Security Analysis of Role-Based Access Control through Program Verification

We propose a novel scheme for proving administrative role-based access control (ARBAC) policies correct with respect to security properties using the powerful abstraction-based tools available for program verification. Our scheme uses a combination of abstraction and reduction to program verification to perform security analysis. We convert ARBAC policies to imperative programs that simulate the policy abstractly, and then utilize further abstract-interpretation techniques from program analysis to analyze the programs in order to prove the policies secure. We argue that the aggressive set-abstractions and numerical-abstractions we use are natural and appropriate in the access control setting. We implement our scheme using a tool called VAC that translates ARBAC policies to imperative programs followed by an interval-based static analysis of the program, and show that we can effectively prove access control policies correct. The salient features of our approach are the abstraction schemes we develop and the reduction of role-based access control security (which has nothing to do with programs) to program verification problems.
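The abstract describes reducing an ARBAC policy to an abstract program and proving a role unreachable by over-approximation. The following added example (not the paper's VAC tool, its translation, or its interval analysis) illustrates the set-abstraction idea in Python: a constructed policy with `can_assign` / `can_revoke` rules is simulated by a single boolean per role ("some user may hold this role"), iterated to a fixpoint. Negative preconditions are dropped and the identity of the user holding each positive precondition is forgotten, so the result is a sound over-approximation: if the target role is absent from the fixpoint, no concrete run of the policy can grant it; if it is present, the analysis is inconclusive. The role names, rules and `prove_unreachable` helper are constructed for the example.

```python
"""Set-abstraction of an ARBAC policy as an abstract reachability fixpoint.

Added illustration, not the paper's tool. Assumed model: a policy is a set of
can_assign(admin, positive, negative, target) and can_revoke(admin, target)
rules over role names, plus an initial user-to-roles assignment. The security
question answered is "can ANY user ever acquire role T?".
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class CanAssign:
    admin: str                # role an administrator must hold to apply the rule
    positive: FrozenSet[str]  # roles the target user must already hold
    negative: FrozenSet[str]  # roles the target user must NOT hold
    target: str               # role granted by the rule


@dataclass(frozen=True)
class CanRevoke:
    admin: str    # role an administrator must hold to apply the rule
    target: str   # role removed from the target user


@dataclass
class Policy:
    initial: Dict[str, Set[str]]   # user -> roles held in the initial state
    assigns: List[CanAssign]
    revokes: List[CanRevoke]


def abstract_reachable_roles(policy: Policy) -> Set[str]:
    """Over-approximate the set of roles that some user could ever hold.

    Abstract state: the set `may` of roles such that some user may hold the
    role in some reachable state. A can_assign rule fires abstractly when its
    admin role and every positive precondition are in `may`; negative
    preconditions are ignored and the positives need not be held by one user.
    Both relaxations only add behaviours, so the fixpoint over-approximates
    the concrete policy. Revocations never add roles, so they do not affect
    the over-approximation. `may` grows monotonically, so iteration ends.
    """
    may: Set[str] = set()
    for roles in policy.initial.values():
        may |= roles
    changed = True
    while changed:
        changed = False
        for rule in policy.assigns:
            if (rule.target not in may
                    and rule.admin in may
                    and rule.positive <= may):
                may.add(rule.target)
                changed = True
    return may


def prove_unreachable(policy: Policy, role: str) -> bool:
    """True: the abstraction PROVES no user can ever obtain `role`.
    False: inconclusive; the abstraction may simply be too coarse."""
    return role not in abstract_reachable_roles(policy)


def example_policy() -> Policy:
    """Constructed sample policy (not taken from the paper)."""
    return Policy(
        initial={"alice": {"Employee"}, "bob": {"HR"}},
        assigns=[
            # HR may promote an Employee who is not an Auditor to Manager.
            CanAssign("HR", frozenset({"Employee"}), frozenset({"Auditor"}), "Manager"),
            # HR may grant Payroll access to a Manager.
            CanAssign("HR", frozenset({"Manager"}), frozenset(), "Payroll"),
            # Only a SuperAdmin can create SuperAdmins or Auditors, and no
            # user holds SuperAdmin initially.
            CanAssign("SuperAdmin", frozenset(), frozenset(), "SuperAdmin"),
            CanAssign("SuperAdmin", frozenset(), frozenset(), "Auditor"),
        ],
        revokes=[CanRevoke("HR", "Manager")],
    )


if __name__ == "__main__":
    pol = example_policy()
    print("may-hold roles:", sorted(abstract_reachable_roles(pol)))
    for target in ("SuperAdmin", "Auditor", "Payroll"):
        verdict = "proved unreachable" if prove_unreachable(pol, target) else "inconclusive"
        print(f"{target}: {verdict}")
```

For the sample policy the fixpoint is {Employee, HR, Manager, Payroll}: SuperAdmin and Auditor are proved unreachable because the only rules granting them require an administrator role nobody can ever obtain, while Payroll is reported inconclusive (here it is in fact reachable). Refining the abstraction, for example by tracking which combinations of roles a single user may hold, is what separates a coarse proof attempt from a precise one; that refinement is the paper's subject, not this example's.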
