A safety-checker for the ABACα model
Access control is a fundamental security requirement for computing environments: It controls the ability of a subject to use an object in some specific manner. A subject represents a user and any system process or entity that acts on behalf of a user. Users represent individuals who interact directly or indirectly with a system and have been authenticated and established their identities. Objects are the protected entities, and can represent either system abstractions (e.g., processes, files, or ports) or system resources (e.g., printers).
1 ABAC and ABACα
Attribute-based access control (ABAC) is a logical access control with great flexibility to specify access control policies as rules which get evaluated against the attributes of participating entities (user/subject or subject/object), operations, and the environment relevant to a request. Considerable work has been done and a number of formal models have been proposed recently for ABAC [Jin14, JKS12, PS04]. Among them, ABACα became popular because of its minimal set of features that make it powerful enough to configure the dominant traditional access control models DAC, MAC and RBAC.
A fundamental security problem in the design of ABAC models is safety. According to [HRU76], the safety problem for protection systems is to determine in a given situation whether a subject can acquire a particular right to an object. Recently, it was shown that safety of ABACαis decidable [AS17]. The proof was based on state-matching reduction of safety of ABACα to safety of the preauthorization model UCON, which is known to be decidable [RS16].
ABACα is foundational model for attribute-based access control with a minimal set of capabilities to configure many access control models of interest, including the dominant traditional ones: discretionary (DAC), mandatory (MAC), and role-based (RBAC). A fundamental security problem in the design of ABAC is to ensure safety, that is, to guarantee that a certain subject can never gain certain permissions to access certain object(s).
This problem can be solved nicely in a rule-based framework based on the Log calculus. We have developed a tool built on top of the rule-based capabilities of RhoLog, which allows us to do the following:
-
1.
specify a configuration of interest for ABACα
-
2.
call the method
CheckSafety[cId,]
to check if the configuration guarantees that subject s never gets authorization to exercise permission on an object . If yes, the method returns SAFE, otherwise it returns UNSAFE.
2 Preliminaries
ABACα is a formal model of ABAC with a minimal set of features to configure the traditional models DAC, MAC, and RBAC. Its core components are entities of three kinds: users, subjects, and objects. Users represent human beings who create and modify subjects, and access resources through subjects. Subjects represent processes created by users to perform some actions in the system. Objects represent system entities that should be protected.
Every kind of entity has a fixed set of attributes. Every attribute has a type, scope, and range of possible values. The sets of attributes specific to each kind of entity, together with their type, scope, and range, are specified in a configuration type of ABACα: there will be one configuration type for DAC, and others for MAC, RBAC, etc.
In ABACα, the type of an attribute is either atomic or set. The scope of each attribute is a finite set of values SCOPE. If is of atomic type then it can assume any value from SCOPE, otherwise it can assume any subset of values from SCOPE. Formally, this means that the range Range of possible values of is SCOPE if is of atomic type, and otherwise.
User creation, attribute value assignment of user at creation time, user deletion and modification of a user’s attribute values are operations done by the security administrator and are outside the scope of ABACα. Therefore, in a running configuration of ABACα, the set of existing users is fixed, but the sets of existing subjects and of existing objects may change. The identity of every user is specified by the value of a special attribute "id" of atomic type. In our system, configuration types are declared as follows:
DeclareCfgType[typeId,{"SA","OA",
"Scope"}]
Such a declaration specifies a configuration type with unique identifier typeId (a string), where: , , and are the sets of attributes for users, subjects, and objects, respectively; is their union; the scope of every attribute (a string) is the set bound to identifier in a particular configuration (see below), and its type is , where "Elem" stands for atomic and "Subset" for set.
For example, the configuration type of the discretionary access models DAC (discretionary), MAC (mandatory) and RBAC (role-based) are given by
DeclareCfgType["DAC",{"UA"{"id"},"SA"{"id"},"OA"{"id","r","w"}, "Scope"{"id"["UId","Elem"], "r"["UId","Subset"], "w"["UId","Subset"]}}]
DeclareCfgType["MAC",{"UA"{"id","clearance"}, "SA"{"id","clearance"},"OA"{"sensitivity"}, "Scope"{"id"["UId","Elem"], "clearance"["level","Elem"], "sensitivity"["UId","Elem"]}}]
DeclareCfgType["RBAC",{"UA"{"id","role"}, "SA"{"id","role"},"OA"{"rrole","wrole"}, "Scope"{"id"["UId","Elem"], "role"["roleId","Subset"], "rrole"["roleId","Subset"], "wrole"["roleId","Subset"]}}]We represent the system entities as first-order terms of the form
-
•
-
•
-
•
where are the corresponding attribute values.
