Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Policy John Mitchell Stanford University. Research directions uProblem Access policy: specification and enforcement uApproach Tractable subsets.

Publish Modified over 9 years ago

Similar presentations

Presentation on theme: "Access Policy John Mitchell Stanford University. Research directions uProblem Access policy: specification and enforcement uApproach Tractable subsets."— Presentation transcript:

1 Access Policy John Mitchell Stanford University

2 Research directions uProblem Access policy: specification and enforcement uApproach Tractable subsets of first-order logic uAccomplishments Policy languages, algorithms, demo applications uTransitions to Industry Collaboration, start-up, students to industry, industrial visitor to Stanford uContinuing efforts Interface w/commercial approaches: XrML, EPAL, P3P Policy development environment: algorithms, tools

3 Policy at site A may govern resources at site B Protect distributed resources with distributed policy Distributed Access Control Policy Resource Policy Resource Policy Resource ID

4 Decentralized Policy Example AliceEPub StateU is a university Alice is a student Grants access to university students Trusts universities to certify students Trusts ABU to certify universities StateU ABU

5 Policy Combination uBuild policy templates Policy 1: Generic hospital/clinic policy Policy 2: Additional decisions for this clinic uCoalitions Policy 1: Your company Policy 2: Another company that makes a business deal with you

6 Plan Analyze Enforce Measure Improve Policy Management Lifecycle

7 Policy lifecycle issues uRequirements capture What should the policy say? uDevelopment Adapt standard modules; build new ones; combine uEvaluation Does the policy say what we want? –Analysis Testing Debugging uCompliance Can the policy be enforced by info system? uMaintenance Change as needed as requirements evolve

8 Policy Language and Deduction uSpecification State policy succinctly and directly Confident that policy captures intention uEnforcement Deduction, proof of compliance uManage policy lifecycle Policy development tools Safety and availability analysis Core Issue

9 SPYCE Approach uTractable subsets of first-order logic Datalog –If-then patterns without function symbols or negation –Standard database query formalism Constraint Datalog –Constraints based on constraint domains –Hierarchies, intervals, discrete sets Polarity-restricted FOL (“Lithium”) –Allows function symbols, negation –Supports modular combination of policies

10 General policy form uA policy statement has the form:  x 1,…,  x m (Condition  (+/-) Permitted(principal, privilege)) where Condition is a conjunction of literals; principal is individual [HW] or group [LM] privilege can be action [HW] or group [LM] Yale Feigenbaum, Li Cornell Halpern, Weissman Stanford Li, Mitchell, …

11 Role-based Trust-management (RT) RT 0 : Decentralized Roles RT 1 : Parameterized Roles RT T : for Separation of Duties RT D : for Selective Use of Role memberships RT 2 : Logical Objects RT T and RT D can be used (either together or separately) with any of the five base languages: RT 0, RT 1, RT 2, RT 1 C, and RT 2 C RT 1 C : structured resources RT 2 C : structured resources [Li, Mitchell, Winsborough, …]

12 Recall example AliceEPub StateU is a university Alice is a student Grants access to university students Trusts universities to certify students Trusts ABU to certify universities StateU ABU

13 Example RT 0 credentials 1.StateU.stuID  Alice 2.ABU.accredited  StateU 3.EPub.university  ABU.accredited 4.EPub.student  EPub.university.stuID 5.EPub.access  EPub.student Together, five statements prove Alice is entitled to access

14 Distributed Policy Alice EPub StateU ABU ABU.accredited  StateU COE.stuID  Alice EPub.university  ABU.accredited EPub.student  EPub.university.stuID StateU.stuID  COE.stuID COE

15 Privacy uPolicy Companies state privacy policy on web site This is legally binding uOutsourcing and coalitions Many companies outsource specific functions Partners may not have same privacy policies Partners may have conflicting business objectives

16 Web Architecture and Privacy Database System Application Enterprise Portal Policy!Enforcement?

17 Who cares about privacy? uCompanies with P3P policy P3P policy makes promise to customers Company is legally obligated to comply uOrganizations facing compliance Healthcare, financial institutions Government uCompanies with customer assets “Privacy” means that customer assets are not compromised Banks must preserve secrecy of customer SSN

18 JetBlue information flow Source: A Anton JetBlue info collected by OpenSkies is shared info with Torch Concepts. Torch combined JB info with data from Acxiom, has no stated privacy policy.

