Download presentation
Presentation is loading. Please wait.
Published byJose Gray Modified over 10 years ago
1
1 Formal Model and Analysis of Usage Control Dissertation defense Student: Xinwen Zhang Director: Ravi S. Sandhu Co-director: Francesco Parisi-Presicce Department of Information and Software Engineering School of Information Technology and Engineering George Mason University, Fall 2005
2
2 Outline Introduction Motivations & Problem Statement Background Usage control and TLA A Formalization of UCON A logical model to formalize state transitions in a single usage Policy specification flexibility of the logical model Expressive Power of UCON A model to formalize the global effects of a usage and accumulative results of a sequence of usages Relative expressive power between UCON A and traditional access control models Relative expressive power between UCON A and UCON B Safety Analysis of UCON Safety undecidability of the general UCON A model Safety decidable UCON A models Expressive power of safety decidable models Contribution Summary and Future Work
3
3 Motivations & Problem Statement Motivations of UCON A comprehensive unified model that fundamentally extends traditional access control models captures DRM and trust management systems A conceptual model has been presented by Park and Sandhu. Formalization of UCON Model is required for the precise semantics of the conceptual model for policy definition for the analysis of UCON properties. Two fundamental problems in access control: Expressive Power Safety Analysis
4
4 UCON Model (Park and Sandhu 2004) Attributes can be updated as side-effects of a usage: pre, ongoing, post and updates Attribute Mutability Core models: preA 0, preA 1, preA 2, preA 3, onA x, preB x, onB x preC x onC x A real model may be a combination of core models. Three phases of a usage process Decision in first two phases pre-decision: preA, preB, preC ongoing-decisions: repeatedly d ecision check during ongoing usage phase onA, onB, onC Decision Continuity
5
5 An Example Resource-constrained access control Limited number (10) of ongoing accesses to a single object When 11th subject requesting new access, one ongoing accessing will be revoked. Different revocation policies: By start time: the longest ongoing usage is revoked By idle time: the usage with the longest total idle time is revoked By total usage time: the usage with the longest accumulating usage time is revoked. Need decision continuity, attribute mutability, and ongoing access revocations
6
6 Temporal Logic of Actions (Lamport 1994) Basic terms of TLA: Variables and values State: assignment of values to variables Predicates: boolean expressions using variables in a single state Actions: boolean expressions using variables in two states. Future temporal operators: Past Temporal operators
7
7 Logical Model of UCON: Variables, States, Predicates Variables: role, group, clearance, credit Subject attributes: role, group, clearance, credit, etc. type, owner, access control list Object attributes: type, owner, access control list, etc. location, time, load System attributes: location, time, load, etc. A state of a UCON system is an assignment of values to attributes. Predicates: boolean expressions built from subject attributes, object attributes, and system attributes in a single state. Alice.credit > $1000, file1.classification = secure Dominate(Alice.clearance, file1.classification) (Bob, read) file2.ACL)
8
8 Logical Model of UCON: Actions Control actions: usage state (s,o,r) Actions changing the usage state of a single usage process (s,o,r) 6 values of state(s,o,r) 6 values of state(s,o,r) 5 actions 5 actions Update actions: s.credit=s.credit - $50.0 s.credit=s.credit - $50.0 Obligation actions: Actions that have to be performed before or during a usage May or may not be performed by the requesting subject and on the target object.
9
9 Logical Model of UCON (S, P A, P C, A A, A B ) The logical model of a UCON system is a 5-tuple: (S, P A, P C, A A, A B ), where S S is a set of sequences of states of the system, P A P A is a finite set of authorization predicates built from the attributes of subjects and objects, P C P C is a finite set of condition predicates built from the system attributes, A A A A is a finite set of control actions, A B A B is a finite set of obligation actions. A logic formula consisting of predicates, actions, and logical and temporal operators:
10
10 Specification of Core Models Ongoing authorizations: onA 123 Resource-constrained access control, revocation by idle time Object attribute: status (with value of busy or idle)idleTime Subject attributes: status (with value of busy or idle), idleTime
11
11 Specify General Policies Control Rules: Update Rules:
12
12 Specifying General Policies Completeness: Completeness: Any UCON policy can be specified by a non-empty set of control rules and a set of update rules. Soundness: Soundness: A non-empty set of control rules and a set of update rules can be satisfied by at least one UCON model.
