A safety-checker for the ABACα model

Access control is a fundamental security requirement for computing environments: It controls the ability of a subject to use an object in some specific manner. A subject represents a user and any system process or entity that acts on behalf of a user. Users represent individuals who interact directly or indirectly with a system and have been authenticated and established their identities. Objects are the protected entities, and can represent either system abstractions (e.g., processes, files, or ports) or system resources (e.g., printers).

1 ABAC and ABACα

Attribute-based access control (ABAC) is a logical access control with great flexibility to specify access control policies as rules which get evaluated against the attributes of participating entities (user/subject or subject/object), operations, and the environment relevant to a request. Considerable work has been done and a number of formal models have been proposed recently for ABAC [Jin14, JKS12, PS04]. Among them, ABACα became popular because of its minimal set of features that make it powerful enough to configure the dominant traditional access control models DAC, MAC and RBAC.

A fundamental security problem in the design of ABAC models is safety. According to [HRU76], the safety problem for protection systems is to determine in a given situation whether a subject can acquire a particular right to an object. Recently, it was shown that safety of ABACαis decidable [AS17]. The proof was based on state-matching reduction of safety of ABACα to safety of the preauthorization model UCONpreAfinite, which is known to be decidable [RS16].

ABACα is foundational model for attribute-based access control with a minimal set of capabilities to configure many access control models of interest, including the dominant traditional ones: discretionary (DAC), mandatory (MAC), and role-based (RBAC). A fundamental security problem in the design of ABAC is to ensure safety, that is, to guarantee that a certain subject can never gain certain permissions to access certain object(s).

This problem can be solved nicely in a rule-based framework based on the ρLog calculus. We have developed a tool built on top of the rule-based capabilities of RhoLog, which allows us to do the following:

  1. 1.

    specify a configuration of interest for ABACα

  2. 2.

    call the method

    CheckSafety[cId,s,o,p]
    
    to check if the configuration guarantees that subject s never gets authorization to exercise permission p on an object o. If yes, the method returns SAFE, otherwise it returns UNSAFE.

2 Preliminaries

ABACα is a formal model of ABAC with a minimal set of features to configure the traditional models DAC, MAC, and RBAC. Its core components are entities of three kinds: users, subjects, and objects. Users represent human beings who create and modify subjects, and access resources through subjects. Subjects represent processes created by users to perform some actions in the system. Objects represent system entities that should be protected.

Every kind of entity has a fixed set of attributes. Every attribute has a type, scope, and range of possible values. The sets of attributes specific to each kind of entity, together with their type, scope, and range, are specified in a configuration type of ABACα: there will be one configuration type for DAC, and others for MAC, RBAC, etc.

In ABACα, the type of an attribute is either atomic or set. The scope of each attribute at is a finite set of values SCOPE(at). If at is of atomic type then it can assume any value from SCOPE(at), otherwise it can assume any subset of values from SCOPE(at). Formally, this means that the range Range(at) of possible values of at is SCOPE(at) if at is of atomic type, and 2SCOPE(at) otherwise.

User creation, attribute value assignment of user at creation time, user deletion and modification of a user’s attribute values are operations done by the security administrator and are outside the scope of ABACα. Therefore, in a running configuration of ABACα, the set U of existing users is fixed, but the sets S of existing subjects and O of existing objects may change. The identity of every user is specified by the value of a special attribute "id" of atomic type. In our system, configuration types are declared as follows:

DeclareCfgType[typeId,{"SA"{sAt1,,sAtn},"OA"{oAt1,,oAtp},
    "Scope"{at1[sId1,τ1],,atr[sIdr,τr]}}]
Such a declaration specifies a configuration type with unique identifier typeId (a string), where: {uAt1,,uAtm}, $sAt1,,sAtn, and {oAt1,,oAtp} are the sets of attributes for users, subjects, and objects, respectively; {at1,,atr} is their union; the scope of every attribute ati (a string) is the set bound to identifier sIdi in a particular configuration (see below), and its type is τi{"𝙴𝚕𝚎𝚖","𝚂𝚞𝚋𝚜𝚎𝚝"}, where "Elem" stands for atomic and "Subset" for set.

