Property Verification for Generic Access Control Models


To formally and precisely capture the security properties that access control should adhere to, access control models are usually written to bridge the rather wide gap in abstraction between policies and mechanisms. In this paper, we propose a new general approach for property verification for access control models. The approach defines a standardized structure for access control models, providing for both property verification and automated generation of test cases. The approach expresses access control models in the specification language of a model checker and expresses generic access control properties in the property language. Then the approach uses the model checker to verify these properties for the access control models and generates test cases via combinatorial covering array for the system implementations of the models.

Vincent C. Hu, D. Richard Kuhn, and Tao Xie, "Property Verification for Generic Access Control Models", in Proc., the 2008 IEEE/IFIP International Symposium on Trust, Security and Privacy for Pervasive Applications, Shanghai China December, 2008.


Conformance Checking of Access Control Policies Specified in XACML


Access control is one of the most fundamental and widely used security mechanisms. Access control mechanisms control which principals such as users or processes have access to which resources in a system. To facilitate managing and maintaining access control, access control policies are increasingly written in specification languages such as XACML. The specification of access control policies itself is often a challenging problem. Furthermore, XACML is intentionally designed to be generic: it provides the freedom in describing access control policies, which are well-known or invented ones. But the flexibility and expressiveness provided by XACML come at the cost of complexity, verbosity, and lack of desirable-property enforcement. Often common properties for specific access control policies may not be satisfied when these policies are specified in XACML, causing the discrepancy between what the policy authors intend to specify and what the actually specified XACML policies reflect. In this position paper, we propose an approach for conducting conformance checking of access control policies specified in XACML based on existing verification and testing tools for XACML policies.

V. C. Hu, E. Martin, J. Hwang, and T. Xie, "Conformance Checking of Access Control Policies Specified in XACML", in Proc. 1st IEEE International Workshop on Security in Software Engineering (IWSSE 2007), Beijing, China, pp. 275–280, July 2007.



Model checking for verification of mandatory access control models and properties


Mandatory access control (MAC) mechanisms control which users or processes have access to which resources in a system. MAC policies are increasingly specified to facilitate managing and maintaining access control. However, the correct specification of the policies is a very challenging problem. To formally and precisely capture the security properties that MAC should adhere to, MAC models are usually written to bridge the rather wide gap in abstraction between policies and mechanisms. In this paper, we propose a general approach for property verification for MAC models. The approach defines a standardized structure for MAC models, providing for both property verification and automated generation of test cases. The approach expresses MAC models in the specification language of a model checker and expresses generic access control properties in the property language. Then the approach uses the model checker to verify the integrity, coverage, and confinement of these properties for the MAC models and finally generates test cases via combinatorial covering array for the system implementations of the models.

Vincent C. Hu, D. Richard Kuhn, Tao Xie, and JeeHyun Hwang, "Model checking for verification of mandatory access control models and properties", International Journal of Software Engineering and Knowledge Engineering (IJSEKE). 17-20 Dec. 2008.



Detection of Multiple-Duty-Related Security Leakage in Access Control Policies


Access control mechanisms control which subjects (such as users or processes) have access to which resources. To facilitate managing access control, policy authors increasingly write access control policies in XACML. Access control policies written in XACML could be amenable to multiple-duty-related security leakage, which grants unauthorized access to a user when the user takes multiple duties (e.g., multiple roles in role-based access control policies). To help policy authors detect multiple-duty-related security leakage, we develop a novel framework that analyzes policies and detects cases that potentially cause the leakage. In such cases, a user taking multiple roles (e.g., both r1 and r2) is given a different access decision from the decision given to a user taking an individual role (e.g., r1 and r2, respectively). We conduct experiments on 11 XACML policies and our empirical results show that our framework effectively pinpoints potential multiple-duty-related security leakage for policy authors to inspect.

JeeHyun Hwang, Tao Xie, and Vincent C. Hu, "Detection of Multiple-Duty-Related Security Leakage in Access Control Policies", in Proc. The third IEEE international Conference on Secure Software Integration and Reliability Improvement (SSIRI), Shanghai China July 2009.



Assessing Quality of Policy Properties in Verification of Access Control Policies


Access control policies are often specified in declarative languages. In this paper, we propose a novel approach, called mutation verification, to assess the quality of properties specified for a policy and, in doing so, the quality of the verification itself. In our approach, given a policy and a set of properties, we first mutate the policy to generate various mutant policies, each with a single seeded fault. We then verify whether the properties hold for each mutant policy. If the properties still hold for a given mutant policy, then the quality of these properties is determined to be insufficient in guarding against the seeded fault, indicating that more properties are needed to augment the existing set of properties to provide higher confidence of the policy correctness. We have implemented Mutaver, a mutation verification tool for XACML, and applied it to policies and properties from a real-world software system.

E. Martin, T. Xie, and V. C. Hu, "Assessing Quality of Policy Properties in Verification of Access Control Policies", North Carolina State University Department of Computer Science Technical report TR-2007-25, September 16, 2007.



Model Checking for Verification of Mandatory Access Control Models and Properties


Mandatory access control (MAC) mechanisms control which users or processes have access to which resources in a system. MAC policies are increasingly specified to facilitate managing and maintaining access control. However, the correct specification of the policies is a very challenging problem. To formally and precisely capture the security properties that MAC should adhere to, MAC models are usually written to bridge the rather wide gap in abstraction between policies and mechanisms. In this paper, we propose a general approach for property verification for MAC models. The approach defines a standardized structure for MAC models, providing for both property verification and automated generation of test cases. The approach expresses MAC models in the specification language of a model checker and expresses generic access control properties in the property language. Then the approach uses the model checker to verify the integrity, coverage, and confinement of these properties for the MAC models and finally generates test cases via combinatorial covering array for the system implementations of the models.

Vincent Hu, Rick Kuhn, Tao Xie, JeeHyun Hwang, "Model Checking for Verification of Mandatory Access Control Models and Properties", Int'l Journal of Software Engineering and Knowledge Engineering (IJSEKE) regular issue IJSEKE Vol. 21 No. 1. 2011.