Access Nets: Modeling Access to Physical Spaces

Transcription

1 Acce Net: Modeling Acce to Phyical Space Robert Frohardt, Bor-Yuh Evan Chang, and Sriram Sankaranarayanan Univerity of Colorado, Boulder, Colorado, USA Abtract. Electronic, oftware-managed mechanim uing, for example, radiofrequency identification (RFID) card, enable great flexibility in pecifying acce control policie to phyical pace. For example, acce right may vary baed on time of day or could differ in normal veru emergency ituation. With uch fine-grained control, undertanding and reaoning about what a policy permit become urpriingly difficult requiring knowledge of permiion level, patial layout, and time. In thi paper, we preent a formal modeling framework, called ACCESS NETS, uitable for decribing a combination of acce permiion, phyical pace, and temporal contraint. Furthermore, we provide evidence that model checking technique are effective in reaoning about phyical acce control policie. We decribe our reult from a tool that ue reachability analyi to validate ecurity policie. 1 Introduction Acce to phyical pace uch a building, mueum, airport, and chemical plant i increaingly mediated by electronic, oftware-controlled mechanim. Thee mechanim combine traditional human mediation, mechanical lock-and-key, a well a electronic technologie uch a radio-frequency identification (RFID) card. The ue of computerized acce control in thee ytem i on the rie, a they enable highly flexible policie. Computerized acce control policie enable adminitrator to add or remove acce to key peronnel or pecify policie that may vary depending on the time of the day (working hour veru evening), day of the week (weekday veru weekend), and month in the year (ummer veru fall). Thee policie can even be automatically changed in repone to emergencie uch a a fire in the building in contrat to acce policie mediated uing only mechanical lock-and-key. In thi paper, we addre formal modeling and verification of acce control policie for phyical pace. Our approach combine dynamic model of acce control policie in phyical pace with an application of model-checking technique. In particular, we make the following contribution: We preent a formal framework ACCESS NETS for the modeling of acce control in phyical pace, uch a office or building (Sect. 3). Our framework model the topology of the phyical pace, a well a the movement of peronnel with variou acce level in thi pace. Our model of acce control accommodate rich pecification, including thoe that depend on time.

2 2 Robert Frohardt, Bor-Yuh Evan Chang, and Sriram Sankaranarayanan Gallery Lobby Archive Acce Level viitor guard curator P1 P2 P3 The viitor may only be in the mueum between 9:00 a.m. and 5:00 p.m. The viitor may only enter the archive with guard ecort during mueum hour. The curator may enter the mueum and the archive at any time. Fig. 1. A floor plan, acce control role (top) and acce control policy (bottom) for a mueum. We demontrate a new and compelling application oormal verification technique, like model checking. While oftware-managed acce control ytem may be large and complex, we ee that well-known tate-pace reduction technique are urpriingly effective in reducing the ize of the model. Thu, we identify a new domain where model checking technique are particularly apt (Sect. 4). We provide evidence for the applicability of our technique through an initial cae tudy (Sect. 5). In particular, we oberve that our ACCESS NET-pecific reduction technique are quite effective in reducing the tate pace. Motivating Example. Figure 1 outline a imple floor plan and an acce control policy for a fictitiou mueum. The mueum ha a main entrance leading into a lobby. The lobby in turn lead into a gallery, which i connected to an archive. The main entrance and the entrance to the archive have key card reader. The archive entrance i taffed by a guard during opening hour. The acce control policie are alo decribed in Fig. 1. Given uch a policy pecification, we wih to verify that the acce control mechanim upport it. For example, i it poible for a viitor to be in the archive after hour? Can curator acce the archive at any time? In general, it i hard to manually conider all the relevant cenario, epecially for larger building with more complex acce control policie. Therefore, we deire a formal framework that capture the relevant detail of uch ytem and enable automatic verification. 2 Overview In thi ection, we preent an overview of the main feature in the ACCESS NETS model, uing the mueum example hown in Fig. 1. Note that we are not intereted in detail like the precie patial layout of the building (e.g., coordinate). Thu, we eek a graphlike model that capture connectivity but abtract patial layout. Drawing inpiration from Petri net [19], we ue token to model peron and tranition to capture the movement of peron from one place to another. Each tranition ha at leat one incoming and one outgoing arc. Tranition move token one-way from their input place to their output place. Thi capture common ituation wherein, a key i needed to enter a room but not needed to exit. The ACCESS NET model for the mueum example ha the graph tructure hown in Fig. 2.