For example, the configuration type of the discretionary access models DAC (discretionary), MAC (mandatory) and RBAC (role-based) are given by

DeclareCfgType["DAC",{"UA"{"id"},"SA"{"id"},"OA"{"id","r","w"},
  "Scope"{"id"["UId","Elem"],
    "r"["UId","Subset"],
    "w"["UId","Subset"]}}]
DeclareCfgType["MAC",{"UA"{"id","clearance"},
    "SA"{"id","clearance"},"OA"{"sensitivity"},
  "Scope"{"id"["UId","Elem"],
    "clearance"["level","Elem"],
    "sensitivity"["UId","Elem"]}}]
DeclareCfgType["RBAC",{"UA"{"id","role"},
    "SA"{"id","role"},"OA"{"rrole","wrole"},
  "Scope"{"id"["UId","Elem"],
    "role"["roleId","Subset"],
    "rrole"["roleId","Subset"],
    "wrole"["roleId","Subset"]}}]
We represent the system entities as first-order terms of the form

  • 𝚄[uAt1[v1],,uAtm[vm]]

  • 𝚂[sAt1[v1],,sAtn[vn]]

  • 𝙾[oAt1[v1],,oAtp[vp]]

where vi are the corresponding attribute values.

Every user has a unique ID, which is the string value of its "id" attribute. Subjects keep track of the ID of their creator in the value of their "id" attribute. We will assume without loss of generality that 𝚞𝙰𝚝=𝚜𝙰𝚝="𝚒𝚍", and that there is a function 𝚄𝙸𝚍[e] which returns the value of the attribute "id" of eUS.

A configuration of ABACα is an instance of a configuration type which specifies (1) the configuration type which it instantiates; the sets of values for the identifiers sIdi from the specification of the configuration type; and (3) the initial sets U,S, and O of entities (users, subjects, objects) in the configuration. In our tool, the declaration of a concrete configuration of ABACα has the syntax

DeclareConfiguration[cId,
 {"CfgType"typeId,
  "Users"{uId1u1,,uIdmum},
  "Range"{"UId"{uId1,,uIdm},
             sId1SCOPE[at1],,sIdrSCOPE[atr],
  "Subjects"{s1,,sn},"Objects"{o1,,oq}}
]
Its side effect is to instantiate some globally visible entries:

  • CfgType[cId] with typeId,

  • Users[cId] with the set of users {u1,,um},

  • every User[cId,uIdi] with user ui, Subjects[cId] with the set of subjects {s1,,sn},

  • Objects[cId] with the set of objects {o1,,oq}.

For example, the following is a declaration of a DAC configuration:

DeclareConfiguration["DAC-Cfg01",
  {"CfgType"->"DAC",
   "Users"{"u1"U["id"["u1"]],"u2"U["id"["u2"]],
             "u3"U["id"["u3"]]},
   "Range"{"UId"{"u1","u2","u3"}},
   "Subjects"{S["id"["u1"]],S["id"["u3"]]},
   "Objects"{O["id"["u1"],"r"[{"u1","u3"}],"w"[{"u1","u2"}]],
               O["id"["u1"],"r"[{"u1","u3"}],"w"[{"u2","u3"}]]}}]
It specifies an initial system state with three users identified by strings "u1", "u2", "u3"; two subjects; and two objects. The first object grants read access to subjects created by users "u1", "u3" and write access to subjects created by users "u1", "u2". The second object grants read access to subjects created by users "u1", "u3" and write access to subjects created by users "u2", "u3".

The following declaration is for a MAC configuration with five access levels:

DeclareConfiguration["MAC-Cfg01",
  {"CfgType"->"MAC",
   "Users"{"u1"U["id"["u1"],"clearance"[3]],
             "u2"U["id"["u2"],"clearance"[4]]},
   "Range"{"UId"{"u1","u2"},"level"->{1,2,3,4,5}},
   "Subjects"{S["id"["u1"],"clearance"[3]],
                S["id"["u2"],"clearance"[4]]},
   "Objects"{O["sensitivity"[1]],O["sensitivity"[4]]}}]
Feel free to download the notebook ABAC.nb from

staff.fmi.uvt.ro/~mircea.marin/rholog/ABAC.nb

which contains the implementation of our tool, together with some illustrated examples.

3 A state transition system for ABACα

A system with an initial configuration cId is a state transition system: states are triples {U,S,O} consisting of the users (U), subjects (S), and objects (O) that exist at that moment in the system and are compatible with the specifications of cId and its configuration type (stored in CfgType[cId]); and transitions correspond to the operations from the functional specification of ABACα. The state components U, S, O are assumed to be multisets because the entities of ABAC are identity-less: their behavior is uniquely determined by the values of their attributes. For this reason, different entities may assume the same term representation in our framework.

