论文信息 - Stratified Abstraction of Access Control Policies

Stratified Abstraction of Access Control Policies

The shift to cloud-based APIs has made application security critically depend on understanding and reasoning about policies that regulate access to cloud resources. We present stratified predicate abstraction, a new approach that summarizes complex security policies into a compact set of positive and declarative statements that precisely state who has access to a resource. We have implemented stratified abstraction and deployed it as the engine powering AWS’s IAM Access Analyzer service, and hence, demonstrate how formal methods and SMT can be used for security policy explanation .

[1] Pauline Bolignano,et al. Semantic-based Automated Reasoning for AWS Access Policies using SMT , 2018, 2018 Formal Methods in Computer Aided Design (FMCAD).

[2] Chen-Nee Chuah,et al. FIREMAN: a toolkit for firewall modeling and analysis , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[3] Nikolaj Bjørner,et al. Z3: An Efficient SMT Solver , 2008, TACAS.

[4] Danfeng Zhang,et al. Ironclad Apps: End-to-End Security via Automated Full-System Verification , 2014, OSDI.

[5] Kathi Fisler,et al. The Margrave Tool for Firewall Analysis , 2010, LISA.

[6] Nikolaj Bjørner,et al. Automated Analysis and Debugging of Network Connectivity Policies , 2014 .

[7] Nikolaj Bjørner,et al. Checking Cloud Contracts in Microsoft Azure , 2015, ICDCIT.

[8] Jayadev Misra,et al. Assertion Graphs for Verifying and Synthesizing Programs , 1978 .

[9] Hassen Saïdi,et al. Construction of Abstract State Graphs with PVS , 1997, CAV.