Policy Description & Enforcement Languages Anis Yousefi [email protected]


Page 1: Policy Description & Enforcement Languages Anis Yousefi anis.yousefi@mehr.sharif.edu



sharif university of technology 2

Outline

Motivation and background

Related work

Rei: A RDF Schema-based language for policy specification.

KAoS: A policy representation language based on OWL.

Ponder: An object-oriented policy language for the management of distributed systems and networks.

Some issues


Motivation

A key need for the vision of the Semantic Web and Pervasive Computing to succeed is the ability to handle security and privacy and the ability to automate these protocols.

A good approach: Policy based security and privacy protection

Until recently: semantic web languages representing web content & services

Our goal: to find suitable semantic web languages to describe and reason about policies


Policy Advantages

Automated system management & controlling the behavior of complex systems

Allowing administrators to modify system behavior without changing source code or requiring the consent or cooperation of the components being governed

Separation of rules that govern the behavior of a system from the functionality provided by that system


Benefits of policy-based approaches

Reusability

Efficiency

Extensibility

Context sensitivity

Verifiability

Support for both simple & sophisticated components

Protection from poorly designed, buggy or malicious components

Reasoning about component behavior


Approach

It is not feasible to expect all entities to use the same terminology to represent security protocols and information.

This forces the use of a semantic language like RDF-S, DAML+OIL or OWL whose constructs help entities better understand the meaning of the security information.

A security framework for the Semantic Web and PerCompEnv needs to be flexible, semantically rich and simple enough to automate.


Possible representation of policies on each layer

Object-oriented language: Ponder

XML: XACML, P3P

RDF + RDF Schema: Rei

OWL (DAML + OIL): KAoS

Rules (logic)


KAoS

Collection of componentized agent services compatible with several agent frameworks: Corba, Nomads, …

KAoS domain services provide the capability for groups of software components, people, resources, and other entities to be organized into domains and subdomains to facilitate agent-agent collaboration and external policy administration.

KAoS policy services allow for the specification, management, conflict resolution, and enforcement of policies within domains. Policies are currently represented in DAML+OIL as ontologies. (soon OWL)


KAoS Policy Ontology

KPO (KAoS Policy Ontology): distinguishes between authorizations & obligations

Obligations: constraints that require some action to be performed or else serve to waive such a requirement

Authorizations: constraints that permit or forbid some action

Policy type: Positive|negative Obligation|Authorization

Policy: instance of policy type

Properties & property restrictions


Example of DAML policy representation in KAoS

Members of domain A are permitted to communicate to the outside of its domain using encrypted communication


Features

Work with arbitrarily written components

Dynamic runtime policy changes

Extensible to a variety of execution platforms for which policy enforcement mechanisms may be written

Robust & Adaptable – attack or failure of components

Easy-to-use policy-based administration tools: GUI for monitoring, visualizing & dynamically modifying policies at runtime


KPAT

KAoS Policy Administration Tool

Graphical tool for policy specification, revision & application; browse and load ontologies; deconflict newly defined policies.

Policy templates: high level, domain specific abstraction

Rich set of queries


Conflict detection - KAoS

At specification time: add new policy to directory service

Three types of conflict

positive vs. negative authorization

positive vs. negative obligation

positive obligation vs. negative authorization

The algorithms rely on Stanford’s Java Theorem Prover (JTP)


Policy deployment model - KAoS

Domain manager: management of domains of agents and assures policy consistency at all the levels of the domain hierarchy

Directory Service: overall policy management

Guards: interpret policies and pass them on to enforcers

Enforcers: platform-specific components


Rei: A policy language

Policy framework: specification, analysis & reasoning in PerComp

The Rei deontic concept-based policy language allows users to express and represent the concepts of rights, prohibitions, obligations, and dispensations. (+,- A,O in KAoS & Ponder)

Rei relies on an application-independent ontology to represent the concepts of rights, prohibitions, obligations, dispensations, and policy rules.


Rei elements

Policy: rules, entities, domain, (rights,…)

Basic ontology includes actions: unique action ID, target object, pre-defined conditions, effects

Speech acts: dynamically exchange rights & obligations between entities

Meta-policies: resolve policy conflicts


Example of Rei policy specification

Rei’s concepts of rights, permissions, obligations, dispensations, and policy rules are represented as Prolog predicates.

No GUI

Role-based access control policies


Reasoning - Rei

The Rei framework provides a policy engine that reasons about the policy specifications.

The engine accepts policy specification in both the Rei language and in RDF-S, consistent with the Rei ontology.

RDF to (subject, predicate, object)

The engine is consistent and complete and allows queries according to the Prolog language about any policies, meta-policies, and domain dependent knowledge that have been loaded in its knowledge base.


Conflict detection - Rei

Modality conflicts + overlap in subject, target & action

Meta policies

Setting priorities between policies or rules

Setting modality precedence


Policy deployment model-Rei

Policy engine: reason about policies & reply to queries

No enforcement model

No protection from malicious or non-compliant components or agents


Ponder

Declarative object-oriented language

Specification of management policies for distributed object systems

Basic Policy: rules governing choices in system behavior

Set of subjects and set of targets with management responsibility: have the authority to initiate a management decision

Composite Policy: grouping basic policies of organization

Role: groups of policies governing the behavior of the same subject by specifying its rights & duties

Relationship: rights & duties of roles towards each other


Ponder policy

Two fundamental policy types

obligation

authorization

obligation: the actions that policy subjects must perform on target entities when specific relevant events occur

authorization: what operations a subject is authorized to do on target objects

Management domains: group of objects to which policies apply


Policy specification

Type policy: user defined policy types

Parameterized: context specific

Policy instances

No default rules: permit or forbid action?


An example of Ponder authorization policy

The policy specifies that the professor principals have read access to all the exercise files of their students only during the opening hours of the school, i.e. from 7 am to 7 pm and from Monday to Friday.


Ponder tools

Ponder provides various graphical tools for editing, updating, removing, and browsing Ponder policies.

There are also tools for syntactic and semantic analysis of policy specifications and for transforming Ponder language specifications directly into XML or Java code that can be interpreted at runtime.


Conflict detection - Ponder

A prototype conflict detection tool to detect overlaps and conflicts between policies.

Modality conflicts: policies with modalities of opposite signs that refer to the same subjects, targets & actions

Ex: conflicts between permissions & prohibitions or between obligations and prohibitions

Application specific conflicts: policy content & external criteria

Ex: conflict between an obligation to access a resource and a limitation on the resource availability
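The modality-conflict check described on the KAoS, Rei and Ponder conflict detection slides, with a Rei-style meta-policy (priority first, then modality precedence) to pick a winner. This is an added example, not code from the slides or from any of the three systems; it assumes subjects, targets and actions are plain sets rather than ontology classes, and all policy names and members are constructed.

```python
from dataclasses import dataclass
from itertools import combinations

# Conflicting modality pairs, as listed on the KAoS conflict detection slide.
CONFLICTING = {
    frozenset({"A+", "A-"}): "positive vs. negative authorization",
    frozenset({"O+", "O-"}): "positive vs. negative obligation",
    frozenset({"O+", "A-"}): "positive obligation vs. negative authorization",
}

@dataclass
class Policy:
    name: str
    modality: str        # "A+", "A-", "O+" or "O-"
    subjects: set
    targets: set
    actions: set
    priority: int = 0    # consulted by the priority meta-policy

def find_conflicts(policies):
    """Pairs with opposite modalities AND overlap in subject, target and action."""
    found = []
    for p, q in combinations(policies, 2):
        kind = CONFLICTING.get(frozenset({p.modality, q.modality}))
        common = (p.subjects & q.subjects, p.targets & q.targets, p.actions & q.actions)
        if kind and all(common):  # an empty intersection means no real conflict
            found.append((p, q, kind, common))
    return found

def resolve(p, q, negative_wins=True):
    """Meta-policy: explicit priority first, then modality precedence."""
    if p.priority != q.priority:
        return p if p.priority > q.priority else q
    negative = p if p.modality.endswith("-") else q
    positive = q if negative is p else p
    return negative if negative_wins else positive

# Constructed sample policies (names and members are illustrative only).
SAMPLE = [
    Policy("domainA-encrypted-out", "A+", {"alice", "bob"}, {"outside"},
           {"send_encrypted"}, priority=2),
    Policy("contractors-no-out", "A-", {"bob", "carol"}, {"outside"},
           {"send_encrypted", "send_plain"}),
    Policy("bob-must-report", "O+", {"bob"}, {"outside"}, {"send_encrypted"}),
    Policy("alice-read-logs", "A+", {"alice"}, {"logs"}, {"read"}),
]

if __name__ == "__main__":
    for p, q, kind, common in find_conflicts(SAMPLE):
        print(f"{p.name} / {q.name}: {kind}; winner: {resolve(p, q).name}")
```

The pair of authorization policies for "alice" and the contractors is not reported, because their subject sets do not overlap even though the modalities are opposite.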


Policy deployment model - Ponder

Policy specification

Ponder compiler: Java class, Java object

Runtime changes not possible

Distribution and enforcement model: distinguish between authorization and obligation policies

Specification of the interfaces for enforcement agents but NO implementation

Some systems implement in application domain


Issues

Choice should be driven by the characteristics of the application domain and by simplicity, readability, analyzability, scalability and enforceability requirements

Ontology advantages:

Complex systems: multiple levels of abstraction

Description of the environment using concepts: simplifying the description, facilitating analysis & reasoning, conflict detection

Simplify the access to policy information: querying the ontology according to its schema, dynamically calculating relations between policies and environment

Sharing: negotiate between entities and agree

Technical difficulties

Complex syntax

Long declarative description

Hyperlinks & references to external resources (Ponder, DAML)

Gap between specification and implementation of policies
