Verification and change-impact analysis of access-control policies

Fisler, Kathi; Krishnamurthi, Shriram; Meyerovich, Leo A.; Tschantz, Michael Carl

doi:10.1145/1062455.1062502

Cited by 246 publications

(148 citation statements)

References 28 publications

Supporting

Mentioning

147

Contrasting

Order By: Relevance

“…Such methods are often based on formally specifying system requirements or design, including security aspects, then either generating the system or verifying that the system (or a model of the system) conforms to the specification. Notable examples of this approach include Event-B [44] (in which systems are generated from Event-B specifications); Secure Tropos [45], which extends the Tropos [46] agent-oriented software development method with security-related models and activities; UMLSec [47]; various approaches for specifying and analyzing security protocols, access control policies and other system properties [48,49,50,51,52,53].…”

Section: Related Workmentioning

confidence: 99%

An advanced approach for modeling and detecting software vulnerabilities

Shahmehri

Mammar

et al. 2012

Information and Software Technology

View full text Add to dashboard Cite

Context. Passive testing is a technique in which traces collected from the execution of a system under test are examined for evidence of flaws in the system.Objective. In this paper we present a method for detecting the presence of security vulnerabilities by detecting evidence of their causes in execution traces. This is a new approach to security vulnerability detection.Method. Our method uses formal models of vulnerability causes, known as security goal models and vulnerability detection conditions (VDCs). The former are used to identify the causes of vulnerabilities and model their dependencies, and the latter to give a formal interpretation that is suitable for vulnerability detection using passive testing techniques. We have implemented modeling tools for security goal models and vulnerability detection conditions, as well as TestInv-Code, a tool that checks execution traces of compiled programs for evidence of VDCs.Results. We present the full definitions of security goal models and vulnerability detection conditions, as well as structured methods for creating both. We describe the design and implementation of TestInv-Code. Finally we show results obtained from running TestInv-Code to detect typical vulnerabilities in several open source projects. By testing versions with known vulnerabilities, we can quantify the effectiveness of the approach.Conclusion. Although the current implementation has some limitations, passive testing for vulnerability detection works well, and using models as the basis for testing ensures that users of the testing tool can easily extend it to handle new vulnerabilities.

show abstract

Section: Related Workmentioning

confidence: 99%

An advanced approach for modeling and detecting software vulnerabilities

Shahmehri

Mammar

et al. 2012

Information and Software Technology

View full text Add to dashboard Cite

show abstract

“…Existing approaches to the policy similarity analysis are mostly based on graph, model checking or SAT-solver techniques [1,3,8,13,16,19]. Koch et al [13] use graph transformations to represent policy change and integration, which may be used to detect differences among policies.…”

Section: Related Work On Policy Analysismentioning

confidence: 99%

“…A more practical approach is by Fisler et al [8], who have developed a software tool known as Margrave for the analysis of role-based access-control policies in XACML. Margrave represents policies using the Multi-Terminal Binary Decision Diagram (MTBDD), which can explicitly represent all variable assignments that satisfy a Boolean expression and hence provides a good representation for the relationships among policies.…”

Section: Related Work On Policy Analysismentioning

confidence: 99%

“…The main task of the PSA module is to determine all variable assignments that can satisfy the Boolean formulae corresponding to one or more policies, and also variable assignments that lead to different decisions for different policies. The basic idea is to combine functionalities of the policy ratification technique [1] and MTBDD technique [8] by using a divide-and-conquer strategy. Figure 3 shows the architecture of PSA.…”

Section: Architecture Of Psamentioning

confidence: 99%

“…2.2). Common limitations concern: policy conditions, in that only policies with simple conditions can be analyzed [8]; and relationship characterization, in that for example one can only determine whether two policies authorize some common request, but no characterization of such request is provided.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

EXAM: a comprehensive environment for the analysis of access control policies

Lin

Rao

Bertino

et al. 2010

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Policy integration and inter-operation is often a crucial requirement when parties with different access control policies need to participate in collaborative applications and coalitions. Such requirement is even more difficult to address for dynamic large-scale collaborations, in which the number of access control policies to analyze and compare can be quite large. An important step in policy integration and inter-operation is to analyze the similarity of policies. Policy similarity can sometimes also be a pre-condition for establishing a collaboration, in that a party may enter a collaboration with another party only if the policies enforced by the other party match or are very close to its own policies. Existing approaches to the problem of analyzing and comparing access control policies are very limited, in that they only deal with some special cases. By recognizing that a suitable approach to the policy analysis and comparison requires combining different approaches, we propose in this paper a comprehensive environment-EXAM. The environment supports various types of analysis query, which we categorize in the paper. A key component of such environment, on which we focus in the paper, is the policy analyzer able to perform several types of analysis. Specifically, our policy analyzer combines the advantages of existing MTBDD-based and SAT-solver-based techniques. Our experimental results, also reported in the paper, demonstrate the efficiency of our analyzer.

show abstract

Reasoning about security in sensor networks

Peralta

Mukhopadhyay

Bharadwaj

2015

Concurrency and Computation

View full text Add to dashboard Cite

Summary We present a formal framework for reasoning about security concerns in the context of embedded sensor networks. We first provide an agent‐based programming model for sensor networks. A logical framework enables reasoning about security, safety, and integrity with respect to usage of resources in this model. Embedded sensor networks often operate in rapidly changing mission‐critical environments where both functional and nonfunctional requirements can alter dynamically in an unforeseen manner. The network may need to be reconfigured and reprogrammed in response to changes in its operating conditions. We provide a framework based on counterfactual logic to formally represent changes to the system and perform what‐if reasoning about their impact on security and safety even before they have been applied. Copyright © 2015 John Wiley & Sons, Ltd.

show abstract

Verification and change-impact analysis of access-control policies

Cited by 246 publications

References 28 publications

An advanced approach for modeling and detecting software vulnerabilities

An advanced approach for modeling and detecting software vulnerabilities

EXAM: a comprehensive environment for the analysis of access control policies

Reasoning about security in sensor networks

Contact Info

Product

Resources

About