We take for granted the functional specification of ABACα given in [AS17]. It consists of six operations:

subject creation:

user uU can create a new subject s if formula 𝙲𝚘𝚗𝚜𝚝𝚛𝚂[u,s] holds. This formula belongs to the instance of the common policy language (CPL) that makes use of the attribute values of u and s.

subject deletion:

uU is free to delete any subject sS it created before, that is, a subject s for which 𝚄𝙸𝚍[u]=𝚄𝙸𝚍[s].

object creation:

sS can create a new object o if boolean formula 𝙲𝚘𝚗𝚜𝚝𝚛𝙾[s,o] holds. This formula belongs to the instance of CPL that uses the attribute values of entities s and o.

subject modification:

uU can change a subject sS into s if 𝚄𝙸𝚍[u]=𝚄𝙸𝚍[s]=𝚄𝙸𝚍[s] and 𝙲𝚘𝚗𝚜𝚝𝚛𝙼𝚘𝚍𝚂[u,s,s] holds. This formula belongs to the instance of CPL that uses the attribute values of u, s, and s.

object modification:

sS can change oO into o if 𝙲𝚘𝚗𝚜𝚝𝚛𝙼𝚘𝚍𝙾[s,o,o] holds. This formula belongs to the instance of CPL that uses the attribute values of s, o, and o.

authorized access:

sS can exercise a permission pP on oO if 𝙰𝚞𝚝𝚑[p,s,o] holds. P is a finite set of permission IDs (strings) and, for every pP, formula 𝙰𝚞𝚝𝚑[p,s,o] is from the instance of CPL that uses the attribute values of s and o.

3.1 Configuration-specific rules

CPL [Jin14] is the common policy language part for the languages used to express the boolean formulas that constrain the operations of the functional specification of ABACα. CPL describes a fragment of first-order logic where quantified formulas must be of the form x𝑠𝑒𝑡.φ or x𝑠𝑒𝑡.φ with set a finite set of values. The host language of RhoLog is Mathematica, which is rich enough to express and decide the quantifier-free constraints of CPL. Moreover, we can eliminate all variable occurrences by repeated applications of the following reductions:

x𝑠𝑒𝑡.φ=v𝑠𝑒𝑡φ[xv]x𝑠𝑒𝑡.φ=v𝑠𝑒𝑡φ[xv]

Every configuration type typeId has its own formulas that constrain the functionality of ABACα. These formulas are expressed in instances of CPL. Therefore, we can write rule-based definitions of these conditions, which are specific to every typeId:

typeId::{U[…],S[…]} φ1
typeId::{S[…],O[…]} φ2
typeId::{U[…],S[…],S[…]} φ3
typeId::{S[…],O[…],O[…]} φ4
typeId::Auth[p1,𝚂[],𝙾[]] φ5,1

typeId::Auth[pr,𝚂[],𝙾[]] φ5,r.
where φ1,φ2,φ3,φ4,φ5,1, …, φ5,r are formulas expressed in CPL.

3.2 Auxiliary functions and strategies

Subject and object creation are nondeterministic operations: they can be implemented by guessing the entity, and then creating it if the condition described by the corresponding CPL-formula holds. This process can be implemented in two steps. First, we define the functions sSeed[cId] which yields

S[sAt1[SCOPE(sAt1),τ1],,sAtn[SCOPE(sAtn),τn]]

and oSeed[cId] which yields the term

O[oAt1[SCOPE(oAt1),τ1],,oAtn[SCOPE(oAtp),τp]]
For example, sSeed["Cfg-01"] yields
S["id"[{"u1","u2","u3"},"Elem"]]
and oSeed["Cfg-01"] yields the term
O["id"[S,"Elem"],"r"[S,"Subset"],"w"[S,"Subset"]]
where S is {"u1","u2","u3"}.