3 Acce Net: Modeling Acce to Phyical Space 3 main(in) gallery(in) archive(in) outide lobby gallery archive main(out) gallery(out) archive(out) Fig. 2. The graph tructure of the ACCESS NETS model for the example in Fig. 1. Token Type. Each token in our model ha an aociated type that repreent it acce level (e.g., viitor, guard, curator, adminitrator, or upervior). Tranition are enabled baed on the number of token of each type from each of their input place. For example, the rule that a viitor may only enter the archive under guard ecort (rule P2 in Fig. 1) i hown in Fig. 3. Both the incoming and outgoing arc of the archive(in) tranition are annotated with 1 guard and 1 viitor. Thee label pecify the enabling condition that there mut be a guard and a viitor preent in the gallery. Tranition Firing. Tranition whoe input condition are atified may fire nondeterminitically to yield a next tate baed on the output condition of the tranition. Thu, for example, to capture that a curator may enter the archive herelf without guard ecort (rule P3), we can imply add a eparate tranition with arc from the gallery and to the archive each labeled with 1 curator. Time. Some tranition rule depend on the time of day. For example, anyone may enter the mueum between 9:00 a.m. and 5:00 p.m. To model time, we add a global clock to an ACCESS NET tate and a et of time interval to the enabling condition of each tranition. For intance, we can aociate a et of time [9, 17] with the main(in) tranition in Fig. 3, o that it i enabled between 9:00 a.m. and 5:00 p.m. Mandatory Tranition. Recall that viitor may be in the mueum only between 9:00 a.m. and 5:00 p.m. (rule P1), o not only do we allow viitor to enter during thoe hour, but we mut require viitor to leave when the mueum cloe at 5:00 p.m. To do o, we introduce the notion of a mandatory tranition. At any tate, if any mandatory tranition i enabled, one of them mut be taken next (ee Sect. 3). In thi cenario, we add mandatory tranition from the archive, gallery, and lobby to the outide requiring the viitor to leave during the time range [17, 17.5] (i.e., 5:00 p.m. to 5:30 p.m.). 3 Acce Net In thi ection, we provide a formalization of ACCESS NETS. The formal model provide a bai for verification technique (Sect. 4) and the cae tudie (Sect. 5). Topology. The topology of a building i modeled uing a directed graph, whoe node include a et of place P and a et of tranition T. The arc, F (P T ) (T P ), connect place to tranition, and tranition back to place. The inet place tranition arc p P t T f F

4 4 Robert Frohardt, Bor-Yuh Evan Chang, and Sriram Sankaranarayanan main(in) gallery(in) archive(in) 1 guard 1 guard 1 viitor 1 viitor outide [9,17] lobby gallery archive main(out) gallery(out) archive(out) Fig. 3. The ACCESS NET model from Fig. 2 with acce control pecified. box to the right ummarize the notation ued. The incoming arc for a tranition t indicate the place from which t remove token, and the outgoing arc indicate the place to which t add token (cf. Definition 3). Pictorially, place are denoted a circle and tranition a rectangle (cf. Fig. 2). type S marking m : (P S) N global time τ [τ min, τ max ] enabled time H : T P([τ min, τ max ]) tate σ = (m, τ) State: Acce Type, Marking, and Time. To model variou acce control role, each token i annotated with a type drawn from a et S. For example, in the mueum example dicued previouly, the et S i {viitor, guard, curator}, repreenting variou role. Peron are repreented by token of particular type (i.e., with particular acce role). A part of the tate, we decribe where people are with a marking. Definition 1 (Marking). A marking m i a function m : (P S) N that repreent the number of token of type in place p. Pictorially, a marking i denoted by drawing m(p, ) dot labeled at place p. To model temporal acce control rule, we introduce a global clock τ that i a value in a fixed range [τ min, τ max ]. For example, we may chooe τ min = 0 and τ max = 24 repreenting the hour of day. The framework i agnotic to tranlation of thee value to real time. Therefore, time can be modeled at the appropriate granularity (e.g., econd, minute, hour, and day). Time i updated in the ACCESS NET model by uing a pecial tick tranition. For each tranition t, we define the hour function H : T P([τ min, τ max ]). For implicity, H(t) i aumed to be the union oinitely many dijoint interval for each tranition t, pecifying the time intant during which the tranition t can be enabled (cf. Definition 2). Diagrammatically, H(t) i denoted by writing a range next to the tranition (e.g., [9, 17] in Fig. 3). The abence of uch an annotation indicate that the tranition i time independent (i.e., H(t) i [τ min, τ max ]). A tate σ of an ACCESS NET i then the pair (m, τ) coniting of it current marking and it current time. State Tranition. The execution of an ACCESS NET model the movement of people throughout the building and the progreion of time. Recall from Sect. 2 that our model contain mandatory tranition M T that are taken whenever enabled. Definition 2 decribe the enforcement of mandatory tranition.

