A safety-checker for the ABAC_α model

Access control is a fundamental security requirement for computing environments: It controls the ability of a subject to use an object in some specific manner. A subject represents a user and any system process or entity that acts on behalf of a user. Users represent individuals who interact directly or indirectly with a system and have been authenticated and established their identities. Objects are the protected entities, and can represent either system abstractions (e.g., processes, files, or ports) or system resources (e.g., printers).

1 ABAC and ABAC_α

Attribute-based access control (ABAC) is a logical access control with great flexibility to specify access control policies as rules which get evaluated against the attributes of participating entities (user/subject or subject/object), operations, and the environment relevant to a request. Considerable work has been done and a number of formal models have been proposed recently for ABAC [Jin14, JKS12, PS04]. Among them, ABAC_α became popular because of its minimal set of features that make it powerful enough to configure the dominant traditional access control models DAC, MAC and RBAC.

A fundamental security problem in the design of ABAC models is safety. According to [HRU76], the safety problem for protection systems is to determine in a given situation whether a subject can acquire a particular right to an object. Recently, it was shown that safety of ABAC_αis decidable [AS17]. The proof was based on state-matching reduction of safety of ABAC_α to safety of the preauthorization model UCON ${}^{\rm finite}_{\rm preA}$ , which is known to be decidable [RS16].

ABAC_α is foundational model for attribute-based access control with a minimal set of capabilities to configure many access control models of interest, including the dominant traditional ones: discretionary (DAC), mandatory (MAC), and role-based (RBAC). A fundamental security problem in the design of ABAC is to ensure safety, that is, to guarantee that a certain subject can never gain certain permissions to access certain object(s).

This problem can be solved nicely in a rule-based framework based on the $\rho$ Log calculus. We have developed a tool built on top of the rule-based capabilities of RhoLog, which allows us to do the following:

1.

specify a configuration of interest for ABAC_α
2.
call the method
```
CheckSafety[cId, $s, o, p$ ]
```
to check if the configuration guarantees that subject s never gets authorization to exercise permission p on an object o. If yes, the method returns SAFE, otherwise it returns UNSAFE.

2 Preliminaries

ABAC_α is a formal model of ABAC with a minimal set of features to configure the traditional models DAC, MAC, and RBAC. Its core components are entities of three kinds: users, subjects, and objects. Users represent human beings who create and modify subjects, and access resources through subjects. Subjects represent processes created by users to perform some actions in the system. Objects represent system entities that should be protected.

Every kind of entity has a fixed set of attributes. Every attribute has a type, scope, and range of possible values. The sets of attributes specific to each kind of entity, together with their type, scope, and range, are specified in a configuration type of ABAC_α: there will be one configuration type for DAC, and others for MAC, RBAC, etc.

In ABAC_α, the type of an attribute is either atomic or set. The scope of each attribute $a t$ is a finite set of values SCOPE $(at)$ . If $a t$ is of atomic type then it can assume any value from SCOPE $(at)$ , otherwise it can assume any subset of values from SCOPE $(at)$ . Formally, this means that the range Range $(at)$ of possible values of $a t$ is SCOPE $(at)$ if $a t$ is of atomic type, and $2^{{\rm SCOPE}(at)}$ otherwise.

User creation, attribute value assignment of user at creation time, user deletion and modification of a user’s attribute values are operations done by the security administrator and are outside the scope of ABAC_α. Therefore, in a running configuration of ABAC_α, the set $U$ of existing users is fixed, but the sets $S$ of existing subjects and $O$ of existing objects may change. The identity of every user is specified by the value of a special attribute "id" of atomic type. In our system, configuration types are declared as follows:

DeclareCfgType[typeId,{"SA" $\to\{sAt_{1},\ldots,sAt_{n}\}$ ,"OA" $\to\{oAt_{1},\ldots,oAt_{p}\}$ ,
    "Scope" $\to\{at_{1}\to\bullet[sId_{1},\tau_{1}],\ldots,at_{r}\to\bullet[sId_{r},\tau_{% r}]\}$ }]

Such a declaration specifies a configuration type with unique identifier typeId (a string), where:

\{uAt_{1},\ldots,uAt_{m}\}

\${sAt_{1},\ldots,sAt_{n}}

, and

\{oAt_{1},\ldots,oAt_{p}\}

are the sets of attributes for users, subjects, and objects, respectively;

\{at_{1},\ldots,at_{r}\}

is their union; the scope of every attribute

at_{i}

(a string) is the set bound to identifier

sId_{i}

in a particular configuration (see below), and its type is

\tau_{i}\in\tt\{"Elem","Subset"\}

, where "Elem" stands for atomic and "Subset" for set.