Next, we use these terms as seeds to produce any subject (resp. object) that may be created. In rule-based thinking, an entity E[at1[v1],,atk[vk]] can be produced from the seed term E[at1[scope1,τ1],,atk[scopek,τk]] if and only if the reducibility formulas scopeiτivi hold. Incidentally, the attribute type identifiers τi{"Elem", "Subset"} are also built-in atomic strategies of ρLog which guarantee the correctness of this rule-based thinking. Its implementation in ρLog is straightforward: If we define the strategy "setAt" with

𝚊𝚝𝚝𝚏[𝚜𝚌𝚘𝚙𝚎𝚒,𝚝𝚢𝚙𝚎𝚒]"𝚜𝚎𝚝𝙰𝚝"𝚊𝚝𝚝𝚏[𝚟𝚒](𝚜𝚌𝚘𝚙𝚎𝚒𝚝𝚢𝚙𝚎𝚒𝚟𝚒)
then the set of entities that can be generated from a seed term st is the set of all e for which the reducibility formula st"Fmap"["setAt"]e holds. Continuing this line of reasoning, we can argue that:

  • user u can create new subject s iff 𝚞"createS"[cId]𝚜 holds, where the strategy "createS"[cId] is defined by the rule

    𝚞𝚒"𝚌𝚛𝚎𝚊𝚝𝚎𝚂"[𝚌𝙸𝚍𝚒]𝚜𝚒((𝚜𝚂𝚎𝚎𝚍[𝚌𝙸𝚍𝚒]"𝙵𝚖𝚊𝚙"["𝚜𝚎𝚝𝙰𝚝"]𝚜𝚒)&&
         (𝚄𝙸𝚍[𝚞𝚒]===𝚄𝙸𝚍[𝚜𝚒])&&(𝙲𝚏𝚐𝚃𝚢𝚙𝚎[𝚌𝙸𝚍𝚒]::{𝚞𝚒,𝚜𝚒})
    

  • subject s can modify its attribute values and become sN iff its user creator u is in set U of existing users and is capable to change s to sN. We express this as the validity of the reducibility formula {𝚄,𝚜}"modSA"[cId]𝚜𝙽, where this strategy is defined by the rule

    {𝚄𝚒,𝚜𝚒}"𝚖𝚘𝚍𝚂𝙰"[𝚌𝙸𝚍𝚒]𝚜𝙽𝚒
      ((𝚄𝚜𝚎𝚛[𝚌𝙸𝚍𝚒,𝚄𝙸𝚍[𝚜𝚒]]𝚞𝚒)&&𝙼𝚎𝚖𝚋𝚎𝚛𝚀[𝚄𝚒,𝚞𝚒]&&
      (𝚜𝚂𝚎𝚎𝚍[𝚌𝙸𝚍𝚒]"𝙵𝚖𝚊𝚙"["𝚜𝚎𝚝𝙰𝚝"]𝚜𝙽𝚒)&&(𝚄𝙸𝚍[𝚜𝚒]===𝚄𝙸𝚍[𝚜𝙽𝚒])&&
      (𝙲𝚏𝚐𝚃𝚢𝚙𝚎[𝚌𝙸𝚍𝚒]::{𝚞𝚒,𝚜𝚒,𝚜𝙽𝚒}))
    

  • if the creator of s is an existing user, then the admissible changes of s into sN are defined by the rule

    𝚜𝚒"𝚖𝚘𝚍𝚂𝙰"[𝚌𝙸𝚍𝚒]𝚜𝙽𝚒((𝚜𝚂𝚎𝚎𝚍[𝚌𝙸𝚍𝚒]"𝙵𝚖𝚊𝚙"["𝚜𝚎𝚝𝙰𝚝"]𝚜𝙽𝚒)&&
               (𝚄𝙸𝚍[𝚜]===𝚄𝙸𝚍[𝚜𝙽])&&(𝚄𝚜𝚎𝚛[𝚌𝙸𝚍𝚒,𝚄𝙸𝚍[𝚜𝚒]]𝚞𝚒)&&
               (𝙲𝚏𝚐𝚃𝚢𝚙𝚎[𝚌𝙸𝚍𝚒]::{𝚞𝚒,𝚜𝚒,𝚜𝙽𝚒})
    

  • subject s can change the attributes of object o to become object oN iff {𝚜,𝚘}"modOA"[cId]𝚘𝙽 holds, where

    {𝚜𝚒,𝚘𝚒}"𝚖𝚘𝚍𝙾𝙰"[𝚌𝙸𝚍𝚒]𝚘𝙽𝚒
        ((𝚘𝚂𝚎𝚎𝚍[𝚌𝙸𝚍𝚒]"𝙵𝚖𝚊𝚙["𝚜𝚎𝚝𝙰𝚝"]𝚘𝙽𝚒)&&(𝙲𝚏𝚐𝚃𝚢𝚙𝚎[𝚌𝙸𝚍𝚒]::{𝚜𝚒,𝚘𝚒,𝚘𝙽𝚒}))
    

