Formal Verification of Liferay RBAC

  • Stefano Calzavara
  • Alvise Rabitti
  • Michele Bugliesi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8978)


Liferay is the leading opensource portal for the enterprise, implementing a role-based access control (RBAC) mechanism for user and content management. Despite its critical importance, however, the access control system implemented in Liferay is poorly documented and lacks automated tools to assist portal administrators in configuring it correctly. To make matters worse, although strongly based on the RBAC model and named around it, the access control mechanism implemented in Liferay has a number of unconventional features, which significantly complicate verification. In this paper we introduce a formal semantics for Liferay RBAC and we propose a verification technique based on abstract model-checking, discussing sufficient conditions for the soundness and the completeness of the analysis. We then present a tool, called LifeRBAC, which implements our theory to verify the security of real Liferay portals. We show that the tool is effective at proving the absence of security flaws, while efficient enough to be of practical use.


Formal Semantic Parametrized Role Access Control Mechanism Abstract Semantic Abstraction Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Armando, A., Carbone, R., Compagna, L.: SATMC: A SAT-based model checker for security-critical systems. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014 (ETAPS). LNCS, vol. 8413, pp. 31–45. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  2. 2.
    Armando, A., Ranise, S.: Automated symbolic analysis of ARBAC-policies. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 17–34. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  3. 3.
    Bugliesi, M., Calzavara, S., Focardi, R., Squarcina, M.: Gran: Model checking grsecurity RBAC policies. In: Computer Security Foundations (CSF), pp. 126–138 (2012)Google Scholar
  4. 4.
    Calzavara, S., Rabitti, A., Bugliesi, M.: Formal verification of Liferay RBAC (full version),
  5. 5.
    Clarke, E.M., Emerson, E.A., Sistla, A.P.: Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Trans. Program. Lang. Syst. 8(2), 244–263 (1986)CrossRefzbMATHGoogle Scholar
  6. 6.
    Cousot, P., Cousot, R.: Refining model checking by abstract interpretation. Autom. Softw. Eng. 6(1), 69–95 (1999)CrossRefGoogle Scholar
  7. 7.
    Ferraiolo, D.F., Sandhu, R.S., Gavrila, S.I., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Trans. Inf. Syst. Secur. 4(3), 224–274 (2001)CrossRefGoogle Scholar
  8. 8.
    Ferrara, A.L., Madhusudan, P., Nguyen, T.L., Parlato, G.: vac - verifier of administrative role-based access control policies. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 184–191. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  9. 9.
    Ferrara, A.L., Madhusudan, P., Parlato, G.: Security analysis of role-based access control through program verification. In: Computer Security Foundations (CSF), pp. 113–125 (2012)Google Scholar
  10. 10.
    Giuri, L., Iglio, P.: Role templates for content-based access control. In: ACM Workshop on Role-Based Access Control, pp. 153–159 (1997)Google Scholar
  11. 11.
    Gofman, M.I., Luo, R., Solomon, A.C., Zhang, Y., Yang, P., Stoller, S.D.: RBAC-PAT: A policy analysis tool for role based access control. In: Kowalewski, S., Philippou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 46–49. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  12. 12.
    Guha, A., Saftoiu, C., Krishnamurthi, S.: The essence of JavaScript. In: D’Hondt, T. (ed.) ECOOP 2010. LNCS, vol. 6183, pp. 126–150. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  13. 13.
    Jayaraman, K., Ganesh, V., Tripunitara, M.V., Rinard, M.C., Chapin, S.J.: Automatic error finding in access-control policies. In: ACM Conference on Computer and Communications Security (CCS), pp. 163–174 (2011)Google Scholar
  14. 14.
    Jayaraman, K., Tripunitara, M.V., Ganesh, V., Rinard, M.C., Chapin, S.J.: Mohawk: Abstraction-refinement and bound-estimation for verifying access control policies. ACM Trans. Inf. Syst. Secur. 15(4), 18 (2013)CrossRefGoogle Scholar
  15. 15.
    Li, N., Mitchell, J.C.: A role-based trust-management framework. In: DARPA Information Survivability Conference and Exposition (DISCEX), pp. 201–212 (2003)Google Scholar
  16. 16.
    Li, N., Tripunitara, M.V.: Security analysis in role-based access control. ACM Trans. Inf. Syst. Secur. 9(4), 391–420 (2006)CrossRefGoogle Scholar
  17. 17.
    Liferay Inc.: Liferay clients and case studies,
  18. 18.
    Mödersheim, S.: Deciding security for a fragment of ASLan. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 127–144. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  19. 19.
    Ranise, S., Truong, A., Armando, A.: Boosting model checking to analyse large ARBAC policies. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds.) STM 2012. LNCS, vol. 7783, pp. 273–288. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  20. 20.
    Sandhu, R.S., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Trans. Inf. Syst. Secur. 2(1), 105–135 (1999)CrossRefGoogle Scholar
  21. 21.
    Sasturkar, A., Yang, P., Stoller, S.D., Ramakrishnan, C.R.: Policy analysis for administrative role-based access control. Theor. Comput. Sci. 412(44), 6208–6234 (2011)CrossRefzbMATHMathSciNetGoogle Scholar
  22. 22.
    Stoller, S.D., Yang, P., Gofman, M.I., Ramakrishnan, C.R.: Symbolic reachability analysis for parameterized administrative role-based access control. Computers & Security 30(2-3), 148–164 (2011)CrossRefGoogle Scholar
  23. 23.
    Stoller, S.D., Yang, P., Ramakrishnan, C.R., Gofman, M.I.: Efficient policy analysis for administrative role based access control. In: ACM Conference on Computer and Communications Security (CCS), pp. 445–455 (2007)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Stefano Calzavara
    • 1
  • Alvise Rabitti
    • 1
  • Michele Bugliesi
    • 1
  1. 1.Università Ca’ Foscari VeneziaItaly

Personalised recommendations