Access-Control Policies via Belnap Logic: Effective and Efficient Composition and Analysis

It is difficult to develop and manage large, multi-author access control policies without a means to compose larger policies from smaller ones. Ideally, an access-control policy language will have a small set of simple policy combinators that allow for all desired policy compositions. In \cite{BH07}, a policy language was presented having policy combinators based on Belnap logic, a four-valued logic in which truth values correspond to policy results of "grant", "deny", "conflict", and "undefined". We show here how policies in this language can be analyzed, and study the expressiveness of the language. To support policy analysis, we define a query language in which policy analysis questions can be phrased. Queries can be translated into a fragment of first-order logic for which satisfiability and validity checks are computable by SAT solvers or BDDs. We show how policy analysis can then be carried out through model checking, validity checking, and assume-guarantee reasoning over such translated queries. We also present static analysis methods for the particular questions of whether policies contain gaps or conflicts. Finally, we establish expressiveness results showing that all {\em data independent} policies can be expressed in our policy language.
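As an added illustration (not code from the paper), the following Python encodes the four Belnap values as pairs of grant/deny evidence, defines the standard Belnap operations plus an assumed priority-override combinator, and brute-forces the gap and conflict checks described above over a small constructed request space. The policy names, the request space, and the sample policies are assumptions made for the example.

```python
from itertools import product

# Belnap value as (grant_evidence, deny_evidence); constructed encoding for this example
GRANT, DENY, CONFLICT, UNDEF = (True, False), (False, True), (True, True), (False, False)
NAMES = {GRANT: "grant", DENY: "deny", CONFLICT: "conflict", UNDEF: "undefined"}

def k_join(a, b):    # ⊕: knowledge join, evidence accumulates (grant ⊕ deny = conflict)
    return (a[0] or b[0], a[1] or b[1])

def t_meet(a, b):    # ∧: truth meet, deny evidence on either side is kept
    return (a[0] and b[0], a[1] or b[1])

def t_join(a, b):    # ∨: truth join, grant evidence on either side is kept
    return (a[0] or b[0], a[1] and b[1])

def neg(a):          # ¬: swap the roles of grant and deny evidence
    return (a[1], a[0])

def lift(op, p, q):  # pointwise composition of two policies with a Belnap operator
    return lambda r: op(p(r), q(r))

def priority(p, q):  # assumed combinator p > q: q is consulted only where p is undefined
    return lambda r: p(r) if p(r) != UNDEF else q(r)

# Request space (subject, resource, action): constructed sample values
SUBJECTS, RESOURCES, ACTIONS = ("alice", "bob"), ("report", "payroll"), ("read", "write")
REQUESTS = list(product(SUBJECTS, RESOURCES, ACTIONS))

# Two atomic policies, each a total map from requests to Belnap values (hypothetical)
def staff_reads(r):
    _, _, act = r
    return GRANT if act == "read" else UNDEF          # silent on writes

def payroll_locked(r):
    subj, res, _ = r
    return DENY if res == "payroll" and subj != "bob" else UNDEF

def analyze(policy):
    """Static check by enumeration: gaps are requests mapped to ⊥, conflicts to ⊤."""
    gaps = [r for r in REQUESTS if policy(r) == UNDEF]
    conflicts = [r for r in REQUESTS if policy(r) == CONFLICT]
    return gaps, conflicts

if __name__ == "__main__":
    for label, pol in (("⊕", lift(k_join, staff_reads, payroll_locked)),
                       (">", priority(payroll_locked, staff_reads))):
        gaps, conflicts = analyze(pol)
        print(label, "gaps:", gaps, "conflicts:", conflicts)
```

Closing the remaining gaps with a default-deny policy via `priority(..., lambda r: DENY)` makes `analyze` report neither gaps nor conflicts, which is the property a deployed composite policy should satisfy.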

[1] Stan Matwin et al. Formal correctness of conflict detection for firewalls, 2007, FMSE '07.

[2] Sabrina De Capitani di Vimercati et al. An algebra for composing access control policies, 2002, TSEC.

[3] Matthew L. Ginsberg et al. Multivalued logics: a uniform approach to reasoning in artificial intelligence, 1988, Comput. Intell.

[4] Rajeev Alur et al. A model-based approach to integrating security policies for embedded devices, 2004, EMSOFT '04.

[5] Ranko S. Lazic et al. A semantic study of data independence with applications to model checking, 1999.

[6] Michael Huth et al. A simple and expressive semantic framework for policy composition in access control, 2007, FMSE '07.

[7] André Zúquete et al. SPL: An Access Control Language for Security Policies and Complex Constraints, 2001, NDSS.

[8] Joseph Y. Halpern et al. Using First-Order Logic to Reason about Policies, 2008, TSEC.

[9] Raymond Reiter et al. A Logic for Default Reasoning, 1987, Artif. Intell.

[10] Randal E. Bryant et al. Graph-Based Algorithms for Boolean Function Manipulation, 1986, IEEE Transactions on Computers.

[11] Andrew William Roscoe et al. Proving security protocols with model checkers by data independence techniques, 1999.

[12] Carl A. Gunter et al. Defeasible security policy composition for web services, 2006, FMSE '06.

[13] Nuel D. Belnap et al. A Useful Four-Valued Logic, 1977.

[14] Jeff Sedayao et al. Cisco IOS Access Lists, 2001.

[15] Arnon Avron et al. The Value of the Four Values, 1998, Artif. Intell.

[16] Simon S. Lam et al. Authorizations in Distributed Systems: A New Approach, 1993, J. Comput. Secur.

[17] Yuri Gurevich et al. The Classical Decision Problem, 1997, Perspectives in Mathematical Logic.

[18] Melvin Fitting et al. Bilattices Are Nice Things, 2002.

[19] Ramaswamy Chandramouli et al. Role-Based Access Control, Second Edition, 2007.

[20] S. C. Kleene et al. Introduction to Metamathematics, 1952.

[21] Tim Moses et al. eXtensible Access Control Markup Language (XACML) version 1, 2003.

[22] Kathi Fisler et al. Verification and change-impact analysis of access-control policies, 2005, Proceedings of the 27th International Conference on Software Engineering (ICSE 2005).