Formal Methods in System Design

, Volume 43, Issue 3, pp 450–492 | Cite as

Verification and enforcement of access control policies

  • Antonio CauEmail author
  • Helge Janicke
  • Ben Moszkowski


Access control mechanisms protect critical resources of systems from unauthorized access. In a policy-based management approach, administrators define user privileges as rules that determine the conditions and the extent of users’ access rights. As rules become more complex, analytical skills are required to identify conflicts and interactions within the rules that comprise a system policy—especially when rules are stateful and depend on event histories. Without adequate tool support such an analysis is error-prone and expensive. In consequence, many policy specifications are inconsistent or conflicting that render the system insecure. The security of the system, however, does not only depend on the correct specification of the security policy, but in a large part also on the correct interpretation of those rules by the system’s enforcement mechanism.

In this paper, we show how policy rules can be formalized in Fusion Logic, a temporal logic for the specification of behavior of systems. A symbolic decision procedure for Fusion Logic based on Binary Decision Diagrams (BDDs) is provided and we introduce a novel technique for the construction of enforcement mechanisms of access control policy rules that uses a BDD encoded enforcement automaton based on input traces which reflect state changes in the system. We provide examples of verification of policy rules, such as absence of conflicts, and dynamic separation of duty and of the enforcement of policies using our prototype implementation (FLCheck) for which we detail the underlying theory.


Access control policy Policy enforcement Policy verification Binary decision diagram 



The authors would like to thank the anonymous reviewers for their comments that were very helpful for shaping the manuscript.


