Vincent C. Hu,D. Richard Kuhn,Tao Xie

DOI: https://doi.org/10.1109/euc.2008.22

2008-01-01

Abstract:To formally and precisely capture the security properties that access control should adhere to, access control models are usually written to bridge the rather wide gap in abstraction between policies and mechanisms. In this paper, we propose a new general approach for property verification for access control models. The approach defines a standardized structure for access control models, providing for both property verification and automated generation of test cases. The approach expresses access control models in the specification language of a model checker and expresses generic access control properties in the property language. Then the approach uses the model checker to verify these properties for the access control models and generates test cases via combinatorial covering array for the system implementations of the models.

JeeHyun Hwang,Tao Xie,Vincent Hu,Mine Altunay

DOI: https://doi.org/10.1109/POLICY.2010.22

2010-01-01

Abstract:Access control mechanisms are a widely adopted technology for information security. Since access decisions (i.e., permit or deny) on requests are dependent on access control policies, ensuring the correct modeling and implementation of access control policies is crucial for adopting access control mechanisms. To address this issue, we develop a tool, called ACPT (Access Control Policy Testing), that helps to model and implement policies correctly during policy modeling, implementation, and verification.

Vincent C. Hu,Evan Martin,JeeHyun Hwang,Tao Xie

DOI: https://doi.org/10.1109/compsac.2007.96

2007-01-01

Abstract:Access control is one of the most fundamental and widely used security mechanisms. Access control mechanisms control which principals such as users or processes have access to which resources in a system. To facilitate managing and maintaining access control, access control policies are increasingly written in specification languages such as XACML. The specification of access control policies itself is often a challenging problem. Furthermore, XACML is intentionally designed to be generic: it provides the freedom in describing access control policies, which are well-known or invented ones. But the flexibility and expressiveness provided by XACML come at the cost of complexity, verbosity, and lack of desirable-property enforcement. Often common properties for specific access control policies may not be satisfied when these policies are specified in XACML, causing the discrepancy between what the policy authors intend to specify and what the actually specified XACML policies reflect. In this position paper, we propose an approach for conducting conformance checking of access control policies specified in XACML based on existing verification and testing tools for XACML policies.

Vincent C. Hu,D. Richard Kuhn,Tao Xie,Jeehyun Hwang

DOI: https://doi.org/10.1142/s021819401100513x

IF: 1.007

2011-01-01

International Journal of Software Engineering and Knowledge Engineering

Abstract:Mandatory access control (MAC) mechanisms control which users or processes have access to which resources in a system. MAC policies are increasingly specified to facilitate managing and maintaining access control. However, the correct specification of the policies is a very challenging problem. To formally and precisely capture the security properties that MAC should adhere to, MAC models are usually written to bridge the rather wide gap in abstraction between policies and mechanisms. In this paper, we propose a general approach for property verification for MAC models. The approach defines a standardized structure for MAC models, providing for both property verification and automated generation of test cases. The approach expresses MAC models in the specification language of a model checker and expresses generic access control properties in the property language. Then the approach uses the model checker to verify the integrity, coverage, and confinement of these properties for the MAC models and finally generates test cases via combinatorial covering array for the system implementations of the models.

Antonios Gouglidis,Anna Kagia,Vincent C. Hu

DOI: https://doi.org/10.48550/arXiv.2303.16688

2023-03-29

Abstract:Authoring access control policies is challenging and prone to misconfigurations. Access control policies must be conflict-free. Hence, administrators should identify discrepancies between policy specifications and their intended function to avoid violating security principles. This paper aims to demonstrate how to formally verify access control policies. Model checking is used to verify access control properties against policies supported by an access control model. The authors consider Google's Cloud Identity and Access Management (IAM) as a case study and follow NIST's guidelines to verify access control policies automatically. Automated verification using model checking can serve as a valuable tool and assist administrators in assessing the correctness of access control policies. This enables checking violations against security principles and performing security assessments of policies for compliance purposes. The authors demonstrate how to define Google's IAM underlying role-based access control (RBAC) model, specify its supported policies, and formally verify a set of properties through three examples.