3.3 The transition system

Except for authorized access, the other five operations from the functional specification of ABACα determine state transitions in its model. Their rule-based specifications are:

{{𝚊𝚜,𝚞𝚒,𝚋𝚜},𝚂𝚒,𝙾𝚒}"𝚌𝚛𝚎𝚊𝚝𝚎𝚂𝚞𝚋𝚓"[𝚌𝙸𝚍𝚒]{{𝚊𝚜,𝚞𝚒,𝚋𝚜},𝙿𝚛𝚎𝚙𝚎𝚗𝚍[𝚂𝚒,𝚜𝚒],𝙾𝚒}
    ((𝚞𝚒"𝚌𝚛𝚎𝚊𝚝𝚎𝚂"[𝚌𝙸𝚍𝚒]𝚜𝚒)&&𝙽𝚘𝚝[𝙼𝚎𝚖𝚋𝚎𝚛𝚀[𝚂𝚒,𝚜𝚒]])
{{𝚊𝚜,𝚞𝚒,𝚋𝚜},{𝚡𝚜,𝚜𝚒,𝚢𝚜},𝙾𝚒}"𝚍𝚎𝚕𝚎𝚝𝚎𝚂𝚞𝚋𝚓"[𝚌𝙸𝚍𝚒]{{𝚊𝚜,𝚞𝚒,𝚋𝚜},{𝚡𝚜,𝚢𝚜},𝙾𝚒}
    (𝚄𝙸𝚍[𝚞𝚒]===𝚄𝙸𝚍[𝚜𝚒]))
{𝚄𝚒,{𝚊𝚜,𝚜𝚒,𝚋𝚜},𝙾𝚒}"𝚌𝚛𝚎𝚊𝚝𝚎𝙾𝚋𝚓"[𝚌𝙸𝚍𝚒]{𝚄𝚒,{𝚊𝚜,𝚜𝚒,𝚋𝚜},𝙿𝚛𝚎𝚙𝚎𝚗𝚍[𝙾𝚒,𝚘𝚒]}
   ((𝚜𝚒"𝚌𝚛𝚎𝚊𝚝𝚎𝙾"[𝚌𝙸𝚍𝚒]𝚘𝚒)&&𝙽𝚘𝚝[𝙼𝚎𝚖𝚋𝚎𝚛𝚀[𝙾𝚒,𝚘𝚒]])
{𝚄𝚒,{𝚊𝚜,𝚜𝚒,𝚋𝚜},𝙾𝚒}"𝚖𝚘𝚍𝚒𝚏𝚢𝚂𝚞𝚋𝚓"[𝚌𝙸𝚍𝚒]{𝚄𝚒,{𝚊𝚜,𝚜𝙽𝚒,𝚋𝚜},𝙾𝚒}
    ({𝚄𝚒,𝚜𝚒"𝚖𝚘𝚍𝚂𝙰"[𝚌𝙸𝚍𝚒]𝚜𝙽𝚒)
{𝚄𝚒,{𝚊𝚜,𝚜𝚒,𝚋𝚜},{𝚡𝚜,𝚘𝚒,𝚢𝚜}}"𝚖𝚘𝚍𝚒𝚏𝚢𝙾𝚋𝚓"[𝚌𝙸𝚍𝚒]{𝚄𝚒,{𝚊𝚜,𝚜𝚒,𝚋𝚜},{𝚡𝚜,𝚘𝙽𝚒,𝚢𝚜}}
    ({𝚜𝚒,𝚘𝚒}"𝚖𝚘𝚍𝙾𝙰"[𝚌𝙸𝚍𝚒]𝚘𝙽𝚒)
In the state transitions defined by these rules, the entity matched by 𝚜𝚒 is the selected subject, and the one matched by 𝚘𝚒 is the selected object. Subjects may be created, and selected subjects are deleted or modified. Objects may be created, and selected objects are modified. To keep track of the attribute values of a subject or object in a particular state, we define its descendant with respect to a sequence Π of state transitions.