5 Acce Net: Modeling Acce to Phyical Space 5 State tranition σ σ denote a move from current tate σ to a next tate σ. There are two main type of tate tranition: (1) token tranition model the movement of people, and (2) tick tranition model the progreion of time. Token Tranition. An ACCESS NET ha a weight function W : (F S) N that give the number of token of a type that move along each arc f during a tranition. Definition 2 (Enabled Tranition). Tranition t i enabled in tate σ = (m, τ) iff 1. The current time belong to the permiible range: τ H(t). 2. There are ufficiently many token in the input place: W (f, ) m(p, ) for all f : (p, t) in(t) and for all S. 3. If t / M, then every mandatory tranition t m M i not enabled. where in(t) = def {(p, t) F p P } and out(t) = def {(t, p) F p P } (i.e., the incoming and outgoing arc of tranition t, repectively). An enabled tranition can move token from it input place to it output place. Definition 3 (Token Tranition). Given tate σ = (m, τ) and enabled tranition t, a token tranition reult in a new marking m, uch that m (p, ) = m(p, ) W (f, ), S, f : (p, t) in(t). m (p, ) = m(p, ) + W (f, ), S, f : (t, p) out(t). For implicity in preentation, in(t) and out(t) are aumed dijoint, that i, there are no elf-loop. Self-loop can be eliminated by the introduction of dummy tranition and t place [19]. We write uch a token tranition a (m, τ) (m, τ). Tick Tranition. Tick tranition model the elape of time. For any tate σ = (m, τ) uch that τ [τ min, τ max ), and no mandatory tranition are enabled, the global time may progre to any time in (τ, τ ] where τ = min(τ M, τ max ) where τ M > τ i the next time when ome mandatory tranition could be enabled. We write a time tranition from τ to τ a follow: (m, τ) tick (m, τ ). When checking the model, not all time value τ need to be conidered. Intead, time i abtracted uing a region contruction along the line of Alur and Dill [1]. To implify ome oormalization, we alo define idling tranition that do not change the tate, which we write a σ ε σ. Execution. An execution of an ACCESS NET conit of a finite equence of tate σ 0, σ 1,..., σ n wherein each tate σ i+1 i obtained from the previou tate σ i by a legal tate tranition a decribed above. For example, we write a ample execution a t follow: σ 1 ε tick t 0 σ1 σ 2 n 1 σn. We conider finite equence of tate ince we are intereted in execution in which time remain within [τ min, τ max ]. However, temporal logic are interpreted over infinite tate equence (or tree) [5]. We extend our finite equence to infinite one by adding infinitely many idling tranition. Conervation. Since token repreent people, there i a phyical contraint that all tate tranition σ σ conerve the number and type of token. We enforce thi by requiring that all tranition t are conervative. Conervative tranition i not an inherent limitation to our approach but rather a check for more faithful model.

6 6 Robert Frohardt, Bor-Yuh Evan Chang, and Sriram Sankaranarayanan Definition 4 (Conervative Tranition). A tranition t i conervative ifor every acce type, the um of token of that type on incoming edge to t i equal to the um of that type on outgoing edge, that i, for all S, W (f, ) = W (f, ). f in(t) f out(t) If all tranition are conervative, then any execution i alo conervative capturing the deired phyical contraint (ee our companion technical report [10] for a proof). For reference, we gather all of the piece of an ACCESS NET a decribed above in our companion technical report [10]. There are related Petri net model, e.g., with typed token [16] and with predicate on tranition [11]. Here, we have incorporated the apect that are critically neceary to capture acce control policie. 4 Verification of Acce Propertie In thi ection, we conider verifying propertie of ACCESS NETS. Our primary goal i to check whether token of a certain type can be preent in a certain room in a certain time range; for example, a property of interet could ay, There i never a viitor in the archive before 9:00 a.m. or after 5:30 p.m. Thi retricted cla of reachability propertie enable u to perform aggreive tate-pace reduction. It i poible to extend our reduction to verify ACTL propertie, following Clarke et al. [6]. Given an ACCESS NET A with a place p and a token type, we ay p i token reachable for at time τ if and only if σ 0 σ n where i the tranitive cloure of the tranition relation, tate σ 0 i the initial tate, and if σ n = (m n, τ n ) then m n (p, ) > 0 and τ n = τ. A expected, we can verify uch propertie uing model checking. The tate pace of an ACCESS NET blow up quickly a we increae the number of place, tranition, and token type, a we ee in our cae tudy (Sect. 5). Fortunately, there are everal natural reduction that can be performed that repect the token reachability property of interet. Our reduction generate a new ACCESS NET that abtract the original in the ene that it i ound with repect to token reachability. Stated more preciely, let A be a reduced ACCESS NET of A, and let π be the function mapping each place of A to it correponding place in A. Then, the reduction i ound with repect to token reachability if whenever π(p) i not reachable for at time τ in A, then p i not reachable for at time τ in A. In other word, reduction preerve afety. Furthermore, two of our three reduction, namely the unlocked door and redundant tranition reduction, are complete with repect to token reachability. The two mot intereting reduction ue the following procedure (cf. Clarke et al. [6]): (1) we define an equivalence relation pl over place; (2) we define a new AC- CESS NET A a the quotient of A with repect to. pl Definition 5 (Acce Net Reduction). Let A be an ACCESS NET and let pl be an equivalence relation over place. Thi equivalence relation induce the following equivalence relation over arc: ar f 1 f 2 iff pl p 1 p 2 and t 1 = t 2, and either f 1 = (p 1, t 1 ) and f 2 = (p 2, t 2 ) or f 1 = (t 1, p 1 ) and f 2 = (t 2, p 2 )

