xacml function annotations
play

XACML Function Annotations Prathima Rao Dan Lin Elisa Bertino - PowerPoint PPT Presentation

Nov 21, 2023 •212 likes •341 views

Department of Computer Sciences XACML Function Annotations Prathima Rao Dan Lin Elisa Bertino IEEE POLICY 2007 Department of Computer Sciences XACML OASIS standard for specifying access control policies in enterprise systems. XML

  1. Department of Computer Sciences XACML Function Annotations Prathima Rao Dan Lin Elisa Bertino IEEE POLICY 2007

  2. Department of Computer Sciences XACML • OASIS standard for specifying access control policies in enterprise systems. – XML based. • Need for efficient policy management. – Several analysis techniques • Similarity analysis – Relation between sets of permitted(denied) requests of policies. • Policy Ratification [1] – conflict detection, dominance check, coverage check etc. IEEE POLICY 2007

  3. Department of Computer Sciences Motivation • Policy analysis techniques often need to abstract a policy as a Boolean expression. • Example : <?xml version=“1.0” encoding=“UTF-8”?> <Policy PolicyId=“Bill-Policy” RuleCombiningAlgId=“permit-overrides”> <Rule RuleId=“R1” Effect=“Permit”> <Condition> <Apply FunctionId=“xacml:1.0:function:string-at-least-one-member-of”> E-Mail == .gov || <SubjectAttributeDesignator AttributeId=“E-Mail” Datatype=“#string”/> E-Mail == .edu <Apply FunctionId=“xacml:1.0:function:string-bag”> <AttributeValue Datatype=“#string”> .gov </AttributeValue> <AttributeValue Datatype=“#string”> .edu </AttributeValue> </Apply> </Apply> </Condition></Rule></Policy> IEEE POLICY 2007

  4. Department of Computer Sciences Motivation • XACML uses functions to express conditions on request attributes. – Not straightforward to abstract these functions into boolean expressions. – Need to know the behavioral semantics of these functions. – Standard XACML functions • Manually map each function to a boolean expression – User-defined XACML functions • Unknown semantics Need for a technique to explicitly convey the function semantics. IEEE POLICY 2007

  5. Department of Computer Sciences Annotation Syntax • <Annotation></Annotation> – AnnotationId attribute ~ FunctionId • <Operand></Operand> <Annotation AnnotationId = – Denotes function parameter “string-at-least-one-member-of”> – Datatype and Value attributes <Bi-Term> • <Uni-Operator></Uni-Operator> <Operand Datatype=“#string- – Unary operators -, ~ ..etc. bag” value = “&Param_1” /> • <Bi-Operator></Bi-Operator> <Bi-Operator> belongsto </Bi- – Binary operators including arithmetic (+, -, %, Operator> ..), logical (||, &), set (intersect, union, <Operand Datatype=“#string- belongsto..). bag” value = “&Param_2” /> • <Uni-Term></Uni-Term> </Bi-Term> – Term with one operand </Annotation> • <Bi-Term></Bi-Term> – Term with two operands • <Boolean-Form></Boolean-Form> – Boolean formula IEEE POLICY 2007

  6. Department of Computer Sciences Annotation Framework XACML POLICIES ANNOTATED P1 P2 Pn FUNCTION REPOSITORY ANNOTATION VERIFIER ANNOTATION MODULE FORMAT ANNOTATION SPECIFICATION INTERPRETER EXTERNAL XACML BOOLEAN FORMULAE POLICY ANALYSIS TOOL B1 B2 Bn IEEE POLICY 2007

