Policy Evaluation Testbed

Vincent Hu

Tom Karygiannis

Steve Quirolgico

NIST ITL PET Report

May 4, 2010

Page 2

AC Policy Composing Problems

• No structured model framework to support policy authoring.

• No tool to check that policy rule specifications, which are hand-crafted by administrators, are correct.

• No tool for checking the effect (conflicts between rules) of combining more than one policy.

• No efficient way to generate exhaustive test cases for checking the correctness of an access control system.

Page 3

Access Control Policy Tool (ACPT)

ACPT is a tool for composing access control models (such as RBAC and Multi-Level models).

Features:

• Allows specification of policy combinations, rules, and properties through model templates

• Allows testing and verification of policies against specified properties, and reports problems that may lead to security holes

• Generates efficient test suites (by applying NIST's combinatorial testing technology) for testing access control implementations

• Test suites can be applied to any access control implementation

• Ensures safety and flexibility when composing access control policies

• XACML policy generation

Page 4

ACPT Architecture

Block diagram of the Access Control Policy Tool (text rendering of the slide's figure). The administrator works through the GUI; the tool's outputs are encoded XACML policies (.xml) and a test suite.

• GUI: allows specification of users, groups, attributes, roles, rules, policies, and resources

• AC Model Templates: the model templates from which policies are composed

• Data Acquisition (an optional function): API/mechanism to consume/acquire external data related to policies (user, attribute, resource, role, etc. data)

• Model Checker: validates access control policy models

• Policy Generator: generates encoded policies (XACML, .xml)

• Combinatorial Array Generator: generates the combinatorial test array

• Test Suite Generator: generates test suites from the combinatorial array

Page 5

ACPT

Page 6

ACPT

Page 7

ACPT Demo

Policy A (excerpt from 28 CFR Part 23 Statutes and Govt. Category)

Subject attributes: 28 CFR Part 23 Training, Government Category. Resource attribute: Privacy Category. Action: Read.

Rule  28 CFR Part 23 Training  Government Category  Privacy Category  Read
1     Current                  Federal              ISE               Yes
2     Current                  State                ISE               Yes
3     Expired/None             Federal              ISE               Yes
4     Current                  Federal              SLT               Yes
5     Current                  State                SLT               Yes
6     Expired/None             State                SLT               Yes

Policy B (excerpt from Govt. Category, Remote Access, and OMB/NIST Assurance)

Subject attributes: Government Category, Remote Access, OMB/NIST Assurance Level. Resource attribute: Privacy Category. Action: Read.

Rule  Government Category  Remote Access  OMB/NIST Assurance Level  Privacy Category  Read
7     Federal              Yes            2                         ISE               Yes
8     Federal              Yes            3 or greater              ISE               Yes
9     Federal              No             2 or greater              ISE               Yes
10    State                Yes            3 or greater              ISE               Yes
11    State                No             2                         ISE               Yes
12    Federal              Yes            3 or greater              SLT               Yes
13    Federal              No             2 or greater              SLT               Yes
14    State                Yes            2                         SLT               Yes
15    State                Yes            3 or greater              SLT               Yes
16    State                No             2                         SLT               Yes

Page 8

ACPT Demo

Property to test:

A request by a subject with the attributes
• "Current" for 28 CFR Part 23 Training,
• "Federal" for Government Category,
• "1" for OMB/NIST Assurance Level,
• "True" for Remote Access,
to "read" data with the resource attribute
• "ISE" for Privacy Category
should not be allowed.

The rules say:

Rule 1 of Policy A grants the request described by the property, but no rule in Policy B grants such a request (every Policy B rule requires an assurance level of at least 2).

Page 9

ACPT Demo

Property specification in ACPT

Page 10

ACPT Demo

Testing the property against Policy A returns false, with a counterexample: the request that rule 1 permits.

Page 11

ACPT Demo

Testing the property against Policy B returns true.

Page 12

ACPT Demo

Testing the property against Policy A merged with Policy B returns false for Policy A but true for Policy B. Note that merged policies have no priorities between them: each policy is evaluated on its own.

Page 13

ACPT Demo

Test the property against Policy A combined with Policy B. Unlike merging, combining assigns priorities to the combined rules. This slide shows the combination in which Policy B has higher priority than Policy A.

Page 14

ACPT Demo

Testing the property against Policy A combined with Policy B, with the "Default Deny" rule set for both policies, returns true for the combined policy: the higher-priority Policy B now denies the request explicitly instead of falling through to rule 1 of Policy A.
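The verification steps on slides 8 through 14 can be reproduced with a small model of the two demo policies. The following is an added example written for this page, not ACPT's own code: it encodes Policy A and Policy B as rule tables, evaluates them first-applicable, and checks the demo property by exhaustively enumerating the attribute space instead of using ACPT's model checker. The attribute names, the assurance-level domain {1, 2, 3, 4}, and the modelling of "Default Deny" as a trailing deny rule appended to each policy are assumptions.

```python
from itertools import product

# Attribute domains, constructed from the values in the demo tables; the set of
# assurance levels {1,2,3,4} is an assumption (the tables only say "2", "3 or greater").
DOMAINS = {
    "training": ("Current", "Expired/None"),  # 28 CFR Part 23 Training (subject)
    "gov": ("Federal", "State"),               # Government Category (subject)
    "remote": ("Yes", "No"),                   # Remote Access (subject)
    "assurance": (1, 2, 3, 4),                 # OMB/NIST Assurance Level (subject)
    "privacy": ("ISE", "SLT"),                 # Privacy Category (resource)
    "action": ("Read",),
}

def ge(n):
    """Condition for an assurance level of n or greater ("3 or greater" in the table)."""
    return lambda v: v >= n

def rule(number, effect, **conds):
    """A rule: (number, effect, conditions). A condition is a literal or a predicate."""
    return (number, effect, conds)

def matches(conds, request):
    """True when every condition of a rule holds for the request."""
    for attr, cond in conds.items():
        if callable(cond):
            if not cond(request[attr]):
                return False
        elif request[attr] != cond:
            return False
    return True

# Policy A, rules 1-6 (slide 7).
POLICY_A = [
    rule(1, "Permit", training="Current",      gov="Federal", privacy="ISE", action="Read"),
    rule(2, "Permit", training="Current",      gov="State",   privacy="ISE", action="Read"),
    rule(3, "Permit", training="Expired/None", gov="Federal", privacy="ISE", action="Read"),
    rule(4, "Permit", training="Current",      gov="Federal", privacy="SLT", action="Read"),
    rule(5, "Permit", training="Current",      gov="State",   privacy="SLT", action="Read"),
    rule(6, "Permit", training="Expired/None", gov="State",   privacy="SLT", action="Read"),
]

# Policy B, rules 7-16 (slide 7).
POLICY_B = [
    rule(7,  "Permit", gov="Federal", remote="Yes", assurance=2,     privacy="ISE", action="Read"),
    rule(8,  "Permit", gov="Federal", remote="Yes", assurance=ge(3), privacy="ISE", action="Read"),
    rule(9,  "Permit", gov="Federal", remote="No",  assurance=ge(2), privacy="ISE", action="Read"),
    rule(10, "Permit", gov="State",   remote="Yes", assurance=ge(3), privacy="ISE", action="Read"),
    rule(11, "Permit", gov="State",   remote="No",  assurance=2,     privacy="ISE", action="Read"),
    rule(12, "Permit", gov="Federal", remote="Yes", assurance=ge(3), privacy="SLT", action="Read"),
    rule(13, "Permit", gov="Federal", remote="No",  assurance=ge(2), privacy="SLT", action="Read"),
    rule(14, "Permit", gov="State",   remote="Yes", assurance=2,     privacy="SLT", action="Read"),
    rule(15, "Permit", gov="State",   remote="Yes", assurance=ge(3), privacy="SLT", action="Read"),
    rule(16, "Permit", gov="State",   remote="No",  assurance=2,     privacy="SLT", action="Read"),
]

DEFAULT_DENY = rule("default", "Deny")  # no conditions: matches every request

def evaluate(rules, request):
    """First-applicable evaluation: the first matching rule decides; otherwise NotApplicable."""
    for number, effect, conds in rules:
        if matches(conds, request):
            return effect, number
    return "NotApplicable", None

def combine(*policies, default_deny=False):
    """Concatenate policies in priority order (highest priority first). With
    default_deny=True a trailing Deny rule is appended to each policy, which is
    how the demo's "Default Deny" setting is modelled here (an assumption)."""
    combined = []
    for policy in policies:
        combined.extend(policy)
        if default_deny:
            combined.append(DEFAULT_DENY)
    return combined

def check_property(rules, premise, forbidden="Permit"):
    """Property: no request consistent with `premise` receives decision `forbidden`.
    Exhaustively enumerates the attribute space (64 requests here) instead of
    model checking; returns (holds, counterexamples as (request, rule number))."""
    names = list(DOMAINS)
    counterexamples = []
    for values in product(*(DOMAINS[n] for n in names)):
        request = dict(zip(names, values))
        if all(request[k] == v for k, v in premise.items()):
            effect, number = evaluate(rules, request)
            if effect == forbidden:
                counterexamples.append((request, number))
    return not counterexamples, counterexamples

# The demo property (slide 8): this request must not be allowed to read.
DEMO_PREMISE = {"training": "Current", "gov": "Federal", "assurance": 1,
                "remote": "Yes", "privacy": "ISE", "action": "Read"}

def demo():
    """Reproduce the verdicts of slides 10-14: True means the property holds."""
    return {
        "Policy A alone": check_property(POLICY_A, DEMO_PREMISE)[0],
        "Policy B alone": check_property(POLICY_B, DEMO_PREMISE)[0],
        "B over A": check_property(combine(POLICY_B, POLICY_A), DEMO_PREMISE)[0],
        "B over A, default deny": check_property(
            combine(POLICY_B, POLICY_A, default_deny=True), DEMO_PREMISE)[0],
    }

if __name__ == "__main__":
    for name, holds in demo().items():
        print(f"{name}: {'holds' if holds else 'violated'}")
    print("counterexample against Policy A:", check_property(POLICY_A, DEMO_PREMISE)[1][0])
```

Run stand-alone it prints the four verdicts (violated, holds, violated, holds) and the counterexample that rule 1 of Policy A permits the request. Loosening DEMO_PREMISE (for example dropping "training") makes the same checker test every request that matches the remaining attributes, which is closer to what a property over the whole model means; on realistic attribute spaces this is where enumeration gives way to a model checker.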

Page 15

ACPT Demo

Test cases generation:
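Slide 3 describes test-suite generation with NIST's combinatorial testing technology. The following added example (not ACPT's or ACTS's code) shows the idea on the demo's attribute domains: a greedy 2-way covering array that exercises every pair of attribute values with far fewer requests than the 64-request exhaustive product. The domains repeat the assumptions made for the demo policies above; the greedy construction is a simple stand-in for the algorithm ACTS uses, not a reproduction of it.

```python
from itertools import combinations, product

# Attribute domains of the demo policies (constructed; the assurance-level set is an assumption).
DOMAINS = {
    "training": ("Current", "Expired/None"),
    "gov": ("Federal", "State"),
    "remote": ("Yes", "No"),
    "assurance": (1, 2, 3, 4),
    "privacy": ("ISE", "SLT"),
    "action": ("Read",),
}

def pairs_of(request, names):
    """The set of 2-way (attribute, value) interactions one test request covers."""
    return {((a, request[a]), (b, request[b])) for a, b in combinations(names, 2)}

def all_pairs(domains):
    """Every 2-way interaction a pairwise suite must cover."""
    names = list(domains)
    return {((a, va), (b, vb))
            for a, b in combinations(names, 2)
            for va in domains[a] for vb in domains[b]}

def exhaustive_suite(domains):
    """The full cross product: one request per combination of attribute values."""
    names = list(domains)
    return [dict(zip(names, vals)) for vals in product(*(domains[n] for n in names))]

def pairwise_suite(domains):
    """Greedy covering-array construction: repeatedly pick the candidate request
    that covers the most still-uncovered pairs until nothing is uncovered. The
    candidate pool is the full product, which is fine for a domain this small."""
    names = list(domains)
    candidates = exhaustive_suite(domains)
    uncovered = all_pairs(domains)
    suite = []
    while uncovered:
        best = max(candidates, key=lambda r: len(pairs_of(r, names) & uncovered))
        gained = pairs_of(best, names) & uncovered
        if not gained:
            break
        suite.append(best)
        uncovered -= gained
    return suite

def covers_all_pairs(suite, domains):
    """Check the coverage guarantee: every 2-way interaction appears in some test."""
    names = list(domains)
    covered = set()
    for request in suite:
        covered |= pairs_of(request, names)
    return all_pairs(domains) <= covered

if __name__ == "__main__":
    suite = pairwise_suite(DOMAINS)
    print(f"{len(suite)} pairwise tests instead of {len(exhaustive_suite(DOMAINS))} exhaustive")
    for request in suite:
        print(request)
```

Each generated request is then submitted to the access control implementation under test and its decision compared with the verified model's decision for the same request; that comparison, not the policy model itself, is what catches privilege leakage caused by implementation faults. The 2-way guarantee is a lower bound on thoroughness: higher interaction strengths cost more tests but still far fewer than the exhaustive product.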

Page 16

ACPT Demo

XACML generation:
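Slide 16 shows ACPT's XACML generation as a screenshot; the emitted XACML is not reproduced on the page. As an added illustration of what such generation has to produce (not ACPT output), the following renders Policy A from slide 7 as an XACML 3.0 Policy with the standard library only. The XACML category and attribute identifiers for the demo's attributes are assumptions (a real PEP would supply its own), and Policy B is left out because its "2 or greater" conditions need an XACML Condition rather than a Target Match.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:first-applicable"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"

# Assumed XACML categories and attribute ids for the demo's attribute names;
# a real deployment would use the ids its PEP/PIP actually supplies.
ATTRS = {
    "training": (SUBJECT, "urn:example:attribute:28-cfr-23-training"),
    "gov":      (SUBJECT, "urn:example:attribute:government-category"),
    "privacy":  (RESOURCE, "urn:example:attribute:privacy-category"),
    "action":   (ACTION, "urn:oasis:names:tc:xacml:1.0:action:action-id"),
}

# Policy A from slide 7: (rule number, effect, equality conditions).
POLICY_A = [
    (1, "Permit", {"training": "Current",      "gov": "Federal", "privacy": "ISE", "action": "Read"}),
    (2, "Permit", {"training": "Current",      "gov": "State",   "privacy": "ISE", "action": "Read"}),
    (3, "Permit", {"training": "Expired/None", "gov": "Federal", "privacy": "ISE", "action": "Read"}),
    (4, "Permit", {"training": "Current",      "gov": "Federal", "privacy": "SLT", "action": "Read"}),
    (5, "Permit", {"training": "Current",      "gov": "State",   "privacy": "SLT", "action": "Read"}),
    (6, "Permit", {"training": "Expired/None", "gov": "State",   "privacy": "SLT", "action": "Read"}),
]

def q(tag):
    """Namespace-qualified tag name for ElementTree."""
    return f"{{{XACML}}}{tag}"

def to_xacml(policy_id, rules, default_deny=True):
    """Serialise a rule table as an XACML 3.0 <Policy>. Each table row becomes a
    <Rule> whose <Target> is one <AllOf> of string-equal <Match> elements, so the
    rule applies only when every attribute in the row matches the request."""
    ET.register_namespace("", XACML)
    policy = ET.Element(q("Policy"), PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId=FIRST_APPLICABLE)
    ET.SubElement(policy, q("Target"))  # empty target: the policy applies to all requests
    for number, effect, conds in rules:
        rule = ET.SubElement(policy, q("Rule"), RuleId=f"{policy_id}-rule-{number}", Effect=effect)
        allof = ET.SubElement(ET.SubElement(ET.SubElement(rule, q("Target")), q("AnyOf")), q("AllOf"))
        for attr, value in conds.items():
            category, attr_id = ATTRS[attr]
            match = ET.SubElement(allof, q("Match"), MatchId=STRING_EQUAL)
            ET.SubElement(match, q("AttributeValue"), DataType=STRING).text = value
            ET.SubElement(match, q("AttributeDesignator"), Category=category,
                          AttributeId=attr_id, DataType=STRING, MustBePresent="false")
    if default_deny:
        # A trailing rule with an empty Target matches every request: under the
        # first-applicable algorithm this is the demo's "Default Deny" setting.
        deny = ET.SubElement(policy, q("Rule"), RuleId=f"{policy_id}-default-deny", Effect="Deny")
        ET.SubElement(deny, q("Target"))
    return ET.tostring(policy, encoding="unicode")

def rule_count(xml_text):
    """Parse generated XACML back and return the number of <Rule> elements."""
    return len(ET.fromstring(xml_text).findall(q("Rule")))

if __name__ == "__main__":
    print(to_xacml("PolicyA", POLICY_A))
```

The choice of rule-combining algorithm is the part to get right when translating a verified model: the first-applicable algorithm with a trailing deny rule reproduces the priority-ordered, default-deny evaluation that made the combined policy pass on slide 14, whereas permit-overrides would let rule 1 of Policy A grant the request regardless of what a higher-priority policy says.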

Page 17

Live Demo

Page 18

Compare ACPT with commercial AC tools

So far, no commercial AC policy management tool has all of the following capabilities that NIST ACPT has:

• AC (access control) model templates for entering policies: RBAC, Multi-Level, RuBAC (rule based), and Workflow. Some products (such as IBM Tivoli) claim to provide RuBAC, RBAC, and ABAC templates, but these are only simulated with rules; in other words, there is no capability to build role or attribute relations (hierarchies).

• Combining different AC models into one (e.g., combining an RBAC policy with RuBAC and ABAC policies).

• AC property verification (properties described by Boolean predicates) to ensure that the created policy satisfies any combination of rule constraints. (IBM has a limited SOD (Separation of Duty) check.)

• A test case (suite) generator for testing in the real operating environment, to assure that there is no privilege leakage caused by faults other than those in the AC policy itself.

Page 19

ACPT Future Work

Policy (or rule) priority configuration for combining different models or rules (e.g., combinations of global and local policies)

White-box model/properties verification to verify coverage and confinement of access control rules

Generate XACML policies derived from verified access control model or rules

Additional access control policy templates including dynamic and historical access control models

API or mechanism for acquiring or consuming information about users, attributes, resources, etc.

Web-ACPT allowing convenient web-based policy composition

Page 20

Progress Report

PET
• State-to-State policy scenarios defined
• XACML and PEP coding to support new scenario
• Numerous software enhancements
• Preparing demo for Fusion Center conference

DHS/JHUAPL
• Identity Provider Service
• Privacy Policy Matrix

DoJ and HHS Presentations

Computer Associates CRADA
• Policy Expression and Automated Extraction

National Security Agency
• Quarterly Technical Exchanges

Page 21

Progress Report (cont.)

Presentation and Demo, 2010 Fusion Center Technology Workshop, June 8th and 9th, 2010

Decentralized Information Group, Computer Science & Artificial Intelligence Lab, Massachusetts Institute of Technology

Nationwide Health Information Network (NHIN), CONNECT, HHS – ACPT Tool

Page 22

Contact Information

Vincent Hu – [email protected]

Tom Karygiannis – [email protected]

Steve Quirolgico – [email protected]