Real-Time Access Control Rule Fault Detection Using a Simulated Logic Circuit

Access control (AC) policies can be implemented under different AC models, but all of them are fundamentally composed of semantically independent AC rules: expressions of privilege assignments described by subject attributes, actions, object attributes, and environment variables of the protected system. Incorrect implementations of AC policies result in faults that not only leak information but also block legitimate access to it, and faults in AC policies are difficult to detect without the support of verification or automatic fault detection mechanisms. This research proposes an automatic method based on the construction of a simulated logic circuit that simulates the AC rules of an AC policy or model. The simulated logic circuit allows real-time detection of policy faults, including conflicts of privilege assignments, leaks of information, and conflicts of interest assignments. Such detection is traditionally done by tools that perform verification or testing only after all the rules of the policy/model have been written, and those tools provide no information about the source of a verification error. The real-time fault detection capability proposed by this research allows a rule fault to be detected and fixed immediately, before the next rule is added to the policy/model, thus requiring no later verification and saving a significant amount of fault-fixing time.
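The following is an added illustration of the per-rule detection idea described in the abstract; it is not the paper's own implementation. Each rule is modelled as an AND gate over attribute tests, permit gates feed a permit OR and deny gates feed a deny OR, and the circuit is simulated over every input vector of small, constructed attribute domains before a candidate rule is admitted. The rule syntax, the three property checks (privilege conflict, information leak by clearance/classification, conflict of interest via a separation-of-duty pair) and all sample rules and levels are assumptions made for this example.

```python
"""Per-rule fault detection for an attribute-based access control policy,
modelled as a boolean circuit.  Added example; the rule syntax, property
checks and sample data are assumptions, not the paper's code."""
from itertools import product

# Constructed attribute domains; the circuit enumerates their product.
DOMAINS = {
    "role": ("doctor", "nurse", "auditor"),
    "action": ("read", "write", "approve"),
    "object": ("record", "invoice"),
    "shift": ("day", "night"),
}
# Constructed security levels: a permit that lets a subject read an object
# classified above its clearance is reported as an information leak.
CLEARANCE = {"doctor": 2, "nurse": 1, "auditor": 1}
CLASSIFICATION = {"record": 2, "invoice": 1}
# Constructed separation-of-duty pairs: one role must not be permitted
# both actions on the same object (conflict of interest).
SOD_ACTIONS = {("write", "approve")}


def input_vectors():
    """Every combination of attribute values, i.e. every circuit input."""
    keys = list(DOMAINS)
    for values in product(*(DOMAINS[k] for k in keys)):
        yield dict(zip(keys, values))


def fires(rule, vec):
    """AND gate: the rule fires when every constrained attribute matches."""
    return all(vec[k] in allowed for k, allowed in rule["when"].items())


class PolicyCircuit:
    def __init__(self):
        self.rules = []  # admitted (fault-free) rules, in insertion order

    def decision(self, vec):
        """Circuit output for one input: the deny OR overrides the permit OR."""
        effects = {r["effect"] for r in self.rules if fires(r, vec)}
        if "deny" in effects:
            return "deny"
        return "permit" if "permit" in effects else "not_applicable"

    def _permitted(self, vec):
        return any(r["effect"] == "permit" and fires(r, vec) for r in self.rules)

    def check(self, rule):
        """Simulate the circuit with `rule` added; return faults, one witness each."""
        faults = {}
        for vec in input_vectors():
            if not fires(rule, vec):
                continue
            # Conflict of privilege assignment: an admitted rule of the
            # opposite effect fires on the same input vector.
            for old in self.rules:
                if old["effect"] != rule["effect"] and fires(old, vec):
                    faults.setdefault(("conflict", old["id"]), vec)
            if rule["effect"] != "permit":
                continue
            # Leak: a read permitted above the subject's clearance.
            if vec["action"] == "read" and CLEARANCE[vec["role"]] < CLASSIFICATION[vec["object"]]:
                faults.setdefault(("leak", None), vec)
            # Conflict of interest: the same role would now hold both halves
            # of a separation-of-duty pair on the same object.
            for a, b in SOD_ACTIONS:
                for mine, other in ((a, b), (b, a)):
                    if vec["action"] == mine and self._permitted({**vec, "action": other}):
                        faults.setdefault(("conflict_of_interest", other), vec)
        return [{"kind": k, "other": o, "witness": w} for (k, o), w in faults.items()]

    def add_rule(self, rule):
        """Admit the rule only if the simulation reports no fault."""
        faults = self.check(rule)
        if not faults:
            self.rules.append(rule)
        return faults


def run_demo():
    """Feed constructed rules one at a time; return the circuit and fault kinds per rule."""
    circuit = PolicyCircuit()
    rules = [
        {"id": "R1", "effect": "permit", "when": {"role": {"doctor"}, "object": {"record"}}},
        {"id": "R2", "effect": "permit", "when": {"role": {"nurse"}, "action": {"read"},
                                                  "object": {"record"}, "shift": {"day"}}},
        {"id": "R3", "effect": "permit", "when": {"role": {"nurse"}, "action": {"read"}, "object": {"invoice"}}},
        {"id": "R4", "effect": "deny", "when": {"role": {"nurse"}, "object": {"invoice"}, "shift": {"night"}}},
        {"id": "R5", "effect": "permit", "when": {"role": {"auditor"}, "action": {"write"}, "object": {"invoice"}}},
        {"id": "R6", "effect": "permit", "when": {"role": {"auditor"}, "action": {"approve"}, "object": {"invoice"}}},
    ]
    report = {}
    for rule in rules:
        report[rule["id"]] = [f["kind"] for f in circuit.add_rule(rule)]
    return circuit, report


if __name__ == "__main__":
    _, report = run_demo()
    for rule_id, kinds in report.items():
        print(rule_id, "faults:", kinds or "none")
```

Because every check runs at the moment a rule is submitted, the report names the offending rule and a concrete witness input (the attribute vector on which the gates collide), which is exactly the source information a whole-policy verifier run afterwards does not give. Exhaustive enumeration is only practical for small domains as here; for larger attribute spaces the same gate structure would be handed to a SAT or BDD engine instead.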
