Policy-driven Distributed Authorization: Status and Prospects (sanitized version) - Marianne Winslett, University of Illinois (PDF slides, POLICY 2007)

SLIDE 1

Marianne Winslett / POLICY 2007

1

Policy-driven Distributed Authorization:

Status and Prospects (sanitized version)

Marianne Winslett University of Illinois

SLIDE 2

A tale of two trends

SLIDE 3

Organizational boundaries used to be solid

SLIDE 4

Now boundaries are fuzzy

Why?

SLIDE 5

Competitive pressures are dissolving boundaries

[Diagram: an organization surrounded by who supplies it and by its partners]

SLIDE 6

Example: supply chains

[Diagram: Walmart, its suppliers, and their 2nd-level suppliers]

SLIDE 7

Example: first responders

[Diagram: EOC linked to Police, Fire, Public Transit, Red Cross, Medical, Illinois Railroad, School District and Chemical Owner]

SLIDE 8

Example: any large enterprise

[Diagram: an organization with Japanese, European and US divisions; each division has its own Accounting, HR and three product lines (Product Line 1 through Product Line 9)]

SLIDE 9

Distinction between insiders and outsiders becomes unclear

[Diagram: Organization]

SLIDE 10

Corporations are also facing new pressures for accountability

SLIDE 11

Accountability includes knowing who can/did do what to your data when

SLIDE 12

Industry is taking several steps to meet these needs

  • Strong authentication (X.509)
  • Centralize role definitions, base on attributes
  • Get access control out of apps (some day)

[Diagram: SAP, CRM and ERP applications, each with its own Access Policy, serving employees Emp1 through Emp4]

SLIDE 13

So enterprises are moving toward attribute-based access control

  • Based off centralized LDAP + X.509
  • Avoids inconsistency due to distribution
  • Easier to maintain, compared to ACLs
  • Less insider threat

[Diagram: HR groups at Walmart, Walmart’s supplier, and Walmart’s supplier’s supplier]

SLIDE 14

Doesn’t this sound like a good thing?

SLIDE 15

Why this scares me:

Automated exploitation of policy errors

SLIDE 16

Why this scares me:

Centralized authorization services can be attacked

SLIDE 17

Why this scares me:

  • Understanding policies
  • Industrial policy languages were not intended for rigorous analysis or user-friendliness
  • Analysis tools

SLIDE 18

Do things look more promising outside of industry?

  • Bilateral trust
  • Sensitive policies and credentials
  • We understand this theory pretty well

SLIDE 19

Trust-negotiation-like approaches will inevitably come into use

[Diagram: Alice’s TrustBuilder Security Agent negotiates with the Authorization Server’s TrustBuilder Security Agent for the Beijing Office Network; both sides carry Cisco “Patch 4” icons]

  • Authorization Server receives Alice’s LAN access request
  • Auth. Server discloses access policy (on-site access for WidgetCorp employees only)
  • Alice discloses her policy for disclosing her WidgetCorp employee ID
  • Auth. Server discloses its patch level credential, proves ownership
  • Alice discloses her employee ID, proves ownership
  • Auth. Server grants access to certain portions of LAN
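The exchange above, as an added example that is not part of the talk: a small Python simulation of the two-sided negotiation in which each party releases a credential only after the peer's disclosures satisfy its release policy for it, and otherwise discloses that policy. The Party/negotiate structure, the credential attribute names and the patch-level threshold of 4 are assumptions for the demo; proofs of credential ownership are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Party:
    name: str
    creds: dict      # credential kind -> attribute dict this party holds (constructed)
    policies: dict   # protected item -> (peer credential kinds required, predicate on them)
    disclosed: dict = field(default_factory=dict)  # credentials released so far
    wanted: list = field(default_factory=list)     # items the peer has asked us for
    sent: set = field(default_factory=set)         # policies already disclosed to the peer
    def satisfied(self, item, peer):
        # True if the peer's disclosures meet this party's policy for `item`.
        if item not in self.policies:
            return True
        needs, check = self.policies[item]
        if not all(k in peer.disclosed for k in needs):
            return False
        return check({k: peer.disclosed[k] for k in needs})

def negotiate(client, server, resource, rounds=8):
    """A party releases a credential only once the peer's disclosures satisfy its
    release policy; until then it discloses the policy. Ownership proofs are elided."""
    transcript = [(server.name, "receives request", resource)]
    server.wanted.append(resource)
    for _ in range(rounds):
        if server.satisfied(resource, client):
            transcript.append((server.name, "grants", resource))
            return True, transcript
        for me, peer in ((server, client), (client, server)):
            for item in list(me.wanted):
                if me.satisfied(item, peer):
                    if item in me.creds:                  # release the credential
                        me.disclosed[item] = me.creds[item]
                        me.wanted.remove(item)
                        transcript.append((me.name, "discloses credential", item))
                elif item not in me.sent:                 # tell the peer what we need
                    me.sent.add(item)
                    needs, _ = me.policies[item]
                    transcript.append((me.name, "discloses policy", f"{item} requires {needs}"))
                    peer.wanted.extend([k for k in needs if k not in peer.wanted])
    transcript.append((server.name, "denies", resource))
    return False, transcript

def beijing_lan_scenario(employer="WidgetCorp", server_patch=4):
    # Constructed: the server wants a WidgetCorp employee ID; Alice shows that ID only
    # to a server that has disclosed a patch-level credential of at least 4.
    alice = Party("Alice", {"employee_id": {"employer": employer}},
                  {"employee_id": (["patch_level"], lambda d: d["patch_level"]["level"] >= 4)})
    server = Party("AuthServer", {"patch_level": {"level": server_patch}},
                   {"lan": (["employee_id"], lambda d: d["employee_id"]["employer"] == "WidgetCorp")})
    return negotiate(alice, server, "lan")
```

With the defaults the transcript follows the six steps on the slide; lowering server_patch to 3 makes Alice withhold her ID and the server denies access after the round limit.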
SLIDE 20

But this only means more policies, more complex decisions to explain

“Ohhhhhhh . . . Look at that, Schuster . . . Dogs are so cute when they try to comprehend quantum mechanics”

  - Gary Larson
SLIDE 21

Traditional access control is transparent; TN is not

You are in the right group

SLIDE 22

Great ideas can fail if they don’t consider the human factor

The success of attribute-based policies for security and privacy, and ultimately the open and compliant systems they enable, relies on the ability of humans to comprehend and manage these policies.

SLIDE 23

Policy HCI is my #1 open problem

  • Real-world case studies of policy management activities, to learn how users think about these activities
  • User interfaces to help people understand and modify large, complex sets of policies

SLIDE 24

Example: Allegis policy middleware company

  • Software for cross-organizational access to customer relationship management applications
  • Allegis does not allow its clients to update their policies themselves
  • Only policy specialists can be trusted to understand and update the policies correctly
  • Even they may struggle to specify, modify, and comprehend complex policies--- note CRM focus

SLIDE 25

Large policies are as complex as any software

Declarative policy languages are not a panacea

Consider hundreds of pages of (declarative) SQL:

    SELECT a1.Name, a1.Sales,
           SUM(a2.Sales)/(SELECT SUM(Sales) FROM Total_Sales) Pct_To_Total
    FROM Total_Sales a1, Total_Sales a2
    WHERE a1.Sales <= a2.Sales
       OR (a1.Sales = a2.Sales AND a1.Name = a2.Name)
    GROUP BY a1.Name, a1.Sales
    ORDER BY a1.Sales DESC, a1.Name DESC;
    …

And any bugs may be found and exploited automatically

SLIDE 26

What if companies manage their own policies, as is natural with ABAC?

  • How can a decision-maker with limited technical expertise quickly understand a particular policy that suddenly becomes crucial?
  • What if the company’s policy admin quits or is sick? How can a new hire quickly understand policies?
  • Ordinary users: Why was this decision made? How can I get it reversed? What if I …

SLIDE 27

A proof is not an explanation

  • Proofs are fundamental in TN
  • But almost no one can understand a proof
  • Need heuristics to turn proofs into explanations, both for ordinary users and administrators
  • An explanation of why you didn’t get access, or how to get access, or what these policies say, doesn’t start from a proof

SLIDE 28

A possible solution: visual metaphors

[Figure: mock-up of a policy-management interface. Menu bar: File, Edit, Window, Actions. A Visual View panel lists entity categories (Roles, Policies, Resources, Credentials, Users; Subject, Request, Resource) and shows Patient, Doctor, Nurse and Administrator entities with Conceal and Release actions over Demographic, Prescription, X-ray and Lab report resources; the patient Adam and Dr. Gurtner are highlighted.]

Explanation window: The patient, Adam, wants to conceal prescriptions after May 2006* and lab reports after June 2006** from Dr. Gurtner [his previous physician].

Source Code window:

    Conceal-request(Jay, [(X-Ray, 5/2003, 7/2003)], Dr_Gupta, 5/2003)
    Conceal-request(Ragib, [(Demographic)], Dr_Snir, 8/2000)
    Conceal-request(Adam, [(Lab_Report, 6/2006), (Prescriptions, 5/2006)], Dr_Gurtner, NOW)
    Conceal-request(Megan, [(Prescriptions, 1/2005)], Dr_Nelson, 12/2004)

Annotations: Context-sensitive menus could be used to set temporal and other related constraints, indicated with small icons (* and **). Adjustable borders allow the source code and explanation windows to be selectively positioned or closed.

Figure. Early design schematic for a visual interface for managing security policies.

SLIDE 29

A possible solution: use AI to convert proofs into explanations

SLIDE 30

Policy analysis is the #2 open problem

We need to develop tools for analyzing large sets of policies

  • Safety
  • Availability
  • What-if?
  • Why?

both for policy administrators and ordinary users, even in heterogeneous systems. Challenges #1 & #2 should keep us busy for the next decade!

SLIDE 31

Lack of real-world experience is challenge #3

  • Cassandra health care policies
  • Shibboleth installations--- but only one-shot unilateral trust, with a closed set of organizations

We need more feedback from the real world to ensure that we are addressing the most important problems in policy-based authorization!

SLIDE 32

Vulnerability to attack is #4

  • Centralized authorization servers are attractive targets
  • TN is heavyweight
  • DDoS is so easy

SLIDE 33

TN is heavyweight

  • Multiple rounds of exchange
  • (Nested) third-party interactions
  • Complex decision making processes
  • Expensive crypto

[Diagram: a negotiation spawning nested queries (?) to third parties]

This is a liability. Solutions will require a multi-faceted approach.

SLIDE 34

Poor understanding of systems issues is #5

How should we build the policy engine?

  • Certainly not a Datalog theorem prover!
  • How can we integrate it with strategic decisions?
  • How can we make the policy engine reusable in other contexts (e.g., for analysis)?
  • How can we make a TN implementation flexible?

SLIDE 35

TrustBuilder2 addresses the flexibility problem

[Diagram: TrustBuilder2 architecture. Core components: Audit Service, Obligation Service, Strategy Module, Query Interface, Compliance Checker, Credential Verifier, and an External Query Processor that talks to the External Network. State: Alice’s Credentials, Alice’s Policies, Alice’s Obligations, Alice’s Disclosures, Bob’s Disclosures. Pluggable functions: policy satisfaction checking, message serialization, caching; user-defined handlers such as Email, Issue Certificate, Log and Visualization.]

User-Supplied Plug-ins

  • Anomaly detection
  • Logging, visualization, or instrumentation
  • Policy composition or rewriting
  • State inspection
  • Disclosure modification
  • Etc.

SLIDE 36

Policy compliance checking is slow

[Diagram: Policy → Theorem Prover → Minimize/maximize “value” of next disclosure]

SLIDE 37

Choice of “best” way to satisfy a policy depends on strategic goals

  • Service availability, e.g., closeness to ideal completeness
  • Privacy preservation, e.g., control leaks or minimize “value” of disclosed credentials
  • Computational overheads
  • Storage requirements

SLIDE 38

Rete is fast for compliance checking

  • Less than 4 seconds to find hundreds of satisfying sets, pick the one with minimal weight (new work)
  • Ships with TrustBuilder2!

SLIDE 39

Delegation and replication can improve availability, performance of decentralized ABAC

[Diagram: clients reach a Load Balancer (e.g., Wackamole§) in front of Worker 1, Worker 2, … Worker m, backed by Auth. Server 1, Auth. Server 2, … Auth. Server n]

  • Interactive negotiation protocol
  • Transcript generation
  • Transcript broadcast
  • Transcript verification
  • Access token generation (threshold cryptography)

§ Y. Amir, R. Caudy, A. Munjal, T. Schlossnagle, C. Tutu, “N-Way Fail-Over Infrastructure for Reliable Servers and Routers,” IEEE International Conference on Dependable Systems and Networks (DSN ’03), June 2003.

SLIDE 40

How to integrate strategic decisions with other functionality?

[Diagram: the TrustBuilder2 architecture again (Audit Service, Obligation Service, Strategy Module, Query Interface, Compliance Checker, Credential Verifier, External Query Processor; Alice’s Credentials, Policies and Obligations; user-defined Email, Issue Certificate, Log and Visualization handlers; policy satisfaction checking)]

I have no idea

SLIDE 41

Five other cool problems

  • 1. How to implement sticky policies?
  • 2. Can TN research give insights into distributed proof construction?
  • 3. Theoretical ABAC / TN issues (pick one)
  • 4. How to build a reputation system in a world without global identities?
  • 5. Can programming languages use TN?
SLIDE 42

How to implement sticky policies?

I have no idea.

SLIDE 43

TN has close ties to distributed proof construction

Logics, policy languages, strategies and proof tactics

Trust negotiation

  • Bonatti and Samarati (CCS 2000)
  • Yu, Winslett, and Seamons (TISSEC 2003)
  • Li and Mitchell (DISCEX 2003)
  • Becker and Sewell (POLICY 2004)
  • Bertino, Ferrari, Squicciarini (IEEE TKDE 2004)
  • Li, Li, and Winsborough (CCS 2005)
  • And many others…

Distributed proof construction

  • Bauer, Garriss, and Reiter (Oakland 2005)
  • Winslett, Zhang, and Bonatti (CCS 2005)
  • Minami and Kotz (JPMC 2005, Pervasive 2006)

SLIDE 44

Example distributed proof of authorization

[Diagram: the Querier P0 and principals P1 through P5. The proof of ?grant(adam, projector) is built from the sub-queries ?role(adam, presenter), ?loc(adam, 2124), ?own(adam, cell42) and ?loc(cell42, 2124), each answered true by the principal that holds the relevant facts]
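The proof above, as an added example (not from the talk or any of the systems it cites): a backward-chaining prover in Python in which every goal is routed to the principal that owns it, so the trace records which principal answered which sub-query. The assignment of facts and rules to P1 through P5 and the owner_of routing are assumptions.

```python
class Principal:
    """Holds the ground facts and rules this principal is authoritative for."""
    def __init__(self, name, facts=(), rules=()):
        self.name = name
        self.facts = set(facts)    # goals answered directly
        self.rules = list(rules)   # (head goal, [body goals]) pairs

def prove(goal, owner_of, trace):
    """Backward-chain `goal` = (predicate, arg1, arg2). The goal is handed to the
    principal that owns it; sub-goals it cannot settle locally are forwarded in turn.
    `trace` records (principal, goal, answer), the raw material for an explanation."""
    p = owner_of(goal)
    if goal in p.facts:
        trace.append((p.name, goal, True))
        return True
    for head, body in p.rules:
        if head == goal and all(prove(sub, owner_of, trace) for sub in body):
            trace.append((p.name, goal, True))
            return True
    trace.append((p.name, goal, False))
    return False

def projector_scenario(cell42_room=2124):
    # Assumed split: P1 grants, P2 assigns roles, P3 locates people, P4 knows who
    # owns which device, P5 locates devices. Facts/rules mirror the slide's queries.
    p1 = Principal("P1", rules=[(("grant", "adam", "projector"), [("role", "adam", "presenter")])])
    p2 = Principal("P2", rules=[(("role", "adam", "presenter"), [("loc", "adam", 2124)])])
    p3 = Principal("P3", rules=[(("loc", "adam", 2124),
                                 [("own", "adam", "cell42"), ("loc", "cell42", 2124)])])
    p4 = Principal("P4", facts=[("own", "adam", "cell42")])
    p5 = Principal("P5", facts=[("loc", "cell42", cell42_room)])   # constructed sensor reading
    by_predicate = {"grant": p1, "role": p2, "own": p4}
    owner_of = lambda g: by_predicate.get(g[0]) or (p5 if g[1] == "cell42" else p3)
    trace = []
    return prove(("grant", "adam", "projector"), owner_of, trace), trace
```

Moving cell42 to another room makes P5 answer false and the failure propagates back through P3, P2 and P1, which is exactly the chain an explanation tool would have to turn into words.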

SLIDE 45

Without concrete user identities, how can we build support services?

  • E.g., reputation, audit, collusion detection
  • Attribute certificates need not be bound to a particular identity

Observation: Each entity is described uniquely by the collection of credentials that she possesses

SLIDE 46

A Simple Pseudo-Identity

This is the same person…

[Diagram: credential sets CA1 through CA4 and CB1 through CB3; the subsets {CA1, CA4, CB1} and {CA1, CA2, CB1} presented in different interactions, with mismatched credentials marked X]

SLIDE 47

Virtual fingerprints are privacy-preserving pseudonyms

[Diagram: credentials C1, C2, C3, C4, …, Cn are each hashed to h(C1), h(C2), h(C3), h(C4), …, h(Cn); a description, d, is hashed and maps to a virtual fingerprint, f]

SLIDE 48

We can query reputation information associated with virtual fingerprints

[Diagram: a DB with rating collection and update; a query rQ passes through Selection and Aggregation and returns the reputation rQ]

  • Collection, update, and selection independent of aggregation
  • Improved reputation functions can be incorporated
  • Existing reputation models can now be used in ABAC systems
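Virtual fingerprints and the reputation query above, as an added example that is not part of the talk: a Python sketch that hashes each credential, derives the fingerprint f from the sorted hashes of a description d, and keeps rating collection and selection separate from aggregation. SHA-256, the domain-separation prefixes, the credential byte strings and the ReputationStore API are all assumptions.

```python
import hashlib
from collections import defaultdict
from statistics import mean

def h(cred: bytes) -> str:
    """Per-credential hash h(Ci); the credential itself is never stored."""
    return hashlib.sha256(b"cred|" + cred).hexdigest()

def virtual_fingerprint(description) -> str:
    """Map a description d (the credentials an entity presents) to its fingerprint f.
    The per-credential hashes are sorted so the order of disclosure does not matter."""
    digest = hashlib.sha256(b"fp|")
    for x in sorted(h(c) for c in set(description)):
        digest.update(x.encode())
    return digest.hexdigest()

class ReputationStore:
    """Ratings keyed by fingerprint. Collection/update and selection are independent
    of aggregation, so the reputation function can be swapped without re-collecting."""
    def __init__(self):
        self.ratings = defaultdict(list)     # f -> [(context, score)]

    def rate(self, description, context, score):            # collection and update
        self.ratings[virtual_fingerprint(description)].append((context, score))

    def select(self, description, context=None):             # selection
        rows = self.ratings.get(virtual_fingerprint(description), [])
        return [s for c, s in rows if context is None or c == context]

    def reputation(self, description, context=None, aggregate=mean):   # aggregation
        scores = self.select(description, context)
        return aggregate(scores) if scores else None

# Constructed credentials standing in for CA1, CA2, CA4, CB1 from the slides.
CA1, CA2, CA4, CB1 = b"CA1:issuer=A", b"CA2:issuer=A", b"CA4:issuer=A", b"CB1:issuer=B"

def demo():
    store = ReputationStore()
    store.rate([CA1, CA4, CB1], "purchasing", 5)
    store.rate([CB1, CA1, CA4], "purchasing", 3)   # same description, different order
    store.rate([CA1, CA2, CB1], "purchasing", 1)   # different description: different f
    return store.reputation([CA1, CA4, CB1], "purchasing"), store.reputation([CA1, CA2, CB1])
```

The pseudonym is only stable for the same description: an entity that presents a different subset of its credentials gets a different fingerprint, which is the privacy property but also means ratings do not carry over between the two.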

SLIDE 49

A theory problem: access decisions may not be “safe”

[Diagram: Bob of GeoTech requests access to the GeoTech DB, which asks “Ops group? Purchase > $10k? BBB?”. The Ops group, Purchase > $10k and BBB credentials come from APeC Ops and APeC Finance; each is checked (√) and access is granted, but one credential is marked X: Inconsistent State!]

SLIDE 50

Incremental evaluation of credential validity may not be enough

[Diagram: the decision maker’s View of the APeC Finance and APeC Ops credentials versus the Real World, where one of them has since been revoked (X) although it was valid when checked]

Similar consistency problems arise in other domains

SLIDE 51

Several possible levels of consistency

  • Incremental: credentials validated as they are received
  • Internal: credentials valid simultaneously at some time during protocol
  • Endpoint: credentials valid simultaneously at decision point
  • Interval: credentials valid from time received until decision point

[Diagram: the four levels arranged along an axis labelled Restrictiveness]
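The four consistency levels above, as an added example (not from the talk): Python checks for each level over a constructed negotiation run with integer timestamps, in which one credential is revoked after it was checked but before the decision is made, so the levels disagree. The timestamp model, the validity-interval fields and the sample run are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cred:
    name: str
    received: int     # time the credential was disclosed to the decision maker
    valid_from: int   # first time at which it is valid
    valid_until: int  # first time at which it is no longer valid (expired or revoked)

def valid_at(c, t):
    return c.valid_from <= t < c.valid_until

def incremental(creds, start, decision):
    """Each credential is validated only at the moment it is received."""
    return all(valid_at(c, c.received) for c in creds)

def internal(creds, start, decision):
    """All credentials valid simultaneously at some instant within [start, decision]."""
    lo = max([c.valid_from for c in creds] + [start])
    hi = min([c.valid_until for c in creds] + [decision + 1])
    return lo < hi

def endpoint(creds, start, decision):
    """All credentials valid at the decision point."""
    return all(valid_at(c, decision) for c in creds)

def interval(creds, start, decision):
    """Each credential valid continuously from its receipt until the decision point."""
    return all(valid_at(c, t) for c in creds for t in range(c.received, decision + 1))

def evaluate(creds, start, decision):
    """Verdict of every consistency level for one negotiation run."""
    return {f.__name__: f(creds, start, decision)
            for f in (incremental, internal, endpoint, interval)}

# Constructed run modelled on the GeoTech/APeC slide: Bob's Ops-group credential is
# revoked at t=5, after it was checked (t=1) but before the decision at t=7.
BOB_RUN = [
    Cred("ops_group", received=1, valid_from=0, valid_until=5),
    Cred("purchase_over_10k", received=2, valid_from=0, valid_until=10),
    Cred("bbb", received=6, valid_from=0, valid_until=10),
]
```

For BOB_RUN the incremental and internal checks accept while endpoint and interval reject, which is the inconsistent state the previous slides warn about.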

SLIDE 52

Internal consistency = transactional semantics

[Diagram: timeline from start to end of the negotiation]

Parties have no incentive to cooperate in the traditional transactional manner, but new implementation approaches can be used

SLIDE 53

In sum: my top 10 open problems for policy-based authorization

  • 1. Policy HCI
  • 2. Need for real-world feedback
  • 3. Policy analysis
  • 4. Vulnerability to attack
  • 5. Systems issues (especially integration of strategic decisions with the rest of the system)
  • 6.–10. Other fun stuff