Suppose {U,S,O} is a state for a configuration identified by cId, and sS,oO. Also, let π:{U,S,O}𝑠𝑡𝑔𝐼𝑑[cId]{U,S,O} be a state transition step. The descendants descπ(s) and descπ(o) of s and o with respect to π are defined as follows:

  • descπ(s):= if π:{U,S,O}{U,S,O}"𝚍𝚎𝚕𝚎𝚝𝚎𝚂𝚞𝚋𝚓"[cId] and the selected subject from S is s

  • descπ(s):=s if π:{U,S,O}{U,(S{s}){s},O}"𝚖𝚘𝚍𝚂𝙰"[cId]

  • descπ(o):=o if π:{U,S,O}{U,S,(O{o}){o}}"𝚖𝚘𝚍𝙾𝙰"[cId]

  • In the unspecified situations we have descπ(e):=e.

Let Π:{U,S,O}{U,S,O} be a sequence of n0 transition steps and sS, oO. If n=0 then descΠ(s):=s and descΠ(o):=o. Otherwise, let π be the first transition step of Π, and Π the sequence of remaining transition steps. In this case descΠ(o):=descΠ(descπ(o)) and

descΠ(s):={if descπ(s)=,descΠ(descπ(s))otherwise.

More generally, we define the set of descendants of eSO from a state Σ:={U,S,O} as follows:
DescΣ(e):={ee and e=descΠ(e) for some sequence Π of state transitions starting with Σ}.

4 Safety of ABACα

The safety problem for configurations of ABACα is:

Given

a state {U,S,O} for an ABACα configuration identified by cId, entities sS, oO, and a permission pP,

Decide

if there exists a sequence of state transitions
Π:{U,S,O}𝑠𝑡𝑔1{U,S1,O1}𝑠𝑡𝑔n{U,Sn,On}
abbreviated Π:{U,S,O}{U,Sn,On}, such that descΠ(s) and the reducibility formula CfgType[cId]::Auth[p,descΠ(s),descΠ(o)] holds.

We start by pointing out a few properties of ABACα that allow us to make some simplifying assumptions.

The five kinds of transitions are influenced only by the selected entities, at most two, and affect only one entity; the other entities of the system state are not affected. In particular:

  1. 1.

    Objects can only participate at changing their own attributes. Since the presence of objects from O{o} plays no role in deciding whether 𝙰𝚞𝚝𝚑[p,descΠ(s),descΠ(o)] holds for some Π, it is harmless to assume that the initial state is {U,S,{o}) and Π has no object creation steps.

  2. 2.

    If {U,S,O}𝑠𝑡𝑔{U,S,O} then {U,SS′′,O}𝑠𝑡𝑔{U,SS′′,O} holds too, because we can choose the same participating entities to perform the transition. Therefore, it is harmless to assume that Π has no subject deletion steps.

Thus, it is harmless to assume that (1) Π has no transition steps of the strategies "deleteSubj"[cId] and "createObj"[cId], and (2) the given state is of the form {U,S,{o}}.

From now on we assume that Σ:={U,S,{o}} is a state for an ABACα configuration identified by cId, and that sS and pP.

Theorem 4.1

Let sDescΣ(s) and oDescΣ(o). There exists a derivation Π:Σ{U,S,{o}} such that s=descΠ(s).

Proof

Let u be the creator of s. oDescΣ(o) implies the existence of Π1:Σ{U,S′′,{o}}. If sS′′ then the lemma holds for Π=Π1. Note that, if uU, then s can not change its attribute values, thus DescΣ(s)={s}S′′ and the lemma holds for Π=Π1.

The only case left to analyse is when uU and sS′′. In this case, there exists a derivation u"createS"[cId]s0"modSA"[cId]s. sDescΣ(s) implies the existence of a derivation s"modSA"[cId]s. By concatenating these two derivations we obtain

u"createS"[cId]s0"modSA"[cId]s.

Therefore, if s0S′′ then Π1 can be extended as follows:
Π:Σ{U,S′′,{o}}"createSubj"[cId]

{U,S′′{s0},{o}}"modifySubj"[cId]{U,S′′{s},O}.
Otherwise, S′′={s0}S′′′ and Π1 can be extended as follows:
Π:Σ{U,{s0}S′′′,{o}}"modifySubj"[cId]{U,{s}S′′′,{o}}.

Theorem 1

There is a derivation Π:Σ{U,S,{o}} such that descΠ(s) and CFGType[cId]::Auth[p,descΠ(s),o] holds if and only if CFGType[cId]::Auth[p,s,o] holds for some sDescΣ(s) and oDescΣ(o).

Proof

If Π exists then oDescΣ(o) and we can choose the subject s:=descΠ(s)DescΣ(s) such that CfgType[cId]::Auth[p,s,o] holds.