  1. 1.
    Abadi M, Fournet C (2003) Access control based on execution history. In: 10th annual network and distributed system symposium (NDSS’03). The Internet Society, Reston, pp 1–15 Google Scholar
  2. 2.
    Antimirov VM (1996) Partial derivatives of regular expressions and finite automaton constructions. Theor Comput Sci 155(2):291–319. doi: 10.1016/0304-3975(95)00182-4 MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Bahrak B, Deshpande A, Whitaker M, Park JM (2010) Bresap: a policy reasoner for processing spectrum access policies represented by binary decision diagrams. In: 2010 IEEE symposium on new frontiers in dynamic spectrum, pp 1–12. doi: 10.1109/DYSPAN.2010.5457867 CrossRefGoogle Scholar
  4. 4.
    Bandara AK, Lupu EC, Sloman M (2007) Policy-based management. In: Burgess M, Bergstra J (eds) Handbook of network and system administration. Elsevier, Amsterdam Google Scholar
  5. 5.
    Bertino E, Bonatti PA, Ferrari E (2001) TRBAC: a temporal role-based access control model. ACM Trans Inf Syst Secur 4(3):191–233. doi: 10.1145/501978.501979 CrossRefGoogle Scholar
  6. 6.
    Bryant RE (1986) Graph-based algorithms for boolean function manipulation. IEEE Trans Comput 35(8):677–691. doi: 10.1109/TC.1986.1676819 CrossRefzbMATHGoogle Scholar
  7. 7.
    Bryant RE (1992) Symbolic boolean manipulation with ordered binary-decision diagrams. ACM Comput Surv 24(3):293–318. doi: 10.1145/136035.136043 CrossRefGoogle Scholar
  8. 8.
    Brzozowski JA (1964) Derivatives of regular expressions. J ACM 11:481–494. doi: 10.1145/321239.321249 MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Burch JR, Clarke EM, McMillan KL, Dill DL, Hwang LJ (1992) Symbolic model checking: 1020 states and beyond. Inf Comput 98(2):142–170. doi: 10.1016/0890-5401(92)90017-A MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Chaochen Z, Hoare CAR, Ravn AP (1991) A calculus of durations. Inf Process Lett 40(5):269–276. doi: 10.1016/0020-0190(91)90122-X MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Cimatti A, Clarke EM, Giunchiglia E, Giunchiglia F, Pistore M, Roveri M, Sebastiani R, Tacchella A (2002) NuSMV 2: an opensource tool for symbolic model checking. In: Brinksma E, Larsen KG (eds) CAV. Lecture notes in computer science, vol 2404. Springer, Berlin, pp 359–364 Google Scholar
  12. 12.
    Cimatti A, Roveri M, Tonetta S (2008) Symbolic compilation of PSL. IEEE Trans Comput-Aided Des Integr Circuits Syst 27(10):1737–1750. doi: 10.1109/TCAD.2008.2003303 CrossRefGoogle Scholar
  13. 13.
    Clarke EM Jr, Grumberg O, Peled DA (1999) Model checking. MIT Press, Cambridge Google Scholar
  14. 14.
    Coudert O, Berthet C, Madre JC (1989) Verification of sequential machines using boolean functional vectors. In: Claesen L (ed) Proceedings of the IFIP international workshop on applied formal methods for correct VLSI design, Leuven, Belgium, pp 111–128 Google Scholar
  15. 15.
    Coudert O, Berthet C, Madre JC (1989) Verification of synchronous sequential machines based on symbolic execution. In: Sifakis J (ed) Automatic verification methods for finite state systems, international workshop, Grenoble, France. LNCS, vol 407. Springer, Berlin, pp 365–373 CrossRefGoogle Scholar
  16. 16.
    Coudert O, Berthet C, Madre JC (1990) A unified framework for the formal verification of sequential circuits. In: Proceedings of the IEEE international conference on computer aided design, pp 126–129 Google Scholar
  17. 17.
    Damianou N, Dulay N, Lupu E, Sloman M (2001) The Ponder specification language. In: Workshop on policies for distributed systems and networks (Policy2001) Google Scholar
  18. 18.
    Duan Z, Tian C, Zhang L (2008) A decision procedure for propositional projection temporal logic with infinite models. Acta Inform 45:43–78. doi: 10.1007/s00236-007-0062-z MathSciNetCrossRefzbMATHGoogle Scholar
  19. 19.
    Elgaard J, Klarlund N, Møller A (1998) MONA 1.x: new techniques for WS1S and WS2S. In: Proceedings of the 10th international conference on computer-aided verification, CAV ’98. LNCS, vol 1427. Springer, Berlin, pp 516–520 CrossRefGoogle Scholar
  20. 20.
    Fisher M, Dixon C, Peim M (2001) Clausal temporal resolution. ACM Trans Comput Log 2(1):12–56. doi: 10.1145/371282.371311 MathSciNetCrossRefGoogle Scholar
  21. 21.
    Gomez R, Bowman H (2004) PITL2MONA: implementing a decision procedure for propositional interval temporal logic. J Appl Non-Class Log 14(1–2):105–148. Issue on Interval temporal logics and duration calculi. V Goranko and A Montanari guest eds CrossRefzbMATHGoogle Scholar
  22. 22.
