Parameterized Verification goes Safety Analysis of Access Control - - PowerPoint PPT Presentation



SLIDE 1

Parameterized Verification goes Safety Analysis of Access Control Policies

Silvio Ranise, Riccardo Traverso, Anh Truong

FBK-Irst, Trento, Italy

Metodi dichiarativi nella verifica di sistemi parametrici Milano, 25-26 Settembre, 2014

Ranise (FBK) Parameterized Safety Analysis of AC Policies DMUM 1 / 40

SLIDE 2

Access Control

The process of

◮ mediating requests to resources and data maintained by a system

and

◮ determining whether a request should be granted or denied

Crucial role in system security

Usually separation between

◮ policies specified by a language with an underlying model
◮ mechanisms enforcing policies

Separation implies

◮ protection requirements are independent of their implementation
◮ analysis of policies can be done abstractly

SLIDE 3

The naive approach to access control

User    | Permission
Alice   | GrantTenure
Alice   | AssignGrades
Alice   | ReceiveHBenefits
Alice   | UseGym
Bob     | GrantTenure
Bob     | AssignGrades
Bob     | UseGym
Charlie | GrantTenure
Charlie | AssignGrades
Charlie | UseGym
David   | AssignHWScores
David   | Register4Courses
David   | UseGym
Eve     | ReceiveHBenefits
Eve     | UseGym
Fred    | Register4Courses
Fred    | UseGym
Greg    | UseGym

SLIDE 4

Better: Role-based Access Control (RBAC)

role = indirection between users and permissions
a role corresponds to a job function and/or qualifications
users are made members of roles

SLIDE 5

RBAC: basic model

User Assignment (UA)

User    | Role
Alice   | PCMember
Bob     | Faculty
Charlie | Faculty
David   | TA
David   | Student
Eve     | UEmployee
Fred    | Student
Greg    | UMember

Permission Assignment (PA)

Role      | Permission
PCMember  | GrantTenure
PCMember  | AssignGrades
PCMember  | ReceiveHBenefits
PCMember  | UseGym
Faculty   | AssignGrades
Faculty   | ReceiveHBenefits
Faculty   | UseGym
TA        | AssignHWScores
TA        | Register4Courses
TA        | UseGym
UEmployee | ReceiveHBenefits
UEmployee | UseGym
Student   | Register4Courses
Student   | UseGym
UMember   | UseGym

SLIDE 6

An even better approach: RBAC + role hierarchy

role = indirection between users and permissions
a role corresponds to a job function and/or qualifications
users are made members of roles
roles are organized in a role hierarchy
  “more senior than” relation
  permission “inheritance”

SLIDE 7

RBAC + role hierarchy

User Assignment (UA)

User    | Role
Alice   | PCMember
Bob     | Faculty
Charlie | Faculty
David   | TA
David   | Student
Eve     | UEmployee
Fred    | Student
Greg    | UMember

Permission Assignment (PA)

Role      | Permission
PCMember  | GrantTenure
Faculty   | AssignGrades
TA        | AssignHWScores
UEmployee | ReceiveHBenefits
Student   | Register4Courses
UMember   | UseGym

Role Hierarchy (figure; not recoverable from the extracted text)

SLIDE 8

Administration of Access Control Policies

In a large, possibly distributed, system (e.g., Dresdner bank: 40,000 users and 1,400 permissions), a single security officer cannot administer the entire system

Several security officers

◮ On the one hand, offer the flexibility and scalability to cope with large, complex, and distributed systems
◮ On the other hand, imply reduced control and security:
  ⋆ arbitrary modifications of policies can give untrusted users access permissions to sensitive resources
  ⋆ to what degree can we trust administrators?

SOLUTION: administrative modification of policies is subject to constraints

SLIDE 9

Constrained Administration of RBAC policies: ARBAC

Only certain administrators can perform a given set of permitted administrative actions:

◮ assigning a role to a user
◮ revoking a role from a user

Conditions on the execution of administrative actions: administrative domains identifying administrators that can take the responsibility to execute an action on certain users
In the literature, several ways to define administrative domains
Most popular: administrative domains as (combinations of) roles
In other words: use RBAC policies to regulate modifications to RBAC policies

SLIDE 10

The ARBAC Model

  • R. Sandhu, V. Bhamidipati, and Q. Munawer. The ARBAC97 Model for Role-Based Administration of Roles. ACM Transactions on Information and System Security (TISSEC), 2(1): 105-135, Feb. 1999.

SLIDE 11

The ARBAC Model: overview

Administrative actions:

Ca|C → r : assigning role r to a user in the administrative domain C can be performed by an administrator in domain Ca
Ca → r : revoking role r from a user assigned to it can be performed by an administrator in domain Ca

What are C and Ca? Finite sets of signed roles:

◮ positive: +r (requiring user/admin. belongs to r)
◮ negative: −r (requiring user/admin. does not belong to r)

Meaning:

◮ C = {+r1, +r2, −r3} requires user assigned to r1 and r2 but not to r3
◮ Ca = {−r1, +r4} requires administrator assigned to r4 but not to r1

SLIDE 17

Observation

Only the user-role assignment relation UA is modified since this, by design, is the one that is most frequently updated ...
... while the permission-assignment PA and the role hierarchy are rarely changed

This is standard in the literature about the analysis of ARBAC policies ...
... and also reasonable in practice

SLIDE 18

Analysis of ARBAC Policies

  • A. Sasturkar, P. Yang, S. D. Stoller, and C.R. Ramakrishnan. Policy Analysis for Administrative Role Based Access Control. Theoretical Computer Science 412(44):6208-6234, October 2011.

SLIDE 19

Motivation

Difficulties in considering

◮ all possible interleavings of permitted administrative actions (usually very large number for complex and distributed systems)
◮ the effect of changes to permitted administrative actions due to evolving requirements

Need of push-button safety analysis techniques for both

◮ first-time and
◮ evolving

administrative policies

SLIDE 20

Analysis of ARBAC policies: safety

Problem instance is identified by the following tuple: (ι, ψ, (ug, Cg))

  ι: initial RBAC policy
  ψ = can_assign ∪ can_revoke: permitted administrative actions
  (ug, Cg): goal formed by a user ug and a condition Cg (set of signed roles)

⇒ PSPACE-complete!

SLIDE 21

Meaning of the Safety Problem

(ι, ψ, (ug, Cg))

Does there exist a sequence of administrative actions that can be applied to the initial RBAC policy ι so as to obtain a new RBAC policy in which ug satisfies condition Cg (i.e. ug is assigned to r if +r ∈ Cg and is not assigned to r if −r ∈ Cg)?

SLIDE 22

Solving First-time Safety Problems

  • S. Ranise. Symbolic backward reachability with effectively propositional logic - Applications to security policy analysis. Formal Methods in System Design 42(1): 24-45 (2013)

SLIDE 23

Our technique to solve first-time Safety Problems for ARBAC policies: ASASP

ι: initial temporal RBAC policy
ψ: all possible administrative actions (assigning/revoking roles)
(u, C): goal encoding the following question “can user u satisfy condition C?”
Answer: yes (reachable) / no (unreachable)

SLIDE 24

Our technique to solve first-time Safety Problems for ARBAC policies: ASASP

Translator

Perform faithful symbolic encoding of safety problem: use first-order logic to represent

1. initial RBAC policy ι and goal (u, C) by formulae
2. administrative actions ∈ ψ by formulae τ1, ..., τn
3. goal (u, C) is reachable ⇔ there exists k ≥ 0 such that Init_ι ∧ τ_i1 ∧ ··· ∧ τ_ik ∧ Goal_(u,C) is satisfiable

SLIDE 25

Example of translation

Goal (?, {+r1, −r3}):
  ∃u. (r1(u) ∧ ¬r3(u))

Assignment rule {+r3}|{+r1, −r4} → r2 (primed predicates denote the user-role assignment after the action):
  ∃a, u. ( r3(a) ∧ r1(u) ∧ ¬r4(u) ∧
           ∀x. r2′(x) ⇔ ((x = u) ∨ r2(x)) ∧
           ⋀_{ρ ≠ r2} ∀x. ρ′(x) ⇔ ρ(x) )

Revocation rule {+r1} → r3:
  ∃a, u. ( r1(a) ∧ r3(u) ∧
           ∀x. r3′(x) ⇔ ((x ≠ u) ∧ r3(x)) ∧
           ⋀_{ρ ≠ r3} ∀x. ρ′(x) ⇔ ρ(x) )

Initial RBAC policy empty:
  ⋀_ρ ∀x. ¬ρ(x)

SLIDE 26

Our technique to solve first-time Safety Problems for ARBAC policies: ASASP

MCMT

Perform symbolic backward reachability:

1. compute increasingly precise approximations of the set of Backward Reachable (BR) states from goal (u, C)
2. fix-point check by satisfiability checking between formulae representing approximations of the set of BR states
3. safety check by satisfiability checking between formulae representing current approximation of the set of BR states and set of initial states
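The backward reachability loop of this slide, worked on the signed-role conditions of slide 11, as an added Python example (not code from the talk or from ASASP/MCMT). It assumes separate administration, i.e. administrators' role memberships are fixed and never changed by the actions, so the backward reachable set is a list of conditions on the one target user, the fix-point check is subsumption between conditions, and the safety check tests them against the initial UA; the rule encoding, the role names and the administrator sets are assumptions of this example.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Lit = Tuple[str, bool]   # (role, True) encodes +role, (role, False) encodes -role
Cond = FrozenSet[Lit]     # finite set of signed roles, the C and Ca of slide 11

def cond(*lits: str) -> Cond:
    """Parse signed roles written as on the slides, e.g. cond('+r1', '-r3')."""
    return frozenset((l[1:], l[0] == '+') for l in lits)

def consistent(c: Cond) -> bool:
    """A condition is satisfiable unless it demands both +r and -r for some r."""
    return not any((r, not s) in c for (r, s) in c)

def satisfies(roles: Set[str], c: Cond) -> bool:
    return all((r in roles) == s for (r, s) in c)

class ARBAC:
    # Separate administration (assumption): administrators' roles are fixed, so
    # only the target user's roles change and a BR state is one Cond on that user.
    def __init__(self, can_assign: List[Tuple[Cond, Cond, str]],
                 can_revoke: List[Tuple[Cond, str]], admins: List[Set[str]]):
        self.can_assign = can_assign   # rules Ca|C -> r stored as (Ca, C, r)
        self.can_revoke = can_revoke   # rules Ca -> r stored as (Ca, r)
        self.admins = admins           # role sets of the (fixed) administrators

    def admin_exists(self, ca: Cond) -> bool:
        return any(satisfies(a, ca) for a in self.admins)

    def pre_image(self, c: Cond) -> List[Cond]:
        """Conditions holding one administrative action before c holds."""
        pres = []
        for ca, cpre, r in self.can_assign:
            if (r, True) in c and self.admin_exists(ca):
                p = (c - {(r, True)}) | cpre      # before assigning r, u met C
                if consistent(p):
                    pres.append(p)
        for ca, r in self.can_revoke:
            if (r, False) in c and self.admin_exists(ca):
                pres.append((c - {(r, False)}) | {(r, True)})  # u held r before
        return pres

    def backward_reachable(self, goal: Cond) -> List[Cond]:
        """Steps 1-2: grow the BR set from the goal; a pre-image p is dropped
        when some k already in the set entails it (k is a subset of p)."""
        br, frontier = [goal], [goal]
        while frontier:
            new = []
            for c in frontier:
                for p in self.pre_image(c):
                    if not any(k <= p for k in br):
                        br.append(p)
                        new.append(p)
            frontier = new   # empty frontier: fix-point reached
        return br

    def is_safe(self, init_ua: Dict[str, Set[str]], user: str, goal: Cond) -> bool:
        """Step 3: safe iff no BR condition holds for `user` in the initial UA."""
        roles = init_ua.get(user, set())
        return not any(satisfies(roles, c) for c in self.backward_reachable(goal))
```

On the instance of slide 25 (empty initial policy, goal {+r1, −r3}) the loop stops after one pre-image, {+r1, +r3}, and reports the goal unreachable, since no rule ever assigns r1.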

SLIDE 27

ASASP

http://st.fbk.eu/technologies/asasp

  • S. Ranise, A. T. Truong, and A. Armando. Boosting Model Checking to Analyse Large ARBAC Policies. Security and Trust Management - 8th International Workshop, STM 2012, Revised Selected Papers. Springer 2013, Lecture Notes in Computer Science, pp. 273-288

theory underlying MCMT

  • S. Ghilardi and S. Ranise. Backward Reachability of Array-based Systems by SMT solving: Termination and Invariant Synthesis. Logical Methods in Computer Science 6(4) (2010)

SLIDE 28

Our technique to solve first-time Safety Problems for ARBAC policies: ASASP

Crucial advantages

Reachability with respect to a finite but unknown number of users

When using effectively monadic Bernays-Schönfinkel-Ramsey formulae (BSR1 or ∃∀1)

  ∃x1, ..., xn. ∀y1, ..., ym. ϕ(x1, ..., xn, y1, ..., ym)

where ϕ is quantifier-free, does not contain function symbols, and predicate symbols are (at most) unary, backward reachability is decidable, i.e.

◮ safety and fix-point checks are decidable (as BSR satisfiability is so)
◮ fix-point can always be computed

SLIDE 29

Correctness (I)

Goal formula is an ∃-formula
Pre-image computation of ∃-formulae generates ∃-formulae (closure under pre-image computation) ⇒ simple logical manipulations
Set of backward reachable states represented by ∃-formulae
Intersection with initial state: satisfiability of ∃∀-formula obtained by conjoining ∀-formula for initial states and ∃-formula
Fix-point check: validity of implication between two ∃-formulae ⇔ satisfiability of ∃∀-formula obtained by conjoining ∃-formula and negation of ∃-formula, i.e. a ∀-formula
Satisfiability of ∃∀-formulae (BSR) is decidable

SLIDE 30

Correctness (II)

Why can the fix-point always be computed?

Semantic argument: models of formulae (representing configurations) can be well-ordered according to a particular homomorphism (called embedding)

Roughly

◮ domains are ordered by sub-set relation and
◮ faithful interpretation of predicates: if element belongs to the interpretation of a predicate in one model, then it also belongs to the interpretation of the predicate in the other model

Re-use results by Abdulla, Finkel, Schnoebelen about termination of backward reachability on well-ordered systems

For termination: crucial that arity of predicates is at most one

SLIDE 31

Correctness (summary)

Theorem
The safety problem for ARBAC policies is decidable, even when considering a finite but unknown number of users!

Proof
Translator such that goal (u, C) is reachable with ψ ⇔ there exists k ≥ 0 such that Init_ι ∧ τ_i1 ∧ ··· ∧ τ_ik ∧ Goal_(u,C) is satisfiable
MCMT capable of automatically solving problem above since formulae are all in BSR1

SLIDE 32

Experiments

Benchmarks taken from reachability problems shipped with other systems

◮ Mohawk: (very) large, biased to debugging
  https://code.google.com/p/mohawk
◮ VAC: medium/large/very large, both debugging and verification
  http://users.ecs.soton.ac.uk/gp4/VAC.html
◮ PMS: small/medium, both debugging and verification
  http://www.cs.binghamton.edu/~pyang & http://ecs.fullerton.edu/~mgofman

Separate vs Non-separate administration

◮ Mohawk: only separate
◮ VAC: both separate and non-separate (unbounded # users)
◮ PMS: non-separate (bounded number of users)

SLIDE 33

Mohawk: complex (separate)

Times in seconds; TO = time-out, Err = error; last column = number of rules left by VAC’s slicer.

Test suite   | #Roles ⋄ #Rules | Answer | MOHAWK Time | VAC Fwd Time | VAC Prll Time | PMS Time | ASASP Time | VAC’s Slicer #Rules
Test suite 1 | 40 ⋄ 200        | Unsafe | 0.94   | 0.66 | 0.48  | 0.53  | 0.32 | 1
Test suite 1 | 200 ⋄ 1000      | Unsafe | 2.65   | 0.91 | 0.44  | 0.52  | 0.28 | 1
Test suite 1 | 500 ⋄ 2500      | Unsafe | 4.87   | 1.57 | 0.92  | 1.06  | 0.73 | 1
Test suite 1 | 4000 ⋄ 20000    | Unsafe | 16.90  | 1.89 | 33.51 | 22.33 | 1.24 | 1
Test suite 1 | 20000 ⋄ 80000   | Unsafe | 51.56  | 2.52 | TO    | TO    | 1.17 | 1
Test suite 1 | 30000 ⋄ 120000  | Unsafe | 65.54  | 4.32 | TO    | TO    | 1.68 | 1
Test suite 1 | 40000 ⋄ 200000  | Unsafe | 131.14 | 9.84 | TO    | TO    | 2.25 | 1
Test suite 2 | 40 ⋄ 200        | Unsafe | 1.21   | 0.51 | 0.57  | 0.54  | 0.16 | 1
Test suite 2 | 200 ⋄ 1000      | Unsafe | 2.54   | 0.73 | 0.49  | 0.61  | 0.14 | 1
Test suite 2 | 500 ⋄ 2500      | Unsafe | 5.02   | 1.02 | 1.14  | 0.73  | 0.43 | 1
Test suite 2 | 4000 ⋄ 20000    | Unsafe | 12.31  | 1.33 | 26.16 | 19.38 | 1.08 | 1
Test suite 2 | 20000 ⋄ 80000   | Unsafe | 24.42  | 4.75 | TO    | TO    | 1.01 | 1
Test suite 2 | 30000 ⋄ 120000  | Unsafe | 94.85  | 6.77 | TO    | TO    | 1.09 | 1
Test suite 2 | 40000 ⋄ 200000  | Unsafe | 140.89 | 9.89 | TO    | TO    | 1.49 | 1
Test suite 3 | 40 ⋄ 200        | Unsafe | 0.87   | 0.57 | 0.38  | 0.47  | 0.17 | 1
Test suite 3 | 200 ⋄ 1000      | Unsafe | 5.93   | 1.93 | 0.82  | 0.98  | 0.51 | 1
Test suite 3 | 500 ⋄ 2500      | Unsafe | 3.78   | 0.93 | 0.64  | 0.86  | 0.12 | 1
Test suite 3 | 4000 ⋄ 20000    | Unsafe | 14.05  | 4.01 | 18.43 | 13.29 | 1.12 | 1
Test suite 3 | 20000 ⋄ 80000   | Unsafe | 30.29  | 3.56 | TO    | TO    | 2.65 | 1
Test suite 3 | 30000 ⋄ 120000  | Unsafe | 109.16 | 9.13 | TO    | TO    | 1.89 | 1
Test suite 3 | 40000 ⋄ 200000  | Unsafe | 154.12 | 9.92 | TO    | TO    | 2.15 | 1

SLIDE 34

Mohawk: Dresden Bank (separate)

Times in seconds; TO = time-out, Err = error; last column = number of rules left by VAC’s slicer.

Test case     | #Roles ⋄ #Rules | Answer | MOHAWK Time | VAC Fwd Time | VAC Prll Time | PMS Time | ASASP Time | VAC’s Slicer #Rules
10_branches_s | 343 ⋄ 2225      | Unsafe | 2.42  | 0.39 | 0.35 | 0.32 | 0.17  | 2
20_branches_s | 683 ⋄ 4445      | Unsafe | 3.59  | 0.42 | 0.60 | 0.52 | 0.49  | 2
30_branches_s | 1023 ⋄ 6665     | Unsafe | 4.68  | 0.51 | 1.47 | 0.92 | 1.65  | 2
40_branches_s | 1363 ⋄ 8885     | Unsafe | 5.70  | 0.63 | 2.13 | 1.98 | 2.01  | 2
10_branches_d | 343 ⋄ 2225      | Unsafe | 19.93 | 0.40 | TO   | TO   | 20.30 | 2
20_branches_d | 683 ⋄ 4445      | Unsafe | 36.11 | 0.43 | TO   | Err  | 32.08 | 2
30_branches_d | 1023 ⋄ 6665     | Unsafe | 31.97 | 1.29 | TO   | TO   | 46.01 | 2
40_branches_d | 1363 ⋄ 8885     | Unsafe | 56.92 | 1.98 | TO   | TO   | 52.45 | 2

SLIDE 35

VAC

Times in seconds (6m10 = 6 min 10 s); TO = time-out, Err = error; last column = number of rules left by VAC’s slicer.

Separate

Test case | #Roles ⋄ #Rules | Answer | MOHAWK Time | VAC Fwd Time | VAC Prll Time | PMS Time | ASASP Time | VAC’s Slicer #Rules
Bank1     | 531 ⋄ 5126      | Safe   | Err | 0.36 | TO | TO  | 6m10  |
Bank2     | 531 ⋄ 5126      | Safe   | Err | 0.48 | TO | TO  | 5m53  |
Bank3     | 531 ⋄ 5126      | Unsafe | Err | 0.76 | TO | Err | 21m12 | 2
Bank4     | 531 ⋄ 5126      | Unsafe | Err | 1.97 | TO | TO  | 16m2  | 5

Non-separate

Test case   | #Roles ⋄ #Rules | Answer | VAC Fwd Time | VAC Prll Time | PMS Time | ASASP Time | VAC’s Slicer #Rules
Hospital1   | 13 ⋄ 37         | Safe   | 0.06 | 0.71 | Err     | 0.67  | 5
Hospital2   | 13 ⋄ 37         | Safe   | 0.09 | 0.87 | 3m15.71 | 1.04  | 5
Hospital3   | 13 ⋄ 37         | Unsafe | 0.29 | 0.85 | 0.49    | 1.13  | 2
Hospital4   | 13 ⋄ 37         | Unsafe | 0.47 | 0.62 | 0.26    | 3.6   | 4
University1 | 32 ⋄ 449        | Safe   | 0.09 | 0.89 | Err     | 1.91  | 7
University2 | 32 ⋄ 449        | Unsafe | 0.68 | 0.67 | 0.56    | 0.60  | 8
University3 | 32 ⋄ 449        | Safe   | 0.06 | TO   | Err     | 10.17 | 5
University4 | 32 ⋄ 449        | Unsafe | 1.85 | 0.62 | TO      | TO    | 12

SLIDE 36

PMS

Times in seconds (1m3.26 = 1 min 3.26 s).

Test case | #Roles ⋄ #Rules | Answer | VAC Fwd Time | VAC Prll Time | PMS Time | ASASP Time
Test 1    | 13 ⋄ 37         | Unsafe | 16.06   | 0.63 | 0.48    | 4.59
Test 2    | 13 ⋄ 37         | Safe   | 0.19    | 0.67 | 0.45    | 0.53
Test 3    | 13 ⋄ 37         | Unsafe | 8.12    | 0.52 | 0.53    | 0.64
Test 4    | 13 ⋄ 37         | Unsafe | 7.81    | 0.55 | 42.38   | 0.39
Test 5    | 32 ⋄ 449        | Unsafe | 45.37   | 0.95 | 0.51    | 1.73
Test 6    | 32 ⋄ 449        | Unsafe | 25.63   | 0.75 | 0.46    | 8.24
Test 7    | 32 ⋄ 449        | Unsafe | 1m3.26  | 3.72 | 2.16    | 5.19
Test 8    | 32 ⋄ 449        | Unsafe | 1m10.64 | 4.18 | 2m11.86 | 3.95
Test 9    | 32 ⋄ 449        | Unsafe | 1m26.08 | 4.92 | 6m18.84 | 6.13
Test 10   | 32 ⋄ 449        | Unsafe | 27.14   | 0.35 | 0.53    | 2.65

SLIDE 37

Summary

For many benchmark problems, ASASP is the fastest tool
In many other cases, ASASP is close to the fastest tool
In some cases, ASASP is slower

◮ problems with a very particular structure

Scalability due to heuristics not discussed in this talk

Our approach: more flexible as can be extended to

◮ evolving ARBAC problems: ASASP is faster than the only other competitor (e.g., VAC heuristics cannot be adapted)
◮ temporal ARBAC problems: again, ASASP is faster than the only other competitor
◮ attribute-based ARBAC problems: ASASP is the only one capable of tackling these problems

SLIDE 38

Evolving ARBAC policies

  • S. Ranise and A. T. Truong. Incremental Analysis of Evolving Administrative Role Based Access Control Policies. Data and Applications Security and Privacy XXVIII - 28th Annual IFIP WG 11.3 Working Conference, DBSec 2014, pp. 260-275

Temporal ARBAC policies

  • S. Ranise, A. T. Truong, and A. Armando. Scalable and precise automated analysis of administrative temporal role-based access control. 19th ACM Symposium on Access Control Models and Technologies, SACMAT ’14, ACM, pp. 103-114

Attribute-based ARBAC policies

  • F. Alberti, A. Armando, and S. Ranise. Efficient symbolic automated analysis of administrative attribute-based RBAC-policies. 6th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2011, ACM, pp. 165-175

SLIDE 39

Conclusions

Successful re-use of mature model checking techniques for infinite state systems in security analysis
More systematic approach to benchmarking for comparing with other tools

Ongoing/Future work

◮ security sensitive workflow systems (business processes): both off-line and run-time verification ⇒ synthesis of run-time monitors
◮ towards practical re-use of available verification techniques for security ⇒ ALPS: intermediate language for security analysis problems
  Example: re-use of Groove to analyze access control policies in smart spaces

SLIDE 40

ALPS

  • S. Ranise and R. Traverso. ALPS: An Action Language for Policy Specification and Automated Safety Analysis. 10th International Workshop on Security and Trust Management, STM14, September 10-11, 2014. To appear in Springer LNCS.
