Presentation is loading. Please wait.

Presentation is loading. Please wait.

Trust Management: Access policy and deduction John Mitchell.

Published byMyron Burke Modified over 9 years ago

Similar presentations

Presentation on theme: "Trust Management: Access policy and deduction John Mitchell."— Presentation transcript:

1

2 Trust Management: Access policy and deduction John Mitchell

3 Diffuse Computing Distributed Data Systems

4 Access control decision Given: user and request for privilege =  resource, right  Decide: whether to grant request Specify: who, what, when, why ? Resource User/ process filename read/write Also: authorization management, workflow, …

5 Goals uFlexible and scalable access control for large- scale, open, decentralized systems Resource sharing in decentralized systems –coalitions, multi-centric collaborative systems –grid computing Electronic commerce Health care systems Authorization management

6 Policy Language and Deduction uSay what you want Succinctly and directly With confidence that you said what you meant uEnforcement Deduction, proof of compliance uPolicy development tools Manage policy lifecycle Safety analysis, availability Core Issue

7 Single sign-on systems e.g. Securant, Netegrity, Oblix Rules Authentication Application Data LAN user name password

8 Distributed Access Control Deduction Engine Deduction Engine Policies Credentials Policies Credentials Certificate Authority Resource Monitors

9 Player Digital Distribution Dream ( ) Artist DistributorConsumer Policy Content Policy Content Military ORCON Policy Secure network transactions

10 Trust-Management (TM) uMulticentric access control using delegation access control decisions are based on distributed policy statements issued by multiple principals policy statements contain –attributes of principals such as permissions, roles, qualifications, characteristics –trust relationships uCommon characteristics of TM systems: treat public keys as principals to be authorized use digitally signed credentials for non-local statements

11 History uEarly TM languages PolicyMaker, KeyNote [Blaze, Feigenbaum, et al.] SPKI/SDSI [Ellison, Rivest, Lampson, et al.] uDatalog-based TM languages Delegation Logic [Li, Feigenbaum, and Grosof] SD3 [Jim] Binder [DeTreville] uSome other related work ABLP logic [Abadi, Burrows, Lampson, et al.] AF logic [Appel and Felton] QCM [Gunter and Jim]

12 Our Policy Framework: FOL ( ) uA policy statement has the form:  x1,…,  xm (Condition  (  ) Permitted(principal, privilege)) where Condition is a conjunction of literals; principal can be individual [HW], or group [LM] privilege can be action [HW], or group [LM] uAlso need formulas defining conditions Feigenbaum, Li Halpern, W Li, Mitchell, … Permitting policy [HW, LM] : positive conclusion Denying policy [HW] : negative conclusion

13 What is RT? uRT = Role-based Trust management uInnovative features of the RT family expressive delegation constructs permissions for structured resources tractable semantics based on Constraint Datalog strongly-typed credentials and vocabulary agreement efficient deduction with millions of distributed policy statements safety and availability analysis [Li, Mitchell, Winsborough]

14 Languages in RT Framework RT 0 : Decentralized Roles RT 1 : Parameterized Roles RT T : for Separation of Duties RT D : for Selective Use of Role memberships RT 2 : Logical Objects RT T and RT D can be used (either together or separately) with any of the five base languages: RT 0, RT 1, RT 2, RT 1 C, and RT 2 C RT 1 C : structured resources RT 2 C : structured resources [Li, Mitchell, Winsborough]

15 Example AliceEPub StateU is a university Alice is a student Grants access to university students Trusts universities to certify students Trusts ABU to certify universities StateU ABU

16 Example RT 0 credentials 1.StateU.stuID  Alice 2.ABU.accredited  StateU 3.EPub.university  ABU.accredited 4.EPub.student  EPub.university.stuID 5.EPub.access  EPub.student Together, the five statements prove that Alice is entitled to access