Conversely, if CfgType[cId]::Auth[p,s,o] holds for sDescΣ(s) and oDescΣ(o) then, by Lemma 4.1, there exists a derivation Π:Σ{U,S,{o}} such that s=descsΠ(s). Therefore, CfgType[cId]::Auth[p,descΠ(s),o] holds too.

According to Theorem 1, we can proceed in two steps:

  1. 1.

    look at all possible descendants s of s; decide UNSAFE if any of them gets permission p on o, otherwise compute DescΣ(s),

  2. 2.

    look at all possible descendants o of o; decide UNSAFE if any sDescΣ(s) can exercise permission p on some o, otherwise decide SAFE.

It remains to figure out how to compute DescΣ(s) and DescΣ(o), and how to check if Auth[p,s,o]CfgType[cId]𝚃𝚛𝚞𝚎 holds for some sDescΣ(s) and oDescΣ(o). For this purpose, we define three strategies: For this purpose, we define three strategies:

"𝚊𝚞𝚝𝚑?"[𝚙𝚒,𝚌𝚝𝚒]::{{_𝚜,𝚜𝚒,_𝚜},{_𝚜,𝚘𝚒,_𝚜}}(𝚌𝚝𝚒::𝙰𝚞𝚝𝚑[𝚙𝚒,𝚜𝚒,𝚘𝚒])
{_𝚜,𝚜𝚒,_𝚜}"𝚗𝚎𝚠𝙼𝚘𝚍𝚂"[𝚌𝚒,𝚂𝚒]𝚜𝙽𝚒
    ((𝚜𝚒"𝚖𝚘𝚍𝚂𝙰"[𝚌𝚒]𝚜𝙽𝚒)&&𝙽𝚘𝚝[𝙼𝚎𝚖𝚋𝚎𝚛𝚀[𝚂𝚒,𝚜𝙽𝚒]])
{{_𝚜,𝚜𝚒,_𝚜},{_𝚜,𝚘𝚒,_𝚜}}"𝚗𝚎𝚠𝙼𝚘𝚍𝙾"[𝚌𝚒,𝙾𝚒]𝚘𝙽𝚒
    (({𝚜𝚒,𝚘𝚒}"𝚖𝚘𝚍𝙾𝙰"[𝚌𝚒]𝚘𝙽𝚒)&&𝙽𝚘𝚝[𝙼𝚎𝚖𝚋𝚎𝚛𝚀[𝙾𝚒,𝚘𝙽𝚒]])
If S,S′′ are sets of subjects and O,O′′ are sets of objects, then:
1) ApplyStg["auth?"[p,CfgType[cId]],{S,O}] returns True iff some sS can exercise permission p on some oO.
2) ApplyStgList["newModS"[cId,S′′], S] returns all descendants of elements from S which are not in S′′.
3) ApplyStgList["newModO"[cId,O′′], {S,O}] returns all descendants of elements from O produced by some subject from S, which are not in O′′.

Step 1

In this step we accumulate the value of DescΣ(s) in a variable sDESC while checking if some s𝚜𝙳𝙴𝚂𝙲 has the authority to exercise permission p on o. If the creator of s is not a user in the given configuration then the only descendant of s is s, and we only have to check if Auth[p,s,o]𝙲𝚏𝚐𝚃𝚢𝚙𝚎[cId]True holds or not. If yes, we decide UNSAFE, otherwise we set 𝚜𝙳𝙴𝚂𝙲:={s}.

Otherwise, the creator of s is in U and DescΣ(s)=k=0Sk where S1:={s} and

Sk+1:={s′′i=1kSisSk.s"modSA"[cId]s′′}=𝙰𝚙𝚙𝚕𝚢𝚂𝚝𝚐𝙻𝚒𝚜𝚝["𝚗𝚎𝚠𝙼𝚘𝚍𝚂"[𝚌𝙸𝚍,i=1kSi],Sk]

Based on this observation, we can interleave the incremental accumulation in sDESC of the elements of Sk with the detection of unsafety when 𝙰𝚞𝚝𝚑[p,s,o] holds for some sSk:
[Uncaptioned image]Note that, before entering the k-th loop of while, the values of sDESC and sN are i=1kSi and Sk+1. The while loop will terminate because sDESC is finite, therefore Sn= for some n.

