A System to Specify and Manage Multipolicy Access Control Models - - PowerPoint PPT Presentation


Policy 2002: IEEE 3rd International Workshop on Policies for Distributed Systems and Networks Hosted by the Naval Postgraduate School , Monterey, California, U.S.A. June 5-7, 2002 A System to Specify and Manage Multipolicy Access Control Models


SLIDE 1

A System to Specify and Manage Multipolicy Access Control Models

Policy 2002: IEEE 3rd International Workshop on Policies for Distributed Systems and Networks, hosted by the Naval Postgraduate School, Monterey, California, U.S.A., June 5-7, 2002

Elisa Bertino, DSI Università degli Studi di Milano, bertino@dsi.unimi.it
Barbara Catania, DISI Università degli Studi di Genova, catania@disi.unige.it
Elena Ferrari, DSCFM Università degli Studi dell’Insubria, Elena.Ferrari@uninsubria.it
Paolo Perlasca, DSI Università degli Studi di Milano, perlasca@dsi.unimi.it

SLIDE 2

Summary

  • The general problem: Data Security
  • MACS: a multipolicy access control system
  • The architecture of MACS
  • How MACS works
  • Conclusions and future work
SLIDE 3

Data Security

  • Data are an important strategic and operational asset for any organization
  • Damages and misuses of data affect not only a single user or an application; they may have disastrous consequences on the entire organization.

Data must be protected!

SLIDE 4

Data Security

Data Security requires:

  • Confidentiality
  • Integrity
  • Availability

(Figure: Data Security as the triangle of Availability, Confidentiality and Integrity)

SLIDE 5

Data Security

  • A comprehensive solution for Data Security consists of:

– the identification of the security requirements
– the specification of a security policy
– the selection of some mechanism to enforce the specified policy

(Figure: Identification of the Security Requirements, then Specification of the Security Policy)

SLIDE 6

Data Security: Access Control System

  • An access control system regulates the operations that can be executed on data and resources to be protected

– an access control policy can be enforced through a set of authorization rules, establishing the operations and rights that subjects can exercise on the protected objects
– the reference monitor determines whether an access request can be authorized or not, according to the authorization rules enforcing the selected policy

(Figure: Access Control System: an access request <s,o,p>, with subject s in S, object o in O and privilege p in P, is evaluated by the reference monitor against the authorization rules of the access control policy and is either authorized or denied)

SLIDE 7

Issues in Data Security

  • A variety of access control policies have been so far defined
  • Articulated access control requirements are not adequately supported by a single-policy access control mechanism

(Figure: an Access Control System facing several different Access Control Policies)

SLIDE 8

What is MACS?

  • MACS is a multipolicy access control system supporting both the specification and the implementation of a large variety of access control models

(Figure: MACS, Multipolicy Access Control System, covering Mandatory Models, Discretionary Models, RBAC Models and User-defined Models)

SLIDE 9

What is MACS?

  • MACS is flexible and extensible since:

– it can easily accommodate new access control requirements
– it allows the administrator to define their own access control policies and/or models in addition to those already provided by the system

SLIDE 10

What is MACS?

  • MACS is based on a formal language and provides a set of tools helping the administrator in the specification and analysis of access control models and in authorization management

  • Model Specification and Analysis
  • Authorization Management

(Figure: MACS, Multipolicy Access Control System: Language + Tools for each of the two tasks)

SLIDE 11

How?

  • Under MACS multiple access control policies can co-exist within the same system
  • The basic idea is to apply different policies to different disjoint sets of the objects to be protected

(Figure: the object set O is partitioned into O1 and O2; O1 is governed by Access Control Policy P1 enforced by ACM M1, O2 by Access Control Policy P2 enforced by ACM M2)

SLIDE 12

How?

  • An access request involving an object o is authorized or denied according to the policy enforced by the specific component model containing o

(Figure: in MACS, a request (s,o,p) with o in O1 is evaluated by ACM M1 under the authorization rules of Access Control Policy P1 and is either authorized or denied)

SLIDE 13

MACS: the language

  • MACS is based on the C-Datalog language, which is an Object-Oriented extension of Datalog
  • C-Datalog supports:

– classical object-oriented concepts, such as classes, objects and inheritance (used to represent subjects, objects, privileges, sessions, …)
– typical logic-based concepts, such as deductive rules (used to represent authorization and constraint rules)

(Figure: an ACM in C-Datalog combines Object-Oriented Concepts and Logic-based Concepts)

SLIDE 14

MACS: the language

  • Each instance of an ACM is a logical program composed of C-Datalog rules defined against a C-Datalog schema specifying the structure of the elements existing in the system

SLIDE 15

MACS: the architecture

  • The architecture of MACS consists of two main environments with different tasks:

– the Multipolicy Management Environment (MME):
  • Generation of a template (a template partially specifies the components belonging to each instance of a model)
  • Static analysis of the generated template

– the Run-Time Environment (RTE):
  • Generation of an authorization base according to the template
  • Verification of end-user and SA requests
SLIDE 16

MACS: the template

  • A multipolicy template specifies, for each component model:

– the set of objects to be protected by this component model
– a set of data and rules representing the structural components on which the model is based
– a set of rules establishing how authorizations are derived and propagated along the hierarchical organization of the structural component
– a set of rules specifying integrity constraints
– a conflict resolution function to deal with conflicting authorizations

SLIDE 17

RBAC Component Model

(Figure: the partially specified RBAC model for object partition On, made of the role hierarchy R1 to R4, the permission-role assignments over the permission set P and the constraints (SSD, DSD), plus the user-role assignments of the users, gives the fully specified model)

SLIDE 18

MACS: the MME environment

  • The main modules of the MME environment are:

– the Graphic Template Interface (GTI)
– the Static Analyzer

  • The Graphic Template Interface supports the PA during the generation of a template, whereas the Static Analyzer checks the consistency of the generated template

SLIDE 19

The MME performs the following tasks:
– Generation of a template
– Static analysis of the generated template

(Figure: Multipolicy Management Environment: the Policy Administrator (PA) uses the Graphic Template Interface (GTI), the Access Control Models Library and the Conflict Resolution Functions Library to build a Multipolicy Template, written in the Formal Language Specification, over the Protected Objects; the Static Analyzer checks the template; the steps A to G are listed below)

A. Partitioning of protected objects
B. Assignment of an ACM to each partition
C. Assignment of a CRF to each ACM
D. Generation of the template
E. Analysis of the generated template
F. Feedback of the analysis answers
G. Run-time environment

SLIDE 20

MACS: the Run-time environment

  • The main modules of the Run-Time Environment are:

– the Authorization Manager Front-End
– the Access Control Compiler and Checker
– the Authorization Analyzer

  • The Authorization Manager Front-End manages end-user and SA requests

SLIDE 21

MACS: the AC compiler & checker

  • The main tasks of the Access Control Compiler and Checker are:

– the generation of an Authorization Base according to the policies stated by the PA
– the verification of end-user and SA requests

  • The Authorization Analyzer:

– supports the compiler during the generation process of an Authorization Base and
– checks consistency and correctness of the generated set of authorizations
SLIDE 22

(Figure: Run-Time Environment: the Security Administrator (SA) submits administrative operations and the End-user submits access requests to the Authorization Manager Front-end; the Multipolicy Template Instance is passed to the Access Control Compiler and Checker, which works with the Authorization Analyzer to produce the Authorization Base; the steps a to g are listed below)

The Run-Time Environment performs the following tasks:
– Generation of an authorization base
– Verification of End-user and SA requests

a. Complete the template
b. Send the template instance to the compiler
c. Check consistency and correctness
d. Send a feedback to SA
e. Generate a consistent AB
f. Submit SA requests
g. Submit End-user requests

SLIDE 23

MACS: how it works

  • An Access Control Model Schema (ACMS) defines the structural components on which the model is based
  • An Access Control Model Instance (ACMI) provides information concerning the component instances, that is, the “actual” subjects, objects, privileges and sessions, and the authorization and constraint rules used to instantiate the model

SLIDE 24

MACS: how it works

  • The components of an ACMI can be organized as follows:

– Domain classes represent the structure of the basic components (s, o, p, and sessions) of an ACM, whereas domain instances represent the actual components (instances are represented as sets of facts)
– Domain structure information represents relationships existing between basic components
– The authorization component contains a set of facts and rules representing direct authorizations
– The propagation component contains a set of rules by which additional authorizations can be derived
– The constraint component consists of a set of rules specifying static and dynamic constraints on the basic components

SLIDE 25

ACMI components:

  • DC: Domain Component
  • DSC: Domain Structure Component
  • AC: Authorization Component
  • PC: Propagation Component
  • CC: Constraint Component

ACMS (schema of the domain classes and of the structural relation between groups):

  object(self:object, name:string, access_class:string)
  group(self:group, name:string)
  SubG(G1:group, G2:group)

ACMI (domain instances are facts of the form Object(self:<value>, name:<value>, access_class:<value>)), for example:

  Object(self:#8, name:Salaries, access_class:Secret)

Domain structure: the groups g1, g2, g3, g4, g5 are related by facts such as SubG(G1:g5, G2:g4); the transitive relation InSubG is derived by the rules

  InSubG(G1:X, G2:Y) ← SubG(G1:X, G2:Y)
  InSubG(G1:X, G2:Y) ← SubG(G1:X, G2:Z), InSubG(G1:Z, G2:Y)

so that, for instance, SubG(G1:g5, G2:g4) and InSubG(G1:g4, G2:g1) yield InSubG(G1:g5, G2:g1).
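As an added example (not code from the MACS paper or its prototype), the following Python mimics, on constructed facts, the slide-25 propagation rules (InSubG derived from SubG by Datalog least-fixpoint evaluation) and the routing rule of slides 11-12 (a request (s,o,p) is decided by the component model whose object partition contains o), together with the partition-disjointness check a static analyzer would make. The rule that a privilege granted to a group holds for its subgroups, the clearance-dominance rule of the mandatory component, and all names (SUBG, AUTH_M1, m1_decide, m2_decide, check_disjoint, macs_decide) are assumptions of this example.

```python
# Added example, not the MACS implementation. Constructed facts throughout.
# (a) slide-25 propagation rules evaluated to a least fixpoint;
# (b) slide 11-12 routing of (s, o, p) to the component model owning o;
# (c) a static check that the object partitions of a template are disjoint.

# Constructed SubG facts: SubG(G1:x, G2:y) means x is a direct subgroup of y.
SUBG = {("g5", "g4"), ("g4", "g1"), ("g3", "g2"), ("g2", "g1")}

def in_subg(subg):
    """InSubG(X,Y) <- SubG(X,Y);  InSubG(X,Y) <- SubG(X,Z), InSubG(Z,Y)."""
    derived = set(subg)                                   # first rule
    while True:                                           # iterate to fixpoint
        new = {(x, y) for (x, z) in subg for (z2, y) in derived if z == z2}
        if new <= derived:
            return derived
        derived |= new

# Component model M1 (discretionary): direct authorizations (group, object, priv).
AUTH_M1 = {("g1", "payroll.txt", "read")}

def m1_decide(s, o, p, groups_of):
    """Assumed propagation: a privilege held by a group holds for its subgroups."""
    closure = in_subg(SUBG)
    holders = {g for g, obj, priv in AUTH_M1 if (obj, priv) == (o, p)}
    return any(ug in holders or any((ug, g) in closure for g in holders) for ug in groups_of(s))

# Component model M2 (mandatory): access classes in the style of the slide-25 Object fact.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2}
OBJECT_CLASS = {"Salaries": "Secret", "Menu": "Unclassified"}
CLEARANCE = {"alice": "Secret", "bob": "Confidential"}

def m2_decide(s, o, p, groups_of):
    """Assumed rule: read allowed only when clearance dominates the object's class."""
    return p == "read" and LEVELS[CLEARANCE[s]] >= LEVELS[OBJECT_CLASS[o]]

# Multipolicy template: one (object partition, ACM) tuple per component model.
TEMPLATE = [({"payroll.txt", "report.doc"}, m1_decide), ({"Salaries", "Menu"}, m2_decide)]

def check_disjoint(template):
    """Static check (MME): the object partitions must be pairwise disjoint."""
    parts = [objs for objs, _ in template]
    return sum(len(x) for x in parts) == len(set().union(*parts))

def macs_decide(s, o, p, groups_of, template=TEMPLATE):
    """Route (s, o, p) to the single component model whose partition contains o."""
    for objects, acm in template:
        if o in objects:
            return acm(s, o, p, groups_of)
    raise KeyError(f"object {o!r} belongs to no partition of the template")
```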

SLIDE 26

MACS: how it works

  • An Access Control Multipolicy Template (ACMpT) of arity n is a set of n tuples such that:

– each of them is a partially specified ACMI handling a specific partition of objects to be protected and solving conflicts according to a specific conflict resolution function

  • When all ACMIs are fully specified, we refer to them as an Access Control Multipolicy Template Instance (ACMpTI)

SLIDE 27

MACS: how it works

  • The semantics of an ACMpTI is the union of the semantics of its component ACMPs, whereas an authorization base is the consistent set of authorizations specified by its semantics

(Figure: the ACMpTI is made of the tuples (Oi, ACMIi, Fi) for i = 1 … n; ACMPi is the ACMP of ACMIi and Mi is its semantics; the union of M1 … Mn gives the Authorization Base)

SLIDE 28

Conclusions

  • We have presented MACS, a flexible multipolicy access control system, supporting the specification and the analysis of a large variety of ACMs
  • It is based on a logical language providing a formal basis for the development of advanced analysis tools
  • The prototype implementation is based on Eclipse
SLIDE 29

Future work

  • We are formally studying the problem of authorization and template analysis

– we are also investigating the computational cost of this analysis

  • We plan to support multiple policies for the same objects