17 Limitation of KeyNote, SPKI 1.0 uCapability-based TM systems A credential delegates certain permissions from an issuer to a subject A chain of credentials authorizes subject at the end of a chain uUsing these systems in the EPub scenario EPub delegates the access permission to ABU ABU delegates the access permission to StateU StateU delegates the access permission to Alice uNot scalable! Separate chain of delegations for each student

18 Policy forms, RT 0 uSimple attribute assignment StateU.stuID  Alice uDelegation of attribute authority StateU.stuID  COE.stuID uAttribute inferencing EPub.access  EPub.student uAttribute-based delegation of authority EPub.student  EPub.university.stuID i.e. mem(EPub.student)   B  mem(EPub.university) mem(B.stuID) uConjunction EPub.access  EPub.student  ACM.member

19 Policy forms, RT 1 … uAttributes with fields StateU.stuID (name=.., program=.., …)  Alice EPub.access  StateU.stuID(program=“graduate”) uPermissions for structured resources e.g., allow connection to any host in a domain and at any port in a range

20 Datalog As A Foundation uNatural Security policy statements are if-then rules uPrecise Declarative and widely-understood semantics uTractable No function symbols  tractability Efficient goal-directed evaluation procedures uAvailable technology Extensive Datalog research in LP and DB

21 Datalog Semantics of RT 0 uEach statement translated into Datalog rule Type-1: A.r  D m(A, r, D) Type-2: A.r  B.r 1 m(A, r, z) :- m(B, r1, z) Type-3: A.r  A.r 1.r 2 m(A, r, z) :- m(A, r1, y), m(y, r2, z) Type-4: A.r  B 1.r 1  B 2.r 2 ...  B k.r k m(A, r, z) :- m(A, r1, y), m(y, r2, z)

22 Better: Constraint Datalog uWhy constraints: Datalog cannot easily express permissions about structured resources and ranges uWhat is Constraint Datalog Special form of CLP; query language for Constraint DB uA Constraint Datalog rule: R0(x0) :- R1(x1),..., Rn(xn),  (x0, x1, …, xn) –x0, x1, …, xn are tuples of variables –  is a constraint in all the variables

23 Example Policy with Constraints uA grants to B the permission to connect to hosts in the domain “stanford.edu” at port 80, valid from time t 1 to t 3, and allows B to further delegate grantConnect(A, B, h, p, v) :- h   edu,stanford , p=80, v  [t 1, t 3 ] grantConnect(A, x, h, p, v) :- grantConnect(B, x, h, p, v), h   edu,stanford , p=80, v  [t 1, t 3 ]

24 Useful Constraint Domains for TM uTree domains: Path expressions  a1,a2, ,ak  –E.g.,  pub,software  for /pub/software Primitive constraint: x=y or x   a1,a2, ,ak , where   {=, <, , ,  } uRange domains: each constant is a number Primitive constraint: x=y, x=c, or, x  (c1, c2) uDiscrete domains with finite sets: Primitive constraint: x=y, x  {c1,c2, ,cj}

25 RT 1 C : RT 1 with constraints uTheorem: Multi-sorted CDatalog program with multiple tractable constraint domains can be evaluated in polynomial time. uCorollary: The RT languages are tractable Statements in the RT languages can be translated into multi-sorted CDatalog program uExample: FileServer.access (path <  pub,software , type  {read,write,delete})  StateU.student (dept=‘CS’)

26 Using CDatalog to Analyze KeyNote uTheorem: it is undecidable whether a KeyNote assertion authorizes any request at all One constraint domain used in KeyNote involves Hilbert’s 10th problem: –find integer solutions to p(x 1,…,x k )=0 uMoral: KeyNote constraints too expensive Practical examples do not use these expensive features Logical perspective leads to expressive, tractable policy languages

27 Goal-directed Deduction for RT 0 uQueries: 1.Given A.r, determines its members –The backward search algorithm 2.Given D, determines the set of roles that D is a member of –The forward search algorithm 3.Given A.r and D, determines whether D is a member of A.r –The Bi-direction search algorithm

