ACPT- Access Control Policy Testing System National Institute .ppt

Uploaded by: figureissue185 Document ID: 377998 Upload date: 2018-10-09 Format: PPT Pages: 25 Size: 905.50KB

ACPT: Access Control Policy Testing System
National Institute of Standards and Technology
Department of Computer Science, North Carolina State University
Presenter: Prof. Tao Xie

ACPT Overview
- Model Construction: composing and combining access control (AC) models (e.g., Multi-Level, RBAC)
- Model Verification: verifying AC models against given properties
- Implementation Testing: testing AC implementation

Model Construction
Composing and combining AC models (e.g., Multi-Level and RBAC)
- Support mandatory AC models (e.g., Multi-Level and RBAC) popularly used in practice
- Ensure safety (i.e., absence of leakage) and flexibility in composing and combining mandatory AC models and rules
- Allow use of combination algorithms such as first-applicable, deny-overrides, permit-overrides

Model Verification
Verifying AC models against given properties
- AC models can include a large number of attributes (e.g., roles, objects, clearance)
- Conflicts among entities and their complexity may lead to misconfigurations
- Detect discrepancies between AC models and their intended function (specified as properties)
- Property verification is to check if AC models satisfy given properties (e.g., via model checking)

Implementation Testing
Testing AC implementations for implementation faults
- Generate test suite (access requests) based on AC models and properties
- Evaluate generated test suite against AC implementations to find faults
- Generated test suites can be applied to any AC implementations in deployment

ACPT System Architecture
[Diagram labels: GUI; AC Model Templates: Multi-Level, RBAC, Workflow, Chinese Wall; Model construction; AC Models/Rules; AC Properties; Model verification (e.g., model checker); Implementation testing (e.g., combinatorial tester); Test Suite; AC Implementations]
Goals
- Model verification: model/rule correctness
- Implementation testing: implementation conformance

Model Construction
- Allow composing mandatory AC models (as well as AC rules) through pre-defined model templates
  - Multi-Level, RBAC, Workflow, Chinese Wall models
- Allow specifying model details by assigning attribute values
  - e.g., role subjects, resources, and actions for RBAC
- Allow combining different AC models or rules
  - specifying model (or rule) priority for combining models or rules, e.g., combine Multi-Level with RBAC models

Model Verification
Conduct model verification to assure AC safety in composed/combined models
- Convert composed/combined models and user-specified properties to input models and properties of a verification tool (e.g., a model checker)
- Verify models against specified properties, and report detected property violations

Implementation Testing
Assure AC implementation conformance by evaluating generated access requests
- Test Generation: generate access requests (based on models/properties)
- Test Execution: evaluate requests (against AC implementation) and produce their decisions
- Test-Result Evaluation: check if the decisions are consistent with expected decisions (from properties or manual inspection, etc.)
  - If inconsistent, review implementation faults
[Diagram labels: Access Requests; AC Implementation; Decisions; Expected Decisions]

Combinatorial Test Generation
- Exhaustive testing is impractical (esp. when manual effort is needed for test-result inspection)
- Need to generate a small test suite with high fault-detection capability
- Exploit NIST Advanced Combinatorial Testing Suite (ACTS): collect domain variables in AC models and generate efficient test suite automatically to detect faults, with
  - inputs: a domain of variables
  - outputs: t-way covering arrays as tests

Combinatorial Test Generation Example
For example, domain of variables:
- 2 subjects: Faculty and Student
- 2 actions: write and view
- 2 resources: grades and records
Given the domain, 4 and 8 tests are generated for 2-way and 3-way interactions, respectively.

Combinatorial Test Generation Example
[Tables not preserved: Combinatorial tests based on 2-way interactions; Combinatorial tests based on 3-way interactions (being exhaustive tests)]

Compare ACPT with Commercial AC Tools
A commercial AC management tool does not have all the following capabilities that NIST ACPT has:
- AC model templates for specifying models: Multi-Level, RBAC, Workflow, Chinese Wall, etc.
  - Even some (such as IBM policy manager) claim to provide RBAC templates, but they are only simulated by using rules, and provide no support for Role or Attribute relation (hierarchy)
- Combination of multiple AC models
  - e.g., combine Multi-Level and RBAC models
- AC model verification to detect faults in models
  - IBM policy manager has only limited SOD (Separation of Duty) check
- Test-suite generation for testing AC implementations in deployment to detect faults in implementations

ACPT Future Work
- Model (and rule) priority configuration for combining different models or rules
- Generate deployable policies in XACML derived from verified AC model or rules
- More AC model templates including dynamic and historical AC models
- API or mechanism for acquiring or consuming information about users, attributes, resources, etc.
- Web-ACPT allowing convenient web-based model composition

Conclusion
ACPT: Access Control Policy Testing System
- Enable users to conveniently compose and combine various models such as Multi-Level and RBAC
- Provide high confidence of AC correctness
  - Model correctness via model verification
  - Implementation conformance via implementation testing

Questions?
vhunist.gov xiecsc.ncsu.edu

Role-Based Access Control (RBAC)
- Users are assigned to roles, e.g., doctor, nurse, patient.
- Permissions are associated with roles.
- A user has a permission if he is a member of some role with that permission.
- RBAC is relatively simple and widely used.
[Diagram labels: User Assignment; Permission Assignment; source: Stoller et al. 07]
(role_subject = Doctor) & (resource = OldMedicalRecords | resource = RecentMedicalRecords | resource = PrivateNotes) & (action = View) -> decision = Permit

Policy Synthesis
- XACML (eXtensible Access Control Markup Language) is a generic XML-based language for specifying AC policies
  - Extensible and flexible policy specification language
  - Considered as de facto standard
- ACPT takes a set of pre-defined XACML policy templates and synthesizes XACML policies from composed/combined models
  - Different models use different XACML policy templates
  - Extensible: support converting new models into XACML policies by adding new XACML policy templates

Synthesized XACML Policy Example
[XACML listing; markup not preserved. Remaining values: Student Secretary Grades Change Professor Lecturer Secretary Grades Records Change Jim Records Change Read]
- Rule 1: A student or secretary cannot change grades.
- Rule 2: A professor, lecturer, or secretary can change grades or records.
- Rule 3: Jim can change grades or records.
[Labels: RBAC_school policy; ABAC_school policy]

Model Verification
- ACPT currently uses the NuSMV model checker, a well-structured, flexible, and efficient tool (supporting CTL and LTL model checking)
[Diagram labels: Composed/Combined Models in NuSMV; Properties in NuSMV; NuSMV model checker; Detected Property Violations]

Compare ACPT with Commercial/Research AC tools
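The test generation, test execution and test-result evaluation steps described in the slides, run on the Faculty/Student domain from the combinatorial example. This is an added example, not ACPT or ACTS code: a simple greedy generator stands in for ACTS, and the AC model and the faulty implementation are constructed for illustration.

```python
from itertools import combinations, product

# Domain from the "Combinatorial Test Generation Example" slide.
DOMAIN = {
    "subject": ["Faculty", "Student"],
    "action": ["write", "view"],
    "resource": ["grades", "records"],
}

def interactions(test, t):
    """All t-way (parameter, value) combinations exercised by one test."""
    return set(combinations(sorted(test.items()), t))

def covering_array(domain, t):
    """Greedy t-way covering array (stand-in for ACTS): repeatedly take the
    candidate request covering the most still-uncovered t-way interactions."""
    names = list(domain)
    candidates = [dict(zip(names, vals)) for vals in product(*domain.values())]
    uncovered = set().union(*(interactions(c, t) for c in candidates))
    suite = []
    while uncovered:
        best = max(candidates, key=lambda c: len(interactions(c, t) & uncovered))
        suite.append(best)
        uncovered -= interactions(best, t)
    return suite

# Constructed AC model (assumption): Faculty may do anything, Student may only view.
def model(req):
    allowed = req["subject"] == "Faculty" or req["action"] == "view"
    return "Permit" if allowed else "Deny"

# Constructed faulty implementation: the Student/write denial was forgotten.
def faulty_impl(req):
    return "Permit"

def failing_tests(suite, impl, oracle):
    """Test execution and result evaluation: requests whose decision differs."""
    return [r for r in suite if impl(r) != oracle(r)]

if __name__ == "__main__":
    for t in (2, 3):
        suite = covering_array(DOMAIN, t)
        failed = failing_tests(suite, faulty_impl, model)
        print(f"{t}-way: {len(suite)} tests, {len(failed)} expose the fault")
```

The seeded fault depends on two variables (subject and action), so the 4-test 2-way suite is guaranteed to contain a request that exposes it.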
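How the choice of combination algorithm changes the outcome of Rules 1-3 from the synthesized policy slide, and how property verification exposes the conflict between Rule 1 and Rule 2 for a secretary. This is an added example, not ACPT output: exhaustive enumeration of the request space stands in for the NuSMV model checker, and the property, the attribute lists and the treatment of Jim as a subject value are assumptions.

```python
from itertools import product

# Rules 1-3 as captioned on the "Synthesized XACML Policy Example" slide:
# (subjects, actions, resources, effect). Treating Jim as a subject value
# is a modelling assumption of this example.
RULES = [
    ({"Student", "Secretary"}, {"Change"}, {"Grades"}, "Deny"),
    ({"Professor", "Lecturer", "Secretary"}, {"Change"}, {"Grades", "Records"}, "Permit"),
    ({"Jim"}, {"Change"}, {"Grades", "Records"}, "Permit"),
]
SUBJECTS = ["Student", "Secretary", "Professor", "Lecturer", "Jim"]
ACTIONS = ["Change", "Read"]
RESOURCES = ["Grades", "Records"]

def applicable_effects(request):
    """Effects of every rule whose target matches the request, in rule order."""
    subject, action, resource = request
    return [eff for subs, acts, ress, eff in RULES
            if subject in subs and action in acts and resource in ress]

def decide(request, algorithm):
    """Combine the applicable rule effects with the named algorithm."""
    effects = applicable_effects(request)
    if not effects:
        return "NotApplicable"
    if algorithm == "first-applicable":
        return effects[0]
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError(f"unknown combining algorithm: {algorithm}")

def violations(algorithm, prop):
    """Check a property over the whole finite request space and return the
    counterexamples, as a model checker would report them."""
    return [r for r in product(SUBJECTS, ACTIONS, RESOURCES)
            if not prop(r, decide(r, algorithm))]

# Constructed property: the combined policy never lets a Secretary change Grades.
def secretary_cannot_change_grades(request, decision):
    return request != ("Secretary", "Change", "Grades") or decision != "Permit"

if __name__ == "__main__":
    for alg in ("first-applicable", "deny-overrides", "permit-overrides"):
        print(alg, violations(alg, secretary_cannot_change_grades))
```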
