Exploiting Hot Spots in Heuristic Safety Analysis of

Dynamic Access Control Models

Marius Schlegel

and Winfried E. K

uhnhauser

Technische Universit

at Ilmenau, Germany

Keywords:

Security Engineering, Security Policies, Access Control, Dynamic Access Control Models, Heuristic Safety

Analysis, Security Model Checking, Formal Methods.

Abstract:

Model-based security engineering approaches frequently suffer from computational complexity of model

analysis. As a consequence, a considerable amount of human expertise is involved in the analysis process,

rendering model analysis an expensive approach applied mostly to sophisticated systems with challenging

security requirements. This paper discusses algorithmic foundations for an automated safety analysis of dynamic

access control models. The computational complexity is tackled by a heuristic-based approach, rendering the

analysis algorithm scalable to large real-world access control systems.

1 INTRODUCTION

Security engineering approaches for IT systems with

sophisticated security requirements increasingly apply

security policies for deﬁning and implementing secu-

rity properties. A security policy precisely describes

strategies that implement these requirements. The crit-

ical importance of policy correctness calls for a careful

policy engineering process.

In order to achieve correctness guarantees, model-

based security policy engineering (MSPE) approaches

take advantage of formal models, allowing for rigorous

analysis and proof of a policy’s formalized security

properties (Vimercati et al., 2005, Li and Tripunitara,

2006, Tripunitara and Li, 2007, Jha et al., 2008, Barker,

2009, Basin et al., 2011), some of which are tractable

by static methods, while others require to reason about

the dynamic evolution of a system. Beyond that, secu-

rity models serve as formal speciﬁcations from which

policy implementations are engineered.

In this paper, we focus on dynamic security proper-

ties of dynamic access control (AC) models. They al-

low to reason about authorizations to execute security-

critical operations. Analyzing these properties has

been termed security analysis (Tripunitara and Li,

2007), which can be subdivided in two classes of ques-

tions: Given some dynamic AC model at a model

protection state, is it possible (1.) that some (desired)

property will ever become false; or (2.) that some

https://orcid.org/0000-0001-6596-2823

(undesired) property will ever become true? While

the ﬁrst question mainly deals with availability, the

intention of the second question is to validate restric-

tions on authorized operations which are, for example,

demanded by conﬁdentiality or integrity goals of a

policy. For historical reasons, this second family of

questions is called safety properties.

MSPE is not an easy approach. Especially the anal-

ysis of dynamic models suffers from its computational

complexity and the tractability of large model state

spaces, and in many cases essential model properties

are intractable or even undecidable. As a consequence,

MSPE involves challenging human expertise and thus

is primarily applied in scenarios with quite critical

security requirements.

This paper aims at paving the road to MSPE by

developing foundations for automated model analysis

tools. Focusing on model safety analysis of dynamic

AC models, the paper tackles time and space complex-

ity of heuristic safety analysis algorithms by shifting

the effects of exponential time and space complexity to

model state sizes signiﬁcantly larger than those found

in current real-world policies.

Speciﬁcally, we make the following contributions.

(1.) We argue that the handling of large parameter

spaces offers a great potential for optimizing heuristic

safety analysis algorithms (Sec. 2). (2.) We introduce

a novel approach for restricting large parameter spaces

based on hot spots, enabling more effective and ef-

ﬁcient state transitions, and we demonstrate our ap-

proach for dynamic HRU-type AC models (Sec. 3).

522

Schlegel, M. and Kühnhauser, W.

Exploiting Hot Spots in Heuristic Safety Analysis of Dynamic Access Control Models.

DOI: 10.5220/0009907705220532

In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (ICETE 2020) - SECRYPT, pages 522-532

ISBN: 978-989-758-446-6

(3.) We show that the implementation of our algorithm

offers a signiﬁcant runtime improvement over prior

algorithms (Sec. 4).

2 MODEL SAFETY ANALYSIS

In dynamic AC models, model safety deals with the

fundamental question whether permissions granted

in a given model state may leak to different subjects

in future model states. Safety analyses thus expose

model properties that allow for the prediction of an AC

system’s dynamic behavior. Model safety in general

is a non-decidable problem (Harrison et al., 1976).

While safety-decidable AC models have been proposed

(Harrison and Ruzzo, 1978, Sandhu, 1992, Lipton and

Snyder, 1977) these models generally are targeted to

particular application scenarios and have limitations

in their ability to model complex real-world policies.

For more general models without such limitations

safety analyses fall back to heuristic approaches that

trade accuracy for tractability. Heuristic-based analy-

sis algorithms exploit the fact that the safety problem

is semi-decidable and try to prove that some given

model state is not safe with respect to some right by

ﬁnding a state sequence that leaks this right in some

follow-up state. While they cannot always deliver anal-

ysis results, heuristic analysis algorithms often provide

valuable insights in the reasons for right leakages. Nev-

ertheless, while in general being capable of handling

large and complex models heuristic-based approaches

still severely suffer from computational complexity

and the tractability of large model state spaces.

2.1 Dynamic Access Control Models

One of the earliest AC models for analyzing model

safety is the HRU model (Harrison et al., 1975). While

from today’s perspective the HRU model uses quite

low-level abstractions the model is still among the

most powerful and general AC models. It provides a

calculus for the rigorous speciﬁcation of dynamic AC

policies as well as a foundation for statements about

the complexity of model safety analyses.

HRU models combine AC matrices (ACMs) with

deterministic automatons. Models in the HRU fam-

ily share the idea of modeling the dynamic behavior

of an AC system by state transitions schemes (STSs)

specifying the state transition function of their automa-

tons. Each state of an HRU model reﬂects a single

protection state of an AC system; state transitions –

triggered by inputs to the automaton – are effected by

policy-speciﬁc operations in the STS that modify the

state. Model safety properties now can be analyzed by

observing state transitions effected by input sequences;

in particular, the boundaries of right proliferation can

be explored by state reachability analyses.

