scott d stoller
play

Scott D. Stoller Scott Stoller, Stony Brook University 1 Outline - PowerPoint PPT Presentation

Dec 16, 2022 •356 likes •1.2k views

Trust Management Scott D. Stoller Scott Stoller, Stony Brook University 1 Outline Introduction to Trust Management Rule-Based Trust Management Scott Stoller, Stony Brook University 2 Essential Features: Attributes and Relations Policy can

  1. Trust Management Scott D. Stoller Scott Stoller, Stony Brook University 1

  2. Outline Introduction to Trust Management Rule-Based Trust Management Scott Stoller, Stony Brook University 2

  3. Essential Features: Attributes and Relations Policy can use application-specific attributes and relations. Example: Nurses in the workgroup treating a patient can access the patient's medical record. Attributes: isNurse(employee) Relations: treatedBy(patient,workgroup). Encoding such policies as identity-based policies is impractical: potential users are not known to resource owners in advance dangerous: attributes can change In traditional RBAC, users are added to roles based on identity, not attributes. Scott Stoller, Stony Brook University 3

  4. Essential Features: Attributes and Relations Attributes and relations can be defined in terms of other attributes and relations. Example: Nurses in the workgroup treating a patient can access the patient's medical record. A nurse is in the workgroup if a manager assigned the nurse to it. This allows interactions that are essential in decentralized systems. Standard RBAC does not support this. Each role is defined independently (aside from inheritance). Example: RBAC does not support policies like role1.members = role2.members ∩ role3.members Scott Stoller, Stony Brook University 4

  5. Essential Features: Delegation Policy administration is completely decentralized at the top level. No globally-trusted administrators. No root of trust. Policies interact through delegation of authority: rely on others for attribute values, access control decisions, etc. Example: Hospitals, doctor's offices, insurance companies, and government agencies share information (medical, financial, and personnel records) and have limited trust. Example: Student discount at research conference. Conference trusts Dept of Education (U.S., etc.) about universities. It trusts each university about enrollment. Scott Stoller, Stony Brook University 5

  6. Delegation of Permissions Delegation of permissions: a principal with a permission can grant it to other principals (under some conditions). Example: President of bank delegates permission to approve loans to VP while the President is on vacation. Example: A gives B access to file. B gives access to C. Delegation of authority is more general. Trust for information as well as authorization decisions. Principals can delegate permissions they don’t have. Example: Office of Grants Management can grant faculty permission to approve expenditures from an account. OGM cannot approve expenditures itself. Scott Stoller, Stony Brook University 6

  7. Essential Features of Trust Management Each policy statement is associated with a principal, called its source or issuer. Each principal's policy specifies which sources it trusts for which kinds of statements, thereby delegating some authority to those sources. Policies may refer to domain-specific attributes of and relationships between principals, resources, and other objects. Example: Acme Hospital says “ doc can access pat's medical record if AMA says doc is a licensed doctor and pat says doc is treating him." (patient consent) Scott Stoller, Stony Brook University 7

  8. Outline Intro to Trust Management Rule-Based Trust Management Scott Stoller, Stony Brook University 8

  9. Simple Rule-Based Trust Management Language Essentially Datalog. Start simple. Extend later. Atom: issuer.relation(arguments) Argument: constant, variable, or constant(arguments) Relation names and variables start with lowercase. Constants start with uppercase. Restrict the use of arguments so constants have bounded depth. In other words, allow tuples, not lists. Rule: atom :- atom1, atom2, ... If atom1 and atom2 and … hold, then atom holds. Fact: a rule with no hypotheses. Policy: a collection of facts and rules. Scott Stoller, Stony Brook University 9

  10. Simple Trust Management Language: Example By convention, issuer.allow(principal, operation(resource)) means issuer authorizes principal to perform operation on resource. This notation is similar to [Becker+ 2004]. The default issuer of an atom in a rule is the owner of the policy database containing the rule. Acme Hospital says “ doc can access pat's medical record if AMA says doc is a licensed doctor and pat says doc is treating him." AcmeHospital.allow(doc, Read(EPR(pat)) :- AMA.doctor(doc), pat.consentToTreatment(doc). Scott Stoller, Stony Brook University 10

