Efficient symbolic automated analysis of administrative attribute-based RBAC-policies

Automated techniques for the security analysis of Role-Based Access Control (RBAC) policies are crucial for their design and maintenance. The definition of administrative domains by means of attributes attached to users makes the RBAC model easier to use in real scenarios but complicates the development of security analysis techniques, which should be able to reason modularly about a wide range of attribute domains. In this paper, we describe an automated symbolic security analysis technique for administrative attribute-based RBAC policies. A class of formulae of first-order logic is used as an adequate symbolic representation for the policies and their administrative actions. State-of-the-art automated theorem proving techniques are used off-the-shelf to mechanize the security analysis procedure. Besides discussing the assumptions for the effectiveness and termination of the procedure, we demonstrate its efficiency through an extensive empirical evaluation.
