Abstract
Existing access policy languages like Cedar equipped with SMT-based automated reasoning capabilities are effective in providing formal guarantees about the policies. However, this scheme only supports access control based on deterministic information. Observing that certain information useful for access control can be described by random variables, we are motivated to develop a new paradigm of access control in which access policies contain rules about uncertainty, or more precisely, probabilities of random events. To compute these probabilities, we rely on probabilistic programming languages. Additionally, we show that the probabilistic part of these policies can be encoded in linear real arithmetic, which enables practical automated reasoning tasks such as proving relative permissiveness between policies. We demonstrate the advantages of the proposed probabilistic policies over the existing paradigm through two case studies on real-world datasets with a prototype implementation.
Keywords
- access policy
- access control
- domain-specific language
- probability theory
- uncertainty
- automated reasoning
- SMT
1 Introduction
Policy-based access control is used by major cloud service providers such as Amazon Web Services, so customers must write correct access policies to secure their services and data. Incorrectly specified policies have led to major issues such as the exposure of private data [2, 4], which motivates research on automated reasoning techniques that can identify issues with the policies automatically [9, 10, 22]. It has been shown that SMT-based techniques are effective in detecting issues in real policies and in formally verifying properties of access policies. In the current access control and SMT-based policy verification paradigm, access decisions are made based on deterministic information in access requests, such as user identity, role, IP address, or other attributes. For example, we could implement an access policy that only allows an access request if it comes from a certain IP range.
Emerging application domains call for new schemes of access control that consider uncertainty; e.g., augmented reality (AR) applications have raised security and privacy concerns in a unique context [5, 15, 19, 46]. In addition to deterministic attributes, prior work has explored access control based on information such as user location [6, 7, 17, 30] or the type of environment the user is currently in [47]. For example, one might want to disable video recording features when entering private property, or when the user appears to be in a sensitive or private space such as a restroom. Information like the precise indoor location of the user, or the type of room the user currently occupies, is usually not readily available to the access control system as a deterministic attribute. It could be supplied by annotating rooms with posted QR codes or wireless signaling [47], yet a more natural and general method is to infer it from observations such as video streams or other sensor readings using techniques like simultaneous localization and mapping (SLAM) [41] and scene classification [47]. Uncertainty is inherent to these inference processes and should be taken into account when such information is evaluated for the purpose of access control. In this work, we consider such uncertain attributes to be supplied as random variables drawn from a probability distribution. Methods that provide such distributions include Bayesian filters, which estimate a probability density function over time from observations and a process model, and probabilistic (Bayesian) machine learning, a machine learning (ML) framework that combines ML techniques with Bayesian methods in order to reason about uncertainty. In particular, Bayesian neural networks (BNNs) [27, 40] can be viewed as a generalization of ordinary neural networks with stochastic weights learned in a Bayesian paradigm, which yields predictions together with the uncertainty associated with those predictions.
Enriching current policy languages with the notion of uncertainty represented by probabilities is also beneficial when incorporating machine learning based access control (MLBAC) [14, 18, 33, 35, 37, 43, 44] into the current policy-based access control paradigm. MLBAC uses ML models to implement access control systems that learn from data such as access logs, which offers an alternative to the potentially costly and error-prone process of manual policy engineering [11, 23, 49]. However, MLBAC poses new challenges in interpretability, policy adaptability [43], and formal guarantees of correctness. Based on the Bayesian interpretation of probability as degree of belief that an ML prediction is correct, we can think of the following scenarios where MLBAC could benefit from our proposed policy language equipped with probabilities:
1. We can consider only trusting the ML predictions for access rights if the amount of uncertainty in their predictions is low, which would be useful to guard against out-of-distribution access requests.
2. ML could be used along with traditional policy-based approaches for various decision problems. In certain applications such as spam filtering or firewalls, we can maintain deterministic and explicit rules that encode the allow-lists and deny-lists created by the user, and let an ML model decide what to do with the rest. Using our proposed policy language, one can encode all these rules into one policy so that we can automatically reason about their combined effects.
3. We might want to write policies that reflect our prior knowledge of the problem and combine existing models. For example, consider a scenario where access rights of company employees depend on the role \(r = 1, \dots , n\) of the employee and we have trained n ML models \(M_1, \dots , M_n\) that predict access rights for employees with each role. It might be infeasible to retrain a large ML model that works well for all roles, due to not having access to historic access data, or the insufficient amount of data for each role. Using our proposed policy language, one can create a set of n allow policies “allow if the user has role r and \(M_r\) predicts allow with low uncertainty”. Furthermore, one could even deploy a hierarchical prediction model that predicts the role r first, and grants access if all probabilistic ML predictions have low uncertainty.
The aforementioned paradigms require us to enrich the semantics of our policy languages with a notion of uncertainty that is absent from current languages such as Cedar [1] or XACML [3, 52]. We thus introduce a new probabilistic access policy language, PAPL, with the intuition that some access rules are best implemented using the traditional, deterministic rule-based access control scheme, while other rules may benefit from the capability of specifying the probability of random events, i.e., predicates over variables whose values are sampled from some probability distributions. The idea of combining symbolic and probabilistic/neural reasoning is not new, and has been studied extensively in many adjacent fields like neurosymbolic reasoning [24, 25] or statistical relational learning [8, 26]. Our work specifically focuses on adapting this philosophy to the application domain of access control, and on enabling automated reasoning to formally verify properties of the resulting probabilistic access policies. The theory of probability normally requires nonlinear reasoning, and it is not immediately clear whether we can implement practical SMT-based automated reasoning procedures for these policies. The key observation here is that we need an “interface” for the probabilistic part of the policy that restrains the form of probabilities that can be specified, so that we can reason about them using linear arithmetic. Specifically, we achieve this by allowing deterministic rules that involve probabilities of random events defined by logical formulas, rather than probabilistic policies, which allows us to capture the semantics of the probability axioms using linear arithmetic reasoning.
We implemented a prototype system that can parse and evaluate access requests against PAPL policies, and a sound and complete encoding of PAPL policies into linear integer and real arithmetic (LIRA) for automated reasoning with SMT solvers. We demonstrate the practicality of the language through two case studies, focusing on the potential improvement it could bring over MLBAC and existing deterministic policy languages.
The rest of the paper is organized as follows: an overview of the access control process with PAPL policies (Sect. 2), the formalization of PAPL and the encoding of policies into SMT formulas (Sect. 3), implementation details and case studies (Sect. 4), and finally related work (Sect. 5).
2 Overview of the Probabilistic Access Control Paradigm
In this section, we provide intuitions on the semantics of PAPL access policies and the automated reasoning process through a hypothetical use case. Consider AR3D, an augmented reality (AR) service for AR glasses, that renders user-defined virtual objects and also provides an indoor navigation service akin to GPS-based applications like Apple Maps or Google Maps. These functionalities involve potentially private or proprietary virtual objects, visual features of the environment, and other sensitive data. This information could be safeguarded by location-based access control [6, 7, 17, 30], just as comparable information is secured through physical access control in the real world. The access control system infers the user’s location based on sensor data and checks access rights against the relevant access policies accordingly.
Access Control Requirements. Imagine a company M wants to implement an access policy such that only its employees can use AR3D within its buildings, also excluding private areas like restricted offices or conference rooms. Traditional methods like GPS are inadequate for indoor localization; instead, AR3D employs WiFi-based localization using the received signal strength indicator (RSSI) from wireless access points (WAPs). This localization procedure, effectively a regression problem in a high-dimensional space that involves complex nonlinearity, is usually implemented using ML. Here we suppose that a probabilistic ML model nondeterministically predicts the user location, and the variance in its predictions can be seen as a measure of uncertainty. We visualize the uncertain predictions of a user trajectory using a model trained on a real-world indoor localization dataset [51] in Fig. 1. Given the variance in the predictions, considering uncertainty when making access decisions is essential for the robustness of the access control system. PAPL addresses this by enabling access policies to define access rights while referring to the probability that a user is in some space. This approach is intuitively more robust than the deterministic predicate “the mean predicted location of the user is in some space”, since the mean can be affected by extreme values, and two predictions with the same mean but different variance can be treated differently by the access control system (in Sect. 4 we demonstrate that this can indeed be useful).
Evaluating Access Requests. When a user Alice requests access to some resource M::internal::data::visual, the access control system constructs an access request by collecting relevant attributes from the user. Here, suppose that the system collects a boolean indicating whether Alice is an M employee, and a vector of the RSSI for each WAP. The system then invokes the trained probabilistic ML models to infer the 3D location of the user. The outputs of these models are probability distributions (essentially conditioned on the training data and observations), e.g., PredictX.posterior(rssi), and the predicted location of the user is modeled as random variables x, y, z sampled from these distributions. This access request is given in Fig. 2c. After the access request is constructed, it is evaluated against all relevant policies that may apply. Suppose that Figs. 2a and 2b are the only two relevant policies. To evaluate against these policies, the system needs to calculate probabilities of random events based on the a posteriori knowledge about the user location given in the access request. The system synthesizes a NumPyro program to estimate the probabilities (Fig. 2d) for all random events that appear in the policies. This program is constructed to collect the source code of the probabilistic ML model (in this case PredictX), run a large number of inferences given a new observation (the rssi vector), assign values to variables based on the information given in the access request context, and count how many times the boolean predicates that correspond to the random events in the policies evaluate to true in order to estimate the probabilities of these events.
Automated Reasoning. Over time, the company M and other users may have implemented complicated access policies that involve various buildings and spaces owned by M and other parties. Suppose that M wants formal guarantees that other existing allow policies in the system do not conflict with the company policy on its buildings, e.g., that they do not allow principals without the isMEmployee attribute to access any portion of the buildings that M owns. This can be ensured by encoding the relevant policies into SMT formulas and invoking SMT solvers to do automated reasoning, which we cover in the next section.
Threat Model. In this work, we focus on the semantics and automated verification of probabilistic access policies. We thus assume that the device that collects attributes such as RSSI is uncompromised and trusted; that the access policies are authentic; that all communications are properly protected by cryptographic protocols; and that the procedures, including ML inference, the construction of NumPyro programs, and the evaluation of policies, are all executed on a trusted and secure server.
3 Formalization and SMT Encoding of PAPL Policies
In this section, we first define the formal syntax and semantics of requests and PAPL policies. Then we present a sound and complete encoding of PAPL policies into linear arithmetic formulas, and discuss how this could be useful to formally prove properties of policies.
3.1 Syntax and Semantics of Access Requests and Policies
Encoding of String Literals. Handling string literals and encoding conditions involving predicates on strings is not central to this work. To simplify the presentation, we assume all string literals are encoded as integers, and attributes including Principal, Action, and Resource are encoded as integer-typed variables. This limitation is not fundamental to the constructions in this paper, and possible extensions to other SMT theories including strings have been explored by previous work [10].
Example 1
For the rest of this section, we assume the following integer encoding of string literals:
Access Requests. The syntax of access requests is given in Fig. 3a, assuming the encoding for string literals has been applied. A request is parsed into a 4-tuple \(\langle R_P, R_A, R_R, (M, D) \rangle \) containing information for Principal, Action, Resource, and Context. The Context part contains a map M from deterministic variables to their values, and the field D is a joint distribution from which the random variables are drawn. Since attributes like Principal are also deterministic variables, we merge these into M and simply write (M, D) to represent an access request.
Example 2
Figure 2c gives a request (M, D) where M contains a boolean attribute \(\texttt {isMEmployee} \mapsto \top \), and three integer attributes \( principal \mapsto 0\), \( action \mapsto 1\), and \( resource \mapsto 2\). D gives the predicted user location as continuous, real-typed, independent random variables x, y, z, e.g., prediction for dimension x is given by a probabilistic ML model that takes as input \(\texttt {rssi}\) and generates predictions by sampling from a posterior distribution PredictX(rssi).
Random Events. Syntax for random events e is given in Fig. 3b. Each event is a ground LIRA formula \(e(V \cup X)\) over a set of free deterministic variables V and a set of free random variables X. Given a map M containing valuations of all deterministic variables in e and a probability distribution D from which all random variables in e are drawn, we use the notation \(e[v \mapsto M[v]: v \in \textit{dom}(M)]\), or more succinctly e[M], to denote the formula obtained by substituting every variable of e that appears in M with its valuation. Assuming this substitution, we use \(\Pr _{X \sim D}[e[M] = \top ]\) to denote the probability that the random event evaluates to true when the random variables X are drawn from the distribution D.
Example 3
The random event \(e_1\) in Fig. 2a is given by the formula
where x, y, z are real-typed free random variables (M.building1.xmin, etc. are real constants).
Probability Distributions. In this work, instead of pursuing a measure-theoretic formalization, we regard a probability distribution \(\mathcal {D}\) as a function that maps random events described by LIRA formulas to rational numbers in [0, 1]. More concretely, given a set of arbitrary LIRA formulas \(F = \{e_1, \dots , e_n\}\), let \(U = \{ f_1 \wedge \dots \wedge f_n : f_i \in \{e_i, \lnot e_i\}\}\) be the set of all random events whose probabilities we care about. We require that the distribution \(\mathcal {D}\) satisfies (cf. the Kolmogorov axioms of probability [34])
Access Policies. Full syntax for PAPL access policies is given in Fig. 3b. An access policy is parsed into a 5-tuple \(P = \langle E, V_P, V_A, V_R, C \rangle \). The Effect E indicates whether a policy is an allow or deny policy. The fields \(V_P, V_A, V_R\) represent Principal, Action, and Resource. Notably, C describes the Condition under which this policy takes effect, represented by an LIRA formula with an uninterpreted function that intends to represent the probability of random events. For convenience, we define a procedure \(\textit{randEvents}(P)\) that extracts the set of all random events mentioned in P, i.e., all e such that P contains an expression in its Condition field. We define \(\mathcal {I}\llbracket C\rrbracket (M, D)\), or the interpretation of some condition formula C given access request \(R = (M, D)\) as follows. Let the interpretation of the function symbol for some random event \(e(V \cup X)\) be
while the interpretation \(\mathcal {I}\llbracket \cdot \rrbracket \) of the other constructs in C is defined as if we were interpreting an LIRA formula according to an LIRA model M. We further define \(\mathcal {I}\llbracket P\rrbracket (M, D)\), the interpretation of a (deny or allow) policy P given request \(R =(M, D)\), as
where the second clause of the conjunction simply checks whether the principal, action, and resource fields in the policy match the request. We say a policy P applies to a request \(R= (M, D)\) if \(\mathcal {I}\llbracket P\rrbracket (M, D)\) is true. An access request R is allowed by a set of policies S (denoted by \(R \models S\)) if and only if some allow policy in S applies to R and no deny policy in S applies to R [10].
Probabilistic Programs. Let E be a set of random events, \(R = (M, D)\) be a request. A probabilistic program \(\mathcal{P}\mathcal{P}(E, R)\) estimates (or computes symbolically) the probability of random events in E given R. More precisely, it returns a mapping \(PP(\cdot )\) from E to a rational number in [0, 1] such that for each \(e \in E\)
We mostly take a black-box view of probabilistic programs in this work. In practice, the probabilistic program may be implemented by either symbolic methods such as the sum-product probabilistic language (SPPL) [48] or sampling-based methods such as discrete Gibbs sampling or Mixed-HMC [38, 53]. For the access control use cases (Sect. 4), it is difficult to train an SPPL model that performs as well as more expressive models like BNNs. We note, however, that if the distribution from which the random variables are sampled can be written as an SPPL program, then SPPL queries compute the probability of any random event exactly [48]. The sampling-based methods only require that we can sample from the distribution \(\mathcal {D}\).
3.2 Automated Reasoning About Policies with Probabilities
Having defined the semantics of access requests and policies, we now encode policies as SMT formulas to enable automated reasoning about their behaviors. For a policy \(P = \langle E, V_P, V_A, V_R, C \rangle \), we define its LIRA encoding \(\llbracket P\rrbracket \) as
For \(\llbracket V_P\rrbracket \), we introduce a fresh integer symbol \( principal \) and define
The encodings \(\llbracket V_A\rrbracket , \llbracket V_R\rrbracket \) are defined similarly. To define \(\llbracket C\rrbracket \), we first introduce a fresh real symbol \( prob _e\) for each \(e \in \textit{randEvents}(P)\) and then define \(\llbracket C\rrbracket \) as the formula C with every uninterpreted function term for the probability of e substituted with \( prob _e\). The combined effect of a set of policies S is described by the formula [10]
Example 4
The LIRA encodings for the allow and deny policies in Fig. 2a and 2b are written as formulas \(P_1\) and \(P_2\), where
The effect of these two policies is encoded by \(P_1 \wedge \lnot P_2\).
The LIRA encoding \(\llbracket P\rrbracket \) above simply introduces fresh real symbols \( prob _e\) for the event probabilities in P but ignores the fact that these are probabilities of events that might relate to each other in nontrivial ways. For example, given that \(\Pr [x \ge 1 \wedge y = 0] \ge 0.5\), we should be able to deduce \(\Pr [x \ge 0 \wedge y \ge 0] \ge 0.5\) according to the probability theory axioms. Algorithm 1 describes a procedure for discovering additional constraints these probabilities must satisfy. The algorithm works by computing a set U containing the probability of disjoint events, and then decomposing the probability \( prob _e \) for each random event \(e \in \textit{randEvents}(P)\) as a sum of elements in U.
Example 5
Consider a bijective map between events and symbols \(K = \{ (x < l \vee x \ge r) \leftrightarrow prob _1, (m \le x < r) \leftrightarrow prob _2\}\) and an LIRA formula \(C = l \le r \wedge prob _1 \ge 0.6 \wedge (l \le m \le r) \wedge prob _2 > 0.5\), where l, m, r are real-typed deterministic variables and x is a real-typed random variable. Let \(e_1 = (x < l \vee x \ge r), e_2 = (m \le x < r)\). Given as input (K, C), Algorithm 1 enumerates the combinations \(\{e_1 \wedge e_2, \lnot e_1 \wedge e_2, e_1 \wedge \lnot e_2, \lnot e_1 \wedge \lnot e_2\}\) and finds out that only \(e_1 \wedge e_2\) is UNSAT given C. The algorithm returns a set of symbols that represents probabilities of disjoint events \(U = \{u_1, u_2, u_3\}\) and a constraint on the probabilities \(Q = 0 \le u_1 \le 1 \wedge 0 \le u_2 \le 1 \wedge 0 \le u_3 \le 1 \wedge u_1 + u_2 + u_3 = 1 \wedge prob _1 = u_1 \wedge prob _2 = u_2\).
Denotation of Policies. Following previous work [9], we define the denotation of a policy set S as the set of requests it allows: \(\gamma (S) \triangleq \{R : R \models S\}\). Consider an LIRA formula F(Y, X, U) over sets of variables \(Y, X, U = \{u_1, \dots , u_N\}\), and a bijective map \(K: E \rightarrow Y\) that maps a set of random events E to a set of real symbols Y that represent their probabilities, where every \(e \in E\) is a ground formula over a set of deterministic variables V and random variables X. For any \(y \in Y\), let \(K^{-1}_y\) be the random event whose probability is represented by y. We define an abstract denotation \(\gamma ^{\sharp }(F, K)\) as a set of requests (M, D) such that the domain of M is V and
holds. Intuitively, each symbol \(y \in Y\) is intended to represent the probability of some random event, and F includes constraints on the auxiliary variables \(u_1, \dots , u_N\) and \(y \in Y\) so that they behave like probabilities.
We now prove the soundness and completeness of our encoding algorithm (Algorithm 1).
Theorem 1
(Correctness of LIRA encoding). Consider a policy P with LIRA encoding \(\llbracket P\rrbracket \). Let E be the set of random events in P. Let K be a bijective map such that \(e \mapsto prob _e\), where \( prob _e\) is the symbol introduced in the encoding \(\llbracket P\rrbracket \) for the probability of \(e \in E\). Let \(U, Q = \texttt {constraints}(K, \llbracket P\rrbracket )\) and \(U = \{u_1, \dots , u_N\}\). Then \(\exists u_1, \dots , u_N. (\llbracket P\rrbracket \wedge Q)\) is satisfiable modulo LIRA if and only if there exists a request (M, D) such that \((M, D) \models P\).
Corollary 1
Given a set of policies \(S = \{P_1, \dots , P_n\}\). Let E be the set of all random events that appear in S. Let K be a bijective map from E to the set of probability symbols introduced in \(\llbracket S\rrbracket \). Then
where \(U, Q = \texttt {constraints}\left( K, \llbracket S\rrbracket \right) \).
Given Corollary 1, we can reason about the set of requests allowed by a policy P through an SMT formula, fulfilling the requirements laid out in Sect. 2. Suppose we want to prove that a user policy \(P_1\) is not more permissive than some company policy \(P_2\), i.e., \(\gamma (P_1) \subseteq \gamma (P_2)\). We first construct K, a bijective map between the random events in \(P_1\) and \(P_2\) and the symbols introduced in their encodings \(\llbracket P_1\rrbracket \) and \(\llbracket P_2\rrbracket \). Letting \(U, Q = \texttt {constraints}(K, \llbracket P_1\rrbracket \wedge \lnot \llbracket P_2\rrbracket )\), we check whether \(\llbracket P_1\rrbracket \wedge \lnot \llbracket P_2\rrbracket \wedge Q\) is unsatisfiable using an LIRA theory solver.
Example 6
Consider policies with non-trivial conditions and , for which a bijective map \(K = \{ (x < l \vee x \ge r) \leftrightarrow prob _1, (m \le x < r) \leftrightarrow prob _2\}\) could be constructed along with the encodings \(\llbracket P_1\rrbracket = l \le r \wedge prob _1 \ge 0.6 \) and \(\llbracket P_2\rrbracket = \lnot (l \le m \le r) \vee prob _2 \le 0.5\). We construct \(C = \llbracket P_1\rrbracket \wedge \lnot \llbracket P_2\rrbracket \) and obtain \(U, Q = \texttt {constraints}(K, C)\) as in Example 5. Then
which is unsatisfiable modulo LIRA, since \( prob _1 + prob _2 = u_1 + u_2 \le 1\) by the last line of the formula but that contradicts the first two lines. We have thus proved that policy \(P_1\) is not more permissive than \(P_2\).
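The following is an added example for this page, not the paper's prototype. It implements the core of Algorithm 1 (Example 5) and emits the relative-permissiveness query of Example 6 as SMT-LIB text, for the special case that Theorem 2 and the Sect. 4 case study care about: events that are boolean combinations of axis-aligned boxes with constant bounds. Because the bounds are constants, the SMT satisfiability check that Algorithm 1 performs on each sign combination is replaced here by an exact enumeration of the cells of the box arrangement (a box predicate is constant between consecutive breakpoints and at each breakpoint, which is also where the \(O(N^3)\) bound comes from). The event-tuple syntax, the names `constraints` and `permissiveness_query`, and the closed-box restriction (no strict bounds, so Example 5's \(x < l \vee x \ge r\) becomes \(x < 1 \vee x > 3\) below) are assumptions of this example; the emitted script is meant to be handed to an external LIRA solver such as z3.

```python
"""Algorithm 1 for constant-bound box events, plus SMT-LIB emission of the
relative-permissiveness query.  Example code for this page, not the paper's
implementation."""
from itertools import product

# Assumed event syntax (nested tuples):
#   ("box", {"x": (lo, hi), ...})  closed box over any subset of axes
#   ("and", e1, e2, ...), ("or", e1, e2, ...), ("not", e)

def holds(event, point):
    """Evaluate an event at a concrete point (dict axis -> coordinate)."""
    kind = event[0]
    if kind == "box":
        return all(lo <= point[a] <= hi for a, (lo, hi) in event[1].items())
    if kind == "and":
        return all(holds(e, point) for e in event[1:])
    if kind == "or":
        return any(holds(e, point) for e in event[1:])
    if kind == "not":
        return not holds(event[1], point)
    raise ValueError(kind)

def _breakpoints(event, acc):
    if event[0] == "box":
        for a, (lo, hi) in event[1].items():
            acc.setdefault(a, set()).update((lo, hi))
    else:
        for e in event[1:]:
            _breakpoints(e, acc)
    return acc

def representative_points(events):
    """One point per cell of the arrangement of all box faces: every
    breakpoint, the midpoint between consecutive breakpoints, and one point
    beyond each end.  Box predicates are constant on each such cell, so a
    conjunction of literals is satisfiable iff it holds at one of these."""
    acc = {}
    for e in events:
        _breakpoints(e, acc)
    per_axis = {}
    for a, bs in acc.items():
        bs = sorted(bs)
        cands = [bs[0] - 1.0, bs[-1] + 1.0]
        for i, b in enumerate(bs):
            cands.append(b)
            if i + 1 < len(bs):
                cands.append((b + bs[i + 1]) / 2.0)
        per_axis[a] = cands
    axes = sorted(per_axis)
    return [dict(zip(axes, vals)) for vals in product(*(per_axis[a] for a in axes))]

def constraints(K):
    """Algorithm 1: K maps probability symbol -> event.  Returns (U, dec):
    U lists fresh symbols u_i, one per satisfiable sign combination (disjoint
    events); dec[prob] lists the u_i whose combinations imply prob's event,
    i.e. prob = sum(dec[prob]) in the constraint Q."""
    names = list(K)
    events = [K[n] for n in names]
    points = representative_points(events)
    U, dec = [], {n: [] for n in names}
    for signs in product((True, False), repeat=len(names)):
        if any(all(holds(e, p) == s for e, s in zip(events, signs)) for p in points):
            u = f"u{len(U) + 1}"
            U.append(u)
            for n, s in zip(names, signs):
                if s:
                    dec[n].append(u)
    return U, dec

def q_smtlib(U, dec):
    """The constraint Q of Algorithm 1 as SMT-LIB assertions."""
    lines = [f"(declare-const {u} Real)" for u in U]
    lines += [f"(declare-const {p} Real)" for p in dec]
    lines += [f"(assert (and (<= 0 {u}) (<= {u} 1)))" for u in U]
    total = U[0] if len(U) == 1 else f"(+ {' '.join(U)})"
    lines.append(f"(assert (= {total} 1))")
    for p, us in dec.items():
        rhs = "0" if not us else us[0] if len(us) == 1 else f"(+ {' '.join(us)})"
        lines.append(f"(assert (= {p} {rhs}))")
    return lines

def permissiveness_query(K, cond1, cond2):
    """Script for 'P1 is not more permissive than P2': unsat iff
    gamma(P1) is a subset of gamma(P2).  cond1/cond2 are the SMT-LIB
    condition encodings over the symbols in K (deterministic
    principal/action/resource parts assumed to match already)."""
    U, dec = constraints(K)
    lines = ["(set-logic QF_LRA)"] + q_smtlib(U, dec)
    lines.append(f"(assert (and {cond1} (not {cond2})))")
    lines.append("(check-sat)")
    return "\n".join(lines)

if __name__ == "__main__":
    # Closed-box analogue of Example 5/6: e1 = x outside [1,3], e2 = x in [2,3].
    K = {"prob_1": ("not", ("box", {"x": (1.0, 3.0)})),
         "prob_2": ("box", {"x": (2.0, 3.0)})}
    print(permissiveness_query(K, "(>= prob_1 0.6)", "(<= prob_2 0.5)"))
```

Running the script prints a QF_LRA problem in which only three `u` symbols appear, because the combination e1 ∧ e2 is excluded, and `prob_1 = u1`, `prob_2 = u2`, `u1 + u2 + u3 = 1`; a solver reports `unsat` for the appended `prob_1 >= 0.6 ∧ prob_2 > 0.5` exactly as argued in Example 6. For a policy over N three-dimensional boxes, `representative_points` enumerates at most \((2N+1)^3\) cells, which is the quantity bounded in Theorem 2.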
In the worst case, Algorithm 1 introduces \(2^n\) additional real symbols when there are n random events in a policy P, resulting in large SMT formulas. Here we show that the number of additional auxiliary symbols will not be too large for particular kinds of condition formulas that are useful for reasoning about PAPL policies that implement location-based access control.
Theorem 2
Given a policy P such that every probability term refers to the probability for a point to be in a 3D space represented by a boolean combination of axis-aligned bounding boxes. If there are N bounding boxes in total in P, then the number of auxiliary symbols introduced in Algorithm 1 for P is bounded by \(O(N^3)\).
4 Implementation and Evaluation
We implemented a parser for access requests and policies in PAPL that can perform access control as outlined in Fig. 2. We also implemented the procedure that encodes policies and the constraints on the fresh symbols that represent random event probabilities (Algorithm 1), and a procedure for checking relative permissiveness based on this encoding. We use z3 [20] as the backend SMT solver for LIRA and NumPyro [12, 45] as the backend probabilistic programming language for evaluating requests against policies.
To demonstrate the usefulness and practicality of the PAPL language, we present two case studies showing that a combination of deterministic symbolic rules and probabilistic rules, together with the ability to reason about uncertainty, can lead to better outcomes.
Threats to Validity and Limitations. Due to the lack of publicly available access policy datasets [22] and the novel nature of our proposed policy language, we have considered synthetic access control scenarios and policies in the case studies. Although such practice is standard in the access control literature [43, 44], it raises the question of whether the proposed solution is as useful, or performs as well, on real-world access control tasks. Also, we do not claim any contribution on the ML methods in this work; the ML models we have implemented in the case study might not be optimal for the datasets considered.
4.1 Case Study: Location-Based Access Control with Uncertainty
In this case study, we implement a system for location-based access control using WiFi-based indoor localization (see Sect. 2) in the PAPL policy language, taking into account the uncertainty in the predictions of user location. The key question we want to answer here is RQ: Are PAPL policies more robust than deterministic policies for location-based access control?
Dataset and Probabilistic ML Models. We use a WiFi localization dataset [51] comprising trajectories of cellphone positions in terms of latitude, longitude, and floor level, along with the RSSI collected from a fixed set of WAPs. We use Bayesian neural networks [27] to provide predictions of user location with uncertainty. We train three BNNs, predicting the latitude, longitude, and floor level of the cellphone at each time step, respectively, given the observed RSSI as features. Each BNN model has two hidden layers of 128 and 64 units, and outputs both the mean and the standard deviation of a prediction. The prior distribution of each network weight in the BNN models is initialized as a normal distribution N(0, 1). All BNN models are trained to optimize the evidence lower bound (ELBO) through stochastic variational inference (SVI).
Access Control Tasks and Policies. We consider two access control tasks: (1) allow the user when the user is probably in a space, and (2) deny the user when the user might be in a space. For both tasks, we assume it is desirable to have high accuracy (the proportion of correct access decisions among all decisions), and err on the safe side. In other words, it is desirable to minimize the number of “false positives” in granting access, i.e., allowing what should have been denied, while not denying access too often for those that should have been allowed. For these tasks, we specify the following PAPL policies “allow the user when the probability for the user to be in a bounding box (BB) exceeds 0.7”, and “deny the user when the probability for the user to be in a BB exceeds 0.2”. Further investigation is needed for how to set the probability thresholds optimally for each access control context and the particular probabilistic ML models used. Basically, the thresholds could be used to balance security and usability of the access control system, i.e., the number of “false positives” (FP) and “false negatives” (FN).
Experimental Setup. We randomly generate 300 axis-aligned BBs and assess the access decisions made by the PAPL policy and the deterministic policy. We approximate the probability for the user to be in a BB by the empirical frequency of the event “predictions sampled from the posterior distribution of the BNN fall inside a BB” among 2000 samples. For a deterministic policy language, we could not make use of the uncertainty information and the best we could do is to compute the most probable location given the BNN’s predictions by taking the mean of all predictions, and check if the mean location falls inside the BB.
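To make the evaluation semantics of Sect. 3.1 and the two threshold policies of this case study concrete, here is an added example for this page (not the paper's prototype and not its NumPyro programs). It estimates event probabilities as empirical frequencies over posterior samples, applies the rule that a request is allowed iff some allow policy applies and no deny policy applies, and runs the deterministic mean-location baseline described above on the same samples. The posterior is stood in for by independent Gaussians with a constructed mean and standard deviation, the building and restricted-office boxes are constructed, and the Python encoding of events and policies is an assumption; the 0.7 allow and 0.2 deny thresholds are those stated in the text.

```python
"""PAPL-style evaluation by sampling versus the mean-location baseline.
Example code for this page, not the paper's prototype."""
import random

# Constructed geometry (arbitrary units): the building is the unit cube and a
# restricted office is the slab 0.8 <= x <= 1.0 inside it.
BUILDING = {"x": (0.0, 1.0), "y": (0.0, 1.0), "z": (0.0, 1.0)}
RESTRICTED = {"x": (0.8, 1.0)}

def in_box(point, box):
    """Closed axis-aligned box membership; axes absent from `box` are free."""
    return all(lo <= point[a] <= hi for a, (lo, hi) in box.items())

# Random events: predicates over the deterministic map M and one posterior sample.
EVENTS = {
    "in_building": lambda M, s: in_box(s, BUILDING),
    "in_restricted": lambda M, s: in_box(s, RESTRICTED),
}

# Policies as (effect, scope over M, condition over M and estimated probabilities),
# mirroring "allow if Pr[in BB] > 0.7" and "deny if Pr[in BB] > 0.2" of Sect. 4.1.
POLICIES = [
    ("allow", lambda M: M["isMEmployee"], lambda M, p: p["in_building"] > 0.7),
    ("deny", lambda M: True, lambda M, p: p["in_restricted"] > 0.2),
]

def gaussian_samples(rng, mean, sd, n):
    """Stand-in for PredictX/Y/Z.posterior(rssi): n independent location draws."""
    return [{a: rng.gauss(mean[a], sd) for a in mean} for _ in range(n)]

def estimate_probabilities(events, M, samples):
    """The probabilistic program PP(E, R): Pr[e] is approximated by the fraction
    of posterior samples on which the predicate of e (closed over M) holds."""
    return {name: sum(1 for s in samples if pred(M, s)) / len(samples)
            for name, pred in events.items()}

def decide(policies, M, probs):
    """R |= S iff some allow policy applies and no deny policy applies."""
    applied = {eff for eff, scope, cond in policies if scope(M) and cond(M, probs)}
    return "allow" in applied and "deny" not in applied

def decide_by_mean(M, samples):
    """Deterministic baseline: collapse the posterior to its mean location and
    test box membership with the same two rules."""
    n = len(samples)
    mean = {a: sum(s[a] for s in samples) / n for a in samples[0]}
    allow = M["isMEmployee"] and in_box(mean, BUILDING)
    deny = in_box(mean, RESTRICTED)
    return bool(allow and not deny)

def evaluate(M, mean, sd, n=2000, seed=2024):
    """Return (estimated probabilities, PAPL decision, mean-location decision)."""
    rng = random.Random(seed)
    samples = gaussian_samples(rng, mean, sd, n)
    probs = estimate_probabilities(EVENTS, M, samples)
    return probs, decide(POLICIES, M, probs), decide_by_mean(M, samples)

if __name__ == "__main__":
    alice = {"principal": 0, "action": 1, "resource": 2, "isMEmployee": True}
    centre = {"x": 0.5, "y": 0.5, "z": 0.5}
    cases = [("tight posterior", centre, 0.05),
             ("wide posterior, same mean", centre, 1.0),
             ("near restricted office", {"x": 0.75, "y": 0.75, "z": 0.75}, 0.1)]
    for label, mean, sd in cases:
        probs, papl, baseline = evaluate(alice, mean, sd)
        rounded = {k: round(v, 3) for k, v in probs.items()}
        print(f"{label:28s} probs={rounded} PAPL={papl} mean-location={baseline}")
```

The second and third cases are the ones the text argues about: the wide posterior has the same mean as the tight one, so the mean-location rule allows both, while the PAPL allow rule does not apply once Pr[in_building] falls below 0.7; near the restricted office the mean lies just outside the slab, so the baseline allows, whereas Pr[in_restricted] exceeds 0.2 and the deny policy applies. Both differences are in the direction of fewer false positives, which is what Fig. 4 reports.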
Results. The overall accuracies for deciding access rights on the test set are high for both the PAPL policies (0.9778 for task 1, 0.9681 for task 2) and the deterministic policies (0.9787 for task 1, 0.9787 for task 2). We then focus on comparing the number of "false positives". For task 1, an FP is a user location that is actually outside the allowing BB but is predicted to be inside it and is thus allowed by the access control system. For task 2, an FP is a user location that is actually inside the denying BB but is predicted to be outside it and is thus allowed by the system. The comparison of PAPL policies versus deterministic policies is shown in Fig. 4. The results show that, compared to a deterministic policy language, PAPL leads to more robust access control without sacrificing usability, i.e., it reduces FPs while maintaining the overall accuracy of its decisions.
Latency in Making Access Decisions. We have observed that the current implementation of the access control system, running on a laptop, needs up to a few seconds to evaluate an access request, which is inadequate for real-time access control. The main latency bottleneck lies in the NumPyro programs that perform BNN inference and sampling to estimate the probabilities of random events. We have not attempted to optimize the current proof-of-concept implementation for inference speed, and we conjecture that this overhead could be reduced by running on customized hardware accelerators and by batch-processing access requests.
Scalability for Automated Reasoning. To demonstrate the scalability of the LIRA encoding procedure presented in Sect. 3 for reasoning about location policies, we create two PAPL policies that involve a variable number of BBs and record the time needed to prove relative permissiveness between them. Each policy is an allow policy containing a disjunction of bounding boxes. For "structured" comparisons, we generate the BBs and the policies such that one policy is guaranteed to be less permissive than the other. For "random" comparisons, we generate random BBs. The scaling of the average running time across 10 executions is shown in Fig. 5. It shows that the procedure usually finishes in a few minutes for policies involving up to a few thousand BBs on a MacBook Pro with an M1 Pro processor.
4.2 Case Study: Administering Deny-Lists for Machine Learning Based Access Control
For the second case study, we consider a problem of access control policy administration, in particular implementing a deny-list in a machine learning based access control (MLBAC) system. Specifically, an MLBAC system is already running, and we would like to change the access control rules so that certain accesses are denied when new requests are received. This problem has been studied in the literature [43], where ML based methods are proposed to fulfill the requirement. The key research question is RQ: Can PAPL policies help reduce the number of mistakes made by MLBAC when implementing a deny-list?
Dataset and Preparation. We use the Amazon employee access challenge dataset [29] from Kaggle for this case study. The task is to use eight features (encoded as integers) to predict whether an Amazon employee should be granted access to some resource, and models are evaluated by the AUC score, i.e., the area under the receiver operating characteristic (ROC) curve. We first divide the available data into training and test sets. Since the integer features originally represent categorical variables, we apply target encoding to the training and test data. The dataset is highly imbalanced: the number of allowed accesses is much larger than the number of denied accesses, which might bias the ML models towards predicting accesses as allowed. We therefore also perform random oversampling on the training data.
Experiments. For the three experiments, we inject three synthetic deny-lists on top of the original dataset. Each deny-list is a predicate over the attributes, for example the first deny-list can be written as
where role_family, role_rollup_1, and role_rollup_2 are three features of access requests. A request is allowed only if it was allowed in the original dataset and is not covered by the synthetic deny-list. Our main goal for this policy administration task is to enforce the deny-list, i.e., deny access requests that conform to the injected deny rules, but we also observe how the system performs on the entire modified dataset. We implemented a random forest classifier and a BNN that predicts the allow probability for binary classification; based on these we considered four access control systems, each trained from scratch for each experiment. In the following, RF refers to the random forest classifier baseline considered by previous MLBAC work [43]. PAPL refers to a PAPL policy that first checks the access request against a symbolic deny rule implementing the deny-list. If the request is not governed by that rule, the system allows it only when the empirical frequency, among all BNN samples, of a predicted allow probability above 0.5 is greater than 0.8.
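The following is an added example, not the paper's code, showing the composition just described: a symbolic deny rule is evaluated first and is decisive whenever it matches; only requests it does not govern are decided by the sampled BNN allow probabilities, using the 0.5 sample cutoff and 0.8 frequency threshold named above. The deny-list entries, attribute values, requests and per-sample probabilities below are constructed for illustration and do not reproduce the paper's injected deny-lists; the BNN itself is replaced by a caller-supplied list of per-sample allow probabilities (an assumption made so the example runs offline). The evaluation helper also implements the ground-truth rule stated above (allowed in the original data and not on the deny-list) and counts FPs and FNs, contrasting the PAPL decision with a purely probabilistic decision that lacks the symbolic rule.

```python
"""Deny-list-first PAPL decision over sampled BNN allow probabilities.

Added example; not the paper's code. Deny-list entries, requests and sampled
probabilities are constructed for illustration.
"""
from typing import Callable, Dict, List, Sequence, Tuple

Request = Dict[str, int]

# Illustrative deny-list (assumption): each entry is a conjunction of
# attribute = value tests; a request is governed by the deny-list if it
# satisfies any entry. Attribute names follow the paper's lowercase spelling.
DENY_LIST: List[Dict[str, int]] = [
    {"role_family": 1, "role_rollup_1": 10},
    {"role_rollup_2": 20},
]


def matches_deny_list(req: Request, deny_list: List[Dict[str, int]] = DENY_LIST) -> bool:
    """Symbolic deny rule: True when some entry's conjunction holds for req."""
    return any(all(req.get(attr) == val for attr, val in entry.items()) for entry in deny_list)


def frequency_above(sampled_allow_probs: Sequence[float], cutoff: float = 0.5) -> float:
    """Empirical frequency of BNN samples whose predicted allow probability exceeds cutoff."""
    return sum(p > cutoff for p in sampled_allow_probs) / len(sampled_allow_probs)


def probabilistic_decide(req: Request, sampled_allow_probs: Sequence[float],
                         cutoff: float = 0.5, threshold: float = 0.8) -> str:
    """BNN-only decision (no symbolic rule): allow when the frequency exceeds threshold."""
    return "allow" if frequency_above(sampled_allow_probs, cutoff) > threshold else "deny"


def papl_decide(req: Request, sampled_allow_probs: Sequence[float],
                cutoff: float = 0.5, threshold: float = 0.8) -> str:
    """PAPL policy: the symbolic deny rule is checked first and is decisive;
    only requests it does not govern are decided by the sampled probabilities."""
    if matches_deny_list(req):
        return "deny"
    return probabilistic_decide(req, sampled_allow_probs, cutoff, threshold)


def ground_truth(req: Request, originally_allowed: bool) -> str:
    """Label of the modified dataset: allowed originally AND not on the deny-list."""
    return "allow" if originally_allowed and not matches_deny_list(req) else "deny"


Decider = Callable[[Request, Sequence[float]], str]


def evaluate(batch: List[Tuple[Request, bool, Sequence[float]]], decide: Decider) -> Tuple[int, int]:
    """Return (FP, FN): FP = allowed but should be denied; FN = denied but should be allowed."""
    fp = fn = 0
    for req, originally_allowed, probs in batch:
        decision, truth = decide(req, probs), ground_truth(req, originally_allowed)
        fp += decision == "allow" and truth == "deny"
        fn += decision == "deny" and truth == "allow"
    return fp, fn


# Constructed batch: (request, originally allowed?, sampled BNN allow probabilities).
LISTED: Request = {"role_family": 1, "role_rollup_1": 10, "role_rollup_2": 99}
UNLISTED: Request = {"role_family": 2, "role_rollup_1": 10, "role_rollup_2": 99}
SAMPLE_BATCH = [
    (LISTED, True, [0.9] * 10),              # model confidently allows; deny-list must win
    (UNLISTED, True, [0.9] * 9 + [0.1]),     # frequency 0.9 > 0.8: allowed
    (UNLISTED, True, [0.6] * 7 + [0.4] * 3), # frequency 0.7 <= 0.8: denied (an FN)
    (UNLISTED, False, [0.2] * 10),           # correctly denied
    (LISTED, False, [0.7] * 10),             # model would allow; deny-list must win
]

if __name__ == "__main__":
    print("PAPL (FP, FN):", evaluate(SAMPLE_BATCH, papl_decide))
    print("BNN only (FP, FN):", evaluate(SAMPLE_BATCH, probabilistic_decide))
```

Because the symbolic rule is evaluated before any sampling, a request on the deny-list can never produce a false positive regardless of how confident the model is, which is the enforcement guarantee the results below rely on; the remaining errors are FNs on requests outside the deny-list, which the 0.8 threshold governs.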
Results. Table 1 shows that, in terms of AUC score for predicting access rights on this dataset, the BNN offers comparable or even better predictions than RF. Table 2 shows that the PAPL-based access control system eliminates all false positives for the injected deny-list, and also for the whole synthetic dataset, at the cost of an increased number of FNs. A fundamental advantage of the PAPL-based system over RF is that the deny-list is guaranteed to be enforced correctly on all access requests. Also, as mentioned in the previous case study, the probability thresholds in the policies can be adjusted to balance FPs and FNs in an interpretable way within the framework provided by PAPL.
5 Related Work
Reasoning About Policies. Automated reasoning about policies encodes policies as SMT formulas and then invokes an SMT solver such as Z3 [20] to prove properties of the policies [10, 22, 28, 32, 52]. Our work extends this scheme by presenting a way of encoding clauses involving probabilities into LIRA formulas.
Machine Learning for Access Control. In addition to traditional access control schemes, an alternative is to use machine learning to make access decisions [14, 18, 33, 35, 37, 43, 44]. The survey [42] offers a more comprehensive overview of this subject. The PAPL language extends existing MLBAC work by allowing policy writers to refer to the uncertainty in the ML predictions. Furthermore, PAPL allows ML models to be combined with traditional access policies, which is difficult to achieve in existing MLBAC methods.
Probabilistic Machine Learning. In certain application domains, it is important to capture uncertainty in ML predictions [39]. Our work provides a method for using uncertainty in the particular domain of MLBAC, where knowledge about the uncertainty of the ML models can be crucial for making more robust decisions. Within the realm of probabilistic/Bayesian ML, it has been shown that Bayesian neural networks [27, 40] can effectively accumulate domain knowledge (from similar tasks) in their priors to yield good uncertainty estimates [36], and that they produce more robust predictions on out-of-distribution data [40], making them a good candidate model for access control systems based on PAPL.
Probability and Programming. Research on probabilistic programming languages (PPLs) [8, 12, 13, 21, 45, 48] aims to bring probabilistic reasoning together with general-purpose programming paradigms. In particular, [13] presents a programming abstraction for representing and using uncertainty. In general, a PPL provides ways to specify probabilistic models, perform inference, and compute probabilities. Our work provides a scheme to compute and reason about probabilities in the context of access control, utilizing the capabilities of the existing PPL NumPyro [12].
Access Control. Location-based [6, 7, 17, 30], risk-based [16, 35], and context-aware [31, 47, 50] access control paradigms involve uncertain information and are useful in different application domains, including augmented reality (AR) devices and applications. PAPL could be used to implement these paradigms as long as the uncertain information involved in access control can be expressed as probabilities of random events.
Notes
- 1.
Consider two independent random events A and B where \(\Pr [A] = p\) and \(\Pr [B] = q\). Then \(\Pr [A \cap B] = pq\).
- 2.
Notice that in the current design, arrays can only be used to supply a feature vector as input to the probabilistic ML models to compute the posterior probability distribution. Other parts of the policy cannot refer to the arrays or their elements.
- 3.
The access control system defines the names and types of deterministic and random variables that are used consistently in both access requests and access policies.
- 4.
Syntax of random events in the policies actually does not distinguish between deterministic versus random variables.
References
Another misconfigured amazon s3 server leaks data of 50,000 Australian employees. https://www.scmagazine.com/news/breach/another-misconfigured-amazon-s3-server-leaks-data-of-50000-australian-employees
Cedar Language. https://www.cedarpolicy.com/en
Cloud leak: WSJ parent company dow jones exposed customer data | UpGuard. https://www.upguard.com/breaches/cloud-leak-dow-jones
eXtensible access control markup language (XACML) version 3.0 p. 154. https://www.oasis-open.org/standard/xacmlv3-0
Akter, T., Dosono, B., Ahmed, T., Kapadia, A., Semaan, B.: “i am uncomfortable sharing what i can’t see”: privacy concerns of the visually impaired with camera based assistive applications, pp. 1929–1948. https://www.usenix.org/conference/usenixsecurity20/presentation/akter
Ardagna, C., Cremonini, M., di Vimercati, S.D.C., Samarati, P.: Privacy-enhanced location-based access control. In: Gertz, M., Jajodia, S. (eds.) Handbook of Database Security, pp. 531–552. Springer, Boston (2022). https://doi.org/10.1007/978-0-387-48533-1_22
Ardagna, C.A., Cremonini, M., Damiani, E., di Vimercati, S.D.C., Samarati, P.: Supporting location-based conditions in access control policies. In: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security - ASIACCS ’06. p. 212. ACM Press (2006). https://doi.org/10.1145/1128817.1128850
Bach, S.H., Broecheler, M., Huang, B., Getoor, L.: Hinge-loss Markov random fields and probabilistic soft logic. J. Mach. Learn. Res. 18(1), 3846–3912 (2017)
Backes, J., et al.: Stratified abstraction of access control policies. In: Lahiri, S.K., Wang, C. (eds.) CAV 2020. LNCS, vol. 12224, pp. 165–176. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-53288-8_9
Backes, J., et al.: Semantic-based automated reasoning for AWS access policies using SMT. In: 2018 Formal Methods in Computer Aided Design (FMCAD), pp. 1–9 (2018). https://doi.org/10.23919/FMCAD.2018.8602994
Bauer, L., Cranor, L.F., Reeder, R.W., Reiter, M.K., Vaniea, K.: Real life challenges in access-control management. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. CHI ’09, pp. 899–908. Association for Computing Machinery (2009). https://doi.org/10.1145/1518701.1518838
Hamner, B., Kenmonta, Cukierski, W.: Amazon.com - employee access challenge (2013). https://kaggle.com/competitions/amazon-employee-access-challenge
Bingham, E., et al.: Pyro: deep universal probabilistic programming (2018). https://arxiv.org/abs/1810.09538v1
Bornholt, J., Mytkowicz, T., McKinley, K.S.: Uncertain\(<\)t\(>\): a first-order type for uncertain data. In: Proceedings of the 19th International Conference on Architectural Support for Programming Languages and Operating Systems. ASPLOS ’14, pp. 51–66. Association for Computing Machinery (2014). https://doi.org/10.1145/2541940.2541958
Cappelletti, L., Valtolina, S., Valentini, G., Mesiti, M., Bertino, E.: On the quality of classification models for inferring ABAC policies from access logs. In: 2019 IEEE International Conference on Big Data (Big Data), pp. 4000–4007 (2019). https://doi.org/10.1109/BigData47090.2019.9005959
Chen, S., Li, Z., Dangelo, F., Gao, C., Fu, X.: A case study of security and privacy threats from augmented reality (AR). In: 2018 International Conference on Computing, Networking and Communications (ICNC), pp. 442–446 (2018). https://doi.org/10.1109/ICCNC.2018.8390291
Cheng, P.C., Rohatgi, P., Keser, C., Karger, P.A., Wagner, G.M., Reninger, A.S.: Fuzzy multi-level security: an experiment on quantified risk-adaptive access control. In: 2007 IEEE Symposium on Security and Privacy (SP ’07), pp. 222–230 (2007). https://doi.org/10.1109/SP.2007.21, ISSN: 2375-1207
Cleeff, A.v., Pieters, W., Wieringa, R.: Benefits of location-based access control: a literature study. In: 2010 IEEE/ACM International Conference on Green Computing and Communications & Int’l Conference on Cyber, Physical and Social Computing, pp. 739–746 (2010). https://doi.org/10.1109/GreenCom-CPSCom.2010.148
Das, S., Mitra, B., Atluri, V., Vaidya, J., Sural, S.: Policy engineering in RBAC and ABAC. In: Samarati, P., Ray, I., Ray, I. (eds.) From Database to Cyber Security. LNCS, vol. 11170, pp. 24–54. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-04834-1_2
De Guzman, J.A., Thilakarathna, K., Seneviratne, A.: Security and privacy approaches in mixed reality: a literature survey 52(6), 110:1–110:37. https://doi.org/10.1145/3359626
De Raedt, L., Kimmig, A., Toivonen, H.: ProbLog: a probabilistic prolog and its application in link discovery. In: Proceedings of the 20th International Joint Conference on Artificial Intelligence. IJCAI’07, San Francisco, CA, USA, pp. 2468–2473. Morgan Kaufmann Publishers Inc. (2007)
Eiers, W., Sankaran, G., Li, A., O’Mahony, E., Prince, B., Bultan, T.: Quantifying permissiveness of access control policies. In: Proceedings of the 44th International Conference on Software Engineering. ICSE ’22, pp. 1805–1817. Association for Computing Machinery (2022). https://doi.org/10.1145/3510003.3510233
Frank, M., Basin, D., Buhmann, J.M.: A class of probabilistic models for role engineering. In: Proceedings of the 15th ACM conference on Computer and communications security. CCS ’08, pp. 299–310. Association for Computing Machinery (2008). https://doi.org/10.1145/1455770.1455809
Garcez, A.D., et al.: Neural-symbolic learning and reasoning: a survey and interpretation. Neuro-Symbolic Artif. Intell. State Art 342(1), 327 (2022)
Garcez, A.D., Lamb, L.C.: Neurosymbolic AI: the 3rd wave. Artif. Intell. Rev. 56(11), 12387–12406 (2023). https://doi.org/10.1007/s10462-023-10448-w
Getoor, L., Taskar, B.: Introduction to Statistical Relational Learning. MIT Press, Cambridge (2007)
Goan, E., Fookes, C.: Bayesian neural networks: an introduction and survey. In: Mengersen, K.L., Pudlo, P., Robert, C.P. (eds.) Case Studies in Applied Bayesian Data Science. LNM, vol. 2259, pp. 45–87. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-42553-1_3
Guelev, D.P., Ryan, M., Schobbens, P.Y.: Model-checking access control policies. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 219–230. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30144-8_19
He, W., Golla, M., Padhi, R., Ofek, J., Dürmuth, M., Fernandes, E., Ur, B.: Rethinking access control and authentication for the home internet of things. In: 27th USENIX Security Symposium (USENIX Security 18), pp. 255–272 (2018)
Jana, S., et al.: Enabling fine-grained permissions for augmented reality applications with recognizers. In: Proceedings of the 22nd USENIX Conference on Security. SEC’13, pp. 415–430. USENIX Association (2013)
Jeffrey, A., Samak, T.: Model checking firewall policy configurations. In: 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, pp. 60–67. https://doi.org/10.1109/POLICY.2009.32
Karimi, L., Abdelhakim, M., Joshi, J.: Adaptive ABAC policy learning: a reinforcement learning approach (2021). https://doi.org/10.48550/arXiv.2105.08587
Kolmogoroff, A.: Grundbegriffe der wahrscheinlichkeitsrechnung (1933)
Krautsevich, L., Lazouski, A., Martinelli, F., Yautsiukhin, A.: Towards attribute-based access control policy engineering using risk. In: Bauer, T., Großmann, J., Seehusen, F., Stølen, K., Wendland, M.-F. (eds.) RISK 2013. LNCS, vol. 8418, pp. 80–90. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-07076-6_6
Lacoste, A., Oreshkin, B., Chung, W., Boquet, T., Rostamzadeh, N., Krueger, D.: Uncertainty in multitask transfer learning. arXiv preprint arXiv:1806.07528 (2018)
Liu, A., Du, X., Wang, N.: Efficient access control permission decision engine based on machine learning. Secur. Commun. Networks 2021, e3970485 (2021). https://doi.org/10.1155/2021/3970485
Liu, J.S.: Peskun's theorem and a modified discrete-state Gibbs sampler. Biometrika 83(3), 681–682 (1996). https://doi.org/10.1093/biomet/83.3.681
de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24
Murphy, K.P.: Probabilistic Machine Learning: An Introduction. MIT Press, Cambridge (2022)
Murphy, K.P.: Probabilistic Machine Learning: Advanced Topics. MIT Press, Cambridge (2023)
Newcombe, R.A., Lovegrove, S.J., Davison, A.J.: DTAM: dense tracking and mapping in real-time. In: Proceedings of the 2011 International Conference on Computer Vision. ICCV ’11, USA, pp. 2320–2327. IEEE Computer Society (2011). https://doi.org/10.1109/ICCV.2011.6126513
Nobi, M.N., Gupta, M., Praharaj, L., Abdelsalam, M., Krishnan, R., Sandhu, R.: Machine Learning in Access Control: A Taxonomy and Survey (2022). https://doi.org/10.48550/arXiv.2207.01739
Nobi, M.N., Krishnan, R., Huang, Y., Sandhu, R.: Administration of machine learning based access control. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds.) Computer Security – ESORICS 2022. LNCS, vol. 13555, pp. 189–210. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-17146-8_10
Nobi, M.N., Krishnan, R., Huang, Y., Shakarami, M., Sandhu, R.: Toward deep learning based access control. In: Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy.. CODASPY ’22, pp. 143–154 Association for Computing Machinery (2022). https://doi.org/10.1145/3508398.3511497
Phan, D., Pradhan, N., Jankowiak, M.: Composable effects for flexible and accelerated probabilistic programming in NumPyro (2019). https://doi.org/10.48550/arXiv.1912.11554
Roesner, F., Kohno, T., Molnar, D.: Security and privacy for augmented reality systems. Commun. ACM 57(4), 88–96 (2014). https://doi.org/10.1145/2580723.2580730
Roesner, F., Molnar, D., Moshchuk, A., Kohno, T., Wang, H.J.: World-driven access control for continuous sensing. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. CCS ’14, pp. 1169–1181. Association for Computing Machinery (2014). https://doi.org/10.1145/2660267.2660319, event-place: New York, NY, USA
Saad, F.A., Rinard, M.C., Mansinghka, V.K.: SPPL: probabilistic programming with fast exact symbolic inference. In: Proceedings of the 42nd ACM SIGPLAN International Conference on Programming Language Design and Implementation. PLDI 2021, pp. 804–819. Association for Computing Machinery (2021). https://doi.org/10.1145/3453483.3454078
Sinclair, S., Smith, S.W.: Preventative directions for insider threat mitigation via access control. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds.) Insider Attack and Cyber Security: Beyond the Hacker. AIC, pp. 165–194. Springer, Boston (2008). https://doi.org/10.1007/978-0-387-77322-3_10
Templeman, R., Korayem, M., Crandall, D., Kapadia, A.: PlaceAvoider: Steering first-person cameras away from sensitive spaces. In: Proceedings 2014 Network and Distributed System Security Symposium. Internet Society (2014). https://doi.org/10.14722/ndss.2014.23014, https://www.ndss-symposium.org/ndss2014/programme/placeavoider-steering-first-person-cameras-away-sensitive-spaces/, event-place: San Diego, CA
Torres-Sospedra, J., et al.: UJIIndoorLoc: a new multi-building and multi-floor database for WLAN fingerprint-based indoor localization problems. In: 2014 International Conference on Indoor Positioning and Indoor Navigation (IPIN), pp. 261–270 (2014). https://doi.org/10.1109/IPIN.2014.7275492
Turkmen, F., den Hartog, J., Ranise, S., Zannone, N.: Analysis of XACML policies with SMT. In: Focardi, R., Myers, A. (eds.) POST 2015. LNCS, vol. 9036, pp. 115–134. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46666-7_7
Zhou, G.: Mixed Hamiltonian Monte Carlo for mixed discrete and continuous variables (2020)
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2024 The Author(s)
Zhu, S., Zhang, Y. (2024). Probabilistic Access Policies with Automated Reasoning Support. In: Gurfinkel, A., Ganesh, V. (eds) Computer Aided Verification. CAV 2024. Lecture Notes in Computer Science, vol 14683. Springer, Cham. https://doi.org/10.1007/978-3-031-65633-0_20
DOI: https://doi.org/10.1007/978-3-031-65633-0_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-65632-3
Online ISBN: 978-3-031-65633-0