Automated Analysis of Scenario-based Specifications of Distributed Access Control Policies with Non-Mechanizable Activities (Extended Version)

TL;DR

This paper introduces an automated method for analyzing scenario-based specifications of distributed access control policies, addressing complex features like certificates and human intervention to ensure secure resource access.

Contribution

It presents a novel automated analysis technique tailored for complex, scenario-based access control policies in open distributed systems, including real-world case studies.

Findings

Effective analysis of complex policies demonstrated

Improved security guarantees for web services

Case study validation in e-government context

Abstract

The advance of web services technologies promises to have far-reaching effects on the Internet and enterprise networks allowing for greater accessibility of data. The security challenges presented by the web services approach are formidable. In particular, access control solutions should be revised to address new challenges, such as the need of using certificates for the identification of users and their attributes, human intervention in the creation or selection of the certificates, and (chains of) certificates for trust management. With all these features, it is not surprising that analyzing policies to guarantee that a sensitive resource can be accessed only by authorized users becomes very difficult. In this paper, we present an automated technique to analyze scenario-based specifications of access control policies in open and distributed systems. We illustrate our ideas on a case study arising in the e-government area.