Policy verification method, electronic device, and storage medium
By using the formula encoding and solving method of satisfiability modulo theories (SMT), the efficiency and accuracy problems of verifying complex access control policies in cloud computing are addressed, and efficient policy verification results are obtained.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- XIAMEN UNIV
- Filing Date
- 2023-12-29
- Publication Date
- 2026-06-12
AI Technical Summary
In a cloud computing environment, users may find it difficult to verify whether complex access control policies meet security expectations, which poses potential security risks and can lead to unauthorized data access and system malfunctions.
The satisfiability modulo theories (SMT) formula encoding and solving method is adopted: initial formula data and a formula to be verified are generated, formula selection processing is performed to generate target formula data, and SMT solving is used to determine the policy verification result.
This improves the efficiency and accuracy of policy verification, reduces the solution cost, and accelerates policy verification.
Figure CN117852011B_ABST
Description
Technical Field
[0001] This disclosure relates to the field of network security technology, and in particular to a policy verification method, electronic device, and storage medium.
Background Technology
[0002] Access control policies are a critical component of ensuring the security of computing systems. They define which entities can access which resources and under what conditions they can do so. In cloud computing applications, various cloud service providers offer users a rich set of access control policies, such as organization SCP policies, VPC endpoint policies, IAM identity policies, and OBS bucket policies. Each type of policy supports a large number of conditional attributes to help users implement attribute-based access control (ABAC).
[0003] In scenarios involving numerous and complex policy configurations, users often struggle to verify whether the configured policies meet security expectations and whether potential security risks exist. Incorrect policy configurations can lead to a range of security vulnerabilities, such as unauthorized data access, data breaches, and potential damage to critical system functions. Therefore, a policy verification method is urgently needed.
Summary of the Invention
[0004] This disclosure provides a policy verification method, an electronic device, and a storage medium.
[0005] The first aspect of this disclosure provides a policy verification method, comprising: generating initial formula data and a formula to be verified based on a target policy, wherein the formula to be verified and the initial formulas in the initial formula data are all satisfiability modulo theories (SMT) formulas; performing formula selection processing on the initial formula data based on the formula to be verified to generate target formula data, wherein the target formula data includes a portion of the initial formula data; performing SMT solving based on the target formula data and the formula to be verified to generate first solution result data; and determining the policy verification result of the target policy based on the first solution result data.
[0006] In some implementations, generating initial formula data and a formula to be verified based on a target policy includes: using a target encoder to perform SMT encoding on the target policy to generate multiple initial formulas in the initial formula data; determining a policy to be verified based on the target policy; and using the encoder to perform SMT encoding on the policy to be verified to generate the formula to be verified.
[0007] In some implementations, the formula to be verified includes a first symbol, the initial formula data includes a set of initial formulas, and performing formula selection processing on the initial formula data according to the formula to be verified to generate target formula data includes: determining the trigger symbol of each initial formula in the set; and performing formula selection processing on the initial formula data based on the trigger symbols of the initial formulas and the first symbol of the formula to be verified to generate the target formula data.
[0008] In some implementations, the initial formula includes a second symbol, and determining the trigger symbols of the set of initial formulas includes: determining the number of times each second symbol of the initial formulas appears in the initial formula data; and taking the second symbol with the smallest number of occurrences in each initial formula as the trigger symbol of that initial formula.
[0009] In some implementations, performing formula selection processing on the initial formula data based on the trigger symbols of the initial formulas and the first symbol of the formula to be verified, to generate the target formula data, includes: taking the initial formulas whose trigger symbol is the same as the first symbol as target formulas in the target formula data; and adding the initial formulas whose trigger symbol is the same as a non-trigger symbol of a target formula to the target formula data to generate the target formula data.
[0010] In some implementations, determining the policy verification result of the target policy based on the first solution result data includes: in response to the first solution result data indicating that a set of solution values exists, determining whether the target formula data includes all of the initial formula data; if yes, determining that the policy verification result of the target policy is that verification failed; if no, performing formula selection processing on the initial formula data based on the formula to be verified, a target tolerance, and a target trigger step count to generate expanded range formula data; and determining the policy verification result of the target policy based on the expanded range formula data and the solution values.
[0011] In some implementations, determining the policy verification result of the target policy based on the expanded range formula data and the solution values includes: conjoining the expanded range formulas in the expanded range formula data with the solution value formula; performing SMT solving on the conjoined formula to generate second solution result data; if the second solution result data does not contain any set of solution values, determining that the policy verification result of the target policy is that verification passed; if the second solution result data contains a set of solution values, increasing the target tolerance and the target trigger step count; and performing formula selection processing on the initial formula data based on the formula to be verified, the increased target tolerance, and the increased target trigger step count, regenerating the target formula data, and returning to the step of performing SMT solving on the target formula data and the formula to be verified to generate first solution result data.
[0012] In some implementations, determining the policy verification result of the target policy based on the first solution result data further includes: in response to the first solution result data indicating that no set of solution values exists, determining that the policy verification result of the target policy is verified as passed.
[0013] A second aspect of this disclosure provides an electronic device, comprising: a memory storing execution instructions; and a processor executing the execution instructions stored in the memory, causing the processor to perform the policy verification method described in any embodiment of this disclosure.
[0014] A third aspect of this disclosure provides a readable storage medium storing executable instructions, which, when executed by a processor, are used to implement the policy verification method described in any embodiment of this disclosure.
Description of the Drawings
[0015] The accompanying drawings illustrate exemplary embodiments of the present disclosure and, together with the description thereof, serve to explain the principles of the present disclosure. These drawings are included to provide a further understanding of the present disclosure and are incorporated in and constitute a part of this specification.
[0016] Figure 1 is a flowchart illustrating the policy verification method of some embodiments of this disclosure.
[0017] Figure 2 is a schematic diagram illustrating the process of generating initial formula data and the formula to be verified in some embodiments of this disclosure.
[0018] Figure 3 is a schematic diagram illustrating the process of generating target formula data in some embodiments of this disclosure.
[0019] Figure 4 is a schematic diagram illustrating the process of determining the trigger symbol in some embodiments of this disclosure.
[0020] Figure 5 is another schematic diagram illustrating the process of generating target formula data in some embodiments of this disclosure.
[0021] Figure 6 is a schematic diagram illustrating the rules of the formula selection algorithm of some embodiments of this disclosure.
[0022] Figure 7 is a schematic diagram illustrating the process of determining the policy verification result in some embodiments of this disclosure.
[0023] Figure 8 is another schematic diagram illustrating the process of determining the policy verification result in some embodiments of this disclosure.
[0024] Figure 9 is a schematic diagram of the architecture of the policy verification method of some embodiments of this disclosure.
[0025] Figure 10 is another schematic diagram illustrating the process of determining the policy verification result in some embodiments of this disclosure.
[0026] Figure 11 shows visual examples of the formulas to be verified in some embodiments of this disclosure.
[0027] Figure 12 is a partial snapshot of the policy verification program of some embodiments of this disclosure.
[0028] Figure 13 shows visual examples of the performance evaluation of some embodiments of this disclosure.
[0029] Figure 14 is another visual example of the performance evaluation of some embodiments of this disclosure.
[0030] Figure 15 is a diagram comparing the solving times of different solvers on the RW dataset.
[0031] Figure 16 is a diagram comparing the solving times of different solvers on the AC dataset.
[0032] Figure 17 is a schematic block diagram of a policy verification device implemented in processor-based hardware according to one embodiment of this disclosure.
Detailed Description
[0033] The present disclosure will now be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are for illustrative purposes only and are not intended to limit the scope of the disclosure. Furthermore, it should be noted that, for ease of description, only the parts relevant to the present disclosure are shown in the accompanying drawings.
[0034] It should be noted that, where there is no conflict, the embodiments and features described in this disclosure can be combined with each other. The technical solutions of this disclosure will now be described in detail with reference to the accompanying drawings and embodiments.
[0035] Unless otherwise stated, the exemplary implementations / embodiments shown are to be understood as providing exemplary features of various details that provide ways in which the technical concepts of this disclosure can be implemented in practice. Therefore, unless otherwise stated, the features of various implementations / embodiments may be additionally combined, separated, interchanged and / or rearranged without departing from the technical concepts of this disclosure.
[0036] Hatching and / or shading in the accompanying drawings is generally used to clarify the boundaries between adjacent components. Thus, unless otherwise stated, the presence or absence of hatching or shading does not convey or indicate any preference or requirement for the specific material, material properties, dimensions, proportions, commonalities between the illustrated components, or any other characteristics, properties, etc., of the components. Furthermore, in the accompanying drawings, the dimensions and relative dimensions of components may be exaggerated for clarity and / or descriptive purposes. Where exemplary embodiments can be implemented differently, a specific process sequence may be performed in a different order than that described. For example, two consecutively described processes may be performed substantially simultaneously or in the reverse order of their description. Furthermore, the same reference numerals denote the same components.
[0037] When a component is referred to as being "on" or "above" another component, "connected to," or "joined to" another component, the component may be directly on, directly connected to, or directly joined to the other component, or there may be intermediate components. However, when a component is referred to as being "directly on" another component, "directly connected to," or "directly joined to" another component, there are no intermediate components. Therefore, the term "connection" can refer to a physical connection, an electrical connection, etc., and may or may not have intermediate components.
[0038] The terminology used herein is for the purpose of describing particular embodiments and is not intended to be limiting. As used herein, unless the context clearly indicates otherwise, the singular forms "a" and "the" are intended to include the plural forms as well. Furthermore, when the terms "comprising" and / or "including" and variations thereof are used in this specification, they indicate the presence of the stated features, integers, steps, operations, parts, components, and / or groups thereof, but do not exclude the presence or addition of one or more other features, integers, steps, operations, parts, components, and / or groups thereof. It should also be noted that, as used herein, the terms "substantially," "about," and other similar terms are used as terms of approximation rather than of degree, and thus account for the inherent deviations in measured, calculated, and / or provided values that would be recognized by one of ordinary skill in the art.
[0039] The policy verification method disclosed herein can be applied to the policy verification device disclosed herein, which can be configured on a terminal device. The terminal device can be a mobile terminal, such as a mobile phone, tablet computer, personal digital assistant, or other hardware device with various operating systems.
[0040] The policy verification method and policy verification device disclosed herein are described in detail below with reference to Figures 1 to 17.
[0041] Figure 1 is a flowchart illustrating the policy verification method of some embodiments of this disclosure. Referring to Figure 1, the policy verification method M100 provided in this disclosure may include steps S110, S120, S130 and S140.
[0042] S110: Generate initial formula data and a formula to be verified based on the target policy. Both the formula to be verified and the initial formulas in the initial formula data are satisfiability modulo theories (SMT) formulas.
[0043] S120: Based on the formula to be verified, perform formula selection processing on the initial formula data to generate target formula data, which includes part of the initial formula data.
[0044] S130: Perform SMT solving based on the target formula data and the formula to be verified, and generate the first solution result data.
[0045] S140: Determine the policy verification result of the target policy based on the first solution result data.
[0046] The policy verification method of this disclosure automatically verifies the target policy based on SMT formulas. Moreover, compared with directly solving all of the initial formula data with SMT, this disclosure selects a portion of the initial formula data according to the formula to be verified and performs SMT solving only on that portion. Because less data enters the SMT solving step, the solving time is shorter and the solving cost is lower, so the overall efficiency of policy verification is improved and policy verification is accelerated.
[0047] Optionally, the target policy can be an access control policy.
[0048] Optionally, the initial formula data and the target formula data can be in the form of sets. That is, the initial formula data may include a set of initial formulas, and the target formula data may include a set of target formulas. The initial formula set may contain multiple initial formulas, and the target formula set may contain multiple target formulas. The type of the formula to be verified and the type of the initial formula are both Satisfiability Modulo Theories (SMT) formulas.
[0049] For example, in step S120, the initial formula data may include multiple initial formulas. Initial formulas related to the formula to be verified can be selected from the initial formula data, and these initial formulas are used as target formulas in the target formula data. That is, the target formulas in the target formula data originate from the initial formula data, and the number of target formulas is less than or equal to the number of initial formulas. It is understandable that formula selection is a crucial step that directly affects the performance of SMT solving. An effective formula selection algorithm can reduce the search space, avoid unnecessary computation, and thus speed up SMT solving. In one example, formula selection aims to choose some of the most relevant initial formulas from a potentially very large set of initial formulas as target formulas, such that the target formulas are sufficient to prove the satisfiability or unsatisfiability of the formula to be verified.
[0050] For example, in step S130, the multiple target formulas in the target formula data can be conjoined with the formula to be verified, and a target SMT solver (such as the Z3 solver or the CVC4 solver) can be used to perform SMT solving on the conjoined formula to generate the first solution result data. In this way, satisfiability problems under a given theory (such as integer arithmetic, real arithmetic, bit vectors, arrays, uninterpreted functions, etc.) can be solved efficiently by the target SMT solver. Furthermore, since the target SMT solver can reason over a variety of logical and mathematical theories, it can also effectively improve the accuracy of policy verification. For example, if the target formula is P and the formula to be verified is ..., the conjoined formula can be ... In one example, if Q represents prohibiting employees from accessing financial data, then ... represents allowing employees to access financial data.
[0051] For example, in step S140, if the conjunction of the target formula data and the formula to be verified has no set of solution values, the conjunction is unsatisfiable (UNSAT), and the policy verification result of the target policy can be directly determined to be that verification passed, that is, the target policy is considered to meet expectations; if the conjunction of the target formula data and the formula to be verified has a set of solution values, the conjunction is satisfiable (SAT), and the policy verification result of the target policy is determined through further validation.
[0052] Referring to Figure 2, in some implementations, step S110 may include steps S111, S112 and S113.
[0053] S111: Use a target encoder to perform SMT encoding on the target policy, generating multiple initial formulas in the initial formula data.
[0054] S112: Determine the policy to be verified based on the target policy.
[0055] For example, the target policy may include multiple preset entities and multiple sub-policies. If a sub-policy includes an execution action and its corresponding prohibited execution entity, and the prohibited execution entity may be some or all of the multiple preset entities, then the sub-policy may be used as the policy to be verified.
[0056] In one example, multiple preset entities are managers and employees. One sub-policy in the target strategy is to prohibit employees from accessing financial data. That is, the action to be performed is to access financial data and prohibit the entity to be performed is employees. Therefore, the strategy to be verified can be to prohibit all entities with the employee role from accessing financial data.
[0057] S113: Use the encoder to perform SMT encoding on the policy to be verified, generating the formula to be verified.
[0058] The policy verification method described above can SMT-encode the target policy and the policy to be verified with the target encoder, thereby quickly and accurately generating the initial formulas and the formula to be verified, which facilitates the subsequent policy verification steps.
[0059] In some implementations, the formula to be verified includes a first symbol, and the initial formula data includes a set of initial formulas. Accordingly, referring to Figure 3, step S120 may include steps S121 and S122.
[0060] S121: Determine the trigger symbol for the initial formula of this group.
[0061] In some implementations, the initial formula includes a second symbol. Accordingly, referring to Figure 4, step S121 may include steps S1211 and S1212.
[0062] S1211: Determine the number of times the second symbol of the initial formula appears in the initial formula data.
[0063] S1212: Use the second symbol that appears the least in each initial formula as the trigger symbol for the corresponding initial formula.
[0064] In this way, the trigger symbol of each initial formula can be determined based on the number of times the second symbol appears in the initial formula data.
[0065] For example, the initial formula data is a set of formulas A, which includes a set of initial formulas a. Each initial formula a may include multiple second symbols s. The trigger relationship between a second symbol s and an initial formula a is denoted as trigger(s,a). This trigger relationship is only valid when the second symbol s appears in the initial formula a. If this trigger relationship is valid, it can be said that the second symbol s triggers the initial formula a, that is, the second symbol s is the trigger symbol of the initial formula a.
[0066] The trigger relationship is defined as follows:
[0067] (1) If the second symbol s appears in the formula to be verified, then s is triggered at step 0.
[0068] (2) If the second symbol s is triggered in step k and s triggers the initial formula a, then the initial formula a is triggered in step k+1.
[0069] (3) If the initial formula a is triggered at step k and the second symbol s appears in the initial formula a, then the second symbol s is also triggered at step k.
[0070] (4) If a formula or symbol is triggered in k steps, it can be called triggered for some k≥0.
[0071] Therefore, introducing trigger relationships can solve the problem of common symbols. For example, it can be specified that s triggers the initial formula a only if s is not a common second symbol. Alternatively, for safety, it can be specified that a common second symbol s triggers the initial formula a only if all second symbols in the initial formula a are common.
[0072] It is reasonable to assume that the set of symbols triggering the formulas of a formula set A can be computed in time linear in the size of A; then the set T of all triggered (and of all k-step triggered) formulas can be computed in time linear in the size of T. This is achieved by maintaining a mapping from each symbol to the set of formulas it triggers.
[0073] The formula selection algorithm in this disclosure is a special case based on trigger selection. It uses a trigger relationship that attempts to reflect, in some way, the difficult-to-formulate concept that "s2 is defined by s1" or "s1 is more general than s2".
[0074] Suppose a large knowledge base contains a vast set of hierarchical definitions, where more general terms are defined using less general terms. Extracting such definitions is not easy, as they can take various forms. Similarly, the relation "more general" is not easily formalized. As a simple approximation of "more general," we can consider the relation "more common": if symbol s1 appears in more formulas than s2, then s1 is considered more common than s2. Then, as a potential approximation of "s2 is defined by s1," we can consider the relation "s1 and s2 appear in the same formula of A, and s2 is the least common symbol in that formula." This is essentially the definition of the trigger function for formula selection.
[0075] Next, we describe the definition of the trigger relationship. Let occ(s) denote the number of times the second symbol s appears in the set of formulas A. The trigger relationship is defined as follows: if for all the second symbols s' appearing in the initial formula a, occ(s) ≤ occ(s'), then trigger(s,a) holds. In other words, a formula can only be triggered by the least common symbol that appears in it.
[0076] In the SInE formula selection example, we use uppercase letters to represent variables. This example illustrates SInE formula selection and why it is often incomplete. Suppose that the formula set A includes the following initial formulas:
[0077] subclass(X,Y) ∧ subclass(Y,Z) → subclass(X,Z)
[0078] subclass(petrol, liquid)
[0079] subclass(stone, liquid)
[0080] subclass(beverage, liquid)
[0081] subclass(beer, beverage)
[0082] subclass(guinness, beer)
[0083] subclass(pilsner, beer)
[0084] By performing statistical analysis on the formula set A, the frequency of occurrence of each second symbol in the formula set A can be determined, as shown in Table 1.
[0085] Table 1 (the original table is not reproduced on this page; the values below are reconstructed from the seven formulas above using the definition of occ(s))
[0086] Second symbol    Number of occurrences (occ(s))
       subclass         7
       liquid           3
       beer             3
       beverage         2
       petrol           1
       stone            1
       guinness         1
       pilsner          1
[0088] Based on Table 1, the trigger symbols (trigger relationships) of each initial formula in formula set A can be determined, as shown in Table 2.
[0089] Table 2 (the original table is not reproduced on this page; the trigger symbols below are reconstructed from Table 1 using the rule that the least common symbol of a formula triggers it)
[0090] Initial formula                               Trigger symbol
       subclass(X,Y) ∧ subclass(Y,Z) → subclass(X,Z)   subclass
       subclass(petrol, liquid)                      petrol
       subclass(stone, liquid)                       stone
       subclass(beverage, liquid)                    beverage
       subclass(beer, beverage)                      beverage
       subclass(guinness, beer)                      guinness
       subclass(pilsner, beer)                       pilsner
[0091] Suppose the formula to be verified is `subclass(beer, liquid)`. This formula is the logical consequence of these initial formulas. However, the symbols `subclass`, `beer`, and `liquid` in the formula to be verified only trigger the first initial formula. Sine formula selection will only select the first initial formula, which is insufficient to prove the formula to be verified.
[0092] In another example, we illustrate how a (small) change in the initial formula dataset can affect formula selection. By removing the last initial formula from formula set A, and performing statistical analysis on formula set A after removing the last initial formula, we determine the frequency of each second symbol in formula set A after removing the last initial formula, as shown in Table 3.
[0093] Table 3
[0094] Second symbol    Number of occurrences (occ(s))
       subclass         6
       liquid           3
       beer             2
       beverage         2
       petrol           1
       stone            1
       guinness         1
[0095] Based on Table 3, the trigger symbols (trigger relationships) of each initial formula in formula set A with the last initial formula removed can be determined, as shown in Table 4.
[0096] Table 4 (the original table is not reproduced on this page; the trigger symbols below are reconstructed from Table 3 using the rule that the least common symbol of a formula triggers it, with ties admitting both symbols)
[0097] Initial formula                               Trigger symbol
       subclass(X,Y) ∧ subclass(Y,Z) → subclass(X,Z)   subclass
       subclass(petrol, liquid)                      petrol
       subclass(stone, liquid)                       stone
       subclass(beverage, liquid)                    beverage
       subclass(beer, beverage)                      beer, beverage
       subclass(guinness, beer)                      guinness
[0099] Assume the formula to be verified is still `subclass(beer, liquid)`. Now, the symbols `subclass`, `beer`, and `liquid` in the formula trigger the first initial formula and the initial formula `subclass(beer, beverage)`. This causes `beverage` to be added to the list of triggering symbols. As a result, this addition triggers the initial formula `subclass(beverage, liquid)`. This does not trigger any new symbols (because `beverage` has already been triggered), so the following selected subset of formulas is chosen to conclude:
[0100] subclass(X,Y) ∧ subclass(Y,Z) → subclass(X,Z)
[0101] subclass(beverage, liquid)
[0102] subclass(beer, beverage)
[0103] This set of formulas is sufficient to prove the formula to be verified. Moreover, it represents the minimum set of formulas required to prove the current formula to be verified. This example also illustrates that removing some initial formulas from the initial formula dataset may lead to a greater selection of initial formulas than before the removal.
[0104] S122: Based on the trigger symbol of the initial formula and the first symbol of the formula to be verified, perform formula selection processing on the initial formula data to generate the target formula data.
[0105] Referring to Figure 5, in some implementations, step S122 may include steps S1221 and S1222.
[0106] S1221: Use the initial formula with the same trigger symbol as the first symbol as the target formula in the target formula data.
[0107] S1222: Add the initial formula whose trigger symbol is the same as the non-trigger symbol of the target formula to the target formula data to generate the target formula data.
[0108] Thus, by using trigger relationships, the most relevant formulas for specific attribute verification can be selected from the massive initial formula data, thereby narrowing down the set of formulas that need to be solved using SMT. Solving SMT based on the selected target formula data can often significantly reduce the time required for SMT, especially for SMT solving of large-scale formula sets.
[0109] The core idea of the formula selection algorithm is to infer the hierarchical relationship between symbols from the frequency of their occurrence in the initial formula data, thereby selecting formulas intelligently.
[0110] Referring to Figure 6, in one example, the formula selection algorithm takes a formula set A (i.e., the initial formula data) and a formula G to be verified as input, and outputs the set of triggered formulas T (i.e., the target formula data). The algorithm consists of two main phases: a preprocessing phase and a selection phase. The preprocessing phase is independent of the goal and simply preprocesses all the initial formulas. In it, the algorithm first iterates through the entire set of initial formulas, building a mapping from each second symbol to its occurrence count across all initial formulas. It then examines each second symbol of each initial formula to determine which second symbols can trigger that formula: a second symbol triggers an initial formula if it appears in the formula and is one of the second symbols with the lowest occurrence count in that formula. This yields the trigger relation, which the selection phase uses to decide which initial formulas are relevant.
[0111] The preprocessing phase runs in time linear in the size of the whole initial formula set. It takes two passes over the initial formulas: one to count occurrences, and one to compute the trigger relation from those counts.
[0112] In the selection phase (which depends on the formula to be verified), the set of all triggered (or k-step triggered, if k is given) formulas is constructed from the stored trigger relation. If the trigger relation is indexed by symbol, the time complexity of this phase is linear in the number of target formulas selected and independent of the number of initial formulas. After selection, the formula to be verified and the target formulas in the target formula data are passed to the first-order theorem prover. Separating the two phases gives an efficient way to handle sets of problems that share a large number of initial formulas: after the shared initial formulas are preprocessed once, each problem runs only the selection phase, so the preprocessing phase is not repeated.
[0114] Referring to Figure 7, in some implementations step S140 may include steps S141, S142, S143 and S144.
[0115] S141: In response to the existence of a set of solution values in the first solution result data (i.e. the first solution result is SAT), determine whether the target formula data includes all of the initial formula data.
[0116] S142: If so, determine that the policy verification result of the target policy is that verification failed: every initial formula was already considered, so the solution values are a genuine counterexample.
[0117] S143: If not, perform formula selection processing on the initial formula data based on the formula to be verified, the target tolerance, and the target triggering steps to generate expanded range formula data.
[0118] For example, in step S143, the initial formula data is reprocessed based on the formula to be verified, the target tolerance, and the target trigger step count to generate expanded range formula data. The number of formulas in the expanded range formula data is greater than the number of formulas in the target formula data, and the number of formulas in the expanded range formula data is less than or equal to the number of formulas in the initial formula data. The target tolerance and the target trigger step count are used to control the number of initial formulas selected from the initial formula data.
[0119] The target tolerance is introduced to mitigate the incompleteness of the SInE formula selection algorithm. For instance, if symbol s1 occurs in 7 formulas and symbol s2 in 8, the two are essentially equally common, yet under the strict least-frequent rule s1 would trigger a formula containing both s1 and s2 while s2 would not.
[0120] Definition: for each symbol s in a formula a, s triggers a if the number of occurrences of s in all formulas is at most t times the number of occurrences of every other symbol in a, where t is the tolerance; equivalently, occ(s) ≤ t × min{occ(s') : s' in a}.
[0121] In one example, consider the following set of formulas:
[0122] subclass(X,Y)∧subclass(Y,Z)→subclass(X,Z)
[0123] subclass(petrol, liquid)
[0124] subclass(stone, liquid)
[0125] subclass(beverage, liquid)
[0126] subclass(beer, beverage)
[0127] subclass(guinness, beer)
[0128] By performing statistical analysis on the formula set, the frequency of occurrence of each symbol in the formula set can be determined, as shown in Table 5.
[0129] Table 5
[0130]
symbol      occurrences
subclass    6
liquid      3
beer        2
beverage    2
petrol      1
stone       1
guinness    1
[0131] Without tolerance (the case labelled t = 0 here, in which only the least frequent symbol or symbols of each formula trigger it; under the definition above this is exactly t = 1), the trigger symbols of each formula in this example set are as shown in Table 6.
[0132] Table 6
[0133]
formula                                       trigger symbols
subclass(X,Y)∧subclass(Y,Z)→subclass(X,Z)     subclass
subclass(petrol, liquid)                      petrol
subclass(stone, liquid)                       stone
subclass(beverage, liquid)                    beverage
subclass(beer, beverage)                      beer, beverage
subclass(guinness, beer)                      guinness
[0134] With a larger tolerance the trigger relation changes. With t = 1.5, for example, liquid (3 occurrences) also triggers subclass(beverage, liquid), since 3 ≤ 1.5 × 2, whereas it still does not trigger subclass(petrol, liquid), since 3 > 1.5 × 1. Note: the number of formulas in the target formula data and in the expanded range formula data depends on the tolerance value. Increasing the tolerance keeps every previously selected formula selected and may add formulas that were not selected before. For a sufficiently large tolerance, the selected target formula data and expanded range formula data simply contain all initial formulas related to the formula to be verified. Adjusting the tolerance parameter therefore gives a more flexible selection of initial formulas related to the formula to be verified than a selection based strictly on symbol occurrence counts.
[0135] The target trigger step count, or depth, bounds the number of trigger steps used when computing the target formula data and the expanded range formula data. In the formula selection algorithm the depth parameter is tied to the definition of triggering: it determines how far the trigger relation may propagate when the algorithm constructs the set of formulas associated with the formula to be verified. With depth 3, for example, the algorithm selects every initial formula reachable from the first symbols of the formula to be verified by at most three trigger steps: the formulas triggered by those symbols, then the formulas triggered by the symbols of those formulas, and so on for one more step.
[0136] The depth parameter affects both the number and the kind of formulas selected. A smaller depth yields a smaller selected set, containing only initial formulas closely related to the formula to be verified; the algorithm then runs fast, but may fail to prove the formula to be verified because indirectly related initial formulas are missing. A larger depth yields a larger selected set that includes indirectly related initial formulas; this raises the chance of proving the formula to be verified, but increases the time and complexity of the subsequent SMT solving.
[0137] Experiments show that the depth parameter matters. On the Mizar problem set, for example, only 147 of 231 problems can be solved with unlimited depth. Unlimited depth may be a good strategy for some problem sets, but for others (such as Mizar) a more refined depth setting is needed to obtain better results.
[0138] S144: Determine the policy verification result of the target policy based on the expanded range formula data and the solution values.
[0139] Referring to Figure 8, in some implementations step S144 may include steps S1441, S1442, S1443, S1444 and S1445.
[0140] S1441: Conjoin the expanded range formulas in the expanded range formula data with the solution value formula, i.e. the formula that fixes each variable to its value in the set of solution values found in the first solution result data.
[0141] S1442: Solve the conjunction with satisfiability modulo theories to generate the second solution result data.
[0142] S1443: If the second solution result data does not contain any set of solution values, then the policy verification result of the target policy is determined to be verified as passed.
[0143] S1444: If the second solution result data contains a set of solution values, then increase the target tolerance and the target trigger step count.
[0144] S1445: Based on the formula to be verified, the increased target tolerance and the increased target trigger step count, perform formula selection processing on the initial formula data again, regenerate the target formula data, and return to the step of solving with satisfiability modulo theories based on the target formula data and the formula to be verified to generate the first solution result data.
[0145] By conjoining the expanded range formulas with the solution value formula to further verify the first solution result data, the correctness of the result on the full formula set is guarded and the accuracy of the policy verification result is improved.
[0146] Formula selection chooses the initial formulas (rules of the policy) related to the formula to be verified, reducing the number of formulas the subsequent SMT solving must handle. This speeds up SMT solving, but can produce inaccurate results because not all rules are considered. If the first solution result is unsatisfiable (UNSAT), however, no re-selection is needed: the result on the full initial formula data is also UNSAT. A UNSAT result arises from a logical conflict among the formulas, and adding further formulas to a conjunction cannot remove that conflict, so when a subset of the initial formula data (target formula data or expanded range formula data) is UNSAT, every superset of it is UNSAT as well.
[0147] When the selected subset of the initial formula data is SAT, there may still be formulas elsewhere in the initial formula data that make the whole set UNSAT, so the set of solution values may be a spurious counterexample (a false positive). In this case the model obtained from the SAT result, i.e. the set of solution values that satisfies the subset, is conjoined with the expanded range formulas in the expanded range formula data for further verification.
[0148] As shown in Figure 9, if the second solution result obtained by this further verification is UNSAT, the first result is taken as valid: the policy verification result of the target policy is passed and verification ends. If the second solution result is SAT, the initial formulas selected for the current expanded range formula data are too few, and more must be selected to ensure a correct result; the method returns to the formula selection stage, increases the target tolerance and the target trigger step count to obtain larger target formula data, solves again, and repeats the process. Note that the UNSAT case refutes the particular set of solution values found on the subset (that assignment does not extend to the expanded range formulas); it does not by itself show that no other assignment satisfies the full initial formula data together with the formula to be verified, so the strength of a passed verdict obtained at this stage depends on the expanded range formula data containing every initial formula that constrains the symbols of the formula to be verified.
[0149] The policy verification method described above performs formula selection processing on the initial formula data based on the formula to be verified, the target tolerance and the target trigger step count to generate expanded range formula data, and then determines the policy verification result of the target policy based on the expanded range formula data and the solution values, improving the correctness of the policy verification result.
[0150] When an SMT solver reports SAT for a sub-formula set, at least one variable assignment satisfies that subset. Satisfying the subset does not guarantee that the assignment satisfies all initial formulas of the target policy. During policy verification it is essential that the model (the variable assignment satisfying the formulas) satisfies not only the local constraints but also the constraints of the entire policy, which is why the local solution values are conjoined with the expanded range formulas for further verification, so that no global constraint is overlooked.
[0151] Referring to Figure 10, in some embodiments step S140 further includes step S145.
[0152] S145: In response to the absence of any set of solution values in the first solution result data (i.e. the first solution result is UNSAT), determine that the policy verification result of the target policy is passed.
[0153] The policy verification method described above can thus decide directly that the policy verification result of the target policy is passed when the first solution result data contains no set of solution values, which speeds up policy verification.
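The following is an added example (not code from the patent or its authors) that implements, on one constructed access-control policy, both the trigger-relation preprocessing and depth-bounded selection described in [0110] to [0112], [0119], [0120] and [0135], and the refinement loop of steps S141 to S145 and S1441 to S1445. A brute-force enumeration over small finite attribute domains stands in for the SMT solver; the policy rules, attribute domains and the two formulas to be verified are constructed for illustration; the step by which tolerance and depth are increased (+1 each) and the fallback to the full initial formula set when a larger tolerance and depth select nothing new are assumptions, since the patent only says the parameters are increased.

```python
"""Formula (axiom) selection with tolerance t and trigger depth d, plus the
refinement loop of S141-S145 / S1441-S1445, on a constructed policy.
A brute-force finite-domain enumerator stands in for the SMT solver."""
from collections import Counter
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Optional

Assignment = Dict[str, object]


@dataclass(frozen=True)
class Formula:
    name: str
    symbols: FrozenSet[str]               # attribute names the formula mentions
    holds: Callable[[Assignment], bool]   # ground evaluation under an assignment


def trigger_relation(axioms: List[Formula], t: float) -> Dict[str, List[Formula]]:
    """Preprocessing phase: count symbol occurrences over all axioms; s triggers a
    iff occ(s) <= t * occ(s') for every symbol s' of a (t = 1 is the plain
    least-frequent-symbol rule)."""
    occ = Counter(s for a in axioms for s in a.symbols)
    triggers: Dict[str, List[Formula]] = {}
    for a in axioms:
        least = min(occ[s] for s in a.symbols)
        for s in a.symbols:
            if occ[s] <= t * least:
                triggers.setdefault(s, []).append(a)
    return triggers


def select(axioms: List[Formula], goal: Formula, t: float = 1.0,
           d: Optional[int] = 1) -> List[Formula]:
    """Selection phase: axioms reachable from the goal's symbols in at most d
    trigger steps (d=None means unlimited depth)."""
    triggers = trigger_relation(axioms, t)
    selected: List[Formula] = []
    seen, frontier, step = set(goal.symbols), set(goal.symbols), 0
    while frontier and (d is None or step < d):
        new_syms: set = set()
        for s in sorted(frontier):
            for a in triggers.get(s, []):
                if a not in selected:
                    selected.append(a)
                    new_syms |= a.symbols - seen
        seen |= new_syms
        frontier, step = new_syms, step + 1
    return selected


def solve(formulas: List[Formula], domains: Dict[str, tuple]) -> Optional[Assignment]:
    """Stand-in for the SMT solver (assumption): enumerate the finite domain of
    every symbol mentioned; return a model (SAT) or None (UNSAT)."""
    syms = sorted({s for f in formulas for s in f.symbols})
    for values in product(*(domains[s] for s in syms)):
        m = dict(zip(syms, values))
        if all(f.holds(m) for f in formulas):
            return m
    return None


def model_formula(m: Assignment) -> Formula:
    """The 'solution value formula' of S1441: pins each symbol to its model value."""
    return Formula("model", frozenset(m), lambda a, m=m: all(a[k] == v for k, v in m.items()))


def verify(axioms: List[Formula], goal: Formula, domains: Dict[str, tuple],
           t: float = 1.0, d: int = 1):
    """Returns ("passed", None) or ("failed", counterexample model)."""
    last = -1
    while True:
        target = select(axioms, goal, t, d)                        # S120
        if len(target) == last:       # assumption: selection stopped growing,
            target = list(axioms)     # so use the full initial formula data
        last = len(target)
        model = solve(target + [goal], domains)                    # S130
        if model is None:
            return "passed", None        # S145: UNSAT on a subset is UNSAT on the whole
        if len(target) == len(axioms):
            return "failed", model       # S141/S142: genuine counterexample
        expanded = select(axioms, goal, t + 1, d + 1)              # S143
        if len(expanded) == len(target):
            expanded = list(axioms)      # assumption, as above
        if solve(expanded + [goal, model_formula(model)], domains) is None:
            return "passed", None        # S1441-S1443: model refuted by the expanded set
        t, d = t + 1, d + 1              # S1444/S1445: widen and solve again


def implies(p: bool, q: bool) -> bool:
    return (not p) or q


# Constructed policy: each rule is a constraint every permitted request must satisfy.
DOMAINS = {"action": ("read", "write", "delete"), "role": ("guest", "dev", "admin"),
           "mfa": (False, True), "net": ("corp", "internet"), "bucket": ("public", "private")}
AXIOMS = [
    Formula("delete_needs_admin", frozenset({"action", "role"}),
            lambda m: implies(m["action"] == "delete", m["role"] == "admin")),
    Formula("admin_needs_mfa", frozenset({"role", "mfa"}),
            lambda m: implies(m["role"] == "admin", m["mfa"])),
    Formula("mfa_needs_corp", frozenset({"mfa", "net"}),
            lambda m: implies(m["mfa"], m["net"] == "corp")),
    Formula("private_needs_corp", frozenset({"bucket", "net"}),
            lambda m: implies(m["bucket"] == "private", m["net"] == "corp")),
    Formula("guest_public_only", frozenset({"role", "bucket"}),
            lambda m: implies(m["role"] == "guest", m["bucket"] == "public")),
]
# Formulas to be verified: the negated property, so SAT means a violating request exists.
DELETE_FROM_INTERNET = Formula("delete_from_internet", frozenset({"action", "net"}),
                               lambda m: m["action"] == "delete" and m["net"] == "internet")
DELETE_PUBLIC = Formula("delete_public", frozenset({"action", "bucket"}),
                        lambda m: m["action"] == "delete" and m["bucket"] == "public")

if __name__ == "__main__":
    print(verify(AXIOMS, DELETE_FROM_INTERNET, DOMAINS))   # ('passed', None)
    print(verify(AXIOMS, DELETE_PUBLIC, DOMAINS))          # ('failed', {... 'role': 'admin' ...})
```

With t = 1 the trigger relation is the least-frequent-symbol rule of [0110]. For the first formula to be verified, the depth-1 subset {delete_needs_admin, mfa_needs_corp, private_needs_corp} is satisfiable, but the model it yields (admin without MFA) is refuted once admin_needs_mfa enters the expanded range, so the verdict is passed. For the second, the model survives the recheck, the parameters grow until all five rules are selected, and a genuine violating request (an admin with MFA deleting from a public bucket over the corporate network) is returned. Because the recheck refutes only the specific model returned for the subset, which model the solver happens to return can change the path taken, something to keep in mind when reading a passed verdict produced at that stage.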
[0154] In one example, the policy verification architecture shown in Figure 9 is implemented as formula selection versions of the open-source SMT solvers Z3 and cvc5, named AS-Z3 and AS-CVC5, together with the further verification stage that guards the fidelity of the result.
[0155] A performance evaluation was run on a SITON server equipped with two Intel Xeon Silver 4210R processors. The dataset is an Amazon AWS dataset of 516 SMT files, with a timeout of 5 minutes. A visualization of one formula to be verified from the experiment is shown in Figure 11, and a partial snapshot of the policy verification process in Figure 12.
[0156] In the SMT file RW189, the variables of the specification (the formula to be verified) are not referenced by any other formula, so the axiom-selection version selects no initial formulas at all. Z3 takes 11289 ms on this file, while AS-Z3 takes only 29 ms; cvc5 takes 37 ms, while AS-CVC5 takes only 15 ms.
[0157] The experimental evaluation is shown below:
[0158] In an experiment over the 516 SMT files with a 5-minute timeout, Axiom Selection (AS) was applied to the Z3 solver with target tolerance t = 5 and target trigger step count d = 1. Without AS, Z3 failed to solve 124 files; with AS (AS-Z3), only 21 files failed. Before AS, 34 formulas on average took part in each SMT solve; with AS, either 0 or 6 did.
[0159] Referring to Figure 13, the performance improvements obtained with the policy verification method disclosed herein are distributed as follows:
[0160] Twelve SMT files (2.3%) showed performance degradation, including two outlier data points.
[0161] The performance of 195 SMT files (37.8%) achieved a 10x improvement.
[0162] The performance improvement for 30 SMT files (5.8%) reached 100 times.
[0163] The performance improvement for 16 SMT files (3.1%) reached 1000 times.
[0164] Of the remaining SMT files, representing 51% of the total, 38.4% showed performance improvements exceeding 20%. Notably, compared to the non-timeout Z3 data, the solution results using AS were completely consistent with those of Z3, indicating that AS effectively improved solution efficiency without sacrificing accuracy.
[0165] In the same experiment (516 SMT files, 5-minute timeout) with AS (Axiom Selection) applied to the cvc5 solver, again with t = 5 and d = 1, cvc5 without AS failed to solve 9 files within the timeout; with AS (AS-CVC5), 8 files remained unsolved. Before AS, an average of 34 formulas per SMT file took part in solving; with AS, either 0 or 6 did.
[0166] Referring to Figure 14, the experimental results show performance changes of varying degrees:
[0167] 78 SMT files (approximately 15% of the total) experienced performance degradation, with the lowest efficiency drop to 33% of the original.
[0168] Performance improvements of over 20% were achieved for 399 SMT files (77.4%).
[0169] It is worth noting that when comparing the SMT files solved without timeout with the traditional CVC5 solver, only two SMT files showed inconsistent results with the traditional CVC5 results after using AS. This indicates that AS technology can significantly improve the solver's efficiency in most cases without affecting the correctness of the results.
[0170] Figure 15 compares the solving time of the different solvers on the SMT problems of the RW dataset (506 instances).
[0171] Overall, AS-CVC5 (the CVC5 solver that uses formula selection technology) showed the best performance in most cases, i.e., it solved the problem in the shortest amount of time.
[0172] In some instances, the traditional CVC5 solver slightly outperforms AS-CVC5, exhibiting a faster solution time.
[0173] Compared to other solvers, Z3 and CVC4 show significant performance differences. In some cases, Z3's solution time is much longer than CVC4's, but in other cases, they are quite similar.
[0174] The performance improvement of AS-Z3 (the Z3 solver using formula selection technology) compared to AS-CVC5 is not significant, and its performance in some instances is even worse than the traditional Z3 solver. Furthermore, according to the trend line shown in the chart, AS-CVC5's performance is relatively stable, with fewer peak performance spikes. While the traditional CVC5 can be faster in a few cases, its performance fluctuates more, especially when dealing with certain complex instances, where the time required can be significantly longer than that of AS-CVC5.
[0175] Figure 16 shows the performance of the different solvers on the AC dataset, which contains 10 instances; the timeout for each solver is 5 minutes.
[0176] CVC4 performed the worst on the AC dataset, failing to solve any instances.
[0177] CVC5 is an improvement over CVC4, capable of solving one instance, but the remaining instances still cannot be solved within the specified time.
[0178] Z3 and AS-CVC5 perform similarly, both being able to solve two instances, although they differ in solution time.
[0179] AS-Z3 performed best among all tools, solving four instances, demonstrating that the formula selection technique significantly improves the performance of the Z3 solver.
[0180] Across the entire AC dataset, AS-Z3 generally performs faster than other tools, especially when solving the most complex instances, where it demonstrates high efficiency.
[0181] Figure 17 is a schematic block diagram of a policy verification device implemented in processor-based hardware according to one embodiment of the present disclosure.
[0182] The policy verification apparatus may include modules corresponding to one or more steps in the flowcharts above, so that each step can be performed by a corresponding module, and the apparatus may include one or more such modules. A module may be one or more hardware modules specifically configured to perform the corresponding step, a processor configured to perform the step, instructions stored in a computer-readable medium for execution by a processor, or some combination of these.
[0183] The hardware architecture of the policy verification device disclosed herein can be implemented using a bus architecture. The bus architecture can include any number of interconnect buses and bridges, depending on the specific application of the hardware and overall design constraints. Bus 1100 connects various circuits including one or more processors 1200, memory 1300, and / or hardware modules. Bus 1100 can also connect various other circuits 1400 such as peripheral devices, voltage regulators, power management circuits, external antennas, etc.
[0184] Bus 1100 can be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, etc. Buses can be categorized as address buses, data buses, control buses, etc. For ease of representation only one connection line is drawn, but this does not imply that there is only one bus or only one type of bus.
[0185] Any process or method description in the flowcharts or otherwise herein can be understood as representing a module, segment, or portion of code comprising one or more executable instructions for implementing a particular logical function or process, and the scope of the preferred embodiments of this disclosure includes additional implementations in which functions may be performed not in the order shown or discussed, including substantially simultaneously or in reverse order depending on the functions involved, as will be understood by those skilled in the art to which embodiments of this disclosure pertain. The processor performs the various methods and processes described above. For example, the method embodiments of this disclosure may be implemented as software programs tangibly contained in a machine-readable medium, such as memory. In some embodiments, part or all of the software program may be loaded and / or installed via memory and / or a communication interface. When the software program is loaded into memory and executed by the processor, one or more steps of the methods described above may be performed. Alternatively, in other embodiments, the processor may be configured to perform one of the methods described above by any other suitable means (e.g., by means of firmware).
[0186] The logic and / or steps represented in the flowchart or otherwise described herein may be specifically implemented in any readable storage medium for use by, or in conjunction with, an instruction execution system, apparatus or device (such as a computer-based system, a processor-included system or other system that can fetch and execute instructions from, an instruction execution system, apparatus or device).
[0187] For the purposes of this specification, a "readable storage medium" can be any means capable of containing, storing, communicating, propagating, or transmitting a program for use by or in conjunction with an instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection having one or more wires (electronic device), a portable computer disk (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), fiber optic devices, and portable compact disc read-only memory (CD-ROM). A readable storage medium can even be paper or another medium on which a program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium, then edited, interpreted, or otherwise processed as necessary, and stored in memory.
[0188] It should be understood that various parts of this disclosure can be implemented in hardware, software, or a combination thereof. In the above embodiments, multiple steps or methods can be implemented in software stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it can be implemented using any one or a combination of the following techniques known in the art: discrete logic circuits having logic gates for implementing logical functions on data signals, application-specific integrated circuits (ASICs) having suitable combinational logic gates, programmable gate arrays (PGAs), field-programmable gate arrays (FPGAs), etc.
[0189] Those skilled in the art will understand that all or part of the steps of the methods described above can be implemented by a program instructing related hardware. The program can be stored in a readable storage medium, and when executed, the program includes one or a combination of the steps of the method implementation.
[0190] Furthermore, the functional units in the various embodiments of this disclosure can be integrated into a single processing module, or each unit can exist physically separately, or two or more units can be integrated into a single module. The integrated module can be implemented in hardware or as a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it can also be stored in a readable storage medium. The storage medium can be a read-only memory, a disk, or an optical disk, etc.
[0191] Referring to Figure 17, according to one embodiment of the present disclosure, the policy verification device 1000 includes a first generation module 1002, a second generation module 1004, a third generation module 1006, and a determination module 1008.
[0192] The first generation module 1002 generates the initial formula data and the formula to be verified based on the target policy; both the formula to be verified and the initial formula data are satisfiability modulo theories formulas. The second generation module 1004 performs formula selection processing on the initial formula data based on the formula to be verified, generating target formula data that includes a portion of the initial formula data. The third generation module 1006 performs satisfiability modulo theories solving based on the target formula data and the formula to be verified, generating the first solution result data. The determination module 1008 determines the policy verification result of the target policy based on the first solution result data.
[0193] This disclosure also provides an electronic device, including: a memory storing execution instructions; and a processor or other hardware module executing the execution instructions stored in the memory, causing the processor or other hardware module to perform the above-described method.
[0194] This disclosure also provides a readable storage medium storing executable instructions, which, when executed by a processor, are used to implement the above-described method.
[0195] It is understood that before using the technical solutions disclosed in the various embodiments of this disclosure, users should be informed of the types, scope of use, and usage scenarios of the personal information involved in this disclosure in an appropriate manner in accordance with relevant laws and regulations, and user authorization should be obtained.
[0196] For example, upon receiving a user's active request, a prompt message is sent to the user to explicitly inform them that the requested operation will require the acquisition and use of the user's personal information. This allows the user to independently choose whether to provide personal information to the software or hardware, such as the electronic device, application, server, or storage medium performing the operations of this disclosed technical solution, based on the prompt message.
[0197] As an optional but non-limiting implementation, in response to a user's active request, sending a prompt message to the user can be done via a pop-up window, where the prompt message can be presented in text format. Furthermore, the pop-up window can also include a selection control allowing the user to choose "agree" or "disagree" to provide personal information to the electronic device.
[0198] It is understood that the above notification and user authorization process are merely illustrative and do not constitute a limitation on the implementation of this disclosure. Other methods that comply with relevant laws and regulations may also be applied to the implementation of this disclosure.
[0199] At the same time, it is understood that the data involved in this disclosed technical solution (including but not limited to the data itself, the acquisition or use of the data) shall comply with the requirements of relevant laws, regulations and related provisions.
[0200] In the description of this specification, the references to terms such as "one embodiment / mode," "some embodiments / modes," "example," "specific example," or "some examples," etc., indicate that a specific feature, structure, material, or characteristic described in connection with that embodiment / mode or example is included in at least one embodiment / mode or example of this disclosure. In this specification, the illustrative expressions of the above terms do not necessarily refer to the same embodiment / mode or example. Furthermore, the specific features, structures, materials, or characteristics described may be combined in any suitable manner in one or more embodiments / modes or examples. Moreover, without contradiction, those skilled in the art can combine and integrate the different embodiments / modes or examples described in this specification, as well as the features of different embodiments / modes or examples.
[0201] Furthermore, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one of that feature. In the description of this disclosure, "a plurality of" means at least two, such as two, three, etc., unless otherwise explicitly specified.
[0202] Those skilled in the art should understand that the above embodiments are merely for illustrating the present disclosure and are not intended to limit the scope of the disclosure. Those skilled in the art can make other changes or modifications based on the above disclosure, and these changes or modifications still fall within the scope of the present disclosure.
Claims
1. A strategy verification method, characterized in that, include: Initial formula data and formulas to be verified are generated according to the target strategy. The formulas to be verified and the initial formulas in the initial formula data are both satisfiability modular theory formulas. The target strategy is a data access control strategy. Based on the formula to be verified, the initial formula data is processed by formula selection to generate target formula data, which includes a portion of the initial formula data. Based on the target formula data and the formula to be verified, the satisfiability modulo theory is used to solve the solution and generate the first solution result data. as well as The policy verification result of the target policy is determined based on the first solution result data. The step of generating initial formula data and formulas to be verified based on the target strategy includes: using a target encoder to encode the target strategy using satisfiability modular theory to generate multiple initial formulas in the initial formula data; determining the strategy to be verified based on the target strategy; and using the encoder to encode the strategy to be verified using satisfiability modular theory to generate the formulas to be verified. The formula to be verified includes a first symbol, and the initial formula data includes a set of initial formulas. The step of performing formula selection processing on the initial formula data based on the formula to be verified to generate target formula data includes: determining the trigger symbol of the set of initial formulas; and performing formula selection processing on the initial formula data based on the trigger symbol of the set of initial formulas and the first symbol of the formula to be verified to generate the target formula data. 
The step of determining the strategy verification result of the target strategy based on the first solution result data includes: in response to the first solution result data indicating the existence of a set of solution values, determining whether the target formula data includes all the initial formula data; if yes, determining that the strategy verification result of the target strategy is that the verification failed; if no, performing formula selection processing on the initial formula data based on the formula to be verified, the target tolerance, and the target trigger step number to generate expanded range formula data; and determining the strategy verification result of the target strategy based on the expanded range formula data and the solution values.
2. The policy verification method according to claim 1, characterized in that each initial formula comprises a second symbol, and determining the trigger symbol for the set of initial formulas comprises: determining the number of times each second symbol of the initial formulas appears in the initial formula data; and using the second symbol that appears least frequently in each initial formula as the trigger symbol of that initial formula.
3. The policy verification method according to claim 1, characterized in that performing formula selection processing on the initial formula data based on the trigger symbols of the initial formulas and the first symbol of the formula to be verified to generate the target formula data comprises: using an initial formula whose trigger symbol is the same as the first symbol as a target formula in the target formula data; and adding to the target formula data an initial formula whose trigger symbol is the same as a non-trigger symbol of a target formula, to generate the target formula data.
4. The policy verification method according to claim 1, characterized in that determining the policy verification result of the target policy based on the expanded-range formula data and the solution values comprises: conjoining the expanded-range formulas in the expanded-range formula data with a solution-value formula; solving the conjoined formula with satisfiability modulo theory to generate second solution result data; if the second solution result data does not contain any set of solution values, determining that the policy verification result of the target policy is verification passed; if the second solution result data indicates that a set of solution values exists, increasing the target tolerance and the target trigger step number; and performing formula selection processing on the initial formula data based on the formula to be verified, the increased target tolerance and the increased target trigger step number to regenerate the target formula data, and then returning to the step of solving with satisfiability modulo theory based on the target formula data and the formula to be verified to generate the first solution result data.
5. The policy verification method according to claim 1, characterized in that determining the policy verification result of the target policy based on the first solution result data further comprises: in response to the first solution result data indicating that no solution values exist, determining that the policy verification result of the target policy is verification passed.
6. An electronic device, characterized in that it comprises: a memory storing execution instructions; and a processor that executes the execution instructions stored in the memory, causing the processor to perform the policy verification method according to any one of claims 1 to 5.
7. A readable storage medium, characterized in that the readable storage medium stores execution instructions which, when executed by a processor, implement the policy verification method according to any one of claims 1 to 5.
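Added illustration of the selection and verification loop of claims 1 to 5 (not code from the patent), written over propositional clauses with a brute-force solver standing in for the SMT solver. Assumptions: the claim's "first symbol" is taken as every symbol of the formula to be verified, the "target trigger step number" as the number of expansion rounds, the target tolerance is not modelled, the tie-break among equally rare symbols is by name, and the policy and the properties under test are constructed.

```python
from collections import Counter
from itertools import product

def clause(*lits):
    """A formula as a clause: frozenset of (symbol, polarity); "~x" means not-x."""
    return frozenset((l.lstrip("~"), not l.startswith("~")) for l in lits)

def trigger_symbols(initial):
    """Claim 2: a formula's trigger is its least frequent symbol (tie-break by name is mine)."""
    count = Counter(s for c in initial for s, _ in c)
    return {c: min((s for s, _ in c), key=lambda s: (count[s], s)) for c in initial}

def select(initial, goal, steps):
    """Claims 1 and 3: take formulas triggered by the goal's symbols, then expand
    `steps` rounds through the non-trigger symbols of what has been taken."""
    trig, chosen = trigger_symbols(initial), set()
    front = {s for c in goal for s, _ in c}          # assumed: all goal symbols
    for _ in range(steps + 1):
        chosen |= {c for c in initial if trig[c] in front}
        front = {s for c in chosen for s, _ in c if s != trig[c]}
    return chosen

def satisfiable(clauses):
    """Stand-in for the SMT solver: brute force; returns a model or None."""
    syms = sorted({s for c in clauses for s, _ in c})
    for vals in product((False, True), repeat=len(syms)):
        model = dict(zip(syms, vals))
        if all(any(model[s] == pol for s, pol in c) for c in clauses):
            return model
    return None

def verify(initial, goal):
    """Claims 1, 4, 5: widen the selection until policy plus negated property is
    unsatisfiable (pass) or the whole policy still has a model (fail)."""
    all_f, prev = set(initial), None
    for steps in range(len(initial) + 1):
        chosen = select(initial, goal, steps)
        if chosen == prev:     # expansion stalled short of the whole policy:
            chosen = all_f     # guard added here, fall back to every formula
        model = satisfiable(chosen | set(goal))
        if model is None or chosen == all_f:
            return ("pass" if model is None else "fail"), steps, model
        prev = chosen

# Constructed policy: allow needs admin or a VPC source; both paths require MFA.
POLICY = [clause("~allow", "admin", "vpc_src"), clause("~admin", "mfa"),
          clause("~vpc_src", "internal"), clause("~internal", "mfa"),
          clause("~internal", "log"), clause("~log", "archive")]
# Formulas to be verified: the negation of each property under test.
NO_MFA_ACCESS = [clause("allow"), clause("~mfa")]       # does allow imply mfa?
NON_ADMIN_ACCESS = [clause("allow"), clause("~admin")]  # does allow imply admin?
```

The MFA property passes after one expansion round using only four of the six formulas; the admin property fails, and the returned model is the counterexample (access via the VPC path) that a reviewer would inspect.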