An Algebra for Composing Access Control Policies (2002)
Authors: Piero Bonatti, Sabrina De Capitani di, Pierangela Samarati
Presenter: Siqing Du
Date: 09-22-05

Introduction
- Increase the expressiveness and flexibility of authorization languages
- Support multiple policies in a single framework
- Existing frameworks translate and merge different component policies into a single "program" (problems)
- Policy composition framework: an algebra for combining security policies with formal semantics

Characteristics of a Composition Framework
- Heterogeneous policy support
- Support for unknown policies
- Controlled interference
- Expressiveness
- Support of different abstraction levels
- Formal semantics

An Algebra of Policies: Preliminary Concepts
- Authorization term: a triple (s, o, a) in S x O x A (subject, object, action)
- A policy is defined as a set of ground authorization terms (triples)
- An authorization constraint language Lacon
- A rule language Lrule
- A semantic function closure: P(Lrule) x P(S x O x A) --> P(S x O x A), where P(.) denotes the powerset

Some simplifications
- Basic predicates, with at most three arguments, from distinct basic domains (S, A, O)
- Hierarchical relationships among elements of a domain: (s op s0) with op in {≥, ≤, <, >, =}
- Horn clauses

Policy Expressions: Syntax (BNF)
- E: nonterminal for policy expressions
- id: token type of policy identifiers
- T: template
- C: constructs describing Lacon
- R: constructs describing Lrule

Operation Definition (1)
- Environments: e is a partial mapping from policy identifiers to sets of ground authorizations
- Addition (+): merges two policies by returning their union

Operation Definition (2)
- Conjunction (&): merges two policies by returning their intersection
- Subtraction (-): restricts a policy by eliminating all the accesses in a second policy

Operation Definition (3)
- Closure (*): closes a policy under a set of inference (derivation) rules
- Scoping restriction (^): restricts the application of a policy to a given set of subjects, objects, and actions
- c: constraints, applied together with a substitution

Operation Definition (4)
- Overriding (o): replaces part of a policy with the corresponding fragment of a second policy; the portion to be replaced is specified by means of a third policy
for instance,

Operation Definition (5)
- Template ( ): defines a partially specified policy that can be completed by supplying the parameters
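The operators defined on the slides above, worked through as an added executable model (this is not code from the slides or from the paper's authors). A policy is a frozenset of (subject, object, action) triples; the rule representation, the constraint callables, the subject hierarchy and the department template are constructed here, and writing overriding as (P1 - P3) + (P2 & P3) is this example's own reading of the definition, not a formula taken from the page:

```python
from typing import Callable, Dict, FrozenSet, Iterable, Set, Tuple

Auth = Tuple[str, str, str]                  # ground authorization term (subject, object, action)
Policy = FrozenSet[Auth]                     # a policy: a set of ground authorization terms
Rule = Callable[[Policy], Iterable[Auth]]    # derivation rule: triples implied by the ones held
Constraint = Callable[[str, str, str], bool]


def policy(*triples: Auth) -> Policy:
    return frozenset(triples)


def add(p1: Policy, p2: Policy) -> Policy:
    """Addition (+): union of the two policies."""
    return p1 | p2


def conj(p1: Policy, p2: Policy) -> Policy:
    """Conjunction (&): intersection, an access needs both policies."""
    return p1 & p2


def sub(p1: Policy, p2: Policy) -> Policy:
    """Subtraction (-): drop every access that p2 contains."""
    return p1 - p2


def closure(p: Policy, rules: Iterable[Rule]) -> Policy:
    """Closure (*): least set containing p and closed under the rules (fixpoint iteration)."""
    rule_list = list(rules)
    current: Set[Auth] = set(p)
    while True:
        derived = {t for r in rule_list for t in r(frozenset(current))}
        if derived <= current:           # nothing new: fixpoint reached
            return frozenset(current)
        current |= derived


def scope(p: Policy, c: Constraint) -> Policy:
    """Scoping restriction (^c): keep only the authorizations satisfying constraint c."""
    return frozenset(t for t in p if c(*t))


def override(p1: Policy, p2: Policy, p3: Policy) -> Policy:
    """Overriding (o): replace the fragment of p1 selected by p3 with p2's fragment on p3.
    Modelled as (p1 - p3) + (p2 & p3); this decomposition is an assumption of the example."""
    return add(sub(p1, p3), conj(p2, p3))


def dept_template(dept: str, obj: str, actions: Iterable[str]) -> Policy:
    """Template: a partially specified policy completed by supplying its parameters (constructed)."""
    return policy(*((dept, obj, a) for a in actions))


# Constructed subject hierarchy: division <= department.
BELOW: Dict[str, str] = {"Cardiology": "Medicine", "Oncology": "Medicine"}


def inherit_down(p: Policy) -> Iterable[Auth]:
    """Rule in Lrule (Horn clause): (g, o, a) and s <= g imply (s, o, a)."""
    return [(s, o, a) for (g, o, a) in p for s, parent in BELOW.items() if parent == g]


def demo() -> Dict[str, Policy]:
    """Compose a few constructed hospital policies with each operator."""
    med = dept_template("Medicine", "records", ("read", "write"))
    rad = policy(("Radiology", "images", "read"))
    full = closure(add(med, rad), [inherit_down])               # (med + rad)*
    reads = scope(full, lambda s, o, a: a == "read")            # full^[action = read]
    no_card_write = sub(full, policy(("Cardiology", "records", "write")))
    onc_part = scope(full, lambda s, o, a: s == "Oncology")     # the fragment to replace
    onc_read_only = override(full, reads, onc_part)             # full o reads, selected by onc_part
    return {"full": full, "reads": reads,
            "no_card_write": no_card_write, "onc_read_only": onc_read_only}
```

The closure loop only terminates because `inherit_down` is monotone and the hierarchy is finite; a rule set that kept deriving fresh triples would never reach the fixpoint, which is why the paper's closure takes a fixed, finite rule language rather than arbitrary code.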

Example 1: Hospital
- Three departments: Radiology, Surgery, Medicine
- No access to the lab_tests data unless the patient consents
- Two divisions of the Medical department: Cardiology and Oncology

Example 2: University Laboratories
- A student must be authorized both by the laboratory tutors, e.g. (Smith, machine1, login), and by the department administration, e.g. (cs101, cs-lab, login)
- Blacklisted students are forbidden; only a permission from the provost can override this
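The university-laboratory composition above, written with the algebra's conjunction and subtraction directly on triple sets. This is an added example, not the slides' or the paper's own formulation: the course and lab membership tables, the second student, the provost policy and the decision rule (tutors & admin) - (blacklist - provost) are constructed assumptions.

```python
from typing import Dict, FrozenSet, Set, Tuple

Auth = Tuple[str, str, str]   # (subject, object, action)
Policy = FrozenSet[Auth]

# Constructed membership data: students of a course, machines in a lab.
COURSE_STUDENTS: Dict[str, Set[str]] = {"cs101": {"Smith", "Jones"}}
LAB_MACHINES: Dict[str, Set[str]] = {"cs-lab": {"machine1", "machine2"}}


def expand(p: Policy) -> Policy:
    """Ground a policy stated over courses/labs down to individual students/machines,
    so that policies written at different abstraction levels can be intersected."""
    out: Set[Auth] = set()
    for s, o, a in p:
        for subj in COURSE_STUDENTS.get(s, {s}):
            for obj in LAB_MACHINES.get(o, {o}):
                out.add((subj, obj, a))
    return frozenset(out)


# Constructed component policies: the two triples from the slide plus a second student.
TUTORS: Policy = frozenset({("Smith", "machine1", "login"), ("Jones", "machine2", "login")})
ADMIN: Policy = frozenset({("cs101", "cs-lab", "login")})
BLACKLIST: Policy = frozenset({("Jones", "cs-lab", "login")})   # Jones is blacklisted lab-wide
PROVOST: Policy = frozenset({("Jones", "machine2", "login")})     # constructed provost exception


def lab_policy(tutors: Policy, admin: Policy, blacklist: Policy, provost: Policy) -> Policy:
    """(tutors & admin) - (blacklist - provost): both authorities must grant the access,
    and a blacklist entry blocks it unless the provost has explicitly overridden it."""
    granted = expand(tutors) & expand(admin)
    forbidden = expand(blacklist) - expand(provost)
    return granted - forbidden


def decide(p: Policy, subject: str, obj: str, action: str) -> bool:
    """Closed policy: an access is allowed only if its triple is in the composed set."""
    return (subject, obj, action) in p
```

Because every component is closed (absent triples are denials), the order of subtraction matters: subtracting the provost policy from the blacklist first limits the override to exactly the blacklist entries the provost lifted, rather than letting the provost grant accesses the tutors never authorized.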

Reasoning based on Formal Semantics

Evaluating Policy Expressions
- Translating algebraic expressions into equivalent logic programs (pe2lp), in order to provide executable specifications compatible with different evaluation strategies
- pe2lp creates a distinct predicate symbol for each policy identifier and for each internal node in the syntax tree of the given algebraic expression
- Each operator is labeled with a distinct integer; formally, such extended expressions are called labeled policy expressions
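A small translator in the spirit of pe2lp, added here as an illustration and not taken from the paper: it labels each operator node with a distinct integer, gives that node its own predicate, keeps identifier names as predicates the environment binds, and emits one Datalog-style clause group per node. The exact clause shapes (two clauses for +, a conjunctive body for &, negation as failure for -, and a constraint literal for scoping) and the example expression are this example's assumptions.

```python
from dataclasses import dataclass
from itertools import count
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Id:
    """Policy identifier; becomes a predicate bound (or left unbound) by the environment."""
    name: str


@dataclass(frozen=True)
class Op:
    """Internal node: binary operator '+', '&' or '-' applied to two sub-expressions."""
    op: str
    left: "Expr"
    right: "Expr"


@dataclass(frozen=True)
class Scope:
    """Scoping restriction E^[c]; the constraint c is rendered as an extra body literal."""
    expr: "Expr"
    constraint: str   # constructed rendering, e.g. "A = login"


Expr = Union[Id, Op, Scope]


def pe2lp(expr: Expr) -> Tuple[str, List[str]]:
    """Translate a policy expression into Datalog-style clauses (assumed rendering).
    Returns (predicate of the root node, clauses). Every operator node receives a
    distinct integer label n and owns predicate pn/3; identifiers keep their names."""
    clauses: List[str] = []
    labels = count(1)

    def visit(e: Expr) -> str:
        if isinstance(e, Id):
            return e.name
        if isinstance(e, Scope):
            inner = visit(e.expr)
            head = f"p{next(labels)}"
            clauses.append(f"{head}(S,O,A) :- {inner}(S,O,A), {e.constraint}.")
            return head
        left, right = visit(e.left), visit(e.right)    # post-order: operands first
        head = f"p{next(labels)}"
        if e.op == "+":     # union: one clause per operand
            clauses.append(f"{head}(S,O,A) :- {left}(S,O,A).")
            clauses.append(f"{head}(S,O,A) :- {right}(S,O,A).")
        elif e.op == "&":   # intersection: both literals in one body
            clauses.append(f"{head}(S,O,A) :- {left}(S,O,A), {right}(S,O,A).")
        elif e.op == "-":   # difference: negation as failure on the second operand
            clauses.append(f"{head}(S,O,A) :- {left}(S,O,A), not {right}(S,O,A).")
        else:
            raise ValueError(f"unknown operator {e.op!r}")
        return head

    return visit(expr), clauses


def university_expr() -> Expr:
    """Constructed labeled expression: ((tutors & admin) - blacklist)^[A = login]."""
    return Scope(Op("-", Op("&", Id("tutors"), Id("admin")), Id("blacklist")), "A = login")
```

Unbound identifiers such as `tutors` simply become predicates with no facts, which is how the slides' "unknown policies" remain representable: the program is well-formed before the environment supplies them, and the negated literal keeps the program stratified because no node refers back to its own label.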

Expressiveness Analysis with Respect to First-order Logic
- The basic core of this algebra captures only a strict subset of FOL
- Equivalence: let E be a policy expression and F be a formula in L with one free variable x. E and F are equivalent if and only if, for all environments e defined for all free identifiers of E, and for all relations satisfy

Evaluation with Respect to the Desiderata (1)
- Heterogeneous policies can be supported either by exploiting the algebra constructs to represent the different policies, or by referring to heterogeneous policies through policy identifiers that are then interpreted by means of wrappers
- Unknown policies are supported by means of policy identifiers that can remain unbound in the environment
- Interference between program rules and authorizations coming from different policies is controlled by restricting rule application to specific policies by means of the closure construct

Evaluation with Respect to the Desiderata (2)
- Expressiveness is achieved by the different operators, which easily allow the formulation of protection restrictions, as illustrated in the examples and discussions presented
- Different abstraction levels are naturally supported by the component-based approach
- Formal semantics can be exploited to reason about properties of the specifications

Concluding Remarks: Main contributions
- Analyzed the problem of composing security policies in a modular and incremental fashion
- Identified six desiderata for a policy composition framework
- Proposed an algebra of security policies and a composition language
- Proposed an implementation approach based on logic programming and partial evaluation techniques
- Provided an extensive preliminary analysis of the algebra