19 EPAL Concepts uCondition, ruling, obligations If condition then outcome Outcome = ruling  obligations Ruling = { yes, no, don’t care} Obligations: actions that must occur uExamples If employee owns the file then yes If anyone accesses data then don’t care and log the request IBM privacy language

20 Policy Combination Denied Permitted Denied Permitted Denied = + OK Denied Permitted Denied Permitted Denied = + ??

21 Policy language design space Permit only Permit / Deny Resolve contradiction Can be contradictory EPAL Ordered

22 EPAL order priority uIntuitive ? Need to give exception before general case –Birds can fly –Penguins cannot fly uEfficiency Cannot evaluate sub-policies in parallel uScalability How to combine separate sub-policies?

23 Some examples uUnreachable If male then yes If female then no If manager then no uInapplicable If manager then yes If VP then no If male then no u Ineffective If VP then {run} If manager then {run, jump} u Redundant If manager then {run, jump} If VP then {run} A policy editor could detect these situations Big problem: combination of EPAL policies may not be EPAL policy

24 Datalog As A Foundation uNatural Security policy statements are if-then rules uPrecise Declarative and widely-understood semantics uTractable No function symbols  tractability Efficient goal-directed evaluation procedures uAvailable technology Extensive Datalog research in LP and DB

25 Better: Constraint Datalog uWhy constraints: Datalog cannot easily express permissions about structured resources and ranges uWhat is Constraint Datalog Special form of CLP; query language for Constraint DB uA Constraint Datalog rule: R 0 (x 0 ) :- R 1 (x 1 ),..., R n (x n ),  (x 0, x 1, …, x n ) –x 0, x 1, …, x n are tuples of variables –  is a constraint in all the variables

26 Example Policy with Constraints uA grants to B the permission to connect to hosts in the domain “stanford.edu” at port 80, valid from time t 1 to t 3, and allows B to further delegate grantConnect(A, B, h, p, v) :- h   edu,stanford , p=80, v  [t 1, t 3 ] grantConnect(A, x, h, p, v) :- grantConnect(B, x, h, p, v), h   edu,stanford , p=80, v  [t 1, t 3 ]

27 Useful Constraint Domains uTree domains: Path expressions  a1,a2, ,ak  –E.g.,  pub,software  for /pub/software Primitive constraint: x=y or x   a1, ,ak , where   {=, <, , ,  } uRange domains: Primitives: x=y, x=c, or, x  (c1, c2) uDiscrete domains with finite sets: Primitive constraint: x=y, x  {c1,c2, ,cj}

28 RT Accomplishments uRT language design uRT deduction, trust negotiation Fast distributed deduction, constraints uComparative analysis: KeyNote, SPKI 2.0 uSafety and availability analysis HRU undecidability => RT poly-time, NP, Pspace uSample applications August scheduling, UStorIt file sharing, ATN, … uTransitions IBM privacy, InnerPresence, NTT DoCoMo, Hitachi

29 Implementation Status uJava inference engine for RT 0 uPreliminary version of RTML an XML-based Encoding of RT statements XML Schemas and parser exist uApplications U-STOR-IT: Web-based file storage and sharing August: A Distributed Calendar Program Automated Trust Negotiation Demo by NAI TNT Trust Negotiation architecture at BYU

30 Architecture design for policy-based portal site Portal site Web service invoke service return results(customized by General Policy) User Service Provider access Authentication Authority Attribute Authority(A) Bob’s Policy(A) -Bob.Address <- CA -Bob.Job <- Student … General Policy -Discount <- Student … Web service Attribute Authority(B) Policy Decision Authority Bob’s Policy(B) -Bob.MembershipPoint <- high … invoke service return results(customized by Bob’s Policy(B)) Attribute Assertion Authentication Assertion Bob’s Policy(A) -Bob.Address <- CA -Bob.Job <- Student … federated ID User doesn’t have a federated ID User has a federated ID Role-based Trust Management (TM) language (SOAP) (SAML) UDDI Registry register discover create (UDDI) Policy Decision Authority Attribute Authority(B) Attribute Authority(A) Authentication Authority Credential Chains (Liberty Alliance) Hitachi

31 Open Problems uEvaluation Complete study of EPAL uExtend RT languages Denying policies – for policy combination Obligations uDistributed enforcement algorithms uPolicy lifecycle tools Safety analysis, resolve conflicts in policy combination Enforcement policy  Advertised policy ?