Cryptography and Security

Lianshan Sun,Gang Huang,Hong Mei

DOI: https://doi.org/10.1007/978-3-540-87891-9_5

2008-01-01

Abstract:Access control is a means to achieve information security. When we build large-scale systems based on commercial component middleware platforms, such as those compliant to J2EE, a usual way to enforce access control is to define Access Control Configurations (ACCs) for components in a declarative manner. These ACCs can be enforced by the J2EE security service to grant or deny access requests to components. However, it is difficult for the developers to define correct ACCs according to complex and sometimes ambiguous real-world access control requirements. Faults of ACCs in large-scale J2EE applications may inevitably occur due to various reasons, for example ad hoc mistakes of the developers. This paper identifies three kinds of faults specific to ACCs of J2EE applications as incompleteness, inconsistency, and redundancy, presents validation algorithms for identifying these faults according to access control requirements, illustrates these faults and the validation algorithms with an online bank application.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ebiss.2009.5138002

2009-01-01

Abstract:Access control becomes more and more essential for safe and security access to the system resources. Role based access control policy widely used in industry enterprise systems nowadays is a statement which specifies the rules about how to setup the process for granting or denying authorizations. It is extremely important to make sure that there is no inconsistency of an access control policy, since otherwise it may conceal the security danger or even break down the entire access control system. In this paper, we analyze the inconsistencies of role based access control policy, and give the formal definition for the inconsistency. We then propose an inconsistency checking algorithm to detect the inconsistencies of a role based access control policy.

Francesco Restuccia,Andres Meza,Ryan Kastner

DOI: https://doi.org/10.48550/arXiv.2106.13263

2021-06-25

Abstract:Modern systems on a chip (SoCs) utilize heterogeneous architectures where multiple IP cores have concurrent access to on-chip shared resources. In security-critical applications, IP cores have different privilege levels for accessing shared resources, which must be regulated by an access control system. AKER is a design and verification framework for SoC access control. AKER builds upon the Access Control Wrapper (ACW) -- a high performance and easy-to-integrate hardware module that dynamically manages access to shared resources. To build an SoC access control system, AKER distributes the ACWs throughout the SoC, wrapping controller IP cores, and configuring the ACWs to perform local access control. To ensure the access control system is functioning correctly and securely, AKER provides a property-driven security verification using MITRE common weakness enumerations. AKER verifies the SoC access control at the IP level to ensure the absence of bugs in the functionalities of the ACW module, at the firmware level to confirm the secure operation of the ACW when integrated with a hardware root-of-trust (HRoT), and at the system level to evaluate security threats due to the interactions among shared resources. The performance, resource usage, and security of access control systems implemented through AKER is experimentally evaluated on a Xilinx UltraScale+ programmable SoC, it is integrated with the OpenTitan hardware root-of-trust, and it is used to design an access control system for the OpenPULP multicore architecture.

Cryptography and Security,Hardware Architecture

Jason Crampton,Charles Morisset

DOI: https://doi.org/10.48550/arXiv.1204.2342

2014-07-31

Abstract:There have been many proposals for access control models and authorization policy languages, which are used to inform the design of access control systems. Most, if not all, of these proposals impose restrictions on the implementation of access control systems, thereby limiting the type of authorization requests that can be processed or the structure of the authorization policies that can be specified. In this paper, we develop a formal characterization of the features of an access control model that imposes few restrictions of this nature. Our characterization is intended to be a generic framework for access control, from which we may derive access control models and reason about the properties of those models. In this paper, we consider the properties of monotonicity and completeness, the first being particularly important for attribute-based access control systems. XACML, an XML-based language and architecture for attribute-based access control, is neither monotonic nor complete. Using our framework, we define attribute-based access control models, in the style of XACML, that are, respectively, monotonic and complete.

Cryptography and Security,Logic in Computer Science

DING Hongda,ZENG Qingkai,BAO Bixian

DOI: https://doi.org/10.3969/j.issn.1000-3428.2007.01.056

2007-01-01

Abstract:Test and validation of access control is a crucial part of the security evaluation of the system.A testing approach by extending GFAC is proposed,automatically to test the access control service according to requirements of security evaluation based on common criteria.The implementation of testing on Linux+RSBAC demonstrates the approach available.

Lianshan Sun,Gang Huang

DOI: https://doi.org/10.1016/j.sysarc.2010.11.001

IF: 5.836

2011-01-01

Journal of Systems Architecture

Abstract:Access control is a common concern in most software applications. In component-based systems, although developers can implement access control requirements (ACRs) by simply declaring role-based access control configurations (ACCs) of components, it is still difficult for them to define and evolve ACCs accurately implementing ACRs due to the gap between the complex high-level ACRs and the voluminous ACCs enforced by underlying middleware platforms, and the ad hoc mistakes of human. This paper introduces and clarifies the concept of accuracy of ACCs relative to ACRs, and presents a set of metrics and algorithms which can be used to automatically evaluate and improve accuracy of ACCs by evaluating and reconfiguring the software architecture with ACCs. We apply our achievements in a composed e-shop application.

