![Page 1: Author: Graham Hughes, Tevfik Bultan Computer Science Department, University of California, Santa Barbara, CA 93106, USA Source: International Journal](https://reader033.vdocuments.us/reader033/viewer/2022042822/56649eb55503460f94bbe49a/html5/thumbnails/1.jpg)
Automated verification of access control policies using a SAT solver
Author: Graham Hughes, Tevfik Bultan
Computer Science Department, University of California, Santa Barbara, CA 93106, USA
Source: International Journal on Software Tools for Technology Transfer (STTT), Volume 10, Issue 6, October 2008
DOI: 10.1007/s10009-008-0087-9
Presented by Jui-Lung Yao, Master Student of CSIE, CCU
Outline
- Introduction
- A simple XACML policy
- Formal model
- Boolean logic formula
- Experiments
- Conclusion
Introduction
Flow chart: the language of XACML policies is described with the formal model; a policy is transformed into a Boolean logic formula, the formula is converted to conjunctive normal form (CNF), and the CNF formula is handed to a SAT solver.
A simple XACML policy
eXtensible Access Control Markup Language
OASIS standard (Organization for the Advancement of Structured Information Standards)
Example
The policy states that to be able to vote a person must be at least 18 years old and a person who has voted already cannot vote.
Age
At least 18 years old
Voted-yet
Voted already
Action
Vote
Environment
Our environment, the set of information we are interested in.
Formal model
Let R = {Permit, Deny, NotApp, Indet} be the set of valid results.
Let P be the set of valid policies.
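As an added illustration (not code from the paper or from this presentation), the following Python model evaluates the voting policy above over the result set R. Because the slides do not reproduce the paper's semantics function, it assumes XACML-style rules combined with deny-overrides and a bounded environment space (age up to a chosen bound); every environment receives exactly one result, so the result classes are pairwise disjoint.

```python
from itertools import product

# Result set R from the formal model. Indet is listed for completeness; the
# constructed targets below can always be evaluated, so it never arises here.
PERMIT, DENY, NOTAPP, INDET = 'Permit', 'Deny', 'NotApp', 'Indet'

# Constructed rules for the voting policy: (target, effect). A target says
# whether the rule applies to an environment; the effect is its result.
VOTING_RULES = [
    (lambda env: env['action'] == 'vote' and env['voted'], DENY),        # voted already
    (lambda env: env['action'] == 'vote' and env['age'] >= 18, PERMIT),  # at least 18
]

def deny_overrides(rules, env):
    """Assumed XACML deny-overrides combining: an applicable Deny wins over
    any Permit; with no applicable rule the policy is NotApplicable."""
    effects = {effect for target, effect in rules if target(env)}
    if DENY in effects:
        return DENY
    if PERMIT in effects:
        return PERMIT
    return NOTAPP

def environments(bound):
    """Finite environment space: age in 0..bound, voted flag, requested action."""
    for age, voted, action in product(range(bound + 1), (False, True), ('vote', 'read')):
        yield {'age': age, 'voted': voted, 'action': action}

def partition(rules, bound):
    """Map each result in R to the set of environments producing it. The sets
    are pairwise disjoint because every environment gets exactly one result."""
    classes = {r: set() for r in (PERMIT, DENY, NOTAPP, INDET)}
    for env in environments(bound):
        classes[deny_overrides(rules, env)].add((env['age'], env['voted'], env['action']))
    return classes

def check_v1(rules, bound):
    """Property V1: a subject who has voted already is never permitted to vote.
    Returns the permitted environments violating it ([] means V1 holds up to bound)."""
    return sorted(e for e in partition(rules, bound)[PERMIT] if e[1])

if __name__ == '__main__':
    print({r: len(s) for r, s in partition(VOTING_RULES, 120).items()})
    print(check_v1(VOTING_RULES, 120))        # []: V1 holds
    print(check_v1(VOTING_RULES[1:], 120))    # dropping the Deny rule breaks V1
```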
Semantics of policies
To formalize the semantics of policies, we define a function
Notation
We can now model our example as follows:
Normal form
Define an equivalence relation:
A function f that takes a policy and returns another policy equivalent to it is an eff-preserving transformation.
Shorthand
Define a shorthand 〈S, R, T〉, where S, R and T are pairwise disjoint, as follows:
For any policy p, a triple pT equivalent to it exists: the triple is just
〈S, R, T〉 reduction
Function g
Example
Applying f and g to policy
Basic predicates
BP is a set of basic predicates
Non-terminal C
Translation to Boolean logic formula
Conversion to CNF
The conversion creates an auxiliary variable for each sub-expression and then combines the auxiliary variables.
Example
Let P1 = 〈S1, R1, T1〉 and P2 = 〈S2, R2, T2〉 be two policies. We define the following partial orders:
Define:
25
Example (cont’)
Generate a formula F,
Send the property ¬F to the SAT solver.
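The two steps above, as an added example that is not the paper's or the presentation's own code: a CNF conversion that introduces one auxiliary variable per sub-expression (the Tseitin scheme the CNF slide describes), a minimal DPLL solver standing in for the real SAT solver, and the check that sends ¬F. The formula AST and the propositional encoding of the voting policy are constructed for this example.

```python
import itertools
# Constructed formula AST: ('var', name) | ('not', f) | ('and', f, g) | ('or', f, g)
def tseitin(formula):
    """One auxiliary variable per sub-expression, as the slide describes, then
    clauses tying each auxiliary to its operands. Literal -k means "not k"."""
    names, clauses, counter = {}, [], itertools.count(1)

    def walk(f):
        if f[0] == 'var':
            if f[1] not in names:
                names[f[1]] = next(counter)
            return names[f[1]]
        if f[0] == 'not':
            return -walk(f[1])
        a, b, x = walk(f[1]), walk(f[2]), next(counter)
        if f[0] == 'and':   # x <-> (a and b)
            clauses.extend([[-x, a], [-x, b], [x, -a, -b]])
        else:               # x <-> (a or b)
            clauses.extend([[-x, a, b], [x, -a], [x, -b]])
        return x

    return walk(formula), clauses, names   # (root literal, CNF clauses, name -> var)

def dpll(clauses, assign=None):
    """Minimal DPLL SAT solver: a satisfying assignment {var: bool} or None."""
    assign = assign or {}
    if not clauses:
        return assign
    if any(not c for c in clauses):        # an empty clause cannot be satisfied
        return None
    unit = next((c[0] for c in clauses if len(c) == 1), None)
    for lit in ([unit] if unit is not None else [clauses[0][0], -clauses[0][0]]):
        rest = [[l for l in c if l != -lit] for c in clauses if lit not in c]
        model = dpll(rest, {**assign, abs(lit): lit > 0})
        if model is not None:
            return model
    return None

def counterexample(prop):
    """prop holds in every environment iff not(prop) is unsatisfiable, so the
    solver gets not(prop): None means prop holds, a model is a counterexample."""
    root, clauses, names = tseitin(('not', prop))
    model = dpll(clauses + [[root]])
    return None if model is None else {n: model.get(v, False) for n, v in names.items()}

# Constructed encoding of the voting policy: Permit iff at least 18 and not voted already.
AGE_OK, VOTED = ('var', 'age_ok'), ('var', 'voted')
PERMIT = ('and', AGE_OK, ('not', VOTED))
V1 = ('or', ('not', VOTED), ('not', PERMIT))          # voted already -> never permitted
BROKEN_V1 = ('or', ('not', VOTED), ('not', AGE_OK))   # same property, policy lacks the voted check
```

`counterexample(V1)` returns None, while `counterexample(BROKEN_V1)` returns `{'voted': True, 'age_ok': True}`, the environment a real solver would report against the defective policy.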
Experiments
Use the Continue example, encoded into XACML by Fisler et al. Continue is a Web-based conference management tool that supports paper submission, review, discussion and notification.
Use the Medico example from the XACML specification, which models a simple medical database meant to be accessed by physicians.
Use the encoded voting example.
Experiments (cont.)
Property C1 tests that the conference manager correctly denies program committee chairs the ability to review papers they have a conflict with.
Properties C2 and C7 test that the conference manager permits program committee members to edit reviews they own.
Properties C3 and C8 test that the conference manager denies access to users without a defined role.
Properties C4 and C5 test that the conference manager permits a program committee member who has called a meeting to read documents concerning the meeting, but not other arbitrary documents.
Property C6 tests whether the conference manager permits program committee members to read all parts of a review.
Experiments (cont.)
Property C9 tests whether the conference manager permits unauthorized user roles to set meetings.
Properties C10 and C11 test that the conference manager permits program committee members who have filed their review to read the reviews of others, and denies program committee members who have not yet filed their review from reading other reviews.
Properties M1 and M2 test whether the unified Medico policy permits a physician to edit the medical records of their patients.
Property V1 is the voting property.
Margrave
Margrave is a change impact analysis tool for the XACML language.
The CONTINUE example only runs under Margrave 1-1 and XACML 1.0.
Margrave parses the XACML and converts it into a form suitable for analysis only once, and can then check as many properties as desired. It manages this by using a binary decision diagram (BDD) for analysis.
Table 1: Verification performance under this work
Table 2: Verification performance under Margrave
Conclusion
We have presented a formal model for access control policies, and shown how to verify interesting properties about such models in an automated way.
We translate queries about access control policies to Boolean satisfiability problems and use a SAT solver to obtain an answer.
For finite state specifications our approach is sound and complete as long as the user chooses a sufficiently large bound and the complex XACML functions are not used in the specification.
Thank you for listening.