University of Birmingham School of Computer Science
RSMG Report 2
Verifying Access Control Policies through Model Checking by
Hasan Nageeb Qunoo
[email protected]
Supervisor: Dr. Mark D. Ryan. Thesis Group: Dr. Georgios K. Theodoropoulos. Dr. Eike Ritter. Dr. Mark D. Ryan.
Birmingham , April 2007
Contents
Contents
iii
1 Introduction 1.1 Changes since RSMG report 1 . . . . . . . . . . . . . . . . . . . . 1.2 New research focus . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Literature review 2.1 Access Control in Distributed Systems . . . . 2.2 Access Control Models . . . . . . . . . . . . . 2.3 Verification Access Control Policy Languages 2.3.1 RW . . . . . . . . . . . . . . . . . . . 2.3.2 Margrave . . . . . . . . . . . . . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
. . . . .
3 4 4 7 7 9 11 11 15
3 Ideas and hypotheses 17 3.1 Thesis proposal timetable . . . . . . . . . . . . . . . . . . . . . . . 18 4 Teaching and learning 19 4.1 Teaching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 4.2 Learning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Bibliography
21
iii
1
The University of Birmingham School of Computer Science Research Student Monitoring Group Report 2 Name of student: Regestration number: Previous degrees: Name of Supervisor: Thesis Group: Date of report: Start date: Time expired (to date): Thesis working title:
Hasan Nageeb Qunoo 719440 MEng. Computer Engineering Islamic University- Gaza MSc. Internet Software Syst. University of Birmingham Dr. Mark D. Ryan. Dr. Eike Ritter (RSMG Member). Dr Georgios K. Theodoropoulos (Non-RSMG Member). April 2007 02/10/2006 0 years , 212 days Flexible Verified Access Control
Abstract This report details the progression of research conducted on my PhD, for the first half of the academic year 2006-2007. I present my intial exploration and the subsequent chosen direction of my thesis, a review of literature surrounding the subject and a summary of the work conducted to date. Furthermore, I detail the intended future progression of my research, its desired goals, proposed content and some anticipated results. I conclude by specifying a timetable forthe production of the forthcoming Thesis Proposal.
Chapter 1
Introduction In today’s world, enormous data is made available for legitimate users to access, update, and exchange. Online-banking, Personal health record and Human Resources are examples of complex systems that manage sensitive data and are becoming increasingly crucial for the individuals usual activities. Any security breaches of those systems are painfully unaffordable and must be prevented by a Suitable access control system. The process of mediating every request to resources and data maintained by a system and determining whether the request should be granted or denied is called Access Control [11]. As systems become larger and more dynamic, the access control decisions need to be made in a more intelligent rather than discretionary way. The discretionary can be expensive. Access Control Policy, the set of regulations that can be specified in an appropriate language and then enforced by the access control mechanism, needs to be defined properly. An access control model, formal representation of the access control security policy and its working, is needed to design proof of security properties. The Conference Paper Review System motivation example [29], shows the need for using automated tools to analyse and detect the security holes caused by interactions of rules, co-operations between agents, and multi-step actions which are impossible to detect by the imaginations of the policy designers or static analysis. The RW framework [29, 30, 28] proposes a solution to the problem. The RW framework uses a model-checking algorithm [15] to evaluate the fitness of access control policy.The advantages of model checking approach provides it with the ability to: • build a model M , based on the policy, which enables us to understand the policy as a whole. Any change made on a single rule or caused by 3
4
CHAPTER 1. INTRODUCTION
adding/deleting a rule will be reflected on M . This makes the study of interactions of rules easier. • Explore possible consequences of multi-step actions by performing temporal reasoning. Relatedly, the access control verification software suit Margrave [13] addresses the policy change-impact problem using Model-Checking techniques to compute the changes between two policy files written in XACML. Although those methods have proved successful on small sized examples, there is still a long way to producing a scalable and expressive access control policy verification framework for open, distributed systems which guaranteed to match the high-level policies of today’s organisation.
