Automatic error finding in access-control policies
Proceedings of the 18th ACM conference on Computer and communications security
Verifying that access-control systems maintain desired security properties is recognized as an important problem in security. Enterprise access-control systems have grown to protect tens of thousands of resources, and there is a need for verification to scale commensurately. We present techniques for abstraction-refinement and bound-estimation for bounded model checkers to automatically find errors in Administrative Role-Based Access Control (ARBAC) security policies. ARBAC is the first and most comprehensive administrative scheme for Role-Based Access Control (RBAC) systems. In the abstraction-refinement portion of our approach, we identify and discard roles that are unlikely to be relevant to the verification question (the abstraction step). We then restore such abstracted roles incrementally (the refinement steps). In the bound-estimation portion of our approach, we lower the estimate of the diameter of the reachability graph from the worst-case by recognizing relationships between roles and state-change rules. Our techniques complement one another, and are used with conventional bounded model checking. Our approach is sound and complete: an error is found if and only if it exists. We have implemented our technique in an access-control policy analysis tool called Mohawk. We show empirically that Mohawk scales well to realistic policies, and provide a comparison with prior tools.
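The abstraction and refinement steps described above can be seen on a small policy. The following is an added example, not Mohawk's code: it uses explicit-state breadth-first search instead of a bounded model checker, restores roles by following rule preconditions (a simplification), and assumes a constructed policy under separate administration with every admin role occupied. All role names and the `reachable` and `check` functions are hypothetical.

```python
from collections import deque

# Constructed policy. Assumption: separate administration with every admin role
# occupied, so a rule is (positive preconditions, negative preconditions, target).
CAN_ASSIGN = [
    ({"employee"}, set(), "engineer"),
    ({"engineer"}, {"contractor"}, "release_mgr"),
    ({"employee"}, {"engineer"}, "auditor"),       # intended separation of duty
    ({"release_mgr", "auditor"}, set(), "prod_admin"),
    ({"employee"}, set(), "cafeteria"),            # irrelevant to the query
    ({"cafeteria"}, set(), "parking"),             # irrelevant to the query
]
CAN_REVOKE = {"engineer", "contractor", "cafeteria"}

def reachable(initial, goal, roles, assign, revoke):
    """BFS over the user's role sets, using only rules whose roles are all in `roles`."""
    rules = [r for r in assign if (r[0] | r[1] | {r[2]}) <= roles]
    start = frozenset(initial & roles)
    trace, queue = {start: []}, deque([start])
    while queue:
        state = queue.popleft()
        if goal in state:
            return trace[state]
        succ = [(state | {t}, "assign " + t) for pos, neg, t in rules
                if pos <= state and not (neg & state)]
        succ += [(state - {r}, "revoke " + r) for r in sorted(revoke & roles & state)]
        for nxt, step in succ:
            if nxt not in trace:
                trace[nxt] = trace[state] + [step]
                queue.append(nxt)
    return None

def check(initial, goal, assign=CAN_ASSIGN, revoke=CAN_REVOKE):
    """Abstraction-refinement loop; returns (trace or None, roles kept, rounds)."""
    roles, rounds = {goal}, 0                      # abstraction: keep only the goal role
    while True:
        rounds += 1
        found = reachable(initial, goal, roles, assign, revoke)
        if found is not None:                      # a trace over kept rules is valid in the full policy
            return found, roles, rounds
        # Refinement: restore roles named in preconditions of rules targeting kept roles.
        new = set().union(*[pos | neg for pos, neg, t in assign if t in roles]) - roles
        if not new:                                # nothing left to restore: goal is unreachable
            return None, roles, rounds
        roles |= new
```

On this policy, `check({"employee"}, "prod_admin")` finds the error in the third round without ever restoring `cafeteria` or `parking`: the user takes `auditor` before `engineer`, which the negative precondition on `auditor` does not prevent.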