Slide 1. Safety Analysis of Usage Control (UCON) Authorization Model
Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce, George Mason University. AsiaCCS 2006.
Slide 2. Context
[Figure: electronic commerce, information sharing, etc. have multi-party, fuzzy security objectives: INTEGRITY (modification), AVAILABILITY (access), CONFIDENTIALITY (disclosure), USAGE (purpose)]
Slide 3. Context
Protection objectives:
- Sensitive information protection
- IPR protection
- Privacy protection
Protection architectures:
- Server-side reference monitor (SRM)
- Client-side reference monitor (CRM)
- SRM & CRM
Slide 4. UCON Model (Park and Sandhu 2004)
Decision continuity: three phases of a usage process, with decisions in the first two phases.
- pre-decision: preA, preB, preC
- ongoing decisions: repeatedly checked during the ongoing usage phase: onA, onB, onC
Attribute mutability: attributes can be updated as side effects of a usage (pre, ongoing, and post updates).
Core models: preA_0, preA_1, preA_2, preA_3, onA_x, preB_x, onB_x, preC_x, onC_x. A real model may be a combination of core models.
Slide 5. An Example
Resource-constrained access control: a limited number (10) of ongoing accesses to a single object. When the 11th subject requests a new access, one ongoing access is revoked.
Different revocation policies:
- By start time: the longest-running ongoing usage is revoked.
- By idle time: the usage with the longest total idle time is revoked.
- By total usage time: the usage with the longest accumulated usage time is revoked.
This needs decision continuity, attribute mutability, and ongoing access revocation.
Slide 6. Motivations
Two fundamental properties of access control: expressive power and safety analysis.
Formalization of the UCON model is required:
- for the precise semantics of the conceptual model
- for policy definition
- for the analysis of UCON properties
Slide 7. Expressive Power & Safety Analysis
Expressive power: the flexibility to express policies for different requirements; comparing expressive power among access control models.
Safety problem: given a system, specified by an initial state and a scheme, is there a reachable state in which a subject has a particular right on an object?
[Figure: initial state, scheme, a reachable state]
Expressive power and manageable safety analysis are two conflicting properties of access control models: in general, the more expressive power a model has, the harder it is (if at all possible) to carry out safety analysis. Examples: HRU, SPM, and TAM.
Slide 8. Formalization of UCON_A
We focus on UCON preA (UCON_A) models in this paper.
Attributes and values:
- Each object is specified by the same set of attributes ATT.
- Each attribute a ∈ ATT has a value domain dom(a).
A system state consists of a set of objects O (a subset of all objects, including the subjects S ⊆ O) together with an attribute assignment O × ATT → dom(ATT) ∪ {null}.
Three primitive actions for state transitions:
- createObject o: creates a new object o with o.a = null for every a ∈ ATT.
- destroyObject o: O' = O – {o}; for every remaining object o' ∈ O' and a ∈ ATT, o'.a' = o'.a.
- updateAttribute o.a = v: o.a' = v with v ∈ dom(a); ent.att' = ent.att if ent ≠ o or att ≠ a.
Slide 9. UCON_A Policy
A policy on a subject s and an object o has the form p_1 ∧ … ∧ p_i → permit(s, o, r); act_1; …; act_k, where:
- p_1, …, p_i are attribute predicates on s and o;
- act_1, …, act_k are actions on s and o.
Creating policy: if act_1 is createObject o, only o can be created (single-parent policy); s is the parent and o is the child.
Assumptions: atomic policy enforcement; serialized accesses.
Slide 10. Formal Model of UCON_A
A UCON_A scheme is a 4-tuple (ATT, R, P, C), where:
- ATT is a finite set of attribute names,
- R is a finite set of rights,
- P is a finite set of predicates,
- C is a finite set of policies.
A UCON_A system is specified by a UCON_A scheme and an initial state t_0, consisting of an initial object set O_0 and its attribute values.
Slide 11. Policy Specification Flexibility
- DRM policies
- RBAC models (RBAC0, RBAC1, RBAC2)
- Chinese Wall policies
- Dynamic separation of duty
- MAC policy with high watermark property
Slide 12. Expressive Power of UCON_A: iTunes-like Systems
user_register(s, u): true → permit(s, u, register); createObject u; updateAttribute: s.regUsers' = s.regUsers ∪ {u}; updateAttribute: u.registered' = true; updateAttribute: u.platformList' = ∅; updateAttribute: u.orderList' = ∅; updateAttribute: u.credit' = 0.00
order(u, m): (u.registered = true) ∧ (u.credit ≥ m.price) ∧ (m ∉ u.orderList) → permit(u, m, order); updateAttribute: u.orderList' = u.orderList ∪ {m}; updateAttribute: m.owner' = u; updateAttribute: u.credit' = u.credit − m.price
play(p, m): (p.authorizedBy ≠ null) ∧ (m.owner ≠ null) ∧ (p.authorizedBy = m.owner) → permit(p, m, play)
authorize_platform(u, p): (u.registered = true) ∧ (|u.platformList| < 5) ∧ (p ∉ u.platformList) → permit(u, p, authorize); updateAttribute: u.platformList' = u.platformList ∪ {p}; updateAttribute: p.authorizedBy' = u
deauthorize_platform(u, p): (u.registered = true) ∧ (p ∈ u.platformList) → permit(u, p, deauthorize); updateAttribute: u.platformList' = u.platformList − {p}; updateAttribute: p.authorizedBy' = null
[Figure: entities User, iTunes music store, Device, Music file, connected by the usage rights register, order, play, authorize, deauthorize]
Slide 13. Expressive Power of UCON_A
The expressive power of the UCON_A model has been formally studied by comparing it with traditional access control models:
- simulating the general SO-TAM model
- simulating the general SO-ATAM model
Theorem:
a) UCON_A is more expressive than TAM.
b) UCON_A is at least as expressive as ATAM.
Slide 14. Safety Analysis of UCON_A
Theorem: safety is undecidable in the general UCON_A model.
- By reducing a general SO-TAM system to a UCON_A system.
- By simulating the operations of a general Turing machine with a UCON_A model.
Slide 15. Safety Analysis of UCON_A
Theorem: the safety problem of a UCON_A system is decidable if:
- the value domain of each attribute is finite, and
- there is no creating policy in the scheme.
Proof idea: reduce a UCON_A system with these restrictions to a finite state machine (FSM), where the safety problem is mapped to the empty-language problem for the FSM.
The complexity of the safety problem is:
- polynomial in the number of possible states of the system;
- NP-hard in the number of policies in the scheme.
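An added example, not code from the paper or slides: it takes the authorize/deauthorize/play policies of the iTunes-like slide over a fixed, finite object set with no creating policy (so the conditions of the decidability theorem above hold), enumerates every reachable state exactly as the FSM reduction does, and asks whether a platform can ever be granted play after its owner has removed it. A hypothetical variant of deauthorize_platform that forgets to reset p.authorizedBy shows how the search produces a witness trace. Object names, initial values and the weak variant are constructed.

```python
"""Added example, not code from the paper or slides: a UCON_A system with a
fixed finite object set and no creating policy, explored exhaustively as the
finite state machine that the decidability proof reduces it to."""
from collections import deque

# Constructed initial state: object set O_0 and each object's attribute tuple.
INIT = {
    "alice": {"platformList": frozenset()},
    "ipod":  {"authorizedBy": None},
    "song":  {"owner": "alice"},
}

def key(state):  # hashable encoding of a state so the search can detect revisits
    return tuple((o, tuple(sorted(a.items()))) for o, a in sorted(state.items()))

# Policies from the iTunes-like slide: each checks its predicates on (s, o) and,
# if they hold, applies its updateAttribute actions in place and returns the right.
def authorize(st, u, p):  # (|u.platformList| < 5) and (p not in u.platformList)
    if "platformList" not in st[u] or "authorizedBy" not in st[p]: return None
    if len(st[u]["platformList"]) >= 5 or p in st[u]["platformList"]: return None
    st[u]["platformList"] |= {p}; st[p]["authorizedBy"] = u
    return "authorize"

def deauthorize(st, u, p):  # slide version: also resets p.authorizedBy to null
    if "platformList" not in st[u] or p not in st[u]["platformList"]: return None
    st[u]["platformList"] -= {p}; st[p]["authorizedBy"] = None
    return "deauthorize"

def deauthorize_weak(st, u, p):  # hypothetical flawed variant: forgets p.authorizedBy
    if "platformList" not in st[u] or p not in st[u]["platformList"]: return None
    st[u]["platformList"] -= {p}
    return "deauthorize"

def play(st, p, m):  # (p.authorizedBy != null) and (p.authorizedBy = m.owner); no updates
    a = st[p].get("authorizedBy")
    return "play" if a is not None and a == st[m].get("owner") else None

def unsafe(st, p, m):  # safety question: play granted to a platform its owner removed
    return play(st, p, m) is not None and p not in st[st[m]["owner"]]["platformList"]

def find_unsafe(scheme, init, p="ipod", m="song"):
    """BFS over reachable states; returns a witness trace of (right, s, o) or None."""
    start = {o: dict(a) for o, a in init.items()}
    if unsafe(start, p, m): return []
    seen, todo = {key(start): []}, deque([start])
    while todo:
        st = todo.popleft()
        for pol in scheme:
            for s in st:
                for o in st:
                    nxt = {x: dict(a) for x, a in st.items()}
                    r = pol(nxt, s, o)
                    if r is None or key(nxt) in seen: continue
                    seen[key(nxt)] = seen[key(st)] + [(r, s, o)]
                    if unsafe(nxt, p, m): return seen[key(nxt)]
                    todo.append(nxt)
    return None
```

With the slide's own deauthorize the search terminates with no unsafe state; with the weak variant it returns the two-step trace authorize, deauthorize as a counterexample.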
Slide 16. Safety Analysis of UCON_A
Theorem: the safety problem of a UCON_A system is decidable if:
- the attribute creation graph is acyclic, and
- the attribute update graph has no cycle containing a create-parent attribute tuple, and
- in each creating policy, both the parent's and the child's attribute tuples are updated.
Proof idea: restrictions on creating policies. If c(s, o) is a creating policy, then it must have an updateAttribute s.a action that changes the value of s.a, and no policy in any state can update s.a from the new value back to the old value.
Slide 17. Expressive Power of Decidable UCON_A
RBAC96 model with URA97 or PRA97 scheme.
A state in RBAC96: ⟨S, P, R, UA, UAA, PA, RH⟩, where P ⊆ O × R.
URA97 scheme: can_assign ⊆ AR × CR × 2^R, can_revoke ⊆ AR × 2^R.
A can_assign(ar, cr, [r_1, r_2]) or can_revoke(ar, [r_1, r_2]) can be reduced to a set of UCON_A policies, one for each r_i ∈ [r_1, r_2], with the prerequisite condition cr expressed over roles x and y.
Slide 18. Expressive Power of Decidable UCON_A
DRM applications with consumable rights: a limited number of copies.
order(s, o): (s.credit ≥ o.price) ∧ (o.owner = null) → permit(s, o, order); updateAttribute: s.credit' = s.credit − o.price; updateAttribute: o.owner' = s; updateAttribute: o.copylicense' = 10
allow_copy(s, o): (o.owner = s) ∧ (o.copylicense > 0) → permit(s, o, allowcopy); updateAttribute: o.allowcopy' = true
copy(o_1, o_2): (o_1.allowcopy = true) → permit(o_1, o_2, copy); createObject o_2; updateAttribute: o_2.sn' = o_1.copylicense; updateAttribute: o_1.copylicense' = o_1.copylicense − 1; updateAttribute: o_1.allowcopy' = false
[Figure: the usage rights order, allowcopy, copy]
Slide 19. Contribution Summary
Formal study of the expressive power of UCON_A: UCON_A is at least as expressive as ATAM.
Safety analysis of UCON_A:
- safety undecidability of the general model;
- two safety-decidable models with restrictions on the form of the policies in the general model;
- expressive power of the decidable models, by simulating RBAC96 with URA97 or PRA97, and DRM applications.
Slide 20. Ongoing and Future Work
- Comparing expressive power between UCON authorization and obligation models
- Efficiently decidable UCON models
- An administrative model of UCON
- Expressive power and safety analysis of UCON ongoing models
- UCON architectures and mechanisms
Slide 21. Thank you! Q & A