Validating SGAC Access Control Policies with Alloy and ProB (Université de Sherbrooke) - PowerPoint PPT Presentation


SLIDE 1

Validating SGAC Access Control Policies with Alloy and ProB

Nghi Huynh, Marc Frappier, Amel Mammar and Régine Laleau
FA 2018, April 30th

UNIVERSITÉ DE SHERBROOKE

SLIDE 2

1. Introduction
2. SGAC
3. Formalization
4. Automated verification
5. Conclusion

Nghi Huynh, Marc Frappier, Amel Mammar and Régine Laleau. SGAC policy verification using Alloy and ProB. 2 / 20

SLIDE 3

Motivation

Consent management in electronic health records at the Hospital of Université de Sherbrooke (CHUS) in Québec, Canada.

Two major stakes in access control (healthcare):
1) patient privacy → consent
2) patient safety → ???????

SLIDE 4

Presentation of SGAC

SGAC = Automated Consent Management System, designed to meet CHUS requirements. Features:
- hierarchy among users;
- hierarchy among data;
- explicit prohibitions;
- automated conflict resolution.

SLIDE 5

Example

[Figure: example policy with rules r1 to r4; the image is not included in this extraction.]

SLIDE 6

Conflict Resolution Strategy

ra has precedence over rb iff:

1. ra's priority value is lower;
   ex: r2 has precedence over r3.
2. same priority and ra's subject is more specific;
   ex: r1 has precedence over r2.
3. same priority and incomparable subjects, and ra.m = − and rb.m = + (a prohibition beats a permission);
   ex: r1 has precedence over r4.


SLIDE 10

Properties

The properties we want to check are:
- access: can health worker W have access to the document D?
- ineffective rule detection: which rules are never taken into account when evaluating a request?
- important hidden data detection: are there important data that are unreachable by any health worker?
- granting context detection: in which contexts is a given request granted?

SLIDE 11

Formalization

Huynh et al., SGAC: A patient-centered access control method (RCIS'16).

SLIDE 12

Rule ordering

ra has precedence over rb iff:

1. ra's priority value is lower;
   ex: r2 has precedence over r3.
2. same priority and ra's subject is more specific;
   ex: r1 has precedence over r2.
3. same priority and incomparable subjects, and ra.m = − and rb.m = +;
   ex: r1 has precedence over r4.

Two steps:
- introduction of '≺': ordering by priority and subject specificity (phases 1 and 2);
- introduction of '<': final ordering (phase 3).

SLIDE 13

Why two steps? Only the maximal elements of ≺ must be compared on their modality.

ex: without the maximal-element condition we would get r1 < r2, r3 < r4, r2 < r3 and r4 < r1, i.e. a cycle in the ordering.

SLIDE 14

Request Evaluation

In order to evaluate a request in a given context:

1. we select all the rules applicable to the request;
2. we order the applicable rules;
3. we analyse the graph made of the ordered rules: the sinks of the graph determine the result of the request.
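The following Python script is an added example, not the authors' Alloy or B models, that puts the three-step evaluation above together with the conflict resolution strategy (slides 6 and 12), the maximal-element condition of slide 13 and the four properties of slide 10. Everything in it is constructed for illustration: the user and data hierarchies, the rule set (shaped after the r1 to r4 examples of slide 6 and the cycle of slide 13), the encoding of contexts as sets of labels with rule conditions as required labels, the convention that the sinks are the rules no other rule has precedence over, the decision rule "granted iff every sink is a permission", and the reading of "ineffective" as "never among the sinks of any request". None of these encodings are stated on the slides.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    name: str
    subject: str       # node of the user hierarchy
    resource: str      # node of the data hierarchy
    modality: str      # '+' permission, '-' prohibition
    priority: int      # lower value wins (phase 1)
    condition: frozenset = frozenset()  # context labels the rule requires (assumed encoding)

# Constructed sample hierarchies (child -> parents, a DAG), workers, documents, contexts.
USERS = {"alice": ["oncologist", "oncall"], "bob": ["oncall"], "dana": ["oncologist", "triage"],
         "oncologist": ["physician"], "triage": ["oncall"], "physician": ["staff"], "oncall": ["staff"]}
DATA = {"note1": ["oncology"], "oncology": ["record"], "labs": ["record"], "archive": []}
WORKERS, DOCUMENTS = ["alice", "bob"], ["note1", "labs", "archive"]
CONTEXTS = [frozenset(), frozenset({"emergency"})]
# Shaped like the slide-6 example: r2 beats r3 (priority), r1 beats r2 (more specific
# subject), r1 beats r4 (incomparable subjects, prohibition over permission).
RULES = [Rule("r1", "oncologist", "record", "-", 1), Rule("r2", "physician", "record", "+", 1),
         Rule("r3", "physician", "record", "-", 2), Rule("r4", "oncall", "record", "+", 1),
         Rule("r5", "alice", "note1", "+", 0, frozenset({"emergency"}))]
# Shaped like the slide-13 example: comparing every pair in phase 3 yields a cycle.
CYCLE_RULES = [Rule("q1", "oncologist", "record", "+", 1), Rule("q2", "physician", "record", "-", 1),
               Rule("q3", "triage", "record", "+", 1), Rule("q4", "oncall", "record", "-", 1)]

def ancestors(node, parents):
    """The node itself plus everything reachable upward through `parents`."""
    seen, todo = set(), [node]
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo.extend(parents.get(n, ()))
    return seen

def more_specific(a, b, parents):
    """True when a lies strictly below b in the hierarchy."""
    return a != b and b in ancestors(a, parents)

def applicable(rules, requester, document, context):
    """Step 1: rules covering the request whose condition holds in the context."""
    return [r for r in rules if r.subject in ancestors(requester, USERS)
            and r.resource in ancestors(document, DATA) and r.condition <= context]

def pre_order(rules):
    """Phases 1-2, the '≺' relation: (ra, rb) means ra has precedence over rb."""
    return {(ra, rb) for ra, rb in product(rules, repeat=2) if ra is not rb
            and (ra.priority < rb.priority or (ra.priority == rb.priority
                 and more_specific(ra.subject, rb.subject, USERS)))}

def final_order(rules, maximal_only=True):
    """Phase 3, the '<' relation: among the maximal elements of '≺', a prohibition
    beats a permission whose subject is incomparable with its own.  maximal_only=False
    compares every pair instead, the variant that can produce cycles."""
    rel = pre_order(rules)
    preceded = {rb for _, rb in rel}
    pool = [r for r in rules if not maximal_only or r not in preceded]
    for ra, rb in product(pool, repeat=2):
        if ((ra.modality, rb.modality) == ("-", "+") and ra.priority == rb.priority
                and ra.subject != rb.subject
                and not more_specific(ra.subject, rb.subject, USERS)
                and not more_specific(rb.subject, ra.subject, USERS)):
            rel.add((ra, rb))
    return rel

def has_cycle(rel):
    """Depth-first cycle check over the precedence pairs."""
    succ, state = {}, {}
    for a, b in rel:
        succ.setdefault(a, []).append(b)
    def visit(n):
        if n in state:
            return state[n] == "open"
        state[n] = "open"
        found = any(visit(m) for m in succ.get(n, ()))
        state[n] = "done"
        return found
    return any(visit(n) for n in list(succ))

def evaluate(rules, requester, document, context):
    """Steps 2-3: order the applicable rules; the sinks are the rules that no other
    rule has precedence over.  Assumed decision: grant iff there is at least one
    sink and every sink is a permission."""
    app = applicable(rules, requester, document, context)
    preceded = {rb for _, rb in final_order(app)}
    sinks = [r for r in app if r not in preceded]
    return bool(sinks) and all(r.modality == "+" for r in sinks), sinks

# The properties of slide 10 by brute-force enumeration; 'ineffective' is read as
# 'never among the sinks of any request in any context' (an assumption).
def granting_contexts(rules, requester, document, contexts):
    return [c for c in contexts if evaluate(rules, requester, document, c)[0]]

def hidden_documents(rules, workers, documents, contexts):
    return [d for d in documents
            if not any(evaluate(rules, w, d, c)[0] for w, c in product(workers, contexts))]

def ineffective_rules(rules, workers, documents, contexts):
    used = {r for w, d, c in product(workers, documents, contexts)
            for r in evaluate(rules, w, d, c)[1]}
    return [r for r in rules if r not in used]
```

With these rules, `evaluate(RULES, "alice", "note1", frozenset())` denies the request because r1 is the only sink, while the emergency context makes r5 the sink and grants it; `ineffective_rules` reports r2 and r3, which never survive the ordering for any worker here; and `final_order(CYCLE_RULES, maximal_only=False)` reproduces the q1 < q2 < q3 < q4 < q1 cycle that the maximal-element condition of slide 13 avoids. The enumeration is exponential in the number of workers, documents and contexts, which is exactly the burden the slides hand to ProB's constraint solver.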

SLIDE 15

Automated verification

We use tools based on first-order logic: Alloy and ProB.

Alloy: a model finder that offers a graphical interface and an evaluator, both very useful for debugging and for understanding counter-examples.

ProB: a model checker and animator for the B method. Its constraint-solving capability allows it to do model finding.

SLIDE 16

Let's get started: simplifications first!

In order to conduct tractable verification with the tools, we have to make some adjustments:
- reduce the size of the graphs: verification is done for each patient, thus the resource graph can be cut;
- ignore the actions: the approach taken for each action is the same;
- reduce the computational burden: with the current approach, a graph is built for each context+request → 1 request = 1 graph.

SLIDE 17

Alloy

Difficulty: Alloy cannot handle the number of requests (|PERSON × DOCUMENTS|).

Solution: explicitly define one request at a time. The other requests also target persons and documents but are left undetermined.

Results: Alloy can conduct the verification, but some properties cannot be directly verified.

SLIDE 18

ProB

Difficulty: ProB does not manage to process and order the rules for all the requests.

Solution: program and guide the order in which the variables are computed, e.g. process ≺ and < successively and separately.

Results: ProB finally manages to order the rules, and this solution provides a way to further reduce the processing time.

SLIDE 19

ProB

Difficulty: how can the properties be encoded efficiently?

Solution: properties are encoded as operations of each machine. For instance, access(req, con):
- precondition: the arguments req and con are a request and a context;
- postcondition: the result of req within the context con.

Results: verification is done for all possible combinations; all properties are verified in a single run.

SLIDE 20

Performance Test

Process: fix all parameters except one, which is varied. For each configuration (number of vertices, of rules, of contexts):

1. generate random graphs and random rules;
2. for each graph, pick random requests;
3. for each request:
   - check the access property in random contexts;
   - detect the granting contexts;
   - detect hidden documents;
   - detect ineffective rules.

SLIDE 21

[Plot: solving time (seconds) for Alloy and ProB as the number of vertices varies; 13 rules, 10 contexts: linear processing time]

[Plot: solving time (seconds) for Alloy and ProB as the number of rules varies; 100 vertices, 30 contexts: exponential processing time]

[Plot: solving time (seconds) for Alloy and ProB as the number of contexts varies; 30 vertices, 12 rules: quasi-constant processing time]

SLIDE 22

Conclusion

- ProB outperforms Alloy thanks to the ability to 'program' how the computations are done.
- Automated verification in real cases can be conducted (offline) with ProB: 300 vertices, 160 rules, 100 contexts with 200 requests in about 15 minutes with ProB.
- Alloy is better than ProB at brute force in several cases, but it is insufficient here; a similar ability to program the model finding is needed in Alloy:
  - integrate αRuby in Alloy.

SLIDE 23

Questions

Thanks for your attention!