Automatic Error Finding in Access-Control Policies
Access-control policies are a key infrastructural technology for computer security. However, a significant problem is that system administrators need to be able to automatically verify whether their policies capture the intended security goals. To address this important problem, researchers have proposed many automated verification techniques. Despite considerable progress in verification techniques, scalability is still a significant issue. Hence, in this paper we propose that error finding complements verification, and is a fruitful way of checking whether or not access control policies implement the security intent of system administrators. Error finding is more scalable (at the cost of completeness), and allows for the use of a wider variety of techniques. In this paper, we describe an abstraction-refinement based technique and its implementation, the Mohawk tool, aimed at finding errors in ARBAC access-control policies. The key insight behind our abstraction-refinement technique is that it is more efficient to look for errors in an abstract policy (with successive refinements, if necessary) than its complete counterpart. Mohawk accepts as input an access-control policy and a safety question. If Mohawk finds an error in the input policy, it terminates with a sequence of actions that cause the error. We provide an extensive comparison of Mohawk with the current state-of-the-art analysis tools. We show that Mohawk scales very well as the size and complexity of the input policies increase, and is orders of magnitude faster than competing tools. The Mohawk tool is open source and available from the Google Code website: http://code.google.com/p/mohawk/