7 Acce Net: Modeling Acce to Phyical Space 7 Let π map a place or arc in A = (P, T,...) to it repective equivalence cla (under pl or ). ar We alo write π 1 for the pre-image of thi mapping. Then, A = (P, T,...) i a reduced ACCESS NET under equivalence relation : pl P = π(p ) F = π(f ) T = T M = M S = S τ 0 = τ 0 τ min = τ min τ max = τ max H = H W : (f, ) W (f, ) m 0 : (p, ) f π 1 ({f }) p π 1 ({p }) m 0 (p, ) where π(p ) i the image of P under π and π(f ) i the image of F under π. That i, we map all place and arc to their equivalence clae (firt line); tranition, mandatory tranition, token type, time contraint and the clock tay the ame; weight on arc and the initial marking are combined by umming the number of token of each type. It remain to be hown that A a defined above i actually an ACCESS NET. In particular, the main property that mut be checked i that conervation i preerved, which i hown in our companion technical report [10]. We now define everal reduction on ACCESS NETS that ue thi idea of defining equivalence relation over place. Unlocked Door Reduction. If the only barrier between two room i an unlocked door, then for the purpoe of checking reachability, the two room can be merged into a ingle room. Definition 6 (Equivalent up to Unlocked Door). A room p 2 can be reached through one unlocked door from a room p 1 p 2, written unlocked(p 1, p 2 ), if and only ior every ecurity role, there i ome tranition t uch that 1. We have H(t) = [τ min, τ max ], that i, the tranition i enabled at all time. 2. We have pred(t) = {p 1 } and ucc(t) = {p 2 } where pred and ucc are the function mapping a place to it et of predeceor and ucceor place, repectively. In other word, t i a tranition from p 1 to p 2 and doe not take token from or end token to any place other than p 1 and p 2. pl Two room p 1 and p 2 are equivalent up to unlocked door in one-tep, written p 1 1 p 2, if and only if unlocked(p 1, p 2 ) and unlocked(p 2, p 1 ). The equivalence relation for unlocked door i imply the reflexive-tranitive cloure of pl 1. Figure 4(a) how a implified ACCESS NET of the office building (ECOT) ued in our cae tudy (ee Sect. 5) with two token type and f (to repreent tudent and faculty, repectively). Figure 4(b) how the reult of applying the unlocked door reduction to Fig. 4(a). We ee that the two place hall 1 and hall 2 have been merged into a place [hall 1], a the two place allow free paage of both and f in both direction. After the unlocked door reduction, the reduced model technically would have unneceary elf-loop tranition between each new repreentative and itelf. Thee tranition can be deleted from the model.

