• DocumentCode
    2947635
  • Title

    Security Analysis of Role-Based Access Control through Program Verification

  • Author

    Ferrara, Anna Lisa ; Madhusudan, P. ; Parlato, Gennaro

  • Author_Institution
    Univ. of Bristol, Bristol, UK
  • fYear
    2012
  • fDate
    25-27 June 2012
  • Firstpage
    113
  • Lastpage
    125
  • Abstract
    We propose a novel scheme for proving administrative role-based access control (ARBAC) policies correct with respect to security properties using the powerful abstraction-based tools available for program verification. Our scheme uses a combination of abstraction and reduction to program verification to perform security analysis. We convert ARBAC policies to imperative programs that simulate the policy abstractly, and then utilize further abstract-interpretation techniques from program analysis to analyze the programs in order to prove the policies secure. We argue that the aggressive set-abstractions and numerical-abstractions we use are natural and appropriate in the access control setting. We implement our scheme using a tool called VAC that translates ARBAC policies to imperative programs followed by an interval-based static analysis of the program, and show that we can effectively prove access control policies correct. The salient feature of our approach are the abstraction schemes we develop and the reduction of role-based access control security (which has nothing to do with programs) to program verification problems.
  • Keywords
    authorisation; program diagnostics; program verification; ARBAC policies; VAC; abstract-interpretation techniques; abstraction schemes; abstraction-based tools; administrative role-based access control policy; aggressive set-abstractions; imperative programs; numerical-abstractions; program interval-based static analysis; program verification; security analysis; security properties; Computer security; Licenses; Access control; formal methods for security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Foundations Symposium (CSF), 2012 IEEE 25th
  • Conference_Location
    Cambridge, MA
  • ISSN
    1940-1434
  • Print_ISBN
    978-1-4673-1918-8
  • Electronic_ISBN
    1940-1434
  • Type

    conf

  • DOI
    10.1109/CSF.2012.28
  • Filename
    6266155