Bingyu Shen

DOI: https://doi.org/10.48550/arXiv.2304.07704

2023-04-16

Cryptography and Security

Abstract:Access control mechanisms have been adopted in many real-world systems to control resource sharing for the principals in the system. An error in the access control policy (misconfiguration) can easily cause severe data leakage and system exploitation. Researchers have developed several methodologies to detect the access control misconfigurations through data mining, testing, and verification for various applications. This survey will study the line of works to detect access control misconfigurations and discuss some future research directions.

Evan Martin,JeeHyun Hwang,Tao Xie,Vincent Hu

DOI: https://doi.org/10.1109/acsac.2008.48

2008-01-01

Abstract:Access control policies are often specified in declarative languages. In this paper, we propose a novel approach, called mutation verification, to assess the quality of properties specified for a policy and, in doing so, the quality of the verification itself. In our approach, given a policy and a set of properties, we first mutate the policy to generate various mutant policies, each with a single seeded fault. We then verify whether the properties hold for each mutant policy. If the properties still hold for a given mutant policy, then the quality of these properties is determined to be insufficient in guarding against the seeded fault, indicating that more properties are needed to augment the existing set of properties to provide higher confidence of the policy correctness. We have implemented Mutaver, a mutation verification tool for XACML, and applied it to policies and properties from a real-world software system.

Yvo Desmedt,Arash Shaghaghi

DOI: https://doi.org/10.48550/arXiv.1609.04514

2016-09-15

Abstract:Security researchers have stated that the core concept behind current implementations of access control predates the Internet. These assertions are made to pinpoint that there is a foundational gap in this field, and one should consider revisiting the concepts from the ground up. Moreover, Insider threats, which are an increasing threat vector against organizations are also associated with the failure of access control. Access control models derived from access control matrix encompass three sets of entities, Subjects, Objects and Operations. Typically, objects are considered to be files and operations are regarded as Read, Write, and Execute. This implies an `open sesame' approach when granting access to data, i.e. once access is granted, there is no restriction on command executions. Inspired by Functional Encryption, we propose applying access authorizations at a much finer granularity, but instead of an ad-hoc or computationally hard cryptographic approach, we postulate a foundational transformation to access control. From an abstract viewpoint, we suggest storing access authorizations as a three-dimensional tensor, which we call Access Control Tensor (ACT). In Function-based Access Control (FBAC), applications do not give blind folded execution right and can only invoke commands that have been authorized for data segments. In other words, one might be authorized to use a certain command on one object, while being forbidden to use exactly the same command on another object. The theoretical foundations of FBAC are presented along with Policy, Enforcement and Implementation (PEI) requirements of it. A critical analysis of the advantages of deploying FBAC, how it will result in developing a new generation of applications, and compatibility with existing models and systems is also included. Finally, a proof of concept implementation of FBAC is presented.

Cryptography and Security

Michael Benedikt,Pierre Bourhis,Clemens Ley

DOI: https://doi.org/10.48550/arXiv.1203.6403

2012-03-29

Databases

Abstract:We study verification of systems whose transitions consist of accesses to a Web-based data-source. An access is a lookup on a relation within a relational database, fixing values for a set of positions in the relation. For example, a transition can represent access to a Web form, where the user is restricted to filling in values for a particular set of fields. We look at verifying properties of a schema describing the possible accesses of such a system. We present a language where one can describe the properties of an access path, and also specify additional restrictions on accesses that are enforced by the schema. Our main property language, AccLTL, is based on a first-order extension of linear-time temporal logic, interpreting access paths as sequences of relational structures. We also present a lower-level automaton model, Aautomata, which AccLTL specifications can compile into. We show that AccLTL and A-automata can express static analysis problems related to "querying with limited access patterns" that have been studied in the database literature in the past, such as whether an access is relevant to answering a query, and whether two queries are equivalent in the accessible data they can return. We prove decidability and complexity results for several restrictions and variants of AccLTL, and explain which properties of paths can be expressed in each restriction.

