Presentation is loading. Please wait.

Presentation is loading. Please wait.

Policy Description & Enforcement Languages Anis Yousefi

Published byFay Diana Boone Modified over 9 years ago

Similar presentations

Presentation on theme: "Policy Description & Enforcement Languages Anis Yousefi"— Presentation transcript:

1 Policy Description & Enforcement Languages Anis Yousefi anis.yousefi@mehr.sharif.edu

2 sharif university of technology2 Outline  Motivation and background  Related work Rei: A RDF Schema-based language for policy specification. KAoS: A policy representation language based on OWL. Ponder: An object-oriented policy language for the management of distributed systems and networks.  Some issues

3 sharif university of technology3 Motivation  A key need for the vision of the Semantic Web and Pervasive Computing to succeed is the ability to handle security and privacy and the ability to automate these protocols.  A good approach: Policy based security and privacy protection  Until recently: semantic web languages representing web content & services  Our goal: to find suitable semantic web languages to describe and reason about policies

4 sharif university of technology4 Policy Advantages  Automated system management & Controlling the behavior of complex systems  Allowing administrators to modify system behavior without changing source code or requiring the consent or cooperation of the components being governed  separation of rules that govern the behavior of a system from the functionality provided by that system

5 sharif university of technology5 Benefits of policy-based approaches  Reusability  Efficiency  Extensibility  Context sensitivity  Verifiability  Support for both simple & sophisticated components  Protection from poorly designed, buggy or malicious components  Reasoning about component behavior

6 sharif university of technology6 Approach  It is not feasible to expect all entities to use the same terminology to represent security protocols and information.  This forces the use of a semantic language like RDF-S, DAML+OIL or OWL whose constructs help entities better understand the meaning of the security information.  A security framework for the Semantic Web and PerCompEnv needs to be flexible, semantically rich and simple enough to automate.

7 sharif university of technology7 Possible Representation of polices on each layer  Object-Oriented language Ponder  XML XACML, P3P  RDF + RDF Schema Rei  OWL (DAML + OIL) KAoS  Rules (logic) …

8 sharif university of technology8 KAoS  Collection of componentized agent services compatible with several agent frameworks : Corba, Nomads, …  KAoS domain services provide the capability for groups of software components, people, resources, and other entities to be organized into domains and subdomains to facilitate agent-agent collaboration and external policy administration.  KAoS policy services allow for the specification, management, conflict resolution, and enforcement of policies within domains. Policies are currently represented in DAML+OIL as ontologies. (soon OWL)

9 sharif university of technology9 KAoS Policy Ontology  KPO (KAos Policy Ontology): distinguish between authorizations & obligations  Obligations: constraints that require some action to be performed or else serve to waive such a requirement  Authorizations: constraints that permit or forbid some action  Policy type: Positive|negative Obligation|Authorization  Policy: instance of policy type  Properties & Property restrictions

10 sharif university of technology10 Example of DAML policy representation in KAoS  Members of domain A are permitted to communicate to the outside of its domain using encrypted communication

11 sharif university of technology11 features  Work with arbitrary written components  Dynamic runtime policy changes  Extensible to a variety of execution platforms which policy enforcement mechanisms may be written  Robust & Adaptable – attack or failure of components  Easy-to-use policy-based administration tools: GUI for monitoring, visualizing & dynamically modifying policies at runtime

12 sharif university of technology12 KPAT  KAos Policy Administration Tool  Graphical tool for policy specification, revision & application, brows and load ontologies, deconflict newly defined policies.  Policy templates: high level, domain specific abstraction  Rich set of queries

13 sharif university of technology13 Conflict detection - KAoS  At specification time: add new policy to dirctory service  Three types of conflict positive vs. negative authorization positive vs. negative obligation positive obligation vs. negative authorization  The algorithms rely on Stanford ’ s Java Theorem Prover (JTP)

14 sharif university of technology14 Policy deployment Model-KAos  Domain manager: management of domains of agents and assures policy consistency at all the levels of the domain hierarchy  Directory Service: overall policy management  Gaurds: interpret policies and pass them on to enforcers  Enforcers: platform-specific components

15 sharif university of technology15 Rei: A policy language  Policy framework: specification, analysis & reasoning in PerComp  The Rei deontic concept-based policy language allows users to express and represent the concepts of rights, prohibitions, obligations, and dispensations. (+,- A,O in KAoS & Ponder)  Rei relies on an application-independent ontology to represent the concepts of rights, prohibitions, obligations, dispensations, and policy rules.

