1 Introduction

Policy-based access control is used by major cloud service providers such as Amazon Web Services, which requires customers to write correct access policies to secure their services and data. Incorrectly specified policies have led to major issues such as exposure of private data [2, 4], which motivates research on automated reasoning techniques that can automatically identify issues with policies [9, 10, 22]. SMT-based techniques have been shown to be effective in detecting issues in real policies and in formally verifying properties of access policies. In the current access control and SMT-based policy verification paradigm, access decisions are made based on deterministic information in access requests, such as user identity, role, IP address, or other attributes. For example, one could implement an access policy that only allows an access request if it comes from a certain IP range.

Emerging application domains call for new schemes of access control that consider uncertainty; e.g., augmented reality (AR) applications have raised security and privacy concerns in a unique context [5, 15, 19, 46]. In addition to deterministic attributes, prior work has explored access control based on information such as user location [6, 7, 17, 30], or the type of environment the user is currently in [47]. For example, one might want to disable video recording features when entering private property, or when the user seems to be in a sensitive or private space such as a restroom. Information like the precise indoor location of the user, or the type of room where the user currently resides, is usually not readily available to the access control system as a deterministic attribute. This information could be supplied by annotating rooms with posted QR codes or wireless signaling [47], yet a more natural and general method is to infer the essential information from observations such as video streams or other sensor readings, using techniques like simultaneous localization and mapping (SLAM) [41] and scene classification [47]. Uncertainty is inherent to these inference processes, and should be taken into consideration when evaluating such information for the purpose of access control. In this work, we consider such uncertain attributes to be supplied as random variables drawn from a probability distribution. Methods that provide such distributions include Bayesian filters, which estimate a probability density function over time from observations and a process model, and probabilistic (Bayesian) machine learning, a machine learning (ML) framework that combines ML techniques with Bayesian methods in order to reason about uncertainty.
In particular, Bayesian neural networks (BNNs) [27, 40] could be viewed as a generalization of ordinary neural networks to have stochastic weights that are learned using a Bayesian paradigm, which yield predictions as well as uncertainty associated with the predictions.

Enriching current policy languages with the notion of uncertainty represented by probabilities is also beneficial when incorporating machine learning based access control (MLBAC) [14, 18, 33, 35, 37, 43, 44] into the current policy-based access control paradigm. MLBAC uses ML models to implement access control systems that learn from data such as access logs, which offers an alternative to the potentially costly and error-prone process of manual policy engineering [11, 23, 49]. However, MLBAC poses new challenges in interpretability, policy adaptability [43], and formal guarantees of correctness. Based on the Bayesian interpretation of probability as degree of belief that an ML prediction is correct, we can think of the following scenarios where MLBAC could benefit from our proposed policy language equipped with probabilities:

  1. We can consider only trusting the ML predictions for access rights if the amount of uncertainty in their predictions is low, which would be useful to guard against out-of-distribution access requests.

  2. ML could be used along with traditional policy-based approaches for various decision problems. In certain applications such as spam filtering or firewalls, we can maintain deterministic and explicit rules that encode the allow-lists and deny-lists created by the user, and let an ML model decide what to do with the rest. Using our proposed policy language, one can encode all these rules into one policy so that we could automatically reason about their combined effects.

  3. We might want to write policies that reflect our prior knowledge of the problem and combine existing models. For example, consider a scenario where access rights of company employees depend on the role \(r = 1, \dots , n\) of the employee and we have trained n ML models \(M_1, \dots , M_n\) that predict access rights for employees with each role. It might be infeasible to retrain a large ML model that works well for all roles, due to not having access to historic access data, or the insufficient amount of data for each role. Using our proposed policy language, one can create a set of n allow policies “allow if the user has role r and \(M_r\) predicts allow with low uncertainty”. Furthermore, one could even deploy a hierarchical prediction model that predicts the role r first, and grants access if all probabilistic ML predictions have low uncertainty.

The aforementioned paradigms require us to enrich the semantics of our policy languages with a notion of uncertainty that is absent from current languages such as Cedar [1] or XACML [3, 52]. We thus introduce a new probabilistic access policy language PAPL with the intuition that some access rules are best implemented using the traditional, deterministic rule-based access control scheme, while other rules may benefit from the capability of specifying the probability of random events, i.e., predicates over variables whose values are sampled from some probability distributions. The idea of combining symbolic and probabilistic/neural reasoning is not new, and has been studied extensively in many adjacent fields like neurosymbolic reasoning [24, 25] or statistical relational learning [8, 26]. Our work specifically focuses on adapting this philosophy to the application domain of access control, and on enabling automated reasoning to formally verify properties of the resulting probabilistic access policies. The theory of probability normally requires nonlinear reasoning, and it is not immediately clear whether we can implement practical SMT-based automated reasoning procedures for these policies. The key observation here is that we need an “interface” for the probabilistic part of the policy that restricts the form of probabilities that can be specified, so that we can reason about them using linear arithmetic. Specifically, we achieve this by allowing deterministic rules that involve probabilities of random events defined by logical formulas, rather than probabilistic policies, which allows us to capture the semantics of the probability theory axioms using linear arithmetic reasoning.

We implemented a prototype system that can parse and evaluate access requests against PAPL policies, and a sound and complete encoding of PAPL policies into linear integer and real arithmetic (LIRA) for automated reasoning with SMT solvers. We demonstrate the practicality of the language through two case studies, focusing on the potential improvement it could bring over MLBAC and existing deterministic policy languages.

The rest of the paper is organized as follows: an overview of the access control process with PAPL policies (Sect. 2), the formalization of PAPL and the encoding of policies into SMT formulas (Sect. 3), implementation details and case studies (Sect. 4), and finally related work (Sect. 5).

2 Overview of the Probabilistic Access Control Paradigm

In this section, we provide intuitions on the semantics of PAPL access policies and the automated reasoning process through a hypothetical use case. Consider AR3D, an augmented reality (AR) service for AR glasses, that renders user-defined virtual objects and also provides an indoor navigation service akin to GPS-based applications like Apple Maps or Google Maps. These functionalities involve potentially private or proprietary virtual objects, visual features of the environment, and other sensitive data. This information could be safeguarded by location-based access control [6, 7, 17, 30], similar to how such information is secured through physical access control in the real world. The access control system infers the user’s location based on sensor data and checks access rights against the relevant access policies accordingly.

Access Control Requirements. Imagine a company M wants to implement an access policy such that only its employees can use AR3D within its buildings, also excluding private areas like restricted offices or conference rooms. Traditional methods like GPS are inadequate for indoor localization; instead, AR3D employs WiFi-based localization using the received signal strength intensity (RSSI) from wireless access points (WAPs). This localization procedure, effectively a regression problem in a high-dimensional space that involves complex nonlinearity, is usually implemented using ML. Here we suppose that a probabilistic ML model nondeterministically predicts the user location, and that the variance in its predictions can be seen as a measure of uncertainty. We visualize the uncertain predictions of a user trajectory using a model trained on a real-world indoor localization dataset [51] in Fig. 1. Given the variance in the predictions, considering uncertainty when making access decisions is essential for the robustness of the access control system. PAPL addresses this by enabling access policies to define access rights in terms of the probability that a user is in some space. This approach is intuitively more robust than the deterministic predicate “the mean predicted location of the user is in some space”, since the mean can be affected by extreme values, and two predictions with the same mean but different variance can be treated differently by the access control system (in Sect. 4 we demonstrate that this can indeed be useful).

Fig. 1. Predicting user location based on RSSI of WAPs. Transparent boxes represent three buildings. The ground truth location and trajectory of the user at each time step is given by the red dots connected with red lines. At each time step, the RSSI from nearby WAPs is used to predict the user location in this 3D space. The blue dots are the mean prediction of the BNN and the thin blue lines emanating from the blue dots are randomly sampled predictions for each time step. The green lines connecting red and blue dots visualize errors of the mean predictions. The visualization clearly shows there is a varying degree of uncertainty in the predictions made by the BNN.

Evaluating Access Requests. When a user Alice requests access to some resource M::internal::data::visual, the access control system constructs an access request by collecting relevant attributes from the user. Here, suppose that the system collects a boolean indicating whether Alice is an M employee, and a vector of the RSSI of each WAP. The system then invokes the trained probabilistic ML models to infer the 3D location of the user. The outputs of these models are probability distributions (essentially conditioned on the training data and observations), e.g., PredictX.posterior(rssi), and the predicted location of the user is modeled as random variables x, y, z sampled from these distributions. This access request is given in Fig. 2c. After the access request is constructed, it is evaluated against all relevant policies that may apply. Suppose that Figs. 2a and 2b are the only two relevant policies. To evaluate against these policies, the system needs to calculate probabilities of random events based on the a posteriori knowledge about the user location given in the access request. The system synthesizes a NumPyro program to estimate the probabilities (Fig. 2d) of all random events that appear in the policies. This program is constructed to collect the source code of the probabilistic ML model (in this case PredictX), run a large number of inferences given a new observation (the rssi vector), assign values to variables based on the information given in the access request context, and count how many times the boolean predicates that correspond to the random events in the policies evaluate to true, in order to estimate the probability of these events.

Fig. 2. Performing access control for a particular access request based on access policies written in the PAPL language.

Automated Reasoning. Over time, the company M and other users may have implemented complicated access policies that involve various buildings and spaces owned by M and other parties. Suppose that M wants formal guarantees that other existing allow policies in the system do not conflict with the company policy on its buildings, e.g., that they do not allow principals without the isMEmployee attribute to access any portion of the buildings that M owns. This can be ensured by encoding the relevant policies into SMT formulas and invoking SMT solvers to do automated reasoning, which we cover in the next section.

Threat Model. In this work, we focus on the semantics and automated verification of the probabilistic access policies. We thus assume that the device that collects attributes such as RSSI is uncompromised and trusted; that the access policies are authentic; that all communications are properly protected by cryptographic protocols; and that all procedures, including ML inference, the construction of NumPyro programs, and the evaluation of policies, are executed on a trusted and secure server.

3 Formalization and SMT Encoding of PAPL Policies

In this section, we first define the formal syntax and semantics of requests and PAPL policies. Then we present a sound and complete encoding of PAPL policies into linear arithmetic formulas, and discuss how this could be useful to formally prove properties of policies.

Fig. 3. Syntax for PAPL policies and requests.

3.1 Syntax and Semantics of Access Requests and Policies

Encoding of String Literals. Handling string literals and encoding conditions involving predicates on strings is not central to this work. To simplify the presentation, we assume all string literals are encoded as integers, and attributes including Principal, Action, and Resource are encoded as integer-typed variables. This limitation is not fundamental to the constructions in this paper, and possible extensions to other SMT theories, including strings, have been explored by previous work [10].

Example 1

For the rest of this section, we assume the following integer encoding of string literals:

$$ \texttt {"Alice"} \mapsto 0, \texttt {"AR3D::read"} \mapsto 1, \texttt {"M::internal::data::visual"} \mapsto 2 \ . $$

Access Requests. The syntax of access requests is given in Fig. 3a, assuming the encoding for string literals has been applied. A request is parsed into a 4-tuple \(\langle R_P, R_A, R_R, (M, D) \rangle \) containing information for Principal, Action, Resource, and Context. The Context part contains a map M from deterministic variables to their values, and the field D is a joint distribution from which the random variables are drawn. Since attributes like Principal are also deterministic variables, we merge these into M and simply write (M, D) to represent an access request.

Example 2

Figure 2c gives a request (M, D) where M contains a boolean attribute \(\texttt {isMEmployee} \mapsto \top \), and three integer attributes \( principal \mapsto 0\), \( action \mapsto 1\), and \( resource \mapsto 2\). D gives the predicted user location as continuous, real-typed, independent random variables x, y, z; e.g., the prediction for dimension x is given by a probabilistic ML model that takes as input \(\texttt {rssi}\) and generates predictions by sampling from a posterior distribution PredictX(rssi).

Random Events. The syntax for random events e is given in Fig. 3b. Each event is a ground LIRA formula \(e(V \cup X)\) over a set of free deterministic variables V and a set of free random variables X. Given a map M containing valuations of all deterministic variables in e and a probability distribution D from which all random variables in e are drawn, we use the notation \(e[v \mapsto M[v]: v \in \textit{dom}(M)]\), or more succinctly e[M], to denote the formula obtained by substituting all variables of e that appear in M with their valuations. Assuming this substitution, we use \(\Pr _{X \sim D}[e[M] = \top ]\) to denote the probability that the random event evaluates to true when the random variables X are drawn from distribution D.

Example 3

The random event \(e_1\) in Fig. 2a is given by the formula

$$\begin{aligned} \texttt {M.building1.xmin} \le x &\wedge x \le \texttt {M.building1.xmax} \\ {}\wedge \texttt {M.building1.ymin} \le y &\wedge y \le \texttt {M.building1.ymax} \\ {}\wedge \texttt {M.building1.zmin} \le z &\wedge z \le \texttt {M.building1.zmax} \end{aligned}$$

where x, y, z are real-typed free random variables (M.building1.xmin, etc. are real constants).

Probability Distributions. In this work, instead of pursuing a measure-theoretic formalization, we regard a probability distribution \(\mathcal {D}\) as a function that maps random events described by LIRA formulas to rational numbers in [0, 1]. More concretely, given a set of arbitrary LIRA formulas \(F = \{e_1, \dots , e_n\}\), let \(U = \{ f_1 \wedge \dots \wedge f_n : f_i \in \{e_i, \lnot e_i\}\}\) be the set of all random events whose probabilities we care about. We require that the distribution \(\mathcal {D}\) satisfies (cf. the Kolmogorov axioms of probability [34])

$$\begin{aligned} &\forall f \in U. \, 0 \le \mathcal {D}( f ) \le 1\\ &\forall f \in U. \, f \text { is unsat} \implies \mathcal {D}(f) = 0 \\ &\forall f_1, f_2 \in U. \, f_1 \wedge f_2 = \bot \implies (\mathcal {D}( f_1 \vee f_2 ) = \mathcal {D}(f_1) + \mathcal {D}(f_2)) \end{aligned}$$

Access Policies. The full syntax for PAPL access policies is given in Fig. 3b. An access policy is parsed into a 5-tuple \(P = \langle E, V_P, V_A, V_R, C \rangle \). The Effect E indicates whether a policy is an allow or deny policy. The fields \(V_P, V_A, V_R\) represent Principal, Action, and Resource. Notably, C describes the Condition under which this policy takes effect, represented by an LIRA formula with an uninterpreted function that is intended to represent the probability of random events. For convenience, we define a procedure \(\textit{randEvents}(P)\) that extracts the set of all random events mentioned in P, i.e., all e such that the Condition field of P contains a probability term over e. We define \(\mathcal {I}\llbracket C\rrbracket (M, D)\), the interpretation of some condition formula C given access request \(R = (M, D)\), as follows. Let the interpretation of the function symbol for some random event \(e(V \cup X)\) be

[definition rendered as an inline figure in the original; in the notation of Sect. 3.1 it is the probability \(\Pr _{X \sim D}[e[M] = \top ]\)]

while the interpretation \(\mathcal {I}\llbracket \cdot \rrbracket \) of the other constructs in C is defined as if we were interpreting an LIRA formula according to an LIRA model M. We further define \(\mathcal {I}\llbracket P\rrbracket (M, D)\), the interpretation of a (deny or allow) policy P given request \(R =(M, D)\), as

$$ \mathcal {I}\llbracket C\rrbracket (M, D) \wedge \mathcal {I}\llbracket principal = V_P \wedge action = V_A \wedge resource = V_R\rrbracket (M, D) $$

where the second clause of the conjunction simply checks whether the principal, action, and resource fields in the policy match the request. We say a policy P applies to a request \(R= (M, D)\) if \(\mathcal {I}\llbracket P\rrbracket (M, D)\) is true. An access request R is allowed by a set of policies S (denoted by \(R \models S\)) if and only if some allow policy in S applies to R and no deny policy in S applies to R [10].

Probabilistic Programs. Let E be a set of random events, \(R = (M, D)\) be a request. A probabilistic program \(\mathcal{P}\mathcal{P}(E, R)\) estimates (or computes symbolically) the probability of random events in E given R. More precisely, it returns a mapping \(PP(\cdot )\) from E to a rational number in [0, 1] such that for each \(e \in E\)

$$ PP(e) \approx \Pr _{X \sim D}[e[M] = \top ] \ . $$

We mostly take a black-box view of probabilistic programs in this work. In practice, the probabilistic program may be implemented by either symbolic methods such as the sum-product probabilistic language (SPPL) [48] or sampling-based methods such as discrete Gibbs sampling or Mixed-HMC [38, 53]. For the access control use cases (Sect. 4), it is difficult to train an SPPL model that performs as well as more expressive models like BNNs. We note, however, the interesting observation that if the distribution from which the random variables are sampled can be written as an SPPL program, then we can use queries in SPPL to compute the probability of any random event exactly [48]. The sampling-based methods only require that we can sample from the distribution \(\mathcal {D}\).

3.2 Automated Reasoning About Policies with Probabilities

Having defined the semantics of access requests and policies, we now encode policies as SMT formulas to enable automated reasoning about their behaviors. For a policy \(P = \langle E, V_P, V_A, V_R, C \rangle \), we define its LIRA encoding \(\llbracket P\rrbracket \) as

$$ \llbracket P\rrbracket \triangleq \llbracket V_P\rrbracket \wedge \llbracket V_A\rrbracket \wedge \llbracket V_R\rrbracket \wedge \llbracket C\rrbracket \ . $$

For \(\llbracket V_P\rrbracket \), we introduce a fresh integer symbol \( principal \) and define

$$ \llbracket V_P\rrbracket = \left\{ \begin{aligned} &\top , \quad \text {if }V_P = *\\ & principal = V_P \quad \text {otherwise} \end{aligned} \right. $$

The encodings \(\llbracket V_A\rrbracket , \llbracket V_R\rrbracket \) are defined similarly. To define \(\llbracket C\rrbracket \), we first introduce fresh real symbols \( prob _e\) for each \(e \in \textit{randEvents}(P)\) and then define \(\llbracket C\rrbracket \) as the formula C with all uninterpreted function terms substituted with the corresponding \( prob _e\). The combined effect of a set of policies S is described by the formula [10]

$$ \llbracket S\rrbracket = \bigvee _{p \in S \text { is allow}} \llbracket p\rrbracket \wedge \bigwedge _{q \in S \text { is deny}} \lnot \llbracket q\rrbracket \ . $$

Example 4

The LIRA encodings for the allow and deny policies in Fig. 2a and 2b are written as formulas \(P_1\) and \(P_2\), where

$$\begin{aligned} P_1 &\triangleq action = 1 \wedge resource = 2 \wedge isMEmployee \wedge 0.95 \le prob _1 \\ P_2 &\triangleq action = 1 \wedge 0.2 \le prob _2 \end{aligned}$$

The effect of these two policies is encoded by \(P_1 \wedge \lnot P_2\).

The LIRA encoding \(\llbracket P\rrbracket \) above simply introduces fresh real symbols \( prob _e\) for the event probabilities in P but ignores the fact that these are probabilities of events that might relate to each other in nontrivial ways. For example, given that \(\Pr [x \ge 1 \wedge y = 0] \ge 0.5\), we should be able to deduce \(\Pr [x \ge 0 \wedge y \ge 0] \ge 0.5\) according to the probability theory axioms, since the first event implies the second. Algorithm 1 describes a procedure for discovering additional constraints that these probabilities must satisfy. The algorithm works by computing a set U of symbols for the probabilities of disjoint events, and then decomposing the probability \( prob _e \) of each random event \(e \in \textit{randEvents}(P)\) as a sum of elements of U.

Example 5

Consider a bijective map between events and symbols \(K = \{ (x < l \vee x \ge r) \leftrightarrow prob _1, (m \le x < r) \leftrightarrow prob _2\}\) and an LIRA formula \(C = l \le r \wedge prob _1 \ge 0.6 \wedge (l \le m \le r) \wedge prob _2 > 0.5\), where l, m, r are real-typed deterministic variables and x is a real-typed random variable. Let \(e_1 = (x < l \vee x \ge r), e_2 = (m \le x < r)\). Given as input (K, C), Algorithm 1 enumerates the combinations \(\{e_1 \wedge e_2, \lnot e_1 \wedge e_2, e_1 \wedge \lnot e_2, \lnot e_1 \wedge \lnot e_2\}\) and finds that only \(e_1 \wedge e_2\) is UNSAT given C. The algorithm returns a set of symbols that represent the probabilities of the remaining disjoint events, \(U = \{u_1, u_2, u_3\}\), and a constraint on the probabilities \(Q = 0 \le u_1 \le 1 \wedge 0 \le u_2 \le 1 \wedge 0 \le u_3 \le 1 \wedge u_1 + u_2 + u_3 = 1 \wedge prob _1 = u_1 \wedge prob _2 = u_2\).

[Algorithm 1, \(\texttt {constraints}(K, C)\), is given as a figure in the original.]

Denotation of Policies. Following previous work [9], we define the denotation of a policy set S as the set of requests it allows: \(\gamma (S) \triangleq \{R : R \models S\}\). Consider an LIRA formula F(Y, X, U) over sets of variables \(Y, X, U = \{u_1, \dots , u_N\}\), and a bijective map \(K: E \rightarrow Y\) that maps a set of random events E to a set of real symbols Y that represent their probabilities, where every \(e \in E\) is a ground formula over a set of deterministic variables V and random variables X. For any \(y \in Y\), let \(K^{-1}_y\) be the random event whose probability is represented by y. We define an abstract denotation \(\gamma ^{\sharp }(F, K)\) as the set of requests (M, D) such that the domain of M is V and

$$ \exists u_1, \dots , u_N. F[ y \mapsto \Pr _{X \sim D}[K^{-1}_y[M] = \top ]: y \in Y ][M] $$

holds. Intuitively, each symbol \(y \in Y\) is intended to represent the probability of some random event, and F includes constraints on the auxiliary variables \(u_1, \dots , u_N\) and \(y \in Y\) so that they behave like probabilities.

We now prove the soundness and completeness of our encoding algorithm (Algorithm 1).

Theorem 1

(Correctness of LIRA encoding). Consider a policy P with LIRA encoding \(\llbracket P\rrbracket \). Let E be the set of random events in P. Let K be a bijective map such that \(e \mapsto prob _e\), where \( prob _e\) is the symbol introduced in the encoding \(\llbracket P\rrbracket \) for the probability of \(e \in E\). Let \(U, Q = \texttt {constraints}(K, \llbracket P\rrbracket )\) and \(U = \{u_1, \dots , u_N\}\). Then \(\exists u_1, \dots , u_N. (\llbracket P\rrbracket \wedge Q)\) is satisfiable modulo LIRA if and only if there exists a request (M, D) such that \((M, D) \models P\).

Corollary 1

Given a set of policies \(S = \{P_1, \dots , P_n\}\). Let E be the set of all random events that appear in S. Let K be a bijective map from E to the set of probability symbols introduced in \(\llbracket S\rrbracket \). Then

$$ \gamma ^{\sharp }\left( \llbracket S\rrbracket \wedge Q, K \right) = \gamma (S) $$

where \(U, Q = \texttt {constraints}\left( K, \llbracket S\rrbracket \right) \).

Given Corollary 1, we can reason about the set of requests allowed by a policy P through an SMT formula, fulfilling the requirements laid out in Sect. 2. Suppose we want to prove that a user policy \(P_1\) is not more permissive than some company policy \(P_2\), i.e., \(\gamma (P_1) \subseteq \gamma (P_2)\). We first construct K, a bijective map between the random events in \(P_1\) and \(P_2\) and the symbols introduced in their encodings \(\llbracket P_1\rrbracket \) and \(\llbracket P_2\rrbracket \). Letting \(U, Q = \texttt {constraints}(K, \llbracket P_1\rrbracket \wedge \lnot \llbracket P_2\rrbracket )\), we check whether \(\llbracket P_1\rrbracket \wedge \lnot \llbracket P_2\rrbracket \wedge Q\) is unsatisfiable using an LIRA theory solver.

Example 6

Consider policies \(P_1\) and \(P_2\) with non-trivial conditions (shown as figures in the original), for which a bijective map \(K = \{ (x < l \vee x \ge r) \leftrightarrow prob _1, (m \le x < r) \leftrightarrow prob _2\}\) can be constructed along with the encodings \(\llbracket P_1\rrbracket = l \le r \wedge prob _1 \ge 0.6 \) and \(\llbracket P_2\rrbracket = \lnot (l \le m \le r) \vee prob _2 \le 0.5\). We construct \(C = \llbracket P_1\rrbracket \wedge \lnot \llbracket P_2\rrbracket \) and obtain \(U, Q = \texttt {constraints}(K, C)\) as in Example 5. Then

$$\begin{aligned} \llbracket P_1\rrbracket \wedge \lnot \llbracket P_2\rrbracket \wedge Q &= l \le r \wedge prob _1 \ge 0.6 \\ &\quad \wedge (l \le m \le r) \wedge prob _2 > 0.5 \\ &\quad \wedge 0 \le u_1 \le 1 \wedge 0 \le u_2 \le 1 \wedge 0 \le u_3 \le 1 \\ &\quad \wedge u_1 + u_2 + u_3 = 1 \wedge prob _1 = u_1 \wedge prob _2 = u_2 \end{aligned}$$

which is unsatisfiable modulo LIRA, since \( prob _1 + prob _2 = u_1 + u_2 \le 1\) by the last line of the formula but that contradicts the first two lines. We have thus proved that policy \(P_1\) is not more permissive than \(P_2\).

In the worst case, Algorithm 1 introduces \(2^n\) additional real symbols when there are n random events in a policy P, resulting in large SMT formulas. Here we show that the number of additional auxiliary symbols will not be too large for particular kinds of condition formulas that are useful for reasoning about PAPL policies that implement location-based access control.

Theorem 2

Consider a policy P such that every probability term refers to the probability for a point to be in a 3D space represented by a boolean combination of axis-aligned bounding boxes. If there are N bounding boxes in total in P, then the number of auxiliary symbols introduced by Algorithm 1 for P is bounded by \(O(N^3)\).

4 Implementation and Evaluation

We implemented a parser for access requests and policies in PAPL that can perform access control as outlined in Fig. 2. We also implemented the procedure that encodes policies and the constraints on the fresh symbols that represent random event probabilities (Algorithm 1), and a procedure for checking relative permissiveness based on this encoding. We use z3 [20] as the backend SMT solver for LIRA and the probabilistic programming language NumPyro [12, 45] as the backend for evaluating requests against policies.

To demonstrate the usefulness and practicality of the PAPL language, we present two case studies to show that a combination of symbolic and deterministic rules and the ability to reason about uncertainty could lead to better outcomes.

Threats to Validity and Limitations. Due to the lack of access policy datasets available to the public [22] and also the novel nature of our proposed policy language, we have considered synthetic access control scenarios and policies in the case studies. Although such practices are standard in access control literature [43, 44], this poses questions on whether the proposed solution is useful or performs as well in practice for real-world access control tasks. Also, we do not claim any contribution on the ML methods in this work. Thus, the ML model we have implemented in the case study might not be optimal for the datasets considered.

4.1 Case Study: Location-Based Access Control with Uncertainty

In this case study, we implement a system for location-based access control with WiFi-based indoor localization (see Sect. 2), using the PAPL policy language to account for uncertainty in the predictions of user location. The key question we want to answer here is RQ: Are PAPL policies more robust than deterministic policies for location-based access control?

Dataset and Probabilistic ML Models. We use a WiFi localization dataset [51] comprised of trajectories of cellphone positions in terms of latitude, longitude, and floor level, along with the RSSI collected from a fixed set of WAPs. We use Bayesian neural networks [27] to provide predictions of user location with uncertainty. We train three BNNs, predicting respectively the latitude, longitude, and floor level of the cellphone at each time step, given the observed RSSI as features. Each BNN model has two hidden layers of 128 and 64 units, and outputs both the mean and standard deviation of a prediction. The prior distribution of each network weight in the BNN models is initialized as a normal distribution N(0, 1). All BNN models are trained to optimize the evidence lower bound (ELBO) through stochastic variational inference (SVI).

Access Control Tasks and Policies. We consider two access control tasks: (1) allow the user when the user is probably in a space, and (2) deny the user when the user might be in a space. For both tasks, we assume it is desirable to have high accuracy (the proportion of correct access decisions among all decisions) and to err on the safe side. In other words, it is desirable to minimize the number of “false positives” in granting access, i.e., allowing what should have been denied, while not denying access too often to those who should have been allowed. For these tasks, we specify the following PAPL policies: “allow the user when the probability for the user to be in a bounding box (BB) exceeds 0.7”, and “deny the user when the probability for the user to be in a BB exceeds 0.2”. Further investigation is needed on how to set the probability thresholds optimally for each access control context and the particular probabilistic ML models used. In effect, the thresholds can be used to balance security and usability of the access control system, i.e., the number of “false positives” (FP) and “false negatives” (FN).

Experimental Setup. We randomly generate 300 axis-aligned BBs and assess the access decisions made by the PAPL policy and the deterministic policy. We approximate the probability for the user to be in a BB by the empirical frequency of the event “a prediction sampled from the posterior distribution of the BNN falls inside the BB” among 2000 samples. A deterministic policy language cannot make use of the uncertainty information; the best we can do is to compute the most probable location from the BNN’s predictions by taking the mean of all predictions, and check whether the mean location falls inside the BB.
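The following is an added example, not code from the paper or its implementation: it runs the two PAPL policies described above (allow when P[in BB] > 0.7, deny when P[in BB] > 0.2) and their deterministic mean-location counterparts over a trajectory, computing the event probability as the empirical frequency of posterior samples inside the box, and counts FPs and FNs under the definitions used in the results. The BNN posterior is replaced by constructed Gaussian samples around the true position; the function names, the `evaluate` harness and the trajectory are all assumptions for illustration.

```python
# Added example (not from the paper): Monte Carlo evaluation of the two PAPL
# location policies against a deterministic mean-point policy.  The BNN
# posterior is replaced by constructed Gaussian samples; all names are ours.
import random
from typing import Dict, List, Sequence, Tuple

Point = Tuple[float, float]              # (latitude, longitude)
Box = Tuple[float, float, float, float]  # (lat_min, lat_max, lon_min, lon_max)


def in_box(p: Point, bb: Box) -> bool:
    """Closed axis-aligned bounding-box membership test."""
    lat, lon = p
    lat_min, lat_max, lon_min, lon_max = bb
    return lat_min <= lat <= lat_max and lon_min <= lon <= lon_max


def event_probability(samples: Sequence[Point], bb: Box) -> float:
    """P[user in bb], estimated as the empirical frequency of the event
    'posterior sample falls inside bb' over the supplied samples."""
    return sum(in_box(s, bb) for s in samples) / len(samples)


def mean_location(samples: Sequence[Point]) -> Point:
    """Single point estimate: all a deterministic policy gets to see."""
    n = len(samples)
    return (sum(p[0] for p in samples) / n, sum(p[1] for p in samples) / n)


# Task 1 (allow-list): allow iff P[in bb] > 0.7.
# Task 2 (deny-list):  deny  iff P[in bb] > 0.2.
def papl_allow(samples: Sequence[Point], bb: Box, threshold: float = 0.7) -> bool:
    return event_probability(samples, bb) > threshold


def papl_deny(samples: Sequence[Point], bb: Box, threshold: float = 0.2) -> bool:
    return event_probability(samples, bb) > threshold


# Deterministic counterparts decide from whether the mean location is in bb.
def det_allow(samples: Sequence[Point], bb: Box) -> bool:
    return in_box(mean_location(samples), bb)


def det_deny(samples: Sequence[Point], bb: Box) -> bool:
    return in_box(mean_location(samples), bb)


def evaluate(truth: Sequence[Point], posteriors: Sequence[Sequence[Point]],
             bb: Box, task: int) -> Dict[str, Dict[str, float]]:
    """FP/FN counts and accuracy of both policies along one trajectory.
    Task 1: FP = allowed although truly outside bb; FN = denied although inside.
    Task 2: FP = not denied although truly inside bb; FN = denied although outside."""
    counts = {"papl": {"fp": 0, "fn": 0}, "det": {"fp": 0, "fn": 0}}
    for true_pos, samples in zip(truth, posteriors):
        inside = in_box(true_pos, bb)
        if task == 1:
            granted = {"papl": papl_allow(samples, bb), "det": det_allow(samples, bb)}
        else:  # a request is granted unless the deny rule fires
            granted = {"papl": not papl_deny(samples, bb), "det": not det_deny(samples, bb)}
        should_allow = inside if task == 1 else not inside
        for name, allowed in granted.items():
            counts[name]["fp"] += int(allowed and not should_allow)
            counts[name]["fn"] += int(not allowed and should_allow)
    for c in counts.values():
        c["accuracy"] = 1 - (c["fp"] + c["fn"]) / len(truth)
    return counts


def constructed_posterior(true_pos: Point, sigma: float, n: int,
                          rng: random.Random) -> List[Point]:
    """Stand-in for BNN posterior samples: isotropic Gaussian noise around the
    true position (constructed for this example, not the paper's model)."""
    return [(rng.gauss(true_pos[0], sigma), rng.gauss(true_pos[1], sigma)) for _ in range(n)]


if __name__ == "__main__":
    rng = random.Random(7)
    bb = (0.0, 1.0, 0.0, 1.0)
    # Constructed trajectory that skirts the box edge, where a point estimate is least reliable.
    truth = [(1.05 + 0.01 * i, 0.5) for i in range(20)] + [(0.95 - 0.01 * i, 0.5) for i in range(20)]
    posteriors = [constructed_posterior(p, 0.1, 2000, rng) for p in truth]
    for task in (1, 2):
        print(f"task {task}:", evaluate(truth, posteriors, bb, task))
```

The hand-built case in the test below is the situation the thresholds are meant to catch: only 30% of the posterior mass is inside the box, yet the mean of the samples lands inside it, so the deterministic allow policy grants access while the PAPL allow policy, requiring P > 0.7, does not.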

Results. The overall accuracies for deciding access rights on the test set using both PAPL policies (0.9778 for task 1, 0.9681 for task 2) and deterministic policies (0.9787 for task 1, 0.9787 for task 2) are high. We then focus on comparing the number of “false positives”. For task 1, an FP is a user location that is actually outside the allowing BB but is predicted to be in the BB and thus allowed by the access control system. For task 2, an FP is a user location that is actually inside the denying BB but is predicted to be outside and thus allowed by the system. The comparison of PAPL policies versus deterministic policies is shown in Fig. 4. Results show that, compared to a deterministic policy language, using PAPL leads to more robust access control without sacrificing usability, i.e., it reduces FPs while maintaining the overall accuracy of its decisions.

Fig. 4. PAPL vs deterministic policy in the number of FPs for the two tasks on a user trajectory. The first row visualizes results for task 1. In Fig. 4a, the x-axis is the difference in #FPs and the y-axis is the count of the BBs on which the deterministic versus PAPL policies exhibit that difference. Notably, for 2 BBs, using PAPL leads to more than 10 fewer FPs. Figures 4b and 4c visualize whether the system predicts a user location to be in the box (red cross) or not (blue dot), by the deterministic and PAPL policies, on the BB that yields the largest difference in FPs. Here all the points are actually outside the yellow box, so the fewer the red crosses the better. The second row similarly visualizes the comparison of FPs for task 2.

Latency in Making Access Decisions. We have observed that the current implementation of the access control system on a laptop needs up to a few seconds to evaluate an access request, which is inadequate for real-time access control. The main latency bottleneck is within the NumPyro programs that perform BNN inference and sampling to estimate random event probabilities. We have not tried to optimize the current proof-of-concept implementation for inference speed, and we conjecture that this overhead in performing access control could be reduced by running on customized hardware accelerators and by batch-processing access requests.

Scalability for Automated Reasoning. To demonstrate the scalability of the LIRA encoding procedure presented in Sect. 3 for reasoning about location policies, we create two PAPL policies that involve a variable number of BBs and record the time needed to prove relative permissiveness between these policies. Each policy is an allow policy containing a disjunction of bounding boxes. For “structured” comparisons, we generate the BBs and the policies such that one policy is guaranteed to be less permissive than the other. For “random” comparisons, we generate random BBs. The scaling of the average running time across 10 executions is shown in Fig. 5. It shows that the procedure usually finishes in a few minutes for policies involving up to a few thousand BBs on a MacBook Pro with an M1 Pro processor.

Fig. 5. Scalability for proving relative permissiveness of PAPL policies based on LIRA encodings.
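As an added example, not part of the paper and not its LIRA/SMT encoding, the block below makes the relative-permissiveness question concrete for the policy shape used in the scalability experiment: two allow policies, each a disjunction of closed axis-aligned bounding boxes. It decides "is every location allowed by A also allowed by B?" by a direct geometric check over the cells cut out by all box edges, and includes a constructed generator for "structured" pairs where one policy is guaranteed to be less permissive. Function names, the cell-centre algorithm and the generator are assumptions for illustration.

```python
# Added example (not from the paper): an exact relative-permissiveness check
# for two allow policies that are disjunctions of closed axis-aligned bounding
# boxes.  It is a direct geometric decision procedure, not the paper's LIRA/SMT
# encoding, and answers the same question: is every location allowed by policy
# A also allowed by policy B?  Names and the box generator are ours.
import time
from itertools import product
from typing import List, Optional, Sequence, Tuple

Box = Tuple[float, float, float, float]  # (lat_min, lat_max, lon_min, lon_max)
Policy = Sequence[Box]                   # allow iff the location lies in some box


def allows(policy: Policy, lat: float, lon: float) -> bool:
    return any(a <= lat <= b and c <= lon <= d for a, b, c, d in policy)


def permissiveness_witness(a: Policy, b: Policy) -> Optional[Tuple[float, float]]:
    """Return a location allowed by `a` but not by `b`, or None when `a` is at
    most as permissive as `b`.  The box edges of both policies cut the plane
    into open cells on which membership in every box is constant, so testing
    the centre of each cell is exact for boxes of positive extent (a cell's
    boundary is covered by any closed box that covers the cell's interior)."""
    boxes = [*a, *b]
    lats = sorted({v for box in boxes for v in box[:2]})
    lons = sorted({v for box in boxes for v in box[2:]})
    for (l0, l1), (m0, m1) in product(zip(lats, lats[1:]), zip(lons, lons[1:])):
        lat, lon = (l0 + l1) / 2, (m0 + m1) / 2
        if allows(a, lat, lon) and not allows(b, lat, lon):
            return lat, lon
    return None


def less_permissive(a: Policy, b: Policy) -> bool:
    """True iff `a` never grants a location that `b` would refuse."""
    return permissiveness_witness(a, b) is None


def structured_pair(n: int) -> Tuple[List[Box], List[Box]]:
    """Constructed 'structured' comparison: each box of A is a shrunken copy of
    a box of B, so A is guaranteed to be less permissive than B."""
    b = [(float(i), i + 1.0, 0.0, 1.0) for i in range(n)]
    a = [(x0 + 0.25, x1 - 0.25, y0 + 0.25, y1 - 0.25) for x0, x1, y0, y1 in b]
    return a, b


if __name__ == "__main__":
    for n in (10, 50, 100):
        a, b = structured_pair(n)
        t0 = time.perf_counter()
        assert less_permissive(a, b) and not less_permissive(b, a)
        print(f"{n:4d} boxes per policy: {time.perf_counter() - t0:.3f}s")
```

The returned witness is the useful artefact for a policy author: when the check fails it names a concrete location that one policy grants and the other refuses. The cell enumeration grows quadratically in the number of distinct box edges, with a linear scan of boxes per cell, so unlike the reported SMT-based procedure it is not meant to handle thousands of BBs; it is here to pin down what "less permissive" means for this policy shape.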

4.2 Case Study: Administering Deny-Lists for Machine Learning Based Access Control

For the second case study, we consider a problem that involves access control policy administration, in particular implementing a deny-list in a machine learning based access control (MLBAC) system. Specifically, we have an MLBAC system running, but we would like to change the access control rules so that certain accesses are denied when new requests are received. This problem is studied in the literature [43], and ML-based methods have been proposed to fulfill this requirement. The key research question is RQ: Can PAPL policies help reduce the number of mistakes made by MLBAC when implementing a deny-list?

Dataset and Preparation. We use the Amazon employee access challenge dataset [29] from Kaggle for the case study. This dataset requires ML models to use eight features (encoded as integers) to predict whether an Amazon employee should be granted access to some resource, and evaluates models using the AUC score, i.e., the area under the receiver operating characteristic (ROC) curve. We first divide the available data into training and testing sets. Since the integer features originally represent categorical variables, we apply target encoding on the training and test data. We notice that the dataset is highly imbalanced: the number of allowed accesses is much larger than the number of denied accesses, which might bias the ML models towards predicting accesses as allowed. Thus, we also perform random oversampling on the training data.

Experiments. For the three experiments, we inject three synthetic deny-lists on top of the original dataset. Each deny-list is a predicate over the attributes, for example the first deny-list can be written as

$$ \texttt {role\_family} = 19732 \vee \texttt {role\_rollup\_1} = 119062 \vee \texttt {role\_rollup\_2} = 118300 $$

where role_family, role_rollup_1, and role_rollup_2 are three features in access requests. A request is allowed only if it was allowed in the original dataset and is not covered by the synthetic deny-list. Our main goal for this policy administration task is to enforce the deny-list, i.e., deny access requests if they conform to the injected deny rules, but we also observe how the system performs on the entire modified dataset. We implemented a random forest classifier and a BNN that predicts the allow probability for binary classification, based on which we considered four access control systems, each trained from scratch for each experiment. In the following, RF refers to the random forest classifier baseline considered by previous MLBAC work [43]. PAPL refers to a PAPL policy that first checks the access request against a symbolic deny rule that implements the deny-list. If the request is not governed by that rule, the system computes the empirical frequency, among all BNN predictions, of sampling a predicted allow probability of more than 0.5, and allows the request if this frequency is greater than 0.8.
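The block below is an added example, not code from the paper or its implementation. It spells out the PAPL decision procedure just described for the deny-list case study: the symbolic deny rule (using the three attribute values quoted above) is evaluated first, and only requests it does not cover reach the probabilistic clause, which allows the request when the empirical frequency of BNN samples with allow probability above 0.5 exceeds 0.8. The requests, the per-sample probabilities standing in for BNN output, the majority-vote baseline and all function names are constructed assumptions; the baseline is not the paper's random forest.

```python
# Added example (not from the paper): PAPL-style decision procedure for the
# deny-list case study.  The deny rule uses the three attribute values quoted
# in the text; BNN outputs are replaced by constructed lists of per-sample
# allow probabilities.  Function names, requests and the baseline are ours.
from typing import Callable, Mapping, Sequence

Request = Mapping[str, int]

# Synthetic deny-list from the text: a disjunction of attribute equalities.
DENY_LIST = {
    "role_family": {19732},
    "role_rollup_1": {119062},
    "role_rollup_2": {118300},
}


def in_deny_list(request: Request) -> bool:
    """Symbolic rule: the request matches if any listed attribute takes a listed value."""
    return any(request.get(attr) in values for attr, values in DENY_LIST.items())


def allow_frequency(allow_probs: Sequence[float], cutoff: float = 0.5) -> float:
    """Empirical frequency, over BNN posterior samples, of the event
    'sampled allow probability exceeds cutoff'."""
    return sum(p > cutoff for p in allow_probs) / len(allow_probs)


def papl_decide(request: Request, allow_probs: Sequence[float],
                freq_threshold: float = 0.8) -> str:
    """Symbolic deny rule first, probabilistic clause second.  The model's
    output is never consulted for a request the deny rule covers, which is
    what turns deny-list enforcement into a guarantee rather than a learned
    tendency."""
    if in_deny_list(request):
        return "deny"
    return "allow" if allow_frequency(allow_probs) > freq_threshold else "deny"


def ml_only_decide(request: Request, allow_probs: Sequence[float]) -> str:
    """Constructed baseline with no symbolic rule: majority vote of the samples,
    a stand-in for any classifier that must learn the deny-list from data."""
    return "allow" if allow_frequency(allow_probs) > 0.5 else "deny"


def deny_list_false_positives(requests: Sequence[Request],
                              posteriors: Sequence[Sequence[float]],
                              decide: Callable[[Request, Sequence[float]], str]) -> int:
    """FPs within the deny-list: covered requests that were allowed anyway."""
    return sum(1 for r, probs in zip(requests, posteriors)
               if in_deny_list(r) and decide(r, probs) == "allow")


# Constructed requests (placeholder attribute values): the first two match the
# deny-list, the third does not.
REQUESTS = [
    {"role_family": 19732, "role_rollup_1": 1, "role_rollup_2": 2},
    {"role_family": 3, "role_rollup_1": 119062, "role_rollup_2": 118300},
    {"role_family": 3, "role_rollup_1": 1, "role_rollup_2": 2},
]
# Constructed BNN samples: a model fitted to the original data is confident all
# three requests should be allowed, so on its own it violates the new deny-list.
POSTERIORS = [[0.95] * 10, [0.9] * 9 + [0.3], [0.9] * 9 + [0.3]]

if __name__ == "__main__":
    print("ML-only FPs within deny-list:",
          deny_list_false_positives(REQUESTS, POSTERIORS, ml_only_decide))
    print("PAPL FPs within deny-list:",
          deny_list_false_positives(REQUESTS, POSTERIORS, papl_decide))
```

Two thresholds do different jobs here: the 0.5 cutoff turns each posterior sample into a vote, and the 0.8 frequency threshold demands that most of the posterior agrees before access is granted, so a request the model is split on (say 70% of samples above 0.5) is denied by PAPL even though a majority-vote baseline would allow it.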

Table 1. RF vs BNN based on AUC score.
Table 2. Comparing the number of FPs within the injected deny-list, the number of FPs and FNs on the entire test set with the injected deny-list, and the overall accuracy (percentage of correct predictions within the test set) for access control systems based on RF and PAPL using three experiments.

Results. Table 1 shows that in terms of AUC score for predicting access rights in this dataset, BNN offers comparable or even better predictions compared to RF. Table 2 shows that the PAPL-based access control system is effective in eliminating all false positives for the injected deny-list, and also for the whole synthetic dataset, at the cost of an increased number of FNs. A fundamental advantage of the PAPL-based access control system compared to RF is that the deny-list is guaranteed to be enforced correctly on all access requests. Also, as mentioned in the previous case study, we could adjust the probability thresholds in the policies to balance FPs and FNs in an interpretable way within the framework provided by PAPL.

5 Related Work

Reasoning About Policies. Automated reasoning about policies encodes policies as SMT formulas and then invokes an SMT solver such as Z3 [20] to prove properties of the policies [10, 22, 28, 32, 52]. Our work extends this scheme by presenting a way of encoding clauses involving probabilities into LIRA formulas.

Machine Learning for Access Control. In addition to traditional access control schemes, an alternative is to use machine learning to make access decisions [14, 18, 33, 35, 37, 43, 44]. The survey [42] offers a more comprehensive overview of this subject. The PAPL language offers an extension to existing MLBAC work by allowing policy writers to refer to the uncertainty in the ML predictions. Furthermore, PAPL allows combinations of ML models and traditional access policies, which is difficult to achieve in existing MLBAC methods.

Probabilistic Machine Learning. In certain application domains, it is important to capture uncertainty in the ML predictions [39]. Our work provides a method for using uncertainty in the particular domain of MLBAC, where knowledge about uncertainty in the ML models can be crucial in making more robust decisions. Within the realm of probabilistic (Bayesian) ML, it has been shown that Bayesian neural networks [27, 40] can effectively accumulate domain knowledge (from similar tasks) in their priors to yield good uncertainty estimates [36], and that they can produce more robust predictions for out-of-distribution data [40], making them good candidate models for access control systems based on PAPL.

Probability and Programming. Research on probabilistic programming languages (PPL) [8, 12, 13, 21, 45, 48] aims to bring probabilistic reasoning together with general-purpose programming paradigms. In particular, [13] presents a programming abstraction for representing and using uncertainty. In general, PPLs provide ways to specify probabilistic models, perform inference, and compute probabilities. Our work provides a scheme to compute and reason about probabilities in the context of access control, utilizing the capabilities of an existing PPL, NumPyro [12].

Access Control. Location-based [6, 7, 17, 30], risk-based [16, 35], and context-aware [31, 47, 50] access control paradigms involve uncertain information, and are useful for different application domains, including augmented reality (AR) devices and applications. PAPL could be used to implement these paradigms as long as the uncertain information involved in access control can be expressed as probabilities of random events.