Tanjila Mawla,Maanak Gupta,Ravi Sandhu

DOI: https://doi.org/10.1145/3532105.3535017

2022-05-18

Abstract:Cyber physical ecosystem connects different intelligent devices over heterogeneous networks. Various operations are performed on smart objects to ensure efficiency and to support automation in smart environments. An Activity (defined by Gupta and Sandhu) reflects the current state of an object, which changes in response to requested operations. Due to multiple running activities on different objects, it is critical to secure collaborative systems considering run-time decisions impacted due to related activities (and other parameters) supporting active enforcement of access control decision. Recently, Gupta and Sandhu proposed Activity-Centric Access Control (ACAC) and discussed the notion of activity as a prime abstraction for access control in collaborative systems. The model provides an active security approach that considers activity decision factors such as authorizations, obligations, conditions, and dependencies among related device activities. This paper takes a step forward and presents the core components of an ACAC model and compares with other security models differentiating novel properties of ACAC. We highlight how existing models do not (or in limited scope) support `active' decision and enforcement of authorization in collaborative systems. We propose a hierarchical structure for a family of ACAC models by gradually adding the properties related to notion of activity and discuss states of an activity. We highlight the convergence of ACAC with Zero Trust tenets to reflect how ACAC supports necessary security posture of distributed and connected smart ecosystems. This paper aims to gain a better understanding of ACAC in collaborative systems supporting novel abstractions, properties and requirements.

Cryptography and Security,Systems and Control

JeeHyun Hwang,Evan Martin,Tao Xie,Vincent C Hu

2010-01-01

Abstract:As software systems become more and more complex, and are deployed to manage a large amount of sensitive information and resources, specifying and managing correct access control policies is critical and yet challenging. Policy testing is an important means to increasing confidence in the correctness of specified policies and their implementations for access control. There are two types of policy testing. In the first type, the artifacts under test are policy specifications and the main testing goal is to assure the correctness of the policy specifications. In the second type, the artifacts under test are policy implementations and the main testing goal is to assure the conformance between the policy specifications and implementations. Both types of policy testing supply typical test inputs (requests) to the artifacts under test and subsequently check test outputs (responses) against expected ones. This article presents recent approaches on policy testing in five main categories: fault models, testing criteria, test generation, test oracles, and model-based testing.

Litian Xiao,Mengyuan Li,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/icsess.2014.6933545

2014-01-01

Abstract:The correctness verification of embedded control software has become an important research topic in embedded system field. The paper analyses the present situation on correctness verification of control software as well as the limitations of existing technologies. In order to the high reliability and high security requirements of control software, the paper proposes a hierarchical framework and architecture of control software (PLC program) verification. The framework combines the technologies of testing, model checking and theorem proving. The paper introduces the construction, flow and key elements of the architecture.

Jason Crampton,James Sellwood

DOI: https://doi.org/10.48550/arXiv.1505.07945

2015-09-19

Abstract:Recent work on relationship-based access control has begun to show how it can be applied to general computing systems, as opposed to simply being employed for social networking applications. The use of relationships to determine authorization policies enables more powerful policies to be defined than those based solely on the commonly used concept of role membership. The relationships, paths and principal matching (RPPM) model described here is a formal access control model using relationships and a two-stage request evaluation process. We make use of path conditions, which are similar to regular expressions, to define policies. We then employ non-deterministic finite automata to determine which policies are applicable to a request. The power and robustness of the RPPM model allows us to include contextual information in the authorization process (through the inclusion of logical entities) and allows us to support desirable policy foundations such as separation of duty and Chinese Wall. Additionally, the RPPM model naturally supports a caching mechanism which has significant impact on request evaluation performance.

Cryptography and Security

Malik Imran-Daud

DOI: https://doi.org/10.48550/arXiv.1612.09527

2016-12-30

Cryptography and Security

Abstract:Thanks to the advent of the Internet, it is now possible to easily share vast amounts of electronic information and computer resources (which include hardware, computer services, etc.) in open distributed environments. These environments serve as a common platform for heterogeneous users (e.g., corporate, individuals etc.) by hosting customized user applications and systems, providing ubiquitous access to the shared resources and requiring less administrative efforts; as a result, they enable users and companies to increase their productivity. Unfortunately, sharing of resources in open environments has significantly increased the privacy threats to the users. Indeed, shared electronic data may be exploited by third parties, such as Data Brokers, which may aggregate, infer and redistribute (sensitive) personal features, thus potentially impairing the privacy of the individuals. A way to palliate this problem consists on controlling the access of users over the potentially sensitive resources. Specifically, access control management regulates the access to the shared resources according to the credentials of the users, the type of resource and the privacy preferences of the resource/data owners. The efficient management of access control is crucial in large and dynamic environments. Moreover, in order to propose a feasible and scalable solution, we need to get rid of manual management of rules/constraints (in which most available solutions rely) that constitutes a serious burden for the users and the administrators. Finally, access control management should be intuitive for the end users, who usually lack technical expertise, and they may find access control mechanism more difficult to understand and rigid to apply due to its complex configuration settings.