Scalable automated symbolic analysis of administrative role-based access control policies by SMT solving

Administrative Role-Based Access Control (ARBAC) is one of the most widespread frameworks for the management of access-control policies. Several automated analysis techniques have been proposed to help maintain desirable security properties of ARBAC policies. One of the main limitations of the available analysis techniques is that the set of users is bounded. In this paper, we propose a symbolic framework to overcome this limitation. We design an automated analysis technique that can handle both a bounded and an unbounded number of users by adapting recent methods for the symbolic model checking of infinite-state systems that use first-order logic and SMT solving techniques. An extensive experimental evaluation confirms the scalability of the proposed technique.