8 8 Robert Frohardt, Bor-Yuh Evan Chang, and Sriram Sankaranarayanan office 1 hall 1 hall 2 office 2 (a) Simplified ACCESS NET before any reduction. office 1 [hall 1] office 2 [office 1] [hall 1] (b) After the unlocked door reduction. (c) After equivalent room and redundant tranition reduction. Fig. 4. Applying reduction to a implified ACCESS NET for an office building. Redundant Tranition Reduction. If two tranition repreent identical acce rule and move token from the ame ource to the ame detination, then one of the two tranition can be deleted. Thi reduction doe not follow the pattern of defining an equivalence relation on place for the ake of merging place. Intead if two tranition are equivalent according to the following definition, then one of the tranition can be arbitrarily deleted. Definition 7 (Equivalent up to Redundant Tranition). Two tranition t 1 and t 2 are equivalent up to redundant tranition, written tr, iff: 1. H(t 1 ) = H(t 2 ), that i, the tranition are enabled at exactly the ame time. 2. There exit a bijective mapping µ : in(t 1 ) in(t 2 ) uch that for every place p 1 where (p 1, t 1 ) in(t 1 ), then whenever (p 2, t 2 ) = µ(p 1, t 1 ), we have: p 1 = p 2 and W ((p 1, t 1 ), ) = W ((p 2, t 2 ), ) for every S. 3. There exit a bijective mapping ν : out(t 1 ) out(t 2 ) uch that for every place p 1 where (t 1, p 1 ) out(t 1 ), then whenever (t 2, p 2 ) = ν(t 1, p 1 ), we have: p 1 = p 2 and W ((t 1, p 1 ), ) = W ((t 2, p 2 ), ) for every S. Thi definition ay that two tranition are equivalent if they are enabled at exactly the ame time and if their incoming and outgoing edge can be put into a bijective correpondence of equivalent edge. It i traightforward to how that tr i an equivalence relation. For each equivalence cla of tranition, all of the tranition in that cla can be deleted except for one arbitrary repreentative.

9 Acce Net: Modeling Acce to Phyical Space 9 Equivalent Room Reduction. If two room are equivalent in the ene that they are only reachable from the ame room according to the ame acce control rule, then the two room can be merged into a ingle room. Definition 8 (Equivalent Room). Firt, we define two tranition a being equivalent up to q 1 = q 2, written q1=q2 in the ame way a tr from the redundant tranition reduction with one change. Intead of requiring of µ and ν that p 1 = p 2, we require only that p 1 = p 2 or p 1 = q 1 and p 2 = q 2 or p 1 = q 2 and p 2 = q 1 That i, the tranition are redundant under an aumption that q 1 pl room q 1 and q 2 are equivalent room, denoted q 1 q 2 if and only if = q 2. Then two 1. There exit a bijective mapping µ : pred(q 1 ) pred(q 2 ) uch that for every tranition t pred(q 1 ), we have t q1=q2 µ(t). 2. There exit a bijective mapping ν : ucc(q 1 ) ucc(q 2 ) uch that for every tranition t ucc(q 1 ), we have t q1=q2 ν(t). It i traightforward to how that pl i an equivalence relation. Figure 4(c) how the reult of applying the equivalent room and redundant door reduction to Fig. 4(b). We ee that office 1 and office 2 have been merged into a ingle place [office 1]. Thee reduction correpond naturally to our intuition, a from the perpective of token reachability, all of the office and all of the hall look the ame a long a they are connected to each other though unlocked area. All three reduction, unlocked door, redundant tranition, and equivalent room, are ound with repect to token reachability. Furthermore, unlocked door and redundant tranition are complete with repect to token reachability (though equivalent room i not). Proof of thee fact are given in our companion technical report [10]. At a high-level, the reduction merge equivalent place that atify the ame et of propertie, in order to contruct an abtraction. Thi abtraction i imilar in way to canonical abtraction in the TVLA program analyi framework [22]. Untiming. Regarding tick tranition, the definition for tate tranition allow arbitrary time tep and decribe an infinite tate pace. However, only the the initial time and the boundarie of time interval referenced by time-dependent tranition need to be conidered during verification. To thi end, we apply a tandard untiming contruction a decribed in Alur and Dill [1]. The untiming contruction i epecially implified in the cae of ACCESS NETS ince the model ha a ingle timer. 5 Cae Study: Office Security To validate the feaibility of our approach, we modeled a part of the Engineering Center Office Tower (ECOT) at the Univerity of Colorado, Boulder and a et of ynthetic acce control rule. Furthermore, we have completely modeled an actual, large office building with multiple floor, occupied by many buinee uing a real acce control

