On the Modeling and Analysis of Obligations. Keith Irwin, Ting Yu (North Carolina State University), William H. Winsborough (University of Texas at San Antonio). Presenter: Zhenhua Liu. Date: April 22nd, 2009

Outline: Related Work; Motivation; Contributions; A meta-model for obligations; State transition; Example of an obligation system; Definition of accountable state; A concrete model; Basic algorithms; Conclusion & future work


Traditional security policies largely focus on the specification and management of access control requirements (who can access which objects during which period).

Obligation requirements are increasingly involved as well (e.g. a subscriber is obliged to pay a fee before a certain deadline).

Related Work (1)

Current policy languages that support the specification of obligations in security policies:

XACML and KAoS (limited model for describing obligations)

Ponder and Rei (time constraints, deadlines); Heimdall (keeps track of pending obligations); Sailer and Morciniec (a third party monitors obligations)

Related Work (2)

Bettini (chooses appropriate policy rules and extends the policy model to handle obligation violations)

The above-mentioned works focus on the specification and monitoring of obligations.

This paper is complementary: it formally defines secure states and studies the complexity of checking whether the current state is secure.

Related Work (3)

Current works that analyze systems with obligations to determine whether subjects have sufficient rights to fulfill their obligations:

Firozabadi (static allotments of resources); Kamoda (cannot model the case where user actions change the state of the system)

Related Work (4)

Current work on access control policies:

Determining whether a state is accountable is analogous to, but more complicated than, compliance checking in access control (e.g. deciding whether an action should be allowed under an access control policy).

Related Work (5)

Although several security policy languages have been proposed for describing obligation requirements,

questions such as how to define secure states and how to ensure the security of a system with obligations have not yet been adequately investigated.


Propose a formal metamodel to capture a system and its possible states.

Give a formal definition of secure states for obligation management (accountable states).

Study the problem of checking whether a state is accountable.

Study the accountability problem in the context of an authorization system with obligations.


Positive obligation: a requirement for a subject to take some action at some time in the future.

Negative obligation: a requirement for a subject NOT to take some action at some time in the future.

Unenforceable: the system cannot force a subject to take an action.

Monitorable: the system is able to monitor the status of an obligation.

Properties of Obligations

Model an obligation as a tuple

obl(s, a, O, [ts, te])

where s is a subject, a is an action, O is a finite sequence of zero or more objects on which the action must be performed, and [ts, te] is the time window during which s is obliged to take action a.

A Metamodel for systems with Obligations

Four states of obl(s, a, O, [ts, te]):

Invalid: te has already passed when the obligation is assigned.

Fulfilled: the obligation has been assigned and its action has been carried out during the time window [ts, te].

Violated: the obligation has been assigned, has not been fulfilled, and is not invalid, but te has passed.

Pending: the obligation is not invalid but has not yet become fulfilled or violated.

Assumptions: discrete system time; each action can be finished in a single clock tick.

For instance, if the state of the system at time t0 is st0 and Alice takes an action at t0, the state at t0 is not changed by that action; instead, the state at time t0 + 1 is affected by Alice's action.

State Transition

Defining Obligation-abiding transition

Policy description:

1. After collecting submitted papers, the program chair of a conference assigns papers to reviewers.

2. Once the assignment is done, each reviewer is obliged to submit their reviews by a certain deadline.

3. If a reviewer submits a review for a paper, she is obliged to attend the discussion of the paper, which decides whether the paper should be accepted.

An Example of Obligation System

How to use this meta-model to represent a simple conference reviewing system:

Subjects s are the registered users in the system. Objects o are the submitted papers. Allowed actions a are assigning papers to reviewers, submitting a review and joining the discussion of a paper. The σ-portion of the system state represents the attributes of subjects and objects.

An Example of Obligation System

Example of policy description of the system using proposed meta-model


Adding pending obligations to the system. Suppose on 06/01/06 the program chair assigns Alice to review papers p1, p2 and p3:

Obl1 = obl(Alice, submit_review(Alice, p1), [06/01/06, 07/15/06])
Obl2 = obl(Alice, submit_review(Alice, p2), [06/01/06, 07/15/06])
Obl3 = obl(Alice, submit_review(Alice, p3), [06/01/06, 07/15/06])
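The following is an added example, not code from the paper: it encodes the obl(s, a, O, [ts, te]) tuple, the four obligation states and policy rule 3 of the reviewing example, and runs them over a constructed action log for Alice's three assignments. The discussion window, the daily clock tick, the "p4" late assignment and the log entries are assumptions made for the example.

```python
"""Obligation lifecycle in the metamodel, shown on the conference-reviewing example.
Added example, not code from the paper.  Assumptions: one clock tick is one day, and the
discussion window (DISCUSSION) is invented."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Obligation:
    """obl(s, a, O, [ts, te]) together with the time the obligation entered the system."""
    s: str           # subject
    a: str           # action
    O: tuple         # objects the action must be performed on
    ts: date         # window start (inclusive)
    te: date         # window end (inclusive)
    assigned: date   # when the obligation was assigned


@dataclass(frozen=True)
class Event:
    """Subject s performed action a on objects O at tick t."""
    t: date
    s: str
    a: str
    O: tuple


def status(obl: Obligation, log: list, now: date) -> str:
    """One of the four states of an obligation at time `now`."""
    if obl.assigned > obl.te:
        return "invalid"        # te had already passed when the obligation was assigned
    for ev in log:
        if ev.t <= now and (ev.s, ev.a, ev.O) == (obl.s, obl.a, obl.O) and obl.ts <= ev.t <= obl.te:
            return "fulfilled"  # the action was carried out inside [ts, te]
    if now > obl.te:
        return "violated"       # not fulfilled, not invalid, and te has passed
    return "pending"


# The slide's scenario: on 06/01/06 the chair assigns Alice papers p1, p2 and p3, due 07/15/06.
ASSIGNED, DEADLINE = date(2006, 6, 1), date(2006, 7, 15)
REVIEW_OBLIGATIONS = [Obligation("Alice", "submit_review", (p,), ASSIGNED, DEADLINE, ASSIGNED)
                      for p in ("p1", "p2", "p3")]

# Constructed action log: p1 reviewed on time, p2 never, p3 five days after the deadline.
LOG = [Event(date(2006, 7, 10), "Alice", "submit_review", ("p1",)),
       Event(date(2006, 7, 20), "Alice", "submit_review", ("p3",))]

DISCUSSION = (date(2006, 7, 20), date(2006, 7, 25))   # assumed discussion window


def discussion_obligations(log: list) -> list:
    """Policy rule 3: submitting a review obliges the reviewer to attend that paper's
    discussion.  The new obligation is assigned at the tick of the submit_review action."""
    return [Obligation(ev.s, "attend_discussion", ev.O, DISCUSSION[0], DISCUSSION[1], ev.t)
            for ev in log if ev.a == "submit_review"]


def report(now: str) -> dict:
    """Status of each review obligation, keyed by paper, at ISO date `now`."""
    d = date.fromisoformat(now)
    return {o.O[0]: status(o, LOG, d) for o in REVIEW_OBLIGATIONS}


def late_assignment_status() -> str:
    """An obligation assigned on 07/20/06 with the 07/15/06 deadline is invalid on arrival."""
    late = Obligation("Alice", "submit_review", ("p4",), ASSIGNED, DEADLINE, date(2006, 7, 20))
    return status(late, LOG, date(2006, 7, 20))


def discussion_report(now: str) -> dict:
    """Status of the rule-3 obligations triggered by LOG, keyed by paper."""
    d = date.fromisoformat(now)
    return {o.O[0]: status(o, LOG, d) for o in discussion_obligations(LOG)}


if __name__ == "__main__":
    print(report("2006-07-01"))              # all pending
    print(report("2006-07-16"))              # p1 fulfilled, p2 and p3 violated
    print(late_assignment_status())          # invalid
    print(discussion_report("2006-07-21"))   # both pending
```

Two points the example makes visible: a review submitted after te (p3) leaves the review obligation violated rather than fulfilled, and rule 3 still fires on that late submission, so one fulfilled action creates a new pending obligation. That second behaviour is exactly the "cascading obligation" that the tractability conditions later in the talk rule out.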

Goal: make sure that a system always stays in secure states and never transits into insecure states.

Accountability: find out whose fault it is when some obligation may go unfulfilled, rather than requiring that it be impossible for an obligation to be violated.

Security Goals In Systems with Obligations

Different interpretations of an obligation (assuming everybody else fulfills their obligations):

1. Strongly accountable: the system guarantees that the subject can take action a at any time in [ts, te].

2. Weakly accountable: the subject can at least take action a at the end point te.

3. A third, less common interpretation: the system ensures only that there exists some time within the window at which the subject will be able to fulfill the obligation.

Defining Accountable states

Defining Strongly Accountable State

Defining Weakly Accountable state

Given a state of a system, how to determine whether it is accountable?

By encoding a Turing machine in the metamodel, the halting problem reduces to the accountability problem, so accountability is undecidable for the general metamodel.

The Accountability Problem

Three conditions on an obligation system:

No cascading obligations: the action that fulfills an obligation does not incur further obligations.

Monotonicity: if the condition of a policy is true for a subject, it remains true in all future states.

Commutative actions: the execution order of two actions does not matter.

Three Theorems of Accountability Problem

Add some restrictions to the proposed meta-model to make accountability problem tractable:

A Concrete Model

Assumptions: a current accountable state stcur = <tcur, Mcur, Bcur> and an obligation b = <b.s, b.a, b.ts, b.te>.

Positive test. Purpose: determine whether we may add a new obligation b while keeping the system in an accountable state.

Basic Algorithm

Basic algorithm: 1. Check rights. 2. Check the effect of b on the obligations it overlaps. 3. Check the effect of b on later obligations.

Step 1 (check rights), for the permission b needs:
  if a pending revoke obligation for that permission overlaps [b.ts, b.te]: the test cannot be guaranteed
  else if the privilege exists in stcur:
    if there is a prior revoke obligation: pick a br so as to maximize br.te
    else: the test can be guaranteed
  else (the privilege does not exist in stcur):
    if some grant obligation for the tested permission exists: pick a bg so as to maximize bg.ts
    else: the test cannot be guaranteed

Step 2: if b revokes or grants a right that could cause the condition of an obligation it overlaps to become false, the state is not accountable.

Step 3: the obligation b either grants or revokes some right. Obligations that depend on the presence or absence of this right need to be considered. To check them, we repeat step 1 of
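The block below is an added example, not the paper's algorithm: it implements the rights check of step 1 and the re-check of steps 2 and 3 on a concrete state <tcur, Mcur, Bcur>, under both the strong and the weak interpretation from the accountability slides. Instead of the slide's branch-by-branch case split it evaluates the same question directly, tick by tick: can the needed right be absent at some tick of b's window if the other subjects carry out their pending grants and revokes at any time within their windows? Assumptions made for the example: each action needs exactly one right; granting or revoking a right on an object needs an assumed right ADMIN on that object; obligations whose condition depends on the absence of a right are not modelled; the state, subjects and papers are constructed.

```python
"""Accountability checks for the concrete model, as an added example (not the paper's own code).
State is <tcur, Mcur, Bcur>: a clock tick, an access matrix (set of (subject, object, right))
and the pending obligations.  Assumptions: every action needs exactly one right; grant/revoke
of a right on an object needs the right ADMIN on that object; an action done at tick t is
visible at t+1; other subjects may fulfil their obligations at any tick of their windows."""
from dataclasses import dataclass, field

ADMIN = "admin"   # assumed right needed to grant or revoke rights on an object


@dataclass(frozen=True)
class Obl:
    s: str        # b.s  subject
    a: tuple      # b.a  ("use", obj, right) | ("grant", s2, obj, right) | ("revoke", s2, obj, right)
    ts: int       # b.ts window start (tick, inclusive)
    te: int       # b.te window end   (tick, inclusive)


@dataclass
class State:
    t: int                                   # tcur
    M: frozenset                             # Mcur
    B: list = field(default_factory=list)    # Bcur


def required_right(b: Obl) -> tuple:
    """The (subject, object, right) that b.s must hold to carry out b.a."""
    if b.a[0] == "use":
        return (b.s, b.a[1], b.a[2])
    return (b.s, b.a[2], ADMIN)


def changed_right(b: Obl):
    """The (subject, object, right) that b grants or revokes, or None."""
    return (b.a[1], b.a[2], b.a[3]) if b.a[0] in ("grant", "revoke") else None


def right_guaranteed(st: State, right: tuple, ts: int, te: int, exclude=None, weak=False) -> bool:
    """Is `right` certain to be in M at every tick of [ts, te] (strong) or at tick te (weak),
    whatever times the other pending grants/revokes are carried out?  Pessimistic: a revoke
    may run at any tick of its window, a grant is only certain at the last tick of its window,
    and a revoke that may run in the same tick as a grant is assumed to run after it."""
    grants = [o for o in st.B if o is not exclude and o.a[0] == "grant" and changed_right(o) == right]
    revokes = [o for o in st.B if o is not exclude and o.a[0] == "revoke" and changed_right(o) == right]
    certain = right in st.M
    for t in range(st.t, te + 1):
        if t > st.t:
            prev = t - 1                                   # actions at prev show up at t
            if any(r.ts <= prev <= r.te for r in revokes):
                certain = False      # overlapping or prior revoke: the right may be gone
            elif any(g.te == prev for g in grants):
                certain = True       # a grant is certainly done by the end of its window
        if (t == te if weak else t >= ts) and not certain:
            return False
    return True


def check_rights(st: State, b: Obl, weak=False) -> bool:
    """Step 1 of the basic algorithm for the new obligation b."""
    return right_guaranteed(st, required_right(b), b.ts, b.te, exclude=b, weak=weak)


def positive_test(st: State, b: Obl, weak=False):
    """Would adding b to an accountable state keep it accountable?  Returns (ok, reason)."""
    if not check_rights(st, b, weak):
        return False, "step 1: %r is not guaranteed for b" % (required_right(b),)
    changed = changed_right(b)
    if changed is None:
        return True, "b grants or revokes nothing, no other obligation is affected"
    # Steps 2 and 3: re-check every pending obligation (overlapping or later) that needs the
    # right b changes, with b now among the pending obligations.
    after = State(st.t, st.M, st.B + [b])
    for other in st.B:
        if required_right(other) == changed and not right_guaranteed(
                after, changed, other.ts, other.te, exclude=other, weak=weak):
            return False, "step 2/3: %s would break %r" % (b.a[0], other)
    return True, "accountable"


def example_state() -> State:
    """Constructed state at tick 10: Alice may review p1, the chair administers p1."""
    return State(10, frozenset({("Alice", "p1", "review"), ("Chair", "p1", ADMIN)}))


if __name__ == "__main__":
    st = example_state()
    alice = Obl("Alice", ("use", "p1", "review"), 11, 20)
    print(positive_test(st, alice))      # (True, 'b grants or revokes nothing, ...')
    st.B.append(alice)
    revoke = Obl("Chair", ("revoke", "Alice", "p1", "review"), 12, 14)
    print(positive_test(st, revoke))     # (False, 'step 2/3: revoke would break ...')
```

The slide's three branches fall out of the tick loop: a revoke whose window overlaps b's window turns `certain` off inside the window (test cannot be guaranteed); a revoke that ends before b.ts turns it off earlier, and only a grant whose window closes before b.ts turns it back on (the br / bg cases); a missing right with no grant never becomes certain. The `weak` flag inspects only tick te, so an obligation whose right is restored by a grant that may land inside the window passes the weak test but fails the strong one.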


Identify more properties of obligation policies.

Support features commonly available in today's access control systems.

Extend the meta-model to support event-triggered


Conclusion & Future Work