Date posted: 27-Dec-2015
Uploaded by: myron-burke
Access control decision
• Given: user and request for privilege = resource, right
• Decide: whether to grant the request
• Specify: who, what, when, why
[Diagram: a user or process requests a resource (a filename) with a right (read/write); the decision point is marked "?"]
Also: authorization management, workflow, …
Goals
Flexible and scalable access control for large-scale, open, decentralized systems
• Resource sharing in decentralized systems
– coalitions, multi-centric collaborative systems
– grid computing
• Electronic commerce
• Health care systems
• Authorization management
Policy Language and Deduction
Say what you want
• Succinctly and directly
• With confidence that you said what you meant
Enforcement
• Deduction, proof of compliance
Policy development tools
• Manage policy lifecycle
• Safety analysis, availability
Core Issue
Single sign-on systems, e.g. Securant, Netegrity, Oblix
[Diagram: single sign-on on a LAN; labels: user name/password, Authentication, Rules, Application, Data, Data]
Distributed Access Control
[Diagram: Certificate Authority, Resource Monitors, and Deduction Engines, each holding Policies and Credentials]
Digital Distribution Dream
[Diagram: Artist, Distributor and Consumer (Player); Policy and Content are passed along the chain]
Military ORCON Policy
Secure network transactions
Trust Management (TM)
Multicentric access control using delegation
• access control decisions are based on distributed policy statements issued by multiple principals
• policy statements contain
– attributes of principals such as permissions, roles, qualifications, characteristics
– trust relationships
Common characteristics of TM systems:
• treat public keys as principals to be authorized
• use digitally signed credentials for non-local statements
History
Early TM languages
• PolicyMaker, KeyNote [Blaze, Feigenbaum, et al.]
• SPKI/SDSI [Ellison, Rivest, Lampson, et al.]
Datalog-based TM languages
• Delegation Logic [Li, Feigenbaum, and Grosof]
• SD3 [Jim]
• Binder [DeTreville]
Some other related work
• ABLP logic [Abadi, Burrows, Lampson, et al.]
• AF logic [Appel and Felten]
• QCM [Gunter and Jim]
Our Policy Framework: FOL
A policy statement has the form:
∀x1, …, xm (Condition → (¬)Permitted(principal, privilege))
where
• Condition is a conjunction of literals
• principal can be an individual [HW] or a group [LM]
• privilege can be an action [HW] or a group [LM]
Also need formulas defining conditions
Feigenbaum, Li; Halpern, Weissman [HW]; Li, Mitchell, … [LM]
Permitting policy [HW, LM]: positive conclusion
Denying policy [HW]: negative conclusion
What is RT?
RT = Role-based Trust management
Innovative features of the RT family
• expressive delegation constructs
• permissions for structured resources
• tractable semantics based on Constraint Datalog
• strongly-typed credentials and vocabulary agreement
• efficient deduction with millions of distributed policy statements
• safety and availability analysis
[Li, Mitchell, Winsborough]
Languages in RT Framework
RT0: Decentralized Roles
RT1: Parameterized Roles
RTT: for Separation of Duties
RTD: for Selective Use of Role Memberships
RT2: Logical Objects
RTT and RTD can be used (either together or separately) with any of the five base languages: RT0, RT1, RT2, RT1C, and RT2C
RT1C: RT1 with structured resources
RT2C: RT2 with structured resources
[Li, Mitchell, Winsborough]
Example
[Diagram: Alice, StateU, ABU and EPub]
• StateU is a university
• Alice is a student
• EPub grants access to university students
• EPub trusts universities to certify students
• EPub trusts ABU to certify universities
Example RT0 credentials
1. StateU.stuID ← Alice
2. ABU.accredited ← StateU
3. EPub.university ← ABU.accredited
4. EPub.student ← EPub.university.stuID
5. EPub.access ← EPub.student
Together, the five statements prove that Alice is entitled to access
Limitation of KeyNote, SPKI 1.0
Capability-based TM systems
• A credential delegates certain permissions from an issuer to a subject
• A chain of credentials authorizes the subject at the end of the chain
Using these systems in the EPub scenario
• EPub delegates the access permission to ABU
• ABU delegates the access permission to StateU
• StateU delegates the access permission to Alice
Not scalable!
• Separate chain of delegations for each student
Policy forms, RT0
Simple attribute assignment
• StateU.stuID ← Alice
Delegation of attribute authority
• StateU.stuID ← COE.stuID
Attribute inferencing
• EPub.access ← EPub.student
Attribute-based delegation of authority
• EPub.student ← EPub.university.stuID
i.e. mem(EPub.student) ⊇ ⋃_{B ∈ mem(EPub.university)} mem(B.stuID)
Conjunction
• EPub.access ← EPub.student ∩ ACM.member
Policy forms, RT1 …
Attributes with fields
• StateU.stuID(name=.., program=.., …) ← Alice
• EPub.access ← StateU.stuID(program="graduate")
Permissions for structured resources
• e.g., allow connection to any host in a domain and at any port in a range
Datalog As A Foundation
Natural
• Security policy statements are if-then rules
Precise
• Declarative and widely-understood semantics
Tractable
• No function symbols ⇒ tractability
• Efficient goal-directed evaluation procedures
Available technology
• Extensive Datalog research in LP and DB
Datalog Semantics of RT0
Each statement is translated into a Datalog rule
Type-1: A.r ← D                               m(A, r, D)
Type-2: A.r ← B.r1                            m(A, r, z) :- m(B, r1, z)
Type-3: A.r ← A.r1.r2                         m(A, r, z) :- m(A, r1, y), m(y, r2, z)
Type-4: A.r ← B1.r1 ∩ B2.r2 ∩ ... ∩ Bk.rk     m(A, r, z) :- m(B1, r1, z), m(B2, r2, z), ..., m(Bk, rk, z)
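As an added worked example (not from the slides or the project's Java engine), the translation above applied to the five EPub credentials, plus constructed credentials for the delegation-of-authority and conjunction forms of the RT0 policy-forms slide; membership is computed by a naive bottom-up fixpoint over the m(A, r, D) relation rather than by the goal-directed algorithms the slides describe:

```python
# Constructed encoding of the four RT0 statement types:
#   ("simple", A, r, D)                      A.r <- D
#   ("containment", A, r, B, r1)             A.r <- B.r1
#   ("linked", A, r, r1, r2)                 A.r <- A.r1.r2
#   ("intersection", A, r, [(B1, r1), ...])  A.r <- B1.r1 ∩ ... ∩ Bk.rk

def to_datalog(s):  # one statement -> the Datalog rule of the slide (Type-1..4)
    k = s[0]
    if k == "simple": return f"m({s[1]}, {s[2]}, {s[3]})."
    if k == "containment": return f"m({s[1]}, {s[2]}, z) :- m({s[3]}, {s[4]}, z)."
    if k == "linked": return f"m({s[1]}, {s[2]}, z) :- m({s[1]}, {s[3]}, y), m(y, {s[4]}, z)."
    return f"m({s[1]}, {s[2]}, z) :- " + ", ".join(f"m({B}, {r}, z)" for B, r in s[3]) + "."

def rt0_facts(statements):
    """Least fixpoint of the translated rules: every true m(A, r, D)."""
    m = set()
    while True:
        new = set()
        for s in statements:
            k = s[0]
            if k == "simple":                      # Type-1: a fact
                new.add((s[1], s[2], s[3]))
            elif k == "containment":               # Type-2: copy B.r1's members
                new |= {(s[1], s[2], z) for (b, r, z) in m if (b, r) == (s[3], s[4])}
            elif k == "linked":                    # Type-3: members of y.r2 for each y in A.r1
                ys = {y for (a, r, y) in m if (a, r) == (s[1], s[3])}
                new |= {(s[1], s[2], z) for (y, r, z) in m if y in ys and r == s[4]}
            else:                                  # Type-4: z must be in every listed role
                sets = [{z for (b, r, z) in m if (b, r) == role} for role in s[3]]
                new |= {(s[1], s[2], z) for z in set.intersection(*sets)}
        if new <= m:                               # nothing new: fixpoint reached
            return m
        m |= new

def members(statements, A, r):  # the slides' query 1: who is in A.r?
    return {D for (a, rr, D) in rt0_facts(statements) if (a, rr) == (A, r)}

# The five EPub credentials from the slides, plus constructed ones for
# delegation of attribute authority (StateU.stuID <- COE.stuID) and conjunction.
EPUB_CREDENTIALS = [
    ("simple", "StateU", "stuID", "Alice"),                       # 1
    ("simple", "ABU", "accredited", "StateU"),                    # 2
    ("containment", "EPub", "university", "ABU", "accredited"),   # 3
    ("linked", "EPub", "student", "university", "stuID"),         # 4
    ("containment", "EPub", "access", "EPub", "student"),         # 5
    ("containment", "StateU", "stuID", "COE", "stuID"),           # from the policy-forms slide
    ("simple", "COE", "stuID", "Bob"),                            # constructed
    ("intersection", "EPub", "discount", [("EPub", "student"), ("ACM", "member")]),  # constructed
    ("simple", "ACM", "member", "Bob"),                           # constructed
]
```

Bob reaches EPub.access through COE.stuID, StateU.stuID and the linked role, and is the only member of the constructed EPub.discount role because Alice is not an ACM member.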
Better: Constraint Datalog
Why constraints:
• Datalog cannot easily express permissions about structured resources and ranges
What is Constraint Datalog
• Special form of CLP; query language for Constraint DB
A Constraint Datalog rule:
• R0(x0) :- R1(x1), ..., Rn(xn), ψ(x0, x1, …, xn)
– x0, x1, …, xn are tuples of variables
– ψ is a constraint in all the variables
Example Policy with Constraints
A grants to B the permission to
• connect to hosts in the domain "stanford.edu"
• at port 80,
• valid from time t1 to t3, and
• allows B to further delegate
grantConnect(A, B, h, p, v) :- h ≺ ⟨edu, stanford⟩, p = 80, v ∈ [t1, t3]
grantConnect(A, x, h, p, v) :- grantConnect(B, x, h, p, v), h ≺ ⟨edu, stanford⟩, p = 80, v ∈ [t1, t3]
Useful Constraint Domains for TM
Tree domains:
• Path expressions ⟨a1, a2, …, ak⟩
– E.g., ⟨pub, software⟩ for /pub/software
• Primitive constraint: x = y or x θ ⟨a1, a2, …, ak⟩, where θ ∈ {=, <, ≤, ≺, ≼}
Range domains:
• each constant is a number
• Primitive constraint: x = y, x = c, or x ∈ (c1, c2)
Discrete domains with finite sets:
• Primitive constraint: x = y, x ∈ {c1, c2, …, cj}
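Added example, not from the slides or the RT implementation: the tree, range and discrete-set primitive constraints above as predicates, and the two grantConnect rules of the previous slide evaluated along a delegation chain. The times t1..t3, the principal C and B's narrower re-delegation to C are constructed assumptions.

```python
# Constructed example: primitive constraints of the tree, range and discrete
# domains, and the two grantConnect rules from the slide evaluated along a
# delegation chain. Illustrative code, not a Constraint Datalog engine.

def tree(op, x, a):
    """x op <a1,...,ak> on paths given as label tuples: '=' equal, '<' child,
    '<=' child-or-self, 'desc' descendant (≺), 'desc=' descendant-or-self (≼)."""
    below = len(x) > len(a) and x[:len(a)] == a
    child = below and len(x) == len(a) + 1
    return {"=": x == a, "<": child, "<=": x == a or child,
            "desc": below, "desc=": x == a or below}[op]

def in_range(v, lo, hi):     # range domain: v in [lo, hi]
    return lo <= v <= hi

def in_set(v, choices):      # discrete domain with a finite set: v in {c1,...,cj}
    return v in choices

def host_path(hostname):     # "cs.stanford.edu" -> ('edu', 'stanford', 'cs')
    return tuple(reversed(hostname.split(".")))

T1, T2, T3 = 100, 200, 300  # constructed validity times t1 < t2 < t3

def a_constraint(h, p, v):   # h ≺ <edu, stanford>, p = 80, v in [t1, t3]
    return tree("desc", h, ("edu", "stanford")) and p == 80 and in_range(v, T1, T3)

def b_constraint(h, p, v):   # constructed: B re-delegates a narrower permission
    return tree("desc=", h, ("edu", "stanford", "cs")) and in_set(p, {80, 443}) and in_range(v, T1, T2)

# (granter, subject, constraint); subject ("delegate", B) encodes the rule
# grantConnect(A, x, h, p, v) :- grantConnect(B, x, h, p, v), <constraint>
RULES = [("A", "B", a_constraint),
         ("A", ("delegate", "B"), a_constraint),
         ("B", "C", b_constraint)]

def grant_connect(granter, subject, h, p, v, rules=RULES, seen=()):
    """Does grantConnect(granter, subject, h, p, v) follow from the rules?
    Constraints are conjoined along the chain, so a delegatee can only narrow."""
    for g, s, holds in rules:
        if g != granter or g in seen or not holds(h, p, v):
            continue
        if s == subject:
            return True
        if isinstance(s, tuple) and s[0] == "delegate" and \
                grant_connect(s[1], subject, h, p, v, rules, seen + (g,)):
            return True
    return False

def a_allows(subject, hostname, port, time):  # A's view of a connect request
    return grant_connect("A", subject, host_path(hostname), port, time)
```

C's request for cs.stanford.edu:80 at time 150 is authorized through B, while port 443 fails A's constraint and time 250 fails B's narrower range.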
RT1C: RT1 with constraints
Theorem:
• Multi-sorted CDatalog programs with multiple tractable constraint domains can be evaluated in polynomial time.
Corollary: The RT languages are tractable
• Statements in the RT languages can be translated into multi-sorted CDatalog programs
Example:
• FileServer.access(path < ⟨pub, software⟩, type ∈ {read, write, delete}) ← StateU.student(dept='CS')
Using CDatalog to Analyze KeyNote
Theorem: it is undecidable whether a KeyNote assertion authorizes any request at all
• One constraint domain used in KeyNote involves Hilbert's 10th problem:
– find integer solutions to p(x1, …, xk) = 0
Moral: KeyNote constraints too expensive
• Practical examples do not use these expensive features
Logical perspective leads to expressive, tractable policy languages
Goal-directed Deduction for RT0
Queries:
1. Given A.r, determine its members
– The backward search algorithm
2. Given D, determine the set of roles that D is a member of
– The forward search algorithm
3. Given A.r and D, determine whether D is a member of A.r
– The bi-directional search algorithm
Credential Graph for Policy
Nodes:
• A.r and e for each statement A.r ← e in P
Credential edges:
• e → A.r for each statement A.r ← e in P
Summary edges:
• B.r2 → A.r1.r2 if there is a path from B to A.r1
• D → A1.r1 ∩ … ∩ Ak.rk if there are paths from D to each Aj.rj
Theorem: Reachability in the credential graph is sound and complete for RT0
Example Bidirectional Search on a Credential Graph
[Diagram: credential graph with nodes Alice, StateU.stuID, COE.stuID, StateU, ABU.accredited, EPub.university, EPub.university.stuID and EPub.student; the key distinguishes credential edges from summary edges]
Worst-Case Complexity
Backward: time O(N³ + NM), space O(NM)
• N is the number of rules
• M is the sum of the sizes of all rules
– A.r ← f1 ∩ … ∩ fk has size k; other credentials have size 1
Forward and bi-directional: time O(N²M), space O(NM)
Same as previous work for SDSI [Clarke, et al.]
• but our algorithms are goal-directed, making them much better in practice
Who stores credentials?
[Diagram: the example credentials distributed among Alice, StateU, COE, ABU and EPub; credentials shown: COE.stuID ← Alice, StateU.stuID ← COE.stuID, ABU.accredited ← StateU, EPub.university ← ABU.accredited, EPub.student ← EPub.university.stuID]
Automated Trust Negotiation
Credentials may contain sensitive information
• need protection just as other resources
• deduction must be interactive
The Trust Target Graph (TTG) protocol
• supports RT0, which has delegation
• supports distributed discovery of statements
• supports Ack policies, which also protect against unauthorized leakage of attribute information
Cryptographic protocols for ATN
• Oblivious Signature-Based Envelope (OSBE)
Safety and Availability Analysis
Organizations delegate partial control
• What happens if other organizations change policy in the future without my knowledge?
Given policy P and restriction R on changes
• Simple safety: Is A.r ⊇ {D} possible? PTIME
• Simple availability: Is A.r ⊇ {D} necessary? PTIME
• Bounded safety: Is {D1, …, Dn} ⊇ A.r necessary? PTIME
Complexity of Containment Analysis
Given P and R, is A.r ⊇ B.r1 necessary?
• Simple delegation: PTIME
– Uses logic programs with stratified negation
• Intersection: coNP-complete
– Equivalent to determining validity in propositional logic
• Linking: PSPACE-complete
– Equivalent to containment of languages accepted by NFAs
• Linking + Intersection: decidable in coNEXP
– Exact complexity unknown
Decidability and PTIME results stand in contrast to the HRU model, in which simple safety is undecidable
Implementation Status
Java inference engine for RT0
Preliminary version of RTML
• an XML-based encoding of RT statements
• XML Schemas and parser exist
Applications
• U-STOR-IT: Web-based file storage and sharing
• August: A distributed calendar program
• Automated Trust Negotiation demo by NAI
• TNT trust negotiation architecture at BYU
Publications on RT
Language specification, distributed deduction: [ACM CCS'01] [JCS] [IEEE S&P'02]
Constraint Datalog: [PADL'03] [CSFW'03]
Summary of RT: [DISCEX'03]
Interactive deduction, protecting sensitive credentials: [IEEE Policy'02] [ACM WPES'02]
Safety and availability analysis of RT policies: [IEEE S&P'03]
Ongoing Work Related to RT
Foundation of distributed trust management:
• more expressive constraints
• additional safety and availability analysis problems
Algorithms:
• deduction algorithms for the full RT framework
• trust negotiation with more expressive RT languages
Systems:
• RTML as a more expressive PKI
• complete implementation of RT and more applications
Policy with negation, functions
Many applications explicitly forbid actions.
• "Smoking is prohibited in the dining areas of all restaurants seating more than 35 people" is part of the NYC Smoke-Free Air Act.
• "The tickets may not be refunded" is a policy of many theaters, special airline fares, …
Functions may be useful: ∀x1, x2 (OnSite(x1) → Permitted(x2, copy(x1)))
These policies cannot be written directly in Datalog or Constraint Datalog
[Halpern, Lagoze, Weissman]
Tractability with function symbols
Key idea: Restrict bipolars
• A literal l is bipolar in a formula f if
– a positive occurrence of l in f is unifiable with a negated l' in f
– E.g. R(Alice, x) is bipolar in R(Alice, x) ∧ ¬R(y, Bob)
If E is an environment and P is a policy such that
• every variable in the lhs of a policy also appears in the rhs
• E is a conjunction of ground literals, and
• there are no bipolar literals in P
then queries are answered in time |P|·|E|
Remains polytime under weaker assumptions
Explanation of restrictions
Every variable on the lhs is also on the rhs
• Permissions (prohibitions) depend only on attributes of the individual and action being regulated
Environment E is a conjunction of ground literals
• Reasonable if the environment is a database and/or a set of certificates
No bipolar literals in policy P
• Reasonable if
– Permitted is not in any policy's premise
– All policies are permitting (or all denying)
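Added example, not from Halpern and Weissman's work: a small unifier (with an occurs check, since function symbols such as copy(x) are allowed) that reports the bipolar literals of a policy set, run on the R(Alice, x) example of the previous slide and on the OnSite/Permitted policy with and without a constructed denying policy, which is the case the restrictions above rule out. Variables are written with a leading "?"; the Member and Minor policies are constructed.

```python
# Constructed example: finding bipolar literals in a policy set. A literal is
# (sign, predicate, args); terms are variables ("?x"), constants ("Alice") or
# function applications ("copy", "?x"). A policy Cond -> Permitted(...) is kept
# as the clause [-Cond..., +Permitted(...)]; a denying policy has -Permitted.

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def walk(t, s):  # follow variable bindings in substitution s
    while is_var(t) and t in s:
        t = s[t]
    return t

def occurs(v, t, s):  # occurs check: does variable v appear inside term t?
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, a, s) for a in t))

def unify(a, b, s):
    """Most general unifier extending substitution s, or None if none exists."""
    a, b = walk(a, s), walk(b, s)
    if a == b: return s
    if is_var(a): return None if occurs(a, b, s) else {**s, a: b}
    if is_var(b): return unify(b, a, s)
    if not (isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b)): return None
    for x, y in zip(a, b):
        s = unify(x, y, s)
        if s is None: return None
    return s

def rename(lit, tag):  # standardise a clause's variables apart from other clauses
    go = lambda t: f"{t}_{tag}" if is_var(t) else tuple(map(go, t)) if isinstance(t, tuple) else t
    return lit[0], lit[1], tuple(map(go, lit[2]))

def bipolar_literals(policy):
    """Positive literals of the policy set that unify with a negated literal of
    the same predicate elsewhere in it (the slides' definition)."""
    lits = [rename(l, i) for i, clause in enumerate(policy) for l in clause]
    return [p for p in lits if p[0] == "+" for n in lits
            if n[0] == "-" and n[1] == p[1] and unify(p[2], n[2], {}) is not None]

SLIDE_EXAMPLE = [[("+", "R", ("Alice", "?x")), ("-", "R", ("?y", "Bob"))]]
PERMITTING = [[("-", "OnSite", ("?x1",)), ("+", "Permitted", ("?x2", ("copy", "?x1")))],   # slide policy
              [("-", "Member", ("?x",)), ("+", "Permitted", ("?x", "Read"))]]              # constructed
DENYING = [("-", "Minor", ("?z",)), ("-", "Permitted", ("?z", ("copy", "?w")))]            # constructed
```

With only permitting policies Permitted never occurs negatively, so nothing is bipolar; adding the denying policy makes Permitted(x2, copy(x1)) bipolar while Permitted(x, Read) stays clear because Read does not unify with copy(w).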
Mixed policy sets
Thm: For any environment E and policy P, we can reformulate as <E', P'> such that
• Permissions follow from E' and permitting policies in P' only
• Prohibitions follow from E' and denying policies in P' only
• Quadratic increase in size
The fragment can capture a number of policy sets
• Samples collected from libraries
• Samples collected from government docs
• Most of the XrML core, and all of Content Schema
More information: Vicky Weissman poster
Future SPYCE Directions
Accomplishments
• Framework and logic for policy definition
• Algorithms for policy enforcement
• Some experience with capturing practical policy requirements from a variety of applications
Challenges
• Continue implementation and deployment efforts
• Policy development algorithms and tools
– Debugging and testing, safety and availability analysis
• Additional challenges
– Policy privacy, automated trust negotiation, revocation