
Efficient automated security analysis of complex authorization policies


DOCUMENT INFORMATION

PhD Dissertation
International Doctorate School in Information and Communication Technologies
DISI - University of Trento

Efficient Automated Security Analysis of Complex Authorization Policies

Anh Tuan Truong

Advisors: Dr. Silvio Ranise and Prof. Alessandro Armando
Security and Trust Unit, FBK-Irst, Trento, Italia

March 2015

Committee Members:
Professor Pierangela Samarati, Department of Computer Science, University of Milano, Italia, pierangela.samarati@unimi.it
Professor Luca Viganò, Department of Informatics, King's College London, United Kingdom, luca.vigano@kcl.ac.uk
Professor Armando Tacchella, DIBRIS Department, University of Genoa, Italia, armando.tacchella@unige.it

Abstract

Access Control is becoming increasingly important for today's ubiquitous systems. Sophisticated security requirements need to be ensured by authorization policies for increasingly complex and large applications. As a consequence, designers need to understand such policies and ensure that they meet the desired security constraints, while administrators must also maintain them so as to comply with the evolving needs of systems and applications. These tasks are greatly complicated by the expressiveness and the dimensions of the authorization policies. It is thus necessary to provide policy designers and administrators with automated analysis techniques that are capable of foreseeing if, and under what conditions, security properties may be violated. For example, some analysis techniques have already been proposed in the literature for Role-Based Access Control (RBAC) policies. RBAC is a security model for access control that has been widely adopted in real-world applications. Although RBAC simplifies the design and management of policies, modifications of RBAC policies in complex organizations are difficult and error-prone activities due to the limited expressiveness of the basic RBAC model. For this reason, RBAC has been extended in several directions to accommodate various needs arising in the real world, such as Administrative RBAC (ARBAC) and Temporal RBAC (TRBAC).

This Dissertation presents our research efforts to find the best trade-off between scalability and expressiveness for the design and benchmarking of analysis techniques for authorization policies. We review the state of the art of automated analysis for authorization policies, identify limitations of available techniques and then describe our approach, which is based on recently developed symbolic model checking techniques built on Satisfiability Modulo Theories (SMT) solving (for expressiveness) and carefully tuned heuristics (for scalability). In particular, we present the implementation of the techniques for the automated analysis of ARBAC and ATRBAC policies and discuss extensive experiments showing that the proposed approach is superior to other state-of-the-art analysis techniques. Finally, we discuss directions for extensions.

Keywords: Access Control, Administration, Temporal Access Control, Automated Analysis, Safety Analysis, Security Analysis Problems, Model Checking, Heuristics to Avoid the State Space Explosion Problem

Acknowledgment

Many other people contributed to this Dissertation. First of all, I would like to express my special appreciation and thanks to my beloved advisors, Dr. Silvio Ranise and Professor Alessandro Armando, for everything you have done for me. Indeed, words cannot express enough how much thanks I want to send to you. I cannot imagine what my PhD research would have been without your encouragement, support, advice, and patience. Honestly, I was very lucky to meet and research under your supervision. I would also like to thank Professor Pierangela Samarati, Professor Luca Viganò, and Professor Armando Tacchella for accepting to be my PhD Committee members. I really appreciate the brilliant comments and great encouragement you gave me during the defense. Also, I want to thank you for letting my defense be an enjoyable discussion and one of the happiest moments in my life. The good results in this Dissertation could not have been obtained without great support from all my colleagues at the Security & Trust unit, Fondazione Bruno Kessler (FBK): Roberto, Clara, Laura, Riccardo, Annibale, Luca, Eliana, Matteo, Hari, Alessio, Avinash, Nadia, Daniel, Giada, Mojtaba, Stanislav, Federico, Eyasu, Harendra, Fatih and many former members of the unit. Thank you all for creating the motivating working environment and friendly community at the unit. One of the main contributions of this Dissertation was made during my visit to King's College London, United Kingdom, and joint work with Professor Luca Viganò. Thank you for your guidance, valuable advice, and friendliness. I also want to thank Davide Guardini and Michele Peroli for making my stay in the UK enjoyable. I also want to thank a lot of wonderful friends from Vietnam and other countries around the world (I cannot mention all of them here!). We had a lot of parties, discussions, and travel together. These made me feel happy and balanced my work and life. Lastly, this Dissertation is dedicated to my family: my grandfathers, grandmothers, my father, mother, sisters and brothers. Words cannot express how grateful I am to you all. Thank you for your trust in me, your prayers for my life, and your time whenever I need it. Thank you all very much.

Anh Tuan Truong
Trento, March 2015

8.5 Experiments

... rules of administrative actions, and a given number of time slots TS (the triples Roles/Rules/TS shown on the x-axis of the plots). The two plots clearly show the superiority of the last security mapping, namely τH2M, over the other two. It is also clear that τH2F is the least scalable of the three. The reason is the reduced number of administrative actions generated by τH2M in comparison with τH2F. On the benchmarks in the Hospital class, the number of actions generated by τH2M is between 1.2 and 2.1 times the number of actions in the original policy, while those generated by τH2F are between 2.3 and 63.1 times. On the benchmarks in the University class, the gap is even wider, with the number of actions generated by τH2M between 1.4 and 1.7 times the number of actions in the original policy and those generated by τH2F between 3.8 and 56.3 times. The better behavior of τH2M over τH2L is instead due to the fact that the former generates actions whose effect combines those of several actions generated by the latter, as explained in Section 8.4.3.

Figure 8.2 shows the behavior of asaspTIME using the three security mappings when the depth of the temporal role hierarchy increases. For this experiment, we picked one test problem from the benchmark considered above and added randomly generated temporal hierarchies of increasing depth, from 50 to 500. For each value of the depth |TRH| of the temporal role hierarchy, we generated 15 different temporal role hierarchies and added them to the policy. The average time (in seconds) taken to solve each resulting problem is plotted in Figure 8.2. The blue diamond line reports the behavior of τH2F, the green squares line identifies the performance of τH2L, and the violet triangles line is the behavior of τH2M. Again, τH2M performs much better than the other two and seems to have a linear (rather than an exponential) growth.

Figure 8.2: Behavior for increasing the depth of TRH

We conclude by observing that, to the best of our knowledge, it is not possible to perform a comparison with any other tool, since temporal role hierarchies are not supported. Even the approach described in [64], which is more general than the one presented in this paper given its dynamic role hierarchies, has not been implemented yet.

8.6 Conclusions

We have defined three mappings τH2F, τH2L, and τH2M that transform security analysis problems in the presence of static temporal role hierarchies into problems without them. We have shown the application of the mappings to automated policy analysis and implemented them in the tool asaspTIME. The experimental evaluation shows the superiority of τH2M over τH2F and τH2L, since it allows for the generation of problems with smaller state spaces. To the best of our knowledge, asaspTIME is the first tool capable of reasoning in the presence of temporal role hierarchies.

Chapter 9 Conclusions and Extensions

This Dissertation presents our research effort in developing automated techniques for the security analysis of access control policies, focusing especially on RBAC policies and their extensions with administration and temporal constraints. In particular, we have described a general technique for solving the user-role reachability problems of ARBAC and ATRBAC policies that uses the Bernays-Schönfinkel-Ramsey fragment to symbolically represent the problems and a symbolic backward reachability procedure to solve them. The proposed analysis techniques give us many advantages with respect to available solutions, such as supporting the analysis of: policies with a finite but unknown number of users; policies with no separate administration assumption; and policies with no restriction on the cardinality of the administrative precondition of actions. These are currently the most stringent restrictions imposed by all available analysis techniques. We have extended our technique by providing an incremental version of the symbolic procedure that is efficient for the analysis of security problems in which the set of administrative actions tends to evolve over time. We also performed exhaustive experiments, reported in an earlier chapter, to compare our incremental technique with the only other available technique [23] supporting the analysis of such an important problem. The experiments confirm the superiority of our technique over the technique in [23]. We have also integrated a set of heuristics into the analysis techniques to alleviate the state space explosion problem. These heuristics are crucial for scalability and allow us to consider a sub-problem, which is a substantial subset of the original one, during the analysis without losing precision.

The security analysis of policies with temporal role hierarchies is also an important problem that is considered in the Dissertation. We have introduced three strategies with the main aim of reducing the problem containing policies with hierarchies to (a set of) problems without them. By this approach, we are able to reuse (with little modification) available analysis techniques proposed to solve the problem without hierarchies. We have implemented the analysis techniques and conducted an extensive experimental analysis of their performance. The experiments confirm the scalability and better behavior of our approach in comparison with state-of-the-art approaches in the security analysis area.

As a remark, we would like to point out the problem of finding adequate benchmark sets, which we have faced several times in our efforts to design safety analysis techniques in access control. As in much other research in the literature (see, e.g., [59, 30, 19]), the evaluation is based on benchmarks derived from synthetic policies. In many cases, these are generated by identifying a realistic policy (e.g., for a bank or a hospital) together with some parameters that can be increased so that larger and larger instances of the same policy can be generated. Indeed, the goal is to evaluate the scalability of the proposed techniques. Unfortunately, the significance of the experimental results obtained in this way is debatable. The results reported in this Dissertation suffer from the same problem. We believe that a community effort is needed to build up a common database of benchmarks, derived from real-world policies, that can be used to evaluate and compare old and new analysis techniques. Similar initiatives in other fields (e.g., SAT/SMT solving (http://www.satlive.org and http://www.smtlib.org), Planning (http://ipc.icaps-conference.org), and Verification (http://sv-comp.sosy-lab.org/2014)) have greatly contributed to their advance. We believe this is a great opportunity also for increasing the impact of the safety analysis of access control policies in security. We hope that these remarks will stimulate further discussion and work in the community.

9.1 Future Works

An interesting line of research for future work is to consider the combination of backward and forward reachability procedures to speed up the analysis. To this end, we will design a new forward reachability procedure that computes the set of reachable states from the initial state (note that we do not require the forward procedure to terminate). We then use two parallel threads/processes for the backward and forward procedures: each process produces a set of reachable states (represented by a BSR formula). Another process is needed to read the formulae and use an SMT solver to check the satisfiability of the conjunction of the formulae. The technique terminates when: (i) the intersection of the sets of backward and forward states is not empty, in which case we say that the goal state is reachable; otherwise, (ii) the algorithm terminates when the backward reachability reaches its fix-point.

A study on how to incorporate in our approach the notion of dynamic temporal role hierarchies, in which the structure of role hierarchies is changed by administrative actions [64], could be another future work. A challenge for our analysis techniques, which use a decidable fragment of first-order logic for the symbolic representation of policies, is the representation of the transitivity of role hierarchies (i.e., a senior role of a role is also a senior role of all its junior roles), which must be considered carefully.

Finally, considering the analysis of spatial and spatio-temporal access control policies is also interesting future work. As seen throughout the Dissertation, we have successfully extended our approach to the analysis of temporal policies. We strongly believe that our approach can also be extended to the analysis of spatial policies in a similar way, because the location attribute in spatial models can be treated in a similar way as the time attribute in temporal models (see, e.g., [60, 15]). The combination of time and space attributes raises a new challenge for our analysis techniques. In this case, the idea of dividing the problem with temporal and spatial attributes into a set of sub-problems in which only the temporal or the spatial attribute is considered separately should be carefully examined.

Bibliography

[1] Coloured Petri Nets, http://www.daimi.au.dk/designCPN/
[2] ML Language, http://www.lfcs.inf.ed.ac.uk/software/ML/
[3] UPPAAL Tool, http://www.uppaal.org/
[4] Z3, http://research.microsoft.com/en-us/um/redmond/projects/z3
[5] A. Biere, A. Cimatti, E. M. Clarke, O. Strichman, and Y. Zhu. Bounded Model Checking. Advances in Computers, 58:117–148, 2003.
[6] F. Alberti, A. Armando, and S. Ranise. ASASP: Automated Symbolic Analysis of Security Policies. In CADE, volume 6803 of LNCS, pages 26–34. Springer, 2011.
[7] F. Alberti, A. Armando, and S. Ranise. Efficient Symbolic Automated Analysis of Administrative Role Based Access Control Policies. In ASIACCS, pages 165–175. ACM Press, 2011.
[8] R. Alur and D. Dill. A Theory of Timed Automata. Theoretical Computer Science, 126:183–285, 1994.
[9] P. Ammann, R. Lipton, and R. Sandhu. The Expressive Power of Multi-parent Creation in Monotonic Access Control Models. Journal of Computer Security, 4(2&3):149–196, 1996.
[10] P. Ammann and R. Sandhu. Safety Analysis for the Extended Schematic Protection Model. In Proc. of Symp. on Security & Privacy, pages 87–97. IEEE, 1991.
[11] A. Armando and S. Ranise. Automated Symbolic Analysis of ARBAC Policies. In 6th STM Workshop, volume 6710 of LNCS, pages 17–33. Springer, 2010.
[12] A. Armando and S. Ranise. Scalable Automated Symbolic Analysis of ARBAC Policies by SMT Solving. JCS, 20(4):309–352, 2012.
[13] B. Beckert, C. A. R. Hoare, R. Hähnle, R. Smith, D. R. Green, S. Ranise, C. Tinelli, T. Ball, and S. K. Rajamani. Intelligent Systems and Formal Methods in Software Engineering. IEEE Int. Sys., 21(6):71–81, 2006.
[14] E. Bertino, P. Bonatti, and E. Ferrari. TRBAC: A Temporal Role Based Access Control Model. ACM TISSEC, 4(3):191–233, 2001.
[15] L. Chen and J. Crampton. On Spatio-Temporal Constraints and Inheritance in Role-Based Access Control. In Proc. of the 2008 ACM Symposium on Information, Computer and Communications Security, pages 205–216. ACM, 2008.
[16] J. Crampton. Understanding and Developing Role-Based Administrative Models. In Proc. 12th CCS, pages 158–167. ACM Press, 2005.
[17] S. De Capitani di Vimercati, S. Foresti, S. Jajodia, and P. Samarati. Access Control Policies and Languages. Int. Journal of Computational Science and Engineering (IJCSE), 3(2):94–102, 2007.
[18] H. B. Enderton. A Mathematical Introduction to Logic. Academic Press, Inc., 1972.
[19] A. L. Ferrara, P. Madhusudan, T. L. Nguyen, and G. Parlato. VAC: Verifier of Administrative Role-based Access Control Policies. In Proc. of 26th Int'l Conference on Computer Aided Verification (CAV), pages 184–191. Springer Berlin Heidelberg, 2014.
[20] A. L. Ferrara, P. Madhusudan, and G. Parlato. Policy Analysis for Self-administrated Role-Based Access Control. In TACAS'13, pages 432–447. Springer, 2013.
[21] S. Ghilardi and S. Ranise. Backward Reachability of Array-based Systems by SMT Solving: Termination and Invariant Synthesis. In LMCS, Vol. 6, Issue 4, pages 1–48, 2010.
[22] S. Ghilardi and S. Ranise. MCMT: a Model Checker Modulo Theories. In Proc. of IJCAR'10, LNCS, pages 22–29, 2010.
[23] M. Gofman and P. Yang. Efficient Policy Analysis for Evolving Administrative Role Based Access Control. Int. J. of Software and Informatics, 8(1):95–131, 2014.
[24] M. I. Gofman, R. Luo, A. C. Solomon, Y. Zhang, P. Yang, and S. D. Stoller. RBAC-PAT: A Policy Analysis Tool for Role Based Access Control. In TACAS, volume 5505 of LNCS, pages 46–49. Springer, 2009.
[25] M. I. Gofman, R. Luo, and P. Yang. User-Role Reachability Analysis of Evolving Administrative Role Based Access Control. In ESORICS, volume 6345 of LNCS, pages 455–471. Springer, 2010.
[26] P. Gupta, S. D. Stoller, and Z. Xu. Abductive Analysis of Administrative Policies in Rule-based Access Control. In ICISS, volume 7093 of LNCS, pages 116–130. Springer, 2011.
[27] M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. On Protection in Operating Systems. In Proc. of Symposium on Operating System Principles, pages 461–471. ACM Press, 1975.
[28] M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. Protection in Operating Systems. Communications of the ACM, 19(8):461–471, 1976.
[29] M. Huth and M. Ryan. Logic in Computer Science (Second Edition). Cambridge University Press, 2004.
[30] K. Jayaraman, V. Ganesh, M. Tripunitara, M. Rinard, and S. Chapin. Automatic Error Finding in Access-Control Policies. In CCS, pages 163–174. ACM, 2011.
[31] K. Jayaraman, M. V. Tripunitara, V. Ganesh, M. C. Rinard, and S. J. Chapin. Mohawk: Abstraction-Refinement and Bound-Estimation for Verifying Access Control Policies. ACM Trans. Information System Security, 15(4):1–28, 2013.
[32] S. Jha, N. Li, M. Tripunitara, Q. Wang, and W. Winsborough. Towards Formal Verification of Role-Based Access Control Policies. IEEE Trans. Dependable Secur. Comput., 5(4):242–255, 2008.
[33] S. Jha, N. Li, M. V. Tripunitara, Q. Wang, and H. Winsborough. Towards Formal Verification of Role-Based Access Control Policies. IEEE TDSC, 5(4):242–255, 2008.
[34] A. K. Jones, R. J. Lipton, and L. Snyder. A Linear Time Algorithm for Deciding Security. In Symp. on Found. of Comp. Science, pages 33–41. IEEE, 1976.
[35] J. B. D. Joshi, E. Bertino, U. Latif, and A. Ghafoor. The Schematic Protection Model: its Definition and Analysis for Acyclic Attenuating Schemes. Journal of the ACM, 35(2):404–432, 1988.
[36] J. B. D. Joshi, E. Bertino, U. Latif, and A. Ghafoor. A Generalized Temporal Role-Based Access Control Model. IEEE Trans. on Knowledge and Data Engineering, 7(1):4–23, 2005.
[37] M. Koch, L. V. Mancini, and F. Parisi-Presicce. Decidability of Safety in Graph-Based Models for Access Control. In ESORICS, volume 2502 of LNCS, pages 229–244, 2002.
[38] B. W. Lampson. Protection. In Proc. of Princeton Sym. on Info. Science and Systems, pages 437–443, 1971.
[39] N. Li and Z. Mao. Administration in Role Based Access Control. In Proc. ACM Symp. on Information, Computer, and Communication Security (ASIACCS), pages 127–138. ACM, 2007.
[40] N. Li and M. V. Tripunitara. Security Analysis in Role-Based Access Control. In Proc. of ACM Symposium on Access Control Models and Technologies, pages 126–135. ACM Press, 2004.
[41] N. Li and M. V. Tripunitara. Security Analysis in Role-Based Access Control. ACM TISSEC, 9(4):391–420, 2006.
[42] S. Mondal, S. Sural, and V. Atluri. Security Analysis of GTRBAC and its Variants using Model Checking. J. of Computer Security, 30(1):128–147, 2011.
[43] R. Piskac, L. de Moura, and N. Bjørner. Deciding Effectively Propositional Logic Using DPLL and Substitution Sets. J. of Automated Reasoning, 44(4):401–424, 2010.
[44] A. Ramadan. A Comparison of Security Analysis Techniques for RBAC Models. In Proc. of Ann. Colorado Celeb. Women in Comp., pages 30–36, 2010.
[45] G. Ramalingam and T. Reps. A Categorized Bibliography on Incremental Computation. In Proc. of POPL, pages 502–510. ACM, 1993.
[46] F. P. Ramsey. On a Problem of Formal Logic. Proceedings of the London Mathematical Society, s2-30(1):264–286, 1930.
[47] S. Ranise. Symbolic Backward Reachability with Effectively Propositional Logic: Applications to Security Policy Analysis. FMSD, 42(1):24–45, 2013.
[48] S. Ranise, A. Truong, and A. Armando. Scalable and Precise Automated Analysis of Administrative Temporal Role-Based Access Control. In SACMAT, pages 103–114. ACM, 2014.
[49] S. Ranise, A. T. Truong, and A. Armando. Boosting Model Checking to Analyse Large ARBAC Policies. Chapter in Security and Trust Management (Audun Jøsang, Pierangela Samarati, Marinella Petrocchi, eds.), LNCS vol. 7783, pages 273–288. Springer Berlin Heidelberg, 2013.
[50] S. Ranise, T. A. Truong, and A. Armando. Boosting Model Checking to Analyse Large ARBAC Policies. In STM'12, volume 7783 of LNCS, pages 273–288, 2012.
[51] R. Sandhu. The Typed Access Matrix Model. In Proc. of IEEE Symposium on Research in Security and Privacy, pages 122–136. IEEE Press, 1992.
[52] R. Sandhu, V. Bhamidipati, and Q. Munawer. The ARBAC97 Model for Role-Based Access Control Administration of Roles. ACM TISSEC, 1(2):105–135, 1999.
[53] R. Sandhu, E. Coyne, H. Feinstein, and C. Youmann. Role-Based Access Control Models. IEEE Computer, 2(29):38–47, 1996.
[54] A. Sasturkar, P. Yang, S. D. Stoller, and C. R. Ramakrishnan. Policy Analysis for Administrative Role Based Access Control. In CSF, pages 138–151. IEEE Press, July 2006.
[55] A. Sasturkar, P. Yang, S. D. Stoller, and C. R. Ramakrishnan. Policy Analysis for Administrative Role Based Access Control. TCS, 412(44):6208–6234, 2011.
[56] B. Shafiq, A. Masood, J. Joshi, and A. Ghafoor. A Role-Based Access Control Policy Verification Framework for Real-time Systems. In Proc. of IEEE Int. Workshop on Object-Oriented Real-Time Dependable Systems, pages 13–20. IEEE Press, 2005.
[57] J. A. Solworth and R. H. Sloan. A Layered Design of Discretionary Access Controls with Decidable Safety Properties. In Proc. of IEEE Symposium on Security and Privacy, pages 56–67. IEEE Press, 2004.
[58] M. Soshi, M. Maekawa, and E. Okamoto. The Dynamic-Typed Access Matrix Model and Decidability of the Safety Problem. IEICE-TF, (1):1–14, 2004.
[59] S. D. Stoller, P. Yang, C. R. Ramakrishnan, and M. I. Gofman. Efficient Policy Analysis for Administrative Role Based Access Control. In CCS, pages 445–455. ACM Press, 2007.
[60] M. Toahchoodee and I. Ray. On the Formal Analysis of a Spatiotemporal Role-Based Access Control Model. In Proc. of Working Conf. on Data and App. Security, pages 17–32. Springer-Verlag, 2008.
[61] M. V. Tripunitara and N. Li. A Theory for Comparing the Expressive Power of Access Control Models. J. of Comp. Sec., 15:231–272, 2007.
[62] E. Uzun. Personal communication. By email, October 29, 2013.
[63] E. Uzun, V. Atluri, S. Sural, J. Vaidya, G. Parlato, and A. L. Ferrara. Analyzing Temporal Role Based Access Control Models. In SACMAT, pages 177–186. ACM, 2012.
[64] E. Uzun, V. Atluri, J. Vaidya, and S. Sural. Analysis of TRBAC with Dynamic Temporal Role Hierarchies. In DBSec XXVII, LNCS 7964, pages 297–304. Springer, 2013.
[65] P. Yang, M. I. Gofman, S. Stoller, and Z. Yang. Policy Analysis for Administrative Role Based Access Control without Separate Administration. J. of Computer Security, 2014. To appear.
[66] Z. Manna and A. Pnueli. Temporal Verification of Reactive Systems: Safety. Springer, 1995.
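The combined forward/backward user-role reachability check sketched in Section 9.1 above, as an added explicit-state illustration that is not code from the dissertation or from the asaspTIME tool: a forward search from the initial state and a backward search from the goal advance in lockstep, the goal is declared reachable as soon as the two state sets meet, and unreachable once the backward search reaches its fixpoint. It assumes a constructed toy ARBAC policy (can_assign rules with positive and negative role preconditions plus can_revoke rules), explicit role sets in place of the BSR formulae the thesis checks with an SMT solver, and the separate-administration assumption, which the dissertation's own technique does not need.

```python
from collections import deque
from itertools import combinations

# Constructed toy ARBAC policy (hypothetical, not one of the thesis benchmarks).
# can_assign rules: (positive preconditions, negative preconditions, target).
CAN_ASSIGN = [
    (frozenset(), frozenset(), "Employee"),
    (frozenset({"Employee"}), frozenset({"Doctor"}), "Nurse"),
    (frozenset({"Employee"}), frozenset({"Nurse"}), "Doctor"),
    (frozenset({"Nurse"}), frozenset(), "Pharmacist"),
    (frozenset({"Doctor", "Pharmacist"}), frozenset(), "Admin"),
]
CAN_REVOKE = ["Nurse", "Doctor"]  # can_revoke rules: roles an admin may revoke
ROLES = ("Employee", "Doctor", "Nurse", "Pharmacist", "Admin")

def successors(state, revoke=CAN_REVOKE):
    """Post-image of one user's role set under every enabled action."""
    for pos, neg, target in CAN_ASSIGN:
        if pos <= state and not (neg & state) and target not in state:
            yield f"assign {target}", state | {target}
    for role in revoke:
        if role in state:
            yield f"revoke {role}", state - {role}

def predecessors(state, revoke=CAN_REVOKE):
    """Pre-image: the states from which exactly one action leads to `state`."""
    for pos, neg, target in CAN_ASSIGN:
        prev = state - {target}
        if target in state and pos <= prev and not (neg & prev):
            yield f"assign {target}", prev
    for role in revoke:
        if role not in state:
            yield f"revoke {role}", state | {role}

def user_role_reachability(goal, init=frozenset(), revoke=CAN_REVOKE):
    """Return (reachable, witness). Forward and backward searches advance one
    layer each per round (the two parallel threads); witness = init -> goal."""
    fwd = {init: None}                           # state -> (prev state, action)
    others = [r for r in ROLES if r != goal]     # enumerate the goal states:
    bwd = {frozenset(c) | {goal}: None for k in range(len(others) + 1)
           for c in combinations(others, k)}     # state -> (next state, action)
    fwd_frontier, bwd_frontier = deque([init]), deque(bwd)

    def witness(meet):
        path, s = [], meet
        while fwd[s]:                            # walk back to init
            s, act = fwd[s]
            path.insert(0, act)
        s = meet
        while bwd[s]:                            # walk on to a goal state
            s, act = bwd[s]
            path.append(act)
        return path

    if init in bwd:
        return True, []
    while bwd_frontier:                          # backward fixpoint: unreachable
        for _ in range(len(fwd_frontier)):       # one forward layer
            state = fwd_frontier.popleft()
            for act, nxt in successors(state, revoke):
                if nxt not in fwd:
                    fwd[nxt] = (state, act)
                    fwd_frontier.append(nxt)
                    if nxt in bwd:
                        return True, witness(nxt)
        for _ in range(len(bwd_frontier)):       # one backward layer
            state = bwd_frontier.popleft()
            for act, prev in predecessors(state, revoke):
                if prev not in bwd:
                    bwd[prev] = (state, act)
                    bwd_frontier.append(prev)
                    if prev in fwd:
                        return True, witness(prev)
    return False, None
```

For the constructed policy the witness shows the Nurse/Doctor mutual-exclusion precondition being circumvented through a revocation, which is exactly the kind of administrative path a policy designer wants the analysis to surface; with the revoke rules removed, Admin becomes unreachable and the backward search terminates at its fixpoint.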

Posted: 27/04/2021, 14:20