Every user has a unique ID, which is the string value of its "id" attribute. Subjects keep track of the ID of their creator in the value of their "id" attribute. We will assume without loss of generality that , and that there is a function which returns the value of the attribute "id" of .
A configuration of ABACα is an instance of a configuration type which specifies (1) the configuration type which it instantiates; the sets of values for the identifiers from the specification of the configuration type; and (3) the initial sets , and of entities (users, subjects, objects) in the configuration. In our tool, the declaration of a concrete configuration of ABACα has the syntax
DeclareConfiguration[cId,
{"CfgType"typeId,
"Users",
"Range""UId",
,
"Subjects","Objects"}
]
Its side effect is to instantiate some globally visible entries:
-
•
CfgType[cId] with typeId,
-
•
Users[cId] with the set of users ,
-
•
every User[cId,] with user , Subjects[cId] with the set of subjects ,
-
•
Objects[cId] with the set of objects .
For example, the following is a declaration of a DAC configuration:
DeclareConfiguration["DAC-Cfg01", {"CfgType"->"DAC", "Users"{"u1"U["id"["u1"]],"u2"U["id"["u2"]], "u3"U["id"["u3"]]}, "Range"{"UId"{"u1","u2","u3"}}, "Subjects"S["id"["u1"]],S["id"["u3"]]}, "Objects"O["id"["u1"],"r"[{"u1","u3"}],"w"[{"u1","u2"}]], O["id"["u1"],"r"[{"u1","u3"}],"w"[{"u2","u3"}]]}}]It specifies an initial system state with three users identified by strings "u1", "u2", "u3"; two subjects; and two objects. The first object grants read access to subjects created by users "u1", "u3" and write access to subjects created by users "u1", "u2". The second object grants read access to subjects created by users "u1", "u3" and write access to subjects created by users "u2", "u3".
The following declaration is for a MAC configuration with five access levels:
DeclareConfiguration["MAC-Cfg01", {"CfgType"->"MAC", "Users"{"u1"U["id"["u1"],"clearance"[3]], "u2"U["id"["u2"],"clearance"[4]]}, "Range"{"UId"{"u1","u2"},"level"->{1,2,3,4,5}}, "Subjects"S["id"["u1"],"clearance"[3]], S["id"["u2"],"clearance"[4]]}, "Objects"O["sensitivity"[1]],O["sensitivity"[4]]}}]Feel free to download the notebook ABAC.nb from
staff.fmi.uvt.ro/~mircea.marin/rholog/ABAC.nb
which contains the implementation of our tool, together with some illustrated examples.
3 A state transition system for ABACα
A system with an initial configuration cId is a state transition system: states are triples consisting of the users (), subjects (), and objects () that exist at that moment in the system and are compatible with the specifications of cId and its configuration type (stored in CfgType[cId]); and transitions correspond to the operations from the functional specification of ABACα. The state components , , are assumed to be multisets because the entities of ABAC are identity-less: their behavior is uniquely determined by the values of their attributes. For this reason, different entities may assume the same term representation in our framework.
We take for granted the functional specification of ABACα given in [AS17]. It consists of six operations:
- subject creation:
-
user can create a new subject if formula holds. This formula belongs to the instance of the common policy language (CPL) that makes use of the attribute values of and .
- subject deletion:
-
is free to delete any subject it created before, that is, a subject for which .
- object creation:
-
can create a new object if boolean formula holds. This formula belongs to the instance of CPL that uses the attribute values of entities and .
- subject modification:
-
can change a subject into if and holds. This formula belongs to the instance of CPL that uses the attribute values of , , and .
- object modification:
-
can change into if holds. This formula belongs to the instance of CPL that uses the attribute values of , , and .
- authorized access:
-
can exercise a permission on if holds. is a finite set of permission IDs (strings) and, for every , formula is from the instance of CPL that uses the attribute values of and .