1.1
Changes since RSMG report 1
Since my first RSMG report, I have explored the existing proposals and develop new ideas for access control frameworks and languages which address the above concerns. A number of research ideas have been generated and developed during that time. Through discussions and detailed studies for those ideas with Mark Ryan, I have deepened my understanding of the nature of the problems and challenges in the research area. Fine-grounded and defined research targets have resulted with no major changes regarding the research motivation. An elaborated literature survey is summarised in chapter 2. Chapter 3 states our yet developed ideas and hypotheses. My teaching and learning outcomes are demonstrated in chapter 4.
1.2
New research focus
Access control has been a significant research interest. The control of access to files and resources, has appeared for long time as crucial part of operating systems. As systems expand, the concept of systems evolves as well to include large-scale, heterogeneous and decentralized systems; and so do the access control concepts. In recent years, there have been many proposals to develop a high-level access control policy language with the appropriate mechanisms to address the problem. Grounded by the state-of-the-art techniques, the goal of this research can be summarised as a system or framework that has: • Flexibile and Scalable Analysis Techniques. The exsisting system, RW answers the question of whether there is a strategy for a coalition of
1.2. NEW RESEARCH FOCUS
5
agents to achieve a given goal. RW uses an algorithem to model the agents knowledge of the state of the system. It extracts strategies which make the goal achievable. One the other hand, Margrave does calculate the differences between two policies. Those methods can respond effectively to small sized examples. Yet no framework provides a flexible and scalable analysis method which bears a full scale real world organisation scenario (e.g. scenarios with policy constraints, roles and delegations, authentication and distributed policies). As applications vary in their requirements, we can define flexibility by the ability to model and verify a wide range of applications requirements using our modeling language. However, a trade off between the language expressiveness and complexity need to be maintained. • Expressiveness power. Improving the analysis techniques of the verification methods empowers us to develop a richer language to handle open and distributed systems. Such a language, we propose, can be used to describe the access control policies in a top-down fashion. Managers and decision makers at the moment are prevented from reasoning effectively about the actual access control process. The traditional way of using Access Control Lists (ACLs), XML-based policy files, or machine readable code for access control obstructs effective reasoning about access control policies at the scale of enterprise scale. This process also requires a high level of technical skill. • Policy translation techniques. The policy model should be transformable into a lower configuration level in an intelligent manner. The content of access control system lies in the design level which a smart high level policy language can facilitate. However, the tedious and lengthy process can be eliminated with a suitable policy transformer that can cope with the job smartly. We should be able to translate from our modelling formalism to other formalisms for the same system. This direction does not appear to be obvious at that stage of my research. However, one way to analyse the problem is to develop an appropriate abstraction techniques to compute the resulting system in a polynomial computing complexity.
Chapter 2
Literature review Access Control Policies allow us to reason about the system access control as a whole. It can facilitate, in the case of an efficient implementation, powerful enforcement for the authorisation rules to resources. The research of access control has developed intensively, in the past few years, with a mixture of theory and software engineering techniques. In the following, I will outline my literature review process since I embarked my PhD research.
2.1
Access Control in Distributed Systems
Access Control is the process of mediating every request to resources and data maintained by a system and determining weather the request should be granted or not. The concept of access control goes back to the invention of operating systems. However, the way the access control systems were developed at those days did not consider today’s environments. Today millions people all over the world are online, with whose introduction a new set of problems was introduced [19]: Attack from any where, Sharing with anyone, Automated infection, and Hostile code, environment, and hosts. Access control theory and practice provides mechanism to implement security in the modern systems. Figure 2.1 shows Lampson’s model. The guard needs to know two piece of informations to reply to a request: Authentication information which identifies the principle who made the request. This information often consist of some statements digitally signed to ensure their integrity and authenticity; these are called credentials [22]. Authorization information which says who is allowed to do what to the object. This information varies from an access model to another as we can see in section 2.2. 7
8
CHAPTER 2. LITERATURE REVIEW
Separating the guard from the object makes reasoning about the access control policies simpler [2, 19, 21]. Even so, access control seems hard to get right.