For example, the configuration type of the discretionary access models DAC (discretionary), MAC (mandatory) and RBAC (role-based) are given by

DeclareCfgType["DAC",{"UA" $\to$ {"id"},"SA" $\to$ {"id"},"OA" $\to$ {"id","r","w"},
  "Scope" $\to$ {"id" $\to\bullet$ ["UId","Elem"],
    "r" $\to\bullet$ ["UId","Subset"],
    "w" $\to\bullet$ ["UId","Subset"]}}]

DeclareCfgType["MAC",{"UA" $\to$ {"id","clearance"},
    "SA" $\to$ {"id","clearance"},"OA" $\to$ {"sensitivity"},
  "Scope" $\to$ {"id" $\to\bullet$ ["UId","Elem"],
    "clearance" $\to\bullet$ ["level","Elem"],
    "sensitivity" $\to\bullet$ ["UId","Elem"]}}]

DeclareCfgType["RBAC",{"UA" $\to$ {"id","role"},
    "SA" $\to$ {"id","role"},"OA" $\to$ {"rrole","wrole"},
  "Scope" $\to$ {"id" $\to\bullet$ ["UId","Elem"],
    "role" $\to\bullet$ ["roleId","Subset"],
    "rrole" $\to\bullet$ ["roleId","Subset"],
    "wrole" $\to\bullet$ ["roleId","Subset"]}}]

We represent the system entities as first-order terms of the form

•

${\tt\bullet U}[uAt_{1}[v_{1}],\ldots,uAt_{m}[v_{m}]]$
•

${\tt\bullet S}[sAt_{1}[v_{1}],\ldots,sAt_{n}[v_{n}]]$
•

${\tt\bullet O}[oAt_{1}[v_{1}],\ldots,oAt_{p}[v_{p}]]$

where $v_{i}$ are the corresponding attribute values.

Every user has a unique ID, which is the string value of its "id" attribute. Subjects keep track of the ID of their creator in the value of their "id" attribute. We will assume without loss of generality that $\tt uAt=sAt="id"$ , and that there is a function ${\tt UId}[e]$ which returns the value of the attribute "id" of $e\in\ U\cup S$ .

A configuration of ABAC_α is an instance of a configuration type which specifies (1) the configuration type which it instantiates; the sets of values for the identifiers $sId_{i}$ from the specification of the configuration type; and (3) the initial sets $U, S$ , and $O$ of entities (users, subjects, objects) in the configuration. In our tool, the declaration of a concrete configuration of ABAC_α has the syntax

DeclareConfiguration[cId,
 {"CfgType" $\to$ typeId,
  "Users" $\to\{uId_{1}\to{u}_{1},\ldots,uId_{m}\to{u}_{m}\}$ ,
  "Range" $\to\{$ "UId" $\to\{uId_{1},\ldots,uId_{m}\}$ ,
              $sId_{1}\to{\rm{SCOPE}}[at_{1}],\ldots,sId_{r}\to{\rm{SCOPE}}[at_{r}]$ ,
  "Subjects" $\to\{s_{1},\ldots,s_{n}\}$ ,"Objects" $\to\{o_{1},\ldots,o_{q}\}$ }
]

Its side effect is to instantiate some globally visible entries:

•

CfgType[cId] with typeId,
•

Users[cId] with the set of users $\{u_{1},\ldots,u_{m}\}$ ,
•

every User[cId, $uId_{i}$ ] with user $u_{i}$ , Subjects[cId] with the set of subjects $\{s1,\ldots,s_{n}\}$ ,
•

Objects[cId] with the set of objects $\{o_{1},\ldots,o_{q}\}$ .

For example, the following is a declaration of a DAC configuration:

DeclareConfiguration["DAC-Cfg01",
  {"CfgType"->"DAC",
   "Users" $\to$ {"u1" $\to\bullet$ U["id"["u1"]],"u2" $\to\bullet$ U["id"["u2"]],
             "u3" $\to\bullet$ U["id"["u3"]]},
   "Range" $\to$ {"UId" $\to$ {"u1","u2","u3"}},
   "Subjects" $\to\{\bullet$ S["id"["u1"]], $\bullet$ S["id"["u3"]]},
   "Objects" $\to\{\bullet$ O["id"["u1"],"r"[{"u1","u3"}],"w"[{"u1","u2"}]],
                $\bullet$ O["id"["u1"],"r"[{"u1","u3"}],"w"[{"u2","u3"}]]}}]

It specifies an initial system state with three users identified by strings "u1", "u2", "u3"; two subjects; and two objects. The first object grants read access to subjects created by users "u1", "u3" and write access to subjects created by users "u1", "u2". The second object grants read access to subjects created by users "u1", "u3" and write access to subjects created by users "u2", "u3".

The following declaration is for a MAC configuration with five access levels:

DeclareConfiguration["MAC-Cfg01",
  {"CfgType"->"MAC",
   "Users" $\to$ {"u1" $\to\bullet$ U["id"["u1"],"clearance"[3]],
             "u2" $\to\bullet$ U["id"["u2"],"clearance"[4]]},
   "Range" $\to$ {"UId" $\to$ {"u1","u2"},"level"->{1,2,3,4,5}},
   "Subjects" $\to\{\bullet$ S["id"["u1"],"clearance"[3]],
                 $\bullet$ S["id"["u2"],"clearance"[4]]},
   "Objects" $\to\{\bullet$ O["sensitivity"[1]], $\bullet$ O["sensitivity"[4]]}}]

Feel free to download the notebook ABAC.nb from

staff.fmi.uvt.ro/~mircea.marin/rholog/ABAC.nb

which contains the implementation of our tool, together with some illustrated examples.

3 A state transition system for ABAC_α

A system with an initial configuration cId is a state transition system: states are triples $\{U,S,O\}$ consisting of the users ( $U$ ), subjects ( $S$ ), and objects ( $O$ ) that exist at that moment in the system and are compatible with the specifications of cId and its configuration type (stored in CfgType[cId]); and transitions correspond to the operations from the functional specification of ABAC_α. The state components $U$ , $S$ , $O$ are assumed to be multisets because the entities of ABAC are identity-less: their behavior is uniquely determined by the values of their attributes. For this reason, different entities may assume the same term representation in our framework.

