Formal Model and Analysis of Usage Control
DESCRIPTION
Formal Model and Analysis of Usage Control. Dissertation defense. Student: Xinwen Zhang; Director: Ravi S. Sandhu; Co-director: Francesco Parisi-Presicce. Department of Information and Software Engineering, School of Information Technology and Engineering, George Mason University, Fall 2005. PowerPoint presentation transcript.
TRANSCRIPT
![Page 1: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/1.jpg)
Formal Model and Analysis of Usage Control
Dissertation defense
Student: Xinwen Zhang
Director: Ravi S. Sandhu
Co-director: Francesco Parisi-Presicce
Department of Information and Software Engineering, School of Information Technology and Engineering, George Mason University, Fall 2005
![Page 2: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/2.jpg)
Outline
- Introduction: motivations & problem statement
- Background: usage control and TLA
- A Formalization of UCON: a logical model to formalize state transitions in a single usage; policy specification flexibility of the logical model
- Expressive Power of UCON: a model to formalize the global effects of a usage and the accumulative results of a sequence of usages; relative expressive power between UCONA and traditional access control models; relative expressive power between UCONA and UCONB
- Safety Analysis of UCON: safety undecidability of the general UCONA model; safety decidable UCONA models; expressive power of the safety decidable models
- Contribution summary and future work
![Page 3: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/3.jpg)
Motivations & Problem Statement
Motivations of UCON: a comprehensive unified model that fundamentally extends traditional access control models and captures DRM and trust management systems. A conceptual model has been presented by Park and Sandhu.
Formalization of the UCON model is required for the precise semantics of the conceptual model, for policy definition, and for the analysis of UCON properties.
Two fundamental problems in access control: expressive power and safety analysis.
![Page 4: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/4.jpg)
UCON Model (Park and Sandhu 2004)
Figure: components of the model are Subjects (S) with Subject Attributes (SA), Objects (O) with Object Attributes (OA), Rights (R), and the three decision factors Authorizations (A), Obligations (B) and Conditions (C), from which usage decisions are made.
Attribute mutability: attributes can be updated as side-effects of a usage, as pre-updates, ongoing updates and post-updates.
Decision continuity: a usage process has three phases (before usage, ongoing usage, after usage), and decisions are made in the first two:
- pre-decision: preA, preB, preC
- ongoing-decisions: repeated decision checks during the ongoing usage phase: onA, onB, onC
Core models: preA0, preA1, preA2, preA3, onAx, preBx, onBx, preCx, onCx. A real model may be a combination of core models.
![Page 5: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/5.jpg)
An Example: Resource-constrained access control
A limited number (10) of ongoing accesses to a single object is allowed. When an 11th subject requests a new access, one ongoing access is revoked. Different revocation policies:
- By start time: the longest ongoing usage is revoked.
- By idle time: the usage with the longest total idle time is revoked.
- By total usage time: the usage with the longest accumulated usage time is revoked.
This needs decision continuity, attribute mutability, and revocation of ongoing accesses.
![Page 6: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/6.jpg)
Temporal Logic of Actions (Lamport 1994)
Basic terms of TLA:
- Variables and values
- State: an assignment of values to variables
- Predicates: boolean expressions using variables in a single state
- Actions: boolean expressions using variables in two states
Future temporal operators:
Past temporal operators:
![Page 7: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/7.jpg)
Logical Model of UCON: Variables, States, Predicates
Variables:
- Subject attributes: role, group, clearance, credit, etc.
- Object attributes: type, owner, access control list, etc.
- System attributes: location, time, load, etc.
A state of a UCON system is an assignment of values to attributes.
Predicates: boolean expressions built from subject attributes, object attributes, and system attributes in a single state, e.g. Alice.credit > $1000, file1.classification = "secure", Dominate(Alice.clearance, file1.classification), (Bob, read) file2.ACL.
![Page 8: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/8.jpg)
Logical Model of UCON: Actions
Control actions: actions changing the usage state of a single usage process (s, o, r). The state of (s, o, r) takes 6 values (initial, requesting, accessing, denied, revoked, end) and there are 5 control actions:
- tryaccess: initial -> requesting
- permitaccess: requesting -> accessing
- denyaccess: requesting -> denied
- revokeaccess: accessing -> revoked
- endaccess: accessing -> end
Update actions, e.g. s.credit' = s.credit - $50.0: preupdate is performed in the requesting state before the permit or deny decision, onupdate while accessing, and postupdate after the usage ends or is revoked.
Obligation actions: actions that have to be performed before or during a usage. They may or may not be performed by the requesting subject and on the target object.
![Page 9: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/9.jpg)
Logical Model of UCON
The logical model of a UCON system is a 5-tuple (S, PA, PC, AA, AB), where
- S is a set of sequences of states of the system,
- PA is a finite set of authorization predicates built from the attributes of subjects and objects,
- PC is a finite set of condition predicates built from the system attributes,
- AA is a finite set of control actions,
- AB is a finite set of obligation actions.
A policy is a logic formula consisting of predicates, actions, and logical and temporal operators:
![Page 10: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/10.jpg)
Specification of Core Models
Ongoing authorizations (onA1, onA2, onA3): resource-constrained access control with revocation by idle time.
Object attribute:
Subject attributes: status (with value busy or idle), idleTime
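The single-usage state machine of slide 8 combined with the resource-constrained onA policy of slides 5 and 10, as an added Python example that is not part of the slides: the usage states and control actions are the page's, while the Usage and Controller classes, the integer clock and the busy/idle bookkeeping are my assumptions. When an 11th request arrives, the ongoing usage with the longest total idle time is revoked.

```python
from dataclasses import dataclass

# Control actions of the logical model and the usage-state transition each
# one makes (the 6 states and 5 actions of slide 8).
TRANSITIONS = {
    "tryaccess":    ("initial",    "requesting"),
    "permitaccess": ("requesting", "accessing"),
    "denyaccess":   ("requesting", "denied"),
    "revokeaccess": ("accessing",  "revoked"),
    "endaccess":    ("accessing",  "end"),
}

@dataclass
class Usage:
    """One usage process (s, o, r) for a fixed object and right."""
    subject: str
    state: str = "initial"
    status: str = "idle"      # subject attribute: busy or idle
    idle_time: int = 0        # subject attribute: accumulated idle time
    since: int = 0            # clock value of the last status change (assumed)

    def control(self, action: str) -> None:
        src, dst = TRANSITIONS[action]
        if self.state != src:
            raise ValueError(f"{action} is not allowed in state {self.state}")
        self.state = dst

class Controller:
    """Reference monitor for one object with at most MAX_ONGOING accesses."""
    MAX_ONGOING = 10

    def __init__(self) -> None:
        self.usages: list[Usage] = []

    def ongoing(self) -> list[Usage]:
        return [u for u in self.usages if u.state == "accessing"]

    def total_idle(self, u: Usage, now: int) -> int:
        # idleTime plus the idle period still running at time `now`
        return u.idle_time + (now - u.since if u.status == "idle" else 0)

    def set_status(self, u: Usage, status: str, now: int) -> None:
        # onupdate: fold the finished idle period into idleTime
        if u.status == "idle":
            u.idle_time += now - u.since
        u.status, u.since = status, now

    def request(self, subject: str, now: int) -> Usage:
        u = Usage(subject, since=now)
        u.control("tryaccess")
        if len(self.ongoing()) >= self.MAX_ONGOING:
            # ongoing decision: the usage with the longest total idle time
            # no longer satisfies the onA predicate and is revoked
            victim = max(self.ongoing(), key=lambda x: self.total_idle(x, now))
            victim.control("revokeaccess")
        u.control("permitaccess")
        self.usages.append(u)
        return u
```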
![Page 11: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/11.jpg)
Specifying General Policies
Control rules:
Update rules:
![Page 12: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/12.jpg)
Specifying General Policies
Completeness: any UCON policy can be specified by a non-empty set of control rules and a set of update rules.
Soundness: a non-empty set of control rules and a set of update rules can be satisfied by at least one UCON model.
![Page 13: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/13.jpg)
Policy Specification Flexibility
- RBAC models (RBAC0, RBAC1, RBAC2)
- Chinese Wall policies
- Dynamic separation of duty
- MAC policy with the high watermark property
- Healthcare information systems with authorizations and obligations
![Page 14: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/14.jpg)
Expressive Power & Safety Analysis
Expressive power: the flexibility to express policies for varying requirements; comparing the expressive power of access control models.
Safety problem: given a system specified by an initial state and a scheme, is there a reachable state in which a subject has a particular right on an object?
Expressive power and safety analysis are two conflicting problems for an access control model: in general, the more expressive power a model has, the harder it is to computationally carry out safety analysis.
Examples: HRU, SPM, and TAM
![Page 15: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/15.jpg)
Formal Model of preA & preB
Goal: formalize the global effect of a single usage process, instead of the detailed state transitions within a single usage process captured by the logical model.
A system state is a pair consisting of O, a set of objects, and an assignment that gives each object and each attribute name in ATT a value in dom(ATT) or null; subjects are objects (S is a subset of O).
Three primitive actions: createObject, destroyObject, updateAttribute.
preA policy:
preB policy:
![Page 16: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/16.jpg)
Formal Model of preA & preB
A UCON preA scheme is a 4-tuple (ATT, R, P, C), where ATT is a finite set of attribute names, R is a finite set of rights, P is a finite set of predicates, and C is a finite set of policies.
A UCON preA system is specified by a preA scheme and an initial state (the initial object set O0 with its initial attribute assignment).
A UCON preB scheme is a 5-tuple (ATT, R, P, B, C), where B is a finite set of obligation actions.
A UCON preB system is specified by a preB scheme and an initial state.
![Page 17: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/17.jpg)
Expressive Power of preA: iTunes-like Systems
Figure: the entities User, iTunes music store, Device and Music file, connected by the rights register, order, authorize, deauthorize and play.
user_register(s, u): true
  permit(s, u, register)
  createObject u; updateAttribute: s.regUsers' = s.regUsers {u}; updateAttribute: u.registered' = true; updateAttribute: u.platformList' = o; updateAttribute: u.orderList' = o; updateAttribute: u.credit' = 0.00;
order(u, m): (u.registered = true) (u.credit m.price) (m u.orderList)
  permit(u, m, order)
  updateAttribute: u.orderList' = u.orderList {m}; updateAttribute: m.owner' = u; updateAttribute: u.credit' = u.credit - m.price;
play(p, m): (p.authorizedby null) (m.owner null) (p.authorizedby = m.owner)
  permit(p, m, play)
authorize_platform(u, p): (u.registered = true) (|u.platformList| < 5) (p u.platformList)
  permit(u, p, authorize)
  updateAttribute: u.platformList' = u.platformList {p}; updateAttribute: p.authorizedBy' = u;
deauthorize_platform(u, p): (u.registered = true) (p u.platformList)
  permit(u, p, deauthorize)
  updateAttribute: u.platformList' = u.platformList - {p}; updateAttribute: p.authorizedBy' = null;
![Page 18: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/18.jpg)
Expressive Power of UCON preA
The expressive power of the UCON preA model has been formally studied by comparing it with traditional access control models: simulating the general SO-TAM model and simulating the general SO-ATAM model.
Theorem: UCON preA is more expressive than TAM. UCON preA is at least as expressive as ATAM.
![Page 19: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/19.jpg)
Relative Expressive Power of preA & preB
Theorem: UCON preA and preB have the same expressive power.
A preA policy can be simulated by a preB policy. A preB policy can be simulated by a finite number of preA policies.
![Page 20: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/20.jpg)
Safety Analysis of UCON preA
Theorem: The general preA model has undecidable safety.
Proved by reducing a general SO-TAM system to a preA system, and by simulating the operations of a general Turing machine with a preA model.
![Page 21: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/21.jpg)
Safety Analysis of UCON preA
Theorem: The safety problem of a preA system is decidable if the value domain of each attribute is finite, and there is no creating policy in the scheme.
The complexity of the safety problem is polynomial in the number of possible states of the system, and NP-hard in the number of policies in the scheme.
Theorem: The safety problem of a preA system is decidable if:
- the attribute creation graph is acyclic, and
- the attribute update graph has no cycle containing a create-parent attribute tuple, and
- in each creating policy, both the parent's and the child's attribute tuples are updated.
![Page 22: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/22.jpg)
Expressive Power of Decidable preA
The decidable model can express an RBAC96 model with URA97 scheme.
The decidable model can express DRM applications with consumable rights:
order(s, o): (s.credit o.price) (o.owner = null)
  permit(s, o, order)
  updateAttribute: s.credit' = s.credit - o.price; updateAttribute: o.owner' = s; updateAttribute: o.copylicense' = 10;
allow_copy(s, o): (o.owner = s) (o.copylicense > 0)
  permit(s, o, allowcopy)
  updateAttribute: o.allowcopy' = true;
copy(o1, o2): (o1.allowcopy = true)
  permit(o1, o2, copy)
  createObject o2; updateAttribute: o2.sn' = o1.copylicense; updateAttribute: o1.copylicense' = o1.copylicense - 1; updateAttribute: o1.allowcopy' = false;
![Page 23: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/23.jpg)
Contribution Summary
A logical model of UCON is developed: precisely defining the semantics of the conceptual model; specifying policies for general UCON models with completeness and soundness; policy specification flexibility by defining policies for various applications.
Formal study of the expressive power of UCON preA and preB: preA is at least as expressive as ATAM; preA and preB have the same expressive power.
Safety analysis of UCON preA: safety undecidability of the general model; two safety decidable models with restrictions on the general model; expressive power of the decidable models by simulating RBAC and DRM applications.
![Page 24: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/24.jpg)
Future Work
- An administrative model of UCON
- Efficiently decidable UCON models
- Expressive power and safety analysis of UCON ongoing models
- UCON architectures and mechanisms
![Page 25: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/25.jpg)
Related Publications
- Xinwen Zhang, Sejong Oh, and Ravi Sandhu, PBDM: A Flexible Delegation Model in RBAC, 8th ACM Symposium on Access Control Models and Technologies (SACMAT), 2003.
- Xinwen Zhang, Jaehong Park, Francesco Parisi-Presicce, and Ravi Sandhu, A Logical Specification for Usage Control, ACM SACMAT, 2004.
- Jaehong Park, Xinwen Zhang, and Ravi Sandhu, Attribute Mutability in Usage Control, Annual IFIP WG 11.3 Working Conference on Data and Applications Security, 2004.
- Xinwen Zhang, Jaehong Park, Francesco Parisi-Presicce, and Ravi Sandhu, Formal Model and Policy Specification of Usage Control, ACM Transactions on Information and System Security (TISSEC), to appear.
- Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce, Safety Analysis of Usage Control Authorization Model, to appear in ACM Symposium on Information, Computer, and Communication Security, 2006.
- Xinwen Zhang, Masayuki Nakae, Ravi Sandhu, Michael J. Covington, A Usage-based Authorization Framework for Collaborative Computing Systems, in submission.
![Page 26: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/26.jpg)
Thank you!
Q & A
![Page 27: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/27.jpg)
Backup
![Page 28: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/28.jpg)
OM-AM Framework (Sandhu 2000)
Figure: four layers, where Objectives and Models answer "What?" and Architectures and Mechanisms answer "How?"; Assurance spans all layers.
RBAC system:
- Objectives: policy neutral
- Models: RBAC96, ARBAC97, etc.
- Architectures: server-pull, user-pull, federated, etc.
- Mechanisms: secure cookies, digital certificates, SAML, etc.
UCON system:
- Objectives: policy neutral
- Models: UCONABC model
- Architectures: client-side RM, server-side RM, etc.
- Mechanisms: DRM technologies, attribute certificates, trusted computing, XrML/XACML, etc.
![Page 29: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/29.jpg)
Specifying Core Models
PreA0:
PreA1:
An example: Dynamic Separation of Duty (DSOD). A subject who prepares a check cannot issue it:
![Page 30: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/30.jpg)
Expressive Power of preA: a model for iTunes-like systems
A UCON preA scheme (ATT, R, P, C), where R = {register, order, authorize, deauthorize, play} and ATT is a set of attribute names.
![Page 31: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/31.jpg)
Relative Expressive Power of preA & preB
A preB system can be simulated with a preA system. The preB policy (right access):
policy_B(s, o, ob): (s.role = ITE_faculty) (o.statement = ob) sign(s, ob)
  permit(s, o, r)
The simulating preA policies (rights sign and access):
policy_A1(s, ob): true
  permit(s, ob, sign)
  updateAttribute: s.signed' = ob;
policy_A2(s, o): (s.role = ITE_faculty) (o.statement = s.signed)
  permit(s, o, r)
  updateAttribute: s.signed' = null;
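An added Python example (not from the slides) of the first decidability result of slide 21, run on this slide's sign-then-access preA scheme: with finite attribute domains and no creating policy, the safety question of slide 14 can be answered by enumerating the finitely many reachable states. The state encoding, the POLICIES table and the sample objects f, stu, o1 and ob1 are my assumptions, and the policy connectives are read as logical and.

```python
from collections import deque
from itertools import product

# A state maps (object, attribute) -> value; None stands for null.
# Each policy: (arity, predicate(state, params), update(state, params)).
POLICIES = {
    # policy_A1(s, ob): true -> permit(s, ob, sign); s.signed' = ob
    "sign": (2,
             lambda st, p: True,
             lambda st, p: {**st, (p[0], "signed"): p[1]}),
    # policy_A2(s, o): s.role = ITE_faculty and o.statement = s.signed
    #   -> permit(s, o, access); s.signed' = null
    "access": (2,
               lambda st, p: st.get((p[0], "role")) == "ITE_faculty"
               and st.get((p[1], "statement")) == st.get((p[0], "signed")),
               lambda st, p: {**st, (p[0], "signed"): None}),
}

# Constructed initial state: a faculty member, a student, one resource whose
# statement is the object ob1, and the statement object itself.
OBJECTS = ["f", "stu", "o1", "ob1"]
INITIAL = {("f", "role"): "ITE_faculty", ("stu", "role"): "student",
           ("o1", "statement"): "ob1",
           **{(x, "signed"): None for x in OBJECTS}}

def freeze(state):
    return frozenset(state.items())

def reachable(initial, objects, policies):
    """Breadth-first enumeration of every state reachable from `initial`.
    It terminates because no policy creates objects and every attribute has
    a finite domain (signed ranges over the 4 objects or null), so there are
    finitely many states: here 5**4 = 625."""
    seen = {freeze(initial)}
    queue = deque([initial])
    while queue:
        st = queue.popleft()
        for arity, pred, upd in policies.values():
            for params in product(objects, repeat=arity):
                if pred(st, params):
                    nxt = upd(st, params)
                    if freeze(nxt) not in seen:
                        seen.add(freeze(nxt))
                        queue.append(nxt)
    return seen

def is_unsafe(initial, objects, policies, subject, obj, right):
    """Safety question: is there a reachable state in which `subject` can be
    permitted `right` on `obj`, i.e. the policy predicate holds there?"""
    _, pred, _ = policies[right]
    return any(pred(dict(st), (subject, obj))
               for st in reachable(initial, objects, policies))
```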
![Page 32: Formal Model and Analysis of Usage Control](https://reader036.vdocuments.us/reader036/viewer/2022081506/568144e8550346895db1b970/html5/thumbnails/32.jpg)
Relative Expressive Power of preA & preB
A preA system can be simulated with a preB system. The preA policy (right access):
policy_A(s, o): (s.role = ITE_faculty)
  permit(s, o, r)
The simulating preB policy (right access):
policy_B(s, o): (s.role = ITE_faculty) try_access(s, o)
  permit(s, o, r)