1 Specifying and Reasoning about Dynamic Access-Control Policies Daniel J. Dougherty, Kathi Fisler, and Shriram Krishnamurthi Mouiad A. Hani Presented.

2 Paper’s outline Motivation Background Information Introduction Modeling Policies and their Dynamic Environments Analyzing and Comparing Policies Related Works Conclusions

3 Motivation
– The increasing complexity of access-control policies.
– The dynamic nature of the environments in which these policies operate and are evaluated.
– The need for separating the policy from its underlying enforcement engine.
– The need for providing formal analyses of policy rules’ safety and availability properties.

4 Background Information
Access Control: controlling and enforcing protection for every access to a system and its resources, so that access is possible only for authorized subjects.
The primary purpose of security mechanisms in a computer system is access control, which consists of three tasks:
– Authorization: determining which subjects are entitled to have access to which resource
– Determining the access rights (a combination of access modes such as read, write, execute, delete, and append)
– Enforcing these access rights
Many types of resources need access control:
– Sensitive documents, files, and information stored in databases, servers, etc.
– RAM and virtual memory dedicated to the OS and to other applications
– CPU time of clients and servers connected to the network
– Many other examples

5 Background…continue
Access Control Kinds
Discretionary Access Control (DAC) means that the owner of the resource controls other users' access to that resource. Only those users specified by the owner may have some combination of read, write, execute, and other permissions to the resource.
– Drawbacks: permissions are transitive; vulnerable to Trojan horse attacks.
Mandatory Access Control (MAC) means that access control decisions are made by a central authority, not by the individual owner of an object, and the owner cannot change access rights.
– Drawback: the covert channel problem.
Role-Based Access Control (RBAC) controls access depending on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles.

6 Background…continue
An access-control language must provide a way of describing the different forms of access and the environment in which they could occur. This information forms a request. Many languages break requests into four parts:
– Subject (active entity): the person or process making the request
– Resource (passive entity): the object, subsystem, person, or process that would be affected (e.g., a file name or a process id)
– Action: the command or change that would be executed on the resource by the subject
– Environment: any other relevant information, such as the time of day, location, or the previous actions of the subject
The first three make up the form of the requested access, while the last gives the context in which this access would be exercised.

7 Background…continue
Policy Decision Point (PDP): the point where policy decisions are made by the access control policy.
Policy Enforcement Point (PEP): the point where policy decisions are actually enforced by the access control mechanism.
Policy Repository: where the policies are stored.
The PEP sends a Request to the PDP and receives a Decision.
Modern applications express policies in domain-specific, XML-based languages such as XACML. The applications consult policies through a policy enforcement engine.

8 Background…continue Example: Classical Access Control Policy Framework

9 Introduction
Specifying: who can access what, how, and when?
Reasoning: the process of drawing or establishing new conclusions (facts) from the current facts. Reasoning, in this paper, is about goal reachability and contextual containment within dynamic access-control policies.

10 Introduction…continue
Why Separate Policies from Their Underlying Programs?
– It allows the same policy to be used with multiple applications;
– It enables non-programmers to develop and maintain policies;
– It adopts rich mechanisms for combining policy modules derived from different, even geographically distributed, entities.

11 Policy Modeling
Definition: Let Subjects, Actions, and Resources each be sorts (types). Let Σ be a first-order relational signature (alphabet) including at least the two distinguished ternary predicates Permit and Deny of type Subjects × Actions × Resources. A policy rule over Σ is a Datalog rule over Σ whose head is either Permit or Deny. A policy over Σ is a set of policy rules over Σ.
For a set of rules (the policy) P, we have Σ_P = edb ∪ idb (the signature or alphabet of P).
A policy rule over Σ ≡ a Datalog rule over Σ.

12 Example of a policy written in Datalog
Permit(a, submit-paper, p) :- author(a), paper(p), phase(submission).
Permit(r, submit-review, p) :- reviewer(r), paper(p), assigned(r, p), phase(review).
Permit(r, read-scores, p) :- reviewer(r), paper(p), has-reviewed(r, p), phase(meeting).
Deny(a, read-scores, p) :- author(a), paper(p).
Facts: author(Alice). author(Bob). author(Grey). reviewer(Ali). reviewer(Jad). reviewer(Tom). paper(P1). paper(P2). paper(P3).

13 Datalog rule (program)
R(U0) :- R1(U1), R2(U2), …, Rn(Un).
– The body: extensional predicates (the extensional database, edb)
– The head: intensional predicate (the intensional database, idb)
Extension refers to whatever extends, i.e., “is quantifiable in space as well as in time”; extensional refers to that which is explicitly represented (e.g., a fact); intensional refers to that which is represented abstractly, e.g., by a rule of inference.

14 Datalog program analysis and characteristics
– Subset of the Prolog language;
– Set of Horn clauses (first-order logic program);
– Tree-based data structure;
– Top-down (left-to-right) depth-first search with backward chaining and backtracking;
– Unification and dynamic instantiation;
– Undecidable.

15 Policy Environment Modeling
Where does the environment’s information come from?
– The underlying program (e.g., which reviewers have submitted papers)
– The end-users (such as credentials)
– The run-time system also provides information (such as the current time)
– The policy framework itself (in role-based access control, for example, policies operate under assignments of users to roles and under hierarchies of permission inheritance among roles)
This suggests that:
– The environment must be a transition system, to model the program’s execution and the passage of time
– Each state must consist of an instance of the edb relations referred to by the policy

16 State Machine Model
To design a secure system with the help of state machine models:
– define the state set so that it captures “security”
– check that the initial state of the system is “secure”
– check that all state transitions starting in a “secure” state yield a “secure” state
Security is then preserved by all state transitions, and the system will always be “secure”.

18 Modeling the Policy and its Dynamic Environment in One Model

19 One Big Automaton (after step 1)
[Figure: automaton whose states are labeled by environment facts such as assigned(R,P), assigned(Bob,Paper1), has-reviewed(B,P), has-reviewed(Bob,Paper1) and phase(S), together with the decisions derived in them: permit(Alice,submit-paper,paper1,phase(submission)), permit(Bob,submit-review,paper1,phase(review)), permit(Bob,read-scores,paper1,phase(meeting)) and deny(Alice,read-scores,paper1).]
At any point in time, the dynamic environment provides a database of facts. This changing environment is modeled as a finite-state automaton (FSA) whose states are defined by the facts that hold at different points in time.

20 One Big Automaton just for Permission
[Figure: the same automaton restricted to permit decisions, with states assigned(R,P), assigned(Bob,Paper1), has-reviewed(B,P), has-reviewed(Bob,Paper1), phase(S) and decisions permit(Alice,submit-paper,paper1,phase(submission)), permit(Bob,submit-review,paper1,phase(review)), permit(Bob,read-scores,paper1,phase(meeting)), laid out along a time axis t1, t2, t3.]

21 Analyzing and Comparing Policies Two fundamental analyses are: safety (does a policy prohibit users from doing something undesirable) availability (does a policy permit a user to do something that they are allowed to do).

22 Goal Reachability
Is there some accessible state in the dynamic access model that satisfies some Boolean query (expression) over policy facts? To evaluate the goal at a particular state in a model is to evaluate the associated Boolean query on the database of facts at that state.
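As an added example (not code from the paper or these slides), the following Python evaluates the slide-12 Datalog policy bottom-up and runs a breadth-first goal-reachability search over a constructed environment transition system of the kind described on slides 15 and 19, answering one availability query and one safety query. The facts, the phase transitions, and the choice of making Bob both an author and a reviewer are assumptions constructed for illustration.

```python
from collections import deque
def V(t): return t.startswith("?")  # variables are written "?x"; anything else is a constant
RULES = [  # the slide-12 policy as (head, body) pairs
    (("Permit", "?a", "submit-paper", "?p"),
     [("author", "?a"), ("paper", "?p"), ("phase", "submission")]),
    (("Permit", "?r", "submit-review", "?p"),
     [("reviewer", "?r"), ("paper", "?p"), ("assigned", "?r", "?p"), ("phase", "review")]),
    (("Permit", "?r", "read-scores", "?p"),
     [("reviewer", "?r"), ("paper", "?p"), ("has-reviewed", "?r", "?p"), ("phase", "meeting")]),
    (("Deny", "?a", "read-scores", "?p"), [("author", "?a"), ("paper", "?p")]),
]

def solve(body, facts, s=None):  # yield each substitution that makes every body atom a fact
    s = s or {}
    if not body:
        yield s
        return
    for f in facts:
        t = dict(s)  # extend a copy so sibling matches do not share bindings
        if f[0] == body[0][0] and len(f) == len(body[0]) and all(
                t.setdefault(p, c) == c if V(p) else p == c for p, c in zip(body[0][1:], f[1:])):
            yield from solve(body[1:], facts, t)

def evaluate(edb):  # naive least fixpoint: the edb plus every derivable Permit/Deny fact
    db = set(edb)
    while True:
        new = {tuple(s.get(x, x) for x in h) for h, b in RULES for s in solve(b, db)}
        if new <= db:
            return frozenset(db)
        db |= new

# Constructed environment (slides 15 and 19): each state is an edb instance.  Bob is both
# an author and a reviewer, so a Permit/Deny conflict on read-scores becomes reachable.
START = frozenset({("author", "Alice"), ("author", "Bob"), ("reviewer", "Bob"),
                   ("reviewer", "Tom"), ("paper", "P1"), ("phase", "submission")})

def successors(state):  # phases advance; assignments and finished reviews become facts
    phase = next(f[1] for f in state if f[0] == "phase")
    base = frozenset(f for f in state if f[0] != "phase")
    if phase == "submission":
        return [base | {("phase", "review"), ("assigned", "Bob", "P1"), ("assigned", "Tom", "P1")}]
    if phase == "review":
        return [state | {("has-reviewed", r, "P1")} for r in ("Bob", "Tom")
                if ("has-reviewed", r, "P1") not in state] + [base | {("phase", "meeting")}]
    return []  # the meeting phase is terminal

def reachable(goal, start=START):  # BFS: first state whose derived db satisfies goal, else None
    seen, todo = {start}, deque([start])
    while todo:
        st = todo.popleft()
        if goal(evaluate(st)):
            return st
        fresh = [nx for nx in successors(st) if nx not in seen]
        seen.update(fresh)
        todo.extend(fresh)

def tom_can_read_scores():  # availability: does some reachable state permit the access?
    return reachable(lambda db: ("Permit", "Tom", "read-scores", "P1") in db) is not None
def permit_deny_conflict():  # safety: is some request both permitted and denied anywhere?
    return reachable(lambda db: any(("Deny",) + f[1:] in db for f in db if f[0] == "Permit"))
```

The conflict query returns the offending state (meeting phase after Bob has reviewed), which is exactly the witness a policy author needs to decide how the Permit and Deny rules should be combined.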

23 Goal Reachability
Example: finding an accessible state satisfying the formula

24 Checking Contextual Policy Containment
The Expensive Way:
– Rename the predicates in the two policies so they are disjoint
– Take the union of the two policies
– Use model checking to verify the temporal logic sentence

25 The Less Expensive Way
– Consider each rule as a single policy in its own right
– Check that individual rules are contained in (whole) policies
But the notion of accessibility is different depending on whether a rule is considered in isolation or as part of a larger policy. This motivates the following refinement of contextual containment.

26 Example: Consider when a policy author wants to replace the following rule ρ1 for reviewers’ access to paper reviews with rule ρ2. Is there a semantic ambiguity? The syntactic analysis is insufficient, in general. Algorithms (12) and (16)

27 Related Works Bell and LaPadula [6] were the first to use state transition systems to model programs guarded by access control policies. They defined the states of the system in such a way as to embody all the information considered pertinent to security.

28 Related Works …continue Harrison, Ruzzo and Ullman [18] presented a formal model of access control which has become known as HRU. A state of an HRU system is denoted by a set of objects, some of which are subjects, and a protection matrix giving the current access rights between pairs of subjects and objects. A policy is a set of commands, each parameterized by objects and specifying some possible transformation of the access matrix.

29 Related Works …continue Talel Abdessalem and Imen Ben Dhia [6, bibliography] propose an access control model for online social networks based on connection characteristics between users, in an extended sense that includes indirect connections. This model provides conditional access to shared resources based on reachability constraints between the owner and the requester of a piece of information.

30 Related Works …continue Ninghui Li and Mahesh V. [32] proposed using security analysis techniques to maintain desirable security properties while delegating administrative privileges. They gave a precise definition of a family of security analysis problems in RBAC, which is more general than the safety analysis studied in the literature. They also showed that two classes of problems in the family can be reduced to similar analyses in the RT0 trust-management language, thereby establishing an interesting relationship between RBAC and the RT (Role-based Trust-management) framework.

31 Conclusions The subtlety in this work arises because of complexities of the policies and their environments. The notions of uniform contextual containment and equivalence defined in this paper are fundamental concepts for a theory of policies. The work in this paper can be used to analyze any situation where the program’s execution is governed by a logical policy. Access-control policies are hard to get right.

32 I have questions… THANK YOU

33 Bibliography
1. G. F. Luger and W. A. Stubblefield, “AI Algorithms, Data Structures, and Idioms in Prolog, Lisp, and Java”, Pearson Education, 2009.
2. K. Ramamohanarao and J. Harland, “An Introduction to Deductive Database Languages and Systems”, VLDB Journal, Vol. 3, 1994.
3. M. A. Harrison, W. L. Ruzzo, and J. D. Ullman, “Protection in operating systems”, Communications of the ACM, 19(8):461–471, Aug. 1976.
4. Morrie Gasser, “Building a Secure Computer System”, Van Nostrand Reinhold, 1988.
5. Vincent C. Hu, David F. Ferraiolo, and D. Rick Kuhn, “Assessment of Access Control Systems”, Interagency Report 7316, NIST, 2006.
6. Talel Abdessalem and Imen Ben Dhia, “Access Control in Social Networks: A Reachability-Based Approach”, In ACM Proceedings of the 2012 Joint EDBT/ICDT Workshops, 2012.