Parameterized model checking for security policy analysis