ABSTRACT
In this paper, we present an access control verification approach for Role-Based Access Control (RBAC) mechanisms. Given a specification that models security boundaries (e.g., obtained from a threat model, best practices, etc.), we verify that a change to an RBAC state adheres to the specification (i.e., remains within the security boundaries). We demonstrate the practical utility of our approach by instantiating it for Microsoft's Azure AD. We have realized our technique in a tool called Ambit, which leverages SMT (Satisfiability Modulo Theory) solvers to efficiently encode and solve the resulting verification problem. We demonstrate the scalability and applicability of our approach with a set of generated benchmarks that attempt to simulate real-world RBAC configurations.
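The verification problem the abstract describes has three inputs: an RBAC state (role definitions plus role assignments at scopes), a proposed change to that state, and a specification of security boundaries; the question is whether the post-change state still satisfies the specification. The following Python script is an added illustration and is not Ambit's code or the paper's encoding: it replaces the SMT encoding with a direct enumeration over a small finite state, which is sufficient to show what a violation witness looks like but does not scale the way a solver-based encoding does. All role names, principals, scopes and the rule format are constructed for this example and are a simplified model of Azure-style RBAC (path-like scopes that inherit downward, action patterns with `*` wildcards, `not_actions` exclusions); deny assignments and data actions are omitted.

```python
import re
from dataclasses import dataclass

# Constructed, simplified Azure-style RBAC model (not the paper's formalization).

@dataclass(frozen=True)
class Assignment:
    principal: str   # who
    role: str        # name of a role definition
    scope: str       # path-like scope; access inherits to all descendants

@dataclass
class RbacState:
    roles: dict        # role name -> {"actions": [patterns], "not_actions": [patterns]}
    assignments: set   # set of Assignment
    resources: set     # known resource ids on which access can be exercised

@dataclass(frozen=True)
class Rule:
    """Security boundary: only principals in `allowed` may perform `action`
    on any resource at or below `scope`."""
    action: str
    scope: str
    allowed: frozenset

def scope_contains(parent: str, child: str) -> bool:
    # Match on path boundaries so ".../prod" does not contain ".../production".
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def action_matches(pattern: str, action: str) -> bool:
    # "*" matches any sequence of characters, including "/".
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None

def permits(state: RbacState, principal: str, action: str, resource: str) -> bool:
    """True if some assignment grants `principal` the `action` on `resource`."""
    for a in state.assignments:
        if a.principal != principal or not scope_contains(a.scope, resource):
            continue
        role = state.roles[a.role]
        granted = any(action_matches(p, action) for p in role["actions"])
        excluded = any(action_matches(p, action) for p in role["not_actions"])
        if granted and not excluded:
            return True
    return False

def apply_change(state: RbacState, change) -> RbacState:
    """change = ("add" | "remove", Assignment); returns the post-change state."""
    op, assignment = change
    new_assignments = set(state.assignments)
    (new_assignments.add if op == "add" else new_assignments.discard)(assignment)
    return RbacState(state.roles, new_assignments, state.resources)

def violations(state: RbacState, spec) -> list:
    """Enumerate (principal, action, resource) witnesses that cross a boundary."""
    principals = {a.principal for a in state.assignments}
    found = []
    for rule in spec:
        for resource in state.resources:
            if not scope_contains(rule.scope, resource):
                continue
            for p in principals:
                if p not in rule.allowed and permits(state, p, rule.action, resource):
                    found.append((p, rule.action, resource))
    return sorted(found)

def verify_change(state: RbacState, change, spec) -> list:
    """Empty list means the change keeps the state within the security boundaries;
    otherwise each entry is a concrete witness of a violation in the post-change state."""
    return violations(apply_change(state, change), spec)

# Constructed sample state and specification.
ROLES = {
    "ReadAll": {"actions": ["*/read"], "not_actions": []},
    "SecretsReader": {"actions": ["Microsoft.KeyVault/vaults/secrets/read"], "not_actions": []},
    "ReadAllButSecrets": {"actions": ["*/read"], "not_actions": ["Microsoft.KeyVault/*"]},
}
SUB = "/subscriptions/sub-1"
PROD_RG = SUB + "/resourceGroups/prod"
PROD_VAULT = PROD_RG + "/providers/Microsoft.KeyVault/vaults/prod-kv"
DEV_VAULT = SUB + "/resourceGroups/dev/providers/Microsoft.KeyVault/vaults/dev-kv"
SECRETS_READ = "Microsoft.KeyVault/vaults/secrets/read"

STATE = RbacState(
    roles=ROLES,
    assignments={
        Assignment("alice", "SecretsReader", PROD_RG),
        Assignment("bob", "ReadAllButSecrets", SUB),
    },
    resources={PROD_VAULT, DEV_VAULT},
)
# Boundary: only alice may read secrets anywhere under the prod resource group.
SPEC = [Rule(SECRETS_READ, PROD_RG, frozenset({"alice"}))]

SAFE_CHANGE = ("add", Assignment("carol", "SecretsReader", DEV_VAULT))   # dev only
UNSAFE_CHANGE = ("add", Assignment("carol", "ReadAll", SUB))             # inherits into prod

if __name__ == "__main__":
    print("safe change  ->", verify_change(STATE, SAFE_CHANGE, SPEC))
    print("unsafe change->", verify_change(STATE, UNSAFE_CHANGE, SPEC))
```

The unsafe change is the interesting case: the new assignment never mentions the prod resource group or Key Vault, yet scope inheritance from the subscription combined with the `*/read` wildcard grants carol `Microsoft.KeyVault/vaults/secrets/read` on the prod vault, and the checker returns that triple as the witness. The enumeration loops are exactly the quantifiers an SMT encoding would discharge symbolically, which is why the enumerative version is only suitable for illustration.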
Ambit: Verification of Azure RBAC