composite decentralized access control · 2018-09-05 · example: swegrid access control...
TRANSCRIPT
Composite Decentralized Access Control
Petar Tsankov, Srdjan Marinovic, Mohammad Torabi Dashti, David Basin
Institute of Information Security, ETH Zurich
Example: SweGrid
Goal: provides computational and storage resources to researchers
Access Control Requirements
– A project leader delegates his authority over resources to principals
– A project leader composes the principals' policies (e.g., using permit-override)
Delegation
Multiple principals can issue access rights
(figure: project leaders Dave and Bob each issue access rights to researchers; delegations flow between the principals)
➔ Decentralized Access Control
Composition
Policy decisions in large-scale systems
– Grant, Deny, Not-applicable, Conflict
(figure: project leader Dave's policy + Bob's policy)
Composition operators, e.g.:
● Permit-override
● Deny-override
● Conflict-override
➔ Composite Access Control
System Model
(figure: Subjects request Resources through a PEP; the PEP asks a PDP for a decision; Principals write Policies that the PDP evaluates; the Requirements state how access must be controlled)
Related Work
Delegation
– Systems and standards: SecPAL for Grid, KeyNote PDP (RFC 2704), ...
– Formal foundations: DKAL ('08), RT ('01)
Composition
– Systems and standards: XACML v2.0, ...
– Formal foundations: D-Algebra ('09), PTaCL ('12), PBel ('08)
Delegation + Composition
– Systems and standards: SweGrid, XACML v3.0 ('13), WSO2 ID Server
– Formal foundations: BelLog
How to Build Access Control Systems
Specify Policy
➔ Formal semantics
➔ Support for delegation
➔ Support for composition
Verify Policy
➔ Analysis language
➔ Decision algorithms
Construct PDP
➔ Efficient evaluation algorithm
Belnap Logic + Datalog = BelLog
(figure: BelLog syntax with the levels program, rule, literal, atom; Belnap logic with its truth ordering and knowledge ordering; stratified Datalog)
BelLog
– Negation on truth
– Negation on knowledge
Semantics: extend stratified Datalog to four-valued fixed-point semantics
BelLog Examples
– Transitive delegation
– Conflict-override
– Policy targets
– Agreement
– Other idioms?
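The composition and delegation idioms above, worked through in code. This is an added example, not BelLog code and not code by the talk's authors: it encodes the four decisions Grant, Deny, Not-applicable and Conflict as the four Belnap values, implements the standard Belnap truth-ordering and knowledge-ordering operations, and then models permit-override, deny-override and conflict-override as decision-level composition operators and transitive delegation as a Datalog-style least fixed point. The operator definitions, the principals (Dave, Bob, Carol, Alice), the resource and the policies are all constructed assumptions; BelLog's own definitions may differ.

```python
"""Four-valued (Belnap) policy decisions, composition operators and transitive
delegation as a Datalog-style least fixed point.  Constructed example; the
composition operators are assumed definitions, not BelLog's own."""
from enum import Enum
from functools import reduce
from typing import Callable, Dict, Set, Tuple


class D(Enum):
    GRANT = "grant"            # Belnap true
    DENY = "deny"              # Belnap false
    NA = "not-applicable"      # Belnap bottom: no information
    CONFLICT = "conflict"      # Belnap top: contradictory information


# Truth ordering:     DENY < NA, CONFLICT < GRANT   (NA and CONFLICT incomparable)
# Knowledge ordering: NA < GRANT, DENY < CONFLICT   (GRANT and DENY incomparable)

def truth_join(a: D, b: D) -> D:
    """a OR b: least upper bound in the truth ordering."""
    if a == b:
        return a
    if D.GRANT in (a, b):
        return D.GRANT
    if D.DENY in (a, b):
        return b if a == D.DENY else a
    return D.GRANT                      # NA join CONFLICT


def truth_meet(a: D, b: D) -> D:
    """a AND b: greatest lower bound in the truth ordering."""
    if a == b:
        return a
    if D.DENY in (a, b):
        return D.DENY
    if D.GRANT in (a, b):
        return b if a == D.GRANT else a
    return D.DENY                       # NA meet CONFLICT


def knowledge_join(a: D, b: D) -> D:
    """a (+) b: combine what both sources know; disagreement becomes CONFLICT."""
    if a == b:
        return a
    if D.CONFLICT in (a, b):
        return D.CONFLICT
    if D.NA in (a, b):
        return b if a == D.NA else a
    return D.CONFLICT                   # GRANT (+) DENY


def knowledge_meet(a: D, b: D) -> D:
    """a (x) b: keep only what both sources agree on; disagreement becomes NA."""
    if a == b:
        return a
    if D.NA in (a, b):
        return D.NA
    if D.CONFLICT in (a, b):
        return b if a == D.CONFLICT else a
    return D.NA                         # GRANT (x) DENY


# Composition operators on decisions (assumed, illustrative definitions).
def _override(priority: Tuple[D, ...]) -> Callable[[D, D], D]:
    def op(a: D, b: D) -> D:
        for d in priority:              # first decision in priority order wins
            if d in (a, b):
                return d
        return D.NA
    return op


permit_override = _override((D.GRANT, D.DENY, D.CONFLICT, D.NA))
deny_override = _override((D.DENY, D.GRANT, D.CONFLICT, D.NA))
conflict_override = knowledge_join      # decided-but-disagreeing policies yield CONFLICT

Policy = Callable[[str, str], D]        # (subject, resource) -> decision


def authority_closure(owns: Set[Tuple[str, str]],
                      delegates: Set[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """Least fixed point of the Datalog rules
         authority(P, R) :- owns(P, R).
         authority(P, R) :- authority(Q, R), delegates(Q, P).
    i.e. authority over R passes along delegation chains of any length."""
    auth = set(owns)
    while True:
        derived = {(p, r) for (q, r) in auth for (q2, p) in delegates if q2 == q}
        if derived <= auth:
            return auth
        auth |= derived


def decide(subject: str, resource: str, policies: Dict[str, Policy],
           authority: Set[Tuple[str, str]], compose: Callable[[D, D], D]) -> D:
    """Compose the decisions of every principal with authority over the resource.
    NA is the identity of all three operators, so it is the neutral start value."""
    decisions = [policies[p](subject, resource)
                 for (p, r) in sorted(authority) if r == resource and p in policies]
    return reduce(compose, decisions, D.NA)


# Constructed scenario: Dave owns the cluster, delegates to Bob, who delegates to Carol.
OWNS = {("dave", "cluster")}
DELEGATES = {("dave", "bob"), ("bob", "carol")}
POLICIES: Dict[str, Policy] = {
    "dave": lambda s, r: D.NA,
    "bob": lambda s, r: D.GRANT if s == "alice" else D.NA,
    "carol": lambda s, r: D.DENY if s == "alice" else D.NA,
}
AUTHORITY = authority_closure(OWNS, DELEGATES)
OPERATORS = {"permit-override": permit_override,
             "deny-override": deny_override,
             "conflict-override": conflict_override}


def compose_all(subject: str, resource: str) -> Dict[str, D]:
    """The same request under each composition operator."""
    return {name: decide(subject, resource, POLICIES, AUTHORITY, op)
            for name, op in OPERATORS.items()}


if __name__ == "__main__":
    for name, d in compose_all("alice", "cluster").items():
        print(f"{name:>18}: {d.value}")
```

Alice's request shows why the choice of operator is a security decision: Bob grants, Carol (two delegation hops away) denies, so the same two policies yield Grant, Deny or Conflict depending on how the project leader composes them, and a subject nobody has written a policy for stays Not-applicable.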
How to Build Access Control Systems
Specify Policy: ➔ Formal semantics ➔ Support for delegation ➔ Support for composition
Verify Policy: ➔ Analysis language ➔ Decision algorithms
Construct PDP: ➔ Efficient evaluation algorithm
Policy Analysis
Does the policy meet its requirements?
(figure: the Requirements and the Policy are turned into Questions for the Analyzer; the Analyzer either reports the policy checked or returns a counter-example, which leads to a fix of the policy)
How do we write this? Decidability? Complexity?
Analysis Questions
Syntax
– Is policy P2 more permissive than P1 for all inputs that satisfy the condition c?
(condition)
(question)
(figure, for a given input: the set of all requests, the requests granted by P2, and the requests granted by P1)
Check for all inputs that satisfy the condition
Example: Analysis Question
Requirement: If the requester is a project leader, then grant access.
Policy
Analysis Question
Analysis
Theorem 1: Policy containment is undecidable
Theorem 2: Policy containment for unary-input policies* is co-NEXP-complete
Theorem 3: Policy containment for a finite universe is co-NP-complete
*Unary-input policies – Example:
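The analysis question "is P2 more permissive than P1 for all inputs that satisfy c?", decided the way Theorem 3 permits: over a finite universe the question can be settled by enumerating every input, which is what the added example below does. It is not the talk's analyzer and not BelLog code. It compares the two policies' four-valued decisions in the Belnap truth ordering (Deny below Not-applicable and Conflict, both below Grant), and the requirement from the example slide ("if the requester is a project leader, then grant access") is encoded as a policy P1 that returns Grant for project leaders and Deny, the least permissive value, otherwise. The subjects, resources, the request shape, the buggy and fixed candidate policies and the conditions are constructed assumptions.

```python
"""Policy containment over a finite universe by exhaustive enumeration.
Constructed example; the policies and the request universe are assumptions."""
from collections import namedtuple
from enum import Enum
from itertools import product
from typing import Callable, Iterable, Optional


class D(Enum):
    GRANT = "grant"
    DENY = "deny"
    NA = "not-applicable"
    CONFLICT = "conflict"


# Upward closure of each value in the Belnap truth ordering:
# DENY < NA, CONFLICT < GRANT, with NA and CONFLICT incomparable.
_TRUTH_ABOVE = {
    D.DENY: {D.DENY, D.NA, D.CONFLICT, D.GRANT},
    D.NA: {D.NA, D.GRANT},
    D.CONFLICT: {D.CONFLICT, D.GRANT},
    D.GRANT: {D.GRANT},
}


def leq_truth(a: D, b: D) -> bool:
    """True when decision b is at least as permissive as decision a."""
    return b in _TRUTH_ABOVE[a]


# A request is a subject, a resource and the facts the policies consult.
Request = namedtuple("Request", "subject resource is_leader")
Policy = Callable[[Request], D]
Condition = Callable[[Request], bool]


def finite_universe(subjects, resources) -> Iterable[Request]:
    """Every request the finite universe can contain (Theorem 3 setting)."""
    return [Request(s, r, leader) for s, r, leader in product(subjects, resources, (False, True))]


def find_counterexample(p1: Policy, p2: Policy, cond: Condition,
                        universe: Iterable[Request]) -> Optional[Request]:
    """First request satisfying cond on which P2 is NOT at least as permissive as P1,
    or None when P1 is contained in P2 under cond."""
    for req in universe:
        if cond(req) and not leq_truth(p1(req), p2(req)):
            return req
    return None


def more_permissive(p2: Policy, p1: Policy, cond: Condition, universe) -> bool:
    """The analysis question: is P2 more permissive than P1 for all inputs satisfying cond?"""
    return find_counterexample(p1, p2, cond, universe) is None


# Constructed universe and policies.
SUBJECTS = ("alice", "bob", "carol")
RESOURCES = ("cluster", "storage")
UNIVERSE = finite_universe(SUBJECTS, RESOURCES)


def requirement(req: Request) -> D:
    """P1: 'if the requester is a project leader, then grant access';
    DENY (the bottom of the truth ordering) where the requirement says nothing."""
    return D.GRANT if req.is_leader else D.DENY


def policy_buggy(req: Request) -> D:
    """P2 as first written: leaders are only granted the cluster, storage was forgotten."""
    if req.is_leader:
        return D.GRANT if req.resource == "cluster" else D.NA
    return D.DENY


def policy_fixed(req: Request) -> D:
    """P2 after the fix: leaders are granted every resource."""
    return D.GRANT if req.is_leader else D.DENY


def all_inputs(req: Request) -> bool:
    return True


def cluster_only(req: Request) -> bool:
    """Condition c restricting the question to cluster requests."""
    return req.resource == "cluster"


if __name__ == "__main__":
    print("counter-example:", find_counterexample(requirement, policy_buggy, all_inputs, UNIVERSE))
    print("fixed policy contained:", more_permissive(policy_fixed, requirement, all_inputs, UNIVERSE))
```

The counter-example is the analyzer's most useful output: it names the concrete request on which the policy violates the requirement (here a project leader asking for storage), which is what drives the fix step in the analysis loop. Restricting the condition to cluster requests hides the bug, which is why the condition c is part of the question and not a detail of the checker.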
How to Build Access Control Systems
Specify Policy: ➔ Formal semantics ➔ Support for delegation ➔ Support for composition
Verify Policy: ➔ Analysis language ➔ Decision algorithms
Construct PDP: ➔ Efficient evaluation algorithm
Constructing PDPs
Theorem 4: Policy entailment is in PTIME
Policy Interpreter: http://bellog.org
GitHub: https://github.com/ptsankov/bellog/
Limitations
– Analysis of administrative changes
– Analysis complexity and tool support
– Usability
BelLog Contributions
– A foundation for composite decentralized access control
– Policy analysis framework
– BelLog PDP (www.bellog.org)