rule-based access-control evaluation through model-transformation
TRANSCRIPT
![Page 1: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/1.jpg)
Runtime Support for Rule-Based Access-ControlEvaluation through Model-Transformation
Salvador Martínez - UOC & Mines Nantes-inria-Lina, Nantes, FranceJokin García - IK4-IKERLAN, Arrasate, SpainJordi Cabot - ICREA UOC, Barcelona, Spain
![Page 2: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/2.jpg)
“The purpose of access control is to limit the Actions or operations that a legitimate user of a computer system can perform. Access control constrains what a user can do [...]. In this way access control seeks to prevent activity that could lead to a breach of security”. Sandhu, Ravi S., and Pierangela Samarati. IEEE communications magazine 32.9 (1994): 40-48.
SubjectAction Object
PermissionPermissionassignment
Rule: mechanism to assign permissions to Subjects.
Policy: a set of rules defining the security requirements of a system.
![Page 3: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/3.jpg)
Access-Control lists (ACL)
Attribute-based Access-Control (ABAC)
Discretionary Access-Control (DAC)
Mandatory Access-Control (MAC)
Identity-Based Access-Control (IBAC)
Organization-based Access-Control (OrBAC)
Role-based Access-Control (RBAC)
Temporal Role-based Access-Control (TRBAC)
Rule-based Access-Control (RAC)
![Page 4: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/4.jpg)
Infrastructure components for AC integration:
Design time(static)
Runtime(dinamic)
Divided in:
![Page 5: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/5.jpg)
Infrastructure: nowadays as reference monitor
1. Language for policies and access requests. (too many?)
2. Evaluation engine (PDP).
3. Interface mechanism between access-requests and resources (PEP). (solved by AOP and the like)
![Page 6: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/6.jpg)
Problem?
Focus is in Access-control languages and not in their evaluation.
Lack of reusable PDPs. Existing “reusable” PDPs are tight to concrete access-control languages (e.g. XACML, EPAL).
PDPs as black boxes, difficult to adapt to different situations.
We are obliged to reinvent the wheel!!
![Page 7: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/7.jpg)
Requirements: what would be a better situation?
Easy to use. Concrete syntax should be easy to adapt (without changing the rest)
The policy representation should be explicit. The evaluation execution should be adaptable: add tracing, enhance outcome, etc.
Efficiently capable to face complex escenarios (live evaluation): Lazy execution, incremental evaluation, reactivity...
![Page 8: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/8.jpg)
Request
Decision
Rule1 (conditions)-> decisionRule2 (conditions)-> decisionRule3 (conditions)-> decision
Evaluation Engine
Read policy
Rule1 match request (with conditions) to decisionRule2 match request (with conditions) to decisionRule3 match request (with conditions) to decision
Transformation Engine
Read transformationRequest Model Decision Model
find ruleevaluate conditionsissue decision
match requestevaluate guardscreate decision model
![Page 9: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/9.jpg)
Approach: ● Basic ready-to-use workflow ● Advanced fully-tunable workflow
![Page 10: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/10.jpg)
Basic Workflow
Policy
PEP-PDP
Decision
Write securitypolicy rulesusing policy language
Write accessrequests usingAccesslanguage
read
Issueaccessdecision
Rule r1 ( Subject S1 {attributes <'role' = 'Manager'>}, Object O1, Action Read) -> Accept
Rule r2 ( Subject S2 {attributes <'role' = 'Employee'>}, Object O1, Action Read) -> Deny
Access( Subject S1 {attributes <'role' = 'Manager'>}, Object O1, Action Read)
![Page 11: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/11.jpg)
Module SecurityPolicy create OUT: Evaluation from IN: Request;
nodefault rule rule1 { from s:Req!Requests ( s.filter(Sequence{Tuple{id='S1', attributes = Sequence{Tuple{name = 'role', value = 'manager'}}}, Tuple{id='O1', attributes = Sequence{}}, Tuple{id='read', attributes = Sequence{}}})) to t : Evaluation!Evaluation ( effect <- 'Permit', ruleId <- 'Rule1', ruleOrder <- 1)}nodefault rule rule2 { from s:Req!Requests ( s.filter(Sequence{Tuple{id='S2', attributes = Sequence{Tuple{name = 'role', value = 'employee'}}}, Tuple{id='O1', attributes = Sequence{}}, Tuple{id='read', attributes = Sequence{}}})) to t : Evaluation!Evaluation ( effect <- 'Deny', ruleId <- 'Rule2', ruleOrder <- 2)}
![Page 12: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/12.jpg)
Security Policy
Policy Model
Trasf. Model
HOT: Policy to
Transformation
Transformationcode
Request model Eval. model
Request metamodel
Evaluation metamodel
Transf. metamodel
RULE COMBINATIONALGORITHMS
-first match-deny overrides-accept overrides-others...
