Separation of duty with privilege calculus
Chenggong Lv
RSKT2008, 2008-05

Outline
• Background
• Problems
• Privilege Calculus
• An example

Backgrounds and Problems
• Good access control needs clear separation of duty
• We can use
    • Role
    • Constraint
    • Role activation
    • Delegation

Problems
• Conflicts of constraint
    • It's hard to detect and resolve them automatically.
• Complicated activation and delegation
    • It's difficult to trace and regulate them in a clearly visible manner.

Assumptions
• Pi-calculus
    • Represent an interaction as a pair of complementary actions
    • Reduce a process to a sequence of observed actions.
• Interaction commitment
    • It's an ontological commitment
    • If an interaction is observed, its commitments are known
    • The construct 'privilege' is the referent of interaction commitment.

Basic concepts of privilege calculus
• The privilege is a dyad, (f/e, c)
    • Employment, f/e: to employ a function f for an entity e.
    • Condition, c: to reflect a situation with specific facts
• Operations
    • Privilege mergence, p * q
    • Privilege composition, p + q
• Laws of computation

Example: PAL

    namespace "example" {
        let doc1 is TechDoc
        reader := (read + list)/TechDoc
        manager := (reader + write + remove)/TechDoc
        bob := reader + write/TechDoc
        may := manager
        phone := read + list
        officepc := read + list + write + remove
    }

• All of the italic red words are privileges
• Constructs defined with privileges
    • Entity
    • Role
    • User
    • Operation
    • Location

Example: interaction
• User Bob has signed in to a session.
    session1 = bob ∗ officepc
• Bob tries to read the document, doc1.
    readguard = read ∗ [session1 ∗∼(read/doc1)]
  A guarding privilege is a privilege of the framework that regulates an interaction.
• More complicated interaction pattern
    writeguard = write ∗ [session3∗∼(write/doc1)]
    writableguard = writable ∗ [doc1∗∼(writable)]
    interactionguard = writeguard + writableguard
• Regulating component's interactions is the duty of the framework.
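
The PAL definitions above can be evaluated under a simple set reading; this is an added example, not code from the slides or the paper. It assumes, since the slides do not state the laws, that composition p + q is a union of employments, that mergence p ∗ q is an intersection in which an unscoped function matches any entity, and that `Priv`, `DOC_TYPES` and `can` are hypothetical names; the ∼ operator and guards are not modelled.

```python
# Assumed set reading of the PAL example (not the paper's formal semantics).
# A privilege is a set of employments (function, entity); entity None means
# the function has not been scoped to an entity yet. Conditions are omitted.
class Priv:
    def __init__(self, pairs):
        self.pairs = frozenset(pairs)

    def __add__(self, other):
        # Composition p + q, assumed to be the union of employments.
        return Priv(self.pairs | other.pairs)

    def __truediv__(self, entity):
        # Employment f/e: scope every still-unscoped function to entity e.
        return Priv((f, entity if e is None else e) for f, e in self.pairs)

    def __mul__(self, other):
        # Mergence p * q, assumed to keep only employments both sides grant.
        merged = set()
        for f, e in self.pairs:
            for g, d in other.pairs:
                if f == g and (e is None or d is None or e == d):
                    merged.add((f, d if e is None else e))
        return Priv(merged)

    def allows(self, function, entity):
        return any(f == function and e in (None, entity) for f, e in self.pairs)

read, list_, write, remove = (Priv({(n, None)}) for n in ("read", "list", "write", "remove"))
TechDoc = "TechDoc"
DOC_TYPES = {"doc1": TechDoc}           # let doc1 is TechDoc

# Same definitions as the PAL namespace; Python's "/" binds tighter than "+".
reader = (read + list_) / TechDoc
manager = (reader + write + remove) / TechDoc
bob = reader + write / TechDoc
may = manager
phone = read + list_
officepc = read + list_ + write + remove

def can(session, function, doc):
    """True if the session privilege grants `function` on the type of `doc`."""
    return session.allows(function, DOC_TYPES[doc])

if __name__ == "__main__":
    session1 = bob * officepc           # Bob signed in from the office PC
    for fn in ("read", "write", "remove"):
        print("bob@officepc", fn, can(session1, fn, "doc1"))
    print("bob@phone write", can(bob * phone, "write", "doc1"))
```

Under these assumptions the location privilege caps what a user privilege can do in a session: Bob keeps write on doc1 from the office PC but loses it on the phone.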