Software Quality and Infrastructure Protection for Diffuse Computing FY2001 ONR CIP/SW URI Access Control and Policy Management Speaker: John Mitchell (Stanford)

SPYCE Objective: Scalable Distributed Assurance Develop fundamental understanding, models, algorithms, and network testbed, in order to reduce cost, improve performance, and provide higher reliability for networked operations across untrusted networks. Incentives, Privacy, and Anonymity Protocol Design and Analysis Trust Management Network Architecture Smart devices diffuse into the environment…. … with control and assurance Desktop ‘80s Room ‘40s Wearable ‘90s Pervasive ‘00s

Traction tProblem - Access policy: specification and enforcement tApproach - Tractable subsets of first-order logic tAccomplishments - Policy languages, algorithms, demo applications tTransitions to Industry - Collaboration, start-up, students to industry, industrial visitor to Stanford tFuture - Interface w/commercial approaches: XrML, EPAL, P3P - Policy development environment: algorithms, tools Present activity: Cornell, Stanford Past contributors: Penn, Yale

Policy at site A may govern resources at site B Protect distributed resources with distributed policy Distributed Access Control Policy Resource Policy Resource Policy Resource ID

Diffuse Computing Goals tFlexible and scalable access control for loosely-coupled, diffuse systems - Resource sharing  coalitions, multi-centric collaborative systems  grid computing - Personal Privacy  Protect suborganization’s input to diffuse system  Example: patient’s hospital records - Organizational Privacy  Protect institution’s assets from suborganizations  Example: coalition assets from coalition partners

Decentralized Policy Example AliceEPub StateU is a university Alice is a student Grants access to university students Trusts universities to certify students Trusts ABU to certify universities StateU ABU

Merging Policy Sets tCOTS information-sharing framework - Uses industry-standard policy P ind tMilitary wants to run COTS application, - Wants military policies P mil tMust detect and resolve conflicts - Integrate P ind and P mil

Enterprise Access Control Policy Who What When Where Who What When Where User Right Resource Constraint Joecan openfinancials.xls using wired SSL on his laptop Resource Why

Plan Analyze Enforce Measure Improve Policy Management Lifecycle

Policy Language and Deduction tSpecification - State policy succinctly and directly - Confident that policy captures intention tEnforcement - Deduction, proof of compliance tManage policy lifecycle - Policy development tools - Safety and availability analysis Core Issue

SPYCE Approach tTractable subsets of first-order logic - Datalog  If-then patterns without function symbols or negation  Standard database query formalism - Constraint Datalog  Constraints based on constraint domains  Hierarchies, intervals, discrete sets - Polarity-restricted FOL (“Lithium”)  Allows function symbols, negation  Supports modular combination of policies

General policy form tA policy statement has the form:  x 1,…,  x m (Condition  (  ) Permitted(principal, privilege)) where - Condition is a conjunction of literals; - principal is individual [HW] or group [LM] - privilege can be action [HW] or group [LM] Yale Feigenbaum, Li Cornell Halpern, Weissman Stanford Li, Mitchell, …

Role-based Trust-management (RT) RT 0 : Decentralized Roles RT 1 : Parameterized Roles RT T : for Separation of Duties RT D : for Selective Use of Role memberships RT 2 : Logical Objects RT T and RT D can be used (either together or separately) with any of the five base languages: RT 0, RT 1, RT 2, RT 1 C, and RT 2 C RT 1 C : structured resources RT 2 C : structured resources [Li, Mitchell, Winsborough, …]

Recall example AliceEPub StateU is a university Alice is a student Grants access to university students Trusts universities to certify students Trusts ABU to certify universities StateU ABU

Example RT 0 credentials 1.StateU.stuID  Alice 2.ABU.accredited  StateU 3.EPub.university  ABU.accredited 4.EPub.student  EPub.university.stuID 5.EPub.access  EPub.student Together, five statements prove Alice is entitled to access

Policy Diffusion Alice EPub StateU ABU ABU.accredited  StateU COE.stuID  Alice EPub.university  ABU.accredited EPub.student  EPub.university.stuID StateU.stuID  COE.stuID COE