We take for granted the functional specification of ABAC_α given in [AS17]. It consists of six operations:

subject creation:: user $u\in U$ can create a new subject $s$ if formula ${\tt ConstrS}[u,s]$ holds. This formula belongs to the instance of the common policy language (CPL) that makes use of the attribute values of $u$ and $s$ .
subject deletion:: $u\in U$ is free to delete any subject $s\in S$ it created before, that is, a subject $s$ for which ${\tt UId}[u]={\tt UId}[s]$ .
object creation:: $s\in S$ can create a new object $o$ if boolean formula ${\tt ConstrO}[s,o]$ holds. This formula belongs to the instance of CPL that uses the attribute values of entities $s$ and $o$ .
subject modification:: $u\in U$ can change a subject $s\in S$ into $s^{\prime}$ if ${\tt UId}[u]={\tt UId}[s]={\tt UId}[s^{\prime}]$ and ${\tt ConstrModS}[u,s,s^{\prime}]$ holds. This formula belongs to the instance of CPL that uses the attribute values of $u$ , $s$ , and $s^{\prime}$ .
object modification:: $s\in S$ can change $o\in O$ into $o^{\prime}$ if ${\tt ConstrModO}[s,o,o^{\prime}]$ holds. This formula belongs to the instance of CPL that uses the attribute values of $s$ , $o$ , and $o^{\prime}$ .
authorized access:: $s\in S$ can exercise a permission $p\in P$ on $o\in O$ if ${\tt Auth}[p,s,o]$ holds. $P$ is a finite set of permission IDs (strings) and, for every $p\in P$ , formula ${\tt Auth}[p,s,o]$ is from the instance of CPL that uses the attribute values of $s$ and $o$ .

3.1 Configuration-specific rules

CPL [Jin14] is the common policy language part for the languages used to express the boolean formulas that constrain the operations of the functional specification of ABAC_α. CPL describes a fragment of first-order logic where quantified formulas must be of the form $\exists x\in\mathit{set}.\varphi$ or $\forall x\in\mathit{set}.\varphi$ with $s e t$ a finite set of values. The host language of RhoLog is Mathematica, which is rich enough to express and decide the quantifier-free constraints of CPL. Moreover, we can eliminate all variable occurrences by repeated applications of the following reductions:

\displaystyle\exists x\in\mathit{set}.\varphi=\bigvee_{v\in\mathit{set}}% \varphi[x\mapsto v]\qquad\forall x\in\mathit{set}.\varphi=\bigwedge_{v\in% \mathit{set}}\varphi[x\mapsto v]

Every configuration type typeId has its own formulas that constrain the functionality of ABAC_α. These formulas are expressed in instances of CPL. Therefore, we can write rule-based definitions of these conditions, which are specific to every typeId:

typeId::{ $\bullet$ U[…], $\bullet$ S[…]}  $\Leftarrow\varphi_{1}$ 
typeId::{ $\bullet$ S[…], $\bullet$ O[…]}  $\Leftarrow\varphi_{2}$ 
typeId::{ $\bullet$ U[…], $\bullet$ S[…], $\bullet$ S[…]}  $\Leftarrow\varphi_{3}$ 
typeId::{ $\bullet$ S[…], $\bullet$ O[…], $\bullet$ O[…]}  $\Leftarrow\varphi_{4}$ 
typeId::Auth[ $p_{1},\tt\bullet{S}[\ldots],\bullet{O}[\ldots]$ ]  $\Leftarrow\varphi_{5,1}$ 
 $\ldots$ 
typeId::Auth[ $p_{r},\tt\bullet{S}[\ldots],\bullet{O}[\ldots]$ ]  $\Leftarrow\varphi_{5,r}$ .

where

\varphi_{1},\varphi_{2},\varphi_{3},\varphi_{4},\varphi_{5,1}

, …,

\varphi_{5,r}

are formulas expressed in CPL.

3.2 Auxiliary functions and strategies

Subject and object creation are nondeterministic operations: they can be implemented by guessing the entity, and then creating it if the condition described by the corresponding CPL-formula holds. This process can be implemented in two steps. First, we define the functions sSeed[cId] which yields

 $\bullet$ S[ $sAt_{1}[{\rm{}SCOPE}(sAt_{1}),\tau_{1}],\ldots,sAt_{n}[{\rm{}SCOPE}(sAt_{n}),% \tau_{n}]$ ]

and oSeed[cId] which yields the term

 $\bullet$ O[ $oAt_{1}[{\rm{}SCOPE}(oAt_{1}),\tau_{1}],\ldots,oAt_{n}[{\rm{}SCOPE}(oAt_{p}),% \tau_{p}]$ ]

For example, sSeed["Cfg-01"] yields

 $\bullet$ S["id"[{"u1","u2","u3"},"Elem"]]

and oSeed["Cfg-01"] yields the term

 $\bullet$ O["id"[ $S$ ,"Elem"],"r"[ $S$ ,"Subset"],"w"[ $S$ ,"Subset"]]

where

S

is {"u1","u2","u3"}.

