Defeasible Security Policy Composition for Web Services Adam J. Lee, Jodie P. Boyer *, Lars E. Olson, and Carl A. Gunter University of Illinois at Urbana-Champaign.


Defeasible Security Policy Composition for Web Services Adam J. Lee, Jodie P. Boyer *, Lars E. Olson, and Carl A. Gunter University of Illinois at Urbana-Champaign 3rd November 2006

2 Motivation
Security policies
– Tend to be large and difficult to understand
– Do not always have a well-defined means of composition
– May be governed by multiple organizations or entities
Can we provide an intuitive way to specify and compose security policies?
Approach: defeasible security policy composition

3 What is Defeasible Logic?
A computationally efficient non-monotonic logic
Why non-monotonic logic?
– Allows for “jumping to conclusions” but later retracting those conclusions if contradictory evidence comes to light
– Models human reasoning

4 Defeasible Theories
Defeasible theories have three parts
– Facts, e.g. dog(Sam)
– Three types of rules
  Strict rules: terrier(X) -> dog(X)
  Defeasible rules: dog(X) => bark(X)
  Defeater rules: sick(X) ~> ¬bark(X)
– A superiority relationship, which prioritizes rules to eliminate conflicts

5 Example Superiority Relationship
The logical theory:
basenji(Jasmine)
basenji(X) -> dog(X)
r : dog(X) => bark(X)
r’ : basenji(X) => ¬bark(X)
r’ > r
Note: What happens without r’ > r?

6 Solution Overview
Each entity specifies a defeasible logic “meta policy”
The group of entities determines a precedence hierarchy
Policies are merged using a composition function
The resultant composed policy is converted into its XML representation using a projection function

7 Graphical Composition Overview
[Figure: Entity 1, meta policy A, local resource, resource policy]

8 Graphical Composition Overview
[Figure: no text recoverable]

9 What Does a Meta-Policy Look Like?
A meta-policy, P, is a tuple P = (P_reas, P_req)
– The reasoning theory, P_reas, is a theory in the defeasible logic
– The requirements theory, P_req, is a propositional logic theory, used as a “sanity check” after merging to ensure this entity’s requirements are met
If the conclusions drawn during the merge can prove the statement SATISFIED in P_req, the defining entity is, well, satisfied with the outcome

10 Predicate Syntax
Security token
– securitytoken(Type, Issuer, {Claims})
Integrity
– integrity({Algorithms}, TokenInfo, {Claims}, {MessageParts})
Confidentiality
– confidentiality({Algorithms}, KeyInfo, {MessageParts})

11 Examples of Predicate Syntax
securitytoken('x509','uiuc',C)
Represents an X.509 certificate issued by UIUC with no restrictions on the claims.
confidentiality({algorithm('encryption','rsa')}, securitytoken(T,'uiuc',C), {messageparts('xpath',S,'/body')})
Represents RSA encryption of the element selected by the XPath /body, using a security token issued by UIUC.

12 Composition
Define the composition function recursively in terms of a two-policy composition function *
Two cases for *(p1, p2)
– p1 and p2 unrelated by the partial order
– p1 dominates p2
* can be used iteratively to compose any collection of partially ordered meta-policies

13 Projection
Derive C, the set of all conclusions that can be defeasibly proven from the composite reasoning theory
For each C_i ∈ C that satisfies the requirements theories, add C_i to the set of sets S
Fail if S is empty, otherwise generate XML

14 XML Generation
Find I, the intersection of all s ∈ S
Insert the elements of I into a clause in the WS-SecurityPolicy document
Create a second clause to hold the alternatives
For each s ∈ S, construct a clause containing each conclusion in the set (s \ I), and add this clause as an item of the new clause

15 Example
Two organizations want to deploy a joint web service
Organization 1
– Wants X.509 to be used as the security token
– Allows a combination of tokens to replace X.509 when resources are constrained in mobile apps
Organization 2
– Deploys mobile apps
– Requires confidentiality
The organizations are unrelated in the partial ordering

16 Example Policy (Part 1)
Req:
hassecuritytoken -> satisfied.
securitytoken('x509','uiuc',C) -> hassecuritytoken.
securitytoken('saml',I,C),securitytoken('unt',I,C) -> hassecuritytoken.
Reas:
R1: {} => securitytoken('x509','uiuc',C).
R2: {} => securitytoken('saml',I,C).
R3: {} => securitytoken('unt',I,C).
R4: mobile ~> ~securitytoken('x509',I,C).
R5: securitytoken('x509',I,C) ~> ~securitytoken('saml',I,C).
R6: securitytoken('x509',I,C) ~> ~securitytoken('unt',I,C).
R4 > R1. R5 > R2. R6 > R3.

17 Example Policy (Part 2)
Req:
hassecuritytoken,hasconfidentiality -> satisfied.
securitytoken('saml','uiuc/cs/dais',C) -> hassecuritytoken.
confidentiality({algorithm('encryption','aes128cbc')}, securitytoken('unt',I,C), {messageparts('xpath',S,'/body')}) -> hasconfidentiality.
Reas:
mobile.
R1: {} => securitytoken('saml','uiuc/cs/dais',C).
R2: {} => confidentiality({algorithm('encryption','aes128cbc')}, securitytoken(T,I,C), {messageparts('xpath',S,'/body')}).

18 Merged Reasoning Theories
R1_1: {} => securitytoken('x509','uiuc',C).
R1_2: {} => securitytoken('saml',I,C).
R1_3: {} => securitytoken('unt',I,C).
R1_4: mobile ~> ~securitytoken('x509',I,C).
R1_5: securitytoken('x509',I,C) ~> ~securitytoken('saml',I,C).
R1_6: securitytoken('x509',I,C) ~> ~securitytoken('unt',I,C).
R1_4 > R1_1. R1_5 > R1_2. R1_6 > R1_3.
mobile.
R2_1: {} => securitytoken('saml','uiuc/cs/dais',C).
R2_2: {} => confidentiality({algorithm('encryption','aes128cbc')}, securitytoken(T,I,C), {messageparts('xpath',S,'/body')}).

19 Set of Possible Conclusions
securitytoken('saml','uiuc/cs/dais',C)
securitytoken('unt',I,C)
confidentiality({algorithm('encryption','aes128cbc')}, securitytoken('unt',I,C), {messageparts('xpath',S,'/body')})
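As an added illustration (not code from the slides or from the authors' system), the following Python sketch implements the standard propositional defeasible proof condition (strict rules, defeasible rules, defeaters and a superiority relation) and runs it on the slide 5 superiority example, with and without r' > r, and on a propositionalised version of the slide 18 merged theory. The `Theory` and `Rule` classes are my own, and dropping the issuer and claim arguments (so that R1_2 and R2_1 collapse onto one atom) is my simplification.

```python
from collections import namedtuple

Rule = namedtuple('Rule', 'name body head kind')  # kind: strict (->), defeasible (=>), defeater (~>)

def neg(lit):  # literal negation: 'bark' <-> '~bark'
    return lit[1:] if lit.startswith('~') else '~' + lit

class Theory:
    def __init__(self, facts, rules, sup=()):
        self.facts, self.rules, self.sup = set(facts), list(rules), set(sup)  # sup: (stronger, weaker)

    def rules_for(self, lit, kinds):
        return [r for r in self.rules if r.head == lit and r.kind in kinds]

    def strict(self, lit, seen=frozenset()):
        """+Delta: lit is a fact or follows from facts by strict rules alone."""
        return lit in self.facts or (lit not in seen and any(
            all(self.strict(b, seen | {lit}) for b in r.body) for r in self.rules_for(lit, {'strict'})))

    def defeasible(self, lit, seen=frozenset()):
        """+d (Billington): an applicable supporting rule, no strict proof of the
        negation, and every applicable attacker (defeaters included) is beaten
        by some applicable supporting rule under the superiority relation."""
        if self.strict(lit):
            return True
        if lit in seen or self.strict(neg(lit)):
            return False
        seen = seen | {lit}
        support = [r for r in self.rules_for(lit, {'strict', 'defeasible'})
                   if all(self.defeasible(b, seen) for b in r.body)]
        if not support:
            return False
        for s in self.rules_for(neg(lit), {'strict', 'defeasible', 'defeater'}):
            if all(self.defeasible(b, seen) for b in s.body) and \
               not any((t.name, s.name) in self.sup for t in support):
                return False  # an applicable attacker that no supporting rule overrides
        return True

    def conclusions(self):  # every literal defeasibly provable from the theory
        return {l for l in {r.head for r in self.rules} | self.facts if self.defeasible(l)}

# Slide 5, propositionalised: basenji(Jasmine) becomes the atom 'basenji'.
BASENJI = Theory({'basenji'}, [Rule('s', ('basenji',), 'dog', 'strict'), Rule('r', ('dog',), 'bark', 'defeasible'),
                               Rule("r'", ('basenji',), '~bark', 'defeasible')], {("r'", 'r')})
NO_SUP = Theory(BASENJI.facts, BASENJI.rules)  # the same theory without r' > r
# Slide 18 merged theory, propositionalised (issuer and claim arguments dropped).
MERGED = Theory({'mobile'}, [
    Rule('R1_1', (), 'x509', 'defeasible'), Rule('R1_2', (), 'saml', 'defeasible'),
    Rule('R1_3', (), 'unt', 'defeasible'), Rule('R1_4', ('mobile',), '~x509', 'defeater'),
    Rule('R1_5', ('x509',), '~saml', 'defeater'), Rule('R1_6', ('x509',), '~unt', 'defeater'),
    Rule('R2_1', (), 'saml', 'defeasible'), Rule('R2_2', (), 'confidentiality', 'defeasible')],
    {('R1_4', 'R1_1'), ('R1_5', 'R1_2'), ('R1_6', 'R1_3')})
```

With r' > r removed, neither bark nor ¬bark is provable, which answers the question on slide 5; on the merged theory the `mobile` fact lets the defeater R1_4 block X.509, which in turn leaves R1_5 and R1_6 inapplicable, so the SAML and UsernameToken conclusions of slide 19 survive.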

20 Expected WS-Policy Output
[XML fragment; most element tags were lost in extraction. Recoverable content:]
wsse:SAMLAssertion
uiuc/cs/dais
wsse:UsernameToken
<wsse:Algorithm Type="wsse:AlgSignature" URI="...AES128_CBC"/>
wsse:UsernameToken
/Body

21 Web Services and Beyond
This policy composition method is not only useful for merging WS-SecurityPolicy documents
Reliable messaging policies
– WS-RM Policy specification
– Investigating the interplay between security and reliable messaging policies would be an interesting area
Firewall policies
– Example: multiple groups sharing lab space
– The efficiency of defeasible logic makes temporal firewall rules possible

22 Conclusion
Presented a system to compose security policies
– Preferences for composition are encoded in meta-policies
– A single operation performs the composition
Allows organizations to specify long-term meta-policies that
– can be used for local resource policies
– can be composed to determine the policy for a shared resource

Thank you for your attention.

24 Example Policy (Part 1)
Req:
hassecuritytoken,hasintegrity -> satisfied.
securitytoken('x509','uiuc',C) -> hassecuritytoken.
securitytoken('saml',I,C),securitytoken('unt',I,C) -> hassecuritytoken.
integrity({algorithm('signature','rsa'),algorithm('transform','enveloped')}, securitytoken(T,'uiuc',C1), C2, {messageparts('xpath',S,'/')}) -> hasintegrity.
integrity({algorithm('signature','hmac'),algorithm('transform','enveloped')}, securitytoken('unt',I,C1), C2, {messageparts('xpath',S,'/')}) -> hasintegrity.
Reas:
R1: {} => securitytoken('x509','uiuc',C).
R2: {} => securitytoken('saml',I,C).
R3: {} => securitytoken('unt',I,C).
R4: mobile ~> ~securitytoken('x509',I,C).
R5: securitytoken('x509',I,C) ~> ~securitytoken('saml',I,C).
R6: securitytoken('x509',I,C) ~> ~securitytoken('unt',I,C).
R4 > R1. R5 > R2. R6 > R3.
R7: securitytoken('x509',I,C) => integrity({algorithm('signature','rsa'),algorithm('transform','enveloped')}, securitytoken(T,I,C1), C2, M).
R8: securitytoken('unt',I,C) => integrity({algorithm('signature','hmac'),algorithm('transform','enveloped')}, securitytoken('unt',I,C), C2, M).
R9: integrity({algorithm('signature','rsa')}, securitytoken(T,'uiuc',C1), C2, M) ~> ~integrity({algorithm('signature','hmac')}, S, C3, M).
R10: integrity({algorithm('signature','hmac')}, securitytoken('unt',I,C), C2, M) ~> ~integrity({algorithm('signature','rsa')}, S, C2, M).