  11. Simple Trust Management Language: Example SUNY says its employees can read the campus directory. SUNY.allow(e, Read(Directory)) :- SUNY.employee(e) SUNY says X is a SUNY employee if a SUNY campus says X is a campus employee. SUNY.employee(e) :- SUNY.campus(c), c.employee(e) In this example, the conclusion of a rule is used as a premise of another rule. Variables that appear in premises and not in the conclusion are, in effect, existentially quantified. Scott Stoller, Stony Brook University 11

  12. Compliance Checking: Goal-Directed Alg. Boolean derivable(goal) for each rule r and substitution σ s.t. σ (r.conclusion)=goal for each premise p of r if derivable( σ (p)) continue; // try next premise else break; // this rule failed; try next rule return true // we proved the goal using this rule // no rule succeeded return false Scott Stoller, Stony Brook University 12

  13. Proof of Compliance The goal-directed algorithm can easily be extended to provide a proof that the goal is derivable. A proof is a tree formed from instantiated rules, with facts from the policy at the leaves, and with the goal at the root. a121 a122 a12 a12 a21 a1 a2 goal Scott Stoller, Stony Brook University 13

  14. Goal-Directed Algorithm: Tabling The simple goal-directed algorithm on previous slide may: re-derive the same goal many times Example: a12 and a21 could be the same. diverge on recursive policies Goal-directed evaluation with tabling: Cache all derived goals. Look in the cache for an existing goal that unifies with the new goal before attempting to derive the new goal. Scott Stoller, Stony Brook University 14

  15. Outline Introduction and Motivation Design Issues and Features Re-Delegation External Data Proof Search Separation of Duty Credential Gathering Separation of Privilege Policy Changes Roles Trust Negotiation Global and Local Names Constraints Trust Management Frameworks Sample Application Domains Scott Stoller, Stony Brook University 15

  16. Re-Delegation If A delegates a permission to B, can B re-delegate it to C? Example: Conference’s policy for reviewing papers A PC member can submit a review of a paper. allow(pcmem, Submit(Review(p))) :- PCmember(pcmem) A PC member can designate a subreviewer. allow(subrev, Submit(Review(p))) :- PCmember(pcmem), pcmem.subreviewer(subrev) Can subreviewer S1 delegate to sub-sub-reviewer S2? No. S1.subreviewer(S2) doesn’t work, because Conf.PCmember(S1) doesn't hold. S2 could write S1’s review, though. Scott Stoller, Stony Brook University 16

  17. Re-Delegation Re-delegation is allowed if relations are defined recursively. Conf: allow(rev, Submit(Review(p))) :- PCmember(rev) If rev can submit review, rev can designate subreviewer. allow(subrev, Submit(Review(p))) :- allow(rev, Submit(Review(p))), rev.allow(subrev, Submit(Review(p))) This allows delegation chains of arbitrary length. To allow delegation chains up to a specified length, use a subreviewer relation parameterized by the allowed delegation depth. Scott Stoller, Stony Brook University 17

  18. In compliance checking, who searches for proof? Resource owner, i.e., the policy enforcement mechanism Example: medical records database server Requester (needs resource owner's policy) [Bauer+05] Appropriate for embedded devices Example: Lock with Bluetooth on Mike's office door. The lock’s policy is: allow(e, Open()) :- Mike.allow(e, Open(OfficeDoor)) e's cell phone needs to present a proof of Mike.allow(e,Open(OfficeDoor)). The cell phone can communicate with Mike and his delegatees. The lock can't. Scott Stoller, Stony Brook University 18

  19. Credential Gathering Credential: signed certificate containing a policy statement, usually a fact (in some systems, a fact or rule). To import a credential [iss.r(args)] signed by K: if K is iss ’s key, and the signature is valid, then add iss.r(args) to the policy; otherwise, the credential is invalid. Compliance checking requires credentials for all subgoals with remote issuers. Example: AcmeHospital.allow(doc, Read(EPR(pat)) :- AMA.doctor(doc), pat.consentToTreatment(doc). Scott Stoller, Stony Brook University 19