10 10 Robert Frohardt, Bor-Yuh Evan Chang, and Sriram Sankaranarayanan Table 1. Dependence of explicit-tate model checking uing Spin on the ize of the building for verifying a valid property. In each tet cae run, we how the ize of the ACCESS NET (number of room, tranition, and peron) along with the number tate oberved by Spin, the total memory ued by Spin, and the total time for the model checking to run. Model Room Tranition Peron State Memory (MB) Time () ECOT ECOT 7, ECOT 6,7, policy. With thee model, we applied explicit-tate model checking uing Spin [15] and bounded model checking [4] uing our implementation baed on the Yice SMT olver [8] (other verification technique could apply). With thi tudy, we are intereted in how the building and acce control policy i encoded a an ACCESS NET model and how feaible i model checking. We alo look at how much the tate pace can be reduced uing the technique from Sect. 4. To create our ACCESS NET model of ECOT, we examined CAD drawing of the ixth, eventh, and eighth floor of the building (which i where the Computer Science Department i located). The acce control policy involved three acce type, tudent, faculty, and maintenance and conited of the following rule: 1. Any faculty can enter any office. Anybody in an office can exit it. 2. Any maintenance can enter a mechanical room or janitorial room. Anybody in one of thee room can exit it. 3. Any tudent can only enter a conference room accompanied by a faculty and only between 9:00 a.m. and 5:00 p.m. Conference room can be exited freely. A perhap expected, the tate pace grow quickly even for our relatively mall model by either increaing the number of place and tranition or the number of token. Fortunately, the topology and acce policie that we work with are amenable to reduction, which apply regardle of model checking technique. We firt conider verification of a valid property uing Spin on unreduced model and look at the growth in verification reource a a function of model ize. Then, we look at the cot of dicovering property violation. We conider not only explicit-tate model checking but alo bounded model checking, which i inenitive to number of token. Finally, we look at the effectivene of reduction. Verifying Valid Propertie. Table 1 how the relationhip between the reource required for explicit-tate model checking and number of room and tranition in an ACCESS NET, while Table 2 conider the dependence on number of peron. All of our tet were executed on a Linux erver with 32 GB memory and ixteen 2.93GHz Intel Xeon X7350 CPU. In the tet run in thee two table, we checked that a tudent can never be in a particular office (826) and a faculty member can never be in a pecific mechanical room (805A), which i valid in thee model. There were no ue of time in any of thee model (i.e., we did not ue rule 3 regarding the conference room here). In Table 1, we ee that Spin work with reaonable memory and time contraint, but the tate pace blow up quite quickly a we add additional room (by ucceively

11 Acce Net: Modeling Acce to Phyical Space 11 Table 2. Dependence of explicit-tate model checking uing Spin on the number of peron in the model for verifying a valid property. We tarted with one peron of each type and then ucceively added one faculty at a time. Model Room Tranition Peron State Memory (MB) Time () ECOT ECOT ECOT ECOT ECOT adding the room on the 7th and 6th floor). In thee tet, we tarted one token of each type in a public room on the 8th floor. For increaing number of peron, we ee the number of tate conidered by Spin alo grow rapidly, a doe the increae in memory and time conumption, a hown in Table 2. In thee tet, we tarted with one token of each type and then ucceively added one token of type faculty at a time. We choe the faculty type, a it lead to the larget tate pace. Dicovering Property Violation. Both of the previou example checked propertie that could not be violated (and thu required an exhautive exploration of the tate pace). Here, we conider violated propertie. Firt, we conider the ame et of ACCESS NET model from Table 1 that do not ue timed tranition. The violated property wa a faculty member cannot be in a particular office on the 8th floor (826). The tet run are hown in the top half of Table 3. We then looked at a et of timed model that add the conference room rule (rule 3), that i, that a tudent can only enter a conference room with a faculty member between 9:00 a.m. and 5:00 p.m. In thi cae, the initial tate wa a tudent and a faculty on the 7th floor at 9:00 a.m. The violated property wa a tudent cannot be in the conference room (831) at 6:00 p.m. Thi property can be violated by the faculty letting the tudent into the conference room between 9:00 a.m. and 5:00 p.m. and then the tudent remaining in the room after 5:00 p.m. until 6:00 p.m. Table 2 how rapid exploion in the number of tate conidered by Spin a we increae the number of token. A potential advantage of bounded model checking i it inenitivity to number of token, and thu, we applied it to the property violation cae of Table 3. Table 4 preent thee reult. We confirm that the Yice-baed bounded model checker find the ame witnee a Spin in a reaonable amount of time and pace. Note that our BMC implementation i currently a prototype. Reduction. The redundant tructure of ECOT i particularly well-uited to the reduction decribed in Sect. 4. Even after adding in the 5th floor, ECOT reduce to jut four room! In the reduced model, there i one public room, one repreentative office, one repreentative maintenance room, and one repreentative conference room. Table 5 how the reult from the reduction; the memory and time meaurement how the cot of computing the reduced model. In all cae, after applying all reduction, the model are o mall that the model checking time are negligible (and thu not hown

