Formal Verification of Liferay RBAC
Liferay is the leading opensource portal for the enterprise, implementing a role-based access control (RBAC) mechanism for user and content management. Despite its critical importance, however, the access control system implemented in Liferay is poorly documented and lacks automated tools to assist portal administrators in configuring it correctly. To make matters worse, although strongly based on the RBAC model and named around it, the access control mechanism implemented in Liferay has a number of unconventional features, which significantly complicate verification. In this paper we introduce a formal semantics for Liferay RBAC and we propose a verification technique based on abstract model-checking, discussing sufficient conditions for the soundness and the completeness of the analysis. We then present a tool, called LifeRBAC, which implements our theory to verify the security of real Liferay portals. We show that the tool is effective at proving the absence of security flaws, while efficient enough to be of practical use.
KeywordsFormal Semantic Parametrized Role Access Control Mechanism Abstract Semantic Abstraction Function
Unable to display preview. Download preview PDF.
- 3.Bugliesi, M., Calzavara, S., Focardi, R., Squarcina, M.: Gran: Model checking grsecurity RBAC policies. In: Computer Security Foundations (CSF), pp. 126–138 (2012)Google Scholar
- 4.Calzavara, S., Rabitti, A., Bugliesi, M.: Formal verification of Liferay RBAC (full version), www.dais.unive.it/~calzavara/papers/essos15-full.pdf
- 9.Ferrara, A.L., Madhusudan, P., Parlato, G.: Security analysis of role-based access control through program verification. In: Computer Security Foundations (CSF), pp. 113–125 (2012)Google Scholar
- 10.Giuri, L., Iglio, P.: Role templates for content-based access control. In: ACM Workshop on Role-Based Access Control, pp. 153–159 (1997)Google Scholar
- 13.Jayaraman, K., Ganesh, V., Tripunitara, M.V., Rinard, M.C., Chapin, S.J.: Automatic error finding in access-control policies. In: ACM Conference on Computer and Communications Security (CCS), pp. 163–174 (2011)Google Scholar
- 15.Li, N., Mitchell, J.C.: A role-based trust-management framework. In: DARPA Information Survivability Conference and Exposition (DISCEX), pp. 201–212 (2003)Google Scholar
- 17.Liferay Inc.: Liferay clients and case studies, https://www.liferay.com/it/products/liferay-portal/stories
- 23.Stoller, S.D., Yang, P., Ramakrishnan, C.R., Gofman, M.I.: Efficient policy analysis for administrative role based access control. In: ACM Conference on Computer and Communications Security (CCS), pp. 445–455 (2007)Google Scholar