Logic and Logic Programming in Distributed Access Control (Part Two). Ninghui Li (Purdue University), 2nd Int'l Summer School in Computation Logic, June 17, 2004.

Slide 1 (title): Logic and Logic Programming in Distributed Access Control (Part Two). Ninghui Li, Department of Computer Science and CERIAS, Purdue University.

Slide 2: Outline
- Security analysis for RT0
- RT: a family of Role-based Trust-management languages
- Constraint Datalog as a semantic foundation for TM languages
- Open problems in trust management
- Other application areas of logic & logic programming in access control

Slide 3: Security Analysis in Trust Management
Publications:
- Li, Winsborough & Mitchell: "Beyond Proof-of-Compliance: Safety and Availability Analysis in Trust Management", S&P'03
- Li, Mitchell & Winsborough: "Beyond Proof-of-Compliance: Security Analysis in Trust Management", submitted.

Slide 4: The Abstract Security Analysis Problem
Given an initial state P, a query Q, and a rule R that restricts how states can change (it defines reachability among states), ask:
- Is Q possible? (existential): whether there exists a reachable P' such that P' ⊢ Q
- Is Q necessary? (universal): whether for every reachable P', P' ⊢ Q

Slide 5: Statements in RT0 = RT[⇝, ∩]
Type-1: K.r ← K1
- mem[K.r] ⊇ {K1}
- e.g., K_HR.manager ← K_Alice
Type-2: K.r ← K1.r1
- mem[K.r] ⊇ mem[K1.r1]
- e.g., K_SSO.admin ← K_HR.manager

Slide 6: Statements in RT[⇝, ∩]
Type-3: K.r ← K.r1.r2
- Let mem[K.r1] be {K1, K2, ..., Kn}; then mem[K.r] ⊇ mem[K1.r2] ∪ mem[K2.r2] ∪ ... ∪ mem[Kn.r2]
- e.g., K_SSO.delegAccess ← K_SSO.admin.access
Type-4: K.r ← K1.r1 ∩ K2.r2
- mem[K.r] ⊇ mem[K1.r1] ∩ mem[K2.r2]
- e.g., K_SSO.access ← K_SSO.delegAccess ∩ K_HR.employee

Slide 7: The Query Q
- Form-1: mem[K.r] ⊇ {K1, ..., Kn}?
- Form-2: {K1, ..., Kn} ⊇ mem[K.r]?
- Form-3: mem[K1.r1] ⊇ mem[K.r]?

Slide 8: The Semantic Relation
A statement maps to a Datalog rule:
- K.r ← K2 maps to m(K, r, K2)
- K.r ← K1.r1 maps to m(K, r, z) :- m(K1, r1, z)
- ...
A state P maps to a Datalog program SP[P]:
- mem[K.r] = { K' | m(K, r, K') is in the minimal Herbrand model of SP[P] }

Slide 9: Example Queries & Answers
1. K_SSO.access ← K_SSO.admin
2. K_SSO.admin ← K_HR.manager
3. K_HR.employee ← K_HR.manager
4. K_HR.manager ← K_Alice
5. K_HR.employee ← K_David
Queries:
- mem[K_SSO.access] ⊇ {K_David}? No
- {K_Alice, K_David} ⊇ mem[K_SSO.employee]? Yes
- mem[K_HR.employee] ⊇ mem[K_SSO.access]? Yes

Slide 10: The Restriction Rule R
R = (G, S)
- G is a set of growth-restricted roles: if A.r ∈ G, then one cannot add "A.r ← ..."
- S is a set of shrink-restricted roles: if A.r ∈ S, then one cannot remove "A.r ← ..."
Motivation: definitions of roles that are not under one's control may change.

Slide 11: Sample Analysis Queries
- Simple safety (existential form-1): Is mem[K.r] ⊇ {K1} possible?
- Simple availability (universal form-1): Is mem[K.r] ⊇ {K1} necessary?
- Bounded safety (universal form-2): Is {K1, ..., Kn} ⊇ mem[K.r] necessary?
- Containment (universal form-3): Is mem[K1.r1] ⊇ mem[K.r] necessary?

Slide 12: Security Analysis: Usage Cases
Guarantee safety and availability properties of an access control system:
- The properties one wants to guarantee are encoded as a set of queries with their desired answers
- R represents how much control one has: parts not under one's control may change in R; parts under one's control are considered fixed in R
- Before making changes, one can use the analysis to guarantee that the properties are not violated

Slide 13: An Example
1. K_SSO.access ← K_SSO.admin
2. K_SSO.access ← K_SSO.delegAccess ∩ K_HR.employee
3. K_SSO.admin ← K_HR.manager
4. K_SSO.delegAccess ← K_SSO.admin.access
5. K_HR.employee ← K_HR.manager
6. K_HR.employee ← K_HR.engineer
7. K_HR.manager ← K_Alice
8. K_Alice.access ← K_Bob
Legend (colour-coded on the slide): fixed; can grow; can shrink

Slide 14: A Simple Availability Query
Query: Is mem[K_SSO.access] ⊇ {K_Alice} necessary?
Answer: Yes. (Available)
Why: Statements 1, 3, and 7 cannot be removed.

Slide 15: A Simple Safety Query
Query: Is mem[K_SSO.access] ⊇ {K_Eve} possible?
Answer: Yes. (Unsafe)
Why: Both K_HR.engineer and K_Alice.access may grow.

Slide 16: A Containment Analysis Query about Safety
Query: Is mem[K_HR.employee] ⊇ mem[K_SSO.access] necessary?
Answer: Yes. (Safe)
Why: K_SSO.access and K_SSO.admin cannot grow, and Statement 5 cannot be removed.

Slide 17: A Containment Analysis Query about Availability
Query: Is mem[K_SSO.access] ⊇ mem[K_HR.manager] necessary?
Answer: Yes. (Available)
Why: Statements 1 and 3 cannot be removed.

Slide 18: Answering Form-1 and Form-2 Queries: Intuitions (1)
RT[⇝, ∩] is monotonic: more statements derive more role memberships.
Form-1 queries (mem[K.r] ⊇ {K1, ..., Kn}) are monotonic:
- universal form-1 queries can be answered by considering a lower-bound (minimal) state
- existential form-1 queries can be answered by considering an upper-bound (maximal) state

Slide 19: Answering Form-1 and Form-2 Queries: Intuitions (2)
Form-2 queries ({K1, ..., Kn} ⊇ mem[K.r]) are anti-monotonic:
- universal form-2 queries can be answered by considering the upper-bound state
- existential form-2 queries can be answered by considering the lower-bound state
Given P and R, the lower-bound state exists uniquely; we denote it P|_R. It is reached by removing all removable statements.

Slide 20: The Lower-Bound Program LB(P,R)
- For each K.r ← K1 in P|_R, add lb(K, r, K1)
- For each K.r ← K1.r1 in P|_R, add lb(K, r, ?Z) :- lb(K1, r1, ?Z)
- For each K.r ← K.r1.r2 in P|_R, add lb(K, r, ?Z) :- lb(K, r1, ?Y), lb(?Y, r2, ?Z)
- For each K.r ← K1.r1 ∩ K2.r2 in P|_R, add lb(K, r, ?Z) :- lb(K1, r1, ?Z), lb(K2, r2, ?Z)

Slide 21: Using the lower-bound program
- To answer whether a form-1 query mem[K.r] ⊇ {K1, ..., Kn} is necessary, check whether LB(P,R) |= lb(K, r, K1) ∧ ... ∧ lb(K, r, Kn)
- To answer whether a form-2 query {K1, ..., Kn} ⊇ mem[K.r] is possible, check whether {K1, ..., Kn} ⊇ { Z | LB(P,R) |= lb(K, r, Z) }

Slide 22: The Upper-Bound Program UB(P,R)
- Add ub(⊤, ?r, ?Z)
- For each K.r that can grow, add ub(K, r, ?Z)
- For each K.r ← K1 in P, add ub(K, r, K1)
- For each K.r ← K1.r1 in P, add ub(K, r, ?Z) :- ub(K1, r1, ?Z)
- For each K.r ← K.r1.r2 in P, add ub(K, r, ?Z) :- ub(K, r1, ?Y), ub(?Y, r2, ?Z)
- For each K.r ← K1.r1 ∩ K2.r2 in P, add ub(K, r, ?Z) :- ub(K1, r1, ?Z), ub(K2, r2, ?Z)

Slide 23: Using the upper-bound program
A form-1 query mem[K.r] ⊇ {K1, ..., Kn} is possible iff any of the following is true:
- K.r is not growth restricted
- ub(K, r, ⊤) is true
- UB(P,R) |= ub(K, r, K1) ∧ ... ∧ ub(K, r, Kn)
A form-2 query {K1, ..., Kn} ⊇ mem[K.r] is necessary iff {K1, ..., Kn} ⊇ { Z | UB(P,R) |= ub(K, r, Z) }
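The following is an added example and not code from the slides or from the RT project: a small Python evaluator for RT0 = RT[⇝, ∩] that computes the role memberships of slide 8 as a bottom-up Datalog fixpoint, and answers the form-1 and form-2 queries of slides 20 to 23 through the lower-bound program (evaluate P|_R) and the upper-bound program (mark every growable role with the wildcard principal ⊤, so that ub(K, r, ⊤) becomes derivable). The state P mirrors the eight statements of the slides' example; the restriction R = (G, S), the statement encoding and all function names are this example's own assumptions, chosen so that the slides' stated answers come out.

```python
# Added example (not from the slides): a minimal RT0 = RT[⇝, ∩] evaluator that
# computes role memberships (slide 8) and answers form-1/form-2 security-analysis
# queries with the lower-bound and upper-bound programs (slides 20-23).
from collections import defaultdict

TOP = "⊤"  # wildcard principal of UB(P,R): ub(⊤, ?r, ?Z) holds for every Z

# A statement is (head role, kind, body); roles are written "Principal.role".
#   ("K.r", "member", "K1")                  type-1: K.r ← K1
#   ("K.r", "simple", "K1.r1")               type-2: K.r ← K1.r1
#   ("K.r", "linked", ("K.r1", "r2"))        type-3: K.r ← K.r1.r2
#   ("K.r", "inter",  ("K1.r1", "K2.r2"))    type-4: K.r ← K1.r1 ∩ K2.r2
# Constructed state P, modelled on the eight statements of the slides' example.
P = [
    ("SSO.access",      "simple", "SSO.admin"),                         # 1
    ("SSO.access",      "inter",  ("SSO.delegAccess", "HR.employee")),  # 2
    ("SSO.admin",       "simple", "HR.manager"),                        # 3
    ("SSO.delegAccess", "linked", ("SSO.admin", "access")),             # 4
    ("HR.employee",     "simple", "HR.manager"),                        # 5
    ("HR.employee",     "simple", "HR.engineer"),                       # 6
    ("HR.manager",      "member", "Alice"),                             # 7
    ("Alice.access",    "member", "Bob"),                               # 8
]
# Constructed restriction R = (G, S): the SSO and HR roles are fixed, except that
# SSO.delegAccess may shrink; HR.engineer and Alice.access may grow and shrink.
G = {"SSO.access", "SSO.admin", "SSO.delegAccess", "HR.employee", "HR.manager"}
S = {"SSO.access", "SSO.admin", "HR.employee", "HR.manager"}


def evaluate(stmts, growth_restricted=None):
    """Bottom-up least fixpoint of the Datalog translation of `stmts`.

    With growth_restricted=None this is SP[P] (and LB(P,R) when stmts is P|_R).
    With a set G it is UB(P,R): every role outside G receives the wildcard ⊤
    (ub(K, r, ?Z)), and any role of ⊤ reached through linking contains everyone.
    """
    mem = defaultdict(set)

    def m(role):
        if growth_restricted is not None and role not in growth_restricted:
            mem[role].add(TOP)
        return mem[role]

    changed = True
    while changed:  # terminates: finitely many (role, principal) facts
        changed = False
        for head, kind, body in stmts:
            if kind == "member":
                new = {body}
            elif kind == "simple":
                new = set(m(body))
            elif kind == "linked":
                k_r1, r2 = body
                new = set()
                for k1 in list(m(k_r1)):
                    new |= {TOP} if k1 == TOP else set(m(f"{k1}.{r2}"))
            else:  # "inter": ⊤ on one side lets the other side through
                a, b = (set(m(x)) for x in body)
                new = (a & b) | (b if TOP in a else set()) | (a if TOP in b else set())
            if not new <= m(head):
                mem[head] |= new
                changed = True
    return mem


def lower_bound(stmts, shrink_restricted):
    """P|_R: drop every removable statement, then evaluate (slide 20)."""
    return evaluate([s for s in stmts if s[0] in shrink_restricted])


def upper_bound(stmts, growth_restricted):
    return evaluate(stmts, growth_restricted)


def form1_necessary(stmts, S, role, principals):  # simple availability
    return set(principals) <= lower_bound(stmts, S)[role]


def form1_possible(stmts, G, role, principals):   # simple safety
    if role not in G:
        return True
    ub = upper_bound(stmts, G)[role]
    return TOP in ub or set(principals) <= ub


def form2_necessary(stmts, G, role, principals):  # bounded safety
    ub = upper_bound(stmts, G)[role]
    return role in G and TOP not in ub and ub <= set(principals)


def form2_possible(stmts, S, role, principals):
    return lower_bound(stmts, S)[role] <= set(principals)


if __name__ == "__main__":
    print("mem in P:", {r: sorted(m) for r, m in evaluate(P).items() if m})
    print("Alice in SSO.access necessary?", form1_necessary(P, S, "SSO.access", ["Alice"]))
    print("Eve in SSO.access possible?", form1_possible(P, G, "SSO.access", ["Eve"]))
    print("SSO.admin within {Alice} necessary?", form2_necessary(P, G, "SSO.admin", ["Alice"]))
```

Run stand-alone, the script reproduces slides 14 and 15: Alice's access is available because statements 1, 3 and 7 survive in P|_R, and Eve's access is possible because ⊤ flows from the growable HR.engineer and Alice.access through statements 6, 4 and 2 into SSO.access. The bounded-safety query on SSO.admin is necessary, since every role on the path from SSO.admin to Alice is growth-restricted.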

Slide 24: What about Form-3 Queries?
Form-3: mem[K1.r1] ⊇ mem[K.r]
- Neither monotonic nor anti-monotonic, so one cannot use the minimal state or the maximal state
- Difficulty: adding new members to K.r may affect K1.r1
- We only consider analysis asking whether mem[K1.r1] ⊇ mem[K.r] is necessary; we call this containment analysis

Slide 25: Complexity Results for Containment Analysis
- RT[ ] (just type-1 and 2 statements): containment analysis is in PTIME
- RT[∩] (type-1, 2, and 4 statements): containment analysis is coNP-complete
- RT[⇝] (type-1, 2, and 3 statements): containment analysis is PSPACE-complete; it remains PSPACE-complete without shrinking, and is coNP-complete without growing
- RT[⇝, ∩]: decidable in coNEXP

Slide 26: Containment Analysis in RT[ ]
Two cases in which X.u contains K.r:
1. the containment is forced by statements in P that cannot be removed
2. the containment is caused by the nonexistence of statements
- e.g., when no statement defines K.r and K.r cannot grow, K.r is contained in every role
- a direct translation of this intuition into a positive logic program does not work
- e.g., P = {"K.r ← K1.r1", "K1.r1 ← K.r", "K.r ← K2", "X.u ← K2"}, with both K.r and K1.r1 fixed: does X.u contain K.r?

Slide 27: The Containment Program for RT[ ]: BCP(P,R)
Start from LB(P,R) and:
- Add fc(?X, ?u, ?X, ?u)
- For each K.r ← K1.r1 in P|_R, add fc(K, r, ?Z, ?w) :- fc(K1, r1, ?Z, ?w)
- For each K.r that can grow, add nc(?X, ?u, K, r) :- ~fc(?X, ?u, K, r)
- For each K.r ← K1 in P s.t. K.r can't grow, add nc(?X, ?u, K, r) :- ~fc(?X, ?u, K, r), ~lb(?X, ?u, K1)
- For each K.r ← K1.r1 in P s.t. K.r can't grow, add nc(?X, ?u, K, r) :- ~fc(?X, ?u, K, r), nc(?X, ?u, K1, r1)

Slide 28: Solving Containment Analysis in RT[ ] Using Negation
- BCP(P,R) is stratified, so we use the perfect model semantics
- Theorem: BCP(P,R) |= nc(X, u, A, r) is true iff X.u does not contain A.r

Slide 29: Containment Analysis in RT[∩] is coNP-complete
- It is in coNP, because a counterexample can be found by considering just one new principal
- That it is coNP-hard is shown by reducing the monotone 3-SAT problem to it:
  - intersection is conjunction
  - a role may be defined by multiple statements (implicit disjunction)
  - containment is equivalent to determining the validity of formulas φ1 → φ2 where φ1 and φ2 are positive propositional formulas

Slide 30: Containment Analysis in RT[⇝]
First consider the case in which no shrinking is allowed in R.
View statements as rewriting rules:
- A.r ← D: "A r" rewrites to "D"
- A.r ← B.r1: "A r" rewrites to "B r1"
- A.r ← A.r1.r2: "A r" rewrites to "A r1 r2"
A string has the form "A r1 r2 r3 r4".
Lemma 0: SP[P] proves m(A, r, D) iff the string "A r" rewrites into "D" using P.

Slide 31: RT[⇝] and Pushdown Systems
(Figure: the string "A r u1 u2 ..." is the pushdown configuration with state A and stack r, u1, u2, ...; applying the rewriting rule "A r" to "A r1 r2" pops r and pushes r1 r2, giving state A and stack r1, r2, u1, u2, ...)
- A string corresponds to a configuration
- "rewrites into" is equivalent to "reaches"

Slide 32: Characteristic Set of a Role
Given P and R (shrinking forbidden), define:
- strs_P[A.r] = the set of strings that "A r" rewrites to
- X_R = the set consisting of all principals and all strings that start with a g-unrestricted role, i.e., "B r1 r2 r3 r4" where B.r1 is g-unrestricted
- X_{P,R}[A.r] = strs_P[A.r] ∩ X_R; each string "B r1 r2 r3 r4" in X_{P,R}[A.r] is a distinct way of adding a member to A.r
Lemma 1: Given P, R, X.u, A.r: mem[X.u] ⊇ mem[A.r] is necessary iff X_{P,R}[X.u] ⊇ X_{P,R}[A.r]

Slide 33: Lemma 2
Lemma 2: Given P, R (shrinking forbidden), and A.r, X_{P,R}[A.r] is recognized by an NFA whose size is polynomial in |P| + |R|.
Proof: X_{P,R}[A.r] = strs_P[A.r] ∩ X_R
- strs_P[A.r] is recognized by a poly-size NFA (Bouajjani, Esparza & Maler: "Reachability Analysis of Pushdown Automata: Application to Model-Checking", CONCUR'97)
- X_R is recognized by a poly-size NFA
- hence X_{P,R}[A.r] is recognized by a poly-size NFA

Slide 34: Containment Analysis in RT[⇝] is in PSPACE
Theorem: Given P, R (shrinking forbidden), X.u, A.r, determining whether mem[X.u] ⊇ mem[A.r] is necessary is in PSPACE.
- This follows from Lemmas 1 and 2 and the fact that determining containment of languages accepted by NFAs is in PSPACE.

Slide 35: Containment Analysis in RT[⇝] is PSPACE-hard
Theorem: Given P, R (shrinking forbidden), X.u, A.r, determining whether mem[X.u] ⊇ mem[A.r] is necessary is PSPACE-hard.
- Shown by reducing the containment problem for languages over the alphabet {0,1} defined by right-linear grammars to this problem.

Slide 36: Proof of PSPACE-hardness
From grammar to P:
- N1 ::= N2 1 becomes A.N1 ← A.N2.r1
- N2 ::= 0 becomes A.N2 ← B.r0
The restriction rule R:
- all A.Ni's are g-restricted
- B.r0 and B.r1 are g-unrestricted
Language[N1] maps to X_{P,R}[A.N1]:
- N1 generates 1010 iff "B r1 r0 r1 r0" ∈ X_{P,R}[A.N1]

Slide 37: Theorem (shrinking allowed)
Given P, R (shrinking allowed), X.u, A.r, determining whether mem[X.u] ⊇ mem[A.r] is necessary is in PSPACE.
- For every subset of P that can be obtained by legally removing statements from P, run the algorithm that does not allow shrinking.

Slide 38: Containment Analysis in RT[⇝, ∩]
Theorem: Given P (in RT[⇝, ∩]), R, X.u, A.r, determining whether mem[X.u] ⊇ mem[A.r] is necessary is in coNEXP.
- Although infinitely many new principals and statements may be added, if a counterexample exists, then a counterexample of size exponential in P exists
- If two new principals have the same memberships in all roles appearing in P, then the two principals can be collapsed into one

Slide 39: Summary of Complexities for Containment Analysis
- Type-1 and 2: PTIME
- Type-1, 2, and 3: PSPACE-complete
- Type-1, 2, and 4: coNP-complete
- Type-1, 2, 3, and 4: PSPACE-hard, in coNEXP

Slide 40: Outline
- Security analysis for RT0
- RT: a family of Role-based Trust-management languages
- Constraint Datalog as a semantic foundation for TM languages
- Open problems in trust management
- Other application areas of logic & logic programming in access control

Slide 41: RT: a family of Role-based Trust-management languages
Publications:
- Li, Mitchell & Winsborough: "Design of A Role-based Trust-management Framework", S&P'02

Slide 42: Features of the RT family of TM languages
- Expressive delegation constructs
- Permissions for structured resources
- A tractable logical semantics based on Constraint Datalog
- Strongly-typed credentials and vocabulary agreement
- Efficient deduction with a large number of distributed policy statements
- Security analysis

Slide 43: Expressive Features (part one)
I. Simple attribute assignment: StateU.stuID ← Alice
II. Delegation of attribute authority: StateU.stuID ← COE.stuID
III. Attribute inferencing: EPub.access ← EPub.student
IV. Attribute-based delegation of authority: EPub.student ← EPub.university.stuID

Slide 44: Expressive Features (part two)
V. Conjunction: EPub.access ← EPub.student ∩ ACM.member
VI. Attributes with fields:
- StateU.stuID(name=.., program=.., ...) ← Alice
- EPub.access ← StateU.stuID(program="graduate")
VII. Permissions for structured resources: e.g., allow connection to any host in a domain and at any port in a range

Slide 45: The Languages in the RT Framework
- RT0: Decentralized Roles
- RT1: Parameterized Roles
- RT2: Logical Objects
- RT1^C and RT2^C: structured resources (RT1 and RT2 with constraints)
- RT^T: for Separation of Duties
- RT^D: for Selective Use of Role memberships
RT^T and RT^D can be used (either together or separately) with any of the five base languages RT0, RT1, RT2, RT1^C, and RT2^C.

Slide 46: RT1 = RT0 + Parameterized Roles
Motivations: to represent
- attributes that have fields, e.g., digital ids, diplomas
- relationships between principals, e.g., physicianOf, advisorOf
- role templates, e.g., project leaders
Approach: a role term R has a role name and a list of fields

Slide 47: RT1 (Examples)
Example 1: Alpha allows the manager of an employee to evaluate the employee:
- Alpha.evaluatorOf(employee=y) ← Alpha.managerOf(employee=y)
Example 2: EPub allows CS students to access certain resources:
- EPub.access(action='read', resource='file1') ← EPub.university.stuID(dept='CS')

Slide 48: RT1 (Technical Details)
A credential takes one of the following forms:
1. A.r(h1, ..., hn) ← D
2. A.r(h1, ..., hn) ← B.r1(s1, ..., sm)
3. A.r(h1, ..., hn) ← A.r1(t1, ..., tL).r2(s1, ..., sm)
4. A.R ← B1.R1 ∩ B2.R2 ∩ ... ∩ Bk.Rk
Each variable:
- must have a consistent data type across multiple occurrences
- can have zero or more static constraints
- must be safe, i.e., must appear in the body

Slide 49: Semantics and Complexity for RT1
LP semantics makes each role name a predicate:
- e.g., A.r(h1, ..., hn) ← B.r1(s1, ..., sm) translates to r(A, h1, ..., hn, ?X) :- r1(B, s1, ..., sm, ?X)
Apply known complexity results: the atomic implications of SP(P) can be computed in O(N^(v+3)), where
- v is the max number of variables per statement
- each role name has at most p arguments
- N = max(N0, pN0), and N0 is the number of statements in P

Slide 50: RT2 = RT1 + Logical Objects
Motivation: to group logically related objects together and assign permissions about them together
Approach: introduce o-sets, which are
- similar to roles, but have values that are sets of things other than entities
- defined through o-set definition credentials, which are similar to role-definition credentials in RT1

Slide 51: RT2 (Examples)
Example 1: Alpha allows members of a project team to read documents of this project:
- Alpha.documents(projectB) ← "design_Doc_for_projectB"
- Alpha.team(projectB) ← Bob
- Alpha.fileAccess(read, ?F ∈ Alpha.documents(?proj)) ← Alpha.team(?proj)
Example 2: Alpha allows the manager of the owner of a file to access the file:
- Alpha.read(?F) ← Alpha.manager(?E ∈ Alpha.owner(?F))

Slide 52: RT^T: Supporting Threshold and Separation-of-Duty
- Threshold: require agreement among k principals drawn from a given list
- SoD: requires that two or more different persons be responsible for the completion of a sensitive task; we want to achieve SoD without mutual exclusion, which is nonmonotonic
- Though related, neither subsumes the other
- RT^T introduces a primitive that supports both: manifold roles

Slide 53: Manifold Roles
- While a standard role is a set of principals, a manifold role is a set of sets of principals
- A set of principals that together occupy a manifold role can collectively exercise the privileges of that role
- Two operators: ⊙, ⊗
  - A.R1 ⊗ B.R2 contains sets of two distinct principals, one a member of A.R1, the other of B.R2
  - A.R1 ⊙ B.R2 does not require them to be distinct

Slide 54: RT^T (Examples)
Example 1: require a manager and an accountant
- A.approval ← A.manager ⊙ A.accountant
- members(A.approval) ⊇ { {x, y} | x ∈ A.manager, y ∈ A.accountant }
Example 2: require a manager and a different accountant
- A.approval ← A.manager ⊗ A.accountant
- members(A.approval) ⊇ { {x, y} | x ≠ y, x ∈ A.manager, y ∈ A.accountant }

Slide 55: RT^T (Examples)
Example 3: require three different managers
- A.approval ← A.manager ⊗ A.manager ⊗ A.manager
- members(A.approval) ⊇ { {x, y, z} | x, y, z ∈ A.manager, pairwise distinct }

Slide 56: RT^T Syntax
Manifold roles can be used in basic RT statements. Two new types of policy statement are also added:
- A.R ← A1.R1 ⊙ A2.R2 ⊙ ... ⊙ Ak.Rk
  members(A.R) ⊇ { s1 ∪ ... ∪ sk | s_i ∈ members(A_i.R_i) for 1 ≤ i ≤ k }
- A.R ← A1.R1 ⊗ A2.R2 ⊗ ... ⊗ Ak.Rk
  members(A.R) ⊇ { s1 ∪ ... ∪ sk | s_i ∈ members(A_i.R_i) for 1 ≤ i ≤ k, and s_i ∩ s_j = ∅ for 1 ≤ i ≠ j ≤ k }
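As an added example (not code from the slides or from any RT implementation), the two manifold-role operators of slides 53 to 56 in Python: a manifold role is a set of frozensets of principals, ⊙ takes the union of one member set from each operand, and ⊗ additionally requires the chosen sets to be pairwise disjoint. The memberships of A.manager and A.accountant and the function names are this example's own constructions; the ⊗ case over three copies of A.manager is slide 55's "three different managers".

```python
# Added example (not from the slides): the ⊙ and ⊗ operators of RT^T over
# manifold roles, whose members are sets of principals (slides 53-56).
from itertools import product


def lift(principals):
    """A standard role viewed as a manifold role: every member becomes a singleton set."""
    return {frozenset([p]) for p in principals}


def dot(*roles):
    """A1.R1 ⊙ ... ⊙ Ak.Rk: unions s1 ∪ ... ∪ sk of one member set from each operand."""
    return {frozenset().union(*combo) for combo in product(*roles)}


def otimes(*roles):
    """A1.R1 ⊗ ... ⊗ Ak.Rk: like ⊙, but the chosen sets must be pairwise disjoint."""
    result = set()
    for combo in product(*roles):
        if all(not (combo[i] & combo[j])
               for i in range(len(combo)) for j in range(i + 1, len(combo))):
            result.add(frozenset().union(*combo))
    return result


def may_exercise(group, manifold_role):
    """A set of principals collectively exercises the role iff it is one of its member sets."""
    return frozenset(group) in manifold_role


# Constructed memberships (not from the slides): Bob is both a manager and an accountant.
manager = lift(["Alice", "Bob", "Carol"])
accountant = lift(["Bob", "Dan"])

approval_dot = dot(manager, accountant)          # A.approval ← A.manager ⊙ A.accountant
approval_otimes = otimes(manager, accountant)    # A.approval ← A.manager ⊗ A.accountant
three_managers = otimes(manager, manager, manager)  # three pairwise-distinct managers

if __name__ == "__main__":
    print(sorted(sorted(s) for s in approval_dot))
    print("Bob alone under ⊙:", may_exercise({"Bob"}, approval_dot))
    print("Bob alone under ⊗:", may_exercise({"Bob"}, approval_otimes))
    print("three distinct managers:", [sorted(s) for s in three_managers])
```

The difference between the operators is visible in the output: under ⊙ the single-element set {Bob} is a member of A.approval (Bob occupies both positions), so one person can approve alone; under ⊗ it is not, which is exactly the separation-of-duty property the slides describe without resorting to mutually exclusive roles.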

Slide 57: RT^T Complexity
- The ADSD must declare a size for each manifold role
- Given a set P of RT^T statements, let t be the maximal size of all roles in P. The atomic implications of P can be computed in time O(MN^(v+2t)).

Slide 58: Implementation and Application Status of RT
- Java implementation of an inference engine for RT0
- Preliminary version of RTML, an XML-based encoding of RT statements; XML Schemas and a parser exist
- Applications: U-STOR-IT (web-based file storage and sharing); August (a distributed calendar program); Automated Trust Negotiation demo by NAI

Slide 59: Outline
- Security analysis for RT0
- RT: a family of Role-based Trust-management languages
- Constraint Datalog as a semantic foundation for TM languages
- Open problems in trust management
- Other application areas of logic & logic programming in access control

Slide 60: Constraint Datalog
Publications:
- Li & Mitchell: "Datalog with Constraints: A Foundation for Trust-management Languages", PADL'03.

Slide 61: Datalog As A Foundation
- Natural: security policy statements are if-then rules
- Precise: declarative and widely-understood semantics
- Tractable: no function symbols, hence tractability; efficient goal-directed evaluation procedures
- Available technology: extensive Datalog research in LP and DB

Slide 62: Introducing Constraint Datalog (CDatalog)
Limitation of Datalog: it cannot express permissions about structured resources and ranges.
A CDatalog rule: R0(x0) :- R1(x1), ..., Rn(xn), ψ(x0, x1, ..., xn)
- x0, x1, ..., xn are tuples of variables
- ψ is a constraint in all the variables
CDatalog is a special form of CLP and a query language for Constraint Databases.

Slide 63: Example
A grants to B the permission to connect to hosts in the domain "stanford.edu" at any port between 8000 and 8443:
- grantConnect(A, B, h, p) :- h ≺ ⟨edu,stanford⟩, p ∈ [8000,8443].
A allows B to further delegate any part of this permission:
- grantConnect(A, x, h, p) :- grantConnect(B, x, h, p), h ≺ ⟨edu,stanford⟩, p ∈ [8000,8443].

Slide 64: Example (continued)
B grants to D the permission to connect to the host "cs.stanford.edu" and any host in this domain at any port:
- grantConnect(B, D, h, p) :- h ⪯ ⟨edu,stanford,cs⟩.
Query: which hosts does A allow D to connect to at port 8080?
- query(h) :- grantConnect(A, D, h, p), p=8080.

Slide 65: Example: Evaluation Process
1. grantConnect(A, x, h, p) :- grantConnect(B, x, h, p), h ≺ ⟨edu,stanford⟩, p ∈ [8000,8443].
2. grantConnect(B, D, h, p) :- h ⪯ ⟨edu,stanford,cs⟩.
Chaining 1 and 2, we get: grantConnect(A, D, h, p) :- h ⪯ ⟨edu,stanford,cs⟩, p ∈ [8000,8443].
Chaining with query(h) :- grantConnect(A, D, h, p), p=8080, we get: query(h) :- h ⪯ ⟨edu,stanford,cs⟩.
- We need to find a constraint on h that is equivalent to ∃p (h ⪯ ⟨edu,stanford,cs⟩ ∧ p ∈ [8000,8443] ∧ p=8080)
- This requires quantifier elimination
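The evaluation steps of slides 63 to 65, as an added example that is not code from the PADL'03 paper or the slides: basic tree-domain constraints on the host (h ≺ or ⪯ a path) and range constraints on the port are represented explicitly, rule bodies are chained by conjoining their per-variable constraints, and the final ∃p is eliminated by projecting the port constraint away. Because every constraint here is unary, the tree-domain conjunction is hierarchical (one side implies the other or the pair is unsatisfiable) and elimination is a projection once satisfiability is known. The constraint encoding, the function names and the extra hosts and ports used for checking are this example's own assumptions.

```python
# Added example (not from the PADL'03 paper or the slides): rule chaining and
# quantifier elimination over unary tree-domain and range constraints, on the
# grantConnect example of slides 63-65.
INF = float("inf")


def tree(node, strict=False):
    """h ⪯ ⟨node⟩ (strict=False: at or below) or h ≺ ⟨node⟩ (strict=True: strictly below)."""
    return ("tree", tuple(node), strict)


def rng(lo, hi):
    """p ∈ [lo, hi]; the point constraint p = c is rng(c, c)."""
    return ("range", lo, hi)


def conj(c1, c2):
    """Conjunction of two basic constraints on the same variable; None = unsatisfiable."""
    if c1 is None or c2 is None or c1[0] != c2[0]:
        return None
    if c1[0] == "range":
        lo, hi = max(c1[1], c2[1]), min(c1[2], c2[2])
        return rng(lo, hi) if lo <= hi else None
    (_, n1, s1), (_, n2, s2) = c1, c2
    if n1 == n2:                    # same node: strict if either side is strict
        return tree(n1, s1 or s2)
    if n1[:len(n2)] == n2:          # n1 lies below n2: the deeper node decides (hierarchical)
        return tree(n1, s1)
    if n2[:len(n1)] == n1:
        return tree(n2, s2)
    return None                     # unrelated subtrees: unsatisfiable


def chain(*constraint_sets):
    """Resolve rule bodies: conjoin their per-variable constraints; None if any is unsat."""
    out = {}
    for cs in constraint_sets:
        if cs is None:
            return None
        for var, c in cs.items():
            out[var] = conj(out[var], c) if var in out else c
            if out[var] is None:
                return None
    return out


def eliminate(cs, var):
    """∃var over a conjunction of unary constraints: since a non-None cs is satisfiable,
    dropping var's constraint leaves an equivalent constraint on the other variables."""
    return None if cs is None else {v: c for v, c in cs.items() if v != var}


def holds(value, c):
    """Does a concrete host path (tuple) or port (int) satisfy a basic constraint?"""
    if c is None:
        return False
    if c[0] == "range":
        return c[1] <= value <= c[2]
    _, node, strict = c
    return tuple(value)[:len(node)] == node and (not strict or len(value) > len(node))


# Rule 1: grantConnect(A, x, h, p) :- grantConnect(B, x, h, p), h ≺ ⟨edu,stanford⟩, p ∈ [8000,8443]
RULE1 = {"h": tree(("edu", "stanford"), strict=True), "p": rng(8000, 8443)}
# Rule 2: grantConnect(B, D, h, p) :- h ⪯ ⟨edu,stanford,cs⟩
RULE2 = {"h": tree(("edu", "stanford", "cs"))}


def answer(port):
    """query(h) :- grantConnect(A, D, h, p), p = port: the constraint on h, or None."""
    return eliminate(chain(RULE1, RULE2, {"p": rng(port, port)}), "p")


if __name__ == "__main__":
    print(answer(8080))   # the slide's result: h ⪯ ⟨edu,stanford,cs⟩
    print(answer(9000))   # None: the port is outside [8000, 8443], so no host is allowed
    print(holds(("edu", "stanford", "cs", "www"), answer(8080)["h"]))
```

The port 9000 variant shows why the satisfiability of the eliminated variable matters: the conjunction on p collapses to None before projection, so the query has no answers rather than an unconstrained h.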

Slide 66: Formal Definitions
A constraint domain (Σ, D, L):
- Σ is a signature, i.e., a set of constants, predicates, and function symbols
- D is a Σ-structure
- L is a class of quantifier-free first-order formulas called primitive constraints
A constraint in variables x1, x2, ..., xk is a finite conjunction of primitive constraints.

Slide 67: Formal Definitions (continued)
A constraint domain (Σ, D, L) admits quantifier elimination if for every formula ∃x* φ(x1, x2, ..., xk) it is possible to compute an equivalent disjunction of constraints φ1'(#) ∨ φ2'(#) ∨ ... ∨ φm'(#), where x* ⊆ {x1, x2, ..., xk} and # = {x1, x2, ..., xk} \ x*.

Slide 68: Example Constraint Domains
- Equality constraint domains: x=y or x=c
- Order constraint domains: x=y, x θ c (θ a comparison operator)
- Linear constraint domains: c1x1 + c2x2 + ... + ckxk θ c0 (θ a comparison operator)
- Polynomial constraint domains: p(x1, x2, ..., xk) θ 0, in which p is a polynomial in the variables

Slide 69: Some Useful Constraint Domains in TM
Tree domains:
- each constant is a path ⟨a1, a2, ..., ak⟩, e.g., ⟨pub, software⟩
- a primitive constraint: x=y or x θ ⟨a1, a2, ..., ak⟩, in which θ ∈ {=, <, ≤, ≺, ⪯}
Range domains:
- each constant is a number
- a primitive constraint: x=y, x=c, or x ∈ (c1, c2) (with open or closed ends)
Discrete domains with sets:
- a primitive constraint: x=y, x ∈ {c1, c2, ..., cj}

Slide 70: Four Classes of Constraint Domains
1. does not admit quantifier elimination; e.g., polynomial constraints over the integers p(x1, x2, ..., xk) = 0, as it subsumes Hilbert's Tenth Problem
2. admits quantifier elimination, but evaluating a CDatalog program may not terminate; e.g., linear constraints c1x1 + c2x2 + ... + ckxk θ c0
3. evaluating CDatalog programs takes exponential time
4. tractable: evaluating CDatalog programs takes polynomial time

Slide 71: Hierarchical constraint domains are tractable
- Unary constraint domains: each primitive constraint either has the form x=y or contains just one variable; such a unary constraint is called a basic constraint
- Hierarchical constraint domains: for any two basic constraints φ1(x) and φ2(x), either φ1(x) ∧ φ2(x) is unsatisfiable or one of the constraints implies the other
- Theorem: Hierarchical domains are tractable. Key observation: no new basic constraint needs to be introduced in the evaluation procedure
- Example: tree domains

Slide 72: Linearly decomposable constraint domains are tractable
- Linearly decomposable constraint domains: there exists a constant d such that, given any set C of basic constraints, one can compute a set C' with |C'| ≤ d|C| such that the conjunction of any subset of C ∪ C' can be represented as a disjunction of constraints in C'
- Theorem: Linearly decomposable domains are tractable
- Example: range domains. C = {x ∈ (1,10), x ∈ (*,5], x ∈ (2,*)}; C' = {x ∈ (*,1], x ∈ (1,2], x ∈ (2,5], x ∈ (5,10), x ∈ [10,*)}
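An added example (not code from the slides or the PADL'03 paper) of the linear decomposition of range constraints. It builds a set C' of elementary pieces from the endpoints of C, using singletons for every endpoint and open gaps between them, which is a finer but still linear-size decomposition than the one written on the slide (here |C'| ≤ 4|C| + 1), and then expresses the conjunction of any subset of C as the list of pieces it covers. The interval encoding and function names are this example's own; the input set C is the slide's.

```python
# Added example (not from the slides): a linear decomposition C' of a set C of
# range constraints, and the conjunction of a subset of C as a disjunction
# (list) of pieces of C'. Intervals are (lo, lo_closed, hi, hi_closed); the
# unbounded end "*" of the slide is -INF or INF.
INF = float("inf")


def interval(lo, lo_closed, hi, hi_closed):
    return (lo, lo_closed, hi, hi_closed)


def pieces(C):
    """C': the singleton {b} for every finite endpoint b of C, plus the open gaps between
    consecutive endpoints and out to ±∞. |C'| ≤ 4|C| + 1, so d = 5 works."""
    pts = sorted({b for lo, _, hi, _ in C for b in (lo, hi) if abs(b) != INF})
    out, prev = [], -INF
    for b in pts:
        out.append(interval(prev, False, b, False))   # open gap (prev, b)
        out.append(interval(b, True, b, True))        # singleton [b, b]
        prev = b
    out.append(interval(prev, False, INF, False))
    return out


def contains_point(c, x):
    lo, lc, hi, hc = c
    return (lo < x or (lo == x and lc)) and (x < hi or (x == hi and hc))


def piece_in(piece, c):
    """A piece of C' never straddles an endpoint of c, so it is either inside c or disjoint."""
    a, _, b, _ = piece
    if a == b:                                   # singleton
        return contains_point(c, a)
    return c[0] <= a and b <= c[2]               # open gap: closedness of c is irrelevant


def conj_as_disjunction(subset, Cp):
    """The conjunction of the constraints in `subset`, as the list of pieces of C' it covers."""
    return [p for p in Cp if all(piece_in(p, c) for c in subset)]


# The slide's example: C = {x ∈ (1,10), x ∈ (*,5], x ∈ (2,*)}
C = [interval(1, False, 10, False), interval(-INF, False, 5, True), interval(2, False, INF, False)]
CP = pieces(C)

if __name__ == "__main__":
    print(len(C), "constraints ->", len(CP), "pieces")
    print("(1,10) ∧ (*,5] =", conj_as_disjunction(C[:2], CP))
    print("(1,10) ∧ (*,5] ∧ (2,*) =", conj_as_disjunction(C, CP))
```

The point of the decomposition is the one the slide's theorem relies on: once C' is fixed, evaluating a program never produces a constraint outside the finite set C', so bottom-up evaluation terminates in time polynomial in |C|.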

Slide 73: RT1^C: RT1 with constraints
Example: FS.access(path ⪯ ⟨pub,software⟩, type ∈ {read, write, delete}) ← Purdue.student(dept='CS')

Slide 74: Other Applications of Constraint Datalog
- Theorem: it is undecidable to compute the set of all requests that one KeyNote assertion authorizes.
- Theorem: SPKI's 5-tuple reduction is semantically incomplete.

Slide 75: Outline
- Security analysis for RT0
- RT: a family of Role-based Trust-management languages
- Constraint Datalog as a semantic foundation for TM languages
- Open problems in trust management
- Other application areas of logic & logic programming in access control

Slide 76: Open Problems in RT
Security analysis:
- Exact complexity bound for containment analysis in RT[⇝, ∩]
- Average-case complexity and heuristic algorithms for containment analysis
- Other (maybe non-static) state-change restrictions and other queries
- Suggesting modifications to security policies so that they satisfy security properties
- Considering other features in the RT framework: RT1, RT^T

Slide 77: Open Problems in RT
Extending the language:
- maybe with negation-as-failure, which turns out to be useful when modeling security analysis in RBAC that uses mutually exclusive roles; this seems related to stable model semantics
Distributed deduction for RT1, RT1^C:
- combine top-down and bottom-up search with application-domain information

Slide 78: Outline
- Security analysis for RT0
- RT: a family of Role-based Trust-management languages
- Constraint Datalog as a semantic foundation for TM languages
- Open problems in trust management
- Other application areas of logic & logic programming in access control

Slide 79: Automated Trust Negotiation (Interactive Deduction)
- Winsborough, Seamons & Jones: "Automated Trust Negotiation", DISCEX'00.
- Yu, Winslett & Seamons: "Supporting Structured Credentials and Sensitive Policies through Interoperable Strategies for Automated Trust Negotiation", TISSEC 2003.
- Seamons, Winslett & Yu: "Limiting the Disclosure of Access Control Policies During Automated Trust Negotiation", NDSS'01.
- Winsborough & Li: "Towards Practical Automated Trust Negotiation", Policy'02.
- Winsborough & Li: "Safety in Automated Trust Negotiation", S&P'04.

Slide 80: Datalog-based Access Control Languages
- Woo & Lam: "Authorization in Distributed Systems: A New Approach", JCS'94.
- Bertino, Jajodia & Samarati: "A Flexible Authorization Mechanism for Relational Data Management Systems", TOIS'99.
- Jajodia, Samarati, Sapino & Subrahmanian: "Flexible support for multiple access control policies", TODS'01.
- Bertino, Catania, Ferrari & Perlasca: "A logical framework for reasoning about access control models", TISSEC'03.