  7. Department of Computer Sciences Annotation Example INPUT XACML POLICY ANNOTATION REPOSITORY <?xml version=“1.0” encoding=“UTF-8”?> <Annotation AnnotationId = <Annotation AnnotationId = <Policy PolicyId=“Bill-Policy” “string-at-least-one-member-of”> “string-at-least-one-member-of”> RuleCombiningAlgId=“permit-overrides”> <Bi-Term> <Rule RuleId=“R1” Effect=“Permit”> <Bi-Term> <Condition> <Operand Datatype=“#string- <Operand Datatype=“#string- bag” value = “&Param_1” /> <Apply FunctionId=“xacml:1.0:function:string- bag” value = {“E-Mail”} /> at-least-one-member-of”> <Bi-Operator> belongsto </Bi- <Bi-Operator> belongsto </Bi- <SubjectAttributeDesignator AttributeId=“E-Mail” Operator> Operator> Datatype=“#string”/> <Operand Datatype=“#string- <Apply <Operand Datatype=“#string- FunctionId=“xacml:1.0:function:string-bag”> bag” value = “&Param_2” /> bag” value = {“.gov”, “.edu”} /> <AttributeValue </Bi-Term> Datatype=“#string”> .gov </Bi-Term> </AttributeValue> </Annotation> </Annotation> <AttributeValue Datatype=“#string”> .edu </AttributeValue> </Apply> </Apply> </Condition></Rule></Policy> <Boolean-Form> E-Mail == .gov || E-Mail == .edu </Boolean-Form> IEEE POLICY 2007

  8. Department of Computer Sciences Annotation Consistency Verification • Policy analysis can be negatively influenced by incorrect annotations. – Need to verify consistency between annotation and associated functions. – Translate annotations to JML [2] post-conditions and use existing tools (JACK [3] ) to perform verification. • JML is a behavioral annotation language for Java methods and classes. – Use tools like WHY [4] . IEEE POLICY 2007

  9. Department of Computer Sciences Conclusions • Proposed an annotation framework for XACML policies. – Enhance policy documentation – Supplement policy analysis • Annotation syntax can express several categories of Boolean expressions that can be handled by state of the art policy analysis techniques. • Future Work – Extend support for XPATH functions IEEE POLICY 2007

  10. Department of Computer Sciences References • [1] Policy Ratification, Dakshi Agrawal, James Giles, Kang-Wong Lee, Jorge Lobo, POLICY 2005. • [2] JML: A notation for detailed design, Gary T. Leavens, Albert L. Baker and Clyde Ruby, Specifications of Businesses and Systems, 1999. • [3] Jack : Java applet correctness kit, L. Burdy and A. Requet, GDC 2002. • [4] The Why Certification Tool, J. C. Filliatre, http://why.lri.fr/. IEEE POLICY 2007

  11. Department of Computer Sciences Thank you ! IEEE POLICY 2007

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling

XACML-Grid and XACML-NRP Attributes and Policy Profiles and Policy Obligations Handling Overview by Yuri Demchenko On behalf of OSG/EGEE AuthZ Interoperability WG and Phosphorus project SNE Group, University of Amsterdam TF-EMC2 Meeting 3

633 views • 50 slides
XACML and Role-Based Access Control Jason Crampton Royal Holloway, University of London DIMACS

XACML and Role-Based Access Control Jason Crampton Royal Holloway, University of London DIMACS

XACML and Role-Based Access Control Jason Crampton Royal Holloway, University of London DIMACS Workshop on Secure Web Services and e-Commerce XACML and RBAC/Introduction Jason Crampton Programme Examine the XACML standard and the XACML RBAC

499 views • 32 slides
XACML eXtensible Access Control Markup Language Dennis Kafura Derived from materials authored

XACML eXtensible Access Control Markup Language Dennis Kafura Derived from materials authored

XACML eXtensible Access Control Markup Language Dennis Kafura Derived from materials authored by: Hal Lockhart Entegrity Solutions and OASIS XACML Draft Standard CS 6204, Spring 2005 1 2 Dataflow Model From: OASIS XACML Specification

929 views • 16 slides
1 Reflection on code annotations Classification of Code Annotations (1) Code annotations may

1 Reflection on code annotations Classification of Code Annotations (1) Code annotations may

SW Development and WCET analysis for real-time applications SW is mostly written in imperative programming Classifications of Code languages Annotations and Discussion of Trend: graphical interfaces like state charts Compiler-Support

361 views • 3 slides
From Open Annotations to W3C Web Annotations (and the impact on IIIF Presentation API 3.0)

From Open Annotations to W3C Web Annotations (and the impact on IIIF Presentation API 3.0)

From Open Annotations to W3C Web Annotations (and the impact on IIIF Presentation API 3.0) Simeon Warner (Cornell University) https://orcid.org/0000-0002-7970-7855 much input from Rob Sanderson (J. Paul Getty Trust)

