ANALYZING FIRST ORDER ROLE BASED ACCESS CONTROL
BY CARLOS COTRINI, THILO WEGHORN, DAVID BASIN AND MANUEL CLAVEL
Presenter:
JINANK JAIN
ETH Zurich
Seminar: Current Topics in Information Security
MOTIVATION
ACCESS CONTROL
Figure: a complex access control mechanism (source: https://hitachi-id.com)
ROLE BASED ACCESS CONTROL
Figure: the simpler and cleaner role-based structure (source: https://hitachi-id.com)
ROLE BASED ACCESS CONTROL
Role-based access control (RBAC) is a popular access control model for
specifying policies in large organizations.
Unlike access control policies that assign permissions directly to subjects, RBAC
associates permissions with roles within an organization and assigns users to roles.
A role corresponds to a job function (e.g. president, manager, trainer,
teller, auditor, janitor).
PREVIOUS WORK
Figure: previous work plotted by efficiency of policy analysis against
expressiveness of policy specification; FORBAC aims at the sweet spot between
the two.
CONTRIBUTIONS
FORBAC is a framework that aims at a sweet spot between expressiveness of
policy specification and efficiency of policy analysis for first-order RBAC.
Figure: FORBAC positioned between expressiveness and efficiency.
CONTRIBUTIONS
Expressiveness
• Policies written in full first-order logic (FOL) are very hard to analyze
automatically: satisfiability of arbitrary FOL formulas is undecidable.
• FORBAC therefore uses an expressive but restricted fragment of FOL for policy
specification.
• The fragment still allows simple policies of the form:
P1(x) ∧ … ∧ Pk(x) ∧ ¬Q1(x) ∧ … ∧ ¬Qn(x)
CONTRIBUTIONS
Efficiency
• Deciding the satisfiability of a FORBAC formula is NP-complete.
• Why NP-complete?
• Hardness: Boolean satisfiability is a special case of FORBAC satisfiability,
since FORBAC formulas are closed under the propositional connectives.
• Membership in NP: if there is a model satisfying a FORBAC formula, then there
is a model whose size is polynomial in the size of the formula (small-model
property). With that bound, satisfiability can be reduced to Boolean
satisfiability and checked by an SMT solver.
DEFINITION OF FORBAC SIGNATURE
A FORBAC signature is a triple Σ = (S, A1, A2) where
S = S_RBAC ∪ {Integer, String} is the set of sorts,
S_RBAC = {Users, Roles1, Roles2, …, RolesT, Perms} (one sort per role template),
A1 is the set of single-valued attributes, and
A2 is the set of set-valued attributes.
USER ASSIGNMENTS (UA)
Users are assigned roles according to their attribute values.
Attributes can be single-valued or set-valued.
The assignment of role instances to users is defined by a family of FORBAC
formulas, one per role template R in the set RT(Σ) of role templates of Σ:
UA = {UA_R(u, r) : R ∈ RT(Σ)}
Example: consider a bank with two kinds of account, Student and Employee,
modelled as role templates.
UA_Student(u, r) ≡ age(u) ≤ 25 ∧ country(r) = {nationality(u), "USA"}
UA_Employee(u, r) ≡ salary(u) > 1500 ∧ limit(r) = salary(u)
PERMISSION ASSIGNMENTS (PA)
Role instances are assigned permissions according to their attribute values.
The assignment of permissions to role instances is defined by a family of
FORBAC formulas, one per role template:
PA = {PA_R(r, p) : R ∈ RT(Σ)}
Example (same bank, role templates Student and Employee):
PA_Student(r, p) ≡ action(p) ∈ {"withdraw"} ∧ amount(p) ≤ 1000 ∧ location ∈ …
FORBAC POLICIES
A FORBAC policy is a triple (Σ, UA, PA) where
Σ is a FORBAC signature,
UA is the user-assignment specification, and
PA is the permission-assignment specification.
BNF GRAMMAR FOR FORBAC FORMULA
POLICY ANALYSIS QUERIES (PAQ)
• Authorization Inspection: verify that a policy does not grant undesired
access.
• Assignment Simplification: identify redundant conditions in the
user-assignment formulas.
• Role Subsumption: identify relationships between role templates.
• Redundant Assignments: identify user-role assignments that are implied by
other assignments.
POLICY ANALYSIS IN FORBAC
Figure: control flow in FORBAC. A policy and a policy analysis query (PAQ) are
compiled into a FORBAC formula Ψ, which is passed to an SMT solver; the solver
either reports that Ψ is unsatisfiable or returns a counter-model.
AUTHORIZATION INSPECTION
This can be used to verify that a FORBAC policy does not grant undesired
access, for example:
• Does there exist an accountant who has access to balance sheets and can
make fraudulent changes to them?
• Does there exist a developer who can change the source code of the payment
transaction process?
• Does there exist an employee at Google who can read personal
AUTHORIZATION INSPECTION
Does there exist an accountant who has access to balance sheets and can make
fraudulent changes to them?
Figure: a user with job = accountant and two permissions on the balance sheets
(access balance sheets; update balance sheets for fraudulent activity).
AUTHORIZATION INSPECTION
ψu(u) ≡
job(u) =
accountan
t
Ψ1(p1) ≡
action(p1) = read /
target(p1) = balance
sheets
Ψ2(p2) ≡
action(p2) = update /
target(p2) = balance
sheets
Does there exists an accountant who has access to balance sheets and
can make fraudulent changes on them?
AUTHORIZATION INSPECTION
ψu(u) ≡
job(u) =
accountan
t
Ψ1(p1) ≡
action(p1) = read /
target(p1) = balance
sheets
Ψ2(p2) ≡
action(p2) = update /
target(p2) = balance
sheets
∃𝑢, 𝑝1, 𝑝2: Ψ 𝑢 𝑢 ∧ Ψ1 𝑝1 ∧ Ψ2 𝑝2 ∧ 𝐴𝑢𝑡ℎ 𝑢, 𝑝1 ∧ 𝐴𝑢𝑡ℎ(𝑢, 𝑝2)
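The UA/PA definitions and the authorization-inspection query above, run as code. This is an added example, not the authors' tool or any code from the paper: it replaces the SMT solver by brute-force enumeration over small constructed domains (the paper's small-model property is what makes a bounded search sound in general; here the domains are simply chosen by hand). The role templates Bookkeeper and Developer, their attributes (dept, can_edit, repo), the users and the permissions are all assumptions made for the example. It shows how Auth(u, p) arises from UA_R and PA_R and how a model of the existential query is returned as a counter-example.

```python
"""Added example: a finite-domain stand-in for the SMT step in FORBAC policy
analysis.  Policy, attribute names and domains are constructed for illustration
and are not from the paper."""
from itertools import product

# --- Constructed domains (assumption: small enough to enumerate) -------------
USERS = [
    {"name": "alice", "job": "accountant", "dept": "finance"},
    {"name": "bob",   "job": "accountant", "dept": "audit"},
    {"name": "carol", "job": "developer",  "dept": "it"},
]
PERMS = [
    {"action": a, "target": t}
    for a in ("read", "update")
    for t in ("balance_sheets", "source_code")
]

# --- Policy: role templates with their instances, UA_R and PA_R --------------
# The instances of a template are all valuations of its attributes; UA_R(u, r)
# and PA_R(r, p) are the FORBAC formulas of the UA/PA slides, as predicates.
POLICY = {
    "Bookkeeper": {
        "instances": [{"dept": d, "can_edit": e}
                      for d in ("finance", "audit") for e in (False, True)],
        # UA_Bookkeeper(u, r): accountants get the instance for their own
        # department; the editing variant only in the finance department.
        "ua": lambda u, r: (u["job"] == "accountant"
                            and r["dept"] == u["dept"]
                            and (not r["can_edit"] or u["dept"] == "finance")),
        # PA_Bookkeeper(r, p): read balance sheets; update only if can_edit.
        "pa": lambda r, p: (p["target"] == "balance_sheets"
                            and (p["action"] == "read"
                                 or (p["action"] == "update" and r["can_edit"]))),
    },
    "Developer": {
        "instances": [{"repo": "payments"}],
        "ua": lambda u, r: u["job"] == "developer",
        "pa": lambda r, p: p["target"] == "source_code",
    },
}


def auth(policy, u, p):
    """Auth(u, p): some template R has an instance r with UA_R(u, r) and PA_R(r, p)."""
    return any(tpl["ua"](u, r) and tpl["pa"](r, p)
               for tpl in policy.values() for r in tpl["instances"])


def authorization_inspection(policy, users, perms, psi_user, psi_perms):
    """Witness for  exists u p1..pk. Psi_user(u) and AND_i (Psi_i(p_i) and Auth(u, p_i)).

    Returns (u, [p1, ..., pk]) as a counter-model, or None when the query is
    unsatisfiable over the given finite domains."""
    for u in users:
        if not psi_user(u):
            continue
        for ps in product(perms, repeat=len(psi_perms)):
            if all(psi(p) and auth(policy, u, p) for psi, p in zip(psi_perms, ps)):
                return u, list(ps)
    return None


# Query constraints from the slides (attribute values are assumptions)
PSI_ACCOUNTANT = lambda u: u["job"] == "accountant"
PSI_DEVELOPER = lambda u: u["job"] == "developer"
PSI_READ_BS = lambda p: p["action"] == "read" and p["target"] == "balance_sheets"
PSI_UPDATE_BS = lambda p: p["action"] == "update" and p["target"] == "balance_sheets"


def run_queries():
    """Two authorization-inspection queries: the first has a counter-model
    (a finance accountant can both read and update), the second is unsatisfiable."""
    return {
        "accountant_read_and_update": authorization_inspection(
            POLICY, USERS, PERMS, PSI_ACCOUNTANT, [PSI_READ_BS, PSI_UPDATE_BS]),
        "developer_update": authorization_inspection(
            POLICY, USERS, PERMS, PSI_DEVELOPER, [PSI_UPDATE_BS]),
    }


if __name__ == "__main__":
    for name, result in run_queries().items():
        print(name, "->", "no violation" if result is None else result)
```

The first query returns alice with the read and update permissions on the balance sheets, which is exactly the kind of finding the slide's question is after: the policy as written lets one finance accountant both see and alter the sheets. The second query comes back with no model, i.e. no developer can update balance sheets under this policy.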
ASSIGNMENT SIMPLIFICATION
This can be used to identify redundancies in FORBAC formulas.
Example: a customer's category determines special discounts and a special
baby care kit.
UA-Rule 1: if age < 3 then customer.category = infant
UA-Rule 2: if age == 2 and height == 1m then customer.category = infant
ASSIGNMENT SIMPLIFICATION
Every customer matched by UA-Rule 2 is already matched by UA-Rule 1, so the
disjunction of the two rules is equivalent to UA-Rule 1 alone and UA-Rule 2
can be dropped:
UA-Rule 2: if age == 2 and height == 1m then customer.category = infant
is subsumed by
UA-Rule 1: if age < 3 then customer.category = infant
ROLE SUBSUMPTION
This can be used to identify redundancies in the role templates.
Figure: two role templates, Manager and Supervisor. If every permission a
Supervisor instance receives is also granted to the Manager instance with the
same attribute values, Manager subsumes Supervisor.
REDUNDANT ASSIGNMENTS
This can be used to identify redundancies in the user-assignment
relation
LIMITATIONS OF FORBAC
Expressiveness:
• rule-based RBAC
• numeric and string valued attributes
• no transitive closure
• no multi-valued decisions
Efficiency:
• manageable in daily business
• low complexity
• policy equivalence
• conflict detection
EXPERIMENTAL RESULTS
• Analyzed the access control policies of 10 out of 350 applications of a
major European bank.
• Each policy manages the access of between 3,490 and 85,949 users.
• The size of the policies ranges between 2,000 and 300,000 occurrences of
atomic subformulas.
EXPERIMENTAL RESULTS
Average time (in seconds) needed by Z3 per query; ">360" marks queries that did
not finish within 360 s.

Query  App1    App2  App3  App4  App5  App6  App7  App8   App9   App10
AI     357.87  >360  >360  >360  2.98  1.85  3.52  32.69  38.02  0.30
AS     0.61    0.63  0.57  0.54  NA    0.75  0.87  0.50   0.49   NA
RS     0.53    0.55  0.43  0.43  0.45  0.47  0.46  0.47   0.47   0.44
RA     0.73    0.47  0.46  0.49  NA    0.58  0.53  0.59   0.49   NA

AI: Authorization Inspection
AS: Assignment Simplification
RS: Role Subsumption
RA: Redundant Assignments
COMPARISON TO OTHER RELATED WORK
MARGRAVE: POLICY SPECIFICATION & ANALYSIS FRAMEWORK
Positive aspects:
• It computes an exhaustive set of counter-examples when a property is
violated. In contrast, FORBAC computes only one counter-example.
• Supports reasoning about the combined effects of policies written in
different configuration languages.
MARGRAVE: POLICY SPECIFICATION & ANALYSIS FRAMEWORK
Negative aspects:
• Margrave cannot reason about integer constraints and therefore cannot
express policies that FORBAC can, such as "Alice can read a file if her
clearance level is greater than the file's clearance level".
• Margrave does not support set-valued attributes, so every element has to be
listed explicitly. This makes Margrave policies difficult to maintain.
ATHENA + YICES
Positive aspects
• Merges functional programming with first-order logic for both policy
specification and property verification.
• In contrast to FORBAC, their language can express arithmetic constraints,
and they can reason about XACML policies.
ATHENA + YICES
Negative aspects
• Cannot deal with set-valued attributes.
• They do not allow quantification when specifying policies.
• The authors do not provide complexity bounds for their policy analysis. In
contrast, FORBAC guarantees that policy analysis is in NP.
FUTURE WORK
• Extend FORBAC with role hierarchies, which define a partial order on a set
of roles.
• Extend FORBAC with two further kinds of constraint: static and dynamic
separation-of-duty constraints, and cardinality constraints.
SOME COMMENTS
Strong Points
• The complexity of policy analysis is formally established.
• The paper strikes a balance between expressiveness and efficiency.
• The theory has been validated experimentally, illustrating the applicability
of FORBAC in realistic scenarios.
Weak Points
• The mathematical formulation in some sections is hard to follow and could
have been simplified.
• Some examples are imprecise; better analogies could have made them clearer.
THANK YOU
QUESTIONS
BACKUP SLIDES
AUTHORIZATION INSPECTION FORMULA
∃u, p1, …, pk. Ψ_user(u) ∧ ⋀_{i ≤ k} (Ψi(pi) ∧ Auth(u, pi))
ASSIGNMENT SIMPLIFICATION FORMULA
To check that a FORBAC formula Ψ(x1, x2, …, xk) is equivalent to another
formula Ψ′(x1, x2, …, xk), one determines whether the following formula is
valid:
∀x1, x2, …, xk. Ψ(x1, x2, …, xk) ⟷ Ψ′(x1, x2, …, xk)
This is equivalent to determining whether the following existential FORBAC
formula is unsatisfiable (note that the negation scopes over the whole
biconditional):
∃x1, x2, …, xk. ¬(Ψ(x1, x2, …, xk) ⟷ Ψ′(x1, x2, …, xk))
A model of the latter is a concrete assignment on which the two formulas
disagree.
ROLE SUBSUMPTION FORMULA
Let R1 and R2 be two role templates. We say that R1 subsumes R2 if R1 expands
R2 (every attribute of R2 is also an attribute of R1) and the following formula
is valid:
∀r1:R1, r2:R2. (⋀_{f : R2 ⟶ W} f(r1) = f(r2)) ⟶ ∀p. (PA_R2(r2, p) ⟶ PA_R1(r1, p))
Here f ranges over the attributes of type R2 ⟶ W, with W ∈ {String, Integer}.
In words: let r1 and r2 be role instances of R1 and R2 respectively. If
f(r1) = f(r2) for every attribute f of R2, then every permission assigned to r2
is also assigned to r1.
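The two checks formalised in these backup slides, assignment simplification as an equivalence check and role subsumption as a validity check, run as code on the deck's own examples (the infant rules, and Manager versus Supervisor). This is an added example and not part of the original deck or of the paper's implementation: an enumeration over small constructed domains stands in for the SMT solver, and in each case the search looks for a model of the negated claim, which is exactly the counter-model the solver would report. The customer attributes (age, height in cm), the role templates' attributes (team, budget), the permissions and the PA predicates are all assumptions made for the example.

```python
"""Added example: bounded validity checks for assignment simplification and
role subsumption.  Constructed domains stand in for the SMT solver; nothing
here is from the paper's tooling."""
from itertools import product


def exists_model(domains, formula):
    """Return a valuation over the finite domains (dict name -> value) that
    satisfies formula, or None if none exists.  The valuation is the
    counter-model an SMT solver would hand back for the same query."""
    names = list(domains)
    for values in product(*(domains[n] for n in names)):
        valuation = dict(zip(names, values))
        if formula(valuation):
            return valuation
    return None


def equivalence_counterexample(domains, psi, psi_prime):
    """forall x. Psi(x) <-> Psi'(x) is valid  iff
       exists x. not (Psi(x) <-> Psi'(x)) is unsatisfiable.
    Returns a valuation on which the formulas disagree, or None if equivalent."""
    return exists_model(domains, lambda v: psi(v) != psi_prime(v))


# --- Assignment simplification: the "infant" example ------------------------
# Constructed customer domain (assumption: ages 0..5 years, heights 50..110 cm).
CUSTOMER = {"age": range(0, 6), "height_cm": range(50, 120, 10)}


def rule1(v):            # UA-Rule 1: age < 3
    return v["age"] < 3


def rule2(v):            # UA-Rule 2: age == 2 and height == 1 m
    return v["age"] == 2 and v["height_cm"] == 100


def rule2_wrong(v):      # a variant that rule 1 does NOT cover
    return v["age"] == 3 and v["height_cm"] == 100


def simplify_infant_rules():
    """(Rule 1 or Rule 2) is equivalent to Rule 1 alone: Rule 2 is redundant."""
    return equivalence_counterexample(CUSTOMER, lambda v: rule1(v) or rule2(v), rule1)


def simplify_wrong_variant():
    """With the variant the rules differ; the customer that shows it is returned."""
    return equivalence_counterexample(CUSTOMER, lambda v: rule1(v) or rule2_wrong(v), rule1)


# --- Role subsumption: Manager versus Supervisor ----------------------------
# Attribute domains of the two (assumed) role templates.  Manager expands
# Supervisor because it has every attribute Supervisor has.
SUPERVISOR_ATTRS = {"team": ("ops", "dev")}
MANAGER_ATTRS = {"team": ("ops", "dev"), "budget": (0, 50000)}
PERMS = [{"action": a, "target": t}
         for a in ("read", "approve") for t in ("timesheets", "expenses")]


def pa_supervisor(r, p):          # PA_Supervisor: read timesheets
    return p["target"] == "timesheets" and p["action"] == "read"


def pa_manager(r, p):             # PA_Manager: anything on timesheets, expenses if budgeted
    return p["target"] == "timesheets" or (p["target"] == "expenses" and r["budget"] > 0)


def pa_manager_strict(r, p):      # variant: managers without a budget get nothing
    return r["budget"] > 0 and pa_manager(r, p)


def instances(attrs):
    """All role instances of a template = all valuations of its attributes."""
    return [dict(zip(attrs, vals)) for vals in product(*attrs.values())]


def subsumption_counterexample(r1_attrs, r2_attrs, pa_r1, pa_r2, perms):
    """Witness (r1, r2, p) violating
         forall r1:R1, r2:R2. (AND_f f(r1) = f(r2)) -> forall p. PA_R2(r2,p) -> PA_R1(r1,p)
    or None when R1 subsumes R2.  Refuses templates where R1 does not expand R2,
    since f(r1) is then undefined for some attribute f of R2."""
    if not set(r2_attrs) <= set(r1_attrs):
        raise ValueError("R1 must expand R2 (have every attribute of R2)")
    domains = {"r1": instances(r1_attrs), "r2": instances(r2_attrs), "p": perms}

    def violates(v):
        agree = all(v["r1"][f] == v["r2"][f] for f in r2_attrs)
        return agree and pa_r2(v["r2"], v["p"]) and not pa_r1(v["r1"], v["p"])

    return exists_model(domains, violates)


def manager_subsumes_supervisor():
    return subsumption_counterexample(MANAGER_ATTRS, SUPERVISOR_ATTRS,
                                      pa_manager, pa_supervisor, PERMS)


def strict_manager_subsumes_supervisor():
    return subsumption_counterexample(MANAGER_ATTRS, SUPERVISOR_ATTRS,
                                      pa_manager_strict, pa_supervisor, PERMS)


if __name__ == "__main__":
    print("infant rules redundant:", simplify_infant_rules() is None)
    print("disagreeing customer:", simplify_wrong_variant())
    print("Manager subsumes Supervisor:", manager_subsumes_supervisor() is None)
    print("strict Manager counter-model:", strict_manager_subsumes_supervisor())
```

The infant check returns no model, confirming that UA-Rule 2 adds nothing to UA-Rule 1; the variant returns the two-attribute customer on which the rules disagree. For subsumption, the first call returns None (Manager subsumes Supervisor), while the strict variant returns a manager instance with budget 0, the supervisor instance with the same team, and the read-timesheets permission that the supervisor has but that manager lacks. The explicit expansion check matters: applying the formula with the templates swapped would otherwise silently evaluate a missing attribute.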

Speaker notes

1. Security breaches: an improperly configured firewall, unauthorised database access, access to insider information (e.g. at banks).
2. The most common means of preventing such breaches is access control: users are assigned authorities/permissions. When the system is complex, it is easy to find a way around the mechanism and exploit the system.
3. To simplify the access control mechanism, RBAC comes into the picture.