  20. Where To Get Credentials? From issuer Example: request AMA.doctor(doc) from AMA From requester Example: request AMA.doctor(doc) from doc doc may have it or may request it from AMA. From a location specified in the policy (instead of hard- coding the decision in the evaluation algorithm). Details on the next slide. Scott Stoller, Stony Brook University 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Testing Concurrent Java Programs Using Randomized Scheduling Scott D. Stoller Computer Science

Testing Concurrent Java Programs Using Randomized Scheduling Scott D. Stoller Computer Science

Testing Concurrent Java Programs Using Randomized Scheduling Scott D. Stoller Computer Science Department State University of New York at Stony Brook http://www.cs.sunysb.edu/stoller/ 1 Goal Pillars of Run-Time Verification monitoring :

208 views • 18 slides
Domain Partitioning for Open Reactive Systems Scott D. Stoller Computer Science Department

Domain Partitioning for Open Reactive Systems Scott D. Stoller Computer Science Department

Domain Partitioning for Open Reactive Systems Scott D. Stoller Computer Science Department State University of New York at Stony Brook http://www.cs.sunysb.edu/stoller/ 1 The Problem Consider open reactive system with typed method-call

438 views • 17 slides
Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer

Policy Analysis for Security-Enhanced Linux Beata Sarna-Starosta and Scott D. Stoller Computer Science Department State University of New York at Stony Brook http://www.cs.sunysb.edu/stoller/ 1 Security-Enhanced Linux (SELinux) SELinux =

695 views • 21 slides
Optimistic Synchronization-Based State-Space Reduction Scott D. Stoller State University of New

Optimistic Synchronization-Based State-Space Reduction Scott D. Stoller State University of New

Optimistic Synchronization-Based State-Space Reduction Scott D. Stoller State University of New York at Stony Brook Ernie Cohen Microsoft 1 Coarsening the Granularity of Transitions Each transition of reduced (coarse-grained) system R ( S )

195 views • 16 slides
Invariants in Distributed Algorithms Y. Annie Liu, Scott D. Stoller Computer Science Department

Invariants in Distributed Algorithms Y. Annie Liu, Scott D. Stoller Computer Science Department

Invariants in Distributed Algorithms Y. Annie Liu, Scott D. Stoller Computer Science Department Stony Brook University joint work with Saksham Chand, Bo Lin, and Xuetian Weng Distributed algorithms and correctness distributed systems:

773 views • 39 slides
Wave-U-Net A Multi-Scale Neural Network for End-to-End Audio Source Separation DANIEL STOLLER 1 ,

Wave-U-Net A Multi-Scale Neural Network for End-to-End Audio Source Separation DANIEL STOLLER 1 ,

Wave-U-Net A Multi-Scale Neural Network for End-to-End Audio Source Separation DANIEL STOLLER 1 , SEBASTIAN EWERT 2 , SIMON DIXON 1 1 QUEEN MARY UNIVERSITY OF LONDON 2 SPOTIFY Motivation Task: Audio source separation Example: Singing voice

856 views • 7 slides
Jointly Detecting and Separating Singing Voice: A Multi-Task Approach Daniel Stoller 1 , Sebastian

Jointly Detecting and Separating Singing Voice: A Multi-Task Approach Daniel Stoller 1 , Sebastian

Jointly Detecting and Separating Singing Voice: A Multi-Task Approach Daniel Stoller 1 , Sebastian Ewert 2 , Simon Dixon 1 1 Centre for Digital Music Queen Mary University of London 2 Spotify London LVA ICA 05.07.2018 Work was conducted

531 views • 34 slides
Fast, Scalable Disk Imaging with Frisbee University of Utah Mike Hibler, Leigh Stoller, Jay

Fast, Scalable Disk Imaging with Frisbee University of Utah Mike Hibler, Leigh Stoller, Jay

