Timed Constraint Programming: A Declarative Approach to Usage Control - PowerPoint PPT Presentation

Learn more at: http://fpl.cs.depaul.edu

Transcript and Presenter's Notes

1
Timed Constraint Programming: A Declarative
Approach to Usage Control
  • Radha Jagadeesan, Will Marrero, Corin Pitcher
    (DePaul University)
  • Vijay Saraswat (IBM Research)

2
Usage Control
  • Scope of Usage Control [Park, Sandhu 2002]
    • Traditional access control
    • Trust management
    • Digital rights management
  • Temporal aspects of UCON policies
    • Terminate ongoing sessions when resource
      consumption is too high
    • Change access rights during an emergency
    • Enforcement of dynamic separation of duty concerns

3
This Talk
  • Policy algebra for Usage Control, following the timed
    concurrent constraint programming paradigm
    • Declarative
    • Default constraint programming addresses negative
      authorization requirements
    • Reactive computing addresses history-sensitive
      requirements
  • Policy analysis
    • Equational reasoning
    • Model checking

4
Outline
  • Motivation
  • Policy algebra
    • Untimed
    • Timed
  • Policy analysis

5
UCON: Traditional Access Control
  • Can a subject perform an action on an object?
  • Policy captured as an access matrix and enforced
    by a monitor
  • Centralized authority

6
Access Control Lists (ACLs)
  • Access Control Lists (ACLs) associated with
    objects
  • Problem: ACL management is too burdensome
  • Solution: make use of the object hierarchy

7
ACLs with Inheritance
  • On hierarchically structured objects, MS Windows
    permits inheritance with ACLs.
  • Reduces redundancy
  • Inheritance is optional, so we can always start
    from the empty ACL if necessary

8
ACLs with Inheritance
  • Suppose that Alice should not be able to access
    File 1
  • Failing to inherit from Dir 3 to File 1 causes
    loss of access to Bob and Charlie
  • Bob and Charlie must be added back explicitly

9
ACLs with Negative Entries
  • Negative ACL entries reduce redundancy
  • But conflicts must be resolved, e.g.,
    • By order
    • By prioritization of negative entries

10
Declarative Components
  • Deduction can be used to describe
    • Existing access control systems for analysis
    • New access control systems for implementation
      and analysis
  • Constraints used in policies for NSA's SELinux to
    restrict permissible domain transitions

11
UCON: Trust Management
  • Trust Management: decentralized authorities
  • PolicyMaker [Blaze, Feigenbaum, Lacy]
  • SPKI/SDSI [Ellison, Rivest et al.]
  • RT family [Li, Mitchell]
    • RT1c: deduction and constraints

12
UCON: Digital Rights Management
  • Familiar examples
    • Movie can be played just once
    • Movie can be played repeatedly within 24 hours of
      first play
  • More generally, history-sensitive policies that
    control ongoing access to resources
  • Non-trivial behavior in the accessing state of a
    session

(Figure: session state diagram with states initial state,
requesting, accessing, end, denied, revoked)
13
UCON: Digital Rights Management
  • Sessions may affect one another
    • In the event of an attack, revoke existing web
      sessions and only allow administrators to log in
      via a local console
    • Ryutov and Neuman's GAA-API provides similar
      capabilities
  • Broad applicability
    • Officer on traffic duty receives limited access
      to FBI database if query to state database flags
      driver as a person of interest [Anon, NSA]
    • Doctor may perform an operation only when the
      patient has signed a consent form [Park, Sandhu]

14
Separation of Duty
  • The Separation of Duty (SoD) principle limits the
    harm that can be caused by one person acting
    alone
  • Example policy: no-one can approve their own
    purchase requests
  • Static SoD: no-one can be both an approver and a
    purchaser (too restrictive)
  • History-based SoD: the desired policy (requires
    runtime monitoring)

15
The Chinese Wall Security Policy
  • Brewer and Nash's Chinese Wall security policy is
    a history-based SoD specified in terms of
    conflict of interest
  • A law firm working as both prosecution and
    defense counsel must partition staff carefully
    and prevent information leaks
    • Staff are initially unassigned
    • Upon reading a prosecution file, they are
      forbidden from accessing defense files in the
      future
  • Generally, resources are assigned owners, and the
    owners may be in conflict
  • Prevents accidental or malicious leakage by users
    / Trojan horses, but not water fountain gossip

16
Outline
  • Motivation
  • Policy algebra
    • Untimed
    • Timed
  • Policy analysis

17
Policy Algebra
  • Existing declarative policy algebras for untimed
    policies
  • Existing work on timed policies lacks notions
    such as multiform time and preemption identified
    by the reactive systems community
  • Adapt existing work on an approach to reactive
    systems using Timed Default concurrent constraint
    programming

18
Outline
  • Motivation
  • Policy algebra
    • Untimed
    • Timed
  • Policy analysis

19
Untimed Fragment: 3-Valued Logic
  • 3-valued logic
    • true: grant access
    • false: deny access
    • ?: neither grant nor deny access
  • Operators
    • P and Q
    • P or Q
    • not (P)
    • P def Q
    • P left Q

(Figure: truth tables over P and Q for the operators)
20
Untimed Fragment: Constraint Store
  • Concurrent constraint programming paradigm
    • From store-as-valuation to store-as-constraint
    • Constraint system includes entailment relation
    • read becomes ask, using entailment to query
      store
    • write becomes tell, adding to the store
  • Ask: if a then P else Q
    • Runs P if a is entailed by the store
    • Otherwise runs Q
  • Tell: discussed later

21
Untimed Fragment: Functions
  • Policy language permits (recursive) functions
  • Policy function CheckAccess with username
    parameter u
  • CheckAccess(u)
      if u ∈ Students then true else ?

22
Access Control Lists
  • Test negative entries on current path p
  • Test positive entries on current path p
  • Test inherited rights from parent directory, if
    any
  • Otherwise access is denied
  • CheckACL(u,p)
      (if u ∈ NegACL(p) then false)
      def
      (if u ∈ PosACL(p) then true)
      def
      (if p ≠ / ∧ p ∈ Inherits then
         CheckACL(u,parent(p))
      )
      def
      false
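The CheckACL policy above, as an added illustration in Python rather than code from the talk: results are three-valued (True = grant, False = deny, None = the third value that neither grants nor denies), and the block assumes that "P def Q" yields P's result unless it is undetermined, that "if a then P" without an else branch is undetermined when a is not entailed, and that entailment is set membership over a constructed store of ACL facts reproducing the Dir 3 / File 1 scenario of slide 8.

```python
# Added illustration, not the talk's own code: the untimed fragment in Python.
# Results are three-valued: True = grant, False = deny, None = neither.
# Assumptions: "P def Q" yields P's result unless it is undetermined, in which
# case Q's; "if a then P" with no else is undetermined when a is not entailed;
# entailment is modelled as membership in a constructed store of ACL facts.
from typing import Callable, Optional

Result = Optional[bool]

def pdef(p: Callable[[], Result], q: Callable[[], Result]) -> Result:
    """P def Q: fall back to Q only when P neither grants nor denies."""
    r = p()
    return r if r is not None else q()

def ask(entailed: bool, then: Callable[[], Result]) -> Result:
    """if a then P (no else): run P if a is entailed by the store, else None."""
    return then() if entailed else None

# Constructed store (slide 8 scenario): Dir 3 grants Alice, Bob and Charlie;
# File 1 inherits from Dir 3 but carries a negative entry for Alice.
NEG_ACL = {"/dir3/file1": {"alice"}}
POS_ACL = {"/dir3": {"alice", "bob", "charlie"}}
INHERITS = {"/dir3", "/dir3/file1"}          # objects that inherit from parent

def parent(p: str) -> str:
    return p.rsplit("/", 1)[0] or "/"

def check_acl(u: str, p: str) -> Result:
    """CheckACL(u,p) from the slide: negative entries, then positive entries,
    then the parent's rights if p is not the root and inherits, else deny."""
    return pdef(
        lambda: ask(u in NEG_ACL.get(p, set()), lambda: False),
        lambda: pdef(
            lambda: ask(u in POS_ACL.get(p, set()), lambda: True),
            lambda: pdef(
                lambda: ask(p != "/" and p in INHERITS,
                            lambda: check_acl(u, parent(p))),
                lambda: False)))

if __name__ == "__main__":
    for user in ("alice", "bob", "dave"):
        print(user, check_acl(user, "/dir3/file1"))   # False, True, False
```

Alice is blocked by the negative entry on File 1 while Bob and Charlie keep their inherited rights, which is exactly the redundancy that breaking inheritance (slide 8) would have forced the administrator to add back by hand.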

23
Outline
  • Motivation
  • Policy algebra
    • Untimed
    • Timed
  • Policy analysis

24
Reactive Systems
  • Reactive systems continuously react to their
    environment at a speed determined by their
    environment [Halbwachs]
  • Well-established theory and tools, e.g., Esterel,
    Lustre, Signal

25
Reactive Systems
  • View temporal policies as reactive systems
    [McDougall et al.]
  • The environment is the security monitor
    • Queries whether requests should be granted
    • Passes relevant events to the policy, e.g., time
      passing or attack detected

(Figure: message sequence between Environment and Policy:
query() answered false, then event(), then query() answered true)
26
Timed Concurrent Constraint Programming
  • Timed cc and Timed Default cc: extensions of
    concurrent constraint programming for reactive
    systems
  • Each time instant (reacting to environmental
    stimulus) has its own store
  • Process residual remains for next time instant

(Figure: successive time instants, each with its own store
store0, store1, store2 and process residual P0, P1, P2,
with ask / tell at every instant)
27
Timed Fragment: Operators
  • next(tell(a)) tells constraint a to the store in the
    next time instant
  • hence(P) runs a fresh copy of P at every
    subsequent time instant
  • time P on-present a (time P on-absent a) runs P
    when a is (is not) entailed by the store
  • Other temporal operators are definable
    • always(P)
    • first a do P
    • P until a

28
Example: Timed Policy Change
  • Prevent access to files during time frame
    delimited by start / stop events
    • System load becomes too high
    • Intrusion detection system identifies an attack
    • Deletion / modification of files forbidden during
      criminal investigation
  • CheckACLTimedPolicyChange(u,p)
      (if p ∈ Affected ∧ Started then false)
      def CheckACL(u,p)

29
Example: Timed Policy Change
  • Upon a Start event, tell Started to future stores
  • Stop event preempts execution of inner process
  • always (
      if Start then
        (always (next (tell (Started)))) until Stop
    )

30
The Chinese Wall Security Policy
  • Assume an owner function and a conflict relation
    conf in the constraint system
  • CheckACLWithCW(u,p)
      (if CheckACL(u,p) then
        if ∃X. ((conf(X,owner(p)) ∧ read(u,X)) else
          true
          left
          always (next(tell(read(u,owner(p))))))
      def false
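The timed policy change (slides 28 and 29) and the Chinese Wall policy above, as an added simulation that is not the talk's or the paper's code: a fresh store is created for each time instant driven by the monitor, `always(next(tell(a)))` is modelled as a fact carried into every later store, `until Stop` is assumed to cancel that carry-forward from the Stop instant on (so Started still holds at the Stop instant, having been told by the previous one), CheckACL is simplified to a positive-ACL lookup, and the undetermined result of a missing branch becomes a deny through the outer `def false`. Owners, conflicts and ACL entries are constructed sample data.

```python
# Added illustration, not the talk's code: one store per time instant, with
# the carry-forward assumptions stated in the lead-in. Constructed data below.
OWNER = {"pros1": "prosecution", "def1": "defense"}
CONF = {("prosecution", "defense"), ("defense", "prosecution")}  # conf(X, Y)
POS_ACL = {"pros1": {"alice"}, "def1": {"alice"}}
AFFECTED = {"def1"}                       # paths frozen while Started holds

class TimedPolicy:
    def __init__(self):
        self.store = set()     # constraints of the current instant
        self.persist = set()   # facts told by always(next(tell(...)))

    def tick(self, events=()):
        """Move to the next instant: residual facts plus the monitor's events."""
        self.store = set(self.persist) | set(events)
        for e in events:                         # always(if Start then ... until Stop)
            if e == "Start":
                self.persist.add("Started")      # Started told to all future stores
            elif e == "Stop":
                self.persist.discard("Started")  # Stop preempts the inner process

    def check_acl(self, u, p):
        return u in POS_ACL.get(p, set())        # simplified CheckACL(u,p)

    def check_timed(self, u, p):
        """CheckACLTimedPolicyChange(u,p): deny affected paths while Started."""
        if p in AFFECTED and "Started" in self.store:
            return False
        return self.check_acl(u, p)

    def check_cw(self, u, p):
        """CheckACLWithCW(u,p): deny if u has read a file whose owner conflicts
        with owner(p); on grant, record read(u, owner(p)) for later instants."""
        if not self.check_acl(u, p):
            return False
        if any(("read", u, x) in self.store for x, y in CONF if y == OWNER[p]):
            return False                         # the "def false" turns this into a deny
        self.persist.add(("read", u, OWNER[p]))  # always(next(tell(read(u,owner(p)))))
        return True

def scenario():
    """Drive the policy through a few instants and collect the monitor's answers."""
    pol, out = TimedPolicy(), []
    pol.tick()                                       # instant 0
    out.append(pol.check_cw("alice", "pros1"))       # grant; read is recorded
    pol.tick()                                       # instant 1: read fact in store
    out.append(pol.check_cw("alice", "def1"))        # deny: conflict of interest
    out.append(pol.check_cw("alice", "pros1"))       # same side remains allowed
    pol.tick(events={"Start"})                       # instant 2: Start arrives
    out.append(pol.check_timed("alice", "def1"))     # grant: Started told only for next instant
    pol.tick()                                       # instant 3
    out.append(pol.check_timed("alice", "def1"))     # deny: Started holds
    pol.tick(events={"Stop"})                        # instant 4: Stop preempts
    out.append(pol.check_timed("alice", "def1"))     # deny: Started still told by instant 3
    pol.tick()                                       # instant 5
    out.append(pol.check_timed("alice", "def1"))     # grant again
    return out
```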

31
Outline
  • Motivation
  • Policy algebra
    • Untimed
    • Timed
  • Policy analysis

32
Policy Analysis
  • Does a policy behave as we expect?
  • Two approaches
    • Equational reasoning based on a bisimilarity
      relation
    • Model checking

33
Equational Reasoning
  • A policy is a process that reacts to additions to
    the store, and produces an output result (true,
    false, or ?)
  • By coinduction, define bisimilarity as the
    greatest relation that cannot distinguish
    processes using
    • Same additions to the store for both processes
    • Observing the output result
  • Theorem: bisimilarity is a congruence

34
Model Checking
  • Goal: reuse existing technology if possible
  • Construct a transition system for a policy, where
    transitions indicate queries (with response) or
    events supplied by the environment
  • With recursion and finiteness restrictions, the
    transition system is finite
    • By a translation into Timed Default cc and a
      theorem due to Saraswat, Jagadeesan, Gupta

35
Model Checking
  • Interesting properties can be expressed using
    linear temporal logic (LTL)
  • Simple safety (from Li, Mitchell, Winsborough
    2003): Does there exist a reachable state in
    which a (presumably untrusted) principal u has
    access to a resource p?
      G (grant(u,p))
  • Analysis with state-dependent restrictions, e.g.,
    for the Chinese Wall policy with a finite set of
    users and two resources p1 and p2 that are in
    conflict
      ∀u. G (grant(u,p1) → G (grant(u,p2)))

36
Summary
  • There is a need for history-sensitive policies
  • Constraints already appear in security theory and
    practice
  • This paper: a temporal policy algebra
    • Combines constraint entailment and negation
    • Declarative timed features from reactive
      programming languages
    • Policy analysis via coinductive equational
      reasoning and model checking

37
Future Work
  • Implementation in progress (based on jcc)
  • Case studies
  • Practical model checking?

38
  • Thank You!