Next, we use these terms as seeds to produce any subject (resp. object) that may be created. In rule-based thinking, an entity $E[at_{1}[v_{1}],\ldots,at_{k}[v_{k}]]$ can be produced from the seed term $E[at_{1}[scope_{1},\tau_{1}],\ldots,at_{k}[scope_{k},\tau_{k}]]$ if and only if the reducibility formulas $scope_{i}\to_{\tau_{i}}v_{i}$ hold. Incidentally, the attribute type identifiers $\tau_{i}\in\{\mbox{\tt"Elem"}$ , $\mbox{\tt"Subset"}\}$ are also built-in atomic strategies of $\rho$ Log which guarantee the correctness of this rule-based thinking. Its implementation in $\rho$ Log is straightforward: If we define the strategy "setAt" with

 $\tt{att}^{f}[scope^{i},type^{i}]\to_{"setAt"}att^{f}[v^{i}]\Leftarrow(scope^{i% }\to_{{\tt{type}}^{i}}v^{i})$

then the set of entities that can be generated from a seed term

s t

is the set of all

e

for which the reducibility formula

st\to_{\mbox{\scriptsize\tt"Fmap"["setAt"]}}e

holds. Continuing this line of reasoning, we can argue that:

•

user u can create new subject s iff $\tt u\to_{\mbox{\scriptsize\tt"createS"[{\em cId}]}}s$ holds, where the strategy "createS"[cId] is defined by the rule

 $\tt{u}^{i}\to_{"createS"[cId^{i}]}s^{i}\Leftarrow((sSeed[cId^{i}]\to_{"Fmap"["% setAt"]}s^{i})\mathop{\text{\tt\&\&}}$ 
      $\tt(UId[u^{i}]===UId[s^{i}])\mathop{\text{\tt\&\&}}(CfgType[cId^{i}]::\{u^{i},% s^{i}\})$

•

subject s can modify its attribute values and become sN iff its user creator u is in set U of existing users and is capable to change s to sN. We express this as the validity of the reducibility formula $\tt\{U,s\}\to_{\mbox{\scriptsize\tt"modSA"[{\em cId}]}}sN$ , where this strategy is defined by the rule

 $\tt\{U^{i},s^{i}\}\to_{"modSA"[cId^{i}]}sN^{i}\Leftarrow$ 
   $\tt((User[cId^{i},UId[s^{i}]]\equiv{u}^{i})\mathop{\text{\tt\&\&}}{MemberQ}[U^% {i},u^{i}]\mathop{\text{\tt\&\&}}$ 
   $\tt(sSeed[cId^{i}]\to_{"Fmap"["setAt"]}sN^{i})\mathop{\text{\tt\&\&}}(UId[s^{i% }]===UId[sN^{i}])\mathop{\text{\tt\&\&}}$ 
   $\tt(CfgType[cId^{i}]::\{u^{i},s^{i},sN^{i}\}))$

•

if the creator of s is an existing user, then the admissible changes of s into sN are defined by the rule

 $\tt{s}^{i}\to_{"modSA"[cId^{i}]}sN^{i}\Leftarrow((sSeed[cId^{i}]\to_{"Fmap"["% setAt"]}sN^{i})\mathop{\text{\tt\&\&}}$ 
            $\tt(UId[s]===UId[sN])\mathop{\text{\tt\&\&}}(User[cId^{i},UId[s^{i}]]\equiv{u}% ^{i})\mathop{\text{\tt\&\&}}$ 
            $\tt(CfgType[cId^{i}]{::}\{u^{i},s^{i},sN^{i}\})$

•

subject s can change the attributes of object o to become object oN iff $\tt\{s,o\}\to_{\mbox{\scriptsize\tt"modOA"[{\em cId}]}}oN$ holds, where

 $\tt\{s^{i},o^{i}\}\to_{"modOA"[cId^{i}]}oN^{i}\Leftarrow$ 
     $\tt((oSeed[cId^{i}]\to_{"Fmap["setAt"]}oN^{i})\mathop{\text{\tt\&\&}}(CfgType[% cId^{i}]{::}\{s^{i},o^{i},oN^{i}\}))$

3.3 The transition system

Except for authorized access, the other five operations from the functional specification of ABAC_α determine state transitions in its model. Their rule-based specifications are:

 $\tt\{\{a^{s},u^{i},b^{s}\},S^{i},O^{i}\}\to_{"createSubj"[cId^{i}]}\{\{a^{s},u% ^{i},b^{s}\},Prepend[S^{i},s^{i}],O^{i}\}\Leftarrow$ 
     $\tt((u^{i}\to_{"createS"[cId^{i}]}s^{i})\mathop{\text{\tt\&\&}}{Not}[MemberQ[S% ^{i},s^{i}]])$ 
 $\tt\{\{a^{s},u^{i},b^{s}\},\{x^{s},s^{i},y^{s}\},O^{i}\}\to_{"deleteSubj"[cId^% {i}]}\{\{a^{s},u^{i},b^{s}\},\{x^{s},y^{s}\},O^{i}\}\Leftarrow$ 
     $\tt(UId[u^{i}]===UId[s^{i}]))$ 
 $\tt\{U^{i},\{a^{s},s^{i},b^{s}\},O^{i}\}\to_{"createObj"[cId^{i}]}\{U^{i},\{a^% {s},s^{i},b^{s}\},Prepend[O^{i},o^{i}]\}\Leftarrow$ 
    $\tt((s^{i}\to_{"createO"[cId^{i}]}o^{i})\mathop{\text{\tt\&\&}}{Not}[MemberQ[O% ^{i},o^{i}]])$ 
 $\tt\{U^{i},\{a^{s},s^{i},b^{s}\},O^{i}\}\to_{"modifySubj"[cId^{i}]}\{U^{i},\{a% ^{s},sN^{i},b^{s}\},O^{i}\}\Leftarrow$ 
     $\tt(\{U^{i},s^{i}\to_{"modSA"[cId^{i}]}sN^{i})$ 
 $\tt\{U^{i},\{a^{s},s^{i},b^{s}\},\{x^{s},o^{i},y^{s}\}\}\to_{"modifyObj"[cId^{% i}]}\{U^{i},\{a^{s},s^{i},b^{s}\},\{x^{s},oN^{i},y^{s}\}\}\Leftarrow$ 
     $\tt(\{s^{i},o^{i}\}\to_{"modOA"[cId^{i}]}oN^{i})$

