
Specifying and verifying usage control models and policies in TLA+

Special Issue: MeTRID

International Journal on Software Tools for Technology Transfer

Abstract

Novel computing paradigms, e.g., the Cloud, introduce new access control requirements such as the use of historical information and continuity of decision. These concepts, however, add complexity to the underlying model, making its definition and verification cumbersome and error-prone. Specifying a model in a formal language and verifying it formally can yield a rigorous definition of the interactions among its components and formal guarantees of its correctness. In this paper we present a case study in which we specify both a policy-neutral and a policy-specific UseCON usage control model in TLA+. Through it, we aim to shed light on the analysis and verification of usage control models and policies by sharing our experience with the TLA+ tools.



Notes

  1. The non-determinism property is implied by the use of the \(\exists \) operator. For comprehensive information refer to [15].

  2. The determination of the exact interval is left open as an implementation issue.

  3. The time period in which the ongoing predicates are evaluated is left implementation-specific by the UseCON model.

  4. Since the specification of attributes is not present in the current model, we express the different categories of users through their IDs.

  5. Termination is successful if, for all behaviors, the specification ends.
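The notes above touch on four mechanics of the specification: non-determinism coming from \(\exists \) (note 1), an ongoing-evaluation interval that is left abstract (notes 2 and 3), user categories expressed through IDs (note 4), and termination over all behaviors (note 5). The following toy module is an added example written for this page to illustrate those mechanics; it is not the authors' UseCON specification [7]. The module name, variables, actions, the "only currently privileged users may use an object" policy and the TLC configuration are all assumptions chosen so that TLC has something concrete to check.

```tla
---- MODULE UsageToy ----
\* Added example for this page: a toy usage-control session, NOT the
\* authors' UseCON specification. Names and policy are assumptions.
EXTENDS Naturals

\* Users are non-zero naturals; categories are expressed through IDs
\* (cf. note 4): users in Privileged start out authorized.
CONSTANTS Users, Objects, Privileged, MaxTicks

ASSUME /\ Users # {} /\ Objects # {}
       /\ 0 \notin Users /\ "none" \notin Objects
       /\ Privileged \subseteq Users

VARIABLES state, user, obj, priv, ticks
vars == <<state, user, obj, priv, ticks>>

States == {"idle", "requested", "ongoing", "denied", "revoked", "done"}
Terminal == state \in {"denied", "revoked", "done"}

TypeOK ==
  /\ state \in States
  /\ user \in Users \cup {0}
  /\ obj \in Objects \cup {"none"}
  /\ priv \subseteq Users
  /\ ticks \in 0..MaxTicks

Init ==
  /\ state = "idle" /\ user = 0 /\ obj = "none"
  /\ priv = Privileged /\ ticks = 0

\* Non-determinism (cf. note 1): \E lets any user request any object;
\* TLC explores every choice.
Request ==
  /\ state = "idle"
  /\ \E u \in Users, o \in Objects : user' = u /\ obj' = o
  /\ state' = "requested"
  /\ UNCHANGED <<priv, ticks>>

\* Pre-decision: a hypothetical policy, "only currently privileged users".
Decide ==
  /\ state = "requested"
  /\ state' = IF user \in priv THEN "ongoing" ELSE "denied"
  /\ UNCHANGED <<user, obj, priv, ticks>>

\* Attributes may change while usage is ongoing; a user can lose privilege.
Demote ==
  /\ \E u \in priv : priv' = priv \ {u}
  /\ UNCHANGED <<state, user, obj, ticks>>

\* Ongoing evaluation (cf. notes 2 and 3): the predicate is re-checked at
\* each tick; how long a tick is stays abstract. MaxTicks bounds the model.
Tick ==
  /\ state = "ongoing" /\ ticks < MaxTicks
  /\ ticks' = ticks + 1
  /\ state' = IF user \in priv THEN "ongoing" ELSE "revoked"
  /\ UNCHANGED <<user, obj, priv>>

End ==
  /\ state = "ongoing"
  /\ state' = "done"
  /\ UNCHANGED <<user, obj, priv, ticks>>

\* The last disjunct lets terminal states stutter so TLC does not report
\* them as deadlock.
Next == Request \/ Decide \/ Demote \/ Tick \/ End \/ (Terminal /\ UNCHANGED vars)

Spec == Init /\ [][Next]_vars /\ WF_vars(Next)

\* Naive safety invariant. It FAILS: after Decide, a Demote of the active
\* user leaves state = "ongoing" until the next Tick. That lag is what
\* continuity of decision means, and TLC shows it as a short trace.
NoUnauthorizedUse == state = "ongoing" => user \in priv

\* What actually holds: usage never STARTS for an unprivileged user ...
NoUnauthorizedStart ==
  [][state = "requested" /\ state' = "ongoing" => user \in priv]_vars

\* ... and once privilege is lost, the ongoing phase eventually ends.
Revocation == [](state = "ongoing" /\ user \notin priv => <>(state # "ongoing"))

\* Termination (cf. note 5): every behavior reaches a terminal state.
\* Holds because priv only shrinks and ticks is bounded.
Termination == <>Terminal

(* Assumed TLC configuration (UsageToy.cfg):
     SPECIFICATION Spec
     CONSTANTS Users = {1, 2, 3}  Objects = {"o1"}  Privileged = {3}  MaxTicks = 2
     INVARIANTS TypeOK NoUnauthorizedUse
     PROPERTIES NoUnauthorizedStart Revocation Termination
   Expect NoUnauthorizedUse to be violated (Request, Decide, Demote);
   the other properties pass. *)
====
```

Running TLC with the configuration in the trailing comment reports the violation of NoUnauthorizedUse after Request, Decide and Demote; the safety property that survives is the action-level NoUnauthorizedStart, and the temporal Revocation property captures the continuity-of-decision guarantee that the invariant cannot express. The small scope (three users, one object, two ticks) is deliberate: liveness checking with WF_vars(Next) is cheap here and Termination is discharged over every behavior, not just a sample.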

References

  1. Andoni, A., Daniliuc, D., Khurshid, S., Marinov, D.: Evaluating the "small scope hypothesis". In: POPL, vol. 2 (2003)

  2. Backes, J., Bolignano, P., Cook, B., Dodge, C., Gacek, A., Luckow, K., Rungta, N., Tkachuk, O., Varming, C.: Semantic-based automated reasoning for AWS access policies using SMT. In: 2018 Formal Methods in Computer Aided Design (FMCAD), pp. 1–9. IEEE (2018)

  3. Cau, A., Moszkowski, B., Zedan, H.: Interval temporal logic. https://www.cms.dmu.ac.uk/cau/itlhomepage/itlhomepage.html (2006)

  4. Cimatti, A., Clarke, E., Giunchiglia, E., Giunchiglia, F., Pistore, M., Roveri, M., Sebastiani, R., Tacchella, A.: NuSMV 2: An open-source tool for symbolic model checking. In: International Conference on Computer Aided Verification, pp. 359–364. Springer (2002)

  5. Gouglidis, A., Grompanopoulos, C., Mavridou, A.: Formal verification of usage control models: A case study of UseCON using TLA+. arXiv preprint arXiv:1806.09848 (2018)

  6. Gouglidis, A., Mavridis, I., Hu, V.C.: Security policy verification for multi-domains in cloud systems. Int. J. Inf. Sec. 13(2), 97–111 (2014). https://doi.org/10.1007/s10207-013-0205-x

  7. Grompanopoulos, C., Gouglidis, A.: UseCON specification. https://github.com/agouglidis/UseCON-TLA_PLUS (2020)

  8. Grompanopoulos, C., Gouglidis, A., Mavridis, I.: A use-based approach for enhancing UCON. In: Security and Trust Management - 8th International Workshop, STM 2012, Pisa, Italy, September 13-14, 2012, Revised Selected Papers, pp. 81–96 (2012). https://doi.org/10.1007/978-3-642-38004-4_6

  9. Holzmann, G.J.: The SPIN model checker: Primer and reference manual, vol. 1003. Addison-Wesley, Reading (2004)

  10. Hu, V., Iorga, M., Bao, W., Li, A., Li, Q., Gouglidis, A.: General access control guidance for cloud systems. Tech. rep, National Institute of Standards and Technology (2020)

  11. Hu, V.C., Kuhn, R., Yaga, D.: Verification and test methods for access control policies/models. NIST Spec. Publ. 800, 192 (2017). https://doi.org/10.6028/NIST.SP.800-192

  12. Jackson, D.: Software Abstractions: Logic, Language, and Analysis. MIT press, Cambridge (2012)

  13. Janicke, H., Cau, A., Zedan, H.: A note on the formalisation of UCON. In: Proceedings of the 12th ACM symposium on Access control models and technologies, SACMAT ’07, pp. 163–168. ACM, New York, NY, USA (2007)

  14. Lamport, L.: The temporal logic of actions. ACM Trans. Progr. Lang. Syst. (TOPLAS) 16(3), 872–923 (1994)

  15. Lamport, L.: Specifying Systems, The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley, Boston (2002)

  16. Lazouski, A., Martinelli, F., Mori, P.: Usage control in computer security: A survey. Comput. Sci. Rev. 4(2), 81–99 (2010). https://doi.org/10.1016/j.cosrev.2010.02.002

  17. Lu, J., Li, R., Hu, J., Xu, D.: Static enforcement of static separation-of-duty policies in usage control authorization models. IEICE Trans. 95–B(5), 1508–1518 (2012)

  18. Macedo, N., Cunha, A.: Alloy meets TLA+: An exploratory study. arXiv preprint arXiv:1603.03599 (2016)

  19. Martinelli, F., Mori, P.: On usage control for grid systems. Future Gener. Comput. Syst. 26(7), 1032–1042 (2010). https://doi.org/10.1016/j.future.2009.12.005

  20. Oetsch, J., Prischink, M., Pührer, J., Schwengerer, M., Tompits, H.: On the small-scope hypothesis for testing answer-set programs. In: Thirteenth International Conference on the Principles of Knowledge Representation and Reasoning (2012)

  21. Pretschner, A., Ruesch, J., Schaefer, C., Walter, T.: Formal analyses of usage control policies. In: 2009 International Conference on Availability, Reliability and Security (ARES '09), pp. 98–105 (2009). https://doi.org/10.1109/ARES.2009.100

  22. Rajkumar, P., Ghosh, S., Dasgupta, P.: Concurrent usage control implementation verification using the SPIN model checker. In: Meghanathan, N., Boumerdassi, S., Chaki, N., Nagamalai, D. (eds.) Recent Trends in Network Security and Applications, Communications in Computer and Information Science, vol. 89, pp. 214–223. Springer, Berlin Heidelberg (2010). https://doi.org/10.1007/978-3-642-14478-3_22

  23. Ranise, S., Armando, A.: On the automated analysis of safety in usage control: A new decidability result. In: Xu, L., Bertino, E., Mu, Y. (eds.) Network and System Security. Lecture Notes in Computer Science, vol. 7645, pp. 15–28. Springer, Berlin Heidelberg (2012). https://doi.org/10.1007/978-3-642-34601-9_2

  24. Samarati, P., de Vimercati, S.C.: Access control: Policies, models, and mechanisms. In: International School on Foundations of Security Analysis and Design, pp. 137–196. Springer (2000)

  25. Yuan, D., Luo, Y., Zhuang, X., Rodrigues, G.R., Zhao, X., Zhang, Y., Jain, P.U., Stumm, M.: Simple testing can prevent most critical failures: An analysis of production failures in distributed data-intensive systems. In: 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 14), pp. 249–265 (2014)

  26. Zave, P.: Using lightweight modeling to understand chord. ACM SIGCOMM Comput. Commun. Rev. 42(2), 49–57 (2012)

  27. Zhang, X., Nakae, M., Covington, M.J., Sandhu, R.S.: Toward a usage-based security framework for collaborative computing systems. ACM Trans. Inf. Syst. Secur. 11(1), 3:1–3:36 (2008). https://doi.org/10.1145/1330295.1330298

  28. Zhang, X., Parisi-Presicce, F., Sandhu, R., Park, J.: Formal model and policy specification of usage control. ACM Trans. Inf. Syst. Secur. 8, 351–387 (2005)

  29. Zhang, X., Sandhu, R., Parisi-Presicce, F.: Safety analysis of usage control authorization models. In: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, ASIACCS ’06, pp. 243–254. ACM, New York, NY, USA (2006)

  30. Zhang, X., Sandhu, R.S., Parisi-Presicce, F.: Formal model and analysis of usage control. George Mason University, Fairfax (2006)


Acknowledgements

We would like to thank the anonymous reviewers for their helpful feedback that resulted in improving the overall quality of this paper.

Corresponding author

Correspondence to Christos Grompanopoulos.


About this article

Cite this article

Grompanopoulos, C., Gouglidis, A. & Mavridou, A. Specifying and verifying usage control models and policies in TLA+. Int J Softw Tools Technol Transfer 23, 685–700 (2021). https://doi.org/10.1007/s10009-020-00600-0
