Evaluating Access Control Policies Through Model Checking

  • Nan Zhang
  • Mark Ryan
  • Dimitar P. Guelev
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3650)


We present a model-checking algorithm which can be used to evaluate access control policies, and a tool which implements it. The evaluation includes not only assessing whether the policies give legitimate users enough permissions to reach their goals, but also checking whether the policies prevent intruders from reaching their malicious goals. Policies of the access control system and goals of agents must be described in the access control description and specification language introduced as RW in our earlier work. The algorithm takes a policy description and a goal as input and performs two modes of checking. In the assessing mode, the algorithm searches for strategies consisting of reading and writing steps which allow the agents to achieve their goals no matter what states the system may be driven into during the execution of the strategies. In the intrusion detection mode, a weaker notion of strategy is used, reflecting the willingness of intruders to guess the value of attributes which they cannot read.
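As an added illustration that is not the authors' RW language, algorithm or tool, the constructed Python model below contrasts the two modes the abstract describes: an agent whose belief is the set of states consistent with what it has read, a strategy search over read and write steps, and, in the intrusion mode only, an extra "guess" step that narrows the belief without a read being permitted. The attribute names, guards and goal are made-up assumptions.

```python
from itertools import product

# Constructed toy model (an assumption, not the paper's RW language): boolean attributes,
# each with a read guard and a write guard on the current state; the goal is a predicate.
ATTRS = ("is_admin", "flag")
POLICY = {  # attr: (may_read, may_write)
    "is_admin": (lambda s: s["is_admin"], lambda s: False),         # only admins see it
    "flag":     (lambda s: True,          lambda s: s["is_admin"]),  # only admins set it
}
GOAL = lambda s: s["flag"]
def state_of(vals): return dict(zip(ATTRS, vals))

def initial_belief(known):
    """All concrete states consistent with the attribute values the agent knows."""
    return frozenset(v for v in product((False, True), repeat=len(ATTRS))
                     if all(v[ATTRS.index(a)] == val for a, val in known.items()))

def search(belief, mode, depth=4):
    """Strategy tree reaching GOAL from every state in `belief`, or None.
    mode "assess": each step must be permitted, and succeed, whatever the unread values are.
    mode "intrude": the agent may also guess an unread attribute (OR over the guessed value)."""
    states = [state_of(v) for v in belief]
    if all(GOAL(s) for s in states):
        return "done"
    if depth == 0:
        return None
    for i, a in enumerate(ATTRS):
        may_read, may_write = POLICY[a]
        unknown = len({v[i] for v in belief}) > 1
        narrow = lambda val: frozenset(v for v in belief if v[i] == val)
        # Read: guard must hold in every possible state; BOTH observed values must succeed.
        if unknown and all(may_read(s) for s in states):
            branches = {val: search(narrow(val), mode, depth - 1) for val in (False, True)}
            if None not in branches.values():
                return ("read", a, branches)
        # Write a := val in every possible state (guard must hold in all of them).
        if all(may_write(s) for s in states):
            for val in (False, True):
                new = frozenset(v[:i] + (val,) + v[i + 1:] for v in belief)
                sub = search(new, mode, depth - 1) if new != belief else None
                if sub is not None:
                    return ("write", a, val, sub)
        # Guess (intrusion mode only): commit to one value of an attribute it may not read.
        if mode == "intrude" and unknown:
            for val in (False, True):
                sub = search(narrow(val), mode, depth - 1)
                if sub is not None:
                    return ("guess", a, val, sub)
    return None
```

An agent that knows it is an administrator gets a write strategy in assessing mode; an agent that cannot read `is_admin` gets no strategy in assessing mode but, in intrusion mode, a strategy that first guesses `is_admin` and then writes `flag`.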


Keywords: access control, access control model, model checking, verification, access control policy, access control policy language





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Nan Zhang (1)
  • Mark Ryan (1)
  • Dimitar P. Guelev (2)
  1. School of Computer Science, University of Birmingham, Birmingham, UK
  2. Section of Logic, Institute of Mathematics and Informatics, Sofia, Bulgaria
