Logical Model and Specification of Usage Control. Xinwen Zhang, Jaehong Park, Francesco Parisi-Presicce, Ravi Sandhu. George Mason University


1
Logical Model and Specification of Usage Control
Xinwen Zhang, Jaehong Park, Francesco Parisi-Presicce, Ravi Sandhu
George Mason University
2
Outline
  • Introduction of UCON
  • Temporal Logic of Action (TLA)
  • Logic Model for UCON with TLA
  • Specification of Authorization Core Models
  • Specification of Obligation Core Models
  • Specification of Condition Core Models
  • Applications of Logical Model
  • Conclusions and Future Work

3
UCON
  • A unified framework for next generation access
    control
  • A comprehensive model to represent the underlying
    mechanism of existing access control models and
    policies.
  • Try to extend the limits of traditional access
    control models
      • Authorization only: no obligation- or
        condition-based control
      • Identity-based only: no attribute-based support
      • Decision is made before access: no ongoing
        control
      • No consumable rights: no mutable attributes
      • Rights are pre-defined and granted to subjects

4
UCON
  • UCON provides a general model beyond DRM and
    Trust Management
  • Digital Rights Management (DRM)
      • Mainly focuses on intellectual property rights
        protection with architecture- and mechanism-level
        studies
      • Lacks an access control model
  • Trust Management
      • Authorization for strangers' access based on
        credentials
      • Lacks an abstract model for attribute-based
        authorization

5
OM-AM Layered Approach
6
Related Work: UCON Model
  • UCON
      • A unified model for next generation access
        control, constructed by integrating obligations
        and conditions as well as authorizations, and by
        including continuity and mutability properties.
  • Components
      • Subjects and attributes
      • Objects and attributes
      • Generic rights
      • Decision components
          • Authorization
          • Obligations
          • Conditions

7
UCON Model
  • Unique properties beyond traditional models
      • 3 phases for a single usage process
      • Continuity of decisions: decision checks can be
        performed in the first 2 phases.
      • Mutability of attributes: attribute updates can
        be performed as a result of usage actions in all 3
        phases.

8
Core Models
  • According to the authorization control and attribute
    update points, we have seven core authorization
    models
      • preA0: control decision is determined before
        access, and there is no attribute update.
      • preA1: control decision and attribute update
        before access.
      • preA3: control decision is determined before
        access, and attribute update after access.
      • onA0: control decision is checked and determined
        during usage, and there is no attribute update.
      • onA1: control decision is checked and determined
        during usage, and there is attribute update
        before access.
      • onA2: control decision is checked and determined
        during usage, and there is attribute update
        during usage.
      • onA3: control decision is checked and determined
        during usage, and there is attribute update after
        usage.
  • Similarly, a set of core models is defined with
    obligations and conditions.
  • A real UCON system may be a hybrid of them.

9
Outline
  • Introduction of UCON
  • Temporal Logic of Action (TLA)
  • Logic Model for UCON with TLA
  • Specification of Authorization Core Models
  • Specification of Obligation Core Models
  • Specification of Condition Core Models
  • Applications of Logical Model
  • Conclusions and Future Work

10
Temporal Logic of Action
  • Basic Terms
      • Variables: x, y
      • Values: 5, abc
      • Constants
  • A state is an assignment of values to variables
  • Functions: nonboolean expressions with variables
    and constants
      • Semantically, a function is a mapping from states
        to values.
  • State predicates: boolean expressions with
    variables and constants
      • Semantically, a predicate is a mapping from
        states to booleans.
  • Actions: boolean expressions with variables,
    primed variables, and constants
      • Semantically, an action is a function assigning a
        boolean to a pair of states (s,t), where s is the
        old state with variables, and t is the new state
        with primed variables.

11
TLA
  • Behavior: a sequence of states <s0, s1, s2, ...>
  • Semantics of an action A

e.g for action A of xy1, its value is where
is the value of x in state s1, and
is the value of y in state s0.
  • Temporal operator (always)
  • Temporal Formula
  • Semantics

12
TLA
  • Other temporal operators
  • Eventually
  • Next
  • Until
  • Past temporal operators
  • Has-always-been, Once, Previous, Since

13
Outline
  • Introduction of UCON
  • Temporal Logic of Action (TLA)
  • Logic Model for UCON with TLA
  • Specification of Authorization Core Models
  • Specification of Obligation Core Models
  • Specification of Condition Core Models
  • Expressivity and Flexibility
  • Conclusions and Future Work

14
Logical Model of UCON: States and Attributes
  • A state of a UCON system is a set of assignments
    of values to attributes
  • Subject attributes
      • role: employee
      • security clearance: secret
      • credit amount: 1000.00
  • Object attributes
      • type: file
      • ACL: (Alice, read), (Bob, write)
  • System attributes
      • system time
      • platform location
  • A special system attribute
      • state(s,o,r): initial, requesting, denied,
        accessing, revoked, end
      • Specifies the status of a single access process
        (s,o,r)
      • Authorization actions are defined to change this
        state.

15
Logical Model of UCON: Predicates
  • Predicates: boolean expressions built from subject
    attributes, object attributes, and system
    attributes.
      • Map a state to True/False
  • Unary predicates
      • Alice.credit > 1000, file1.classification
        secure
  • Binary predicates
      • Dominate(Alice.clearance, file1.classification)
      • (Bob, read) ∈ file2.ACL
  • Ternary predicate: permit(s,o,r)
      • Specifies usage control decisions
      • True if s is allowed to access o with r.

16
Logic Model of UCON: Actions
  • Actions: boolean expressions built from
    attributes in two states.
  • Alice.creditAlice.credit - 50.0
  • Two types of actions
      • Control actions: change the state of a single usage
        process
          • Actions performed by the subject
          • Actions performed by the system
      • Obligation actions
          • Actions that have to be performed before or
            during an access.
          • May or may not be performed by the requesting
            subject and on the target object.

17
Logic Model of UCON
  • The logical model of a UCON system is a 5-tuple
    (S, PA, PC, AA, AB), where
      • S is a sequence of states of the system,
      • PA is a finite set of authorization predicates
        built from the attributes of subjects and
        objects,
      • PC is a finite set of condition predicates built
        from the system attributes,
      • AA is a finite set of control actions,
      • AB is a finite set of obligation actions.
  • A UCON policy is a logic formula consisting of
    predicates, actions, and logical and temporal
    operators
      • where a is an action and p is a predicate with terms
        t1, t2, ..., tn

18
Logical Model of UCON
  • Semantics

19
Outline
  • Introduction of UCON
  • Temporal Logic of Action (TLA)
  • Logic Model for UCON with TLA
  • Specification of Authorization Core Models
  • Specification of Obligation Core Models
  • Specification of Condition Core Models
  • Applications of Logical Model
  • Conclusions and Future Work

20
Specification of Core Model
  • preA0
  • Example 2: BLP model
  • Example 3: DAC with ACL

21
Specification of Core Model
  • preA1
  • Example 4: DRM pay-per-use application
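
Added example (not from the presentation): a small Python reference monitor for a preA1 pay-per-use process, where the decision and the attribute update both happen before access. The slide's formula did not survive, so the authorization predicate (credit at least the price), the price of 50.0 taken from the credit update on slide 16, and all class and function names are assumptions.

```python
# Added illustration: a preA1 usage process. Names and the predicate are assumptions.
from dataclasses import dataclass, field

PRICE = 50.0  # assumed per-use price, matching the credit update on slide 16

@dataclass
class Monitor:
    credit: dict                                # subject attribute: credit
    state: dict = field(default_factory=dict)   # state(s,o,r) per usage process

    def status(self, s, o, r):
        return self.state.get((s, o, r), "initial")

    def try_access(self, s, o, r):
        """Subject action: initial -> requesting."""
        if self.status(s, o, r) != "initial":
            raise ValueError("usage process already started")
        self.state[(s, o, r)] = "requesting"

    def decide(self, s, o, r):
        """System action: requesting -> accessing (with pre-update) or denied."""
        if self.status(s, o, r) != "requesting":
            raise ValueError("no pending request")
        if self.credit.get(s, 0.0) >= PRICE:    # authorization predicate
            self.credit[s] -= PRICE             # pre-update of a mutable attribute
            self.state[(s, o, r)] = "accessing"
        else:
            self.state[(s, o, r)] = "denied"    # no update on denial
        return self.state[(s, o, r)]

    def end_access(self, s, o, r):
        """Subject action: accessing -> end."""
        if self.status(s, o, r) != "accessing":
            raise ValueError("not accessing")
        self.state[(s, o, r)] = "end"

def demo():
    # Constructed sample data: alice can pay for two uses, bob for none.
    m = Monitor(credit={"alice": 120.0, "bob": 30.0})
    out = []
    for s, o in [("alice", "song1"), ("alice", "song2"),
                 ("alice", "song3"), ("bob", "song1")]:
        m.try_access(s, o, "play")
        out.append(m.decide(s, o, "play"))
    return out, m.credit
```

Alice's third request is denied only because her two earlier usages changed her credit, which is the mutability property that a fixed, pre-granted right cannot express.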

22
Specification of Core Model
  • preA3

23
Specification of Core Model
  • onA0
  • Example 6

24
Specification of Core Model
  • onA1
  • onA2
  • onA3

25
Specification of Core Model
  • Example 7: Resource-constrained access control
      • Limited number (10) of ongoing accesses for a
        single object
      • Object attribute
      • When an 11th subject requests new access, one
        ongoing access will be revoked.
  • a. the earliest usage will be revoked: onA13
      • Subject attribute: startTime

26
Specification of Core Model
  • b. revocation by longest idle usage: onA123
      • Subject attributes: status (with value of busy or
        idle), idleTime

27
Specification of Core Model
  • c. revocation by longest total usage: onA13
      • Subject attribute: usageTime
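
Added example (not from the presentation): Example 7 as a Python monitor for one object, covering the three revocation choices a, b and c. The limit of 10 and the attribute names startTime, status, idleTime and usageTime come from the slides; the class, its methods, the policy labels and the scenario are assumptions.

```python
# Added illustration of Example 7; class and method names are assumptions.
LIMIT = 10  # at most 10 ongoing accesses to a single object (from the slide)

class ObjectMonitor:
    def __init__(self, policy, limit=LIMIT):
        self.policy, self.limit = policy, limit
        self.ongoing = {}      # subject -> attributes of its ongoing usage
        self.usage_time = {}   # subject attribute usageTime, kept across usages
        self.revoked = []      # subjects whose usage was revoked

    def _score(self, s):
        a = self.ongoing[s]
        if self.policy == "earliest":        # a. smallest startTime is revoked
            return -a["startTime"]
        if self.policy == "longest_idle":    # b. only idle usages count
            return a["idleTime"] if a["status"] == "idle" else 0
        return self.usage_time.get(s, 0)     # c. largest accumulated usageTime

    def request(self, s, now):
        """Admit s; if the object is full, revoke one ongoing usage first."""
        victim = None
        if len(self.ongoing) >= self.limit:
            victim = max(self.ongoing, key=self._score)
            self.end(victim, now)
            self.revoked.append(victim)
        # pre-update (the "1" in onA13 / onA123)
        self.ongoing[s] = {"startTime": now, "status": "busy", "idleTime": 0}
        return victim

    def set_idle(self, s, idle_time):
        """Ongoing update (the "2" in onA123)."""
        self.ongoing[s].update(status="idle", idleTime=idle_time)

    def end(self, s, now):
        """Post-update (the "3"): add this usage's duration to usageTime."""
        a = self.ongoing.pop(s)
        self.usage_time[s] = self.usage_time.get(s, 0) + now - a["startTime"]

def demo(policy):
    # Constructed scenario: s0 has 40 time units of earlier usage, then ten
    # subjects hold the object and s10 arrives as the 11th.
    m = ObjectMonitor(policy)
    m.request("s0", 0); m.end("s0", 40)
    for i in range(1, 10):
        m.request(f"s{i}", 100 + i)
    m.request("s0", 110)
    m.set_idle("s5", 7); m.set_idle("s3", 2)
    return m.request("s10", 120), len(m.ongoing)
```

The same 11th request revokes a different subject under each policy, and the number of ongoing accesses stays at the limit in all three cases.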

28
Outline
  • Introduction of UCON
  • Temporal Logic of Action (TLA)
  • Logic Model for UCON with TLA
  • Specification of Authorization Core Models
  • Specification of Obligation Core Models
  • Specification of Condition Core Models
  • Applications of Logical Model
  • Conclusions and Future Work

29
Obligations
  • An obligation is an action described by ob(s, o,
    r, sb, ob)
      • ob is the action name,
      • (s, o, r) is a particular usage process requiring
        the obligation,
      • sb, ob are the obligation subject and object.
  • Two types of obligations in UCON
      • pre-obligations, which must have been performed
        before access.
      • ongoing-obligations, which must be performed
        during usage.
  • Obligations that have to be performed after an
    access, since they only affect the future usage
    process, are considered global obligations

30
Obligation Model
  • Core obligation models
  • preB0: A usage control decision is determined by
    obligations before an access, and there is no
    attribute update before, during, or after the
    usage.
  • preB1: A usage control decision is determined by
    obligations before an access, and one or more
    subject or object attributes are updated before
    the usage.
  • preB3: A usage control decision is determined by
    obligations before an access, and one or more
    subject or object attributes are updated after
    the usage.
  • onB0: Usage control is checked and the decision
    is determined by obligations during an access,
    and there is no attribute update before, during,
    or after the usage.
  • onB1: Usage control is checked and the decision
    is determined by obligations during an access,
    and one or more subject or object attributes are
    updated before the usage.
  • onB2: Usage control is checked and the decision
    is determined by obligations during an access,
    and one or more subject or object attributes are
    updated during the usage.
  • onB3: Usage control is checked and the decision
    is determined by obligations during an access,
    and one or more subject or object attributes are
    updated after the usage.

31
Specification of Core Model
  • preB1

32
Specification of Core Model
  • preB1

33
Specification of Core Model
  • onB0

34
Outline
  • Introduction of UCON
  • Temporal Logic of Action (TLA)
  • Logic Model for UCON with TLA
  • Specification of Authorization Core Models
  • Specification of Obligation Core Models
  • Specification of Condition Core Models
  • Applications of Logical Model
  • Conclusions and Future Work

35
Conditions
  • Conditions are environment restrictions before or
    during usage.
  • In UCON, a condition is a predicate built from
    system attributes, such as time and location.
  • Two types of conditions
      • pre-conditions: conditions that must be true
        before an access.
      • ongoing-conditions: conditions that must be true
        during the process of accessing an object.
  • preC0
  • onC0

36
Outline
  • Introduction of UCON
  • Temporal Logic of Action (TLA)
  • Logic Model for UCON with TLA
  • Specification of Authorization Core Models
  • Specification of Obligation Core Models
  • Specification of Condition Core Models
  • Applications of Logical Model
  • Conclusions and Future Work

37
Application
  • RBAC1 model: preA0

38
Application
  • RBAC2: preA1

39
Application
  • Chinese Wall Policy: preA1

40
Application
  • MAC with high watermark

41
Conclusions
  • A logical model for UCON with
      • States with
          • Subject attributes and values
          • Object attributes and values
          • System attributes and values
      • Predicates
          • Authorization predicates built from subject and
            object attributes
          • Condition predicates built from system attributes
      • Actions
          • Attribute update actions
          • Usage control actions
          • Obligation actions
      • Temporal formulas of usage control policies
  • First-order logic specification of the UCON
    models with new features of mutability and
    continuity

42
Future Work
  • Formal study
      • Enrich the logical model, such as with constraints
        and delegations
      • Expressive power and safety analysis of UCON with
        logical formalization
  • Development of architecture and mechanism for
    UCON system
      • DRM technologies
      • Trusted computing technologies