In the state transitions defined by these rules, the entity matched by

\tt s^{i}

is the selected subject, and the one matched by

\tt o^{i}

is the selected object. Subjects may be created, and selected subjects are deleted or modified. Objects may be created, and selected objects are modified. To keep track of the attribute values of a subject or object in a particular state, we define its descendant with respect to a sequence

\Pi

of state transitions.

Suppose $\{U,S,O\}$ is a state for a configuration identified by cId, and $s\in S,o\in O$ . Also, let $\pi:\{U,S,O\}\to_{\mathit{stgId}[\mbox{\scriptsize\tt\em cId}]}\{U,S^{\prime},% O^{\prime}\}$ be a state transition step. The descendants $desc_{\pi}(s)$ and $desc_{\pi}(o)$ of $s$ and $o$ with respect to $\pi$ are defined as follows:

•

$desc_{\pi}(s):=\bot$ if $\pi:\{U,S,O\}\to{\tt{}_{"deleteSubj"[\mbox{\scriptsize\tt\em{cId}}]}}\{U,S^{% \prime},O\}$ and the selected subject from $S$ is $s$
•

$desc_{\pi}(s):=s^{\prime}$ if $\pi:\{U,S,O\}\to{\tt{}_{"modSA"[\mbox{\scriptsize\tt\em{cId}}]}}\{U,(S-\{s\})% \cup\{s^{\prime}\},O\}$
•

$desc_{\pi}(o):=o^{\prime}$ if $\pi:\{U,S,O\}\to{\tt{}_{"modOA"[\mbox{\scriptsize\tt\em{cId}}]}}\{U,S,(O-\{o\}% )\cup\{o^{\prime}\}\}$
•

In the unspecified situations we have $desc_{\pi}(e):=e.$

Let $\Pi:\{U,S,O\}\to^{*}\{U,S^{\prime},O^{\prime}\}$ be a sequence of $n\geq 0$ transition steps and $s\in S$ , $o\in O$ . If $n=0$ then $desc_{\Pi}(s):=s$ and $desc_{\Pi}(o):=o$ . Otherwise, let $\pi$ be the first transition step of $\Pi$ , and $\Pi^{\prime}$ the sequence of remaining transition steps. In this case $desc_{\Pi}(o):=desc_{\Pi^{\prime}}(desc_{\pi}(o))$ and

$\begin{array}[]{l}desc_{\Pi}(s):=\left\{\begin{array}[]{ll}\bot&\text{if }desc% _{\pi}(s)=\bot,\\ desc_{\Pi^{\prime}}(desc_{\pi}(s))&\text{otherwise}.\end{array}\right.\end{array}$

More generally, we define the set of descendants of $e\in S\cup O$ from a state $\Sigma:=\{U,S,O\}$ as follows:
${Desc^{\Sigma}}(e):=\{e^{\prime}\mid\!\!\begin{array}[t]{l}e^{\prime}\neq\bot% \text{ and }e^{\prime}=desc_{\Pi}(e)\text{ for some sequence $\Pi$ of state % transitions starting with }\Sigma\}.\end{array}$

4 Safety of ABAC_α

The safety problem for configurations of ABAC_α is:

Given: a state $\{U,S,O\}$ for an ABAC_α configuration identified by cId, entities $s\in S$ , $o\in O$ , and a permission $p\in P$ ,
Decide: if there exists a sequence of state transitions
$\Pi:\{U,S,O\}\to_{\mathit{stg}_{1}}\{U,S_{1},O_{1}\}\ldots\to_{\mathit{stg}_{n% }}\{U,S_{n},O_{n}\}$
abbreviated $\Pi{:}\{U,S,O\}{\to^{*}}\{U,S_{n},O_{n}\}$ , such that $desc_{\Pi}(s)\neq\bot$ and the reducibility formula CfgType[cId]::Auth[ $p,desc_{\Pi}(s),desc_{\Pi}(o)$ ] holds.

We start by pointing out a few properties of ABAC_α that allow us to make some simplifying assumptions.

The five kinds of transitions are influenced only by the selected entities, at most two, and affect only one entity; the other entities of the system state are not affected. In particular:

1.

Objects can only participate at changing their own attributes. Since the presence of objects from $O-\{o\}$ plays no role in deciding whether ${\tt Auth}[p,desc_{\Pi}(s),desc_{\Pi}(o)]$ holds for some $\Pi$ , it is harmless to assume that the initial state is $\{U,S,\{o\})$ and $\Pi$ has no object creation steps.
2.