28 Credential Graph for Policy uNodes: A.r and e for each statement A.r  e in P uCredential edges: A.r  e for each statement A.r  e in P uSummary edges: A.r1.r2  B.r2 if there is a path from B to A.r1 A1.r1  …  Ak.rk  D if there are paths from D to each Aj.rj uTheorem: Reachability in the credential graph is sound and complete for RT 0

29 Example Bidirection Search on A Credential Graph EPub.university StateU ABU.accredited EPub.student EPub.university.stuID Credential Summary Key Alice StateU.stuID COE.stuID

30 Worst-Case Complexity uBackward: time O(N 3 +NM), space O(NM) N is the number of rules M is the sum of the sizes of all rules, –A.r  f 1  f k having size k, other credentials have size 1 uForward and bi-direction time O(N 2 M), space O(NM) uSame as previous work for SDSI [Clarke, et al.] but our algorithms are goal directed, making them much better in practice

31 Who stores credentials? Alice EPub StateU ABU ABU.accredited  StateU COE.stuID  Alice EPub.university  ABU.accredited EPub.student  EPub.university.stuID StateU.stuID  COE.stuID COE

32 Automated Trust Negotiation uCredentials may contain sensitive information need protection just as other resources deduction must be interactive uThe Trust Target Graph (TTG) protocol supports RT0, which has delegation supports distributed discovery of statements supports Ack policies, which also protects against unauthorized leakage of attribute information uCryptographic protocols for ATN Oblivious Signature-Based Envelope (OSBE)

33 Safety and Availability Analysis uOrganizations delegate partial control What happens if other organizations change policy in the future without my knowledge? uGiven policy P and restriction R on changes Simple safety: Is A.r  {D} possible?  PTIME Simple availability: Is A.r  {D} necessary?  PTIME Bounded safety: Is {D1, …, Dn}  A.r necessary?  PTIME

34 Complexity of Containment Analysis uGiven P and R, is A.r  B.r1 necessary? Simple delegation  PTIME –Uses logic programs with stratified negation Intersection  coNP-complete –Equivalent to determining validity in propositional logic Linking  PSPACE-complete –Equivalent to containment of languages accepted by NFA Linking+Intersection  decidable in coNEXP –Exact complexity unknown Decidability, PTIME stand in contrast to the HRU model, in which simple safety is undecidable

35 Implementation Status uJava inference engine for RT 0 uPreliminary version of RTML an XML-based Encoding of RT statements XML Schemas and parser exist uApplications U-STOR-IT: Web-based file storage and sharing August: A Distributed Calendar Program Automated Trust Negotiation Demo by NAI TNT Trust Negotiation architecture at BYU

36 Publications on RT uLanguage specification, distributed deduction [ACM CCS’01] [JCS] [IEEE S&P’02] uConstraint Datalog [PADL’03] [CSFW’03] uSummary of RT [DISCEX’03] uInteractive deduction, protecting sensitive credentials [IEEE Policy’ 02] [ACM WPES’02] uSafety and availability analysis of RT policies [IEEE S&P’03]

37 Ongoing Work Related to RT uFoundation of distributed trust management: more expressive constraints additional safety and availability analysis problems uAlgorithms: deduction algorithms for the full RT framework trust negotiation with more expressive RT languages uSystems: RTML as a more expressive PKI complete implementation of RT and more applications

38 Policy with negation, functions uMany applications explicitly forbid actions. `Smoking is prohibited in the dining areas of all restaurants seating more than 35 people’ is part of the NYC Smoke-Free Air Act. `The tickets may not be refunded’ is a policy of many theaters, special airline fares, … uFunctions may be useful  x 1, x 2 (OnSite(x 1 )  Permitted(x 2, copy(x 1 ))) uThese policies cannot be written directly in Datalog, Constraint Datalog [Halpern, Lagoze, Weissman]

