Access Policy
John Mitchell, Stanford University


Research directions
- Problem: access policy, its specification and enforcement
- Approach: tractable subsets of first-order logic
- Accomplishments: policy languages, algorithms, demo applications
- Transitions to industry: collaboration, start-up, students to industry, industrial visitor to Stanford
- Continuing efforts: interface with commercial approaches (XrML, EPAL, P3P); policy development environment (algorithms, tools)

Distributed Access Control (diagram: several sites, each with its own Policy, Resource and ID)
- Policy at site A may govern resources at site B
- Protect distributed resources with distributed policy

Decentralized Policy Example (diagram with Alice, EPub, StateU and ABU)
- StateU is a university
- Alice is a student
- EPub grants access to university students
- EPub trusts universities to certify students
- EPub trusts ABU to certify universities

Policy Combination
- Build policy templates: Policy 1 is a generic hospital/clinic policy; Policy 2 adds the decisions specific to this clinic
- Coalitions: Policy 1 is your company's policy; Policy 2 is that of another company that makes a business deal with you

Policy Management Lifecycle (diagram): Plan -> Analyze -> Enforce -> Measure -> Improve

Policy lifecycle issues
- Requirements capture: what should the policy say?
- Development: adapt standard modules; build new ones; combine
- Evaluation: does the policy say what we want? Analysis, testing, debugging
- Compliance: can the policy be enforced by the information system?
- Maintenance: change as needed as requirements evolve

Policy Language and Deduction (core issue)
- Specification: state policy succinctly and directly, and be confident that the policy captures the intention
- Enforcement: deduction, proof of compliance
- Manage the policy lifecycle: policy development tools; safety and availability analysis

SPYCE Approach: tractable subsets of first-order logic
- Datalog: if-then patterns without function symbols or negation; the standard database query formalism
- Constraint Datalog: constraints drawn from constraint domains (hierarchies, intervals, discrete sets)
- Polarity-restricted FOL ("Lithium"): allows function symbols and negation; supports modular combination of policies

General policy form
A policy statement has the form

    ∀x1, …, ∀xm (Condition → (+/-) Permitted(principal, privilege))

where Condition is a conjunction of literals; the principal is an individual [HW] or a group [LM]; the privilege can be an action [HW] or a group [LM].
Groups: Yale (Feigenbaum, Li); Cornell (Halpern, Weissman); Stanford (Li, Mitchell, …)

Role-based Trust Management (RT) [Li, Mitchell, Winsborough, …]
- RT0: decentralized roles
- RT1: parameterized roles
- RT2: logical objects
- RT1C: structured resources
- RT2C: structured resources
- RTT: for separation of duties
- RTD: for selective use of role memberships
RTT and RTD can be used (either together or separately) with any of the five base languages: RT0, RT1, RT2, RT1C and RT2C.

Recall example (diagram with Alice, EPub, StateU and ABU)
- StateU is a university
- Alice is a student
- EPub grants access to university students
- EPub trusts universities to certify students
- EPub trusts ABU to certify universities

Example RT0 credentials
1. StateU.stuID <- Alice
2. ABU.accredited <- StateU
3. EPub.university <- ABU.accredited
4. EPub.student <- EPub.university.stuID
5. EPub.access <- EPub.student
Together, the five statements prove that Alice is entitled to access.

Distributed Policy (diagram with Alice, EPub, StateU, ABU and COE)
- ABU.accredited <- StateU
- COE.stuID <- Alice
- EPub.university <- ABU.accredited
- EPub.student <- EPub.university.stuID
- StateU.stuID <- COE.stuID
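As an added example that is not part of the slides and is not the RT implementation mentioned later, here is a small RT0 evaluator in Python. It computes role memberships as a least fixpoint (the Datalog semantics of RT0), handles the four RT0 credential forms (simple member, simple containment, linking and intersection), and is run over the five credentials of the previous slide and over the distributed variant with COE shown here. The credential strings use the slide's `<-` notation and the slide's entity names; the parser, the function names and the added `EPub.access <- EPub.student` line in the distributed set (carried over from the previous slide) are my own assumptions.

```python
from typing import Dict, List, Optional, Set, Tuple

Role = Tuple[str, str]  # (issuer, role name), e.g. ("EPub", "access")


def parse_role(text: str) -> Role:
    issuer, name = text.strip().split(".", 1)
    return issuer, name


def members(credentials: List[str]) -> Dict[Role, Set[str]]:
    """Least-fixpoint computation of the members of every role that heads a credential.

    Credential forms (RT0):
      A.r <- D              simple member
      A.r <- B.r1           simple containment
      A.r <- A.r1.r2        linking role (members of X.r2 for every X in A.r1)
      A.r <- B1.r1 & B2.r2  intersection
    """
    rules: List[Tuple[Role, List[str]]] = []
    for cred in credentials:
        head, body = cred.split("<-")
        rules.append((parse_role(head), [t.strip() for t in body.split("&")]))

    m: Dict[Role, Set[str]] = {head: set() for head, _ in rules}
    changed = True
    while changed:  # iterate until no rule adds a new member
        changed = False
        for head, body in rules:
            derived: Optional[Set[str]] = None
            for term in body:
                parts = term.split(".")
                if len(parts) == 1:                        # entity
                    s = {parts[0]}
                elif len(parts) == 2:                      # role B.r1
                    s = set(m.get((parts[0], parts[1]), set()))
                elif len(parts) == 3:                      # linked role A.r1.r2
                    s = set()
                    for x in m.get((parts[0], parts[1]), set()):
                        s |= m.get((x, parts[2]), set())
                else:
                    raise ValueError("unsupported RT0 term: " + term)
                derived = s if derived is None else derived & s   # '&' = intersection
            if derived and not derived <= m[head]:
                m[head] |= derived
                changed = True
    return m


def is_member(credentials: List[str], entity: str, role_text: str) -> bool:
    """Does the credential set prove that entity is a member of the role?"""
    return entity in members(credentials).get(parse_role(role_text), set())


# The five credentials from the previous slide.
SLIDE_CREDENTIALS = [
    "StateU.stuID <- Alice",
    "ABU.accredited <- StateU",
    "EPub.university <- ABU.accredited",
    "EPub.student <- EPub.university.stuID",
    "EPub.access <- EPub.student",
]

# The distributed variant: StateU delegates student IDs to its college COE.
DISTRIBUTED_CREDENTIALS = [
    "ABU.accredited <- StateU",
    "COE.stuID <- Alice",
    "EPub.university <- ABU.accredited",
    "EPub.student <- EPub.university.stuID",
    "StateU.stuID <- COE.stuID",
    "EPub.access <- EPub.student",   # assumed: EPub's access rule from the previous slide still holds
]

if __name__ == "__main__":
    print(is_member(SLIDE_CREDENTIALS, "Alice", "EPub.access"))        # True
    print(is_member(DISTRIBUTED_CREDENTIALS, "Alice", "EPub.access"))  # True
    # Drop ABU's accreditation of StateU and the chain breaks.
    without_abu = [c for c in SLIDE_CREDENTIALS if "ABU.accredited <-" not in c]
    print(is_member(without_abu, "Alice", "EPub.access"))              # False
```

Every membership the evaluator reports is backed by a chain of credentials, which is what "deduction, proof of compliance" means in the earlier slide; removing any link (as the last call does with ABU's accreditation) makes the conclusion disappear rather than leaving a stale grant behind.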

Privacy
- Policy: companies state their privacy policy on the web site; this is legally binding
- Outsourcing and coalitions: many companies outsource specific functions; partners may not have the same privacy policies; partners may have conflicting business objectives

Web Architecture and Privacy (diagram of layers: Database System, Application, Enterprise Portal; annotated "Policy!" and "Enforcement?")

Who cares about privacy?
- Companies with a P3P policy: the P3P policy makes a promise to customers; the company is legally obligated to comply
- Organizations facing compliance: healthcare, financial institutions, government
- Companies with customer assets: "privacy" means that customer assets are not compromised; banks must preserve the secrecy of customer SSNs

JetBlue information flow (source: A. Anton)
JetBlue information collected by OpenSkies is shared with Torch Concepts. Torch combined the JetBlue information with data from Acxiom and has no stated privacy policy.

EPAL Concepts (IBM privacy language)
- Condition, ruling, obligations: if condition then outcome; outcome = ruling plus obligations; ruling ∈ {yes, no, don't care}; obligations are actions that must occur
- Examples: if the employee owns the file then yes; if anyone accesses data then don't care and log the request

Policy Combination (diagram: two Denied/Permitted policies are combined; in the first case the result is well defined (OK), in the second it is unclear (??))

Policy language design space (diagram: one axis is permit-only vs. permit/deny, the other is resolves contradictions vs. can be contradictory; EPAL is placed as ordered)

EPAL order priority
- Intuitive? The exception must be given before the general case: birds can fly; penguins cannot fly
- Efficiency: sub-policies cannot be evaluated in parallel
- Scalability: how to combine separate sub-policies?

Some examples
- Unreachable: if male then yes; if female then no; if manager then no
- Inapplicable: if manager then yes; if VP then no; if male then no
- Ineffective: if VP then {run}; if manager then {run, jump}
- Redundant: if manager then {run, jump}; if VP then {run}
A policy editor could detect these situations.
Big problem: the combination of EPAL policies may not be an EPAL policy.
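The check a policy editor could run for the unreachable, inapplicable and redundant cases above, as an added Python example that is not from the slides: it enumerates every request over small finite attribute domains, records which rule is the first match under EPAL's ordered semantics, and reports rules that are never the first match. The attribute domains (sex, rank) and the role hierarchy (a VP counts as a manager) are my assumptions; the ineffective case concerns obligation semantics and is not covered by this check.

```python
from itertools import product
from typing import Callable, Dict, Iterator, List, Optional, Tuple

Request = Dict[str, str]
# A rule is (label, condition, ruling); rules are evaluated in order and the first match wins.
Rule = Tuple[str, Callable[[Request], bool], str]

# Constructed finite attribute domains for the slide's examples.
DOMAINS: Dict[str, List[str]] = {
    "sex": ["male", "female"],
    "rank": ["staff", "manager", "VP"],
}


# Assumption (not on the slide): a VP is a kind of manager, so "manager" covers VPs.
def is_manager(r: Request) -> bool:
    return r["rank"] in ("manager", "VP")


def is_vp(r: Request) -> bool:
    return r["rank"] == "VP"


def is_male(r: Request) -> bool:
    return r["sex"] == "male"


def is_female(r: Request) -> bool:
    return r["sex"] == "female"


def all_requests(domains: Dict[str, List[str]]) -> Iterator[Request]:
    """Enumerate every attribute assignment; the domains are finite, so this is exhaustive."""
    keys = list(domains)
    for values in product(*(domains[k] for k in keys)):
        yield dict(zip(keys, values))


def first_match(rules: List[Rule], req: Request) -> Optional[int]:
    for i, (_, cond, _) in enumerate(rules):
        if cond(req):
            return i
    return None


def decide(rules: List[Rule], req: Request, default: str = "don't care") -> str:
    """EPAL-style ordered evaluation: the ruling of the first matching rule, else the default."""
    i = first_match(rules, req)
    return rules[i][2] if i is not None else default


def dead_rules(rules: List[Rule], domains: Dict[str, List[str]] = DOMAINS) -> List[str]:
    """Labels of rules that are never the first match for any possible request.

    A dead rule is either unreachable (earlier rules already cover every request)
    or inapplicable/redundant (every request it matches is matched by an earlier rule).
    """
    reached = {first_match(rules, req) for req in all_requests(domains)}
    return [label for i, (label, _, _) in enumerate(rules) if i not in reached]


def uncovered_requests(rules: List[Rule], domains: Dict[str, List[str]] = DOMAINS) -> List[Request]:
    """Requests that fall through to the default ruling; useful for spotting missing cases."""
    return [req for req in all_requests(domains) if first_match(rules, req) is None]


UNREACHABLE: List[Rule] = [
    ("if male then yes", is_male, "yes"),
    ("if female then no", is_female, "no"),
    ("if manager then no", is_manager, "no"),
]
INAPPLICABLE: List[Rule] = [
    ("if manager then yes", is_manager, "yes"),
    ("if VP then no", is_vp, "no"),
    ("if male then no", is_male, "no"),
]
REDUNDANT: List[Rule] = [
    ("if manager then {run, jump}", is_manager, "{run, jump}"),
    ("if VP then {run}", is_vp, "{run}"),
]

if __name__ == "__main__":
    for name, rules in (("unreachable", UNREACHABLE), ("inapplicable", INAPPLICABLE), ("redundant", REDUNDANT)):
        print(name, "-> dead rules:", dead_rules(rules))
```

Exhaustive enumeration is only viable because the domains are finite and small; the slide's point that a combination of EPAL policies may not itself be an EPAL policy is exactly why such editor-side checks have to be rerun after every combination step.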

Datalog as a Foundation
- Natural: security policy statements are if-then rules
- Precise: declarative and widely understood semantics
- Tractable: no function symbols => tractability; efficient goal-directed evaluation procedures
- Available technology: extensive Datalog research in logic programming and databases

Better: Constraint Datalog
- Why constraints: Datalog cannot easily express permissions about structured resources and ranges
- What Constraint Datalog is: a special form of CLP; the query language for constraint databases
- A Constraint Datalog rule has the form

    R0(x0) :- R1(x1), ..., Rn(xn), ψ(x0, x1, …, xn)

  where x0, x1, …, xn are tuples of variables and ψ is a constraint over all the variables

Example Policy with Constraints
A grants to B the permission to connect to hosts in the domain "stanford.edu" at port 80, valid from time t1 to t3, and allows B to further delegate:

    grantConnect(A, B, h, p, v) :- h ⪯ ⟨edu,stanford⟩, p = 80, v ∈ [t1, t3]
    grantConnect(A, x, h, p, v) :- grantConnect(B, x, h, p, v), h ⪯ ⟨edu,stanford⟩, p = 80, v ∈ [t1, t3]

Useful Constraint Domains
- Tree domains: path expressions ⟨a1, a2, …, ak⟩, e.g. ⟨pub, software⟩ for /pub/software; primitive constraints are x = y or x θ ⟨a1, …, ak⟩, where θ ∈ {=, <, ≤, ≺, ⪯}
- Range domains: primitives are x = y, x = c, or x ∈ (c1, c2)
- Discrete domains with finite sets: primitive constraints are x = y, x ∈ {c1, c2, …, cj}
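To make the two grantConnect rules of the previous slide and the three constraint domains above concrete, here is an added Python example (not from the slides and not the RT implementation): it encodes the tree-domain test h ⪯ ⟨edu,stanford⟩ as a path-prefix check on the reversed DNS labels, the port and validity constraints as a discrete-set and a range check, and evaluates grantConnect top-down through A's delegation to B. The times t1 = 100 and t3 = 300, the entity C and B's onward grant to C are constructed for illustration, and reading the host constraint as "host is in the subtree rooted at ⟨edu,stanford⟩" is my assumption.

```python
from typing import Dict, List, Tuple

Path = Tuple[str, ...]


def path_of(hostname: str) -> Path:
    """Tree-domain element for a DNS name: 'www.cs.stanford.edu' -> ('edu', 'stanford', 'cs', 'www')."""
    return tuple(reversed(hostname.lower().strip(".").split(".")))


def below_or_equal(x: Path, node: Path) -> bool:
    """The tree-domain constraint x ⪯ node: x is node itself or a descendant of it."""
    return x[:len(node)] == node


class Constraint:
    """Conjunction of three primitive constraints, one per domain on the slide:
    host ⪯ domain (tree), port ∈ ports (discrete set), time ∈ [t_lo, t_hi] (range)."""

    def __init__(self, domain: str, ports: List[int], t_lo: int, t_hi: int) -> None:
        self.domain = path_of(domain)
        self.ports = set(ports)
        self.t_lo, self.t_hi = t_lo, t_hi

    def holds(self, host: str, port: int, time: int) -> bool:
        return (below_or_equal(path_of(host), self.domain)
                and port in self.ports
                and self.t_lo <= time <= self.t_hi)


class ConnectPolicy:
    """grantConnect facts and delegations, each carrying a Constraint on (h, p, v)."""

    def __init__(self) -> None:
        self.grants: Dict[Tuple[str, str], List[Constraint]] = {}       # (issuer, subject) -> constraints
        self.delegations: Dict[str, List[Tuple[str, Constraint]]] = {}  # issuer -> [(delegate, constraint)]

    def grant(self, issuer: str, subject: str, c: Constraint) -> None:
        # grantConnect(issuer, subject, h, p, v) :- c(h, p, v)
        self.grants.setdefault((issuer, subject), []).append(c)

    def delegate(self, issuer: str, delegate: str, c: Constraint) -> None:
        # grantConnect(issuer, x, h, p, v) :- grantConnect(delegate, x, h, p, v), c(h, p, v)
        self.delegations.setdefault(issuer, []).append((delegate, c))

    def grant_connect(self, issuer: str, x: str, host: str, port: int, time: int,
                      seen: Tuple[str, ...] = ()) -> bool:
        """Top-down evaluation of grantConnect(issuer, x, host, port, time)."""
        for c in self.grants.get((issuer, x), []):
            if c.holds(host, port, time):
                return True
        if issuer in seen:  # guard against cyclic delegation
            return False
        for delegate, c in self.delegations.get(issuer, []):
            # The delegator's own constraint is re-checked on every hop, so a delegate
            # can narrow the permission but never widen it.
            if c.holds(host, port, time) and self.grant_connect(delegate, x, host, port, time, seen + (issuer,)):
                return True
        return False


def slide_policy() -> ConnectPolicy:
    """The slide's two rules with constructed times t1 = 100, t3 = 300, plus B's onward grant to C."""
    p = ConnectPolicy()
    a_constraint = Constraint("stanford.edu", [80], 100, 300)
    p.grant("A", "B", a_constraint)          # rule 1
    p.delegate("A", "B", a_constraint)       # rule 2
    # Constructed: B passes a permission on to C; A's constraint still applies along the chain.
    p.grant("B", "C", Constraint("cs.stanford.edu", [80, 443], 50, 400))
    return p


if __name__ == "__main__":
    p = slide_policy()
    print(p.grant_connect("A", "B", "www.stanford.edu", 80, 200))          # True
    print(p.grant_connect("A", "C", "www.cs.stanford.edu", 80, 200))       # True, via B
    print(p.grant_connect("A", "C", "www.cs.stanford.edu", 443, 200))      # False, A allows port 80 only
    print(p.grant_connect("A", "B", "stanford.edu.example.com", 80, 200))  # False, not in the subtree
```

The last call is the reason a tree domain is used rather than a string suffix test: "stanford.edu.example.com" ends in "stanford.edu" as text, but its path ⟨com, example, edu, stanford⟩ does not lie under ⟨edu, stanford⟩, so the constraint correctly rejects it.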

RT Accomplishments
- RT language design
- RT deduction, trust negotiation: fast distributed deduction, constraints
- Comparative analysis: KeyNote, SPKI 2.0
- Safety and availability analysis: HRU undecidability => RT poly-time, NP, PSPACE
- Sample applications: August scheduling, U-STOR-IT file sharing, ATN, …
- Transitions: IBM privacy, InnerPresence, NTT DoCoMo, Hitachi

Implementation Status
- Java inference engine for RT0
- Preliminary version of RTML, an XML-based encoding of RT statements; XML Schemas and a parser exist
- Applications: U-STOR-IT (web-based file storage and sharing); August (a distributed calendar program); Automated Trust Negotiation demo by NAI; TNT trust negotiation architecture at BYU

Architecture design for a policy-based portal site (Hitachi; diagram)
Components: User, Portal site, Service Provider (Web services), Authentication Authority, Attribute Authority (A), Attribute Authority (B), Policy Decision Authority, UDDI Registry. Protocols: SOAP between the portal and the web services; SAML authentication and attribute assertions; UDDI register/discover; Liberty Alliance federated ID (the diagram distinguishes a user who has a federated ID from one who does not); credential chains expressed in the role-based trust management (TM) language. Flow: the user accesses the portal, which invokes a service and returns results customized by the General Policy or by Bob's Policy (B).
Example policies in the diagram:
- Bob's Policy (A): Bob.Address <- CA; Bob.Job <- Student; …
- General Policy: Discount <- Student; …
- Bob's Policy (B): Bob.MembershipPoint <- high; …

Open Problems
- Evaluation: a complete study of EPAL
- Extend the RT languages: denying policies (for policy combination); obligations
- Distributed enforcement algorithms
- Policy lifecycle tools: safety analysis; resolving conflicts in policy combination; the relation between the enforcement policy and the advertised policy?

Critical Infrastructure Protection
- Many critical infrastructures, national and DoD-specific, are decentralized
- Data sharing is essential for operation, but data compromise can be catastrophic
- Research question: how to share data safely, using policies that are easy to formulate, enforce and maintain
- Approach: diffuse trust management

Assuring Software Quality
- Technology applicable to managing process interaction: process A delegates rights to process B for a limited purpose, limited time and limited locations; fine-grained control of process actions; works for diffuse systems that escape the normal controls imposed by localized OSs
- Diffuse principle of least privilege

DoD Impact
- Dynamic coalitions: partial sharing based on partial trust
- Joint Vision 2010 / Joint Vision 2020 "Network Centric" operations: policy can be used to push data and overcome network bandwidth limitations; the right data to the right place at the right time

Plans
- Applications and transitions: work with XrML developers on language and algorithms; IBM Privacy Project (extend RT algorithms to EPAL and P3P applications); pursue commercial and DoD applications (larger policy sets, network policies)
- Generalize results: RT -> Datalog -> PFOL
- Improve the implementation: RT0 -> Datalog -> PFOL
- Policy development environment and tools: user interface, XML format, interoperability; testing methodology, analysis methods

Automated Trust Negotiation
- Credentials may contain sensitive information: they need protection just as other resources do, so deduction must be interactive
- The Trust Target Graph (TTG) protocol: supports RT0, which has delegation; supports distributed discovery of statements; supports Ack policies, which also protect against unauthorized leakage of attribute information
- Cryptographic protocols for ATN: Oblivious Signature-Based Envelope (OSBE)

August: Distributed Calendar
- Users define groups, possibly interdependent
- Each user has a calendar and can specify a policy that determines who is allowed to view each part of the user's calendar, and who is allowed to add an activity of a certain kind at a certain time

U-STOR-IT: Web-based sharing
- User authentication: SSL and X.509 certificates
- Users define interdependent groups
- Locker: a hierarchical folder of heterogeneous files; the locker/file upload and access policy is set by the owner
- Policies are translated into RT
- Implemented with Java Servlets and MySQL