Automated Policy Analysis

Static analysis of access-control policies is becoming increasingly important. Such analysis can reveal errors and vulnerabilities in the policies, as well as logical inconsistencies, unintended effects, and discrepancies between different policies or different versions of the same policy. In the process, it helps policy developers to better understand the effects of their policies. Policy analysis has typically been done by hand. For instance, when a bug is discovered and corrected, the resulting policy is manually inspected to ensure that the fix works and that it does not introduce any new problems. But when the policies are large or their logical structure is non-trivial, performing such analysis manually is tedious and error-prone. In this paper we show how to automate a wide array of useful policy analyses. This is accomplished by representing policies as logical formulas in the SMT (satisfiability modulo theories) subset of first-order logic, and couching analysis questions as SMT problems, which are then solved by efficient off-the-shelf SMT solvers. Because SMT solvers can reason about arithmetic and inductive data types, in addition to Boolean constraints, our system can handle many policies that cannot be analyzed by existing policy engines. We describe the formulation of a number of useful analyses (consistency, completeness, and observational equivalence), and report experimental results on the efficiency of our implementation for analyzing policies of various sizes and kinds of logical structure.
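As an added illustration (not code from the paper), here is the encoding the abstract describes, written in SMT-LIB so it can be fed to an off-the-shelf solver such as Z3 or cvc5: two versions of a small document-access policy become formulas over the request attributes, and the three analyses named above (consistency, completeness, observational equivalence) become satisfiability queries whose models are counterexample requests. The policy rules, attribute names and value ranges are assumptions chosen for the example.

```smt2
; Constructed example policy: request attributes are free variables, so the
; solver searches over every possible request. Ranges are assumptions.
(set-logic QF_LIA)
(declare-const role Int)        ; assumed encoding: 0 = guest, 1 = staff, 2 = admin
(declare-const clearance Int)   ; numeric clearance level of the requester, 0..5
(declare-const doc_level Int)   ; sensitivity level of the requested document, 0..5
(declare-const hour Int)        ; hour of day, 0..23
(assert (and (<= 0 role) (<= role 2)))
(assert (and (<= 0 clearance) (<= clearance 5)))
(assert (and (<= 0 doc_level) (<= doc_level 5)))
(assert (and (<= 0 hour) (<= hour 23)))

; Policy version 1: each rule is a formula over the request attributes.
(define-fun permit1 () Bool
  (or (= role 2)
      (and (= role 1) (>= clearance doc_level))))
(define-fun deny1 () Bool
  (or (= role 0)
      (and (< hour 6) (> doc_level 3))))

; Policy version 2: the "fix", meant to block night-time access below admin.
(define-fun permit2 () Bool
  (or (= role 2)
      (and (= role 1) (>= clearance doc_level) (>= hour 6))))
(define-fun deny2 () Bool
  (or (= role 0)
      (and (< hour 6) (< role 2))))

; Consistency: does some request satisfy both a permit and a deny rule of v1?
; sat means a conflict exists and get-model prints one such request.
(push)
(assert (and permit1 deny1))
(check-sat)
(get-model)
(pop)

; Completeness: does some request match no rule of v1 at all?
; sat means the policy leaves a request undecided; unsat means it is total.
(push)
(assert (and (not permit1) (not deny1)))
(check-sat)
(get-model)
(pop)

; Observational equivalence: can v1 and v2 ever disagree on any request?
; unsat means the fix is behaviour-preserving; sat exposes a differing request.
(push)
(assert (or (distinct permit1 permit2) (distinct deny1 deny2)))
(check-sat)
(get-model)
(pop)
```

Because the arithmetic comparisons on `clearance`, `doc_level` and `hour` are handled by the solver's linear-integer-arithmetic theory, the same three queries work unchanged for policies a purely propositional (SAT-based) engine could not express.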