If $\{U,S,O\}\to_{\mathit{stg}}\{U,S^{\prime},O^{\prime}\}$ then $\{U,S\cup S^{\prime\prime},O^{\prime}\}\to_{\mathit{stg}}\{U,S\cup S^{\prime% \prime},O^{\prime}\}$ holds too, because we can choose the same participating entities to perform the transition. Therefore, it is harmless to assume that $\Pi$ has no subject deletion steps.

Thus, it is harmless to assume that (1) $\Pi$ has no transition steps of the strategies "deleteSubj"[cId] and "createObj"[cId], and (2) the given state is of the form $\{U,S,\{o\}\}$ .

From now on we assume that $\Sigma:=\{U,S,\{o\}\}$ is a state for an ABAC_α configuration identified by cId, and that $s\in S$ and $p\in P$ .

Theorem 4.1

Let $s^{\prime}\in{Desc^{\Sigma}}(s)$ and $o^{\prime}\in{Desc^{\Sigma}}(o)$ . There exists a derivation $\Pi:\Sigma\to^{*}\{U,S^{\prime},\{o^{\prime}\}\}$ such that $s^{\prime}=desc_{\Pi}(s)$ .

Proof

Let $u$ be the creator of $s$ . $o^{\prime}\in{Desc^{\Sigma}}(o)$ implies the existence of $\Pi_{1}:\Sigma\to^{*}\{U,S^{\prime\prime},\{o^{\prime}\}\}.$ If $s^{\prime}\in S^{\prime\prime}$ then the lemma holds for $\Pi=\Pi_{1}$ . Note that, if $u\not\in U$ , then $s$ can not change its attribute values, thus ${Desc^{\Sigma}}(s)=\{s\}\subseteq S^{\prime\prime}$ and the lemma holds for $\Pi=\Pi_{1}$ .

The only case left to analyse is when $u\in U$ and $s^{\prime}\not\in S^{\prime\prime}.$ In this case, there exists a derivation $u\to_{\mbox{\scriptsize\tt"createS"[{\em{cId}}]}}s_{0}\to_{\mbox{\scriptsize% \tt"modSA"[{\em{cId}}]}}^{*}s.$ $s^{\prime}\in{Desc^{\Sigma}}(s)$ implies the existence of a derivation $s\to_{\mbox{\scriptsize\tt"modSA"[{\em{cId}}]}}^{*}s^{\prime}$ . By concatenating these two derivations we obtain

u\to_{\mbox{\scriptsize\tt"createS"[{\em{cId}}]}}s_{0}\to_{\mbox{\scriptsize% \tt"modSA"[{\em{cId}}]}}^{*}s^{\prime}.

Therefore, if $s_{0}\not\in S^{\prime\prime}$ then $\Pi_{1}$ can be extended as follows:
$\Pi:\Sigma\to^{*}\{U,S^{\prime\prime},\{o^{\prime}\}\}\to_{\mbox{\scriptsize% \tt"createSubj"[\em{cId}}]}$

$\{U,S^{\prime\prime}\uplus\{s_{0}\},\{o^{\prime}\}\}\to_{\mbox{\scriptsize\tt"% modifySubj"[{\em{cId}}]}}^{*}\!\{U,S^{\prime\prime}\uplus\{s^{\prime}\},O^{% \prime}\}.$
Otherwise, $S^{\prime\prime}=\{s_{0}\}\uplus S^{\prime\prime\prime}$ and $\Pi_{1}$ can be extended as follows:
$\Pi:\Sigma\to^{*}\{U,\{s_{0}\}\uplus S^{\prime\prime\prime},\{o^{\prime}\}\}% \to^{*}_{\mbox{\scriptsize\tt"modifySubj"[\em{cId}}]}\{U,\{s^{\prime}\}\uplus S% ^{\prime\prime\prime},\{o^{\prime}\}\}.$

Theorem 1

There is a derivation $\Pi:\Sigma\to^{*}\{U,S^{\prime},\{o^{\prime}\}\}$ such that $desc_{\Pi}(s)\neq\bot$ and CFGType[cId]::Auth[ $p,desc_{\Pi}(s),o^{\prime}$ ] holds if and only if CFGType[cId]::Auth[ $p,s^{\prime},o^{\prime}$ ] holds for some $s^{\prime}\in{Desc^{\Sigma}}(s)$ and $o^{\prime}\in{Desc^{\Sigma}}(o)$ .

Proof

If $\Pi$ exists then $o^{\prime}\in{Desc^{\Sigma}}(o)$ and we can choose the subject $s^{\prime}:=desc_{\Pi}(s){\in}{Desc^{\Sigma}}(s)$ such that CfgType[cId]::Auth[ $p,s^{\prime},o^{\prime}$ ] holds.

Conversely, if CfgType[cId]::Auth[ $p,s^{\prime},o^{\prime}$ ] holds for $s^{\prime}\in{Desc^{\Sigma}}(s)$ and $o^{\prime}\in{Desc^{\Sigma}}(o)$ then, by Lemma 4.1, there exists a derivation $\Pi:\Sigma\to^{*}\{U,S^{\prime},\{o^{\prime}\}\}$ such that $s^{\prime}=descs_{\Pi}(s).$ Therefore, CfgType[cId]::Auth[ $p,desc_{\Pi}(s),o^{\prime}$ ] holds too.

