September 2006 1 XACML: Consistency analysis Luigi Logrippo Université du Québec University of Ottawa

Slides:



Advertisements
Similar presentations
Testing Relational Database
Advertisements

QUN NI 1, SHOUHUAI XU 2, ELISA BERTINO 1, RAVI SANDHU 2, AND WEILI HAN 3 1 PURDUE UNIVERSITY USA 2 UT SAN ANTONIO USA 3 FUDAN UNIVERSITY CHINA PRESENTED.
Access control for geospatial information objects using/extending the eXtensible Access Control Markup Language Andreas Matheus, Technische Universität.
1 Authorization XACML – a language for expressing policies and rules.
2-May-15 GUI Design. 2 HMI design There are entire college courses taught on HMI (Human-Machine Interface) design This is just a very brief presentation.
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
Conventional design Identifies functions and data structures as separate entities Identifies functions and data structures as separate entities Then Defines.
Programming with Alice Computing Institute for K-12 Teachers Summer 2011 Workshop.
Approaches to generalization of XACML New challenges for access control 27 th April 2005 Tim Moses.
Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais.
8.2 Discretionary Access Control Models Weiling Li.
Introduction to Database Management  Department of Computer Science Northern Illinois University January 2001.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
NaLIX: A Generic Natural Language Search Environment for XML Data Presented by: Erik Mathisen 02/12/2008.
A Privacy Policy Enforcement System Kaniz Fatema David Chadwick Stijn Lievens University of Kent School of Computing Canterbury, UK Primelife IFIP Summer.
Chapter 9 Describing Process Specifications and Structured Decisions
Academic Advisor: Prof. Ronen Brafman Team Members: Ran Isenberg Mirit Markovich Noa Aharon Alon Furman.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
IS550: Software requirements engineering Dr. Azeddine Chikh 4. Validation and management.
XACML By Ganesh Godavari Craig Peltier. Information Sharing Information Sharing relates to the sharing of information between two or more entities. Entities.
Configuration Management
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 10 Slide 1 Formal Specification.
Logic Gates Circuits to manipulate 0’s and 1’s. 0’s and 1’s used for numbers Also to make decisions within the computer. In that context, 1 corresponds.
Review for Final Exam Systems of Equations.
Fundamentals of Python: From First Programs Through Data Structures
WRITING EFFECTIVE S. Before writing the Make a plan! Think about the purpose of the Think about the person who will read the and.
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
XACML Gyanasekaran Radhakrishnan. Raviteja Kadiyam.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
XACML Briefing for PMRM TC Hal Lockhart July 8, 2014.
The Game of Algebra or The Other Side of Arithmetic The Game of Algebra or The Other Side of Arithmetic © 2007 Herbert I. Gross by Herbert I. Gross & Richard.
456/556 Introduction to Operations Research Optimization with the Excel 2007 Solver.
Dataface API Essentials Steve Hannah Web Lite Solutions Corp.
September Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais
Chapter 9 Describing Process Specifications and Structured Decisions
Authorization Infrastructure, a Standards View Hal Lockhart OASIS.
ITEC224 Database Programming
1 Luigi Logrippo Kamel Adi Inconsistency and incompleteness in security policies
CatBAC: A Generic Framework for Designing and Validating Hybrid Access Control Models Bernard Stepien, University of Ottawa Hemanth Khambhammettu Kamel.
 To explain the importance of software configuration management (CM)  To describe key CM activities namely CM planning, change management, version management.
Linear Programming McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
XACML – The Standard Hal Lockhart, BEA Systems. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
Elisa Bertino Purdue University Pag. 1 Security of Distributed Systems Part II Elisa Bertino CERIAS and CS &ECE Departments Purdue University.
1 Dept of Information and Communication Technology Creating Objects in Flexible Authorization Framework ¹ Dep. of Information and Communication Technology,
©1999 Addison Wesley Longman Slide 1.1 Business Processes 3.
Problem Solving Techniques. Compiler n Is a computer program whose purpose is to take a description of a desired program coded in a programming language.
11 Usage policies for end point access control  XACML is Oasis standard to express enterprise security policies with a common XML based policy language.
CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.
Formal Semantics for Rule-Based Systems 報告者:黃怡玲 指導教授:丁德榮.
C HAPTER 34 Code Blue Health Sciences Edition 4. Confidentiality of sensitive information is an important issue in healthcare. Breaches of confidentiality.
Computer Science 1 Detection of Multiple-Duty-Related Security Leakage in Access Control Policies JeeHyun Hwang 1, Tao Xie 1, and Vincent Hu 2 North Carolina.
11 Restricting key use with XACML* for access control * Zack’-a-mul.
1 Access Control Policies: Modeling and Validation Luigi Logrippo & Mahdi Mankai Université du Québec en Outaouais.
Department of Computer Science PCL: A Policy Combining Language EXAM: Environment for Xacml policy Analysis & Management Access Control Policy Combining.
1 Program Development  The creation of software involves four basic activities: establishing the requirements creating a design implementing the code.
Old Dominion University1 eXtensible Access Control Markup Language [OASIS Standard] Kailash Bhoopalam Java and XML.
Condition Testing. Condition testing is a test case design method that exercises the logical conditions contained in a program module. A simple condition.
1 Ontology based Policy Interoperability Dr. Latifur Khan Tahseen Al-Khateeb Mohammad Alam Mohammad Farhan Husain.
Access Control Policy Languages in XML Lê Anh Vũ Võ Thành Vinh
ALLOY: A Formal Methods Tool Glenn Gordon Indiana University of Pennsylvania COSC 481- Formal Methods Dr. W. Oblitey 26 April 2005.
Chapter 3 Systems of Equations. Solving Systems of Linear Equations by Graphing.
1 Week 1 Introduction, Writing a Program, Building a System Software Engineering Fall Term 2015 Marymount University School of Business Administration.
Database Management.
Normalization Karolina muszyńska
Condition Testing.
Validating Access Control Policies with Alloy
Security policy systems and their consistency problems
A handbook on validation methodology. Metrics.
Presentation transcript:

