Adventures in the Analysis of Access Control Policies

  • Anh TruongEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11814)


Access Control is becoming increasingly important for today’s ubiquitous systems which provide mechanism to prevent sensitive resources against unauthorized users. In access control models, the administration of access control policies is an important task that raises a crucial analysis problem: if a set of administrators can give a user an unauthorized access permission. In this paper, we consider the analysis problem in the context of the Administrative Role-Based Access Control (ARBAC), one of the most widespread administrative models. We describe how we design heuristics to enable an analysis tool, called asaspXL, to scale up to handle large and complex ARBAC policies and a sequence of analysis problems. An extensive experimentation shows that the proposed heuristics play a key role in the success of the analysis tool over the state-of-the-art analysis tools.


Access control Security analysis Automated verification Model checking Role-Based Access Control 



This work was funded by Vietnam National University-Ho Chi Minh City under the research project C2018-20-10.


  1. 1.
    Alberti, F., Armando, A., Ranise, S.: ASASP: automated symbolic analysis of security policies. In: Bjørner, N., Sofronie-Stokkermans, V. (eds.) CADE 2011. LNCS (LNAI), vol. 6803, pp. 26–33. Springer, Heidelberg (2011). Scholar
  2. 2.
    Alberti, F., Armando, A., Ranise, S.: Efficient symbolic automated analysis of administrative role based access control policies. In: ASIACCS. ACM Pr. (2011)Google Scholar
  3. 3.
    Crampton, J.: Understanding and developing role-based administrative models. In: Proceedings 12th ACM Conference on Computer and Communication Security (CCS), pp. 158–167. ACM Press (2005)Google Scholar
  4. 4.
    De Capitani di Vimercati, S., Foresti, S., Jajodia, S., Samarati, P.: Access control policies and languages. Int. J. Comput. Sci. Eng. (IJCSE), 3(2), 94–102 (2007)Google Scholar
  5. 5.
    Ferrara, A.L., Madhusudan, P., Nguyen, T.L., Parlato, G.: Vac - verifier of administrative role-based access control policies. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 184–191. Springer, Cham (2014). Scholar
  6. 6.
    Ghilardi, S., Ranise, S.: Backward reachability of array-based systems by SMT solving: termination and invariant synthesis. LMCS 6(4) (2010)Google Scholar
  7. 7.
    Ghilardi, S., Ranise, S.: MCMT: a model checker modulo theories. In: Giesl, J., Hähnle, R. (eds.) IJCAR 2010. LNCS (LNAI), vol. 6173, pp. 22–29. Springer, Heidelberg (2010). Scholar
  8. 8.
    Gofman, M.I., Luo, R., Solomon, A.C., Zhang, Y., Yang, P., Stoller, S.D.: RBAC-PAT: a policy analysis tool for role based access control. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 46–49. Springer, Heidelberg (2009). Scholar
  9. 9.
    Jayaraman, K., Ganesh, V., Tripunitara, M., Rinard, M., Chapin, S.: Automatic error finding for access-control policies. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS). ACM (2011Google Scholar
  10. 10.
    Li, N., Tripunitara, M.V.: Security analysis in role-based access control. ACM Trans. Inf. Syst. Secur. (TISSEC) 9(4), 391–420 (2006)CrossRefGoogle Scholar
  11. 11.
    Ranise, S., Truong, A., Armando, A.: Boosting model checking to analyse large ARBAC policies. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds.) STM 2012. LNCS, vol. 7783, pp. 273–288. Springer, Heidelberg (2013). Scholar
  12. 12.
    Sandhu, R., Coyne, E., Feinstein, H., Youmann, C.: Role-based access control models. IEEE Comput. 2(29), 38–47 (1996)CrossRefGoogle Scholar
  13. 13.
    Sasturkar, A., Yang, P., Stoller, S.D., Ramakrishnan, C.R.: Policy analysis for administrative role based access control. In: Proceedings of the 19th Computer Security Foundations (CSF) Workshop. IEEE Computer Society Press, July 2006Google Scholar
  14. 14.
    Stoller, S.D., Yang, P., Gofman, M.I., Ramakrishnan, C.R.: Symbolic reachability analysis for parameterized administrative role based access control. In: Proceedings of SACMAT 2009, pp. 445–454 (2007)Google Scholar
  15. 15.
    Stoller, S.D., Yang, P., Ramakrishnan, C.R., Gofman, M.I.: Efficient policy analysis for administrative role based access control. In: Proceedings of the 14th Conference on Computer and Communications Security (CCS). ACM Press (2007)Google Scholar
  16. 16.
    Yang, P., Gofman, M.L., Stoller, S., Yang, Z.: Policy analysis for administrative role based access control without separate administration. J. Comput. Secur. (2014)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Ho Chi Minh City University of Technology, VNU-HCMHo Chi Minh CityVietnam

Personalised recommendations