Scalable Automated Analysis of Access Control and Privacy Policies

Part of the Lecture Notes in Computer Science book series (LNCS, volume 10720)


Access control is becoming increasingly important for today's ubiquitous systems. Sophisticated security requirements need to be ensured by authorization policies for increasingly complex and large applications. As a consequence, designers need to understand such policies and ensure that they meet the desired security constraints, while administrators must also maintain them so as to comply with the evolving needs of systems and applications. These tasks are greatly complicated by the expressiveness and the dimensions of the authorization policies. It is thus necessary to provide policy designers and administrators with automated analysis techniques that are capable of foreseeing if, and under what conditions, security properties may be violated. In this paper, we consider this analysis problem in the context of Role-Based Access Control (RBAC), one of the most widespread access control models. We describe how we design heuristics to enable an analysis tool, called asaspXL, to scale up to handle large and complex Administrative RBAC policies. We also discuss the capability of applying the techniques inside the tool to the analysis of location-based privacy policies. Extensive experimentation shows that the proposed heuristics play a key role in the success of the analysis tool over the state-of-the-art analysis tools.



This research is funded by Vietnam National University Ho Chi Minh City (VNU-HCM) under grant number C2017-20-17.



Copyright information

© Springer-Verlag GmbH Germany 2017

Authors and Affiliations

  1. Faculty of Computer Science and Engineering, Ho Chi Minh City University of Technology, Ho Chi Minh City, Vietnam
  2. Security and Trust Unit, FBK-Irst, Trento, Italy
