ACPT : A Tool for Modeling and Verifying Access Control Policies

JeeHyun Hwang (North Carolina State University), Tao Xie (North Carolina State University), Vincent Hu (National Institute of Standards and Technology) and Mine Altunay (Fermi National Laboratory). Presented at Policy 2010.


Transcript of ACPT : A Tool for Modeling and Verifying Access Control Policies

Page 1: ACPT : A Tool for Modeling and Verifying Access Control Policies


ACPT: A Tool for Modeling and Verifying Access Control Policies

JeeHyun Hwang1, Tao Xie1, Vincent Hu2 and Mine Altunay 3

North Carolina State University1

National Institute of Standards and Technology2

Fermi National Laboratory3

(Policy 2010)

Page 2: ACPT : A Tool for Modeling and Verifying Access Control Policies

Automated Software Engineering Research Group 2

Access Control Policy Mechanism

• Access control mechanisms control which subjects (such as users or processes) have access to which resources.

• Access control policies often combine multiple policies with a large number of rules.

• Misconfiguration and mistakes in access control policies lead to security problems.

[Diagram: Request → Policy → Response (Permit, Deny, or Not-applicable)]

Page 3: ACPT : A Tool for Modeling and Verifying Access Control Policies


Motivation

• Need to support correct policy modelling
  – Various policy model templates (e.g., RBAC and MSL)
  – Combining multiple policies

• Need to ensure the correct behaviours of policies
  – Static verification: check whether properties are satisfied by a policy
    • Confidence in policy correctness is dependent on the quality of the specified properties
  – Dynamic verification: evaluate requests and check whether their evaluated decisions are correct
    • Consider test effort and test effectiveness together
    • Complements static verification

Page 4: ACPT : A Tool for Modeling and Verifying Access Control Policies


ACPT Features

• Help specify policies, rules and properties through model templates

• Support various policy combining algorithms (e.g., first applicable or permit-overrides)

• Generate an enforceable XACML policy

ACPT is a tool for composing access control models (such as Rule Based and Multi-Level policy models)

Page 5: ACPT : A Tool for Modeling and Verifying Access Control Policies


ACPT Features (cont.)

• Verify policies against specified properties to detect violations using NuSMV [Cimatti et al. CAV 2002]

• Generate test inputs for testing of policy implementation
  – Test inputs based on structural coverage [Martin et al. ICICS 2006]
  – Test inputs based on combinatorial coverage [Hu et al. IJSEKE 2010]

To ensure policy correctness, ACPT supports both static and dynamic verification of a policy

Page 6: ACPT : A Tool for Modeling and Verifying Access Control Policies


ACPT Architecture

[Architecture diagram. Components and their annotations:]

• GUI – allows specification of users, groups, attributes, roles, rules, policies, and resources (used by the Administrator)
• AC Model Templates
• Data Acquisition – API/mechanism to consume/acquire external data related to policies (user, attribute, resource, role, etc. data)
• Policy Generator – generates enforceable XACML policies (.xml)
• Static Verification – verifies access control policies
• Dynamic Verification – generates and evaluates test inputs, based on structural or combinatorial coverage; outputs test inputs with their evaluated decisions

Page 7: ACPT : A Tool for Modeling and Verifying Access Control Policies


Questions?

Page 8: ACPT : A Tool for Modeling and Verifying Access Control Policies

ACPT Demo

[Screenshot: Property specification in ACPT]

Page 9: ACPT : A Tool for Modeling and Verifying Access Control Policies

Static Verification

[Screenshot] Verifying the property against Policy A returns false, with a counterexample.

Page 10: ACPT : A Tool for Modeling and Verifying Access Control Policies

Static Verification (cont.)

[Screenshot] Verifying the property against Policy B returns true.
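As an added example (not ACPT's own code), here is a small Python model of the ideas on these slides: rules with attribute targets, the first-applicable and permit-overrides combining algorithms from slide 4, and a property check that, like the demo on slides 9 and 10, returns either true or a counterexample. The attribute domains, rules and property are constructed for illustration; ACPT itself uses NuSMV model checking rather than this brute-force enumeration of the request space.

```python
from itertools import product

# Constructed attribute domains for a tiny request space (not from the slides).
SUBJECTS = ("student", "faculty")
RESOURCES = ("grades", "courseware")
ACTIONS = ("read", "write")

def matches(target, request):
    # A rule target is a dict of attribute=value constraints; {} matches everything.
    return all(request.get(k) == v for k, v in target.items())

def combine(algorithm, effects):
    """Fold the effects of all applicable rules per the combining algorithm."""
    if not effects:
        return "NotApplicable"
    if algorithm == "first-applicable":
        return effects[0]
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError(f"unknown combining algorithm: {algorithm}")

def evaluate(policy, request):
    """Return Permit, Deny or NotApplicable for one request."""
    algorithm, rules = policy
    return combine(algorithm, [eff for tgt, eff in rules if matches(tgt, request)])

def verify(policy, prop):
    """Static check by exhaustive enumeration of the request space:
    (True, None) if prop holds everywhere, else (False, counterexample)."""
    for subject, resource, action in product(SUBJECTS, RESOURCES, ACTIONS):
        request = {"subject": subject, "resource": resource, "action": action}
        decision = evaluate(policy, request)
        if not prop(request, decision):
            return False, (request, decision)
    return True, None

# Constructed rules: a broad Permit for students on grades, a Deny on writing
# grades, and a catch-all Deny. Rule order matters only for first-applicable.
RULES = [
    ({"subject": "student", "resource": "grades"}, "Permit"),
    ({"resource": "grades", "action": "write"}, "Deny"),
    ({}, "Deny"),
]
POLICY_A = ("first-applicable", RULES)                            # broad Permit seen first
POLICY_B = ("first-applicable", [RULES[1], RULES[0], RULES[2]])   # Deny on write seen first
POLICY_C = ("permit-overrides", RULES)                            # any Permit wins

def no_student_grade_write(request, decision):
    """Property: a student is never permitted to write grades."""
    return not (request["subject"] == "student" and request["resource"] == "grades"
                and request["action"] == "write" and decision == "Permit")
```

Running `verify` on POLICY_A and POLICY_C yields the student/grades/write request as a counterexample, while POLICY_B satisfies the property, showing that both rule order and the combining algorithm determine whether a property holds.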

Page 11: ACPT : A Tool for Modeling and Verifying Access Control Policies


Test Input Generation and Evaluation

Page 12: ACPT : A Tool for Modeling and Verifying Access Control Policies


XACML Generation