340 views • 14 slides
8 JDT embraces Type Annotations JDT embraces Type Annotations Java 8 ready Stephan Herrmann GK

8 JDT embraces Type Annotations JDT embraces Type Annotations Java 8 ready Stephan Herrmann GK

8 8 JDT embraces Type Annotations JDT embraces Type Annotations Java 8 ready Stephan Herrmann GK Software 8 Eclipse and Java 8 Java 8 features supported: JSR308 - Type Annotations. JEP120 - Repeating Annotations. JEP118 -

745 views • 35 slides
@:annotations Aviral Goel, Jan Vitek, Petr Maj Use-case: Argument checking mean.default &lt;-

@:annotations Aviral Goel, Jan Vitek, Petr Maj Use-case: Argument checking mean.default &lt;-

@:annotations Aviral Goel, Jan Vitek, Petr Maj Use-case: Argument checking mean.default &lt;- function(x, trim = 0, na.rm = FALSE, ...) { if( !is.numeric(x)&amp;&amp;!is.complex(x)&amp;&amp;!is.logical(x) ) { warning(&quot;...not

955 views • 25 slides
XACML, ABAC, Privacy preserving access-controls Oleksandr

XACML, ABAC, Privacy preserving access-controls Oleksandr

XACML, ABAC, Privacy preserving access-controls Oleksandr Bodriagov School of Computer Science and Communica9on KTH - The Royal Ins9tute of

509 views • 25 slides
DEVELOPMENT OF A NEW POLICY EVALUATION PROCEDURE FOR XACML Jorian van Oostenbrugge

DEVELOPMENT OF A NEW POLICY EVALUATION PROCEDURE FOR XACML Jorian van Oostenbrugge

DEVELOPMENT OF A NEW POLICY EVALUATION PROCEDURE FOR XACML Jorian van Oostenbrugge Supervisor: Fatih Turkmen August 19, 2016 System and Network Engineering University of Amsterdam WHY Customer data more and more valuable Data stored

565 views • 20 slides
Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri

Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri

Using SAML and XACML for Complex Resource Provisioning in Grid based Applications Yuri Demchenko, Leon Gommans, Cees de Laat System and Network Engineering Group University of Amsterdam POLICY2007 Workshop 13-15 June 2007, Bologna Outline

532 views • 25 slides
Web Annotations Building the Experience Annotation An annotation is something added. It is not

Web Annotations Building the Experience Annotation An annotation is something added. It is not

Web Annotations Building the Experience Annotation An annotation is something added. It is not the primary content, or even the secondary content. It is the association. Annotation (cont.) Annotations exist already - Links - Block quotes

452 views • 14 slides
MODELLING AND EXCHANGING ANNOTATIONS FOR EUROPEANA PROJECTS Hugo Manguinhas, Antoine Isaac,

MODELLING AND EXCHANGING ANNOTATIONS FOR EUROPEANA PROJECTS Hugo Manguinhas, Antoine Isaac,

MODELLING AND EXCHANGING ANNOTATIONS FOR EUROPEANA PROJECTS Hugo Manguinhas, Antoine Isaac, Valentine Charles, Sergiu Gordea, Maarten Brinkerink, Alessio Piccioli, Breandn Knowlton SWIB15: Semantic Web in Libraries Why are annotations

465 views • 17 slides
CrowdTruth Metrics for Capturing Ambiguity Interlinking Workers, Annotations and Input Data

CrowdTruth Metrics for Capturing Ambiguity Interlinking Workers, Annotations and Input Data

CrowdTruth Metrics for Capturing Ambiguity Interlinking Workers, Annotations and Input Data Traditional Humans provide annotations establishing the ground Human truth = the correct output for each example (the gold standard ) Annotation

317 views • 10 slides
Extending XACML Authorisation Model to Support Policy Obligations Handling in Distributed

Extending XACML Authorisation Model to Support Policy Obligations Handling in Distributed

Extending XACML Authorisation Model to Support Policy Obligations Handling in Distributed Applications Yuri Demchenko SNE Group, University of Amsterdam On behalf of Y. Demchenko, C. de Laat, O. Koeroo, H. Sagehaug MGC 2008 - 6th