Figure 2.1: Lampson’s access-control model.[21]
Over the years, many theories and systems for access control systems ware developed. Many logics and calculus like [1, 4, 2] ware proposed. The main approach is study the concepts, protocols and algorithms of access control system and develop a notation for representing principals and their statements [1]. This approach aims provide a derivation rules for the system as we can see in Example 2.1. Example 2.1: given the following rules (subset from [2]) : r.0 A says s : A makes the statement s. When we say A says s , A can be an encryption key which identifies a secure channel. r.1 A speaks for B : A is a stronger principal than B . (i.e. when B represents a group, A may represent a member or a subgroup of B .) r.2 ` A says (s → t) → (A says s) → (A says t). r.3 if ` s then A says s . r.4 ` A speaks for B → (A says s ) → (B says s) . r.5 ` A speaks for A . r.6 `A speaks for B ∧ B speaks for C → A speaks for C . r.7 ` B controls s → (B says s) → s. Let good-to-delete-file1 be a proposition. Assume that: p.1 B controls (A speaks for B). p.2 B controls good-to-delete-file1. p.3 B says (A speaks for B). p.4 A says good-to-delete-file1.
2.2. ACCESS CONTROL MODELS
9
We can derive B says good-to-delete-file1, good-to-delete-file1 as following: • From r.7, p.1 and p.3. we can derive: A speaks for B as 1. • Using r.4, 1 and p.4 we can derive: B says good-to-delete-file1.a In this example says represent the communication across context and abstracts from the details of authentication. Therefore, the way we choose axioms for says in a language changes the semantics of that language. Debatably , Logic-based security languages and systems like Binder [10], PolicyMaker and KeyNote [8], SPKI [3], SDSI and RT [23], XrML, Cassandra [6], SecPAL [5] are examples of those languages. We can classify those proposals by their ideas and techniques. However I have noticed that recent languages like Binder, RT/RTC , Cassandra are based on ideas and techniques from logic programming. As the basic question of Authentication is "who is trusted?". the term “Trust Management”, first appeared in [8], refer to decentralised administration, unified expressive and abstract language to express policies, credentials, and relationships collectively as the “trust management problem”. They argue that distributed systems must address this problem. They propose a prototype implementation for PolicyMaker. PolicyMaker provides a simple language to specify trusted actions and relationships. This term is also used by [5, 23]. However, researchers does not agree in the literature on that definition.
2.2
Access Control Models
In the Mandatory Access Control (MAC) Model, first formalised by Bell and LaPadula [7], access to data is based firstly on the data as sensitivity or classification, represented by a security label, and secondly on the clearance of the user, represented also by a security label. Security labels forms a lattice. One common set of labels used is unclassified ≤ confidential ≤ secret ≤ topsecret. The systems, known as multilevel security systems using MAC are based the two principles: • All users can read information with classification no higher that the one they are granted. • No user can write to a lower classification. As MAC was designed for military systems, the administration is centralised and delegation is forbidden. Such specification does not suit well other purposes, especially commercial organisations. Discretionary access control model (DAC), less constrained model, where the owner of an object is trusted to manage access permissions to other
10
CHAPTER 2. LITERATURE REVIEW
users of the system. Users also can delegate control over an object to another user[25, 17]. An Access Control List (ACL) attached to each file is a classical approach used in operating systems like Windows, Linux and Unix to restrict users’ access to the file system. Permissions specified in rwx triple for the owner, group and others specify the rights to read, write, or execute the file. Figure 2.2 shows the ACL of a file which belongs to Bob, who is a member of the group Staff. Access control matrices [16, 20] will be stored in columns. The DAC model is hard to administer as organisations grow. Any change to the policy can be an expensive and tedious process. rwxr-x--x
Bob
Staff
Figure 2.2: An access control list.
To fill the gap between MAC and DAC, Role-Based Access Control (RBAC) has been proposed to compromise between MAC, which is too rigid, and DAC, which is hard to administer.
Figure 2.3: The RBAC0 model.[27]
As in real organisations, users are assigned roles or job functions. each role is associated with access permissions. Many different RBAC models have been proposed over the past few years but RBAC0 [24] is often considered the core model. If we consider the set of Users (U), Roles (R) and Permissions (P) as key components, the RBAC0 policy can be expressed as user assignment (RA) relations with roles and permission assignments (PA) to roles as shown in Figure 2.3. RBAC1 has extended RBAC0 with role hierarchies, within senior roles inherit permissions held by junior roles. conversely, RBAC2 has introduced constraints on relations to RBAC0 . RBAC3 integrates constraints and role-hierarchies.