12 12 Robert Frohardt, Bor-Yuh Evan Chang, and Sriram Sankaranarayanan Table 3. Dicovering a property violation uing Spin in breadth-firt earch mode. We conider the et of ACCESS NET model without timed tranition from Table 1 and a new et with timed tranition. Model Room Tranition Peron State Memory Depth Time (MB) () Without Timed Tranition ECOT ECOT 7, ECOT 6,7, With Timed Tranition ECOT ECOT 7, Table 4. Dicovering a property violation uing the Yice-baed BMC (untimed model). Note that BMC doe not require a bound on the number of peron. Model Memory (MB) Time () Depth ECOT ECOT 7, ECOT 6,7, in the table). The row labeled ome reduction how the effect of performing only the unlocked door and redundant tranition reduction (Definition 6 and 7). The row labeled all reduction add the equivalent room reduction (Definition 8), which i all reduction decribed in Sect. 4. In our model, all faculty can acce all office, but in a light variant, we may have a unique acce policy for each office. In thi cae, the equivalent room reduction would have no effect giving reduced model analogou to the cae with ome reduction. Real-World Example. We alo obtained the complete acce control pecification for an actual four-tory, multi-tenant office building. The building houe roughly 200 employee during working hour. Our model of the building had about 200 room and 230 door. The operator of the building can aign up to 24 different acce type. Due to the exponential dependence of our model on the number of people in the model, we could not imulate all acce type at once. We elected two acce type that were more intereting and ran a imple licing reduction (not decribed in Sect. 4) that remove tranition for the excluded acce type. Without reduction, thi model i too large for the explicit-tate model checker, but the reduction are very effective (ee Table 6). After reduction, we can prove afety propertie very efficiently. Note that the retriction in the number of peron doe not apply to BMC that wa run for an unbounded number of peron. Thi make the BMC approach epecially appealing becaue the number of people in the model doe not directly affect the encoding ize. The BMC implementation ran for an hour on the full

13 Acce Net: Modeling Acce to Phyical Space 13 Table 5. Size of reduced model and reource requirement to calculate the reduction. The marking (<) indicate omething below the granularity of our meaurement, while (*) indicate a cae where we fail to run Spin poibly becaue of the model ize. Model Reduction Model Room Tranition Peron State Memory (MB) Time () ECOT 8 no reduction N/A N/A ome reduction < < all reduction < < ECOT 7, 8 no reduction N/A N/A ome reduction < 0.1 all reduction ECOT 6, 7, 8 no reduction N/A N/A ome reduction all reduction ECOT 5, 6, 7, 8 no reduction * N/A N/A ome reduction all reduction Table 6. Reult of explicit-tate model checking for real office building. Model Room Tranition Peron State Memory (MB) Time () before reduction N/A N/A N/A after reduction model without reduction, earching up to depth 7, but wa unable to find a violation. The running time on the reduced model wa ignificantly maller (30) for a depth Related Work Sampemane et al.preent a pecification formalim for role-baed acce control to phyical pace that allow novel ue of phyical pace, while enuring that reource in thee pace are not miued [23]. Similarly, Bauer et al.preent a framework for modeling and reaoning about peronnel credential and their delegation for phyical a well a cyber acce control uing theorem proving [3]. The previouly cited work preent formalization that upport the addition, deletion, and modification of acce control policie. Our work i complementary: we focu on modeling the phyical topology of the building and reaoning about it interplay with acce control mechanim.

14 14 Robert Frohardt, Bor-Yuh Evan Chang, and Sriram Sankaranarayanan Dynamical model of building have been invetigated both at the macrocopic level, wherein, pedetrian flow are often modeled a continuou, without ditinguihing the behavior of each individual pedetrian [14] and at microcopic level with an agentbaed model of individual action. Application of thee imulation have included technique to predict the time to evacuate large and complex building [18,13,24,21]. Thee model inevitably ue a graph-baed repreentation to capture the building topology. Our work offer a ytematic model that alo take into account the different acce level and the complex oftware-controlled acce policie that are virtually tandard in modern building. Model checking ha alo been applied in the pat to check acce control policy for computer network ytem. The model propoed here i imilar to the role-baed acce control (RBAC) model ued for mediating acce to electronic reource in an organization [9]. The verification of acce control policie for organizational ytem ha been conidered in the pat. For intance, Jha et al. [17] preent a formalization of variou RBAC model and characterize the computational complexity of ome analyi problem. Guelev et al.preent a model-checking approach for verifying both the permiivity a well a the ecurity of acce control policie [12]. Our work on phyical pace bear many imilaritie to role-baed acce control policie. For intance, our model aume that permiion are provided baed on certain well-defined organizational role, which can be finitely many and well-known a priori. However, the verification problem i inherently different. Unlike network topologie, building have a non-trivial patial layout, whoe modeling at the appropriate level of detail i critical. Furthermore, building tend to be larger with more room, door, paageway with a rich variety of acce enforcement mechanim. Building acce control rule vary with time unlike network acce control rule. Finally, the need for mandatory tranition i alo quite unique. Neverthele, a witneed by the ucce of our abtraction-baed approache, building alo preent large amount of regularity that can be exploited through imple reduction cheme to ignificantly reduce the complexity of property verification. Our work make ue of a tranlation to exiting model checking tool including Spin for explicit tate model checking [5,15], a well a a bounded model checker [4] implemented uing the SAT-modulo theory olver Yice [20,8]. Other fat SMT olver include olver uch a Z3 [7,2]. 7 Concluion Although we have focued on reachability propertie, we can conider ACCESS NETS that model and verify other apect of phyical pace. For example, other potential application include checking for detectability of violation (e.g., by adding obervability to the emantic) or modeling evacuation plan for building. In ummary, we have preented a formal model, ACCESS NETS, for analyzing acce control policie for phyical pace. The model can expre many apect that are relevant uch a phyical topology, role-baed acce policie, and time-dependent acce rule. Formal verification technique can be ued on thee model, thereby making computer-aided validation of acce control policie poible. Furthermore, we have demontrated that although the

