Vac - Verifier of Administrative Role-Based Access Control Policies

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNTCS, volume 8559)

Abstract

In this paper we present Vac, an automatic tool for verifying security properties of administrative Role-based Access Control (RBAC). RBAC has become an increasingly popular access control model, particularly suitable for large organizations, and it is implemented in several software systems. Automatic security analysis of administrative RBAC systems is recognized as an important problem, as an analysis tool can help designers check whether their policies meet expected security properties. Vac converts administrative RBAC policies to imperative programs that simulate the policies both precisely and abstractly and supports several automatic verification back-ends to analyze the resulting programs. In this paper, we describe the architecture of Vac and overview the analysis techniques that have been implemented in the tool. We also report on experiments with several benchmarks from the literature.

Keywords

  • Access Control
  • Model Checker
  • Horn Clause
  • Input Format
  • Access Control Model

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Ferrara, A.L., Madhusudan, P., Nguyen, T.L., Parlato, G. (2014). Vac - Verifier of Administrative Role-Based Access Control Policies. In: Biere, A., Bloem, R. (eds) Computer Aided Verification. CAV 2014. Lecture Notes in Computer Science, vol 8559. Springer, Cham. https://doi.org/10.1007/978-3-319-08867-9_12

  • DOI: https://doi.org/10.1007/978-3-319-08867-9_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-08866-2

  • Online ISBN: 978-3-319-08867-9

  • eBook Packages: Computer Science, Computer Science (R0)