State reachability is known to be a non-decidable

problem. As a consequence, the HRU model has

inspired numerous and more restricted offsprings

(Goguen and Meseguer, 1982,Zhang et al., 2005,Mon-

dal et al., 2009, Stoller et al., 2011, Sandhu et al.,

1999, Shariﬁ and Tripunitara, 2013) that render model

safety tractable by tailoring a model calculus to ded-

icated application scenarios, allowing for statements

about worst-case execution times of safety analyses

(Harrison and Ruzzo, 1978, Sandhu, 1992, Lipton and

Snyder, 1977). As a consequence, the resulting safety

analysis algorithms strongly depend on the restrictions

of the respective model calculus and lack the gener-

ality needed for more universal model analysis tools

aiming at a broad scope of HRU model variants.

While in practice HRU models have long

since been supplanted by models supporting more

application-friendly abstractions such as roles (RBAC

models) or attributes (ABAC models), their fundamen-

tal idea of modeling dynamic behavior of AC sys-

tems by deterministic automatons has been adopted

in many HRU offsprings (Sandhu et al., 1999, K

uhn-

hauser and P

olck, 2011, Ranise et al., 2014, Amthor,

2015, Schlegel and Amthor, 2020). In order to be ap-

plicable to all these offsprings our approach aims at

a general foundation for safety analyses of general,

non-restricted HRU models, following the idea that in-

sights in the most general forefather in a model family

are also applicable to his descendants.

2.2 Heuristic Safety Analysis

Because the safety problem for general HRU models is

not decidable, safety analysis algorithms use heuristics

that exploit the semi-decidability of the problem: given

any two states of an AC system with one state being a

follow-up state of the other it is efﬁciently decidable

whether in the follow-up state a right leakage can be

observed. Thus, starting with some initial state, heuris-

tic search algorithms guide a model through its state

space by generating input sequences, feeding them

into the automaton and checking for each reached state

whether it renders the initial state unsafe.

The problem here is the large number of eligible

inputs for each state transition. In any HRU model,

an AC system’s dynamic behavior is modeled by its

STS, consisting of a set of commands where each

command triggers a state transition of the model’s

automaton. As an example, an application system’s

function to delegate a read right to a subject’s deputy

can be modeled by an HRU command consisting of a

Exploiting Hot Spots in Heuristic Safety Analysis of Dynamic Access Control Models

523

command delegateReadRight(

subject

from

,subject

,object) =

if read right ∈ m(subject

from

,object) then

enter read right into m(subject

,object)

ﬁ,

(set of) condition(s) and a (set of) primitive(s) with the

semantics that if the conditions are met by the current

model state, the primitives deﬁne the corresponding

state transition. An eligible input for triggering a state

transition in an HRU model thus consists of a com-

mand name (in the above example delegateReadRight)

and its parameters (values for

subject

from

subject

object).

A simple sample calculation shows that if input

sequences to explore the automaton’s state space are

chosen randomly then the probability of detecting a

state exposing a leakage is extremely small. On a

medium-sized ﬁle server with 100 users,

ﬁles, and

an STS with just 10 commands, each having 3 param-

eters, we encounter

10 · (10

)

= 10

different input

combinations, leading to as many possible follow-up

states. Thus, the probability of randomly hitting param-

eter values that result in a state transition ultimately

leading to a leakage is extremely small. Moreover,

for the second generation of follow-up states we al-

ready encounter

possibilities. With respect to

memory complexity, assuming just 1 byte of memory

required for each cell of the ACM (of size 100 users

·10

objects), the second generation would require

bytes of memory for storing the corresponding

state spaces. It is easy to see that a random search

of the complete state space for states exposing right

leakages is like searching for a needle in a hay stack.

2.3 The DEPSEARCH Heuristics

Other than randomized approaches, successful heuris-

tics generally are well-tailored to the speciﬁc problem

to be solved. The challenge for safety analysis heuris-

tics thus is to exploit model properties that have an

impact on the probability of an input to contribute to a

state sequence that leads from an initial state to some

follow-up state that actually exposes a right leakage.

The DEPSEARCH heuristics (Amthor et al., 2013,

Amthor et al., 2014, Amthor, 2017) exploits the (obvi-

ous) fact that for a right to be leaked into some ACM

cell it is a necessary condition that a command is exe-

cuted that includes a primitive to write this right into an

ACM cell. This command, again, has conditions that

have to be met for its execution, so it, again, depends

on other commands that establish these conditions,

leading to a chain of commands that successively es-

tablish necessary conditions for a right leakage. A

static analysis of a model’s STS discloses such com-

mand dependencies, resulting in a command depen-

dency graph (CDG)

V,E

where vertices

∈ V

represent commands and edges





signify that

has primitives that enter rights into the ACM that are

required by c

(see Fig. 1a and Fig. 1b for examples).

DEPSEARCH now chooses paths from the CDG as

command sequences that are fed into the automaton,

each command having a certain probability to estab-

lish necessary conditions for the next command and

thus moving the automation’s state “nearer” to a state

exposing a right leakage.

Model analysis thus consists of simulating a

model’s automaton by choosing command paths from

the CDG, selecting for each command a parameter

value set (see Sec. 3) and feeding them into a model

simulation engine. Starting with the model’s initial

state, the ﬁrst path component creates a follow-up state,

and the simulation of a complete command sequence

successively adds further states to a simulation’s state

transition tree. Once a path has been completely pro-

cessed, the simulation continues by choosing new com-

mand sequences from the CDG until a state is reached

leaking the target right (Amthor et al., 2013).

As discussed in (Amthor et al., 2013), safety anal-

ysis based on the DEPSEARCH heuristic becomes

tractable for scenarios with model state sizes of up

to 10

ACM cells.