2.3. VERIFICATION ACCESS CONTROL POLICY LANGUAGES
2.3 2.3.1
11
Verification Access Control Policy Languages RW
RW is a framework for evaluating and generating access control systems. It analyses and detects the security holes caused by interactions of rules, cooperations between agents and multi-step actions. It argues that: • All policy rules, working together, must behave correctly. It does not ensure the behaviour of single rule. • An attack can be achieved by a set of agents through co-operation. • An agent can achieve an attack using a sequence of actions. RW propose a solution for those problems. RW’s solution is a composite of the following steps: 1. Build a model M for the access control policy using the RW formalism. 2. Express the model M in the, machine-readable , RW specification language. 3. Specify a property of the framework to be verified. The property defines a goal , a coalition of agents and some conditions to serve as a prerequirements for the checking to be performed. 4. If, as is ideal, the policy is immune to the malicious goals and guarantees the achievability of the legitimate goals, The framework implements a tool to convert the policy from the RW language into a policy file in XACML. In case the goal is achievable, RW , using a model checking algorithm, outputs a strategy the agent(s) may use to achieve the goal. The output strategy can be used to amend the policy. First we can define the RW formalism as following: Definition 2.3.1: Let L(P ) be the set of the propositional logic formulas built from the propositional variables in the set P . An access control system S is a tuple hΣ, P, r, wi, where Σ is a set of agents, P is a set of propositional variables and the mappings r, w : P × P(Σ) → L(P ) specify the immediate access rights of coalitions of agents. In the following we will introduce, in a formal way, the concepts of RW through a running example ∗ . Following Definition 2.3.1, we define an access control sys∗
This example is based on Example 4.1 in [28]. We use it to demonstrate the concept of policy template, query, strategy and guessing strategy. More advanced and expressive examples can be found in the Zhang et. al paper.
12
CHAPTER 2. LITERATURE REVIEW
tem ShΣ, P, r, wi, where P = {u, x, y, z, t} and Σ = {a}. For each p ∈ P , mappings r(p, a) and w(p, a) is detailed in the RW formalism as following: r( u, a) ⊥ r(x, a) > r(y, a) > r(z, a) > r(t, a) >
w(u, a) ⊥ w(x, a) ¬u w(y, a) u w(z, a) x ∨ y w(t, a) x
The RW program for Example 2.3.1 template is shown in Fig. 2.4. To perAccessControlSystem XYZTexample Class P; Predicate u(p: P), x(p: P), y(p: P), z(p: P), t(p: P); x(p){ read: true; write: ~u(p); } y(p){ read: true; write: u(p); } z(p){ read: true; write: (x(p) or y(p)); } t(p){ read: true; write: (x(p)); } End Figure 2.4: The RW script for the policy defined in Example 2.3.1.
form model-checking, a concrete instance based on the template needs to be constructed. This task is done through a run-statement. The syntax of the run-statement is: hRunStatementi ::= “run for” hNumberClassPairi (“,” hNumberClassPairi)* hNumberClassPairi ::= hIntegeri hClassNamei Following the run-statement, a property can be specified. A property is a query, taking the form of
2.3. VERIFICATION ACCESS CONTROL POLICY LANGUAGES
13
check { L Ã || ϕ → A : ψ} where L Ã defines a number of quantified variables used in ϕ, ψ and A; ϕ (optional) is a list of conditions based on which the goal, defined by ψ, is to be achieved; and A defines a coalition of agents who work together, intending to achieve the goal. What this query asks is: Are there strategies or guessing strategies – depending on the mode of checking – available for the agents in A, such that, by following the strategies or guessing strategies, they can achieve the goal defined by ψ on the basis of the conditions defined by ϕ. Now we write a query to ask the question whether there is a strategy or guessing strategy for a to set z’s value to false. This query is expressed by Query 2.3.1. Query 2.3.1: run for 1 P, 1 Agent check{E p: P, a: Agent || {a}:{~z(p)}} A strategy is a sequence of actions by which a coalition A of agents achieves a goal [30]. In that mode, only the actions that the agent(s) in the coalition know they can perform. This covers the scenario when trials to perform an illegal actions may be recorded in a log file somewhere which will be audited. The agent(s), in that case, are not welling to take the risk. A guessing strategy is similar to a strategy, except that it is not required that the agent knows he can perform each action [30] .In this case, the agent(s) are willing to take a risk that the action will be denied. The RW algorithem will model the learning process for the coalition of agants to compute whether there is a strategy or guessing strategy to acheive goal. Strategies and guessing strategies are output to a file as shown in fig. 2.5. AcPeg (Access Control Policy Evaluator and Generator) is a Java implementation for RW framework. We can use AcPeg to model-check access control policy written in RW specification language. AcPeg also translate from the RW to XACML. AcPeg has implemented a three-level abstraction mechanism to handle large cases with a promising computational performance. AcPeg’s methodology of abstraction using Counter-Example-Guided Abstraction Refinement (CEGAR) [9] techniques has improved the computational performance by keeping the model as compact as possible.
