
    Towards Automatic Repair of XACML Policies

    In a complex information system, controlling access to resources is challenging. As a new generation of access control techniques, Attribute-Based Access Control (ABAC) can provide more flexible and fine-grained access control than Role-Based Access Control (RBAC). XACML (eXtensible Access Control Markup Language) is an industrial standard for specifying ABAC policies. XACML policies tend to be complex because of the great variety of attribute types used for fine-grained access control, which means that XACML policies are prone to errors and difficult to debug. This paper presents a first attempt at automating the debugging of XACML policies. Two techniques are used for this purpose: fault localization and mutation-based policy repair. Fault localization produces an ordered list of suspicious policy elements by correlating the test results with the test coverage information. Mutation-based policy repair searches for potential fixes by mutating suspicious policy elements with predefined mutation operators. Empirical studies show that the proposed approach is able to repair various faulty XACML policies with one or two seeded faults. Among the scoring methods for fault localization studied in the experiment, Naish2 and CBI-Inc are the most efficient.

    Accessible Access Control: A Visualization System for Access Control Policy Management

    Attacks on computers today come in many different forms, causing malfunction of operating systems, information leakage, and loss of business and public trust. Access control is a technique that stands as the last line of protection, restricting the access of users or processes to resources on computers. Throughout the years, many access control models have been implemented to accommodate security requirements under different circumstances. However, learning access control models and managing access control policies are still challenging given their abstract nature, the lack of an environment for practice, and the intricacy of fulfilling complex security goals. These problems seriously reduce the usability of access control models. In this dissertation, we present a set of pedagogical systems that facilitate the teaching and studying of access control models, and a visualization system that aids the authoring and analysis of access control policies. These systems are designed to tackle the usability problems in two steps. First, the pedagogical systems were designed for new learners to overcome the obstacles of learning access control and the lack of a practice environment at the very beginning. Contrary to the traditional lecture and on-paper homework method, the tool allows users to write or import a policy file, follow the visual steps to understand the concepts and access mechanisms of a model, and conduct self-evaluation through Quiz and Query modules. Each of the four systems is specifically designed for one model: Domain Type Enforcement, Multi-Level Security, Role-Based Access Control, or UNIX permissions. Through these systems, users are able to take an active role in exploring the effect of a policy while the underlying operating system remains safe and intact. Second, writing and evaluating the effect of a policy can also be challenging and tedious, even for security professionals, when there are thousands of lines of rules.
We believe that writing an access control policy should not include the complexity of learning a new language, and managing the policies should never be manual when automatic examination could take its place. In the aspect of policy writing, the visualization system keeps the smallest number of key elements for specifying a rule: user, object, and action. They describe the active entity who takes the action, the file or directory to which the action is applied, and the type of access allowed, respectively. Because of its simple form, without requiring the learning of a programming-like language, we hope that specifying policies using our language can be accomplished effortlessly not only by security professionals but also by anyone who is interested in access control. Moreover, policies are often left unexamined when deployed. This is similar to releasing a program that was untested and could lead to dangerous results. Therefore, the visualization system provides ways to explore and analyze access control policies to help confirm the effect of the policies. Through interactive textual and graphical illustrations, users can specify the accesses to check and be notified when problems exist.

    A Prototype for Transforming Role-Based Access Control Models

    Role-based access control is a widely used mechanism in computer systems: it ensures security by restricting resource access to only those system users who hold the corresponding rights. RBAC solutions can be engineered with the aid of modelling languages such as SecureUML and UMLsec, which both present the system design from different viewpoints. Creating multiple coherent models, however, may turn out to be a non-trivial and time-consuming task. This, in turn, may dramatically lessen the motivation to create role-based access control models at all. As a solution to this problem, developers could be provided with a software tool that takes a model in one language as input and transforms it into a model in the other. The transformed model, however, would not be complete, since the two languages are used to represent somewhat different information. The aim of such a tool would be to diminish the need to copy information manually when creating a second model. In this thesis, a prototype tool is developed that enables the transformation of a SecureUML model into a UMLsec model and vice versa. The tool is implemented in the Java programming language as a plug-in to the professional UML modelling tool MagicDraw. Menu items are added to the application which trigger the transformations: information is collected from a model in the UMLsec or SecureUML language and, based on that, a new model in the other language is created. As an additional function, completeness checks are developed for both models to inform the user whether all necessary language elements are present. They are meant to guide the user in improving the transformed model, since some information is known to be absent from the new model after a transformation.
Another additional component is support for manipulating UMLsec association tags, which are an integral part of transformations between the SecureUML and UMLsec languages. The documentation (requirements analysis, code documentation and user manual) is also provided in this thesis and is intended to contribute to the further development as well as the understanding of the prototype.

    Towards Model-Driven Development of Access Control Policies for Web Applications

    We introduce a UML-based notation for graphically modeling systems' security aspects in a simple and intuitive way, and a model-driven process that transforms graphical specifications of access control policies into XACML. These XACML policies are then translated into FACPL, a policy language with a formal semantics, and the resulting policies are evaluated by means of a Java-based software tool.

    On Properties of Policy-Based Specifications

    The advent of large-scale, complex computing systems has dramatically increased the difficulty of securing access to systems' resources. To ensure confidentiality and integrity, the exploitation of access control mechanisms has thus become a crucial issue in the design of modern computing systems. Among the different access control approaches proposed in the last decades, the policy-based one makes it possible to capture, through the concept of attribute, all of a system's security-relevant information while being, at the same time, sufficiently flexible and expressive to represent the other approaches. In this paper, we move a step further in understanding the effectiveness of policy-based specifications by studying how they make it possible to enforce traditional security properties. To support system designers in developing and maintaining policy-based specifications, we also formalise some relevant properties regarding the structure of policies. By means of a case study from the banking domain, we present real instances of such properties and outline an approach towards their automated verification.
    Comment: In Proceedings WWV 2015, arXiv:1508.0338

    Towards alignment of architectural domains in security policy specifications

    Large organizations need to align the security architecture across three different domains: access control, network layout and physical infrastructure. Security policy specification formalisms are usually dedicated to only one or two of these domains. Consequently, more than one policy has to be maintained, leading to alignment problems. Approaches from the area of model-driven security make it possible to create graphical models that span all three domains, but these models do not scale well in real-world scenarios with hundreds of applications and thousands of user roles. In this paper, we demonstrate the feasibility of aligning all three domains in a single enforceable security policy expressed in a Prolog-based formalism by using the Law Governed Interaction (LGI) framework. Our approach alleviates the limitations of domain-specific policy formalisms while helping to reach scalability through the automatic enforcement provided by LGI.