3 HEURISTIC COMMAND

PARAMETER SELECTION

For real-world scenarios with states typically com-

prising over

ACM cells, heuristic safety analysis

algorithms still face effects of an exponential runtime

complexity. At this point, the idea is to shift the bound-

ary where model states become untractable to ACM

sizes signiﬁcantly larger than 10

ACM cells.

During model simulation, for any state transition of

the model’s automaton an input is needed, consisting

of a command to be executed as well as its parameter

values. In the DEPSEARCH heuristic (Amthor et al.,

2013), only commands are selected effectively and

efﬁciently, using the CDG-based command sequence

generation approach. As discussed in Sec. 2.2, in very

large AC model instances there is a huge number of

possible value assignments for command parameters

prohibiting an exhaustive testing of all possible param-

eter values. To tackle the problem of ﬁnding “good”

parameter values (parameter selection problem, PSP),

heuristics become here necessary as well.

SECRYPT 2020 - 17th International Conference on Security and Cryptography

524

3.1 The Role of Working Sets

Our approach to dealing with the PSP lies in the obser-

vation that there is a strong afﬁnity to a fundamental

problem in the virtual memory management (VMM)

of operating systems. Typically, virtual memory is

much larger than physical memory, so that not every

virtual memory page can always be resident in phys-

ical memory. If a page required by a process is not

present in physical memory, a page fault occurs and

a present page frame is cleared to accommodate the

actual page needed. Optimally, the page whose next

use is furthest in future should always be selected for

removal; page replacement algorithms try to achieve

an approximation to this optimum.

Contemporary page replacement algorithms, e. g.

WSClock (Carr and Hennessy, 1981), initially assume

that, due to the locality of page references, memory

access patterns of processes have hot spots in which

almost all accesses take place. Pages belonging to

hot spots are called its working set (i. e. the set of

pages a process is currently using) (Denning, 1968).

Consequently, accesses from a process to pages that

belong to its working set are much more likely than

accesses to pages that do not belong to it. The working

set of a process is determined by the pages last used in

a ﬁxed time interval; pages that do not belong to any

process’ current working set are therefore candidates

for removal from physical memory.

In a nutshell, working sets heuristically limit a

large number of elements to a small number of the

most interesting elements. This offers an interesting

perspective on the PSP: If we can ﬁnd a subset of

ACM cells that are more likely to be required for a

sequence of commands leading to a right leakage, then

the heuristic search algorithm can ignore a large part

of the ACM. In order to make the parameter selection

both efﬁcient and effective, the large number of ACM

cells can be restricted to only those cells which offer

the greatest potential for generating a right leakage.

However, the PSP and the page replacement prob-

lem have also a fundamental difference. Page replace-

ment algorithms can observe and exploit a process’ ref-

erence behavior to form a working set. In contrast, the

situation in heuristic safety analysis is totally different:

The dynamic model behavior is completely simulated

under heuristic control, so that hot spot patterns can

and have to be generated strategically. Therefore, the

heuristic for the PSP lies in how the parameter search

space is strategically constrained to enable both an

effective and efﬁcient parameter selection.

3.2 Parameter Working Sets

Generally, our approach for restricting the command

parameter value space adopts the idea of VMM work-

ing sets by limiting the large number of ACM cells to

only those that have the greatest potential for gener-

ating a right leakage. Here, a working set is a subset

of ACM cells, where each cell is deﬁned by its sub-

ject and object identiﬁers used as command parameter

values. We refer to it as parameter working set (PWS).

In VMM, working sets depend on the execution be-

havior of individual processes rendering them process-

individual. In the context of heuristic safety analyses,

command sequences (paths generated from the CDG)

are executed. And in the same way, PWSs depend on

the execution of individual paths rendering them path-

individual. Analogous to VMM working sets, a PWS

limits the value space for parameter selection and thus

restricts the ACM to the most ﬁlled cells that contain

as many rights as possible to satisfy the conditions of

the current path’s commands.

In order that the execution of a command also leads

to the entering of rights into ACM cells and even ad-

ditionally satisﬁable conditions, these rights must not

yet be present in the cells addressed in the enter right

primitives of that command. In general, this may ap-

ply to many cells. Therefore, to increase the potential

that entered rights lead to additionally satisﬁable con-

ditions of subsequently executed commands (and not

just ﬁll any ACM cells randomly), cells are selected as

parameter values for command bodies (and

enter right

primitives) that are already included in the PWS.

When creating a PWS for a speciﬁc path, all rights

occurring in the conditions of that path’s commands

have to be considered. The generation of a subsequent

path then most likely requires to consider different or

additional rights and regenerating the PWS for that

new path. Since we strive to ﬁll already well-ﬁlled

cells even more to potentially unlock commands which

were not executable before, it would not be sensible to

regenerate the PWS completely from scratch. There-

fore, we add new cells required by a path to the PWS

without removing the previously added cells (knowl-

edge of the past, cf. WSClock (Carr and Hennessy,

1981)). Then, newly added cells can be used to satisfy

command conditions, but contained, well-ﬁlled cells

can still be ﬁlled with rights by command primitives.

However, it is often observable, especially as an

analysis progresses, that an existing PWS is com-

pletely valid for a subsequent path and already meets

the criterion of path speciﬁcity, i. e. conditions of that

path’s commands are satisﬁable by the cells present in

the PWS. Thus, reusing an existing PWS and gentle

fostering is to be preferred over a regeneration. Conse-

Exploiting Hot Spots in Heuristic Safety Analysis of Dynamic Access Control Models

525

quently, in case that not yet all cells belonging to the

PWS are already saturated and commands can still be

executed effectively resulting in new states, a PWS can

be left the same even across the execution of different

paths. In case that neither a right leakage was evoked,

nor new rights were entered, the PWS seemingly is

inadequate and must be fostered. Therefore, a PWS is

used for subsequent paths only until the execution of

such a command sequence was completely ineffective

and did not result in a single new state.