13
13 Policy Specification Flexibility RBAC models (RBAC0, RBAC1, RBAC2) Chinese Wall policies Dynamic separation of duty MAC policy with high watermark property Healthcare information systems with authorizations and obligations
14
14 Expressive Power & Safety Analysis Expressive Power: The flexibility to express policies for variant requirements. Comparing expressive power between access control models Safety problem: initial state schemea reachable state By giving a system, specified by an initial state and a scheme, is there a reachable state in which a subject has a particular right on an object? Expressive power and safety analysis are two conflict problems for an access control model: In general, the more expressive power it has, the harder it is to computationally carry out safety analysis. Examples: HRU, SPM, and TAM
15
15 Formal Model of preA & preB global effect To formalize the global effect of a single usage process Instead of the detailed state transitions in single usage process by the logical model (O, ) A system state is (O, ), where O O is a set of objects : O ATT dom(ATT) {null} : O ATT dom(ATT) {null} S O S O Three primitive actions: createObject, destroyObject, updateAttribute createObject, destroyObject, updateAttribute preA policy: preB policy:
16
16 Formal Model of preA & preB (ATT, R, P, C) A UCON preA scheme is a 4-tuple (ATT, R, P, C), where ATT ATT is a finite set of attribute names R R is a finite set of rights, P P is a finite set of predicates C C is a finite set of policies state (O 0, 0 ) A UCON preA system is specified by a preA scheme and an initial state (O 0, 0 ). (ATT, R, P, B, C) A UCON preB scheme is a 5-tuple (ATT, R, P, B, C), where B B is a finite set of obligation actions state (O 0, 0 ) A UCON preB system is specified by a preB scheme and an initial state (O 0, 0 ).
17
17 Expressive Power of preA: iTunes-like Systems register user_register (s, u): true permit(s,u, register) createObject u; updateAttribute:s.regUsers' = s.regUsers {u}; updateAttribute: u.registered' = true; updateAttribute: u.platformList'=o; updateAttribute: u.orderList'=o; updateAttribute: u.credit' = 0.00; order (u, m): (u.registered=true) (u.credit m.price) (m u.orderList) permit(u,m,order) updateAttribute:u.orderList' = u.orderList {m}; updateAttribute: m.owner' = u; updateAttribute:u.credit' = u.credit - m.price; order play (p,m): (p.authorizedby null) (m.owner null) (p.authorizedby=m.owner) permit(p,m,play) play authorize_platform (u, p): (u.registered=true) (|u.platformList|<5) (p u.platformList) permit(u,p,authorize) updateAttribute: u.platformList' = u.platformList {p}; updateAttribute: p.authorizedBy' = u; deauthorize_platform (u, p): (u.registered=true) (p u.platformList) permit(u,p,deauthorize) updateAttribute: u.platformList' = u.platformList - {p}; updateAttribute: p.authorizedBy' = null; authorize deauthorize User iTunes music store Device Music file
18
18 Expressive Power of UCON preA The expressive power of UCON preA model has been formally studied by comparing it with traditional access control models: simulating the general SO-TAM model Simulating the general SO-ATAM model Theorem UCON preA is more expressive than TAM. UCON preA is at least as expressive as ATAM.
19
19 Relative Expressive Power of preA & preB Theorem UCON preA and preB have the same expressive power. A preA policy can be simulated by a preB policy. A preB policy can be simulated by a finite number of preA policies.
20
20 Safety Analysis of UCON preA Theorem The general preA model has undecidable safety. By reducing a general SO-TAM system to a preA system By simulating the operations of a general Turing machine with a preA model.
21
21 Safety Analysis of UCON preA Theorem The safety problem of a preA system is decidable if: the value domain of each attribute is finite, and there is no creating policy in the scheme. The complexity of the safety problem is: polynomial in the number of possible states of the system. NP-hard in number of policies in the scheme.Theorem The safety problem of a preA system is decidable if: the attribute creation graph is acyclic, and the attribute update graph has no cycle containing a create-parent attribute tuple, and in each creating policy, both the parent's and the child's attribute tuples are updated.
