Margrave: XACML Verification and Change-Impact Analysis
Kathi Fisler, WPI
Shriram Krishnamurthi, Brown
Leo Meyerovich, Brown
Michael Carl Tschantz, Brown

Running Example
• Roles: Faculty, Student
• Resources: InternalGrades, ExternalGrades
• Actions: Assign, View, Receive
Properties
• There do not exist members of Student who can Assign ExternalGrades
• Faculty can Assign both InternalGrades and ExternalGrades
• No combination of roles exists whose user can both Receive and Assign ExternalGrades

Policy 1
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed

Verification run: Policy 1 checked against Properties 1-3 (inputs: the two rules of Policy 1 and the three properties listed above)

Output: Error!
Counterexample: a Student simultaneously requests to
• Receive ExternalGrades
• Assign ExternalGrades
XACML: attributes represent sets, so a single request can carry both actions at once
Policy 2
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons

Verification run: Policy 2 checked against Properties 1-3 (inputs: the rules and constraint of Policy 2 and the three properties listed above)

Output: Error!
Counterexample: a Faculty - Student (a subject holding both roles at once) requests …
But a Faculty isn’t also a Student
Policy 3
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students

Verification run: Policy 3 checked against Properties 1-3 (inputs: the rules and constraints of Policy 3 and the three properties listed above)

Output: Success!
Policy 4
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs have the same privileges as Faculty
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students

Verification run: Policy 4 checked against Properties 1-3 (inputs: the rules and constraints of Policy 4 and the three properties listed above)

Output: Error!
Counterexample:
• Student - TA can Assign ExternalGrades
• Student - TA is not a Faculty
TAs are tricky!
Policy 5
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students

Verification run: Policy 5 checked against Properties 1-3 (inputs: the rules and constraints of Policy 5 and the three properties listed above)

Output: Success!
Policy 6
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• FacultyFamily can Receive ExternalGrades
• Singleton and disjointness constraints

Verification run: Policy 6 checked against Properties 1-3 (inputs: the rules and constraints of Policy 6 and the three properties listed above)

Output: Error!
Counterexample:
• Faculty can Assign ExternalGrades
• FacultyFamily can Receive ExternalGrades
• The same person generates both
Design Flow
• Verification catches subtle corner-cases
• Testing without the test cases: a property represents a set of test cases
• The disadvantage is usually cost (there’s another one we’ll get to later…)

Performance
• Parsing: 355ms (cold cache) – 70ms (warm)
• Longest verification: 10ms; most were faster than the timer could measure
• Memory: baseline of 4.7Mb, no increase
[Athlon XP 1800+, 1.5GHz, 512Mb]
Multi-Terminal Decision Diagrams
[Figure: MTDD for the example policy "Faculty (f) can assign (a) grades (g); Students (s) can receive (r) grades (g)"]

Constraints
• Represented by boolean expressions
• Easy to combine booleans with MTDDs
• Adds a new terminal: EC (Excluded by Constraint)

Policies Without Properties
• Working policy P1
• Modified policy P2
• Testing reveals the intended change
• But…
Change-impact run: Policy 4 – Policy 3 (inputs: the rules and constraints of Policy 4 and of Policy 3 listed above)

Output
• Eight combinations grant access
• Four involve ExternalGrades
• Adding TAs should not have affected this!
Change-impact run: Policy 5 – Policy 3 (inputs: the rules and constraints of Policy 5 and of Policy 3 listed above)

Output
All changes involve only
• TAs
• InternalGrades
Therefore, we can be confident about the edit
Change-impact run: Policy 6 – Policy 5 (inputs: the rules and constraints of Policy 6 and of Policy 5 listed above)

Output
All changes involve Receiving grades
Some changes involve the Faculty role
Is there an error?

Exploring Changes
• We can query and verify differences, e.g.: Did a change affect ExternalGrades?
• Properties of differences may be stronger than properties of the entire system
• Exploration may eventually lead to identifying system properties
Application
Continue: paper submission and review (Softvis 2005, CSFW 2005, FOAL 2005, ISSTA 2004, LMO 2005, TAV-WEB 2004, PADL 2004/3/2/1, FDPE 2003, Scheme 2003/2, ...)
• Roles: Admin, Chair, PC Member, Subrev…
• Actions: Submit, Review, Broadcast, …
• Resources: Papers, Reviews, Configurations

Performance
• Policy has 50 MTDD variables
• Raw policy has 1268 MTDD nodes
• Constraints shrink it to 817 nodes
• Parsing/constraining: 2.07s
• Twelve properties: each < 10ms
• Memory: 316,288 bytes over baseline
• Change: 2ms, 1133 nodes, 16.3Kb memory

Tool Output
1: /Subject, role, Faculty/
2: /Subject, role, Student/
3: /Resource, resource-class, ExternalGrades/
4: /Resource, resource-class, InternalGrades/
5: /Action, command, Assign/
6: /Action, command, View/
7: /Action, command, Receive/
8: /Subject, role, TA/
12345678
{
00010101 N->P
00011001 N->P
00100101 N->P
00101001 N->P
01010101 N->P
01011001 N->P
01100101 N->P
01101001 N->P
}
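To make the set semantics behind the counterexamples and the change-impact step concrete, here is an added Python model of the running example; it is not Margrave (which uses MTDDs) but a brute-force enumeration of every request. It assumes that the Faculty rule, and the "same privileges" TA rule of Policy 4, cover both grade resources, which the policy slides abbreviate but which Property 2 and the tool output above require; with that, it reproduces the Policy 1 counterexample, the Student - TA counterexample for Policy 4, and the eight N->P changes of Policy 4 – Policy 3 in the tool output (columns 1-8 are the numbered attributes, N = NotApplicable, P = Permit).

```python
from itertools import product

# Attribute universe of the slides' running example (TA appears from Policy 4 on).
ROLES = ("Faculty", "Student", "TA")
RESOURCES = ("ExternalGrades", "InternalGrades")
ACTIONS = ("Assign", "View", "Receive")

def subsets(values):
    """All subsets of one attribute's values: XACML attributes are sets, so one
    request may carry several roles, resources or actions at once."""
    return [frozenset(v for v, bit in zip(values, bits) if bit)
            for bits in product((0, 1), repeat=len(values))]

def requests(singleton=False, disjoint=False):
    """Every (roles, resources, actions) request, optionally under the singleton
    constraint added in Policy 2 and the Faculty/Student disjointness of Policy 3."""
    for roles, res, acts in product(subsets(ROLES), subsets(RESOURCES), subsets(ACTIONS)):
        if singleton and (len(res) != 1 or len(acts) != 1):
            continue
        if disjoint and {"Faculty", "Student"} <= roles:
            continue
        yield roles, res, acts

def rule(role, resources, actions):
    """Permit rule whose target matches when each attribute set contains a listed value."""
    return lambda roles, res, acts: role in roles and bool(res & resources) and bool(acts & actions)

def policy(*rules):
    """Permit-overrides combination; 'N' is NotApplicable (no rule matched)."""
    return lambda roles, res, acts: "P" if any(r(roles, res, acts) for r in rules) else "N"

GRADES = {"ExternalGrades", "InternalGrades"}
STUDENT_RECEIVE = rule("Student", {"ExternalGrades"}, {"Receive"})
FACULTY_GRADES = rule("Faculty", GRADES, {"Assign", "View"})  # assumed: both grade kinds
POLICY1 = policy(STUDENT_RECEIVE, FACULTY_GRADES)  # Policies 2/3: same rules, constrained requests
POLICY4 = policy(STUDENT_RECEIVE, FACULTY_GRADES, rule("TA", GRADES, {"Assign", "View"}))
POLICY5 = policy(STUDENT_RECEIVE, FACULTY_GRADES, rule("TA", {"InternalGrades"}, {"Assign", "View"}))

def property1_counterexamples(pol, **constraints):
    """Property 1: no member of Student can Assign ExternalGrades. Returns violating requests."""
    return [req for req in requests(**constraints)
            if "Student" in req[0] and "ExternalGrades" in req[1] and "Assign" in req[2]
            and pol(*req) == "P"]

def change_impact(new, old, **constraints):
    """Requests whose decision differs between two policies, tagged 'old->new'."""
    return [(req, f"{old(*req)}->{new(*req)}")
            for req in requests(**constraints) if new(*req) != old(*req)]
```

Running `change_impact(POLICY4, POLICY1, singleton=True, disjoint=True)` yields exactly the eight TA requests of the tool output, while the same diff against POLICY5 touches only TAs and InternalGrades, as the Policy 5 – Policy 3 slide states.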
Perspective
• Verification can be cheap enough to fit into the design flow and encourage policy exploration
• Change impact
  • useful in itself: finds some errors without properties
  • query/verification is a bonus
  • a lightweight formal method
• Think about continuous verification and change impact reports

XACML analysis: http://www.cs.brown.edu/research/plt/software/margrave/
Conference manager: http://continue.cs.brown.edu/