Department of Computer Science
Policy Management
Elisa Bertino, Ninghui Li (Purdue U.)
Anupam Joshi (UMBC)
Ravi Sandhu (UTSA)
Research Goals
• Identify the types of policy relevant to AISL
• Develop corresponding languages and formal models
• Implement policy languages
• Develop relevant policy tools to support the policy lifecycle
• Develop policy scenarios
Types of Policy
– Access control policies
  • Controlling who is accessing which data
– Accountability policies
  • Controlling how data is used and modified
– Trust policies
  • Specifying criteria to determine which party to trust for what data/resource
Policy Lifecycle Diagram
(Diagram: the three phases form a cycle, Specification → Analysis → Deployment & Enforcement → Specification.)
Specification
•Develop new policy languages
•Extend current policy languages
•Develop formal models
•Policy refinement
•Policy integration
•Policy versioning
Analysis
•Identify analysis types
•Develop tools
Deployment & Enforcement
•Collaborative enforcement (possibly privacy-preserving)
•Safe approximation
•Enforcement in information group-based sharing
•Enforcement in information dissemination-centric sharing
Policy Refinement
Each refinement step must meet the following criteria [Karat08]:
• Correct: the set of refined policies correctly implements the higher-level policy.
• Consistent: the refinement must not lead to conflicts between the derived policies or the other policies existing in the system.
• Valid: the policies must be enforceable in the system context to which they will be applied.
• Minimal: every policy in the derived policy set must be required for the correctness of the refinement.
[Karat08] J. Karat, C.-M. Karat, E. Bertino, N. Li, Q. Ni, C. Brodie, J. Lobo, S. B. Calo, L. F. Cranor, P. Kumaraguru, R. Reeder, “Policy Framework for Security and Privacy Management”, to appear in IBM Systems Journal, 2008.
Current Results
EXAM
Environment for XACML policy Analysis & Management
EXAM is a comprehensive environment for analyzing and managing access control policies. It supports acquisition, editing and retrieval of policies in addition to policy property analysis, policy similarity analysis and policy integration.
Motivation
Proliferation of policies!
Need for tools for managing and analyzing policies!
XACML
• eXtensible Access Control Markup Language
  – XML based
  – OASIS standard language for the specification of access control policies.
  – Expresses many policies of interest to real-world applications
EXAM Overview: Architecture
(Architecture diagram.) Users interact with EXAM through a User Interface; a Query Dispatcher routes each query to the component that answers it:
– Policy Annotation and the Policy Repository (acquisition, storage and retrieval of policies)
– Policy Similarity Filter (quick, approximate comparison)
– Policy Similarity Analyzer (precise comparison)
– Policy Integration Framework (generation of integrated policies)
EXAM Overview: Queries
Two example policies (XACML, abbreviated):

<Policy ID="Pol1">
  <Rule ID="R11" Effect="Permit">
    <Target>
      <Subject> domain ∈ {".edu"} </Subject>
      <Resource> FileA </Resource>
      <Action> Read </Action>
    </Target>
    <Condition> 8:00 <= Time <= 22:00 </Condition>
  </Rule>
</Policy>

<Policy ID="Pol2">
  <Rule ID="R11" Effect="Permit">
    <Target>
      <Subject> domain ∈ {".edu"} OR affiliation = "IBM" </Subject>
      <Resource> FileA </Resource>
      <Action> Read </Action>
    </Target>
    <Condition> 6:00 <= Time <= 20:00 </Condition>
  </Rule>
</Policy>

Policy analysis queries are classified as follows:
– Single-Policy Query
  • Metadata Query
  • Content Query
    – Effect Query
    – Property Verification Query, e.g. "Does Policy Pol2 deny read access on FileA between 10pm and 12am?"
– Multiple-Policy Query
  • Common Property Query, e.g. "Find all requests permitted by both policies Pol1 and Pol2."
  • Discrimination Query, e.g. "Find all requests which are permitted by Pol1 but denied by Pol2."
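The three example queries above, worked on the two slide policies (added example, not EXAM's code: EXAM answers them symbolically on an MTBDD representation, whereas this block enumerates a small constructed attribute space, so every request can be checked directly). The attribute domains, the integer-hour reading of the time conditions, and first-applicable rule combination are assumptions. The property query also makes visible a point the slide leaves implicit: whether Pol2 "denies" reads at 22:00 depends on reading it as an open policy (NotApplicable) or a closed one (default Deny).

```python
"""Answer EXAM-style policy analysis queries by explicit enumeration.

Added example, not EXAM code. Pol1 and Pol2 are the two slide policies;
the attribute domains below are constructed so the request space is finite.
Hours are integers 0..23, so "8:00 <= Time <= 22:00" reads as 8 <= hour <= 22.
"""
from itertools import product

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

# Constructed finite attribute domains (assumption: a request carries exactly
# these attributes and only these values).
DOMAINS = {
    "domain": (".edu", ".com"),
    "affiliation": ("IBM", "other"),
    "resource": ("FileA", "FileB"),
    "action": ("Read", "Write"),
    "hour": tuple(range(24)),
}

def all_requests():
    keys = list(DOMAINS)
    for values in product(*(DOMAINS[k] for k in keys)):
        yield dict(zip(keys, values))

# A rule is (effect, target predicate, condition predicate); a policy is a list
# of rules combined first-applicable. A request matched by no rule is NA.
POL1 = [(PERMIT,
         lambda r: r["domain"] == ".edu" and r["resource"] == "FileA" and r["action"] == "Read",
         lambda r: 8 <= r["hour"] <= 22)]

POL2 = [(PERMIT,
         lambda r: (r["domain"] == ".edu" or r["affiliation"] == "IBM")
                   and r["resource"] == "FileA" and r["action"] == "Read",
         lambda r: 6 <= r["hour"] <= 20)]

def evaluate(policy, req, closed=False):
    """First-applicable evaluation; closed=True turns NA into Deny (closed policy)."""
    for effect, target, condition in policy:
        if target(req) and condition(req):
            return effect
    return DENY if closed else NA

def key(req):
    """Hashable form of a request: (domain, affiliation, resource, action, hour)."""
    return tuple(req[k] for k in DOMAINS)

def property_verification(policy, hours, closed=False):
    """Property query: the set of decisions the policy gives to 'Read FileA' in `hours`."""
    decisions = set()
    for req in all_requests():
        if req["resource"] == "FileA" and req["action"] == "Read" and req["hour"] in hours:
            decisions.add(evaluate(policy, req, closed))
    return decisions

def common_property(p1, p2):
    """Common property query: requests permitted by both policies."""
    return {key(r) for r in all_requests()
            if evaluate(p1, r) == PERMIT and evaluate(p2, r) == PERMIT}

def discrimination(p1, p2):
    """Discrimination query: requests permitted by p1 but not permitted by p2."""
    return {key(r) for r in all_requests()
            if evaluate(p1, r) == PERMIT and evaluate(p2, r) != PERMIT}

if __name__ == "__main__":
    late = range(22, 24)  # 10pm to midnight
    print("Pol2 on FileA/Read 22:00-24:00, open policy:  ", property_verification(POL2, late))
    print("Pol2 on FileA/Read 22:00-24:00, closed policy:", property_verification(POL2, late, closed=True))
    print("permitted by both Pol1 and Pol2:", len(common_property(POL1, POL2)))
    print("permitted by Pol1, not by Pol2:", sorted(discrimination(POL1, POL2)))
```

The discrimination result is exactly the .edu reads of FileA at hours 21 and 22, which Pol1 permits and Pol2 leaves undecided; the enumeration scales as the product of the domain sizes, which is why EXAM uses MTBDDs instead.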
Policy Similarity Analysis
• Goal
  – Characterize the relationships among the sets of requests respectively authorized by a set of policies.
• Two techniques
  – Policy Similarity Filter: less precise, faster.
  – Policy Similarity Analyzer: precise, slower.
Policy Similarity Filter
• Quick and less precise.
• Inspired by Information Retrieval (IR) techniques.
• Policy similarity measure
  – Assigns a similarity score between two policies.
• Typical applications
  – A quick filter phase to prune the set of policies to be analyzed by the precise policy similarity technique.
  – A distance function for clustering policies.
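A filter of the kind described above, as an added example that is not EXAM's own similarity measure (EXAM's is weighted and type-aware). It scores two policies purely by the overlap of the attribute-value sets in their rules, an IR-style set similarity, and shows the two uses the slide lists: pruning candidates before precise analysis and serving as a clustering distance. POL1 and POL2 transcribe the slide's policies; POL3 and the 0.5 threshold are constructed for the example.

```python
"""Quick policy similarity filter, inspired by IR set-overlap measures.

Added example, not EXAM's filter. A policy is a list of rules; a rule is a
dict with an effect and a set of atomic predicates for each of the four
target/condition components. POL1/POL2 follow the slide; POL3 is constructed.
"""

COMPONENTS = ("subject", "resource", "action", "condition")

def rule(effect, subject=(), resource=(), action=(), condition=()):
    return {"effect": effect, "subject": set(subject), "resource": set(resource),
            "action": set(action), "condition": set(condition)}

POL1 = [rule("Permit", {"domain=.edu"}, {"FileA"}, {"Read"},
             {"Time>=8:00", "Time<=22:00"})]
POL2 = [rule("Permit", {"domain=.edu", "affiliation=IBM"}, {"FileA"}, {"Read"},
             {"Time>=6:00", "Time<=20:00"})]
POL3 = [rule("Permit", {"affiliation=IBM"}, {"FileA"}, {"Read", "Write"})]  # constructed

def jaccard(a, b):
    """Set overlap |a & b| / |a | b|; two empty components (no condition) count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def rule_similarity(r1, r2):
    """Rules with different effects never match; otherwise the mean component overlap."""
    if r1["effect"] != r2["effect"]:
        return 0.0
    return sum(jaccard(r1[c], r2[c]) for c in COMPONENTS) / len(COMPONENTS)

def one_sided(p, q):
    """Average, over the rules of p, of the best-matching rule of q."""
    return sum(max(rule_similarity(r, s) for s in q) for r in p) / len(p)

def policy_similarity(p, q):
    """Symmetric score in [0, 1]; 1 means syntactically identical rule sets."""
    return (one_sided(p, q) + one_sided(q, p)) / 2

def policy_distance(p, q):
    """Distance usable by a clustering algorithm (second slide application)."""
    return 1.0 - policy_similarity(p, q)

def prefilter(target, candidates, threshold):
    """Filter phase: keep only the candidates worth sending to the precise analyzer."""
    return [name for name, pol in candidates.items()
            if policy_similarity(target, pol) >= threshold]

if __name__ == "__main__":
    print("Pol1 vs Pol2:", policy_similarity(POL1, POL2))   # 0.625
    print("Pol1 vs Pol3:", policy_similarity(POL1, POL3))   # 0.375
    print("candidates for precise analysis:",
          prefilter(POL1, {"Pol2": POL2, "Pol3": POL3}, threshold=0.5))
```

Note what the score cannot see: Pol1 and Pol2 share no condition predicate syntactically (score 0 on that component) although their time windows overlap for 13 hours. That is exactly the imprecision the slide accepts in exchange for speed, and why the filter only prunes while the analyzer decides.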
Example
(Figure: policy texts shown as images; similarity scores computed by the filter.)
– Data Owner Policy 1 vs. Data Owner Policy 2: 0.71
– Data Owner Policy 1 vs. Resource Owner Policy 3: 0.4
EXAM Overview: Architecture
User
User
…
User
User Interface
Query Dispatcher
Policy
Annotation
Policy
Repository
Policy
Similarity
Filter
Policy Similarity
Analyzer
Policy
Integration
Framework
Department of Computer Science
Policy Similarity Analyzer (PSA)
• Uses a Multi-Terminal Binary Decision Diagram (MTBDD) based representation of a policy.
• Combines model checking and satisfiability checking to perform similarity analysis on policies with different types of constraints on attributes:
  – One-variable equality constraints
    • Affiliation = “IBM”, Role != “Student”
  – One-variable inequality constraints
    • Age < 50, 8 <= Time <= 22
  – Linear constraints
    • Bonus + 2 * Salary <= 250000
  – Compound Boolean constraints
    • (Nationality = “US” ∧ Clearance = “High”)
MTBDD - Multi-Terminal Binary Decision Diagram
• Rooted, directed acyclic graph.
  – Represents functions of the form f : B^n -> R
• In a policy MTBDD internal nodes represent the predicates on attributes and the terminals denote the policy decisions Permit, Deny or NotApplicable.

Example policy:

<Policy ID="Pol1">
  <Rule Effect="Permit">
    <Target> <Resource> (fileName = fileA) </Resource> </Target>
    <Condition> (time < 17:00 ∧ age > 18) </Condition>
  </Rule>
</Policy>

Pol1 as a decision function: Permit : (fileName = fileA) ∧ (time < 17:00 ∧ age > 18)

(Figure: the MTBDD of Pol1 has one internal node per predicate, f (fileName = fileA), t (time < 17:00) and a (age > 18); the path on which all three hold ends in the terminal Y (Permit), every other path ends in the terminal NA.)
Policy Comparison
Query: What requests are permitted by both policies?
(Figure: P1 and P2 are each represented by an MTBDD with terminals Y, N and NA; an auxiliary rule MTBDD rules out combinations of predicate values that cannot occur together. The three are combined into a CMTBDD (combined MTBDD) whose terminals are pairs of decisions, e.g. Y-Y, Y-N, N-N, N-CP, CP, ... The query is answered by collecting the paths that reach the Y-Y terminal.)
Policy Integration
• A Fine-grained Integration Algebra (FIA)
  – 3-valued (Permit, Deny, NotApplicable)
  – Specifies behavior at the granularity of requests and effects
  – Restricts the domain of applicability
  – Supports expressive policy languages like XACML
• Framework for specifying integration constraints and generating integrated policies.
  – MTBDD-based implementation of FIA
  – Generation of the integrated policy in XACML syntax.
Fine-grained Integration Algebra (FIA)
FIA is defined over a vocabulary of attribute names and domains, and consists of:
• Policy constants
  – Permit policy
  – Deny policy
• Binary operators
  – Addition
  – Intersection
• Unary operators
  – Negation
  – Domain Projection
FIA - Theoretical Results
• Expressivity
  – FIA can express all XACML policy combining algorithms
  – FIA can express policy “jumps”
  – FIA can model closed policies and open policies
• Completeness
  – A completeness notion has been developed, based on the concept of policy combination matrix, and FIA is complete with respect to that notion
• Minimality
  – Identification of the minimal complete subsets of the FIA operators
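The FIA operators of the previous slide and the expressivity claims of this one, carried through in code (added example; not EXAM's MTBDD-based implementation, which the deck describes but does not show). A policy is modelled as a function from a request to Y, N or NA and each operator is defined pointwise on requests. The operator truth tables (addition: a Permit by either operand wins, then a Deny, otherwise NA; intersection: agreement or NA; negation: swap Y and N; projection: restrict to a domain constraint) are my reading of FIA and should be checked against the paper; the four XACML combiners, the closed-policy construction and the two sample policies are built from those operators as an illustration.

```python
"""Fine-grained Integration Algebra (FIA) operators over 3-valued policies.

Added example, not EXAM's implementation. A policy is a function
request -> Y | N | NA; operators return new policies. Operator semantics
are an assumption (my reading of FIA), stated in the comments.
"""
Y, N, NA = "Y", "N", "NA"

# Policy constants
def P_Y(req):          # permit policy: permits every request
    return Y

def P_N(req):          # deny policy: denies every request
    return N

# Binary operators
def add(p1, p2):
    """Addition: Y if either operand permits, else N if either denies, else NA."""
    def combined(req):
        a, b = p1(req), p2(req)
        if Y in (a, b):
            return Y
        if N in (a, b):
            return N
        return NA
    return combined

def intersect(p1, p2):
    """Intersection: the common decision where the operands agree, NA elsewhere."""
    def combined(req):
        a, b = p1(req), p2(req)
        return a if a == b else NA
    return combined

# Unary operators
def neg(p):
    """Negation: swap Permit and Deny, leave NotApplicable alone."""
    def negated(req):
        return {Y: N, N: Y, NA: NA}[p(req)]
    return negated

def project(p, domain_constraint):
    """Domain projection: p on requests satisfying the constraint, NA elsewhere."""
    def projected(req):
        return p(req) if domain_constraint(req) else NA
    return projected

def applicable(p):
    """Domain constraint 'p decides req', used below to restrict applicability."""
    return lambda req: p(req) != NA

# XACML policy-combining algorithms expressed with the operators above
def permit_overrides(p1, p2):
    return add(p1, p2)

def deny_overrides(p1, p2):
    return neg(add(neg(p1), neg(p2)))

def first_applicable(p1, p2):
    return add(p1, project(p2, lambda r: not applicable(p1)(r)))

def only_one_applicable(p1, p2):
    both = lambda r: applicable(p1)(r) and applicable(p2)(r)
    return project(add(p1, p2), lambda r: not both(r))

def closed(p):
    """Closed policy: every request p leaves undecided is denied."""
    return add(p, project(P_N, lambda r: not applicable(p)(r)))

# Two constructed sample policies over attributes 'role' and 'action'
def reads_permitted(req):
    return Y if req.get("action") == "read" else NA

def students_denied(req):
    return N if req.get("role") == "student" else NA

def managers_read(req):
    return Y if req.get("role") == "manager" and req.get("action") == "read" else NA

if __name__ == "__main__":
    r = {"role": "student", "action": "read"}   # the two sample policies conflict here
    for name, combiner in [("permit-overrides", permit_overrides),
                           ("deny-overrides", deny_overrides),
                           ("first-applicable", first_applicable),
                           ("only-one-applicable", only_one_applicable)]:
        print(f"{name:20s} -> {combiner(reads_permitted, students_denied)(r)}")
    print("closed(reads_permitted) on a write ->", closed(reads_permitted)({"role": "manager", "action": "write"}))
```

The student-read request is where the sample policies conflict, so it separates the four combiners: Y, N, N or Y depending on order, and NA for only-one-applicable. Building the combiners from addition, negation and projection is what lets an integrated policy be checked and then emitted as ordinary XACML rather than as a custom combining algorithm.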
XACML Policy Generation
(Figure: the integrated policy's MTBDD has root node A (pos = manager); its 1-branch leads to node B (act = read), whose 1-branch reaches the terminal Y (Permit); every 0-branch reaches the terminal NA.) Each path to a Permit or Deny terminal becomes one rule, so the path A = 1, B = 1 yields:

<Policy PolicyID="Example">
  <Rule RuleID="R1" Effect="Permit">
    <Target>
      <Subject pos="manager"/>
      <Action act="read"/>
    </Target>
  </Rule>
</Policy>
Next Steps
• Develop visualization techniques for policy analysis results
• Extend EXAM with a tool for synonym dictionary management and ontologies
Novel Reference XACML Architecture for Multi-party Collaborative Enforcement
(Architecture diagram; components and data flows as recoverable from the figure.)
Global components:
– Policy Authoring produces the global policy, which is kept in the Global Policy Repository.
– Policy Decomposition takes the global policy and a decomposition constraint, derives the policies handed to the individual parties, and produces a global policy constraint.
– The Request Dispatcher / Policy Decision Coordinator receives the abstract request from the PEP, forwards requests to the parties' Context Handlers, combines the returned decisions and sends the decision and obligations back to the PEP.
– The PEP enforces the decision; an Obligation Service discharges the obligations.
Per-party components (one set per collaborating party, repeated in the figure):
– A Context Handler collects Subject, Resource and Environment attributes and mediates between the coordinator and the local PDP.
– A PDP evaluates the request against the policy held in its Local Policy Repository and returns its decision.
Extending XACML for Multi-party Collaborative Enforcement
• Combining policies is necessary in AISL
• XACML has several fixed Policy Combining Algorithms (PCAs) for combining policies
  – deny-overrides, permit-overrides, first-applicable, only-one-applicable
• We propose the Policy Combining Language (PCL)
  – allows expression of useful new PCAs
    • e.g., weak consensus, strong consensus, weak majority, and strong majority
  – elegantly handles policy evaluation errors
  – is fully backward compatible with XACML
  – enables optimized evaluation using automata theory
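The four new combining algorithms named above, together with one way of handling policy evaluation errors, as an added example (not the authors' PCL implementation, which the deck does not show). The readings of the names are mine and should be checked against the PCL paper: weak variants consider only the applicable sub-policies, strong variants all of them. The error handling shown here treats an Indeterminate sub-decision as "could be Permit, Deny or NotApplicable" and accepts a combined result only when every resolution yields the same answer; that is one reasonable design, not necessarily the authors'.

```python
"""PCL-style policy combining algorithms with Indeterminate handling.

Added example, not the authors' PCL code. Input: the list of decisions the
sub-policies return for one request. Semantics of the four combiners and of
the error handling are assumptions, stated in the docstrings.
"""
from itertools import product

P, D, NA, I = "Permit", "Deny", "NotApplicable", "Indeterminate"

def weak_consensus(decisions):
    """Applicable sub-policies must agree; none applicable -> NA; conflict -> I."""
    applicable = [d for d in decisions if d != NA]
    if not applicable:
        return NA
    return applicable[0] if len(set(applicable)) == 1 else I

def strong_consensus(decisions):
    """All sub-policies must agree (an NA vote counts as disagreement)."""
    return decisions[0] if len(set(decisions)) == 1 else I

def weak_majority(decisions):
    """Majority among the applicable sub-policies; a tie is a conflict (I)."""
    permits, denies = decisions.count(P), decisions.count(D)
    if permits == 0 and denies == 0:
        return NA
    if permits > denies:
        return P
    if denies > permits:
        return D
    return I

def strong_majority(decisions):
    """Strict majority of all sub-policies (NA votes count against both outcomes)."""
    n = len(decisions)
    if decisions.count(P) * 2 > n:
        return P
    if decisions.count(D) * 2 > n:
        return D
    return NA

def with_error_handling(combiner):
    """Wrap a combiner so that Indeterminate inputs are handled soundly.

    Each Indeterminate input is resolved to every decision it might have been;
    the combined result stands only if it is the same for all resolutions,
    otherwise the combination itself is Indeterminate.
    """
    def combined(decisions):
        slots = [i for i, d in enumerate(decisions) if d == I]
        results = set()
        for choice in product((P, D, NA), repeat=len(slots)):
            resolved = list(decisions)
            for i, c in zip(slots, choice):
                resolved[i] = c
            results.add(combiner(resolved))
        return results.pop() if len(results) == 1 else I
    return combined

if __name__ == "__main__":
    votes = [P, P, D, NA]                      # constructed sub-decisions for one request
    for name, c in [("weak-consensus", weak_consensus), ("strong-consensus", strong_consensus),
                    ("weak-majority", weak_majority), ("strong-majority", strong_majority)]:
        print(f"{name:17s} {votes} -> {c(votes)}")
    # One PDP failed: a majority can absorb the error, a consensus cannot.
    print("weak-majority   [P, P, I] ->", with_error_handling(weak_majority)([P, P, I]))
    print("weak-consensus  [P, P, I] ->", with_error_handling(weak_consensus)([P, P, I]))
```

The two error cases at the end are the point: with two Permits and one failed PDP, weak majority is Permit however the failure would have resolved, while weak consensus must stay Indeterminate because the failed policy could have denied. Deciding this per combiner, rather than mapping every error to Deny or to Indeterminate, is what lets a combining language handle evaluation errors without over-denying.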
Next Steps
• Develop an implementation of the extended XACML algorithms and of the policy distribution and enforcement algorithms
• Investigate cryptographic approaches
EXAM - a Comprehensive Environment for the Analysis of