Formal analysis of XACML policies using SMT
Introduction
Data and other digital resources have become a valuable asset for most organizations. Their protection is thus of utmost importance. Access control is a widely adopted technology for information security and, in particular, to ensure that sensitive information can only be accessed by authorized users.
In the last decades, several access control models and languages have been proposed for the specification and enforcement of access control policies. Among these languages, the eXtensible Access Control Markup Language (XACML) (OASIS XACML Technical Committee, 2013) provides an expressive and extensible syntax in XML for the specification of attribute-based access control policies as well as means to combine policies possibly specified by independent authorities. XACML has been widely used in academia and adopted by many enterprises such as IBM (Buecker et al., 2009), becoming the de facto standard for access control.
However, due to its rich set of constructs and XML-based verbose syntax, policy specification in XACML is known to be difficult and error-prone (Hughes, Bultan, 2008, Nelson et al., 2010). For instance, when a policy is updated to address new requirements, it becomes difficult to determine whether the revised policy works as intended. Even small errors can lead to large data breaches. Ensuring the correctness of access control policies, especially in the error-prone setting of XACML policy specification, is thus a crucial task for protecting sensitive data.
To assist security administrators in the definition of their policies, several methods and tools have been developed for the verification of access control policies at design time using formal reasoning (Backes et al., 2004, Crampton, Morisset, 2012, Hu et al., 2013, Hughes, Bultan, 2008, Nelson et al., 2010, Turkmen et al., 2013). These tools aim to verify whether an access control policy (or a set of policies) satisfies certain properties. A property can vary from checking the (types of) access requests that should be allowed (or denied) by a policy to the analysis of the relation between two policies, such as one policy being as permissive/restrictive as another (i.e., policy refinement (Backes et al., 2004)). However, many of the existing approaches can only analyze a restricted set of security properties due to the limited expressiveness of the policy formalization used. Moreover, existing policy analysis tools often do not naturally support reasoning over non-Boolean variables and functions, which often appear in XACML policies. As a consequence, they are not able to analyze access control policies at a fine level of granularity, or the performance of the analysis deteriorates very quickly.
To address these issues, in a previous work (Turkmen et al., 2015), we introduced a framework that employs satisfiability modulo theories (SMT) (Barrett et al., 2008) as the underlying reasoning method for the formal analysis of XACML policies. SMT is a natural extension of propositional satisfiability (SAT) (Gomes et al., 2008) in which SMT solvers employ tailored reasoners when solving non-Boolean predicates in the input formula. In particular, SMT enables the use of background theories, such as linear arithmetic and equality, to reason about the satisfiability of many-sorted first order formulas. In Turkmen et al. (2015), we provided the intuition of how XACML policies can be encoded into SMT formulas and presented a powerful query language that allows the specification and analysis of a vast range of security properties that have been proposed in the literature. However, given the complex syntax of XACML, it is desirable to have an automated translation of XACML policies into SMT formulas that preserves the semantics of the original policy. Moreover, although SMT provides a powerful approach to verification problems including policy analysis, checking the satisfiability of arbitrary many-sorted first order logic formulas can be undecidable.
In this paper, we extend the work in Turkmen et al. (2015) by providing the following contributions:
- We provide a complete procedure for the automated translation of XACML policies into SMT formulas for policy analysis. Specifically, we present an encoding of XACML policies that flattens the hierarchical structure of a policy. To support the translation, we provide an encoding of XACML combining algorithms and a mapping between the most common XACML functions and the available SMT background theories.
- We provide a proof of the correctness of the proposed encoding, thus guaranteeing that the semantics of the original policy is preserved.
- We confirm the expressive power of our query language by encoding a new set of properties, namely separation of duty constraints.
- We study under which conditions SMT solvers are capable of tackling policy analysis problems. To the best of our knowledge, this is the first work that provides a detailed study of the complexity of policy analysis in SMT.
- We complement the study of the complexity with an evaluation of the framework through a more extensive set of experiments compared to Turkmen et al. (2015). In particular, we compare our SMT-based approach with SAT-based approaches using different SAT solvers, thus providing a more comprehensive comparison between the two approaches. Moreover, we evaluate our framework using additional realistic policies.
The paper is structured as follows. The next section provides background about XACML and SMT. Section 3 presents our encoding of XACML policies as SMT formulas. Section 4 introduces a query language for the specification of security properties and demonstrates this language by encoding a number of well-known security properties from the literature. Section 5 discusses the complexity of policy analysis in SMT. Section 6 presents an experimental evaluation of our framework. Finally, Section 7 discusses related work, and Section 8 concludes the paper providing directions for future work.
Preliminaries
This section introduces the basic notions underlying XACML and SMT.
Encoding XACML policies in SMT
This section presents our encoding of XACML policies into SMT formulas. We first present a transformation of XACML policies that flattens the hierarchical structure of an XACML policy while preserving the semantics of the original policy. We then discuss the encoding of the transformed policies into SMT formulas.
XACML policy analysis
The previous section presented an encoding of XACML policies as SMT formulas. In this section we use this encoding to represent policy analysis problems. We first present a query language for the specification of policy properties, and then we give example query formulas for various policy properties.
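As an added illustration (not the paper's translator or tool), the following Python emits the SMT-LIB encoding of two small flattened policies under the permit-overrides and first-applicable combining algorithms, and builds a refinement query of the kind the query language above is meant to express. The Rule class, the integer decision encoding, the attribute declarations and the sample policies are assumptions of this example.

```python
# Added example, not the paper's tool: emit SMT-LIB 2 for a flattened XACML
# policy whose rules carry SMT-LIB conditions, plus a refinement query.
# Assumed decision encoding: 1 = Permit, 0 = Deny, -1 = NotApplicable
# (Indeterminate is not modelled here).
from dataclasses import dataclass
VAL = {"Permit": "1", "Deny": "0", "NotApplicable": "(- 1)"}

@dataclass
class Rule:
    effect: str  # "Permit" or "Deny"
    cond: str    # SMT-LIB Bool term over the declared attribute constants

def any_applicable(rules, effect):
    """Disjunction of the conditions of all rules with the given effect."""
    terms = [r.cond for r in rules if r.effect == effect]
    if not terms:
        return "false"
    return terms[0] if len(terms) == 1 else "(or " + " ".join(terms) + ")"

def combine(alg, rules):
    """SMT-LIB Int term for the policy decision under combining algorithm alg."""
    if alg in ("permit-overrides", "deny-overrides"):
        win, lose = ("Permit", "Deny") if alg == "permit-overrides" else ("Deny", "Permit")
        return (f"(ite {any_applicable(rules, win)} {VAL[win]} "
                f"(ite {any_applicable(rules, lose)} {VAL[lose]} {VAL['NotApplicable']}))")
    if alg == "first-applicable":
        term = VAL["NotApplicable"]
        for r in reversed(rules):  # nest the ite chain from the last rule outward
            term = f"(ite {r.cond} {VAL[r.effect]} {term})"
        return term
    raise ValueError(f"unsupported combining algorithm: {alg}")

def smt_script(decls, policies, query):
    """Whole script: attribute declarations, one decision constant per policy, the query."""
    lines = ["(set-logic ALL)", *decls]
    for name, (alg, rules) in policies.items():
        lines += [f"(declare-const {name} Int)", f"(assert (= {name} {combine(alg, rules)}))"]
    return "\n".join(lines + [f"(assert {query})", "(check-sat)", "(get-model)"])

# Constructed sample policies over two attributes: role (uninterpreted sort) and hour (Int).
DECLS = ["(declare-sort Role 0)", "(declare-const role Role)", "(declare-const doctor Role)",
         "(declare-const nurse Role)", "(assert (distinct doctor nurse))", "(declare-const hour Int)"]
P_OLD = ("permit-overrides", [Rule("Permit", "(= role doctor)"), Rule("Deny", "(< hour 8)")])
P_NEW = ("first-applicable", [Rule("Deny", "(< hour 8)"),
                              Rule("Permit", "(or (= role doctor) (= role nurse))")])
# Refinement query: sat iff some request is permitted by p_new but not by p_old, i.e. the
# revised policy is more permissive than the original (a nurse at hour >= 8 is a witness).
REFINE = "(and (= p_new 1) (not (= p_old 1)))"
if __name__ == "__main__":
    print(smt_script(DECLS, {"p_old": P_OLD, "p_new": P_NEW}, REFINE))
```

Feeding the printed script to an SMT-LIB solver returns sat with a model that is the counterexample request; unsat would mean the revised policy refines the original.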
Complexity of policy analysis with SMT
The previous two sections have described our method to reduce a policy analysis problem into an SMT problem. Our experience shows that the formulas and the background theories in the resulting SMT problems share three common features: (F1) the encoding of the XACML combining algorithms discussed in Section 3.1 generates formulas with a complex Boolean structure; solving such problems is already NP-hard as it subsumes SAT solving; (F2) the required background theories are those shown in Table 2;
Evaluation
To validate our policy analysis framework, we have developed a prototype and evaluated its performance through two sets of experiments along the lines of the experiments conducted in Turkmen et al. (2015). In the first set of experiments, we compared our approach and SAT-based techniques by analyzing the same policies at varying levels of granularity. In the second set, we analyzed realistic policies using SMT solving. The experiments were performed on a 64-bit machine with 16 GB RAM and 3.40GHz
Related work
Several policy analysis tools have been proposed to assist policy authors in the analysis of XACML policies. Many of these tools (e.g. Bahrak et al., 2010, Fisler et al., 2005, Hu et al., 2013) use binary decision diagrams (BDD) and multi-terminal binary decision diagrams (MTBDD) as the underlying representation of XACML policies and, in general, access control policies. The nodes of a decision diagram are used to represent Boolean variables encoding the attribute-value pairs in the policy. The
Conclusion
In this paper, we have presented a formal framework for the analysis of XACML policies that supports the verification of a wide variety of well-known security properties. Our framework differs from existing approaches in that it uses SMT as the underlying reasoning mechanism. In particular, it reduces XACML policy analysis problems to SMT problems and uses a state-of-the-art SMT solver for solving such problems. The main advantage of SMT compared to other reasoning techniques lies in the ability
Acknowledgments
This work has been funded by the ITEA2 project M2MGrids (13011) and the Dutch national program COMMIT under the THeCS project.
References
- et al. Satisfiability Solvers.
- Complexity, convexity and combinations of theories. Theor. Comput. Sci. (1980).
- et al. Representing and reasoning about web access control policies.
- et al. Sophisticated access control via SMT and logical frameworks. ACM Trans. Inform. Syst. Secur. (2014).
- et al. Automated and efficient analysis of role-based access control with attributes.
- et al. Efficient comparison of enterprise privacy policies.
- et al. BRESAP: a policy reasoner for processing spectrum access policies represented by binary decision diagrams.
- Balana: Open source XACML 3.0 implementation, ...
- et al. Satisfiability modulo theories.
- et al. Symbolic model checking using SAT procedures instead of BDDs.
- Efficient theory combination via Boolean search. Inform. Comput.
- IBM Tivoli Security Policy Manager. IBM Redbooks.
- Automatic verification of pipelined microprocessor control.
- PTaCL: a language for attribute-based access control in open systems.
- On missing attributes in access control: non-deterministic and probabilistic attribute retrieval.
- Z3: an efficient SMT solver.
- An authorization service for collaborative situation awareness.
- A mathematical introduction to logic.
- Verification and change-impact analysis of access-control policies.
- Complete instantiation for quantified formulas in satisfiability modulo theories.
- Discovery and resolution of anomalies in web access control policies. IEEE Trans. Dependable Secure Comput.
- Automated verification of access control policies using a SAT solver. Int. J. Softw. Tools Technol. Transf.
- Alloy: a lightweight object modelling notation. ACM Trans. Softw. Eng. Methodol.
- SAFAX – an extensible authorization service for cloud environments. Front. ICT.
Fatih Turkmen received his Ph.D. from the University of Trento and is currently a postdoctoral researcher at University of Amsterdam. He conducts research on specification, analysis and enforcement of security policies pertinent to distributed systems.
Jerry den Hartog received his Ph.D. in 2002 at the Vrije Universiteit Amsterdam and has been an Assistant Professor at the Technical University of Eindhoven since 2008. Focusing on trustworthy collaborative systems, his research interests include distributed access control and network monitoring.
Silvio Ranise has been a senior researcher at Fondazione Bruno Kessler since 2010. Before that, he held a research position at INRIA in France and was a visiting professor at the University of Milan, Italy. His research focuses on security policy modeling, specification, analysis, and enforcement.
Nicola Zannone received his Ph.D. in 2007 at the University of Trento. Since 2016 he has been an Associate Professor in the Security group at the Technical University of Eindhoven. His research interests include computer security, data protection, access control and formal methods.