Refining Transf.
refines
implements
Policy. metamodel
1
2
3
41
2
3
4
Language dependent
Language independentinjection
Advanced Workflow
![Page 13: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/13.jpg)
Implementation with ATL (and other modeling tools)
![Page 14: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/14.jpg)
1.Policy Metamodel& Injection
![Page 15: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/15.jpg)
XText Grammar… Policy: rules+=Rule*;
Rule returns Rule: 'Rule' id=ID '(' lhs=LHS ')' '->' rhs=RHS;
LHS returns LHS: conditionfields += ConditionField ("," conditionfields += ConditionField)*;
RHS returns RHS: decisions+=AccessDecision;
ConditionField: (Subject | Object | Action) ( '{'('attributes' '<' attributes+=Attribute ( "," attributes+=Attribute)* '>' )? '}')? ;
Attribute returns Attribute: {Attribute} name=EString '=' value=EString;......
![Page 16: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/16.jpg)
2. HOT: From policies to trans. specifications
What the HOT transformation does:
1. Creates a transformation module from the policy root.
2. Creates OCL operations to factorize the encoding of access-request conditions into OCL predicates.
3. Creates an ATL rule for each access-control rule with:
- Match : Request element
- A guard calling the OCL operation that evaluates the conditions
- Generates as output an Evaluation element with a decision (and some tracing info.)
![Page 17: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/17.jpg)
HOT: Looks… scary? It is at least tedious...rule Rule2MatchedRule { from s : Policy!Rule to mr : ATL!MatchedRule ( name <- s.id, isNoDefault <- true, isAbstract <- false, isRefining <- false, inPattern <- ip, outPattern <- op ), -- start from part ip : ATL!InPattern ( elements <- Sequence{ipe}, filter <- filter ), ipe : ATL!SimpleInPatternElement( varName <- 's', type <- ipet ), -- start filter filter: ATL!OperationCallExp ( operationName <- 'filter' ),
fvar: ATL!VariableExp ( referredVariable <- ipe, appliedProperty <- filter),fseq: ATL!SequenceExp( parentOperation <- filter),fsub: ATL!TupleExp ( collection <- fseq --retrieve subject attributes),fobj: ATL!TupleExp ( collection <- fseq --retrieve objetc attributes),fact: ATL!TupleExp ( collection <- fseq --retrieve action attributes),--end filteripet : ATL!OclModelElement ( name <- 'Request', model <- om),
om : ATL!OclModel ( name <- 'Request' ),--end from part--begin to partop : ATL!OutPattern ( elements <- Sequence{ope}),ope : ATL!SimpleOutPatternElement( varName <- 't', type <- opet, bindings <- Sequence{b1, b2} ),opet : ATL!OclModelElement ( name <- 'Evaluation', model <- om2),om2 : ATL!OclModel ( name <- 'Evaluation'),--begin bindingsb1 : ATL!Binding ( propertyName <- 'effect', value <- se1),
![Page 18: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/18.jpg)
HOT: Generating it from the Policy metamodel
rule Rule2MatchedRule { from s : Policy!Rule to mr : ATL!MatchedRule ( name <- s.id, isNoDefault <- true, isAbstract <- false, isRefining <- false, inPattern <- ip, outPattern <- op
Modular Acceleo templates
Metamodel ATL HOT
![Page 19: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/19.jpg)
3. Conflict Resolutioncreate OUT: Evaluation refining IN: Evaluation;
helper context Evaluation!Evaluationdef:isFirstMatch():Boolean = let allEvaluations : Sequence(Evaluation!Evaluation) = Evaluation!Evaluation.allInstances() ->asSequence() in allEvaluations->iterate(p; y : Boolean = true | if p.request.toInteger() < self.request.toInteger() then false else if y = true then true else false endif endif);
rule Evaluation { from s : Evaluation!Evaluation(s.isFirstMatch()) to t : Evaluation!Evaluation ()}
Resolution algorithms as refining transformations on Evaluations:
- First match
- Deny overrides
- Accept overrides
- Others
Completely independent from the policy language.
![Page 20: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/20.jpg)
Performance Evaluation
![Page 21: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/21.jpg)
Conclusions
Model transformation engines can be used as AC evaluation engines.
An important amount of work can be delegated to “generators”.
Performance (often a problem in MDE) is in par with other implementations.
Future work
Multi-policy environments.
Experimenting alternatives execution modes (Lazy, incremental, reactive, parallel).
Validation and Verification of the policy by using MT V&V techniques.
![Page 22: Rule-Based Access-Control Evaluation through Model-Transformation](https://reader036.vdocuments.us/reader036/viewer/2022081401/5870ebc51a28abcf288b6dd5/html5/thumbnails/22.jpg)
Questions time!!