Access Control Synthesis for Physical Spaces
Petar Tsankov, Mohammad Torabi Dashti, David Basin
Institute of Information Security, ETH Zurich
Airports
Corporate buildings
Sport centers
Setting
Locks: Office, Meeting room, Lobby
Local policy (Office lock): "Only employees can enter"
Global requirement: "Employees can access the office from the main entrance"
Eric: wrong deny!
Challenge: come up with local policies that enforce all global requirements
Current Practice
Requirements + Physical space -> Manual policy writing -> Local policies
Problems:
§ Cannot satisfy requirements one-by-one
  Example (Office, Meeting room, Lobby; Victor is a visitor):
  R1: Visitors can access the meeting room
  R2: Visitors cannot access the meeting room if they have not passed through the lobby
  Policies written for R1 alone give Victor a wrong permit once R2 is added!
§ Rewrite policies upon changes to the physical space or requirements
§ Correct? No security guarantees
Current Practice vs. Policy Synthesis
Current practice: Requirements + Physical space -> Manual policy writing
Policy synthesis: Requirements + Physical space -> Automated policy synthesis
Goal
Automatically compute correct local policies for a given physical space and its global requirements
Contributions
§ Formalization of physical access control
§ Expressive declarative language for specifying global requirements
§ Efficient synthesis algorithm based on SMT solving
§ Demonstration of the approach on realistic case studies
Formalizing Physical Spaces
Example spaces: entry, lobby, corridor, office, meeting room
Formalize as a graph: Enclosed space = Node, Lock = Edge
Label physical spaces with attributes (e.g., to mark security zones)
Local Policies
Attribute-based policies with:
§ Subject attributes (e.g. role)
§ Contextual attributes (e.g. time)
Example: role = visitor ∧ (8 ≤ time ≤ 20)
Local policy semantics:
§ An access request maps attributes to values
§ A lock grants an access request if the access request satisfies the lock's local policy
Semantics of Physical Access Control
An access request is authorized along a path if all locks along the path grant it.
Example (a subgraph of the physical space: entry, lobby, corridor, meeting room; locks a and b):
AccReq = {role ↦ visitor, time ↦ 6}
Local policy of lock a: role = visitor ∧ (8 ≤ time ≤ 20)
Since time = 6 lies outside 8..20, lock a does not grant AccReq, so AccReq is not authorized along any path through a.
Specifying Global Requirements
Requirement examples (Office, Lobby, Meeting room):
§ Visitors can access the meeting room
§ Non-employees cannot access the office
§ Visitors cannot access the meeting room if they have not passed through the lobby
The SpCTL Language
Key features:
§ Subject & contextual attributes (e.g. role, time)
§ Resource attributes (e.g. securityZone)
§ Quantification over paths
Common patterns: Permission (A), Prohibition (A), Waypointing (A, B)
Shape of a requirement: constraint over subject & contextual attributes ⇒ CTL formula over resource attributes
Example: (role = visitor) ∧ (8 ≤ time ≤ 20) ⇒ EF(id = mr)
Policy Synthesis Problem
Input: physical space + requirements (e.g. role = visitor ⇒ EF(id = mr), ...)
Output: local policies (e.g. (role = employee)) or Unsat
How hard is this problem?
Complexity of Policy Synthesis
Theorem 1. The policy synthesis problem is decidable.
Proof. We give a synthesis algorithm that uses CTL controller synthesis as a subroutine.
Unfortunately, the running time of this algorithm is exponential in the number of requirements.
Theorem 2. The policy synthesis problem is NP-hard.
Proof. Through reduction from propositional satisfiability to policy synthesis.
Policy Synthesis using SMT Solving
Input: requirements (e.g. role = visitor ⇒ EF(id = mr), ...) + physical space
Encode the requirements' satisfaction using SMT constraints; a model identifies correct local policies, otherwise Unsat.
Policy Synthesis Algorithm
Additional input: local policy templates χ
Example template: ( _ = _ ) ∧ ( _ ≤ _ ≤ _ )
Example instantiation: (role = visitor) ∧ (8 ≤ time ≤ 20)
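The path semantics (a request is authorized along a path iff every lock on it grants the request), the Permission, Prohibition and Waypointing patterns, and the template-based synthesis above, as an added example that is not the authors' code or tool: a toy Python model in which a brute-force search over template instantiations stands in for the SMT solver. The room layout, the lock candidates, the requirement encodings and the sampled requests are constructed assumptions, not taken from the slides.

```python
from itertools import product

# Constructed layout (assumption): enclosed spaces are nodes, locks are edges.
EDGES = [("entry", "lobby"), ("entry", "corridor"), ("lobby", "office"),
         ("lobby", "corridor"), ("corridor", "meeting room")]

# Candidate local policies: the template (role = X) and (8 <= time <= 20), or open.
def only(role):
    return lambda req: req["role"] == role and 8 <= req["time"] <= 20
CANDIDATES = {"any": lambda req: True, "employee": only("employee"),
              "visitor": only("visitor")}

def authorized_paths(policies, req, src, dst):
    """Simple paths src->dst along which every lock grants the request."""
    found = []
    def walk(node, path):
        if node == dst:
            found.append(path)
            return
        for a, b in EDGES:
            if a == node and b not in path and CANDIDATES[policies[(a, b)]](req):
                walk(b, path + [b])
    walk(src, [src])
    return found

# The three SpCTL patterns from the slides, checked for one request entering at "entry".
def permission(pol, req, dst):
    return bool(authorized_paths(pol, req, "entry", dst))
def prohibition(pol, req, dst):
    return not authorized_paths(pol, req, "entry", dst)
def waypointing(pol, req, dst, via):
    return all(via in p for p in authorized_paths(pol, req, "entry", dst))

# Global requirements R1, R2 and "Non-employees cannot access the office".
REQUIREMENTS = [
    lambda pol, r: r["role"] != "visitor" or permission(pol, r, "meeting room"),
    lambda pol, r: r["role"] != "visitor" or waypointing(pol, r, "meeting room", "lobby"),
    lambda pol, r: r["role"] == "employee" or prohibition(pol, r, "office"),
]
# Finite sample of requests standing in for the solver's symbolic reasoning.
REQUESTS = [{"role": ro, "time": t} for ro in ("visitor", "employee") for t in (6, 10)]

def synthesize(requirements=REQUIREMENTS):
    """Brute-force stand-in for SMT solving: first lock assignment satisfying
    every requirement on every sampled request, or None (the solver's Unsat)."""
    for choice in product(CANDIDATES, repeat=len(EDGES)):
        policies = dict(zip(EDGES, choice))
        if all(req(policies, r) for req in requirements for r in REQUESTS):
            return policies
    return None
```

With every lock open, R1 holds but a visitor can reach the meeting room via the corridor without passing the lobby (the slides' wrong permit); synthesize() returns the one assignment over these templates that meets all three requirements, and adding a requirement the templates cannot meet (employees reach the office at any hour) returns None.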