DOI: 10.1007/978-3-662-46666-7_7

Analysis of XACML Policies with SMT

Published: 11 April 2015

Abstract

The eXtensible Access Control Markup Language (XACML) is an extensible and flexible XML language for the specification of access control policies. However, the richness and flexibility of the language, along with the verbose syntax of XML, come at a price: errors are easy to make and difficult to detect when policies grow in size. If these errors are not detected and rectified, they can result in serious data leakage and/or privacy violations, leading to significant legal and financial consequences. To assist policy authors in the analysis of their policies, several policy analysis tools have been proposed based on different underlying formalisms. However, most of these tools either abstract away functions over non-Boolean domains, and hence cannot provide information about them, or produce very large encodings that hinder performance. In this paper, we present a generic policy analysis framework that employs SMT as the underlying reasoning mechanism. The use of SMT not only allows more fine-grained analysis of policies but also improves performance. We demonstrate that a wide range of security properties proposed in the literature can be easily modeled within the framework. A prototype implementation and its evaluation are also provided.

Published In

Proceedings of the 4th International Conference on Principles of Security and Trust - Volume 9036
April 2015
348 pages
ISBN: 9783662466650

Publisher

Springer-Verlag

Berlin, Heidelberg

Qualifiers

  • Article
