JeeHyun Hwang North Carolina State University Verification and Testing of Security Policies
Background
• Security policies are a widely used mechanism to protect systems and networks (e.g., access control policies, firewall policies)
Access Control Policy Evaluation
• Access control mechanisms control which subjects (such as users or processes) have access to which resources.
• Evaluation: a request is evaluated against the policy, and the response is a decision of Permit, Deny, or Not-applicable.
Problems
• Factors for misconfiguration: conflicts among rules, rule-set complexity, mistakes in handling corner cases, constraints, etc.
• Our goal is to improve the quality of security policies: modeling, implementation, verification, testing
– Firewall policies (SRDS 08, 09): structural coverage criteria, test generation techniques, fault localization
– Access control policies written in XACML (SSIRI 08, DBSec 09, Policy demo 10): ACPT (Access Control Policy Tool), test generation techniques to detect potential problems in policies
– Policies in code (in progress)
ACPT (Access Control Policy Tool)
• In collaboration with Dr. Vincent Hu (NIST)
• Supports correct policy modelling
• Ensures the correct behaviours of policies
– Static verification: check whether specified properties are satisfied by a policy
– Dynamic verification (i.e., testing): evaluate requests against the policy and check whether their evaluated decisions are the expected ones
ACPT Features
ACPT is a tool for composing access control models (such as rule-based and multi-level policy models)
• Helps specify policies, rules and properties through model templates
• Supports various policy combining algorithms (e.g., first-applicable or permit-overrides)
• Generates an enforceable XACML policy
ACPT Features (cont.)
To ensure policy correctness, ACPT supports both static and dynamic verification of a policy
• Verifies policies against specified properties to detect violations using NuSMV [Cimatti et al. CAV 2002]
• Generates test inputs for testing of the policy implementation
– Test inputs based on structural coverage [Martin et al. ICICS 2006]
– Test inputs based on combinatorial coverage [Hu et al. IJSEKE 2010]
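The three ideas on these slides (evaluating a request under a combining algorithm, statically verifying a property and reporting a counterexample, and generating test inputs by structural coverage) are shown together below in a small Python model. This is an added illustration, not ACPT's code or NuSMV: the attributes, the two policies, the property and the exhaustive enumeration that stands in for the model checker are all constructed here, and the Policy A / Policy B pair mirrors the static verification demo later in the deck.

```python
"""Toy attribute-based access control policy: evaluation under two XACML
combining algorithms, exhaustive property verification with a counterexample,
and rule-coverage test generation. Added illustration in the spirit of ACPT;
the attributes, policies and property are constructed, not taken from the tool."""
import itertools

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

# Finite attribute domains (constructed). A request assigns one value per attribute.
DOMAINS = {
    "role": ("doctor", "nurse", "patient"),
    "resource": ("record", "prescription"),
    "action": ("read", "write"),
}

def rule(name, effect, **target):
    """A rule is (name, target-match function, effect). An attribute absent from
    the target is unconstrained, so rule("r", DENY) matches every request."""
    def matches(req):
        return all(req[attr] in allowed for attr, allowed in target.items())
    return (name, matches, effect)

# Policy A (constructed): r2 lets nurses do anything with records, which is a bug.
POLICY_A = [
    rule("r1", PERMIT, role=("doctor",)),
    rule("r2", PERMIT, role=("nurse",), resource=("record",)),
    rule("r3", PERMIT, role=("patient",), resource=("record",), action=("read",)),
    rule("r4", DENY),  # catch-all deny
]

# Policy B (constructed): same as A, but r2 is narrowed to read access.
POLICY_B = [
    rule("r1", PERMIT, role=("doctor",)),
    rule("r2", PERMIT, role=("nurse",), resource=("record",), action=("read",)),
    rule("r3", PERMIT, role=("patient",), resource=("record",), action=("read",)),
    rule("r4", DENY),
]

def first_applicable(policy, req):
    """XACML first-applicable: the decision is that of the first matching rule."""
    for _, matches, effect in policy:
        if matches(req):
            return effect
    return NA

def permit_overrides(policy, req):
    """XACML permit-overrides: Permit if any matching rule permits, otherwise Deny
    if any matching rule denies, otherwise NotApplicable. Rule order is irrelevant."""
    effects = {effect for _, matches, effect in policy if matches(req)}
    if PERMIT in effects:
        return PERMIT
    return DENY if DENY in effects else NA

def all_requests():
    """Enumerate the whole (finite) request space in a fixed order."""
    attrs = list(DOMAINS)
    for values in itertools.product(*(DOMAINS[a] for a in attrs)):
        yield dict(zip(attrs, values))

def verify(policy, combine, prop):
    """Static verification by exhaustive enumeration (a stand-in for the model
    checker). Returns None if prop holds for every request, otherwise the first
    (request, decision) pair that violates it: the counterexample."""
    for req in all_requests():
        decision = combine(policy, req)
        if not prop(req, decision):
            return req, decision
    return None

def nurses_never_write(req, decision):
    """Property (constructed): no request by a nurse to write is permitted."""
    return not (req["role"] == "nurse" and req["action"] == "write"
                and decision == PERMIT)

def rule_coverage_tests(policy):
    """Structural (rule) coverage under first-applicable: one test request per
    rule, chosen so that this rule is the one that decides the request.
    Returns ({rule_name: (request, expected_decision)}, [names of rules that
    no request can reach, i.e. rules shadowed by earlier ones])."""
    tests = {}
    for req in all_requests():
        for name, matches, effect in policy:
            if matches(req):
                tests.setdefault(name, (req, effect))
                break
    uncovered = [name for name, _, _ in policy if name not in tests]
    return tests, uncovered

if __name__ == "__main__":
    print("Policy A:", verify(POLICY_A, first_applicable, nurses_never_write))
    print("Policy B:", verify(POLICY_B, first_applicable, nurses_never_write))
    tests, uncovered = rule_coverage_tests(POLICY_B)
    for name, (req, expected) in tests.items():
        print(name, req, "->", expected)
    print("unreachable rules:", uncovered)
```

Verification of Policy A returns the nurse/record/write request permitted by r2 as a counterexample; Policy B satisfies the property. The coverage generator yields one request per rule and also flags rules no request can reach, which is the same shadowing problem that makes a combining algorithm matter: reversing Policy B puts the catch-all deny first, so first-applicable denies a doctor while permit-overrides still permits.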
ACPT Architecture
• GUI: allows the administrator to specify users, groups, attributes, roles, rules, policies, and resources
• Data Acquisition: API/mechanism to consume/acquire external data related to policies (user, attribute, resource, role, etc. data)
• AC Model Templates: the access control models from which policies are composed
• Policy Generator: generates enforceable XACML policies (.xml)
• Static Verification: verifies access control policies against properties
• Dynamic Verification: generates test inputs based on structural or combinatorial coverage, evaluates them, and outputs the test inputs with their evaluated decisions
Future Work
• Improve ACPT with various features
– Support various dynamic features in XACML
• Extend our approach to security policies for policies in code
– Extract access control policies in code
– Translate the policies into corresponding policies in XACML
Policy Testing
Test packets are evaluated against the firewall, and their actual decisions are compared with the expected decisions.
• Test Generation – Generate test packets
• Test Execution – Evaluate the test packets against a firewall and capture their actual decisions
• Test Results Evaluation – Check if the actual decisions are consistent with our expected decisions
• If the decisions are not consistent, a fault in the firewall policy is revealed
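The three steps above, carried through on a small first-match firewall, as an added example that is not part of the slides or of the authors' tooling. The rule sets, the representative packet field values used for test generation, and the injected fault (an intended policy whose deployed copy has two rules in the wrong order) are constructed; the expected decisions come from the intended policy and the actual decisions from the deployed one.

```python
"""Firewall policy testing: generate test packets, evaluate them against a
first-match rule list, and compare actual with expected decisions to reveal a
fault. Added illustration of the slide's process; rule sets, packets and the
injected fault are constructed."""
import ipaddress
import itertools

def fw_rule(name, src, dst, proto, dport, decision):
    """A rule matches a packet when all fields match; dport None means any port."""
    return dict(name=name, src=ipaddress.ip_network(src), dst=ipaddress.ip_network(dst),
                proto=proto, dport=dport, decision=decision)

def evaluate(rules, pkt):
    """First-match semantics: return (decision, deciding rule name); packets
    matching no rule get the default deny."""
    for r in rules:
        if (ipaddress.ip_address(pkt["src"]) in r["src"]
                and ipaddress.ip_address(pkt["dst"]) in r["dst"]
                and r["proto"] in (pkt["proto"], "any")
                and r["dport"] in (None, pkt["dport"])):
            return r["decision"], r["name"]
    return "deny", "default"

# Intended policy (constructed): LAN hosts may SSH into the server network,
# everyone else may only reach HTTPS.
INTENDED = [
    fw_rule("allow-web", "0.0.0.0/0", "10.0.0.0/24", "tcp", 443, "accept"),
    fw_rule("allow-lan-ssh", "192.168.1.0/24", "10.0.0.0/24", "tcp", 22, "accept"),
    fw_rule("block-internet-ssh", "0.0.0.0/0", "10.0.0.0/24", "tcp", 22, "deny"),
]

# Deployed policy (constructed fault): the two SSH rules were swapped, so the
# broad deny now shadows the LAN exception.
DEPLOYED = [INTENDED[0], INTENDED[2], INTENDED[1]]

# Representative values per packet field (constructed): a LAN and an Internet
# source, the server, and ports that do and do not appear in the rules.
TEST_SPACE = {
    "src": ("192.168.1.10", "203.0.113.5"),
    "dst": ("10.0.0.7",),
    "proto": ("tcp",),
    "dport": (22, 443, 8080),
}

def generate_test_packets(space=TEST_SPACE):
    """Test generation: the cross product of the representative field values."""
    fields = list(space)
    return [dict(zip(fields, vals))
            for vals in itertools.product(*(space[f] for f in fields))]

def run_tests(intended, deployed, packets):
    """Test execution and results evaluation: expected decisions come from the
    intended policy, actual decisions from the deployed one. Each mismatch is
    reported with the rule that decided on each side, which localises the fault."""
    failures = []
    for pkt in packets:
        expected, exp_rule = evaluate(intended, pkt)
        actual, act_rule = evaluate(deployed, pkt)
        if expected != actual:
            failures.append((pkt, expected, exp_rule, actual, act_rule))
    return failures

def uncovered_rules(rules, packets):
    """Structural coverage check: rules that no test packet reaches. A rule
    that is never the deciding one is either untested or shadowed."""
    hit = {evaluate(rules, pkt)[1] for pkt in packets}
    return [r["name"] for r in rules if r["name"] not in hit]

if __name__ == "__main__":
    packets = generate_test_packets()
    for failure in run_tests(INTENDED, DEPLOYED, packets):
        print("MISMATCH", failure)
    print("rules never exercised in deployed policy:", uncovered_rules(DEPLOYED, packets))
```

Six packets are generated; exactly one (LAN host to port 22) is accepted by the intended policy but denied by the deployed one, and the report names allow-lan-ssh as the rule that should have decided and block-internet-ssh as the one that did. The coverage check confirms the diagnosis from the other direction: allow-lan-ssh is never reached by any test packet in the deployed policy.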
ACPT Demo
Property specification in ACPT
Static Verification
Verifying the property against Policy A: the result returns false, with a counterexample.
Static Verification (cont.)
Verifying the property against Policy B: the result returns true.
Test Input Generation and Evaluation
XACML Generation