Fast, Scalable Disk Imaging with Frisbee University of Utah Mike Hibler, Leigh Stoller, Jay Lepreau, Robert Ricci, Chad Barb 1 Key Points Frisbee clones whole disks from a server to many clients using multicast ! Fast " 34 seconds for

494 views • 35 slides
Automotive Systems Presse- und Finanzanalystenreise 24./25.09.03 Erwin Stoller CEO, Rieter

Automotive Systems Presse- und Finanzanalystenreise 24./25.09.03 Erwin Stoller CEO, Rieter

Automotive Systems Presse- und Finanzanalystenreise 24./25.09.03 Erwin Stoller CEO, Rieter Automotive Systems Agenda Geschftsgang 01 Strategie 02 Ausblick 03 Presse- und Analystenreise 2003 24./25.09.03 / Sto/JW 2 Rieter Automotive

494 views • 34 slides
Knit: Component Composition for Systems Software Alastair Reid, Matthew Flatt, Leigh Stoller,

Knit: Component Composition for Systems Software Alastair Reid, Matthew Flatt, Leigh Stoller,

Knit: Component Composition for Systems Software Alastair Reid, Matthew Flatt, Leigh Stoller, Jay Lepreau, Eric Eide University of Utah Knit 1 Why Components? Everyone is writing too much code Not enough code reuse Hard to

744 views • 30 slides
Rieter Automotive Systems Presentation by Erwin Stoller CEO Rieter Automotive Systems Sept. 30

Rieter Automotive Systems Presentation by Erwin Stoller CEO Rieter Automotive Systems Sept. 30

Rieter Automotive Systems Presentation by Erwin Stoller CEO Rieter Automotive Systems Sept. 30 / Oct. 1, 2004 Presse- und Finanzanalystenreise 30.9.04 1 Rieter Automotive Systems Agenda 1. Market Development Markets, Products,

542 views • 29 slides
Facilities Master Plan Update COCC Board of Directors June 14, 2017 Mark Stoller Opsis

Facilities Master Plan Update COCC Board of Directors June 14, 2017 Mark Stoller Opsis

Facilities Master Plan Update COCC Board of Directors June 14, 2017 Mark Stoller Opsis Architects Matt McCoy COCC VP for Administration Planning Context Campus Master Plan Process Visioning Purpose: Bridging the Gap External Analysis

291 views • 16 slides
Incrementalization Across Object Abstraction Y. Annie Liu Computer Science Department State

Incrementalization Across Object Abstraction Y. Annie Liu Computer Science Department State

Incrementalization Across Object Abstraction Y. Annie Liu Computer Science Department State University of New York at Stony Brook joint work with Scott Stoller, Michael Gorbovitski, Tom Rothamel, and Ellen Liu 1 Object abstraction

420 views • 27 slides
Efficient Runtime Invariant Checking: A Framework and Case S tudy Michael Gorbovitski Y. Annie

Efficient Runtime Invariant Checking: A Framework and Case S tudy Michael Gorbovitski Y. Annie

Efficient Runtime Invariant Checking: A Framework and Case S tudy Michael Gorbovitski Y. Annie Liu Tom Rothamel Scott D. Stoller Computer Science Department State University of New York at Stony Brook Invariants An invariant is a predicate

532 views • 17 slides
SCOTT RIT-PAC III Objectives Describe the SCOTT RIT-PAC III and its components

SCOTT RIT-PAC III Objectives Describe the SCOTT RIT-PAC III and its components

SCOTT RIT-PAC III Objectives Describe the SCOTT RIT-PAC III and its components Daily check and inspection Basic Operation List and describe the options you have with the low pressure side of the pack Describe and

399 views • 38 slides
Integrated Scientific Workflow Management for the Emulab Network Testbed Eric Eide Eide , Leigh

Integrated Scientific Workflow Management for the Emulab Network Testbed Eric Eide Eide , Leigh