3.1 Configuration-specific rules
CPL [Jin14] is the common policy language part for the languages used to express the boolean formulas that constrain the operations of the functional specification of ABACα. CPL describes a fragment of first-order logic where quantified formulas must be of the form or with a finite set of values. The host language of RhoLog is Mathematica, which is rich enough to express and decide the quantifier-free constraints of CPL. Moreover, we can eliminate all variable occurrences by repeated applications of the following reductions:
Every configuration type typeId has its own formulas that constrain the functionality of ABACα. These formulas are expressed in instances of CPL. Therefore, we can write rule-based definitions of these conditions, which are specific to every typeId:
typeId::{U[…],S[…]} typeId::{S[…],O[…]} typeId::{U[…],S[…],S[…]} typeId::{S[…],O[…],O[…]} typeId::Auth[] typeId::Auth[] .where , …, are formulas expressed in CPL.
3.2 Auxiliary functions and strategies
Subject and object creation are nondeterministic operations: they can be implemented by guessing the entity, and then creating it if the condition described by the corresponding CPL-formula holds. This process can be implemented in two steps. First, we define the functions sSeed
[cId] which yields
S[]
and oSeed
[cId] which yields the term
O[]For example,
sSeed["Cfg-01"]
yields
S["id"[{"u1","u2","u3"},"Elem"]]and
oSeed["Cfg-01"]
yields the term
O["id"[,"Elem"],"r"[,"Subset"],"w"[,"Subset"]]where is
{"u1","u2","u3"}
.
Next, we use these terms as seeds to produce any subject (resp. object) that may be created. In rule-based thinking, an entity can be produced from the seed term
if and only if the reducibility formulas hold. Incidentally, the attribute type identifiers , are also built-in atomic strategies of Log which guarantee the correctness of this rule-based thinking. Its implementation in Log is straightforward: If we define the strategy "setAt"
with
then the set of entities that can be generated from a seed term is the set of all for which the reducibility formula holds. Continuing this line of reasoning, we can argue that:
-
•
user u can create new subject s iff holds, where the strategy "createS"[cId] is defined by the rule
-
•
subject s can modify its attribute values and become sN iff its user creator u is in set U of existing users and is capable to change s to sN. We express this as the validity of the reducibility formula , where this strategy is defined by the rule
-
•
if the creator of s is an existing user, then the admissible changes of s into sN are defined by the rule
-
•
subject s can change the attributes of object o to become object oN iff holds, where
3.3 The transition system
Except for authorized access, the other five operations from the functional specification of ABACα determine state transitions in its model. Their rule-based specifications are:
In the state transitions defined by these rules, the entity matched by is the selected subject, and the one matched by is the selected object. Subjects may be created, and selected subjects are deleted or modified. Objects may be created, and selected objects are modified. To keep track of the attribute values of a subject or object in a particular state, we define its descendant with respect to a sequence of state transitions.
Suppose is a state for a configuration identified by cId, and . Also, let be a state transition step. The descendants and of and with respect to are defined as follows:
-
•
if and the selected subject from is
-
•
if
-
•
if
-
•
In the unspecified situations we have
Let be a sequence of transition steps and , . If then and . Otherwise, let be the first transition step of , and the sequence of remaining transition steps. In this case and
More generally, we define the set of descendants of from a state as follows:
4 Safety of ABACα
The safety problem for configurations of ABACα is:
- Given
-
a state for an ABACα configuration identified by cId, entities , , and a permission ,
- Decide
-
if there exists a sequence of state transitions
abbreviated , such that and the reducibility formula CfgType[cId]::Auth[] holds.
We start by pointing out a few properties of ABACα that allow us to make some simplifying assumptions.
The five kinds of transitions are influenced only by the selected entities, at most two, and affect only one entity; the other entities of the system state are not affected. In particular:
-
1.
Objects can only participate at changing their own attributes. Since the presence of objects from plays no role in deciding whether holds for some , it is harmless to assume that the initial state is and has no object creation steps.
-
2.
If then holds too, because we can choose the same participating entities to perform the transition. Therefore, it is harmless to assume that has no subject deletion steps.
Thus, it is harmless to assume that (1) has no transition steps of the strategies "deleteSubj"[cId] and "createObj"[cId], and (2) the given state is of the form .
From now on we assume that is a state for an ABACα configuration identified by cId, and that and .
Theorem 4.1
Let and . There exists a derivation such that .
Proof
Let be the creator of . implies the existence of If then the lemma holds for . Note that, if , then can not change its attribute values, thus and the lemma holds for .
The only case left to analyse is when and In this case, there exists a derivation implies the existence of a derivation . By concatenating these two derivations we obtain
Therefore, if then can be extended as follows:
Otherwise, and can be extended as follows:
Theorem 1
There is a derivation such that and CFGType[cId]::Auth[] holds if and only if CFGType[cId]::Auth[] holds for some and .
