Presentation is loading. Please wait.

Presentation is loading. Please wait.

Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown.

Published byConor Gurney Modified over 9 years ago

Similar presentations

Presentation on theme: "Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown."— Presentation transcript:

1 Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown

2 Running Example Roles: Faculty, Student Resources: InternalGrades, ExternalGrades Actions: Assign, View, Receive

3 Properties 1.There do not exist members of Student who can Assign ExternalGrades 2.Faculty can Assign both InternalGrades and ExternalGrades 3.No combination of roles exists whose user can both Receive and Assign ExternalGrades

4 Policy 1 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed

5 Policy 1, Properties 1-3 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed 1.There do not exist members of Student who can Assign ExternalGrades 2.Faculty can Assign both InternalGrades and ExternalGrades 3.No combination of roles exists whose user can both Receive and Assign ExternalGrades

6 Output Error! Counterexample: Student simultaneously requests to –Receive ExternalGrade –Assign ExternalGrade XACML: attributes represent sets

7 Policy 2 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed Attributes for action and requested resources are constrained as singletons

8 Policy 2, Properties 1-3 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed Attributes for action and requested resources are constrained as singletons 1.There do not exist members of Student who can Assign ExternalGrades 2.Faculty can Assign both InternalGrades and ExternalGrades 3.No combination of roles exists whose user can both Receive and Assign ExternalGrades

9 Output Error! Counterexample: Faculty - Student requests … But a Faculty isn’t also a Student

10 Policy 3 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students

11 Policy 3, Properties 1-3 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students 1.There do not exist members of Student who can Assign ExternalGrades 2.Faculty can Assign both InternalGrades and ExternalGrades 3.No combination of roles exists whose user can both Receive and Assign ExternalGrades

12 Output Success!

13 Policy 4 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed TAs have the same privileges as Faculty Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students

14 Policy 4, Properties 1-3 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed TAs have the same privileges as Faculty Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students 1.There do not exist members of Student who can Assign ExternalGrades 2.Faculty can Assign both InternalGrades and ExternalGrades 3.No combination of roles exists whose user can both Receive and Assign ExternalGrades

15 Output Error! Counterexample: Student - TA can Assign ExternalGrades Student - TA is not a Faculty TAs are tricky!

16 Policy 5 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed TAs can View and Assign InternalGrades but not ExternalGrades Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students

17 Policy 5, Properties 1-3 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed TAs can View and Assign InternalGrades but not ExternalGrades Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students 1.There do not exist members of Student who can Assign ExternalGrades 2.Faculty can Assign both InternalGrades and ExternalGrades 3.No combination of roles exists whose user can both Receive and Assign ExternalGrades

18 Output Success!

19 Policy 6 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed TAs can View and Assign InternalGrades but not ExternalGrades FacultyFamily can Receive ExternalGrades Singleton and disjointness constraints

20 Policy 6, Properties 1-3 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed TAs can View and Assign InternalGrades but not ExternalGrades FacultyFamily can Receive ExternalGrades Singleton and disjointness constraints 1.There do not exist members of Student who can Assign ExternalGrades 2.Faculty can Assign both InternalGrades and ExternalGrades 3.No combination of roles exists whose user can both Receive and Assign ExternalGrades

21 Output Error! Counterexample: Faculty can Assign ExternalGrades FacultyFamily can Receive ExternalGrades The same person generates both

22 Design Flow Verification catches subtle corner-cases Testing without the test cases: property represents a set of test cases The disadvantage is usually cost (there’s another one we’ll get to later…)

23 Performance Parsing: 355ms (cold cache) – 70ms (warm) Longest verification: 10ms; most were faster than timer could measure Memory: baseline of 4.7Mb, no increase [Athlon XP 1800+, 1.5GHz, 512Mb]

24 Implementation

25 Multi-Terminal Decision Diagrams Faculty (f) can assign (a) grades (g) Students (s) can receive (r) grades (g)

26 Rules and Rule Combination

27 Constraints Represented by boolean expressions Easy to combine booleans with MTDDs Adds new terminal: EC (Excluded by Constraint)

28 Properties?!?

29 Policies Without Properties Working policy P 1 Modified policy P 2 Testing reveals intended change But…

30 Policy 4 – Policy 3 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed TAs have the same privileges as Faculty Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students

31 Output Eight combinations grant access Four involve ExternalGrades Adding TAs should not have affected this!

32 Policy 5 – Policy 3 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed TAs can View and Assign InternalGrades but not ExternalGrades Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed Attributes for action and requested resources are constrained as singletons Faculty are disjoint from Students

33 Output All changes involve only TAs InternalGrades Therefore, we can be confident about the edit

34 Policy 6 – Policy 5 Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed TAs can View and Assign InternalGrades but not ExternalGrades FacultyFamily can Receive ExternalGrades Singleton and disjointness constraints Requests for Students to Receive ExternalGrades succeed Requests for Faculty to Assign or View ExternalGrades succeed TAs can View and Assign InternalGrades but not ExternalGrades Singleton and disjointness constraints

35 Output All changes involve Receiving grades Some changes involve the Faculty role Is there an error?

36 Exploring Changes We can query and verify differences eg: Did a change affect ExternalGrades? Properties of differences may be stronger than properties of the entire system Exploration may eventually lead to identifying system properties

37 Case Study

38 Application Continue: paper submission and review Softvis 2005, CSFW 2005, FOAL 2005, ISSTA 2004, LMO 2005, TAV-WEB 2004, PADL 2004/3/2/1, FDPE 2003, Scheme 2003/2,... Roles: Admin, Chair, PC Member, Subrev… Actions: Submit, Review, Broadcast, … Resources: Papers, Reviews, Configurations

