1 Formal Model and Analysis of Usage Control
Dissertation defense
Student: Xinwen Zhang
Director: Ravi S. Sandhu
Co-director: Francesco Parisi-Presicce
Department of Information and Software Engineering, School of Information Technology and Engineering, George Mason University, Fall 2005

2 Outline
Introduction: motivations and problem statement
Background: usage control and TLA
A Formalization of UCON: a logical model to formalize state transitions in a single usage; policy specification flexibility of the logical model
Expressive Power of UCON: a model to formalize the global effects of a usage and the accumulative results of a sequence of usages; relative expressive power between UCON A and traditional access control models; relative expressive power between UCON A and UCON B
Safety Analysis of UCON: safety undecidability of the general UCON A model; safety-decidable UCON A models; expressive power of the safety-decidable models
Contribution Summary and Future Work

3 Motivations & Problem Statement
Motivations of UCON: a comprehensive unified model that fundamentally extends traditional access control models and captures DRM and trust management systems. A conceptual model has been presented by Park and Sandhu.
Formalization of the UCON model is required for the precise semantics of the conceptual model, for policy definition, and for the analysis of UCON properties.
Two fundamental problems in access control: expressive power and safety analysis.

4 UCON Model (Park and Sandhu 2004)
Attribute mutability: attributes can be updated as side-effects of a usage (pre, ongoing and post updates).
Core models: preA0, preA1, preA2, preA3, onAx, preBx, onBx, preCx, onCx. A real model may be a combination of core models.
Decision continuity: a usage process has three phases, and decisions are made in the first two. Pre-decision: preA, preB, preC. Ongoing decisions: the decision check is repeated during the ongoing usage phase: onA, onB, onC.

5 An Example
Resource-constrained access control: a limited number (10) of ongoing accesses to a single object. When an 11th subject requests a new access, one ongoing access is revoked.
Different revocation policies:
By start time: the longest-running ongoing usage is revoked.
By idle time: the usage with the longest total idle time is revoked.
By total usage time: the usage with the longest accumulated usage time is revoked.
This needs decision continuity, attribute mutability, and revocation of ongoing accesses.

6 Temporal Logic of Actions (Lamport 1994)
Basic terms of TLA:
Variables and values
State: an assignment of values to variables
Predicates: boolean expressions using variables in a single state
Actions: boolean expressions using variables in two states
Future temporal operators:
Past temporal operators:

7 Logical Model of UCON: Variables, States, Predicates
Variables:
Subject attributes: role, group, clearance, credit, etc.
Object attributes: type, owner, access control list, etc.
System attributes: location, time, load, etc.
A state of a UCON system is an assignment of values to attributes.
Predicates: boolean expressions built from subject attributes, object attributes, and system attributes in a single state, e.g. Alice.credit > $1000, file1.classification = secure, Dominate(Alice.clearance, file1.classification), (Bob, read) file2.ACL

8 Logical Model of UCON: Actions
Control actions: actions changing the usage state state(s,o,r) of a single usage process (s,o,r); state(s,o,r) has 6 values, and there are 5 control actions.
Update actions, e.g. s.credit = s.credit - $50.0
Obligation actions: actions that have to be performed before or during a usage; they may or may not be performed by the requesting subject and on the target object.

9 Logical Model of UCON
The logical model of a UCON system is a 5-tuple (S, P_A, P_C, A_A, A_B), where
S is a set of sequences of states of the system,
P_A is a finite set of authorization predicates built from the attributes of subjects and objects,
P_C is a finite set of condition predicates built from the system attributes,
A_A is a finite set of control actions,
A_B is a finite set of obligation actions.
A logic formula consisting of predicates, actions, and logical and temporal operators:

10 Specification of Core Models
Ongoing authorizations: onA123
Example: resource-constrained access control with revocation by idle time.
Object attribute: status (with value busy or idle)
Subject attributes: status (with value busy or idle), idleTime
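To make the ongoing-authorization case concrete, here is an added simulation written for this page (not code from the dissertation) of the resource-constrained policy with revocation by idle time: the object admits at most 10 ongoing usages, idle subjects accumulate idleTime while their usage is active, and the ongoing check is re-evaluated after every event rather than only at request time. The limit of 10 is the slide's; the tick-based clock, the subject names, the `Resource` and `Usage` helpers and the tie-break rule (longest idle time, then earliest start) are assumptions.

```python
"""Added example, not from the dissertation: simulation of the
resource-constrained ongoing-authorization (onA) policy with revocation
by idle time. The limit of 10 comes from the slide; the tick clock, names
and the tie-break rule (longest idle time, then earliest start) are assumed."""
from dataclasses import dataclass, field

MAX_ONGOING = 10


@dataclass
class Usage:
    """One ongoing usage (s, o, r) and the subject attributes the policy reads."""
    subject: str
    start: int
    status: str = "busy"     # 'busy' or 'idle'
    idleTime: int = 0        # accumulated idle ticks, updated during the usage


@dataclass
class Resource:
    """The object side: its ongoing usages and a log of revocations."""
    name: str
    ongoing: dict = field(default_factory=dict)   # subject -> Usage
    revoked: list = field(default_factory=list)   # (time, subject)


def ongoing_check(res, now):
    """The onA check, re-evaluated after every event (decision continuity):
    while more than MAX_ONGOING usages are active on the object, the usage
    with the longest accumulated idle time fails the check and is revoked."""
    while len(res.ongoing) > MAX_ONGOING:
        victim = max(res.ongoing.values(), key=lambda u: (u.idleTime, -u.start))
        del res.ongoing[victim.subject]
        res.revoked.append((now, victim.subject))


def request_access(res, subject, now):
    """Admit a new usage, then re-run the ongoing check so that an 11th
    access triggers the revocation of one existing usage."""
    if subject in res.ongoing:
        return False
    res.ongoing[subject] = Usage(subject, start=now)
    ongoing_check(res, now)
    return subject in res.ongoing


def set_status(res, subject, status):
    """Attribute update driven by the subject's behaviour (busy/idle)."""
    if subject in res.ongoing:
        res.ongoing[subject].status = status


def tick(res, now):
    """One clock tick: idle subjects accumulate idleTime, then the onA check re-runs."""
    for u in res.ongoing.values():
        if u.status == "idle":
            u.idleTime += 1
    ongoing_check(res, now)


def end_usage(res, subject):
    """Normal end of a usage (post phase); frees a slot without revocation."""
    res.ongoing.pop(subject, None)


def run_scenario():
    """Constructed timeline; returns (admit decisions, revocation log, active subjects)."""
    res = Resource("file1")
    for i in range(MAX_ONGOING):
        request_access(res, f"user{i}", now=i)     # ten accesses fill the object
    set_status(res, "user3", "idle")
    set_status(res, "user7", "idle")
    for now in range(10, 15):
        tick(res, now)                             # user3 and user7 idle for 5 ticks
    set_status(res, "user7", "busy")
    set_status(res, "user1", "idle")
    for now in range(15, 18):
        tick(res, now)                             # user3: 8 idle ticks, user1: 3
    admitted = [request_access(res, "user10", now=18),   # revokes user3
                request_access(res, "user11", now=19)]   # revokes user7 (5 > 3)
    end_usage(res, "user11")
    admitted.append(request_access(res, "user12", now=20))  # free slot, no revocation
    return admitted, res.revoked, sorted(res.ongoing)


if __name__ == "__main__":
    print(run_scenario())
```

The point of the `tick` function is that the revocation decision depends on an attribute (idleTime) that changes while the usage is already underway, which is exactly what a pre-decision-only model cannot express.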

11 Specifying General Policies
Control rules:
Update rules:

12 Specifying General Policies
Completeness: any UCON policy can be specified by a non-empty set of control rules and a set of update rules.
Soundness: a non-empty set of control rules and a set of update rules can be satisfied by at least one UCON model.

13 Policy Specification Flexibility
RBAC models (RBAC0, RBAC1, RBAC2)
Chinese Wall policies
Dynamic separation of duty
MAC policy with the high-watermark property
Healthcare information systems with authorizations and obligations

14 Expressive Power & Safety Analysis
Expressive power: the flexibility to express policies for varying requirements; expressive power is compared between access control models.
Safety problem: given a system, specified by an initial state and a scheme, is there a reachable state in which a subject has a particular right on an object?
Expressive power and safety analysis are conflicting goals for an access control model: in general, the more expressive a model is, the harder it is to carry out safety analysis computationally. Examples: HRU, SPM, and TAM.

15 Formal Model of preA & preB
To formalize the global effect of a single usage process, instead of the detailed state transitions within a single usage process given by the logical model.
A system state is (O, ), where O is a set of objects, : O ATT dom(ATT) {null} is the attribute assignment, and S O.
Three primitive actions: createObject, destroyObject, updateAttribute
preA policy:
preB policy:

16 Formal Model of preA & preB
A UCON preA scheme is a 4-tuple (ATT, R, P, C), where ATT is a finite set of attribute names, R is a finite set of rights, P is a finite set of predicates, and C is a finite set of policies. A UCON preA system is specified by a preA scheme and an initial state (O_0, _0).
A UCON preB scheme is a 5-tuple (ATT, R, P, B, C), where B is a finite set of obligation actions. A UCON preB system is specified by a preB scheme and an initial state (O_0, _0).

17 Expressive Power of preA: iTunes-like Systems
Entities: user, iTunes music store, device (platform), music file. Rights: register, order, play, authorize, deauthorize.
register(s, u): if true then permit(s,u,register); createObject u; updateAttribute: s.regUsers' = s.regUsers {u}; updateAttribute: u.registered' = true; updateAttribute: u.platformList' = o; updateAttribute: u.orderList' = o; updateAttribute: u.credit' = 0.00
order(u, m): if (u.registered = true) (u.credit m.price) (m u.orderList) then permit(u,m,order); updateAttribute: u.orderList' = u.orderList {m}; updateAttribute: m.owner' = u; updateAttribute: u.credit' = u.credit - m.price
play(p, m): if (p.authorizedBy null) (m.owner null) (p.authorizedBy = m.owner) then permit(p,m,play)
authorize_platform(u, p): if (u.registered = true) (|u.platformList| < 5) (p u.platformList) then permit(u,p,authorize); updateAttribute: u.platformList' = u.platformList {p}; updateAttribute: p.authorizedBy' = u
deauthorize_platform(u, p): if (u.registered = true) (p u.platformList) then permit(u,p,deauthorize); updateAttribute: u.platformList' = u.platformList - {p}; updateAttribute: p.authorizedBy' = null
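The policy set above as executable code: this is an added example written for this page, not code from the dissertation or from any real music-store implementation. It assumes the comparison operators the slide text lost (order requires u.credit >= m.price and m not yet in u.orderList; authorize_platform requires p not in u.platformList; deauthorize_platform requires p in u.platformList; register sets platformList and orderList to the empty set), represents null as `None`, and adds a constructed `topup` policy so that a registered user can obtain credit, since the slide shows no policy that grants any. All object names are constructed.

```python
"""Added example, not code from the dissertation: a minimal interpreter for a
UCON preA scheme, run on the iTunes-like policies of the slide. Assumed
operators (lost from the slide text): order needs u.credit >= m.price and
m not in u.orderList; authorize needs p not in u.platformList; deauthorize
needs p in u.platformList. `topup` and all names are constructed; null is None."""


class Policy:
    """A preA policy: a predicate over the state, a createObject flag for the
    target, and the updateAttribute actions applied when the usage is permitted."""
    def __init__(self, pred, creates=False, updates=None):
        self.pred, self.creates = pred, creates
        self.updates = updates or (lambda st, s, o: None)


def try_access(state, policies, s, o, right):
    """Pre-authorization for (s, o, right): the predicate is evaluated once before
    the usage starts; on permit the primitive actions run as side effects."""
    pol = policies[right]
    if s not in state or (o in state) == pol.creates:
        return False          # unknown subject, or createObject/existence mismatch
    if not pol.pred(state, s, o):
        return False
    if pol.creates:
        state[o] = {}         # createObject o
    pol.updates(state, s, o)
    return True


# updateAttribute actions; a primed attribute in the slide is an assignment here
def register_upd(st, s, u):
    st[s]["regUsers"] = st[s]["regUsers"] | {u}
    st[u].update(registered=True, platformList=frozenset(),
                 orderList=frozenset(), credit=0.0)

def order_upd(st, u, m):
    st[u]["orderList"] = st[u]["orderList"] | {m}
    st[m]["owner"] = u
    st[u]["credit"] = st[u]["credit"] - st[m]["price"]

def authorize_upd(st, u, p):
    st[u]["platformList"] = st[u]["platformList"] | {p}
    st[p]["authorizedBy"] = u

def deauthorize_upd(st, u, p):
    st[u]["platformList"] = st[u]["platformList"] - {p}
    st[p]["authorizedBy"] = None

def topup_upd(st, s, u):      # constructed: the slide shows no source of credit
    st[u]["credit"] = st[u]["credit"] + 5.0


POLICIES = {
    "register": Policy(lambda st, s, u: True, creates=True, updates=register_upd),
    "topup": Policy(lambda st, s, u: u in st[s].get("regUsers", ()), updates=topup_upd),
    "order": Policy(lambda st, u, m: st[u].get("registered") is True
                    and st[u]["credit"] >= st[m]["price"]
                    and m not in st[u]["orderList"], updates=order_upd),
    # play: the subject is the platform p, the object the music file m
    "play": Policy(lambda st, p, m: st[p].get("authorizedBy") is not None
                   and st[m].get("owner") is not None
                   and st[p]["authorizedBy"] == st[m]["owner"]),
    "authorize": Policy(lambda st, u, p: st[u].get("registered") is True
                        and len(st[u]["platformList"]) < 5
                        and p not in st[u]["platformList"], updates=authorize_upd),
    "deauthorize": Policy(lambda st, u, p: st[u].get("registered") is True
                          and p in st[u]["platformList"], updates=deauthorize_upd),
}


def initial_state():
    """Constructed initial state (O, sigma): the store, six devices, one music file."""
    st = {"store": {"regUsers": frozenset()}, "song": {"price": 0.99, "owner": None}}
    for d in ("ipod", "laptop", "dev2", "dev3", "dev4", "dev5"):
        st[d] = {"authorizedBy": None}
    return st


def run_scenario():
    """Constructed request sequence; returns the decisions and the final state."""
    st = initial_state()
    requests = [
        ("register", "store", "alice"),
        ("order", "alice", "song"),        # denied: credit 0.00 < price
        ("topup", "store", "alice"),
        ("order", "alice", "song"),        # permitted; song.owner := alice
        ("order", "alice", "song"),        # denied: song already in alice.orderList
        ("play", "ipod", "song"),          # denied: ipod authorized by nobody
        ("authorize", "alice", "ipod"),
        ("play", "ipod", "song"),          # permitted: ipod.authorizedBy = song.owner
        ("play", "laptop", "song"),        # denied: laptop never authorized
        ("deauthorize", "alice", "ipod"),
        ("play", "ipod", "song"),          # denied again after deauthorization
    ]
    return [try_access(st, POLICIES, s, o, r) for r, s, o in requests], st


def platform_limit():
    """The |u.platformList| < 5 clause: the sixth authorization is denied."""
    st = initial_state()
    try_access(st, POLICIES, "store", "bob", "register")
    return [try_access(st, POLICIES, "bob", d, "authorize")
            for d in ("ipod", "laptop", "dev2", "dev3", "dev4", "dev5")]
```

Each decision is taken from attribute values alone, and every permit rewrites attributes that later decisions read (credit, owner, platformList), which is why a sequence of usages must be analysed as a whole rather than one request at a time.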

18 Expressive Power of UCON preA
The expressive power of the UCON preA model has been formally studied by comparing it with traditional access control models: simulating the general SO-TAM model, and simulating the general SO-ATAM model.
Theorem: UCON preA is more expressive than TAM. UCON preA is at least as expressive as ATAM.

19 Relative Expressive Power of preA & preB
Theorem: UCON preA and preB have the same expressive power. A preA policy can be simulated by a preB policy; a preB policy can be simulated by a finite number of preA policies.

20 Safety Analysis of UCON preA
Theorem: the general preA model has undecidable safety. Proved by reducing a general SO-TAM system to a preA system, and also by simulating the operations of a general Turing machine with a preA model.

21 Safety Analysis of UCON preA
Theorem: the safety problem of a preA system is decidable if the value domain of each attribute is finite, and there is no creating policy in the scheme. The complexity of the safety problem is polynomial in the number of possible states of the system, and NP-hard in the number of policies in the scheme.
Theorem: the safety problem of a preA system is decidable if the attribute creation graph is acyclic, the attribute update graph has no cycle containing a create-parent attribute tuple, and in each creating policy both the parent's and the child's attribute tuples are updated.
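As an added example for the first decidability result (not code from the dissertation): when every attribute has a finite value domain and no policy creates objects, the reachable state space is finite, so the safety question can be decided by enumerating it exhaustively. The scheme below is a constructed dynamic separation-of-duty policy in the spirit of the backup slide (a subject who prepares a check cannot issue it), checked next to a flawed variant that drops the separation clause; it goes a step beyond the slide by returning the usage sequence that reaches the unsafe state. Subject and object names, the `role`/`preparedBy`/`issued` attributes and the breadth-first encoding are assumptions.

```python
"""Added example, not from the dissertation: exhaustive safety analysis for a
UCON preA scheme meeting the first decidability condition of the slide
(finite attribute domains, no creating policy). The scheme is a constructed
dynamic separation-of-duty policy: a subject who prepares a check may not
issue it. Subjects, objects and the flawed variant are constructed."""
from collections import deque


def encode(state):
    """Hashable snapshot of (O, sigma): a frozenset of (object, attribute, value)."""
    return frozenset((o, a, v) for o, attrs in state.items() for a, v in attrs.items())


def decode(snapshot):
    st = {}
    for o, a, v in snapshot:
        st.setdefault(o, {})[a] = v
    return st


# --- constructed scheme: attribute domains are finite, no policy creates objects
def prepare_pred(st, s, c):
    return st[s]["role"] == "clerk" and st[c]["preparedBy"] is None


def prepare_upd(st, s, c):
    st[c]["preparedBy"] = s          # records who prepared the check


def issue_pred(st, s, c):
    return (st[s]["role"] == "clerk" and st[c]["preparedBy"] is not None
            and st[c]["preparedBy"] != s and not st[c]["issued"])


def issue_upd(st, s, c):
    st[c]["issued"] = True


DSOD_SCHEME = {"prepare": (prepare_pred, prepare_upd), "issue": (issue_pred, issue_upd)}

# A flawed variant in which the separation clause `preparedBy != s` was left out.
FLAWED_SCHEME = {
    "prepare": (prepare_pred, prepare_upd),
    "issue": (lambda st, s, c: st[s]["role"] == "clerk"
              and st[c]["preparedBy"] is not None and not st[c]["issued"], issue_upd),
}


def initial_state():
    return {"alice": {"role": "clerk"}, "bob": {"role": "clerk"},
            "check1": {"preparedBy": None, "issued": False}}


def subjects(st):
    return sorted(o for o in st if "role" in st[o])


def checks(st):
    return sorted(o for o in st if "issued" in st[o])


def dsod_violated(scheme, st):
    """Unsafe state: some subject holds `issue` on a check it prepared itself."""
    pred = scheme["issue"][0]
    return any(st[c]["preparedBy"] == s and pred(st, s, c)
               for s in subjects(st) for c in checks(st))


def safety_check(scheme, init, violated):
    """Breadth-first search over reachable states. Returns (safe, witness, n):
    witness is the usage sequence reaching the first unsafe state and n the
    number of distinct states visited. Termination is guaranteed because the
    domains are finite and no policy creates objects."""
    start = encode(init)
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        st = decode(cur)
        if violated(scheme, st):
            trace = []
            while parent[cur] is not None:
                cur, step = parent[cur]
                trace.append(step)
            return False, trace[::-1], len(parent)
        for right, (pred, upd) in scheme.items():
            for s in subjects(st):
                for c in checks(st):
                    if not pred(st, s, c):
                        continue
                    nxt = decode(cur)       # fresh copy of the current state
                    upd(nxt, s, c)
                    snap = encode(nxt)
                    if snap not in parent:
                        parent[snap] = (cur, (s, c, right))
                        queue.append(snap)
    return True, [], len(parent)


if __name__ == "__main__":
    print(safety_check(DSOD_SCHEME, initial_state(), dsod_violated))
    print(safety_check(FLAWED_SCHEME, initial_state(), dsod_violated))
```

The state count returned alongside the verdict is the quantity the complexity statement refers to: the search is linear in the number of reachable states, and that number, not the number of policies, is what stays small when attribute domains are small.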

22 Expressive Power of Decidable preA
The decidable model can express an RBAC96 model with the URA97 scheme.
The decidable model can express DRM applications with consumable rights:
order(s, o): if (s.credit o.price) (o.owner = null) then permit(s,o,order); updateAttribute: s.credit' = s.credit - o.price; updateAttribute: o.owner' = s; updateAttribute: o.copylicense' = 10
allow_copy(s, o): if (o.owner = s) (o.copylicense > 0) then permit(s,o,allowcopy); updateAttribute: o.allowcopy' = true
copy(o1, o2): if (o1.allowcopy = true) then permit(o1,o2,copy); createObject o2; updateAttribute: o2.sn' = o1.copylicense; updateAttribute: o1.copylicense' = o1.copylicense - 1; updateAttribute: o1.allowcopy' = false

23 Contribution Summary
A logical model of UCON is developed: precisely defining the semantics of the conceptual model; specifying policies for general UCON models with completeness and soundness; policy specification flexibility shown by defining policies for various applications.
Formal study of the expressive power of UCON preA and preB: preA is at least as expressive as ATAM; preA and preB have the same expressive power.
Safety analysis of UCON preA: safety undecidability of the general model; two safety-decidable models with restrictions on the general model; expressive power of the decidable models shown by simulating RBAC and DRM applications.

24 Future Work
An administrative model of UCON
Efficiently decidable UCON models
Expressive power and safety analysis of UCON ongoing models
UCON architectures and mechanisms

25 Related Publications
Xinwen Zhang, Sejong Oh, and Ravi Sandhu, PBDM: A Flexible Delegation Model in RBAC, 8th ACM Symposium on Access Control Models and Technologies (SACMAT).
Xinwen Zhang, Jaehong Park, Francesco Parisi-Presicce, and Ravi Sandhu, A Logical Specification for Usage Control, ACM SACMAT.
Jaehong Park, Xinwen Zhang, and Ravi Sandhu, Attribute Mutability in Usage Control, Annual IFIP WG 11.3 Working Conference on Data and Applications Security.
Xinwen Zhang, Jaehong Park, Francesco Parisi-Presicce, and Ravi Sandhu, Formal Model and Policy Specification of Usage Control, ACM Transactions on Information and System Security (TISSEC), to appear.
Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce, Safety Analysis of Usage Control Authorization Model, to appear in ACM Symposium on Information, Computer, and Communication Security.
Xinwen Zhang, Masayuki Nakae, Ravi Sandhu, Michael J. Covington, A Usage-based Authorization Framework for Collaborative Computing Systems, in submission.

26 Thank you! Q & A

27 Backup

28 OM-AM Framework (Sandhu 2000)

29 Specifying Core Models
preA0:
preA1:
An example: Dynamic Separation of Duty (DSoD), with rights prepare and issue. A subject who prepares a check cannot issue it:

30 Expressive Power of preA
A model for iTunes-like systems: a UCON preA scheme (ATT, R, P, C), where R = {register, order, authorize, deauthorize, play} and ATT is a set of attribute names.

31 Relative Expressive Power of preA & preB
A preB system can be simulated with a preA system:
policy_B(s, o, ob): if (s.role = ITE_faculty) (o.statement = ob) sign(s, ob) then permit(s,o,r)
policy_A1(s, ob): if true then permit(s,ob,sign); updateAttribute: s.signed' = ob
policy_A2(s, o): if (s.role = ITE_faculty) (o.statement = s.signed) then permit(s,o,r); updateAttribute: s.signed' = null

32 Relative Expressive Power of preA & preB
A preA system can be simulated with a preB system:
policy_A(s, o): if (s.role = ITE_faculty) then permit(s,o,r)
policy_B(s, o): if (s.role = ITE_faculty) try_access(s, o) then permit(s,o,r)