Page 1: 1 Specifying and Reasoning about Dynamic Access-Control Policies Daniel J. Dougherty, Kathi Fisler, and Shriram Krishnamurthi Mouiad A. Hani Presented

1

Specifying and Reasoning about Dynamic Access-Control Policies

Daniel J. Dougherty, Kathi Fisler, and Shriram Krishnamurthi

Presented by Mouiad A. Hani


Paper’s outline

– Motivation
– Background Information
– Introduction
– Modeling Policies and their Dynamic Environments
– Analyzing and Comparing Policies
– Related Works
– Conclusions


Motivation

– The increasing complexity of access-control policies.
– The dynamic nature of the environments in which these policies operate and are evaluated.
– The need for separating the policy from its underlying enforcement engine.
– The need for providing formal analyses regarding policy rules’ safety and availability properties.


Background Information

Access Control: controlling and enforcing protection for every access to a system and its resources, making access possible only for authorized subjects.

The primary purpose of security mechanisms in a computer system is access control, which consists of three tasks:
– Authorization: determining which subjects are entitled to have access to which resource
– Determining the access rights (a combination of access modes such as read, write, execute, delete, and append)
– Enforcing these access rights

Many types of resources need access control to reach them:
– Sensitive documents, files, and information stored in databases, servers, …etc.
– RAM and virtual memory dedicated to the OS and other applications’ uses
– CPU time of clients and servers connected to the net
– Too many other examples


Background…continue

Access Control Kinds

Discretionary Access Control (DAC) means that the owner of the resource controls other users' accesses to that resource. Only those users specified by the owner may have some combination of read, write, execute, and other permissions to the resource.

Drawbacks:
– Transitive
– Vulnerable to Trojan horse attacks

Mandatory Access Control (MAC) means that access control decisions are made by a central authority, not by the individual owner of an object, and the owner cannot change access rights.

Drawback:
– Covert channel problem

Role-Based Access Control (RBAC) controls access depending on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.


Background…continue

An access-control language must provide a way of describing the different forms of access and the environment in which they could occur. This information forms a request. Many languages break requests into four different parts:
– Subject (active entity): the person or process making the request
– Resource (passive entity): the object, subsystem, person, or process that would be affected (e.g., a file name or a process id)
– Action: the command or change that would be executed on the resource by the subject
– Environment: describes any other relevant information such as the time of day, location, or the previous actions of the subject

The first three of these make up the form of requested access while the last gives the context in which this access would be exercised.


Background…continue

Policy Enforcement Point: the point where the policy decisions are actually enforced by the access control mechanism.

Policy Decision Point: the point where policy decisions are made by the access control policy.

(Figure: a Request arrives at the Policy Enforcement Point, the Policy Decision Point consults the Policy Repository, and a Decision is returned.)

Modern applications express policies in domain-specific languages like XML, XACML, …etc.

The applications consult policies through a policy enforcement engine.


Background…continue

Example (figure): Classical Access Control Policy Framework


Introduction

Specifying: Who can access What, How and When?

Reasoning: The process of drawing or establishing new conclusions (facts) from the current facts.

Reasoning, in this paper, is about goal reachability and contextual containment within dynamic access-control policies.


Introduction…continue

Why Separate Policies from Their Underlying Programs?

– It allows the same policy to be used with multiple applications;
– It enables non-programmers to develop and maintain policies;
– It adopts rich mechanisms for combining policy modules derived from different, even geographically distributed, entities.


Policy Modeling

Definition: Let Subjects, Actions, and Resources each be sorts (types). Let Σ be a first-order relational signature (alphabet) including at least the two distinguished ternary predicates Permit and Deny of type Subjects × Actions × Resources. A policy rule over Σ is a Datalog rule over Σ whose head is either Permit or Deny. A policy over Σ is a set of policy rules over Σ.

For a set of rules (the policy) P, we have:

Σ_P = edb ∪ idb (the signature or alphabet of P)

A policy rule over Σ ≡ a Datalog rule over Σ.


Example of a policy written in Datalog

Permit(a, submit-paper, p) :- author(a), paper(p), phase(submission).
Permit(r, submit-review, p) :- reviewer(r), paper(p), assigned(r, p), phase(review).
Permit(r, read-scores, p) :- reviewer(r), paper(p), has-reviewed(r, p), phase(meeting).
Deny(a, read-scores, p) :- author(a), paper(p).

Facts (the edb):

author(Alice). author(Bob). author(Grey).
reviewer(Ali). reviewer(Jad). reviewer(Tom).
paper(P1). paper(P2). paper(P3).


Datalog rule (program)

R(U0) :- R1(U1), R2(U2), …, Rn(Un).

The head R(U0) is the intensional predicate (intensional database, idb); the body R1(U1), …, Rn(Un) consists of the extensional predicates or rules (extensional database, edb).

• Extension refers to whatever extends, i.e., “is quantifiable in space as well as in time”;
• Extensional refers to that which is explicitly represented (e.g., a fact);
• Intensional refers to that which is represented abstractly, e.g., by a rule of inference.


Datalog program analysis and characteristics

– Subset of the Prolog language;
– Set of Horn clauses (first-order logic program);
– Tree-based data structure;
– Top-down (left-to-right) depth-first search with backward chaining and backtracking;
– Unification and dynamic instantiation;
– Undecidable.


Policy Environment Modeling

Where does the environment’s information come from?

– The underlying program (e.g., which reviewers have submitted papers)
– The end-users (such as credentials)
– The run-time system also provides information (such as the current time)
– The policy framework itself (in role-based access control, for example, policies operate under assignments of users to roles and under hierarchies of permission inheritance among roles)

This suggests that:

– The environment must be a transition system, to model the program’s execution and the passage of time
– Each state must consist of an instance of the edb relations referred to by the policy


State Machine Model

To design a secure system with the help of state machine models:
– define the state set so that it captures “security”;
– check that the initial state of the system is “secure”;
– check that all state transitions starting in a “secure” state yield a “secure” state.

Security is then preserved by all state transitions. The system will always be “secure”.


Modeling the Policy and its Dynamic Environment in One Model


One Big Automaton (after step 1)

(Figure: the environment automaton, with states Start, assigned(Bob,Paper1) and has-reviewed(Bob,Paper1); transition labels assigned(R,P), has-reviewed(B,P) and phase(S); the decision deny(Alice,read-scores,paper1) for the read-scores request; and the decisions permit(Alice,submit-paper,paper1,phase(submission)), permit(Bob,submit-review,paper1,phase(review)) and permit(Bob,read-scores,paper1,phase(meeting)).)

At any point in time, the dynamic environment provides a database of facts. This changing environment is modeled as a FSA where states are defined by facts at different points in time.


One Big Automaton just for Permission

(Figure: the same automaton restricted to permit decisions, laid out along a time axis t1, t2, t3: states Start, assigned(Bob,Paper1) and has-reviewed(Bob,Paper1); transition labels assigned(R,P), has-reviewed(B,P) and phase(S); decisions permit(Alice,submit-paper,paper1,phase(submission)), permit(Bob,submit-review,paper1,phase(review)) and permit(Bob,read-scores,paper1,phase(meeting)).)


Analyzing and Comparing Policies

Two fundamental analyses are:
– safety (does a policy prohibit users from doing something undesirable?)
– availability (does a policy permit a user to do something that they are allowed to do?)


Goal Reachability

Is there some accessible state in the dynamic access model that satisfies some Boolean query (expression) over policy facts?

To evaluate the goal at a particular state in a model is to evaluate the associated Boolean query on the database of facts at that state.
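The Datalog policy from the example slide, the environment as a transition system whose states are edb instances, and goal reachability as a search for a state satisfying a Boolean query, carried through as one added Python example (not code from the paper or the slides). The environment's transitions, the names alice/bob/paper1 and the two queries are assumptions made for this demo.

```python
from collections import deque
from itertools import product
PHASES = ["submission", "review", "meeting"]

def decisions(db):
    """The four Permit/Deny rules from the slides, evaluated over one state's edb."""
    permit, deny = set(), set()
    for a, p in product(db["author"], db["paper"]):
        if "submission" in db["phase"]:
            permit.add((a, "submit-paper", p))
        deny.add((a, "read-scores", p))  # Deny(a, read-scores, p) :- author(a), paper(p)
    for r, p in product(db["reviewer"], db["paper"]):
        if (r, p) in db["assigned"] and "review" in db["phase"]:
            permit.add((r, "submit-review", p))
        if (r, p) in db["has-reviewed"] and "meeting" in db["phase"]:
            permit.add((r, "read-scores", p))
    return permit, deny

def successors(db):
    """Assumed environment transitions: advance the phase, assign a reviewer, or record a permitted review."""
    out, permit = [], decisions(db)[0]
    phase = next(iter(db["phase"]))
    if phase != "meeting":
        out.append({**db, "phase": {PHASES[PHASES.index(phase) + 1]}})
    for r, p in product(db["reviewer"], db["paper"]):
        if (r, p) not in db["assigned"]:
            out.append({**db, "assigned": db["assigned"] | {(r, p)}})
        if (r, "submit-review", p) in permit and (r, p) not in db["has-reviewed"]:
            out.append({**db, "has-reviewed": db["has-reviewed"] | {(r, p)}})
    return out

def reachable(start, goal):
    """Goal reachability: BFS for a state whose edb and decisions satisfy `goal`, else None."""
    key = lambda db: tuple(sorted((k, frozenset(v)) for k, v in db.items()))  # hashable state
    seen, queue = {key(start)}, deque([start])
    while queue:
        db = queue.popleft()
        if goal(db, *decisions(db)):
            return db
        for nxt in successors(db):
            if key(nxt) not in seen:
                seen.add(key(nxt))
                queue.append(nxt)
    return None

# Constructed initial state: one author, one reviewer, one paper, submission phase.
START = {"author": {"alice"}, "reviewer": {"bob"}, "paper": {"paper1"},
         "assigned": set(), "has-reviewed": set(), "phase": {"submission"}}

def reviewer_can_read_scores():  # availability: a reachable state where Bob may read the scores
    return reachable(START, lambda db, permit, deny: ("bob", "read-scores", "paper1") in permit)

def author_can_read_scores():  # safety: a reachable state where any author may read scores
    return reachable(START, lambda db, permit, deny:
                     any(s in db["author"] and a == "read-scores" for s, a, _ in permit))
```

The availability query returns the meeting-phase state reached after Bob was assigned and reviewed the paper, while the safety query returns None because no reachable state ever permits an author to read scores.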


Goal Reachability

Example (figure): Finding an accessible state satisfying the formula


Checking Contextual Policy Containment

The Expensive Way:
– Rename the predicates in the two policies so they are disjoint
– Take the union of the two policies
– Use model checking to verify the temporal logic sentence


The Less Expensive Way

But the notion of accessibility is different depending on whether a rule is considered in isolation or as part of a larger policy?

This motivates the following refinement of contextual containment:
– Consider each rule as a single policy in its own right
– Check that individual rules are contained in (whole) policies


Example: Consider when a policy author wants to replace the following rule ρ1 for reviewers’ access to paper reviews with rule ρ2:

Semantic ambiguity? So, syntactic analysis is insufficient, in general.

Algorithms (12) and (16)


Related Works

Bell and LaPadula [6] were the first to use state transition systems to model programs guarded by access control policies.

They defined the states of the system in such a way as to embody all the information considered pertinent to security considerations.


Related Works …continue

Harrison, Ruzzo and Ullman [18] presented a formal model of access control which has become known as HRU.

A state of an HRU system is denoted by a set of objects, some of which are subjects, and a protection matrix giving the current access rights between pairs of subjects and objects.

A policy is a set of commands, each parameterized by objects and specifying some possible transformation on the access matrix.


Related Works …continue

Talel Abdessalem and Imen Ben Dhia [6, bibliography] propose an access control model for online social networks based on connection characteristics between users, in an extended sense that includes indirect connections. This model provides a conditional access to shared resources based on reachability constraints, between the owner and the requester of a piece of information.


Related Works …continue

Ninghui Li and Mahesh V. [32] proposed to use security analysis techniques to maintain desirable security properties while delegating administrative privileges. They gave a precise definition of a family of security analysis problems in RBAC, which is more general than safety analysis that is studied in the literature. They also show that two classes of problems in the family can be reduced to similar analysis in the RT0 trust-management language, thereby establishing an interesting relationship between RBAC and the RT (Role-based Trust-management) framework.


Conclusions

– The subtlety in this work arises because of the complexity of the policies and their environments.
– The notions of uniform contextual containment and equivalence defined in this paper are fundamental concepts for a theory of policies.
– The work in this paper can be used to analyze any situation where the program’s execution is governed by a logical policy.
– Access-control policies are hard to get right.


I have questions…

THANK YOU


Bibliography

1. G. F. Luger and W. A. Stubblefield, “AI Algorithms, Data Structures, and Idioms in Prolog, Lisp, and Java”, Pearson Education, 2009.

2. K. Ramamohanarao and J. Harland, “An Introduction to Deductive Database Languages and Systems”, VLDB Journal, Vol. 3, 107-122, 1994.

3. M. A. Harrison, W. L. Ruzzo, and J. D. Ullman, “Protection in operating systems”, Communications of the ACM, 19(8):461–471, Aug. 1976.

4. Morrie Gasser, “Building a Secure Computer System”, Van Nostrand Reinhold, 1988.

5. Vincent C. Hu, David F. Ferraiolo, and D. Rick Kuhn, “Assessment of Access Control Systems”, Interagency Report 7316, NIST, 2006.

6. Talel Abdessalem and Imen Ben Dhia, “Access Control in Social Networks: A Reachability-Based Approach”, In ACM Proceedings of the 2012 Joint EDBT/ICDT Workshops, 227-232, 2012.