Security Analysis of Role-based - PowerPoint PPT Presentation

About This Presentation
Title:

Security Analysis of Role-based

Description:

Security Analysis of Role-based Access Control through Program Verification Anna Lisa Ferrara University of Bristol, UK Gennaro Parlato – PowerPoint PPT presentation

Number of Views:179
Avg rating:3.0/5.0
Slides: 21
Provided by: pip146
Category:

less

Transcript and Presenter's Notes

Title: Security Analysis of Role-based


1

Security Analysis of Role-based
Access Control through Program
Verification
Anna Lisa Ferrara University of Bristol, UK

Gennaro Parlato University of
Southampton, UK
P. Madhusudan University of Illinois,
USA
2

Access Control Policies
  • Access control policies are designed to support
    authorized accesses to protected
  • resources

3

Role-based Access Control (RBAC)
  • Most used access control model
  • - standardized by the NIST
  • - ease of administration

Users
Roles
Permissions
Permissions are pairs (object, operation)
UA Users X Roles
PA Roles X Permissions
4

RBAC Example Hospital
Roles Doctor, Manager, Nurse, Patient, PrimaryD,
Receptionist,
Permissions p1 (Create, Appointment)
p2(View, OldMedicalRecord)
p3(View, RecentMedicalRecords)

UA (Mary, Receptionist) (John,
Doctor), (John, PrimaryD) (Jenny,
Patient) (Tim, Doctor)
PA (Receptionist, p1) (Doctor, p2)
(Doctor, p3)
5

Administrative RBAC
(ARBAC)
  • Uses the concept of role itself to administer
    RBAC policies
  • Assign(admin_role, precondition, target_role)
  • - if admin user A has admin_role, then she
    can assign any user u who
  • satisfies precondition the target_role

Roles
Permissions
Users
Admin Actions
Admins
Admins Roles
Users
any boolean condition over the roles of u
6

Example of ARBAC Policy
Admins Manager, Patient, Receptionist,
Assign Actions - assign( Manager, Doctor,
Receptionist ) - assign( Manager, true,
Nurse ) - assign( Patient,
Doctor?Patient, PrimaryDoctor )
Revoke Actions - revoke( Manager, true,
Receptionist ) - revoke( Manager, true,
Nurse )
7

Security Requirements
  • Designer have security properties in mind while
  • designing their policies
  • Availability properties
  • - A doctor must always be able to access
    patients record
  • Escalation of privileges
  • - A receptionist cannot access patients
    records
  • Separation of duties
  • - A doctor cannot be also a receptionist

8

Importance of Security Analysis

r1 r2 rn

1 0 0
0 0 1

u1
u2


.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
state of the system
Assign/Revoke actions
  • Policies are difficult to inspect by hand
  • Monitoring strategies are not acceptable

9

Our Contribution
  • Propose a way to automatically prove correctness
  • - abstractions techniques
  • Show that our solution scales in practice
  • Build VAC, a tool publicly available

RBAC
10

Role-reachability Problem
- availability - separation of duties, -
escalation of privileges, -
each reduces to
  • Role-reachability Problem

Can any user reach a particular role goal during
the evolution of the system?
11

Equivalent Representation
  • The cardinalities of all Venn regions determines
    the precise state of the ARBAC
  • system modulo user identities

number of users in each combination of roles

comb1 0 comb2 20 comb2n 35
r1 r2 rn

u1
u2

1 0 0
0 0 1

.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
equivalent modulo identities
.
.
state of the system
state of the system
  • The ARBAC system can purely be simulated using
    Venn region cardinalities

r1
r2
r3
  • Role-reachability Is there a reachable state
    where combi gt0, for some combi
  • containing goal?

