SLIDE 1
Example: SweGrid
Access Control Requirements
– A project leader delegates his authority
- ver resources to principals
– A project leader composes the principals'
Composite Decentralized Access Control Petar Tsankov , Srdjan - - PowerPoint PPT Presentation
Composite Decentralized Access Control Petar Tsankov , Srdjan - - PowerPoint PPT Presentation
Composite Decentralized Access Control Petar Tsankov , Srdjan Marinovic, Mohammad Torabi Dashtj, David Basin Instjtute of Informatjon Security ETH Zurich Example: SweGrid Goal Provides computatjonal and storage resources to researchers
SLIDE 2
SLIDE 3
Delegatjon
Multjple principals can issue access rights
Researchers access rights access rights delegatjons Project leader Dave Project Leader Bob Researchers
SLIDE 4
Delegatjon
Multjple principals can issue access rights
Researchers access rights access rights delegatjons
Decentralized Access Control
Project leader Dave Project Leader Bob Researchers
SLIDE 5
Compositjon
Policy decisions in large-scale systems
– Grant, Deny, Not-applicable, Confmict
Dave Project leader
+
Bob
Compositjon
- perators, e.g.:
- Permit-override
- Deny-override
- Confmict-override
+
SLIDE 6
Composite Access Control
Compositjon
Policy decisions in large-scale systems
– Grant, Deny, Not-applicable, Confmict
Dave Project leader
+
Bob
Compositjon
- perators, e.g.:
- Permit-override
- Deny-override
- Confmict-override
+
SLIDE 7
System Model
Subjects Resources
SLIDE 8
System Model
Requirements control access Subjects Resources Principals
SLIDE 9
System Model
PEP PDP Requirements control access Subjects Resources Principals Policies
SLIDE 10
Related Work
Systems and standards Formal foundatjons
SLIDE 11
Related Work
Systems and standards Formal foundatjons DKAL ('08)
RT ('01) SecPAL for Grid
Delegatjon
KeyNote PDP (RFC 2704)
...
SLIDE 12
Related Work
Systems and standards Formal foundatjons
XACML v2.0 D-Algebra ('09) PTaCL ('12) PBel ('08) DKAL ('08) RT ('01) SecPAL for Grid
Delegatjon Compositjon
KeyNote PDP (RFC 2704)
... ...
SLIDE 13
Related Work
Systems and standards Formal foundatjons
XACML v2.0 D-Algebra ('09) SweGrid PTaCL ('12) PBel ('08) DKAL ('08) RT ('01) XACML v3.0 ('13) SecPAL for Grid WSO2 ID Server
Delegatjon Compositjon Delegatjon + Compositjon
KeyNote PDP (RFC 2704)
... ...
SLIDE 14
Related Work
Systems and standards Formal foundatjons
XACML v2.0 D-Algebra ('09) SweGrid PTaCL ('12) PBel ('08) DKAL ('08) RT ('01) XACML v3.0 ('13) SecPAL for Grid WSO2 ID Server
BelLog
Delegatjon Compositjon Delegatjon + Compositjon
KeyNote PDP (RFC 2704)
... ...
SLIDE 15
How to Build Access Control Systems
Specify Policy Verify Policy Construct PDP
➔ Formal semantjcs ➔ Support for
delegatjon
➔ Support for
compositjon
➔ Analysis language ➔ Decision algorithms ➔ Effjcient evaluatjon
algorithm
SLIDE 16
How to Build Access Control Systems
Specify Policy Verify Policy Construct PDP
➔ Formal semantjcs ➔ Support for
delegatjon
➔ Support for
compositjon
➔ Analysis language ➔ Decision algorithms ➔ Effjcient evaluatjon
algorithm
SLIDE 17
Belnap Logic + Datalog = BelLog
(Program) (rule) (literal) (atom) Truth ordering Knowledge ordering
Belnap Logic (stratjfjed) Datalog
SLIDE 18
Belnap Logic + Datalog = BelLog
(Program) (rule) (literal) (atom) Truth ordering Knowledge ordering
Belnap Logic (stratjfjed) Datalog
SLIDE 19
Belnap Logic + Datalog = BelLog
(Program) (rule) (literal) (atom) Truth ordering Knowledge ordering
Belnap Logic (stratjfjed) Datalog
SLIDE 20
Belnap Logic + Datalog = BelLog
(Program) (rule) (literal) (atom) Truth ordering Knowledge ordering
Belnap Logic (stratjfjed) Datalog
BelLog
(Program) (rule) (literal) (atom) Negatjon on truth Negatjon on knowledge
SLIDE 21
Belnap Logic + Datalog = BelLog
(Program) (rule) (literal) (atom) Truth ordering Knowledge ordering
Belnap Logic (stratjfjed) Datalog
BelLog
(Program) (rule) (literal) (atom) Negatjon on truth Negatjon on knowledge
Semantjcs
Extend stratjfjed Datalog to four- valued fjxed-point semantjcs
SLIDE 22
BelLog Examples
SLIDE 23
BelLog Examples
Transitjve delegatjon
SLIDE 24
BelLog Examples
Transitjve delegatjon Policy targets
SLIDE 25
BelLog Examples
Transitjve delegatjon Policy targets Agreement
SLIDE 26
BelLog Examples
Transitjve delegatjon Confmict-override Policy targets Agreement
SLIDE 27
BelLog Examples
Transitjve delegatjon Confmict-override Policy targets Agreement
Other idioms?
