Abstract
Novel computing paradigms, e.g., the Cloud, introduce new requirements with regard to access control, such as the utilization of historical information and continuity of decision. However, these concepts may add a further level of complexity to the underpinning model, rendering its definition and verification a cumbersome and error-prone process. Using a formal language to specify a model and formally verify it may lead to a rigorous definition of the interactions amongst its components, and to formal guarantees of its correctness. In this paper, we consider a case study in which we specify a formal model in TLA\(^+\) for both a policy-neutral and a policy-specific UseCON usage control model. Through that, we anticipate shedding light on the analysis and verification of usage control models and policies by sharing our experience of using TLA\(^+\)-specific tools.
Notes
The non-determinism property is implied by the use of the \(\exists \) operator. For comprehensive information refer to [15].
The determination of the exact interval is left open as an implementation issue.
The time period in which the ongoing predicates are evaluated is left implementation-specific by the UseCON model.
Since the specification of attributes is not present in the current model, we express the different categories of users through their IDs.
Termination is successful if, for all behaviors, the specification ends.
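A small TLA\(^+\) module illustrating notes 1 and 5 above (the non-determinism introduced by \(\exists\), and termination as "every behaviour ends"). This is an added toy example written for this page, not the UseCON specification from the authors' repository; the constants Users and Objects, the request life cycle, and all operator names are assumptions.

```tla
---- MODULE ToyUsage ----
EXTENDS Naturals, FiniteSets

CONSTANTS Users, Objects          \* assumed finite sets, supplied in the TLC model
\* A use request is a (user, object) pair; each one moves through a simple life cycle.
Requests == Users \X Objects
States == {"requested", "activated", "denied", "ended"}

VARIABLE state                    \* state[r] is the current state of request r

Init == state = [r \in Requests |-> "requested"]

\* Non-determinism (note 1): \E does not fix which pending request is decided, nor
\* whether it is activated or denied. TLC explores every choice as a separate branch.
Decide == \E r \in Requests :
            /\ state[r] = "requested"
            /\ \/ state' = [state EXCEPT ![r] = "activated"]
               \/ state' = [state EXCEPT ![r] = "denied"]

\* An activated use may later end.
End == \E r \in Requests :
         /\ state[r] = "activated"
         /\ state' = [state EXCEPT ![r] = "ended"]

Next == Decide \/ End

\* Weak fairness ensures no behaviour stalls while some action is still enabled.
Spec == Init /\ [][Next]_state /\ WF_state(Next)

TypeOK == state \in [Requests -> States]

\* Termination (note 5): in every behaviour, eventually no request is pending or active,
\* i.e. the specification "ends" and only stuttering steps remain.
Done == \A r \in Requests : state[r] \in {"denied", "ended"}
Termination == <>[]Done
====
```

When checking Termination with TLC, disable deadlock checking: a terminated behaviour has no enabled action, which TLC would otherwise report as a deadlock rather than as successful termination.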
References
Andoni, A., Daniliuc, D., Khurshid, S., Marinov, D.: Evaluating the “small scope hypothesis”. In: POPL, vol. 2. Citeseer (2003)
Backes, J., Bolignano, P., Cook, B., Dodge, C., Gacek, A., Luckow, K., Rungta, N., Tkachuk, O., Varming, C.: Semantic-based automated reasoning for AWS access policies using SMT. In: 2018 Formal Methods in Computer Aided Design (FMCAD), pp. 1–9. IEEE (2018)
Cau, A., Moszkowski, B., Zedan, H.: Interval temporal logic. https://www.cms.dmu.ac.uk/cau/itlhomepage/itlhomepage.html (2006)
Cimatti, A., Clarke, E., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebastiani, R., Tacchella, A.: NuSMV 2: An open source tool for symbolic model checking. In: International Conference on Computer Aided Verification, pp. 359–364. Springer (2002)
Gouglidis, A., Grompanopoulos, C., Mavridou, A.: Formal verification of usage control models: A case study of UseCON using TLA+. arXiv preprint arXiv:1806.09848 (2018)
Gouglidis, A., Mavridis, I., Hu, V.C.: Security policy verification for multi-domains in cloud systems. Int. J. Inf. Sec. 13(2), 97–111 (2014). https://doi.org/10.1007/s10207-013-0205-x
Grompanopoulos, C., Gouglidis, A.: UseCON specification. https://github.com/agouglidis/UseCON-TLA_PLUS (2020)
Grompanopoulos, C., Gouglidis, A., Mavridis, I.: A use-based approach for enhancing UCON. In: Security and Trust Management - 8th International Workshop, STM 2012, Pisa, Italy, September 13-14, 2012, Revised Selected Papers, pp. 81–96 (2012). https://doi.org/10.1007/978-3-642-38004-4_6
Holzmann, G.J.: The SPIN model checker: Primer and reference manual, vol. 1003. Addison-Wesley, Reading (2004)
Hu, V., Iorga, M., Bao, W., Li, A., Li, Q., Gouglidis, A.: General access control guidance for cloud systems. Tech. rep, National Institute of Standards and Technology (2020)
Hu, V.C., Kuhn, R., Yaga, D.: Verification and test methods for access control policies/models. NIST Spec. Publ. 800, 192 (2017). https://doi.org/10.6028/NIST.SP.800-192
Jackson, D.: Software Abstractions: Logic, Language, and Analysis. MIT press, Cambridge (2012)
Janicke, H., Cau, A., Zedan, H.: A note on the formalisation of UCON. In: Proceedings of the 12th ACM symposium on Access control models and technologies, SACMAT ’07, pp. 163–168. ACM, New York, NY, USA (2007)
Lamport, L.: The temporal logic of actions. ACM Trans. Progr. Lang. Syst. (TOPLAS) 16(3), 872–923 (1994)
Lamport, L.: Specifying Systems, The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley, Boston (2002)
Lazouski, A., Martinelli, F., Mori, P.: Usage control in computer security: A survey. Comput. Sci. Rev. 4(2), 81–99 (2010). https://doi.org/10.1016/j.cosrev.2010.02.002
Lu, J., Li, R., Hu, J., Xu, D.: Static enforcement of static separation-of-duty policies in usage control authorization models. IEICE Trans. 95–B(5), 1508–1518 (2012)
Macedo, N., Cunha, A.: Alloy meets TLA+: An exploratory study. arXiv preprint arXiv:1603.03599 (2016)
Martinelli, F., Mori, P.: On usage control for grid systems. Future Gener. Comput. Syst. 26(7), 1032–1042 (2010). https://doi.org/10.1016/j.future.2009.12.005
Oetsch, J., Prischink, M., Pührer, J., Schwengerer, M., Tompits, H.: On the small-scope hypothesis for testing answer-set programs. In: Thirteenth International Conference on the Principles of Knowledge Representation and Reasoning (2012)
Pretschner, A., Ruesch, J., Schaefer, C., Walter, T.: Formal analyses of usage control policies. In: Availability, Reliability and Security, 2009. ARES ’09. International Conference on, pp. 98–105 (2009). https://doi.org/10.1109/ARES.2009.100
Rajkumar, P., Ghosh, S., Dasgupta, P.: Concurrent usage control implementation verification using the spin model checker. In: Meghanathan, N., Boumerdassi, S., Chaki, N., Nagamalai, D. (eds.) Recent Trends in Network Security and Applications, Communications in Computer and Information Science, vol. 89, pp. 214–223. Springer, Berlin Heidelberg (2010). https://doi.org/10.1007/978-3-642-14478-3_22
Ranise, S., Armando, A.: On the automated analysis of safety in usage control: A new decidability result. In: Xu, L., Bertino, E., Mu, Y. (eds.) Network and System Security. Lecture Notes in Computer Science, vol. 7645, pp. 15–28. Springer, Berlin Heidelberg (2012). https://doi.org/10.1007/978-3-642-34601-9_2
Samarati, P., de Vimercati, S.C.: Access control: Policies, models, and mechanisms. In: International School on Foundations of Security Analysis and Design, pp. 137–196. Springer (2000)
Yuan, D., Luo, Y., Zhuang, X., Rodrigues, G.R., Zhao, X., Zhang, Y., Jain, P.U., Stumm, M.: Simple testing can prevent most critical failures: An analysis of production failures in distributed data-intensive systems. In: 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14), pp. 249–265 (2014)
Zave, P.: Using lightweight modeling to understand chord. ACM SIGCOMM Comput. Commun. Rev. 42(2), 49–57 (2012)
Zhang, X., Nakae, M., Covington, M.J., Sandhu, R.S.: Toward a usage-based security framework for collaborative computing systems. ACM Trans. Inf. Syst. Secur. 11(1), 3:1–3:36 (2008). https://doi.org/10.1145/1330295.1330298
Zhang, X., Parisi-Presicce, F., Sandhu, R., Park, J.: Formal model and policy specification of usage control. ACM Trans. Inf. Syst. Secur. 8, 351–387 (2005)
Zhang, X., Sandhu, R., Parisi-Presicce, F.: Safety analysis of usage control authorization models. In: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, ASIACCS ’06, pp. 243–254. ACM, New York, NY, USA (2006)
Zhang, X., Sandhu, R.S., Parisi-Presicce, F.: Formal model and analysis of usage control. George Mason University, Fairfax (2006)
Acknowledgements
We would like to thank the anonymous reviewers for their helpful feedback that resulted in improving the overall quality of this paper.
Cite this article
Grompanopoulos, C., Gouglidis, A. & Mavridou, A. Specifying and verifying usage control models and policies in TLA\(^+\). Int J Softw Tools Technol Transfer 23, 685–700 (2021). https://doi.org/10.1007/s10009-020-00600-0