Logical Model and Specification of
Usage Control
Xinwen Zhang, Jaehong Park
Francesco Parisi-Presicce, Ravi Sandhu
George Mason University
Outline
•
•
•
•
•
•
•
•
Introduction of UCON
Temporal Logic of Action (TLA)
Logic Model for UCON with TLA
Specification of Authorization Core Models
Specification of Obligation Core Models
Specification of Condition Core Models
Applications of Logical Model
Conclusions and Future Work
2
UCON
• A unified framework for next generation access control
• A comprehensive model to represent the underlying
mechanism of existing access control models and policies.
• Try to extend the limits of traditional access control
models:
–
–
–
–
–
Authorization only – No obligation or condition based control
Identity based only – No attributes based support
Decision is made before access – No ongoing control
No consumable rights - No mutable attributes
Rights are pre-defined and granted to subjects
3
UCON
• UCON provides a general model beyond DRM
and Trust management:
– Digital Rights Management (DRM)
• Mainly focus on intellectual property rights protection with
architecture and mechanism level studies
• Lack of access control model
– Trust Management
• Authorization for strangers’ access based on credentials
• Lack of an abstract model for attribute-based authorization
4
OM-AM Layered Approach
5
Related Work: UCON Model
• UCON:
– A Unified model for next generation
access control, constructed by
integrating obligations, conditions as
well as authorizations, and by
including continuity and mutability
properties.
Rights
(R)
• Components:
–
–
–
–
Subjects and attributes
Objects and attributes
Generic rights
Decision components:
• Authorization
• Obligations
• Conditions
Subjects
(S)
Objects
(O)
Usage
Decisions
Subject Attributes (SA)
Object Attributes (OA)
Authoriz
ations
(A)
Obliga
tions
(B)
Condi
tions
(C)
6
UCON Model
• Unique properties beyond traditional models:
– 3 phases for single usage process
– Continuity of decisions: Decision check can be performed in the
first 2 phases.
– Mutability of attributes: Attributes updated can be performed as
result of usage actions in all 3 phases.
Continuity of
Decisions
pre-decision
ongoing-decision
before-usage
ongoing-Usage
pre-update
ongoing-update
Mutability of
Attributes
after-usage
post-update
7
Core Models
• According to the authorization control attribute update
points, we have seven core authorization models:
– preA0: control decision is determined before access, and there is no
attribute update.
– preA1: control decision and and attribute update before access.
– preA3: control decision is determined before access, and attribute update
after access.
– onA0: control decision is checked and determined during usage, and there
is no attribute update.
– onA1: control decision is checked and determined during usage, and there
is attribute update before access.
– onA2: control decision is checked and determined during usage, and there
is attribute update during usage.
– onA3: control decision is checked and determined during usage, and there
is attribute update after usage.
• Similarly, a set of core models are defined with obligations
and conditions.
8
• A real UCON system may be a hybrid of them.
Outline
•
•
•
•
•
•
•
•
Introduction of UCON
Temporal Logic of Action (TLA)
Logic Model for UCON with TLA
Specification of Authorization Core Models
Specification of Obligation Core Models
Specification of Condition Core Models
Applications of Logical Model
Conclusions and Future Work
9
Temporal Logic of Action
• Basic Terms:
–
–
–
–
Variables: x, y
Values: 5, “abc”
Constants
A state is an assignment of values to variables
• Functions: nonboolean expression with variables and
constants
– Semantically, a function is a mapping from states to values.
• State Predicates: boolean expression with variables and
constants
– Semantically, a predicate is a mapping from states to booleans.
• Actions: boolean expression with variables, primed
variables, and constants
– Semantically, an action is a function assigning a boolean to a pair of states
(s,t), where s is the old state with variables, and t is the new state with 10
primed variables.
TLA
• Behavior: a sequence of states <s0, s1, s2,…,>
•Semantics of an action A:
e.g: for action A of x’=y+1, its value is
where
is the value of x in state s1, and
value of y in state s0.
•Temporal operator:•(always)
is the
• Temporal Formula:
• Semantics:
11
TLA
• Other temporal operators:
– “Eventually”:
– “Next”:
– “Until”:
• Past temporal operators:
– Has-always-been, Once, Previous, Since
12
Outline
•
•
•
•
•
•
•
•
Introduction of UCON
Temporal Logic of Action (TLA)
Logic Model for UCON with TLA
Specification of Authorization Core Models
Specification of Obligation Core Models
Specification of Condition Core Models
Expressivity and Flexibility
Conclusions and Future Work
13
Logical Model of UCON:
States and Attributes
• A state of a UCON system is a set of assignments
of values to attributes:
– Subject attributes:
• role=“employee”
• security clearance = “secret”
• credit amount = $1000.00
– Object attributes:
• type=“file”
• ACL={(Alice, read),(Bob, write)}
– System attributes:
• system time
• platform location
– A special system attribute:
• state(s,o,r)={initial, requesting, denied, accessing, revoked, end}
• To specify the status of a single access process (s,o,r)
• Authorization actions defined to change this state.
14
Logical Model of UCON: Predicates
• Predicates: boolean expression built from
subject attributes, object attributes, and
system attributes.
– Mapping a state to True/False
– Unary predicates:
Alice.credit > $1000, file1.classification = “secure”
– Binary predicates:
Dominate(Alice.clearance, file1.classification)
(Bob, read)  file2.ACL
– Ternary predicate permit(s,o,r):
• Specify usage control decisions
• True if a s is allowed to access o with r.
15
Logic Model of UCON:
Actions
• Actions: boolean expressions
built from attributes in two
states.