According to Theorem 1, we can proceed in two steps:

1.

look at all possible descendants $s^{\prime}$ of $s$ ; decide UNSAFE if any of them gets permission $p$ on $o$ , otherwise compute ${Desc^{\Sigma}}(s)$ ,
2.

look at all possible descendants $o^{\prime}$ of $o$ ; decide UNSAFE if any $s^{\prime}\in{Desc^{\Sigma}}(s)$ can exercise permission $p$ on some $o^{\prime}$ , otherwise decide SAFE.

It remains to figure out how to compute ${Desc^{\Sigma}}(s)$ and ${Desc^{\Sigma}}(o)$ , and how to check if Auth[ $p,s^{\prime},o^{\prime}$ ] $\tt\to_{\mbox{\scriptsize\tt CfgType[{\em cId}]}}True$ holds for some $s^{\prime}\in{Desc^{\Sigma}}(s)$ and $o^{\prime}\in{Desc^{\Sigma}}(o)$ . For this purpose, we define three strategies: For this purpose, we define three strategies:

 $\tt"auth?"[p^{i},ct^{i}]::\{\{\_^{s},s^{i},\_^{s}\},\{\_^{s},o^{i},\_^{s}\}\}% \Leftarrow(ct^{i}::Auth[p^{i},s^{i},o^{i}])$ 
 $\tt\{\_^{s},s^{i},\_^{s}\}\to_{"newModS"[c^{i},S^{i}]}sN^{i}\Leftarrow$ 
     $\tt((s^{i}\to_{"modSA"[c^{i}]}sN^{i})\mathop{\text{\tt\&\&}}{Not}[MemberQ[S^{i% },sN^{i}]])$ 
 $\tt\{\{\_^{s},s^{i},\_^{s}\},\{\_^{s},o^{i},\_^{s}\}\}\to_{"newModO"[c^{i},O^{% i}]}oN^{i}\Leftarrow$ 
     $\tt((\{s^{i},o^{i}\}\to_{"modOA"[c^{i}]}oN^{i})\mathop{\text{\tt\&\&}}{Not}[% MemberQ[O^{i},oN^{i}]])$

S^{\prime},S^{\prime\prime}

are sets of subjects and

O^{\prime},O^{\prime\prime}

are sets of objects, then:
1) ApplyStg["auth?"[

p

,CfgType[cId]],

\{S^{\prime},O^{\prime}\}

] returns True iff some

s^{\prime}\in S^{\prime}

can exercise permission

p

on some

o^{\prime}\in O^{\prime}

.
2) ApplyStgList["newModS"[cId,

S^{\prime\prime}

S^{\prime}

] returns all descendants of elements from

S^{\prime}

which are not in

S^{\prime\prime}

.
3) ApplyStgList["newModO"[cId,

O^{\prime\prime}

\{S^{\prime},O^{\prime}\}

] returns all descendants of elements from

O^{\prime}

produced by some subject from

S^{\prime}

, which are not in

O^{\prime\prime}

Step 1

In this step we accumulate the value of ${Desc^{\Sigma}}(s)$ in a variable sDESC while checking if some $s^{\prime}\in{\tt sDESC}$ has the authority to exercise permission $p$ on $o$ . If the creator of $s$ is not a user in the given configuration then the only descendant of $s$ is $s$ , and we only have to check if Auth[ $p, s, o$ ] $\tt\to_{CfgType\mbox{\scriptsize\tt[{\em{}cId}]}}$ True holds or not. If yes, we decide UNSAFE, otherwise we set ${\tt sDESC}:=\{s\}$ .

Otherwise, the creator of $s$ is in $U$ and ${Desc^{\Sigma}}(s)=\bigcup_{k=0}^{\infty}S_{k}$ where $S_{1}:=\{s\}$ and

S_{k+1}\begin{array}[t]{l}:=\{s^{\prime\prime}\not\in\bigcup_{i=1}^{k}S_{i}% \mid\exists s^{\prime}\in S_{k}.s^{\prime}\to_{\mbox{\scriptsize\tt"modSA"[{% \em cId}]}}s^{\prime\prime}\}={\tt ApplyStgList["newModS"[cId,}\bigcup_{i=1}^{% k}S_{i}{\tt]},S_{k}{\tt]}\end{array}

Based on this observation, we can interleave the incremental accumulation in sDESC of the elements of $S_{k}$ with the detection of unsafety when ${\tt Auth}[p,s^{\prime},o]$ holds for some $s^{\prime}\in S_{k}$ :
[Uncaptioned image] Note that, before entering the $k$ -th loop of while, the values of sDESC and sN are $\bigcup_{i=1}^{k}S_{i}$ and $S_{k+1}$ . The while loop will terminate because sDESC is finite, therefore $S_{n}=\emptyset$ for some $n\in\mathbb{N}.$

Step 2

In this step we accumulate the descendants of $o$ in a variable oDESC and report UNSAFE as soon as we detect the truth of the formula

