![Page 1: Margrave: XACML Verification and Change-Impact Analysis Kathi Fisler, WPI Shriram Krishnamurthi, Brown Leo Meyerovich, Brown Michael Carl Tschantz, Brown](https://reader030.vdocuments.site/reader030/viewer/2022032517/56649cb95503460f94980d86/html5/thumbnails/1.jpg)
Margrave: XACML Verification and Change-Impact Analysis
Kathi Fisler, WPI
Shriram Krishnamurthi, Brown
Leo Meyerovich, Brown
Michael Carl Tschantz, Brown
Running Example
Roles: Faculty, Student
Resources: InternalGrades, ExternalGrades
Actions: Assign, View, Receive
Properties
1. There do not exist members of Student who can Assign ExternalGrades
2. Faculty can Assign both InternalGrades and ExternalGrades
3. No combination of roles exists whose user can both Receive and Assign ExternalGrades
Policy 1
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
Policy 1, Properties 1-3
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
1. There do not exist members of Student who can Assign ExternalGrades
2. Faculty can Assign both InternalGrades and ExternalGrades
3. No combination of roles exists whose user can both Receive and Assign ExternalGrades
Output
Error!
Counterexample: Student simultaneously requests to
– Receive ExternalGrade
– Assign ExternalGrade
XACML: attributes represent sets
Policy 2
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons
Policy 2, Properties 1-3
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons
1. There do not exist members of Student who can Assign ExternalGrades
2. Faculty can Assign both InternalGrades and ExternalGrades
3. No combination of roles exists whose user can both Receive and Assign ExternalGrades
Output
Error!
Counterexample: Faculty - Student requests …
But a Faculty isn’t also a Student
Policy 3
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Policy 3, Properties 1-3
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
1. There do not exist members of Student who can Assign ExternalGrades
2. Faculty can Assign both InternalGrades and ExternalGrades
3. No combination of roles exists whose user can both Receive and Assign ExternalGrades
Output
Success!
Policy 4
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs have the same privileges as Faculty
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Policy 4, Properties 1-3
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs have the same privileges as Faculty
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
1. There do not exist members of Student who can Assign ExternalGrades
2. Faculty can Assign both InternalGrades and ExternalGrades
3. No combination of roles exists whose user can both Receive and Assign ExternalGrades
Output
Error!
Counterexample:
• Student - TA can Assign ExternalGrades
• Student - TA is not a Faculty
TAs are tricky!
Policy 5
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Policy 5, Properties 1-3
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
1. There do not exist members of Student who can Assign ExternalGrades
2. Faculty can Assign both InternalGrades and ExternalGrades
3. No combination of roles exists whose user can both Receive and Assign ExternalGrades
Output
Success!
Policy 6
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• FacultyFamily can Receive ExternalGrades
• Singleton and disjointness constraints
Policy 6, Properties 1-3
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• FacultyFamily can Receive ExternalGrades
• Singleton and disjointness constraints
1. There do not exist members of Student who can Assign ExternalGrades
2. Faculty can Assign both InternalGrades and ExternalGrades
3. No combination of roles exists whose user can both Receive and Assign ExternalGrades
Output
Error!
Counterexample:
• Faculty can Assign ExternalGrades
• FacultyFamily can Receive ExternalGrades
• The same person generates both
Design Flow
• Verification catches subtle corner-cases
• Testing without the test cases: property represents a set of test cases
• The disadvantage is usually cost (there’s another one we’ll get to later…)
Performance
• Parsing: 355ms (cold cache) – 70ms (warm)
• Longest verification: 10ms; most were faster than timer could measure
• Memory: baseline of 4.7Mb, no increase
[Athlon XP 1800+, 1.5GHz, 512Mb]
Implementation
Multi-Terminal Decision Diagrams
• Faculty (f) can assign (a) grades (g)
• Students (s) can receive (r) grades (g)
Rules and Rule Combination
Constraints
• Represented by boolean expressions
• Easy to combine booleans with MTDDs
• Adds new terminal: EC (Excluded by Constraint)
Properties?!?
Policies Without Properties
• Working policy P1
• Modified policy P2
• Testing reveals intended change
• But…
Policy 4 – Policy 3
Policy 4:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs have the same privileges as Faculty
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Policy 3:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Output
• Eight combinations grant access
• Four involve ExternalGrades
• Adding TAs should not have affected this!
Policy 5 – Policy 3
Policy 5:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Policy 3:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• Attributes for action and requested resources are constrained as singletons
• Faculty are disjoint from Students
Output
All changes involve only
• TAs
• InternalGrades
Therefore, we can be confident about the edit
Policy 6 – Policy 5
Policy 6:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• FacultyFamily can Receive ExternalGrades
• Singleton and disjointness constraints
Policy 5:
• Requests for Students to Receive ExternalGrades succeed
• Requests for Faculty to Assign or View ExternalGrades succeed
• TAs can View and Assign InternalGrades but not ExternalGrades
• Singleton and disjointness constraints
Output
All changes involve Receiving grades
Some changes involve the Faculty role
Is there an error?
Exploring Changes
• We can query and verify differences, e.g.: Did a change affect ExternalGrades?
• Properties of differences may be stronger than properties of the entire system
• Exploration may eventually lead to identifying system properties
Case Study
Application
Continue: paper submission and review
Softvis 2005, CSFW 2005, FOAL 2005, ISSTA 2004, LMO 2005, TAV-WEB 2004, PADL 2004/3/2/1, FDPE 2003, Scheme 2003/2, ...
• Roles: Admin, Chair, PC Member, Subrev…
• Actions: Submit, Review, Broadcast, …
• Resources: Papers, Reviews, Configurations
Performance
• Policy has 50 MTDD variables
• Raw policy has 1268 MTDD nodes
• Constraints shrink it to 817 nodes
• Parsing/constraining: 2.07s
• Twelve properties: each < 10ms
• Memory: 316,288 bytes over baseline
• Change: 2ms, 1133 nodes, 16.3Kb memory
Conclusion
Tool Output
1:/Subject, role, Faculty/
2:/Subject, role, Student/
3:/Resource, resource-class, ExternalGrades/
4:/Resource, resource-class, InternalGrades/
5:/Action, command, Assign/
6:/Action, command, View/
7:/Action, command, Receive/
8:/Subject, role, TA/
12345678
{00010101 N->P
00011001 N->P
00100101 N->P
00101001 N->P
01010101 N->P
01011001 N->P
01100101 N->P
01101001 N->P}
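Each row of the tool output is one changed request: the eight bit positions are the numbered attribute variables (1 = Faculty ... 8 = TA), and N->P means the request was NotApplicable under Policy 3 and is Permitted under Policy 4. As an added example (not Margrave's code; a constructed toy evaluator that models XACML's bag-valued attributes as sets and knows only Permit and NotApplicable, since the running example has no Deny rules), the following reproduces the property-3 verification of Policies 1 to 3 and the Policy 4 - Policy 3 and Policy 5 - Policy 3 change-impact reports by brute-force enumeration of the request space instead of decision diagrams. It assumes the Faculty rule covers both grade types, which is what property 2 passing on Policy 3 implies.

```python
from itertools import combinations, product
from typing import Callable, FrozenSet, List, NamedTuple, Set, Tuple

# Attribute vocabulary of the running example; the order matches the tool output's variables 1-8.
ROLES = ("Faculty", "Student", "TA")
RESOURCES = ("ExternalGrades", "InternalGrades")
ACTIONS = ("Assign", "View", "Receive")

class Request(NamedTuple):
    roles: FrozenSet[str]      # XACML attributes are bags: one request may carry several values
    resources: FrozenSet[str]
    actions: FrozenSet[str]

# A rule target is (roles, resources, actions); it matches when every bag shares a value with it.
Rule = Tuple[Set[str], Set[str], Set[str]]
Constraint = Callable[[Request], bool]

def decide(rules: List[Rule], req: Request) -> str:
    """Permit ('P') if any rule target matches, otherwise NotApplicable ('N'); no Deny rules here."""
    for roles, resources, actions in rules:
        if req.roles & roles and req.resources & resources and req.actions & actions:
            return "P"
    return "N"

def powerset(values: Tuple[str, ...]) -> List[FrozenSet[str]]:
    return [frozenset(c) for n in range(len(values) + 1) for c in combinations(values, n)]

def request_space(constraints: List[Constraint]) -> List[Request]:
    """Every request over the vocabulary (2^8 = 256 of them) that satisfies all constraints."""
    space = (Request(*t) for t in product(powerset(ROLES), powerset(RESOURCES), powerset(ACTIONS)))
    return [r for r in space if all(c(r) for c in constraints)]

def permitted_roles(rules, reqs, action, resource) -> Set[FrozenSet[str]]:
    """Role combinations that hold a permitted request carrying `action` on `resource`."""
    return {r.roles for r in reqs
            if decide(rules, r) == "P" and action in r.actions and resource in r.resources}

def check_property3(rules: List[Rule], constraints: List[Constraint]) -> List[FrozenSet[str]]:
    """Property 3: no role combination may both Receive and Assign ExternalGrades.
    Returns the violating role combinations (counterexamples); an empty list means it holds."""
    reqs = request_space(constraints)
    both = (permitted_roles(rules, reqs, "Assign", "ExternalGrades")
            & permitted_roles(rules, reqs, "Receive", "ExternalGrades"))
    return sorted(both, key=lambda s: (len(s), sorted(s)))

def change_impact(old: List[Rule], new: List[Rule],
                  constraints: List[Constraint]) -> List[Tuple[Request, str, str]]:
    """Requests whose decision differs between two policies, with the old and new decision."""
    return [(r, decide(old, r), decide(new, r))
            for r in request_space(constraints) if decide(old, r) != decide(new, r)]

# Rules of the running example. The Faculty rule covers both grade types (assumption: that is what
# property 2 passing on Policy 3 implies, although the slide names only ExternalGrades).
BASE_RULES: List[Rule] = [({"Student"}, {"ExternalGrades"}, {"Receive"}),
                          ({"Faculty"}, set(RESOURCES), {"Assign", "View"})]
TA_AS_FACULTY: Rule = ({"TA"}, set(RESOURCES), {"Assign", "View"})     # Policy 4's TA rule
TA_INTERNAL: Rule = ({"TA"}, {"InternalGrades"}, {"Assign", "View"})   # Policy 5's TA rule
SINGLETONS: List[Constraint] = [lambda r: len(r.actions) == 1, lambda r: len(r.resources) == 1]
DISJOINT: List[Constraint] = [lambda r: not {"Faculty", "Student"} <= r.roles]

if __name__ == "__main__":
    for name, cons in (("Policy 1", []), ("Policy 2", SINGLETONS), ("Policy 3", SINGLETONS + DISJOINT)):
        print(name, "property 3 counterexamples:", [sorted(s) for s in check_property3(BASE_RULES, cons)])
    for req, old, new in change_impact(BASE_RULES, BASE_RULES + [TA_AS_FACULTY], SINGLETONS + DISJOINT):
        print(sorted(req.roles), *req.resources, *req.actions, f"{old}->{new}")
```

Policy 1 reports the {Student} combination (a single request carrying both Receive and Assign), Policy 2 reports {Faculty, Student}, and Policy 3 reports nothing, while the Policy 4 - Policy 3 diff yields the eight N->P rows of the tool output, four of them on ExternalGrades. Adding "FacultyFamily" to ROLES together with the rule ({"FacultyFamily"}, {"ExternalGrades"}, {"Receive"}) reproduces the Policy 6 counterexample as the combination {Faculty, FacultyFamily}.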
Perspective
• Verification can be cheap enough to fit into the design flow and encourage policy exploration
• Change impact
– useful in itself: finds some errors without properties
– query/verif. is a bonus lightweight formal method
• Think about continuous verification and change impact reports
XACML analysis: http://www.cs.brown.edu/research/plt/software/margrave/
Conference manager: http://continue.cs.brown.edu/