Trust Management: Access policy and deduction John Mitchell.

Diffuse Computing Distributed Data Systems

Access control decision
- Given: a user and a request for a privilege = ⟨resource, right⟩
- Decide: whether to grant the request
- Specify: who, what, when, why?
- (Figure: a user/process requests a read/write right on a filename, mediated by the resource)
- Also: authorization management, workflow, ...

Goals
- Flexible and scalable access control for large-scale, open, decentralized systems
  - Resource sharing in decentralized systems: coalitions, multi-centric collaborative systems, grid computing
  - Electronic commerce
  - Health care systems
  - Authorization management

Policy Language and Deduction (core issue)
- Say what you want: succinctly and directly, with confidence that you said what you meant
- Enforcement: deduction, proof of compliance
- Policy development tools: manage the policy lifecycle; safety and availability analysis

Single sign-on systems (e.g. Securant, Netegrity, Oblix)
(Figure: a user presents a user name and password; an authentication component applies the rules and fronts the application data on the LAN.)

Distributed Access Control
(Figure: each resource monitor runs a deduction engine over its policies and the credentials presented to it; credentials are issued by a certificate authority.)

Digital Distribution Dream
(Figure: artist, distributor and consumer each attach policy to content as it flows to the player; the same pattern covers military ORCON (originator-controlled) policy and secure network transactions.)

Trust Management (TM)
- Multicentric access control using delegation
  - Access control decisions are based on distributed policy statements issued by multiple principals
  - Policy statements contain attributes of principals (such as permissions, roles, qualifications, characteristics) and trust relationships
- Common characteristics of TM systems:
  - Treat public keys as the principals to be authorized
  - Use digitally signed credentials for non-local statements

History
- Early TM languages
  - PolicyMaker, KeyNote [Blaze, Feigenbaum, et al.]
  - SPKI/SDSI [Ellison, Rivest, Lampson, et al.]
- Datalog-based TM languages
  - Delegation Logic [Li, Feigenbaum, and Grosof]
  - SD3 [Jim]
  - Binder [DeTreville]
- Some other related work
  - ABLP logic [Abadi, Burrows, Lampson, et al.]
  - AF logic [Appel and Felten]
  - QCM [Gunter and Jim]

Our Policy Framework: first-order logic (FOL)
- A policy statement has the form ∀x1, …, ∀xm (Condition ⇒ (¬)Permitted(principal, privilege)), where Condition is a conjunction of literals
  - principal can be an individual [HW] or a group [LM]
  - privilege can be an action [HW] or a group [LM]
- Also need formulas defining the conditions
- Permitting policy [HW, LM]: positive conclusion; denying policy [HW]: negative conclusion
- (Contributors: Feigenbaum, Li; Halpern, Weissman [HW]; Li, Mitchell [LM]; …)

What is RT?
- RT = Role-based Trust management
- Innovative features of the RT family:
  - Expressive delegation constructs
  - Permissions for structured resources
  - Tractable semantics based on Constraint Datalog
  - Strongly-typed credentials and vocabulary agreement
  - Efficient deduction with millions of distributed policy statements
  - Safety and availability analysis
[Li, Mitchell, Winsborough]

Languages in the RT Framework
- RT0: decentralized roles
- RT1: parameterized roles
- RT2: logical objects
- RT1C, RT2C: RT1 and RT2 with constraints, for structured resources
- RTT: for separation of duties
- RTD: for selective use of role memberships
- RTT and RTD can be used (either together or separately) with any of the five base languages: RT0, RT1, RT2, RT1C, and RT2C
[Li, Mitchell, Winsborough]

Example
(Figure: principals Alice, StateU, ABU and EPub. EPub grants access to university students, trusts universities to certify their students, and trusts ABU to certify universities. ABU says StateU is a university; StateU says Alice is a student.)

Example RT0 credentials
1. StateU.stuID ← Alice
2. ABU.accredited ← StateU
3. EPub.university ← ABU.accredited
4. EPub.student ← EPub.university.stuID
5. EPub.access ← EPub.student
Together, the five statements prove that Alice is entitled to access.

Limitation of KeyNote, SPKI 1.0
- Capability-based TM systems
  - A credential delegates certain permissions from an issuer to a subject
  - A chain of credentials authorizes the subject at the end of the chain
- Using these systems in the EPub scenario:
  - EPub delegates the access permission to ABU
  - ABU delegates the access permission to StateU
  - StateU delegates the access permission to Alice
- Not scalable: a separate chain of delegations is needed for each student

Policy forms, RT0
- Simple attribute assignment: StateU.stuID ← Alice
- Delegation of attribute authority: StateU.stuID ← COE.stuID
- Attribute inferencing: EPub.access ← EPub.student
- Attribute-based delegation of authority: EPub.student ← EPub.university.stuID, i.e. mem(EPub.student) ⊇ ⋃_{B ∈ mem(EPub.university)} mem(B.stuID)
- Conjunction: EPub.access ← EPub.student ∩ ACM.member

Policy forms, RT1 and beyond
- Attributes with fields
  - StateU.stuID(name=.., program=.., …) ← Alice
  - EPub.access ← StateU.stuID(program="graduate")
- Permissions for structured resources, e.g. allow connection to any host in a domain and at any port in a range

Datalog as a Foundation
- Natural: security policy statements are if-then rules
- Precise: declarative and widely-understood semantics
- Tractable: no function symbols ⇒ tractability; efficient goal-directed evaluation procedures
- Available technology: extensive Datalog research in logic programming and databases

Datalog Semantics of RT0
- Each statement is translated into a Datalog rule over a single predicate m(A, r, D), read "D is a member of A.r":
  - Type 1: A.r ← D becomes m(A, r, D).
  - Type 2: A.r ← B.r1 becomes m(A, r, z) :- m(B, r1, z).
  - Type 3: A.r ← A.r1.r2 becomes m(A, r, z) :- m(A, r1, y), m(y, r2, z).
  - Type 4: A.r ← B1.r1 ∩ B2.r2 ∩ … ∩ Bk.rk becomes m(A, r, z) :- m(B1, r1, z), m(B2, r2, z), …, m(Bk, rk, z), so z must be a member of every intersected role.
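The EPub credentials, the RT0 policy forms and the Datalog translation above can be exercised together with a small bottom-up evaluator. The following is an added example, not code from the slides or from the RT implementation: it parses RT0 statements in a text syntax chosen here (`<-` for ←, `&` for ∩), translates each to the corresponding rule and iterates to the least fixpoint of m(A, r, D). The sample credentials extend the EPub scenario with a delegation to a college COE and an intersection rule; all of those names are constructed for the example.

```python
# Added example (not from the slides): bottom-up Datalog-style evaluation of
# RT0 credentials following the four translation types on the slide.
# Syntax (this example's choice): "A.r <- D", "A.r <- B.r1", "A.r <- A.r1.r2",
# "A.r <- B1.r1 & ... & Bk.rk".
import re

ROLE = re.compile(r"^(\w+)\.(\w+)$")           # A.r
LINKED = re.compile(r"^(\w+)\.(\w+)\.(\w+)$")  # A.r1.r2


def parse(statement):
    """'A.r <- body' -> (A, r, body); body kinds mirror the four RT0 types."""
    head, body = (s.strip() for s in statement.split("<-"))
    a, r = ROLE.match(head).groups()
    if "&" in body:                                  # type 4: intersection
        parts = tuple(ROLE.match(p.strip()).groups() for p in body.split("&"))
        return a, r, ("intersection", parts)
    m = LINKED.match(body)
    if m:                                            # type 3: linked role
        a2, r1, r2 = m.groups()
        if a2 != a:
            raise ValueError(f"RT0 linked role must start with issuer {a}: {statement}")
        return a, r, ("linked", r1, r2)
    m = ROLE.match(body)
    if m:                                            # type 2: simple containment
        return a, r, ("role", *m.groups())
    return a, r, ("entity", body)                    # type 1: simple member


def members(credentials):
    """Least fixpoint of m(A, r, D): returns {(A, r): set of principals}."""
    rules = [parse(c) for c in credentials]
    m = {}
    mem = lambda a, r: m.setdefault((a, r), set())
    changed = True
    while changed:                                   # iterate until no rule adds a fact
        changed = False
        for a, r, body in rules:
            kind = body[0]
            if kind == "entity":                     # m(A,r,D).
                new = {body[1]}
            elif kind == "role":                     # m(A,r,z) :- m(B,r1,z).
                new = set(mem(body[1], body[2]))
            elif kind == "linked":                   # m(A,r,z) :- m(A,r1,y), m(y,r2,z).
                new = set()
                for y in list(mem(a, body[1])):
                    new |= mem(y, body[2])
            else:                                    # m(A,r,z) :- m(B1,r1,z), ..., m(Bk,rk,z).
                new = set.intersection(*[set(mem(b, rr)) for b, rr in body[1]])
            target = mem(a, r)
            if not new <= target:
                target |= new
                changed = True
    return m


def is_member(credentials, role, principal):
    a, r = ROLE.match(role).groups()
    return principal in members(credentials).get((a, r), set())


# Constructed policy: the EPub scenario from the slides, plus StateU delegating
# stuID to its college COE and an intersection rule (both added for this example).
EPUB = [
    "StateU.stuID <- Alice",
    "ABU.accredited <- StateU",
    "EPub.university <- ABU.accredited",
    "EPub.student <- EPub.university.stuID",
    "EPub.access <- EPub.student",
    "StateU.stuID <- COE.stuID",
    "COE.stuID <- Bob",
    "ACM.member <- Alice",
    "EPub.discount <- EPub.student & ACM.member",
]

if __name__ == "__main__":
    for who in ("Alice", "Bob", "Mallory"):
        print(who, "access:", is_member(EPUB, "EPub.access", who),
              "discount:", is_member(EPUB, "EPub.discount", who))
```

Bob reaches EPub.access only through the delegation chain COE.stuID → StateU.stuID → EPub.university.stuID, which is exactly the linked-role step a capability chain cannot express once per university. The fixpoint computes every role at once; the goal-directed backward, forward and bidirectional searches described later answer one query without materializing all memberships.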

Better: Constraint Datalog
- Why constraints: Datalog cannot easily express permissions about structured resources and ranges
- What is Constraint Datalog: a special form of CLP (constraint logic programming); the query language for constraint databases
- A Constraint Datalog rule has the form R0(x0) :- R1(x1), ..., Rn(xn), ψ(x0, x1, …, xn)
  - x0, x1, …, xn are tuples of variables
  - ψ is a constraint over all the variables

Example Policy with Constraints
- A grants to B the permission to connect to hosts in the domain "stanford.edu" at port 80, valid from time t1 to t3, and allows B to further delegate:
  - grantConnect(A, B, h, p, v) :- h ≤ ⟨edu,stanford⟩, p = 80, v ∈ [t1, t3]
  - grantConnect(A, x, h, p, v) :- grantConnect(B, x, h, p, v), h ≤ ⟨edu,stanford⟩, p = 80, v ∈ [t1, t3]

Useful Constraint Domains for TM
- Tree domains: path expressions ⟨a1, a2, …, ak⟩, e.g. ⟨pub,software⟩ for /pub/software
  - Primitive constraints: x = y, or x θ ⟨a1, a2, …, ak⟩, where θ ∈ {=, <, …} relates x to the path (equal to it, or below it in the tree)
- Range domains: each constant is a number
  - Primitive constraints: x = y, x = c, or x ∈ (c1, c2)
- Discrete domains with finite sets
  - Primitive constraints: x = y, x ∈ {c1, c2, …, cj}

RT1C: RT1 with constraints
- Theorem: a multi-sorted CDatalog program with multiple tractable constraint domains can be evaluated in polynomial time
- Corollary: the RT languages are tractable, since statements in the RT languages can be translated into a multi-sorted CDatalog program
- Example: FileServer.access(path ≤ ⟨pub,software⟩, type ∈ {read,write,delete}) ← StateU.student(dept='CS')
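The grantConnect policy, the three constraint domains and the RT1C example above share one mechanism: every rule carries a conjunction of tree, range and finite-set constraints, and a delegated permission is the intersection of the delegator's and the delegate's constraints. The following added example (not code from the slides or from RT) evaluates a concrete grantConnect request against rules of that shape. It answers a ground query (fixed subject, host, port and time) by following delegation through rule bodies rather than performing full constraint-Datalog evaluation; the Rule encoding, the principals B and Carol, and the timestamps are all constructed here.

```python
# Added example (not from the slides): ground-query evaluation of grantConnect
# rules with tree-domain (host), finite-set (port) and range (time) constraints.
from dataclasses import dataclass
from typing import Optional


def host_path(host):
    """'www.cs.stanford.edu' -> ('edu','stanford','cs','www'): the tree-domain path."""
    return tuple(reversed(host.lower().rstrip(".").split(".")))


@dataclass(frozen=True)
class Rule:
    issuer: str                 # A in grantConnect(A, x, h, p, v)
    subject: Optional[str]      # a fixed principal, or None for the variable x
    via: Optional[str]          # None: a fact; B: body literal grantConnect(B, x, h, p, v)
    host_prefix: tuple          # h <= <a1,...,ak>: h lies in that subtree
    ports: frozenset            # p in {c1,...,cj}
    valid: tuple                # v in [lo, hi]

    def constraints_hold(self, h, p, v):
        return (h[:len(self.host_prefix)] == self.host_prefix
                and p in self.ports
                and self.valid[0] <= v <= self.valid[1])


def grant_connect(rules, issuer, subject, host, port, at, _seen=frozenset()):
    """Does grantConnect(issuer, subject, host, port, at) follow from rules?"""
    key = (issuer, subject)
    if key in _seen:            # delegation cycle (A via B, B via A) yields no new proof
        return False
    h = host_path(host)
    for r in rules:
        if r.issuer != issuer or not r.constraints_hold(h, port, at):
            continue
        if r.subject is not None and r.subject != subject:
            continue
        if r.via is None or grant_connect(rules, r.via, subject, host, port, at, _seen | {key}):
            return True
    return False


T1, T2, T3 = 1_000, 2_000, 3_000        # constructed validity boundaries, t1 < t2 < t3
STANFORD = ("edu", "stanford")
RULES = [
    # A grants B port 80 on stanford.edu hosts during [t1, t3] ...
    Rule("A", "B", None, STANFORD, frozenset({80}), (T1, T3)),
    # ... and lets B re-delegate under the same constraints:
    # grantConnect(A, x, h, p, v) :- grantConnect(B, x, h, p, v), h <= <edu,stanford>, p = 80, v in [t1, t3]
    Rule("A", None, "B", STANFORD, frozenset({80}), (T1, T3)),
    # B passes Carol a narrower host set and later start, but also claims port 443 (constructed)
    Rule("B", "Carol", None, STANFORD + ("cs",), frozenset({80, 443}), (T2, T3)),
]

if __name__ == "__main__":
    for req in (("Carol", "www.cs.stanford.edu", 80, 2500),
                ("Carol", "www.stanford.edu", 80, 2500),
                ("Carol", "www.cs.stanford.edu", 443, 2500)):
        print(req, "->", grant_connect(RULES, "A", *req))
```

The third query shows the point of keeping A's constraints on the re-delegation rule: B's credential alone authorizes Carol on port 443, but A never delegated 443, so the chain rooted at A rejects it. Because every constraint is a prefix test, a set membership or an interval check, each rule application is constant-time in the request, which is the tractability the slides claim for these domains.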

Using CDatalog to Analyze KeyNote
- Theorem: it is undecidable whether a KeyNote assertion authorizes any request at all
  - One constraint domain used in KeyNote involves Hilbert's 10th problem: find integer solutions to p(x1, …, xk) = 0
- Moral: KeyNote constraints are too expensive
  - Practical examples do not use these expensive features
  - The logical perspective leads to expressive, tractable policy languages

Goal-directed Deduction for RT0
- Queries:
  1. Given A.r, determine its members: the backward search algorithm
  2. Given D, determine the set of roles that D is a member of: the forward search algorithm
  3. Given A.r and D, determine whether D is a member of A.r: the bidirectional search algorithm

Credential Graph for Policy P
- Nodes: A.r and e for each statement A.r ← e in P
- Credential edges: e → A.r for each statement A.r ← e in P
- Summary edges:
  - B.r2 → A.r1.r2 if there is a path from B to A.r1
  - D → A1.r1 ∩ … ∩ Ak.rk if there are paths from D to each Aj.rj
- Theorem: reachability in the credential graph is sound and complete for RT0

Example: Bidirectional Search on a Credential Graph
(Figure: nodes Alice, COE.stuID, StateU.stuID, StateU, ABU.accredited, EPub.university, EPub.university.stuID and EPub.student, connected by credential edges and summary edges; key distinguishes the two edge kinds.)

Worst-Case Complexity
- Backward: time O(N³ + NM), space O(NM)
  - N is the number of rules
  - M is the sum of the sizes of all rules: A.r ← f1 ∩ … ∩ fk has size k, other credentials have size 1
- Forward and bidirectional: time O(N²M), space O(NM)
- Same as previous work for SDSI [Clarke et al.], but our algorithms are goal-directed, making them much better in practice

Who stores credentials?
(Figure: the credentials are held by different parties among Alice, COE, StateU, ABU and EPub.)
- ABU.accredited ← StateU
- COE.stuID ← Alice
- EPub.university ← ABU.accredited
- EPub.student ← EPub.university.stuID
- StateU.stuID ← COE.stuID

Automated Trust Negotiation
- Credentials may contain sensitive information
  - They need protection just as other resources do
  - Deduction must therefore be interactive
- The Trust Target Graph (TTG) protocol
  - Supports RT0, which has delegation
  - Supports distributed discovery of statements
  - Supports Ack policies, which also protect against unauthorized leakage of attribute information
- Cryptographic protocols for ATN: Oblivious Signature-Based Envelope (OSBE)

Safety and Availability Analysis
- Organizations delegate partial control: what happens if other organizations change policy in the future without my knowledge?
- Given policy P and restriction R on changes:
  - Simple safety: is D ∈ A.r possible? PTIME
  - Simple availability: is D ∈ A.r necessary? PTIME
  - Bounded safety: is A.r ⊆ {D1, …, Dn} necessary? PTIME

Complexity of Containment Analysis
- Given P and R, is A.r ⊇ B.r1 necessary?
  - Simple delegation: PTIME (uses logic programs with stratified negation)
  - Intersection: coNP-complete (equivalent to determining validity in propositional logic)
  - Linking: PSPACE-complete (equivalent to containment of languages accepted by NFAs)
  - Linking + intersection: decidable in coNEXP; exact complexity unknown
- Decidability and PTIME results stand in contrast to the HRU model, in which simple safety is undecidable

Implementation Status
- Java inference engine for RT0
- Preliminary version of RTML, an XML-based encoding of RT statements: XML Schemas and parser exist
- Applications:
  - U-STOR-IT: web-based file storage and sharing
  - August: a distributed calendar program
  - Automated trust negotiation demo by NAI
  - TNT trust negotiation architecture at BYU

Publications on RT
- Language specification, distributed deduction: [ACM CCS'01] [JCS] [IEEE S&P'02]
- Constraint Datalog: [PADL'03] [CSFW'03]
- Summary of RT: [DISCEX'03]
- Interactive deduction, protecting sensitive credentials: [IEEE Policy'02] [ACM WPES'02]
- Safety and availability analysis of RT policies: [IEEE S&P'03]

Ongoing Work Related to RT
- Foundation of distributed trust management: more expressive constraints; additional safety and availability analysis problems
- Algorithms: deduction algorithms for the full RT framework; trust negotiation with more expressive RT languages
- Systems: RTML as a more expressive PKI; complete implementation of RT and more applications

Policy with negation, functions
- Many applications explicitly forbid actions:
  - "Smoking is prohibited in the dining areas of all restaurants seating more than 35 people" is part of the NYC Smoke-Free Air Act
  - "The tickets may not be refunded" is a policy of many theaters, special airline fares, ...
- Functions may be useful: ∀x1, x2 (OnSite(x1) ⇒ Permitted(x2, copy(x1)))
- These policies cannot be written directly in Datalog or Constraint Datalog [Halpern, Lagoze, Weissman]

Tractability with function symbols
- Key idea: restrict bipolars
  - A literal l is bipolar in a formula f if a positive occurrence of l in f is unifiable with a negated literal l' in f
  - E.g. R(Alice, x) is bipolar in R(Alice, x) ∧ ¬R(y, Bob)
- If E is an environment and P a policy such that every variable in the lhs of a policy also appears in the rhs, E is a conjunction of ground literals, and there are no bipolar literals in P, then queries are answered in time |P||E|
- Remains polytime under weaker assumptions

Explanation of restrictions
- Every variable on the lhs is also on the rhs: permissions (and prohibitions) depend only on attributes of the individual and the action being regulated
- Environment E is a conjunction of ground literals: reasonable if the environment is a database and/or a set of certificates
- No bipolar literals in policy P: reasonable if Permitted is not in any policy's premise and all policies are permitting (or all denying)
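The bipolar check from the previous two slides is mechanical: rename each statement's variables apart, then try to unify every positive literal with every negated literal of the same predicate. The following added example (not code from the slides or from the Halpern-Weissman work) implements that check with a small first-order unifier that supports function terms such as copy(x1). The literal encoding is this example's own: each policy statement is given as the literals of its clause form, so Cond ⇒ Permitted(…) becomes [¬Cond, Permitted(…)] and a denying policy Cond ⇒ ¬Permitted(…) becomes [¬Cond, ¬Permitted(…)]; the sample policies with Staff, copy and print are constructed.

```python
# Added example (not from the slides): bipolar-literal detection by unification.
# Variables are Var objects, constants are strings, function terms are tuples
# ("copy", x1). Each statement is a list of Lit in clause form.
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Lit:
    neg: bool
    pred: str
    args: tuple


def rename(term, suffix):
    """Rename variables apart: each statement is separately quantified."""
    if isinstance(term, Var):
        return Var(term.name + suffix)
    if isinstance(term, tuple):
        return (term[0],) + tuple(rename(a, suffix) for a in term[1:])
    return term


def walk(term, subst):
    while isinstance(term, Var) and term in subst:
        term = subst[term]
    return term


def occurs(v, term, subst):
    term = walk(term, subst)
    if term == v:
        return True
    return isinstance(term, tuple) and any(occurs(v, a, subst) for a in term[1:])


def unify(a, b, subst):
    """Most general unifier extending subst, or None; includes the occurs check."""
    a, b = walk(a, subst), walk(b, subst)
    if a == b:
        return subst
    if isinstance(a, Var):
        return None if occurs(a, b, subst) else {**subst, a: b}
    if isinstance(b, Var):
        return unify(b, a, subst)
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            subst = unify(x, y, subst)
            if subst is None:
                return None
        return subst
    return None                                     # distinct constants or functors


def bipolar_pairs(statements):
    """(positive, negative) literal pairs across the statements that unify."""
    pos, neg = [], []
    for i, lits in enumerate(statements):
        for l in lits:
            renamed = Lit(l.neg, l.pred, tuple(rename(a, f"_{i}") for a in l.args))
            (neg if l.neg else pos).append(renamed)
    return [(p, n) for p in pos for n in neg
            if p.pred == n.pred and len(p.args) == len(n.args)
            and unify(("args",) + p.args, ("args",) + n.args, {}) is not None]


# The slide's example: R(Alice, x) ∧ ¬R(y, Bob)
SLIDE_F = [Lit(False, "R", ("Alice", Var("x"))), Lit(True, "R", (Var("y"), "Bob"))]
# OnSite(x1) ⇒ Permitted(x2, copy(x1))  (permitting, from the slides)
PERMIT_COPY = [Lit(True, "OnSite", (Var("x1"),)),
               Lit(False, "Permitted", (Var("x2"), ("copy", Var("x1"))))]
# Constructed denying policies: Staff(u) ⇒ ¬Permitted(u, copy(d)) and ... ¬Permitted(u, print(d))
DENY_COPY = [Lit(True, "Staff", (Var("u"),)),
             Lit(True, "Permitted", (Var("u"), ("copy", Var("d"))))]
DENY_PRINT = [Lit(True, "Staff", (Var("u"),)),
              Lit(True, "Permitted", (Var("u"), ("print", Var("d"))))]

if __name__ == "__main__":
    print("slide example bipolar pairs:", bipolar_pairs([SLIDE_F]))
    print("permit only:", bipolar_pairs([PERMIT_COPY]))
    print("permit + deny copy:", bipolar_pairs([PERMIT_COPY, DENY_COPY]))
    print("permit + deny print:", bipolar_pairs([PERMIT_COPY, DENY_PRINT]))
```

A policy set that is all permitting (or all denying) never produces a Permitted/¬Permitted pair, which is why the slide calls that case reasonable; mixing a permitting copy rule with a denying copy rule does produce one, while a denying rule about a different function symbol (print) does not unify and stays in the tractable fragment.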

Mixed policy sets
- Thm: for any environment E and policy P, can reformulate as E', P' such that permissions follow from E' and the permitting policies in P' only, and prohibitions follow from E' and the denying policies in P' only; quadratic increase in size
- The fragment can capture a number of policy sets: samples collected from libraries; samples collected from government documents; most of the XrML core, and all of the Content Schema
- More information: Vicky Weissman poster

Future SPYCE Directions
- Accomplishments: framework and logic for policy definition; algorithms for policy enforcement; some experience with capturing practical policy requirements from a variety of applications
- Challenges: continue implementation and deployment efforts; policy development algorithms and tools (debugging and testing, safety and availability analysis)
- Additional challenges: policy privacy, automated trust negotiation, revocation

Sample Applications
- August distributed calendar
- USTORIT
- Social security database: policy to qualify for social security; also a tax law database
- Library policy: have to administer copyright; who is allowed to access course notes?
- XrML: commercial license and rights framework