Verification and Change-Impact Analysis of Access-Control Policies
Kathi Fisler, Shriram Krishnamurthi, Leo Meyerovich, and Michael Tschantz, ICSE’05
Presented by Barry Demchak, CSE 294, Winter 2006



Slide 2: Background – Data and Privilege Management

Checkpoint Financial exposed 163,000 records in 2005. Penalty: $15M

Ameriprise exposed 226,000 records this week

California SB1386, effective July 2003, requires disclosure

Slide 3: Background – Policy Objectives

Allow access only to proper parties under proper conditions

Deny access to those that should not have it

Slide 4: Background – Economics of Scale

One-size-fits-all applications (security-neutral)

Tracking increasing subjects/resources/actions needs automation

Tracking interactions seems hopeless

Tracking exceptions seems hopeless

Slide 5: Background – Economics of Scale

[chart: Complexity and Budget $ plotted against Time]

Slide 6: Background – XACML Proposition

Common language to express policies

Hierarchy of definition to match hierarchy of organization

Disconnect policies from mainstream application design (separation of concerns)

Model to specify policies, query access, and results

Vendor-neutral mechanisms

Slide 7: Background – User Requirements

Writing, Reviewing, Testing, Approving, Deploying, Combining, Analyzing, Modifying, Withdrawing, Retrieving, Enforcing

Slide 8: Background – Basic Construction

Rule: {subject}* {action}* {resource}* {conditional}*

Rules are combined to make policies

Policies are combined to make policy sets

Slide 10: Background – Basic Construction

Policy: Target, Rule combining algorithm, {rules}*, {obligations}*

Slide 11: Background – Basic Flow

1. Application creates XACML-based query
2. Application chooses {policy}*
3. XACML engine compares query to {policy}* and produces reply: Permit, Deny, or Inapplicable
4. Application fulfills {obligations}*

Slide 13: Background – Engine Capabilities

Combining rules (first applicable, only-one applicable, etc.)

Multiple subjects

Subject and resource attributes (e.g., LDAP-maintained)

Multi-valued attributes

Operator library

XQuery conditionals

Slide 14: Background – Policy Distribution

Policies are stored in databases or anywhere else

Policies apply to a particular target (subjects, actions, resources)

Engine can fetch multiple policies to evaluate

Slide 15: Background – Covenant

Policies contain obligations that applications must: promise to understand; act on when Permit is returned

Slide 16: Background – Trivial Policy Example

Allow any subject to perform any action on any resource so long as the domain name is medico.com

Slides 17–23: the trivial policy (Header, Description, Target, Rule Header, Rule Description, Rule Target, Rule End)

    <?xml version="1.0" encoding="UTF-8"?>
    <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy
                                http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-policy-01.xsd"
            PolicyId="identifier:example:SimplePolicy1"
            RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
      <Description>
        Medi Corp access control policy
      </Description>
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <AnyResource/>
        </Resources>
        <Actions>
          <AnyAction/>
        </Actions>
      </Target>
      <Rule RuleId="urn:oasis:names:tc:xacml:1.0:example:SimpleRule1"
            Effect="Permit">
        <Description>
          Any subject with an e-mail name in the medico.com domain
          can perform any action on any resource.
        </Description>
        <Target>
          <Subjects>
            <Subject>
              <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
                <SubjectAttributeDesignator
                    AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                    DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
                <AttributeValue
                    DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">medico.com</AttributeValue>
              </SubjectMatch>
            </Subject>
          </Subjects>
          <Resources>
            <AnyResource/>
          </Resources>
          <Actions>
            <AnyAction/>
          </Actions>
        </Target>
      </Rule>
    </Policy>

Slide 24: Background – Trivial Query Example

[email protected] (a subject in the simpsons.com domain) wants to read /medico/record/patient/BartSimpson

Slides 25–26: the trivial query (Header, Subject, Resource, Action, Query End)

    <?xml version="1.0" encoding="UTF-8"?>
    <Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
                                 http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">
      <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
          <!-- the local part of the address is redacted in the source; the domain is simpsons.com -->
          <AttributeValue>[email protected]</AttributeValue>
        </Attribute>
      </Subject>
      <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:ufspath"
                   DataType="http://www.w3.org/2001/XMLSchema#anyURI">
          <AttributeValue>/medico/record/patient/BartSimpson</AttributeValue>
        </Attribute>
      </Resource>
      <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
          <AttributeValue>read</AttributeValue>
        </Attribute>
      </Action>
    </Request>

Slide 27: Background – Trivial Response Example

Response: Not Applicable (the subject is not in the medico.com domain, so the only rule does not apply)

    <?xml version="1.0" encoding="UTF-8"?>
    <Response xmlns="urn:oasis:names:tc:xacml:1.0:context"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
                                  http://www.oasis-open.org/tc/xacml/1.0/cs-xacml-schema-context-01.xsd">
      <Result>
        <Decision>NotApplicable</Decision>
      </Result>
    </Response>
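Step 3 of the Basic Flow (slide 11), worked for the trivial policy, query and response above, as an added example constructed here (it is not code from the slides or from the OASIS specification). It models SimplePolicy1 as a small data structure rather than parsing the XML, implements rfc822Name-match as XACML 1.0 specifies it, and uses a constructed address for the redacted simpsons.com subject.

```python
# Added example (constructed here, not from the slides or the OASIS spec): evaluates the
# slides' SimplePolicy1 against a request, using rfc822Name-match as specified in XACML 1.0.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

def rfc822name_match(pattern, name):
    """XACML 1.0 rfc822Name-match. A pattern containing '@' must equal the whole name (local
    part case-sensitive, domain case-insensitive); '.example.com' matches any sub-domain of
    it; a bare 'example.com' matches exactly that domain, case-insensitively."""
    local, _, domain = name.partition("@")
    if "@" in pattern:
        p_local, _, p_domain = pattern.partition("@")
        return local == p_local and domain.lower() == p_domain.lower()
    if pattern.startswith("."):
        return domain.lower().endswith(pattern.lower())
    return domain.lower() == pattern.lower()

# SimplePolicy1 from the slides: the policy target is AnySubject/AnyResource/AnyAction, and
# its single rule permits any subject whose subject-id matches "medico.com".
SIMPLE_POLICY1 = {
    "rule_combining": "deny-overrides",
    "rules": [{"subject_match": (SUBJECT_ID, "medico.com"), "effect": PERMIT}],
}

def evaluate(policy, request):
    """Return the Decision for a request given as {AttributeId: value}. The policy target
    matches every request, so only the rule targets decide the outcome."""
    effects = set()
    for rule in policy["rules"]:
        attr_id, pattern = rule["subject_match"]
        if attr_id in request and rfc822name_match(pattern, request[attr_id]):
            effects.add(rule["effect"])
    if DENY in effects:                      # deny-overrides combining
        return DENY
    return PERMIT if PERMIT in effects else NA

# Constructed stand-ins for the slides' query (whose e-mail address is redacted there).
BART_REQUEST = {SUBJECT_ID: "bart@simpsons.com",
                "urn:oasis:names:tc:xacml:1.0:resource:ufspath": "/medico/record/patient/BartSimpson",
                "urn:oasis:names:tc:xacml:1.0:action:action-id": "read"}
MEDICO_REQUEST = dict(BART_REQUEST, **{SUBJECT_ID: "nurse@MEDICO.com"})

if __name__ == "__main__":
    print("simpsons.com subject:", evaluate(SIMPLE_POLICY1, BART_REQUEST))   # NotApplicable
    print("medico.com subject:  ", evaluate(SIMPLE_POLICY1, MEDICO_REQUEST))  # Permit
```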

Slide 28: Background – Threat Model

Operating environment responsible for: Authentication; Communications security

… for: Policies; Query engine execution; Client

Slide 29: Margrave

(markgraf in German)

A lord or keeper of borders: a medieval access control manager

Slide 30: Objectives

Detect ill-formed or inconsistent policies

Identify differences between policy generations

Slide 31: Observations (relative to straight coding)

Policy implementations are often scattered across modules

Sharing/changing policies is hard and sometimes subtle

Offloading access control logic reduces complexity for automated program checkers

Slide 32: Observations (relative to straight coding)

Automated reasoning about policies is hard and is not amenable to automated program checking

Testing isn’t exhaustive … the testing cost model is out of whack relative to the security breach cost model

Slide 33: Contribution

Verification system checks policies against properties

Change impact analyzer

Slide 34: Issues

Visualization of XACML policies

Visualization of properties

Visualization of policy diffs

Expanding Margrave to cover more of XACML

Slide 35: Basic Verification - Properties

Margrave adds properties: a logical predicate involving subjects, actions, and resources

Consider a policy Pol1: “Requests for Students to Receive ExternalGrades, and for Faculty to Assign and View both InternalGrades and ExternalGrades, will succeed.”

Consider a property Pr1: “There do not exist members of Student who can Assign ExternalGrades.”

The verifier will accept Pol1/Pr1 because Pr1 doesn’t address any part of Pol1.

Slide 36: Basic Verification - Properties

Consider a policy Pol1: “Requests for Students to Receive ExternalGrades, and for Faculty to Assign and View both InternalGrades and ExternalGrades, will succeed.”

Consider a property Pr2: “All members of Faculty can Assign both InternalGrades and ExternalGrades”.

The verifier will accept Pol1/Pr2 because Pr2 affirms Pol1.

Slide 37: Basic Verification - Properties

Consider a policy Pol1: “Requests for Students to Receive ExternalGrades, and for Faculty to Assign and View both InternalGrades and ExternalGrades, will succeed.”

Consider a property Pr3: “No member of Faculty can View ExternalGrades.”

The verifier will reject Pol1/Pr3 because Pr3 conflicts with Pol1.

Slide 38: Representation of Policies

Policies are represented as MTBDDs (multi-terminal binary decision diagrams)

Slide 39: Representation of Policies

MTBDDs are constructed according to a fixed ordering of the variables (easy comparison)

MTBDDs maximally share subtrees

MTBDDs collapse irrelevant variables (where all transitions are to the same node)

Slide 40: Operations on MTBDDs

MTBDDs are created for individual rules and then merged to create policies according to the policy’s rule combining algorithms

Combining MTBDDs starts at the top of both MTBDDs and executes a brief recursive algorithm

Environmental constraints (e.g., “no Faculty is also a Student”) get combined in a similar way

Slide 41: Operations on MTBDDs

Slide 42: Implementation

Built on PLT Scheme

Properties are hand-assembled in Scheme

A pseudo-code implementation of checking “A student can assign ExternalGrades”:

Slide 43: Implementation

Produces error reports (line 11 masked with line 9 shows the properties that caused a violation … i.e., a counter-example)

Slide 44: Implementation

Produces change analyses (N->P means non-applicable->Permit)
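The three property checks of slides 35–37, the environmental constraint of slide 40 and the N->P change report of slide 44, worked as one added Python model (constructed here; it is not Margrave's Scheme code). It assumes each request names exactly one action and one resource, adds a hypothetical next policy generation Pol2 that also lets Students Assign ExternalGrades, and enumerates the request space directly instead of building an MTBDD.

```python
from itertools import product
# Added example modelling the Pol1/Pr1-Pr3 slides (constructed; not Margrave's own code).
# As in Margrave's MTBDD encoding, a request is a truth assignment to attribute variables.
ROLES = ("Student", "Faculty")
ACTIONS = ("Receive", "Assign", "View")
RESOURCES = ("InternalGrades", "ExternalGrades")
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
SHORT = {PERMIT: "P", DENY: "D", NA: "N"}  # labels used in the change report, as on the slides

# A rule is (variables that must all be true, effect). Pol1 from the slides:
# Students may Receive ExternalGrades; Faculty may Assign and View both kinds of grades.
POL1 = [
    ({"Student", "Receive", "ExternalGrades"}, PERMIT),
    ({"Faculty", "Assign", "InternalGrades"}, PERMIT),
    ({"Faculty", "Assign", "ExternalGrades"}, PERMIT),
    ({"Faculty", "View", "InternalGrades"}, PERMIT),
    ({"Faculty", "View", "ExternalGrades"}, PERMIT),
]
# Hypothetical next policy generation: a rule that also lets Students Assign ExternalGrades.
POL2 = POL1 + [({"Student", "Assign", "ExternalGrades"}, PERMIT)]

def decide(policy, request):
    """deny-overrides combining: a firing Deny wins, else a firing Permit, else NotApplicable."""
    effects = {effect for needed, effect in policy if needed <= request}
    return DENY if DENY in effects else PERMIT if PERMIT in effects else NA

def env_ok(request):
    """Environmental constraint from the slides: no Faculty member is also a Student."""
    return not {"Student", "Faculty"} <= request

def requests(env=env_ok):
    """Requests that env allows, with exactly one action and one resource (this example's assumption)."""
    variables = ROLES + ACTIONS + RESOURCES
    reqs = (frozenset(v for v, b in zip(variables, bits) if b)
            for bits in product((False, True), repeat=len(variables)))
    return [r for r in reqs
            if len(r & set(ACTIONS)) == 1 and len(r & set(RESOURCES)) == 1 and env(r)]

def check(policy, prop, env=env_ok):
    """Verify prop(request, decision) on every request; returns counter-examples ([] = accepted)."""
    return [r for r in requests(env) if not prop(r, decide(policy, r))]

def change_impact(old, new, env=env_ok):
    """Group requests whose decision differs between two policy generations, keyed like 'N->P'."""
    report = {}
    for r in requests(env):
        before, after = decide(old, r), decide(new, r)
        if before != after:
            report.setdefault(f"{SHORT[before]}->{SHORT[after]}", []).append(r)
    return report

def pr1(r, d):  # Pr1: there is no member of Student who can Assign ExternalGrades
    return not (d == PERMIT and {"Student", "Assign", "ExternalGrades"} <= r)

def pr2(r, d):  # Pr2: all members of Faculty can Assign both InternalGrades and ExternalGrades
    return d == PERMIT or not {"Faculty", "Assign"} <= r

def pr3(r, d):  # Pr3: no member of Faculty can View ExternalGrades
    return not (d == PERMIT and {"Faculty", "View", "ExternalGrades"} <= r)

if __name__ == "__main__":
    for name, prop in (("Pr1", pr1), ("Pr2", pr2), ("Pr3", pr3)):
        print(name, "accepted" if not check(POL1, prop) else "rejected", check(POL1, prop))
    print("Pr1 without env constraint:", check(POL1, pr1, env=lambda r: True))
    print("change impact Pol1 -> Pol2:", change_impact(POL1, POL2))
```

Dropping the environmental constraint is what makes Pr1 fail: a subject holding both roles is permitted to Assign ExternalGrades through the Faculty rule.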

Slide 45: Performance

Parsing a policy having 50 variables and 1268 nodes took 2050ms on a desktop computer

Checking 12 properties was too quick to measure

Memory consumption was 316KB

On another test, a compare took 2ms and produced a tree containing 1133 nodes taking 16KB

Slide 46: Alternatives

SELinux (Security-enhanced Linux) produces BDDs, but they are oriented toward determining information flow in a traditional model-checker activity

A complete solution would use both Margrave and information flow analysis

Slide 47: Deficiencies

Visualization (obviously)

Cannot reason about data values

Does not process complete XACML

Slide 48: Conclusions

Margrave is a work in progress

XACML and Margrave are about managing complexity through separation of concerns

Margrave adds the concept of properties to verify policies

Margrave compares policies, which enables incremental validation

Slide 49: References

Verification and Change-Impact Analysis of Access-Control Policies, by Kathi Fisler, Shriram Krishnamurthi, Leo Meyerovich, and Michael Tschantz, ICSE’05

OASIS eXtensible Access Control Markup Language (XACML), http://www.oasis-open.org/committees/xacml/repository/cs-xacml-specification-01-1.pdf, December 2002