DOI: 10.1145/2046707.2046727

Automatic error finding in access-control policies

Published: 17 October 2011

Abstract

Verifying that access-control systems maintain desired security properties is recognized as an important problem in security. Enterprise access-control systems have grown to protect tens of thousands of resources, and there is a need for verification to scale commensurately. We present a new abstraction-refinement technique for automatically finding errors in Administrative Role-Based Access Control (ARBAC) security policies. ARBAC is the first and most comprehensive administrative scheme for Role-Based Access Control (RBAC) systems. Underlying our approach is a change in mindset: we propose that error finding complements verification, can be more scalable, and allows for the use of a wider variety of techniques. In our approach, we use an abstraction-refinement technique to first identify and discard roles that are unlikely to be relevant to the verification question (the abstraction step), and then restore such abstracted roles incrementally (the refinement steps). Error reports are one-sided: if there is an error in the abstracted policy, then there is an error in the original policy, so the abstraction never produces spurious errors. If there is an error in a policy whose role-dependency graph diameter is smaller than a certain bound, then we find the error. Our abstraction-refinement technique complements conventional state-space exploration techniques such as model checking. We have implemented our technique in an access-control policy analysis tool. We show empirically that our tool scales well to realistic policies, and is orders of magnitude faster than prior tools.
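The abstraction-refinement loop sketched in the abstract, as an added example; this is illustrative code written for this page, not the paper's own tool or its analysis engine. It assumes a simplified ARBAC policy made of can_assign rules (target role, positive precondition roles, negative precondition roles) and a set of revocable roles, and it assumes the separate-administration restriction (administrative roles are never themselves assigned or revoked), under which a user-role reachability query can be answered by tracking the queried user's role set alone. The bank-style policy and the role names Teller, Manager, Auditor, Trainee, HR, Payroll and Benefits are constructed for the example.

```python
"""Bounded abstraction-refinement for ARBAC user-role reachability.

Added illustration, not the paper's tool. Assumes separate administration:
admin roles are never rule targets, so the queried user's role set is the
whole state and an administrator is always available to act.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class CanAssign:
    target: str
    positive: frozenset = frozenset()  # roles the user must already hold
    negative: frozenset = frozenset()  # roles the user must not hold


@dataclass(frozen=True)
class Policy:
    assigns: tuple                     # CanAssign rules
    revokes: frozenset                 # roles an administrator may revoke

    def enabled(self, state):
        """Administrative actions applicable to a user holding `state`."""
        for rule in self.assigns:
            if (rule.target not in state and rule.positive <= state
                    and not rule.negative & state):
                yield ("assign", rule.target), state | {rule.target}
        for role in sorted(self.revokes & state):
            yield ("revoke", role), state - {role}

    def reachable(self, initial, goal):
        """BFS over the user's role sets; returns a witness action list or None."""
        start = frozenset(initial)
        if goal in start:
            return []
        seen, queue = {start}, deque([(start, [])])
        while queue:
            state, trace = queue.popleft()
            for action, nxt in self.enabled(state):
                if nxt in seen:
                    continue
                seen.add(nxt)
                if goal in nxt:
                    return trace + [action]
                queue.append((nxt, trace + [action]))
        return None


def relevant_roles(policy, goal, bound):
    """Abstraction step: roles within `bound` hops of `goal` in the
    role-dependency graph (a target depends on its precondition roles)."""
    roles, frontier = {goal}, {goal}
    for _ in range(bound):
        new = set()
        for rule in policy.assigns:
            if rule.target in frontier:
                new |= rule.positive | rule.negative
        frontier = new - roles
        if not frontier:
            break
        roles |= frontier
    return roles


def abstract(policy, roles):
    """Keep a rule only if its target and all its precondition roles are kept.
    The original state restricted to `roles` then evolves exactly as the
    abstract state does, so every abstract trace replays on the original:
    errors are one-sided, never spurious."""
    keep = tuple(r for r in policy.assigns
                 if r.target in roles and (r.positive | r.negative) <= roles)
    return Policy(keep, policy.revokes & frozenset(roles))


def replay(policy, initial, trace, goal):
    """Check a witness against the ORIGINAL policy before reporting it."""
    state = frozenset(initial)
    for action in trace:
        moves = dict(policy.enabled(state))
        if action not in moves:
            return False
        state = moves[action]
    return goal in state


def find_error(policy, initial, goal, max_bound=16):
    """Refinement loop: widen the role slice until an error appears or the
    slice stops growing. Returns (bound, witness); a None witness means no
    error was found within the bound, not a proof of safety beyond it."""
    prev = None
    for k in range(max_bound + 1):
        roles = relevant_roles(policy, goal, k)
        if roles == prev:                 # slice is closed: nothing to restore
            return k, None
        prev = roles
        witness = abstract(policy, roles).reachable(set(initial) & roles, goal)
        if witness is not None:
            if not replay(policy, initial, witness, goal):
                raise RuntimeError("abstraction produced a spurious witness")
            return k, witness
    return max_bound, None


# Constructed sample policy: a separation-of-duty error (Teller reaching
# Auditor) hides behind a revocation; the HR/Payroll/Benefits rules are
# irrelevant to the Auditor query and never enter the slice.
BANK = Policy(
    assigns=(
        CanAssign("Manager", frozenset({"Teller"}), frozenset({"Auditor"})),
        CanAssign("Auditor", frozenset({"Manager"}), frozenset({"Teller"})),
        CanAssign("HR", frozenset({"Trainee"})),
        CanAssign("Payroll", frozenset({"HR"})),
        CanAssign("Benefits", frozenset({"Payroll"}), frozenset({"Auditor"})),
    ),
    revokes=frozenset({"Teller", "Manager", "Trainee", "HR", "Payroll", "Benefits"}),
)

if __name__ == "__main__":
    print(find_error(BANK, {"Teller"}, "Auditor"))  # witness found at bound 1
    print(find_error(BANK, {"HR"}, "Auditor"))      # slice closes, no error
```

Two points from running it: the Teller query is answered on a slice of three roles and two rules out of eight roles and five rules, and the witness (assign Manager, revoke Teller, assign Auditor) is re-validated against the unabstracted policy before it is reported, which is the check that makes the one-sidedness claim concrete. The HR query shows the termination condition: once the dependency closure of the goal stops growing, further refinement cannot add anything, and the absence of a witness on that closed slice is the answer for this simplified model.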

Cited By

  • (2024) A Model Transformation based Security Policy Automatic Management Framework for Software-defined Networking. Computers & Security, doi:10.1016/j.cose.2024.103850 (103850). Online publication date: Apr-2024
  • (2023) Multiview. Proceedings of the 32nd USENIX Conference on Security Symposium, doi:10.5555/3620237.3620657 (7499-7516). Online publication date: 9-Aug-2023
  • (2023) Improving logging to reduce permission over-granting mistakes. Proceedings of the 32nd USENIX Conference on Security Symposium, doi:10.5555/3620237.3620261 (409-426). Online publication date: 9-Aug-2023
  • (2023) Formal Analysis of Access Control Mechanism of 5G Core Network. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, doi:10.1145/3576915.3623113 (666-680). Online publication date: 15-Nov-2023
  • (2022) A Survey on Empirical Security Analysis of Access-control Systems: A Real-world Perspective. ACM Computing Surveys 55(6), doi:10.1145/3533703 (1-28). Online publication date: 7-Dec-2022
  • (2021) Securing Workflows Using Microservices and Metagraphs. Electronics 10(24):3087, doi:10.3390/electronics10243087. Online publication date: 11-Dec-2021
  • (2021) Verification of Cloud Security Policies. 2021 IEEE 22nd International Conference on High Performance Switching and Routing (HPSR), doi:10.1109/HPSR52026.2021.9481870 (1-5). Online publication date: 7-Jun-2021
  • (2021) A Role-Based Administrative Model for Administration of Heterogeneous Access Control Policies and its Security Analysis. Information Systems Frontiers, doi:10.1007/s10796-021-10167-z. Online publication date: 21-Jul-2021
  • (2020) Automated Analysis of Access Control Policies Based on Model Checking. SN Computer Science 1(6), doi:10.1007/s42979-020-00307-8. Online publication date: 10-Oct-2020
  • (2019) Methods and Tools for Policy Analysis. ACM Computing Surveys 51(6), doi:10.1145/3295749 (1-35). Online publication date: 4-Feb-2019

Published In

cover image ACM Conferences
CCS '11: Proceedings of the 18th ACM conference on Computer and communications security
October 2011
742 pages
ISBN:9781450309486
DOI:10.1145/2046707
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. access control
  2. model checking
  3. program verification

Qualifiers

  • Research-article

Conference

CCS '11

Acceptance Rates

CCS '11 Paper Acceptance Rate 60 of 429 submissions, 14%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 22
  • Downloads (last 6 weeks): 4
Reflects downloads up to 06 Feb 2025

