Abstract
In this paper we present Vac, an automatic tool for verifying security properties of administrative Role-based Access Control (RBAC). RBAC has become an increasingly popular access control model, particularly suitable for large organizations, and it is implemented in several software systems. Automatic security analysis of administrative RBAC systems is recognized as an important problem, as an analysis tool can help designers check whether their policies meet expected security properties. Vac converts administrative RBAC policies to imperative programs that simulate the policies both precisely and abstractly, and supports several automatic verification back-ends to analyze the resulting programs. In this paper, we describe the architecture of Vac and give an overview of the analysis techniques that have been implemented in the tool. We also report on experiments with several benchmarks from the literature.
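As an added illustration (not code from the paper or from Vac), the following Python example simulates a small constructed administrative RBAC policy as an imperative transition system and searches it exhaustively for a state that violates a separation-of-duty property. The rule format (assign/revoke rules with positive and negative preconditions), the role names, and the breadth-first search standing in for a verification back-end are assumptions of this example.

```python
from collections import deque
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    kind: str                      # "assign" or "revoke"
    admin: str                     # role the acting administrator must hold
    target: str                    # role granted to / removed from the user
    pos: frozenset = frozenset()   # roles the user must already hold
    neg: frozenset = frozenset()   # roles the user must not hold

def step(state: frozenset, rule: Rule, admin_roles: set) -> Optional[frozenset]:
    """Apply one administrative action; None if the rule is not enabled."""
    if rule.admin not in admin_roles:
        return None
    if rule.kind == "revoke":
        return state - {rule.target}
    if rule.pos <= state and not (rule.neg & state):
        return state | {rule.target}
    return None

def find_violation(rules, initial, goal, admin_roles):
    """Shortest action list after which the user holds all of `goal`, or None."""
    start, goal = frozenset(initial), frozenset(goal)
    seen, queue = {start}, deque([(start, [])])
    while queue:
        state, trace = queue.popleft()
        if goal <= state:
            return trace
        for rule in rules:
            nxt = step(state, rule, admin_roles)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [f"{rule.kind} {rule.target}"]))
    return None

# Constructed policy: Auditor and ProdAdmin are meant to be mutually exclusive.
ADMINS = {"Manager", "HR"}
WEAK = [
    Rule("assign", "Manager", "Developer", pos=frozenset({"Employee"})),
    Rule("assign", "HR", "Auditor", pos=frozenset({"Employee"}), neg=frozenset({"Developer"})),
    Rule("assign", "Manager", "ProdAdmin", pos=frozenset({"Developer"}), neg=frozenset({"Auditor"})),
    Rule("revoke", "Manager", "Developer"),
]
# Corrected policy: the Auditor rule excludes ProdAdmin directly.
FIXED = [r._replace(neg=r.neg | {"ProdAdmin"}) if r.target == "Auditor" else r for r in WEAK]

if __name__ == "__main__":
    print(find_violation(WEAK, {"Employee"}, {"Auditor", "ProdAdmin"}, ADMINS))
    print(find_violation(FIXED, {"Employee"}, {"Auditor", "ProdAdmin"}, ADMINS))
```

In the weak policy the Auditor rule excludes only Developer, so revoking Developer after ProdAdmin has been granted re-enables it; the search returns that four-step witness, and returns nothing for the corrected policy.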
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Ferrara, A.L., Madhusudan, P., Nguyen, T.L., Parlato, G. (2014). Vac - Verifier of Administrative Role-Based Access Control Policies. In: Biere, A., Bloem, R. (eds) Computer Aided Verification. CAV 2014. Lecture Notes in Computer Science, vol 8559. Springer, Cham. https://doi.org/10.1007/978-3-319-08867-9_12
DOI: https://doi.org/10.1007/978-3-319-08867-9_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-08866-2
Online ISBN: 978-3-319-08867-9
eBook Packages: Computer Science (R0)