Datalog As A Foundation tNatural - Security policy statements are if-then rules tPrecise - Declarative and widely-understood semantics tTractable - No function symbols  tractability - Efficient goal-directed evaluation procedures tAvailable technology - Extensive Datalog research in LP and DB

Better: Constraint Datalog tWhy constraints: - Datalog cannot easily express permissions about structured resources and ranges tWhat is Constraint Datalog - Special form of CLP; query language for Constraint DB tA Constraint Datalog rule: - R 0 (x 0 ) :- R 1 (x 1 ),..., R n (x n ),  (x 0, x 1, …, x n )  x 0, x 1, …, x n are tuples of variables  is a constraint in all the variables

Example Policy with Constraints tA grants to B the permission to - connect to hosts in the domain “stanford.edu” - at port 80, - valid from time t 1 to t 3, and - allows B to further delegate grantConnect(A, B, h, p, v) :- h   edu,stanford , p=80, v  [t 1, t 3 ] grantConnect(A, x, h, p, v) :- grantConnect(B, x, h, p, v), h   edu,stanford , p=80, v  [t 1, t 3 ]

Useful Constraint Domains tTree domains: - Path expressions  a1,a2, ,ak   E.g.,  pub,software  for /pub/software - Primitive constraint: x=y or x   a1, ,ak , where   {=, <, , ,  } tRange domains: - Primitives: x=y, x=c, or, x  (c1, c2) tDiscrete domains with finite sets: - Primitive constraint: x=y, x  {c1,c2, ,cj}

RT Accomplishments tRT language design tRT deduction, trust negotiation - Fast distributed deduction, constraints tComparative analysis: KeyNote, SPKI 2.0 tSafety and availability analysis - HRU undecidability => RT poly-time, NP, Pspace tSample applications - August scheduling, UStorIt file sharing, ATN, … tTransitions - IBM privacy, InnerPresence, NTT DoCoMo, Hitachi

Complementary Approach tRT starts with a tractable fragment of first-order logic (Datalog) and extends it t[HW] start with an intractable language (first-order logic) and restricts it Result: [HW] can capture policies that forbid actions expressed using functions

Sample policies tMany policies explicitly forbid actions - `Smoking is prohibited in the dining areas of all restaurants seating more than 35 people’ NYC Smoke-Free Air Act - `The tickets may not be refunded’ is a policy of many theaters, special airline fares, … tFunctions are also useful  x 1 (Absent(x 1 ) => Permitted(Spouse(x 1 ), SpeakFor(x 1 ))) tExpressive: [HW] not easily expressed in RT tTractable: [HW] fragment decidable in poly time [Halpern, Weissman]

Multiple Policy Sets tBecause [HW] supports prohibitions, can detect conflicts between policies tE.g: detect conflicts between P ind and P mil - Find actions permitted, forbidden in P ind  P mil - Requires language that express prohibitions  If the policy language assumes any action that is not explicitly permitted is forbidden, then P ind and P mil conflict, unless they’re identical

Policy Combination Denied Permitted Denied Permitted Denied = + OK Denied Permitted Denied Permitted Denied = + ??

A Formal Foundation for XrML tXrML: a language for writing software licenses. - Very popular: to be supported by Microsoft, +++ tSpecification gives syntax, informal semantics, + algorithm to determine if a permission follows from a set of licenses. tWhat we’ve done: - Provided formal semantics for XrML - Found bugs in their algorithm - Proved their queries are NP-hard and - Found tractable fragments of XrML. tInteracting with XrML standards committee Current Work See Vicky’s poster for more details !

Critical Infrastructure Protection tMany critical infrastructures, national and DoD-specific, are decentralized tData sharing essential for operation, but data compromise can be catastrophic tResearch Question: How to share data safely, using policies that are easy to formulate, enforce, maintain tApproach: diffuse trust management

Assuring Software Quality tTechnology applicable to managing process interaction - Process A delegates rights to process B  For limited purpose, limited time, limited locations - Fine-grained control of process actions - Works for diffuse systems that escape normal controls imposed by localized OSs tDiffuse principle of least privilege

DoD Impact tDynamic coalitions - Partial sharing based on partial trust tJoint Vision 2010 / Joint Vision 2020 of “Network Centric” operations - Can use policy to push data, overcome network bandwidth limitations - Right data to right place at right time

