Security policy verification for multi-domains in cloud systems

  • Antonios Gouglidis
  • Ioannis Mavridis
  • Vincent C. Hu


The cloud is a modern computing paradigm with the ability to support a business model by providing multi-tenancy, scalability, elasticity, pay-as-you-go and self-provisioning of resources by using broad network access. Yet, cloud systems are mostly bound to single domains, and collaboration among different cloud systems is an active area of research. Over time, such collaboration schemas are becoming of vital importance since they allow companies to diversify their services on multiple cloud systems to increase both uptime and usage of services. The existence of an efficient management process for the enforcement of security policies among the participating cloud systems would facilitate the adoption of multi-domain cloud systems. An important issue in collaborative environments is secure inter-operation. Stemming from the absence of relevant work in the area of cloud computing, we define a model checking technique that can be used as a management service/tool for the verification of multi-domain cloud policies. Our proposal is based on NIST’s (National Institute of Standards and Technology) generic model checking technique and has been enriched with RBAC reasoning. Current approaches in Grid systems are capable of verifying and detecting only conflicts and redundancies between two policies. However, the latter cannot overcome the risk of privileged user access in multi-domain cloud systems. In this paper, we provide the formal definition of the proposed technique and security properties that have to be verified in multi-domain cloud systems. Furthermore, an evaluation of the technique through a series of performance tests is provided.


Cloud computing · Collaboration · Multi-domain · RBAC · Secure inter-operation · Verification



This work has been (partially) funded by the Research Committee of the University of Macedonia, Greece.



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Antonios Gouglidis (1)
  • Ioannis Mavridis (1)
  • Vincent C. Hu (2)

  1. Department of Applied Informatics, University of Macedonia, Thessaloniki, Greece
  2. Computer Security Division, National Institute of Standards and Technology, Gaithersburg, USA
