Heuristic safety analysis of access control models

Model-based security engineering uses formal security models for specifying and analyzing access control systems. Tool-based model analysis encounters a fundamental difficulty here: on the one hand, real-world access control systems generally are quite large and complex and require models that have high expressive power. On the other hand, analysis of such models is often pestered by computational complexity or even non-decidability, making it difficult to devise algorithms for automated analysis tools. One approach to this problem is to limiting the expressive power of the modeling calculus, resulting in restrictions to the spectrum of application scenarios that can be modeled. In this paper we propose a different approach: a heuristic-based method for analyzing the safety properties of access control models with full expressive power. Aiming at generality, the paper focuses on the lineage of HRU-style, automaton-based access control models that are fundamental for modeling the dynamic behavior of contemporary role-based or attribute-based access control systems. The paper motivates a heuristics-based approach to model analysis, describes in detail a heuristic model safety analysis algorithm, and discusses its computational complexity. The algorithm is the core of a security model analysis tool within the context of a security policy engineering workbench; a formal description of major components of its heuristic-based symbolic model execution engine is given, and its capacity to analyze complex real-world access control systems is evaluated.