Modelling and verifying dynamic access control policies using knowledge-based model checking

The purpose of access control policies in computing is to guarantee that access to resources is solely restricted to legitimate users. This clarity of purpose does not make the design of these policies any easier. Today’s systems are large in size, have many users with different roles and can be accessed from anywhere and at any time. Systems often allowed users to perform actions and read data so that users can do their job. Such a reality made it inherently difficult to get access control policies right. Recently, failure to get these policies right has resulted in breach of privacy laws, caused financial loss and threatened the integrity of critical systems. This thesis aims at providing and developing methods and tools to address this issue. The error-prone process of designing access control policies can be aided greatly by the right tools and methods. A modelling language that can express these complex policies and an automated framework to analyse those policies for security flaws can help mitigate this issue. It allows the policy designers to simplify and reason about the access control policy automatically. This thesis advances the modelling and verification of access control policies by using automated knowledge-based symbolic model checking techniques. The key contributions of this thesis are threefold: firstly, a modelling language that expresses dynamic access control policies with compound actions that update multiple variables; secondly, a knowledge-based verification algorithm that verifies properties over an access control policy that has compound actions; and finally, an automated tool, called X-Policy, which implements the algorithm. This research enables us to model and verify access control policies for web-based collaborative systems. We model and analyse a number of conference management systems and their security properties. We propose the appropriate modifications to rectify the policies when possible. Ultimately, this research will allow us to model and verify more systems and help avoid the current situation.