Verification and change impact analysis of access-control policies
1.
Verification and Change-Impact Analysis of
Access-Control Policies
Kathi Fisler, Shriram Krishnamurthi, Leo Meyerovich, and Michael Tschantz
ICSE’05
Presented by
Barry Demchak
CSE 294
Winter 2006
2.
Background – Data and Privilege Management
ChoicePoint exposed 163,000 records in 2005. Penalty: $15M
Ameriprise exposed 226,000 records this week
California SB1386, effective July 2003, requires disclosure of such breaches
3.
Background – Policy Objectives
Allow access only to proper parties under proper conditions
Deny access to those that should not have it
6.
Background – XACML Proposition
Common language to express policies
Hierarchy of definition to match the hierarchy of the organization
Decouple policies from mainstream application design (separation of concerns)
Model to specify policies, query access, and return results
Vendor-neutral mechanisms
8.
Background – Basic Construction
Rule: {subject}* {action}* {resource}* {condition}* with an Effect (Permit or Deny)
Rules are combined to make policies (by a rule-combining algorithm)
Policies are combined to make policy sets (by a policy-combining algorithm)
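The rule / policy / policy-set hierarchy above, with the three most common XACML combining algorithms, as an added Python model (not code from the paper, from Margrave, or from the XACML specification). The decision names and algorithm names are XACML's; the `Rule`/`Policy`/`PolicySet` classes, the dict-shaped request and the grades rules are this example's own constructions. The point it shows is that the same rules give different answers under different combining algorithms, so the algorithm is part of the policy's security semantics.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Sequence

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = dict   # constructed shape: {"subject": ..., "action": ..., "resource": ..., <extra attrs>}
Decision = str


@dataclass(frozen=True)
class Rule:
    """{subject}* {action}* {resource}* {condition} plus an Effect. None means Any*."""
    effect: Decision
    subjects: Optional[frozenset] = None
    actions: Optional[frozenset] = None
    resources: Optional[frozenset] = None
    condition: Callable[[Request], bool] = lambda req: True

    def evaluate(self, req: Request) -> Decision:
        for attr, allowed in (("subject", self.subjects), ("action", self.actions),
                              ("resource", self.resources)):
            if allowed is not None and req.get(attr) not in allowed:
                return NOT_APPLICABLE          # target does not match this request
        return self.effect if self.condition(req) else NOT_APPLICABLE


# Combining algorithms: each folds the children's decisions into one decision.
def deny_overrides(decisions: Iterable[Decision]) -> Decision:
    ds = list(decisions)
    if DENY in ds:
        return DENY
    return PERMIT if PERMIT in ds else NOT_APPLICABLE


def permit_overrides(decisions: Iterable[Decision]) -> Decision:
    ds = list(decisions)
    if PERMIT in ds:
        return PERMIT
    return DENY if DENY in ds else NOT_APPLICABLE


def first_applicable(decisions: Iterable[Decision]) -> Decision:
    for d in decisions:
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


@dataclass(frozen=True)
class Policy:
    """Rules combined by a rule-combining algorithm."""
    rules: Sequence[Rule]
    combine: Callable[[Iterable[Decision]], Decision]

    def evaluate(self, req: Request) -> Decision:
        return self.combine(r.evaluate(req) for r in self.rules)


@dataclass(frozen=True)
class PolicySet:
    """Policies (or nested policy sets) combined by a policy-combining algorithm."""
    children: Sequence[object]
    combine: Callable[[Iterable[Decision]], Decision]

    def evaluate(self, req: Request) -> Decision:
        return self.combine(c.evaluate(req) for c in self.children)


# Constructed policies over the slides' grades vocabulary.
GRADES = frozenset({"InternalGrades", "ExternalGrades"})
faculty_policy = Policy([Rule(PERMIT, subjects=frozenset({"Faculty"}),
                              actions=frozenset({"Assign", "View"}), resources=GRADES)],
                        deny_overrides)
student_policy = Policy([Rule(PERMIT, subjects=frozenset({"Student"}),
                              actions=frozenset({"Receive"}),
                              resources=frozenset({"ExternalGrades"}))],
                        deny_overrides)
# Freeze rule: once a grade has been released, nobody may Assign it. Whether it wins
# against faculty_policy depends entirely on the policy-combining algorithm.
freeze_policy = Policy([Rule(DENY, actions=frozenset({"Assign"}),
                             condition=lambda req: req.get("released", False))],
                       deny_overrides)


def decide(policy_combining, subject, action, resource, **attrs) -> Decision:
    req = {"subject": subject, "action": action, "resource": resource, **attrs}
    return PolicySet([faculty_policy, student_policy, freeze_policy], policy_combining).evaluate(req)


def grants_access(decision: Decision) -> bool:
    """Enforcement-point rule: only an explicit Permit opens the door; NotApplicable is a denial."""
    return decision == PERMIT


if __name__ == "__main__":
    for alg in (deny_overrides, permit_overrides, first_applicable):
        print(alg.__name__, decide(alg, "Faculty", "Assign", "ExternalGrades", released=True))
```

Under `deny_overrides` the freeze rule wins; under `permit_overrides` or `first_applicable` (where `faculty_policy` is listed first) the faculty permit wins and the released grade can be changed. A Student asking to Assign gets `NotApplicable`, which `grants_access` correctly treats as a denial.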
14.
Background – Policy Distribution
Policies are stored in databases or anywhere else
Policies apply to a particular target (subjects, actions, resources)
The engine can fetch multiple policies to evaluate
15.
Background – Covenant
Policies can carry obligations that applications (the enforcement point) must:
promise to understand
act on when the decision they are attached to (Permit or Deny) is returned
An application that cannot understand or discharge an obligation must deny access
16.
Background – Trivial Policy Example
Allow any subject to perform any action on any resource so long as the domain name is medico.com
21.
Rule Description
<Description>
Any subject with an e-mail name in the
medico.com domain
can perform any action on any resource.
</Description>
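The medico.com rule, written out in XACML 1.0 syntax and evaluated by a small decision engine, as an added example (not the paper's code and not the OASIS reference listing). The namespace, function, attribute and data-type URNs are the XACML 1.0 identifiers; the PolicyId/RuleId values, the dict-shaped request and the engine itself are this example's assumptions, and the engine only handles the subset the policy uses (rfc822Name subject matching with AnyResource/AnyAction). The check a practitioner wants is that a bare domain pattern matches only that exact domain: `bob@medico.com.attacker.example` must not be permitted, and a request from outside the domain comes back NotApplicable, not Deny, so the enforcement point must treat anything but Permit as a refusal.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:1.0:policy"
RFC822_MATCH = "urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RFC822_TYPE = "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"

# The slides' medico.com policy in XACML 1.0 syntax (constructed; Ids are this example's).
POLICY_XML = f"""<Policy xmlns="{XACML_NS}" PolicyId="urn:example:medico:policy1"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="urn:example:medico:rule1" Effect="Permit">
    <Description>Any subject with an e-mail name in the medico.com domain
      can perform any action on any resource.</Description>
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="{RFC822_MATCH}">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">medico.com</AttributeValue>
          <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{RFC822_TYPE}"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>
  </Rule>
</Policy>"""


def q(tag: str) -> str:
    """Namespace-qualify an XACML element name for ElementTree."""
    return f"{{{XACML_NS}}}{tag}"


def rfc822_name_match(pattern: str, name: str) -> bool:
    """XACML rfc822Name-match: a full address matches exactly (domain case-insensitively);
    a bare domain must equal the name's domain; a '.suffix' pattern matches subdomains.
    Hence 'medico.com' does not match 'x@medico.com.attacker.example'."""
    if "@" not in name:
        return False
    local, domain = name.rsplit("@", 1)
    domain = domain.lower()
    if "@" in pattern:
        plocal, pdomain = pattern.rsplit("@", 1)
        return local == plocal and domain == pdomain.lower()
    if pattern.startswith("."):
        return domain.endswith(pattern.lower())
    return domain == pattern.lower()


def subject_matches(subject_el, request: dict) -> bool:
    """Every SubjectMatch inside one <Subject> must hold (conjunction)."""
    for m in subject_el.findall(q("SubjectMatch")):
        if m.get("MatchId") != RFC822_MATCH:
            raise NotImplementedError(f"unsupported MatchId {m.get('MatchId')}")
        pattern = m.find(q("AttributeValue")).text
        attr_id = m.find(q("SubjectAttributeDesignator")).get("AttributeId")
        value = request.get(attr_id)
        # Missing attribute: no match here (a full PDP may say Indeterminate; neither grants access).
        if value is None or not rfc822_name_match(pattern, value):
            return False
    return True


def target_matches(target, request: dict) -> bool:
    """<Subjects> is a disjunction of <Subject> elements; only Any* resources/actions are handled."""
    if (target.find(q("Resources")).find(q("AnyResource")) is None
            or target.find(q("Actions")).find(q("AnyAction")) is None):
        raise NotImplementedError("only AnyResource/AnyAction targets are handled")
    subjects = target.find(q("Subjects"))
    if subjects.find(q("AnySubject")) is not None:
        return True
    return any(subject_matches(s, request) for s in subjects.findall(q("Subject")))


def evaluate(policy_xml: str, request: dict) -> str:
    """request is {AttributeId: value} (constructed shape). Returns Permit, Deny or NotApplicable."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find(q("Target")), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall(q("Rule"))
               if target_matches(r.find(q("Target")), request)]
    if "Deny" in effects:                  # deny-overrides, per RuleCombiningAlgId
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


if __name__ == "__main__":
    for who in ("bob@medico.com", "mallory@example.org", "bob@medico.com.attacker.example"):
        print(who, "->", evaluate(POLICY_XML, {SUBJECT_ID: who}))
```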
29.
Margrave
(Markgraf in German)
A lord or keeper of borders: a medieval access control manager
30.
Objectives
Detect ill-formed or inconsistent policies
Identify differences between policy generations
31.
Observations (relative to straight coding)
Policy implementations are often scattered across modules
Sharing or changing policies is hard and sometimes subtle
Offloading access-control logic out of the program reduces complexity for automated program checkers
32.
Observations (relative to straight coding)
Reasoning about policies embedded in application code is hard and not amenable to automated program checking
Testing isn’t exhaustive, and the cost model of testing is out of proportion to the cost model of a security breach
34.
Issues
Visualization of XACML policies
Visualization of properties
Visualization of policy diffs
Expanding Margrave to cover more of XACML
35.
Basic Verification - Properties
Margrave adds properties: a logical predicate over subjects, actions, and resources (and the decision the policy gives them)
Consider a policy Pol1: “Requests for Students to Receive ExternalGrades, and for Faculty to Assign and View both InternalGrades and ExternalGrades, will succeed.”
Consider a property Pr1: “There do not exist members of Student who can Assign ExternalGrades.”
The verifier will accept Pol1/Pr1: Pr1 doesn’t address any request Pol1 permits, and Pol1 grants Students nothing beyond Receive, so no counterexample exists.
36.
Basic Verification - Properties
Consider a policy Pol1: “Requests for Students to Receive ExternalGrades, and for Faculty to Assign and View both InternalGrades and ExternalGrades, will succeed.”
Consider a property Pr2: “All members of Faculty can Assign both InternalGrades and ExternalGrades.”
The verifier will accept Pol1/Pr2 because Pr2 affirms Pol1.
37.
Basic Verification - Properties
Consider a policy Pol1: “Requests for Students to Receive ExternalGrades, and for Faculty to Assign and View both InternalGrades and ExternalGrades, will succeed.”
Consider a property Pr3: “No member of Faculty can View ExternalGrades.”
The verifier will reject Pol1/Pr3 because Pr3 conflicts with Pol1.
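The three checks on Pol1 carried out by exhaustive enumeration over the finite vocabulary, as an added example (not Margrave's code; Margrave does the same check symbolically on decision diagrams). `pol1`, the three properties, and the constructed "widened" second generation of the policy are this example's own encodings of the slides' English statements. What it adds to the text is the counterexample: a rejected property comes back with the concrete request and decision that violate it, which is what makes the failure actionable.

```python
from itertools import product

# Finite vocabulary of the slides' example policy Pol1.
SUBJECTS = ("Student", "Faculty")
ACTIONS = ("Assign", "View", "Receive")
RESOURCES = ("InternalGrades", "ExternalGrades")
PERMIT, NA = "Permit", "NotApplicable"


def pol1(subject, action, resource):
    """Pol1 as a decision function. XACML is closed-world: a request no rule permits
    is NotApplicable, which the enforcement point must treat as a denial."""
    if (subject, action, resource) == ("Student", "Receive", "ExternalGrades"):
        return PERMIT
    if subject == "Faculty" and action in ("Assign", "View"):
        return PERMIT
    return NA


def pol1_widened(subject, action, resource):
    """Constructed next generation of Pol1 in which the Student rule was carelessly
    widened from Receive to any action on ExternalGrades."""
    if subject == "Student" and resource == "ExternalGrades":
        return PERMIT
    return pol1(subject, action, resource)


def check(policy, prop):
    """Exhaustively test a property on every (subject, action, resource) request.
    Returns (holds, counterexamples); each counterexample is the request plus its decision."""
    counterexamples = [
        (s, a, r, policy(s, a, r))
        for s, a, r in product(SUBJECTS, ACTIONS, RESOURCES)
        if not prop(s, a, r, policy(s, a, r))
    ]
    return not counterexamples, counterexamples


# Properties are predicates over a request and the decision the policy gives it.
def pr1(s, a, r, d):
    """No Student can Assign ExternalGrades."""
    return not (s == "Student" and a == "Assign" and r == "ExternalGrades" and d == PERMIT)


def pr2(s, a, r, d):
    """Every Faculty member can Assign both kinds of grades."""
    return d == PERMIT if (s == "Faculty" and a == "Assign") else True


def pr3(s, a, r, d):
    """No Faculty member can View ExternalGrades."""
    return not (s == "Faculty" and a == "View" and r == "ExternalGrades" and d == PERMIT)


if __name__ == "__main__":
    for name, policy, prop in [("Pol1/Pr1", pol1, pr1), ("Pol1/Pr2", pol1, pr2),
                               ("Pol1/Pr3", pol1, pr3), ("Pol1'/Pr1", pol1_widened, pr1)]:
        holds, bad = check(policy, prop)
        print(name, "accepted" if holds else f"rejected; counterexamples: {bad}")
```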
38.
Representation of Policies
Policies are represented as MTBDDs (multi-terminal binary decision diagrams)
39.
Representation of Policies
MTBDDs are constructed according to a fixed ordering of the variables (making comparison easy)
MTBDDs maximally share subtrees
MTBDDs collapse irrelevant variables (where both branches lead to the same node)
40.
Operations on MTBDDs
MTBDDs are created for individual rules and then merged to create policies according to the policy’s rule-combining algorithm
Combining two MTBDDs starts at the top of both and executes a brief recursive algorithm
Environmental constraints (e.g., “no Faculty is also a Student”) get combined in a similar way
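A toy MTBDD that exhibits the three slides above (fixed variable order, shared subtrees, collapsed irrelevant variables, rule merging by the combining algorithm, an environmental constraint) and also the change-impact comparison the Objectives and Conclusions slides describe, as an added example. It is not Margrave's implementation (which is in PLT Scheme); the Boolean encoding of one variable per attribute value, the `ORDER`, the rule functions and the constructed second policy generation `POL2` are this example's assumptions. The diff of two policy generations is itself an MTBDD whose non-`None` terminals are the requests whose decision changed, and because irrelevant variables are collapsed, each reported path is a compact partial assignment rather than a list of every concrete request.

```python
from collections import namedtuple

# One Boolean variable per attribute value, in a fixed global order (assumed encoding).
ORDER = ("Student", "Faculty", "Assign", "View", "Receive", "InternalGrades", "ExternalGrades")
Node = namedtuple("Node", "var low high")   # low: subtree for var=False, high: var=True
UNIQUE = {}                                 # unique table: structurally equal nodes are shared


def mk(var, low, high):
    if low == high:                          # both branches agree: the variable is irrelevant here
        return low
    return UNIQUE.setdefault(Node(var, low, high), Node(var, low, high))


def build(decide, i=0, true_attrs=()):
    """Shannon-expand decide(frozenset of true attributes) along ORDER; terminals are decisions."""
    if i == len(ORDER):
        return decide(frozenset(true_attrs))
    v = ORDER[i]
    return mk(v, build(decide, i + 1, true_attrs), build(decide, i + 1, true_attrs + (v,)))


def apply(op, a, b, memo=None):
    """Combine two MTBDDs pointwise, descending both from the root on the earliest variable."""
    memo = {} if memo is None else memo
    if (a, b) in memo:
        return memo[(a, b)]
    if not isinstance(a, Node) and not isinstance(b, Node):
        res = op(a, b)
    else:
        v = min((x.var for x in (a, b) if isinstance(x, Node)), key=ORDER.index)
        a_lo, a_hi = (a.low, a.high) if isinstance(a, Node) and a.var == v else (a, a)
        b_lo, b_hi = (b.low, b.high) if isinstance(b, Node) and b.var == v else (b, b)
        res = mk(v, apply(op, a_lo, b_lo, memo), apply(op, a_hi, b_hi, memo))
    memo[(a, b)] = res
    return res


def lookup(d, true_attrs):
    """Decide one concrete request (the set of attribute values that are true)."""
    while isinstance(d, Node):
        d = d.high if d.var in true_attrs else d.low
    return d


def count_nodes(d, seen=None):
    seen = set() if seen is None else seen
    if isinstance(d, Node) and d not in seen:
        seen.add(d)
        count_nodes(d.low, seen)
        count_nodes(d.high, seen)
    return len(seen)


def paths(d, assignment=None):
    """Yield (partial assignment, terminal); variables dropped by mk() are don't-cares."""
    assignment = {} if assignment is None else assignment
    if not isinstance(d, Node):
        yield assignment, d
        return
    yield from paths(d.low, {**assignment, d.var: False})
    yield from paths(d.high, {**assignment, d.var: True})


# Rules as decision functions over the slides' Pol1 vocabulary (constructed).
NA = "NotApplicable"


def faculty_grades(t):
    return "Permit" if ("Faculty" in t and t & {"Assign", "View"}
                        and t & {"InternalGrades", "ExternalGrades"}) else NA


def student_receive(t):
    return "Permit" if {"Student", "Receive", "ExternalGrades"} <= t else NA


def student_view_external(t):              # the rule added in the constructed generation POL2
    return "Permit" if {"Student", "View", "ExternalGrades"} <= t else NA


RANK = {"Deny": 2, "Permit": 1, NA: 0}


def deny_overrides(x, y):                  # rule-combining algorithm as a terminal operation
    return x if RANK[x] >= RANK[y] else y


POL1 = apply(deny_overrides, build(faculty_grades), build(student_receive))
POL2 = apply(deny_overrides, POL1, build(student_view_external))

# Environmental constraint "no Faculty is also a Student", combined the same way.
CONSTRAINT = build(lambda t: not {"Student", "Faculty"} <= t)


def constrain(d):
    return apply(lambda dec, ok: dec if ok else "Impossible", d, CONSTRAINT)


def changes(old, new):
    """Change impact: every region of request space whose decision differs between generations."""
    diff = apply(lambda x, y: None if x == y else (x, y), constrain(old), constrain(new))
    return [(assignment, *t) for assignment, t in paths(diff) if t is not None]


if __name__ == "__main__":
    print("POL1 nodes:", count_nodes(POL1), "of", 2 ** len(ORDER) - 1, "in a full tree")
    print("changed between POL1 and POL2:", changes(POL1, POL2))
```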
42.
Implementation
Built on PLT Scheme
Properties are hand-assembled in Scheme
A pseudo-code implementation of checking “A student can assign ExternalGrades”:
43.
Implementation
Produces error reports (line 11 masked with line 9 shows the properties that caused a violation, i.e., a counter-example)
45.
Performance
Parsing a policy having 50 variables and 1268 nodes took 2050ms on a desktop computer
Checking 12 properties was too quick to measure
Memory consumption was 316KB
On another test, a compare took 2ms and produced a tree containing 1133 nodes taking 16KB
46.
Alternatives
Existing analyses of SELinux (Security-Enhanced Linux) policies also produce BDDs, but they are oriented toward determining information flow in a traditional model-checking activity
A complete solution would use both Margrave and information-flow analysis
48.
Conclusions
Margrave is a work in progress
XACML and Margrave are about managing complexity through separation of concerns
Margrave adds the concept of properties to verify policies
Margrave compares policies, which enables incremental validation
49.
References
Kathi Fisler, Shriram Krishnamurthi, Leo Meyerovich, and Michael Tschantz. Verification and Change-Impact Analysis of Access-Control Policies. ICSE’05.
OASIS eXtensible Access Control Markup Language (XACML), http://www.oasis-open.org/committees/xacml/repository/cs-xacml-specific, December 2002