Proof
If exists then and we can choose the subject such that CfgType[cId]::Auth[] holds.
Conversely, if CfgType[cId]::Auth[] holds for and then, by Lemma 4.1, there exists a derivation such that Therefore, CfgType[cId]::Auth[] holds too.
According to Theorem 1, we can proceed in two steps:
-
1.
look at all possible descendants of ; decide UNSAFE if any of them gets permission on , otherwise compute ,
-
2.
look at all possible descendants of ; decide UNSAFE if any can exercise permission on some , otherwise decide SAFE.
It remains to figure out how to compute and , and how to check if
Auth[
] holds for some and .
For this purpose, we define three strategies:
For this purpose, we define three strategies:
If are sets of subjects and are sets of objects, then:
1) ApplyStg["auth?"[,CfgType[cId]],] returns True iff some can exercise permission on some .
2) ApplyStgList["newModS"[cId,], ] returns all descendants of elements from which are not in .
3) ApplyStgList["newModO"[cId,], ] returns all descendants of elements from produced by some subject from , which are not in .
Step 1
In this step we accumulate the value of in a variable sDESC while checking if some has the authority to exercise permission on . If the creator of is not a user in the given configuration then the only descendant of is , and we only have to check if Auth[]True holds or not. If yes, we decide UNSAFE, otherwise we set .
Otherwise, the creator of is in and where and
Based on this observation, we can interleave the incremental accumulation in sDESC of the elements of with the detection of unsafety when
holds for some :
Note that, before entering the -th loop of while, the values of sDESC and sN are and .
The while loop will terminate because sDESC is finite, therefore for some
Step 2
In this step we accumulate the descendants of in a variable oDESC and report UNSAFE as soon as we detect the truth of the formula
"auth?"[p,CfgType[cId]]::{sDESC,oDESC}
First, we must figure out how to compute oDESC. The only subjects which may change the attribute values of (descendants) of from are those from where sNew is the set of subjects that may be created by users from . can be computed incrementally as follows:
; | ||
; ; | ||
wh | ile do | |
; | ||
AplyStgList["newModS"[cId,sALL],sN]; |
In every loop of while we compute the elements of a nonempty subset which are not yet accumulated in sDESC, and accumulate them in sDESC. The loop will terminate because the set is finite.
It is easy to see that coincides with where and
Based on this observation, we can iterate the computation of together with the test if Auth holds for some and This iterative process stops when we reach a with , and this will eventually happen because is finite.
The final algorithm
By putting together the rule-based algorithms for steps 1 and 2, we obtain the algorithm illustrated in Figure 1.

5 Conclusions
We proved that the safety problem of ABACα can be reduced to checking if holds for some and , and solved it by identifying a rule-based algorithm that interleaves the detection of unsafety with the incremental computation of and .
Our algorithm is parametric with respect to the configuration types of ABACα. Therefore, whenever we want to check that, for a given configuration, a subject never gets authorization to exercise permission on an object , it is enough to do the following: (1) specify the configuration and its type, and (2) call the method
CheckSafety[cId,]
which runs our safety check algorithm.
It returns SAFE if never gets authorization to exercise permission on , and UNSAFE otherwise.
References
- [AS17] T. Ahmed and R. Sandhu. Safety of ABACα is Decidable. In Z. Yan, R. Molva, W. Mazurczyk, and R. Kantola, editors, Network and System Security, page 257–272. Springer International Publishing, 2017.
- [HRU76] M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. Protection in operating systems. Commun. ACM, 19(8):461–471, 1976.
- [Jin14] X. Jin. Attribute-Based Access Control Models and Implementation in Cloud Infrastructure as a Service. PhD thesis, University of Texas at San Antonio, 2014.
- [JKS12] X. Jin, R. Krishnan, and R. Sandhu. A unified attribute-based access control model covering DAC, MAC and RBAC. In N. Cuppens-Boulahia, F. Cuppens, and J. Garcia-Alfaro, editors, Data and Applications Security and Privacy XXVI, volume 7371 of LNCS, pages 41–55. Springer, Berlin, Heidelberg, 2012.
- [PS04] J. Park and R. Sandhu. The UCONABC Usage Control Model. ACM Transactions on Information and System Security (TISSEC), 7(1):161–182, 2004.
- [RS16] P. V. Rajkumar and R. Sandhu. Safety decidability for pre-authorization usage control with finite attribute domains. IEEE Transactions on Dependable and Secure Computing, 13(5):582–590, 2016.