Access Control Policies: Modeling and Validation
Luigi Logrippo & Mahdi Mankai
Université du Québec en Outaouais
Overview
• Introduction
• XACML overview
• A Logical Model of XACML
• Modeling with Alloy
• Access Control Verification and Validation
• Related Work
• Conclusion
Introduction
• Access control policy languages
  – XACML
  – EPAL
  – PONDER
  – …
• Possible inconsistencies within policies
• How to solve inconsistencies at execution time
  – Precedence rules
  – Priorities
• How to detect inconsistencies at design time
  – First-order logic
  – Model-checking tools
An example
• A policy
  1. A professor can read or modify the file of course marks
  2. A student can read the file of course marks
  3. A student cannot modify the file of course marks
• Question:
  – A subject that is both student and professor wants to modify the file of course marks
  – Will his request be accepted or refused?
• Users and administrators should know about these potential inconsistencies to avoid security leaks, denial of service and unauthorized access
XACML overview
• eXtensible Access Control Markup Language: an OASIS standard
• Architecture, policies and messages
[Figure: architecture with the Policy Enforcement Point and the Policy Decision Point]
XACML Request
XACML Structures
• A syntax based on XML to define Access Control
  – Rules
  – Policies
  – Policy sets
[Figure: a PolicySet containing Policy 1 (Rule 11, Rule 12, Rule 13) and Policy 2 (Rule 21, Rule 22, Rule 23)]
Targets and Conditions
• Not all policies are applied to a request
• Targets define the applicability of policy sets, policies and rules
• Conditions are additional and more complex filters
[Figure: a Request, Policy1 (Rule 1 … Rule N) and Policy2 (Rule 1 … Rule N)]
Rules
• Rule
  – Rule Target
  – Effect
  – Condition (optional)
(Luigi): I am not sure what this means...
Targets
• A policy
  1. A professor can read or modify the file of course marks
  2. A student can read the file of course marks
  3. A student cannot modify the file of course marks
• Rule 2 is applied when (target)
  – Subject’s role is “student”
  – Resource’s name is “course marks”
  – Action’s name is “read”
• Request: a student, Bob, wants to read the file of course marks
  – Rule 2 is applied, but neither Rule 1 nor Rule 3
Target
[Figure: a target with its subject, resource and action parts]
Combining Algorithms
• Mechanisms to resolve conflicts online
• Example:
  – Bob is a PhD student and an assistant professor,
  – he wants to modify the file of course marks
• Permit-overrides: Permit
• Deny-overrides: Deny
• First-applicable: Permit (Rule 1 appears before Rule 3 in an XML file)
• Only-one-applicable: Indeterminate (Error)
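
The four outcomes on this slide can be reproduced with a small evaluator. This is an added Python example, not code from the presentation: the rule encoding, the `evaluate` and `combine` names and the request dictionary are assumptions, and evaluation errors (the other source of Indeterminate) are not modelled.

```python
from collections import namedtuple

# Constructed encoding of the slide's three rules, kept in document order.
Rule = namedtuple("Rule", "name role actions resource effect")
RULES = [
    Rule("Rule1", "professor", {"read", "modify"}, "course marks", "Permit"),
    Rule("Rule2", "student", {"read"}, "course marks", "Permit"),
    Rule("Rule3", "student", {"modify"}, "course marks", "Deny"),
]

def evaluate(rule, request):
    """Return the rule's effect if its target matches, else NotApplicable."""
    matches = (rule.role in request["roles"]
               and request["action"] in rule.actions
               and request["resource"] == rule.resource)
    return rule.effect if matches else "NotApplicable"

def combine(algorithm, rules, request):
    """Resolve the individual rule responses into one decision."""
    applicable = [d for d in (evaluate(r, request) for r in rules)
                  if d != "NotApplicable"]
    if not applicable:
        return "NotApplicable"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in applicable else "Deny"
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in applicable else "Permit"
    if algorithm == "first-applicable":
        return applicable[0]          # depends on rule order
    if algorithm == "only-one-applicable":
        # Applied at the rule level here, as the slide does.
        return applicable[0] if len(applicable) == 1 else "Indeterminate"
    raise ValueError("unknown combining algorithm: " + algorithm)

# Bob holds both roles and asks to modify the marks file.
BOB = {"roles": {"student", "professor"}, "action": "modify",
       "resource": "course marks"}

if __name__ == "__main__":
    for alg in ("permit-overrides", "deny-overrides",
                "first-applicable", "only-one-applicable"):
        print(alg, "->", combine(alg, RULES, BOB))
```

Reversing the order of `RULES` changes the first-applicable result to Deny, which is why rule order in the policy file is itself security-relevant.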
A Logical Model of XACML
• Use of sets, relations and functions
• Structures and constraints
• Use of Alloy syntax
• Alloy
  – Modeling language
  – Analyzer tool
  – Relational first-order logic
Alloy
• Structural
  – Signature
  – Relation
• Declarative
  – first-order logic
  – facts, predicates, functions, and assertions
• Analyzable
  – Simulation and automatic verification
  – run predicate
  – check assertion
Examples: Request
Sets
Relations
Basic structures
Inheritance as subsetting
Structures
Explain colors
Constraints
• Use of functions and predicates
• First-order logic
Constraints
• A predicate that evaluates a request against a target to check whether the target matches the request
Constraints
• A function that returns the response of a given rule regarding a given request
Combining Algorithms
Verification and Validation
• Check properties
• Use of predicates and assertions
• Examples
  1. An example of a rule returning a permit response regarding a specific request → an example?
  2. Inconsistency: different rules within the same policy return different decisions (permit and deny) → an example?
  3. Access should always be granted to a professor requesting modification → a counterexample?
Access Control Policy
– Rule1:
  • A professor can read or modify the file of course marks
– Rule2:
  • A student can read the file of course marks
– Rule3:
  • A student cannot modify the file of course marks
Example 1
• An example of a rule returning a permit response regarding a specific request
Example 1
• Rule2 is applied and returns a permit when a student requests read access to the course marks file
Example 2
• Inconsistency: different rules within the same policy return different decisions (permit and deny)
Example 2
• Both rule1 and rule3 are applied when
  – a subject with both professor and student roles tries to modify the file of course marks
  – rule1's response is permit
  – rule3's response is deny
Example 3
• Access should always be granted to a professor (and not student) requesting modification
• Alloy doesn't find any solution
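
The three checks above can be mimicked without Alloy by enumerating every request in a small scope, which is the idea behind a bounded analysis. This is an added Python example, not the authors' Alloy model: the tuple encoding, the function names and the rule-level reading of "access is granted" (every applicable rule permits) are assumptions.

```python
from itertools import combinations, product

# Constructed scope: every non-empty role set, action and resource of the example.
ROLES = ("professor", "student")
ACTIONS = ("read", "modify")
RESOURCES = ("course marks",)

# (name, role, actions, resource, effect) for the three rules of the policy.
POLICY = [
    ("Rule1", "professor", {"read", "modify"}, "course marks", "Permit"),
    ("Rule2", "student", {"read"}, "course marks", "Permit"),
    ("Rule3", "student", {"modify"}, "course marks", "Deny"),
]

def responses(roles, action, resource):
    """Example 1: map each rule whose target matches the request to its effect."""
    return {name: effect for name, role, actions, res, effect in POLICY
            if role in roles and action in actions and resource == res}

def all_requests():
    role_sets = [frozenset(c) for n in range(1, len(ROLES) + 1)
                 for c in combinations(ROLES, n)]
    return list(product(role_sets, ACTIONS, RESOURCES))

def find_inconsistencies():
    """Example 2: requests on which rules of the policy both permit and deny."""
    found = []
    for req in all_requests():
        resp = responses(*req)
        if {"Permit", "Deny"} <= set(resp.values()):
            found.append((req, resp))
    return found

def counterexamples(exclude_students):
    """Example 3: professors asking to modify whom some rule fails to permit."""
    bad = []
    for roles, action, resource in all_requests():
        if action != "modify" or "professor" not in roles:
            continue
        if exclude_students and "student" in roles:
            continue
        if set(responses(roles, action, resource).values()) != {"Permit"}:
            bad.append(roles)
    return bad

if __name__ == "__main__":
    print(find_inconsistencies())
    print(counterexamples(True), counterexamples(False))
```

With students excluded the search finds no counterexample, matching the slide; without that restriction the dual-role subject of Example 2 is the counterexample.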
Related work
• MTBDDs to verify XACML policies
• Conflict detection tools for PONDER
• RW verification XACML
• Other logical approaches
Conclusion
• XACML validation and verification using model-checking and first-order logic
• Only a subset of XACML was covered
• A translation tool for transforming XACML policies to Alloy specifications
Future work
• GUI to permit clear visualization of XACML rules
  – More intuitive syntax than XACML
• GUI to permit editing XACML
  – Without touching XACML code directly
• GUI to display the results of the analysis in user-friendly format
  – Immediately after editing