39 Tractability with function symbols uKey idea: Restrict bipolars A literal l is bipolar in a formula f if –Positive l in f is unifiable with a negated l’ in f –E.g. R(Alice, x) is bipolar in R(Alice, x)   R(y, Bob) uIf E is environment and P is policy such that every var in lhs of a policy also appears in rhs E is a conjunction of ground literals, and there are no bipolar literals in P Then queries answered in time |P||E| Remains polytime under weaker assumptions

40 Explanation of restrictions uEvery variable on the lhs also on the rhs Permissions (prohibitions) depend only on attributes of individual and action being regulated uEnvironment E a conjunction of ground literals Reasonable if the environment is a database, and/or set of certificates uNo bipolar literals in policy P Reasonable if –permitted is not in any policy’s premise –All policies are permitting (or all denying)

41 Mixed policy sets uThm: For any env E, policy P, can reformulate as such that Permissions follow from E’ and permitting policies in P’ only Prohibitions follow from E’ and denying policies in P’ only Quadratic increase in size uThe fragment can capture a number of policy sets Samples collected from libraries Samples collected from government docs Most of the XrML core, and all of Content Schema More information: Vicky Weissman poster

42 Future SPYCE Directions uAccomplishments Framework and logic for policy definition Algorithms for policy enforcement Some experience with capturing practical policy requirements from a variety of applications uChallenges Continue implementation and deployment efforts Policy development algorithms and tools –Debugging and testing, safety and availability analysis Additional challenges –Policy privacy, Automated trust negotiation, Revocation

43 Sample Applications uAugust Distributed Calendar uUSTORIT uSocial security database policy to qualify for social security Also: tax law database uLibrary policy Have to administer copyright Who is allowed to access course notes? uXrML Commercial license and rights framework

Download ppt "Trust Management: Access policy and deduction John Mitchell."

Similar presentations

ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
CH-4 Ontologies, Querying and Data Integration. Introduction to RDF(S) RDF stands for Resource Description Framework. RDF is a standard for describing.

CH-4 Ontologies, Querying and Data Integration. Introduction to RDF(S) RDF stands for Resource Description Framework. RDF is a standard for describing.
D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.

D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Rule based Trust management using RT - second lecture Sandro Etalle thanks to Ninghui Li - Purdue William H. Winsborough – University of Texas S. Antonio.

Rule based Trust management using RT - second lecture Sandro Etalle thanks to Ninghui Li - Purdue William H. Winsborough – University of Texas S. Antonio.
Logic.

Logic.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.

Administrative Policies in XACML Erik Rissanen Swedish Institute of Computer Science.
Access Control Methodologies

Access Control Methodologies
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
Trust Management I Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy.

Trust Management I Anupam Datta Fall A: Foundations of Security and Privacy.
Trust Management II Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy.

Trust Management II Anupam Datta Fall A: Foundations of Security and Privacy.
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
Making certificates programmable1 John DeTreville Microsoft Research April 24, 2002.

Making certificates programmable1 John DeTreville Microsoft Research April 24, 2002.
Ninghui Li (Purdue University) Logic and Logic Programming in Distributed Access Control (Part One) Ninghui Li Department of Computer Science and CERIAS.

Ninghui Li (Purdue University) Logic and Logic Programming in Distributed Access Control (Part One) Ninghui Li Department of Computer Science and CERIAS.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Implementing a Distributed Firewall

Implementing a Distributed Firewall
Using First-order Logic to Reason about Policies Vicky Weissman Joint work with: Joseph Halpern and Carl Lagoze.

Using First-order Logic to Reason about Policies Vicky Weissman Joint work with: Joseph Halpern and Carl Lagoze.
A Formal Foundation for ODRL What’s ODRL?  An XML-based language for writing software licenses. Language specification includes:  syntax  English interpretation.

A Formal Foundation for ODRL What’s ODRL?  An XML-based language for writing software licenses. Language specification includes:  syntax  English interpretation.

Similar presentations

Ads by Google