ACPT: Access Control Policy Testing System (National Institute of Standards and Technology; Department of Computer Science, North Carolina State University)

1
ACPT: Access Control Policy Testing System
National Institute of Standards and Technology
Department of Computer Science, North Carolina State University
Presenter: Prof. Tao Xie
2
ACPT Overview
  • Model Construction
    • composing and combining access control (AC)
      models (e.g., Multi-Level, RBAC)
  • Model Verification
    • verifying AC models against given properties
  • Implementation Testing
    • testing AC implementations

3
Model Construction
  • Composing and combining AC models (e.g.,
    Multi-Level and RBAC)
  • Support mandatory AC models (e.g., Multi-Level
    and RBAC) popularly used in practice
  • Ensure safety (i.e., absence of leakage) and
    flexibility in composing and combining mandatory
    AC models and rules
  • Allow use of combination algorithms such as
    first-applicable, deny-overrides, and
    permit-overrides

4
Model Verification
  • Verifying AC models against given properties
    • AC models can include a large number of
      attributes (e.g., roles, objects, clearances)
    • Conflicts among entities and their complexity may
      lead to misconfigurations
    • Detect discrepancies between AC models and their
      intended function (specified as properties)
    • Property verification checks whether AC models
      satisfy given properties (e.g., via model
      checking)

5
Implementation Testing
  • Testing AC implementations for implementation
    faults
    • Generate a test suite (access requests) based on AC
      models and properties
    • Evaluate the generated test suite against AC
      implementations to find faults
    • Generated test suites can be applied to any AC
      implementation in deployment

6
ACPT System Architecture
(Architecture diagram; components: AC model templates (Multi-Level, RBAC, Workflow, Chinese Wall, ...), GUI, model construction, AC models/rules, AC properties, model verification (e.g., model checker), implementation testing (e.g., combinatorial tester), test suite, AC implementations)
  • Goals
    • Model verification - model/rule correctness
    • Implementation testing - implementation conformance

7
Model Construction
  • Allow users to compose mandatory AC models (as well as
    AC rules) through pre-defined model templates
    • Multi-Level, RBAC, Workflow, and Chinese Wall models
  • Allow users to specify model details by assigning
    attribute values
    • e.g., role subjects, resources, and actions for
      RBAC
  • Allow users to combine different AC models or rules
    • specifying model (or rule) priority for combining
      models or rules, e.g., combine Multi-Level with
      RBAC models

8
Model Verification
  • Conduct model verification to assure AC safety in
    composed/combined models
  • Convert composed/combined models and
    user-specified properties to input models and
    properties of a verification tool (e.g., a model
    checker)
  • Verify models against specified properties, and
    report detected property violations

9
Implementation Testing
(Diagram: access requests are sent to the AC implementation; its decisions are compared with the expected decisions)
  • Assure AC implementation conformance by
    evaluating generated access requests
    • Test generation: generate access requests (based
      on models/properties)
    • Test execution: evaluate requests (against the AC
      implementation) and produce their decisions
    • Test-result evaluation: check whether the decisions
      are consistent with the expected decisions (from
      properties, manual inspection, etc.)
    • If inconsistent, review the implementation for faults

10
Combinatorial Test Generation
  • Exhaustive testing is impractical (esp. when
    manual effort is needed for test-result inspection)
  • Need to generate a small test suite with high
    fault-detection capability
  • Exploit the NIST Advanced Combinatorial Testing
    Suite (ACTS): collect domain variables in AC
    models and generate an efficient test suite
    automatically to detect faults, with
    • inputs: a domain of variables
    • outputs: t-way covering arrays as tests

11
Combinatorial Test Generation Example
  • For example, domain of variables:
    • 2 subjects: Faculty and Student
    • 2 actions: write and view
    • 2 resources: grades and records
  • Given the domain, 4 and 8 tests are generated
    for 2-way and 3-way interactions, respectively
    • <Faculty, grades, write>,
    • <Faculty, records, view>,

12
Combinatorial Test Generation Example
  • Combinatorial tests based on 2-way interactions
  • Combinatorial tests based on 3-way interactions
    (which are exhaustive tests for this domain)
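The covering-array idea behind these two slides, as an added Python illustration (not ACTS or ACPT code): the domain is the one from the slide, and the generator finds the smallest t-way covering array by exhaustive subset search, which reproduces the 4 tests for 2-way and 8 for 3-way interactions. ACTS itself builds arrays constructively (IPOG) rather than by search; the search here is only a teaching device for a toy domain.

```python
from itertools import combinations, product

# Constructed domain from the slide: 2 subjects, 2 resources, 2 actions.
DOMAIN = {
    "subject": ["Faculty", "Student"],
    "resource": ["grades", "records"],
    "action": ["write", "view"],
}

def all_requests(domain):
    """Exhaustive test suite: every combination of attribute values."""
    names = sorted(domain)
    return [dict(zip(names, values)) for values in product(*(domain[n] for n in names))]

def required_interactions(domain, t):
    """Every t-way interaction (t attributes, one value each) a t-way suite must cover."""
    names = sorted(domain)
    return {tuple(zip(attrs, values))
            for attrs in combinations(names, t)
            for values in product(*(domain[a] for a in attrs))}

def covered_interactions(tests, t):
    """The t-way interactions that appear in at least one test of the suite."""
    return {tuple((a, test[a]) for a in attrs)
            for test in tests
            for attrs in combinations(sorted(test), t)}

def uncovered(tests, domain, t):
    """Interactions the suite still misses; empty means the suite is a t-way covering array."""
    return required_interactions(domain, t) - covered_interactions(tests, t)

def min_covering_array(domain, t):
    """Smallest t-way covering array, by trying ever larger subsets of the
    exhaustive suite (fine for 8 candidates; ACTS uses IPOG instead)."""
    candidates = all_requests(domain)
    for size in range(1, len(candidates) + 1):
        for suite in combinations(candidates, size):
            if not uncovered(suite, domain, t):
                return list(suite)
    return candidates
```

Each 2-way test covers three attribute pairs, so four tests are the floor for the twelve required pairs, while every 3-way interaction is a whole request, which is why the 3-way suite equals exhaustive testing.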

13
ACPT System Architecture
AC Model Templates Multi-Level, RBAC, Workflow, C
hinese Wall,
GUI
Model construction
Model verification
AC Properties
e.g., model checker
AC Models/Rules
Implementation testing
e.g., combinatorial tester
AC Implementations
  • Goals
  • Model verification
  • - Model/rule correctness
  • Implementation testing
  • - Implementation conformance

Test Suite
14
Compare ACPT with Commercial AC Tools
  • Commercial AC management tools do not have all of
    the following capabilities that NIST ACPT has:
    • AC model templates for specifying models:
      Multi-Level, RBAC, Workflow, Chinese Wall, etc.
      Some (such as IBM Policy Manager) claim to
      provide RBAC templates, but these are only
      simulated using rules and provide no support
      for role or attribute relations (hierarchies)
    • Combination of multiple AC models,
      e.g., combining Multi-Level and RBAC models
    • AC model verification to detect faults in models
      (IBM Policy Manager has only a limited SOD
      (Separation of Duty) check)
    • Test-suite generation for testing AC
      implementations in deployment to detect faults in
      implementations

15
ACPT Future Work
  • Model (and rule) priority configuration for
    combining different models or rules
  • Generate deployable policies in XACML derived
    from verified AC model or rules
  • More AC model templates including dynamic and
    historical AC models
  • API or mechanism for acquiring or consuming
    information about users, attributes, resources,
    etc.
  • Web-ACPT allowing convenient web-based model
    composition

16
Conclusion
  • ACPT: Access Control Policy Testing System
    • Enables users to conveniently compose and combine
      various models such as Multi-Level and RBAC
    • Provides high confidence in AC correctness
      • Model correctness via model verification
      • Implementation conformance via implementation
        testing

17
Questions?
vhu_at_nist.gov xie_at_csc.ncsu.edu
18
Role-Based Access Control (RBAC)
  • Users are assigned to roles, e.g., doctor, nurse,
    patient.
  • Permissions are associated with roles.
  • A user has a permission if he is a member of some
    role with that permission.
  • RBAC is relatively simple and widely used.

(Diagram: user assignment links users to roles, and permission assignment links roles to permissions; from [Stoller et al. 07])
20
(role_subject Doctor) (resource OldMedicalRecords resource RecentMedicalRecords resource PrivateNotes) (action View) -> decision Permit
22
Policy Synthesis
  • XACML (eXtensible Access Control Markup Language)
    is a generic XML-based language for specifying AC
    policies
    • Extensible and flexible policy specification
      language
    • Considered the de facto standard
  • ACPT takes a set of pre-defined XACML policy
    templates and synthesizes XACML policies from
    composed/combined models
    • Different models use different XACML policy
      templates
    • Extensible: supports converting new models into
      XACML policies by adding new XACML policy
      templates

23
Synthesized XACML Policy Example
<PolicySet PolicySetId="n" PolicyCombiningAlgId="First-Applicable">
  <Target/>
  <Policy PolicyId="RBAC_school" RuleCombinationAlgId="First-Applicable">
    <Target/>
    <Rule RuleId="1" Effect="Deny">
      <Target>
        <Subjects><Subject>Student</Subject><Subject>Secretary</Subject></Subjects>
        <Resources><Resource>Grades</Resource></Resources>
        <Actions><Action>Change</Action></Actions>
      </Target>
    </Rule>
    <Rule RuleId="2" Effect="Permit">
      <Target>
        <Subjects><Subject>Professor</Subject><Subject>Lecturer</Subject><Subject>Secretary</Subject></Subjects>
        <Resources><Resource>Grades</Resource><Resource>Records</Resource></Resources>
        <Actions><Action>Change</Action></Actions>
      </Target>
    </Rule>
  </Policy>
  <Policy PolicyId="ABAC_school" RuleCombinationAlgId="First-Applicable">
    <Target/>
    <Rule RuleId="3" Effect="Permit">
      <Target>
        <Subjects><Subject>Jim</Subject></Subjects>
        <Resources><Resource>Records</Resource></Resources>
        <Actions><Action>Change</Action><Action>Read</Action></Actions>
      </Target>
    </Rule>
  </Policy>
</PolicySet>

RBAC_school policy:
Rule 1: A student or secretary cannot change grades.
Rule 2: A professor, lecturer, or secretary can change grades or records.
ABAC_school policy:
Rule 3: Jim can change grades or records.
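As an added illustration (not ACPT code and not from the slides), a minimal Python evaluator for the simplified XACML above, applying First-Applicable at both the policy-set and the policy level; it also performs the test-result evaluation step from slide 9 (expected versus actual decisions) and an exhaustive enumeration of permitted requests as a brute-force stand-in for the model-checking step. The XML is a constructed copy of the slide's example with its attribute names kept as shown; matching on element text is an assumption of this toy format, since real XACML uses Match elements. Note that Secretary appears in both Rule 1 (Deny) and Rule 2 (Permit), so the combining algorithm and rule order decide the outcome for (Secretary, Grades, Change).

```python
import xml.etree.ElementTree as ET
from itertools import product
# Constructed copy of the slide's simplified XACML: element text carries the
# matched value (real XACML uses Match elements); attribute names as on the slide.
POLICY_SET = """<PolicySet PolicySetId="n" PolicyCombiningAlgId="First-Applicable"><Target/>
<Policy PolicyId="RBAC_school" RuleCombinationAlgId="First-Applicable"><Target/>
<Rule RuleId="1" Effect="Deny"><Target>
<Subjects><Subject>Student</Subject><Subject>Secretary</Subject></Subjects>
<Resources><Resource>Grades</Resource></Resources>
<Actions><Action>Change</Action></Actions></Target></Rule>
<Rule RuleId="2" Effect="Permit"><Target>
<Subjects><Subject>Professor</Subject><Subject>Lecturer</Subject><Subject>Secretary</Subject></Subjects>
<Resources><Resource>Grades</Resource><Resource>Records</Resource></Resources>
<Actions><Action>Change</Action></Actions></Target></Rule></Policy>
<Policy PolicyId="ABAC_school" RuleCombinationAlgId="First-Applicable"><Target/>
<Rule RuleId="3" Effect="Permit"><Target>
<Subjects><Subject>Jim</Subject></Subjects>
<Resources><Resource>Records</Resource></Resources>
<Actions><Action>Change</Action><Action>Read</Action></Actions></Target></Rule></Policy>
</PolicySet>"""

def target_matches(target, subject, resource, action):
    """An empty <Target/> matches any request; otherwise each listed category must contain the value."""
    wanted = {"Subjects": subject, "Resources": resource, "Actions": action}
    for category, value in wanted.items():
        listed = target.find(category)
        if listed is not None and value not in [e.text.strip() for e in listed]:
            return False
    return True

def evaluate(policy_set_xml, subject, resource, action):
    """First-Applicable at both levels: the first matching rule decides; a policy with no match is skipped."""
    for policy in ET.fromstring(policy_set_xml).findall("Policy"):
        if not target_matches(policy.find("Target"), subject, resource, action):
            continue
        for rule in policy.findall("Rule"):
            if target_matches(rule.find("Target"), subject, resource, action):
                return rule.get("Effect")
    return "NotApplicable"

def conformance_faults(policy_set_xml, expected):
    """Test-result evaluation: requests whose actual decision differs from the expected one."""
    return [(req, exp, evaluate(policy_set_xml, *req))
            for req, exp in expected.items() if evaluate(policy_set_xml, *req) != exp]

def permitted_requests(policy_set_xml, domain):
    """Exhaustively enumerate permitted (subject, resource, action) triples to check a safety property."""
    return {req for req in product(*domain) if evaluate(policy_set_xml, *req) == "Permit"}
```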
24
Model Verification
ACPT currently uses the NuSMV model checker, a
well-structured, flexible, and efficient tool
(supporting CTL and LTL model checking).
(Diagram: composed/combined models in NuSMV and properties in NuSMV are fed to the NuSMV model checker, which reports detected property violations)
25
Compare ACPT with Commercial/Research AC tools
Product                              | Model Specification                          | Property Verification    | Property Assessment | Test-Suite Generation
ACPT (our proposed approach)         | static, dynamic, and historical policy model | Yes                      | Yes                 | Yes
Model checking tool (Zhang et al.)   | static policy model                          | Yes                      | No                  | No
Model checking tool (Kikuchi et al.) | static policy model                          | Yes                      | No                  | No
Model checking tool (Schaad et al.)  | historical policy model                      | Yes                      | No                  | No
IBM Security Policy Manager V7.0     | No                                           | Yes (Separation of Duty) | No                  | No
Cisco Policy Manager                 | No                                           | No                       | No                  | No