SBAC: A Semantic Based Access Control Model

1
SBAC A Semantic Based Access Control Model
NordSec 2006
2
Motivation

• Access Control is a mechanism that allows owners
  of resources define, manage and enforce access
  conditions applicable to each resource.
• But, how powerful are the current access control
  models and mechanisms?
• Are they able to express complex access control
  policies?

3
Motivation (cntd.)

• A complex access control policy example
• How to represent this policy in a computer?
• How can a computer understand whether X is a
  friend of Y?
• How can a computer decide whether to permit or
  deny X from settling money to the Z account of Y?
• How computers can understand the Semantics of
  these kinds of policies?
• How the computer can use these semantics to do
  inferences in making access control decisions.

A Bank authority is not allowed to settle money
to accounts of his friends in that bank.
4
Outline

• Semantics representation mechanisms
• SBAC
• Introduction
• Authorization rules
• Semantic Authorization inference
• Authorization Propagation
• Using rules for better expressivity
• Experimental results

5
Semantic-awareness

• For semantic-aware access control, we need a
  means for representing semantics.

6
Vocabulary
7
Taxonomy
8
Ontology
9
SBAC
10
SBAC

• Makes its decisions in three domains
• Objects domain
• Objects are entities that are accessed and/or
  modified.
• Subjects domain
• Subjects are active entities that require access
  to objects.
• Actions domain
• Actions are operations that subjects perform on
  objects.
• Each domain is represented by an ontology
• Subject Ontology (SO)
• Object Ontology (OO)
• Action Ontology (AO)

11
An Example Object Ontology
12
An Example Subject Ontology
13
An Example Action Ontology
14
Authorization Rules

• An authorization rule is in the form of
  in which s is an entity defined in SO, o
  is an entity defined in OO, and a is an entity
  defined in AO.
• This rule determines whether a subject which
  presents credential s can have the access right a
  on object o or not.
• Authorization rules are stored in an
  Authorization Base (AB).

15
Implicit Authorization rules
(S, Account, read)

(S, Long Term Deposit, read)
16
Semantic Authorization Inference
17
Ontology Languages

• Graphical notations
• Semantic networks
• Topic maps
• UML
• RDF
• Logic based
• Description Logics (e.g., OIL, DAMLOIL, OWL)
• Rules (e.g., RuleML, Prolog)
• First Order Logic

18
OWL (Ontology Web Language)

• OWL is an XML based ontology language and is now
  a W3C (World Wide Web Consortium) Recommendation.

19
An Example OWL ontology

• ltowlClass rdfIDPerson /gt
• ltowlClass rdfIDMangt
• ltrdfssubClassOf rdfresourcePerson /gt
• ltowldisjointWith rdfresourceWoman /gt
• lt/owlClassgt
• ltowlClass rdfIDWomangt
• ltrdfssubClassOf rdfresourcePerson /gt
• ltowldisjointWith rdfresourceMan /gt
• lt/owlClassgt
• ltowlClass rdfIDFathergt
• ltrdfssubClassOf rdfresourceMan /gt
• lt/owlClassgt
• ltowlClass rdfIDMothergt
• ltrdfssubClassOf rdfresourceWoman /gt
• lt/owlClassgt
• ltowlClass rdfIDParentgt
• ltowlunionOf rdfparseType"Collection"gt
• ltowlClass rdfabout"Father"/gt
• ltowlClass rdfabout"Mother"/gt

20
Inference on OWL Ontologies

• A lot of different relationships can be defined
  between concepts in an OWL ontology
• subClassOf
• equivalentClass
• disjointWith
• intersectionOf
• unionOf
• complementOf
• Therefore complex inference engines are required
  for reasoning on all of these relationships.
• From an access control point of view all of these
  relationships can be reduced to the subClassOf
  relation.

21
Reduction to subClassOf

• A equivalentClass B
• A subClassOf B
• B subClassOf A
• A unionOf B,C,D
• B subClassOf A
• C subClassOf A
• D subClassOf A

22
Authorization Propagation

• Propagation in the subject domain

(Credit Card, Account, withdraw)
(Master Card, Account, withdraw)
23
Authorization Propagation

• Propagation in the object domain

(Credit Card, Account, withdraw)
(Credit Card, Short Term Deposit, withdraw)
24
Authorization Propagation

• Propagation in the action domain

(Credit Card, Account, FullAccess)
(Credit Card, Account, Withdraw)
25
Authorization Propagation

• Propagation in the action domain

(Credit Card, Account, -Withdraw)
(Credit Card, Account, -FullAccess)
26
Using Rules for Better Expressivity
A Bank authority is not allowed to settle money
to accounts of his friends in that bank.
27
Using Rules for Better Expressivity
A Bank authority is not allowed to settle money
to accounts of his friends in that bank.
X is_A Person Y is_A Person X friendOf Y B is_A
Bank Y bankAuthorityOf B Z accountIn B X ownerOf Z
(Y,Z,-settlement)
Note that, e.g. if in your knowledge base you
have John is_A Parent, the computer itself must
deduce that John is_A Person.
28
Some Experimental Results
29
Smaller Ontologies

• Triples are used for storing ontologies in
  memory
• (Bob, is_A, Person)
• (Alice, is_A, Person)
• (Alice, friendOf, Bob)

30
Smaller Ontologies (cntd.)

• More complex constructs such as unionOf are also
  translated to triples
• A unionOf B,C,D
• (A, unionOf, A0) (A0, first, B) (A0, rest,
  A1) (A1, first, C)
• (A1, rest, A2) (A2, first, D) (A2, rest,
  nil)

31
Smaller Ontologies (cntd.)
Number of triples 2n1
Number of triples n
32
Smaller Ontologies (cntd.)
33
Lower reasoning time
Times are in milliseconds
34
Summary Conclusions

• We showed how ontologies can be used in
  representing semantics of access control domains.
• We showed how these semantics can be used for
  inferring new implicit rules.
• We also showed how rules can be used for
  increasing the expressivity.
• The experimental results showed better reasoning
  time when working with reduced ontologies.

35
Thanks for your attention!

• Questions?

36
Definitions

• Semantic Web is an extension of the current Web
  which gives information a well-defined meaning,
  makes machines capable of interpreting and
  processing the information.
• An access control mechanism should assure that
• Only eligible users are authorized to be granted
  an access right.
• Each eligible user must be able to access all the
  resources that s/he is authorized for.

37
Reduction in the scope of OWL class axioms
38
Reduction in the scope of OWL individual axioms
39
Reduction in the scope of OWL property
restrictions
40
Actions in SBAC