    Harel D (1987) Statecharts: a visual formalism for complex systems. Sci Comput Program 8(3):231–274. doi: 10.1016/0167-6423(87)90035-9 MathSciNetCrossRefzbMATHGoogle Scholar
  23. 23.
    Harel D, Kozen D, Tiuryn J (2000) Dynamic logic. MIT Press, Cambridge zbMATHGoogle Scholar
  24. 24.
    Holzmann GJ (1997) The model checker SPIN. IEEE Trans Softw Eng 23(5):279–295 MathSciNetCrossRefGoogle Scholar
  25. 25.
    Hu H, Ahn GJ, Kulkarni K (2011) Anomaly discovery and resolution in web access control policies. In: Proceedings of the 16th ACM symposium on access control models and technologies. SACMAT ’11. ACM, New York, pp 165–174. doi: 10.1145/1998441.1998472 CrossRefGoogle Scholar
  26. 26.
    IBM Cooperation (2003) Enterprise privacy authorisation language (EPAL) version 1.2. Submitted to the W3C.
  27. 27.
    IEEE (2005) IEEE standard for property specification language (PSL), std 1850-2005. Tech rep, IEEE. doi: 10.1109/IEEESTD.2005.97780
  28. 28.
    ISO/IEC (2006) ISO/IEC 10181-3:1996 information technology—open systems interconnection—security frameworks for open systems: access control framework.
  29. 29.
    Jajodia S, Samarati P, Sapino ML, Subrahmanian VS (2001) Flexible support for multiple access control policies. ACM Trans Database Syst 26(2):214–260. doi: 10.1145/383891.383894 CrossRefzbMATHGoogle Scholar
  30. 30.
    Janicke H, Cau A, Siewe F, Zedan H, Jones K (2006) A compositional event & time-based policy model. In: Proceedings of POLICY2006, London, Ontario, Canada. IEEE Computer Society, London, pp 173–182 Google Scholar
  31. 31.
    Janicke H, Cau A, Siewe F, Zedan H (2007) Deriving enforcement mechanisms from policies. In: Proceedings of the 8th IEEE international workshop on policies for distributed systems (POLICY2007), pp 161–170 CrossRefGoogle Scholar
  32. 32.
    Janicke H, Cau A, Siewe F, Zedan H (2012) Dynamic access control policies: specification and verification. Comput J. doi: 10.1093/comjnl/bxs102 Google Scholar
  33. 33.
    Joshi J, Bertino E, Ghafoor A (2005) An analysis of expressiveness and design issues for the generalized temporal role-based access control model. IEEE Trans Dependable Secure Comput 2(2):157–175. doi: 10.1109/TDSC.2005.18 CrossRefGoogle Scholar
  34. 34.
    Joshi J, Bertino E, Latif U, Ghafoor A (2005) A generalized temporal role-based access control model. IEEE Trans Knowl Data Eng 17(1):4–23. doi: 10.1109/TKDE.2005.1 CrossRefGoogle Scholar
  35. 35.
    Klarlund N, Møller A (2001) MONA version 1.4 user manual. Notes series NS-01-1, BRICS, Department of Computer Science, Aarhus University. Available from Revision of BRICS NS-98-3
  36. 36.
    Kolovski V (2008) Logic-based framework for web access control policies. PhD thesis, Computer Science Department of University of Maryland, College Park Google Scholar
  37. 37.
    Kono S (1995) A combination of clausal and non-clausal temporal logic programs. In: Fisher M, Owens R (eds) Executable modal and temporal logics. Lecture notes in artificial intelligence, Cambery, France, vol 897. Springer, Berlin, pp 40–57 CrossRefGoogle Scholar
  38. 38.
    Kozen D (1992) Private commuication Google Scholar
  39. 39.
    Kropf T (1999) Introduction to formal hardware verification: methods and tools for designing correct circuits and systems, 1st edn. Springer, New York CrossRefGoogle Scholar
  40. 40.
    Lamport L (1994) The temporal logic of actions. ACM Trans Program Lang Syst 16(3):872–923. doi: 10.1145/177492.177726 CrossRefGoogle Scholar
  41. 41.
    Lampson BW (1974) Protection. Oper Syst Rev 8(1):18–24. doi: 10.1145/775265.775268 CrossRefGoogle Scholar
  42. 42.
    Leucker M, Sánchez C (2010) Regular linear-time temporal logic. In: Markey N, Wijsen J (eds) TIME. IEEE Computer Society, Los Alamitos, pp 3–5. doi: 10.1109/TIME.2010.29 Google Scholar
  43. 43.
    Lupu EC, Sloman M (1999) Conflicts in policy-based distributed systems management. IEEE Trans Softw Eng 25(6):852–869. doi: 10.1109/32.824414 CrossRefGoogle Scholar
  44. 44.
    Manna Z, Pnueli A (1992) The temporal logic of reactive and concurrent systems: specification. Springer, New York CrossRefGoogle Scholar
  45. 45.
    Masood A, Ghafoor A, Mathur AP (2010) Conformance testing of temporal role-based access control systems. IEEE Trans Dependable Secure Comput 7(2):144–158. doi: 10.1109/TDSC.2008.41 CrossRefGoogle Scholar
  46. 46.
    McMillan KL (1993) Symbolic model checking. Kluwer Academic, Norwell CrossRefzbMATHGoogle Scholar
  47. 47.
    Moszkowski B (1983) Reasoning about digital circuits. PhD thesis, Department of Computer Science, Stanford University, technical report STAN-CS-83-970 Google Scholar
  48. 48.
