TY - JOUR
T1 - MOHAWK
T2 - Abstraction-refinement and bound-estimation for verifying access control policies
AU - Jayaraman, Karthick
AU - Tripunitara, Mahesh
AU - Ganesh, Vijay
AU - Rinard, Martin
AU - Chapin, Steve
PY - 2013/4
Y1 - 2013/4
N2 - Verifying that access-control systems maintain desired security properties is recognized as an important problem in security. Enterprise access-control systems have grown to protect tens of thousands of resources, and there is a need for verification to scale commensurately. We present techniques for abstractionrefinement and bound-estimation for bounded model checkers to automatically find errors in Administrative Role-Based Access Control (ARBAC) security policies. ARBAC is the first and most comprehensive administrative scheme for Role-Based Access Control (RBAC) systems. In the abstraction- refinement portion of our approach, we identify and discard roles that are unlikely to be relevant to the verification question (the abstraction step). We then restore such abstracted roles incrementally (the refinement steps). In the boundestimation portion of our approach, we lower the estimate of the diameter of the reachability graph from the worst-case by recognizing relationships between roles and state-change rules. Our techniques complement one another, and are used with conventional bounded model checking. Our approach is sound and complete: an error is found if and only if it exists.We have implemented our technique in an access-control policy analysis tool called MOHAWK. We show empirically that MOHAWK scales well to realistic policies, and provide a comparison with prior tools.
AB - Verifying that access-control systems maintain desired security properties is recognized as an important problem in security. Enterprise access-control systems have grown to protect tens of thousands of resources, and there is a need for verification to scale commensurately. We present techniques for abstractionrefinement and bound-estimation for bounded model checkers to automatically find errors in Administrative Role-Based Access Control (ARBAC) security policies. ARBAC is the first and most comprehensive administrative scheme for Role-Based Access Control (RBAC) systems. In the abstraction- refinement portion of our approach, we identify and discard roles that are unlikely to be relevant to the verification question (the abstraction step). We then restore such abstracted roles incrementally (the refinement steps). In the boundestimation portion of our approach, we lower the estimate of the diameter of the reachability graph from the worst-case by recognizing relationships between roles and state-change rules. Our techniques complement one another, and are used with conventional bounded model checking. Our approach is sound and complete: an error is found if and only if it exists.We have implemented our technique in an access-control policy analysis tool called MOHAWK. We show empirically that MOHAWK scales well to realistic policies, and provide a comparison with prior tools.
UR - http://www.scopus.com/inward/record.url?scp=84878578416&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84878578416&partnerID=8YFLogxK
U2 - 10.1145/2445566.2445570
DO - 10.1145/2445566.2445570
M3 - Article
AN - SCOPUS:84878578416
SN - 1094-9224
VL - 15
JO - ACM Transactions on Information and System Security
JF - ACM Transactions on Information and System Security
IS - 4
M1 - 18
ER -