488 views • 31 slides
Poselets: Body Part Detectors Trained Using 3D Human Pose Annotations Lubomir Bourdev and

Poselets: Body Part Detectors Trained Using 3D Human Pose Annotations Lubomir Bourdev and

Poselets: Body Part Detectors Trained Using 3D Human Pose Annotations Lubomir Bourdev and Jitendra Malik Experiments Presented by Randall Smith Friday, November 2, 12 1 Outline Introduction Dataset Overview Annotations

733 views • 52 slides
Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado

Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado

Using XACML for access control in Social Networks Anna Carreras, Eva Rodrguez, Jaime Delgado Distributed Multimedia Applications Group (DMAG) Universitat Politcnica de Catalunya (UPC) W3C Workshop on Access Control Application Scenarios

712 views • 24 slides
Lecture 29 Log into Linux. Copy files on csserver from /home/hwang/cs215/lecture29/*.*

Lecture 29 Log into Linux. Copy files on csserver from /home/hwang/cs215/lecture29/*.*

Lecture 29 Log into Linux. Copy files on csserver from /home/hwang/cs215/lecture29/*.* Reminder: Project 5 and Homework 7 are due on Wednesday. Questions? Monday, November 1 CS 215 Fundamentals of Programming II - Lecture 29 1

362 views • 19 slides
Operators Lecture 3 COP 3014 Fall 2020 September 1, 2020 Operators Special built-in symbols

Operators Lecture 3 COP 3014 Fall 2020 September 1, 2020 Operators Special built-in symbols

Operators Lecture 3 COP 3014 Fall 2020 September 1, 2020 Operators Special built-in symbols that have functionality, and work on operands operand an input to an operator Arity - how many operands an operator takes unary

456 views • 14 slides
Busy Developer's Guide to Building A Virtual Machine Ted Neward Neward &amp; Associates

Busy Developer's Guide to Building A Virtual Machine Ted Neward Neward &amp; Associates

Busy Developer's Guide to Building A Virtual Machine Ted Neward Neward &amp; Associates http://www.tedneward.com | ted@tedneward.com Objectives Building a virtual machine understanding a VM can come from building one so let's build

288 views • 26 slides
Agenda APT demo (what is the Green Dance?) Pancakes How to hand-in Types and values

Agenda APT demo (what is the Green Dance?) Pancakes How to hand-in Types and values

Agenda APT demo (what is the Green Dance?) Pancakes How to hand-in Types and values in detail Eclipse demo 1/14/2013 CompSci101 Peter Lorensen 1 How to teach pancake flipping http://www.youtube.com/watch?v=W_gxLKSsSIE

403 views • 11 slides
CS 162 Intro to Programming II Operator Overloading 1

CS 162 Intro to Programming II Operator Overloading 1

CS 162 Intro to Programming II Operator Overloading 1 11.6 Operator Overloading Operators such as = , + , and others can be redefined for use with objects of a class The name of the function for

240 views • 12 slides
1 The EiffelMath routine Naming (classes, features, variables) Traditional advice (for

1 The EiffelMath routine Naming (classes, features, variables) Traditional advice (for

Operands and options Programming in the Large Bertrand Meyer Lesson 18 Two possible kinds of argument to a feature: Operands: values on which feature will operate. Options: modes that govern how feature will operate. Example: printing a

341 views • 4 slides
Assignment II: Calculator Brain Objective In this assignment, youre going to push your

Assignment II: Calculator Brain Objective In this assignment, youre going to push your

CS193P IOS APPLICATION DEVELOPMENT WINTER 2017 Assignment II: Calculator Brain Objective In this assignment, youre going to push your calculators capabilities a bit further by allowing a variable as an input to the calculator and

94 views • 8 slides
Intermediate Representation Construction in a Nutshell Christoph Mallon and Johannes Doerfert

Intermediate Representation Construction in a Nutshell Christoph Mallon and Johannes Doerfert

Intermediate Representation Construction in a Nutshell Christoph Mallon and Johannes Doerfert 18. Dezember 2015 1 / 17 Code Generation for Expresssions = y + x 1 Do not evaluate expression Create code , which, when run , evaluates

628 views • 17 slides

More recommend