
Multiple Access Control Policies



  1. Multiple Access Control Policies A Unified Framework for Enforcing Multiple Access Control Policies [by Jajodia and Samarati] Authorizations in Distributed Systems: A New Approach [by Woo and Lam] References: * A Logical Framework for Reasoning on Data Access Control Policies. Bertino and Catania. ACM Trans., Vol. 6, No. 1. * The Well-Founded Semantics for General Logic Programs. Van Gelder, Ross and Schlipf.

  2. Definition • Access control policies are devised to control access to information. • Each policy requires its own language, in which its policy bases are written. • A policy base encodes a set of authorization requirements and is given a precise semantics based on a formal notion of authorization policy.

  3. Multiple Access Control Policies • Problem: protection requirements within a system vary dramatically, and no single policy can satisfy them all at once. • The paper presents a flexible authorization manager (FAM) that enforces multiple access control policies within one unified system. • FAM is based on a logic language in which users specify both authorizations and the access control policy that governs them.

  4. The FAM language has three components: • Data objects of different types • Hierarchies (user groups over subjects; types over objects) • The authorization specification language itself

  5. Formalization • A data system DS is a 4-tuple (Obj, T, S, A) of objects, types, subjects and actions. • User hierarchy: DS is user-hierarchical iff there exists a finite partially ordered set (G, ≤) such that x is a ≤-minimal element of G iff x ∈ U, i.e. the users U are exactly the minimal elements of G and every other element is a group.

  6. Authorization specifications are built from constant symbols, variable symbols and predicate symbols. • Predicate symbols: • cando(o, s, ±a): explicit authorization (or denial) of action a on object o for subject s • dercando(o, s, ±a): authorization derived from cando facts through the hierarchies and rules • do(o, s, ±a): the final access decision • done(o, s, a): a recorded past access • error(o, s, a): a violated integrity constraint • dirin(s, g): direct membership of s in group g • in(s, g): membership, including indirect membership through subgroups • typeof(o, t): object o has type t • owner(o, s): s owns o

  7. Examples • cando(file1, Employees, +write) ←. (members of Employees may write file1) • cando(file1, s, +write) ← in(s, Employees) (the same authorization, stated per subject) • dercando(o, s, +a) ← cando(o, s', +a) & in(s, s') (authorizations propagate from a group to its members) • dercando(file1, s, -read) ← dercando(file2, s', +read) & in(s, s'') & in(s', s'') (s is denied read on file1 when a member s' of the same group s'' can read file2) • dercando(o, s, -write) ← done(o', s, read) & typeof(o, Exams) & typeof(o', Solutions) (a subject who has read a Solutions object is denied writing any Exams object)

  8. error(o, s, a) ← cando(o, s, +a) & cando(o, s, -a) (an explicit authorization and an explicit denial for the same triple is an error) • error(o, s, a) ← done(o, s, read) & done(o', s, read) & typeof(o, Budget-A) & typeof(o', Budget-B) (a Chinese-wall constraint: one subject must not have read objects of both Budget-A and Budget-B)
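The rules of slides 7 and 8, evaluated bottom-up over a small constructed data set. This is an added example, not the paper's FAM implementation and not code from the deck: the hierarchy (dirin), the object types, the cando facts and the done log are made up, and the group-to-member propagation rule of slide 7 is applied to both signs here, as the propagation rules of slide 14 do.

```python
from itertools import product

# Constructed data (not from the paper): dirin(s, g) means s is a direct member of group g.
DIRIN = {("john", "Auditors"), ("ann", "Auditors"), ("Auditors", "Employees"), ("bob", "Employees")}
# typeof(o, t): object o has type t; the type names are the ones used on the slides.
TYPEOF = {("file1", "Pblc-docs"), ("exam1", "Exams"), ("sol1", "Solutions"),
          ("b1", "Budget-A"), ("b2", "Budget-B")}
# cando(o, s, ±a): explicit authorizations; done(o, s, a): the access log.
CANDO = {("file1", "Employees", "+write"), ("file1", "Auditors", "-write"),
         ("exam1", "Employees", "+write"), ("file1", "bob", "+read"), ("file1", "bob", "-read")}
DONE = {("sol1", "john", "read"), ("b1", "bob", "read"), ("b2", "bob", "read")}


def in_closure(dirin):
    """in(s, g): reflexive-transitive closure of dirin, so in(john, Employees) holds via Auditors."""
    names = {x for edge in dirin for x in edge}
    rel = {(x, x) for x in names} | set(dirin)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(rel), list(rel)):
            if b == c and (a, d) not in rel:
                rel.add((a, d))
                changed = True
    return rel


def opposite(signed_action):
    return ("-" if signed_action[0] == "+" else "+") + signed_action[1:]


def derive(cando=CANDO, done=DONE, dirin=DIRIN, typeof=TYPEOF):
    """Bottom-up evaluation of the slide 7 and 8 rules. Returns (dercando, error) as sets of triples."""
    inrel = in_closure(dirin)
    dercando = set()
    # Slide 7: dercando(o, s, +a) <- cando(o, s', +a) & in(s, s'), applied here to both signs.
    for (o, group, sa) in cando:
        for (s, g) in inrel:
            if g == group:
                dercando.add((o, s, sa))
    # Slide 7: dercando(o, s, -write) <- done(o', s, read) & typeof(o, Exams) & typeof(o', Solutions)
    solution_readers = {s for (o2, s, act) in done if act == "read" and (o2, "Solutions") in typeof}
    for (o, t) in typeof:
        if t == "Exams":
            for s in solution_readers:
                dercando.add((o, s, "-write"))
    error = set()
    # Slide 8: error(o, s, a) <- cando(o, s, +a) & cando(o, s, -a)
    for (o, s, sa) in cando:
        if sa[0] == "+" and (o, s, opposite(sa)) in cando:
            error.add((o, s, sa[1:]))
    # Slide 8: error(o, s, a) <- done(o, s, read) & done(o', s, read)
    #                          & typeof(o, Budget-A) & typeof(o', Budget-B)
    for (o1, s1, a1), (o2, s2, a2) in product(done, done):
        if s1 == s2 and a1 == a2 == "read" and (o1, "Budget-A") in typeof and (o2, "Budget-B") in typeof:
            error.add((o1, s1, "read"))
    return dercando, error


if __name__ == "__main__":
    derived, errors = derive()
    print("dercando:", sorted(derived))
    print("error:", sorted(errors))
```

With these facts john, who is in Employees only through Auditors, derives both +write and -write on file1 (the conflict is left for the do rules and the conflict-resolution policy of slide 12 to settle), john's read of sol1 yields -write on exam1, and bob's reads of b1 and b2 trigger the Chinese-wall error.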

  9. FAM-programs • An authorization specification AS is a FAM-program iff the set of decision (do) rules in AS is: • clash-free, and • for each triple (o, u, a), contains at least one weakly applicable do-rule.

  10. Clash-free do(file1, X, +read) ← dirin(X, Employees) do(file1, X, -read) ← dirin(X, Policeman) • Weakly applicable: consider the triple (file1, john, read) do(file1, s, +a) ← dercando(file1, s, +a) do(o, s, +read) ← ¬dercando(o, s, +read) & ¬dercando(o, s, -read) & typeof(o, Pblc-docs) (the head of each of these rules unifies with do(file1, john, +read), so both are weakly applicable to the triple)

  11. CAM-program • An authorization specification AS is a semi-CAM program iff each do rule in AS has a head of the form do(OT, ST, +AT); negative decisions then come only from the default rule do(O, U, -A) ← ¬do(O, U, +A)

  12. FAM policy library • Closed, open and hybrid policies • Hybrid: no overriding, subgroup overriding, and path overriding • Conflict resolution: • No conflicts allowed • Permissions take precedence • Denials take precedence

  13. Examples • Closed policy (only positive authorizations are specified; anything not derivable is denied) • dercando(o, u, +a) ← cando(o, s, +a) & in(u, s) • do(o, u, +a) ← dercando(o, u, +a) • error(o, s, a) ← cando(o, s, -a) • do(o, u, -a) ← ¬do(o, u, +a) • Open policy (only denials are specified; anything not denied is permitted) • dercando(o, u, -a) ← cando(o, s, -a) & in(u, s) • do(o, u, +a) ← ¬dercando(o, u, -a)

  14. Subgroup overrides along a path • dercando(o, s, +a) ← cando(o, s, +a) • dercando(o, s, -a) ← cando(o, s, -a) • dercando(o, s, +a) ← dercando(o, s', +a) & ¬cando(o, s, -a) & dirin(s, s') • dercando(o, s, -a) ← dercando(o, s', -a) & ¬cando(o, s, +a) & dirin(s, s') (an authorization flows from a group s' down to its direct member s unless s carries an explicit authorization of the opposite sign, so the more specific subgroup wins)
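The policy library of slides 12 to 14 run over one constructed group chain. This is an added example, not code from the paper or the deck: the subjects, the single-parent chain (each dirin edge is the entry in PARENT) and the cando facts are made up, and the two decision functions, the two derivation modes and the conflict-resolution strategies are direct transcriptions of the rules on the slides.

```python
# Constructed single-parent hierarchy: dirin(s, PARENT[s]); the root has no parent.
PARENT = {"john": "Engineers", "Engineers": "Employees", "bob": "Employees", "Employees": None}

# Constructed authorizations. Employees may read and write file1, but the Engineers
# subgroup carries an explicit denial of read.
CANDO = {("file1", "Employees", "+read"), ("file1", "Engineers", "-read"),
         ("file1", "Employees", "+write")}
# A positive-only variant, which is what a closed policy requires.
CANDO_POSITIVE = {("file1", "Employees", "+read")}


def path(u, parent=PARENT):
    """Subjects from u up to the root of its chain: u, its dirin parent, and so on.
    in(u, s) holds for exactly the s on this path."""
    out = []
    while u is not None:
        out.append(u)
        u = parent.get(u)
    return out


def propagated(cando, o, u, a, sign, parent=PARENT):
    """Slide 13 propagation: dercando(o, u, sign a) <- cando(o, s, sign a) & in(u, s)."""
    return any((o, s, sign + a) in cando for s in path(u, parent))


def closed_do(cando, o, u, a, parent=PARENT):
    """Closed policy (slide 13): +a only when a positive authorization propagates to u,
    otherwise -a. error(o, s, a) <- cando(o, s, -a): negative authorizations are errors."""
    negatives = {t for t in cando if t[2].startswith("-")}
    if negatives:
        raise ValueError(f"closed policy: negative authorizations are errors: {sorted(negatives)}")
    return "+" if propagated(cando, o, u, a, "+", parent) else "-"


def open_do(cando, o, u, a, parent=PARENT):
    """Open policy (slide 13): -a only when a denial propagates to u, otherwise +a."""
    return "-" if propagated(cando, o, u, a, "-", parent) else "+"


def no_override(cando, o, u, a, parent=PARENT):
    """Hybrid policy without overriding: every signed authorization on u's path reaches u."""
    return {sg for sg in "+-" if propagated(cando, o, u, a, sg, parent)}


def path_override(cando, o, u, a, parent=PARENT):
    """Slide 14, subgroup overrides along a path, evaluated from the root down:
    dercando(o, s, ±a) <- cando(o, s, ±a)
    dercando(o, s, ±a) <- dercando(o, s', ±a) & ¬cando(o, s, ∓a) & dirin(s, s')
    Returns the set of signs derived for (o, u, a)."""
    opp = {"+": "-", "-": "+"}
    signs = set()
    for s in reversed(path(u, parent)):
        explicit = {sg for sg in "+-" if (o, s, sg + a) in cando}
        inherited = {sg for sg in signs if (o, s, opp[sg] + a) not in cando}
        signs = explicit | inherited
    return signs


def resolve(signs, strategy):
    """Slide 12 conflict resolution applied to a set of derived signs.
    strategy: 'no-conflicts', 'permissions-take-precedence' or 'denials-take-precedence'."""
    if len(signs) <= 1:
        return next(iter(signs), None)
    if strategy == "no-conflicts":
        raise ValueError("conflicting authorizations, and the policy allows none")
    return "+" if strategy == "permissions-take-precedence" else "-"


if __name__ == "__main__":
    for u in ("john", "bob"):
        print(u, "read:", "no override", no_override(CANDO, "file1", u, "read"),
              "path override", path_override(CANDO, "file1", u, "read"),
              "open policy", open_do(CANDO, "file1", u, "read"))
```

john is in Employees only through Engineers, so without overriding he derives both +read and -read on file1 and a conflict-resolution strategy has to decide; with subgroup overriding along the path the Engineers denial blocks the Employees permission and only -read reaches him, while bob, a direct member of Employees, keeps +read under every mode.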

  15. Authorization in Distributed Systems • Problem: a language is needed that is expressive enough to specify commonly encountered authorization requirements. Here the requirements include multiple access policies and support for a distributed environment.

  16. Authorization policy • An authorization policy over a set of subjects S, a set of objects O and a set of access rights R is a 4-tuple (P+, P-, N+, N-) where each component is a subset of {(r, s, o) | r ∈ R, s ∈ S, o ∈ O} • (r, s, o) is granted iff (r, s, o) ∈ P+ • (r, s, o) is denied iff (r, s, o) ∈ N+ • (r, s, o) fails iff (r, s, o) ∉ P+ ∪ N+

  17. Examples • Let V = {x, y, …} (variables), P = {p, q} (propositional symbols), S = {A, B, G} (subjects), O = {X, Y, Z} (objects) • read-(G, x) • read+(A, X) → read+(A, Y) • x ∈ G ∧ read-(G, Y) → read-(x, Y) • ¬p ∧ write+(x, Z) → ¬read+(x, y)
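The first three rules of slide 17 run by a small forward-chaining evaluator, with the result read off as the P+ and N+ components of the 4-tuple on slide 16. This is an added example and not Woo and Lam's evaluator: the membership facts (A and B in G), the starting grant read+(A, X) and the encoding of variables as strings beginning with "?" are constructed for illustration; the rule with ¬p (default negation, the source of multiple extensions) is not modelled, and the P- and N- components are not computed. Where a triple lands in both P+ and N+ the evaluator reports it instead of resolving it.

```python
# Constructed facts. Atoms are tuples: ("in", subject, group), ("obj", object),
# ("read+", subject, object) for a grant and ("read-", subject, object) for a denial.
FACTS = {
    ("in", "A", "G"), ("in", "B", "G"),
    ("obj", "X"), ("obj", "Y"), ("obj", "Z"),
    ("read+", "A", "X"),
}

# Rules are (body, head); terms starting with "?" are variables.
RULES = [
    # read-(G, x): G is denied read on every object x.
    ([("obj", "?x")], ("read-", "G", "?x")),
    # read+(A, X) -> read+(A, Y)
    ([("read+", "A", "X")], ("read+", "A", "Y")),
    # x in G  and  read-(G, Y)  ->  read-(x, Y): members of G inherit the denial on Y.
    ([("in", "?x", "G"), ("read-", "G", "Y")], ("read-", "?x", "Y")),
]


def unify(pattern, fact, subst):
    """Extend subst so that pattern matches fact, or return None."""
    if len(pattern) != len(fact):
        return None
    s = dict(subst)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):
            if s.get(p, f) != f:
                return None
            s[p] = f
        elif p != f:
            return None
    return s


def substitute(atom, subst):
    return tuple(subst.get(t, t) for t in atom)


def matches(body, facts, subst=None):
    """Yield every substitution under which all body atoms are facts."""
    subst = {} if subst is None else subst
    if not body:
        yield subst
        return
    for fact in facts:
        s = unify(body[0], fact, subst)
        if s is not None:
            yield from matches(body[1:], facts, s)


def closure(facts, rules):
    """Least fixpoint: apply the rules until no new fact appears."""
    facts = set(facts)
    while True:
        new = {substitute(head, s) for body, head in rules for s in matches(body, facts)}
        if new <= facts:
            return facts
        facts |= new


def policy(facts):
    """P+ and N+ of slide 16 as sets of (right, subject, object) triples."""
    p_plus = {(a[0][:-1], a[1], a[2]) for a in facts if a[0].endswith("+")}
    n_plus = {(a[0][:-1], a[1], a[2]) for a in facts if a[0].endswith("-")}
    return p_plus, n_plus


def decide(request, p_plus, n_plus):
    """grant iff in P+, deny iff in N+, fail iff in neither; both is reported, not resolved."""
    granted, denied = request in p_plus, request in n_plus
    if granted and denied:
        return "conflict"
    return "grant" if granted else "deny" if denied else "fail"


if __name__ == "__main__":
    p_plus, n_plus = policy(closure(FACTS, RULES))
    for req in (("read", "A", "X"), ("read", "A", "Y"), ("read", "B", "Y"), ("read", "A", "Z")):
        print(req, decide(req, p_plus, n_plus))
```

A reads X by the explicit grant and fails on Z, where nothing applies to A; B is denied Y through G's blanket denial. A on Y is the instructive case: the second rule grants it and the third rule denies it, and nothing in the 4-tuple itself says which should win.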

  18. Closed Policy Base • A policy base is closed if it contains only closed rules, i.e. rules whose literals contain no variables. B admits two extensions, {write+(A, Y)} and {write+(A, X)}.

  19. Generalized Form • Let be a rule

  20. Open Policy Base • Each open rule in B stands for all of its ground instances (closed rules). • If S = {A, B} and O = {X, Y}

  21. Exceptions

  22. Examples of Policy Base • If a subject s has not been explicitly granted a right r on an object o, then s inherits a denial of r on o if it belongs to a group g that holds a denial of r on o.

  23. The Bad vs. Evil • [Woo] cannot resolve conflicts. • Horizontal composition • Each SSO (system security officer) specifies a policy base for a part of the system, and several SSOs together may cover the whole system. Their policies may complement or conflict with each other. • Vertical composition • An SSO is responsible for their subordinate administrators. The leaf policy bases are more specific and detailed than the root policy base, and composing them gives rise to conflicts.

  24. [Jajodia] proposes a logic language for expressing authorization rules and shows how this language can express most access control policies. The programs that can be written in this language are a subset of stratified Datalog programs, and therefore they can express only a limited set of authorization specifications.

  25. Thank you
