Automated Extraction and Validation of Security Policies from Natural-Language Documents

As one of the most fundamental security mechanisms for resources, Access Control Policies (ACPs) specify which principals, such as users or processes, have access to which resources. Ensuring the correct specification and enforcement of ACPs is crucial to prevent security vulnerabilities. However, in practice, ACPs are commonly written in Natural Language (NL) and buried in large documents such as requirements documents, and are therefore not directly checkable for correctness. It is tedious and error-prone to manually identify and extract ACPs from these NL documents, and to validate NL functional requirements such as use cases against the ACPs to detect inconsistencies. To address these issues, we propose a novel approach, called Text2Policy, that automatically extracts ACPs from NL documents and extracts action steps from NL scenario-based functional requirements (such as use cases). From the extracted ACPs, Text2Policy automatically generates checkable ACPs in specification languages such as XACML. From the extracted action steps, Text2Policy automatically derives access control requests that can be validated against specified or extracted ACPs to detect inconsistencies. To assess the effectiveness of Text2Policy, we conduct three evaluations on ACP sentences collected from 18 sources and on 37 use cases from an open source project called iTrust (comprising 448 use-case sentences). The results show that Text2Policy effectively extracts ACPs from NL documents and action steps from use cases, and detects issues in the use cases.
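The pipeline the abstract describes (extract ACPs from sentences, derive access requests from use-case action steps, validate requests against the policies) as an added, much simplified Python illustration; this is not the paper's code. The two regex grammars, the deny-overrides combining rule, and the sample sentences are assumptions made for the example.

```python
import re
from collections import namedtuple

# Hypothetical toy grammars standing in for Text2Policy's NLP pipeline (assumption, not the paper's method):
#   ACP sentence: "<subject> (can|cannot|is allowed to|is not allowed to) <action> <resource>"
#   action step : "<actor> <verb>s <resource>"
ARTICLE = r"(?:(?:an?|the)\s+)?"
ACP_RE = re.compile(rf"^{ARTICLE}(?P<subj>[a-z ]+?)\s+(?P<modal>can(?:not)?|is (?:not )?allowed to)\s+"
                    rf"(?P<action>[a-z]+)\s+{ARTICLE}(?P<res>[a-z' ]+?)\s*\.?$", re.I)
STEP_RE = re.compile(rf"^{ARTICLE}(?P<actor>[a-z ]+?)\s+(?P<verb>[a-z]+?)s\s+{ARTICLE}(?P<res>[a-z' ]+?)\s*\.?$", re.I)
Policy = namedtuple("Policy", "subject action resource effect")  # effect is "permit" or "deny"

def extract_policy(sentence):
    """Turn one NL ACP sentence into a (subject, action, resource, effect) policy, or None if unparseable."""
    m = ACP_RE.match(sentence.strip())
    if not m:
        return None
    effect = "deny" if "not" in m["modal"].lower() else "permit"
    return Policy(m["subj"].strip().lower(), m["action"].lower(), m["res"].strip().lower(), effect)

def derive_request(step):
    """Turn a use-case action step into an access request (subject, action, resource), or None."""
    m = STEP_RE.match(step.strip())
    if not m:
        return None
    return (m["actor"].strip().lower(), m["verb"].lower(), m["res"].strip().lower())

def evaluate(policies, request):
    """Deny-overrides decision (assumed combining rule); 'not_applicable' when no policy covers the request."""
    matched = [p for p in policies if (p.subject, p.action, p.resource) == request]
    if any(p.effect == "deny" for p in matched):
        return "deny"
    return "permit" if matched else "not_applicable"

def validate(acp_sentences, steps):
    """Report every step whose derived request is denied, uncovered by any ACP, or unparseable."""
    policies = [p for p in map(extract_policy, acp_sentences) if p is not None]
    issues = []
    for step in steps:
        req = derive_request(step)
        decision = evaluate(policies, req) if req else "unparsed"
        if decision != "permit":
            issues.append((step, decision))
    return issues

# Constructed sample input in the spirit of the iTrust use cases (not taken from the paper).
ACP_SENTENCES = ["A nurse can view the patient's record.",
                 "A patient cannot edit the patient's record.",
                 "An HCP is allowed to edit the patient's record."]
STEPS = ["The nurse views the patient's record.",    # permitted by the first ACP
         "The patient edits the patient's record.",  # conflicts with an explicit deny
         "The nurse deletes the patient's record."]  # no ACP covers this action at all
```

Running `validate(ACP_SENTENCES, STEPS)` flags the second step as denied and the third as uncovered, which is the kind of inconsistency between use cases and ACPs the approach is meant to surface.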

By: Xusheng Xiao; Amit Paradkar; Tao Xie

Published in: RC25128 in 2011

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).