Plans for Option tApplications and Transitions - Work with XrML developers on language and algorithm - IBM Privacy Project  Use RT algorithms for EPAL, P3P applications - Pursue commercial and DOD applications - Application to large policy sets (social security policies) tGeneralize results: RT  Datalog  PFOL tImprove implementation: RT 0  Datalog  PFOL tPolicy development environment and tools - User interface, XML-format, interoperability - Testing methodology, analysis methods

Architecture design for policy-based portal site Portal site Web service invoke service return results(customized by General Policy) User Service Provider access Authentication Authority Attribute Authority(A) Bob’s Policy(A) -Bob.Address <- CA -Bob.Job <- Student … General Policy -Discount <- Student … Web service Attribute Authority(B) Policy Decision Authority Bob’s Policy(B) -Bob.MembershipPoint <- high … invoke service return results(customized by Bob’s Policy(B)) Attribute Assertion Authentication Assertion Bob’s Policy(A) -Bob.Address <- CA -Bob.Job <- Student … federated ID User doesn’t have a federated ID User has a federated ID Role-based Trust Management (TM) language (SOAP) (SAML) UDDI Registry register discover create (UDDI) Policy Decision Authority Attribute Authority(B) Attribute Authority(A) Authentication Authority Credential Chains (Liberty Alliance) Hitachi

Secure service infrastructure for heterogeneous overlay networks  Communication  Cooperation  Incentives  Delivery “Diffusion”

Automated Trust Negotiation tCredentials may contain sensitive information - need protection just as other resources - deduction must be interactive tThe Trust Target Graph (TTG) protocol - supports RT 0, which has delegation - supports distributed discovery of statements - supports Ack policies, which also protects against unauthorized leakage of attribute information tCryptographic protocols for ATN - Oblivious Signature-Based Envelope (OSBE)

Safety and Availability Analysis tOrganizations delegate partial control - What happens if other organizations change policy in the future without my knowledge? tGiven policy P and restriction R on changes - Simple safety: Is A.r  {D} possible?  PTIME - Simple availability: Is A.r  {D} necessary?  PTIME - Bounded safety: Is {D1, …, Dn}  A.r necessary?  PTIME

Complexity of Containment Analysis tGiven P and R, is A.r  B.r1 necessary? - Simple delegation  PTIME  Uses logic programs with stratified negation - Intersection  coNP-complete  Equivalent to determining validity in propositional logic - Linking  PSPACE-complete  Equivalent to containment of languages accepted by NFA - Linking+Intersection  decidable in coNEXP  Exact complexity unknown Decidability, PTIME stand in contrast to the HRU model, in which simple safety is undecidable

Implementation Status tJava inference engine for RT 0 tPreliminary version of RTML - an XML-based Encoding of RT statements - XML Schemas and parser exist tApplications - U-STOR-IT: Web-based file storage and sharing - August: A Distributed Calendar Program - Automated Trust Negotiation Demo by NAI - TNT Trust Negotiation architecture at BYU

NEED TO UPDATE Future SPYCE Directions tAccomplishments - Framework and logic for policy definition - Algorithms for policy enforcement - Some experience with capturing practical policy requirements from a variety of applications tChallenges - Continue implementation and deployment efforts - Policy development algorithms and tools  Debugging and testing, safety and availability analysis - Additional challenges  Policy privacy, Automated trust negotiation, Revocation

Sample Applications tAugust Distributed Calendar tUSTORIT tSocial security database - policy to qualify for social security tLibrary policy - Have to administer copyright - Who is allowed to access course notes? tXrML - Commercial license and rights framework

August: Distributed Calendar tUsers define groups, maybe interdependent tEach user has a calendar and can specify policy which determines - who is allowed to view each part of the user's calendar - who is allowed to add an activity of a certain kinds at a certain time

U-STOR-IT: Web-based sharing tUser auth: SSL and X.509 certificates tUsers define interdependent groups tLocker - Hierarchical folder of heterogeneous files - Locker/file upload/access policy set by owner tPolicies translated into RT tImplement w/Java Servlets and MySQL

IBM collaboration, Startup