430 likes | 574 Views
Margrave: XACML Verification and Change-Impact Analysis. Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown. Running Example. Roles: Faculty , Student Resources: InternalGrades , ExternalGrades Actions: Assign , View , Receive.
E N D
Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown
Running Example Roles: Faculty, Student Resources: InternalGrades, ExternalGrades Actions: Assign, View, Receive
Properties • There do not exist members of Student who can AssignExternalGrades • Faculty can Assign both InternalGrades and ExternalGrades • No combination of roles exists whose user can both Receive and AssignExternalGrades
Policy 1 • Requests for Students to ReceiveExternalGrades succeed • Requests for Faculty to Assign or ViewExternalGrades succeed
Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed There do not exist members of Student who can AssignExternalGrades Faculty can Assign both InternalGrades and ExternalGrades No combination of roles exists whose user can both Receive and AssignExternalGrades Policy 1, Properties 1-3
Output Error! Counterexample: Student simultaneously requests to • ReceiveExternalGrade • AssignExternalGrade XACML: attributes represent sets
Policy 2 • Requests for Students to ReceiveExternalGrades succeed • Requests for Faculty to Assign or ViewExternalGrades succeed • Attributes for action and requested resources are constrained as singletons
Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed Attributes for action and requested resources are constrained as singletons There do not exist members of Student who can AssignExternalGrades Faculty can Assign both InternalGrades and ExternalGrades No combination of roles exists whose user can both Receive and AssignExternalGrades Policy 2, Properties 1-3
Output Error! Counterexample: Faculty - Student requests … But a Faculty isn’t also a Student
Policy 3 • Requests for Students to ReceiveExternalGrades succeed • Requests for Faculty to Assign or ViewExternalGrades succeed • Attributes for action and requested resources are constrained as singletons • Faculty are disjoint from Students
Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students There do not exist members of Student who can AssignExternalGrades Faculty can Assign both InternalGrades and ExternalGrades No combination of roles exists whose user can both Receive and AssignExternalGrades Policy 3, Properties 1-3
Output Success!
Policy 4 • Requests for Students to ReceiveExternalGrades succeed • Requests for Faculty to Assign or ViewExternalGrades succeed • TAs have the same privileges as Faculty • Attributes for action and requested resources are constrained as singletons • Faculty are disjoint from Students
Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed TAs have the same privileges as Faculty Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students There do not exist members of Student who can AssignExternalGrades Faculty can Assign both InternalGrades and ExternalGrades No combination of roles exists whose user can both Receive and AssignExternalGrades Policy 4, Properties 1-3
Output Error! Counterexample: • Student - TA can AssignExternalGrades • Student - TA is not a Faculty TAs are tricky!
Policy 5 • Requests for Students to ReceiveExternalGrades succeed • Requests for Faculty to Assign or ViewExternalGrades succeed • TAs can View and AssignInternalGrades but not ExternalGrades • Attributes for action and requested resources are constrained as singletons • Faculty are disjoint from Students
Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed TAs can View and AssignInternalGrades but not ExternalGrades Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students There do not exist members of Student who can AssignExternalGrades Faculty can Assign both InternalGrades and ExternalGrades No combination of roles exists whose user can both Receive and AssignExternalGrades Policy 5, Properties 1-3
Output Success!
Policy 6 • Requests for Students to ReceiveExternalGrades succeed • Requests for Faculty to Assign or ViewExternalGrades succeed • TAs can View and AssignInternalGrades but not ExternalGrades • FacultyFamily can ReceiveExternalGrades • Singleton and disjointness constraints
Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed TAs can View and AssignInternalGrades but not ExternalGrades FacultyFamily can ReceiveExternalGrades Singleton and disjointness constraints There do not exist members of Student who can AssignExternalGrades Faculty can Assign both InternalGrades and ExternalGrades No combination of roles exists whose user can both Receive and AssignExternalGrades Policy 6, Properties 1-3
Output Error! Counterexample: • Faculty can AssignExternalGrades • FacultyFamily can ReceiveExternalGrades • The same person generates both
Design Flow • Verification catches subtle corner-cases • Testing without the test cases: property represents a set of test cases • The disadvantage is usually cost (there’s another one we’ll get to later…)
Performance • Parsing: 355ms (cold cache) – 70ms (warm) • Longest verification: 10ms; most were faster than timer could measure • Memory: baseline of 4.7Mb, no increase [Athlon XP 1800+, 1.5GHz, 512Mb]
Faculty (f) can assign (a) grades (g) Students (s) can receive (r) grades (g) Multi-Terminal Decision Diagrams
Constraints • Represented by boolean expressions • Easy to combine booleans with MTDDs • Adds new terminal: EC (Excluded by Constraint)
Policies Without Properties • Working policy P1 • Modified policy P2 • Testing reveals intended change • But…
Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed TAs have the same privileges as Faculty Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students Policy 4 – Policy 3
Output • Eight combinations grant access • Four involve ExternalGrades • Adding TAs should not have affected this!
Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed TAs can View and AssignInternalGrades but not ExternalGrades Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students Policy 5 – Policy 3
Output All changes involve only • TAs • InternalGrades Therefore, we can be confident about the edit
Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed TAs can View and AssignInternalGrades but not ExternalGrades FacultyFamily can ReceiveExternalGrades Singleton and disjointness constraints Requests for Students to ReceiveExternalGrades succeed Requests for Faculty to Assign or ViewExternalGrades succeed TAs can View and AssignInternalGrades but not ExternalGrades Singleton and disjointness constraints Policy 6 – Policy 5
Output All changes involve Receiving grades Some changes involve the Faculty role Is there an error?
Exploring Changes • We can query and verify differenceseg: Did a change affect ExternalGrades? • Properties of differences may be stronger than properties of the entire system • Exploration may eventually lead to identifying system properties
Application Continue: paper submission and review Softvis 2005, CSFW 2005, FOAL 2005, ISSTA 2004, LMO 2005, TAV-WEB 2004, PADL 2004/3/2/1, FDPE 2003, Scheme 2003/2, ... • Roles: Admin, Chair, PC Member, Subrev… • Actions: Submit, Review, Broadcast, … • Resources: Papers, Reviews, Configurations
Performance • Policy has 50 MTDD variables • Raw policy has 1268 MTDD nodes • Constraints shrink it to 817 nodes • Parsing/constraining: 2.07s • Twelve properties: each < 10ms • Memory: 316,288 bytes over baseline • Change: 2ms, 1133 nodes, 16.3Kb memory
Tool Output 1:/Subject, role, Faculty/ 2:/Subject, role, Student/ 3:/Resource, resource-class, ExternalGrades/ 4:/Resource, resource-class, InternalGrades/ 5:/Action, command, Assign/ 6:/Action, command, View/ 7:/Action, command, Receive/ 8:/Subject, role, TA/ 12345678 { 00010101 N->P 00011001 N->P 00100101 N->P 00101001 N->P 01010101 N->P 01011001 N->P 01100101 N->P 01101001 N->P }
Perspective • Verification can be cheap enough to fit into the design flow and encourage policy exploration • Change impact • useful in itself finds some errors without properties • query/verif. is a bonus lightweight formal method • Think about continuous verification and change impact reports
XACML analysis: http://www.cs.brown.edu/research/plt/software/margrave/ Conference manager: http://continue.cs.brown.edu/