Access Control Policy Translation and Verification Within Heterogeneous Data Federations Gregory Leighton Denilson Barbosa University of Alberta June 11, 2010

Outline

- Problem setting, challenges, and background
- Access control policy translation
- Verification of translated access control policies
  - Static analysis
  - Dynamic analysis
- Expressing translated policies in XACML
- Open issues and future work

(Slide footer: June 11, 2010, ACP Translation/Verification Within Heterogeneous Data Federations)

PROBLEM SETTING, CHALLENGES, AND BACKGROUND

Problem Setting

(Figure: data sources 1 … n, each holding a relational Patient table (name, SSN, and in some sources age), exposed to the federation as an XML tree patients/patient/{name, ssn, age}; each source i contributes a publishing function σ_i, a local ACP A_i and an identity mapping I_i.)

- Each publishing function σ_i is a contract specifying how relational database contents are exposed as XML to the larger data federation.
- Each data source also has an access control policy A_i defined over the local database.
- Each data source also defines an identity mapping function I_i, specifying an assignment of each local user to one or more federated identities.

Challenges

Individual data sources are often independently maintained:
- Each ACP is defined over a set of local identities.
- A centralized user authentication system is needed that can translate local identities into federated identities valid across the federation, without violating the need-to-know principle.

Many access control models for relational and XML data already exist, but translating from one to the other must be done manually and is non-trivial due to several factors:
- "Real world" relational ACPs can be very large (hundreds of rules defined over a large set of database objects).
- The hierarchical nature of XML introduces extra difficulties (when is it appropriate for permissions to be propagated from a parent node to a child?).
- Combining ACPs originating from different data sources can lead to policy conflicts.

XML Publishing Transducers

We represent the publishing function σ as a publishing transducer (Fan et al. 2007)

  τ = (Q, Σ, q_0, δ)

where
- Q is a set of states;
- Σ is a finite tag alphabet;
- q_0 is the designated start state, associated with the root tag r ∈ Σ;
- δ is a finite set of transduction rules.

Transduction rules are of the form

  (q, a) → (q_1, a_1, φ_1(x̄_1; ȳ_1)), …, (q_k, a_k, φ_k(x̄_k; ȳ_k))

with q, q_i ∈ Q (states), a, a_i ∈ Σ (tags), and each φ_i a query on D and/or the local node register, drawn from one of three query languages: conjunctive queries with = and ≠, first-order queries with =, or inflationary fixpoint queries with =.

Example

(Figure: a relation with columns ssn, name, age holding tuples for Carol (age 31) and Doug (age 45) is run through the rules (q_0, patients) → (q_1, patient) and (q_1, patient) → (q_1, name), (q_1, age); the slide shows the resulting XML tree patients/patient/{name, age}, each patient node's register holding one source tuple, and the transduction rule applied at each step.)
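The transducer definition and the patients example above, as an added example written for this page (it is not code from the talk or from Fan et al.): a small Python publishing transducer over a constructed patients relation. The state names q0 to q2, the rule set, the made-up SSN values and the choice to expose name and age but not ssn are assumptions for illustration.

```python
"""Added example: a toy XML publishing transducer in the style of Fan et al.
(2007), written for this page; it is not code from the talk or paper.
A relational instance D is exposed as an XML tree by rules
    (q, a) -> (q1, a1, phi1), ..., (qk, ak, phik)
where each phi_i is a query over D and/or the register of the current node.
Here a query is an ordinary Python function returning the child registers."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed sample instance D with a single relation patients(ssn, name, age);
# the SSN values are made up.
D = {
    "patients": [
        {"ssn": "111-11-1111", "name": "Carol", "age": 31},
        {"ssn": "222-22-2222", "name": "Doug", "age": 45},
    ],
}

Query = Callable[[dict, Any], List[Any]]


@dataclass
class Node:
    tag: str
    register: Any = None          # tuple (or value) carried by this node
    text: Optional[str] = None    # set only for leaf nodes
    children: List["Node"] = field(default_factory=list)


# Transduction rules delta, keyed by (state, tag). Each RHS entry is
# (next_state, child_tag, query); the query yields one register per child.
# q2 has no rule, so nodes reached in q2 become text leaves. Note that ssn is
# never selected: the publishing function decides what the federation sees.
RULES: Dict[Tuple[str, str], List[Tuple[str, str, Query]]] = {
    ("q0", "patients"): [
        ("q1", "patient", lambda db, reg: db["patients"]),
    ],
    ("q1", "patient"): [
        ("q2", "name", lambda db, reg: [reg["name"]]),
        ("q2", "age", lambda db, reg: [str(reg["age"])]),
    ],
}
START = ("q0", "patients")     # q0 is paired with the root tag r = patients


def transduce(db: dict, state: str = START[0], tag: str = START[1],
              register: Any = None) -> Node:
    """Run the transducer from (state, tag) and return the generated subtree."""
    node = Node(tag, register)
    rhs = RULES.get((state, tag))
    if rhs is None:                       # no rule: emit the register as text
        node.text = str(register)
        return node
    for next_state, child_tag, query in rhs:
        for child_reg in query(db, register):
            node.children.append(transduce(db, next_state, child_tag, child_reg))
    return node


def to_xml(node: Node) -> str:
    """Serialise the generated tree (no escaping; sample data is plain ASCII)."""
    if node.text is not None:
        return f"<{node.tag}>{node.text}</{node.tag}>"
    inner = "".join(to_xml(c) for c in node.children)
    return f"<{node.tag}>{inner}</{node.tag}>"


if __name__ == "__main__":
    print(to_xml(transduce(D)))
```

Running it prints patients/patient/{name, age} for Carol and Doug and no ssn at all. That is the security-relevant half of the contract: the publishing function fixes which relational objects have an XML representation, and the ACP translation that follows has to protect exactly those representations.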

ACCESS CONTROL POLICY TRANSLATION

Access Control Models for XML

Many XML access control models have been proposed, specifying how permissions may be specified over an XML tree:
- Policy language (typically, an XPath fragment)
- Rule scope (node, node + attributes, node + text, node + descendants, …)
- Conflict resolution policy and default semantics (allow vs. deny)

But these models say nothing about how an SQL access control policy can be equivalently expressed over a published XML tree.

What's needed: the ability to augment a publishing function σ with the additional information needed to preserve the original SQL ACP A over the published XML document σ(D), giving a secure publishing function σ′.

ACP Translation Framework

(Figure: the ACP Translator takes the relational schema S, the relational ACP A, the publishing function σ and the identity mapping I as inputs and outputs a secure publishing function σ′.)

We represent a secure publishing function as a secure publishing transducer (SPT), which extends the definition of a publishing transducer in two ways:
- Each tree node generated during the transduction process is assigned an access bitstring, recording the relevant permissions for that node.
- Additional transduction rules are needed to model conditional access permissions (i.e., separate rules are needed to handle both possibilities: where the condition is, and is not, satisfied).

Preservation of Access Control Policies

A secure publishing function σ′ preserves an SQL access control policy A if, for each federated ID f and permission p, the following conditions are satisfied over the XML tree σ′(D):

1. (Sufficiency condition) For every relational database object o made accessible to f by A under permission p, the XML representation of o in σ′(D) is also accessible to f within the context of permission p.
2. (Necessity condition) The XML representation of a database object o in σ′(D) is only made accessible to f within the context of p if o was originally made accessible to f by A under permission p.

Transduction Rules

Each rule of an SPT has the shape of a publishing-transducer rule, except that every right-hand-side entry carries an access bitstring alongside its state (drawn from Q), its tag (drawn from Σ) and its query on D and/or the local node register.

Example access bitstring for federated IDs Carol and Doug and permissions "select" and "insert": 11101000, read left to right as
- 1st bit: Carol holds "select" permission
- 2nd bit: Carol holds grant option for "select"
- 3rd bit: Carol holds "insert" permission
- 4th bit: Carol does not hold grant option for "insert"
- 5th bit: Doug holds "select" permission
- 6th bit: Doug does not hold grant option for "select"
- 7th bit: Doug does not hold "insert" permission
- 8th bit: Doug does not hold grant option for "insert"

In general, a bitstring has two bits (permission held, grant option held) for every pair of federated ID and permission.
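The bitstring layout above together with the sufficiency and necessity conditions from the preservation slide, as an added example written for this page (not the authors' code). It assumes two federated IDs, two permissions, a constructed relational ACP A over the patients relation and its columns, and a mapping from XML node types to the relational objects they represent; the check runs at the schema level, on the bitstring the SPT attaches to each node type.

```python
"""Added example (not code from the talk): access bitstrings for a fixed list of
federated IDs and permissions, plus a schema-level check of the two preservation
conditions (sufficiency and necessity). IDs, object names and the ACP A below
are constructed for illustration."""
from typing import Dict, List, Set, Tuple

FED_IDS = ["Carol", "Doug"]
PERMS = ["select", "insert"]

# Relational ACP A as a set of (federated id, database object, permission,
# grant option) entries; objects are relation or relation.column names.
Grant = Tuple[str, str, str, bool]
A: Set[Grant] = {
    ("Carol", "patients", "select", True),
    ("Carol", "patients", "insert", False),
    ("Doug", "patients", "select", False),
    ("Carol", "patients.name", "select", True),
    ("Carol", "patients.age", "select", True),
    ("Doug", "patients.name", "select", False),
}


def access_bitstring(acp: Set[Grant], obj: str,
                     fed_ids: List[str] = FED_IDS, perms: List[str] = PERMS) -> str:
    """Two bits per (federated id, permission) pair, in list order:
    first bit = id holds the permission on obj, second = id holds its grant
    option; the result has length 2 * len(fed_ids) * len(perms)."""
    bits = []
    for f in fed_ids:
        for p in perms:
            grants = [g for (s, o, q, g) in acp if s == f and o == obj and q == p]
            bits.append("1" if grants else "0")
            bits.append("1" if any(grants) else "0")
    return "".join(bits)


def decode_bitstring(bits: str, fed_ids: List[str] = FED_IDS,
                     perms: List[str] = PERMS) -> Dict[Tuple[str, str], Tuple[bool, bool]]:
    """Inverse of access_bitstring: (id, perm) -> (holds, grant option)."""
    out, i = {}, 0
    for f in fed_ids:
        for p in perms:
            out[(f, p)] = (bits[i] == "1", bits[i + 1] == "1")
            i += 2
    return out


def preservation_violations(acp: Set[Grant], node_object: Dict[str, str],
                            node_bits: Dict[str, str]) -> List[str]:
    """Compare an SPT's per-node-type bitstrings with the relational ACP.
    node_object maps each XML node type (tag) to the database object it
    represents; node_bits is the bitstring the SPT attaches to that node type.
    Returns the list of violations; empty means A is preserved."""
    problems = []
    for tag, obj in node_object.items():
        got = node_bits.get(tag)
        if got is None:
            problems.append(f"{tag}: no bitstring assigned")
            continue
        want, have = decode_bitstring(access_bitstring(acp, obj)), decode_bitstring(got)
        for (f, p), (w_hold, w_grant) in want.items():
            h_hold, h_grant = have[(f, p)]
            if w_hold and not h_hold:   # sufficiency: A grants it, the XML hides it
                problems.append(f"{tag}: {f} lost {p} on {obj}")
            if h_hold and not w_hold:   # necessity: the XML grants what A never did
                problems.append(f"{tag}: {f} gained {p} on {obj}")
            if w_grant != h_grant:
                problems.append(f"{tag}: grant option for {f}/{p} on {obj} differs")
    return problems


# XML node type -> relational object it represents, for patients/patient/{name,age}
NODE_OBJECT = {"patients": "patients", "patient": "patients",
               "name": "patients.name", "age": "patients.age"}


def correct_translation(acp: Set[Grant] = A) -> Dict[str, str]:
    """A faithful SPT assignment: each node type gets its object's bitstring."""
    return {tag: access_bitstring(acp, obj) for tag, obj in NODE_OBJECT.items()}


if __name__ == "__main__":
    print(access_bitstring(A, "patients"))            # 11101000, as on the slide
    print(preservation_violations(A, NODE_OBJECT, correct_translation()))
    # The propagation pitfall from the Challenges slide: copying the parent
    # patient bitstring onto age lets Doug select a column A never exposed to him.
    leaky = dict(correct_translation(), age=access_bitstring(A, "patients"))
    print(preservation_violations(A, NODE_OBJECT, leaky))
```

The last call is the case worth keeping in mind: inheriting a parent node's bits is the natural XML default, and it violates necessity as soon as the child represents a column with a narrower grant than its relation.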

Expressibility Problem

For an arbitrary relational database D with schema S, relational ACP A, and publishing function σ, can one always find a secure publishing function σ′ that preserves A over σ(D)?

Result: an algorithm for solving the expressibility problem (see paper)
- Applicable when σ can be expressed as a publishing transducer
- Time complexity: (bound given in the paper)

VERIFICATION OF TRANSLATED ACCESS CONTROL POLICIES

Verification of Translated ACPs: Two Problem Variants

Inputs: relational schema S; relational ACP A; identity mapping function I; secure publishing transducer σ′; database instance D (dynamic variant only).

(Figure: in the dynamic variant the Policy Verifier takes S, A, I, σ′ and D and asks whether the materialised trees σ̂′(D) and σ′(D) coincide; in the static variant it takes S, A, I and σ′ and asks whether σ̂′ and σ′ are equivalent, σ̂′ being the SPT the translator derives from the inputs.)

Dynamic Verification

Applicable for scenarios where database contents do not change frequently (e.g., archival data).

Procedure:
1. Derive S.P.T. σ̂′ from the supplied inputs S, A, I, and σ.
2. For the specific database instance D, obtain the XML trees X_1 = σ̂′(D) and X_2 = σ′(D) and ensure that, at each tree position, the corresponding nodes in X_1 and X_2
   i. have the same label,
   ii. have the same number of children, and
   iii. have the same bitstring assignment.
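The three-part node comparison of step 2, as an added example written for this page (not the authors' code). The two trees are constructed inline, using the same 8-bit layout as the bitstring slide (Carol, Doug; select, insert); the second tree deliberately carries a bitstring propagated from patient down to age, which is the kind of translation error the check is meant to catch.

```python
"""Added example (not code from the talk): the dynamic verification step,
comparing two materialised trees X1 = sigma_hat'(D) and X2 = sigma'(D)
position by position on label, child count and access bitstring.
Trees are nested tuples (label, bitstring, children), constructed inline."""
from typing import Optional, Tuple

Tree = Tuple[str, str, list]   # (label, access bitstring, children)


def first_mismatch(x1: Tree, x2: Tree, path: str = "", index: int = 0) -> Optional[str]:
    """Return a description of the first position (XPath-like, 0-based) where
    x1 and x2 differ, checking label, child count and bitstring in that order,
    or None when the trees agree everywhere (the dynamic check succeeds)."""
    label1, bits1, kids1 = x1
    label2, bits2, kids2 = x2
    here = f"{path}/{label1}[{index}]"
    if label1 != label2:
        return f"{path}: child {index} has label {label1!r} vs {label2!r}"
    if len(kids1) != len(kids2):
        return f"{here}: {len(kids1)} vs {len(kids2)} children"
    if bits1 != bits2:
        return f"{here}: bitstring {bits1} vs {bits2}"
    for i, (c1, c2) in enumerate(zip(kids1, kids2)):
        found = first_mismatch(c1, c2, here, i)
        if found:
            return found
    return None


def dynamic_verify(x1: Tree, x2: Tree) -> bool:
    """True iff the supplied SPT's tree matches the derived SPT's tree."""
    return first_mismatch(x1, x2) is None


# Constructed reference tree for the patients example: the relational ACP gives
# Carol select (with grant) on everything, insert on the relation only, and
# Doug select on the relation and on name, but not on age.
X1 = ("patients", "11101000", [
    ("patient", "11101000", [
        ("name", "11001000", []),
        ("age", "11000000", []),
    ]),
    ("patient", "11101000", [
        ("name", "11001000", []),
        ("age", "11000000", []),
    ]),
])
# Constructed tree from a supplied SPT that propagated the patient bitstring to
# age: Doug would be able to select ages the relational ACP never exposed.
X2 = ("patients", "11101000", [
    ("patient", "11101000", [
        ("name", "11001000", []),
        ("age", "11101000", []),
    ]),
    ("patient", "11101000", [
        ("name", "11001000", []),
        ("age", "11101000", []),
    ]),
])

if __name__ == "__main__":
    print(dynamic_verify(X1, X1))      # True
    print(first_mismatch(X1, X2))      # points at the first age node
```

The walk itself is linear in the size of the trees; as the complexity slide notes, what dominates in practice is materialising X_1 and X_2 from the transducers, not comparing them.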

Static Verification

Procedure:
1. Derive S.P.T. σ̂′ from the supplied inputs σ, S, A, and I.
2. Verification of the supplied S.P.T. σ′ succeeds iff the following conditions are met:
   i. For every database D conforming to schema S, σ̂′(D) = σ′(D).
   ii. The relational ACP A and the access bitstrings in σ′ share the same semantics.

Verification of Translated ACPs: Computational Complexity

We consider the complexity of deciding both problem variants for various classes of S.P.T.s, written SPT(L, S, A), where
- L denotes the language of queries appearing in transduction rules (FO or CQ);
- S is either tp or rl, indicating whether each node register in the produced XML tree stores a single tuple or a relation; and
- A specifies the complexity of queries appearing in the relational ACP rules (FO or CQ).

SPT_nr(L, S, A) denotes the subclass of S.P.T.s without recursion in transduction rules.

Verification of Translated ACPs: Computational Complexity (results)

SPT class           | Dynamic verification | Static verification
--------------------|----------------------|-------------------------------------------------------
SPT(L, rl, A)       | 2EXPTIME             | undecidable
SPT(L, tp, A)       | EXPTIME              | undecidable
SPT_nr(FO, tp, A)   | PTIME                | undecidable
SPT_nr(CQ, tp, A)   | PTIME                | …₃ᵖ-complete (third level of the polynomial hierarchy)

Dynamic verification: complexity is dominated by the cost of materializing the XML trees, given the S.P.T.s σ′ and σ̂′.
Static verification: complexity is dominated by the need to decide equivalence between the S.P.T.s σ′ and σ̂′.

EXPRESSING TRANSLATED ACPS IN XACML

Generating XACML From a Translated ACP

(Figure: the XACML Generator takes the secure publishing transducer σ′ and outputs an XACML policy.)

- The process is done at the schema level, only once for each σ′.
- The generated XACML policy is applicable to all generated XML trees σ′(D).

Expressing Translated ACPs in XACML

Procedure:
1. Construct a rule reachability graph (RRG) from the transduction rules in σ′. Nodes are transduction rules; an edge (i, j) indicates that the i-th rule contains a reference to the j-th rule in its RHS, and is labelled with the associated φ query.
2. Traverse the RRG in preorder. If the last travelled edge is labelled with a conditional φ query, the condition must be resolved into an equivalent XPath expression (see paper). Each time the bitstrings for a parent and child node in the RRG differ, a new XACML policy rule is created.
3. Created XACML policy rules sharing the same subset of federated IDs as their subject are combined into a single policy rule.

Future Work

Policy translation
- Automating the discovery of a "smallest set" of federated identities needed to preserve the semantics of each relational ACP, while also obeying the need-to-know principle.
- Minimization of secure publishing transducers: minimizing the number of transduction rules, and minimizing the queries in each transduction rule.

Policy verification
- In general, verification is difficult or undecidable. Can subclasses of S.P.T.s for which verification is more tractable be identified?
- Consider additional problem variants: the translated policy is specified as an XACML policy rather than an S.P.T.; the list of federated users is not fixed, which requires reasoning about ACPs instead of bitstrings.

Final Slide

Thank you. Questions?