SMT-Based Verification of NGAC Policies

Next Generation Access Control (NGAC) is a standard for implementing attribute-based access control in computer software. It allows for run-time privilege changes through administrative obligations triggered by access events. However, incorrect privilege changes due to error or intent can cause grave harm to the authorization state. It is important to ensure that the run-time privilege changes meet the access control requirements. To address this issue, we present an efficient approach to verifying NGAC policies by leveraging SMT to deal with complex policy structures and semantics. We have implemented our approach based on the NGAC reference implementation and applied it to two case studies, including the first and only fully-fledged NGAC application. We have formalized 259 access control requirements and successfully verified them against the subject policies. To further evaluate the error detection capability of our approach, we have verified 205 policy versions with a single-seeded obligation error and 154 versions with multiple-seeded obligation errors. The verification results show that all faulty policies failed to satisfy the requirements, and thus the errors were revealed.