12

Abstraction
  • We use abstraction
  • - over-approximations (correctness)

abstract function
A
C
s
?(s)
?
abstract transition
s
?(s)
real domain
abstract domain
  • Soundness
  • ? s. initC(s) ? initA(?(s))
  • ? s,s. (s s) ? ( ?(s) ?(s))

13

Our Solution
A
A
C
?1
?2
?1
?2
Numerical Abstraction
Numerical Abstraction
Set Abstraction
Set Abstraction
14

Set Abstraction (Abstract
Domain)
  • Given the set of roles, track only the number of
    users in a subset Track of role-combinations

Example Roles Manager, Nurse, Patient,
PrimaryD, Receptionist, Doctor
Track ManagerNursePatient
ManagerDoctorReceptionist
DoctorReceptionist Patient
May or may not be a Doctor
15

Set Abstraction (Abstract
Transition)
  • Must soundly update the abstract state after any
    Assign and Revoke action
  • Without knowing the exact number of users in each
    Venn region it is difficult to update the states
  • Intuition Choose non-deterministically the user
    role-combination and update subsets accordingly

Consider Assign(Manager, Receptionist, Doctor)
- Difficulty
ManagerNursePatient ManagerDoctorReceptionist
ManagerDoctorReceptionist Patient ManagerDoctor
Is the user a manager or not?
Track
16
Abstract
Transition as a Program
while ( true ) do //----- Choose a user
consistent with the current configuration
------// b_Adminrandom assume
b_Admingt0 and b_Adminlt1
b_Doctorrandom assume b_Doctorgt0 and
b_Doctorlt1 b_Managerrandom assume
b_Managergt0 and b_Managerlt1
b_Patientrandom assume b_Patientgt0 and
b_Patientlt1 b_PrimaryDoctorrandom
assume b_PrimaryDoctorgt0 and b_PrimaryDoctorlt1
b_Receptionistrandom assume
b_Receptionistgt0 and b_Receptionistlt1
b_targetrandom assume b_targetgt0 and
b_targetlt1 //----- CanAssign(Manager,
!Receptionist , Doctor ) if (brandom and
(ADMIN_Managergt0) and b_Receptionist0
and b_Doctor0 ) then
tmpAdmin0 //----- Xt
n_Doctor_0Patient ------// if
(b_Patient0 ) then
n_Doctor_0Patientn_Doctor_0Patient1
tmpAdmin1 endif
if (tmpAdmingt0) then
ADMIN_DoctorADMIN_Doctor1 endif
endif //---- ERROR --------------
if (n_targetgt0) then skip
endif done
.
.
.
17

Numerical Abstraction
  • Interval abstractions of programs for numerical
    domains
  • each value in Track
  • in each point of the program

?2
  • Interval Range
  • Security of RBAC policies does not depend on the
    exact number of users in a configuration!

18

Our tool
Policy
Security Query
slicing
set-abstraction
encode in a program
interval-abstractions using
INTERPROC
NO policy correct
Yes may be a false error
19

Experimental Results
After Slicing
VAC
Line of code
Total time

Time to trasform

INTERPROC time
actions
roles
roles
actions
Policy
12 24 3 4
12 24 5 8
32 132 5 9
32 132 13 37
32 132 15 43
34 593 34 593
68 1186 68 1186
68 1186 68 1186
102 1779 102 1779
102 1779 102 1779
136 2372 136 2372
136 2372 136 2372
73 0.3s 0s 0.3s
134 0.3s 0.01s 0.3s
162 0.5s 0.1s 0.6s
541 0.6s 0.2s 0.8s
535 0.6s 0.2s 0.8s
13,356 7s 44s 51s
26,684 9s 3m 0.2s 3m 11s
26,705 9s 3m 0.3s 3m 12s
40,012 11s 7m 0.8s 7m 19s
40,045 10s 7m 08s 7m 18s
53,340 11s 13m 16s 13m 27s
53,383 9s 13m 15s 13m 24s






Hospital
University
Bank1
Bank2
Bank3
Bank4
20

Conclusion
  • Prove correctness of policies automatically
    (abstractions)
  • set abstraction
  • interval abstraction
  • Experimentally proved the scalability of our
    approach
  • VAC is available at
  • http//users.ecs.soton.ac.uk/gp4/VAC.ht
    ml
Write a Comment
User Comments (0)
About PowerShow.com