Trust Management: Access policy and

deduction

John Mitchell

Diffuse Computing

Distributed Data Systems

Access control decision

• Given: user and request for privilege = resource, right

• Decide: whether to grant request

• Specify: who, what, when, why

? ResourceUser/

process

filename

read/write

Also: authorization management, workflow, …

Goals

Flexible and scalable access control for large-scale, open, decentralized systems• Resource sharing in decentralized systems

– coalitions, multi-centric collaborative systems – grid computing

• Electronic commerce• Health care systems• Authorization management

Policy Language and Deduction

Say what you want• Succinctly and directly• With confidence that you said what you

meant

Enforcement• Deduction, proof of compliance

Policy development tools• Manage policy lifecycle• Safety analysis, availability

Core Issue

Single sign-on systemse.g. Securant, Netegrity, Oblix

Rules

Authentication Application

Data

Data

LAN

user namepassword

Distributed Access Control

DeductionEngine

DeductionEngine

PoliciesCredentials

PoliciesCredentials

Certificate Authority

Resource Monitors

Player

Digital Distribution Dream ( )

Artist Distributor Consumer

Policy

Content Policy

Content

Content

MilitaryORCONPolicy

Secure network transactions

Trust-Management (TM)

Multicentric access control using delegation• access control decisions are based on distributed

policy statements issued by multiple principals• policy statements contain

– attributes of principals such as permissions, roles, qualifications, characteristics

– trust relationships

Common characteristics of TM systems:• treat public keys as principals to be authorized• use digitally signed credentials for non-local

statements

History

Early TM languages• PolicyMaker, KeyNote [Blaze, Feigenbaum, et al.]

• SPKI/SDSI [Ellison, Rivest, Lampson, et al.]

Datalog-based TM languages• Delegation Logic [Li, Feigenbaum, and Grosof]

• SD3 [Jim]

• Binder [DeTreville]

Some other related work• ABLP logic [Abadi, Burrows, Lampson, et al.]

• AF logic [Appel and Felton]

• QCM [Gunter and Jim]

Our Policy Framework: FOL ( )

A policy statement has the form: x1,…, xm (Condition () Permitted(principal, privilege))

where• Condition is a conjunction of literals;• principal can be individual [HW], or group [LM]• privilege can be action [HW], or group [LM]

Also need formulas defining conditions

Feigenbaum, LiHalpern, W

Li, Mitchell, …

Permitting policy [HW, LM]: positive conclusionDenying policy [HW]: negative conclusion

What is RT?

RT = Role-based Trust management Innovative features of the RT family

• expressive delegation constructs• permissions for structured resources• tractable semantics based on Constraint

Datalog• strongly-typed credentials and vocabulary

agreement• efficient deduction with millions of distributed

policy statements• safety and availability analysis

[Li, Mitchell, Winsborough]

Languages in RT Framework

RT0: Decentralized Roles

RT1: Parameterized Roles

RTT : for Separation of Duties

RTD: for Selective Use of Role memberships

RT2: Logical Objects

RTT and RTD can be used (either together or separately) with any of the five base languages: RT0, RT1, RT2, RT1

C, and RT2C

RT1C: structured resources

RT2C: structured resources

[Li, Mitchell, Winsborough]

Example

AliceEPub

StateU is a university

Alice is a student

Grants access to university students

Trusts universities to certify students

Trusts ABU to certify universities

StateUABU

Example RT0 credentials

1. StateU.stuID Alice2. ABU.accredited StateU3. EPub.university ABU.accredited4. EPub.student EPub.university.stuID5. EPub.access EPub.student

Together, the five statements prove that Alice is entitled to access

Limitation of KeyNote, SPKI 1.0

Capability-based TM systems• A credential delegates certain permissions from an

issuer to a subject• A chain of credentials authorizes subject at the

end of a chain

Using these systems in the EPub scenario • EPub delegates the access permission to ABU• ABU delegates the access permission to StateU• StateU delegates the access permission to Alice

Not scalable!• Separate chain of delegations for each student

Policy forms, RT0

Simple attribute assignment • StateU.stuID Alice

Delegation of attribute authority • StateU.stuID COE.stuID

Attribute inferencing • EPub.access EPub.student

Attribute-based delegation of authority• EPub.student EPub.university.stuID

i.e. mem(EPub.student) Bmem(EPub.university) mem(B.stuID)

