mindswapmaryland information and network dynamics lab semantic web agents project
Towards a Policy Aware Web
Vladimir Kolovski, Yarden Katz, Jim Hendler, Danny Weitzner, Tim Berners-Lee
04/19/23 SWPW Presentation 2
Why do we need policy awareness
• Inflexible and simplistic access control on the web
• No ability to specify fine-grained access control
  – Workarounds are tedious
• Privacy issue
  – Lacking in privacy protection mechanisms
  – Individual privacy might be compromised and liberties put at risk if the information were public
• All this leads to reluctance to share information
Our Approach
• Targeted at casual web users
  – Easy to write expressive policies
    • Language with a large library of useful constructs
  – Relatively low enforcement burden
• We propose a rule-based infrastructure that leverages the current web
  – Allows for publication of declarative access policies
  – Policies at the level of individual URI
  – Greater control in the hands of the information owner
Why Rule-Based?
• Problems with identity- and role-based approaches
  – Difficult to set up in a fine-grained way
  – Classes (atomic roles) must be set up in advance
  – Want to specify policies based on attributes of entities
    • Without knowing their identity
• With rules we are able to specify policies based on descriptions
Rule-Based Mechanisms
• Two types of rule-based access mechanisms:
  – Mandatory access control
    • Strictly hierarchical; used at universities and in governments
    • The organization enforces security policies, not the individual information owner
  – Discretionary access control
    • Access control given to the information owner
    • Approach used in PAW
Rules Language
• Requirements:
  – Consistent with Web architecture principles
  – Used and tested within the web community
  – Allows policies to be published, browsed and retrieved over HTTP
• Our language of choice was N3
  – Extends the RDF model
• Important feature: proof generation on the client side
Architecture Diagram
Reasoning Support for PAW
• cwm as a forward-chaining N3 reasoner
• Currently generates a proof by serializing the intermediate steps as "reasons" when running the rules engine
• Generated proofs are rather large
  – Need pruning
  – Scale better by integrating a RETE engine
• Proof-checking function is relatively simple
  – Can be optimized, too
Example
• Using REIN as the policy framework and cwm as the proof generator/checker
• Photo sharing between members of a girl scout troop
  – Photos taken at meetings of the troop can be shared with any current member of the troop.
  – Photos of the girls winning awards can be shared with anyone currently in the troop, or who was ever a member. These award photos can also be shared with the public if, and only if, the girl's parents allow it.
Example
• Judy wants to access the picture, makes a request:

    <Request rdf:about="judy-req#req">
      <requester rdf:parseType="Resource">
        <session:secret>judy-passwd</session:secret>
      </requester>
      <resource rdf:resource="http://demo.policyawareweb.org/images/group.jpg"/>
    </Request>

• If Judy is allowed to access the picture, she receives:

    :requester http:can-get <http://www.policyawareweb.org/group-photo.jpg>

• In order to generate a proof, Judy runs her request against the policy with cwm's --why option.
• Examples available at http://groups.csail.mit.edu/dig/2005/09/rein/examples/
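The flow of the two slides above, cwm forward-chaining N3 rules and serializing each step as a "reason" (slide 8), and the troop policy with Judy's request (slides 9 and 10), as an added example that is not the slides' or the Policy Aware Web project's code. It stands in for cwm with a minimal forward-chainer over triples, invents all predicate names (currentMemberOf, takenAt, canGet, parentsAllowPublic, ...) and all facts, and ignores requester authentication (the session:secret in the slide's request); the proof checker and the pruning step are the ones the slides ask for, written here from scratch.

```python
"""Forward-chaining policy evaluation with a client-side proof trace.
Added example, not the Policy Aware Web project's code: a plain-Python stand-in for
what the slides describe cwm doing with N3 rules.  The client runs the policy over
the request facts, records every derivation as a "reason", prunes the trace to the
steps the goal needs, and the server checks that trace instead of re-reasoning.
All predicates and facts below are invented for the example."""
def unify(pattern, fact, b):
    """Extend bindings b so pattern matches fact, or return None; '?x' is a variable."""
    b = dict(b)
    for p, f in zip(pattern, fact):
        if (b.setdefault(p, f) != f) if p.startswith("?") else (p != f):
            return None
    return b

def substitute(pattern, b):
    return tuple(b.get(t, t) for t in pattern)

def match_body(body, facts, b=None):
    """Yield every binding under which all patterns in body hold."""
    if not body:
        yield b or {}
        return
    for fact in facts:
        nb = unify(body[0], fact, b or {})
        if nb is not None:
            yield from match_body(body[1:], facts, nb)

def forward_chain(facts, rules):
    """Run to fixpoint; proof[t] = (rule name, premises) for every derived t."""
    facts, proof, changed = set(facts), {}, True
    while changed:
        changed = False
        for name, body, head in rules:
            for b in list(match_body(body, facts)):  # materialise before mutating
                concl = substitute(head, b)
                if concl not in facts:
                    facts.add(concl)
                    proof[concl] = (name, tuple(substitute(p, b) for p in body))
                    changed = True
    return facts, proof

def prune_proof(goal, proof):
    """Keep only the steps goal depends on (the pruning the slides call for)."""
    keep, todo = {}, [goal]
    while todo:
        t = todo.pop()
        if t in proof and t not in keep:
            keep[t] = proof[t]
            todo.extend(proof[t][1])
    return keep

def check_proof(goal, proof, base_facts, rules):
    """Verifier: each step instantiates a known rule, premises are base facts or
    proved steps, and no step may (circularly) rely on itself."""
    by_name = {name: (body, head) for name, body, head in rules}
    proved, visiting = set(), set()
    def instance_of(name, premises, t):
        body, head = by_name.get(name, (None, None))
        b = {} if body is not None and len(body) == len(premises) else None
        for pat, prem in zip(body or [], premises):
            b = unify(pat, prem, b) if b is not None else None
        return b is not None and substitute(head, b) == t
    def ok(t):
        if t in base_facts or t in proved:
            return True
        if t not in proof or t in visiting:
            return False
        visiting.add(t)
        name, premises = proof[t]
        good = instance_of(name, premises, t) and all(ok(p) for p in premises)
        visiting.discard(t)
        if good:
            proved.add(t)
        return good
    return ok(goal)

# The troop policy from the slides as (name, body, head) rules, i.e. the
# { body } => { head } rules cwm would run; the vocabulary is made up.
T = "troop"
RULES = [
    ("meeting-photo", [("?p", "takenAt", "meeting"), ("?w", "currentMemberOf", T)], ("?w", "canGet", "?p")),
    ("current-is-ever", [("?w", "currentMemberOf", T)], ("?w", "everMemberOf", T)),
    ("award-photo", [("?p", "type", "awardPhoto"), ("?w", "everMemberOf", T)], ("?w", "canGet", "?p")),
    ("award-public", [("?p", "type", "awardPhoto"), ("?p", "depicts", "?g"),
                      ("?g", "parentsAllowPublic", "true")], ("public", "canGet", "?p")),
    ("public-anyone", [("public", "canGet", "?p"), ("?w", "type", "agent")], ("?w", "canGet", "?p")),
]
# Constructed facts: a current member, a former member, an outsider, one meeting
# photo and two award photos, only one of which has parental consent recorded.
FACTS = {
    ("judy", "currentMemberOf", T), ("judy", "type", "agent"), ("judy", "parentsAllowPublic", "true"),
    ("alice", "everMemberOf", T), ("alice", "type", "agent"), ("bob", "type", "agent"),
    ("group.jpg", "takenAt", "meeting"), ("award.jpg", "type", "awardPhoto"),
    ("award.jpg", "depicts", "judy"), ("award2.jpg", "type", "awardPhoto"), ("award2.jpg", "depicts", "sue"),
}

def request(requester, resource, facts=FACTS, rules=RULES):
    """Client side: the can-get decision and the pruned proof to send with it."""
    goal = (requester, "canGet", resource)
    derived, proof = forward_chain(facts, rules)
    return goal in derived, prune_proof(goal, proof)
```

Two points this makes concrete. First, the "if and only if" on parental consent is closed-world here: the public gets an award photo only when a parentsAllowPublic fact is present, and the absence of that fact simply yields no derivation rather than an explicit denial, which is how a rule language without negation behaves. Second, the full run derives eight triples for this tiny fact set while Judy's proof for group.jpg needs exactly one step and Bob's for award.jpg needs two, which is why the slides insist on pruning before shipping proofs. The checker deliberately accepts a step only if it re-instantiates a known rule from its stated premises and refuses cycles, so a client cannot smuggle in an unsupported premise; in this toy both sides share FACTS, whereas the server in the slides' architecture would accept only premises it trusts, i.e. its own policy plus credentials it can verify.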
Architecture Diagram
Related Work
• Proof-Carrying Authorization (PCA)
  – Web access control system based on a higher-order, undecidable logic
  – Proof of access on the client side can be generated using a subset of higher-order logic
    • This subset maps to a simple and decidable application-specific logic
  – Drawback: client proofs blow up in size
• PeerTrust/PeerAccess
  – Bilateral trust
  – Sensitive policies
  – Trust established incrementally
  – PeerTrust: policy and negotiation language based on distributed logic programs
Contributions
• The field of distributed web access control is already mature; what do we bring to the table?
• Our contribution is in putting the following things together:
  – PCA-like distributed proof of policy compliance
  – Freely shared, transparent policies
  – "Webby" reasoner, able to publish, browse and retrieve rules on the fly and allowing for fine-grained specification of policies
Challenges and Future Work
• Revisiting proof generation/checking
  – Generated proofs for simple policies are over 300KB; cwm takes more than 10s to reason over them
  – Should we move to a backward-chaining reasoner?
  – Integrate our RETE engine in cwm
• Handling inconsistency
  – Inconsistencies unavoidable because of the open-ended nature of the web
  – Investigate ways to be robust in the face of inconsistency
• UI and support for writing policies
  – Casual users don't want to hack N3
Questions?
Thanks for your attention