Presenter: Prof. Tao Xie


Presentation Transcript


  1. ACPT: Access Control Policy Testing System
     National Institute of Standards and Technology
     Department of Computer Science, North Carolina State University
     Presenter: Prof. Tao Xie

  2. ACPT Overview
     • Model Construction
       • composing and combining access control (AC) models (e.g., Multi-Level, RBAC)
     • Model Verification
       • verifying AC models against given properties
     • Implementation Testing
       • testing AC implementations

  3. Model Construction: Composing and Combining AC Models (e.g., Multi-Level and RBAC)
     • Support mandatory AC models (e.g., Multi-Level and RBAC) popularly used in practice
     • Ensure safety (i.e., absence of leakage) and flexibility in composing and combining mandatory AC models and rules
     • Allow the use of combination algorithms such as first-applicable, deny-overrides, and permit-overrides

  4. Model Verification
     • Verifying AC models against given properties
       • AC models can include a large number of attributes (e.g., roles, objects, clearance)
       • Conflicts among entities and their complexity may lead to misconfigurations
     • Detect discrepancies between AC models and their intended function (specified as properties)
       • Property verification is to check if AC models satisfy given properties (e.g., via model checking)

  5. Implementation Testing
     • Testing AC implementations for implementation faults
       • Generate a test suite (access requests) based on AC models and properties
       • Evaluate the generated test suite against AC implementations to find faults
     • Generated test suites can be applied to any AC implementation in deployment

  6. ACPT System Architecture
     [Diagram: AC Model Templates (Multi-Level, RBAC, Workflow, Chinese Wall, …) → GUI → Model construction → AC Models/Rules; AC Properties + AC Models/Rules → Model verification (e.g., model checker); AC Models/Rules → Implementation testing (e.g., combinatorial tester) → Test Suite → AC Implementations]
     • Goals
       • Model verification - model/rule correctness
       • Implementation testing - implementation conformance

  7. Model Construction
     • Allow composing mandatory AC models (as well as AC rules) through pre-defined model templates
       • Multi-Level, RBAC, Workflow, Chinese Wall models
     • Allow specifying model details by assigning attribute values
       • e.g., role subjects, resources, and actions for RBAC
     • Allow combining different AC models or rules
       • specifying model (or rule) priority for combining models or rules, e.g., combine Multi-Level with RBAC models
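The combining algorithms named on slide 3 and the model-priority combination described on slide 7, as an added example (not ACPT's own code). Two constructed models are combined: an RBAC model and a Multi-Level model; the attribute names (role_subject, clearance, classification, …), rule names and the clearance levels are assumptions made for the illustration. The point it shows is why priority matters for safety: for the same request, RBAC alone permits and Multi-Level alone denies, so the combining algorithm (or the order of the models under first-applicable) decides the outcome.

```python
"""Rule combining and model combination with priority (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]   # attribute name -> value, e.g. {"role_subject": "Doctor", ...}
Decision = Optional[str]   # "Permit", "Deny", or None (rule/model not applicable)


@dataclass
class Rule:
    name: str
    effect: str                          # "Permit" or "Deny"
    target: Callable[[Request], bool]    # the rule applies when this predicate holds

    def evaluate(self, req: Request) -> Decision:
        return self.effect if self.target(req) else None


def first_applicable(decisions: List[Decision]) -> Decision:
    """Earliest applicable decision wins; list order is the priority."""
    return next((d for d in decisions if d is not None), None)


def deny_overrides(decisions: List[Decision]) -> Decision:
    """Any Deny wins, then any Permit, else not applicable."""
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else None


def permit_overrides(decisions: List[Decision]) -> Decision:
    """Any Permit wins, then any Deny, else not applicable."""
    if "Permit" in decisions:
        return "Permit"
    return "Deny" if "Deny" in decisions else None


COMBINERS = {
    "first-applicable": first_applicable,
    "deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
}


@dataclass
class Model:
    name: str
    rules: List[Rule]
    combiner: str = "first-applicable"

    def evaluate(self, req: Request) -> Decision:
        return COMBINERS[self.combiner]([r.evaluate(req) for r in self.rules])


def combine_models(models: List[Model], combiner: str) -> Callable[[Request], Decision]:
    """Combine whole models; list order is model priority for first-applicable."""
    def evaluate(req: Request) -> Decision:
        return COMBINERS[combiner]([m.evaluate(req) for m in models])
    return evaluate


# Constructed RBAC model: a Doctor may View medical records.
RBAC = Model("RBAC", [
    Rule("doctor-view", "Permit",
         lambda r: r["role_subject"] == "Doctor" and r["action"] == "View"
         and r["resource"] in {"OldMedicalRecords", "RecentMedicalRecords"}),
])

# Constructed Multi-Level model: viewing requires clearance >= classification.
LEVEL = {"Unclassified": 0, "Confidential": 1, "Secret": 2}
MLS = Model("Multi-Level", [
    Rule("no-read-up", "Deny",
         lambda r: r["action"] == "View"
         and LEVEL[r["clearance"]] < LEVEL[r["classification"]]),
    Rule("read-down", "Permit",
         lambda r: r["action"] == "View"
         and LEVEL[r["clearance"]] >= LEVEL[r["classification"]]),
])

# Constructed request: a Doctor with Confidential clearance asks to View a
# Secret record. RBAC alone permits, MLS alone denies; the combiner decides.
REQUEST = {"role_subject": "Doctor", "clearance": "Confidential",
           "resource": "RecentMedicalRecords", "classification": "Secret",
           "action": "View"}

if __name__ == "__main__":
    for alg in COMBINERS:
        print(f"{alg:17s} -> {combine_models([RBAC, MLS], alg)(REQUEST)}")
```

Under first-applicable the answer flips with the model order ([RBAC, MLS] permits, [MLS, RBAC] denies), which is exactly the kind of leakage the model verification step is meant to catch before deployment.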

  8. Model Verification
     • Conduct model verification to assure AC safety in composed/combined models
     • Convert composed/combined models and user-specified properties to input models and properties of a verification tool (e.g., a model checker)
     • Verify models against specified properties, and report detected property violations

  9. Implementation Testing
     [Diagram: Access Requests → AC Implementation → Decisions, compared with Expected Decisions]
     • Assure AC implementation conformance by evaluating generated access requests
       • Test Generation: generate access requests (based on models/properties)
       • Test Execution: evaluate requests (against the AC implementation) and produce their decisions
       • Test-Result Evaluation: check if the decisions are consistent with the expected decisions (from properties or manual inspection, etc.)
       • If inconsistent, review implementation faults

  10. Combinatorial Test Generation
     • Exhaustive testing is impractical (esp. when manual effort is needed for test-result inspection)
     • Need to generate a small test suite with high fault-detection capability
     • Exploit the NIST Advanced Combinatorial Testing Suite (ACTS): collect domain variables in AC models and generate an efficient test suite automatically to detect faults, with
       • inputs: a domain of variables
       • outputs: t-way covering arrays as tests

  11. Combinatorial Test Generation Example
     • For example, domain of variables:
       • 2 subjects: Faculty and Student
       • 2 actions: write and view
       • 2 resources: grades and records
     • Given the domain, 4 and 8 tests are generated for 2-way and 3-way interactions, respectively
       • <Faculty, grades, write>,
       • <Faculty, records, view>, …

  12. Combinatorial Test Generation Example
     • Combinatorial tests based on 2-way interactions
     • Combinatorial tests based on 3-way interactions (being exhaustive tests)
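The three implementation-testing steps of slide 9 (test generation, test execution, test-result evaluation) run end to end on the domain of slides 11 and 12, as an added example that is neither ACPT's nor ACTS's code. The covering array is built by exact search, which is fine for a domain of three two-valued variables but exponential in general; ACTS uses heuristic constructions for real domains. The oracle (the expected decisions), the AC implementation and the fault seeded into it are all constructed for the illustration, as are the function names.

```python
"""Combinatorial test generation and implementation testing (added example)."""
import math
from itertools import combinations, product
from typing import Callable, Dict, List, Sequence, Tuple

Request = Dict[str, str]

# The domain of variables from slide 11.
DOMAIN: Dict[str, Sequence[str]] = {
    "subject": ("Faculty", "Student"),
    "action": ("write", "view"),
    "resource": ("grades", "records"),
}


def required_tuples(domain: Dict[str, Sequence[str]], t: int) -> List[Tuple]:
    """Every value combination over every choice of t variables."""
    names = list(domain)
    return [(idx, vals)
            for idx in combinations(range(len(names)), t)
            for vals in product(*(domain[names[i]] for i in idx))]


def covers(rows: Sequence[Request], names: List[str], idx, vals) -> bool:
    """True if some row carries the given values at the given variable indices."""
    return any(all(row[names[i]] == v for i, v in zip(idx, vals)) for row in rows)


def covering_array(domain: Dict[str, Sequence[str]], t: int) -> List[Request]:
    """Smallest set of requests covering all t-way interactions (exact search)."""
    names = list(domain)
    candidates = [dict(zip(names, vals)) for vals in product(*domain.values())]
    required = required_tuples(domain, t)
    # Lower bound: the largest number of value combinations of any t variables.
    lower = max(math.prod(len(domain[names[i]]) for i in idx)
                for idx in combinations(range(len(names)), t))
    for size in range(lower, len(candidates) + 1):
        for rows in combinations(candidates, size):
            if all(covers(rows, names, idx, vals) for idx, vals in required):
                return list(rows)
    return candidates   # unreachable: the full product always covers everything


def expected_decision(req: Request) -> str:
    """Oracle from the constructed model: Faculty may do anything,
    a Student may only view records."""
    if req["subject"] == "Faculty":
        return "Permit"
    if req["action"] == "view" and req["resource"] == "records":
        return "Permit"
    return "Deny"


def implementation_decision(req: Request) -> str:
    """Constructed AC implementation with a seeded fault: the student
    branch forgets to check the action."""
    if req["subject"] == "Faculty":
        return "Permit"
    if req["resource"] == "records":      # fault: should also require action == "view"
        return "Permit"
    return "Deny"


def run_tests(tests: Sequence[Request], implementation: Callable[[Request], str],
              oracle: Callable[[Request], str]) -> List[Dict]:
    """Test execution plus result evaluation: return every inconsistent decision."""
    failures = []
    for req in tests:
        expected, actual = oracle(req), implementation(req)
        if expected != actual:
            failures.append({"request": req, "expected": expected, "actual": actual})
    return failures


if __name__ == "__main__":
    for t in (2, 3):
        suite = covering_array(DOMAIN, t)
        bad = run_tests(suite, implementation_decision, expected_decision)
        print(f"{t}-way: {len(suite)} tests, {len(bad)} inconsistent decision(s)")
        for f in bad:
            print("  ", f)
```

With this domain the 2-way array has the 4 requests and the 3-way array the 8 (exhaustive) requests that slide 11 states, and the seeded fault (a Student permitted to write records) is caught by both suites; the 2-way suite finds it with half the test executions.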

  13. ACPT System Architecture (revisited; same diagram and goals as slide 6)

  14. Compare ACPT with Commercial AC Tools
     A commercial AC management tool does not have all of the following capabilities that NIST ACPT has:
     • AC model templates for specifying models: Multi-Level, RBAC, Workflow, Chinese Wall, etc.
       • Some tools (such as IBM policy manager) claim to provide RBAC templates, but these are only simulated using rules and provide no support for role or attribute relations (hierarchy)
     • Combination of multiple AC models
       • e.g., combine Multi-Level and RBAC models
     • AC model verification to detect faults in models
       • IBM policy manager has only a limited SOD (Separation of Duty) check
     • Test-suite generation for testing AC implementations in deployment to detect faults in implementations

  15. ACPT Future Work
     • Model (and rule) priority configuration for combining different models or rules
     • Generate deployable policies in XACML derived from verified AC models or rules
     • More AC model templates, including dynamic and historical AC models
     • API or mechanism for acquiring or consuming information about users, attributes, resources, etc.
     • Web-ACPT allowing convenient web-based model composition

  16. Conclusion
     • ACPT: Access Control Policy Testing System
     • Enables users to conveniently compose and combine various models such as Multi-Level and RBAC
     • Provides high confidence in AC correctness
       • Model correctness via model verification
       • Implementation conformance via implementation testing

  17. Questions? vhu@nist.gov xie@csc.ncsu.edu

  18. Role-Based Access Control (RBAC)
     [Diagram: User --UA (User Assignment)--> Role --PA (Permission Assignment)--> Permission]
     • Users are assigned to roles, e.g., doctor, nurse, patient.
     • Permissions are associated with roles.
     • A user has a permission if he is a member of some role with that permission.
     • RBAC is relatively simple and widely used.
     [Stoller et al. 07]

  19. Example property
     (role_subject = Doctor)
       & (resource = OldMedicalRecords | resource = RecentMedicalRecords | resource = PrivateNotes)
       & (action = View)
       -> decision = Permit

  20. Policy Synthesis
     • XACML (eXtensible Access Control Markup Language) is a generic XML-based language for specifying AC policies
       • Extensible and flexible policy specification language
       • Considered the de facto standard
     • ACPT takes a set of pre-defined XACML policy templates and synthesizes XACML policies from composed/combined models
       • Different models use different XACML policy templates
       • Extensible: supports converting new models into XACML policies by adding new XACML policy templates

  21. Synthesized XACML Policy Example
     <PolicySet PolicySetId="n" PolicyCombiningAlgId="First-Applicable">
       <Target/>
       <Policy PolicyId="RBAC_school" RuleCombiningAlgId="First-Applicable">
         <Target/>
         <Rule RuleId="1" Effect="Deny">
           <Target>
             <Subjects><Subject> Student </Subject> <Subject> Secretary </Subject></Subjects>
             <Resources><Resource> Grades </Resource></Resources>
             <Actions><Action> Change </Action></Actions>
           </Target>
         </Rule>
         <Rule RuleId="2" Effect="Permit">
           <Target>
             <Subjects><Subject> Professor </Subject> <Subject> Lecturer </Subject> <Subject> Secretary </Subject></Subjects>
             <Resources><Resource> Grades </Resource> <Resource> Records </Resource></Resources>
             <Actions><Action> Change </Action></Actions>
           </Target>
         </Rule>
       </Policy>
       <Policy PolicyId="ABAC_school" RuleCombiningAlgId="First-Applicable">
         <Target/>
         <Rule RuleId="3" Effect="Permit">
           <Target>
             <Subjects><Subject> Jim </Subject></Subjects>
             <Resources><Resource> Records </Resource></Resources>
             <Actions><Action> Change </Action> <Action> Read </Action></Actions>
           </Target>
         </Rule>
       </Policy>
     </PolicySet>
     RBAC_school policy
     • Rule 1: A student or secretary cannot change grades.
     • Rule 2: A professor, lecturer, or secretary can change grades or records.
     ABAC_school policy
     • Rule 3: Jim can change grades or records.
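The template-driven synthesis of slides 20 and 21, as an added example (not ACPT's own code): each composed model becomes one <Policy> and each of its rules one <Rule>, wrapped in a first-applicable <PolicySet>, so that adding a new model template means adding one more ModelSpec. The generated XML deliberately follows the slide's simplified shape (bare element text for subjects, resources and actions, no XACML namespace); real XACML identifies combining algorithms by URN and matches attributes with AttributeValue/AttributeDesignator elements. The RuleSpec/ModelSpec names and the function names are assumptions; the rule contents are those of slide 21.

```python
"""Synthesizing a simplified XACML PolicySet from model templates (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List


@dataclass
class RuleSpec:
    rule_id: str
    effect: str                # "Permit" or "Deny"
    subjects: List[str]
    resources: List[str]
    actions: List[str]


@dataclass
class ModelSpec:
    policy_id: str             # e.g. "RBAC_school"
    rules: List[RuleSpec]      # in priority order
    combining: str = "First-Applicable"


def _list_element(parent: ET.Element, plural: str, singular: str, values: List[str]) -> ET.Element:
    """Emit <Subjects><Subject>a</Subject>...</Subjects> and the like."""
    box = ET.SubElement(parent, plural)
    for v in values:
        ET.SubElement(box, singular).text = v
    return box


def rule_to_xml(rule: RuleSpec) -> ET.Element:
    el = ET.Element("Rule", RuleId=rule.rule_id, Effect=rule.effect)
    target = ET.SubElement(el, "Target")
    _list_element(target, "Subjects", "Subject", rule.subjects)
    _list_element(target, "Resources", "Resource", rule.resources)
    _list_element(target, "Actions", "Action", rule.actions)
    return el


def synthesize_policy_set(models: List[ModelSpec], policy_set_id: str = "n") -> ET.Element:
    """One <Policy> per model template, in the models' priority order."""
    pset = ET.Element("PolicySet", PolicySetId=policy_set_id,
                      PolicyCombiningAlgId="First-Applicable")
    ET.SubElement(pset, "Target")
    for m in models:
        policy = ET.SubElement(pset, "Policy", PolicyId=m.policy_id,
                               RuleCombiningAlgId=m.combining)
        ET.SubElement(policy, "Target")
        for r in m.rules:
            policy.append(rule_to_xml(r))
    return pset


# The two composed models of slide 21.
SCHOOL_MODELS = [
    ModelSpec("RBAC_school", [
        RuleSpec("1", "Deny", ["Student", "Secretary"], ["Grades"], ["Change"]),
        RuleSpec("2", "Permit", ["Professor", "Lecturer", "Secretary"],
                 ["Grades", "Records"], ["Change"]),
    ]),
    ModelSpec("ABAC_school", [
        RuleSpec("3", "Permit", ["Jim"], ["Records"], ["Change", "Read"]),
    ]),
]


def synthesize_xml(models: List[ModelSpec] = SCHOOL_MODELS) -> str:
    """Serialize the synthesized PolicySet as an XML string."""
    return ET.tostring(synthesize_policy_set(models), encoding="unicode")


if __name__ == "__main__":
    print(synthesize_xml())
```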

  22. Model Verification
     • ACPT currently uses the NuSMV model checker, a well-structured, flexible, and efficient tool (supporting CTL and LTL model checking)
     [Diagram: Composed/Combined Models in NuSMV + Properties in NuSMV → NuSMV model checker → Detected Property Violations]
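What the verification step of slides 8 and 22 computes for the property of slide 19, as an added example (not ACPT's own code; ACPT hands the model and property to NuSMV instead of enumerating states itself). For a finite model every (role, resource, action) combination can be enumerated, so the property can be decided exhaustively and each violation reported with its state, which is what a model checker's counterexample gives you. The rules, the roles and resources beyond those on the slide, and the seeded conflict (a later protective Deny rule overriding the Doctor's Permit) are constructed for the illustration; the function names are assumptions.

```python
"""Model verification by exhaustive enumeration of a finite AC model (added example)."""
from itertools import product
from typing import Callable, Dict, List, Optional, Tuple

State = Dict[str, str]
Rule = Tuple[str, Callable[[State], bool]]   # (effect, applicability predicate)

ROLES = ("Doctor", "Psychiatrist", "Nurse")
RESOURCES = ("OldMedicalRecords", "RecentMedicalRecords", "PrivateNotes")
ACTIONS = ("View", "Edit")

# Constructed composed model, evaluated first-applicable (list order = priority).
# Rule 1 was added to protect PrivateNotes and silently conflicts with rule 2.
MODEL: List[Rule] = [
    ("Deny", lambda s: s["resource"] == "PrivateNotes"
                       and s["role_subject"] != "Psychiatrist"),
    ("Permit", lambda s: s["role_subject"] == "Doctor" and s["action"] == "View"),
    ("Permit", lambda s: s["role_subject"] == "Psychiatrist"),
    ("Permit", lambda s: s["role_subject"] == "Nurse" and s["action"] == "View"
                         and s["resource"] != "PrivateNotes"),
]


def decision(model: List[Rule], state: State) -> Optional[str]:
    """First-applicable evaluation; None means no rule applied."""
    for effect, applies in model:
        if applies(state):
            return effect
    return None


def doctor_can_view(state: State, dec: Optional[str]) -> bool:
    """The property of slide 19 as a predicate over a state and its decision:
    (role_subject = Doctor) & (resource in {...}) & (action = View) -> decision = Permit."""
    premise = (state["role_subject"] == "Doctor"
               and state["resource"] in {"OldMedicalRecords", "RecentMedicalRecords", "PrivateNotes"}
               and state["action"] == "View")
    return (not premise) or dec == "Permit"


def verify(model: List[Rule],
           prop: Callable[[State, Optional[str]], bool]) -> List[Dict[str, Optional[str]]]:
    """Enumerate every state of the finite model and return the property violations."""
    violations = []
    for role, res, act in product(ROLES, RESOURCES, ACTIONS):
        state = {"role_subject": role, "resource": res, "action": act}
        dec = decision(model, state)
        if not prop(state, dec):
            violations.append({**state, "decision": dec})
    return violations


if __name__ == "__main__":
    found = verify(MODEL, doctor_can_view)
    print(f"{len(found)} violation(s)")
    for v in found:
        print("  counterexample:", v)
```

The single counterexample (Doctor, PrivateNotes, View is denied) is the discrepancy between the composed model and its intended function that slide 4 describes; reordering the two conflicting rules makes the property hold, at the cost of weakening the PrivateNotes protection, which is why the fix should itself be re-verified rather than assumed. Enumeration scales only to small attribute domains; symbolic model checking in NuSMV is what makes the same check feasible for models with many attributes.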

  23. Compare ACPT with Commercial/Research AC tools