16 sharif university of technology16 Rei elements  Policy: rules, entities, domain, (rights, … )  Basic ontology include actions: unique action ID, target obj, pre- defined cond, effects  Speech acts: dynamically exchange rights & obligations between entities  Meta-policies: resolve policy conflicts

17 sharif university of technology17 Example of Rei policy specification  Rei ’ s concepts of rights, permissions, obligations, dispensations, and policy rules are represented as Prolog predicates.  NO GUI  Role-based access control policies

18 sharif university of technology18 Reasoning - Rei  The Rei framework provides a policy engine that reasons about the policy specifications. The engine accepts policy specification in both the Rei language and in RDF-S, consistent with the Rei ontology. RDF to (subject, predicate, object)  The engine is consistent and complete and allows queries according to the Prolog language about any policies, meta-policies, and domain dependent knowledge that have been loaded in its knowledge base.

19 sharif university of technology19 Conflict detection - Rei  Modality conflicts +overlap in subject, target & action  Meta Policies Setting priorities between policies or rules Setting modality precedence

20 sharif university of technology20 Policy deployment model-Rei  Policy engine: reason about policies & reply to queries  No enforcement model  No protection from malicious or non- compliant components or agents

21 sharif university of technology21 Ponder  Declarative object-oriented language  Specification of management policies for distributed object systems  Basic Policy: rules governing choices in system behavior Set of subjects and set of targets with management responsibility: have the authority to initiate a management decision  Composite Policy: grouping basic policies of organization Role: groups of policies governing the behavior of the same subject by specifying its rights & duties Relationship: right & duties of rules towards each other

22 sharif university of technology22 Ponder policy  Two fundamental policy types obligation authorization  obligation: the actions that policy subjects must perform on target entities when specific relevant events occurs  authorization: what operations a subject is authorized to do on target objects  Management domains: group of objects to which policies apply

23 sharif university of technology23 Policy specification  Type policy: user defined policy types  Parameterized : context specific  Policy instances  No default rules: permit or forbid action?

24 sharif university of technology24 An example of Ponder authorization policy The policy specifies that the professor principals have read access to all the exercise files of their students only during the opening hours of the school, i.e. from 7 am to 7 pm and from Monday to Friday.

25 sharif university of technology25 Ponder tools  Ponder provides various graphical tools for editing, updating, removing, and browsing Ponder policies.  There are also tools for syntactic and semantic analysis of policy specifications and for transforming Ponder language specifications directly into XML or Java code that can be interpreted at runtime.

26 sharif university of technology26 Conflict detection - Ponder  A prototype conflict detection tool to detect overlaps and conflicts between policies. Modality conflicts: policies with modalities of opposite signs that refer to the same subjects, targets & actions Ex: conflicts between permissions & prohibitions or between obligations and prohibitions Application specific conflicts: policy content & external criteria Ex: conflict between an obligation to access a resource and a limitation on the resource availability

27 sharif university of technology27 Policy deployment model- Ponder  Policy specification  Ponder compiler: java class, java object  Runtime changes not possible  Distribution and enforcement model: distinguish between authorization and obligation policies  Specification of the interfaces for enforcement agents but NO implementation  Some systems implement in application domain

28 sharif university of technology28 Issues  Choice should be driven by the characteristics of the application domain and by Simplicity, readability, analyzability scalability and enforceability requirements  Ontology advantages: Complex systems: multiple levels of abstraction Description of the environment using concepts: simplifying the description, facilitating analysis & reasoning, conflict detection Simplify the access to policy information: quering the ontology accotding its schema dynamically calculating relations between policies and environment Sharing: negotiate between entities and agree  Technical difficulties Complex syntax Long declarative description Hyperlinks & references to external resources (Ponder, DAML) Gap between specifiactionand implementation of policies