32 Critical Infrastructure Protection uMany critical infrastructures, national and DoD-specific, are decentralized uData sharing essential for operation, but data compromise can be catastrophic uResearch Question: How to share data safely, using policies that are easy to formulate, enforce, maintain uApproach: diffuse trust management

33 Assuring Software Quality uTechnology applicable to managing process interaction Process A delegates rights to process B –For limited purpose, limited time, limited locations Fine-grained control of process actions Works for diffuse systems that escape normal controls imposed by localized OSs uDiffuse principle of least privilege

34 DoD Impact uDynamic coalitions Partial sharing based on partial trust uJoint Vision 2010 / Joint Vision 2020 of “Network Centric” operations Can use policy to push data, overcome network bandwidth limitations Right data to right place at right time

35 Plans uApplications and Transitions Work with XrML developers on language and algorithm IBM Privacy Project –Extend RT algorithms to EPAL, P3P applications Pursue commercial and DOD applications Larger policy sets, Network policies uGeneralize results: RT  Datalog  PFOL uImprove implementation: RT 0  Datalog  PFOL uPolicy development environment and tools User interface, XML-format, interoperability Testing methodology, analysis methods

36

37

38 Automated Trust Negotiation uCredentials may contain sensitive information need protection just as other resources deduction must be interactive uThe Trust Target Graph (TTG) protocol supports RT 0, which has delegation supports distributed discovery of statements supports Ack policies, which also protects against unauthorized leakage of attribute information uCryptographic protocols for ATN Oblivious Signature-Based Envelope (OSBE)

39 August: Distributed Calendar uUsers define groups, maybe interdependent uEach user has a calendar and can specify policy which determines who is allowed to view each part of the user's calendar who is allowed to add an activity of a certain kinds at a certain time

40 U-STOR-IT: Web-based sharing uUser auth: SSL and X.509 certificates uUsers define interdependent groups uLocker Hierarchical folder of heterogeneous files Locker/file upload/access policy set by owner uPolicies translated into RT uImplement w/Java Servlets and MySQL

Download ppt "Access Policy John Mitchell Stanford University. Research directions uProblem Access policy: specification and enforcement uApproach Tractable subsets."

Similar presentations

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
Operating System Security

Operating System Security
D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.

D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.
Rule based Trust management using RT - second lecture Sandro Etalle thanks to Ninghui Li - Purdue William H. Winsborough – University of Texas S. Antonio.

Rule based Trust management using RT - second lecture Sandro Etalle thanks to Ninghui Li - Purdue William H. Winsborough – University of Texas S. Antonio.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.

Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.
Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford), and Helen Nissenbaum (NYU) TRUST Winter.

Privacy and Contextual Integrity: Framework and Applications Adam Barth, Anupam Datta, John C. Mitchell (Stanford), and Helen Nissenbaum (NYU) TRUST Winter.
1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.

1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.
Enterprise Privacy Promises and Enforcement Adam Barth John C. Mitchell.

Enterprise Privacy Promises and Enforcement Adam Barth John C. Mitchell.
Trust Management I Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy.

Trust Management I Anupam Datta Fall A: Foundations of Security and Privacy.
Trust Management II Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy.

Trust Management II Anupam Datta Fall A: Foundations of Security and Privacy.
Software Quality and Infrastructure Protection for Diffuse Computing FY2001 ONR CIP/SW URI Principal Investigator: Andre Scedrov Institution: University.

Software Quality and Infrastructure Protection for Diffuse Computing FY2001 ONR CIP/SW URI Principal Investigator: Andre Scedrov Institution: University.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Policy Languages and Enforcement John Mitchell Stanford 4 th IAPP Privacy Summit February 2004.

Policy Languages and Enforcement John Mitchell Stanford 4 th IAPP Privacy Summit February 2004.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
An Introduction to Decentralized Trust Management Sandro Etalle University of Twente thanks to William H. Winsborough – University of Texas S. Antonio.

An Introduction to Decentralized Trust Management Sandro Etalle University of Twente thanks to William H. Winsborough – University of Texas S. Antonio.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Understanding Active Directory

Understanding Active Directory
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Chapter 1 Overview of Databases and Transaction Processing.

Chapter 1 Overview of Databases and Transaction Processing.

Similar presentations

Ads by Google