    Moszkowski B (1985) A temporal logic for multilevel reasoning about hardware. IEEE Trans Comput 18(2):10–19 Google Scholar
  49. 49.
    Moszkowski B (2004) A hierarchical completeness proof for propositional interval temporal logic with finite time. J Appl Non-Class Log 14(1–2):55–104. Special issue on Interval temporal logics and duration calculi CrossRefzbMATHGoogle Scholar
  50. 50.
    Moszkowski B (2005) A hierarchical analysis of propositional temporal logic based on intervals. In: Artemov S, Barringer H, d’Avila Garcez AS, Lamb LC, Woods J (eds) We will show them: essays in honour of Dov Gabbay, vol 2. King’s College, London, pp 371–440 Google Scholar
  51. 51.
    Moszkowski B (2011) Compositional reasoning using intervals and time reversal. In: International syposium on temporal representation and reasoning, pp 107–114. doi: 10.1109/TIME.2011.25 Google Scholar
  52. 52.
    OASIS (2005) eXtensible access control markup language (XACML) version 2.0.
  53. 53.
    Pandya PK (2001) Specifying and deciding quantified discrete-time duration calculus formulae using DCVALID. In: Pattersson P, Yovine S (eds) Proceedings of workshop on real-time tools (RT-TOOL’2001). Affiliated with CONCUR 2001, Uppsala University, Sweden, technical report 2001-14, full version available as technical report TCS-00-PKP-1, Tata Institute of Fundamental Research, 2000 Google Scholar
  54. 54.
    Park J, Sandhu RS (2004) The UCONABC usage control model. ACM Trans Inf Syst Secur 7(1):128–174. doi: 10.1145/984334.984339 CrossRefGoogle Scholar
  55. 55.
    Park J, Zhang X, Sandhu RS (2004) Attribute mutability in usage control. In: Farkas C, Samarati P (eds) Proceedings of IFIP TC11/WG 11.3 eighteenth annual conference on data and applications security, Sitges, Catalonia, Spain. Kluwer, Dordrecht, pp 15–29 Google Scholar
  56. 56.
    Prior AN (1967) Past, present and future. Oxford University Press, Oxford CrossRefzbMATHGoogle Scholar
  57. 57.
    Rao P, Lin D, Bertino E, Li N, Lobo J (2009) An algebra for fine-grained integration of xacml policies. In: Proceedings of the 14th ACM symposium on access control models and technologies, SACMAT ’09. ACM, New York, pp 63–72. doi: 10.1145/1542207.1542218 CrossRefGoogle Scholar
  58. 58.
    Sandhu R, Park J (2003) The UCONABC usage control model. In: Proceeding of the second international workshop on mathematical method, models and architectures for computer networks security Google Scholar
  59. 59.
    Schaad A, Lotz V, Sohr K (2006) A model-checking approach to analysing organisational controls in a loan origination process. In: Ferraiolo DF, Ray I (eds) SACMAT. ACM, New York, pp 139–149. doi: 10.1145/1133058.1133079 Google Scholar
  60. 60.
    Schneider FB (2000) Enforceable security policies. ACM Trans Inf Syst Secur 3(1):30–50. doi: 10.1145/353323.353382 CrossRefGoogle Scholar
  61. 61.
    Siewe F, Cau A, Zedan H (2003) A compositional framework for access control policies enforcement. In: Proceedings of the ACM workshop on formal methods in security engineering: from specifications to code Google Scholar
  62. 62.
    Sloman M (1994) Policy driven management for distributed systems. J Netw Syst Manag 2:333–360 CrossRefGoogle Scholar
  63. 63.
    Somenzi F (1998) CUDD: Colorado University decision diagram package. University of Colorado at Boulder.
  64. 64.
    Woo TYC, Lam SS (1993) Authorization in distributed systems: a new approach. J Comput Secur 2(2(3):107–136 Google Scholar
  65. 65.
    Zhang X, Park J, Parisi-Presicce F, Sandhu R (2004) A logical specification for usage control. In: SACMAT ’04: proceedings of the ninth ACM symposium on access control models and technologies. ACM, New York, pp 1–10. doi: 10.1145/990036.990038 CrossRefGoogle Scholar
  66. 66.
    Zhang X, Parisi-Presicce F, Sandhu RS, Park J (2005) Formal model and policy specification of usage control. ACM Trans Inf Syst Secur 8(4):351–387. doi: 10.1145/1108906.1108908 CrossRefGoogle Scholar
  67. 67.
    Zhang X, Sandhu RS, Parisi-Presicce F (2006) Safety analysis of usage control authorization models. In: Lin FC, Lee DT, Lin BS, Shieh S, Jajodia S (eds) ASIACCS. ACM, New York, pp 243–254. doi: 10.1145/1128817.1128853 CrossRefGoogle Scholar
  68. 68.
    Zhang X, Seifert JP, Sandhu RS (2008) Security enforcement model for distributed usage control. In: Singhal M, Serugendo GDM, Tsai JJP, Lee W, Römer K, Tseng YC, Hsiao HCW (eds) SUTC. IEEE Computer Society, Los Alamitos, pp 10–18. doi: 10.1109/SUTC.2008.79 Google Scholar

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. 1.Software Technology Research LaboratoryDe Montfort UniversityLeicesterUK

Personalised recommendations