Conjunction • EPub.access EPub.student ACM.member

Policy forms, RT1 …

Attributes with fields• StateU.stuID (name=.., program=.., …)

Alice• EPub.access

StateU.stuID(program=“graduate”)

Permissions for structured resources• e.g., allow connection to any host in a

domain and at any port in a range

Datalog As A Foundation

Natural• Security policy statements are if-then rules

Precise• Declarative and widely-understood semantics

Tractable• No function symbols tractability• Efficient goal-directed evaluation procedures

Available technology• Extensive Datalog research in LP and DB

Datalog Semantics of RT0

Each statement translated into Datalog rule

Type-1: A.r D m(A, r, D)

Type-2: A.r B.r1 m(A, r, z) :- m(B, r1, z)

Type-3: A.r A.r1.r2m(A, r, z) :- m(A, r1, y), m(y, r2, z)

Type-4: A.r B1.r1 B2.r2 ... Bk.rk

m(A, r, z) :- m(A, r1, y),

m(y, r2, z)

Better: Constraint Datalog

Why constraints: • Datalog cannot easily express permissions about

structured resources and ranges

What is Constraint Datalog• Special form of CLP; query language for

Constraint DB

A Constraint Datalog rule: • R0(x0) :- R1(x1), ..., Rn(xn), (x0, x1, …, xn)

– x0, x1, …, xn are tuples of variables

is a constraint in all the variables

Example Policy with Constraints

A grants to B the permission to• connect to hosts in the domain “stanford.edu” • at port 80,

• valid from time t1 to t3 , and

• allows B to further delegate

grantConnect(A, B, h, p, v) :-

h edu,stanford, p=80, v [t1, t3]

grantConnect(A, x, h, p, v) :- grantConnect(B, x, h, p, v), h edu,stanford, p=80, v [t1, t3]

Useful Constraint Domains for TM

Tree domains: • Path expressions a1,a2 , ,ak

– E.g., pub,software for /pub/software

• Primitive constraint: x=y or x a1,a2 , ,ak, where {=, <, , , }

Range domains:• each constant is a number• Primitive constraint: x=y, x=c, or, x (c1 ,

c2)

Discrete domains with finite sets:• Primitive constraint: x=y, x {c1,c2 , ,cj}

RT1C : RT1 with constraints

Theorem: • Multi-sorted CDatalog program with multiple

tractable constraint domains can be evaluated in polynomial time.

Corollary: The RT languages are tractable• Statements in the RT languages can be

translated into multi-sorted CDatalog program

Example: • FileServer.access (path < pub,software,

type{read,write,delete}) StateU.student (dept=‘CS’)

Using CDatalog to Analyze KeyNote

Theorem: it is undecidable whether a KeyNote assertion authorizes any request at all• One constraint domain used in KeyNote

involves Hilbert’s 10th problem: – find integer solutions to p(x1,…,xk)=0

Moral: KeyNote constraints too expensive• Practical examples do not use these

expensive features

Logical perspective leads to expressive, tractable policy languages

Goal-directed Deduction for RT0

Queries:1. Given A.r, determines its members

– The backward search algorithm

2. Given D, determines the set of roles that D is a member of– The forward search algorithm

3. Given A.r and D, determines whether D is a member of A.r– The Bi-direction search algorithm

Credential Graph for Policy

Nodes:• A.r and e for each statement A.r e in P

Credential edges:• A.r e for each statement A.r e in P

Summary edges:• A.r1.r2 B.r2 if there is a path from B to A.r1• A1.r1 … Ak.rk D if there are paths from D to each Aj.rj

Theorem: Reachability in the credential graph is sound and complete for RT0

Example Bidirection Search on A Credential Graph

EPub.university

StateU

ABU.accredited

EPub.student

EPub.university.stuID

Credential

Summary

Key

Alice

StateU.stuID

COE.stuID

Worst-Case Complexity

Backward: time O(N3+NM), space O(NM)• N is the number of rules• M is the sum of the sizes of all rules,

– A.r f1fk having size k, other credentials have size 1

Forward and bi-direction time O(N2M), space O(NM) Same as previous work for SDSI [Clarke, et

al.]• but our algorithms are goal directed, making

them much better in practice

Who stores credentials?

