Composite Decentralized Access Control · 2018-09-05 · slide transcript
Composite Decentralized Access Control
Petar Tsankov, Srdjan Marinovic, Mohammad Torabi Dashti, David Basin
Institute of Information Security, ETH Zurich
Example: SweGrid
Goal: provides computational and storage resources to researchers
Access control requirements:
– A project leader delegates his authority over resources to principals
– A project leader composes the principals' policies (e.g., using permit-override)
Delegation
Multiple principals can issue access rights
[Diagram: project leaders Dave and Bob delegate to researchers, who in turn issue access rights; this is decentralized access control]
Composition
Policy decisions in large-scale systems: Grant, Deny, Not-applicable, Conflict
[Diagram: the policies of Dave and Bob are composed ('+') under the project leader]
Composition operators, e.g.: Permit-override, Deny-override, Conflict-override
Delegation together with composition: Composite Access Control
System Model
[Diagram: principals write policies that realise the requirements controlling subjects' access to resources; a PEP enforces the decisions of a PDP that evaluates the policies]
Related Work (grouped by the mechanism supported; systems and standards versus formal foundations)
Delegation
  Systems and standards: SecPAL for Grid, KeyNote PDP (RFC 2704), ...
  Formal foundations: RT ('01), DKAL ('08), ...
Composition
  Systems and standards: XACML v2.0, ...
  Formal foundations: PBel ('08), D-Algebra ('09), PTaCL ('12), ...
Delegation + Composition
  Systems and standards: SweGrid, XACML v3.0 ('13), WSO2 ID Server
  Formal foundations: BelLog (this talk)
How to Build Access Control Systems
Specify Policy
➔ Formal semantics
➔ Support for delegation
➔ Support for composition
Verify Policy
➔ Analysis language
➔ Decision algorithms
Construct PDP
➔ Efficient evaluation algorithm
Belnap Logic + Datalog = BelLog
Belnap logic: four truth values under two orderings, the truth ordering and the knowledge ordering
(Stratified) Datalog: program, rule, literal, atom
BelLog: program, rule, literal, atom, with two negations: negation on truth and negation on knowledge
Semantics: extend stratified Datalog to a four-valued fixed-point semantics
BelLog Examples
Transitive delegation
Policy targets
Agreement
Conflict-override
Other idioms?
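The composition operators from the Composition slide and the idioms listed here, worked through in code. This is an added example written for this page, not the authors' BelLog interpreter: a small four-valued Datalog evaluator in Python in which a Belnap value is a pair (evidence for, evidence against), so the truth ordering, the knowledge ordering and both negations become one-line operations. The encodings of the idioms (restriction through a guard, conflict-override as a tie-break, agreement as the knowledge meet), the convention that all rule bodies for one head are merged with the knowledge join, and the SweGrid scenario (Dave, Alice, Carol, Mallory, subject eve, resources cluster1 and storage) are my assumptions.

```python
"""Four-valued (Belnap) Datalog evaluator for a SweGrid-style policy.
A value is a pair (evidence for, evidence against): grant=(1,0), deny=(0,1),
not-applicable=(0,0), conflict=(1,1).  Illustration written for this page;
the idiom encodings and the scenario are assumptions, not the paper's.
"""
from itertools import product

GRANT, DENY, NA, CONFLICT = (1, 0), (0, 1), (0, 0), (1, 1)
NAME = {GRANT: "grant", DENY: "deny", NA: "not-applicable", CONFLICT: "conflict"}

BIN = {
    "and":  lambda a, b: (a[0] & b[0], a[1] | b[1]),  # ∧  meet in the truth ordering
    "or":   lambda a, b: (a[0] | b[0], a[1] & b[1]),  # ∨  join in the truth ordering
    "kor":  lambda a, b: (a[0] | b[0], a[1] | b[1]),  # ⊕  join in the knowledge ordering
    "kand": lambda a, b: (a[0] & b[0], a[1] & b[1]),  # ⊗  meet in the knowledge ordering
}
UN = {
    "not":  lambda a: (a[1], a[0]),          # ¬  negation on truth: swaps grant/deny
    "knot": lambda a: (1 - a[1], 1 - a[0]),  # ∼  negation on knowledge: swaps n/a and conflict
}

def atom(pred, *args): return ("atom", pred, args)   # capitalised args are variables
def const(v): return ("const", v)

def ev(expr, I, sub):
    """Value of a body expression under interpretation I and substitution sub."""
    if expr[0] == "atom":
        return I.get((expr[1], tuple(sub.get(a, a) for a in expr[2])), NA)
    if expr[0] == "const":
        return expr[1]
    if expr[0] in UN:
        return UN[expr[0]](ev(expr[1], I, sub))
    return BIN[expr[0]](ev(expr[1], I, sub), ev(expr[2], I, sub))

def variables(expr):
    if expr[0] == "const":
        return set()
    if expr[0] == "atom":
        return {a for a in expr[2] if a[:1].isupper()}
    return set().union(*(variables(e) for e in expr[1:]))

def evaluate(strata, domain):
    """Stratified fixpoint: the head of every ground rule instance receives the ⊕
    of its body values (assumed BelLog-style head combination).  Without ∼ this is
    monotone in the knowledge ordering, so iterating from ⊥ converges; ∼ may only
    be applied to predicates fixed by an earlier stratum (assumed, not checked)."""
    I = {}
    for rules in strata:
        while True:
            heads = {}
            for head, body in rules:
                vs = sorted(variables(head) | variables(body))
                for vals in product(domain, repeat=len(vs)):
                    sub = dict(zip(vs, vals))
                    key = (head[1], tuple(sub.get(a, a) for a in head[2]))
                    heads[key] = BIN["kor"](heads.get(key, NA), ev(body, I, sub))
            new = {**I, **heads}
            if new == I:
                break
            I = new
    return I

# --- idioms (my encodings) ---------------------------------------------------
def guard(c):
    """conflict (top) when c carries evidence for, n/a (bottom) otherwise."""
    e = ("or", c, const(NA))
    return ("kor", e, ("not", e))

def restrict(c, p):
    """p where guard(c) holds, n/a elsewhere: policy targets and 'only if authorised'.
    Plain c ∧ p would not do: n/a ∧ deny is deny, which leaks an unauthorised deny."""
    return ("kand", guard(c), p)

def permit_override(p, q): return ("or", p, q)
def deny_override(p, q):   return ("and", p, q)
def agreement(p, q):       return ("kand", p, q)   # the decision both agree on, else n/a

def conflict_override(p, q):
    """p unless p is a conflict, in which case q decides (p must come from a lower stratum)."""
    is_conf = ("kand", p, ("not", p))              # conflict iff p is conflict, else n/a
    return ("kor", ("kand", ("knot", is_conf), p), ("kand", is_conf, q))

def swegrid_decisions():
    """Constructed scenario: leader Dave delegates to Alice, who delegates to Carol;
    Mallory was never delegated to; subject eve asks for cluster1 and storage."""
    G, D = const(GRANT), const(DENY)
    facts = [(atom("deleg", "dave", "alice"), G), (atom("deleg", "alice", "carol"), G),
             (atom("restricted", "cluster1"), G),
             (atom("says", "alice", "eve", "cluster1"), G),
             (atom("says", "alice", "eve", "storage"), G),
             (atom("says", "mallory", "eve", "storage"), D),   # must be ignored
             (atom("says", "dave", "eve", "cluster1"), D)]     # Dave's own tie-break
    stratum0 = facts + [
        (atom("auth", "P", "Q"), atom("deleg", "P", "Q")),                                  # transitive
        (atom("auth", "P", "Q"), ("and", atom("deleg", "P", "X"), atom("auth", "X", "Q"))),  # delegation
        (atom("says", "carol", "S", "R"), restrict(atom("restricted", "R"), D)),            # policy target
    ]
    stratum1 = [(atom("heard", "S", "R"),      # ⊕ over every P that Dave (transitively) authorised
                 restrict(atom("auth", "dave", "P"), atom("says", "P", "S", "R")))]
    stratum2 = [(atom("decision", "S", "R"),   # Dave's own policy breaks his delegates' conflicts
                 conflict_override(atom("heard", "S", "R"), atom("says", "dave", "S", "R")))]
    domain = ["dave", "alice", "carol", "mallory", "eve", "cluster1", "storage"]
    I = evaluate([stratum0, stratum1, stratum2], domain)
    return {(k[0], *k[1]): NAME[v] for k, v in I.items() if v != NA}

if __name__ == "__main__":
    for k, v in sorted(swegrid_decisions().items()):
        print(k, "->", v)
```

Running it prints every atom that is not ⊥. Alice and Carol are both authorised through the delegation chain and disagree about eve on cluster1, so `heard` is a conflict there and Dave's own deny decides; on storage only Alice speaks, Mallory's deny is discarded because she was never delegated to, and Carol's policy stays not-applicable because its target (restricted resources) does not match. Two details matter in practice: authority and targets are applied with the guard/⊗ idiom rather than ∧, because ⊥ ∧ deny is deny in the truth ordering and would let an unauthorised principal deny; and conflict_override applies ∼ to the predicate it inspects, so that rule must sit in a later stratum, which is the stratification requirement the BelLog slide notes.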
How to Build Access Control Systems (recap): Specify Policy, Verify Policy, Construct PDP
Policy Analysis
Does the policy meet its requirements?
[Diagram: the requirements and the policy give rise to questions; an analyzer answers them with either a counter-example, which leads to a fix, or "policy checked"]
How do we write the questions? Decidability? Complexity?
Analysis Questions
Syntax: a question is a containment between two policies under a condition
– Is policy P2 more permissive than P1 for all inputs that satisfy the condition c?
For a given input: [Venn diagram: all requests ⊇ requests granted by P2 ⊇ requests granted by P1]
Check this for all inputs that satisfy the condition
Example: Analysis Question
Requirement: If the requester is a project leader, then grant access.
Policy:
Analysis Question:
Analysis
Theorem 1: Policy containment is undecidable
Theorem 2: Policy containment for unary-input policies* is coNEXP-complete
Theorem 3: Policy containment for a finite universe is coNP-complete
*Unary-input policies – Example:
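A containment check for the finite-universe case of Theorem 3, applied to the analysis question from the earlier slide (a project leader must be granted access). This is an added example, not the authors' analyzer: policies are plain Python functions from a set of input facts to a decision, the requirement is itself a policy (always grant) that is checked only on inputs satisfying the condition, and the analyzer simply enumerates every subset of a small universe of ground facts and reports the first input on which the requirement is more permissive than the policy. The fact names, the three sub-policies and the two composition operators are constructed for the example; decisions are compared in Belnap's truth ordering (deny below not-applicable below grant), which is my reading of "more permissive".

```python
"""Exhaustive policy-containment check over a finite universe of input facts.
Added illustration for this page; not the BelLog analyzer.
"""
from itertools import product

GRANT, DENY, NA = "grant", "deny", "n/a"
RANK = {DENY: 0, NA: 1, GRANT: 2}        # truth ordering for the decisions used here

# Sub-policies over a request, modelled as the set of input facts that hold
# (fact names are constructed for this example).
def leader_rule(facts):     return GRANT if "leader(s)" in facts else NA
def owner_rule(facts):      return GRANT if "owner(s,r)" in facts else NA
def suspension_rule(facts): return DENY if "suspended(s)" in facts else NA

def permit_override(*subs):
    """grant if any sub-policy grants, else deny if any denies, else n/a."""
    def composed(facts):
        ds = {p(facts) for p in subs}
        return GRANT if GRANT in ds else DENY if DENY in ds else NA
    return composed

def deny_override(*subs):
    """deny if any sub-policy denies, else grant if any grants, else n/a."""
    def composed(facts):
        ds = {p(facts) for p in subs}
        return DENY if DENY in ds else GRANT if GRANT in ds else NA
    return composed

def find_counterexample(p1, p2, universe, condition=lambda facts: True):
    """Is P2 at least as permissive as P1 on every input that satisfies the condition?
    Enumerates all 2^|universe| inputs (the finite-universe setting of Theorem 3) and
    returns the first (facts, P1 decision, P2 decision) with P1 above P2 in the truth
    ordering, or None when the containment holds."""
    for bits in product((False, True), repeat=len(universe)):
        facts = frozenset(f for f, on in zip(universe, bits) if on)
        if not condition(facts):
            continue
        d1, d2 = p1(facts), p2(facts)
        if RANK[d1] > RANK[d2]:
            return facts, d1, d2
    return None

UNIVERSE = ["leader(s)", "owner(s,r)", "suspended(s)"]

# Requirement from the slide, as a policy plus a condition on the input.
def requirement(facts): return GRANT
def is_leader(facts):   return "leader(s)" in facts

# Version 1: suspension is composed last with deny-override, so it also hits leaders.
policy_v1 = deny_override(permit_override(leader_rule, owner_rule), suspension_rule)
# Fix: let the leader rule win; suspension still overrides ordinary resource owners.
policy_v2 = permit_override(leader_rule, deny_override(owner_rule, suspension_rule))

if __name__ == "__main__":
    print("v1:", find_counterexample(requirement, policy_v1, UNIVERSE, is_leader))
    print("v2:", find_counterexample(requirement, policy_v2, UNIVERSE, is_leader))
```

For the first policy the analyzer returns the input in which the requester is both a project leader and suspended (requirement: grant, policy: deny); after the fix it returns None, the "policy checked" outcome of the analysis loop. The loop costs 2^|U| policy evaluations, which is fine for a handful of facts and is the coNP flavour of Theorem 3: a single input is a certificate that containment fails. Nothing of the kind exists for the unbounded case of Theorem 1.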
How to Build Access Control Systems (recap): Specify Policy, Verify Policy, Construct PDP
Constructing PDPs
Theorem 4: Policy entailment is in PTIME
Policy interpreter: http://bellog.org
GitHub: https://github.com/ptsankov/bellog/
Limitations
– Analysis of administrative changes
– Analysis complexity and tool support
– Usability
BelLog Contributions
– A foundation for composite decentralized access control
– A policy analysis framework
– The BelLog PDP (www.bellog.org)