Policy-Based SystemsSystem Security

Previous lectures• We have discussed the 4 main models of access control:• Discretionary Access Control (DAC)• Mandatory Access Control (MAC)

• Bell-LaPadula for Confidentiality• Biba for Integrity

• Role-based Access Control (RBAC)• Usage Control (UCON)

Policy-based Access Control(P-bAC)• A policy is a rule governing the behaviour of a system.• In P-aBC, an authorization policy governs the access rights of

subjects over targets• targets and objects have the same meaning

P-bAC Advantages• Policies are specified independently of entities• Provide at a glance a coherent view of the access control in a

system• Give a neat separation between access control logic and the

enforcement mechanism

P-bAC Approaches• There are several approaches that use policies for access

control:• XACML• Ponder2• Policy Description Language (PDL)• REI• Firewall rules

Authorization Policies

subject, action, targetwhen condition then decision

• Subject: entity that wants to perform an action• Action: an operation on the resources (open, read, write, etc.)• Target: a resource on which a subject wants to operate• Condition: a Boolean expression to represent context• Decision: policy outcome (allow, deny, kill, ask, etc.)

Policy Enforcement Architecture

IETF - RFC 2753

Policy Enforcement Point (PEP)• The point where the policy decisions are actually enforced• PEP collects information about:• who the subject is• what action is going to execute• which target is going to be accessed

Example – Intercepting• I want to perform a read operation on foo• The PEP intercepts the action and creates a tuple (Andrew,

read, foo)• The PEP passes the tuple to the Policy Decision Point (PDP)

Example – Retrieving Policies• Once the PDP receives the tuple, it retrieves the relevant

policies from the PR matching the tuple

Example – Evaluating• Once the PDP receives the tuple, it retrieves the relevant

policies from the PR matching the tuple• Ask the PIP for the current time• Now the PDP is able to evaluate the policy• Because the condition part is true, the decision returned by

the policy is allow

Example – Enforcing• The PDP informs the PEP that the operation can be allowed• The PEP lets the operation being executed

Fine-grained control thru PEP• Traditionally access control mechanisms are concerned with

checking before the access takes place• A finer grained control can be achieved by placing multiple

Policy Enforcement Points (PEP) between the subject and target

Same Access Multiple PEPs

Distributed Enforcing

Policy Combination - I• Both policies matches the tuple from PEP• Both policies are valid when evaluated by the PDP• Which one should be applied?

Policy Combination - II• Both policies matches the tuple from PEP• Both policies are valid when evaluated by the PDP• Which one should be applied?

Conflict Resolution• A robust P-bAC system has to provide a conflict resolution

mechanism• The conflict resolution has to be performed at the PDP to

return a univocal decision to the PEP• Several conflict resolution techniques:• Policy order• Decision priority• Specificity of policy arguments• …

Ordered Conflict Resolution• The first policy that applies is used• In this case the PDP returns the decision deny• This mechanism is used in Firewall rules

Decision Priority Conflict Resolution• Requires a ordered decision set• In this case the PDP returns the decision allow

Most Specific Policy First• The policy with the most specific arguments takes priority• In this case the PDP returns allow• It might be used in combination with other resolution

strategies (e.g., when arguments have similar specificity)

Policy Engineering• A P-bAC mechanism is very flexible but when the number of

policies becomes too large it might be difficult to manage• Conflict resolution might help, but still is up to the security

admin to be able to manage the life cycle of policies

Questions?