Timed Constraint Programming: A Declarative Approach to Usage Control


Page 1: Timed Constraint Programming: A Declarative Approach to Usage Control

Timed Constraint Programming: A Declarative Approach to Usage Control

Radha Jagadeesan, Will Marrero, Corin Pitcher (DePaul University)

Vijay Saraswat (IBM Research)

Page 2

PPDP 2005 - Timed Constraint Programming: A Declarative Approach to Usage Control 2

Usage Control

- Scope of Usage Control [Park, Sandhu 2002]
  - Traditional access control
  - Trust management
  - Digital rights management
- Temporal aspects of UCON policies
  - Terminate ongoing sessions when resource consumption is too high
  - Change access rights during an emergency
  - Enforcement of dynamic separation of duty concerns

Page 3

This Talk

- Policy algebra for Usage Control, following the timed concurrent constraint programming paradigm
  - Declarative
  - Default constraint programming addresses negative authorization requirements
  - Reactive computing addresses history-sensitive requirements
- Policy analysis
  - Equational reasoning
  - Model checking

Page 4

Outline

- Motivation
- Policy algebra
  - Untimed
  - Timed
- Policy analysis

Page 5

UCON: Traditional Access Control

- Can a subject perform an action on an object?
- Policy captured as an access matrix and enforced by a monitor
- Centralized authority

Access matrix (subjects by objects):

          Dir 1   Dir 2   Dir 3   File 1   File 2
Alice     read    read    read    read     read
Bob       -       read    read    read     read
Charlie   -       -       read    read     read

Page 6

Access Control Lists (ACLs)

- Access Control Lists (ACLs) associated with objects
- Problem: ACL management is too burdensome
- Solution: make use of the object hierarchy

Dir 1: A
Dir 2: A, B
Dir 3: A, B, C
File 1: A, B, C
File 2: A, B, C

Page 7

ACLs with Inheritance

- On hierarchically structured objects, MS Windows permits inheritance with ACLs.
- Reduces redundancy
- Inheritance is optional, so we can always start from the empty ACL if necessary

Dir 1: A
Dir 2: A, B
Dir 3: A, B, C
File 1: A, B, C
File 2: A, B, C

Page 8

ACLs with Inheritance

- Suppose that Alice should not be able to access File 1
- Failing to inherit from Dir 3 to File 1 causes loss of access to Bob and Charlie
- Bob and Charlie must be added back explicitly

Dir 1: A
Dir 2: A, B
Dir 3: A, B, C
File 1: B, C
File 2: A, B, C

Page 9

ACLs with Negative Entries

- Negative ACL entries reduce redundancy
- But conflicts must be resolved, e.g.,
  - By order
  - By prioritization of negative entries

Dir 1: +A
Dir 2: +A, +B
Dir 3: +A, +B, +C
File 1: -A, +A, +B, +C
File 2: +A, +B, +C

Page 10

Declarative Components

- Deduction can be used to describe
  - Existing access control systems – for analysis
  - New access control systems – for implementation and analysis
- Constraints used in policies for NSA's SELinux to restrict permissible domain transitions

Page 11

UCON: Trust Management

- Trust Management: decentralized authorities
  - PolicyMaker [Blaze, Feigenbaum, Lacy]
  - SPKI/SDSI [Ellison, Rivest et al]
  - RT family [Li, Mitchell]
    - RT1c – deduction and constraints

Page 12

UCON: Digital Rights Management

- Familiar examples:
  - Movie can be played just once
  - Movie can be played repeatedly within 24 hours of first play
- More generally, history-sensitive policies that control ongoing access to resources
- Non-trivial behavior in the accessing state of a session

[Session state diagram: initial state → requesting → accessing → end, with denied and revoked as the other outcomes]

Page 13

UCON: Digital Rights Management

- Sessions may affect one another
  - In the event of an attack, revoke existing web sessions and only allow administrators to login via a local console
  - Ryutov and Neuman's GAA-API provides similar capabilities
- Broad applicability
  - Officer on traffic duty receives limited access to FBI database if query to state database flags driver as a "person of interest" [Anon, NSA]
  - Doctor may perform an operation only when the patient has signed a consent form [Park & Sandhu]

Page 14

Separation of Duty

- The Separation of Duty (SoD) principle limits the harm that can be caused by one person acting alone
- Example policy: no-one can approve their own purchase requests
  - Static SoD – no-one can be both an approver and a purchaser (too restrictive)
  - History-based SoD – the desired policy (requires runtime monitoring)

Page 15

The Chinese Wall Security Policy

- Brewer and Nash's Chinese Wall security policy is a history-based SoD specified in terms of conflict of interest
- A law firm working as both prosecution and defense counsel must partition staff carefully and prevent information leaks
  - Staff are initially unassigned
  - Upon reading a prosecution file, they are forbidden from accessing defense files in the future
- Generally, resources are assigned owners, and the owners may be in conflict
- Prevents accidental or malicious leakage by users / Trojan horses, but not water fountain gossip

Page 16

Outline

- Motivation
- Policy algebra
  - Untimed
  - Timed
- Policy analysis

Page 17

Policy Algebra

- Existing declarative policy algebras for untimed policies
- Existing work on timed policies lacks notions such as multiform time and preemption identified by the reactive systems community
- Adapt existing work on an approach to reactive systems using Timed Default concurrent constraint programming

Page 18

Outline

- Motivation
- Policy algebra
  - Untimed
  - Timed
- Policy analysis

Page 19

Untimed Fragment: 3-Valued Logic

- 3-valued logic
  - true – grant access
  - false – deny access
  - a third value – neither grant nor deny access
- Operators: P and Q, P or Q, not (P), P def Q, P left Q

P def Q (rows: P; columns: Q):

  P \ Q     true     false    neither
  true      true     true     true
  false     false    false    false
  neither   true     false    neither

P left Q (rows: P; columns: Q):

  P \ Q     true     false    neither
  true      true     true     true
  false     false    false    false
  neither   true     false    neither

Page 20

Untimed Fragment: Constraint Store

- Concurrent constraint programming paradigm
  - From store-as-valuation to store-as-constraint
  - Constraint system includes entailment relation
  - "read" becomes "ask", using entailment to query the store
  - "write" becomes "tell", adding to the store
- Ask: if a then P else Q
  - Runs P if "a" is entailed by the store
  - Otherwise runs Q
- Tell: discussed later

Page 21

Untimed Fragment: Functions

- Policy language permits (recursive) functions
- Policy function CheckAccess with username parameter u

CheckAccess(u) ::
  if u ∈ Students then true else

Page 22

Access Control Lists

1. Test negative entries on current path p
2. Test positive entries on current path p
3. Test inherited rights from parent directory, if any
4. Otherwise access is denied

CheckACL(u,p) ::
  (if u ∈ NegACL(p) then false)
  def
  (if u ∈ PosACL(p) then true)
  def
  (if p ≠ / /\ p ∈ Inherits then CheckACL(u,parent(p)))
  def
  false
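As an added example (not code from the paper or from the authors' jcc-based implementation), here is CheckACL in Python, using the three-valued def operator from the earlier slide over a constructed directory tree that mirrors the ACL slides (Alice has a negative entry on File 1, everything else is inherited). BOTTOM, ask, default, parent and the ACL dictionary are my names and layout.

```python
# Added example, not code from the paper: the untimed fragment's CheckACL
# with the three-valued "def" operator. A verdict is True (grant), False
# (deny) or BOTTOM (neither); "def" falls through to its right operand only
# when the left one is undefined. The hierarchy below is constructed from the
# ACL slides: Dir 1 -> Dir 2 -> Dir 3 -> {File 1, File 2}.

BOTTOM = None  # the third truth value: neither grant nor deny


def default(p, q):
    """P def Q: P's verdict when it is true/false, otherwise Q's."""
    return q if p is BOTTOM else p


def ask(cond, then_value):
    """if cond then then_value (no else branch): undefined when cond fails."""
    return then_value if cond else BOTTOM


# path -> (positive entries, negative entries, inherits from parent?)
ACL = {
    "/":            (set(),       set(),     False),
    "/d1":          ({"alice"},   set(),     True),
    "/d1/d2":       ({"bob"},     set(),     True),
    "/d1/d2/d3":    ({"charlie"}, set(),     True),
    "/d1/d2/d3/f1": (set(),       {"alice"}, True),  # the -A entry on File 1
    "/d1/d2/d3/f2": (set(),       set(),     True),
}


def parent(p):
    """Parent directory of path p; the root is its own parent."""
    return p.rsplit("/", 1)[0] or "/"


def check_acl(u, p):
    """CheckACL(u,p): negative entries, then positive, then inherited, else deny."""
    pos, neg, inherits = ACL[p]
    v = ask(u in neg, False)                    # 1. negative entries on p
    v = default(v, ask(u in pos, True))         # 2. positive entries on p
    if v is BOTTOM and p != "/" and inherits:   # 3. inherited rights
        v = check_acl(u, parent(p))
    return default(v, False)                    # 4. otherwise access is denied
```

Because the negative entry is tested first, Alice is refused File 1 even though Dir 1 grants her everything beneath it, while Bob and Charlie keep their inherited access without being re-added.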

Page 23

Outline

- Motivation
- Policy algebra
  - Untimed
  - Timed
- Policy analysis

Page 24

Reactive Systems

- Reactive systems continuously react to their environment at a speed determined by their environment [Halbwachs]
- Well-established theory and tools, e.g., Esterel, Lustre, Signal

Page 25

Reactive Systems

- View temporal policies as reactive systems [McDougall et al]
- The environment is the security monitor
  - Queries whether requests should be granted
  - Passes relevant events to the policy, e.g., time passing or attack detected

[Diagram: the Environment sends query(…) and event(…) messages to the Policy; the Policy answers each query(…) with true or false]

Page 26

Timed Concurrent Constraint Programming

- Timed cc and Timed Default cc – extensions of concurrent constraint programming for reactive systems
- Each time instant (reacting to environmental stimulus) has its own store
- Process residual remains for next time instant

[Diagram: at each instant i the process P_i interacts with store_i by ask / tell, and its residual becomes P_(i+1) at the next instant: store0 / P0, store1 / P1, store2 / P2]

Page 27

Timed Fragment: Operators

- next(tell(a)) – tells constraint a to the store in the next time instant
- hence(P) – runs a fresh copy of P at every subsequent time instant
- time P on-present a (time P on-absent a) – runs P when a is (is not) entailed by the store
- Other temporal operators are definable: always(P), first a do P, P until a

Page 28

Example: Timed Policy Change

- Prevent access to files during a time frame delimited by start / stop events
  - System load becomes too high
  - Intrusion detection system identifies an attack
  - Deletion / modification of files forbidden during criminal investigation

CheckACLTimedPolicyChange(u,p) ::
  (if p ∈ Affected /\ Started then false) def CheckACL(u,p)

Page 29

Example: Timed Policy Change

- Upon a Start event, tell Started to future stores
- Stop event preempts execution of the inner process

always (
  if Start then
    (always (next (tell (Started)))) until Stop
)

Time         0       1         2         3
Input event  Start             Stop
Store                Started   Started
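The Start/Stop process and CheckACLTimedPolicyChange from the two slides above, as an added simulation in Python (not code from the paper). It assumes one store per time instant, reads "until Stop" as strong preemption (the inner process does not run at the instant Stop is present, which is what reproduces the table), and uses my own names run_start_stop, check_timed and demo plus a stand-in for CheckACL.

```python
# Added example, not code from the paper: a small simulation of the timed
# fragment. events[t] is the set of input events at instant t; each instant
# has its own store (a set of constraints). "until Stop" is read as strong
# preemption: the inner process does not run at the instant Stop is present.
# Assumed names: BOTTOM, default, run_start_stop, check_timed, demo.

BOTTOM = None  # the third truth value: neither grant nor deny


def default(p, q):
    """P def Q: P's verdict when it is true/false, otherwise Q's."""
    return q if p is BOTTOM else p


def run_start_stop(events):
    """always (if Start then (always (next (tell (Started)))) until Stop).
    Returns one store per instant, plus one more because tell targets the
    next instant."""
    stores = [set() for _ in range(len(events) + 1)]
    active = False  # is a copy of the inner process running?
    for t, evs in enumerate(events):
        if "Stop" in evs:   # preempt the inner process at this instant
            active = False
        if "Start" in evs:  # start a fresh copy of the inner process
            active = True
        if active:          # next(tell(Started))
            stores[t + 1].add("Started")
    return stores


def check_timed(base, affected, store, u, p):
    """CheckACLTimedPolicyChange(u,p) ::
       (if p in Affected and Started then false) def CheckACL(u,p)"""
    timed = False if (p in affected and "Started" in store) else BOTTOM
    return default(timed, base(u, p))


def demo():
    """Constructed run matching the slide's table: Start at 0, Stop at 2."""
    stores = run_start_stop([{"Start"}, set(), {"Stop"}, set()])[:4]
    # Stand-in for CheckACL: bob may read the file; nobody else is mentioned.
    base = lambda u, p: True if u == "bob" else BOTTOM
    verdicts = [check_timed(base, {"/dir3/file1"}, s, "bob", "/dir3/file1")
                for s in stores]
    return stores, verdicts
```

Bob's access is granted at instants 0 and 3 and refused at 1 and 2, exactly the instants whose store entails Started.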

Page 30

The Chinese Wall Security Policy

- Assume an owner function and a conflict relation conf in the constraint system

CheckACLWithCW(u,p) ::
  (if CheckACL(u,p) then
     (if ∃X. (conf(X,owner(p)) /\ read(u,X)) else true
      left
      always (next(tell(read(u,owner(p))))))
  ) def false
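The history-sensitive part of CheckACLWithCW as an added Python example (not code from the paper). Each call to request() is one time instant; a granted read tells read(u, owner(p)) into every later store, and a later request is refused when the store already entails a read of an owner in conflict with owner(p). The class name, the method names and the law-firm data are mine, and recording the read only on a granted request is my reading of the slide.

```python
# Added example, not code from the paper: the history-based core of
# CheckACLWithCW. Each request() call is one instant; constraints told with
# always(next(tell(...))) stay visible in all later instants. Assumed names:
# ChineseWall, conflicts, request, demo; owner/conf tables are constructed.

BOTTOM = None  # neither grant nor deny


def default(p, q):
    """P def Q: P's verdict when it is true/false, otherwise Q's."""
    return q if p is BOTTOM else p


class ChineseWall:
    def __init__(self, owner, conf, base):
        self.owner = owner  # resource -> owner (the owner function)
        self.conf = conf    # set of frozenset({o1, o2}): the conf relation
        self.base = base    # base(u, p): the underlying CheckACL verdict
        self.store = set()  # read(u, owner) constraints entailed now

    def conflicts(self, u, p):
        """Does the store entail exists X. conf(X, owner(p)) and read(u, X)?"""
        o = self.owner[p]
        return any(frozenset({x, o}) in self.conf
                   for (v, x) in self.store if v == u)

    def request(self, u, p):
        """Answer query(u, p) at this instant; update the store for the next."""
        if self.base(u, p) is not True:
            verdict = BOTTOM          # outer ask fails: fall through to def
        elif self.conflicts(u, p):
            verdict = BOTTOM          # inner ask has no then-branch
        else:
            verdict = True
            # always(next(tell(read(u, owner(p))))): seen from next instant on
            self.store.add((u, self.owner[p]))
        return default(verdict, False)  # ... def false


def demo():
    """Constructed law-firm scenario: prosecution and defense files conflict."""
    owner = {"pros/case1.txt": "prosecution", "def/case1.txt": "defense"}
    conf = {frozenset({"prosecution", "defense"})}
    cw = ChineseWall(owner, conf, lambda u, p: True)  # everyone passes CheckACL
    return [cw.request("alice", "pros/case1.txt"),  # unassigned: granted
            cw.request("alice", "def/case1.txt"),   # conflicting owner: denied
            cw.request("alice", "pros/case1.txt"),  # same side again: granted
            cw.request("bob", "def/case1.txt")]     # bob has no history: granted
```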

Page 31

Outline

- Motivation
- Policy algebra
  - Untimed
  - Timed
- Policy analysis

Page 32

Policy Analysis

- Does a policy behave as we expect? Two approaches:
  - Equational reasoning based on a bisimilarity relation
  - Model checking

Page 33

Equational Reasoning

- A policy is a process that reacts to additions to the store, and produces an output result (true, false, or neither)
- By coinduction, define bisimilarity as the greatest relation that cannot distinguish processes using
  - Same additions to the store for both processes
  - Observing the output result
- Theorem: bisimilarity is a congruence

Page 34

Model Checking

- Goal: reuse existing technology if possible
- Construct a transition system for a policy, where transitions indicate queries (with response) or events supplied by the environment
- With recursion and finiteness restrictions, the transition system is finite
  - By a translation into Timed Default cc and a theorem due to Saraswat, Jagadeesan, Gupta

Page 35

Model Checking

- Interesting properties can be expressed using linear temporal logic (LTL)
- Simple safety (from Li, Mitchell, Winsborough 2003): Does there exist a reachable state in which a (presumably untrusted) principal u has access to a resource p?
  G (¬grant(u,p))
- Analysis with state-dependent restrictions, e.g., for the Chinese Wall policy with a finite set of users and two resources p1 and p2 that are in conflict:
  ∀u. G (grant(u,p1) → G (¬grant(u,p2)))

Page 36

Summary

- There is a need for history-sensitive policies
- Constraints already appear in security theory and practice
- This paper: a temporal policy algebra
  - Combines constraint entailment and negation
  - Declarative timed features from reactive programming languages
  - Policy analysis via coinductive equational reasoning and model checking

Page 37

Future Work

- Implementation in progress (based on jcc)
- Case studies
- Practical model checking?

Page 38

Thank You!


Page 40

Properties

Comparison of Timed cc, the Policy Language, and Timed Default cc on:

- No restrictions after default
- Write into current store
- No logical inconsistencies