发明名称 |
Verifying access-control policies with arithmetic quantifier-free form constraints |
摘要 |
A system and method is provided for verifying an access-control policy against a particular constraint for a multi-step operation. In disclosed embodiments, the method includes expressing the access-control policy as a first quantifier-free form (QFF) constraint and identifying the particular constraint as a second QFF constraint. The method also includes identifying an operation vector and providing copies of the operation vector associated with steps in the multi-step operation. The method also includes determining a third QFF constraint using the first QFF constraint, the second QFF constraint, and the copies of the operation vector. The method also includes solving the third QFF constraint to determine a solution and outputting a result of the solving. |
申请公布号 |
US8826366(B2) |
申请公布日期 |
2014.09.02 |
申请号 |
US201012837068 |
申请日期 |
2010.07.15 |
申请人 |
TT Government Solutions, Inc. |
发明人 |
Narain Sanjai;Levin Gary |
分类号 |
G06F17/00;G06F11/00;G06F21/62;G06F13/362;G06F21/60;G06F13/00;G06F7/60;H04L29/06 |
主分类号 |
G06F17/00 |
代理机构 |
Heslin Rothenberg Farley & Mesiti P.C. |
代理人 |
Heslin Rothenberg Farley & Mesiti P.C. |
主权项 |
1. A method comprising:
verifying, by a processor, the processor comprising hardware, an access-control policy for operating system objects against a particular constraint for a multi-step operation between operating system objects to determine an extent to which handling of the multi-step operation by the access-control policy is consistent with handling of the multi-step operation by the particular constraint, the verifying comprising:
expressing the access-control policy as a first quantifier-free form (QFF) constraint;identifying the particular constraint as a second QFF constraint, the second QFF constraint for comparison to the first QFF constraint to determine the extent to which handling of the multi-step operation by the access-control policy is consistent with handling of the multi-step operation by the particular constraint, wherein the multi-step operation may be broken-down into a sequence of multiple operation steps; identifying an operation vector generically defining the multi-step operation between operating system objects; providing for each operation step of the sequence of multiple operation steps of the multi-step operation, a respective copy of the operation vector, the respective copy representing the operation step of the multi-step operation; determining a third QFF constraint based on the first QFF constraint, the second QFF constraint, and the provided copies of the operation vector; solving the third QFF constraint to determine a solution, the solution indicative of a level of consistency between the access-control policy and the particular constraint in handling the multi-step operation; and outputting the solution. |
地址 |
Piscataway NJ US |