeed








Output

Error!

Counterexample:• Faculty can Assign ExternalGrades• FacultyFamily can Receive

ExternalGrades• The same person generates both

Design Flow

• Verification catches subtle corner-cases

• Testing without the test cases: property represents a set of test cases

• The disadvantage is usually cost (there’s another one we’ll get to later…)

Performance

• Parsing: 355ms (cold cache) – 70ms (warm)

• Longest verification: 10ms; most were faster than timer could measure

• Memory: baseline of 4.7Mb, no increase

[Athlon XP 1800+, 1.5GHz, 512Mb]

Implementation

Multi-Terminal Decision Diagrams

• Faculty (f) can assign (a) grades (g)• Students (s) can receive (r) grades (g)

Rules and Rule Combination

Constraints

• Represented by boolean expressions

• Easy to combine booleans with MTDDs

• Adds new terminal: EC (Excluded by Constraint)

Properties?!?

Policies Without Properties

• Working policy P1

• Modified policy P2

• Testing reveals intended change

• But…

Policy 4 – Policy 3










Output

• Eight combinations grant access

• Four involve ExternalGrades

• Adding TAs should not have affected this!

Policy 5 – Policy 3










Output

All changes involve only

• TAs• InternalGrades

Therefore, we can be confident about the edit

Policy 6 – Policy 5• Requests for Students to

Receive ExternalGrades succeed









Output

All changes involve Receiving grades

Some changes involve the Faculty role

Is there an error?

Exploring Changes

• We can query and verify differenceseg: Did a change affect ExternalGrades?

• Properties of differences may be stronger than properties of the entire system

• Exploration may eventually lead to identifying system properties

Case Study

Application

Continue: paper submission and reviewSoftvis 2005, CSFW 2005, FOAL 2005, ISSTA 2004, LMO

2005, TAV-WEB 2004, PADL 2004/3/2/1, FDPE 2003, Scheme 2003/2, ...

• Roles: Admin, Chair, PC Member, Subrev…• Actions: Submit, Review, Broadcast, …• Resources: Papers, Reviews,

Configurations

Performance

• Policy has 50 MTDD variables• Raw policy has 1268 MTDD nodes• Constraints shrink it to 817 nodes• Parsing/constraining: 2.07s• Twelve properties: each < 10ms• Memory: 316,288 bytes over baseline• Change: 2ms, 1133 nodes, 16.3Kb

memory

Conclusion

Tool Output1:/Subject, role, Faculty/ 2:/Subject, role, Student/ 3:/Resource, resource-class, ExternalGrades/ 4:/Resource, resource-class, InternalGrades/ 5:/Action, command, Assign/ 6:/Action, command, View/7:/Action, command, Receive/ 8:/Subject, role, TA/12345678{00010101 N->P00011001 N->P00100101 N->P00101001 N->P01010101 N->P01011001 N->P01100101 N->P01101001 N->P}

Perspective

• Verification can be cheap enough to fit into the design flow and encourage policy exploration

• Change impact– useful in itself finds some errors without

properties– query/verif. is a bonus lightweight formal method

• Think about continuous verification and change impact reports

XACML analysis:http://www.cs.brown.edu/research/plt/software/margrave/

Conference manager:http://continue.cs.brown.edu/

Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi,...

Documents

Transcript of Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi,...