
Automated Analysis of Access Control Policies Based on Model Checking

  • Original Research
  • SN Computer Science

A Publisher Correction to this article was published on 28 September 2023

Abstract

Access control is becoming increasingly important for today’s ubiquitous systems, which provide mechanisms to protect sensitive resources against unauthorized users. In access control models, the administration of access control policies is a task of paramount importance for distributed systems. A crucial analysis problem is to foresee whether a set of administrators can give a user an unauthorized access permission. In this paper, we consider the analysis problem in the context of administrative role-based access control (ARBAC) and its extension, administrative temporal role-based access control (ATRBAC). In more detail, we present how to design analysis techniques, namely asasp2.1 and asaspTIME2.0 for ARBAC and ATRBAC, respectively, which are based on the ideas of a framework for analyzing infinite state-transition systems. Moreover, we describe how we design heuristics to enable the analysis techniques to scale up to handle large and complex authorization policies. An extensive experimentation shows that the proposed techniques are scalable and that the heuristics play a key role in the success of the analysis tools over well-known analysis techniques.

References

  1. De Capitani di Vimercati S, Foresti S, Jajodia S, Samarati P. Access control policies and languages. Int J Comput Sci Eng (IJCSE). 2007;3(2):94–102.

  2. Ranise S, Truong TA, Armando A. Boosting model checking to analyse large ARBAC policies. In: STM’12, LNCS vol. 7783; 2012. p. 273–288.

  3. Ranise S, Truong AT, Armando A. Boosting model checking to analyse large ARBAC policies. In: Jøsang A, Samarati P, Petrocchi M, editors. Security and trust management, LNCS vol. 7783. Berlin, Heidelberg: Springer; 2013. p. 273–88.

  4. Ranise S, Truong A, Armando A. Scalable and precise automated analysis of administrative temporal role-based access control. In: SACMAT; 2014. p. 103–114. ACM.

  5. Ranise S, Truong A. Incremental analysis of evolving administrative role based access control policies. In: DBSec; 2014. p. 260–275. Springer.

  6. Ranise S, Truong A, Viganò L. Automated analysis of RBAC policies with temporal constraints and static role hierarchies. In: SAC; 2015. p. 2177–2184. ACM.

  7. Truong A, Ton H. Solving the user-role reachability problem in ARBAC with role hierarchy. In: ACOMP; 2016. p. 3–10. IEEE.

  8. Truong A, Ranise S. ASASPXL: new clother for analysing ARBAC policies. In: FDSE; 2016. p. 267–284. Springer.

  9. Sandhu R, Coyne E, Feinstein H, Youman C. Role-based access control models. IEEE Comput. 1996;2(29):38–47.

  10. Bertino E, Bonatti P, Ferrari E. TRBAC: a temporal role based access control model. ACM Trans Inf Syst Secur. 2001;4(3):191–233.

  11. Joshi JBD, Bertino E, Latif U, Ghafoor A. A generalized temporal role-based access control model. IEEE Trans Knowl Data Eng. 2005;7(1):4–23.

  12. Uzun E, Atluri V, Sural S, Vaidya J, Parlato G, Ferrara AL. Analyzing temporal role based access control models. In: Proc. of Symp. on Access Control Models and Tech.; 2012. p. 177–186. ACM.

  13. Dinh K, Tran T, Truong A. Enhanced analysis of authorization policies with contextual information. In: SEATUC; 2019. p. 41–87. IEEE.

  14. Dinh K, Tran T, Truong A. Security analysis of administrative role-based access control policies with contextual information. In: FDSE; 2017. p. 243–261. Springer.

  15. Truong A. Adventures in the analysis of access control policies. In: FDSE; 2019. p. 243–261. Springer.

  16. Viganò L, Ranise S, Truong A. Automated and efficient analysis of administrative temporal RBAC policies with role hierarchies. J Comput Secur. 2018;26:423–58.

  17. Truong A, Dinh K. Automated security analysis of authorization policies with contextual information. Trans Large-Scale Data Knowl Cent Syst XLI. 2019;1:107–39.

  18. Nguyen T, Truong A, Ranise S. Scalable automated analysis of access control and privacy policies. Trans Large-Scale Data Knowl Cent Syst XXXVI. 2017;1:142–71.

  19. Traverso R, Ranise S, Truong A. Parameterized model checking for security policy analysis. Int J Softw Tools Technol Transfer. 2016;18:559–73.

  20. Crampton J. Understanding and developing role-based administrative models. In: Proc. 12th ACM Conf. on Comp. and Comm. Security (CCS); 2005. p. 158–167. ACM Press.

  21. Stoller SD, Yang P, Ramakrishnan CR, Gofman MI. Efficient policy analysis for administrative role based access control. In: Proc. of the 14th Conf. on Computer and Communications Security (CCS); 2007. ACM Press.

  22. Sasturkar A, Yang P, Stoller SD, Ramakrishnan CR. Policy analysis for administrative role based access control. In: Proc. of the 19th Computer Security Foundations (CSF) Workshop; July 2006. IEEE Computer Society Press.

  23. Ghilardi S, Ranise S. MCMT: a model checker modulo theories. In: Proc. of IJCAR’10, LNCS; 2010. To appear.

  24. Ghilardi S, Ranise S. Backward reachability of array-based systems by SMT solving: termination and invariant synthesis. LMCS. 2010;6(4).

  25. Alberti F, Armando A, Ranise S. ASASP: automated symbolic analysis of security policies. In: Proc. of the 23rd International Conference on Automated Deduction (CADE’11), LNCS vol. 6803; 2011. p. 26–34. Springer.

  26. Jayaraman K, Ganesh V, Tripunitara M, Rinard M, Chapin S. Automatic error finding for access-control policies. In: Proc. of the ACM Conf. on Computer and Communications Security (CCS); 2011. ACM.

  27. Ghilardi S, Nicolini E, Ranise S, Zucchelli D. Towards SMT model-checking of array-based systems. In: Proc. of IJCAR, LNCS; 2008.

  28. Armando A, Ranise S. Automated symbolic analysis of ARBAC policies. In: 6th STM Workshop, LNCS vol. 6710; 2010. p. 17–33. Springer.

  29. Gofman MI, Luo R, Solomon AC, Zhang Y, Yang P, Stoller SD. RBAC-PAT: a policy analysis tool for role based access control. In: TACAS, LNCS vol. 5505; 2009. p. 46–49. Springer.

  30. Armando A, Ranise S. Scalable automated symbolic analysis of administrative role-based access control policies by SMT solving. J Comput Secur. 2012;20(4):309–52.

Acknowledgements

This work was funded by Vietnam National University-Ho Chi Minh City under the research project C2020-20-30.

Author information

Correspondence to Anh Truong.

Additional information

This article is part of the topical collection “Future Data and Security Engineering 2019” guest edited by Tran Khanh Dang.

Appendix

Extending MCMT to the Analysis of TRBAC Policies

Symbolic Representation of TRBAC Configurations

We now show how to formalize TRBAC configurations by extending the approach proposed in [30]. The main idea is to use the models of certain sets of first-order formulae, called theories, to represent TRBAC configurations. In particular, we first identify finite sets of formulae that constrain the interpretation of a finite set of symbols representing the sets U, R, TS and the relation TUA. Then, we show how first-order formulae can represent the initial TRBAC configuration, the goals, and the administrative actions. The symbolic representation of U and R can be found in [30]. The idea is to use an enumerated data-type for the set of roles (and likewise for the set of users) and then encode the data-type as first-order formulae. In the same way, we use an enumerated data-type for the set of time slots and encode it in first-order logic.

Let \(\varSigma _U\) be a signature containing the sort symbol User and countably many constant symbols \({\mathsf {u}}_i\) for \(i \ge 0\). We consider the theory \(T_U\) axiomatized by a finite (possibly empty) set of universal sentences. For example, when the set of axioms of \(T_U\) is that of an enumerated data-type with values \(u_1, \ldots , u_n\), every structure in \(Mod(T_U)\) has the set \(U := \{u_1, \ldots , u_n\}\) as domain, and the constants in \(\varSigma _U\) are interpreted as elements of U. Interestingly, when the set of axioms of \(T_U\) is empty, the domain of any structure in \(Mod(T_U)\) can be taken to be a finite subset U (of unknown cardinality) of an infinite set, with the constants in \(\varSigma _U\) interpreted as elements of U. In a similar way, let \(\varSigma _R\) and \(\varSigma _{TS}\) be the signatures containing the sort symbol Role with n constant symbols \({\mathsf {r}}_1, \ldots , {\mathsf {r}}_n\), and the sort symbol TimeSlot with m constant symbols \(\mathsf {ts}_1, \ldots , \mathsf {ts}_m\), respectively. The theories \(T_{R}\) and \(T_{TS}\) are finite sets of formulae that constrain the interpretation of the symbols in the corresponding signatures. We now show how to formalize the other elements of TRBAC.

Recall that a configuration of a (sub) TRBAC system is a tuple \(( TUA , t)\). We assume that the execution of an administrative action \((C_\mathrm{a}, tsl_1, C, tsl_2, r)\) is instantaneous (\(tsl_1\) and \(tsl_2\) are time slots). If an action can be fired at a time instant \(t \in tsl_1\), it can be fired throughout the time slot \(tsl_1\) (e.g., see Section “Temporal Role-Based Access Control”). It is thus sufficient to record the current time slot of the system rather than an exact value of time. In other words, we treat a time slot as the “unit of time” rather than a time instant. The configurations of the system thus have the form \((TUA, ts)\), where ts holds the current time slot of the system.

Symbolic representation of TRBAC configurations. Let us now consider the \(\varSigma _{TRBAC}\)-theory \(T_{TRBAC} := T_U \cup T_R \cup T_{TS}\), where \(\varSigma _{TRBAC} := \varSigma _{U} \cup \varSigma _{R} \cup \varSigma _{TS} \cup \{ua : User \times Role \times 2^{TimeSlot}\} \cup \{cl : TimeSlot\}\). Intuitively, the interpretations of the predicate symbol ua are the temporal user-role assignments \(TUA \subseteq U \times R \times 2^{TS}\), and the predicate symbol cl is interpreted as the current time slot of the system. Therefore, any structure in \(Mod(T_{TRBAC})\) represents a TRBAC configuration \((TUA, ts)\), because the components U, R, and TS are constrained by the axioms of \(T_{TRBAC}\).

We now consider how to represent the goals and initial TRBAC state of the (timed) user-role reachability problem. x, y (and \(y_1\), ..., \(y_k\)), z (and \(z_1\), ..., \(z_l\), t) are variables of sort User, Role, and TimeSlot, respectively:

Symbolic representation of initial TRBAC configuration. An initial configuration of a TRBAC system is a tuple \(( TUA_0 , ts_0)\). Typically, \(TUA_0\) contains finitely many user-role-time-slot tuples. We represent the initial configuration \(( TUA_0 , ts_0)\), where \(ts_0\) is a time slot in TS, by means of the following formula:

$$\begin{aligned}&\forall x, y, z, t . \nonumber \\&\left[ (ua(x, y, z) \Leftrightarrow \bigvee _{(u, r, s) \in TUA_0 }{(x = {\mathsf {u}} \wedge y = {\mathsf {r}} \wedge z = {\mathsf {s}})})\right. \nonumber \\&\left. \wedge (cl(t) \Leftrightarrow t = ts_0) \right] , \end{aligned}$$
(1)

where \({\mathsf {u}}\), \({\mathsf {r}}\), and \({\mathsf {s}}\) are constants in \(\varSigma _{TRBAC}\) whose interpretation is \(u \in U\), \(r \in R\), and \(s \in TS\), respectively.

Symbolic representation of TRBAC goals. Recall that a goal of the (timed) user-role reachability problem is a tuple \((u_\mathrm{g}, R_\mathrm{g}, tc_\mathrm{g})\) where \(u_\mathrm{g}\) is a user, \(R_\mathrm{g} = \{r_{i1}, \ldots , r_{ik}\}\) is a finite set of roles, and \(tc_\mathrm{g} = \{ts_{i1}, \ldots , ts_{il}\}\) is a time schedule. The goal is satisfied if there exists a configuration whose relation TUA is such that the user \(u_\mathrm{g}\) is a member of each role in \(R_\mathrm{g}\) in every time slot in \(tc_\mathrm{g}\). We use the following formula to represent the goal:

$$\begin{aligned}&\exists x, y_1, \ldots , y_k, z_1, \ldots , z_l, t .\nonumber \\&\left[ \begin{array}{l} x = \mathsf {u_\mathrm{g}} \wedge y_1 = \mathsf {r_{i1}} \wedge \cdots \wedge y_k = \mathsf {r_{ik}} \wedge z_1 = \mathsf {ts_{i1}} \wedge \cdots \wedge z_l = \mathsf {ts_{il}} \wedge \\ ua(x, y_1, z_1) \wedge \cdots \wedge ua(x, y_1, z_l) \wedge \cdots \wedge \\ ua(x, y_k, z_1) \wedge \cdots \wedge ua(x, y_k, z_l) \wedge cl(t) \end{array} \right] , \end{aligned}$$
(2)

where \(\mathsf {u_\mathrm{g}}\), \(\mathsf {r_{i1}}\), ..., \(\mathsf {r_{ik}}\), \(\mathsf {ts_{i1}}\), ..., \(\mathsf {ts_{il}}\) are constants in \(\varSigma _{TRBAC}\) whose interpretation is \(u_\mathrm{g} \in U\), \(r_{i1}, \ldots , r_{ik} \in R\), and \(ts_{i1}, \ldots , ts_{il} \in TS\), respectively. Note that with our approach it is easy to treat the problem with a timed goal (e.g., see Section “Role-Based Access Control and Administration”) by adding constraints on the predicate cl.

Example 3

Consider the hospital in Example 1: \(U = \{{\mathsf {A}}, {\mathsf {B}}, {\mathsf {C}}\}\), \(R = \{\mathsf {EMP}, \mathsf {DDR},\) \(\mathsf {NDR}, \mathsf {PRC},\) \(\mathsf {NRS}, \mathsf {SEC}, \mathsf {CHR}\}\), and \(TS = \{\mathsf {ts_1}, \mathsf {ts_2}, \mathsf {ts_3}\}\).

The axioms of \(T_U\) are those of an enumerated data-type with the values \({\mathsf {A}}\), \({\mathsf {B}}\), and \({\mathsf {C}}\). Similarly, we use the theory of an enumerated data-type with the seven values \(\mathsf {EMP}\), \(\mathsf {DDR}\), \(\mathsf {NDR}\), \(\mathsf {PRC}\), \(\mathsf {NRS}\), \(\mathsf {SEC}\), and \(\mathsf {CHR}\) for roles, and that of an enumerated data-type with the three values \(\mathsf {ts_1}\), \(\mathsf {ts_2}\), \(\mathsf {ts_3}\) for time slots.

Let us consider the theory \(T_{TRBAC}\) obtained by taking the union of the above theories and expanding their signature with the relations \(ua: User \times Role \times TimeSlot\) and cl : TimeSlot. We represent the initial configuration \((UA_0, ts)\), where \(UA_0 = \{(A, CHR, \{ts_1, ts_2, ts_3\}), (B, EMP, \{ts_1, ts_2\})\}\) and \(ts = ts_1\), as follows:

$$\begin{aligned}&\forall x, y, z, t . (ua(x, y, z)\nonumber \\&\Leftrightarrow \left( \begin{array}{l} (x = {\mathsf {A}} \wedge y = \mathsf {CHR} \wedge z = \mathsf {ts_1}) \vee \\ (x = {\mathsf {A}} \wedge y = \mathsf {CHR} \wedge z = \mathsf {ts_2}) \vee \\ (x = {\mathsf {A}} \wedge y = \mathsf {CHR} \wedge z = \mathsf {ts_3}) \vee \\ (x = {\mathsf {B}} \wedge y = \mathsf {EMP} \wedge z = \mathsf {ts_1}) \vee \\ (x = {\mathsf {B}} \wedge y = \mathsf {EMP} \wedge z = \mathsf {ts_2}) \end{array} \right) \wedge (cl(t) \Leftrightarrow t = \mathsf {ts_1})), \end{aligned}$$
(3)

where \({\mathsf {A}}\), \({\mathsf {B}}\), \(\mathsf {CHR}\), \(\mathsf {EMP}\), \(\mathsf {ts_{1}}\), ..., \(\mathsf {ts_{3}}\) are constants in \(\varSigma _\mathrm{TRBAC}\) whose interpretation is A, \(B \in U\), CHR, \(EMP \in R\), and \(ts_{1}, \ldots , ts_{3} \in TS\), respectively.

Symbolic Representation of TRBAC Actions

In this section, we show how to symbolically represent the actions of the TRBAC system. The actions include administrative actions and time-passing actions. We assume that the \(\varSigma _\mathrm{TRBAC}\)-theory \(T_\mathrm{TRBAC}\) has already been constructed as explained in Section “Symbolic Representation of TRBAC Configurations”.

We use ua (and cl) and \(ua'\) (and \(cl'\)) to denote the value of the relation TUA (and of the current time slot) immediately before and after the execution of an action, respectively. Below, w denotes a variable of sort User, y a variable of sort Role, and z, v variables of sort TimeSlot.

Symbolic Representation of Administrative Actions. We now represent administrative actions, namely \(can\_assign\) and \(can\_revoke\) actions. Such actions have the form \((C_\mathrm{a}, tsl_1, C, tsl_2, r)\) where \(tsl_1\) and \(tsl_2\) are time slots. Notice that we adopt the separate administration assumption, so we do not need to consider the administrative pre-condition \(C_\mathrm{a}\).

Symbolic representation of pre-condition. Let C be a pre-condition and \(tsl_2\) the time slot in the action. Recall that C is a set of expressions of the form r or \({\overline{r}}\) where r is a role in R. We use the following formula to represent the pre-condition (together with the time slot \(tsl_2\)): \(\exists x. \bigwedge _{l \in C}{[l]_{x}}\), where x is a variable of sort User and:

$$\begin{aligned}{}[l]_x := \left\{ \begin{array}{rclcl} ua(x, {\mathsf {r}}, \mathsf {tsl_2})&{}\text{ if } &{} l \equiv r &{} \text{ for } \text{ some } &{} r \in R \\ \lnot ua(x, {\mathsf {r}}, \mathsf {tsl_2})&{}\text{ if } &{} l \equiv {\overline{r}} &{} \text{ for } \text{ some } &{} r \in R \end{array} \right. \end{aligned}$$
(4)

\(\equiv\) denotes syntactic identity, \({\mathsf {r}}\) represents r, and \(\mathsf {tsl_2}\) represents \(tsl_2\). Moreover, there is a further condition to fire the action: the current time slot of the system must be \(tsl_1\). This condition is represented by \(\exists t. cl(t) \wedge t = \mathsf {tsl_1}\), where t is a variable of sort TimeSlot and \(\mathsf {tsl_1}\) represents \(tsl_1\).

Symbolic representation of \(can\_assign\) actions. Given a tuple \((C_\mathrm{a}, tsl_1, C, tsl_2, r)\) in \(can\_assign\), the symbolic representation of the \(can\_assign\) action is the following formula:

$$\begin{aligned}&\exists x,t. \nonumber \\&\left( \begin{array}{l} \bigwedge _{l \in C}{[l]_{x}} \wedge cl(t) \wedge t = \mathsf {tsl_1} \wedge \\ \forall w,y,z. (ua'(w,y,z) \Leftrightarrow (ua(w,y,z) \vee (w = x \wedge y = {\mathsf {r}} \wedge z =\mathsf {tsl_2}))) \wedge \\ \forall v. (cl'(v) \Leftrightarrow cl(v)) \end{array} \right) , \end{aligned}$$
(5)

where x is a variable of sort User, t is a variable of sort TimeSlot.

Symbolic representation of \(can\_revoke\) actions. The \(can\_revoke\) actions have the same form as \(can\_assign\) actions, but the pre-condition is empty (or contains only the target role, if we only revoke the target role r from a user who currently has this role). Thus, we represent the \(can\_revoke\) actions in the same way:

$$\begin{aligned} \exists x,t. \left( \begin{array}{l} ua(x, {\mathsf {r}}, \mathsf {tsl_2}) \wedge cl(t) \wedge t = \mathsf {tsl_1} \wedge \\ \forall w,y,z. (ua'(w,y,z) \Leftrightarrow (ua(w,y,z) \wedge \lnot (w = x \wedge y = {\mathsf {r}} \wedge z =\mathsf {tsl_2}))) \wedge \\ \forall v. (cl'(v) \Leftrightarrow cl(v)) \end{array} \right) , \end{aligned}$$
(6)

where x is a variable of sort User, t is a variable of sort TimeSlot.

Example 4

Consider the hospital in Example 1. We formalize the action \((CHR, \{ts_1\}, \{EMP, {\overline{NRS}}\}, \{ts_2\}, DDR) \in can\_assign\) as follows:

\(\exists x,t. \left( \begin{array}{l} ua(x, \mathsf {EMP}, \mathsf {ts_2}) \wedge \lnot ua(x, \mathsf {NRS}, \mathsf {ts_2}) \wedge cl(t) \wedge t = \mathsf {ts_1} \wedge \\ \forall w,y,z. (ua'(w,y,z) \Leftrightarrow (ua(w,y,z) \vee (w = x \wedge y = \mathsf {DDR} \wedge z =\mathsf {ts_2}))) \wedge \\ \forall v. (cl'(v) \Leftrightarrow cl(v)) \end{array} \right)\),

where x, t are variables of sort User and TimeSlot, respectively; \(\mathsf {EMP}\) represents EMP; \(\mathsf {NRS}\) represents NRS.

The action \((CHR, \{ts_2\}, \emptyset , \{ts_2\}, SEC) \in can\_revoke\) is formalized as follows:

\(\exists x,t. \left( \begin{array}{l} ua(x, \mathsf {SEC}, \mathsf {ts_2}) \wedge cl(t) \wedge t = \mathsf {ts_2} \wedge \\ \forall w,y,z. (ua'(w,y,z) \Leftrightarrow (ua(w,y,z) \wedge \lnot (w = x \wedge y = \mathsf {SEC} \wedge z =\mathsf {ts_2}))) \wedge \\ \forall v. (cl'(v) \Leftrightarrow cl(v)) \end{array} \right)\),

where x, t are as explained above, \(\mathsf {SEC}\) represents SEC, and \(\mathsf {ts_2}\) represents \(ts_2\).

Symbolic Representation of Time-Passing Actions

As mentioned in Section “Symbolic Representation of TRBAC Configurations”, we model the passing of time at the granularity of time slots. The system jumps to the next time slot when it reaches the end of the previous one. For instance, in Example 1, time slot \(ts_2 = [4\,\mathrm{pm},12\,\mathrm{am})\) is the next time slot of \(ts_1 = [8\,\mathrm{am},4\,\mathrm{pm})\), because at the end of \(ts_1\) (i.e., at 4 pm) the system jumps to time slot \(ts_2\). A tuple \((ts_1, ts_2, ts_3)\) fixes an order of the time slots of a system in which \(ts_2\) is the next time slot of \(ts_1\) and \(ts_3\) is the next time slot of \(ts_2\). At the end of time slot \(ts_3\), the system returns to time slot \(ts_1\).

As shown in Section “Symbolic Representation of TRBAC Configurations”, we use the predicate cl in \(\varSigma _\mathrm{TRBAC}\) to hold the current time slot of the system. A time-passing action changes the current configuration \((TUA, ts)\) into a new configuration \((TUA', ts')\) where \(TUA' = TUA\) and \(ts'\) is the next time slot of ts. We formalize the time-passing actions for an order of time slots \((ts_1, ts_2, \ldots , ts_n)\) of a system as follows:

For each pair \((ts_i, ts_{i+1})\) in the order where \(1 \le i \le (n-1)\), we have a formula:

$$\begin{aligned} \left( \begin{array}{l} \exists t. (cl(t) \wedge t = \mathsf {ts_i} \wedge \forall v. (cl'(v) \Leftrightarrow (v = \mathsf {ts_{i+1}})) \wedge \\ \forall w, y, z. (ua'(w, y,z) \Leftrightarrow ua(w,y,z))) \end{array} \right) , \end{aligned}$$
(7)

where \(\mathsf {ts_i}\) represents \(ts_i\) and \(\mathsf {ts_{i+1}}\) represents \(ts_{i+1}\).

Moreover, at the end of time slot \(ts_n\) the system returns to time slot \(ts_1\); this is formalized as:

$$\begin{aligned} \exists t. (cl(t) \wedge t = \mathsf {ts_n} \wedge \forall v. (cl'(v) \Leftrightarrow (v = \mathsf {ts_{1}})) \wedge \forall w, y, z. (ua'(w, y,z) \Leftrightarrow ua(w,y,z))) \end{aligned}$$

Example 5

Consider the system in Example 1; the order of time slots is \((ts_1, ts_2, ts_3)\). The time-passing actions are the following formulae:

  (i) \(\exists t. (cl(t) \wedge t = \mathsf {ts_1} \wedge \forall x. (cl'(x) \Leftrightarrow (x = \mathsf {ts_{2}})) \wedge \forall w, y, z. (ua'(w, y,z) \Leftrightarrow ua(w,y,z)) )\)

  (ii) \(\exists t. (cl(t) \wedge t = \mathsf {ts_2} \wedge \forall x. (cl'(x) \Leftrightarrow (x = \mathsf {ts_{3}})) \wedge \forall w, y, z. (ua'(w, y,z) \Leftrightarrow ua(w,y,z)))\)

  (iii) \(\exists t. (cl(t) \wedge t = \mathsf {ts_3} \wedge \forall x. (cl'(x) \Leftrightarrow (x = \mathsf {ts_{1}})) \wedge \forall w, y, z. (ua'(w, y,z) \Leftrightarrow ua(w,y,z)))\).
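The following block is an added example, not part of the paper and not the code of the asasp/asaspTIME tools or of MCMT. It ties together the three constructions of this appendix: configurations and goals (formulae (1) and (2)), administrative actions with their pre-conditions (formulae (4) to (6)), and time-passing actions (formula (7) and the wrap-around rule). The symbolic objects are encoded as concrete Python data for the hospital instance of Examples 3 to 5, and, because U, R and TS are finite enumerated types there, the (timed) user-role reachability problem is decided by an explicit-state breadth-first forward search. That search is a substitute for the symbolic backward reachability that MCMT performs; it is used here only because it makes the semantics of each formula visible in a few lines. Example 1's full policy is not reproduced in this appendix, so the second `can_assign` rule (DDR at \(ts_2\) enabling SEC at \(ts_2\)) is constructed for illustration and marked as such in the code; the remaining data come from Examples 3 and 4.

```python
"""Explicit-state reachability for a small TRBAC policy (constructed example).

The appendix's objects are encoded directly as Python data:
  * a configuration (TUA, ts)         -> (frozenset of (user, role, slot) triples, slot)
  * a can_assign / can_revoke action  -> (tsl_1, pre-condition C, tsl_2, target role r)
  * a time-passing action             -> successor slot in a cyclic order (formula (7))
  * a goal (u_g, R_g, tc_g)           -> membership test over TUA (formula (2))
Because U, R and TS are finite enumerated types here, the state space is finite
and a breadth-first forward search decides the user-role reachability problem.
"""
from collections import deque

# Sets from Example 3 of the appendix.
USERS = ("A", "B", "C")
ROLES = ("EMP", "DDR", "NDR", "PRC", "NRS", "SEC", "CHR")
SLOT_ORDER = ("ts1", "ts2", "ts3")  # (ts_1, ts_2, ts_3); ts_3 wraps around to ts_1

# Initial configuration of Example 3, with TUA_0 expanded slot by slot and cl = ts_1.
TUA0 = frozenset({("A", "CHR", "ts1"), ("A", "CHR", "ts2"), ("A", "CHR", "ts3"),
                  ("B", "EMP", "ts1"), ("B", "EMP", "ts2")})
INITIAL = (TUA0, "ts1")

# Administrative actions as (tsl_1, C, tsl_2, r). A literal of C is (role, True)
# for r and (role, False) for r-bar. The administrative pre-condition C_a is
# dropped, as the appendix does under the separate administration assumption.
CAN_ASSIGN = (
    ("ts1", frozenset({("EMP", True), ("NRS", False)}), "ts2", "DDR"),  # Example 4
    ("ts2", frozenset({("DDR", True)}), "ts2", "SEC"),  # constructed, not from the paper
)
CAN_REVOKE = (
    ("ts2", frozenset(), "ts2", "SEC"),  # Example 4
)


def precondition_holds(tua, user, cond, tsl2):
    """Conjunction of [l]_x from formula (4): ua(x, r, tsl_2) for r, its negation for r-bar."""
    return all(((user, role, tsl2) in tua) == positive for role, positive in cond)


def admin_successors(config):
    """Formulae (5) and (6): every administrative action enabled in `config`.

    Yields (label, successor) pairs. An action fires only when cl = tsl_1 and the
    chosen user satisfies C at tsl_2; a revoke additionally requires the user to
    currently hold r at tsl_2. TUA gains or loses exactly (x, r, tsl_2); cl is unchanged.
    """
    tua, cl = config
    for tsl1, cond, tsl2, role in CAN_ASSIGN:
        if cl == tsl1:
            for user in USERS:
                if precondition_holds(tua, user, cond, tsl2):
                    yield ("assign", user, role, tsl2), (tua | {(user, role, tsl2)}, cl)
    for tsl1, cond, tsl2, role in CAN_REVOKE:
        if cl == tsl1:
            for user in USERS:
                if (user, role, tsl2) in tua and precondition_holds(tua, user, cond, tsl2):
                    yield ("revoke", user, role, tsl2), (tua - {(user, role, tsl2)}, cl)


def time_passing_successor(config):
    """Formula (7) plus the wrap-around rule: TUA is unchanged, cl moves to the next slot."""
    tua, cl = config
    nxt = SLOT_ORDER[(SLOT_ORDER.index(cl) + 1) % len(SLOT_ORDER)]
    return ("tick", nxt), (tua, nxt)


def goal_holds(config, user, roles, slots):
    """Formula (2): `user` is a member of every role in R_g in every slot of tc_g."""
    tua, _ = config
    return all((user, r, s) in tua for r in roles for s in slots)


def reachable(initial, user, roles, slots, max_states=100_000):
    """Breadth-first forward search from `initial`.

    Returns the shortest list of action labels leading to a configuration that
    satisfies the goal, or None when the whole (finite) state space is exhausted
    without reaching one. `max_states` guards against policies whose reachable
    set is larger than expected.
    """
    seen = {initial}
    queue = deque([(initial, [])])
    while queue:
        config, trace = queue.popleft()
        if goal_holds(config, user, roles, slots):
            return trace
        for label, nxt in [*admin_successors(config), time_passing_successor(config)]:
            if nxt not in seen:
                if len(seen) >= max_states:
                    raise RuntimeError("state budget exhausted; policy too large for explicit search")
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None


if __name__ == "__main__":
    # Can B become DDR at ts_2? One assign suffices (Example 4's can_assign rule).
    print(reachable(INITIAL, "B", {"DDR"}, {"ts2"}))
    # Can C become DDR at ts_2? C never acquires EMP, so the answer is None.
    print(reachable(INITIAL, "C", {"DDR"}, {"ts2"}))
```

The returned trace is the analogue of the counterexample a model checker reports: for the goal "B is DDR at \(ts_2\)" it is a single `assign`, while "B is SEC at \(ts_2\)" needs the assign, a time-passing step to \(ts_2\), and a second assign, which is exactly where the \(cl(t) \wedge t = \mathsf{tsl_1}\) conjunct of formula (5) bites. Goals that ask for a role the pre-conditions can never grant to that user come back as `None`, and the `max_states` budget is the reminder that explicit enumeration does not scale the way the symbolic encoding in the body of the paper does.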

Cite this article

Truong, A. Automated Analysis of Access Control Policies Based on Model Checking. SN COMPUT. SCI. 1, 331 (2020). https://doi.org/10.1007/s42979-020-00307-8
