Title: PolicyMorph: Interactive Policy Transformations for a Logical Attribute-Based Access Control Framework
PolicyMorph: Interactive Policy Model Transformations for a Logical ABAC Framework
Michael LeMay, Omid Fatemieh, Carl A. Gunter
Outline
- Motivation
- Introduction
- Logical Attribute-Based Policies
- Logical Constraints
- Access Control Models
- Model Transformations
- Prototype Implementation and Test Case
- Conclusion
Motivation
- Difficult or impossible for a policy administrator to formally encode all desired policy constraints
[Venn diagram: All Possible Policy Models; Models Desired by Administrator; Models Accepted by Formal Constraints]
Motivation Example
- Consider an access control policy for Personally-Identifiable Information (PII) contained in an online retailer's database
- Regulated by the retailer's privacy policy: maintain confidentiality of customer information from third-party partners and marketing
- Assume some employees are employed in both the information systems support and marketing departments
- Such an employee could be responsible for the customer email list
- The privacy policy prohibits this separation-of-duty violation, and the constraint checker detects the violation.
Motivation Example (cont.)
- The task must be assigned to some other employee
- The constraint checker is unaware of external considerations essential to task reassignment, such as existing workloads of employees, relevant skills, etc.
- The policy model administration tool presents the administrator a list of possible employees to which the task could be reassigned, and the administrator selects the most suitable option.
Introduction
- Model transformation tool for logical attribute-based policies
- Uses first-order logical constraints to detect bad model configurations
- Suggests possible model transformations to bring the model into conformance
- Evaluates effects of transformations
Access Control Architecture
[Architecture diagram; only the component label "Attribute Assn." survived extraction]
Logical Attribute-Based Policies
- Order-sorted first-order logic
- S: subjects (s)
- O: objects (d)
- Entities: supersort of S and O (e)
- Actions: performed by subjects upon objects (?)
- Contexts: runtime information incorporated into decisions (?)
- Justifications: compound terms specifying every reason a positive access decision was made (?)
Policy Models
- A policy model is a 5-tuple
- A sort containing attributes
- A reflexive, transitive, anti-symmetric relation defining the attribute hierarchy
- A relation that associates attributes with entities
Major Concepts
- Policies
- Contexts
- Justifications
  - Set of reasons
  - Set of rule names
Sample Justification Reasons
Possible reasons in justifications:
- HasAttr(TA(CS423)), HasAttr(RA)
- HasSubAttr(TA), NotHasSubAttr(TA)
- IsNamed(Amber), IsNamed(Curtiss), Not IsNamed(Amber)
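As an added example (not code from the PolicyMorph project, whose engine is SWI-Prolog), this Python sketch shows how reasons like those above are derived from the attribute hierarchy: HasSubAttr(TA) holds for Amber because she directly holds TA(CS423), which sits below TA. The hierarchy edges and the "staff" supersort are constructed for the example.

```python
# Added example, not PolicyMorph's own code (the real engine is SWI-Prolog).
# Attribute hierarchy as parent edges (constructed): ta(cs423) sits below
# ta, and "staff" is an assumed supersort used to show transitivity. The
# slides describe this relation as reflexive, transitive and anti-symmetric.
HIERARCHY = {"ta(cs423)": "ta", "ta(cs523)": "ta", "ta": "staff", "ra": "staff"}
# Attribute assignment (constructed): entity -> attributes held directly.
ASSIGNMENT = {"amber": {"ta(cs423)"}, "curtiss": {"ra"}}

def ancestors(attr):
    """Attributes at or above attr: the reflexive-transitive closure of
    the parent edges. A cycle would violate anti-symmetry, so reject it."""
    chain = [attr]
    while chain[-1] in HIERARCHY:
        parent = HIERARCHY[chain[-1]]
        if parent in chain:
            raise ValueError(f"attribute hierarchy cycle at {parent}")
        chain.append(parent)
    return set(chain)

def has_sub_attr(entity, attr):
    """Decide HasSubAttr(entity, attr) and return (decision, reasons).
    The reasons form the justification: on success, the directly held
    attribute that lies below attr; on failure, the negated reason."""
    for direct in sorted(ASSIGNMENT.get(entity, ())):
        if attr in ancestors(direct):
            return True, [f"IsNamed({entity})", f"HasAttr({direct})",
                          f"HasSubAttr({attr})"]
    return False, [f"IsNamed({entity})", f"NotHasSubAttr({attr})"]
```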
Logical Constraints
- Signature
- f: any first-order formula
- ?: justification specifying why the constraint has been violated
Model Transformations
- Generated from constraint justifications to bring the model into conformance
Transformation Animations
- Elimination
- Introduction
- Egress Transfer
- Ingress Transfer
Transformation Suggestions
- The framework suggests possible transformations based on the reasons in justifications from constraints
Transformation Suggestions (cont.)
Sample Suggestions
Possible suggestions for reasons:
- HasAttr(Curtiss, RA): Eliminate(Curtiss, RA)
- NotHasSubAttr(TA): Introduce(Curtiss, TA(CS423))
Prototype Implementation
- SWI-Prolog access control engine
- Text-mode interactive model validation and transformation tool
Model Validation Tool
Test Case Scenario 1
- TA separation of duty enforcement
- Constraint: It should never be true that any TA shares a TA room with another TA from one of the courses in which the first TA is enrolled.
- Model:
  - 408 subjects
  - 172 objects
  - Similar to the CS department at UIUC
Constraint Encoding
Constraint Violations
- Sample: Curtiss and Amber are assigned to the same TA room, and Amber is Curtiss' TA!
Scenario
[Scenario diagram: entities Amber, Curtiss, Course CS523, Course CS461, Room 4023; edges labelled Student, TA, TA, TA room, TA room]
Suggested Solutions
- remove ta(cs461) from the subject curtiss
  - transfer ta(cs461) to amber
  - transfer ta(cs461) to corwin
  - transfer ta(cs461) to alice
  - ...
- remove student(cs523) from the subject curtiss
  - transfer student(cs523) to alice
  - ...
- remove ta(cs523) from the subject amber
  - transfer ta(cs523) to curtiss
  - transfer ta(cs523) to corwin
  - transfer ta(cs523) to alice
  - ...
- remove ta_room(cs523) from the object room(rm4023)
  - transfer ta_room(cs523) to room(rm4001)
  - transfer ta_room(cs523) to room(rm4002)
  - ...
- remove ta_room(cs461) from the object room(rm4023)
  - transfer ta_room(cs461) to room(rm4001)
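As an added example (not the project's own Prolog code), this Python model reproduces the scenario above: it evaluates the TA separation-of-duty constraint, returns each violation as a justification made of HasAttr reasons, and derives the remove/transfer suggestions listed on this slide from those reasons. All entity and attribute names are constructed from the slides.

```python
# Added example, not PolicyMorph's own code: a Python model of the slides'
# TA separation-of-duty test case (the real engine is SWI-Prolog).
# Attribute assignment (constructed data): entity -> set of (name, course)
# attribute pairs, e.g. ("ta", "cs461").
SUBJECTS = {
    "curtiss": {("ta", "cs461"), ("student", "cs523")},
    "amber": {("ta", "cs523")},
    "corwin": set(),
    "alice": set(),
}
OBJECTS = {
    "rm4023": {("ta_room", "cs523"), ("ta_room", "cs461")},
    "rm4001": set(),
    "rm4002": set(),
}

def violations(subjects, objects):
    """Constraint: no TA shares a TA room with a TA of a course the first
    TA is enrolled in. Each violation is returned as its justification:
    the HasAttr(entity, attribute) reasons that together make it true."""
    found = []
    for s1, attrs1 in subjects.items():
        for kind, c1 in attrs1:
            if kind != "ta":
                continue
            for kind2, c2 in attrs1:
                if kind2 != "student":
                    continue
                for s2, attrs2 in subjects.items():
                    if s2 == s1 or ("ta", c2) not in attrs2:
                        continue
                    for room, rattrs in objects.items():
                        if {("ta_room", c1), ("ta_room", c2)} <= rattrs:
                            found.append([(s1, ("ta", c1)),
                                          (s1, ("student", c2)),
                                          (s2, ("ta", c2)),
                                          (room, ("ta_room", c1)),
                                          (room, ("ta_room", c2))])
    return found

def suggestions(justification, subjects, objects):
    """Eliminate each HasAttr reason, or egress-transfer the attribute to
    another entity of the same sort that does not already hold it."""
    out = []
    for entity, attr in justification:
        pool = subjects if entity in subjects else objects
        out.append(("remove", entity, attr))
        out += [("transfer", entity, attr, other) for other in pool
                if other != entity and attr not in pool[other]]
    return out
```

Applying one suggestion to a copy of the model and re-running violations() is the "evaluate effects" step: it confirms the chosen transformation clears the violation without introducing another.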
Scenario (after transformation)
[Scenario diagram: entities Amber, Curtiss, Course CS523, Course CS461, Room 4023, Room 4001; edges labelled Student, TA, TA, TA room, TA room, TA room]
Prototype Interface with Janus
- Uses the Prolog foreign-language interface to allow a Java Building Automation System (BAS) simulator (Janus) to use the Prolog Access Decision Function (ADF), as a test case
- Complete system and demo video available at http://seclab.uiuc.edu/policymorph
Test Case System Architecture
Selected Related Works
- Fisler, K., Krishnamurthi, S., Meyerovich, L. A., and Tschantz, M. C. 2005. Verification and change-impact analysis of access-control policies. In Proceedings of the 27th International Conference on Software Engineering (ICSE 05).
Selected Related Works (cont.)
- Boyer, J. P., Tan, K., and Gunter, C. A. 2006. Privacy Sensitive Location Information Systems in Smart Buildings. In Proceedings of the 3rd International Conference on Security in Pervasive Computing (SPC 06).
Conclusion
- PolicyMorph leverages an administrator's human knowledge to select a desirable policy model from among all those that satisfy a set of constraints
Questions?
- Contact info: mdlemay2_at_cs.uiuc.edu
- Project webpage: http://seclab.uiuc.edu/policymorph
- Thank you!