A Distributed Calculus for Role-Based Access Control Chiara Braghin - - PowerPoint PPT Presentation

SLIDE 1

A Distributed Calculus for Role-Based Access Control

Chiara Braghin, joint work with D. Gorla and V. Sassone
MyThS Meeting, Venice, June 14th, 2004

A Distributed Calculus for Role-Based Access Control – p.1/18


SLIDE 3

RBAC

Why: Role-Based Access Control is attracting increasing attention because:
  • it reduces complexity and cost of security administration;
  • permission management is less error-prone;
  • it is flexible (rôle hierarchy, separation of duty, etc.);
  • it is least-privilege oriented.

Our work: formalize the behaviour of concurrent and distributed systems under security policies defined in an RBAC fashion, similar to:
  • the types developed in Dπ and Klaim to implement discretionary access control;
  • the types developed for Boxed Ambients to implement mandatory access control.


SLIDE 4

Contents

  • the RBAC96 model
  • a formal framework for concurrent systems running under an RBAC policy: an extension of the π-calculus
  • a type system ensuring that the specified policy is respected during computations
  • a bisimulation to reason on systems' behaviours
  • some useful applications of the theory:
      • finding the 'minimal' schema to run a given system
      • refining a system to be run under a given schema
      • minimizing the number of users in a given system


SLIDE 5

The Basic RBAC model

[Diagram of the basic RBAC model: the sets USERS, ROLES, PERMISSIONS and SESSIONS, linked by the USER ASSIGNMENT relation (users to rôles) and the PERM. ASSIGNMENT relation (rôles to permissions).]


SLIDE 6

The starting point: π-calculus

Concurrent processes communicating on channels.

Processes:
  P, Q ::= a(x).P        (input)
         | u⟨v⟩.P        (output)
         | [u = v]P       (matching)
         | (νa:R)P        (restriction)
         | nil
         | P | Q          (parallel composition)
         | !P             (replication)



SLIDE 10

The Syntax of our Calculus

Concurrent processes communicating on channels.

Processes:
  P, Q ::= a(x).P | u⟨v⟩.P | [u = v]P | (νa:R)P | nil | P | Q | !P
         | role R.P       (rôle activation)
         | yield R.P      (rôle deactivation)

User Sessions:  r{|P|}ρ
  (user r running the process P with the set of rôles ρ activated)

Systems:
  A, B ::= 0 | r{|P|}ρ | A ∥ B | (νa_r:R)A

Channels are allocated to users (a_r is a channel of user r) to enable a distributed implementation.



SLIDE 16

Dynamic Semantics

It is given in the form of a reduction relation.

Communication:
  s{|a_r⟨n⟩.P|}ρ ∥ r{|a(x).Q|}ρ′  →  s{|P|}ρ ∥ r{|Q[n/x]|}ρ′

Rôle activation:
  r{|role R.P|}ρ  →  r{|P|}ρ∪{R}

Rôle deactivation:
  r{|yield R.P|}ρ  →  r{|P|}ρ−{R}



SLIDE 18

RBAC schema

Permissions are capabilities that enable process actions. Thus,

  A = {R↑, R?, R!} for each rôle R

is the set of permissions (R↑: activate rôle R; R?: input on channels of rôle R; R!: output on channels of rôle R).

In our framework, the RBAC schema is a pair of finite relations (U; P) such that

  U ⊆fin (N_u ∪ C) × R       (users and channels are assigned rôles)
  P ⊆fin R × A               (rôles are assigned permissions)

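The reduction rules of the "Dynamic Semantics" slide together with the schema (U; P) above can be exercised with a small interpreter. The following Python is an added example written for this page, not code from the authors; it assumes sequential processes (finite lists of prefixes, no parallel composition or replication inside a session), takes P(ρ) to be the union of P(R) over the active rôles R ∈ ρ, and reads the rôle of a channel from U exactly as for a user. The banking schema and the two sessions are constructed for the example.

```python
# Added example (not from the slides): an interpreter for user sessions r{|P|}ρ
# under an RBAC schema (U; P), following the communication, rôle activation and
# rôle deactivation reductions and the permission set {R↑, R?, R!}.
# Assumptions: sequential processes only; P(ρ) = union of P(R) for R in ρ.
from dataclasses import dataclass

# Prefixes: ("role", R), ("yield", R), ("in", channel, var), ("out", channel, value)

@dataclass(frozen=True)
class Session:
    user: str        # the user r owning the session
    proc: tuple      # remaining prefixes of P
    rho: frozenset   # rôles currently activated (ρ)

def perms(P, rho):
    """P(ρ): permissions granted by the activated rôles (assumed: union over ρ)."""
    return set().union(*(P.get(R, set()) for R in rho))

def needed(U, prefix):
    """Permission that enables a prefix, or None if none is required."""
    kind = prefix[0]
    if kind == "role":
        return prefix[1] + "↑"
    if kind in ("in", "out"):
        (R,) = U[prefix[1]]          # a channel is assigned exactly one rôle: {S} = U(b)
        return R + ("?" if kind == "in" else "!")
    return None

def enabled(U, P, session):
    """Is the first prefix enabled by P(ρ) (and, for rôle activation, assigned by U)?"""
    if not session.proc:
        return False
    pre = session.proc[0]
    if pre[0] == "role" and pre[1] not in U[session.user]:
        return False                 # rôle not assigned to this user
    need = needed(U, pre)
    return need is None or need in perms(P, session.rho)

def substitute(proc, x, n):
    """Q[n/x]: replace the bound variable x by the received name n."""
    return tuple(tuple(n if f == x else f for f in pre) for pre in proc)

def step(U, P, sessions):
    """One reduction of the system; returns the new sessions, or None if no rule applies."""
    for i, s in enumerate(sessions):
        if not enabled(U, P, s):
            continue
        pre, rest = s.proc[0], s.proc[1:]
        new = list(sessions)
        if pre[0] == "role":         # r{|role R.P|}ρ → r{|P|}ρ∪{R}
            new[i] = Session(s.user, rest, s.rho | {pre[1]})
            return new
        if pre[0] == "yield":        # r{|yield R.P|}ρ → r{|P|}ρ−{R}
            new[i] = Session(s.user, rest, s.rho - {pre[1]})
            return new
        if pre[0] == "out":          # communication with a session whose input is enabled
            for j, t in enumerate(sessions):
                if j != i and enabled(U, P, t) and t.proc[0][:2] == ("in", pre[1]):
                    new[i] = Session(s.user, rest, s.rho)
                    new[j] = Session(t.user, substitute(t.proc[1:], t.proc[0][2], pre[2]), t.rho)
                    return new
    return None

def run(U, P, sessions, limit=100):
    """Reduce until every session is finished; returns (sessions, steps, "done" | "stuck")."""
    steps = 0
    while any(s.proc for s in sessions) and steps < limit:
        nxt = step(U, P, sessions)
        if nxt is None:
            return sessions, steps, "stuck"
        sessions, steps = nxt, steps + 1
    return sessions, steps, "done"

# Constructed schema: client r and bank s; channel req has rôle client, channel ack rôle cashier.
U = {"r": {"user", "client"}, "s": {"cashier"}, "req": {"client"}, "ack": {"cashier"}}
P = {"user": {"client↑"},
     "client": {"client!", "cashier?"},
     "cashier": {"client?", "cashier!"}}

def banking():
    """r activates client, sends a request, waits for the answer, deactivates client."""
    r = Session("r", (("role", "client"), ("out", "req", "withdraw"),
                      ("in", "ack", "y"), ("yield", "client")), frozenset({"user"}))
    s = Session("s", (("in", "req", "x"), ("out", "ack", "x")), frozenset({"cashier"}))
    return [r, s]

def banking_without_activation():
    """Same client, but it never activates client: client! is not in P({user})."""
    r, s = banking()
    return [Session("r", r.proc[1:], r.rho), s]

if __name__ == "__main__":
    print(run(U, P, banking()))
    print(run(U, P, banking_without_activation()))
```

The first run takes four reductions (activation, request, answer, deactivation) and ends with ρ back to {user}; the second is stuck at once, because the output on req requires client! and P({user}) only grants client↑.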

SLIDE 19

An Example

A banking scenario:
  • two users, the client r and the bank s;
  • cashiers are modelled as channels c_1, ..., c_n of user s;
  • the rôles available are client and cashier.

  r{| role client. enqueue_s⟨r⟩. dequeue(z). z⟨req_1⟩. ··· . z⟨req_k⟩. z⟨stop⟩. yield client |}ρ
  ∥
  s{| (ν free)( !enqueue(x).free(y).dequeue_x⟨y⟩
              | Π_{i=1..n} free_s⟨c_i⟩
              | Π_{i=1..n} !c_i(x).( [x = withdrw_req] ⟨...⟩    [illegible in source]
                                    | [x = dep_req] ⟨...⟩       [illegible in source]
                                    | ...
                                    | [x = stop] free_s⟨c_i⟩ ) ) |}ρ′



SLIDE 22

Static Semantics - Types

The syntax of types:
  Types          T  ::= UT | C
  User Types     UT ::= ρ[a_1 : R_1(T_1), ..., a_n : R_n(T_n)]
  Channel Types  C  ::= R(T)

Γ; ρ ⊢^P_r P states that P respects Γ and P when it is run in a session of r with rôles ρ activated.

A typing environment is a mapping from user names and variables to user types that respects the assignments in U.



SLIDE 24

Static Semantics - The Type System

An example: performing input actions.

(T-Input)
    Γ ⊢ a : R(T)     R? ∈ P(ρ)     Γ, x ↦ T; ρ ⊢^P_r P
    ------------------------------------------------
                  Γ; ρ ⊢^P_r a(x).P

Type Safety: Let A be a well-typed system for (U; P). Then, whenever A ≡ (ν a_r:R)(A′ ∥ r{|b(x).P|}ρ), it holds that either
  • b_r:S ∈ a_r:R and S? ∈ P(ρ), or
  • b_r ∉ a_r and S? ∈ P(ρ), where {S} = U(b_r).

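To see how (T-Input) and its companions decide a judgement Γ; ρ ⊢^P_r P, here is an added checker written for this page (not the authors' code) for sequential processes. It assumes that P(ρ) is the union of P(R) for R ∈ ρ, that an output on a channel of rôle R needs R! and a payload of the channel's carried type T, and that activating R needs both (r, R) ∈ U and R↑ ∈ P(ρ); the schema, environment and processes below are constructed after the credit-card request of the "Example Again" slide, where only rich_client holds cc! and only rich may activate it.

```python
# Added example (not from the slides): a checker for Γ; ρ ⊢^P_r P on sequential
# processes.  Types are tuples: ("chan", R, T) for the channel type R(T) and
# ("val", name) for plain data.  Assumptions: P(ρ) is the union of P(R) for R in ρ;
# output needs R! and a well-typed payload; role R needs (r, R) in U and R↑ in P(ρ).

def perms(P, rho):
    """P(ρ): the permissions of the activated rôles."""
    return set().union(*(P.get(R, set()) for R in rho))

def channel_type(gamma, a):
    """Γ ⊢ a : R(T) as (R, T), or None if a is not a channel in Γ."""
    t = gamma.get(a)
    return (t[1], t[2]) if t and t[0] == "chan" else None

def check(U, P, gamma, user, rho, proc):
    """Return (True, None) if Γ; ρ ⊢_r P holds, otherwise (False, reason)."""
    gamma, rho = dict(gamma), set(rho)        # Γ and ρ evolve along the prefixes
    for pre in proc:
        kind = pre[0]
        if kind == "in":                       # (T-Input)
            _, a, x = pre
            ct = channel_type(gamma, a)
            if ct is None:
                return False, f"{a} is not a channel in Γ"
            R, T = ct
            if R + "?" not in perms(P, rho):
                return False, f"{a}({x}): {R}? not in P({sorted(rho)})"
            gamma[x] = T                       # Γ, x ↦ T for the continuation
        elif kind == "out":                    # output: Γ ⊢ a:R(T), Γ ⊢ v:T, R! ∈ P(ρ)
            _, a, v = pre
            ct = channel_type(gamma, a)
            if ct is None:
                return False, f"{a} is not a channel in Γ"
            R, T = ct
            if R + "!" not in perms(P, rho):
                return False, f"{a}<{v}>: {R}! not in P({sorted(rho)})"
            if gamma.get(v) != T:
                return False, f"{a}<{v}>: {v} does not have type {T}"
        elif kind == "role":                   # rôle activation
            R = pre[1]
            if R not in U.get(user, set()):
                return False, f"role {R}: not assigned to {user} in U"
            if R + "↑" not in perms(P, rho):
                return False, f"role {R}: {R}↑ not in P({sorted(rho)})"
            rho.add(R)
        elif kind == "yield":                  # rôle deactivation
            rho.discard(pre[1])
        else:
            return False, f"unknown prefix {pre}"
    return True, None

# Constructed schema: U lists the rôles of the users; channel rôles are read from Γ here.
U = {"r": {"user", "client", "rich", "rich_client"}, "s": {"cashier"}}
P = {"user": {"client↑"},
     "client": {"client!"},
     "rich": {"rich_client↑"},
     "rich_client": {"client!", "cc!"},
     "cashier": {"client?"}}
SIGNATURE, REQUEST = ("val", "signature"), ("val", "request")
GAMMA = {"enqueue": ("chan", "client", REQUEST), "cc": ("chan", "cc", SIGNATURE),
         "creditcard_req": REQUEST, "signature": SIGNATURE}

def client_request(role):
    """Activate `role`, enqueue a credit-card request, then sign on channel cc."""
    return (("role", role), ("out", "enqueue", "creditcard_req"), ("out", "cc", "signature"))

def examples():
    return {
        "as client": check(U, P, GAMMA, "r", {"user"}, client_request("client")),
        "as rich_client": check(U, P, GAMMA, "r", {"rich"}, client_request("rich_client")),
        "bank input": check(U, P, GAMMA, "s", {"cashier"}, (("in", "enqueue", "x"),)),
        "wrong payload": check(U, P, GAMMA, "r", {"rich"},
                               (("role", "rich_client"), ("out", "cc", "creditcard_req"))),
    }

if __name__ == "__main__":
    for name, result in examples().items():
        print(name, result)
```

The client that activates only client is rejected at the cc output (cc! is not in P({user, client})), the rich client passes, the bank's input on enqueue is typable because cashier holds client?, and the last case fails on the payload type rather than on permissions.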

SLIDE 27

The Example Again

The banking scenario again:
  • now each available operation is modelled as a different channel (wdrw = withdraw, opn = open account, cc = credit card request);
  • the communication on different channels requires different rôles.

P is such that {(rich_client, cc!), (rich, rich_client↑)} ⊆ P.

  ⊢ r{| role client. enqueue_s⟨r⟩. dequeue(z). z⟨creditcard_req⟩. cc_s⟨signature⟩. z⟨stop⟩ |}{user}
  ⊢ r{| role rich_client. enqueue_s⟨r⟩. dequeue(z). z⟨creditcard_req⟩. cc_s⟨signature⟩. z⟨stop⟩ |}{rich}


SLIDE 28

LTS Semantics

The labels of the LTS are derived from those of the π-calculus:

  µ ::= τ | a_r n | a_r n : R | ā_r n | ā_r n : R

(input and output labels, each either with a known name n or with a fresh name n of rôle R).

The LTS relates configurations, i.e. pairs (U; P) ⊳ A made up of an RBAC schema (U; P) and a system A.

Example: (LTS-F-Input)
    U(a_r) = {R}     R? ∈ P(ρ)     n ∉ dom(U)
    ---------------------------------------------------------------------
    (U; P) ⊳ r{|a(x).P|}ρ  --a_r n:S-->  (U ⊎ {n : S}; P) ⊳ r{|P[n/x]|}ρ


SLIDE 29

Bisimulation Equivalence

We can define a standard bisimulation over the LTS.

(Bisimulation) It is a binary symmetric relation S between configurations such that, if (D, E) ∈ S and D --µ--> D′, there exists a configuration E′ such that E ==µ̂==> E′ and (D′, E′) ∈ S. Bisimilarity, ≈, is the largest bisimulation.

The bisimulation is adequate with respect to a standardly defined (typed) barbed congruence.


SLIDE 32

Some Algebraic Laws

  • If an action is not enabled, then the process cannot evolve:
      r{|α.P|}ρ ≈ 0   if P(ρ) does not enable α
  • Differently from some distributed calculi, a terminated session does not affect the evolution of the system:
      r{|nil|}ρ ≈ 0
  • The user performing an output action is irrelevant; the only relevant aspect is the set of permissions activated when performing the action:
      r{|b_s⟨n⟩.nil|}ρ ≈ t{|b_s⟨n⟩.nil|}ρ


SLIDE 33

Finding the “Minimal” Schema

Goal: to look for a 'minimal' schema to execute a given system A while maintaining its behaviour w.r.t. (U; P).

Algorithm:
  • fix a metric (number of rôles in the schema, permissions associated to each rôle, etc.);
  • define the set CONF_A = {(U′; P′) ⊳ A : (U′; P′) is an RBAC schema} of configurations for A;
  • partition CONF_A w.r.t. ≈ and consider the equivalence class containing (U; P) ⊳ A;
  • choose the minimal schema in that class according to the chosen metric.


SLIDE 34

Refining Systems

Goal: to add rôle activations/deactivations within a system in such a way that the resulting system can be executed under a given schema (U; P).
  • We want a rôle to be active only when needed.
  • The refining procedure replaces any input/output prefix α occurring in a session r{|···|}ρ with the sequence of prefixes role R.α.yield R, where R is formed by rôles assigned to r, activable once ρ has been activated, and enabling the execution of α.
  • The refining procedure adapts the type system.

Improvement: we can give an algorithm to minimize the number of these added actions.

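The refining procedure can be made concrete on sequential processes. The Python below is an added example for this page, my own reconstruction rather than the authors' algorithm: refine_naive wraps every input/output prefix α that P(ρ) does not enable as role R.α.yield R, choosing a rôle R assigned to r, activable from ρ (R↑ ∈ P(ρ)) and whose permissions enable α; refine keeps R active across a run of consecutive prefixes that ρ ∪ {R} enables, as one simple way of reducing the number of added actions that the slide's improvement calls for. P(ρ) is assumed to be the union of P(R) over R ∈ ρ, a single rôle is activated per prefix, and the schema and process are constructed for the example.

```python
# Added example (not from the slides): the refining procedure for sequential
# processes, in a naive form (one role/yield pair around each prefix that needs it)
# and a form that keeps the rôle active across consecutive prefixes it enables.
# Assumptions: P(ρ) = union of P(R) for R in ρ; one rôle is activated per prefix.

def perms(P, rho):
    """P(ρ): permissions of the activated rôles."""
    return set().union(*(P.get(R, set()) for R in rho))

def needed(U, alpha):
    """Permission enabling an input/output prefix: R? or R!, with {R} = U(channel)."""
    (R,) = U[alpha[1]]
    return R + ("?" if alpha[0] == "in" else "!")

def pick_role(U, P, user, rho, need):
    """A rôle of `user`, activable from ρ, whose permissions include `need` (first by name)."""
    for R in sorted(U[user]):
        if R + "↑" in perms(P, rho) and need in P.get(R, set()):
            return R
    return None

def refine_naive(U, P, user, rho, proc):
    """Replace each non-enabled prefix α by role R.α.yield R."""
    out = []
    for alpha in proc:
        need = needed(U, alpha)
        if need in perms(P, rho):
            out.append(alpha)
            continue
        R = pick_role(U, P, user, rho, need)
        if R is None:
            raise ValueError(f"no rôle of {user} activable from {sorted(rho)} enables {alpha}")
        out += [("role", R), alpha, ("yield", R)]
    return out

def refine(U, P, user, rho, proc):
    """Same, but yield R only after the run of prefixes that ρ ∪ {R} enables."""
    out, i = [], 0
    while i < len(proc):
        need = needed(U, proc[i])
        if need in perms(P, rho):
            out.append(proc[i])
            i += 1
            continue
        R = pick_role(U, P, user, rho, need)
        if R is None:
            raise ValueError(f"no rôle of {user} activable from {sorted(rho)} enables {proc[i]}")
        out.append(("role", R))
        # stay in R while the following prefixes are enabled under ρ ∪ {R}
        while i < len(proc) and needed(U, proc[i]) in perms(P, rho | {R}):
            out.append(proc[i])
            i += 1
        out.append(("yield", R))
    return out

def added_actions(refined, proc):
    """Number of role/yield prefixes inserted by a refinement."""
    return len(refined) - len(proc)

# Constructed schema: user r may activate client; req and resp have rôle client,
# log has rôle user, teller has rôle cashier (which r cannot activate).
U = {"r": {"user", "client"},
     "req": {"client"}, "resp": {"client"}, "log": {"user"}, "teller": {"cashier"}}
P = {"user": {"client↑", "user!"}, "client": {"client!", "client?"}}
RHO = frozenset({"user"})
PROC = [("out", "req", "withdraw"), ("out", "log", "ok"), ("in", "resp", "y")]

if __name__ == "__main__":
    print(refine_naive(U, P, "r", RHO, PROC))
    print(refine(U, P, "r", RHO, PROC))
```

On PROC the naive refinement inserts four prefixes (client is activated and yielded twice, around the request and around the reply), while refine inserts two, keeping client active over the log output in between, which ρ alone already enables; an output on teller fails in both, since no rôle of r reachable from {user} grants cashier!.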

SLIDE 35

Relocating Activities

Goal: to transfer a process from one user to another without changing the overall system behaviour, in order to minimize the number of users in a system.

It is possible to infer axiomatically judgments of the form:

  (U; P) ⊳ r{|P|}ρ ≈ (U; P) ⊳ s{|P|}ρ

This judgment says that the process P can be executed by either r or s without affecting the overall system behaviour. Thus, the session r{|P|}ρ can be removed. If no other session of r is left in the system, then r is a useless user and is erased.


SLIDE 36

Conclusion

  • We have defined a formal framework for reasoning about concurrent systems running under an RBAC schema.
  • A number of papers deal with the specification and verification of RBAC schemas.

Future work:
  • extend the framework to deal with more complex RBAC models;
  • prove that bisimilarity is complete for barbed congruence;
  • study information flow in terms of RBAC?

http://www.dsi.unive.it/~dbraghin/publications.html