39 Performance Policy has 50 MTDD variables Raw policy has 1268 MTDD nodes Constraints shrink it to 817 nodes Parsing/constraining: 2.07s Twelve properties: each < 10ms Memory: 316,288 bytes over baseline Change: 2ms, 1133 nodes, 16.3Kb memory

40 Conclusion

41 Tool Output 1:/Subject, role, Faculty/ 2:/Subject, role, Student/ 3:/Resource, resource-class, ExternalGrades/ 4:/Resource, resource-class, InternalGrades/ 5:/Action, command, Assign/ 6:/Action, command, View/ 7:/Action, command, Receive/ 8:/Subject, role, TA/ 12345678 { 00010101 N->P 00011001 N->P 00100101 N->P 00101001 N->P 01010101 N->P 01011001 N->P 01100101 N->P 01101001 N->P }

42 Perspective Verification can be cheap enough to fit into the design flow and encourage policy exploration Change impact –useful in itself  finds some errors without properties –query/verif. is a bonus  lightweight formal method Think about continuous verification and change impact reports

43 XACML analysis: http://www.cs.brown.edu/ research/plt/software/margrave/ Conference manager: http://continue.cs.brown.edu/

Download ppt "Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown."

Similar presentations

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
WARM UP  Use the Distributive Property to rewrite the expression without parentheses. 1. 5(y - 2) 2. -2(x - 6) 3. -1(1 + s) 4. -2(2 + t) 5. -3(x – 4)

WARM UP  Use the Distributive Property to rewrite the expression without parentheses. 1. 5(y - 2) 2. -2(x - 6) 3. -1(1 + s) 4. -2(2 + t) 5. -3(x – 4)
Verification and Change-Impact Analysis of Access-Control Policies Kathi Fisler, Shriram Krishnamurthi, Leo Meyerovich, and Michael Tschantz ICSE’05 Presented.

Verification and Change-Impact Analysis of Access-Control Policies Kathi Fisler, Shriram Krishnamurthi, Leo Meyerovich, and Michael Tschantz ICSE’05 Presented.
11 P OLICY A NALYSIS U SING M ARGRAVE Shriram Krishnamurthi Brown University.

11 P OLICY A NALYSIS U SING M ARGRAVE Shriram Krishnamurthi Brown University.
Re-Thinking Product Line Verification as a Constraints Problem Kathi Fisler (WPI) Shriram Krishnamurthi (Brown) Brown undergraduate collaborators: Harry.

Re-Thinking Product Line Verification as a Constraints Problem Kathi Fisler (WPI) Shriram Krishnamurthi (Brown) Brown undergraduate collaborators: Harry.
Putting the User in Usable Verification Kathi Fisler, WPI Joint work with Shriram Krishnamurthi.

Putting the User in Usable Verification Kathi Fisler, WPI Joint work with Shriram Krishnamurthi.
HELP GUIDE NEW USER REGISTRATION (SLIDE 2) TAKING A QUIZ (SLIDE 8) REVIEWING A QUIZ (SLIDE 17) GROUP MEMBERSHIP (SLIDE 26) CREATING QUIZZES (SLIDE 31)

HELP GUIDE NEW USER REGISTRATION (SLIDE 2) TAKING A QUIZ (SLIDE 8) REVIEWING A QUIZ (SLIDE 17) GROUP MEMBERSHIP (SLIDE 26) CREATING QUIZZES (SLIDE 31)
New Challenges for Access Control April 27, 2005 1 Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.

New Challenges for Access Control April 27, Improving Usability and Expressiveness with Dynamic Policies and Obligations Dennis Kafura Markus Lorch.
CS 290C: Formal Models for Web Software Lectures 16: Modeling and Analyzing Access Control Policies Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lectures 16: Modeling and Analyzing Access Control Policies Instructor: Tevfik Bultan.
Algorithms and Problem Solving-1 Algorithms and Problem Solving.

Algorithms and Problem Solving-1 Algorithms and Problem Solving.
Algorithms and Problem Solving. Learn about problem solving skills Explore the algorithmic approach for problem solving Learn about algorithm development.

Algorithms and Problem Solving. Learn about problem solving skills Explore the algorithmic approach for problem solving Learn about algorithm development.
Transaction Management and Concurrency Control

Transaction Management and Concurrency Control
Transaction Management and Concurrency Control

Transaction Management and Concurrency Control
Using Use Case Scenarios and Operational Variables for Generating Test Objectives Javier J. Gutiérrez María José Escalona Manuel Mejías Arturo H. Torres.

Using Use Case Scenarios and Operational Variables for Generating Test Objectives Javier J. Gutiérrez María José Escalona Manuel Mejías Arturo H. Torres.
Lecture 7 Access Control

Lecture 7 Access Control
Configuration Management

Configuration Management
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
[ §4 : 1 ] 4. Requirements Processes II Overview 4.1Fundamentals 4.2Elicitation 4.3Specification 4.4Verification 4.5Validation Software Requirements Specification.

[ §4 : 1 ] 4. Requirements Processes II Overview 4.1Fundamentals 4.2Elicitation 4.3Specification 4.4Verification 4.5Validation Software Requirements Specification.
CS 290C: Formal Models for Web Software Lectures 12: Modeling and Analyzing Access Control Policies Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lectures 12: Modeling and Analyzing Access Control Policies Instructor: Tevfik Bultan.
11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.

11 World-Leading Research with Real-World Impact! A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram.

Similar presentations

Ads by Google