Security Analysis of Role-based Access Control through Program Verification

Anna Lisa Ferrara, University of Bristol, UK
P. Madhusudan, University of Illinois, USA
Gennaro Parlato, University of Southampton, UK

Access Control Policies
• Access control policies are designed to support authorized accesses to protected resources

Role-based Access Control (RBAC)
• Most used access control model
  - standardized by the NIST
  - ease of administration
• Users are assigned to Roles; Roles are granted Permissions
• Permissions are pairs (object, operation)
• UA ⊆ Users × Roles (user assignment)
• PA ⊆ Roles × Permissions (permission assignment)

RBAC Example: Hospital
Roles: Doctor, Manager, Nurse, Patient, PrimaryD, Receptionist, …
Permissions: p1 = (Create, Appointment), p2 = (View, OldMedicalRecord), p3 = (View, RecentMedicalRecords), …
UA: (Mary, Receptionist), (John, Doctor), (John, PrimaryD), (Jenny, Patient), (Tim, Doctor), …
PA: (Receptionist, p1), (Doctor, p2), (Doctor, p3), …

Administrative RBAC (ARBAC)
• Uses the concept of role itself to administer RBAC policies: users holding Admin Roles perform Admin Actions that change the Users–Roles–Permissions assignments
• Assign(admin_role, precondition, target_role)
  - if admin user A has admin_role, then she can assign any user u who satisfies precondition the target_role
  - precondition: any boolean condition over the roles of u
• Revoke(admin_role, precondition, target_role)
  - if admin user A has admin_role, then she can revoke target_role from any user u who satisfies precondition

Example of ARBAC Policy
Admins: Manager, Patient, Receptionist, …
Assign Actions
- assign( Manager, ¬Doctor, Receptionist )
- assign( Manager, true, Nurse )
- assign( Patient, Doctor ∧ ¬Patient, PrimaryDoctor )
- …
Revoke Actions
- revoke( Manager, true, Receptionist )
- revoke( Manager, true, Nurse )
- …

Security Requirements
Designers have security properties in mind while designing their policies
• Availability properties
  - A doctor must always be able to access patients' records
• Escalation of privileges
  - A receptionist cannot access patients' records
• Separation of duties
  - A doctor cannot also be a receptionist

Importance of Security Analysis
[Figure: the state of the system is the user–role matrix (rows u1, u2, …; columns r1, r2, …, rn; entry 1 when the user holds the role), modified by Assign/Revoke actions]
• Policies are difficult to inspect by hand
• Monitoring strategies are not acceptable

Our Contribution
• Propose a way to automatically prove correctness
  - abstraction techniques
• Show that our solution scales in practice
• Build VAC, a tool publicly available

RBAC Role-reachability Problem
• availability, separation of duties, escalation of privileges, … each reduces to the Role-reachability Problem
• Can any user reach a particular role goal during the evolution of the system?

Equivalent Representation
• The cardinalities of all Venn regions determine the precise state of the ARBAC system modulo user identities
[Figure: the user–role matrix (state of the system) and its equivalent representation modulo identities: the number of users in each combination of roles, #comb1 = 0, #comb2 = 20, …, #comb_{2^n} = 35]
• The ARBAC system can purely be simulated using Venn region cardinalities
• Role-reachability: Is there a reachable state where #comb_i > 0, for some comb_i containing goal?

Abstraction
• We use abstraction:
  - over-approximations (correctness)
[Figure: a concrete state s in the real domain C is mapped by the abstraction function α to α(s) in the abstract domain A; a concrete transition s → s' is matched by an abstract transition α(s) → α(s')]
Soundness (α is the abstraction function, →_C and →_A the concrete and abstract transitions):
• ∀s. init_C(s) ⇒ init_A(α(s))
• ∀s, s'. (s →_C s') ⇒ (α(s) →_A α(s'))

Our Solution
C --(1: Set Abstraction)--> A' --(2: Numerical Abstraction)--> A''

Set Abstraction (Abstract Domain)
• Given the set of roles, track only the number of users in a subset of role-combinations (Track)
Example
Roles: Manager, Nurse, Patient, PrimaryD, Receptionist, Doctor
Track:
- Manager ∧ Nurse ∧ Patient
- Manager ∧ Doctor ∧ Receptionist
- Doctor ∧ Receptionist
- Patient (may or may not be a Doctor)

Set Abstraction (Abstract Transition)
• Must soundly update the abstract state after any Assign and Revoke action
• Without knowing the exact number of users in each Venn region it is difficult to update the states
  - Difficulty: consider Assign(Manager, ¬Receptionist, Doctor) with Track = { Manager ∧ Nurse ∧ Patient, Manager ∧ Doctor ∧ Receptionist, Doctor ∧ Receptionist, Patient, Manager ∧ Doctor }. Is the user a manager or not?
• Intuition: choose non-deterministically the user's role-combination and update the tracked subsets accordingly

Abstract Transition as a Program
(INTERPROC-style program; random/brandom are non-deterministic numeric/boolean values, assume restricts them)

    while ( true ) do
      //----- Choose a user consistent with the current configuration ------//
      b_Admin=random; assume b_Admin>=0 and b_Admin<=1;
      b_Doctor=random; assume b_Doctor>=0 and b_Doctor<=1;
      b_Manager=random; assume b_Manager>=0 and b_Manager<=1;
      b_Patient=random; assume b_Patient>=0 and b_Patient<=1;
      b_PrimaryDoctor=random; assume b_PrimaryDoctor>=0 and b_PrimaryDoctor<=1;
      b_Receptionist=random; assume b_Receptionist>=0 and b_Receptionist<=1;
      b_target=random; assume b_target>=0 and b_target<=1;
      //----- CanAssign(Manager, !Receptionist, Doctor) ------//
      // an admin with role Manager must exist; the chosen user must not already be a Doctor
      // and must satisfy the precondition !Receptionist
      if (brandom and (ADMIN_Manager>0) and b_Doctor==0 and b_Receptionist==0) then
        tmpAdmin=0;
        //----- update the tracked counter n_Doctor_0Patient (Doctor and not Patient) ------//
        if (b_Patient==0) then
          n_Doctor_0Patient=n_Doctor_0Patient+1;
          tmpAdmin=1;
        endif;
        if (tmpAdmin>0) then
          ADMIN_Doctor=ADMIN_Doctor+1;
        endif;
      endif;
      . . .
      //---- ERROR: the goal role is held by some user ----//
      if (n_target>0) then skip; endif;
    done;

Numerical Abstraction
• Interval abstractions of programs for numerical domains
  - each value in Track, at each point of the program, is abstracted to an interval range
• Security of RBAC policies does not depend on the exact number of users in a configuration!

Our tool
Policy + Security Query → slicing → set-abstraction → encode in a program → interval-abstractions using INTERPROC
• INTERPROC answers NO (error unreachable): policy correct
• INTERPROC answers YES (error may be reachable): may be a false error

Experimental Results
(columns: policy; #roles and #actions of the original policy; #roles and #actions after slicing; lines of code of the generated program; VAC time to transform; INTERPROC time; total time)

    Policy      #roles  #actions  | sliced #roles  sliced #actions  | lines of code  | transform  | INTERPROC  | total
    Hospital    12      24        | 3              4                | 73             | 0.3s       | 0s         | 0.3s
    Hospital    12      24        | 5              8                | 134            | 0.3s       | 0.01s      | 0.3s
    University  32      132       | 5              9                | 162            | 0.5s       | 0.1s       | 0.6s
    University  32      132       | 13             37               | 541            | 0.6s       | 0.2s       | 0.8s
    University  32      132       | 15             43               | 535            | 0.6s       | 0.2s       | 0.8s
    Bank1       34      593       | 34             593              | 13,356         | 7s         | 44s        | 51s
    Bank2       68      1186      | 68             1186             | 26,684         | 9s         | 3m 0.2s    | 3m 11s
    Bank2       68      1186      | 68             1186             | 26,705         | 9s         | 3m 0.3s    | 3m 12s
    Bank3       102     1779      | 102            1779             | 40,012         | 11s        | 7m 0.8s    | 7m 19s
    Bank3       102     1779      | 102            1779             | 40,045         | 10s        | 7m 08s     | 7m 18s
    Bank4       136     2372      | 136            2372             | 53,340         | 11s        | 13m 16s    | 13m 27s
    Bank4       136     2372      | 136            2372             | 53,383         | 9s         | 13m 15s    | 13m 24s

Conclusion
• Prove correctness of policies automatically (abstractions)
  - set abstraction
  - interval abstraction
• Experimentally proved the scalability of our approach
• VAC is available at http://users.ecs.soton.ac.uk/gp4/VAC.html
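The "Equivalent Representation" and "Role-reachability" slides above state that the ARBAC system can be simulated on Venn-region cardinalities alone and that security queries reduce to reaching a state where some region containing the goal role is non-empty. The following Python program is an added illustration of that concrete (pre-abstraction) simulation; it is not the VAC tool's code. It encodes the slides' hospital policy fragment, with preconditions as Python predicates over a user's role set, and adds a constructed user "Alice" holding Manager so that the administrative actions can fire; the exhaustive search it performs is exactly what becomes infeasible for the larger policies and motivates the abstractions.

```python
"""Concrete ARBAC simulation on Venn-region cardinalities (user identities abstracted away).

Added example, not the VAC tool's code. Policy and users follow the slides' hospital example;
"Alice" (a Manager) is a constructed user added so that admin actions have an administrator.
"""
from collections import deque

# An action is (kind, admin_role, precondition, target_role); the precondition is a
# predicate over the set of roles of the user being modified (an assumption of this example).
ACTIONS = [
    ("assign", "Manager", lambda r: "Doctor" not in r, "Receptionist"),
    ("assign", "Manager", lambda r: True, "Nurse"),
    ("assign", "Patient", lambda r: "Doctor" in r and "Patient" not in r, "PrimaryD"),
    ("revoke", "Manager", lambda r: True, "Receptionist"),
    ("revoke", "Manager", lambda r: True, "Nurse"),
]

UA = {  # constructed initial user assignment (from the slides, plus Alice)
    "Mary": {"Receptionist"},
    "John": {"Doctor", "PrimaryD"},
    "Jenny": {"Patient"},
    "Tim": {"Doctor"},
    "Alice": {"Manager"},
}


def regions_from_ua(ua):
    """Map each role-combination (a frozenset) to the number of users holding exactly it.
    Only non-empty Venn regions are stored; the slides' #comb_i = 0 entries are implicit."""
    counts = {}
    for roles in ua.values():
        key = frozenset(roles)
        counts[key] = counts.get(key, 0) + 1
    return counts


def freeze(state):
    """Hashable form of a cardinality state, used for the visited set."""
    return frozenset(state.items())


def successors(state):
    """Every state reachable by one admin action, computed on cardinalities only:
    an administrator with admin_role must exist, and one user in a region that satisfies
    the precondition moves to the region with the target role added (assign) or removed (revoke)."""
    for kind, admin_role, pre, target in ACTIONS:
        if not any(admin_role in comb and n > 0 for comb, n in state.items()):
            continue
        for comb, n in state.items():
            if n == 0 or not pre(comb):
                continue
            if kind == "assign" and target in comb:
                continue
            if kind == "revoke" and target not in comb:
                continue
            new_comb = comb | {target} if kind == "assign" else comb - {target}
            succ = dict(state)
            succ[comb] = n - 1
            if succ[comb] == 0:
                del succ[comb]
            succ[new_comb] = succ.get(new_comb, 0) + 1
            yield succ


def reachable(ua, bad):
    """Breadth-first search over cardinality states; bad(state) is the query predicate."""
    start = regions_from_ua(ua)
    seen = {freeze(start)}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if bad(state):
            return True
        for succ in successors(state):
            key = freeze(succ)
            if key not in seen:
                seen.add(key)
                queue.append(succ)
    return False


def role_reachable(ua, goal):
    """Role-reachability: is there a reachable state with #comb > 0 for some comb containing goal?"""
    return reachable(ua, lambda s: any(goal in comb for comb in s))


if __name__ == "__main__":
    print("Nurse reachable:", role_reachable(UA, "Nurse"))
    # separation of duties: can anybody be both Doctor and Receptionist?
    print("Doctor&Receptionist reachable:",
          reachable(UA, lambda s: any({"Doctor", "Receptionist"} <= c for c in s)))
```

Separation-of-duty and escalation queries are expressed here as predicates over the cardinality state; the slides obtain the same effect by transforming the policy so that each query becomes reachability of a single goal role.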
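The two "Set Abstraction" slides and the "Abstract Transition as a Program" slide above describe tracking only the number of users in a chosen set of role-combinations, and updating those counters after Assign by guessing the affected user's full role-combination non-deterministically. The Python below is an added illustration of that abstraction and of the soundness condition from the "Abstraction" slide; it is not VAC's code. It assumes tracked combinations are conjunctions of role literals (unmentioned roles are free, the slides' "may or may not be a Doctor"), adds the admin roles as single-role tracked entries to play the role of the program's ADMIN_* counters, and includes the combination Doctor ∧ ¬Patient that the program's n_Doctor_0Patient counter refers to.

```python
"""Set abstraction of an ARBAC state and its non-deterministic abstract Assign transition.

Added example, not VAC's code. A tracked combination is a dict role -> required presence;
roles not listed are unconstrained. Admin roles (Manager, Patient, Receptionist) are tracked
as single-role entries so that "an administrator exists" is a counter test, as in the program.
"""
from itertools import product

ROLES = ("Doctor", "Manager", "Nurse", "Patient", "PrimaryD", "Receptionist")

TRACK = {  # constructed from the slides' Track example plus the program's counters
    "Manager&Nurse&Patient": {"Manager": True, "Nurse": True, "Patient": True},
    "Manager&Doctor&Receptionist": {"Manager": True, "Doctor": True, "Receptionist": True},
    "Doctor&Receptionist": {"Doctor": True, "Receptionist": True},
    "Doctor&!Patient": {"Doctor": True, "Patient": False},   # n_Doctor_0Patient
    "Manager": {"Manager": True},                            # ADMIN_Manager
    "Patient": {"Patient": True},                            # ADMIN_Patient
    "Receptionist": {"Receptionist": True},                  # ADMIN_Receptionist
}


def satisfies(comb, literals):
    """Does a full role-combination (a frozenset of roles) satisfy a tracked conjunction?"""
    return all((role in comb) == present for role, present in literals.items())


def alpha(regions):
    """Abstraction function α: Venn-region cardinalities {comb: n} -> counts per tracked combination."""
    return {name: sum(n for comb, n in regions.items() if satisfies(comb, lits))
            for name, lits in TRACK.items()}


def abstract_assign(abs_state, admin_role, pre, target):
    """All abstract successors of Assign(admin_role, pre, target), mirroring the slides' program:
    guess a full combination b for the affected user (each b_Role in {0,1}), keep it only if it is
    consistent with the counters (no tracked combination it satisfies has count 0), an admin exists,
    b lacks target and satisfies pre; then add target and adjust every tracked counter whose
    membership changed."""
    succs = set()
    if abs_state.get(admin_role, 0) <= 0:
        return succs
    for bits in product((0, 1), repeat=len(ROLES)):
        b = frozenset(r for r, bit in zip(ROLES, bits) if bit)
        if target in b or not pre(b):
            continue
        if any(satisfies(b, lits) and abs_state[name] <= 0 for name, lits in TRACK.items()):
            continue  # no user with combination b can exist under these counters
        b2 = b | {target}
        succ = dict(abs_state)
        for name, lits in TRACK.items():
            succ[name] += int(satisfies(b2, lits)) - int(satisfies(b, lits))
        succs.add(frozenset(succ.items()))
    return succs


def check_soundness(regions, admin_role, pre, target):
    """∀s, s'. (s →_C s') ⇒ (α(s) →_A α(s')) for one Assign action on one concrete state:
    every concrete successor's abstraction must be among the abstract successors."""
    abs_succs = abstract_assign(alpha(regions), admin_role, pre, target)
    if not any(admin_role in comb for comb, n in regions.items() if n > 0):
        return True  # the action is disabled concretely, nothing to match
    for comb, n in regions.items():
        if n > 0 and target not in comb and pre(comb):
            succ = dict(regions)
            succ[comb] -= 1
            succ[comb | {target}] = succ.get(comb | {target}, 0) + 1
            if frozenset(alpha(succ).items()) not in abs_succs:
                return False
    return True


if __name__ == "__main__":
    # Constructed state: a single user who is both Manager and Patient.
    regions = {frozenset({"Manager", "Patient"}): 1}
    not_receptionist = lambda b: "Receptionist" not in b
    for s in abstract_assign(alpha(regions), "Manager", not_receptionist, "Doctor"):
        print(dict(s))
    print("sound:", check_soundness(regions, "Manager", not_receptionist, "Doctor"))
```

On the constructed state the abstract transition yields two successors for Assign(Manager, ¬Receptionist, Doctor): the counters cannot tell whether the user who is a Manager is also the Patient, so one guess increments Doctor&!Patient and the other leaves it alone. Only the second has a concrete counterpart; the first is the over-approximation that the slides accept in exchange for a state space independent of the number of users, and it is why a YES answer from the tool "may be a false error".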