
Computers & Security

Volume 66, May 2017, Pages 185-203

Formal analysis of XACML policies using SMT

https://doi.org/10.1016/j.cose.2017.01.009

Abstract

The eXtensible Access Control Markup Language (XACML) has attracted significant attention from both industry and academia, and has become the de facto standard for the specification of access control policies. However, its XML-based verbose syntax and rich set of constructs make the authoring of XACML policies difficult and error-prone. Several automated tools have been proposed to analyze XACML policies before their actual deployment. However, most of the existing tools either cannot efficiently reason about non-Boolean attributes, which often appear in XACML policies, or restrict the analysis to a small set of properties. This work presents a policy analysis framework for the verification of XACML policies based on SAT modulo theories (SMT). We show how XACML policies can be encoded into SMT formulas, along with a query language able to express a variety of well-known security properties, for policy analysis. By being able to reason over non-Boolean attributes, our SMT-based policy analysis framework allows a fine-grained policy analysis while relieving policy authors of the burden of defining an appropriate level of granularity of the analysis. An evaluation of the framework shows that it is computationally efficient and requires less memory compared to existing approaches.

Introduction

Data and other digital resources have become a valuable asset for most organizations. Their protection is thus of utmost importance. Access control is a widely adopted technology for information security and, in particular, to ensure that sensitive information can only be accessed by authorized users.

In the last decades, several access control models and languages have been proposed for the specification and enforcement of access control policies. Among these languages, the eXtensible Access Control Markup Language (XACML) (OASIS XACML Technical Committee, 2013) provides an expressive and extensible syntax in XML for the specification of attribute-based access control policies as well as means to combine policies possibly specified by independent authorities. XACML has been widely used in academia and adopted by many enterprises such as IBM (Buecker et al., 2009), becoming the de facto standard for access control.

However, due to its rich set of constructs and XML-based verbose syntax, policy specification in XACML is known to be difficult and error-prone (Hughes and Bultan, 2008; Nelson et al., 2010). For instance, when a policy is updated to address new requirements, it becomes difficult to determine whether the revised policy works as intended. Even small errors can lead to large data breaches. Ensuring the correctness of access control policies, especially in the error-prone setting of XACML policy specification, is thus a crucial task for protecting sensitive data.

To assist security administrators in the definition of their policies, several methods and tools have been developed for the verification of access control policies at design time using formal reasoning (Backes et al., 2004; Crampton and Morisset, 2012; Hu et al., 2013; Hughes and Bultan, 2008; Nelson et al., 2010; Turkmen et al., 2013). These tools aim to verify whether an access control policy (or a set of policies) satisfies certain properties. A property can vary from checking the (types of) access requests that should be allowed (or denied) by a policy to the analysis of the relation between two policies, such as one policy being as permissive/restrictive as another (i.e., policy refinement (Backes et al., 2004)). However, many of the existing approaches can only analyze a restricted set of security properties due to the limited expressiveness of the policy formalization they use. Moreover, existing policy analysis tools often do not naturally support reasoning over non-Boolean variables and functions, which often appear in XACML policies. As a consequence, they are either unable to analyze access control policies at a fine level of granularity, or the performance of the analysis deteriorates very quickly.

To address these issues, in a previous work (Turkmen et al., 2015), we have introduced a framework that employs SAT modulo theories (SMT) (Barrett et al., 2008) as the underlying reasoning method for the formal analysis of XACML policies. SMT is a natural extension to propositional satisfiability (SAT) (Gomes et al., 2008) in which SMT solvers employ tailored reasoners when solving non-Boolean predicates in the input formula. In particular, SMT enables the use of background theories, such as linear arithmetic and equality, to reason about the satisfiability of many-sorted first order formulas. In Turkmen et al. (2015), we provided the intuition of how XACML policies can be encoded into SMT formulas and presented a powerful query language that allows the specification and analysis of a vast range of security properties that have been proposed in the literature. However, given the complex syntax of XACML, it is desirable to have an automated translation of XACML policies into SMT formulas while preserving the semantics of the original policy. Moreover, although SMT provides a powerful approach to problem verification including policy analysis, the problem of checking the satisfiability of arbitrary many-sorted first order logic formulas can be undecidable.

In this paper, we extend the work in Turkmen et al. (2015) by providing the following contributions:

  • We provide a complete procedure for the automated translation of XACML policies into SMT formulas for policy analysis. Specifically, we present an encoding of XACML policies that flattens the hierarchical structure of a policy. To support the translation, we provide an encoding of XACML combining algorithms and a mapping between the most common XACML functions and the available SMT background theories.

  • We provide a proof of the correctness of the proposed encoding, thus guaranteeing that the semantics of the original policy is preserved.

  • We confirm the expressive power of our query language by encoding a new set of properties, namely separation of duty constraints.

  • We study under which conditions SMT solvers are capable of tackling policy analysis problems. To the best of our knowledge, this is the first work that provides a detailed study of the complexity of policy analysis in SMT.

  • We complement the study of the complexity with an evaluation of the framework through a more extensive set of experiments compared to Turkmen et al. (2015). In particular, we compare our SMT-based approach with SAT-based approaches using different SAT solvers, thus providing a more comprehensive comparison between the two approaches. Moreover, we evaluate our framework using additional realistic policies.
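As an added illustration of the kind of encoding the paper describes (not the paper's own encoding or tool), the following Python emits an SMT-LIB2 problem for a small constructed policy under the deny-overrides combining algorithm and attaches a property query that a solver such as Z3 can check; the roles, attributes, rules and function names are assumptions, and the encoding generalises to any list of Permit/Deny rules over a non-Boolean attribute.

```python
# Added example: encode a small XACML-style policy under the deny-overrides
# combining algorithm as an SMT-LIB2 problem with a property query attached.
# This is an illustration of the idea, not the paper's own encoding or tool.

ROLES = ("doctor", "nurse", "patient")           # constructed enumerated sort
ATTRIBUTES = {"role": "Role", "hour": "Int"}     # non-Boolean attributes

# Constructed sample policy: (rule id, effect, condition as an SMT-LIB term).
# Each rule's target and condition are already merged into one term.
POLICY = [
    ("r1", "Permit", "(and (= role doctor) (<= 8 hour) (<= hour 18))"),
    ("r2", "Permit", "(and (= role nurse) (<= 6 hour) (<= hour 22))"),
    ("r3", "Deny",   "(or (< hour 6) (> hour 22))"),
]

def disj(terms):
    """Disjunction of SMT-LIB terms; an empty disjunction is 'false'."""
    if not terms:
        return "false"
    return terms[0] if len(terms) == 1 else "(or %s)" % " ".join(terms)

def encode_policy(rules):
    """Flatten the rules into Boolean definitions of the policy decision.
    Deny-overrides: Deny if any Deny rule applies; otherwise Permit if any
    Permit rule applies; otherwise NotApplicable."""
    lines = ["(declare-datatypes ((Role 0)) ((%s)))"
             % " ".join("(%s)" % r for r in ROLES)]
    lines += ["(declare-const %s %s)" % (a, s) for a, s in ATTRIBUTES.items()]
    any_deny = disj([c for _, e, c in rules if e == "Deny"])
    any_permit = disj([c for _, e, c in rules if e == "Permit"])
    lines.append("(define-fun deny () Bool %s)" % any_deny)
    lines.append("(define-fun permit () Bool (and (not deny) %s))" % any_permit)
    lines.append("(define-fun not_applicable () Bool (and (not deny) (not permit)))")
    return lines

def query(rules, property_term):
    """Complete SMT-LIB2 problem: the encoded policy plus the asserted property.
    A 'sat' answer means some request satisfies the property, and the model
    gives concrete attribute values for such a request."""
    return "\n".join(encode_policy(rules)
                     + ["(assert %s)" % property_term, "(check-sat)", "(get-model)"])

if __name__ == "__main__":
    # Is there any request for which a patient obtains Permit?
    print(query(POLICY, "(and permit (= role patient))"))
```

Piping the printed problem into an SMT-LIB2 solver answers the property question directly; here the solver should report unsat, since no Permit rule mentions the patient role.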

The paper is structured as follows. The next section provides background about XACML and SMT. Section 3 presents our encoding of XACML policies as SMT formulas. Section 4 introduces a query language for the specification of security properties and demonstrates this language by encoding a number of well-known security properties from the literature. Section 5 discusses the complexity of policy analysis in SMT. Section 6 presents an experimental evaluation of our framework. Finally, Section 7 discusses related work, and Section 8 concludes the paper providing directions for future work.

Section snippets

Preliminaries

This section introduces the basic notions underlying XACML and SMT.

Encoding XACML policies in SMT

This section presents our encoding of XACML policies into SMT formulas. We first present a transformation of XACML policies that flattens the hierarchical structure of an XACML policy while preserving the semantics of the original policy. We then discuss the encoding of the transformed policies into SMT formulas.

XACML policy analysis

The previous section presented an encoding of XACML policies as SMT formulas. In this section we use this encoding to represent policy analysis problems. We first present a query language for the specification of policy properties, and then we give example query formulas for various policy properties.

Complexity of policy analysis with SMT

The previous two sections have described our method to reduce a policy analysis problem into an SMT problem. Our experience shows that the formulas and the background theories in the resulting SMT problems share three common features: (F1) the encoding of the XACML combining algorithms discussed in Section 3.1 generates formulas with a complex Boolean structure; solving such problems is already NP-hard as it subsumes SAT solving; (F2) the required background theories are those shown in Table 2;

Evaluation

To validate our policy analysis framework, we have developed a prototype and evaluated its performance through two sets of experiments along the lines of the experiments conducted in Turkmen et al. (2015). In the first set of experiments, we compared our approach with SAT-based techniques by analyzing the same policies at varying levels of granularity. In the second set, we analyzed realistic policies using SMT solving. The experiments were performed on a 64-bit machine with 16 GB RAM and 3.40GHz

Related work

Several policy analysis tools have been proposed to assist policy authors in the analysis of XACML policies. Many of these tools (e.g. Bahrak et al, 2010, Fisler et al, 2005, Hu et al, 2013) use binary decision diagrams (BDD) and multi-terminal binary decision diagrams (MTBDD) as the underlying representation of XACML policies and, in general, access control policies. The nodes of a decision diagram are used to represent Boolean variables encoding the attribute-values pairs in the policy. The

Conclusion

In this paper, we have presented a formal framework for the analysis of XACML policies that supports the verification of a wide variety of well-known security properties. Our framework differs from existing approaches in that it uses SMT as the underlying reasoning mechanism. In particular, it reduces XACML policy analysis problems to SMT problems and uses a state-of-the-art SMT solver for solving such problems. The main advantage of SMT compared to other reasoning techniques lies in the ability

Acknowledgments

This work has been funded by the ITEA2 project M2MGrids (13011) and the Dutch national program COMMIT under the THeCS project.

Fatih Turkmen received his Ph.D. from the University of Trento and is currently a postdoctoral researcher at University of Amsterdam. He conducts research on specification, analysis and enforcement of security policies pertinent to distributed systems.

References

  • C.P. Gomes et al. Satisfiability solvers.
  • D. Oppen. Complexity, convexity and combinations of theories. Theor. Comput. Sci. (1980).
  • G.-J. Ahn et al. Representing and reasoning about web access control policies.
  • K. Arkoudas et al. Sophisticated access control via SMT and logical frameworks. ACM Trans. Inform. Syst. Secur. (2014).
  • A. Armando et al. Automated and efficient analysis of role-based access control with attributes.
  • M. Backes et al. Efficient comparison of enterprise privacy policies.
  • B. Bahrak et al. BRESAP: a policy reasoner for processing spectrum access policies represented by binary decision diagrams.
  • Balana: Open source XACML 3.0 implementation, ...
  • C.W. Barrett et al. Satisfiability modulo theories.
  • A. Biere et al. Symbolic model checking using SAT procedures instead of BDDs.
  • M. Bozzano et al. Efficient theory combination via Boolean search. Inform. Comput. (2006).
  • A. Buecker et al. IBM Tivoli Security Policy Manager. IBM Redbooks (2009).
  • J.R. Burch et al. Automatic verification of pipelined microprocessor control.
  • J. Crampton et al. PTaCL: a language for attribute-based access control in open systems.
  • J. Crampton et al. On missing attributes in access control: non-deterministic and probabilistic attribute retrieval.
  • L.M. de Moura et al. Z3: an efficient SMT solver.
  • A.I. Egner et al. An authorization service for collaborative situation awareness.
  • H.B. Enderton. A mathematical introduction to logic (1972).
  • K. Fisler et al. Verification and change-impact analysis of access-control policies.
  • Y. Ge et al. Complete instantiation for quantified formulas in satisfiability modulo theories.
  • H. Hu et al. Discovery and resolution of anomalies in web access control policies. IEEE Trans. Dependable Secure Comput. (2013).
  • G. Hughes et al. Automated verification of access control policies using a SAT solver. Int. J. Softw. Tools Technol. Transf. (2008).
  • D. Jackson. Alloy: a lightweight object modelling notation. ACM Trans. Softw. Eng. Methodol. (2002).
  • S.P. Kaluvuri et al. SAFAX: an extensible authorization service for cloud environments. Front. ICT (2015).

Jerry den Hartog received his Ph.D. in 2002 at the Vrije Universiteit Amsterdam and has worked at the Technical University of Eindhoven as Assistant Professor since 2008. Focusing on trustworthy collaborative systems, his research interests include distributed access control and network monitoring.

Silvio Ranise has been a senior researcher at Fondazione Bruno Kessler since 2010. Before that, he held a research position at INRIA in France and was a visiting professor at the University of Milan, Italy. His research focuses on security policy modeling, specification, analysis, and enforcement.

Nicola Zannone received his Ph.D. in 2007 at the University of Trento. Since 2016 he has been an Associate Professor in the Security group at the Technical University of Eindhoven. His research interests include computer security, data protection, access control and formal methods.