– Alice.credit’=Alice.credit - $50.0
• Two types of actions:
– Control actions: change the state
of single usage process
• Actions performed by the subject
• Actions performed by the system
– Obligation actions:
• Actions that have to be
performed before or during an
access.
• May or may not be performed by
the requesting subject and on the
target object.
16
Logic Model of UCON
• The logical model of a UCON system is a 5-tuple: (S, PA, PC, AA, AB) ,
where
– S is a sequence of states of the system,
– PA is a finite set of authorization predicates built from the attributes of
subjects and objects,
– PC is a finite set of condition predicates built from the system attributes,
– AA is a finite set of control actions,
– AB is a finite set of obligation actions.
• A UCON policy is a logic formula consisting of predicates, actions,
and logical and temporal operators:
– Where a is an action, p is a predicate with term t1,t2,…tn
17
Logical Model of UCON
• Semantics:
18
Outline
•
•
•
•
•
•
•
•
Introduction of UCON
Temporal Logic of Action (TLA)
Logic Model for UCON with TLA
Specification of Authorization Core Models
Specification of Obligation Core Models
Specification of Condition Core Models
Applications of Logical Model
Conclusions and Future Work
19
Specification of Core Model
• preA0:
• Example 2: BLP model
• Example 3: DAC with ACL
20
Specification of Core Model
• preA1:
• Example 4: DRM pay-per-use application
21
Specification of Core Model
• preA3:
22
Specification of Core Model
• onA0:
• Example 6:
23
Specification of Core Model
• onA1:
• onA2:
• onA3:
24
Specification of Core Model
• Example 7: Resource-constrained access control
– Limited number (10) of ongoing accessing for a single object
– Object attribute:
– When 11th subject requesting new access, one ongoing accessing will be
revoked.
• a. the earliest usage will be revoked: onA13
• Subject attribute: startTime
25
Specification of Core Model
• b. revocation by longest idle usage: onA123
• Subject attributes: status (with value of busy or idle), idleTime
26
Specification of Core Model
• c. revocation by longest total usage: onA13
• Subject attribute: usageTime
27
Outline
•
•
•
•
•
•
•
•
Introduction of UCON
Temporal Logic of Action (TLA)
Logic Model for UCON with TLA
Specification of Authorization Core Models
Specification of Obligation Core Models
Specification of Condition Core Models
Applications of Logical Model
Conclusions and Future Work
28
Obligations
• An obligation is an action described by ob(s, o, r, sb, ob)
– ob is the action name,
– (s, o, r) is a particular usage process requiring the obligation,
– sb, ob are obligation subject and object.
• Two types of obligations in UCON:
– pre-obligations, which must have been performed before access.
– ongoing-obligations, which must be performed during usage.
• Obligations that have to be performed after an access, since
they only affect the future usage process, are considered as
global obligations
29
Obligation Model
• Core obligation models:
– preB0: A usage control decision is determined by obligations before an access, and
there is no attribute update before, during, or after the usage.
– preB1: A usage control decision is determined by obligations before an access, and
one or more subject or object attributes are updated before the usage.
– preB3: A usage control decision is determined by obligations before an access, and
one or more subject or object attributes are updated after the usage.
– onB0: Usage control is checked and the decision is determined by obligations
during an access, and there is no attribute update before, during, or after the usage.
– onB1: Usage control is checked and the decision is determined by obligations
during an access, and one or more subject or object attributes are updated before
the usage.
– onB2: Usage control is checked and the decision is determined by obligations
during an access, and one or more subject or object attributes are updated during
the usage.
– onB3: Usage control is checked and the decision is determined by obligations
during an access, and one or more subject or object attributes are updated after the
usage.
30
Specification of Core Model
• preB1:
31
Specification of Core Model
• preB1:
32
Specification of Core Model
• onB0:
33
Outline
•
•
•
•
•
•
•
•
Introduction of UCON
Temporal Logic of Action (TLA)
Logic Model for UCON with TLA
Specification of Authorization Core Models
Specification of Obligation Core Models
Specification of Condition Core Models
Applications of Logical Model
Conclusions and Future Work
34
Conditions
• Conditions are environment restrictions before or during usage.
• In UCON, a condition is a predicate built from system attributes, such as
time and location.
• Two types of conditions:
– pre-conditions: conditions that must be true before an access.
– ongoing-conditions: conditions that must be true during the process of
accessing an object.
• preC0:
• onC0:
35
Outline
•
•
•
•
•
•
•
•
Introduction of UCON
Temporal Logic of Action (TLA)
Logic Model for UCON with TLA
Specification of Authorization Core Models
Specification of Obligation Core Models
Specification of Condition Core Models
Applications of Logical Model
Conclusions and Future Work
36
Application
• RBAC1 model: preA0
37
Application
• RBAC2: preA1
38
Application
• Chinese Wall Policy: preA1
39
Application
• MAC with high watermark
40
Conclusions
• A logical model for UCON with:
– States with:
• subject attributes and values
• Object attributes and values
• System attribute and values
– Predicates:
• Authorization predicates built from subject and object attributes
• Condition predicates built from system attributes
– Actions:
• Attribute update actions
• Usage control actions
• Obligation actions
– Temporal formulas of usage control policies
• First-order logic specification of the UCON models with
new features of mutability and continuality
41
Future Work
• Formal study:
– Enrich logical model, such as constraints,
delegations
– Expressive power and safety analysis of UCON
with logical formalization
• Development of architecture and
mechanism for UCON system
– DRM technologies
– Trusted computing technologies
42