Access Control Policy Translation and Verification Within
Heterogeneous Data Federations
Gregory Leighton, Denilson Barbosa
University of Alberta, June 11, 2010
Outline
• Problem setting, challenges, and background
• Access control policy translation
• Verification of translated access control policies
  – Static analysis
  – Dynamic analysis
• Expressing translated policies in XACML
• Open issues & future work
June 11, 2010 ACP Translation/Verification Within Heterogeneous Data Federations 2
PROBLEM SETTING, CHALLENGES, & BACKGROUND
Problem Setting
Figure (problem setting): Data Source 1 … Data Source n, each holding an independently maintained relational database, publish their contents into one federated XML view.

Data Source 1 table:
  Patient    SSN
  A. Smith   123456789
  B. Wilson  345897567

Data Source n table:
  Pname      SSN        Age
  F. Brown   225467987  23
  C. Murray  514376845  65

Published XML tree:
  patients
    patient: name “A. Smith”, ssn “123456789”
    patient: name “B. Wilson”, ssn “345897567”
    patient: name “C. Murray”, ssn “514376845”, age “65”

Each publishing function (one per data source) is a contract specifying how relational database contents are exposed as XML to the larger data federation.
Each data source also has an access control policy Ai (A1 … An) defined over the local database.
Each data source also defines an identity mapping function I, specifying an assignment of each local user to one or more federated identities.
Challenges
• Individual data sources are often independently maintained
  – Each ACP is defined over a set of local identities
  – Need a centralized user authentication system capable of translating local identities into federated identities valid across the federation, without violating the need-to-know principle
• Many access control models for relational and XML data already exist… but translating from one to the other must be done manually and is non-trivial due to several factors
  – “Real world” relational ACPs can be very large (hundreds of rules defined over a large set of database objects)
  – The hierarchical nature of XML introduces extra difficulties (when is it appropriate for permissions to be propagated from a parent node to a child?)
  – Combining ACPs originating from different data sources can lead to policy conflicts
XML Publishing Transducers
• We represent the publishing function as a publishing transducer (Fan et al. 2007), a 4-tuple (Q, Σ, q0, and a finite set of transduction rules), where
  – Q is a set of states;
  – Σ is a finite tag alphabet;
  – q0 is the designated start state associated with the root tag r;
  – the last component is a finite set of transduction rules.
• Transduction rules are of the form
  (q, a) → (q1, a1, query1(x1; y1)), …, (qk, ak, queryk(xk; yk))
  with states in Q, tags in Σ, and each query posed on D and/or the local node register.
• Queries in rules are drawn from one of three classes: conjunctive (=, ≠), first-order (=), or inflationary fixpoint (=).
Example: publishing a relation as XML

Source relation (the root node's register):
  ssn        name   age
  123456789  Carol  31
  197453163  Doug   45

Generated tree, annotated with (state, tag) at each node; each patient node's register holds one tuple, each leaf's register holds one value:
  (q0, patients)
    (q1, patient)  register: ssn 123456789, name Carol, age 31
      (q1, @ssn) 123456789
      (q1, name) Carol
      (q1, age) 31
    (q1, patient)  register: ssn 197453163, name Doug, age 45
      (q1, @ssn) 197453163
      (q1, name) Doug
      (q1, age) 45

Transduction Rule:
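To make the transduction concrete, here is an added example (not code from the talk or the paper) that materializes the tree above; the dictionary encoding of rules, the `transduce`/`render` names and the sample relation are assumptions of the example.

```python
# Added example (not from the talk): a tiny publishing transducer that
# materializes the XML tree for the Carol/Doug relation, keeping each node's
# register (the data it was produced from) next to its (state, tag) label.
# Assumed rule form: (state, tag) -> [(child_state, child_tag, query)], where
# query maps the parent's register to the list of child registers.

# Constructed sample relation: the patient table from the slide.
PATIENTS = [
    {"ssn": "123456789", "name": "Carol", "age": "31"},
    {"ssn": "197453163", "name": "Doug", "age": "45"},
]

# The root register is the whole relation; each <patient> register is one tuple.
RULES = {
    # root: one <patient> child per tuple; the query is a scan of D
    ("q0", "patients"): [("q1", "patient", lambda reg: [t for t in reg])],
    # per tuple: project the three fields from the local node register
    ("q1", "patient"): [
        ("q1", "@ssn", lambda reg: [reg["ssn"]]),
        ("q1", "name", lambda reg: [reg["name"]]),
        ("q1", "age", lambda reg: [reg["age"]]),
    ],
}


def transduce(rules, state, tag, register):
    """Apply the rules depth-first; returns (state, tag, register, children)."""
    children = []
    for child_state, child_tag, query in rules.get((state, tag), []):
        # Each answer of the query becomes one child node whose register
        # holds that answer (a tuple, or a text value at the leaves).
        for answer in query(register):
            children.append(transduce(rules, child_state, child_tag, answer))
    return (state, tag, register, children)


def render(node, depth=0):
    """Flatten the tree into indented '(state, tag) value' lines."""
    state, tag, reg, kids = node
    value = "" if isinstance(reg, (list, dict)) else " " + reg
    lines = ["  " * depth + f"({state}, {tag}){value}"]
    for kid in kids:
        lines.extend(render(kid, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(render(transduce(RULES, "q0", "patients", PATIENTS))))
```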
ACCESS CONTROL POLICY TRANSLATION
Access Control Models for XML
• Many XML access control models have been proposed, specifying how permissions may be specified over an XML tree
  – Policy language (typically, an XPath fragment)
  – Rule scope (node, node+attributes, node+text, node+descendants, …)
  – Conflict resolution policy, default semantics (allow vs. deny)
• But… these models say nothing about how an SQL access control policy can be equivalently expressed over a published XML tree!
• What’s needed: the ability to augment a publishing function with additional information needed to preserve the original SQL ACP A over the published XML document (D) – a secure publishing function ʹ
ACP Translation Framework
Figure: the ACP Translator takes as input the relational schema S, the relational ACP A, the publishing function, and the identity mapping I, and outputs a secure publishing function.
We represent a secure publishing function as a secure publishing transducer (SPT), which extends the definition of a publishing transducer in two ways:
• Each tree node generated during the transduction process is assigned an access bitstring, recording the relevant permissions for that node
• Additional transduction rules are needed to model conditional access permissions (i.e., separate rules are needed to handle both possibilities: where the condition is/is not satisfied)
Preservation of Access Control Policies
A secure publishing function ʹ preserves an SQL access control policy A if, for each federated ID f and permission p, the following conditions are satisfied over the XML tree ʹ(D):
1. (Sufficiency condition) For every relational database object o made accessible to f by A under permission p, the XML representation of o in ʹ(D) is also accessible to f within the context of permission p.
2. (Necessity condition) The XML representation of a database object o in ʹ(D) is only made accessible to f within the context of p if o was originally made accessible to f by A under permission p.
Transduction Rules
Each rule in the secure publishing transducer has the form of a publishing-transducer rule, extended with bitstrings, where
• the left-hand state is a state in Q;
• the left-hand tag is a tag in Σ;
• the left-hand bitstring and each right-hand bitstring are access bitstrings; and
• each right-hand query is a query on D and/or the local node register.

Example access bitstring: 11 11 10 00
  1st bit: Carol holds “select” permission
  2nd bit: Carol holds grant option for “select”
  3rd bit: Carol holds “insert” permission
  4th bit: Carol does not hold grant option for “insert”
  5th bit: Doug holds “select” permission
  6th bit: Doug does not hold grant option for “select”
  7th bit: Doug does not hold “insert” permission
  8th bit: Doug does not hold grant option for “insert”
In general, bitstrings will be of length
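An added example (not from the talk or the paper) that encodes access bitstrings in the bit order the per-bit description above gives (federated ID, then permission, then the holds/grant-option pair) and checks the sufficiency and necessity conditions from the preservation definition; the function names, the grants table and the object-to-node mapping are assumptions.

```python
# Added example (not from the talk): encode/decode the per-node access
# bitstring described above and check the two preservation conditions
# against a relational ACP. Assumed layout: one pair of bits per
# (federated ID, permission), in list order; first bit = holds the
# permission, second bit = holds its grant option.

FEDERATED_IDS = ["Carol", "Doug"]
PERMISSIONS = ["select", "insert"]


def encode(grants, ids=FEDERATED_IDS, perms=PERMISSIONS):
    """grants: {(id, perm): (holds, grant_option)} -> bitstring."""
    bits = []
    for fid in ids:
        for perm in perms:
            holds, option = grants.get((fid, perm), (False, False))
            bits.append("1" if holds else "0")
            bits.append("1" if option else "0")  # grant-option bit
    return "".join(bits)


def decode(bitstring, ids=FEDERATED_IDS, perms=PERMISSIONS):
    """Inverse of encode: set of (id, perm) pairs whose 'holds' bit is 1."""
    assert len(bitstring) == 2 * len(ids) * len(perms), "wrong length"
    granted, i = set(), 0
    for fid in ids:
        for perm in perms:
            if bitstring[i] == "1":
                granted.add((fid, perm))
            i += 2  # skip the grant-option bit
    return granted


def preserves(rel_acp, xml_nodes):
    """rel_acp: set of (id, perm, object) allowed by A; xml_nodes: {object:
    bitstring} for that object's XML node. Returns (sufficiency violations,
    necessity violations); both empty iff the translation preserves A."""
    xml_acp = {(fid, perm, obj)
               for obj, bits in xml_nodes.items()
               for fid, perm in decode(bits)}
    return rel_acp - xml_acp, xml_acp - rel_acp


# Constructed grants following the bit-by-bit description on the slide.
CAROL_DOUG = {("Carol", "select"): (True, True),
              ("Carol", "insert"): (True, False),
              ("Doug", "select"): (True, False)}
# encode(CAROL_DOUG) -> "11101000"
```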
Expressibility Problem
For an arbitrary relational database D with schema S, relational ACP A, and publishing function, can one always find a secure publishing function ʹ that preserves A over (D)?
• Result: an algorithm for solving the expressibility problem (see paper)
  – Applicable when the publishing function can be expressed as a publishing transducer
  – Time complexity:
VERIFICATION OF TRANSLATED ACCESS CONTROL POLICIES
Verification of Translated ACPs: Two Problem Variants
Dynamic Verification and Static Verification
Figure: in the dynamic variant, the Policy Verifier takes S, A, I, the supplied S.P.T. and a database instance D and checks whether the derived and supplied transducers yield the same tree (D); in the static variant it takes S, A, I and the supplied S.P.T. and must decide the same for every D.
Inputs: rel. schema S; rel. ACP A; identity mapping function I; S.P.T.; database instance D (for dynamic variant only)
Dynamic Verification
Applicable for scenarios where database contents do not change frequently (e.g., archival data)
Procedure:
1. Derive an S.P.T. from the supplied inputs S, A, I, and the publishing function
2. For the specific database instance D, obtain XML trees X1 = (D) (from the derived S.P.T.) and X2 = (D) (from the supplied S.P.T.) and ensure that, at each tree position, the corresponding nodes in X1 and X2
   i. have the same label
   ii. have the same number of children
   iii. have the same bitstring assignment
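An added example (not from the talk or the paper) implementing the position-by-position comparison of step 2; the nested-tuple tree shape and the constructed X1/X2 are assumptions of the example.

```python
# Added example (not from the talk): the position-by-position comparison at
# the heart of dynamic verification. Trees X1 (from the derived S.P.T.) and
# X2 (from the supplied S.P.T.) are assumed to be nested (label, bitstring,
# children) tuples; mismatch positions are child-index paths from the root.

def compare_trees(x1, x2, path=()):
    """List of (path, reason) mismatches; [] means X1 and X2 agree."""
    label1, bits1, kids1 = x1
    label2, bits2, kids2 = x2
    problems = []
    if label1 != label2:                 # condition (i)
        problems.append((path, f"label {label1!r} != {label2!r}"))
    if len(kids1) != len(kids2):         # condition (ii)
        problems.append((path, f"{len(kids1)} children != {len(kids2)}"))
    if bits1 != bits2:                   # condition (iii)
        problems.append((path, f"bitstring {bits1} != {bits2}"))
    # only positions present in both trees can be compared further
    for i, (k1, k2) in enumerate(zip(kids1, kids2)):
        problems.extend(compare_trees(k1, k2, path + (i,)))
    return problems


def verify_dynamic(x1, x2):
    """True iff every tree position satisfies conditions (i)-(iii)."""
    return not compare_trees(x1, x2)


# Constructed trees for the Carol/Doug example (2 IDs x 2 permissions = 8
# bits per node). ALL follows the per-bit description on the bitstring
# slide; in X2 the supplied S.P.T. wrongly sets Doug's "insert" bit (7th)
# on Carol's <age> node.
ALL = "11101000"

def patient(age_bits=ALL):
    return ("patient", ALL, [("@ssn", ALL, []), ("name", ALL, []),
                             ("age", age_bits, [])])

X1 = ("patients", ALL, [patient(), patient()])
X2 = ("patients", ALL, [patient("11101010"), patient()])
```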
Static Verification
Procedure:
1. Derive an S.P.T. from the supplied inputs: the publishing function, S, A, and I
2. Verification of the supplied S.P.T. succeeds iff the following conditions are met:
   i. For every database D conforming to schema S, the derived and supplied S.P.T.s produce the same tree (D)
   ii. Relational ACP A and the access bitstrings in the supplied S.P.T. share the same semantics
Verification of Translated ACPs: Computational Complexity
We consider the complexity of deciding both problem variants for various classes of S.P.T.s SPT(L,S,A), where
• L denotes the language of queries appearing in transduction rules (FO or CQ);
• S is either TP or RL, indicating whether each node register in the produced XML tree stores a single tuple or a relation; and
• A specifies the complexity of queries appearing in the relational ACP rules (FO or CQ)
SPTnr(L,S,A) denotes the subclass of S.P.T.s without recursion in transduction rules
Verification of Translated ACPs: Computational Complexity (continued)
  SPT class          Dynamic Verification   Static Verification
  SPT(L,rl,A)        2EXPTIME               undecidable
  SPT(L,tp,A)        EXPTIME                undecidable
  SPTnr(FO,tp,A)     PTIME                  undecidable
  SPTnr(CQ,tp,A)     PTIME                  3P-complete
Dynamic verification: complexity is dominated by the cost of materializing the XML trees, given the two S.P.T.s
Static verification: complexity is dominated by the need to decide equivalence between the two S.P.T.s
EXPRESSING TRANSLATED ACPS IN XACML
Generating XACML From a Translated ACP
Figure: the XACML Generator takes the secure publishing transducer as input and outputs an XACML Policy.
• The process is done at the schema level – only once for each secure publishing function
• The generated XACML policy is applicable to all generated XML trees (D)
Expressing Translated ACPs in XACML
Procedure:
1. Construct a rule reachability graph (RRG) from the transduction rules in the S.P.T.
   • Nodes are transduction rules; edge (i, j) indicates that the i-th rule contains a reference to the j-th rule in its RHS, and is labelled with the associated query
2. Traverse the RRG in preorder
   • If the last travelled edge is labelled with a conditional query, the condition needs to be resolved into an equivalent XPath expression (see paper)
   • Each time the bitstrings for a parent and child node in the RRG differ, a new XACML policy rule is created
3. Created XACML policy rules sharing the same subset of federated IDs as their subject are combined into a single policy rule
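An added example (not from the talk or the paper) of steps 1 to 3: it builds the RRG for a small constructed S.P.T., walks it in preorder emitting a (subjects, XPath) rule wherever the bitstring changes, and merges rules by subject set; the rule encoding, the one-permission bitstrings and the assumption that conditional queries are already XPath predicates are all the example's own.

```python
# Added example (not from the talk): build the rule reachability graph (RRG)
# of a small S.P.T. and walk it in preorder, emitting an XACML-style rule
# wherever a child's bitstring differs from its parent's. Assumed: each rule
# has a tag, a bitstring (2 bits per federated ID for one permission: holds,
# grant option) and RHS refs (child_rule, xpath_predicate_or_None); conditional
# queries are already resolved to XPath predicates; no recursion (SPTnr).

IDS = ["Carol", "Doug"]

# Constructed S.P.T.: Doug may not read <age>; <note> exists for one ssn only.
SPT = {
    "r0": {"tag": "patients", "bits": "1010", "refs": [("r1", None)]},
    "r1": {"tag": "patient", "bits": "1010",
           "refs": [("r2", None), ("r3", None), ("r4", "[@ssn='123456789']")]},
    "r2": {"tag": "name", "bits": "1010", "refs": []},
    "r3": {"tag": "age", "bits": "1000", "refs": []},
    "r4": {"tag": "note", "bits": "1000", "refs": []},
}

def build_rrg(spt):
    """Edges (i, j, label): rule i references rule j in its RHS."""
    return [(i, j, q) for i, r in spt.items() for j, q in r["refs"]]

def subjects(bits):
    """Federated IDs whose 'holds' bit (every other bit) is set."""
    return frozenset(fid for fid, b in zip(IDS, bits[::2]) if b == "1")

def generate_rules(spt, root):
    """Preorder walk of the RRG; emit (subjects, xpath) when the bitstring
    changes between parent and child (the root always gets a rule)."""
    rrg, out = build_rrg(spt), []

    def walk(rule_id, path, parent_bits):
        r = spt[rule_id]
        path = path + "/" + r["tag"]
        if r["bits"] != parent_bits:
            out.append((subjects(r["bits"]), path))
        for i, j, q in rrg:
            if i == rule_id:  # an edge predicate narrows the parent step
                walk(j, path + (q or ""), r["bits"])

    walk(root, "", None)
    return out

def combine(rules):
    """Step 3: merge rules sharing the same subject set into one policy rule."""
    merged = {}
    for subs, xpath in rules:
        merged.setdefault(subs, []).append(xpath)
    return merged
```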
Future Work
Policy Translation
• Automating the discovery of a “smallest set” of federated identities needed to preserve the semantics of each relational ACP, while also obeying the need-to-know principle
• Minimization of secure publishing transducers
  – Minimizing the number of transduction rules
  – Minimizing queries in each transduction rule
Policy Verification
• In general, verification is difficult or undecidable – can subclasses of S.P.T.s for which verification is more tractable be identified?
• Consider additional problem variants
  – Translated policy is specified as an XACML policy, not an S.P.T.
  – List of federated users is not fixed – requires reasoning about ACPs instead of bitstrings
Final Slide
• Thank you
• Questions?