3.3 The WSDEPSEARCH Algorithm

In this section, the described parameter space approach

based on working sets is speciﬁed as the working-

set-based dependency search (WSDEPSEARCH) al-

gorithm building upon previous works (Amthor et al.,

2013, Amthor et al., 2014, Amthor, 2017).

In the ﬁrst phase, a static analysis of the HRU

STS is performed to construct the CDG (see (Amthor,

2017, p. 5, Alg. 2)). It yields a graph-based descrip-

tion of inter-command dependencies, constituted by

entering (as part of primitives) and requiring (as part

of conditions) the same right in two different com-

mands. The CDG is recursively assembled in a way

that all paths from vertices without incoming edges

to vertices without outgoing edges indicate input se-

quences for reaching

target

from

. To achieve this,

two virtual commands

and

target

are generated

(by

createCDGSource

and

createCDGSink

is the

source of all paths in the CDG, since it mimics the

state

to be analyzed, represented by a virtual com-

mand speciﬁcation added to the set

of all com-

mands. It is generated by encoding the ACM m

the body of

. In a similar manner,

target

is the sink

of all paths in the CDG, which represents all possible

states

target

by checking the presence of the target

right

target

in some cell of m

. In order to determine

predecessor-edges between a command

and other

commands that establish necessary conditions for it to

be executed (

predecessors

buildPredSet

returns a set

P = {c ∈ C|c.Prim.Enter .Rights ∩v.Cond.Rights 6=

where

c.Prim.Enter.Rights

denotes the set of rights en-

tered by primitives of

and

v.Cond.Rights

denotes the

rights required to satisfy conditions of command v.

In the second phase, the dynamic analysis, the

CDG is used to guide state transitions by generating

input sequences to the automaton. The commands in

each sequence are chosen according to different paths

from

target

(see (Amthor, 2017, p. 5, Alg. 1)).

Paths are generated based on a modiﬁed ant algorithm:

with each edge traversed to generate an input sequence,

the algorithm increases an edge weight (“scent”

in-

creased by

) which has a repellent effect for the next

In: – W ⊆ S × O: current PWS

– R

path

: set of rights required in the conditions of the

path’s commands

– q =

S,O, m

: current model state

Out: – W: PWS for path

procedure addParameters( )

← CW.someMember;

maxr ← |m(s

) ∩ R

path

for

s,o

∈ CW do

if |m(s,o) ∩ R

path

| > maxr then

← s; o

← o;

maxr ← |m(s

) ∩ R

path

if maxr > 0 then

W ← W ∪ {

};

CW ← CW ∩ {

};

path

← R

path

∩ m(s

);

if R

path

0 and CW 6=

0 then

addParameters( );

CW ←

for

s,o

∈ m do

s,o

/∈ W and m(s,o) ∩ R

path

0 then

CW ← CW ∪ {

s,o

};

if CW 6=

0 and W 6=

0 then

addParameters( );

else

s ← S.someMember; o ← O.someMember;

W ← W ∪ {

s,o

};

return W;

Algorithm 1: PWSGeneration.

iteration of the CDG traversal. Since the path gener-

ation always selects edges with lower scents before

such with higher scents (

lowestScent

), a uniform cov-

erage of the CDG is achieved and, thus, the threat of

running and staying in blind alleys is countered. As a

prerequisite for the PWS generation, with each edge

added to a path, the set

path

of all rights required in

the conditions of that path’s commands is ﬁlled.

Based on the PWS approach, Alg. 1 outlines their

generation and fostering. First, ACM cells are col-

lected in the set of cells

that qualify as PWS mem-

ber candidates. For this, cells have to satisfy at least

one condition of a current path’s command, i. e. hold at

least one right of

path

, and may not yet be element of

the PWS. Subsequently, the actual PWS members are

determined (addParameters). In each recursive step, a

new member cell is added to the PWS. For reasons of

efﬁciency, the algorithm always selects as few cells as

possible, but adds those with the greatest potential for

contributing to a right leakage. Therefore, a member

candidate to be added to the PWS is required to con-

tain most of the rights not yet considered compared

to all other candidates (such that

(s,o) ∩ R

path

| =

max

∈CW

) ∩ R

path

), where at least one

SECRYPT 2020 - 17th International Conference on Security and Cryptography

526

In: – C: the model’s STS

– q

: state the safety of which is to be analyzed

– r

target

: target right

Out: – stateSeq: state sequence leaking r

target

function

isLeaked(

in q =

S,O, m

∈ Q

in q

∈ Q)

for s ∈ S ∩ S

for o ∈ O ∩ O

if r

target

/∈ m(s,o) ∧ r

target

∈ m

(s,o) then

return true;

return false;

q ← q

; stateSeq ← q;

V,E

,d,

d, c

← CDGAssembly(C,q, r

target

);

W ←

0; effCount ← 0;

repeat

path,d,R

path

← CDGPathGeneration(

V,E

,d,

d, c

);

if effCount = 0 then

W ← PWSGeneration(W , R

path

,q);

effCount ← 0;

while c ← path.nextCommand do

← δ(q,c, selectParameters(W,c));

if q

/∈ stateSeq then

effCount ← effCount + 1;

stateSeq ← stateSeq ◦ q

;

q ← q

;

until isLeaked(q

target

);

return stateSeq;

Algorithm 2: WSDEPSEARCH.

new right must be present in that cell (i. e. m

(s,o) ∩

path

). If one of the candidate cells meets those

requirements, it is added to the PWS

, removed from

, and the cell’s rights are removed from

path

. This

procedure is called recursively until

path

is empty (i. e.

all required rights have been considered) or none of

the remaining candidates meets the requirements.