SLIDE 28
➔ Formal semantjcs ➔ Support for
delegatjon
➔ Support for
compositjon
➔ Analysis language ➔ Decision algorithms ➔ Effjcient evaluatjon
algorithm
How to Build Access Control Systems
Specify Policy Verify Policy Construct PDP
SLIDE 29
Policy Analysis
Does the policy meet its requirements?
Requirements Policy
SLIDE 30
Policy Analysis
Does the policy meet its requirements?
Requirements Policy Questjons
SLIDE 31
Policy Analysis
Does the policy meet its requirements?
Requirements Policy Questjons Analyzer
SLIDE 32
Policy Analysis
Does the policy meet its requirements?
Requirements Policy Questjons Analyzer
Counter- example Policy checked
Fix
SLIDE 33
Policy Analysis
Does the policy meet its requirements?
Requirements Policy Questjons Analyzer
Counter- example Policy checked
Fix
How do we write this?
SLIDE 34
Policy Analysis
Does the policy meet its requirements?
Requirements Policy Questjons Analyzer
Counter- example Policy checked
Fix
How do we write this? Decidability? Complexity?
SLIDE 35
Analysis Questjons
Syntax
– Is policy P2 more permissive than P1 for all inputs
that satjsfy the conditjon c?
(conditjon) (questjon)
SLIDE 36
Analysis Questjons
All requests
Requests granted by P2 Requests granted by P1
Syntax
– Is policy P2 more permissive than P1 for all inputs
that satjsfy the conditjon c?
(conditjon) (questjon)
For a given input:
SLIDE 37
Analysis Questjons
All requests
Requests granted by P2 Requests granted by P1
Syntax
– Is policy P2 more permissive than P1 for all inputs
that satjsfy the conditjon c?
(conditjon) (questjon)
For a given input:
SLIDE 38
Analysis Questjons
All requests
Requests granted by P2 Requests granted by P1
Syntax
– Is policy P2 more permissive than P1 for all inputs
that satjsfy the conditjon c?
(conditjon) (questjon)
For a given input: Check for all inputs that satjsfy the conditjon
SLIDE 39
Example: Analysis Questjon
Requirement
If the requester is a project leader, then grant access.
Policy
SLIDE 40
Example: Analysis Questjon
Requirement
If the requester is a project leader, then grant access.
Analysis Questjon Policy
SLIDE 41
Analysis
SLIDE 42
Analysis
Theorem 1
Policy containment is undecidable
SLIDE 43
Analysis
Theorem 2
Policy containment for unary-input policies* is in CO-NEXP-COMPLETE
Theorem 1
Policy containment is undecidable
*Unary-input policies
– Example:
SLIDE 44
Analysis
Theorem 3
Policy containment for a fjnite universe is in CO-NP-COMPLETE
Theorem 2
Policy containment for unary-input policies* is in CO-NEXP-COMPLETE
Theorem 1
Policy containment is undecidable
*Unary-input policies
– Example:
SLIDE 45
➔ Formal semantjcs ➔ Support for
delegatjon
➔ Support for
compositjon
➔ Analysis language ➔ Decision algorithms ➔ Effjcient evaluatjon
algorithm
How to Build Access Control Systems
Specify Policy Verify Policy Construct PDP
SLIDE 46
Constructjng PDPs
Policy Interpreter htup://bellog.org GitHub htups://github.com/ptsankov/bellog/ Theorem 4
Policy entailment is in PTIME
SLIDE 47
Limitatjons
– Analysis of administratjve changes – Analysis complexity and tool support – Usability
SLIDE 48