14
CHAPTER 2. LITERATURE REVIEW
[p=1 a=1] Acting agents: [1] Guessing strategy: 1 if (z(1) is true) by set z(1) to false skip; }else { skip; } Guessing strategy: 2 if (u(1) is true) by set z(1) to false skip; }else { set z(1) to false skip; }
1 { by 1;
1 { by 1;
by 1;
Guessing strategy: 3 if (x(1) is true) by 1 { set z(1) to false by 1; skip; }else { set z(1) to false by 1; skip; } Guessing strategy: 4 if (y(1) is true) by 1 { set z(1) to false by 1; skip; }else { set z(1) to false by 1; skip; } Guessing strategy: 5 if (t(1) is true) by 1 { set z(1) to false by 1; skip; }else { set z(1) to false by 1; skip; } The number of guessing strategies found is: 5
Figure 2.5: The guessing strategy found for Example 2.3.1.
2.3. VERIFICATION ACCESS CONTROL POLICY LANGUAGES
2.3.2
15
Margrave
Margrave [13] is a software suite to analysing role-based access-control policies. Margrave has two components: Verification system: given an access control policy written in XACML language and a given property, Margrave’s verification tool will determine whether the policy satisfies the property or not. In case the property is not satisfied counter examples will be yielded. Change-Impact analysis system: given two policies, the system will list a set of changes and summarize the differences between the two policies. Given a university’s access control policy for assigning and accessing grades, written in a restricted subset of the XACML standard† , the desired users of Margrave, the administrators of the grading system, should be able to use Margrave to verify their XACML policy against a Property like There do not exist members of Student who can Assign ExternalGrades. The tool restricts the policy to cases that permit assigning external grades, then check to see whether students are enabled in the restricted policy. Margrave will yield the requests that lead to the violation (counter-example) as an error report shown in Figure 2.6. To elaborate on that example, the administrator saves a backup of the XACML > Pr_1: FAILED Pr_1 Counter-example: 1:/Resource, resource-class, ExternalGrades/ 2:/Resource, resource-class, InternalGrades/ 3:/Action, command, Assign/ 4:/Action, command, View/ 5:/Subject, role, Faculty/ 6:/Action, command, Receive/ 7:/Subject, role, Student/ 8:/Subject, role, TA/ 12345678 { 10100011 }
Figure 2.6: Margrave Error report
policy file and changes the policy to prevent the incidence. He tests the assigning external grades property again and it passes. Now, he wants to check what impact that change has made. Margrave consumes the two policy files and analyses , without specifying any property, the differences between the two policies, †
Policy is specified by Roles, Resources and Actions only.
