Expressive Policy Analysis with Laws of System Change
Annual Conference of ITA (ACITA 2009)
Robert Craven, Jiefei Ma, Alessandra Russo, Emil Lupu, Morris Sloman (Imperial College London); Jorge Lobo, Seraphin Calo (IBM T.J. Watson Research Centre); Arosha Bandara (Open University)

Abstract. Despite several research studies, the effective analysis of policy-based systems remains a significant challenge. Policy analysis should at least (i) be expressive, (ii) take account of obligations and authorizations, (iii) include a dynamic system model, and (iv) give useful diagnostic information. We present a logic-based policy analysis framework which satisfies these requirements, showing how many significant policy-related properties can be analysed, and give details of an implementation.

Policy language features
- Recursive policies
- Expressive historical conditions with constraints
- Fine-grained defaults
- Abstract language for policies at all levels of abstraction

Analysis framework
[Figure: the analysis takes three inputs: Policies, a Domain Description, and a Query.]

Example policies

A person cannot assist in a medical situation once he has taken part in surveying a contaminated area:

  denied(Sub, M1, assist, T) ←
      do(Sub, M2, assist, T'), T' < T,
      holdsAt(activity_type(M1, medical), T),
      holdsAt(activity_type(M2, survey(A)), T'),
      holdsAt(area_classify(A, contaminated), T').

A connecting node should re-identify itself within five minutes of making a connection to a server, or the server must drop the connection within one second:

  obl(U, serv, sub2ID(U, serv), T+1, T+300, T) ←
      holdsAt(node(U), T),
      do(U, serv, connect, T).

  obl(serv, serv, disconnect(U, serv), Te, Te+1, Te) ←
      violated(U, serv, sub2ID(U, serv), Ts, Te, Te).

Domain description

The Event Calculus is used for the description of the policy-governed system. The domain description is separable from the policy set, so the same policies can be analysed on different systems, or different policies on the same system, easily. For example, role-based access control is described by:

  holdsAt(hasRole(U, R), T) ←
      holdsAt(hasUser(R', U), T),
      holdsAt(subRole(R, R'), T).

  initiates((S:R:assignUser(U)), hasUser(R, U), T).
  initiates((S:R:assignPerm(Tar, A)), hasPerm(R, Tar, A), T).
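To make the poster's semantics concrete, the following is an added Python example (not the poster's own code or implementation). It evaluates a small Event Calculus domain over a constructed event history, encodes the two example policies above (the contaminated-area denial and the re-identification obligation with its follow-on server obligation), and then runs the poster's analysis questions (modality conflicts, coverage gaps, obligation derivation) by exhaustive search over a finite horizon rather than by abduction. The narrative, the fluent encoding as tuples, the `HORIZON`, and the positive authorisation rule `permitted` (medics may assist medical activities) are assumptions introduced for the example.

```python
"""Toy Event Calculus evaluator for the poster's policy rules (added example).

Fluents are tuples, e.g. ("activity_type", "m2", ("survey", "areaA")).
Events are do(Sub, Tar, Act, T) tuples. There is no terminates/3 in this toy:
a fluent holds at T if it is initially true or was initiated by an event at T' < T.
"""
from itertools import product

# --- constructed domain description (assumption: not data from the poster) ---
INITIAL_FLUENTS = {
    ("activity_type", "m1", "medical"),
    ("activity_type", "m2", ("survey", "areaA")),
    ("area_classify", "areaA", "contaminated"),
    ("subRole", "medic", "surgeon"),      # subRole(R, R'): surgeon is a sub-role of medic
}
EVENTS = [                                 # constructed narrative of do/4 facts
    ("bob", "serv", "connect", 0),         # bob connects and never re-identifies
    ("admin", "surgeon", ("assignUser", "alice"), 1),
    ("alice", "m2", "assist", 3),          # alice helped survey the contaminated area
]
HORIZON = 302                              # time points 0..301 are examined


def initiates(event):
    """initiates/3 from the poster's RBAC rules (assignUser, assignPerm)."""
    sub, tar, act, t = event
    if isinstance(act, tuple) and act[0] == "assignUser":
        return {("hasUser", tar, act[1])}
    if isinstance(act, tuple) and act[0] == "assignPerm":
        return {("hasPerm", tar, act[1], act[2])}
    return set()


KNOWN_FLUENTS = INITIAL_FLUENTS | set().union(*(initiates(e) for e in EVENTS))


def holds_at(fluent, t):
    """holdsAt/2: initially true, or initiated by an earlier event."""
    return fluent in INITIAL_FLUENTS or any(
        fluent in initiates(e) and e[3] < t for e in EVENTS)


def has_role(user, role, t):
    """holdsAt(hasRole(U,R),T) <- holdsAt(hasUser(R',U),T), holdsAt(subRole(R,R'),T)."""
    if holds_at(("hasUser", role, user), t):
        return True
    return any(holds_at(("hasUser", sub_role, user), t)
               for (name, r, sub_role) in INITIAL_FLUENTS
               if name == "subRole" and r == role)


def denied(sub, tar, act, t):
    """Poster rule: no assisting a medical activity after surveying a contaminated area."""
    if act != "assist" or not holds_at(("activity_type", tar, "medical"), t):
        return False
    for (s, m2, a, t1) in EVENTS:
        if s != sub or a != "assist" or not t1 < t:
            continue
        for f in KNOWN_FLUENTS:
            if (f[0] == "activity_type" and f[1] == m2 and isinstance(f[2], tuple)
                    and f[2][0] == "survey" and holds_at(f, t1)
                    and holds_at(("area_classify", f[2][1], "contaminated"), t1)):
                return True
    return False


def permitted(sub, tar, act, t):
    """Assumed positive authorisation (not on the poster): medics may assist medical work."""
    return (act == "assist" and has_role(sub, "medic", t)
            and holds_at(("activity_type", tar, "medical"), t))


def obligations():
    """obl(Sub, Tar, Act, Ts, Te, Tinit) tuples from the two obligation rules."""
    obls = [(u, "serv", "sub2ID", t + 1, t + 300, t)
            for (u, tar, act, t) in EVENTS if tar == "serv" and act == "connect"]
    for (u, _tar, act, ts, te, _tinit) in list(obls):
        fulfilled = any(e[0] == u and e[2] == "sub2ID" and ts <= e[3] <= te for e in EVENTS)
        if act == "sub2ID" and not fulfilled:       # violated(..., Ts, Te, Te)
            obls.append(("serv", "serv", ("disconnect", u), te, te + 1, te))
    return obls


SUBJECTS, TARGETS, ACTIONS = ["alice", "bob", "carol"], ["m1"], ["assist"]


def modality_conflicts():
    """Requests both permitted and denied at the same time point."""
    return sorted((s, tg, a, t) for s, tg, a in product(SUBJECTS, TARGETS, ACTIONS)
                  for t in range(HORIZON) if permitted(s, tg, a, t) and denied(s, tg, a, t))


def coverage_gaps():
    """Requests neither permitted nor denied (the poster's 'not permitted, not denied' query)."""
    return {(s, tg, a, t) for s, tg, a in product(SUBJECTS, TARGETS, ACTIONS)
            for t in range(HORIZON) if not permitted(s, tg, a, t) and not denied(s, tg, a, t)}


if __name__ == "__main__":
    print("first conflict:", modality_conflicts()[0])
    print("coverage gaps:", len(coverage_gaps()))
    print("obligations:", obligations())
```

Alice becomes a surgeon (hence a medic) at time 2 and assists the survey at time 3, so from time 4 on every request to assist the medical activity is both permitted and denied: the search reports the conflict rather than silently resolving it. Carol and Bob have no applicable rule at all, which the coverage query exposes, and Bob's unfulfilled re-identification obligation gives rise to the server's one-second disconnect obligation at time 300.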
Analysis capabilities
- Modality conflicts: actions both permitted and denied, or obligations without attendant permission
- Detailed trace: abduction for analysis of the behaviour leading to the input system and policy state
- Configurable constrained search, and multiple solutions
- Various types of Separation of Duty analysis
- Coverage gap discovery
- Behavioural simulation
- Policy comparison

Example queries

Is there ever a time at which sub is allowed to activate two roles which are separated?

  permitted(sub, roles, activate(Role_a), T),
  permitted(sub, roles, activate(Role_b), T),
  holdsAt(separated(sub, Role_a, Role_b), T).

Are there situations in which a medic has an obligation to perform some action but no permission to do it?

  obl(Medic, Tar, Act, Ts, Te, Tinit),
  not cease_obl(Medic, Tar, Act, Tinit, Ts, Te, T),
  denied(Medic, Tar, Act, T), Ts < T,
  holdsAt(role(medic, Medic), T).

Show all actions neither permitted nor denied:

  not permitted(Sub, Tar, Act, T),
  not denied(Sub, Tar, Act, T).

Query solution

Abductive Constraint Logic Programming is used to find multiple solutions to linked policy/domain queries. Solutions specify: the requests for access, governed by policies; the initial state, and the history of events in the system; any policies involved; and the temporal constraints between these, all of which have been proved to lead to the property given in the query.

[Figure: Policies + Domain Description + Query (property) → Solution.]