You are viewing a javascript disabled version of the site. Please enable Javascript for this site to function properly.
Go to headerGo to navigationGo to searchGo to contentsGo to footer
In content section. Select this link to jump to navigation

Synthesising verified access control systems through model checking

Article type: Other

Authors: Zhang, Nana | Ryan, Marka; * | Guelev, Dimitar P.b

Affiliations: [a] School of Computer Science, University of Birmingham. E-mail: [email protected], [email protected] | [b] Institute of Mathematics and Informatics, Bulgarian Academy of Sciences. E-mail: [email protected]

Correspondence: [*] Corresponding author: Mark Ryan, School of Computer Science, University of Birmingham, Birmingham B15 2TT, UK. Tel.: +44 121 414 7361; Fax: +44 121 414 4281. E-mail: M.D.Ryan@ cs.bham.ac.uk

DOI: 10.3233/JCS-2008-16101

Journal: Journal of Computer Security, vol. 16, no. 1, pp. 1-61, 2008

Published: 1 January 2008
Get PDF

Abstract

We present a framework for evaluating and generating access control policies. The framework contains a modelling formalism called RW, which is supported by a model checking tool. RW is designed for modelling access control policies, and verifying their properties. The RW language is very expressive, allowing us to model complex access conditions which can depend on data values, other permissions, and agent roles.

A property expresses the capability of a coalition of agents to achieve a goal, which may include reading and overwriting certain information. Given a model built based on a policy and a property, the model-checking algorithm decides whether the goal defined by the property is achievable by the coalition within the permissions the policy provides. In the case that the goal is achievable, the algorithm outputs strategies which may be used by the coalition to achieve the goal.

The unachievability of legitimate goals may suggest that the policy does not provide the users enough permissions to carry out their actions. The achievability of malicious goals may reveal certain security holes in the policy. When malicious goals are achievable, the resulting strategies help to provide clues on amending the policy. The tool implements the algorithm and thus performs the RW model-checking. It can also convert a policy written in the RW language into a policy file in XACML. An access control system can then be built on the converted policy file.

Show more