Composite DecentralizedAccess Control

Petar Tsankov, Srdjan Marinovic, Mohammad Torabi Dashti, David Basin

Institute of Information SecurityETH Zurich

Example: SweGrid

Access Control Requirements– A project leader delegates his authority

over resources to principals– A project leader composes the principals'

policies (e.g., using permit-override)

GoalProvides computational and storage resources to researchers

Delegation

Multiple principals can issue access rights

Researchers

access rights access rights

delegations

Projectleader

Dave

ProjectLeader

Bob

Researchers

Delegation

Multiple principals can issue access rights

Researchers

access rights access rights

delegations

Decentralized Access Control

Projectleader

Dave

ProjectLeader

Bob

Researchers

Composition

Policy decisions in large-scale systems– Grant, Deny, Not-applicable, Conflict

Dave

Project leader

+Bob

Composition operators, e.g.:● Permit-override● Deny-override● Conflict-override

+

Composite Access Control

Composition

Policy decisions in large-scale systems– Grant, Deny, Not-applicable, Conflict

Dave

Project leader

+Bob

Composition operators, e.g.:● Permit-override● Deny-override● Conflict-override

+

System Model

Subjects Resources

System ModelRequirements

control access

Subjects Resources

Principals

System Model

PEP

PDP

Requirements

control access

Subjects Resources

Principals

Policies

Related Work

Systems andstandards

Formalfoundations

Related Work

Systems andstandards

Formalfoundations DKAL ('08)

RT ('01)

SecPAL for Grid

Delegation

KeyNote PDP(RFC 2704)

...

Related Work

Systems andstandards

Formalfoundations

XACML v2.0

D-Algebra ('09)PTaCL ('12)

PBel ('08)DKAL ('08)RT ('01)

SecPAL for Grid

Delegation Composition

KeyNote PDP(RFC 2704)

......

Related Work

Systems andstandards

Formalfoundations

XACML v2.0

D-Algebra ('09)

SweGrid

PTaCL ('12)

PBel ('08)DKAL ('08)RT ('01)

XACML v3.0 ('13)SecPAL for Grid

WSO2 ID Server

Delegation CompositionDelegation + Composition

KeyNote PDP(RFC 2704)

......

Related Work

Systems andstandards

Formalfoundations

XACML v2.0

D-Algebra ('09)

SweGrid

PTaCL ('12)

PBel ('08)DKAL ('08)RT ('01)

XACML v3.0 ('13)SecPAL for Grid

WSO2 ID Server

BelLog

Delegation CompositionDelegation + Composition

KeyNote PDP(RFC 2704)

......

How to Build Access Control Systems

SpecifyPolicy

VerifyPolicy

ConstructPDP

➔ Formal semantics

➔ Support fordelegation

➔ Support forcomposition

➔ Analysis language

➔ Decision algorithms

➔ Efficient evaluation algorithm

How to Build Access Control Systems

SpecifyPolicy

VerifyPolicy

ConstructPDP

➔ Formal semantics

➔ Support fordelegation

➔ Support forcomposition

➔ Analysis language

➔ Decision algorithms

➔ Efficient evaluation algorithm

Belnap Logic + Datalog = BelLog

(Program)(rule)

(literal)(atom)Tr

uth

orde

ring

Knowledge ordering

Belnap Logic (stratified) Datalog

Belnap Logic + Datalog = BelLog

(Program)(rule)

(literal)(atom)Tr

uth

orde

ring

Knowledge ordering

Belnap Logic (stratified) Datalog

Belnap Logic + Datalog = BelLog

(Program)(rule)

(literal)(atom)Tr

uth

orde

ring

Knowledge ordering

Belnap Logic (stratified) Datalog

Belnap Logic + Datalog = BelLog

(Program)(rule)

(literal)(atom)Tr

uth

orde

ring

Knowledge ordering

Belnap Logic (stratified) Datalog

BelLog

(Program)(rule)(literal)(atom)