September XACML: Consistency analysis Luigi Logrippo Université du Québec University of Ottawa

2 XACML A language to specify access control constraints to computing resources To files, equipment, web services … OASIS standard

3 Applications Access control is becoming very important in the presence of strict accessibility and privacy laws And the possibility of remote access via web services Example: in a hospital Statistician can access files for reading patient data, but not names Physician can access for read/write most info for her patients But not billing info Patient can read selected information on her record Accountant can… etc. etc.

4 A professor can perform any action on the file of the course she teaches Professor Example of XACML Rule

5 XACML architecture (from the standard) Policy Enforcement Point Policy Decision Point Policy Application Point Policy Information Point

6 XACML structure Policy sets include sets of Policies which are sets of Rules We will consider here only rules Without policy sets or policies

7 Goals Study different relationships between rules and policies Determine the impact of these relationships, leading to possible inconsistencies Inconsistencies can lead to privacy breaches Or system malfunctions Resolution of inconsistencies, in view of the relationships Focus on XACML, but trying to generalize

8 Rule structure in XACML Condition A condition is a Boolean function. If the Condition evaluates to true, then the Rule's Effect (Permit or Deny) is returned. If the Condition evaluates to false, the Condition doesn't apply (NotApplicable). Evaluation of a Condition can also result in an error (Indeterminate). Target A Target is essentially a set of simplified conditions for the Subject, Resource and Action that must be met for a PolicySet, Policy or Rule to apply to a given request. We will discuss mostly targets

9 Targets A target associates a request for resource to an applicable Policy Set, Policy, or Rule It expresses simple conditions that the request must meet for the Policy Set, Policy, or Rule to be applicable Does the request come from a ‘doctor’ who wants to ‘read’ ‘her patient’s file’? If so, permit Each Rule, Policy, Policy set, can return with any of: Permit Deny Not Applicable Indeterminate (essentially, an error to be solved at the user level)

10 Possible relationships between targets Disjunction Non-empty intersection Inclusion Equality Of: Subjects Resources Actions

11 Disjunction There is disjunction between targets if subjects, resources, and actions are all distinct Disjunction between the targets of two policy sets, policies, or rules means that there is no case in which both are applicable OK, then

12 Non-empty Intersection There is nonempty intersection between two targets if: The set of subjects intersect and The set of resources intersect and The set of actions intersect Example: (deny) (Executives) (databases A, B, C) (action read, write) (accept) (Employees) (database B, D) (action write) Executives, being employees, have conflicting write rights on B

