Conformance Checking of Access Control Policies Specified in XACML
Vincent C. Hu (National Institute of Standards and Technology)
Evan Martin, JeeHyun Hwang, Tao Xie (North Carolina State University)
Outline
• Motivation
• Background: Access Control, XACML
• Conformance Checking
• Policy Verification & Testing
• Conclusion
Motivation
• Digital information is easy to access and search
• Sensitive information requires access control mechanisms
• A growing trend is to specify access control policies in a generic specification language such as XACML
  + Flexibility, expressiveness
  - Complexity, verbosity
  - Lack of desirable-property enforcement
Problem
• How to ensure the correct specification of access control policies?
• What you specify is what you get, but not necessarily what you want
• Conformance checking: checking policies against properties (models or specifications)
• Systematic testing of access control policies
  • Complements policy verification, which may not support full policy features or complex properties
  • Just like software testing + software verification
Background: Access Control System Model
[Figure: relationships among access control policy, access control algorithm, access control mechanism, access control model, access control rules and access states, annotated with the cardinalities 1:0~n, 1:n, 1:1, 1:n and n:n]
At an elementary level, an access control system consists of the space of states and the space of rules.
Background: Access Control
Three primary objectives:
• Determining which subjects are entitled to have access to which objects (Authorization)
• Determining the access rights permitted (a combination of access modes such as read, write, execute, delete, and append)
• Enforcing the access rights
An access control policy describes how to achieve these three goals.
• Subject: an active entity, generally a person, process, or device, that causes information to flow among objects
• Object: a passive entity that contains or receives information. Access to an object potentially implies access to the information it contains.
Background: XACML
• eXtensible Access Control Markup Language, an OASIS standard
• XML syntax for specifying policies, requests, and responses
• A flexible and expressive language, but complex and verbose
Request flow:
• A Subject who wishes to perform an Action on a Resource (Object) must do so through a PEP (Policy Enforcement Point).
• The PEP forms the XACML request and sends it to the PDP (Policy Decision Point).
• The PDP checks the request against the Policy and returns an XACML response.
• The PEP either Permits or Denies access to the resource.
Background: XACML Key Concepts
• A PolicySet holds other policies or policy sets.
• A Policy is expressed as a set of rules.
• A Rule has a target and a set of conditions that determine whether the rule applies to a given request.
• Both rule-level and policy-level Combining Algorithms exist to reconcile conflicts.
XACML Example (the callouts on the slides, "Policy Set Target", "Policy Target" and "Rule Target", are kept as XML comments)

<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicySetId="college"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Description>A College Policy on Grades</Description>
  <!-- Policy Set Target -->
  <Target>
    <Subjects><AnySubject /></Subjects>
    <Resources><AnyResource /></Resources>
    <Actions><AnyAction /></Actions>
  </Target>
  <Policy PolicyId="fac"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>Faculty Policy</Description>
    <!-- Policy Target -->
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Faculty</AttributeValue>
            <SubjectAttributeDesignator AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources><AnyResource /></Resources>
      <Actions><AnyAction /></Actions>
    </Target>
    <!-- Rule Target -->
    <Rule RuleId="fac-assign-view-grades" Effect="Permit">
      <Target>
        <Subjects><AnySubject /></Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ExternalGrades</AttributeValue>
              <ResourceAttributeDesignator AttributeId="resource-class" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ResourceMatch>
          </Resource>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InternalGrades</AttributeValue>
              <ResourceAttributeDesignator AttributeId="resource-class" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Assign</AttributeValue>
              <ActionAttributeDesignator AttributeId="command" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ActionMatch>
          </Action>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Receive</AttributeValue>
              <ActionAttributeDesignator AttributeId="command" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
  </Policy>
  <Policy PolicyId="stu"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>Student Policy</Description>
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Student</AttributeValue>
            <SubjectAttributeDesignator AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources><AnyResource /></Resources>
      <Actions><AnyAction /></Actions>
    </Target>
    <Rule RuleId="stu-recieve-extgrades" Effect="Permit">
      <Target>
        <Subjects><AnySubject /></Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ExternalGrades</AttributeValue>
              <ResourceAttributeDesignator AttributeId="resource-class" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Receive</AttributeValue>
              <ActionAttributeDesignator AttributeId="command" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>

Note: rules can also carry a more complicated Condition tag here, inside the Rule after its Target.
Policy Conformance Checking
Check XACML policies against properties:
• Rule binding (properties of encoded access control models)
• Access control features (e.g., safety, separation of duty)
[Figure: the access control system model from the Background slide (policy, algorithm, mechanism, model, rules and access states, with cardinalities 1:0~n, 1:n, 1:1, 1:n and n:n)]
Model: Bell-LaPadula [1973]
[Figure, four slides: subjects and objects at the levels Top Secret, Secret and Unclassified.
Read: a Top Secret subject may read Top Secret, Secret and Unclassified objects; a Secret subject may read Secret and Unclassified objects, but reading a Top Secret object is forbidden (no read up).
Write: a Top Secret subject may write Top Secret objects, but writing Secret or Unclassified objects is forbidden; a Secret subject may write Top Secret and Secret objects, but writing Unclassified objects is forbidden (no write down).]
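As an added example (not from the slides), this is what checking a policy's decisions against the Bell-LaPadula model looks like when done by testing rather than verification: every (subject level, object level, action) request is generated, the model's expected decision is computed, and the policy under test is asked for its own. `faulty_pdp` is a constructed policy containing a deliberate fault, not a policy from the presentation.

```python
from itertools import product

# Security levels as on the slides, ordered low to high.
LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}

def blp_expected(subject, obj, action):
    """Decision prescribed by Bell-LaPadula: a read needs the subject's level at or
    above the object's (no read up); a write needs it at or below (no write down)."""
    s, o = LEVELS[subject], LEVELS[obj]
    allowed = s >= o if action == "Read" else s <= o
    return "Permit" if allowed else "Deny"

def check_blp_conformance(pdp):
    """Generate every (subject level, object level, action) request, ask the policy
    under test (pdp) for its decision, and return the requests where it disagrees
    with the model, as (request, expected, actual) triples."""
    violations = []
    for subject, obj, action in product(LEVELS, LEVELS, ("Read", "Write")):
        expected = blp_expected(subject, obj, action)
        actual = pdp(subject, obj, action)
        if actual != expected:
            violations.append(((subject, obj, action), expected, actual))
    return violations

def faulty_pdp(subject, obj, action):
    """Constructed policy under test: it applies the read rule to every action,
    so writes down the lattice are permitted and writes up are denied."""
    return "Permit" if LEVELS[subject] >= LEVELS[obj] else "Deny"

if __name__ == "__main__":
    for request, expected, actual in check_blp_conformance(faulty_pdp):
        print(f"{request}: expected {expected}, policy returned {actual}")
```

The faulty policy passes all nine read requests and fails six write requests, which is exactly the information a verifier that only knows the model's properties would need a tester to produce.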
Model: Chinese Wall [Brewer&Nash 89]
• Group X & Group Y are conflict-of-interest groups
• If a subject has accessed an object in Group X, the subject will not be granted access to an object in Group Y
[Figure: a subject that has accessed object ox in Group X is denied access to object oy in Group Y]
Model: Role-Based Access Control (RBAC) [Ferraiolo&Kuhn 92]
• Express an access control policy in terms of the roles that individuals play within the organization.
• Can support a variety of policies through its configuration.
• XACML profile for RBAC [2004]
Access Control Features
• Safety: whether any privilege leaks, i.e., whether the XACML specification grants access that should not be granted
• Separation of Duties (SOD)
  • Role-centric: one user cannot fill two conflicting roles
  • User-centric: two conflicting users cannot collectively fill two roles in conflict
• Others…
Proposed Conformance Checking Implementation
• Some properties are enforced by XACML profiles
• Some simple properties can be formulated and fed to Margrave (a policy verification tool [Fisler et al. 05])
• More complicated properties can be dynamically checked with policy testing
Software Testing vs. Policy Testing
  Software testing: Program | Test Inputs | Test Outputs | Expected Outputs
  Policy testing:   Policy  | Requests    | Responses    | Expected Responses
Systematic Policy Testing
• Structural coverage criteria/measurement [ICICS 06]
  • Policy coverage
  • Rule coverage
  • Condition coverage
• Request generation [ICICS 06, SESS 07]
• Mutation testing [WWW 07]
• Application in conformance checking
  • Identify likely policy locations related to properties and then generate requests to cover these locations
  • Investigate the relationship between conformance checking and structural coverage or fault types
Structural Coverage Criteria
• Rationale: as in program testing, when the policy part containing a fault is not "covered", the error is often not exposed.
• Given a request q and a policy P, we say q covers a rule m in P if m contributes to the decision of q.
• The rule m contributes to the decision of q if all conditions (Cond) of m are satisfied by q. The sequence of rules and the combining algorithms may also affect coverage.
• Rule coverage of P by requests Q = (#rules covered by at least one request in Q) / (#rules in P)
• Policy coverage and condition coverage are defined similarly [ICICS 06]
Request Generation via Change-Impact Analysis (Cirg) [SESS 07]
• Synthesize policy versions (all-to-negate-one) for Margrave [Fisler et al. 05]
[Figure: Access Control Policy → (1. Version Synthesis) → Policy Versions → (2. Change-impact analysis) → Counter examples → (3. Request generation) → Requests]
Fault Model and Mutation Testing
• A fault model is used to model things that could go wrong when constructing a policy
• The fault model is the underlying foundation of mutation testing [DeMillo et al. 78] (similar to fault injection): the policy is iteratively mutated to produce numerous mutants, each containing one fault
• Uses:
  • Measure fault-detection effectiveness of test generation or test selection
  • Select tests [WWW 07]
Policy Mutation Testing [WWW 07]
[Figure: a Mutator applies Mutation Operators to the Policy to produce a Mutant Policy; the same Requests are evaluated against the Policy (Responses) and against the Mutant Policy (Mutant Responses); if the responses differ, the mutant is killed]
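The following Python, added here and not part of the presentation or its tools, ties the XACML example, the rule coverage definition and the mutation testing loop together on the college PolicySet: the policy is encoded as data, a simplified permit-overrides PDP records which rules contributed to each decision, and effect-flipping mutants are killed when some request's response changes. It assumes one subject, resource and action attribute per request and does not model the Indeterminate decision.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "rule_id resources actions effect")
Policy = namedtuple("Policy", "policy_id role rules")

# The "college" PolicySet from the slides, as data (permit-overrides at both levels):
# a Policy's target is the subject role, a Rule's target is resource-class and command.
COLLEGE = (
    Policy("fac", "Faculty", (Rule("fac-assign-view-grades",
           {"ExternalGrades", "InternalGrades"}, {"Assign", "Receive"}, "Permit"),)),
    Policy("stu", "Student", (Rule("stu-recieve-extgrades",
           {"ExternalGrades"}, {"Receive"}, "Permit"),)),
)

def evaluate(policy_set, request):
    """Simplified permit-overrides PDP. Returns (decision, ids of rules that
    contributed to it); a rule contributes when the request matches its target."""
    role, resource, action = request
    decision, covered = "NotApplicable", set()
    for pol in policy_set:
        if pol.role != role:
            continue
        for rule in pol.rules:
            if resource in rule.resources and action in rule.actions:
                covered.add(rule.rule_id)
                if rule.effect == "Permit":
                    decision = "Permit"
                elif decision == "NotApplicable":
                    decision = "Deny"
    return decision, covered

def rule_coverage(policy_set, requests):
    """Rule coverage = #rules covered by at least one request / #rules in P."""
    covered = set().union(*(evaluate(policy_set, q)[1] for q in requests))
    return len(covered) / sum(len(p.rules) for p in policy_set)

def effect_flip_mutants(policy_set):
    """One mutant per rule, each containing a single fault: its Effect is flipped."""
    for i, pol in enumerate(policy_set):
        for j, rule in enumerate(pol.rules):
            flipped = rule._replace(effect="Deny" if rule.effect == "Permit" else "Permit")
            rules = pol.rules[:j] + (flipped,) + pol.rules[j + 1:]
            yield rule.rule_id, policy_set[:i] + (pol._replace(rules=rules),) + policy_set[i + 1:]

def killed_mutants(policy_set, requests):
    """A mutant is killed when some request draws a different response from it."""
    return {rid for rid, m in effect_flip_mutants(policy_set)
            if any(evaluate(m, q)[0] != evaluate(policy_set, q)[0] for q in requests)}
```

A request set consisting only of a Faculty request leaves the student rule uncovered and its mutant alive; adding one Student Receive ExternalGrades request raises rule coverage from 0.5 to 1.0 and kills both mutants, which is the coverage/fault-detection relationship the slides set out to investigate.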
Conclusions
• XACML provides freedom in specifying policies but induces complexity, verbosity, and a lack of desirable-property enforcement
• We propose to conduct conformance checking of policies against
  • access control models' properties (rule binding)
  • access control features
• Checking is conducted based on policy verification and testing (structural coverage, request generation, mutation testing)