Finally, we have speciﬁed the WSDEPSEARCH

algorithm in Alg. 2 using (Amthor, 2017, Alg. 2),

(Amthor, 2017, Alg. 1) and Alg. 1. WSDEPSEARCH

successively generates input sequences by traversing

the CDG on every possible path and, depending on the

success of the previous path in terms of resulting effec-

tive steps, modiﬁes the PWS. With parameter values

selected from the PWS (

selectParameters

), the execu-

tion of each command is simulated by the algorithm,

and once a CDG path is completed, the violation of

the HRU safety criteria is checked (isLeaked).

Runtime and Space Complexity.

The CDG assem-

bly runs in

O(n

)

, where

is the number of commands

in the model’s STS. The CDG requires a space com-

plexity of

O(|V | + |E|)

using an adjacency list repre-

sentation, where a quadratic worst case complexity

occurs only in the untypical case of a complete CDG.

The CDG path generation runs in

O(n)

, because due

to the minimum scent of each path, eventual cycles

occur at most once in a path (Amthor et al., 2013).

The PWS generation (Alg. 1) has a computational run-

time complexity of

O((|S

× O

path

)

, where

and

are the subject and object sets in model state

In worst case, each ACM cell is added to the PWS

candidate set and checked for the presence of a par-

ticular right of

path

(each call of addParameters). A

PWS can require a worst case space complexity of

O(|S

× O

(ACM dimensions), although the PWS

size in the evaluation was never larger than 1 % of the

ACM’s size. The actual parameter selection (selectPa-

rameters in Alg. 2) using a brute force scheme runs in

O(max(|S

|,|O

)

, where

and

as above, and

denotes the maximum number of command parame-

ters. Finally, due to the semi-decidable nature of the

safety problem, we can tell nothing about the total

number of steps taken by the heuristic (Alg. 2).

4 EVALUATION

This section presents the evaluation of the WSDEP-

SEARCH heuristic. Two major goals are addressed:

(1.) the practical feasibility regarding runtime perfor-

mance of analyses of real-world sized AC model in-

stances, and (2.) the relative heuristic quality. Evalua-

tion subject is the WSDEPSEARCH algorithm (Alg. 2).

4.1 Evaluation Method

The evaluation goals are examined by measuring analy-

sis runtimes. To obtain meaningful results, the models

used must cover two key performance indicators of

analyses in practice: (1.) STS scheme complexity in

terms of command dependencies and (2.) model state

size in terms of ACM size.

For the practical feasibility evaluation, we consider

two different types of models: hybrid RBAC/HRU

(role-based AC) models of a health care information

system (HIS) security policy serve as realistic scenar-

ios, and synthetic high-dependency HRU models with

STSs designed to contain well-hidden right leaks serve

as stress-tests (with a big calculation effort). By using

randomly initialized ACMs with up to

2 · 10

cells, we

cover model state sizes of practical AC systems.

The relative quality is evaluated by comparing WS-

DEPSEARCH with the classical DEPSEARCH using a

brute-force parameter search in the whole ACM. The

same realistic and synthetic models are used as test

cases, but due to longer simulation times lower limits

on the number of ACM cells are used.

Exploiting Hot Spots in Heuristic Safety Analysis of Dynamic Access Control Models

527

Basically, the test procedure is as follows: When-

ever the heuristic is executed, it selects a particular

model state from the state transition tree (STT), a com-

mand from the STS, and a parameter vector. These

inputs are passed to a simulation engine implement-

ing the deterministic state machine of an HRU model,

which eventually triggers a state transition. A possible

reason for a failing transition may be that conditions

of a command cannot be satisﬁed, or that primitives

do not modify the given state at all. If a transition was

successful and led to a new follow-up state, this state

is inserted into the STT. The result of a transition is

passed to the heuristic which then selects a new input.

Each of these iterations is called a step. Since a heuris-

tic does not necessarily trigger a transition to a new

state, we call those steps that actually do effective.

To judge the results, three different measures are

used: effective step count (ESC), effective step time

(EST), and total runtime of a heuristic. The ESC is

the total count of effective steps required to leak a tar-

get right, while the EST is the average time required

to make an effective step (including any ineffective

steps within that time). For the feasibility evaluation,

we performed a runtime comparison of the WSDEP-

SEARCH algorithm for all test models, that allows for

performance estimations regarding both average and

worst-case runtime. The qualitative comparison with

DEPSEARCH is done based on the total runtime and

the measures of ESC and EST.

The remainder of this section addresses the evalua-

tion method in detail: it describes the used models, the

selection of parameter values, the test input conﬁgura-

tions and the execution environment.

4.1.1 Test Cases

HIS Models.

The realistic models are based on

a security policy of a real-world HIS for an aged-

care facility introduced by (Evered and B

ogeholz,

2004) and rendered more precisely by (Gofman et al.,

2009, Stoller et al., 2011) to develop a formal static

RBAC model (Sandhu et al., 1996) with 20 roles, a

role hierarchy, and separation-of-duty focusing on role

exclusion. To describe dynamic behavior, (Amthor

et al., 2013) enhanced the model by a state automaton

along with a STS with 16 commands. The result are

two hybrid RBAC

/HRU models, HIS I and HIS II,

each focusing on certain parts of the original RBAC

model

to allow for analyses of relevant aspects.

Regarding the dynamic behavior of RBAC/HRU

models, two analysis questions are practically relevant.

(1.) Given some state, is it possible that a user

is ever

Note that due to simplicity, sessions and object attributes

were omitted.

assigned a role

? In terms of model abstractions, the

dynamics of the user-to-role assignment

are exam-

ined: Given an STS, if a tuple

u,r

can ever become

an element of

, the corresponding state is consid-

ered not safe with respect to that role (cf. user-role

reachability in (Sasturkar et al., 2011)). Analogously,

the second question deals with the permission-to-role

assignment

: (2.) Given some state, is it possible

that a role

is assigned a permission

o,op

, i. e. an op-

eration on an object? In this case, we call such a state

not safe with respect to that operation (cf. permission-

role reachability in (Sasturkar et al., 2011)).