Negation on truthNegation on knowledge

Belnap Logic + Datalog = BelLog

(Program)(rule)

(literal)(atom)Tr

uth

orde

ring

Knowledge ordering

Belnap Logic (stratified) Datalog

BelLog

(Program)(rule)(literal)(atom)

Negation on truthNegation on knowledge

SemanticsExtend stratified Datalog to four-valued fixed-point semantics

BelLog Examples

BelLog Examples

Transitive delegation

BelLog Examples

Transitive delegation

Policy targets

BelLog Examples

Transitive delegation

Policy targets

Agreement

BelLog Examples

Transitive delegation

Conflict-override

Policy targets

Agreement

BelLog Examples

Transitive delegation

Conflict-override

Policy targets

Agreement

Other idioms?

➔ Formal semantics

➔ Support fordelegation

➔ Support forcomposition

➔ Analysis language

➔ Decision algorithms

➔ Efficient evaluation algorithm

How to Build Access Control Systems

SpecifyPolicy

VerifyPolicy

ConstructPDP

Policy Analysis

Does the policy meet its requirements?

RequirementsPolicy

Policy Analysis

Does the policy meet its requirements?

RequirementsPolicy

Questions

Policy Analysis

Does the policy meet its requirements?

RequirementsPolicy

Questions

Analyzer

Policy Analysis

Does the policy meet its requirements?

RequirementsPolicy

Questions

Analyzer

Counter-example

Policychecked

Fix

Policy Analysis

Does the policy meet its requirements?

RequirementsPolicy

Questions

Analyzer

Counter-example

Policychecked

Fix

How do we write this?

Policy Analysis

Does the policy meet its requirements?

RequirementsPolicy

Questions

Analyzer

Counter-example

Policychecked

Fix

How do we write this?

Decidability?Complexity?

Analysis Questions

Syntax

– Is policy P2 more permissive than P1 for all inputs that satisfy the condition c?

(condition)

(question)

Analysis Questions

All requests Requests granted by P2

Requestsgranted by P1

Syntax

– Is policy P2 more permissive than P1 for all inputs that satisfy the condition c?

(condition)

(question)

For a given input:

Analysis Questions

All requests Requests granted by P2

Requestsgranted by P1

Syntax

– Is policy P2 more permissive than P1 for all inputs that satisfy the condition c?

(condition)

(question)

For a given input:

Analysis Questions

All requests Requests granted by P2

Requestsgranted by P1

Syntax

– Is policy P2 more permissive than P1 for all inputs that satisfy the condition c?

(condition)

(question)

For a given input: Check for all inputs that satisfy the condition

Example: Analysis Question

RequirementIf the requester is a project leader, then grant access.

Policy

Example: Analysis Question

RequirementIf the requester is a project leader, then grant access.

Analysis Question

Policy

Analysis

Analysis

Theorem 1Policy containment is undecidable

Analysis

Theorem 2 Policy containment for unary-input policies* is in CO-NEXP-COMPLETE

Theorem 1Policy containment is undecidable

*Unary-input policies– Example:

Analysis

Theorem 3Policy containment for a finite universe is in CO-NP-COMPLETE

Theorem 2 Policy containment for unary-input policies* is in CO-NEXP-COMPLETE

Theorem 1Policy containment is undecidable

*Unary-input policies– Example:

➔ Formal semantics

➔ Support fordelegation

➔ Support forcomposition

➔ Analysis language

➔ Decision algorithms

➔ Efficient evaluation algorithm

How to Build Access Control Systems

SpecifyPolicy

VerifyPolicy

ConstructPDP

Constructing PDPs

Policy Interpreterhttp://bellog.org

GitHubhttps://github.com/ptsankov/bellog/

Theorem 4 Policy entailment is in PTIME

Limitations

– Analysis of administrative changes– Analysis complexity and tool support– Usability

BelLog Contributions

A foundation for composite decentralized

access controlPolicy analysis

framework

BelLog PDP (www.bellog.org)