
Security Analysis of Role-based Access Control through Program Verification
Anna Lisa Ferrara (University of Bristol, UK), Gennaro Parlato (University of Southampton, UK), P. Madhusudan (University of Illinois, USA).


Presentation Transcript


  1. Security Analysis of Role-based Access Control through Program Verification
     Anna Lisa Ferrara, University of Bristol, UK
     Gennaro Parlato, University of Southampton, UK
     P. Madhusudan, University of Illinois, USA

  2. Access Control Policies
     • Access control policies are designed to support authorized accesses to protected resources

  3. Role-based Access Control (RBAC)
     • Most used access control model
       - standardized by the NIST
       - ease of administration
     • Three sets: Users, Roles, Permissions
     • Permissions are pairs (object, operation)
     • UA ⊆ Users × Roles (user assignment)
     • PA ⊆ Roles × Permissions (permission assignment)

  4. RBAC Example: Hospital
     Roles: Doctor, Manager, Nurse, Patient, PrimaryD, Receptionist, …
     Permissions: p1 = (Create, Appointment), p2 = (View, OldMedicalRecord), p3 = (View, RecentMedicalRecords), …
     UA: (Mary, Receptionist), (John, Doctor), (John, PrimaryD), (Jenny, Patient), (Tim, Doctor), …
     PA: (Receptionist, p1), (Doctor, p2), (Doctor, p3), …

  5. Administrative RBAC (ARBAC)
     Uses the concept of role itself to administer RBAC policies. Admins are users holding administrative roles; admin actions change the user-to-role assignments.
     • Assign(admin_role, precondition, target_role)
       - if admin user A has admin_role, then she can assign target_role to any user u who satisfies precondition
     • Revoke(admin_role, precondition, target_role)
       - symmetrically, removes target_role from any user u who satisfies precondition
     • precondition: any boolean condition over the roles of u

  6. Example of ARBAC Policy
     Admins: Manager, Patient, Receptionist, …
     Assign Actions
       - assign( Manager, ¬Doctor, Receptionist )
       - assign( Manager, true, Nurse )
       - assign( Patient, Doctor ∧ ¬Patient, PrimaryDoctor )
       - …
     Revoke Actions
       - revoke( Manager, true, Receptionist )
       - revoke( Manager, true, Nurse )
       - …

  7. Security Requirements
     Designers have security properties in mind while designing their policies:
     • Availability properties
       - A doctor must always be able to access patients' records
     • Escalation of privileges
       - A receptionist cannot access patients' records
     • Separation of duties
       - A doctor cannot also be a receptionist

  8. Importance of Security Analysis
     (Figure: a sequence of system states connected by Assign/Revoke actions.)
     • Policies are difficult to inspect by hand
     • Monitoring strategies are not acceptable

  9. Our Contribution
     • Propose a way to automatically prove correctness of RBAC policies
       - abstraction techniques
     • Show that our solution scales in practice
     • Build VAC, a publicly available tool

  10. Role-reachability Problem
      Each of these properties
        - availability
        - separation of duties
        - escalation of privileges
        - …
      reduces to the
      • Role-reachability Problem: can any user reach a particular role goal during the evolution of the system?

  11. Equivalent Representation
      • The cardinalities of all Venn regions (the number of users in each combination of roles r1, r2, r3, …) determine the precise state of the ARBAC system modulo user identities
        - e.g. #comb1 = 0, #comb2 = 20, …, #comb2^n = 35
        - two states with the same cardinalities are equivalent modulo identities
      • The ARBAC system can be simulated purely on Venn region cardinalities
      • Role-reachability: is there a reachable state where #comb_i > 0 for some comb_i containing goal?
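  As an added illustration (not code from the presentation or from VAC), the following Python script applies the Venn-region idea of slides 10 and 11 directly: it represents an ARBAC state as a count per role-combination, explores the exact finite state space of the hospital policy of slides 4 and 6, and answers the three slide-7 properties as role-reachability queries. The user "Alice" holding Manager is an assumption (the slide lists no manager), and the exact search is what VAC's abstractions over-approximate.

```python
from collections import Counter, deque

# Constructed instance of the hospital policy of slides 4 and 6. "Alice" as
# Manager is an assumption: without an administrator holding Manager, the
# Manager-administered rules could never fire.
INITIAL_UA = {
    "Mary": {"Receptionist"}, "John": {"Doctor", "PrimaryD"},
    "Jenny": {"Patient"}, "Tim": {"Doctor"}, "Alice": {"Manager"},
}
# (admin_role, precondition over the user's current roles, target_role)
ASSIGN = [
    ("Manager", lambda r: "Doctor" not in r, "Receptionist"),
    ("Manager", lambda r: True, "Nurse"),
    ("Patient", lambda r: "Doctor" in r and "Patient" not in r, "PrimaryD"),
]
REVOKE = [
    ("Manager", lambda r: True, "Receptionist"),
    ("Manager", lambda r: True, "Nurse"),
]

def venn_state(ua):
    """Slide 11: the state modulo identities is the number of users per
    role-combination (only non-empty Venn regions are kept)."""
    return frozenset(Counter(frozenset(r) for r in ua.values()).items())

def successors(state):
    """Apply one Assign or Revoke action to one user of some combination."""
    counts = Counter(dict(state))
    present = set().union(*counts)          # roles held by at least one user
    for rules, adding in ((ASSIGN, True), (REVOKE, False)):
        for admin, pre, target in rules:
            if admin not in present:        # nobody can administer this rule
                continue
            for combo in list(counts):
                if not pre(combo) or (target in combo) == adding:
                    continue
                new = combo | {target} if adding else combo - {target}
                nxt = counts.copy()
                nxt[combo] -= 1
                if nxt[combo] == 0:
                    del nxt[combo]
                nxt[new] += 1
                yield frozenset(nxt.items())

def reachable(goal, ua=INITIAL_UA):
    """Role-reachability (slide 10): is a combination satisfying `goal`
    reachable for some user under any sequence of admin actions?"""
    start = venn_state(ua)
    seen, todo = {start}, deque([start])
    while todo:
        state = todo.popleft()
        if any(goal(combo) for combo, _ in state):
            return True
        for nxt in successors(state):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return False

# Slide 7's properties as reachability queries (True means a violation exists).
SOD_VIOLATION = reachable(lambda c: {"Doctor", "Receptionist"} <= c)
ESCALATION = reachable(lambda c: "PrimaryD" in c and "Doctor" not in c)
NURSE_POSSIBLE = reachable(lambda c: "Nurse" in c)
```

  Because Doctor is never assigned or revoked by the policy and Receptionist requires ¬Doctor, both violation queries come back False, while Nurse is reachable as soon as a Manager exists.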

  12. Abstraction
      • We use abstraction:
        - over-approximations (correctness)
      • (Figure: concrete domain C with a transition s → s', abstract domain A with α(s) → α(s'), α the abstraction function)
      • Soundness:
        - $\forall s.\ \mathit{init}_C(s) \Rightarrow \mathit{init}_A(\alpha(s))$
        - $\forall s, s'.\ (s \rightarrow s') \Rightarrow (\alpha(s) \rightarrow \alpha(s'))$

  13. Our Solution
      (Figure: concrete system C → Set Abstraction (α1) → A' → Numerical Abstraction (α2) → A'')

  14. Set Abstraction (Abstract Domain)
      • Given the set of roles, track only the number of users in a subset Track of role-combinations
      Example
        Roles: Manager, Nurse, Patient, PrimaryD, Receptionist, Doctor
        Track: ManagerNursePatient, ManagerDoctorReceptionist, DoctorReceptionist, Patient
        (a user counted in a tracked combination may or may not be a Doctor; the abstraction does not record the roles outside the tracked combination)

  15. Set Abstraction (Abstract Transition)
      • Must soundly update the abstract state after any Assign and Revoke action
      • Without knowing the exact number of users in each Venn region it is difficult to update the state
      • Intuition: choose non-deterministically the user's role-combination and update the tracked subsets accordingly
      Consider Assign(Manager, ¬Receptionist, Doctor)
        Track = ManagerNursePatient, ManagerDoctorReceptionist, DoctorReceptionist, Patient, ManagerDoctor
        - Difficulty: is the user a manager or not? (the tracked counts do not say)

  16. Abstract Transition as a Program

        while ( true ) do
          //----- Choose a user consistent with the current configuration ------//
          b_Admin=random; assume b_Admin>=0 and b_Admin<=1;
          b_Doctor=random; assume b_Doctor>=0 and b_Doctor<=1;
          b_Manager=random; assume b_Manager>=0 and b_Manager<=1;
          b_Patient=random; assume b_Patient>=0 and b_Patient<=1;
          b_PrimaryDoctor=random; assume b_PrimaryDoctor>=0 and b_PrimaryDoctor<=1;
          b_Receptionist=random; assume b_Receptionist>=0 and b_Receptionist<=1;
          b_target=random; assume b_target>=0 and b_target<=1;
          //----- CanAssign(Manager, !Receptionist, Doctor) ------//
          if (brandom and (ADMIN_Manager>0) and b_Receptionist==0 and b_Doctor==0) then
            tmpAdmin=0;
            //----- n_Doctor_0Patient ------//
            if (b_Patient==0) then
              n_Doctor_0Patient=n_Doctor_0Patient+1;
              tmpAdmin=1;
            endif;
            if (tmpAdmin>0) then
              ADMIN_Doctor=ADMIN_Doctor+1;
            endif;
          endif;
          //----- ERROR ------//
          if (n_target>0) then skip; endif;
        done;
        . . .

  17. Numerical Abstraction
      • Interval abstractions of programs for numerical domains
        - an interval range for each value in Track
        - at each point of the program
      • Security of RBAC policies does not depend on the exact number of users in a configuration!

  18. Our tool
      (Pipeline: Policy + Security Query → slicing → set-abstraction → encode in a program → interval-abstractions using INTERPROC)
      • NO: policy correct
      • Yes: may be a false error

  19. Experimental Results
      (Table; the numeric values are not recoverable from the transcript)
      Columns: Policy | #roles | #actions | After Slicing: #roles | #actions | VAC: lines of code | time to transform | INTERPROC time | total time
      Rows: Hospital, University, Bank1, Bank2, Bank3, Bank4

  20. Conclusion
      • Prove correctness of policies automatically (abstractions)
        - set abstraction
        - interval abstraction
      • Experimentally proved the scalability of our approach
      • VAC is available at http://users.ecs.soton.ac.uk/gp4/VAC.html