AliceEPub

StateU

ABUABU.accredited

StateU

COE.stuID AliceEPub.university ABU.accreditedEPub.student

EPub.university.stuID

StateU.stuID COE.stuID

COE

Automated Trust Negotiation

Credentials may contain sensitive information• need protection just as other resources• deduction must be interactive

The Trust Target Graph (TTG) protocol• supports RT0, which has delegation• supports distributed discovery of statements• supports Ack policies, which also protects against

unauthorized leakage of attribute information

Cryptographic protocols for ATN• Oblivious Signature-Based Envelope (OSBE)

Safety and Availability Analysis

Organizations delegate partial control • What happens if other organizations change

policy in the future without my knowledge?

Given policy P and restriction R on changes• Simple safety: Is A.r {D} possible?

PTIME• Simple availability: Is A.r {D} necessary?

PTIME• Bounded safety: Is {D1, …, Dn} A.r

necessary? PTIME

Complexity of Containment Analysis

Given P and R, is A.r B.r1 necessary?• Simple delegation PTIME

– Uses logic programs with stratified negation

• Intersection coNP-complete– Equivalent to determining validity in propositional

logic

• Linking PSPACE-complete– Equivalent to containment of languages accepted

by NFA

• Linking+Intersection decidable in coNEXP– Exact complexity unknown

Decidability, PTIME stand in contrast to the HRU model, in which simple safety is undecidable

Implementation Status

Java inference engine for RT0

Preliminary version of RTML• an XML-based Encoding of RT statements• XML Schemas and parser exist

Applications• U-STOR-IT: Web-based file storage and

sharing• August: A Distributed Calendar Program• Automated Trust Negotiation Demo by NAI• TNT Trust Negotiation architecture at BYU

Publications on RT

Language specification, distributed deduction

[ACM CCS’01] [JCS] [IEEE S&P’02] Constraint Datalog [PADL’03] [CSFW’03]

Summary of RT [DISCEX’03]

Interactive deduction, protecting sensitive credentials [IEEE Policy’ 02] [ACM WPES’02]

Safety and availability analysis of RT policies

[IEEE S&P’03]

Ongoing Work Related to RT

Foundation of distributed trust management:• more expressive constraints• additional safety and availability analysis problems

Algorithms:• deduction algorithms for the full RT framework• trust negotiation with more expressive RT

languages

Systems:• RTML as a more expressive PKI• complete implementation of RT and more

applications

Policy with negation, functions

Many applications explicitly forbid actions. • `Smoking is prohibited in the dining areas of all

restaurants seating more than 35 people’ is part of the NYC Smoke-Free Air Act.

• `The tickets may not be refunded’ is a policy of many theaters, special airline fares, …

Functions may be useful x1, x2 (OnSite(x1) Permitted(x2, copy(x1)))

These policies cannot be written directly in Datalog, Constraint Datalog

[Halpern, Lagoze, Weissman]

Tractability with function symbols

Key idea: Restrict bipolars• A literal l is bipolar in a formula f if

– Positive l in f is unifiable with a negated l’ in f– E.g. R(Alice, x) is bipolar in R(Alice, x) R(y, Bob)

If E is environment and P is policy such that• every var in lhs of a policy also appears in rhs • E is a conjunction of ground literals, and• there are no bipolar literals in P

Then queries answered in time |P||E|

Remains polytime under weaker assumptions

Explanation of restrictions

Every variable on the lhs also on the rhs• Permissions (prohibitions) depend only on

attributes of individual and action being regulated

Environment E a conjunction of ground literals• Reasonable if the environment is a database,

and/or set of certificates

No bipolar literals in policy P• Reasonable if

– permitted is not in any policy’s premise– All policies are permitting (or all denying)

Mixed policy sets

Thm: For any env E, policy P, can reformulate as <E’,P’> such that • Permissions follow from E’ and permitting policies in

P’ only• Prohibitions follow from E’ and denying policies in P’

only• Quadratic increase in size

The fragment can capture a number of policy sets• Samples collected from libraries• Samples collected from government docs• Most of the XrML core, and all of Content Schema

More information: Vicky Weissman poster

Future SPYCE Directions

Accomplishments• Framework and logic for policy definition• Algorithms for policy enforcement• Some experience with capturing practical policy

requirements from a variety of applications

Challenges• Continue implementation and deployment efforts• Policy development algorithms and tools

– Debugging and testing, safety and availability analysis

• Additional challenges– Policy privacy, Automated trust negotiation, Revocation

Sample Applications

August Distributed Calendar USTORIT Social security database

• policy to qualify for social security• Also: tax law database

Library policy• Have to administer copyright• Who is allowed to access course notes?

XrML• Commercial license and rights framework