Automated Policy Analysis

Static analysis of access-control policies is becoming increasingly important. Such analysis can reveal errors and vulnerabilities in the policies, as well as logical inconsistencies, unintended effects, and discrepancies between different policies or different versions of the same policy. In the process, it helps policy developers to better understand the effects of their policies. Policy analysis has typically been done by hand. For instance, when a bug is discovered and corrected, the resulting policy is manually inspected to ensure that the fix works and that it does not introduce any new problems. But when the policies are large or their logical structure non-trivial, performing such analysis manually is tedious and error-prone. In this paper we show how to automate a wide array of useful policy analyses. This is accomplished by representing policies as logical formulas in the SMT (satisfiability-modulo-theory) subset of first-order logic, and couching analysis questions as SMT problems, which are then solved by efficient off-the-shelf SMT solvers. Because SMT solvers can reason about arithmetic and inductive data types, in addition to Boolean constraints, our system can handle many policies that cannot be analyzed by existing policy engines. We describe the formulation of a number of useful analyses (consistency, completeness, and observational equivalence), and report experimental results on the efficiency of our implementation for analyzing policies of various sizes and kinds of logical structure.