"auth?"[p,CfgType[cId]]::{sDESC,oDESC}

First, we must figure out how to compute oDESC. The only subjects which may change the attribute values of (descendants) of $o$ from $\Sigma$ are those from $\left\{s^{\prime\prime}\mid\exists s^{\prime}\in S\cup{\tt sNew}.s^{\prime}\to% ^{*}_{\text{\tt"modSA"[cId]}}s^{\prime\prime}\right\}$ where sNew is the set of subjects that may be created by users from $U$ . ${\tt sALL}$ can be computed incrementally as follows:

${\tt sNew}:=\bigcup_{u\in U}{\tt ApplyStgList}[u,\mbox{\tt"createS"[{\em cId}]}]$ ;
${\tt sALL}:=\emptyset$ ; ${\tt sN}:=S\cup{\tt sNew}$ ;
wh	ile ${\tt sN}\neq\emptyset$ do
	${\tt sALL}:={\tt sALL}\cup{\tt sN}$ ;
	$\tt sN:=Ap$	AplyStgList["newModS"[cId,sALL],sN];

In every loop of while we compute the elements of a nonempty subset ${\tt sN}\subseteq\bigcup_{S\cup{\tt sNew}}{Desc^{\Sigma}}(s)$ which are not yet accumulated in sDESC, and accumulate them in sDESC. The loop will terminate because the set $\bigcup_{S\cup{\tt sNew}}{Desc^{\Sigma}}(s)$ is finite.

It is easy to see that ${Desc^{\Sigma}}(o)$ coincides with $\bigcup_{k=1}^{\infty}O_{k}$ where $O_{0}:=\{o\}$ and

O_{k+1}\begin{array}[t]{l}:=\{o^{\prime\prime}\not\in\bigcup_{i=1}^{k}O_{i}% \mid\exists s^{\prime}\in{\tt sALL}.\exists o^{\prime}\in O_{k}.\{s^{\prime},o% ^{\prime}\}\to_{\tt"modOA"[cId]}o^{\prime\prime}\}\\ ={\tt ApplyStgList["newModO"[cId},\bigcup_{i=1}^{k}O_{i}{\tt],\{sALL,O_{k}\}]}% \end{array}

Based on this observation, we can iterate the computation of $O_{k}$ together with the test if Auth $[p,s^{\prime},o^{\prime}]$ holds for some $s^{\prime}\in{\tt sDESC}$ and $o^{\prime}\in O_{k}.$ This iterative process stops when we reach a $k$ with $O_{k}=\emptyset$ , and this will eventually happen because ${Desc^{\Sigma}}(o)$ is finite.
[Uncaptioned image]

The final algorithm

By putting together the rule-based algorithms for steps 1 and 2, we obtain the algorithm illustrated in Figure 1.

Refer to caption — Figure 1: The safety check algorithm for ABAC_α.

5 Conclusions

We proved that the safety problem of ABAC_α can be reduced to checking if ${\tt Auth}[p,s^{\prime},o^{\prime}]$ holds for some $s^{\prime}\in{Desc^{\Sigma}}(s)$ and $o^{\prime}\in{Desc^{\Sigma}}(o)$ , and solved it by identifying a rule-based algorithm that interleaves the detection of unsafety with the incremental computation of ${Desc^{\Sigma}}(s)$ and ${Desc^{\Sigma}}(o)$ .

Our algorithm is parametric with respect to the configuration types of ABAC_α. Therefore, whenever we want to check that, for a given configuration, a subject $s$ never gets authorization to exercise permission $p$ on an object $o$ , it is enough to do the following: (1) specify the configuration and its type, and (2) call the method

CheckSafety[cId, $s, o, p$ ]

which runs our safety check algorithm. It returns SAFE if

s

never gets authorization to exercise permission

p

o

, and UNSAFE otherwise.

References

[AS17] T. Ahmed and R. Sandhu. Safety of ABAC_α is Decidable. In Z. Yan, R. Molva, W. Mazurczyk, and R. Kantola, editors, Network and System Security, page 257–272. Springer International Publishing, 2017.
[HRU76] M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. Protection in operating systems. Commun. ACM, 19(8):461–471, 1976.
[Jin14] X. Jin. Attribute-Based Access Control Models and Implementation in Cloud Infrastructure as a Service. PhD thesis, University of Texas at San Antonio, 2014.
[JKS12] X. Jin, R. Krishnan, and R. Sandhu. A unified attribute-based access control model covering DAC, MAC and RBAC. In N. Cuppens-Boulahia, F. Cuppens, and J. Garcia-Alfaro, editors, Data and Applications Security and Privacy XXVI, volume 7371 of LNCS, pages 41–55. Springer, Berlin, Heidelberg, 2012.
[PS04] J. Park and R. Sandhu. The UCON_ABC Usage Control Model. ACM Transactions on Information and System Security (TISSEC), 7(1):161–182, 2004.
[RS16] P. V. Rajkumar and R. Sandhu. Safety decidability for pre-authorization usage control with finite attribute domains. IEEE Transactions on Dependable and Secure Computing, 13(5):582–590, 2016.

A safety-checker for the ABACα model

1 ABAC and ABACα

2 Preliminaries

3 A state transition system for ABACα

3.1 Configuration-specific rules

3.2 Auxiliary functions and strategies

3.3 The transition system

4 Safety of ABACα

Theorem 4.1

Proof

Theorem 1

Proof

Step 1

Step 2

The final algorithm

5 Conclusions

References

A safety-checker for the ABAC_α model

1 ABAC and ABAC_α

3 A state transition system for ABAC_α

4 Safety of ABAC_α