Multiple Access Control Policies
A Unified Framework for Enforcing Multiple Access Control Policies [by Jajodia and Samarati]
Authorization in Distributed Systems: A New Approach [by Woo and Lam]
References:
• A Logical Framework for Reasoning on Data Access Control Policies. Bertino and Catania. ACM Trans., Vol. 6, No. 1.
• The Well-Founded Semantics for General Logic Programs. Van Gelder and Ross.
Definition
• Access control policies are devised for controlling access to information.
• A policy requires its own language, which specifies policy bases.
• A policy base encodes a set of authorization requirements and is given a precise semantics based upon a formal notion of authorization policy.
Multiple Access Control Policies
• Problem: protection requirements within a system vary dramatically, and no single policy may simultaneously satisfy them all.
• This paper presents a flexible authorization manager (FAM) that enforces multiple access control policies within a unified system.
• FAM is based on a language through which users can specify authorizations and access control policies.
The FAM language contains three components:
• Data objects of different types
• Hierarchy
• Language specifications
Formalization
• A data system DS is a 4-tuple (Obj, T, S, A), where Obj, T, S and A are the sets of objects, types, subjects and actions.
• User hierarchy. A DS is said to be user-hierarchical iff there exists a finite partially ordered set (G, ≤) such that x is a ≤-minimal element of G iff x ∈ U.
Authorization specifications consist of constant symbols, variable symbols and predicate symbols.
• Predicate symbols: cando, dercando, do, done, error, dirin, in, typeof, owner
Examples
• cando(file1, Employees, +write) ← .
• cando(file1, s, +write) ← in(s, Employees)
• dercando(o, s, +a) ← cando(o, s', +a) & in(s, s')
• dercando(file1, s, -read) ← dercando(file2, s', read) & in(s, s') & in(s, s'')
• dercando(o, s, -write) ← done(o', s, read) & typeof(o, Exams) & typeof(o', Solutions)
• error(o, s, a) ← cando(o, s, +a) & cando(o, s, -a)
• error(o, s, a) ← done(o, s, read) & done(o', s, read) & typeof(o, Budget-A) & typeof(o', Budget-B)
FAM-programs
• An authorization specification AS is said to be a FAM-program iff the set of decision (do) rules in AS is:
• clash-free, and
• for each triple (o, u, a), there exists at least one weakly applicable do-rule in AS.
• Clash-free:
do(file1, X, +read) ← dirin(X, Employees)
do(file1, X, -read) ← dirin(X, Policeman)
• Weakly applicable: consider the triple (file1, john, read)
do(file1, s, +a) ← dercando(file1, s, +a)
do(o, s, +read) ← ¬dercando(o, s, +read) & ¬dercando(o, s, -read) & typeof(o, Pblc-docs)
CAM-program
• An authorization specification AS is said to be a semi-CAM program iff each do rule in AS has a head of the form do(OT, ST, +AT), with denials completed by
do(O, U, -A) ← ¬do(O, U, +A)
FAM policy library
• Closed, open and hybrid
• Hybrid: no overriding, subgroup overriding, and path overriding.
• Conflict resolution:
• No conflicts allowed
• Permissions take precedence
• Denials take precedence
Examples
• Closed policy
dercando(o, u, +a) ← cando(o, s, +a) & in(u, s)
do(o, u, +a) ← dercando(o, u, +a)
error(o, s, a) ← cando(o, s, -a)
do(o, u, -a) ← ¬do(o, u, +a)
• Open policy
dercando(o, u, -a) ← cando(o, s, -a) & in(u, s)
do(o, u, +a) ← ¬dercando(o, u, -a)
Subgroup overrides along a path
• dercando(o, s, +a) ← cando(o, s, +a)
• dercando(o, s, -a) ← cando(o, s, -a)
• dercando(o, s, +a) ← dercando(o, s', +a) & ¬cando(o, s, -a) & dirin(s, s')
• dercando(o, s, -a) ← dercando(o, s', -a) & ¬cando(o, s, +a) & dirin(s, s')
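The rules on the last three slides are small enough to evaluate by hand, but seeing them run makes the interaction between path overriding, the closed/open decision rules and the error rule concrete. The following Python program is an added example, not code from either paper: the hierarchy (dirin edges), the cando facts and the subject names are constructed, and the fixpoint loop is a plain implementation of the dercando rules for "subgroup overrides along a path", the closed and open do rules from the policy library, and the explicit-clash error rule from the earlier examples.

```python
"""Toy evaluator for FAM-style authorization rules (constructed example, not the
papers' code). Predicates follow the slides: cando (explicit authorizations),
dirin / in (subject hierarchy), dercando (derived authorizations), do
(decisions) and error (conflicts)."""
from itertools import product

# Constructed subject hierarchy: dirin(child, parent) edges (assumed data).
DIRIN = {("alice", "Employees"), ("bob", "Managers"), ("Managers", "Employees")}

# Constructed explicit authorizations cando(object, subject, sign, action).
CANDO = {
    ("file1", "Employees", "+", "read"),
    ("file1", "Managers", "-", "read"),   # subgroup denies what its supergroup allows
    ("file2", "Employees", "+", "write"),
}


def in_closure(dirin):
    """in(s, g): reflexive-transitive closure of dirin."""
    nodes = {n for edge in dirin for n in edge}
    closure = {(n, n) for n in nodes} | set(dirin)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(closure), repeat=2):
            if b == c and (a, d) not in closure:
                closure.add((a, d))
                changed = True
    return closure


def dercando_path_overriding(cando, dirin):
    """Derived authorizations under 'subgroup overrides along a path':
        dercando(o,s,+/-a) <- cando(o,s,+/-a)
        dercando(o,s,+a)   <- dercando(o,s',+a) & not cando(o,s,-a) & dirin(s,s')
        dercando(o,s,-a)   <- dercando(o,s',-a) & not cando(o,s,+a) & dirin(s,s')
    Negation is applied only to cando (base facts), so a naive fixpoint is sound."""
    derived = set(cando)
    changed = True
    while changed:
        changed = False
        for (o, parent, sign, a) in list(derived):
            opposite = "-" if sign == "+" else "+"
            for child, p in dirin:
                if p != parent or (o, child, opposite, a) in cando:
                    continue  # explicit opposite authorization at child blocks this path
                if (o, child, sign, a) not in derived:
                    derived.add((o, child, sign, a))
                    changed = True
    return derived


def decide(o, u, a, derived, policy="closed"):
    """do(o,u,+/-a) for the closed and open policies of the FAM library."""
    if policy == "closed":  # do(o,u,+a) <- dercando(o,u,+a); do(o,u,-a) <- not do(o,u,+a)
        return "+" if (o, u, "+", a) in derived else "-"
    if policy == "open":    # do(o,u,+a) <- not dercando(o,u,-a)
        return "-" if (o, u, "-", a) in derived else "+"
    raise ValueError(f"unknown policy {policy!r}")


def errors(cando):
    """error(o,s,a) <- cando(o,s,+a) & cando(o,s,-a): explicit clashes in the spec."""
    return {(o, s, a) for (o, s, sign, a) in cando
            if (o, s, "-" if sign == "+" else "+", a) in cando}


if __name__ == "__main__":
    derived = dercando_path_overriding(CANDO, DIRIN)
    for user in ("alice", "bob", "carol"):   # carol has no rules at all
        print(user, "closed:", decide("file1", user, "read", derived),
              "open:", decide("file1", user, "read", derived, "open"))
    print("clashes:", errors(CANDO))
```

Running it shows why the choice of policy matters for subjects the specification never mentions: carol is denied under the closed policy and allowed under the open one, while bob is denied under both because the Managers denial overrides the Employees permission along his path.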
Authorization in Distributed Systems
• Problem: a language is needed that is expressive enough to specify commonly encountered authorization requirements. The requirements here include multiple access policies and support for a distributed environment.
Authorization policy
• An authorization policy over a set of subjects S, a set of objects O and a set of access rights R is a 4-tuple (P+, P-, N+, N-) where each component is a subset of {(r, s, o) | r ∈ R, s ∈ S, o ∈ O}
• A grant (r, s, o) iff (r, s, o) ∈ P+
• A deny (r, s, o) iff (r, s, o) ∈ N+
• A fail (r, s, o) iff (r, s, o) ∉ P+ ∪ N+
Examples
• Let V = {x, y, …}, P = {p, q}, S = {A, B, G}, O = {X, Y, Z}
• read-(G, x)
• read+(A, X) → read+(A, Y)
• x ∈ G, read-(G, Y) → read-(x, Y)
• ¬p, write+(x, Z) → ¬read+(x, y)
Closed Policy Base
• A base is closed if it contains only closed rules, i.e. rules whose literals contain no variables.
• B admits two extensions, {write+(A, Y)} and {write+(A, X)}.
Generalized Form • Let be a rule
Open Policy Base
• Each open rule in B stands for all of its ground instances (closed rules).
• If S = {A, B} and O = {X, Y}
Examples of Policy Base
• If a subject s has not been explicitly granted a right r to an object o, then s inherits a denial of r to o if it belongs to a group g that has a denial of r to o.
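The two slide ideas above, the policy as a tuple of (r, s, o) sets with grant/deny/fail decisions and an open rule standing for all of its ground instances, can be shown in one short program. This is an added example and not the paper's code: the subject, object and right sets, the group membership and the explicit grants and denials are constructed (only the names S, O, R, P+ and N+ come from the slides), and the grounding function enumerates every instance of the group-denial rule over S × O × R, generalising the slide's read/Y instance to any right and object. The behaviour when a triple sits in both P+ and N+ is not defined on the slides; the decision function reports it as a conflict rather than resolving it, which is an assumption of this example.

```python
"""Constructed example of a Woo-Lam style authorization policy (not the paper's
code): grant / deny / fail over explicit sets, plus grounding of an open rule."""
from itertools import product

# Constructed sets (assumed data).
S = {"A", "B", "G"}                 # subjects; G is a group
O = {"X", "Y", "Z"}                 # objects
R = {"read", "write"}               # rights
MEMBER = {("A", "G"), ("B", "G")}   # x in G

# Explicit policy: P+ = grants, N+ = denials (the slides' P+ and N+).
P_PLUS = {("read", "A", "X")}
N_PLUS = {("read", "G", "Y")}


def ground_group_denial_rule(p_plus, n_plus, member, subjects, objects, rights):
    """Ground the open rule   x in g, r-(g, o), not r+(x, o)  ->  r-(x, o)
    over every (r, s, o): a subject without an explicit grant inherits each
    denial held by a group it belongs to. Returns the inherited denials, i.e.
    the closed rules the open rule stands for that actually fire."""
    inherited = set()
    for r, s, o in product(rights, subjects, objects):
        if (r, s, o) in p_plus:
            continue                     # explicit grant: no inheritance of the denial
        for x, g in member:
            if x == s and (r, g, o) in n_plus:
                inherited.add((r, s, o))
    return inherited


def decide(r, s, o, p_plus, n_plus):
    """grant iff in P+, deny iff in N+, fail iff in neither P+ nor N+.
    A triple in both sets is reported as 'conflict' (assumption of this example)."""
    in_p, in_n = (r, s, o) in p_plus, (r, s, o) in n_plus
    if in_p and in_n:
        return "conflict"
    if in_p:
        return "grant"
    if in_n:
        return "deny"
    return "fail"


def full_policy(p_plus, n_plus, member, subjects, objects, rights):
    """N+ closed under the grounded inheritance rule; P+ is unchanged."""
    return p_plus, n_plus | ground_group_denial_rule(p_plus, n_plus, member,
                                                     subjects, objects, rights)


if __name__ == "__main__":
    p, n = full_policy(P_PLUS, N_PLUS, MEMBER, S, O, R)
    for triple in (("read", "A", "X"), ("read", "B", "Y"), ("write", "A", "X")):
        print(triple, "->", decide(*triple, p, n))
```

Every triple that is in neither set evaluates to fail, which is exactly the gap the FAM closed and open policies fill with a default; here nothing decides (write, A, X) at all.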
The Bad vs. Evil
• [Woo] cannot resolve conflicts.
• Horizontal composition
• Each SSO specifies a policy base for a part of a system, and multiple SSOs may cover the whole system. The policies may complement or conflict with one another.
• Vertical composition
• An SSO is responsible for his subordinate administrators. The leaf policy bases are more specific and detailed than the root policy base. Composing them can give rise to conflicts.
• [Jajodia] proposes a logic language for expressing authorization rules and shows how this language can express most access control policies. Programs written in this language are a subset of stratified Datalog programs and can therefore express only a limited set of authorization specifications.