A Uniform Formal Approach to Business and Access Control Models, Policies and their Combinations

by Vahid Reza Karimi

A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Doctor of Philosophy in Computer Science

Waterloo, Ontario, Canada, 2012

© Vahid Reza Karimi 2012

I hereby declare that I am the sole author of this thesis. This is a true copy of the thesis, including any required final revisions, as accepted by my examiners. I understand that my thesis may be made electronically available to the public.

Abstract

Access control represents an important part of security in software systems, since access control policies determine which users of a software system have access to what objects and operations and under what constraints. One can view access control models as providing the basis for access control rules. Further, an access control policy can be seen as a combination of one or more rules, and one or more policies can be combined into a set of access control policies that control access to an entire system. The rules and resulting policies can be combined in many different ways, and the combination of rules and policies are included in policy languages.

Approaches to access control (AC) policy languages, such as XACML, do not provide a formal representation for specifying rule- and policy-combining algorithms or for classifying and verifying properties of AC policies. In addition, there is no connection between the rules that form a policy and the general access control and business models on which those rules are based. Some authors propose formal representations for rule- and policy-combining algorithms. However, the proposed models are not expressive enough to represent formally classes of algorithms related to history of policy outcomes including ordered-permit-overrides, ordered-deny-overrides, and only-one-applicable. In fact, they are not able to express formally any algorithm that involves history including the class related to consensus such as weak-consensus, weak-majority, strong-consensus, strong-majority, and super-majority-permit. In addition, some other authors propose a formal representation but do not present an approach and automated support for the formal verification of any classes of combining algorithms.

The work presented in this thesis provides a uniform formal approach to business and access control models, policies and their combinations. The research involves a new formal representation for access control rules, policies, and their combination and supports formal verification. In addition, the approach explicitly connects the rules to the underlying access control model. Specifically, the approach

• provides a common representation for systematically describing and integrating business processes, access control models, their rules and policies,
• expresses access control rules using an underlying access control model based on an existing augmented business modeling notation,
• can express and verify formally all known policy- and rule-combining algorithms, a result not seen in the literature,
• supports a classification of relevant access control properties that can be verified against policies and their combinations, and
• supports automated formal verification of single policies and combined policy sets based on model checking.

Finally, the approach is applied to an augmented version of the conference management system, a well-known example from the literature. Several properties, whose verification was not possible by prior approaches, such as ones involving history of policy outcomes, are verified in this thesis.

Acknowledgements

I would like to thank my supervisor Professor Donald Cowan for his guidance and financial support during my studies. I also acknowledge my Ph.D. committee members Professors Howard Armitage, Daniel Berry, Michael Godfrey, William McCarthy, and Grant Weddell for their time and efforts to be part of this committee. I would like to thank Research Professor Paulo Alencar for many discussions and his input at the later stage of this study. I am also thankful for financial support from the Ontario Graduate Scholarship in Science and Technology (OGSST) program.

Table of Contents

List of Tables  xiii
List of Figures  xv
1 Introduction  1
  1.1 Contributions  2
  1.2 Research Approach  2
  1.3 Thesis Organization  6
2 Related Work  9
  2.1 Access Control  9
    2.1.1 Access Control Models  10
    2.1.2 Access Control Policies and Policy Languages  13
  2.2 Business Patterns and Business Processes  16
  2.3 Formal Verification  21
    2.3.1 Formal Verification of Access Control Policies  23
    2.3.2 Formal Verification of Business Processes  28
3 Access Control Models, Rules and Policies and their Combinations  31
  3.1 Overview of Representing Classes of AC Models  34
  3.2 Representing Classes of Access Control Models  36
    3.2.1 Modeling Roles and User Assignments  38
    3.2.2 Modeling Permissions  44
    3.2.3 A Core Access Control Model Formed by Combining Patterns  46
    3.2.4 Advantages of the Core Access Control Model  48
    3.2.5 Modeling Constraints, Role Hierarchies, and Mutually Exclusive Roles  52
    3.2.6 Extending the Approach to Describe DAC and MAC  56
  3.3 Defining Access Control Rules based on Models  58
    3.3.1 Access Control Rule Syntax  59
    3.3.2 Description of Access Control Rule Syntax  64
    3.3.3 Access Control Rule Examples  70
    3.3.4 Translation from EBNF to Predicate Logic  73
  3.4 Creating Access Control (AC) Policies from AC Rules  75
    3.4.1 The Use of Algorithmic Forms  76
    3.4.2 The Use of State Machines  76
  3.5 Policy-combining Algorithms  80
  3.6 An Advantage of the Presented Approach  81
4 Specification of Properties for Access Control and Categorization  87
  4.1 Background  87
  4.2 AC Property Specification and Categories  88
    4.2.1 Any Primitives of Agents, Events, and Resources Individually, and in Connection with AC Results  92
    4.2.2 Any Primitives of Agents, Events, and Resources Individually, and their Attributes, and in Connection with AC Results  94
    4.2.3 A Combination of Agents, Events, Resources, and their Relationships, and in Connection with AC Results  96
    4.2.4 A Combination of Agents, Events, Resources, their Attributes, and their Relationships, and in Connection with AC Results  98
  4.3 General Form of AC Property Specification  98
  4.4 Related Work on Property Specifications  101
5 Evaluation: Conference Management Case Study  103
  5.1 CONTINUE, Policies, and Properties  105
  5.2 Business and AC Models, Rules and Combination  106
    5.2.1 Business and AC Models  106
    5.2.2 Access Control Rule  106
    5.2.3 AC Rule Combination by Algorithmic Form and State Machine  109
    5.2.4 An Advantage of the Thesis's Approach  116
  5.3 Formal Analysis  117
    5.3.1 Formal Specification of AC Policies in PROMELA  117
    5.3.2 Formal Specification of AC Properties in LTL  119
    5.3.3 Verification Results and Expressive Advantage  120
  5.4 A Note on the Use of SPIN  123
6 Conclusion  125
  6.1 Summary of Contributions  125
  6.2 Limitations  126
  6.3 Future Work  127
    6.3.1 Other Access Control Models and their Extensions  127
    6.3.2 Rights, Delegations, and Obligations  128
    6.3.3 Analysis and Formal Methods  128
    6.3.4 Privacy  129
    6.3.5 Different Domains  129
APPENDICES  131
A An Overview of REA  133
  A.1 REA as an Ontology  135
  A.2 REA Patterns for Policy-level Specification  137
B BNF and EBNF Definitions  139
  B.1 Access Control Rule in BNF  139
  B.2 Other BNF and EBNF Definitions  143
C A Brief Background on Logic  159
  C.1 Propositional Logic  159
  C.2 Predicate Logic  161
  C.3 Linear Temporal Logic  163
D An Overview of SPIN and Alloy  165
  D.1 SPIN  165
  D.2 Alloy and Example  168
E The CONTINUE Policies and Properties  179
  E.1 The CONTINUE Policies  179
  E.2 The CONTINUE Properties  183
F Other Combining Access Control Algorithms  185
References  197

List of Tables

3.1 Entities and attributes of the role modeling and user assignments pattern in a table format  43
3.2 Entities and attributes of permission modeling pattern  46
3.3 A table representation of policies for the banking example  48
3.4 Additional elements added to access control models  53
3.5 A static separation of duties representation for the banking example  54
3.6 An example
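The abstract draws a line between combining algorithms whose result depends on the history of policy outcomes (only-one-applicable and the consensus family) and override algorithms that do not. The Python below, an added example that is neither the thesis's code nor its notation, makes that distinction concrete by modelling both kinds as state machines fed one policy outcome at a time: the override machines need only a single "decision so far", while the history-dependent ones must accumulate counts. Decision names follow XACML; the exact definitions of the consensus and majority algorithms, and the two-thirds threshold for super-majority-permit, are assumptions, since this front matter names the algorithms without defining them.

```python
"""Policy-combining algorithms as state machines over a stream of policy
outcomes.  Added example, not the thesis's code or notation: decision names
follow XACML, and the consensus/majority definitions are assumptions in the
spirit of the literature (the front matter names them without defining them)."""
from enum import Enum
from typing import Iterable


class Decision(str, Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NA = "NotApplicable"   # the policy did not apply to the request
    IND = "Indeterminate"  # the combiner cannot reach a single decision


class OverrideCombiner:
    """permit-overrides / deny-overrides: a single 'decision so far' is enough
    state, so the machine never needs to remember how many policies said what."""

    def __init__(self, winner: Decision):
        self.winner = winner        # the decision that overrides all others
        self.state = Decision.NA

    def feed(self, d: Decision) -> None:
        # the winning decision is absorbing; any other applicable decision only
        # fills the state while nothing applicable has been seen yet
        if d == self.winner or (d != Decision.NA and self.state == Decision.NA):
            self.state = d

    def decide(self) -> Decision:
        return self.state


class HistoryCombiner:
    """only-one-applicable and the consensus/majority family: the decision
    depends on counts over the whole history of outcomes, not on one value."""

    def __init__(self) -> None:
        self.total = self.permits = self.denies = 0

    def feed(self, d: Decision) -> None:
        self.total += 1
        if d == Decision.PERMIT:
            self.permits += 1
        elif d == Decision.DENY:
            self.denies += 1

    def decide(self, algorithm: str) -> Decision:
        P, D, NA, IND = Decision.PERMIT, Decision.DENY, Decision.NA, Decision.IND
        applicable = self.permits + self.denies
        if applicable == 0:
            return NA                                   # nothing applied at all
        if algorithm == "only-one-applicable":
            return IND if applicable > 1 else (P if self.permits else D)
        if algorithm == "weak-consensus":               # every applicable policy agrees
            return IND if self.permits and self.denies else (P if self.permits else D)
        if algorithm == "strong-consensus":             # every policy, NA included, agrees
            return P if self.permits == self.total else D if self.denies == self.total else IND
        if algorithm == "weak-majority":                # majority among applicable; tie is IND
            return P if self.permits > self.denies else D if self.denies > self.permits else IND
        if algorithm == "strong-majority":              # majority of all policies, NA counts
            return P if 2 * self.permits > self.total else D if 2 * self.denies > self.total else IND
        if algorithm == "super-majority-permit":        # assumed threshold: >= 2/3 of all permit
            return P if 3 * self.permits >= 2 * self.total else D
        raise ValueError(f"unknown combining algorithm: {algorithm}")


OVERRIDE_WINNER = {"permit-overrides": Decision.PERMIT, "deny-overrides": Decision.DENY}


def combine(algorithm: str, outcomes: Iterable[Decision]) -> Decision:
    """Feed the policies' outcomes, in order, to the right state machine."""
    if algorithm in OVERRIDE_WINNER:
        machine = OverrideCombiner(OVERRIDE_WINNER[algorithm])
        for d in outcomes:
            machine.feed(d)
        return machine.decide()
    history = HistoryCombiner()
    for d in outcomes:
        history.feed(d)
    return history.decide(algorithm)


if __name__ == "__main__":
    # Constructed sample: four policies evaluated against one request.
    P, D, NA = Decision.PERMIT, Decision.DENY, Decision.NA
    sample = [P, NA, D, P]
    for name in ["permit-overrides", "deny-overrides", "only-one-applicable",
                 "weak-consensus", "strong-consensus", "weak-majority",
                 "strong-majority", "super-majority-permit"]:
        print(f"{name:22s} -> {combine(name, sample).value}")
```

Running the sample shows why the abstract treats the two families differently: the same four outcomes give Permit under permit-overrides and weak-majority, Deny under deny-overrides and super-majority-permit, and Indeterminate under only-one-applicable, weak-consensus, strong-consensus and strong-majority. A formalism whose state is one current decision can express the first machine but not the second, which is the expressiveness gap the thesis sets out to close.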