Policy Evaluation Testbed
Vincent Hu, Tom Karygiannis, Steve Quirolgico
NIST ITL PET Report, May 4, 2010
AC Policy Composing Problems
• No structural model framework to support policy authoring.
• No tool to check the correctness of policy rule specifications, which are hand-crafted by administrators.
• No tool for checking the effect (conflicts between rules) of combining more than one policy.
• No efficient way to generate exhaustive test cases for checking the correctness of an access control implementation.
Access Control Policy Tool (ACPT)
ACPT is a tool for composing access control models (such as RBAC and Multi-Level models).
Features:
• Allows specification of policy combinations, rules, and properties through model templates
• Allows testing and verification of policies against specified properties, and reports problems that may lead to security holes
• Generates efficient test suites (by applying NIST's combinatorial testing technology) for testing access control implementations
• Test suites can be applied to any access control implementation
• Ensures safety and flexibility when composing access control policies
• XACML policy generation
ACPT Architecture
• Administrator GUI: allows specification of users, groups, attributes, roles, rules, policies, and resources.
• Data Acquisition (optional function): an API/mechanism to consume or acquire external data related to policies (user, attribute, resource, role, etc. data).
• AC Model Templates: the templates through which policies, rules, and properties are entered.
• Model Checker: validates access control policy models.
• Policy Generator: generates encoded policies (XACML, .xml).
• Combinatorial Array Generator: generates the combinatorial test array.
• Test Suite Generator: generates test suites from the array.
ACPT Demo
Policy A (excerpt from 28 CFR Part 23 Statutes and Government Category)
Policy B (excerpt from Government Category, Remote Access, and OMB/NIST Assurance)
ACPT Demo
Property to test: a request with the attributes
* "Current" for 28 CFR Part 23 Training,
* "Federal" for Government Category,
* "1" for Assurance Level,
* "True" for Remote Access,
to "read" data with the "ISE" Privacy Category attribute should not be allowed.
The rules say: rule number 1 of Policy A grants the request described by the property, but no rule in Policy B grants such a request.
ACPT Demo
Property specification in ACPT
ACPT Demo
Testing the property against Policy A: the result returns false, with a counterexample.
ACPT Demo
Testing the property against Policy B: the result returns true.
ACPT Demo
Testing the property against Policy A merged with Policy B: the result returns false for Policy A but true for Policy B. Note that for merged policies there are no priorities between the policies.
ACPT Demo
Testing the property against Policy A combined with Policy B. Combined policies carry priorities among the combined rules. This slide shows the combination in which Policy B has higher priority than Policy A.
ACPT Demo
Testing the property against Policy A combined with Policy B, with "Default Deny" rules set for both policies: the verification result returns true for the combined policy.
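The five verification steps above, worked through on a toy model, as an added example that is not part of the original deck and not NIST ACPT code. The deck shows the request attributes and the outcome of each check but not the actual rules of Policy A and Policy B, so the two policies below are hypothetical stand-ins built to reproduce those outcomes; the attribute domains are constructed as well. Rules combine first-applicable, "merged" evaluates each policy on its own, "combined" flattens the policies into one rule list in priority order, and a property is checked by enumerating the whole request space and returning the first permitted request as the counterexample:

```python
"""Toy ACPT-style property verification (added example; not NIST ACPT code).

Policy A and Policy B below are hypothetical stand-ins for the demo policies:
the slides give the request attributes and the verification outcomes, not the rules.
"""
from itertools import product

# Constructed attribute domains for the demo request.
DOMAINS = {
    "training": ["Current", "Expired"],      # 28 CFR Part 23 training status
    "gov_category": ["Federal", "State", "Local"],
    "assurance_level": [1, 2, 3],            # OMB/NIST assurance level
    "remote_access": [True, False],
    "action": ["read", "write"],
    "privacy_category": ["ISE", "Public"],
}

def rule(effect, **conds):
    """A rule is (conditions, effect); a condition value is one allowed value or a list of them."""
    return (conds, effect)

def matches(conds, req):
    """A rule applies when every constrained attribute of the request takes an allowed value."""
    for attr, allowed in conds.items():
        if not isinstance(allowed, (list, tuple, set)):
            allowed = (allowed,)
        if req[attr] not in allowed:
            return False
    return True

# Hypothetical Policy A, rule 1: current training in the Federal category may read data.
POLICY_A = [rule("permit", training="Current", gov_category="Federal", action="read")]
# Hypothetical Policy B: ISE data may be read only at assurance level 2 or higher and never remotely.
POLICY_B = [rule("permit", privacy_category="ISE", action="read",
                 assurance_level=[2, 3], remote_access=False)]
DEFAULT_DENY = rule("deny")  # no conditions: applies to every request

def evaluate(rules, req):
    """First-applicable combining: the effect of the first matching rule, or None if no rule applies."""
    for conds, effect in rules:
        if matches(conds, req):
            return effect
    return None

def merged(policies, req):
    """Merged policies carry no priority between them: each policy answers on its own."""
    return {name: evaluate(rules, req) for name, rules in policies.items()}

def combined(policies_by_priority, req):
    """Combined policies form one ordered rule list; the higher-priority policy's rules are tried first."""
    return evaluate([r for rules in policies_by_priority for r in rules], req)

def all_requests(domains=DOMAINS):
    """Enumerate the whole request space (the model checker's state space)."""
    for values in product(*domains.values()):
        yield dict(zip(domains, values))

def verify_not_permitted(decide, scope):
    """Property: no request matching `scope` is permitted. Returns (holds, counterexample_or_None)."""
    for req in all_requests():
        if matches(scope, req) and decide(req) == "permit":
            return False, req
    return True, None

# The demo property: this request must not be allowed to read ISE data.
PROPERTY = dict(training="Current", gov_category="Federal", assurance_level=1,
                remote_access=True, action="read", privacy_category="ISE")

def demo():
    """Re-run the deck's five checks; each value is (property holds?, counterexample)."""
    results = {}
    results["A"] = verify_not_permitted(lambda r: evaluate(POLICY_A, r), PROPERTY)  # false: A rule 1 permits
    results["B"] = verify_not_permitted(lambda r: evaluate(POLICY_B, r), PROPERTY)  # true: nothing in B permits
    results["merged"] = {  # per-policy answers; no priority resolves the disagreement
        name: verify_not_permitted(lambda r, n=name: merged({"A": POLICY_A, "B": POLICY_B}, r)[n], PROPERTY)[0]
        for name in ("A", "B")}
    # B first, but B is not applicable to the request, so A's rule 1 still permits it.
    results["B_over_A"] = verify_not_permitted(lambda r: combined([POLICY_B, POLICY_A], r), PROPERTY)
    # Default deny appended to each policy: B's default deny now fires before A is ever consulted.
    results["B_over_A_default_deny"] = verify_not_permitted(
        lambda r: combined([POLICY_B + [DEFAULT_DENY], POLICY_A + [DEFAULT_DENY]], r), PROPERTY)
    return results

if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

The point the last two checks make is that combining policies by priority does not by itself close the gap: a higher-priority policy that is simply not applicable falls through to the lower one, and only an explicit default-deny rule turns "B has nothing to say" into "B denies".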
ACPT Demo
Test case generation:
ACPT Demo
XACML generation:
Live Demo
Compare ACPT with commercial AC tools
• So far, no commercial AC policy management tool has all of the following capabilities that NIST ACPT has:
• AC (access control) model templates for entering policies: RBAC, Multi-Level, RuBAC (rule-based), and Workflow. Some tools (such as IBM Tivoli) claim to provide RuBAC, RBAC, and ABAC templates, but these are only simulated with rules; in other words, there is no capability for building role or attribute relations (hierarchies).
• Combining different AC models into one (e.g., combining an RBAC policy with RuBAC and ABAC policies).
• AC property verification (properties described by Boolean predicates) to ensure the created policy satisfies any combination of rule constraints (IBM has only a limited SOD (Separation of Duty) check).
• A test case (suite) generator for testing in the real operational environment, to assure that there is no privilege leakage caused by faults outside the AC policy itself.
ACPT Future Work
• Policy (or rule) priority configuration for combining different models or rules (e.g., combinations of global and local policies)
• White-box model/properties verification to verify coverage and confinement of access control rules
• Generate XACML policies derived from verified access control models or rules
• Additional access control policy templates, including dynamic and historical access control models
• API or mechanism for acquiring or consuming information about users, attributes, resources, etc.
• Web-ACPT allowing convenient web-based policy composition
Progress Report
• PET
  • State-to-State policy scenarios defined
  • XACML and PEP coding to support new scenario
  • Numerous software enhancements
  • Preparing demo for Fusion Center conference
• DHS/JHUAPL
  • Identity Provider Service
  • Privacy Policy Matrix
• DoJ and HHS Presentations
• Computer Associates CRADA
  • Policy Expression and Automated Extraction
• National Security Agency
  • Quarterly Technical Exchanges
Progress Report (cont.)
• Presentation and Demo, 2010 Fusion Center Technology Workshop, June 8th and 9th, 2010
• Decentralized Information Group, Computer Science & Artificial Intelligence Lab, Massachusetts Institute of Technology
• Nationwide Health Information Network (NHIN), CONNECT, HHS – ACPT Tool
Contact Information
• Vincent Hu – vincent.hu@nist.gov
• Tom Karygiannis – karygiannis@nist.gov
• Steve Quirolgico – steveq@nist.gov