The HIS I model focuses on user-to-role assign-

ment and separation-of-duty based on role exclusion.

Its state

q =





is described by the user set

of the original RBAC model as the subject set

, the

RBAC object set as

, and an ACM

: S

× O

→

roles

which maps a user-object-pair to a set of roles.

Any STS command is guarded by at least one condi-

tion of the type “a user has to own a speciﬁc role for

a speciﬁc object”. The HIS I model implements role

exclusion by negative roles: Since conditions in HRU-

like models cannot test the absence of rights in the

ACM, a negative role is added for each role simulating

its absence. The STS contains

commands that mod-

ify the RBAC user-to-role assignment considering role

exclusions. Analyzing the HIS I model with respect to

HRU safety is then equivalent to analyzing the original

RBAC model regarding RBAC safety ﬂavor (1).

The HIS II model implements the permission-to-

role assignment and the role hierarchy of the original

RBAC model. As in HIS I, its state

q =





includes the RBAC object set

is now deﬁned as

the RBAC role set and the ACM

: S

× O

→ 2

ops

maps a role-object-pair to a set of operations. The

ACM hence exactly represents the RBAC

relation,

omitting the indirection level of permissions. The STS

incorporates the role hierarchy relation by solving the

level of indirections of

, resulting in a HRU-like

RBAC model with

commands. Analyzing the HRU

target

(a) High-Dep I

target

(b) High-Dep II

Figure 1: CDGs of High-Dependency Models.

SECRYPT 2020 - 17th International Conference on Security and Cryptography

528

safety of the HIS II model then equals analyzing the

original RBAC model regarding safety ﬂavor (2).

High-dependency Models.

The DEPSEARCH ap-

proach originally was developed because earlier heuris-

tics failed in analyzing atypical models where right

leakages are well hidden and appeared only after long

command sequences where each command depends

exactly on the execution of its predecessor – a type of

complexity which is part of many real-world security

policies. For this reason, two artiﬁcially tailored stress-

test models from (Amthor et al., 2013) will serve as a

kind of benchmark for this type of STS complexity.

The high-dependency models, High-Dep I and

High-Dep II, are traditional HRU models where the

STS and initial state reﬂect the dependencies shown in

the corresponding CDGs (see Fig. 1): In High-Dep I,

the target right

is entered by command

. Each

label of an edge





denotes a right that is entered

and required by

; the initial state

is chosen

such that

∀

s,o

∈ S

× O

: {r

,. . .,r

} /∈ m

(s,o)

(apart from this, all ACM cells are initialized randomly

based on a generic right set

R = {r

,. . .,r

}

). No

command requires or enters more than one right out of

,. . .,r

}

. High-Dep II is analogously constructed

(target right

, leaked by

), comprising more com-

plex dependencies. In case of both models, each node

of the CDG has to be visited at least once because none

of the rights that impose the dependencies are present

in the initial ACM. Therefore, a minimum number of

state transitions is required to discover a right leakage.

Brute-force Parameter Selection.

For the sake of

efﬁciency regarding ESTs, we use a brute-force pa-

rameter selection approach running in

O(|W |

)

for

WSDEPSEARCH and in

O(max(|S

|,|O

)

for DEP-

SEARCH, where

is the current PWS,

and

are

state

’s subject and object sets, and

denotes the max-

imum number of parameters in any STS commands.

4.1.2 Test Input Conﬁgurations

The following input conﬁgurations were used for the

test runs: initial subject and object count (

and

|), ACM initialization (m

), and target right. For

each model, the initial state’s object count and ACM

contents are varied, whereas the subject count is kept

constant (since only the number of ACM cells impacts

the heuristic behavior, not their layout).

For the feasibility evaluation, we cover ACM di-

mensions starting from

20 × (5 · 10

)

and

20 × (10 ·

)

, increasing

from

stepwise by

up to

(i. e.

20,000,000

cells). For comparing WSDEPSEARCH

and DEPSEARCH, we used dimensions starting from

20 × 20

and ending with

20 × 500

, increasing in steps

objects (i. e.

400

cells). The initial ACM con-

tents are randomized using a ﬁxed, model-individual

right set

, such that the resulting model is not safe

by construction. Moreover, the target right (that safety

is analyzed for) is also ﬁxed and model-speciﬁc. For

each conﬁguration, 10 runs have been performed.

4.1.3 Execution Environment

The evaluation is performed in our security policy engi-

neering framework WorSE (Amthor et al., 2014). We

have integrated WSDEPSEARCH into a reimplemen-

tation of the model safety analysis tool for dynamic

AC models. Each model simulation engine is based on

a generic deterministic state machine implementation.

Similarly, the implementation of WSDEPSEARCH is

derived from a heuristic base class. The model itself is

a data structure shared by the simulation engine and

heuristics, and includes implementations of the STT

and the STS. All measurements were performed on

contemporary desktop hardware with an Intel Core

i7-7700K CPU at 4.2 GHz and 32 GiB DDR4 RAM

at 2,400 MHz under Ubuntu Linux 18.04 LTS.

4.2 Evaluation Results

We will now discuss the results of the experimental

evaluation. In all ﬁgures the error bars show the 95 %

conﬁdence intervals (CIs).

4.2.1 Feasible Runtime Performance

We measured the total runtime of WSDEPSEARCH for

each of the

models covering ACM sizes from

2 · 10

cells. The results shown in Fig. 2 suggest a

quadratic growth of the runtime. For model state sizes

of up to

20,000,000

ACM cells, the absolute analysis

runtime for both HIS models is at most just over

sec-

onds and for the High-Dep stress models with a highly

complex STS at most just over

100

seconds. Hence, it

can be argued that the absolute runtime does not nearly

exceed the scale of real-world analysis sessions.