13 Inclusion of target T1 in target T2 (special case of nonempty intersection) There is inclusion between two targets if: The set of subjects of T1 is included in the set of subjects of T2 and The set of resources of T1 is included in the set of resources of T2 and The set of actions of T1 is included in the set of actions of T2 Example: (accept) (executives) (databases B) (action write) (deny) (employees) (database A,B,C) (any action)

14 Equality (special case of nonempty intersection) Subjects, target, action are all the same Almost certainly, an error

15 Other cases? Is it useful to consider other cases? E.g. The set of subjects of T1 is included in the set of cases of T2 But the set of actions of T2 is included in the set of actions of T1 Possibly, for diagnostics to user …

16 Resolution in XACML PDP, Policy Decision Point, takes the decision for a specific request Contrary to firewalls, all rules are evaluated If all rules agree, they provide a decision In case of nonempty intersection (which is implied by inclusion or equality), more than one rule is applicable

17 Combining algorithms In XACML, the user can provide to PDP Rule Combining Algorithms (to decide disagreements of rules within a Policy). Policy Combining Algorithms (to decide disagreements of policies within a Policy Set)

18 Four standard rule combining algorithms are predefined Permit override: if there is a permit, the final decision is a permit, even if there are denials Deny override: the converse First applicable (as for firewalls) Only-one-applicable: if different rules or policies lead to different conclusions, then the result is indeterminate : ( error) Presupposes the existence of an external instance which takes a decision Other rule combining algorithms can be defined by user

19 User Interfaces for policy creation Ideally, policies should be created and modified directly by privacy specialists Often people with limited computing expertise These people should be able to Enter policies by clicking on boxes Or in English-like language Obtain diagnostics in clear Exercise different cases What will happen if Joe wants to write on file X? Need of appropriate GUIs

20 Decisions and user intentions Since systems can have many rules, the existence of different rules for the same cases indicates the possibility of user error Some user intention which is not properly represented This is particularly obvious in the case of target/condition equality If there are two rules that apply exactly to the same cases, there is a mistake One of the two should be removed In addition, inclusions and non-empty intersections are suspicious

21 Difficulty of the problem While detecting non-empty intersections, inclusions or equalities is conceptually easy in targets It is slightly more difficult in conditions, which can be arbitrary Boolean expressions In the end, these both appear to be constraint satisfaction problems (exponential?) Examples we have seen have few variables, thus problem is still tractable But in the case of conditions there can be more variables to be considered

22 Tools for detecting intersections Coq, a theorem-proving tool developed at INRIA Alloy, a model-checker developed at MIT Z-Eves Constraint programming languages, e.g. Prolog Implementation in standard programming languages such as C is possible, but requires more work

23 Case of policies with priorities (e.g. first applicable: case of firewalls) Interesting situations to be identified: Shadowing: the cases of a lower priority policy are all included in the cases of a higher priority policy Lower priority policy is redundant Includes case where two rules have equal domains Specialization: cases of a higher priority policy are all included (proper inclusion) in the cases of a lower priority policy This is the case of exceptions, usually OK But user should be informed Other cases of nonempty intersection betw. high and low prio. policies: These cases are usually suspicious!

24 User Interface User should be informed of all cases where different outcomes are possible, independent of combining algorithms Similar to compilation errors in programming languages, User should be requested to decide whether each case is OK or should be corrected What means of correction should be provided to user?

25 Choices provided to user Remove a policy Disable a policy (deactivate, but leave it for possible future use) Edit – Modify a policy Change the priorities of policies Add new policies, possibly exceptions Tolerate the conflict

26 Suggestions to user If Shadowing (a ‘dead’ policy) Remove - disable one or more policies? Reverse priorities? Edit one or more policies? If Specialization (an exception) Check that exception is wanted If user says ‘no’ then other actions are suggested Other cases Remove or disable one or more policies? Replace or edit policies for more appropriate ones? Once changes have been made, the set of policies must be rechecked: Iterative process

27 XACML and beyond XACML goes beyond firewalls, in that it addresses the issue of access control at the enterprise level However research is continuing on appropriate access control languages in view of general or specific enterprise access control needs

28 Conclusions Strict accessibility and privacy laws will require increasing attention to this area Security can be compromised by inappropriately formulated access control rules Formal methods will allow formal auditing of accessibility and privacy policies, as precise as formal accounting of financial records! Tools to do this are available, but must be adapted

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.