Access Control Synthesis for Physical Spaces (PowerPoint presentation)
Petar Tsankov, Mohammad Torabi Dashti, David Basin, Institute of Information Security, ETH Zurich

Setting
Physical access control in airports, corporate buildings, sport centers and similar sites: enclosed spaces (lobby, meeting room, office) connected by locks.
Global requirement: "Employees can access the office from the main entrance"
Local policy, written on a single lock: "Only employees can enter"
Wrong deny! Eric is denied even though the global requirement says employees can reach the office from the main entrance: a policy on one lock does not by itself enforce a requirement about a path through several locks.
Challenge
Come up with local policies, one per lock, that together enforce all global requirements.
Current Practice: Manual Policy Writing
Inputs: the physical space and the global requirements. Output: local policies for the locks (at the start there are no policies yet).

Problems
1. Cannot satisfy requirements one-by-one.
   Example: R1: Visitors can access the meeting room. A policy written for R1 alone lets Victor, a visitor, into the meeting room. Now add R2: Visitors cannot access the meeting room if they have not passed through the lobby. Wrong permit! Under the policy written for R1, Victor can reach the meeting room without passing through the lobby, so R2 is violated and the policies have to be revised.
2. Rewrite policies upon changes to the physical space or requirements.
3. No security guarantees: are the resulting policies correct?
Policy Synthesis
Current practice: manual policy writing from the requirements and the physical space.
Our approach: automated policy synthesis from the requirements and the physical space.

Goal
Automatically compute correct local policies for a given physical space and its global requirements.

Contributions
§ Formalization of physical access control
§ Expressive declarative language for specifying global requirements
§ Efficient synthesis algorithm based on SMT solving
§ Demonstration of the approach on realistic case studies
Formalizing Physical Spaces
A physical space (entry, lobby, corridor, office, meeting room) is formalized as a graph:
Enclosed space = Node
Lock = Edge
Nodes are labelled with attributes (e.g., to mark security zones).
Local Policies
Attribute-based policies over:
§ Subject attributes (e.g. role)
§ Contextual attributes (e.g. time)
Example: role = visitor ∧ (8 ≤ time ≤ 20)

Local policy semantics
§ An access request maps attributes to values
§ A lock grants an access request if the access request satisfies the lock's local policy
Semantics of Physical Access Control
An access request is authorized along a path if all locks along the path grant it.

Example
AccReq = {role ↦ visitor, time ↦ 6}
Lock policy: role = visitor ∧ (8 ≤ time ≤ 20)
The lock denies AccReq: the role matches, but time = 6 lies outside the window 8 ≤ time ≤ 20.
The locks that grant a request induce a subgraph of the physical space (here: entry, lobby, corridor, meeting room); the request is authorized to reach exactly the spaces reachable from the entry within that subgraph.
Specifying Global Requirements

Requirement examples (lobby, meeting room, office)
§ Visitors can access the meeting room
§ Visitors cannot access the meeting room if they have not passed through the lobby
§ Non-employees cannot access the office

The SpCTL Language
Key features
§ Subject & contextual attributes, e.g. role, time
§ Resource attributes, e.g. security_zone
§ Quantification over paths
Common patterns: Permission (A can be reached), Prohibition (A cannot be reached), Waypointing (B can be reached only by passing through A)
Example: (role = visitor) ∧ (8 ≤ time ≤ 20) ⇒ EF(id = mr)
A SpCTL requirement is a constraint over subject & contextual attributes (left of ⇒) implying a CTL formula over resource attributes (right of ⇒).
Policy Synthesis Problem
Input: the global requirements, e.g. role = visitor ⇒ EF(id = mr), ..., and the physical space
Output: local policies for the locks, e.g. (role = employee), or Unsat if no local policies enforce all requirements
How hard is this problem?
Complexity of Policy Synthesis
Theorem 1. The policy synthesis problem is decidable.
Proof. We give a synthesis algorithm that uses CTL controller synthesis as a subroutine.
Theorem 2. The policy synthesis problem is NP-hard.
Proof. Through reduction from propositional satisfiability to policy synthesis.
Unfortunately, the running time of the algorithm from Theorem 1 is exponential in the number of requirements.
Policy Synthesis using SMT Solving
Input: the requirements (role = visitor ⇒ EF(id = mr), ...) and the physical space.
Encode the requirements' satisfaction using SMT constraints: a model of the constraints identifies correct local policies; Unsat means no local policies enforce all requirements.

Policy Synthesis Algorithm
Local policy templates χ fix the shape of each lock's policy and leave only its parameters to the solver.
Example template: (role = ◻) ∧ (◻ ≤ time ≤ ◻)
Example instantiation: (role = visitor) ∧ (8 ≤ time ≤ 20)
Templates serve two purposes: they synthesize concise local policies and they reduce the search space.
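The path semantics (a request is authorized along a path if every lock on it grants it), the three SpCTL patterns (permission, prohibition, waypointing) and the template-based search of the synthesis algorithm, worked through as an added example. This is not code from the slides or from the SpCTL tool: the space, the locks (including an invented side door `side` from the entry into the corridor), requirements R1..R4, the role/time template and the sampled time values are all constructed for illustration, and the search is brute-force enumeration over template instantiations instead of the paper's SMT encoding, checking requirements over a finite request domain rather than symbolically.

```python
"""Constructed toy model of physical access control and policy synthesis.

Not the SpCTL tool's code. Spaces are graph nodes, locks are edges, a local
policy is an attribute predicate, and a request is authorized along a path
if every lock on the path grants it. Global requirements follow SpCTL's
"attribute constraint => CTL formula over spaces" shape and are checked over
a finite request domain; synthesis brute-forces local policy templates
instead of encoding them as SMT constraints as the paper does.
"""
from itertools import combinations, product

# Physical space (constructed). Node -> resource attributes; "side" is an
# invented side door leading from the entry straight into the corridor.
SPACES = {
    "entry":    {"zone": "public"},
    "lobby":    {"zone": "public"},
    "corridor": {"zone": "internal"},
    "mr":       {"zone": "internal"},      # meeting room
    "office":   {"zone": "restricted"},
}
LOCKS = {  # lock name -> (from, to)
    "lob":  ("entry", "lobby"),
    "side": ("entry", "corridor"),
    "cor":  ("lobby", "corridor"),
    "mr":   ("corridor", "mr"),
    "off":  ("corridor", "office"),
}
ROOT = "entry"

# Local policy template: (allowed roles, optional time window) stands for
# (role in roles) and (lo <= time <= hi).  Requests are sampled from a
# finite domain (constructed) instead of being treated symbolically.
ROLES = ("visitor", "employee")
TIMES = (6, 8, 14, 20, 21)          # sample points around the 8..20 window
REQUESTS = [{"role": r, "time": t} for r in ROLES for t in TIMES]

def grants(policy, req):
    """Local policy semantics: the lock grants req iff req satisfies the predicate."""
    roles, window = policy
    if req["role"] not in roles:
        return False
    return window is None or window[0] <= req["time"] <= window[1]

def reachable(policies, req, target, avoid=()):
    """EF(id = target) for req: is target reachable from ROOT using only
    locks that grant req, without entering any node in `avoid`?"""
    seen, stack = set(), [ROOT]
    while stack:
        node = stack.pop()
        if node in seen or node in avoid:
            continue
        seen.add(node)
        if node == target:
            return True
        for lock, (src, dst) in LOCKS.items():
            if src == node and grants(policies[lock], req):
                stack.append(dst)
    return False

# The three SpCTL patterns as checks over the subgraph of granting locks:
#   permission   EF(id = X)          X is reachable
#   prohibition  not EF(id = X)      X is unreachable
#   waypointing  not E[not A U X]    X is unreachable once A is avoided
def permission(x):     return lambda p, r: reachable(p, r, x)
def prohibition(x):    return lambda p, r: not reachable(p, r, x)
def waypointing(a, x): return lambda p, r: not reachable(p, r, x, avoid={a})

# Global requirements: (name, guard over subject/contextual attrs, CTL check).
REQUIREMENTS = [
    ("R1 visitors can access the meeting room during 8..20",
     lambda r: r["role"] == "visitor" and 8 <= r["time"] <= 20, permission("mr")),
    ("R2 visitors reach the meeting room only via the lobby",
     lambda r: r["role"] == "visitor", waypointing("lobby", "mr")),
    ("R3 non-employees cannot access the office",
     lambda r: r["role"] != "employee", prohibition("office")),
    ("R4 employees can access the office",
     lambda r: r["role"] == "employee", permission("office")),
]

def first_violation(policies, requirements=REQUIREMENTS):
    """Name of the first requirement violated by some request in the domain, else None."""
    for name, guard, check in requirements:
        for req in REQUESTS:
            if guard(req) and not check(policies, req):
                return name
    return None

def synthesize(requirements=REQUIREMENTS):
    """Enumerate template instantiations per lock, most permissive first, and
    return the first assignment satisfying every requirement; None means the
    requirements are unsatisfiable on this space (the paper's Unsat)."""
    role_sets = [frozenset(s) for k in range(len(ROLES), -1, -1)
                 for s in combinations(ROLES, k)]
    templates = [(rs, w) for rs in role_sets for w in (None, (8, 20))]
    for choice in product(templates, repeat=len(LOCKS)):
        policies = dict(zip(LOCKS, choice))
        if first_violation(policies, requirements) is None:
            return policies
    return None

if __name__ == "__main__":
    for lock, (roles, window) in synthesize().items():
        print(f"{lock:5} := role in {sorted(roles)}"
              + (f" and {window[0]} <= time <= {window[1]}" if window else ""))
```

Enumerating the most permissive templates first is a stand-in for the paper's concern with concise policies. With the constructed requirements the search returns `lob`, `cor` and `mr` open to both roles and `side` and `off` restricted to employees: R2 is what forces the side door shut for visitors, since a visitor who could use it would reach the meeting room without passing through the lobby, and R3 is what restricts `off`. Adding a requirement that contradicts R3 (visitors can access the office) makes `synthesize` return None, the Unsat outcome of the synthesis problem.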
Implementation and Evaluation

Implementation
Inputs: the physical space model and the requirements (in SpCTL)
→ Python translator from SpCTL to SMT-LIB v2 (SMT constraints over the template parameters χ)
→ SMT solver
→ Local policies, e.g.
cor ≔ (8 ≤ time ≤ 20) ∧ correctPIN
lob ≔ (8 ≤ time ≤ 20)
off ≔ (role = employee)
...
Our system is publicly available: https://github.com/ptsankov/SpCTL
Evaluation: Case Studies
Case study            Physical spaces   Locks   Requirements   Synthesis time
KABA Headquarters     20                41      10             25s
ETH's CS Department   66                127     14             10s
Airport Terminal      13                32      15             2s

Summary
§ Global requirements (e.g. "Employees can access the office from the main entrance") vs local enforcement (e.g. "Only employees can enter"): synthesis computes the local policies from the global requirements
§ Approach scales to realistic problems