However, Fig. 2 also reveals a peculiarity: In order

to generate a right leakage when performing the safety

analysis of HIS I model, a minimal ESC of

steps

would have been necessary at least. Nevertheless, in

the ﬁrst

conﬁgurations

steps were actually needed

resulting in a total runtime higher than needed for the

analysis of High-Dep I model. The reason for this

is the randomized initialization of ACM cells and the

PWS initialization: Since after the ﬁrst path generation

a cell was added to the PWS, where only one of the

two rights necessary for the execution of a command

(

assignReferredDoctorRole

) was present. Then, the

Exploiting Hot Spots in Heuristic Safety Analysis of Dynamic Access Control Models

529

ACM size [number of cells]

0.0001

0.001

0.01

0.1

100

1,000

Runtime [s]

HIS I

HIS II

High-Dep I

High-Dep II

Figure 2: WSDEPSEARCH runtimes.

right leakage occurred only after the second path gen-

eration, the enlargement of the PWS by an additional

cell and the execution of that path.

4.2.2 Heuristic Quality

For evaluating the relative quality, we compared the

performance of WSDEPSEARCH with the classical

DEPSEARCH using a randomized brute-force parame-

ter selection algorithm for both heuristics.

Effective Step Quality.

For all models and runs, Ta-

ble 1 shows the mean ESCs of both heuristic algo-

rithms along with the corresponding 95 % CIs. Addi-

tionally to judge the heuristic quality based on ESC,

the ratio of minimal ESC to mean ESC is given, called

effective step quality (Q

ESC

Considering the ESC and

ESC

values, both algo-

rithms are nearly equally effective due to their com-

mon foundation. However, there are two recognizable

differences: For HIS I model, the WSDEPSEARCH’s

mean ESC is slightly worse than that of DEPSEARCH.

We explain this, as in Sec. 4.2.1, with the initializa-

tion of the ACM cells in small model states and the

PWS initialization. For High-Dep II model, WSDEP-

SEARCH achieves a noticeable improvement due to the

Table 1: Mean ESC and Q

ESC

HIS I HIS II H.-Dep I H.-Dep II

Min. ESC 2 2 4 10

DEPSEARCH heuristic

Mean ESC 2.0 2.0 4.0 15.0

95 % CI 0.0 0.0 0.0 0.0

ESC

1.0 1.0 1.0 0.667

WSDEPSEARCH heuristic

Mean ESC 2.08 2.0 4.0 10.0

95 % CI 3.196 0.0 0.0 0.0

ESC

0.961 1.0 1.0 1.0

0 2,000 4,000 6,000 8,000 10,000

ACM size [number of cells]

0.0001

0.001

0.01

0.1

100

Effective Step Time (EST) [s]

DEPSEAR CH:

WSDEPS E ARCH:

HIS I

HIS II

High-Dep I

High-Dep II

Figure 3: EST comparison.

0 2,000 4,000 6,000 8,000 10,000

ACM size [number of cells]

0.0001

0.001

0.01

0.1

100

1,000

Runtime [s]

DEPSEAR CH:

WSDEPS E ARCH:

HIS I

HIS II

High-Dep I

High-Dep II

Figure 4: Runtime comparison.

strategically restricted parameter space. In result, aver-

aging over all ESC and

ESC

values, WSDEPSEARCH

beats DEPSEARCH.

Runtime Quality.

In order to evaluate the heuristic

quality based on runtime performance, both ESTs and

total runtimes of WSDEPSEARCH and DEPSEARCH

were compared for each model.

Fig. 3 depicts a comparison regarding average

ESTs. Overall, it can be clearly seen that, for all

models, the WSDEPSEARCH heuristic made effective

steps in a much shorter time compared to the DEP-

SEARCH heuristic. Even though both heuristics have

a comparable

ESC

values for models HIS I, HIS II

and High-Dep I, the restriction of the parameter search

space by means of PWSs in WSDEPSEARCH shows a

clear EST improvement of nearly

orders of magni-

tude over DEPSEARCH for all models.

The average total runtime of both algorithms is

compared in Fig. 4. Here again, WSDEPSEARCH

clearly outperforms DEPSEARCH. A ﬁnal compari-

son of both Figs. 3 and 4 concludes that even under

the usage of a simple brute-force parameter selection

SECRYPT 2020 - 17th International Conference on Security and Cryptography

530

algorithm the working-set-based approach of WSDEP-

SEARCH leads to signiﬁcantly better EST values and

thus, under consideration of the ESC values, to a simi-

lar signiﬁcant improvement of the overall runtime.

5 CONCLUSIONS

This paper addresses the exponential time complexity

problem of heuristic algorithms for the safety analysis

of dynamic AC models with large parameter spaces.

While former heuristics identify well-hidden command

sequences in which each command establishes the pre-

conditions of its subsequent command until a target

right is leaked, the selection of corresponding com-

mand parameter values is neither effective nor efﬁcient

resulting in over 90 % of the total analysis runtime.

To drastically reduce this weakness, we present

WSDEPSEARCH which adapts the idea of working

sets known from page replacement algorithms by

strictly limiting the the parameter value space to only

those cells of the ACM that offer a high potential for

a command sequence to contribute to a right leakage.

The implementation of the heuristic analysis algorithm

was integrated into our security policy engineering

framework WorSE. The evaluation shows a runtime

improvement up to 4 orders of magnitude which makes

analyses of automaton-based AC models with realistic

state transition schemes and model state sizes encom-

passing more than 10

ACM cells tractable.

REFERENCES

Amthor, P. (2015). A Uniform Modeling Pattern for Operat-

ing Systems Access Control Policies with an Applica-

tion to SELinux. In Proc. 12th Int. Conf. on Secur. and

Crypt., pages 88–99.

