ACPT: A Tool for Modeling and Verifying Access Control Policies
JeeHyun Hwang (1), Tao Xie (1), Vincent Hu (2) and Mine Altunay (3)
(1) North Carolina State University
(2) National Institute of Standards and Technology
(3) Fermi National Laboratory
(Policy 2010)
Automated Software Engineering Research Group
Access Control Policy Mechanism
• Access control mechanisms control which subjects (such as users or processes) have access to which resources.
• Access control policies often combine multiple policies with a large number of rules.
• Misconfiguration and mistakes in access control policies lead to security problems.
[Figure: a request is evaluated against the policy and yields a response of Permit, Deny, or Not-applicable.]
Motivation
• Need to support correct policy modelling
– Various policy model templates (e.g., RBAC and MSL)
– Combining multiple policies
• Need to ensure the correct behaviours of policies
– Static verification: check whether properties are satisfied by a policy
• Confidence in policy correctness is dependent on the quality of the specified properties
– Dynamic verification: evaluate requests and check whether their evaluated decisions are correct
• Consider test effort and test effectiveness together
• Complements static verification
ACPT Features
ACPT is a tool for composing access control models (such as Rule Based and Multi-Level policy models)
• Helps specify policies, rules and properties through model templates
• Supports various policy combining algorithms (e.g., first applicable or permit-overrides)
• Generates an enforceable XACML policy
ACPT Features (cont.)
To ensure policy correctness, ACPT supports both static and dynamic verification of a policy
• Verifies policies against specified properties to detect violations using NuSMV [Cimatti et al. CAV 2002]
• Generates test inputs for testing the policy implementation
– Test inputs based on structural coverage [Martin et al. ICICS 2006]
– Test inputs based on combinatorial coverage [Hu et al. IJSEKE 2010]
ACPT Architecture
[Architecture diagram; its components and callouts:]
• Administrator: interacts with ACPT through the GUI
• GUI: allows specification of users, groups, attributes, roles, rules, policies, and resources
• AC Model Templates
• Data Acquisition: API/mechanism to consume/acquire external data related to policies (user, attribute, resource, role, etc. data)
• Policy Generator: generates enforceable policies as XACML (.xml)
• Static Verification: verifies access control policies
• Dynamic Verification: generates and evaluates test inputs based on structural or combinatorial coverage, producing test inputs with their evaluated decisions
Questions?
ACPT Demo
[Screenshot: property specification in ACPT]
Static Verification
Verifying the property against Policy A returns false, with a counterexample.
Static Verification (cont.)
Verifying the property against Policy B returns true.
Test Input Generation and Evaluation
XACML Generation