Venkata Marella's presentation on Status Based Access Control

Status Based Access Control
Venkata Marella
Introduction
• This model is applicable in situations where
- access policy information may be distributed and
independently maintained;
- the permissions to access resources change
frequently;
- the actions of agents that request access to protected
resources are important in rendering a decision on
whether or not to allow the requested access;
- the access control checker must be able to determine
the authorizations that hold at any instant of time.
• Challenge: the size, complexity and dynamic nature of
some distributed systems.
• The key feature of the SBAC model is that a decision on an
agent’s access request is determined by considering
the agent’s ascribed-status, the agent’s action-status and
any additional conditions of relevance in answering the
access request.
• Ascribed Status + Action Status = Overall Status
Ascribed Status
• An ascribed-status is associated with a collection of
agents that is formed on the basis of some common
criterion that the agents of the collection share, for example:
– a particular role;
– a categorization of agents on the basis of
shared attributes;
– trustworthiness;
– discretionary assignment of agents to a group.
Action Status
• An agent’s action-status is determined from the history of
the deliberative actions performed by the agent.
• An agent is viewed as a rational entity that can, within
certain constraints, choose the actions it performs.
• Because access to resources is determined from an agent’s
status level, it follows that, in SBAC, an agent can, to
some extent, determine its own access to resources: by
choosing the actions it performs, the agent chooses its
action-status.
Example
• Consider a human agent who is under eighteen years of age. The
agent’s age is the basis for an ascribed-status of minor
(not the result of a deliberate action).
• Now suppose that the agent performs the deliberative
action of stealing a car, and assume that no mitigating
circumstances apply to excuse the act of stealing (a
deliberate action).
• Then the ascribed-status of minor, together with the
deliberative action of stealing a car (we assume that the
action is not coerced), might give the agent an overall
status of young offender.
• The status of young offender may then be used as a basis for
determining what actions an agent with young offender
status can and cannot perform.
• For example, agents with the status of young offender
may be subject to a curfew order and, as a
consequence, may not be permitted to leave
their registered address between 6 p.m. in
the evening and 8 a.m. on the following day.
• The ascribed-status and action-status of an agent u that
requests to access a resource r are used to determine
what actions u is authorized to perform on r.
• Access control models, like SBAC, that take agent
actions into account and that allow agents to manage, to
some extent, their own access to resources will be
increasingly important in distributed applications such as
secure e-trading and e-contracting.
• In such applications, notions like job functions and roles
are often of peripheral (or no) significance.
• Instead, criteria such as the quantity of units ordered by
a customer agent via acts of purchasing may be used as
the basis for determining access to resources.
Example
• Customers ordering large volumes of merchandise may,
from their history of purchases, be determined to have
preferred status and, as a consequence, may be
permitted to access special offers information that is not
accessible to customers without preferred status. By
addressing such requirements, the SBAC model
contributes to work by the access control community that
aims to increase the functionality and application of
access control models.
Important Issues
• dealing with changing access control requirements that
can be effected autonomously;
• the identification of information resources in
distributed systems that may be used for
evaluating access requests;
• the composition of SBAC policies.
- We make use of the primitive notion of an event and
show how a finite and efficiently implementable
axiomatization of an event-based, typed logical theory
can be constructed for dealing with changing access
control requirements.
- We introduce Identification-based Logic Programs
(IBLPs).
- We define a number of algebras for flexibly
composing SBAC policies (represented as IBLPs).
• The SBAC model and SBAC policies are specified in a
language that has a purely declarative semantics and
that can be directly translated into an executable form for
which efficient, sound, and complete operational
semantics exist for access request evaluation.
• The IBLP language is based on a nonmonotonic semantics
that provides a basis for accommodating changing policy
requirements and for defining an access control checker
that is able to reflect upon its knowledge and to change
an access control policy dynamically and autonomously
in response to changes in its knowledge base.
Identification Based Logic Program
• Identification-based Logic Programs (IBLPs).
IBLPs are an annotated form of logic programs that allow
independently maintained and distributed information
sources to be specified and referenced in the process of
access request evaluation.
• IBLPs are based on a syntactic variant of normal logic
programs.
Definition 1. A normal clause is a formula of the form:
A ← A1, . . . , Am, not Am+1, . ., not Am+n (m≥ 0, n ≥ 0).
• A normal logic program is a set of normal clauses.
• The head A of the clause and each Ai are atoms
• A1, . . . , Am are called “positive literals”, and not Am+1, .
. . , not Am+n are “negative literals”; not denotes
negation-as-failure.
• A clause with an empty body is a fact; a clause with a
non-empty body is a rule.
• The literals in the body are also known as the conditions of the clause.
• We denote variables in clauses by using symbols that
start with a letter in the upper case; we denote constants
by using symbols that start with a letter in the lower
case.
• Each atom in the body of a clause is annotated
with the name of a uniquely identifiable module (an
IBLP); the module may be stored on any server and is
named by a Uniform Resource Identifier (URI).
• URIs thus provide a unique global identity for
referencing IBLPs.
• Definition 2: Let R be a finite set of URIs. An
identification-based clause is a formula of the following
form (m ≥ 0, n ≥ 0):
A ← A1 ⇐ υ1, . . . , Am ⇐ υm, not Am+1 ⇐ υm+1, . . . , not Am+n ⇐ υm+n
where the head A and each Ai (1 ≤ i ≤ m+n) are atoms,
and each υi (1 ≤ i ≤ m+n) is a URI in R.
An IBLP is a finite set of identification-based clauses.
• Definition 3: Let R be a finite set of URIs and P1, . . . , Pn
be IBLPs. An IBLP configuration is a pair (R, δ) where δ
is a mapping δ : R → {P1, . . . , Pn}.
• Given a configuration (R, δ), Ai ⇐ υi is true (provable) iff Ai
is true (provable) with respect to the IBLP δ(υi), and
not Ai ⇐ υi is true (provable) iff Ai is not provable with
respect to δ(υi).
• Definition 4: Let (R, δ) be an IBLP configuration, and let υi be a URI in
R. ∆υi denotes the normal logic program obtained by
replacing every occurrence of an annotated atom of the form
p(t1, . . . , tk) ⇐ υ in the IBLP δ(υi) by the atom p:υ(t1, . . . , tk),
and every occurrence of an unannotated atom of the form
p(t1, . . . , tk) in the IBLP δ(υi) by the atom p:υi(t1, . . . , tk).
Let R = {υ1, . . . , υn}. The reduction of (R, δ), written
∆(R, δ), is the normal logic program ∆υ1 ∪ · · · ∪ ∆υn.
• Definition 5: Let (R, δ) be an IBLP configuration. M is an
identification-based (IB) stable model of (R, δ) iff M is a
stable model of the normal logic program ∆(R, δ).
• Remark: Although a reduction generates a normal
logic program from an IBLP by translating all URI-annotated
atoms into atoms of an ordinary normal logic program, the
IBLP syntax is not redundant: a p(t1, . . . , tk) ⇐ υi condition
in an IBLP has an operational meaning (evaluate the
condition against the module named υi) as well as a logical
meaning.
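To make the reduction of Definition 4 concrete, here is an added example (not code from the slides or from the SBAC paper) that mechanically translates a constructed IBLP configuration (R, δ) into the normal logic program ∆(R, δ). The textual clause syntax (`head <- lit, lit, ...`, with `atom <= uri` for an annotated atom and `not` for negation-as-failure), the `sbac://shop/...` URIs and the clauses themselves are assumptions made for this example.

```python
# Added example: the reduction of Definition 4 over a constructed IBLP
# configuration. Clause syntax and sbac:// URIs are assumptions of the example.
import re

# "head <- lit, lit, ..." where a literal is "atom <= uri" or "not atom <= uri".
# A body atom with no "<= uri" belongs to the module the clause itself lives in.
ATOM = re.compile(r"^\s*([a-z]\w*)\s*\((.*)\)\s*$", re.S)


def split_top_level(s: str, sep: str = ",") -> list[str]:
    """Split on `sep` outside parentheses so an atom like p(X, Y) stays whole."""
    parts, cur, depth = [], [], 0
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def qualify(atom: str, uri: str) -> str:
    """p(t1, ..., tk) annotated with uri becomes p:uri(t1, ..., tk)."""
    m = ATOM.match(atom)
    if not m:
        raise ValueError(f"not an atom: {atom!r}")
    return f"{m.group(1)}:{uri}({m.group(2).strip()})"


def reduce_clause(clause: str, own_uri: str) -> str:
    """One identification-based clause of delta(own_uri) -> one clause of Delta_own_uri."""
    head, _, body = clause.strip().rstrip(".").partition("<-")
    lits = []
    for lit in split_top_level(body):
        neg = lit.startswith("not ")
        atom, _, uri = (lit[4:] if neg else lit).partition("<=")
        # unannotated atoms (head, or body without "<= uri") take the clause's own URI
        lits.append(("not " if neg else "") + qualify(atom, uri.strip() or own_uri))
    return qualify(head, own_uri) + (" <- " + ", ".join(lits) if lits else "") + "."


def reduce_config(config: dict[str, list[str]]) -> list[str]:
    """Delta(R, delta) = union of Delta_uri over every URI in the configuration."""
    return [reduce_clause(c, uri) for uri, clauses in config.items() for c in clauses]


# Constructed configuration: three modules, each named by a hypothetical URI.
CONFIG = {
    "sbac://shop/policy": [
        "sla(U, preferred) <- big_buyer(U) <= sbac://shop/orders, "
        "not suspended(U) <= sbac://shop/hr",
        "authorized(U, read, special_offers) <- sla(U, preferred)",
    ],
    "sbac://shop/orders": [
        "big_buyer(U) <- ordered(U, N), large(N)",
        "ordered(bob, 500).",
        "large(500).",
    ],
    "sbac://shop/hr": ["suspended(eve)."],
}

if __name__ == "__main__":
    for clause in reduce_config(CONFIG):
        print(clause)
```

Running it prints the six reduced clauses. The point to notice is that head atoms and unannotated body atoms are qualified with their own module's URI, so a predicate such as sla defined in two different modules no longer clashes once the modules are unioned into one normal logic program; the annotation also keeps its operational reading, since an evaluator can route each qualified sub-goal to the module that owns it.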
SBAC MODEL AND POLICIES
• The SBAC model and SBAC policies are defined over:
- a countable set O of object identifiers;
- a countable set A of named actions;
- a countable set L of status level identifiers;
- a countable set E of event identifiers;
- a countable set U of agent identifiers;
- a countable set T of time points.
• An object is anything that stores information: an IBLP, a
database, or individual facts within a database. All objects
have a unique identity that is invariant; some objects may
also have properties.
• The set A of named actions includes
- the actions an agent may perform to change its status;
- the actions an agent can perform as a
consequence of enjoying a particular status.
• A status level is a named position of an agent that is
relative to the other status levels
of interest in a specific domain of discourse.
Example:
• 1.) Preferred Customer 2.) Ordinary Customer.
• Events are happenings at an instant of time. We adopt
a discrete, point-based view of time, with a beginning and
no end point.
• We assume that time is bidirectional, so that both proactive
and retroactive changes may be made to represent access
policy requirements, and so that past, present
and future times can be used in the model as a basis for
making decisions.
• Pre-authenticated agents may evaluate queries on
information sources protected by SBAC policies
expressed using IBLPs.
• An authorization is a 4-tuple (u, a, r, i) where u ∈ U is an
agent identifier, a ∈ A is an access privilege, r ∈ O is the
resource u requests to retrieve, and i ∈ O is the IBLP
from which u requests to retrieve r.
• The remainder of the model covers:
- how a history of events relating to individual agents is
represented as a set of facts;
- the IBLP rules that express the core logical axioms
of the SBAC model;
- the formulation of a set of IBLP rules (the proper axioms)
that make up an SBAC policy.
Event Description in IBLPs
• An agent’s access to the information resources that are
maintained by an organization Ω will depend, in part,
upon the transactions the requester agent engages in
with Ω. These transactions are expressed via a set of
application-specific security event descriptions (SEDs)
Definition:
• A security event description (SED) is a finite set of
ground 2-place facts (atoms) that describe an event,
uniquely identified by an event identifier ei (i ∈ ℕ), and which
includes three necessary facts and n non-necessary facts (n ≥ 0).
• The three types of necessary facts in a SED and their
intended meanings are as follows:
- happens(ei, ti): the event ei happens at time ti.
- act(ei, al): the event ei involves the action al.
- agent(ei, um): the event ei involves the agent um.
• Together, the happens(ei, ti), act(ei, al) and agent(ei, um) facts in
an SED represent a happening ei, at time ti,
of an act al performed by an agent um.
Example
• Consider the following SED:
{happens(e1, 20060612), agent(e1, bob), act(e1,
depositing), object(e1, a1), amount(e1, 1000)}.
• This SED describes an event e1 that happens on 12th
June 2006 and involves the agent Bob depositing an
amount of 1000 Euros into an object (a bank account)
denoted by a1. The amount(e1, 1000) fact and the
object(e1, a1) fact are non-necessary facts.
Logical Axioms in IBLPs
• An agent U is currently assigned the status level L if an
event E happened at a time Ts, which is earlier than the
current time T, and resulted in the initiation of U’s
assignment to L, and this assignment has not been
ended before T as a consequence of an event E′
happening at a time T′ between Ts and T that causes U’s
assignment of the status level L to be terminated.
Proper Axioms
- A set of rules (AUX) that define the auxiliary predicates
that appear in the axioms;
- a set of rules that specify permission-level
assignments (PLA);
- a set of rules that define denial-level assignments
(DLA);
- a set of rules (ACC) that are meta-level policy rules;
- a (singleton) set of rules (AUTH) that specifies the
authorizations defined by a policy.
Extended SBAC
• In extended SBAC, we also consider promissory actions and
hypothetical actions.
• A promissory action is a promise by an agent to perform
(or to refrain from) an action at some future time; for example, an
agent may promise to join a bank’s loyalty scheme by a set date.
Promissory actions are useful for making temporary assignments
of status.
– Negative promissory actions
– Positive promissory actions
• Positive promissory actions: a positive promissory action
is an action of promising that an agent U makes at time
T1 that, by some future time point T2, an action A will be
performed by U.
The following variant of the status-level axiom may be used to
assign an agent U to a status level L1 on the basis
of U’s (positive) promissory action; note the extra
expired_sla condition, which withdraws the assignment once
the promise has expired:
sla(U, L1) ← current_time(T),
happens(E1, T1), agent(E1, U),
pp_act(E1, A), T1 ≤ T,
sla_init(E1, U, A, L1, T1),
not ended_sla(U, L1, T1, T),
not expired_sla(E1, T).
• Negative promissory actions: a negative promissory
action is an action of promising that an agent U makes at
time T1 that, until some future time point T2, an action A
will not be performed by U.
sla(U, L1) ← current_time(T),
happens(E1, T1), agent(E1, U),
h_act(E1, A), T1 ≤ T,
sla_init(E1, U, A, L1, T1),
not ended_sla(U, L1, T1, T).
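The status-level axiom from the Logical Axioms slide and the two promissory variants above, as an added worked example (not code from the slides or from the SBAC paper): a small Python evaluator that computes sla(U, L) from a history of SEDs and then answers authorization requests through hypothetical PLA, DLA and ACC rules. The status names (preferred, disputed, trusted, provisional_member), the initiating and terminating actions, the agents and the whole event history are constructed for the example; the acts pp_promising and np_promising stand in for the pp_act/h_act events of the axioms, and dates are encoded as YYYYMMDD integers so that numeric comparison gives the time ordering.

```python
# Added example: evaluator for sla(U, L) and authorized(U, A, R) over a
# constructed SED history. Policy rules, status names and events are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Event:
    """One SED: the necessary facts happens/agent/act plus non-necessary extras."""
    eid: str
    happens: int      # time point as YYYYMMDD; integers order correctly as dates
    agent: str
    act: str
    extra: dict = field(default_factory=dict)


def sla_init(e: Event) -> list[str]:
    """sla_init(E, U, A, L, Ts): the status levels that event E initiates."""
    if e.act == "purchasing" and e.extra.get("amount", 0) >= 1000:
        return ["preferred"]
    if e.act == "disputing":
        return ["disputed"]
    if e.act == "pp_promising":   # promise to do extra["promised"] by extra["deadline"]
        return ["provisional_member"]
    if e.act == "np_promising":   # promise NOT to do extra["forbidden"] until extra["deadline"]
        return ["trusted"]
    return []


def ends(later: Event, level: str, init: Event) -> bool:
    """ended_sla: does `later` (same agent, after `init`) terminate `level`?"""
    if level == "preferred":
        return later.act == "refunding"
    if level == "trusted":        # breaking a negative promise before its deadline
        return later.act == init.extra["forbidden"] and later.happens <= init.extra["deadline"]
    return False


def expired(init: Event, events: list[Event], t: int) -> bool:
    """expired_sla(E1, T): a positive promise lapses once its deadline has passed
    without the promised action having been performed by the promising agent."""
    if init.act != "pp_promising":
        return False
    kept = any(x.agent == init.agent and x.act == init.extra["promised"]
               and init.happens < x.happens <= init.extra["deadline"] for x in events)
    return t > init.extra["deadline"] and not kept


def sla(events: list[Event], u: str, t: int) -> set[str]:
    """Status levels U holds at time T: some event E1 by U at T1 <= T initiated L1,
    no later event by U at T' (T1 < T' <= T) ended it, and E1 has not expired."""
    held = set()
    for e in events:
        if e.agent != u or e.happens > t:           # happens(E1,T1), agent(E1,U), T1 <= T
            continue
        for level in sla_init(e):                   # sla_init(E1, U, A, L1, T1)
            ended = any(x.agent == u and e.happens < x.happens <= t and ends(x, level, e)
                        for x in events)             # not ended_sla(U, L1, T1, T)
            if not ended and not expired(e, events, t):  # not expired_sla(E1, T)
                held.add(level)
    return held


# PLA/DLA: status levels that permit or deny (action, object). The ACC meta-policy
# used here is the simplest one: a denial overrides a permission. AUTH combines them.
PLA = {("preferred", "read", "special_offers"),
       ("provisional_member", "read", "member_news"),
       ("trusted", "read", "member_news")}
DLA = {("disputed", "read", "special_offers")}


def authorized(events: list[Event], u: str, a: str, r: str, t: int) -> bool:
    held = sla(events, u, t)
    permitted = any((lvl, a, r) in PLA for lvl in held)
    denied = any((lvl, a, r) in DLA for lvl in held)
    return permitted and not denied


# Constructed sample history (hypothetical agents and dates).
EVENTS = [
    Event("e1", 20060612, "bob", "purchasing", {"amount": 1500}),
    Event("e2", 20060620, "bob", "refunding", {"amount": 1500}),
    Event("e3", 20060701, "bob", "purchasing", {"amount": 2000}),
    Event("e4", 20060705, "alice", "pp_promising",
          {"promised": "joining_loyalty", "deadline": 20060731}),
    Event("e5", 20060710, "carol", "np_promising",
          {"forbidden": "disputing", "deadline": 20061231}),
    Event("e6", 20060715, "bob", "disputing"),
    Event("e7", 20060801, "carol", "disputing"),
]

if __name__ == "__main__":
    for who, when in [("bob", 20060625), ("bob", 20060710), ("bob", 20060720),
                      ("alice", 20060720), ("alice", 20060805),
                      ("carol", 20060720), ("carol", 20060810)]:
        print(who, when, sorted(sla(EVENTS, who, when)),
              authorized(EVENTS, who, "read", "special_offers", when))
```

Running the module prints, for several (agent, time) pairs, the status levels held and whether read access to special_offers is authorized. Two behaviours worth checking against the axiom: bob's preferred status initiated by e1 is ended by the refund e2 but re-initiated by the later purchase e3, and every status is evaluated relative to the query time T, so the same history gives different answers at different times (alice's provisional_member status exists before her deadline and vanishes after it unless a joining_loyalty event is found in between; carol's trusted status is ended the moment she performs the action she promised not to).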
Practical Considerations
• On general complexity issues, we note that the key
decision problem of interest in the context of SBAC
policies is deciding whether a particular
instance of authorized is true in the IB-stable model of
an IBLP configuration.
• Four tests for a practical implementation:
– Test 1. Query evaluation on a database db stored on a single
machine, without an SBAC policy used to protect db.
– Test 2. Query evaluation on a database db protected by an
implementation of an SBAC policy stored on the same
machine as db.
– Test 3. Status level computations using an SBAC policy that
accesses information from multiple distributed sites.
– Test 4. Remote access to a file of facts.
• Two key observations emerge from the analysis of the
results generated from the testing:
- Using SBAC policies to protect information sources imposes
negligible extra overhead.
- Although communication costs dominate CPU costs,
the evaluation of realistic distributed computations
can be performed with adequate efficiency for realistic SBAC
policies.
SBAC Vs RBAC
• The SBAC model generalizes some RBAC models.
• In RBAC, agents are assigned to one specific type of
ascribed status (i.e. a role); once the role assignment is
made to the agent, it persists for as long as the security
administrator maintains it.
• In SBAC, the requester agent’s status may additionally
change as a result of any number of deliberate actions
it performs.
• In constrained RBAC, constraints may be used to express
higher-level policy requirements on agent-role and
permission-role assignments.
• In SBAC, ACC is used for meta-policy specification, and
constraints, such as separation of status, can be
naturally accommodated.
• In contrast to RBAC, in SBAC security administrators
define access control policies using predicates of their
own choosing, and test for stratifiability of policy
specifications.
Conclusion
• SBAC policies are appropriate to use in dynamically
changing, distributed computing contexts in which, for
instance, the notion of a job function does not
necessarily apply and where it is important to
accommodate rational agents that can pursue individual
goals rather than performing a particular function within a
particular organizational structure.