15 Acce Net: Modeling Acce to Phyical Space 15 tate-pace doe explode, domain-pecific tate-pace reduction technique are quite effective in reducing the complexity of the verification problem. Acknowledgment. We thank the anonymou reviewer for their helpful comment. Reference 1. R. Alur and D. L. Dill. A theory of timed automata. Theor. Comput. Sci., 126(2), C. Barrett, M. Deter, A. Olivera, and A. Stump. Deign and reult of the third annual atifiability modulo theorie competition (SMT-Comp 2007). International Journal on Artificial Intelligence Tool, 17(4), L. Bauer, S. Garri, and M. K. Reiter. Efficient proving for practical ditributed accecontrol ytem. In Computer Security (ESORICS), A. Biere, A. Cimatti, E. Clarke, and Y. Zhu. Symbolic model checking without BDD. In Tool and Algorithm for the Contruction and Analyi of Sytem (TACAS), E. Clarke, O. Grumberg, and D. Peled. Model Checking E. M. Clarke, O. Grumberg, and D. E. Long. Model checking and abtraction. ACM Tran. Program. Lang. Syt., 16(5), L. de Moura and N. Bjørner. Z3: An efficient SMT olver. In Tool and Algorithm for the Contruction and Analyi of Sytem (TACAS), B. Dutertre and L. de Moura. The YICES SMT olver. tool-paper.pdf. 9. D. F. Ferraiolo, D. R. Kuhn, and R. Chandramouli. Role-baed Acce Control R. Frohardt, B.-Y. E. Chang, and S. Sankaranarayanan. Acce Net: Modeling acce to phyical pace (extended verion). Technical Report CU-CS , Department of Computer Science, Univerity of Colorado, Boulder, H. J. Genrich and K. Lautenbach. Sytem modelling with high-level Petri net. Theor. Comput. Sci., 13(1), D. P. Guelev, M. Ryan, and P.-Y. Schobben. Model-checking acce control policie. In Information Security (ISC), D. Helbing, I. Farka, and T. Vicek. Simulating dynamical feature of ecape panic. Nature, 407(6803), L. Henderon. The tatitic of crowd fluid. Nature, 229, G. Holzmann. The SPIN Model Checker K. Jenen. Coloured Petri net and the invariant-method. Theor. Comput. Sci., 14(3), S. Jha, N. Li, M. V. Tripunitara, Q. Wang, and W. H. Winborough. Toward formal verification of role-baed acce control policie. IEEE Tranaction on Dependable and Secure Computing (TDSC), 5(4), G. Lova. Modeling and imulation of pedetrian traffic flow. Tranportation Reearch B, 28(6), T. Murata. Petri net: Propertie, analyi and application. Proc. IEEE, 77(4), R. Nieuwenhui, A. Olivera, and C. Tinelli. Solving SAT and SAT modulo theorie: From an abtract DPLL procedure to DPLL(T). J. ACM, 53(6), N. Pelechano and A. Malkawi. Evacuation imulation model: Challenge in modeling high rie building evacuation with cellular automata approache. Automation in Contruction, 17(4), M. Sagiv, T. Rep, and R. Wilhelm. Parametric hape analyi via 3-valued logic. ACM Tran. Program. Lang. Syt., 24(3), G. Sampemane, P. Naldurg, and R. H. Campbell. Acce control for active pace. In Computer Security Application (ACSAC), T. Shen. ESM: A building evacuation imulation model. Building and Environment, 40(5), 2005.