Synthesising verified access control systems through model checking

Nan Zhang, Mark Ryan, Dimitar P. Guelev
2008 Journal of Computer Security  
We present a framework for evaluating and generating access control policies. The framework contains a modelling formalism called RW, which is supported by a model checking tool. RW is designed for modelling access control policies and verifying their properties. The RW language is very expressive, allowing us to model complex access conditions which can depend on data values, other permissions, and agent roles. A property expresses the capability of a coalition of agents to achieve a goal, which may include reading and overwriting certain information. Given a model built from a policy and a property, the model-checking algorithm decides whether the goal defined by the property is achievable by the coalition within the permissions the policy provides. If the goal is achievable, the algorithm outputs strategies which may be used by the coalition to achieve it. The unachievability of legitimate goals may suggest that the policy does not give users enough permissions to carry out their actions. The achievability of malicious goals may reveal security holes in the policy; in that case the resulting strategies provide clues on how to amend the policy. The tool implements the algorithm and thus performs RW model checking. It can also convert a policy written in the RW language into a policy file in XACML, on which an access control system can then be built.

The paper's motivating example is a conference programme committee (PC) governed by the following rules:

1. The chair of the PC assigns papers to PC members for reviewing.
2. PC member a can read PC member b's review for a paper p provided p is not assigned to a.
3. If two PC members, a and b, are both assigned paper p for reviewing, a can read b's review for p only if a has already submitted its own review for p. The same holds for b.
4. Having been assigned a paper p, PC member a can give up being a reviewer for p before the reviewing is finished.

The purpose of these rules is to prevent a reviewer's opinion on a paper from influencing another reviewer's. Although each rule seems sound on its own, the intention of rule 3 can easily be breached by several agents working together through multiple steps of actions. Given a paper p and three PC members a, b, and c, with c being the chair, the following two strategies are available to a and c to work together to breach the intention of rule 3.

Strategy 1.1
1. c assigns p to b for reviewing. (permitted by rule 1)
2. a reads b's review for p. (permitted by rule 2)
3. c assigns p to a for reviewing. (permitted by rule 1)

Strategy 1.2
1. c assigns p to both a and b for reviewing. (permitted by rule 1)
2. Before a submits his review for p, he resigns as reviewer for p. (permitted by rule 4)
3. a reads b's review for p. (permitted by rule 2)
4. c assigns p to a for reviewing again. (permitted by rule 1)

Each single step of the two strategies is legitimate. However, the strategies enable a behaviour which the rules were not intended to permit. Three factors cause this problem:

1. Interactions of rules. Although rule 3 explicitly prohibits a reviewer from reading another reviewer's review for a paper assigned to both of them, rule 2 and rule 4 provide opportunities for the agents to bypass it.
2. Co-operation between agents. Although a cannot breach rule 3 by himself, with the help of c they can act together in an indirect way to get around rule 3. This co-operation involves c consigning the privilege of reviewing p to a.
3. Multi-step actions. Although a cannot breach rule 3 in a single step, he, with the help of c, can violate it through a sequence of actions.

The RW access control formalism. This is our modelling formalism, used to model access control policies. It is based on propositional logic. A novelty of the formalism is its built-in ability to express permissions about permissions (sometimes known as meta-policy [7]). The RW (Read and Write) formalism treats permissions as data in the same way as it treats ordinary data in a system; thus permissions are objects of reading and writing actions just as other data are.

The RW access control policy description and specification language. This is a machine-readable language used to express access control policies modelled in the RW formalism and properties to be verified against the model.
A property is a query asking, given a set of agents and a goal, whether the agents can achieve the goal by carrying out strategies consisting of permissible reading and overwriting actions at each step. Goals amount to learning about the state of the system to which the policy applies, changing it to satisfy certain conditions, or some logical combination of these.

The RW model-checking algorithm. This algorithm takes a model of a policy and a property as input and answers whether the property holds on the model. It uses the technique of symbolic model checking [25]. If the property holds, meaning the agents can achieve the goal, the algorithm outputs strategies that may be used by the agents to achieve it. For legitimate goals, achievability shows that the policy provides enough permissions to the users. For malicious goals, achievability may reveal weaknesses in the policy; in these cases the output strategies provide clues regarding how to amend the policy.

AcPeg. This is a tool written in Java which implements the above algorithm to perform the checking. The tool can be obtained from [33]. It can also translate a policy description in the RW language into a policy file in XACML [15], which can then be used to implement a real access control system. A relational database, assumed to contain the access-control-relevant data of the system, must be set up to support access decisions based on the translated XACML policy file.

The RW formalism, the mathematical form of the description part of the RW language and a decision procedure are presented in [16]. Given an access control policy, a goal, and a set of agents, the decision procedure can determine whether strategies are available for the agents to achieve the goal, but without showing what the strategies are. The algorithm presented in Section 5 is developed on the basis of that decision procedure in order to extract the strategies. In the case of malicious goals, the resulting strategies may give clues as to how the goals can be achieved, so that the policy can be amended accordingly. The algorithm, the specification part of the RW language, and AcPeg's model-checking ability are presented in [35]. The description part of the RW language in machine-readable form, AcPeg's translation ability and related issues are presented in [34]. The current paper integrates the contents of the three papers plus some new developments and results that have not been presented before.
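The programme-committee example above and the description of the model-checking algorithm that extracts strategies can both be illustrated with a small explicit-state search. The following is an added example, not code from the paper or from AcPeg: it encodes rules 1 to 4 as guards on the actions of the coalition {a, c} for a single paper p, searches breadth-first for a state in which a is assigned p alongside b and has read b's review without having submitted its own (the breach of rule 3's intention), and replays the two strategies from the text. The "a submits review" action, the state representation, and the `amended` flag (an illustrative amendment in which the chair may not assign p to an agent who has already read another reviewer's review of p) are assumptions of this example, not part of the paper.

```python
"""Explicit-state reachability search over the programme-committee policy.

Added example, not code from the paper or from AcPeg. Rules 1-4 from the text
become guards on the coalition's actions; the search returns the shortest
strategy reaching a goal state. The 'submit' action and the amended rule
are modelling assumptions of this example.
"""
from collections import deque

A, B = "a", "b"  # PC members; c is the chair and only assigns papers

# State for the single paper p: (assigned reviewers, reviewers who have
# submitted a review, agents who have read another reviewer's review of p).
def initial_state():
    return (frozenset(), frozenset(), frozenset())

def actions(state, amended=False):
    """Yield (label, next_state) for every action the coalition {a, c} may take."""
    assigned, submitted, has_read = state
    for x in (A, B):
        # Rule 1: the chair assigns p to a PC member.
        # Assumed amendment: refuse to assign p to an agent who has already
        # read another reviewer's review of p.
        if x not in assigned and not (amended and x in has_read):
            yield f"c assigns p to {x}", (assigned | {x}, submitted, has_read)
    if A in assigned and A not in submitted:
        # Rule 4: a reviewer may resign before finishing the review.
        yield "a resigns as reviewer for p", (assigned - {A}, submitted, has_read)
        # Modelling assumption: an assigned reviewer may submit its review.
        yield "a submits review for p", (assigned, submitted | {A}, has_read)
    # Rule 2: a may read b's review if p is not assigned to a.
    # Rule 3: if both are assigned, a may read b's review only after
    # submitting its own.
    rule2 = A not in assigned
    rule3 = A in assigned and B in assigned and A in submitted
    if rule2 or rule3:
        yield "a reads b's review for p", (assigned, submitted, has_read | {A})

def breaches_rule3_intent(state):
    """a reviews p alongside b, has read b's review, but has not submitted its own."""
    assigned, submitted, has_read = state
    return A in assigned and B in assigned and A in has_read and A not in submitted

def find_strategy(goal, amended=False, max_depth=8):
    """Breadth-first search from the initial state.

    Returns the shortest action sequence reaching a state satisfying `goal`,
    or None if no such sequence exists within `max_depth` steps.
    """
    start = initial_state()
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        state, path = queue.popleft()
        if goal(state):
            return path
        if len(path) >= max_depth:
            continue
        for label, nxt in actions(state, amended):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [label]))
    return None

def replay(labels, amended=False):
    """Apply a labelled action sequence; return the final state, or None if a step is not permitted."""
    state = initial_state()
    for label in labels:
        moves = dict(actions(state, amended))
        if label not in moves:
            return None
        state = moves[label]
    return state

if __name__ == "__main__":
    print("Original policy, shortest strategy:", find_strategy(breaches_rule3_intent))
    print("Amended policy, shortest strategy:", find_strategy(breaches_rule3_intent, amended=True))
```

Run stand-alone, the search reports Strategy 1.1 (assign b, a reads, assign a) as the shortest breach of the original policy and no strategy at all for the amended policy, which is the kind of evidence the text describes: an output strategy pointing at the rule interaction to fix, and a re-check confirming the fix closes it. The state space here is tiny (assignment, submission and read flags for one paper), so exhaustive enumeration suffices; RW's symbolic algorithm exists precisely because real policies do not stay that small.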
doi:10.3233/jcs-2008-16101