29 sharif university of technology29 References  G. Tonti, etc, "Semantic Web Languages for Policy Representation and Reasoning: A Comparison of KAos, Rei, and Ponder", ISWC'03, 2003  A. Uszok, etc, "KAoS Policy and Domain Services: Toward a Description-Logic Approach to Policy Representation, Deconfliction, and Enforcement", Policy'03, 2003  L. Kagal, etc, "A Policy Based Approach to Security for the Semantic Web", ISWC'03, 2003  N. Damianou, etc, "The Ponder Policy Specification Language", Policy'01, 2001  T. Finin, etc, "Agents, Trust, and Information Access on the Semantic Web", ACM SIGMOD Record, 2002  Y. Hu, etc, "Trust on the Semantic Web Pyramid: Some Issues and Challenges", ISWC'03, 2003  L. Kagal, etc, "Authorization and Privacy for Semantic Web Services", IEEE Computer Society, 2004

Download ppt "Policy Description & Enforcement Languages Anis Yousefi"

Similar presentations

Ontology-Based Computing Kenneth Baclawski Northeastern University and Jarg.

Ontology-Based Computing Kenneth Baclawski Northeastern University and Jarg.
ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
1 Ontolog OOR Use Case Review Todd Schneider 1 April 2010 (v 1.2)

1 Ontolog OOR Use Case Review Todd Schneider 1 April 2010 (v 1.2)
TU e technische universiteit eindhoven / department of mathematics and computer science Modeling User Input and Hypermedia Dynamics in Hera Databases and.

TU e technische universiteit eindhoven / department of mathematics and computer science Modeling User Input and Hypermedia Dynamics in Hera Databases and.
CH-4 Ontologies, Querying and Data Integration. Introduction to RDF(S) RDF stands for Resource Description Framework. RDF is a standard for describing.

CH-4 Ontologies, Querying and Data Integration. Introduction to RDF(S) RDF stands for Resource Description Framework. RDF is a standard for describing.
Semantic Web Thanks to folks at LAIT lab Sources include :

Semantic Web Thanks to folks at LAIT lab Sources include :
1 UIM with DAML-S Service Description Team Members: Jean-Yves Ouellet Kevin Lam Yun Xu.

1 UIM with DAML-S Service Description Team Members: Jean-Yves Ouellet Kevin Lam Yun Xu.
A Cooperative Approach to Support Software Deployment Using the Software Dock by R. Hall, D. Heimbigner, A. Wolf Sachin Chouksey Ebru Dincel.

A Cooperative Approach to Support Software Deployment Using the Software Dock by R. Hall, D. Heimbigner, A. Wolf Sachin Chouksey Ebru Dincel.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 12 Slide 1 Distributed Systems Design 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 12 Slide 1 Distributed Systems Design 2.
Introduction to Databases

Introduction to Databases
Interoperability of Distributed Component Systems Bryan Bentz, Jason Hayden, Upsorn Praphamontripong, Paul Vandal.

Interoperability of Distributed Component Systems Bryan Bentz, Jason Hayden, Upsorn Praphamontripong, Paul Vandal.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
KAoS Semantic Policy and Domain Services An Application of DAML/OWL to a Web-Services Based Grid Architecture.

KAoS Semantic Policy and Domain Services An Application of DAML/OWL to a Web-Services Based Grid Architecture.
Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.

Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.

1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.
File Systems and Databases

File Systems and Databases
UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.

UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.
Community Manager A Dynamic Collaboration Solution on Heterogeneous Environment 2006.06.26 Hyeonsook Kim  2006 CUS. All rights reserved.

Community Manager A Dynamic Collaboration Solution on Heterogeneous Environment Hyeonsook Kim  2006 CUS. All rights reserved.
Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense

Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense

Similar presentations

Ads by Google