Title: Logical Model and Specification of Usage Control. Xinwen Zhang, Jaehong Park, Francesco Parisi-Presicce, Ravi Sandhu (George Mason University)
Slide 1: Logical Model and Specification of Usage Control
Xinwen Zhang, Jaehong Park, Francesco Parisi-Presicce, Ravi Sandhu
George Mason University
Slide 2: Outline
- Introduction of UCON
- Temporal Logic of Action (TLA)
- Logic Model for UCON with TLA
- Specification of Authorization Core Models
- Specification of Obligation Core Models
- Specification of Condition Core Models
- Applications of Logical Model
- Conclusions and Future Work
Slide 3: UCON
- A unified framework for next generation access control
- A comprehensive model to represent the underlying mechanism of existing access control models and policies.
- Tries to extend the limits of traditional access control models:
  - Authorization only: no obligation- or condition-based control
  - Identity based only: no attribute-based support
  - Decision is made before access: no ongoing control
  - No consumable rights
  - No mutable attributes
  - Rights are pre-defined and granted to subjects
Slide 4: UCON
- UCON provides a general model beyond DRM and trust management
  - Digital Rights Management (DRM)
    - Mainly focuses on intellectual property rights protection with architecture- and mechanism-level studies
    - Lacks an access control model
  - Trust Management
    - Authorization for strangers' access based on credentials
    - Lacks an abstract model for attribute-based authorization
Slide 5: OM-AM Layered Approach
Slide 6: Related Work: UCON Model
- UCON
  - A unified model for next generation access control, constructed by integrating obligations and conditions as well as authorizations, and by including continuity and mutability properties.
- Components
  - Subjects and attributes
  - Objects and attributes
  - Generic rights
  - Decision components
    - Authorization
    - Obligations
    - Conditions
Slide 7: UCON Model
- Unique properties beyond traditional models
  - 3 phases for a single usage process
  - Continuity of decisions: the decision check can be performed in the first 2 phases.
  - Mutability of attributes: attribute updates can be performed as a result of usage actions in all 3 phases.
Slide 8: Core Models
- According to the authorization decision point and the attribute update point, we have seven core authorization models:
  - preA0: the control decision is determined before access, and there is no attribute update.
  - preA1: the control decision is determined before access, and the attribute update happens before access.
  - preA3: the control decision is determined before access, and the attribute update happens after access.
  - onA0: the control decision is checked and determined during usage, and there is no attribute update.
  - onA1: the control decision is checked and determined during usage, and the attribute update happens before access.
  - onA2: the control decision is checked and determined during usage, and the attribute update happens during usage.
  - onA3: the control decision is checked and determined during usage, and the attribute update happens after usage.
- Similarly, a set of core models is defined with obligations and conditions.
- A real UCON system may be a hybrid of them.
Slide 10: Temporal Logic of Action
- Basic terms
  - Variables: x, y
  - Values: 5, abc
  - Constants
- A state is an assignment of values to variables.
- Functions: non-boolean expressions with variables and constants
  - Semantically, a function is a mapping from states to values.
- State predicates: boolean expressions with variables and constants
  - Semantically, a predicate is a mapping from states to booleans.
- Actions: boolean expressions with variables, primed variables, and constants
  - Semantically, an action is a function assigning a boolean to a pair of states (s, t), where s is the old state (unprimed variables) and t is the new state (primed variables).
Slide 11: TLA
- Behavior: a sequence of states ⟨s0, s1, s2, ...⟩
  - e.g. for the action A: x' = y + 1, its value on the pair (s0, s1) is s1(x) = s0(y) + 1, where s1(x) is the value of x in state s1 and s0(y) is the value of y in state s0.
- Temporal operator □ (always)
Slide 12: TLA
- Other temporal operators
  - ◇ (eventually)
- Past temporal operators
  - Has-always-been, Once, Previous, Since
Slide 13: Outline
- Introduction of UCON
- Temporal Logic of Action (TLA)
- Logic Model for UCON with TLA
- Specification of Authorization Core Models
- Specification of Obligation Core Models
- Specification of Condition Core Models
- Expressivity and Flexibility
- Conclusions and Future Work
Slide 14: Logical Model of UCON: States and Attributes
- A state of a UCON system is a set of assignments of values to attributes
  - Subject attributes
    - role = employee
    - security clearance = secret
    - credit amount = 1000.00
  - Object attributes
    - type = file
    - ACL = {(Alice, read), (Bob, write)}
  - System attributes
    - system time
    - platform location
- A special system attribute
  - state(s, o, r) ∈ {initial, requesting, denied, accessing, revoked, end}
  - Specifies the status of a single access process (s, o, r)
  - Authorization actions are defined to change this state.
Slide 15: Logical Model of UCON: Predicates
- Predicates: boolean expressions built from subject attributes, object attributes, and system attributes.
  - Mapping a state to True/False
- Unary predicates
  - Alice.credit > 1000, file1.classification = secure
- Binary predicates
  - Dominate(Alice.clearance, file1.classification)
  - (Bob, read) ∈ file2.ACL
- Ternary predicate permit(s, o, r)
  - Specifies usage control decisions
  - True if subject s is allowed to access object o with right r.
Slide 16: Logic Model of UCON: Actions
- Actions: boolean expressions built from attributes in two states.
  - Alice.credit' = Alice.credit - 50.0
- Two types of actions
  - Control actions: change the state of a single usage process
    - Actions performed by the subject
    - Actions performed by the system
  - Obligation actions
    - Actions that have to be performed before or during an access.
    - May or may not be performed by the requesting subject and on the target object.
Slide 17: Logic Model of UCON
- The logical model of a UCON system is a 5-tuple (S, PA, PC, AA, AB), where
  - S is a sequence of states of the system,
  - PA is a finite set of authorization predicates built from the attributes of subjects and objects,
  - PC is a finite set of condition predicates built from the system attributes,
  - AA is a finite set of control actions,
  - AB is a finite set of obligation actions.
- A UCON policy is a logic formula consisting of predicates, actions, and logical and temporal operators,
  - where a is an action and p is a predicate with terms t1, t2, ..., tn.
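As an added illustration of slides 14 to 17 (not code from the deck), the following Python models states as attribute assignments, predicates as functions of one state, and actions as functions of a state pair in which the new state carries the primed attributes, then checks a preA1-style step of a pay-per-use policy. The credit and price values, the attribute names and the helper names are all constructed for the example.

```python
# Added example (not from the slides): UCON states, predicates and actions in
# the TLA style the deck uses. A state assigns values to attributes; a
# predicate maps one state to a boolean; an action maps a pair of states
# (old, new) to a boolean, the new state carrying the primed attributes.
# The pay-per-use figures (credit 100.0, price 50.0) are constructed data.
from typing import Callable, Dict, Tuple

State = Dict[str, object]
Predicate = Callable[[State], bool]
Action = Callable[[State, State], bool]

def credit_at_least(subject: str, amount: float) -> Predicate:
    """Unary predicate, e.g. Alice.credit >= 50.0."""
    return lambda s: s[f"{subject}.credit"] >= amount

def in_acl(subject: str, right: str, obj: str) -> Predicate:
    """Binary predicate: (subject, right) is a member of obj.ACL."""
    return lambda s: (subject, right) in s[f"{obj}.ACL"]

def both(p: Predicate, q: Predicate) -> Predicate:
    """Conjunction of two predicates, evaluated in the same state."""
    return lambda s: p(s) and q(s)

def debit(subject: str, amount: float) -> Action:
    """Attribute update action: subject.credit' = subject.credit - amount."""
    key = f"{subject}.credit"
    return lambda old, new: new[key] == old[key] - amount

def pre_a1_step(permit: Predicate, update: Action, old: State, new: State) -> bool:
    """preA1: permit(s, o, r) must hold in the old state and the attribute
    update must hold across (old, new) before the access starts."""
    return permit(old) and update(old, new)

def demo() -> Tuple[bool, bool, bool]:
    s0: State = {"Alice.credit": 100.0, "song.ACL": {("Alice", "play")}}
    s1: State = {**s0, "Alice.credit": 50.0}   # after one paid play
    s2: State = {**s1, "Alice.credit": 0.0}    # after a second paid play
    permit = both(credit_at_least("Alice", 50.0), in_acl("Alice", "play", "song"))
    pay = debit("Alice", 50.0)
    first = pre_a1_step(permit, pay, s0, s1)   # True: credit 100 -> 50
    second = pre_a1_step(permit, pay, s1, s2)  # True: credit 50 -> 0
    third = pre_a1_step(permit, pay, s2, s2)   # False: credit 0 fails permit
    return first, second, third
```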
Slide 18: Logical Model of UCON
Slide 20: Specification of Core Model
Slide 21: Specification of Core Model
- Example 4: DRM pay-per-use application
Slide 22: Specification of Core Model
Slide 23: Specification of Core Model
Slide 24: Specification of Core Model
Slide 25: Specification of Core Model
- Example 7: Resource-constrained access control
  - Limited number (10) of ongoing accesses for a single object
    - Object attribute
  - When an 11th subject requests new access, one ongoing access will be revoked.
  - a. The earliest usage will be revoked (onA13)
    - Subject attribute: startTime
Slide 26: Specification of Core Model
- b. Revocation by longest idle usage (onA123)
  - Subject attributes: status (with value busy or idle), idleTime
Slide 27: Specification of Core Model
- c. Revocation by longest total usage (onA13)
  - Subject attribute: usageTime
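As an added simulation of Example 7(a) (not code from the deck), the following Python runs the onA13 resource-constrained policy: the object attribute `ongoing` counts current accesses with the slide's limit of 10, the subject attribute `startTime` is set before access, the ongoing check at a new request revokes the access with the earliest `startTime` once the limit is reached, and the counter is decremented when a usage ends or is revoked. The class and method names and the eleven subject names are constructed for the example.

```python
# Added example (not from the slides): simulation of Example 7(a), onA13.
# Pre-update ("1"): startTime is set before the access begins.
# Ongoing check: a request beyond the limit revokes the earliest usage.
# Post-update ("3"): the object's ongoing counter drops when a usage stops.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LIMIT = 10  # at most 10 ongoing accesses per object (value from the slide)

@dataclass
class Usage:
    """One usage process (s, o, r) with its state(s, o, r) attribute."""
    subject: str
    state: str = "initial"  # initial, requesting, denied, accessing, revoked, end
    startTime: Optional[int] = None

@dataclass
class SharedObject:
    name: str
    ongoing: int = 0                      # object attribute
    usages: Dict[str, Usage] = field(default_factory=dict)

    def accessing(self) -> List[Usage]:
        return [u for u in self.usages.values() if u.state == "accessing"]

    def tryaccess(self, subject: str, now: int) -> Usage:
        """Subject control action: request access at time `now`."""
        u = self.usages[subject] = Usage(subject, "requesting")
        if self.ongoing >= LIMIT:         # ongoing check: object is full
            self.revoke_earliest()
        u.startTime = now                 # pre-update of the subject attribute
        u.state = "accessing"
        self.ongoing += 1
        return u

    def revoke_earliest(self) -> str:
        """System control action: revoke the usage with the smallest startTime."""
        victim = min(self.accessing(), key=lambda u: u.startTime)
        victim.state = "revoked"
        self.ongoing -= 1                 # post-update for the revoked usage
        return victim.subject

    def endaccess(self, subject: str) -> None:
        """Subject control action: finish the usage normally."""
        self.usages[subject].state = "end"
        self.ongoing -= 1                 # post-update for the ended usage

def demo() -> Dict[str, object]:
    obj = SharedObject("report")
    for t in range(11):                   # eleven subjects request in turn
        obj.tryaccess(f"s{t}", now=t)
    revoked = [u.subject for u in obj.usages.values() if u.state == "revoked"]
    return {"ongoing": obj.ongoing, "revoked": revoked}
```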
Slide 29: Obligations
- An obligation is an action described by ob(s, o, r, sb, ob)
  - ob is the action name,
  - (s, o, r) is the particular usage process requiring the obligation,
  - sb, ob are the obligation subject and object.
- Two types of obligations in UCON
  - pre-obligations, which must have been performed before access.
  - ongoing-obligations, which must be performed during usage.
- Obligations that have to be performed after an access only affect future usage processes and are therefore considered global obligations.
Slide 30: Obligation Model
- Core obligation models
  - preB0: A usage control decision is determined by obligations before an access, and there is no attribute update before, during, or after the usage.
  - preB1: A usage control decision is determined by obligations before an access, and one or more subject or object attributes are updated before the usage.
  - preB3: A usage control decision is determined by obligations before an access, and one or more subject or object attributes are updated after the usage.
  - onB0: Usage control is checked and the decision is determined by obligations during an access, and there is no attribute update before, during, or after the usage.
  - onB1: Usage control is checked and the decision is determined by obligations during an access, and one or more subject or object attributes are updated before the usage.
  - onB2: Usage control is checked and the decision is determined by obligations during an access, and one or more subject or object attributes are updated during the usage.
  - onB3: Usage control is checked and the decision is determined by obligations during an access, and one or more subject or object attributes are updated after the usage.
Slide 31: Specification of Core Model
Slide 32: Specification of Core Model
Slide 33: Specification of Core Model
Slide 35: Conditions
- Conditions are environment restrictions before or during usage.
- In UCON, a condition is a predicate built from system attributes, such as time and location.
- Two types of conditions
  - pre-conditions: conditions that must be true before an access.
  - ongoing-conditions: conditions that must be true during the process of accessing an object.
- Core condition models
  - preC0
  - onC0
Slide 37: Application
Slide 38: Application
Slide 39: Application
- Chinese Wall Policy: preA1
Slide 40: Application
Slide 41: Conclusions
- A logical model for UCON with
  - States with
    - subject attributes and values
    - object attributes and values
    - system attributes and values
  - Predicates
    - Authorization predicates built from subject and object attributes
    - Condition predicates built from system attributes
  - Actions
    - Attribute update actions
    - Usage control actions
    - Obligation actions
  - Temporal formulas of usage control policies
- First-order logic specification of the UCON models with the new features of mutability and continuity
Slide 42: Future Work
- Formal study
  - Enrich the logical model, e.g. with constraints and delegations
  - Expressive power and safety analysis of UCON with logical formalization
- Development of architecture and mechanisms for UCON systems
  - DRM technologies
  - Trusted computing technologies