22
22 Expressive Power of Decidable preA RBAC96 model with URA97 scheme The decidable model can express an RBAC96 model with URA97 scheme. consumable rights. The decidable model can express DRM applications with consumable rights. order (s, o): (s.credit o.price) (o.owner = null) permit(s,o,order) updateAttribute: s.credit'=s.credit - o.price; updateAttribute: o.owner=s; updateAttribute:o.copylicense=10; order allow_copy (s, o): (o.owner=s) (o.copylicense > 0) permit(s,o,allowcopy) updateAttribute: o.allowcopy = true; allowcopy copy (o 1, o 2 ): (o 1.allowcopy=true) permit(o 1,o 2,copy) createObject o 2 ; updateAttribute: o 2.sn' = o 1.copylicense; updateAttribute: o 1.copylicense' = o 1.copylicense-1; updateAttribute: o 1.allowcopy' = false; copy
23
23 Contribution Summary A logical model A logical model of UCON is developed: Precisely defining the semantics of the conceptual model Specifying policies for general UCON models with completeness and soundness Policy specification flexibility by defining policies for various applications expressive power Formal study of the expressive power of UCON preA and preB: preA is at least as expressive as ATAM. preA and preB have the same expressive power. Safety analysis Safety analysis of UCON preA: Safety undecidability of the general model Two safety decidable models with restrictions on the general model Expressive power of the decidable models by simulating RBAC and DRM applications
24
24 Future Work An administrative model of UCON Efficiently decidable UCON models Expressive power and safety analysis of UCON ongoing models. UCON architectures and mechanisms
25
25 Related Publications Xinwen Zhang, Sejong Oh, and Ravi Sandhu, PBDM: A Flexible Delegation Model in RBAC, 8th ACM Symposium on Access Control Models and Technologies (SACMAT), 2003. Xinwen Zhang, Jaehong Park, Francesco Parisi-Presicce, and Ravi Sandhu, A Logical Specification for Usage Control, ACM SACMAT, 2004. Jaehong Park, Xinwen Zhang, and Ravi Sandhu, Attribute Mutabiligy in Usage Control, Annual IFIP WG 11.3 Working Conference on Data and Applications Security, 2004. Xinwen Zhang, Jaehong Park, Francesco Parisi-Presicce, and Ravi Sandhu, Formal Model and Policy Specification of Usage Control, ACM Transactions on Information and System Security (TISSEC), to appear. Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce, Safety Analysis of Usage Control Authorization Model, to appear in ACM Symposium on Information, Computer, and Communication Security, 2006. Xinwen Zhang, Masayuki Nakae, Ravi Sandhu, Michael J. Covington, A Usage- based Authorization Framework for Collaborative Computing Systems, in submission.
26
26 Thank you! Q & A
27
27 Backup
28
28 OM-AM Framework (Sandhu 2000)
29
29 Specifying Core Models PreA 0 PreA 1 An example: Dynamic Separation of Duty (DSOD) preparesissue A subject who prepares a check cannot issue it:
30
30 Expressive Power of preA A model for iTunes-like systems (ATT, R, P, C) A UCON preA sheme (ATT, R, P, C), where R={register, order, authorize, deauthorize, play} R={register, order, authorize, deauthorize, play} ATT: ATT: a set of attribute names
31
31 Relative Expressive Power of preA & preB A preB system can be simulated with a preA system: policy_B(s,o,o b ): (s.role=ITE_faculty) (o.statement = o b ) sign(s,o b ) permit(s,o,r) access policy_A1(s,o b ): true permit(s,o b,sign) updateAttribute:s.signed = o b ; sign Policy_A2 (s,o): (s.role=ITE_faculty) (o.statement=s.signed) permit(s,o,r) updateAttribute: s.signed=null; access
32
32 Relative Expressive Power of preA & preB A preA system can be simulated with a preB system: policy_A(s,o): (s.role=ITE_faculty) permit(s,o,r) access policy_B(s,o): (s.role=ITE_faculty) try_access(s,o) permit(s,o,r) access
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.