16
CHAPTER 2. LITERATURE REVIEW
which is output as a report shows in Figure 2.7. Margrave is implemented atop ===== Pol_3 vs Pol_4 ===== 1:/Subject, role, Faculty/ 2:/Subject, role, Student/ 3:/Resource, resource-class, ExternalGrades/ 4:/Resource, resource-class, InternalGrades/ 5:/Action, command, Assign/ 6:/Action, command, View/ 7:/Action, command, Receive/ 8:/Subject, role, TA/ 12345678 { 00010101 N->P 00011001 N->P 00100101 N->P 00101001 N->P 01010101 N->P 01011001 N->P 01100101 N->P 01101001 N->P } query: #f
Figure 2.7: Margrave Change-Impact report
of the CUDD package [26] and represents the XACML policy as MTBDD [18] multi-terminal binary decision diagram. Each rule is represented by a MTBDD then the MTBDD are combined using a parameterized general algorithm called Apply. Environmental constraints, like no faculty is also a student are represented as boolean conditions. Users can write queries and test cases, one per run, using DrScheme [12], a programming environment for scheme. Its type domain as no predicates is allowed, rather limited, which make verification for properties like, Students can not write grades unrepresentable in its formalism. Margrave performance, when tested, was satisfactory. The soundness and completeness of Margrave, with Respect to the subset of XACML, is proved [14].
Chapter 3
Ideas and hypotheses
Further forward than the literature review, Experiments and studies done so far on RW and Margrave tools has shown its capability to model scenarios like: conference paper review system, student progress recode, a patient record system. However, RW’s expressive power can not at the moment express integrity constraints; For example: 1. In the RW language, there is no way to express mutual exclusions between the values of different variables. For example: An agent can not be a Chair and an Author at the same time. or Chair(x) → ¬ ∃ p, author(p,x) 2. In the RW language, there is no way to express inheritance between roles. In the context of the RW formalism inheritance means that one variable’s value being true implies another’s being true. For example: If an agent is a Chair, then he is also a PC member. or Chair(x) → pcmember(x) 3. In the RW language, there is no way to express context-based and timebased constraints in policies. For example: An author can submit a paper before the deadline. In practice, policy makers would like to express this policy in a more precise and exhaustive way by using negative policies like: 17
18
CHAPTER 3. IDEAS AND HYPOTHESES
An author can not submit a paper after the deadline. which is not supported by RW either. However, we are planning to define the RW limitations precisely and exhaustively. We also aim to specify the possible extensions of RW framework to define my approach which will show up in a more developed, or completely altered, form in my thesis proposal.
3.1
Thesis proposal timetable
I propose the following timetable for the completion of my thesis proposal: May / June : Continue literature review; Design new case studies and open frameworks like RW and Margrave for surgery. Define the limitations of each framework and explore the possible extensions of RW analysis tools. This process which might give an idea about the nature of abstraction techniques required to fulfill the research focus first point. We also expect to modify/update the model assumptions made so far for verifying the Policies. We may adopt some techniques proposed by some high-level policy languages (e.g. Cassandra and SecPAL). We are planing to formalise systems like Conference System in Margrave, SecPAL and Cassandra. This also may include experiments to model the Electronic Health Record system proposed by Cassandra in RW. This step will shed the light on the needs and the gaps in the RW specification language and formalism. July: Given the results of our experiments, we will outline the specification of a desired high-level policy language that fulfill our purpose which we might call RW + for the moment. July / August: Perform another series of experiment on RW + to specify and prove more advanced scenarios. We may need some testing tools to carry out the tests in a systematic way. An improved specification should be produced from the process. August / September: Decide upon a thesis topic based on the results collected from our experiments. Write my thesis proposal and aim for submission on 27-Aug-07 (0 years, 352 days) after my start date. This time table might seem ambitious but I feel that I have refined my understanding of the field concepts and tools.
Chapter 4
Teaching and learning
4.1
Teaching
This academic year I have been a Teaching Assistant on the following modules: • 06-18156 - Internet Computing Workshop (Sem 1 + Sem 2) : Level 4/M • 06-20009 - Network Security (Sem 2) : Level 4/M My duties have included demonstrating, supervising small groups, giving lectures (tutorials), marking and course preparation. I have also been responsible for some of the administrative aspects of the above modules, including maintaining module web pages and performing plagiarism detection. I was able to gain invaluable experience in a highly professional teaching environment. This made me more confident and focused as an individual. It has been also an opportunity to help students to make progress, enhancing my communication skills and further consolidating my knowledge. My calculations show that I have fulfilled my 300 hours teaching this year.
