Access Control Policy Translation and Verification Within Heterogeneous Data Federations Gregory Leighton Denilson Barbosa University of Alberta June 11, 2010


Page 1:

Access Control Policy Translation and Verification Within Heterogeneous Data Federations

Gregory Leighton, Denilson Barbosa
University of Alberta
June 11, 2010

Page 2:

Outline
• Problem setting, challenges, and background
• Access control policy translation
• Verification of translated access control policies
  – Static analysis
  – Dynamic analysis
• Expressing translated policies in XACML
• Open issues & future work

June 11, 2010 ACP Translation/Verification Within Heterogeneous Data Federations 2

Page 3:

PROBLEM SETTING, CHALLENGES, & BACKGROUND

Page 4:

Problem Setting

Figure: n heterogeneous data sources publishing into one federation. Data Source 1 holds a relation with attributes (Patient, SSN) and tuples (A. Smith, 123456789) and (B. Wilson, 345897567); Data Source n holds a relation with attributes (Pname, SSN, Age) and tuples (F. Brown, 225467987, 23) and (C. Murray, 514376845, 65). Both are exposed as one XML tree:

patients
  patient: name “A. Smith”, ssn “123456789”
  patient: name “B. Wilson”, ssn “345897567”
  patient: name “C. Murray”, ssn “514376845”, age “65”

Each data source i exposes its contents through a publishing function: a contract specifying how relational database contents are exposed as XML to the larger data federation.

Each data source also has an access control policy Ai defined over the local database (A1, …, An).

Each data source also defines an identity mapping function I, specifying an assignment of each local user to one or more federated identities.

Page 5:

Challenges
• Individual data sources are often independently maintained
  – Each ACP is defined over a set of local identities
  – Need a centralized user authentication system capable of translating local identities into federated identities valid across the federation, without violating the need-to-know principle
• Many access control models for relational and XML data already exist… but translating from one to the other must be done manually and is non-trivial due to several factors
  – “Real world” relational ACPs can be very large (hundreds of rules defined over a large set of database objects)
  – The hierarchical nature of XML introduces extra difficulties (when is it appropriate for permissions to be propagated from a parent node to a child?)
  – Combining ACPs originating from different data sources can lead to policy conflicts

Page 6:

XML Publishing Transducers
• We represent the publishing function as a publishing transducer (Fan et al. 2007), a 4-tuple whose components are
  – Q, a set of states;
  – Σ, a finite tag alphabet;
  – q0, the designated start state, associated with the root tag r;
  – a finite set of transduction rules.
• Transduction rules are of the form
  (q, a) → (q1, a1, query1(x1; y1)), …, (qk, ak, queryk(xk; yk))
  where the states are drawn from Q, the tags from Σ, and each queryi is a query on D and/or the local node register, written in one of three languages: conjunctive queries (=, ≠), first-order queries (=), or inflationary fixpoint queries (=).

Page 7:

Figure: applying a publishing transducer to a patients relation.

Relation patients:
  ssn         name   age
  123456789   Carol  31
  197453163   Doug   45

Resulting tree, each node labelled with its (state, tag) pair; the (q1,patient) node's local register holds one tuple (123456789, Carol, 31) and its leaves hold the individual values:
  (q0,patients)
    (q1,patient)
      (q1,@ssn) 123456789
      (q1,name) Carol
      (q1,age) 31
    (q1,patient)
      (q1,@ssn) 197453163
      (q1,name) Doug
      (q1,age) 45

Transduction Rule:
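The transduction on this slide, as an added Python example (not code from the talk or the paper): a tiny publishing transducer whose rules are ordinary functions returning the right-hand side of a rule, a materialization loop that starts in q0 at the root tag, and a serializer. The database, the rule names (rule_patients, rule_patient) and the convention that a dict payload fills the child's register while any other payload becomes a text or attribute leaf are all assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample database: the patients relation shown on slide 7.
DB = {"patients": [
    {"ssn": "123456789", "name": "Carol", "age": 31},
    {"ssn": "197453163", "name": "Doug", "age": 45},
]}


@dataclass
class Node:
    """One node of the published tree: its (state, tag) label, the tuple held in its
    local node register (element nodes), or its value (attribute/text leaves)."""
    state: str
    tag: str
    register: Optional[dict] = None
    text: Optional[str] = None
    children: list = field(default_factory=list)

    def label(self) -> str:
        return f"({self.state},{self.tag})"


# Transduction rules (assumed shape). Each rule maps a (state, tag) pair to a function
# that runs the rule's queries against the database and/or the local register and
# returns the right-hand side: a list of (state, tag, payload) children. A dict payload
# is a tuple stored in the child's register; any other payload becomes the child's text.
def rule_patients(db, register):
    # (q0, patients): the query selects every tuple of the relation and spawns one
    # (q1, patient) child per tuple.
    return [("q1", "patient", t) for t in db["patients"]]


def rule_patient(db, register):
    # (q1, patient): queries read only the local register; a leading '@' marks an attribute.
    return [("q1", "@ssn", register["ssn"]),
            ("q1", "name", register["name"]),
            ("q1", "age", register["age"])]


RULES = {("q0", "patients"): rule_patients, ("q1", "patient"): rule_patient}


def transduce(db, rules, state="q0", tag="patients", payload=None):
    """Materialize the tree top-down from the start state q0 and the root tag."""
    if payload is None or isinstance(payload, dict):
        node = Node(state, tag, register=payload)
    else:
        node = Node(state, tag, text=str(payload))
    rule = rules.get((state, tag))
    if rule is not None:  # no rule for a (state, tag) pair: the node is a leaf
        for child_state, child_tag, child_payload in rule(db, node.register):
            node.children.append(transduce(db, rules, child_state, child_tag, child_payload))
    return node


def labels(node):
    """Preorder list of (state, tag) labels, as drawn on the slide."""
    return [node.label()] + [lab for c in node.children for lab in labels(c)]


def to_xml(node) -> str:
    """Serialize the tree; '@'-tagged leaves become attributes of their parent."""
    if node.text is not None:
        return f"<{node.tag}>{node.text}</{node.tag}>"
    attrs = "".join(f' {c.tag[1:]}="{c.text}"' for c in node.children if c.tag.startswith("@"))
    inner = "".join(to_xml(c) for c in node.children if not c.tag.startswith("@"))
    return f"<{node.tag}{attrs}>{inner}</{node.tag}>"


if __name__ == "__main__":
    tree = transduce(DB, RULES)
    print(labels(tree))
    print(to_xml(tree))
```

Running it prints the nine (state, tag) labels in preorder and the two-patient XML document; a (state, tag) pair with no rule terminates the recursion, which is how the leaves arise.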

Page 8:

ACCESS CONTROL POLICY TRANSLATION

Page 9:

Access Control Models for XML
• Many XML access control models have been proposed, specifying how permissions may be specified over an XML tree
  – Policy language (typically, an XPath fragment)
  – Rule scope (node, node+attributes, node+text, node+descendants, …)
  – Conflict resolution policy, default semantics (allow vs. deny)
• But… these models say nothing about how an SQL access control policy can be equivalently expressed over a published XML tree!
• What’s needed: the ability to augment a publishing function with the additional information needed to preserve the original SQL ACP A over the published XML document, i.e., a secure publishing function

Page 10:

ACP Translation Framework

Figure: the ACP Translator takes as inputs the relational schema S, the relational ACP A, the publishing function, and the identity mapping I, and outputs a secure publishing function.

We represent a secure publishing function as a secure publishing transducer (SPT), which extends the definition of a publishing transducer in two ways:

• Each tree node generated during the transduction process is assigned an access bitstring, recording the relevant permissions for that node

• Additional transduction rules are needed to model conditional access permissions (i.e., separate rules are needed to handle both possibilities: where the condition is satisfied and where it is not)

Page 11:

Preservation of Access Control Policies

A secure publishing function preserves an SQL access control policy A if, for each federated ID f and permission p, the following conditions are satisfied over the XML tree it produces from D:

1. (Sufficiency condition) For every relational database object o made accessible to f by A under permission p, the XML representation of o in the published tree is also accessible to f within the context of permission p.

2. (Necessity condition) The XML representation of a database object o in the published tree is only made accessible to f within the context of p if o was originally made accessible to f by A under permission p.

Page 12:

Transduction Rules
Each rule of a secure publishing transducer has the form of an ordinary transduction rule extended with access bitstrings, where
• the state on the left-hand side is a state in Q;
• the tag is a tag in Σ;
• the left-hand side and each right-hand-side component carry access bitstrings; and
• each query is a query on D and/or the local node register.

Example access bitstring: 11 11 10 00
1st bit: Carol holds “select” permission
2nd bit: Carol holds grant option for “select”
3rd bit: Carol holds “insert” permission
4th bit: Carol does not hold grant option for “insert”
5th bit: Doug holds “select” permission
6th bit: Doug does not hold grant option for “select”
7th bit: Doug does not hold “insert” permission
8th bit: Doug does not hold grant option for “insert”

In general, bitstrings will be of length
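The access bitstring of this slide and the sufficiency/necessity conditions of slide 11, as one added Python example (not code from the talk or the paper). The bit layout is an assumption chosen to match the slide's reading: federated IDs and permissions in a fixed order, two bits per (ID, permission) pair, "held" first and "grant option" second. The relational ACP, the node paths and the mapping from relational objects to single XML nodes are constructed sample data.

```python
# Assumed bitstring layout: fixed order of federated IDs and permissions, two bits per
# (ID, permission) pair, the first recording whether the permission is held and the
# second whether the grant option is held.
FED_IDS = ["Carol", "Doug"]
PERMS = ["select", "insert"]


def encode_bitstring(grants, fed_ids=FED_IDS, perms=PERMS):
    """grants: {(federated_id, permission): grant_option_held}."""
    bits = []
    for f in fed_ids:
        for p in perms:
            held = (f, p) in grants
            bits.append("1" if held else "0")
            bits.append("1" if held and grants[(f, p)] else "0")
    return "".join(bits)


def decode_bitstring(bits, fed_ids=FED_IDS, perms=PERMS):
    """Inverse of encode_bitstring; rejects malformed strings instead of guessing."""
    expected = 2 * len(fed_ids) * len(perms)
    if len(bits) != expected or set(bits) - {"0", "1"}:
        raise ValueError(f"expected {expected} bits, got {bits!r}")
    grants, i = {}, 0
    for f in fed_ids:
        for p in perms:
            held, grant = bits[i] == "1", bits[i + 1] == "1"
            i += 2
            if grant and not held:   # a grant option without the permission is inconsistent
                raise ValueError(f"grant option without permission for {(f, p)}")
            if held:
                grants[(f, p)] = grant
    return grants


def check_preservation(acp, node_bits, representation):
    """Check the sufficiency and necessity conditions of slide 11.

    acp:            {relational_object: {(federated_id, permission): grant_option}}
    node_bits:      {xml_node_path: access_bitstring} as assigned by the S.P.T.
    representation: {relational_object: xml_node_path}; each relational object is
                    assumed to be represented by a single node.
    Returns a list of violations; an empty list means A is preserved.
    """
    violations = []
    for obj, path in representation.items():
        granted = acp.get(obj, {})
        exposed = decode_bitstring(node_bits[path])
        for key, grant in granted.items():
            if key not in exposed:            # granted by A but not exposed in the tree
                violations.append(("sufficiency", obj, path, key))
            elif exposed[key] != grant:       # permission matches, grant option does not
                violations.append(("grant-option", obj, path, key))
        for key in exposed:
            if key not in granted:            # exposed in the tree but never granted by A
                violations.append(("necessity", obj, path, key))
    return violations


# Constructed sample inputs.
ACP = {
    "patients.name": {("Carol", "select"): True, ("Carol", "insert"): False,
                      ("Doug", "select"): False},
    "patients.ssn": {("Carol", "select"): False},
}
REPRESENTATION = {"patients.name": "/patients/patient/name",
                  "patients.ssn": "/patients/patient/@ssn"}
# Bitstrings assigned by a hypothetical translated S.P.T.: the ssn node wrongly lets
# Doug select, which the necessity check must report.
NODE_BITS = {"/patients/patient/name": encode_bitstring(ACP["patients.name"]),
             "/patients/patient/@ssn": "10001000"}

if __name__ == "__main__":
    print(encode_bitstring(ACP["patients.name"]))
    print(check_preservation(ACP, NODE_BITS, REPRESENTATION))
```

A sufficiency failure is a usability problem (a federated user loses access the source granted); a necessity failure is a disclosure, which is why the check reports both kinds separately.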

Page 13:

Expressibility Problem
For an arbitrary relational database D with schema S, relational ACP A, and publishing function, can one always find a secure publishing function that preserves A over the published XML tree?

• Result: an algorithm for solving the expressibility problem (see paper)
  – Applicable when the publishing function can be expressed as a publishing transducer
  – Time complexity:

Page 14:

VERIFICATION OF TRANSLATED ACCESS CONTROL POLICIES

Page 15:

Verification of Translated ACPs: Two Problem Variants

Figure: two Policy Verifier diagrams, one for dynamic and one for static verification. Both take S, A, I and the S.P.T. as inputs and ask whether the XML trees produced by the derived and the supplied S.P.T. agree; the dynamic variant additionally takes a database instance D.

Inputs: rel. schema S; rel. ACP A; identity mapping function I; S.P.T.; database instance D (for dynamic variant only)

Page 16:

Dynamic Verification

Applicable for scenarios where database contents do not change frequently (e.g., archival data)

Procedure:
1. Derive an S.P.T. from the supplied inputs S, A, I, and the publishing function
2. For the specific database instance D, obtain the XML trees X1 and X2 produced from D by the derived S.P.T. and by the supplied S.P.T., and ensure that, at each tree position, the corresponding nodes in X1 and X2
   i. have the same label
   ii. have the same number of children
   iii. have the same bitstring assignment
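The position-by-position comparison of step 2, as an added Python example (not code from the talk or the paper). The TNode class, the patient() builder and the two trees are constructed for the example; the bitstrings follow the layout of slide 12 with the federated IDs Carol and Doug and the permissions select and insert.

```python
from dataclasses import dataclass, field


@dataclass
class TNode:
    label: str                      # (state, tag) label, e.g. "(q1,patient)"
    bits: str                       # access bitstring assigned by the S.P.T.
    children: list = field(default_factory=list)


def verify_dynamic(x1, x2, pos=()):
    """Compare X1 (tree from the derived S.P.T.) and X2 (tree from the supplied S.P.T.)
    position by position. Returns a list of (position, what, in_x1, in_x2) mismatches;
    an empty list means the supplied S.P.T. passes dynamic verification for this D."""
    mismatches = []
    if x1.label != x2.label:
        mismatches.append((pos, "label", x1.label, x2.label))
    if len(x1.children) != len(x2.children):
        mismatches.append((pos, "children", len(x1.children), len(x2.children)))
    if x1.bits != x2.bits:
        mismatches.append((pos, "bitstring", x1.bits, x2.bits))
    if len(x1.children) != len(x2.children):
        return mismatches   # positions below do not correspond one-to-one; stop here
    for i, (c1, c2) in enumerate(zip(x1.children, x2.children)):
        mismatches.extend(verify_dynamic(c1, c2, pos + (i,)))
    return mismatches


def patient(bits, ssn_bits=None):
    """Build one (q1,patient) subtree; ssn_bits lets the @ssn attribute carry its own bitstring."""
    return TNode("(q1,patient)", bits, [
        TNode("(q1,@ssn)", ssn_bits or bits),
        TNode("(q1,name)", bits),
        TNode("(q1,age)", bits)])


# Constructed trees for the two-tuple database of slide 7.
# "10001000": Carol and Doug may select; "10000000": only Carol may select.
X1 = TNode("(q0,patients)", "10001000", [
    patient("10001000", ssn_bits="10000000"),
    patient("10001000", ssn_bits="10000000")])
# The supplied S.P.T. over-exposes the second patient's ssn attribute.
X2 = TNode("(q0,patients)", "10001000", [
    patient("10001000", ssn_bits="10000000"),
    patient("10001000")])

if __name__ == "__main__":
    print(verify_dynamic(X1, X2))
```

The mismatch list names the tree position (child indices from the root), so a failed verification points at the exact transduction rule of the supplied S.P.T. that assigns the wrong bitstring.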

Page 17:

Static Verification

Procedure:
1. Derive an S.P.T. from the supplied inputs: the publishing function, S, A, and I
2. Verification of the supplied S.P.T. succeeds iff the following conditions are met:
   i. For every database D conforming to schema S, the derived S.P.T. and the supplied S.P.T. produce the same XML tree from D
   ii. The relational ACP A and the access bitstrings in the supplied S.P.T. share the same semantics

Page 18:

Verification of Translated ACPs: Computational Complexity

We consider the complexity of deciding both problem variants for various classes of S.P.T.s SPT(L,S,A), where

• L denotes the language of queries appearing in transduction rules (FO or CQ);
• S is either TP or RL, indicating whether each node register in the produced XML tree stores a single tuple or a relation; and
• A specifies the complexity of queries appearing in the relational ACP rules (FO or CQ)

SPTnr(L,S,A) denotes the subclass of S.P.T.s without recursion in transduction rules

Page 19:

Verification of Translated ACPs: Computational Complexity

  SPT class          Dynamic Verification   Static Verification
  SPT(L,rl,A)        2EXPTIME               undecidable
  SPT(L,tp,A)        EXPTIME                undecidable
  SPTnr(FO,tp,A)     PTIME                  undecidable
  SPTnr(CQ,tp,A)     PTIME                  3P-complete

Dynamic verification: complexity is dominated by the cost of materializing the XML trees, given the derived and the supplied S.P.T.s

Static verification: complexity is dominated by the need to decide equivalence between the derived and the supplied S.P.T.s

Page 20:

EXPRESSING TRANSLATED ACPS IN XACML

Page 21:

Generating XACML From a Translated ACP

Figure: the XACML Generator takes the secure publishing transducer as input and outputs an XACML policy.

The process is done at the schema level, only once for each secure publishing function

The generated XACML policy is applicable to every XML tree the secure publishing function generates, for any database instance D

Page 22:

Expressing Translated ACPs in XACML

Procedure:
1. Construct a rule reachability graph (RRG) from the transduction rules of the S.P.T.
   • Nodes are transduction rules; edge (i, j) indicates that the i-th rule contains a reference to the j-th rule in its RHS, and is labelled with the associated query
2. Traverse the RRG in preorder
   • If the last travelled edge is labelled with a conditional query, the condition must be resolved into an equivalent XPath expression (see paper)
   • Each time the bitstrings for a parent and child node in the RRG differ, a new XACML policy rule is created
3. Created XACML policy rules sharing the same subset of federated IDs as their subject are combined into a single policy rule
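Steps 1 to 3 of this procedure, as an added Python example (not code from the talk or the paper). Assumptions made here: the RRG is constructed by hand with unconditional queries, so no condition has to be resolved into XPath; a rule created where a child's bitstring differs from its parent's covers that node and every descendant whose bitstring is unchanged; resources are matched on the exact node path as a plain string rather than with XACML's xpathExpression data type; and every rule is a Permit combined under deny-unless-permit, so anything not explicitly permitted is denied. The bitstring layout is that of slide 12 with the IDs Carol and Doug and the permissions select and insert.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
FED_IDS = ["Carol", "Doug"]
PERMS = ["select", "insert"]

# Constructed rule reachability graph: each node is a transduction rule named by the tag
# it produces, with the access bitstring assigned to that node (two bits per
# (federated ID, permission): "held" then "grant option") and its outgoing edges, each
# labelled with the rule's query. Queries are assumed unconditional.
RRG = {
    "patients": {"bits": "10001000", "edges": [("patient", "select * from patients")]},
    "patient":  {"bits": "10001000", "edges": [("name", "$t.name"), ("ssn", "$t.ssn"), ("age", "$t.age")]},
    "name":     {"bits": "10001000", "edges": []},
    "ssn":      {"bits": "10000000", "edges": []},   # only Carol may select ssn
    "age":      {"bits": "11101000", "edges": []},   # Carol: select+grant, insert; Doug: select
}


def holders(bits, perm, fed_ids=FED_IDS, perms=PERMS):
    """Federated IDs whose 'held' bit for perm is set."""
    j = perms.index(perm)
    return frozenset(f for i, f in enumerate(fed_ids) if bits[2 * (i * len(perms) + j)] == "1")


def collect_rules(rrg, root="patients"):
    """Step 2: preorder traversal. A new rule group starts each time a child's bitstring
    differs from its parent's; a child with the same bitstring joins the parent's group,
    so every node is covered by exactly one group. Returns (subjects, action, paths)."""
    groups = []

    def visit(tag, parent_group, xpath):
        bits = rrg[tag]["bits"]
        if parent_group is None or bits != parent_group["bits"]:
            group = {"bits": bits, "paths": []}
            groups.append(group)
        else:
            group = parent_group
        group["paths"].append(xpath)
        for child, _query in rrg[tag]["edges"]:
            visit(child, group, f"{xpath}/{child}")

    visit(root, None, f"/{root}")
    return [(holders(g["bits"], p), p, list(g["paths"]))
            for g in groups for p in PERMS if holders(g["bits"], p)]


def combine(rules):
    """Step 3: rules whose subject is the same set of federated IDs (and the same
    action) are merged into one rule listing all their resource paths."""
    merged = {}
    for subjects, action, paths in rules:
        merged.setdefault((subjects, action), []).extend(paths)
    return merged


def _match(parent, value, category, attr_id):
    m = ET.SubElement(parent, f"{{{NS}}}Match",
                      MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal")
    ET.SubElement(m, f"{{{NS}}}AttributeValue",
                  DataType="http://www.w3.org/2001/XMLSchema#string").text = value
    ET.SubElement(m, f"{{{NS}}}AttributeDesignator", Category=category, AttributeId=attr_id,
                  DataType="http://www.w3.org/2001/XMLSchema#string", MustBePresent="false")


def to_xacml(merged, policy_id="translated-acp"):
    """Serialize as an XACML 3.0 Policy: one Permit rule per merged group whose Target
    lists the subjects, the resource paths and the action as AnyOf/AllOf alternatives."""
    ET.register_namespace("", NS)
    policy = ET.Element(f"{{{NS}}}Policy", PolicyId=policy_id, Version="1.0",
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit")
    ET.SubElement(policy, f"{{{NS}}}Target")
    for n, ((subjects, action), paths) in enumerate(merged.items(), 1):
        rule = ET.SubElement(policy, f"{{{NS}}}Rule", RuleId=f"rule-{n}", Effect="Permit")
        target = ET.SubElement(rule, f"{{{NS}}}Target")
        any_subj = ET.SubElement(target, f"{{{NS}}}AnyOf")
        for s in sorted(subjects):
            _match(ET.SubElement(any_subj, f"{{{NS}}}AllOf"), s,
                   "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
                   "urn:oasis:names:tc:xacml:1.0:subject:subject-id")
        any_res = ET.SubElement(target, f"{{{NS}}}AnyOf")
        for p in paths:
            _match(ET.SubElement(any_res, f"{{{NS}}}AllOf"), p,
                   "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
                   "urn:oasis:names:tc:xacml:1.0:resource:resource-id")
        any_act = ET.SubElement(target, f"{{{NS}}}AnyOf")
        _match(ET.SubElement(any_act, f"{{{NS}}}AllOf"), action,
               "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
               "urn:oasis:names:tc:xacml:1.0:action:action-id")
    return ET.tostring(policy, encoding="unicode")


def count_rules(xacml_text):
    """Number of Rule elements in a serialized policy (used to check the output)."""
    return len(ET.fromstring(xacml_text).findall(f"{{{NS}}}Rule"))


if __name__ == "__main__":
    print(to_xacml(combine(collect_rules(RRG))))
```

For the sample RRG the traversal yields three groups (the patients/patient/name nodes, the ssn node, the age node) and, after combining by subject set and action, three XACML rules: {Carol, Doug} select over four paths, {Carol} select over ssn, and {Carol} insert over age.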

Page 23:

Future Work

Policy Translation
• Automating the discovery of a “smallest set” of federated identities needed to preserve the semantics of each relational ACP, while also obeying the need-to-know principle
• Minimization of secure publishing transducers
  • Minimizing the number of transduction rules
  • Minimizing the queries in each transduction rule

Policy Verification
• In general, verification is difficult or undecidable – can subclasses of S.P.T.s for which verification is more tractable be identified?
• Consider additional problem variants
  • Translated policy is specified as an XACML policy, not an S.P.T.
  • List of federated users is not fixed – requires reasoning about ACPs instead of bitstrings

Page 24:

Final Slide

• Thank you
• Questions?