Amthor, P. (2017). Efﬁcient Heuristic Safety Analysis of

Core-based Security Policies. In Proc. 14th Int. Conf.

on Secur. and Crypt., pages 384–392.

Amthor, P., K

uhnhauser, W. E., and P

olck, A. (2013). Heuris-

tic Safety Analysis of Access Control Models. In Proc.

18th ACM Symp. on Access Control Models and Tech-

nol., pages 137–148.

Amthor, P., K

uhnhauser, W. E., and P

olck, A. (2014).

WorSE: A Workbench for Model-based Security Engi-

neering. Comp. & Secur., 42:40–55.

Barker, S. (2009). The Next 700 Access Control Models or

a Unifying Meta-Model? In Proc. 14th ACM Symp. on

Access Control Models and Technol., pages 187–196.

Basin, D., Clavel, M., and Egea, M. (2011). A Decade of

Model-Driven Security. In Proc. 16th ACM Symp. on

Access Control Models and Technol., pages 1–10.

Carr, R. W. and Hennessy, J. L. (1981). WSClock – A

Simple and Effective Algorithm for Virtual Memory

Management. In Proc. 8th Symp. on Operating Syst.

Principles, pages 87–95.

Denning, P. J. (1968). The Working Set Model for Program

Behaviour. Comm. of the ACM, 11(5):323–333.

Evered, M. and B

ogeholz, S. (2004). A Case Study in Access

Control Requirements for a Health Information System.

In Proc. Austral. Inf. Secur. Workshop, pages 53–61.

Gofman, M. I., Ramakrishnan, C. R., Stoller, S. D., et al.

(2009). Parameterized PRBAC and ARBAC Policies

for a Small Health Care Facility.

Goguen, J. A. and Meseguer, J. (1982). Security Policies

and Security Models. In Proc. IEEE Symp. on Secur.

and Priv., pages 11–20.

Harrison, M. A. and Ruzzo, W. L. (1978). Monotonic Protec-

tion Systems. In Found. of Sec. Comp., pages 337–365.

Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. (1975).

On Protection in Operating Systems. Oper. Syst. Rev.,

9(5):14–24.

Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. (1976).

Protection in Operating Systems. Comm. of the ACM,

19(8):461–471.

Jha, S., Li, N., Tripunitara, M. V., Wang, Q., et al. (2008).

Towards Formal Veriﬁcation of Role-Based Access

Control Policies. IEEE Trans. on Dep. and Sec. Comp.,

5(4):242–255.

uhnhauser, W. E. and P

olck, A. (2011). Towards Access

Control Model Engineering. In Proc. 7th Int. Conf. on

Inf. Syst. Secur., volume 7093, pages 379–382.

Li, N. and Tripunitara, M. V. (2006). Security Analysis in

Role-Based Access Control. ACM Trans. on Inf. and

Syst. Secur., 9(4):391–420.

Lipton, R. J. and Snyder, L. (1977). A Linear Time Algo-

rithm for Deciding Subject Security. Journal of the

ACM, 24(3):455–464.

Mondal, S., Sural, S., and Atluri, V. (2009). Towards Formal

Security Analysis of GTRBAC Using Timed Automata.

In Proc. 14th ACM Symp. on Access Control Models

and Technol., pages 33–42.

Ranise, S., Truong, A., and Armando, A. (2014). Scal-

able and Precise Automated Analysis of Administrative

Temporal Role-based Access Control. In Proc. 19th

ACM Symp. on Access Control Models and Technol.,

pages 103–114.

Sandhu, R., Bhamidipati, V., and Munawer, Q. (1999). The

ARBAC97 Model for Role-based Administration of

Roles. ACM Trans. on Inf. and Syst. Secur., 2(1):105–

135.

Sandhu, R. S. (1992). The Typed Access Matrix Model.

In Proc. IEEE Symp. on Research in Secur. and Priv.,

pages 122–136.

Sandhu, R. S., Coyne, E. J., Feinstein, H. L., et al. (1996).

Role-Based Access Control Models. IEEE Comp.,

29(2):38–47.

Sasturkar, A., Yang, P., Stoller, S. D., et al. (2011). Pol-

icy Analysis for Administrative Role-Based Access

Control. Theor. Comp. Sci., 412(44):6208–6234.

Schlegel, M. and Amthor, P. (2020). Beyond Administration:

A Modeling Scheme Supporting the Dynamic Analysis

of Role-based Access Control Policies. In Proc. 17th

Int. Conf. on Secur. and Crypt. (to appear).

Exploiting Hot Spots in Heuristic Safety Analysis of Dynamic Access Control Models

531

Shariﬁ, A. and Tripunitara, M. V. (2013). Least-restrictive

Enforcement of the Chinese Wall Security Policy. In

Proc. 18th ACM Symp. on Access Control Models and

Technol., pages 61–72.

Stoller, S. D., Yang, P., Gofman, M. I., et al. (2011). Sym-

bolic Reachability Analysis for Parameterized Admin-

istrative Role-Based Access Control. Comp. & Secur.,

30(2–3):148–164.

Tripunitara, M. V. and Li, N. (2007). A Theory for Compar-

ing the Expressive Power of Access Control Models.

Journal. of Comp. Secur., 15(2):231–272.

Vimercati, S. D. C. d., Samarati, P., and Jajodia, S. (2005).

Policies, Models, and Languages for Access Control.

In Proc. 4th Int. Workshop on Databases in Netw. Inf.

Syst., volume 3433/2005 of LNCS, pages 225–237.

Zhang, X., Li, Y., and Nalla, D. (2005). An Attribute-based

Access Matrix Model. In Proc. 2005 ACM Symp. on

Applied Comp., pages 359–363.

SECRYPT 2020 - 17th International Conference on Security and Cryptography

532