4.2
Learning
I attended the 06-06996 - Research Skills course in the first semester of this academic year. Moreover, I have been a regular attendee and member of the Computer Security Reading Group. The Computer Security Reading Group is an informal meeting of staff and PhD students, with the goal of broadening our knowledge and improving our understanding of computer security-related concepts and techniques. In addition, I have attended a number of different seminars and lectures within the school to explore more ideas from related research fields. 19
20
CHAPTER 4. TEACHING AND LEARNING
Following my supervisor’s advice and to strengthen my mathematical background to match my research field requirements, I have continuously focused on filling any emerged gaps in my knowledge. This approach has improved my ability to think for myself which requires active engagement, not passive listening and regurgitation. I have explored with great interest the advanced topics of logic in Computer Science. These include, but are not limited to : Natural Deduction, Provable Equivalence, Proof by Contradiction, Predicate Logic as a Formal Language, Verification by Model Checking, Prime Number Properties, and Complexity Theory. I have gained valuable skills for finding reliable sources and achieve my desired level of understanding. In April 2007, I was lucky to attend the Midlands Graduate School in Foundations of Computer Science held at the University of Nottingham. During this course, I attended lectures on Algorithmic Problem Solving, Operational Semantics, Category Theory, Typed Lambda Calculus, and Concurrency Theory. I found the courses helpful and they allowed me to grasp concrete mathematical fundamentals which I will hopefully elaborate on throughout my research degree. Related talks that I have given during the past six months include ∗ : • “Flexible Verified Access Control”, 31st January 2007, for 06-06991 - Research Skills, The University of Birmingham, Computer Science • “Generating verified access control policies through model-checking”, 20th March 2007, for Computer Security Reading Group, The University of Birmingham, Computer Science I feel that I have managed and organised my teaching duties and improved my time management. I am allowed now to dedicate more uninterrupted time on research and to schedule my teaching and communication commitments in a more productive way. I am excited and looking forward to discussing the work I have done and my future research prospectives with my thesis group.
∗
The titled talks materials http://www.cs.bham.ac.uk/~hxq .
can
be
accessed
from
my
personal
web
page:
Bibliography
[1]
M. Abadi. Logic in access control. In In Proceedings of the 18th Annual Symposium on Logic in Computer Science (LICS’03), volume 15, pages pages 228–233, Ottawa, Canada, June 2003. IEEE Computer Society Press. [cited at p. 8]
[2]
M. Abadi, M. Burrows, Lampson B., and Plotkin G. A calculus for access control in distributed systems. In ACM Transactions on Programming Languages and Systems (TOPLAS), volume 15, pages 706–734. ACM Press, Sep 1993. [cited at p. 8]
[3]
Tuomas Aura and Carl Ellison. Privacy and accountability in certificate systems. Research Report A61, Helsinki University of Technology, Laboratory for Theoretical Computer Science, Espoo, Finland, April 2000. [cited at p. 9]
[4]
L. Bauer, K. Bowers, F. Pfenning, and M. Reiter. Consumable credentials in logicbased access control, 2006. [cited at p. 8]
[5]
Moritz Y. Becker, Cedric Fournet, and Andrew D. Gordon. Secpal: Design and semantics of a decentralized authorization language,. Technical report, Microsoft Research, September 2006. [cited at p. 9]
[6]
Moritz Y. Becker and Peter Sewell. Cassandra: Flexible trust management, applied to electronic health records. [cited at p. 9]
[7]
D. Bell and L. La Padula. Secure computer systems: unified exposition and Multics interpretation. Technical Report MTR-2997, MITRE Corporation, July 1975. [cited at p. 9]
[8]
Matt Blaze, Joan Feigenbaum, and Jack Lacy. Decentralized trust management. In 1996 IEEE Symposium on Security and Privacy, pages 164–173. IEEE Computer Society, May 1996. [cited at p. 9]
[9]
Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. Counterexample guided abstraction refinement for symbolic model checking. Journal of the ACM (JACM), 50:752–794, Sep 2003. [cited at p. 13]
[10] John DeTreville. Binder, a logic-based security language. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, 2002. [cited at p. 9]
21
22
BIBLIOGRAPHY
[11] Sabrina De Capitani di Vimercati, Stefano Paraboschi, and Pierangela Samarati. Access control: principles and solutions. Software Practice and Experience, 33:397– 421, 2003. [cited at p. 3] [12] Robert Bruce Findler, Cormac Flanagan, Matthew Flatt, Shriram Krishnamurthi, and Matthias Felleisen. DrScheme: A Pedagogic Programming Environment for Scheme, September 1997. [cited at p. 16] [13] Kathi Fisler, Shriram Krishnamurthi, Leo A. Meyerovich, and Michael Carl Tschantz. Verification and change-impact analysis of access-control policies. In ICSE’05, St. Louis, Missouri, USA, May 2005. [cited at p. 4, 15] [14] Michael Matthew Greenberg, Casey Marks, Leo Alexander Meyerovich, and Michael Carl Tschantz. The soundness and completeness of margrave with respect to a subset of xacml. Technical Report CS-05-05, Computer Science Department, Brown University, April 2005. [cited at p. 16] [15] Dimitar P. Guelev, Mark D. Ryan, and Pierre-Yves Schobbens. Model-checking access control policies. In 7th Information Security Conference (ISC’04), Lecture Notes in Computer Science. Springer-Verlag, 2004. [cited at p. 3] [16] M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. Protection in operating systems. Communications of the ACM, 19(8):461–471, 1976. [cited at p. 10] [17] Michael V. Hayden. National Information Systems Security Glossary. National Security Telecommunications and Information Systems Security Committee, Sep 2000. [cited at p. 10] [18] H. Hermanns, J. Meyer-Kayser, and M. Siegle. Multi-terminal binary decision diagrams to represent and analyse continuous-time markov chains, 1999. [cited at p. 16] [19] B. Lampson. Computer security in the real world. Presented at the Annual Computer Security Applications Conference, 2000, 2001. [cited at p. 7, 8] [20] Butler Lampson. Protection and access control in operating systems. In Operating Systems, pages 309–326. Infotech State of the Art Report, 1972. [cited at p. 10] [21] Butler Lampson, Mart´ın Abadi, Michael Burrows, and Edward Wobber. Authentication in distributed systems: Theory and practice. ACM Transactions on Computer Systems, 10(4):265–310, 1992. [cited at p. 8] [22] Ninghui Li and John C. Mitchell. Datalog with constraints: A foundation for trust management languages. In Proceedings of the Fifth International Symposium on Practical Aspects of Declarative Languages, January 2003. [cited at p. 7] [23] William H. Winsborough Kent E. Seamons Michael Halcrow Ninghui Li, John C. Mitchell and Jared Jacobson. Rtml: A role-based trust-management markup language. Technical report, Purdue University. CERIAS TR 2004-03. [cited at p. 9] [24] Ravi Sandhu, Edward Coyne, Hal Feinstein, and Charles Youman. Role-based access control models. IEEE Computer, 29(2):38–47, Feb. 1996. [cited at p. 10] [25] Ravi S. Sandhu and Pierangela Samarati. Access control: Principles and practice. IEEE Communications Magazine, 1994. [cited at p. 10]
23
[26] Fabio Somenzi. CUDD: Colorado University decision diagram package 2.4.1, May 2005. [cited at p. 16] [27] Nan Zhang. Generating Verified Access Control Policies through Model-Checking. PhD thesis, Scool of Computer Science, University of Birmingham, 2005. [cited at p. 10]
[28] Nan Zhang, Mark Ryan, and Dimitar P. Guelev. Synthesising verified access control systems in XACML. In 2004 ACM Workshop on Formal Methods in Security Engineering, pages 56–65, Washington DC, USA, Oct 2004. ACM Press. [cited at p. 3, 11]
[29] Nan Zhang, Mark Ryan, and Dimitar P. Guelev. Synthesising verified access control systems through model checking. Journal of Computer Security (in print), 2005. [cited at p. 3]
[30] Nan Zhang, Mark D. Ryan, and Dimitar P. Guelev. Evaluating access control policies through model-checking. In 8th Information Security Conference (ISC’05), Singapore, Sep 2005. Springer-Verlag. [cited at p. 3, 13]