Integrated Scientific Workflow Management for the Emulab Network Testbed Eric Eide Eide , Leigh Eric , Leigh Stoller Stoller, , Tim Stack, Juliana Freire Freire, , Tim Stack, Juliana and Jay Lepreau Lepreau and Jay University of Utah,

430 views • 17 slides
Simo Sorce Red Hat, Inc. Red Hat Enterprise IPA, Technical Notes What is IPA ? IPA stands for:

Simo Sorce Red Hat, Inc. Red Hat Enterprise IPA, Technical Notes What is IPA ? IPA stands for:

Simo Sorce Red Hat, Inc. Red Hat Enterprise IPA, Technical Notes What is IPA ? IPA stands for: Identity, Policy, Audit IPA is about managing user/machine identities and related security policies IPA v1 is focused around solving the problem of

487 views • 23 slides
WordPress Day 2 1 Day 1 Review Describe the difference between a static website, a dynamic

WordPress Day 2 1 Day 1 Review Describe the difference between a static website, a dynamic

TWD 25 WordPress Day 2 1 Day 1 Review Describe the difference between a static website, a dynamic website, and a content management system. Describe the layers of a CMS like WordPress. Compare basic aspects of the most used content

1.23k views • 89 slides
Creating Web Farms with Linux (Linux High Availability and Scalability) Horms (Simon Horman)

Creating Web Farms with Linux (Linux High Availability and Scalability) Horms (Simon Horman)

Creating Web Farms with Linux (Linux High Availability and Scalability) Horms (Simon Horman) horms@verge.net.au October 2000 http://verge.net.au/linux/has/ http://ultramonkey.sourceforge.net/ Introduction: In the Begining May 1998:

670 views • 56 slides
Beyond LSP Getting Your Language into Theia and VS Code Dr. Jan Khnlein @jankoehnlein The

Beyond LSP Getting Your Language into Theia and VS Code Dr. Jan Khnlein @jankoehnlein The

Beyond LSP Getting Your Language into Theia and VS Code Dr. Jan Khnlein @jankoehnlein The Goal Custom domain-specific language Rich text editor support With diagram support as VS Code Extension! 2 VS Code... Isn't this

625 views • 39 slides
HTTP Parameter Pollution Vulnerabilities in Web Applications @ BlackHat Europe 2011 @ Marco

HTTP Parameter Pollution Vulnerabilities in Web Applications @ BlackHat Europe 2011 @ Marco

HTTP Parameter Pollution Vulnerabilities in Web Applications @ BlackHat Europe 2011 @ Marco embyte Balduzzi embyte(at)madlab(dot)it http://www.madlab.it Contents 1 Introduction 2 2 HTTP Parameter Pollution Attacks 3 2.1 Parameter

461 views • 19 slides
Environment Analysis of Higher-Order Languages Matthew Might Georgia Institute of Technology 7

Environment Analysis of Higher-Order Languages Matthew Might Georgia Institute of Technology 7

Environment Analysis of Higher-Order Languages Matthew Might Georgia Institute of Technology 7 June 2007 1 Thesis Environment analysis is feasible and useful for higher-order languages. 2 Points Environment analysis is feasible :

1.91k views • 166 slides
The California Consumer Privacy Act and Impact for Network Measurement and Research Scott Jordan

The California Consumer Privacy Act and Impact for Network Measurement and Research Scott Jordan

The California Consumer Privacy Act and Impact for Network Measurement and Research Scott Jordan University of California, Irvine Who has responsibilities? CCPA (California) GDPR (Europe) business: controller: for

459 views • 16 slides
Policy Advisory Committee 17 April 2018 Meeting - PAC # 15 1 Policy Advisory Committee - Agenda

Policy Advisory Committee 17 April 2018 Meeting - PAC # 15 1 Policy Advisory Committee - Agenda

Policy Advisory Committee 17 April 2018 Meeting - PAC # 15 1 Policy Advisory Committee - Agenda 6. Policy changes arising from the introduction of GDPR 1. Apologies (absentees) a. Privacy Policy 2. Minutes of the Meeting of PAC # 14

710 views • 34 slides

More recommend