Multiple Access Control Policies


Page 1: Multiple Access Control Policies

Multiple Access Control Policies

• A Unified Framework for Enforcing Multiple Access Control Policies [by Jajodia and Samarati]

• Authorization in Distributed Systems: A New Approach [by Woo and Lam]

• References:

* A Logical Framework for Reasoning on Data Access Control Policies. Bertino and Catania. ACM Trans., Vol. 6, No. 1.

* The Well-Founded Semantics for General Logic Programs. Gelder and Ross.

Page 2: Multiple Access Control Policies

Definition

Access control policies are devised for controlling access to information.

Each policy requires its own language, in which its policy bases are specified.

A policy base encodes a set of authorization requirements and is given a precise semantics based on a formal notion of authorization policy.

Page 3: Multiple Access Control Policies

Multiple Access Control Policies

Problem: Protection requirements within a system vary dramatically, and no single policy may simultaneously satisfy them all.

This paper presents a flexible authorization manager (FAM) that enforces multiple access control policies within a unified system.

FAM is based on a language through which users can specify authorizations and access control policies.

Page 4: Multiple Access Control Policies
Page 5: Multiple Access Control Policies

The FAM language contains three components.

• Data objects of different types

• Hierarchy

• Language specifications

Page 6: Multiple Access Control Policies

Formalization

A data system DS is a 4-tuple (Obj, T, S, A), where Obj, T, S and A are the sets of objects, types, subjects and actions.

User Hierarchy. A DS is said to be user-hierarchical iff there exists a finite partially ordered set (G, ≤) such that x is a ≤-minimal element of G iff x ∈ U (U being the set of individual users).

Page 7: Multiple Access Control Policies
Page 8: Multiple Access Control Policies

Authorization specifications consist of constant symbols, variable symbols and predicate symbols.

Predicate symbols:

– cando

– dercando

– do

– done

– error

– dirin

– in

– typeof

– owner

Page 9: Multiple Access Control Policies

Examples

– cando(file1, Employees, +write) ←

– cando(file1, s, +write) ← in(s, Employees)

– dercando(o, s, +a) ← cando(o, s', +a) & in(s, s')

– dercando(file1, s, -read) ← dercando(file2, s, read) & in(s, s) & in(s, s)  (the subscripts distinguishing the subject variables did not survive extraction)

– dercando(o, s, -write) ← done(o', s, read) & typeof(o, Exams) & typeof(o', Solutions)

Page 10: Multiple Access Control Policies

– error(o, s, a) ← cando(o, s, +a) & cando(o, s, -a)

– error(o, s, a) ← done(o, s, read) & done(o', s, read) & typeof(o, Budget-A) & typeof(o', Budget-B)

Page 11: Multiple Access Control Policies

FAM-programs

An authorization specification AS is said to be a FAM-program iff the set of decision (do) rules in AS is:

– Clash-free, and

– For each triple (o, u, a), there exists at least one weakly applicable do-rule in AS.

Page 12: Multiple Access Control Policies

Clash-free

do(file1, X, +read) ← dirin(X, Employees)

do(file1, X, -read) ← dirin(X, Policeman)

Weakly Applicable

Consider the triple (file1, john, read)

do(file1, s, +a) ← dercando(file1, s, +a)

do(o, s, +read) ← ¬dercando(o, s, +read) & ¬dercando(o, s, -read) & typeof(o, Pblc-docs)

Page 13: Multiple Access Control Policies

CAM-program

An authorization specification AS is said to be a semi-CAM program iff each do rule in AS has a head of the form do(OT, ST, +AT).

do(O, U, -A) ← ¬do(O, U, +A)

Page 14: Multiple Access Control Policies

FAM policy library

Closed, open and hybrid. Hybrid: no overriding, subgroup overriding, and path overriding.

Conflict resolution:

– No conflicts allowed

– Permissions take precedence

– Denials take precedence

Page 15: Multiple Access Control Policies

Examples

Closed policy

– dercando(o, u, +a) ← cando(o, s, +a) & in(u, s)

– do(o, u, +a) ← dercando(o, u, +a)

– error(o, s, a) ← cando(o, s, -a)

– do(o, u, -a) ← ¬do(o, u, +a)

Open policy

– dercando(o, u, -a) ← cando(o, s, -a) & in(u, s)

– do(o, u, +a) ← ¬dercando(o, u, -a)

Page 16: Multiple Access Control Policies

Subgroup overrides along a path

– dercando(o, s, +a) ← cando(o, s, +a)

– dercando(o, s, -a) ← cando(o, s, -a)

– dercando(o, s, +a) ← dercando(o, s', +a) & ¬cando(o, s, -a) & dirin(s, s')

– dercando(o, s, -a) ← dercando(o, s', -a) & ¬cando(o, s, +a) & dirin(s, s')
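As an added illustration (not code from the slides or from the Jajodia and Samarati paper), the following Python evaluates the subgroup-overriding rules above as a fixpoint over a constructed dirin hierarchy and cando facts, then applies the closed-policy and open-policy do rules of the previous slide and the error rule for explicit clashes.

```python
# Added example: fixpoint evaluator for FAM 'subgroup overrides along a path'.
# The hierarchy and cando facts are constructed for this example only.

# dirin(child, parent): direct membership edges (user or group -> immediate group).
DIRIN = {("Employees", "Staff"), ("Interns", "Employees"),
         ("alice", "Interns"), ("bob", "Employees")}

# cando(o, s, +/-a): explicit authorizations stated by the security officer.
CANDO = {("file1", "Staff", "+read"),      # Staff may read file1
         ("file1", "Interns", "-read"),    # but Interns are explicitly denied
         ("file1", "Employees", "+write")}

def clashes(cando):
    """error(o,s,a) <- cando(o,s,+a) & cando(o,s,-a): explicit contradictions."""
    return {(o, s, a[1:]) for (o, s, a) in cando
            if a[0] == "+" and (o, s, "-" + a[1:]) in cando}

def derive(cando, dirin):
    """dercando under subgroup overriding along a path:
    dercando(o,s,+/-a) <- cando(o,s,+/-a)
    dercando(o,s,+/-a) <- dercando(o,s',+/-a) & not cando(o,s,-/+a) & dirin(s,s')
    'not cando' is checked against the extensional cando set, so the negation
    is stratified and a plain fixpoint iteration suffices."""
    derc = set(cando)
    changed = True
    while changed:
        changed = False
        for (o, parent, sa) in list(derc):
            opposite = ("-" if sa[0] == "+" else "+") + sa[1:]
            for (child, p) in dirin:
                # propagate one level down unless the child overrides explicitly
                if p == parent and (o, child, opposite) not in cando \
                        and (o, child, sa) not in derc:
                    derc.add((o, child, sa))
                    changed = True
    return derc

def decide(derc, o, s, a, policy="closed"):
    """do(o,s,+a) under the closed policy (grant only on a derived permission)
    or the open policy (grant unless a denial was derived)."""
    if policy == "closed":
        return (o, s, "+" + a) in derc     # do(o,u,+a) <- dercando(o,u,+a)
    return (o, s, "-" + a) not in derc     # do(o,u,+a) <- not dercando(o,u,-a)

if __name__ == "__main__":
    d = derive(CANDO, DIRIN)
    for s in ("alice", "bob", "Staff"):
        print(s, "read:", decide(d, "file1", s, "read"),
              "write closed/open:", decide(d, "file1", s, "write"),
              decide(d, "file1", s, "write", "open"))
```

Note that Staff gets +read but never +write: propagation only flows downward along dirin edges, so a group never inherits from its subgroups.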

Page 17: Multiple Access Control Policies
Page 18: Multiple Access Control Policies

Authorization in Distributed Systems

Problem: a language is needed that is expressive enough to specify commonly encountered authorization requirements. The requirements here include multiple access policies and support for a distributed environment.

Page 19: Multiple Access Control Policies

Authorization policy

An authorization policy over a set of subjects S, a set of objects O and a set of access rights R is a 4-tuple (P+, P-, N+, N-) where each component is a subset of {(r, s, o) | r ∈ R, s ∈ S, o ∈ O}.

A grant (r, s, o) iff (r, s, o) ∈ P+

A deny (r, s, o) iff (r, s, o) ∈ N+

A fail (r, s, o) iff (r, s, o) ∉ P+ ∪ N+

Page 20: Multiple Access Control Policies

Examples

Let V = {x, y, …} (variables), P = {p, q} (propositions), S = {A, B, G}, O = {X, Y, Z}.

Rule fragments surviving extraction (the rule connectives did not): read-(G, x); read+(A, X); read+(A, Y); x ∈ G; read-(G, Y); read-(x, Y); ¬p; write+(x, Z); ¬read+(x, y)

Page 21: Multiple Access Control Policies

Closed Policy Base

A base is closed if it contains only closed rules, i.e. rules whose literals contain no variables.

B admits two extensions, {write+(A, Y)} and {write+(A, X)}.

[Closed policy base B: two rules over write(A, X) and write(A, Y), each with one atom as consequent and the other as justification; the exact rule layout did not survive extraction.]

Page 22: Multiple Access Control Policies

Generalized Form

[Generalized form: for a rule d built from formulas f, f' and g, the interpretation I[G, d] is built from I[G, f], I[G, f'] and I[G, g], and I[G, B] = { I[G, d] | d ∈ B }; the exact rule layout did not survive extraction.]

Page 23: Multiple Access Control Policies

Open Policy Base

Each open rule in B stands for all of its ground instances (closed rules).

If S = {A, B} and O = {X, Y}:

[One open rule over write(x, X) and read(x, y) expands into four ground instances: write(A, X) / read(A, X); write(A, X) / read(A, Y); write(B, X) / read(B, X); write(B, X) / read(B, Y). The rule connectives did not survive extraction.]

Page 24: Multiple Access Control Policies

Exceptions

[Policy base B with exceptions: rules over read(x, X), write(x, X), read(x, Y), except(x, X), x ∈ G and write(A, X); the exact rule layout did not survive extraction.]

Page 25: Multiple Access Control Policies

Examples of Policy Base

If a subject s has not been explicitly granted a right r to an object o, then s will inherit a denial of r to o if it belongs to a group g that has a denial of r to o.

[Rule: a denial r-(s, o) is derived from r-(g, o), the membership of s in g, and the absence of an explicit grant r+(s, o); the exact formula did not survive extraction.]

Page 26: Multiple Access Control Policies

The Bad vs. Evil

[Woo] cannot resolve conflicts.

– Horizontal composition

• Each SSO specifies a policy base for a part of a system, and multiple SSOs may cover the whole system. The policies may complement or conflict with one another.

– Vertical composition

• An SSO is responsible for his subordinate administrators. The leaf policy bases are more specific and detailed than the root policy base. A composition of these would give rise to conflicts.

Page 27: Multiple Access Control Policies

[Jajodia] proposes a logic language for expressing authorization rules and shows how this language can express most of the access control policies. Programs written in this language are a subset of stratified Datalog programs and are therefore able to express only a limited set of authorization specifications.

Page 28: Multiple Access Control Policies

Thank you