ASASPXL: New Clother for Analysing ARBAC Policies

  • Anh Truong
  • Silvio Ranise
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10018)


Access control is becoming increasingly important for today’s ubiquitous systems. In access control models, the administration of access control policies is an important task that raises a crucial analysis problem: whether a set of administrators can give a user an unauthorized access permission. In this paper, we consider this analysis problem in the context of Administrative Role-Based Access Control (ARBAC), one of the most widespread administrative models. We describe how we design heuristics that enable an analysis tool, called asaspXL, to scale up to large and complex ARBAC policies. Extensive experimentation shows that the proposed heuristics play a key role in the success of the analysis tool over state-of-the-art analysis tools.
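The user-role reachability question the abstract poses, as an added, self-contained example that is not the paper's asaspXL code: a constructed ARBAC policy of can_assign and can_revoke rules, and a breadth-first forward search asking whether some sequence of administrative actions lets a given user obtain a given role. It assumes that a user holding a rule's administrative role is always available to act, and it does not record which administrator performs each action.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class CanAssign:
    admin: str                      # administrative role the acting administrator must hold
    target: str                     # role being granted
    pos: frozenset = frozenset()    # roles the target user must already hold
    neg: frozenset = frozenset()    # roles the target user must NOT hold

@dataclass(frozen=True)
class CanRevoke:
    admin: str                      # administrative role needed to revoke
    target: str                     # role being revoked

def _with(roles, user, new_roles):
    """Return the canonical (hashable, sorted) state with one user's roles replaced."""
    updated = dict(roles)
    updated[user] = new_roles
    return tuple(sorted(updated.items()))

def successors(state, assign_rules, revoke_rules):
    """Yield (action, next_state) for every administrative action enabled in `state`."""
    roles = dict(state)
    held_by_someone = frozenset().union(*roles.values())   # a rule fires if anyone holds its admin role
    for user, rs in state:
        for ca in assign_rules:
            if ca.admin in held_by_someone and ca.target not in rs and ca.pos <= rs and not (ca.neg & rs):
                yield ("assign", ca.target, user), _with(roles, user, rs | {ca.target})
        for cr in revoke_rules:
            if cr.admin in held_by_someone and cr.target in rs:
                yield ("revoke", cr.target, user), _with(roles, user, rs - {cr.target})

def reachable(users, assign_rules, revoke_rules, goal_user, goal_role):
    """Breadth-first forward reachability over the finite state space of role assignments.
    Returns the shortest action trace that makes goal_user hold goal_role, or None."""
    start = tuple(sorted((u, frozenset(rs)) for u, rs in users.items()))
    seen, queue = {start}, deque([(start, ())])
    while queue:
        state, trace = queue.popleft()
        if goal_role in dict(state)[goal_user]:
            return list(trace)
        for action, nxt in successors(state, assign_rules, revoke_rules):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (action,)))
    return None

# Constructed sample policy (assumed, not taken from the paper): SSO is the only administrative role.
USERS = {"root": {"SSO"}, "bob": {"Employee"}, "carol": {"Employee", "Contractor"}}
ASSIGN = [CanAssign("SSO", "Manager", pos=frozenset({"Employee"}), neg=frozenset({"Contractor"})),
          CanAssign("SSO", "Finance", pos=frozenset({"Manager"}))]
REVOKE = [CanRevoke("SSO", "Contractor")]

if __name__ == "__main__":
    print(reachable(USERS, ASSIGN, REVOKE, "bob", "Finance"))     # two assignments
    print(reachable(USERS, ASSIGN, REVOKE, "carol", "Finance"))   # revoke Contractor first, then two assignments
    print(reachable(USERS, ASSIGN, REVOKE, "carol", "Auditor"))   # None: no rule ever grants Auditor
```

The returned trace is the evidence a policy reviewer needs: it shows exactly which administrative actions, in which order, let carol reach Finance despite the negative Contractor precondition, since the revoke rule removes that blocker.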


Keywords: User-role reachability problem, administration, safety analysis, access control, model checking, heuristics, security



Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. Faculty of Computer Science and Engineering, Ho Chi Minh City University of Technology, Ho Chi Minh City, Vietnam
  2. Security and Trust Unit, FBK-Irst, Trento, Italy