Step 2

In this step we accumulate the descendants of o in a variable oDESC and report UNSAFE as soon as we detect the truth of the formula

"auth?"[p,CfgType[cId]]::{sDESC,oDESC}

First, we must figure out how to compute oDESC. The only subjects which may change the attribute values of (descendants) of o from Σ are those from {s′′sS𝚜𝙽𝚎𝚠.s"modSA"[cId]s′′} where sNew is the set of subjects that may be created by users from U. 𝚜𝙰𝙻𝙻 can be computed incrementally as follows:

𝚜𝙽𝚎𝚠:=uU𝙰𝚙𝚙𝚕𝚢𝚂𝚝𝚐𝙻𝚒𝚜𝚝[u,"createS"[cId]];
𝚜𝙰𝙻𝙻:=; 𝚜𝙽:=S𝚜𝙽𝚎𝚠;
wh ile 𝚜𝙽 do
𝚜𝙰𝙻𝙻:=𝚜𝙰𝙻𝙻𝚜𝙽;
𝚜𝙽:=𝙰𝚙 AplyStgList["newModS"[cId,sALL],sN];

In every loop of while we compute the elements of a nonempty subset 𝚜𝙽S𝚜𝙽𝚎𝚠DescΣ(s) which are not yet accumulated in sDESC, and accumulate them in sDESC. The loop will terminate because the set S𝚜𝙽𝚎𝚠DescΣ(s) is finite.

It is easy to see that DescΣ(o) coincides with k=1Ok where O0:={o} and

Ok+1:={o′′i=1kOis𝚜𝙰𝙻𝙻.oOk.{s,o}"𝚖𝚘𝚍𝙾𝙰"[𝚌𝙸𝚍]o′′}=𝙰𝚙𝚙𝚕𝚢𝚂𝚝𝚐𝙻𝚒𝚜𝚝["𝚗𝚎𝚠𝙼𝚘𝚍𝙾"[𝚌𝙸𝚍,i=1kOi],{𝚜𝙰𝙻𝙻,𝙾𝚔}]

Based on this observation, we can iterate the computation of Ok together with the test if Auth[p,s,o] holds for some s𝚜𝙳𝙴𝚂𝙲 and oOk. This iterative process stops when we reach a k with Ok=, and this will eventually happen because DescΣ(o) is finite.
[Uncaptioned image]

The final algorithm

By putting together the rule-based algorithms for steps 1 and 2, we obtain the algorithm illustrated in Figure 1.

Refer to caption
Figure 1: The safety check algorithm for ABACα.

5 Conclusions

We proved that the safety problem of ABACα can be reduced to checking if 𝙰𝚞𝚝𝚑[p,s,o] holds for some sDescΣ(s) and oDescΣ(o), and solved it by identifying a rule-based algorithm that interleaves the detection of unsafety with the incremental computation of DescΣ(s) and DescΣ(o).

Our algorithm is parametric with respect to the configuration types of ABACα. Therefore, whenever we want to check that, for a given configuration, a subject s never gets authorization to exercise permission p on an object o, it is enough to do the following: (1) specify the configuration and its type, and (2) call the method

CheckSafety[cId,s,o,p]
which runs our safety check algorithm. It returns SAFE if s never gets authorization to exercise permission p on o, and UNSAFE otherwise.

References

  • [AS17] T. Ahmed and R. Sandhu. Safety of ABACα is Decidable. In Z. Yan, R. Molva, W. Mazurczyk, and R. Kantola, editors, Network and System Security, page 257–272. Springer International Publishing, 2017.
  • [HRU76] M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. Protection in operating systems. Commun. ACM, 19(8):461–471, 1976.
  • [Jin14] X. Jin. Attribute-Based Access Control Models and Implementation in Cloud Infrastructure as a Service. PhD thesis, University of Texas at San Antonio, 2014.
  • [JKS12] X. Jin, R. Krishnan, and R. Sandhu. A unified attribute-based access control model covering DAC, MAC and RBAC. In N. Cuppens-Boulahia, F. Cuppens, and J. Garcia-Alfaro, editors, Data and Applications Security and Privacy XXVI, volume 7371 of LNCS, pages 41–55. Springer, Berlin, Heidelberg, 2012.
  • [PS04] J. Park and R. Sandhu. The UCONABC Usage Control Model. ACM Transactions on Information and System Security (TISSEC), 7(1):161–182, 2004.
  • [RS16] P. V. Rajkumar and R. Sandhu. Safety decidability for pre-authorization usage control with finite attribute domains. IEEE Transactions on Dependable and Secure Computing, 13(5):582–590, 2016.