Security Property Verification by Transition Model | NIST Invites Public Comments on IR 8539

The initial public draft of NIST Internal Report (IR) 8539, Security Property Verification by Transition Model, is now available for public comment. Verifying the security properties of access control policies is a complex and critical task. The policies and their implementation often do not explicitly express their underlying semantics, which may be implicitly embedded in the logic flows of policy rules, especially when policies are combined. Instead of evaluating and analyzing access control policies solely at the mechanism level, formal transition models are used to describe these policies and prove the system’s security properties. This approach ensures that access control mechanisms can be designed to meet security requirements.

This document explains how to apply model-checking techniques to verify security properties in transition models of access control policies. It provides a brief introduction to the fundamentals of model checking and demonstrates how access control policies are converted into automata from their transition models. The document then focuses on discussing property specifications in terms of linear temporal logic (LTL) and computation tree logic (CTL) languages with comparisons between the two. Finally, the verification process and available tools are described and compared.

The public comment period is open through November 25, 2024. See the publication details for a copy of the draft and instructions for submitting comments.


NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the
Information Technology Laboratory (ITL) Patent Policy Inclusion of Patents in ITL Publications

Read More