Timed Constraint Programming: A Declarative Approach to Usage Control

  1. Timed Constraint Programming: A Declarative Approach to Usage Control
  Radha Jagadeesan, Will Marrero, Corin Pitcher (DePaul University), Vijay Saraswat (IBM Research)

  2. Usage Control
  • Scope of Usage Control [Park, Sandhu 2002]
    • Traditional access control
    • Trust management
    • Digital rights management
  • Temporal aspects of UCON policies
    • Terminate ongoing sessions when resource consumption is too high
    • Change access rights during an emergency
    • Enforcement of dynamic separation of duty concerns
  PPDP 2005 - Timed Constraint Programming: A Declarative Approach to Usage Control

  3. This Talk
  • Policy algebra for Usage Control, following the timed concurrent constraint programming paradigm
    • Declarative
    • Default constraint programming addresses negative authorization requirements
    • Reactive computing addresses history-sensitive requirements
  • Policy analysis
    • Equational reasoning
    • Model checking

  4. Outline
  • Motivation
  • Policy algebra
    • Untimed
    • Timed
  • Policy analysis

  5. UCON: Traditional Access Control
  • Can a subject perform an action on an object?
  • Policy captured as an access matrix and enforced by a monitor
  • Centralized authority

  6. Access Control Lists (ACLs)
  • Access Control Lists (ACLs) associated with objects
  • Problem: ACL management is too burdensome
  • Solution: make use of the object hierarchy

  7. ACLs with Inheritance
  • On hierarchically structured objects, MS Windows permits inheritance with ACLs
  • Reduces redundancy
  • Inheritance is optional, so we can always start from the empty ACL if necessary

  8. ACLs with Inheritance
  • Suppose that Alice should not be able to access File 1
  • Failing to inherit from Dir 3 to File 1 causes loss of access to Bob and Charlie
  • Bob and Charlie must be added back explicitly

  9. ACLs with Negative Entries
  • Negative ACL entries reduce redundancy
  • But conflicts must be resolved, e.g.,
    • By order
    • By prioritization of negative entries

  10. Declarative Components
  • Deduction can be used to describe
    • Existing access control systems – for analysis
    • New access control systems – for implementation and analysis
  • Constraints used in policies for NSA's SELinux to restrict permissible domain transitions

  11. UCON: Trust Management
  • Trust Management: decentralized authorities
    • PolicyMaker [Blaze, Feigenbaum, Lacy]
    • SPKI/SDSI [Ellison, Rivest et al]
    • RT family [Li, Mitchell]
      • RT1C – deduction and constraints

  12. UCON: Digital Rights Management
  • Familiar examples:
    • Movie can be played just once
    • Movie can be played repeatedly within 24 hours of first play
  • More generally, history-sensitive policies that control ongoing access to resources
  • Non-trivial behavior in the accessing state of a session
  [Figure: session state diagram with states initial state, requesting, accessing, end, denied, revoked]

  13. UCON: Digital Rights Management
  • Sessions may affect one another
    • In the event of an attack, revoke existing web sessions and only allow administrators to log in via a local console
    • Ryutov and Neuman's GAA-API provides similar capabilities
  • Broad applicability
    • An officer on traffic duty receives limited access to the FBI database if a query to the state database flags the driver as a "person of interest" [Anon, NSA]
    • A doctor may perform an operation only when the patient has signed a consent form [Park & Sandhu]

  14. Separation of Duty
  • The Separation of Duty (SoD) principle limits the harm that can be caused by one person acting alone
  • Example policy: no-one can approve their own purchase requests
    • Static SoD – no-one can be both an approver and a purchaser (too restrictive)
    • History-based SoD – the desired policy (requires runtime monitoring)

  15. The Chinese Wall Security Policy
  • Brewer and Nash's Chinese Wall security policy is a history-based SoD specified in terms of conflict of interest
  • A law firm working as both prosecution and defense counsel must partition staff carefully and prevent information leaks
    • Staff are initially unassigned
    • Upon reading a prosecution file, they are forbidden from accessing defense files in the future
  • Generally, resources are assigned owners, and the owners may be in conflict
  • Prevents accidental or malicious leakage by users / Trojan horses, but not water fountain gossip

  17. Policy Algebra
  • Existing declarative policy algebras for untimed policies
  • Existing work on timed policies lacks notions such as multiform time and preemption identified by the reactive systems community
  • Adapt existing work on an approach to reactive systems using Timed Default concurrent constraint programming

  19. Untimed Fragment: 3-Valued Logic
  • 3-valued logic
    • true – grant access
    • false – deny access
    • ⊥ – neither grant nor deny access
  • Operators:
    • P and Q
    • P or Q
    • not (P)
    • P def Q
    • P left Q

  20. Untimed Fragment: Constraint Store
  • Concurrent constraint programming paradigm
    • From store-as-valuation to store-as-constraint
    • Constraint system includes an entailment relation
    • "read" becomes "ask", using entailment to query the store
    • "write" becomes "tell", adding to the store
  • Ask: if a then P else Q
    • Runs P if "a" is entailed by the store
    • Otherwise runs Q
  • Tell: discussed later

  21. Untimed Fragment: Functions
  • Policy language permits (recursive) functions
  • Policy function CheckAccess with username parameter u
    CheckAccess(u) :: if u ∈ Students then true else ⊥

  22. Access Control Lists
    CheckACL(u,p) ::
      (if u ∈ NegACL(p) then false)
      def (if u ∈ PosACL(p) then true)
      def (if p ≠ / ∧ p ∈ Inherits then CheckACL(u,parent(p)))
      def false
  • Test negative entries on current path p
  • Test positive entries on current path p
  • Test inherited rights from parent directory, if any
  • Otherwise access is denied
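The untimed fragment of slides 19–22, as an added example that is not code from the paper or its jcc implementation. It uses Python's True / False / None for the three-valued results, with None standing in for ⊥, evaluates `def` as "take the left result unless it is ⊥", and reduces the constraint store to membership tests on a constructed directory tree (the tree reproduces the Alice / Bob / Charlie situation of slide 8: Alice is blocked by a negative entry on File 1 while the others keep their inherited access). The names STUDENTS, AclNode, FS and parent are assumptions of this example.

```python
# Added example: toy evaluator for the untimed policy fragment (slides 19-22).
# Not code from the paper. None plays the role of bottom (neither grant nor deny);
# "ask" is modelled as plain membership on constructed sample data.
from dataclasses import dataclass
from typing import FrozenSet, Optional

Result = Optional[bool]   # True = grant, False = deny, None = bottom


# Strong Kleene connectives on the three-valued result type.
def p_and(p: Result, q: Result) -> Result:
    if p is False or q is False:
        return False
    return None if (p is None or q is None) else True


def p_or(p: Result, q: Result) -> Result:
    if p is True or q is True:
        return True
    return None if (p is None or q is None) else False


def p_not(p: Result) -> Result:
    return None if p is None else (not p)


def p_def(p: Result, q: Result) -> Result:
    """P def Q: the result of P, with Q as the default when P yields bottom."""
    return q if p is None else p


def ask_then(cond: bool, value: Result) -> Result:
    """'if a then P' with no else-branch: bottom when a is not entailed."""
    return value if cond else None


# Slide 21: CheckAccess(u) :: if u in Students then true else bottom
STUDENTS = frozenset({"alice", "bob"})   # constructed sample data (assumption)


def check_access(u: str) -> Result:
    return ask_then(u in STUDENTS, True)


# Slide 22: ACLs with negative entries and optional inheritance.
@dataclass(frozen=True)
class AclNode:
    pos: FrozenSet[str] = frozenset()   # PosACL(p)
    neg: FrozenSet[str] = frozenset()   # NegACL(p)
    inherits: bool = True               # p in Inherits


# Constructed tree (assumption) reproducing slide 8: Alice must not reach
# File 1, while Bob and Charlie keep the access they inherit from the root.
FS = {
    "/":            AclNode(pos=frozenset({"alice", "bob", "charlie"})),
    "/dir3":        AclNode(),
    "/dir3/file1":  AclNode(neg=frozenset({"alice"})),
    "/dir3/file2":  AclNode(),
    "/private":     AclNode(pos=frozenset({"alice"}), inherits=False),
}


def parent(p: str) -> str:
    head = p.rsplit("/", 1)[0]
    return head if head else "/"


def check_acl(u: str, p: str) -> Result:
    """CheckACL(u,p) from slide 22: a negative entry wins, then a positive
    entry, then whatever the parent directory says, then deny by default."""
    node = FS[p]
    negative = ask_then(u in node.neg, False)
    positive = ask_then(u in node.pos, True)
    inherited = check_acl(u, parent(p)) if (p != "/" and node.inherits) else None
    return p_def(negative, p_def(positive, p_def(inherited, False)))
```

The order of the `def` chain is the whole point: because the negative test comes first, `check_acl("alice", "/dir3/file1")` is False even though Alice inherits a positive entry from the root, and `check_acl("bob", "/private")` is False because the node opts out of inheritance and nothing grants Bob explicitly. A query that no clause decides falls through to the final `false`, so the function never returns ⊥ to the monitor.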

  24. Reactive Systems
  • Reactive systems continuously react to their environment at a speed determined by their environment [Halbwachs]
  • Well-established theory and tools, e.g., Esterel, Lustre, Signal

  25. Reactive Systems
  • View temporal policies as reactive systems [McDougall et al]
  • The environment is the security monitor
    • Queries whether requests should be granted
    • Passes relevant events to the policy, e.g., time passing or attack detected
  [Figure: Environment and Policy exchanging messages: query(…) answered false, event(…), query(…) answered true]

  26. Timed Concurrent Constraint Programming
  • Timed cc and Timed Default cc – extensions of concurrent constraint programming for reactive systems
  • Each time instant (reacting to environmental stimulus) has its own store
  • Process residual remains for the next time instant
  [Figure: process P0 asks/tells store0, its residual P1 asks/tells store1, its residual P2 asks/tells store2]

  27. Timed Fragment: Operators
  • next(tell(a)) – tells constraint a to the store in the next time instant
  • hence(P) – runs a fresh copy of P at every subsequent time instant
  • time P on-present a (time P on-absent a) – runs P when a is (is not) entailed by the store
  • Other temporal operators are definable
    • always(P)
    • first a do P
    • P until a

  28. Example: Timed Policy Change
  • Prevent access to files during a time frame delimited by start / stop events
    • System load becomes too high
    • Intrusion detection system identifies an attack
    • Deletion / modification of files forbidden during a criminal investigation
    CheckACLTimedPolicyChange(u,p) ::
      (if p ∈ Affected ∧ Started then false)
      def CheckACL(u,p)

  29. Example: Timed Policy Change
  • Upon a Start event, tell Started to future stores
  • Stop event preempts execution of the inner process
    always ( if Start then (always (next (tell (Started)))) until Stop )
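The timed policy change of slides 28–29 run over a constructed event trace, as an added example that is not code from the paper. It models the store-per-instant discipline of slide 26 directly: the environment supplies each instant's stimuli (the Start and Stop events), and `next(tell(Started))` places Started in the store of the following instant only. Assumptions of this example: "until Stop" preempts strongly (a live copy of the inner process does nothing in the instant in which Stop is present), the Affected set and the base CheckACL are fixed dictionaries, and the trace itself is made up.

```python
# Added example: store-per-instant simulation of the timed policy change
# (slides 28-29). Not code from the paper; Affected, BASE_ACL and TRACE are
# constructed sample data.
from typing import Dict, List, Set, Tuple

AFFECTED = {"/db/records"}                       # p in Affected (assumption)
BASE_ACL: Dict[str, Set[str]] = {                # stand-in for CheckACL(u,p)
    "/db/records": {"alice", "bob"},
    "/pub/readme": {"alice", "bob", "carol"},
}


def check_acl(u: str, p: str) -> bool:
    return u in BASE_ACL.get(p, set())


def check_acl_timed_policy_change(u: str, p: str, store: Set[str]) -> bool:
    """(if p in Affected and Started then false) def CheckACL(u,p)"""
    if p in AFFECTED and "Started" in store:
        return False
    return check_acl(u, p)


class Timeline:
    """Each instant has its own store: that instant's stimuli plus whatever
    earlier instants told with next(tell(...))."""

    def __init__(self) -> None:
        self.pending: Set[str] = set()

    def next_tell(self, a: str) -> None:
        self.pending.add(a)                      # visible at instant t+1 only

    def advance(self, stimuli: Set[str]) -> Set[str]:
        store = set(stimuli) | self.pending
        self.pending = set()
        return store


def simulate(trace: List[Set[str]], u: str = "alice",
             affected: str = "/db/records", other: str = "/pub/readme"
             ) -> List[Tuple[int, bool, bool, bool]]:
    """Run always( if Start then (always(next(tell(Started)))) until Stop )
    over the trace, querying the policy at every instant. Each entry is
    (instant, Started entailed?, decision on affected, decision on other)."""
    tl = Timeline()
    live_copies = 0          # copies of always(next(tell(Started))) not yet preempted
    results = []
    for t, stimuli in enumerate(trace):
        store = tl.advance(stimuli)
        if "Stop" in store:
            live_copies = 0                      # "until Stop": strong preemption
        if "Start" in store:
            live_copies += 1                     # outer always spawns a fresh copy
        if live_copies:
            tl.next_tell("Started")              # next(tell(Started)) for t+1
        results.append((t, "Started" in store,
                        check_acl_timed_policy_change(u, affected, store),
                        check_acl_timed_policy_change(u, other, store)))
    return results


# Constructed trace: Start arrives at instant 1, Stop at instant 3.
TRACE: List[Set[str]] = [set(), {"Start"}, set(), {"Stop"}, set(), set()]

if __name__ == "__main__":
    for t, started, on_affected, on_other in simulate(TRACE):
        print(f"t={t} Started={started} affected={on_affected} other={on_other}")
```

Two details of the timing are worth checking against the operator semantics on slide 27. First, the instant in which Start arrives still grants: the inner process uses `next(tell)`, so Started is not in that instant's store. Second, Stop preempts the inner process but cannot retract the Started already told for the Stop instant, so the lockdown lasts through the instant of Stop and is lifted from the one after. A monitor that needs the lockdown to take effect in the same instant as the event would have to tell Started in the current store as well.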

  30. The Chinese Wall Security Policy
  • Assume an owner function and a conflict relation conf in the constraint system
    CheckACLWithCW(u,p) ::
      (if CheckACL(u,p) then
        if ∀X. ¬(conf(X,owner(p)) ∧ read(u,X))
        else true left always (next (tell (read(u,owner(p))))))
      def false

  32. Policy Analysis
  • Does a policy behave as we expect?
  • Two approaches
    • Equational reasoning based on a bisimilarity relation
    • Model checking

  33. Equational Reasoning
  • A policy is a process that reacts to additions to the store, and produces an output result (true, false, or ⊥)
  • By coinduction, define bisimilarity as the greatest relation that cannot distinguish processes using
    • Same additions to the store for both processes
    • Observing the output result
  • Theorem: bisimilarity is a congruence

  34. Model Checking
  • Goal: reuse existing technology if possible
  • Construct a transition system for a policy, where transitions indicate queries (with response) or events supplied by the environment
  • With recursion and finiteness restrictions, the transition system is finite
    • By a translation into Timed Default cc and a theorem due to Saraswat, Jagadeesan, Gupta

  35. Model Checking
  • Interesting properties can be expressed using linear temporal logic (LTL)
  • Simple safety (from Li, Mitchell, Winsborough 2003): Does there exist a reachable state in which a (presumably untrusted) principal u has access to a resource p?
    G (¬grant(u,p))
  • Analysis with state-dependent restrictions, e.g., for the Chinese Wall policy with a finite set of users and two resources p1 and p2 that are in conflict
    ∀u. G (grant(u,p1) ⇒ G (¬grant(u,p2)))
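An explicit-state check of the two properties on slide 35 against the Chinese Wall policy of slides 15 and 30, as an added example that is not code from the paper. The paper obtains the finite transition system by translation into Timed Default cc; here it is built by hand as a breadth-first search over reachable stores, where each transition is one query (u, p) answered by the policy and a grant records read(u, owner(p)) for all later instants, as `always(next(tell(read(u,owner(p)))))` does. Both LTL formulas on the slide are safety properties, so a violation is a finite query sequence and the checker returns it as a counterexample. Assumptions of this example: two users, two resources whose owners conflict, a dictionary standing in for CheckACL, and a deliberately history-blind `naive_policy` included only to show the checker finding a violation.

```python
# Added example: explicit-state model check of the Chinese Wall policy against
# the LTL safety properties of slide 35. Not code from the paper; the instance
# (users, resources, owners, base ACL) is constructed sample data.
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Fact = Tuple[str, str]                  # read(u, owner) is stored as (u, owner)
Store = FrozenSet[Fact]
Policy = Callable[[str, str, Store], bool]
Query = Tuple[str, str, bool]           # (u, p, granted) as answered by the policy

USERS = ["alice", "bob"]
RESOURCES = ["p1", "p2"]
OWNER = {"p1": "prosecution", "p2": "defense"}
CONF = {("prosecution", "defense"), ("defense", "prosecution")}   # conf relation
BASE_ACL: Dict[str, Set[str]] = {"p1": {"alice", "bob"}, "p2": {"alice"}}


def check_acl(u: str, p: str) -> bool:
    return u in BASE_ACL[p]


def cw_policy(u: str, p: str, store: Store) -> bool:
    """Slide 15 in code: grant iff CheckACL grants and u has read nothing
    owned by a party in conflict with owner(p)."""
    if not check_acl(u, p):
        return False
    return not any((x, OWNER[p]) in CONF and (u, x) in store
                   for x in set(OWNER.values()))


def naive_policy(u: str, p: str, store: Store) -> bool:
    """History-blind variant (deliberately wrong): ignores the read facts."""
    return check_acl(u, p)


def step(policy: Policy, store: Store, u: str, p: str) -> Tuple[bool, Store]:
    """One query; a grant records read(u, owner(p)) for every later instant."""
    granted = policy(u, p, store)
    return granted, (store | {(u, OWNER[p])} if granted else store)


def find_violation(policy: Policy, p1: str,
                   bad: Callable[[FrozenSet[str], str, str, bool], bool]
                   ) -> Optional[List[Query]]:
    """Breadth-first search over reachable states (store, users already
    granted p1). Returns the query sequence ending in the first transition
    for which bad(flagged, u, p, granted) holds, or None if none is reachable."""
    init = (frozenset(), frozenset())
    seen = {init}
    queue = deque([(init, [])])
    while queue:
        (store, flagged), path = queue.popleft()
        for u in USERS:
            for p in RESOURCES:
                granted, store2 = step(policy, store, u, p)
                trace = path + [(u, p, granted)]
                if bad(flagged, u, p, granted):
                    return trace
                flagged2 = flagged | {u} if (granted and p == p1) else flagged
                state2 = (store2, flagged2)
                if state2 not in seen:
                    seen.add(state2)
                    queue.append((state2, trace))
    return None


def simple_safety(policy: Policy, u: str, p: str) -> Optional[List[Query]]:
    """G not grant(u,p): is there a reachable state in which u gets access to p?"""
    return find_violation(policy, p, lambda _f, uu, pp, g: g and (uu, pp) == (u, p))


def chinese_wall_property(policy: Policy, p1: str = "p1", p2: str = "p2"
                          ) -> Optional[List[Query]]:
    """forall u. G( grant(u,p1) -> G not grant(u,p2) )"""
    return find_violation(policy, p1,
                          lambda flagged, u, p, g: g and p == p2 and u in flagged)
```

`chinese_wall_property(naive_policy)` returns the two-query counterexample in which alice reads p1 and is then granted p2, while `chinese_wall_property(cw_policy)` returns None because every reachable store in which alice holds read(alice, prosecution) makes the policy deny p2. The state space stays small because read facts only accumulate, which is the finiteness the paper relies on for a fixed set of users and resources.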

  36. Summary
  • There is a need for history-sensitive policies
  • Constraints already appear in security theory and practice
  • This paper: a temporal policy algebra
    • Combines constraint entailment and negation
    • Declarative timed features from reactive programming languages
    • Policy analysis via coinductive equational reasoning and model checking

  37. Future Work
  • Implementation in progress (based on jcc)
  • Case studies
  • Practical model checking?

  38. Thank You!

  40. Properties