Timed Constraint Programming: A Declarative Approach to Usage Control
Transcript of Timed Constraint Programming: A Declarative Approach to Usage Control
Radha Jagadeesan, Will Marrero, Corin Pitcher (DePaul University)
Vijay Saraswat (IBM Research)
PPDP 2005 - Timed Constraint Programming: A Declarative Approach to Usage Control 2

Usage Control
Scope of Usage Control [Park, Sandhu 2002]
  Traditional access control
  Trust management
  Digital rights management
Temporal aspects of UCON policies
  Terminate ongoing sessions when resource consumption is too high
  Change access rights during an emergency
  Enforcement of dynamic separation of duty concerns

This Talk
Policy algebra for Usage Control, following the timed concurrent constraint programming paradigm
  Declarative
  Default constraint programming addresses negative authorization requirements
  Reactive computing addresses history-sensitive requirements
Policy analysis
  Equational reasoning
  Model checking

Outline
Motivation
Policy algebra
  Untimed
  Timed
Policy analysis

UCON: Traditional Access Control
Can a subject perform an action on an object?
Policy captured as an access matrix and enforced by a monitor
Centralized authority
          Dir 1   Dir 2   Dir 3   File 1  File 2
Alice     read    read    read    read    read
Bob               read    read    read    read
Charlie                   read    read    read

Access Control Lists (ACLs)
Access Control Lists (ACLs) associated with objects
Problem: ACL management is too burdensome
Solution: make use of the object hierarchy
Dir 1: A
Dir 2: A, B
Dir 3: A, B, C
File 1: A, B, C
File 2: A, B, C

ACLs with Inheritance
On hierarchically structured objects, MS Windows permits inheritance with ACLs.
Reduces redundancy
Inheritance is optional, so we can always start from the empty ACL if necessary
Dir 1: A
Dir 2: A, B
Dir 3: A, B, C
File 1: A, B, C
File 2: A, B, C

ACLs with Inheritance
Suppose that Alice should not be able to access File 1
Failing to inherit from Dir 3 to File 1 causes loss of access for Bob and Charlie
Bob and Charlie must be added back explicitly
Dir 1: A
Dir 2: A, B
Dir 3: A, B, C
File 1: B, C
File 2: A, B, C

ACLs with Negative Entries
Negative ACL entries reduce redundancy
But conflicts must be resolved, e.g.,
  by order
  by prioritization of negative entries
Dir 1: +A
Dir 2: +A, +B
Dir 3: +A, +B, +C
File 1: -A, +A, +B, +C
File 2: +A, +B, +C

Declarative Components
Deduction can be used to describe
  existing access control systems – for analysis
  new access control systems – for implementation and analysis
Constraints are used in policies for NSA's SELinux to restrict permissible domain transitions

UCON: Trust Management
Trust Management: decentralized authorities
  PolicyMaker [Blaze, Feigenbaum, Lacy]
  SPKI/SDSI [Ellison, Rivest et al]
  RT family [Li, Mitchell]
    RT1c – deduction and constraints

UCON: Digital Rights Management
Familiar examples:
  Movie can be played just once
  Movie can be played repeatedly within 24 hours of first play
More generally, history-sensitive policies that control ongoing access to resources
Non-trivial behavior in the accessing state of a session
Session states: initial state, requesting, accessing, end, denied, revoked

UCON: Digital Rights Management
Sessions may affect one another
  In the event of an attack, revoke existing web sessions and only allow administrators to login via a local console
  Ryutov and Neuman's GAA-API provides similar capabilities
Broad applicability
  Officer on traffic duty receives limited access to the FBI database if a query to the state database flags the driver as a "person of interest" [Anon, NSA]
  Doctor may perform an operation only when the patient has signed a consent form [Park & Sandhu]

Separation of Duty
The Separation of Duty (SoD) principle limits the harm that can be caused by one person acting alone
Example policy: no-one can approve their own purchase requests
  Static SoD – no-one can be both an approver and a purchaser (too restrictive)
  History-based SoD – the desired policy (requires runtime monitoring)

The Chinese Wall Security Policy
Brewer and Nash's Chinese Wall security policy is a history-based SoD specified in terms of conflict of interest
A law firm working as both prosecution and defense counsel must partition staff carefully and prevent information leaks
  Staff are initially unassigned
  Upon reading a prosecution file, they are forbidden from accessing defense files in the future
Generally, resources are assigned owners, and the owners may be in conflict
Prevents accidental or malicious leakage by users / Trojan horses, but not water fountain gossip

Outline
Motivation
Policy algebra
  Untimed
  Timed
Policy analysis

Policy Algebra
Existing declarative policy algebras for untimed policies
Existing work on timed policies lacks notions such as multiform time and preemption identified by the reactive systems community
Adapt existing work on an approach to reactive systems using Timed Default concurrent constraint programming

Outline
Motivation
Policy algebra
  Untimed
  Timed
Policy analysis

Untimed Fragment: 3-Valued Logic
3-valued logic
  true – grant access
  false – deny access
  neither – neither grant nor deny access
Operators: P and Q, P or Q, not (P), P def Q, P left Q
P def Q (rows: P, columns: Q)
P \ Q     true     false    neither
true      true     true     true
false     false    false    false
neither   true     false    neither
P left Q (rows: P, columns: Q)
P \ Q     true     false    neither
true      true     true     true
false     false    false    false
neither   true     false    neither

Untimed Fragment: Constraint Store
Concurrent constraint programming paradigm
  From store-as-valuation to store-as-constraint
  Constraint system includes an entailment relation
  "read" becomes "ask", using entailment to query the store
  "write" becomes "tell", adding to the store
Ask: if a then P else Q
  Runs P if "a" is entailed by the store
  Otherwise runs Q
Tell: discussed later

Untimed Fragment: Functions
Policy language permits (recursive) functions
Policy function CheckAccess with username parameter u
CheckAccess(u) ::
  if u ∈ Students then true else

Access Control Lists
1. Test negative entries on current path p
2. Test positive entries on current path p
3. Test inherited rights from parent directory, if any
4. Otherwise access is denied
CheckACL(u,p) ::
  (if u ∈ NegACL(p) then false)
  def
  (if u ∈ PosACL(p) then true)
  def
  (if p ≠ / ∧ p ∈ Inherits then CheckACL(u, parent(p)))
  def
  false

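The four steps above, as an added example in Python (not the slides' or the paper's code): verdicts are True (grant), False (deny) and None (neither), def is the default operator from the 3-valued logic truth table, and the hierarchy, inheritance set and explicit ACL entries are constructed so that the effective rights match the ACL slides. The nesting Dir 1 > Dir 2 > Dir 3 > {File 1, File 2} is an assumption; the slides only state that File 1 inherits from Dir 3.

```python
"""Added example: the CheckACL policy function over a three-valued verdict.
True = grant, False = deny, None = neither grant nor deny."""

from typing import Optional

Verdict = Optional[bool]


def default(p: Verdict, q: Verdict) -> Verdict:
    """P def Q: P's verdict, unless P gives no verdict (None), in which case Q's."""
    return q if p is None else p


# Constructed object hierarchy (assumed nesting): "/" is the root directory,
# Dir 1 contains Dir 2, which contains Dir 3, which contains both files.
PARENT = {"Dir 1": "/", "Dir 2": "Dir 1", "Dir 3": "Dir 2",
          "File 1": "Dir 3", "File 2": "Dir 3"}
INHERITS = {"Dir 2", "Dir 3", "File 1", "File 2"}   # objects that inherit from their parent

# Explicit entries only; everything else is obtained through inheritance.
POS_ACL = {"Dir 1": {"A"}, "Dir 2": {"B"}, "Dir 3": {"C"}}
NEG_ACL = {"File 1": {"A"}}   # negative entry: Alice must not reach File 1


def check_acl(u: str, p: str) -> Verdict:
    """CheckACL(u, p): negative entries, then positive entries, then the parent's
    verdict if p inherits, otherwise deny.  Each stage yields None when it has
    nothing to say, so 'def' falls through to the next one."""
    neg = False if u in NEG_ACL.get(p, set()) else None
    pos = True if u in POS_ACL.get(p, set()) else None
    inherited = None
    if p != "/" and p in INHERITS:
        inherited = check_acl(u, PARENT[p])
    return default(neg, default(pos, default(inherited, False)))


def effective_rights(p: str, users=("A", "B", "C")) -> list:
    """Users granted access to p; compare with the ACL tables on the slides."""
    return [u for u in users if check_acl(u, p) is True]


if __name__ == "__main__":
    for obj in ("Dir 1", "Dir 2", "Dir 3", "File 1", "File 2"):
        print(f"{obj}: {', '.join(effective_rights(obj))}")
```

Because the negative test comes first in the chain of def operators, the single -A entry on File 1 overrides the positive right Alice would otherwise inherit, without touching Bob's and Charlie's inherited rights; the evaluation order of the chain is the conflict-resolution rule.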
Outline
Motivation
Policy algebra
  Untimed
  Timed
Policy analysis

Reactive Systems
Reactive systems continuously react to their environment at a speed determined by their environment [Halbwachs]
Well-established theory and tools, e.g., Esterel, Lustre, Signal

Reactive Systems
View temporal policies as reactive systems [McDougall et al]
The environment is the security monitor
  Queries whether requests should be granted
  Passes relevant events to the policy, e.g., time passing or attack detected
Environment                Policy
  query(…)        -->
              <--  false
  query(…)        -->
              <--  true
  event(…)        -->

Timed Concurrent Constraint Programming
Timed cc and Timed Default cc – extensions of concurrent constraint programming for reactive systems
Each time instant (reacting to environmental stimulus) has its own store
Process residual remains for the next time instant
store0  <-- ask / tell -->  P0
store1  <-- ask / tell -->  P1
store2  <-- ask / tell -->  P2

Timed Fragment: Operators
next(tell(a)) – tells constraint a to the store in the next time instant
hence(P) – runs a fresh copy of P at every subsequent time instant
time P on-present a (time P on-absent a) – runs P when a is (is not) entailed by the store
Other temporal operators are definable
  always(P)
  first a do P
  P until a

Example: Timed Policy Change
Prevent access to files during a time frame delimited by start / stop events
  System load becomes too high
  Intrusion detection system identifies an attack
  Deletion / modification of files forbidden during a criminal investigation
CheckACLTimedPolicyChange(u,p) ::
  (if p ∈ Affected ∧ Started then false) def CheckACL(u,p)

Example: Timed Policy Change
Upon a Start event, tell Started to future stores
Stop event preempts execution of the inner process
always (
  if Start then
    (always (next (tell (Started)))) until Stop
)
Time          0        1          2          3
Input event   Start               Stop
Store                  Started    Started

The Chinese Wall Security Policy
Assume an owner function and a conflict relation conf in the constraint system
CheckACLWithCW(u,p) ::
  (if CheckACL(u,p) then
     if ∃X. (conf(X,owner(p)) ∧ read(u,X)) else true
     left
     always (next (tell (read(u,owner(p))))))
  def false

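The two timed policies above, CheckACLTimedPolicyChange with its Start/Stop trace and CheckACLWithCW, as an added Python simulation (not the paper's implementation and not jcc): each instant gets a fresh store, next(tell(a)) is modelled as a pending set that reaches only the following store, always(next(tell(a))) as a set merged into every later store, and "until Stop" as strong preemption, so no tell happens at the instant Stop is present. CheckACL is a positive-entries-only stand-in, the Affected set, owner function and conf relation are constructed, and the tell in CheckACLWithCW is read as sitting inside the else branch, so only a granted read is recorded.

```python
"""Added example: direct simulation of the timed policies on slides 28-30.
Verdicts: True = grant, False = deny, None = neither."""


def default(p, q):
    """P def Q: P's verdict unless P gives none (None), in which case Q's."""
    return q if p is None else p


# Stand-in for the untimed CheckACL (positive entries only, no inheritance).
# Constructed data: B and C may read both files, A only File 2.
POS_ACL = {"File 1": {"B", "C"}, "File 2": {"A", "B", "C"}}


def check_acl(u, p):
    return True if u in POS_ACL.get(p, set()) else False


AFFECTED = {"File 1"}                                        # assumed: paths frozen while Started holds
OWNER = {"File 1": "prosecution", "File 2": "defense"}       # assumed owner function
CONF = {("prosecution", "defense"), ("defense", "prosecution")}   # assumed conflict relation


class Timeline:
    """One store per time instant, driven by the environment's events."""

    def __init__(self):
        self.t = -1
        self.store = set()           # store of the current instant
        self.pending = set()         # told with next(tell(a)): present at t+1 only
        self.persistent = set()      # told with always(next(tell(a))): present from t+1 on
        self.started_active = False  # the '(always(next(tell(Started)))) until Stop' process

    def step(self, events=()):
        """Enter the next instant with the environment's events and run the reactive
        part of the policy: always(if Start then (always(next(tell(Started)))) until Stop)."""
        self.t += 1
        self.store = set(events) | self.pending | self.persistent
        self.pending = set()
        if "Start" in self.store:
            self.started_active = True
        if self.started_active:
            if "Stop" in self.store:
                self.started_active = False   # preempted: no tell at this instant
            else:
                self.pending.add("Started")   # next(tell(Started))
        return self.store


def check_acl_timed_policy_change(tl, u, p):
    """(if p ∈ Affected ∧ Started then false) def CheckACL(u,p)"""
    frozen = False if (p in AFFECTED and "Started" in tl.store) else None
    return default(frozen, check_acl(u, p))


def check_acl_with_cw(tl, u, p):
    """CheckACLWithCW(u,p): deny when u has read a file whose owner conflicts
    with owner(p); a granted read is told to all future stores."""
    inner = None
    if check_acl(u, p) is True:
        owner = OWNER[p]
        # ∃X. conf(X, owner(p)) ∧ read(u, X) ?
        conflict = any(("read", u, x) in tl.store for (x, o) in CONF if o == owner)
        if not conflict:
            inner = True
            tl.persistent.add(("read", u, owner))   # always(next(tell(read(u,owner(p)))))
    return default(inner, False)


def run_policy_change():
    """The trace on slide 29: Start at instant 0, Stop at instant 2, while B asks
    for File 1 at every instant.  Returns (Started in store, verdict) per instant."""
    tl, trace = Timeline(), []
    for events in ({"Start"}, set(), {"Stop"}, set()):
        tl.step(events)
        trace.append(("Started" in tl.store, check_acl_timed_policy_change(tl, "B", "File 1")))
    return trace


def run_chinese_wall():
    """C reads a prosecution file at instant 0, then asks for a defense file."""
    tl = Timeline()
    tl.step()
    first = check_acl_with_cw(tl, "C", "File 1")   # granted; read(C, prosecution) from instant 1 on
    tl.step()
    return (first,
            check_acl_with_cw(tl, "C", "File 2"),   # denied: conflict with the prosecution read
            check_acl_with_cw(tl, "C", "File 1"),   # still granted
            check_acl_with_cw(tl, "B", "File 2"))   # B has no history: granted


def same_instant_caveat():
    """Two queries answered within one instant: the second does not see the
    first's tell, because next(tell) reaches only the following store."""
    tl = Timeline()
    tl.step()
    return (check_acl_with_cw(tl, "C", "File 1"), check_acl_with_cw(tl, "C", "File 2"))
```

same_instant_caveat is the point a monitor implementer has to plan for: the history only binds once the environment advances time between queries, so a monitor that answers several requests from one user without stepping the policy lets both sides of the wall through in that instant.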
Outline
Motivation
Policy algebra
  Untimed
  Timed
Policy analysis

Policy Analysis
Does a policy behave as we expect? Two approaches
  Equational reasoning based on a bisimilarity relation
  Model checking

Equational Reasoning
A policy is a process that reacts to additions to the store, and produces an output result (true, false, or neither)
By coinduction, define bisimilarity as the greatest relation that cannot distinguish processes using
  the same additions to the store for both processes
  observation of the output result
Theorem: bisimilarity is a congruence

Model Checking
Goal: reuse existing technology if possible
Construct a transition system for a policy, where transitions indicate queries (with response) or events supplied by the environment
With recursion and finiteness restrictions, the transition system is finite
  By a translation into Timed Default cc and a theorem due to Saraswat, Jagadeesan, Gupta

Model Checking
Interesting properties can be expressed using linear temporal logic (LTL)
Simple safety (from Li, Mitchell, Winsborough 2003): Does there exist a reachable state in which a (presumably untrusted) principal u has access to a resource p?
  G (¬grant(u,p))
Analysis with state-dependent restrictions, e.g., for the Chinese Wall policy with a finite set of users and two resources p1 and p2 that are in conflict
  ∀u. G (grant(u,p1) → G (¬grant(u,p2)))

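The Chinese Wall property above, checked by explicit-state exploration of the transition system the previous slide describes, as an added Python example (not the paper's model checker or its Timed Default cc translation): queries are the transitions, the set of recorded read facts is the state, USERS and the owners of p1 and p2 are assumed, and grant(u,p) is read as "the query for (u,p) was made and answered true". The record_reads switch reproduces a broken policy that never tells read(u,owner(p)), for which the search returns a counterexample.

```python
"""Added example: explicit-state check of ∀u. G (grant(u,p1) → G ¬grant(u,p2))
for a finite Chinese Wall instance."""

from collections import deque

USERS = ("A", "B")                       # assumed finite set of users
OWNER = {"p1": "x", "p2": "y"}           # assumed owners of the two conflicting resources
CONF = {("x", "y"), ("y", "x")}          # assumed conflict relation


def grant(state, u, p):
    """Response to query(u, p) in a state: grant unless u has read a file whose
    owner conflicts with owner(p).  State = frozenset of (user, owner) reads."""
    owner = OWNER[p]
    return not any((u, x) in state for (x, o) in CONF if o == owner)


def step(state, u, p, record_reads=True):
    """Transition taken by query(u, p): (response, successor state).  A granted
    read is recorded, modelling next(tell(read(u, owner(p))))."""
    ok = grant(state, u, p)
    if ok and record_reads:
        return ok, state | {(u, OWNER[p])}
    return ok, state


def reachable(start, record_reads=True):
    """All states reachable from start by any sequence of queries (breadth-first)."""
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        for u in USERS:
            for p in OWNER:
                _, s2 = step(s, u, p, record_reads)
                if s2 not in seen:
                    seen.add(s2)
                    queue.append(s2)
    return seen


def violates_chinese_wall(record_reads=True):
    """Search for a path on which grant(u,p1) is followed, now or later, by
    grant(u,p2).  Returns (state, user) where the later grant happens, or None."""
    init = frozenset()
    for s in reachable(init, record_reads):
        for u in USERS:
            ok, s1 = step(s, u, "p1", record_reads)
            if not ok:
                continue
            # every state reachable after the p1 grant must refuse (u, p2)
            for s2 in reachable(s1, record_reads):
                if grant(s2, u, "p2"):
                    return (s2, u)
    return None


if __name__ == "__main__":
    print("reachable states:", len(reachable(frozenset())))
    print("policy with tell:", violates_chinese_wall())
    print("policy without tell:", violates_chinese_wall(record_reads=False))
```

The state space stays small because a granted read only ever adds a fact and each user can end up on one side of the wall at most, which is exactly the finiteness the previous slide relies on; the check is a reachability invariant rather than a general LTL model check, which is enough for this safety-shaped formula.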
Summary
There is a need for history-sensitive policies
Constraints already appear in security theory and practice
This paper: a temporal policy algebra
  Combines constraint entailment and negation
  Declarative timed features from reactive programming languages
  Policy analysis via coinductive equational reasoning and model checking

Future Work
Implementation in progress (based on jcc)
Case studies
Practical model checking?

Thank You!

Properties
                                 Timed cc   Policy Language   Timed Default cc
No restrictions after default
Write into current store
No logical inconsistencies