Command Dependencies in Heuristic Safety Analysis of Access Control Models

  • Conference paper
  • Conference: Foundations and Practice of Security (FPS 2019)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12056)

Abstract

The principal merits of access control models lie in the ability to precisely reason about their security properties in the lineage of the safety problem. It formalizes the question whether future changes in a model's protection state may eventually violate a security requirement, thereby falsifying model correctness. One fundamental problem of safety analysis is that, as proven in the seminal HRU model calculus, this property is undecidable for the most expressive class of models. To tackle this problem in practical security engineering, a heuristic approach has proven useful that exploits the fact that model commands share dependencies, which are assumed to be (1) one-dimensional and (2) static. In complex models for modern application domains, such as type enforcement in operating systems, neither assumption can be made. This paper studies both problems and provides a heuristic solution approach for the problem of dynamic dependencies. Based on our heuristic, we demonstrate the practical impact of this analysis problem and discuss the general implications for model design and analysis strategies.


Notes

  1. To formally comply with set algebra, we treat mappings equally to relations.

  2. We use the Kleene operator to indicate that multiple parameters may be passed.

  3. For the sake of a more concise discussion, we ignore the SELinux concept of entrypoints.

  4. Note that “spam” is a right value, not a variable.

  5. All right variables not assigned in this step may be randomly assigned with values.

  6. The runtime is also influenced by the number of right variables (\(|X_\textsf{PRE} \cup X_\textsf{POST}|\)). However, for a static set R, this means that \(\forall c \in \varSigma_c : |c.X_\textsf{PRE}| \le |R|\) (analogously for \(c.X_\textsf{POST}\)). Therefore this impact can be assumed to be constant.

  7. Note that this implication of the command classification holds for HRU\(^\star\) only.

  8. A machine with an Intel i5 CPU at 2.90 GHz and 8 GB RAM was used.


Author information

Correspondence to Peter Amthor.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Amthor, P., Rabe, M. (2020). Command Dependencies in Heuristic Safety Analysis of Access Control Models. In: Benzekri, A., Barbeau, M., Gong, G., Laborde, R., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2019. Lecture Notes in Computer Science, vol 12056. Springer, Cham. https://doi.org/10.1007/978-3-030-45371-8_13

  • DOI: https://doi.org/10.1007/978-3-030-45371-8_13
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-45370-1
  • Online ISBN: 978-3-030-45371-8
  • eBook Packages: Computer Science, Computer Science (R0)