Draft NIST IR 8360 Machine Learning for Access Control Policy Verification Vincent C. Hu This publication is available free of charge from: https://doi.org/10.6028/ NIST.IR.8360- draft Draft NIST IR 8360 Machine Learning for Access Control Policy Verification Vincent C. Hu Computer Security Division Information Technology Laboratory This publication is available free of charge from: https://doi.org/10.6028/ NIST.IR.8360- draft March 2021 U.S. Department of Commerce Gina Raimondo , Secretary National Institute of Standards and Technology James K. Olthoff, Performing the Non -Exclusive Functions and Duties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technol ogy NISTIR 8360 (DRAFT) MACHINE LEARNING FOR ACCESS CONTROL POLICY VERIFICATION ii National Institute of Standards and Technology Interagency or Internal Report 8360 25 pages ( March 2021 ) This publication is available free of charge from: https://doi.org/10.6028/ NIST.IR.8360 -draft Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Suc h identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to othe r publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such com panion publications. Thus, until each publication is completed, current requirements, guideline s, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications , ot her than the ones noted above, are available at https://csrc.nist.gov/publications . Public comment period: March 23, 2021 through May 7, 2021 National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899 -8930 Email: ir8360 [email protected] All comments are subject to release under the Freedom of Information Act (FOIA). NISTIR 8360 (DRAFT) MACHINE LEARNING FOR ACCESS CONTROL POLICY VERIFICATION iii Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost -effective security and privacy of other than national security- related information in federal information systems. Abstract Access control policy verification ensures that there are no faults within the policy that leak or block access privileges. As a software test, access control policy verification relies on methods such as model proof, data structure, system simulation, and test oracle to verify that the policy logic functions as expected. However, these methods have capability and performance issues related to inaccuracy and complexity l