Control Policy Test Technologies (ACPT and ACRLCS)

Faulty policies, misconfigurations, or flaws in software implementation can result in serious vulnerabilities. The specification of access control policies is often a challenging problem. Often, a system’s privacy and security are compromised due to the misconfiguration of AC policies, instead of the failure of cryptographic primitives or protocols. To address the issue, NIST developed the Access Control Policy Tool (ACPT), which allows a user to compose, verify, test, and generate access control policies.  ACPT has been download by more than 550 users by the year 2019, and was used by two commercial companies as the bases for their software products. NIST also researched the Access Control Rule Logic Circuit Simulation (ACRLCS) technique, which enables the access control policy authors to detect a fault when the fault-causing AC rule is added to the policy, so the fix can be implemented in real time before adding other rules that further complicate the detecting effort, rather than checking by retracing the interrelations between rules after the policy is completed.

For more information visit the CSRC website at:  https://csrc.nist.gov/Projects/Access-Control-Policy-Tool