Conformance Checking of Access Control Policies Specified in XACML

Vincent C. Hu (National Institute of Standards and Technology)
Evan Martin, JeeHyun Hwang, Tao Xie (North Carolina State University)
Computer Science

Outline
• Motivation
• Background
  – Access Control
  – XACML
• Conformance Checking
• Policy Verification & Testing
• Conclusion

Motivation
• Digital information is easy to access and search
• Sensitive information requires access control mechanisms
• A growing trend is to specify access control policies in a generic specification language such as XACML
  + Flexibility, expressiveness
  – Complexity, verbosity
  – Lack of desirable-property enforcement

Problem
• How to ensure the correct specification of access control policies?
  – What you specify is what you get, but not necessarily what you want
• Conformance checking: checking policies against properties (models or specifications)
• Systematic testing of access control policies
  – Complements policy verification, which may not support full policy features or complex properties
  – Just like software testing + software verification

Background: Access Control System Model
[Diagram: access control policy, access control model, access control mechanism, access control rules, access control algorithm and access states, with their cardinalities (1:0~n, 1:n, 1:1, n:n)]
At an elementary level, an access control system consists of the space of states and the space of rules.

Background: Access Control
• Three primary objectives:
  – Determining which subjects are entitled to have access to which objects (Authorization);
  – Determining the access rights permitted (a combination of access modes such as read, write, execute, delete, and append);
  – Enforcing the access rights.
• An access control policy describes how to achieve these three goals.
• Subject: an active entity, generally a person, process, or device, that causes information to flow among objects.
• Object: a passive entity that contains or receives information. Access to an object potentially implies access to the information it contains.

Background: XACML
• eXtensible Access Control Markup Language
  – OASIS standard XML syntax for specifying policies, requests, and responses
  – A flexible and expressive language, but complex and verbose
• A Subject who wishes to perform an Action on a Resource (Object) must do so through a PEP.
• The PEP forms the XACML request and sends it to the PDP.
• The PDP checks the request against the Policy and returns an XACML response.
• The PEP either Permits or Denies access to the resource.

Background: XACML Key Concepts
• A Policy Set holds other policies or policy sets.
• A Policy is expressed as a set of rules.
• A Rule has targets and a set of conditions that determine if the rule applies to a given request.
• Both rule and policy Combining Algorithms exist to reconcile conflicts.
XACML Example
The slides annotate this listing with callouts marking the Policy Set, its Target, each Policy and its Target, and the Rule with its Target.

<?xml version="1.0" encoding="UTF-8"?>
<PolicySet xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicySetId="college"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides">
  <Description>A College Policy on Grades</Description>
  <Target>
    <Subjects> <AnySubject /> </Subjects>
    <Resources> <AnyResource /> </Resources>
    <Actions> <AnyAction /> </Actions>
  </Target>
  <Policy PolicyId="fac"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>Faculty Policy</Description>
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Faculty</AttributeValue>
            <SubjectAttributeDesignator AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources> <AnyResource /> </Resources>
      <Actions> <AnyAction /> </Actions>
    </Target>
    <Rule RuleId="fac-assign-view-grades" Effect="Permit">
      <Target>
        <Subjects> <AnySubject /> </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ExternalGrades</AttributeValue>
              <ResourceAttributeDesignator AttributeId="resource-class" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ResourceMatch>
          </Resource>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InternalGrades</AttributeValue>
              <ResourceAttributeDesignator AttributeId="resource-class" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Assign</AttributeValue>
              <ActionAttributeDesignator AttributeId="command" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ActionMatch>
          </Action>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Receive</AttributeValue>
              <ActionAttributeDesignator AttributeId="command" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
  </Policy>
  <Policy PolicyId="stu"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>Student Policy</Description>
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Student</AttributeValue>
            <SubjectAttributeDesignator AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string" />
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources><AnyResource /></Resources>
      <Actions><AnyAction /></Actions>
    </Target>
    <Rule RuleId="stu-recieve-extgrades" Effect="Permit">
      <Target>
        <Subjects><AnySubject /></Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ExternalGrades</AttributeValue>
              <ResourceAttributeDesignator AttributeId="resource-class" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ResourceMatch>
          </Resource>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Receive</AttributeValue>
              <ActionAttributeDesignator AttributeId="command" DataType="http://www.w3.org/2001/XMLSchema#string" />
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>

Rules can also carry a more complicated Condition element (inside the Rule, after its Target).

Policy Conformance Checking
[Diagram: the access control system model from above (policy, model, mechanism, rules, algorithm, access states)]
Check XACML Policies against Properties
  – Rule binding (properties of encoded access control models)
  – Access control features (e.g., safety, separation of duty)

Model: Bell-LaPadula [1973]
[Four diagrams: subjects and objects at the Top Secret, Secret and Unclassified levels, marking which reads ("Read OK") and which writes ("Write OK") between the levels are allowed]

Model: Chinese Wall [Brewer&Nash 89]
• Group X & Group Y are conflict-of-interest groups
• If a subject has accessed an object in Group X, the subject will not be granted access to an object in Group Y
[Diagram: a subject, object ox in group X, object oy in group Y]

Model: Role-Based Access Control (RBAC) [Ferraiolo&Kuhn 92]
• Expresses an access control policy in terms of the roles that individuals play within the organization.
• Can support a variety of policies through its configuration.
• XACML profile for RBAC [2004]

Access Control Features
• Safety
  – Whether any privilege leaks, i.e., whether the XACML specification grants an access that was not intended
• Separation of Duties (SOD)
  – Role-centric: 1 user cannot fill 2 conflicting roles
  – User-centric: 2 conflicting users cannot collectively fill 2 roles in conflict
• Others…

Proposed Conformance Checking Implementation
• Some properties are enforced by XACML profiles
• Some simple properties can be formulated to feed to Margrave (a policy verification tool [Fisler et al. 05])
• More complicated properties can be dynamically checked with policy testing

Software Testing vs. Policy Testing
  Software Testing      Policy Testing
  Test Inputs           Requests
  Program               Policy
  Test Outputs          Responses
  Expected Outputs      Expected Responses

Systematic Policy Testing
• Structural coverage criteria/measurement [ICICS 06]
  – Policy coverage
  – Rule coverage
  – Condition coverage
• Request generation [ICICS 06, SESS 07]
• Mutation testing [WWW 07]
Application in conformance checking
• Identify likely policy locations related to properties and then generate requests to cover these locations
• Investigate the relationship between conformance checking and structural coverage or fault types

Structural Coverage Criteria [ICICS 06]
• Rationale: as in program testing, when the part of the policy containing a fault is not "covered", the error is often not exposed.
• Given a request q and a policy P, we say q covers a rule m in P if m contributes to the decision of q.
• The rule m contributes to the decision of q if all Cond are satisfied by q.
  – The sequence of rules and combining algorithms may also affect coverage.
• Rule coverage of P by requests Q = (# rules covered by at least one request in Q) / (# rules in P)
• Policy coverage and condition coverage are defined similarly.

Request Generation via Change-Impact Analysis (Cirg) [SESS 07]
[Diagram: Access Control Policy → 1. Version synthesis → Policy Versions → 2. Change-impact analysis → Counterexamples → 3. Request generation → Requests]
• Synthesize versions (all-to-negate-one) of the policy for Margrave [Fisler et al. 05]

Fault Model and Mutation Testing [WWW 07]
• A fault model is used to model things that could go wrong when constructing a policy
• The fault model is the underlying foundation of mutation testing [DeMillo et al. 78] (similar to fault injection):
  – The policy is iteratively mutated to produce numerous mutants, each containing one fault
• Usages
  – Measure fault-detection effectiveness of test generation or test selection
  – Select tests

Policy Mutation Testing [WWW 07]
[Diagram: mutation operators drive a Mutator that turns the Policy into a Mutant Policy; the same Requests are evaluated against both, giving Responses and Mutant Responses; if they differ, the mutant is killed]

Conclusions
• XACML provides freedom in specifying policies but induces complexity, verbosity, and a lack of desirable-property enforcement
• We propose to conduct conformance checking of policies against
  – the access control model's properties (rule binding)
  – access control features
• Checking is conducted based on policy verification and testing (structural coverage, request generation, mutation testing)

Questions?
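As an added example (not from the slides or the authors' tools), a small Python model of the college PolicySet in the XACML Example above that evaluates requests under permit-overrides, measures rule coverage as defined on the Structural Coverage Criteria slide, and applies an effect-flip mutation operator to show which mutants a request set kills. The tuple encoding of policies and rules, the request dictionaries and the effect-flip operator are assumptions of this example, not part of XACML or of the talk.

```python
# Simplified model of the slide deck's "college" PolicySet (constructed for this example, not a
# real XACML engine): Faculty and Student policies, every combining algorithm permit-overrides.
ANY = None  # stands in for <AnySubject/>, <AnyResource/>, <AnyAction/>

def matches(allowed, value):
    return allowed is ANY or value in allowed

def evaluate(policy_set, req, covered=None):
    """Decide req under permit-overrides at both levels; optionally record the rules that
    contributed to the decision, which is the slides' notion of rule coverage."""
    decision = "NotApplicable"
    for _, target_roles, rules in policy_set:          # policy = (id, target roles, rules)
        if not matches(target_roles, req["role"]):
            continue
        for rid, effect, subj, res, act in rules:      # rule = (id, effect, subjects, resources, actions)
            if (matches(subj, req["role"]) and matches(res, req["resource-class"])
                    and matches(act, req["command"])):
                if covered is not None: covered.add(rid)
                if effect == "Permit":   # permit-overrides: the first Permit ends evaluation,
                    return "Permit"      # so rules after it are not covered by this request
                decision = "Deny"
    return decision

COLLEGE = (
    ("fac", {"Faculty"}, (("fac-assign-view-grades", "Permit", ANY,
                           {"ExternalGrades", "InternalGrades"}, {"Assign", "Receive"}),)),
    ("stu", {"Student"}, (("stu-recieve-extgrades", "Permit", ANY, {"ExternalGrades"}, {"Receive"}),)),
)

def rule_coverage(policy_set, requests):
    """Fraction of rules covered by at least one request, plus the covered rule ids."""
    covered = set()
    for req in requests:
        evaluate(policy_set, req, covered)
    return len(covered) / sum(len(rules) for _, _, rules in policy_set), covered

def mutants(policy_set):
    """Effect-flip mutation operator (constructed here): one mutant policy set per rule."""
    out = []
    for i, (pid, roles, rules) in enumerate(policy_set):
        for j, rule in enumerate(rules):
            flipped = (rule[0], "Deny" if rule[1] == "Permit" else "Permit") + rule[2:]
            mutant = (pid, roles, rules[:j] + (flipped,) + rules[j + 1:])
            out.append((rule[0], policy_set[:i] + (mutant,) + policy_set[i + 1:]))
    return out

def killed_mutants(policy_set, requests):
    """A mutant is killed when some request gets a different response than from the original."""
    return {rid for rid, mut in mutants(policy_set)
            if any(evaluate(mut, r) != evaluate(policy_set, r) for r in requests)}
```

A request that no rule covers (for example a Student receiving InternalGrades) leaves coverage at 0 and kills no mutant, which is the slides' point that uncovered policy parts rarely expose faults.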