Title: PolicyMorph: Interactive Policy Transformations for a Logical Attribute-Based Access Control Framework

1
PolicyMorph: Interactive Policy Model Transformations for a Logical ABAC Framework
Michael LeMay, Omid Fatemieh, Carl A. Gunter
2
Outline
  • Motivation
  • Introduction
  • Logical Attribute-Based Policies
  • Logical Constraints
  • Access Control Models
  • Model Transformations
  • Prototype Implementation and Test Case
  • Conclusion

3
Motivation
  • It is difficult or impossible for a policy administrator
    to formally encode all desired policy constraints

Diagram: within the set of all possible policy models, the models desired by the administrator and the models accepted by the formal constraints are shown as two overlapping, but not identical, subsets.
4
Motivation Example
  • Consider an access control policy for the
    Personally Identifiable Information (PII)
    contained in an online retailer's database
  • Regulated by the retailer's privacy policy: maintain
    confidentiality of customer information from
    third-party partners and marketing
  • Assume some employees work in both the
    information systems support and marketing
    departments
  • Such an employee could be made responsible for the
    customer email list
  • The privacy policy prohibits this separation-of-duty
    violation, and the constraint checker detects the
    violation.

5
Motivation Example (cont.)
  • The task must be assigned to some other employee
  • The constraint checker is unaware of external
    considerations essential to task reassignment,
    such as employees' existing workloads, relevant
    skills, etc.
  • The policy model administration tool presents the
    administrator with a list of possible employees to
    whom the task could be reassigned, and the
    administrator selects the most suitable option.

6
Introduction
  • Model transformation tool for logical
    attribute-based policies
  • Uses first-order logical constraints to detect
    bad model configurations
  • Suggests possible model transformations to bring
    model into conformance
  • Evaluates effects of transformations

7
Access Control Architecture
Diagram of the access control architecture (only the component label "Attribute Assignment" survives in the extracted text).
8
Logical Attribute-Based Policies
  • Order-sorted first-order logic
  • S: subjects (variable s)
  • O: objects (variable d)
  • Entities: supersort of S and O (variable e)
  • Actions: performed by subjects upon objects (?)
  • Contexts: runtime information incorporated into
    decisions (?)
  • Justifications: compound terms specifying every
    reason a positive access decision was made (?)

9
Policy Models
  • A policy model is a 5-tuple
  • A sort containing the attributes
  • A reflexive, transitive, anti-symmetric relation
    (a partial order) defining the attribute hierarchy
  • A relation that associates attributes with entities

10
Major Concepts
  • Policies
  • Contexts
  • Justifications
  • Set of Reasons
  • Set of rule names

11
Sample Justification Reasons
Possible reasons in justifications:
  • HasAttr(TA(CS423))
  • HasSubAttr(TA)
  • IsNamed(Amber)
  • HasAttr(RA)
  • NotHasSubAttr(TA)
  • IsNamed(Curtiss)
  • Not IsNamed(Amber)
12
Logical Constraints
  • Signature
  • f: any first-order formula
  • ?: justification specifying why the constraint has
    been violated

13
Model Transformations
  • Generated from constraint justifications to bring
    model into conformance

14
Transformation Animations
  • Elimination
  • Introduction
  • Egress Transfer
  • Ingress Transfer
15
Transformation Suggestions
  • Framework suggests possible transformations
    based on reasons in justifications from
    constraints

16
Transformation Suggestions (cont.)
17
Sample Suggestions
Possible suggestions for reasons:
  • HasAttr(Curtiss, RA) → Eliminate(Curtiss, RA)
  • NotHasSubAttr(TA) → Introduce(Curtiss, TA(CS423))
18
Prototype Implementation
  • SWI-Prolog access control engine
  • Text-mode interactive model validation and
    transformation tool

19
Model Validation Tool
20
Test Case Scenario 1
  • TA separation-of-duty enforcement
  • Constraint: it should never be true that any TA
    shares a TA room with another TA from one of the
    courses in which the first TA is enrolled.
  • Model: 408 subjects, 172 objects
  • Similar to the CS department at UIUC

21
Constraint Encoding
22
Constraint Violations
  • Sample: Curtiss and Amber are assigned to the same TA
    room, and Amber is Curtiss's TA!

23
Scenario
Amber
Curtiss
Student
TA
TA
TA room
TA room
Course CS523
Course CS461
Room 4023
24
Suggested Solutions
  • remove ta(cs461) from the subject curtiss
  • transfer ta(cs461) to amber
  • transfer ta(cs461) to corwin
  • transfer ta(cs461) to alice
  • ...
  • remove student(cs523) from the subject curtiss
  • transfer student(cs523) to alice
  • ...
  • remove ta(cs523) from the subject amber
  • transfer ta(cs523) to curtiss
  • transfer ta(cs523) to corwin
  • transfer ta(cs523) to alice
  • remove ta_room(cs523) from the object
    room(rm4023)
  • transfer ta_room(cs523) to room(rm4001)
  • transfer ta_room(cs523) to room(rm4002)
  • ...
  • remove ta_room(cs461) from the object
    room(rm4023)
  • transfer ta_room(cs461) to room(rm4001)

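The loop the slides describe (evaluate the constraint, collect the justification, derive Eliminate/Transfer suggestions from its reasons, then evaluate which suggestions actually bring the model into conformance) can be followed end to end on the slide-23 scenario. The block below is an added example written for this page, in Python rather than the prototype's SWI-Prolog, and it is not the project's own code. The entity names and attributes mirror the slides; the assumptions added for illustration are the extra subject Corwin's TA assignment for "cs400", Alice's enrollment in "cs461" (so that one suggested transfer creates a fresh violation, which the evaluation step rejects), and the spare rooms rm4001 and rm4002. The attribute hierarchy only covers the ta(course) ≤ ta pattern the slides use for HasAttr versus HasSubAttr.

```python
"""Toy re-implementation, in Python rather than the slides' SWI-Prolog, of the
PolicyMorph loop: evaluate a logical constraint over an attribute assignment,
collect the justification (reasons) for each violation, derive eliminate and
transfer transformations from those reasons, and evaluate which of them repair
the model. Data is constructed to mirror the slides' scenario; illustrative
code, not the project's own."""
from copy import deepcopy

# Sorts: subjects S and objects O. An attribute is a (name, course) pair, e.g.
# ("ta", "cs523") for ta(cs523); ("ta", None) is the bare super-attribute ta.
SUBJECTS = {"amber", "curtiss", "corwin", "alice"}
OBJECTS = {"rm4023", "rm4001", "rm4002"}

# Attribute assignment (constructed): entity -> set of attributes. alice's
# enrollment in cs461 is an added assumption so that one suggested transfer
# creates a fresh violation, which the evaluation step must reject.
MODEL = {
    "amber":   {("ta", "cs523")},
    "curtiss": {("ta", "cs461"), ("student", "cs523")},
    "corwin":  {("ta", "cs400")},
    "alice":   {("student", "cs461")},
    "rm4023":  {("ta_room", "cs523"), ("ta_room", "cs461")},
    "rm4001":  set(),
    "rm4002":  set(),
}

def sub_attr(a, b):
    """Attribute hierarchy (partial order): a <= b if equal, or a is a
    course-specific instance of the bare attribute b."""
    return a == b or (b[1] is None and a[0] == b[0])

def has_attr(model, entity, attr):
    """HasAttr(entity, attr): some attribute assigned to entity is <= attr."""
    return any(sub_attr(a, attr) for a in model[entity])

def violations(model):
    """Slide-20 constraint: no TA may share a TA room with a TA of a course in
    which the first TA is enrolled. Returns one justification per violation:
    the set of (entity, attribute) HasAttr reasons that make the body true."""
    found = []
    for s1 in SUBJECTS:
        for name1, c1 in model[s1]:
            if name1 != "ta":
                continue
            for s2 in SUBJECTS - {s1}:
                for name2, c2 in model[s2]:
                    if name2 != "ta" or not has_attr(model, s1, ("student", c2)):
                        continue
                    for room in OBJECTS:
                        if (has_attr(model, room, ("ta_room", c1))
                                and has_attr(model, room, ("ta_room", c2))):
                            found.append(frozenset({
                                (s1, ("ta", c1)), (s2, ("ta", c2)),
                                (s1, ("student", c2)),
                                (room, ("ta_room", c1)), (room, ("ta_room", c2))}))
    return found

def suggestions(justification):
    """Transformations derived from the positive HasAttr reasons: eliminate the
    attribute, or transfer it to another entity of the same sort. (A negated
    reason would yield an Introduce instead; none occurs in this constraint.)"""
    out = []
    for entity, attr in sorted(justification):
        sort = SUBJECTS if entity in SUBJECTS else OBJECTS
        out.append(("eliminate", entity, attr, None))
        out += [("transfer", entity, attr, t) for t in sorted(sort - {entity})]
    return out

def transform(model, t):
    """Return a copy of model with transformation t applied."""
    kind, entity, attr, target = t
    m = deepcopy(model)
    m[entity].discard(attr)
    if kind == "transfer":
        m[target].add(attr)
    return m

def repairs(model):
    """Evaluation step: keep only transformations after which the constraint
    holds; the rest leave the violation in place or create a new one."""
    good, bad = [], []
    for just in violations(model):
        for t in suggestions(just):
            (good if not violations(transform(model, t)) else bad).append(t)
    return good, bad

def describe(t):
    """Render a transformation in the wording of the slides' suggestion list."""
    kind, entity, (name, course), target = t
    attr = f"{name}({course})"
    return f"remove {attr} from {entity}" if kind == "eliminate" \
        else f"transfer {attr} to {target}"

if __name__ == "__main__":
    for just in violations(MODEL):
        print("violation, justified by:", sorted(just))
    good, bad = repairs(MODEL)
    print("repairs:", *map(describe, good), sep="\n  ")
    print("rejected:", *map(describe, bad), sep="\n  ")
```

Running it reports the single Curtiss/Amber/Room 4023 violation with its five HasAttr reasons, prints the eliminate and transfer suggestions in the same form as the slide-24 list, and separates out the two transfers of ta(cs523) (to Corwin and to Alice) that would only move the violation onto another TA sharing Room 4023. That last split is the point of the evaluation step: the constraint checker can rank nothing, but it can at least tell the administrator which of the candidate transformations leave the model conformant before the administrator applies external knowledge such as workloads or skills to choose among them.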
25
Scenario
Diagram: the same scenario after a transformation, with Room 4001 added as a TA room alongside Room 4023, so that Amber and Curtiss no longer share a TA room.
26
Prototype Interface with Janus
  • Uses the Prolog foreign-language interface to allow a
    Java Building Automation System (BAS) simulator
    (Janus) to use the Prolog Access Decision
    Function (ADF), as a test case
  • Complete system and demo video available at
    http://seclab.uiuc.edu/policymorph

27
Test Case System Architecture
28
Selected Related Works
  • Fisler, K., Krishnamurthi, S., Meyerovich, L. A.,
    and Tschantz, M. C. 2005. Verification and
    change-impact analysis of access-control
    policies. In Proceedings of the 27th
    International Conference on Software Engineering
    (ICSE '05).

29
Selected Related Works (cont.)
  • Boyer, J. P., Tan, K., and Gunter, C. A. 2006.
    Privacy Sensitive Location Information Systems in
    Smart Buildings. In Proceedings of the 3rd
    International Conference on Security in Pervasive
    Computing (SPC '06).

30
Conclusion
  • PolicyMorph leverages an administrator's human
    knowledge to select a desirable policy model from
    among all those that satisfy a set of constraints

31
Questions?
  • Contact info: mdlemay2_at_cs.uiuc.edu
  • Project webpage: http://seclab.uiuc.edu/policymorph
  • Thank you!
