Policy Management (PowerPoint PPT presentation). Elisa Bertino, Ninghui Li (Purdue U.), Anupam Joshi (UMBC), Ravi Sandhu (UTSA). Research goals: identify the types of policy relevant to AISL; develop corresponding languages and formal models; implement policy languages.


Page 1: Policy Management

Department of Computer Science

Policy Management

Elisa Bertino, Ninghui Li (Purdue U.)

Anupam Joshi (UMBC)

Ravi Sandhu (UTSA)

[Diagram: use, acquire, discover; veracity, vector, volume, velocity]

Page 2: Policy Management


Research Goals

• Identify the types of policy relevant to AISL

• Develop corresponding languages and formal models

• Implement policy languages

• Develop relevant policy tools to support the policy lifecycle

• Develop policy scenarios

Page 3: Policy Management

Types of Policy

– Access control policies
  • Controlling who is accessing which data

– Accountability policies
  • Controlling how data is used and modified

– Trust policies
  • Specifying criteria to determine which party to trust for what data/resource

Page 4: Policy Management

Policy Lifecycle Diagram

Specification
  • Develop new policy languages
  • Extend current policy languages
  • Develop formal models
  • Policy refinement
  • Policy integration
  • Policy versioning

Analysis
  • Identify analysis types
  • Develop tools

Deployment & Enforcement
  • Collaborative enforcement (possibly privacy-preserving)
  • Safe approximation
  • Enforcement in information group-based sharing
  • Enforcement in information dissemination-centric sharing

Page 5: Policy Management


Policy Refinement

Each refinement step must meet the following criteria [Karat08]:

• Correct — The set of refined policies correctly implements the higher-level policy.

• Consistent — The refinement must not lead to conflicts between the derived policies or the other policies existing in the system.

• Valid — The policies must be able to be enforced in the system context to which they will be applied.

• Minimal — All policies in the derived policy set must be required for the correctness of the refinement.

J. Karat, C.M. Karat, E. Bertino, N. Li, Q. Ni, C. Brodie, J. Lobo, S.B. Calo, L.F. Cranor, P. Kumaraguru, R. Reeder, "Policy Framework for Security and Privacy Management", to appear in IBM Systems Journal, 2008.

Page 6: Policy Management

EXAM: Environment for XACML policy Analysis & Management

EXAM is a comprehensive environment for analyzing and managing access control policies. It supports acquisition, editing and retrieval of policies in addition to policy property analysis, policy similarity analysis and policy integration.

Current Results

Page 7: Policy Management

Motivation

Proliferation of policies!

Need for tools for managing and analyzing policies!

Page 8: Policy Management

XACML

• eXtensible Access Control Markup Language.
  – XML based
  – OASIS standard language for the specification of access control policies.
  – Expresses many policies of interest to real-world applications.

Page 9: Policy Management

EXAM Overview: Architecture

[Architecture diagram: Users → User Interface → Query Dispatcher, which dispatches to the Policy Similarity Filter, the Policy Similarity Analyzer, Policy Annotation and the Policy Integration Framework, all working on the Policy Repository]

Page 10: Policy Management

EXAM Overview: Queries

Policy Analysis Query
  – Metadata Query
  – Content Query
  – Effect Query
    • Single-Policy Query
      – Property Verification Query
    • Multiple-Policy Query
      – Common Property Query
      – Discrimination Query

<Policy ID="Pol1">
  <Rule ID="R11" Effect="Permit">
    <Target>
      <Subject> domain {".edu"} </Subject>
      <Resource> FileA </Resource>
      <Action> Read </Action>
    </Target>
    <Condition> 8:00 <= Time <= 22:00 </Condition>
  </Rule>
</Policy>

<Policy ID="Pol2">
  <Rule ID="R11" Effect="Permit">
    <Target>
      <Subject> domain {".edu"} OR affiliation = "IBM" </Subject>
      <Resource> FileA </Resource>
      <Action> Read </Action>
    </Target>
    <Condition> 6:00 <= Time <= 20:00 </Condition>
  </Rule>
</Policy>

Does Policy Pol2 deny read access on FileA between 10pm and 12am ?

Find all requests permitted by both policies Pol1 and Pol2.

Find all requests which are permitted by Pol1 but denied by Pol2.
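The three queries above, made executable as an added example (this is not EXAM's code). Pol1 and Pol2 are the slide's two policies written as Python predicates; the finite request space, the attribute names and the closed-policy reading (a request no rule permits counts as denied) are assumptions of this example. Each query type on the slide maps to one function: a property verification query on a single policy, a common property query and a discrimination query on two policies.

```python
from itertools import product

PERMIT, NA = "Permit", "NotApplicable"

def pol1(req):
    """Pol1 from the slide: Permit Read on FileA for .edu subjects, 8:00-22:00."""
    if (req["domain"] == ".edu" and req["resource"] == "FileA"
            and req["action"] == "Read" and 8 <= req["time"] <= 22):
        return PERMIT
    return NA                      # no rule matches: NotApplicable

def pol2(req):
    """Pol2 from the slide: also IBM-affiliated subjects, but only 6:00-20:00."""
    if ((req["domain"] == ".edu" or req["affiliation"] == "IBM")
            and req["resource"] == "FileA" and req["action"] == "Read"
            and 6 <= req["time"] <= 20):
        return PERMIT
    return NA

# Constructed finite request space (an assumption of this example): a few
# values per attribute, enough to exercise every branch of both policies.
DOMAINS = [".edu", ".com"]
AFFILIATIONS = ["IBM", "ACME"]
RESOURCES = ["FileA", "FileB"]
ACTIONS = ["Read", "Write"]
HOURS = range(24)                  # whole-hour requests, 0 .. 23

def all_requests():
    for d, a, r, act, t in product(DOMAINS, AFFILIATIONS, RESOURCES, ACTIONS, HOURS):
        yield {"domain": d, "affiliation": a, "resource": r,
               "action": act, "time": t}

# Property verification query (single policy). Closed-policy reading:
# a request that no rule permits is denied.
def denies_read_on_filea_between(policy, start, end):
    return all(policy(r) != PERMIT for r in all_requests()
               if r["resource"] == "FileA" and r["action"] == "Read"
               and start <= r["time"] <= end)

# Common property query (multiple policies): requests permitted by both.
def permitted_by_both(p, q):
    return [r for r in all_requests() if p(r) == PERMIT and q(r) == PERMIT]

# Discrimination query (multiple policies): permitted by p but not by q.
def permitted_by_first_only(p, q):
    return [r for r in all_requests() if p(r) == PERMIT and q(r) != PERMIT]

if __name__ == "__main__":
    print("Pol2 denies Read on FileA 22:00-23:00?",
          denies_read_on_filea_between(pol2, 22, 23))
    print("permitted by both:", len(permitted_by_both(pol1, pol2)))
    print("permitted by Pol1 but not Pol2:",
          len(permitted_by_first_only(pol1, pol2)))
```

Brute-force enumeration only works because the request space was kept tiny; the slides that follow show how EXAM answers the same queries symbolically (similarity filter, then MTBDD-based analysis) so that attribute domains such as time need not be enumerated.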

Page 11: Policy Management

Policy Similarity Analysis

• Goal
  – Characterize the relationships among the sets of requests respectively authorized by a set of policies.

• Two techniques
  – Policy Similarity Filter
    • Less precise, faster.
  – Policy Similarity Analyzer
    • Precise, slower.

Page 12: Policy Management

EXAM Overview: Architecture

[Architecture diagram repeated from Page 9]

Page 13: Policy Management

Policy Similarity Filter

• Quick and less precise.
• Inspired by Information Retrieval (IR) techniques.
• Policy similarity measure
  – Assigns a similarity score between two policies.
• Typical applications
  – A quick filter phase to prune the set of policies to be analyzed by the precise policy similarity technique.
  – A distance function for clustering policies.
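An added example of the two applications just listed (this is not EXAM's filter, whose exact measure the slides do not give): each policy is reduced to a set of terms per element, a weighted per-element Jaccard overlap gives the score, and the score is used once as a pruning filter and once as a clustering distance. The term extraction, the element weights and the threshold are assumptions of this example; the three policies are constructed.

```python
# Constructed policies: each is a dict of element name -> set of terms.
POL1 = {"subject": {"domain=.edu"}, "resource": {"FileA"},
        "action": {"Read"}, "condition": {"time>=8", "time<=22"}}
POL2 = {"subject": {"domain=.edu", "affiliation=IBM"}, "resource": {"FileA"},
        "action": {"Read"}, "condition": {"time>=6", "time<=20"}}
POL3 = {"subject": {"role=student"}, "resource": {"FileB"},
        "action": {"Write"}, "condition": set()}

# Element weights (assumed): how much each element contributes to the score.
WEIGHTS = {"subject": 0.3, "resource": 0.3, "action": 0.2, "condition": 0.2}

def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are considered identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def score(p, q):
    """Weighted similarity score; 1.0 means identical term sets."""
    total = sum(w * jaccard(p[e], q[e]) for e, w in WEIGHTS.items())
    return round(total, 3)

def distance(p, q):
    """Turn the score into a distance usable by a clustering algorithm."""
    return round(1.0 - score(p, q), 3)

def candidates(target, repository, threshold):
    """Filter phase: names of stored policies similar enough to deserve the
    slower precise analysis, most similar first."""
    scored = [(name, score(target, pol)) for name, pol in repository.items()]
    return [name for name, s in sorted(scored, key=lambda x: -x[1])
            if s >= threshold]

REPOSITORY = {"Pol2": POL2, "Pol3": POL3}

if __name__ == "__main__":
    print("score(Pol1, Pol2) =", score(POL1, POL2))
    print("score(Pol1, Pol3) =", score(POL1, POL3))
    print("candidates for Pol1 at 0.5:", candidates(POL1, REPOSITORY, 0.5))
```

Note what the filter cannot see: the condition terms of Pol1 and Pol2 share no token, so that element scores 0 even though the two time intervals overlap for most of the day. That imprecision is why the filter only prunes and the precise analyzer makes the final call.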

Page 14: Policy Management

Example

[Diagram: DATA OWNER POLICY 1 compared with DATA OWNER POLICY 2; similarity scores shown: 0 and 0.71]

Page 15: Policy Management

Example

[Diagram: DATA OWNER POLICY 1 compared with RESOURCE OWNER POLICY 3; similarity score shown: 0.4]

Page 16: Policy Management

EXAM Overview: Architecture

[Architecture diagram repeated from Page 9]

Page 17: Policy Management

Policy Similarity Analyzer (PSA)

• Uses a Multi-Terminal Binary Decision Diagram (MTBDD) based representation of a policy.
• Combines model checking and satisfiability checking to perform similarity analysis on policies with different types of constraints on attributes:
  – One-variable equality constraints
    • Affiliation = "IBM", Role != "Student"
  – One-variable inequality constraints
    • Age < 50, 8 <= Time <= 22
  – Linear constraints
    • Bonus + 2 * Salary <= 250000
  – Compound Boolean constraints
    • (Nationality = "US" Clearance = "High")

Page 18: Policy Management

MTBDD - Multi-Terminal Binary Decision Diagram

• Rooted, directed acyclic graph.
  – Represents functions of the form f : B^n -> R
• In a policy MTBDD, internal nodes represent the predicates on attributes and the terminals denote the policy decisions Permit, Deny or NotApplicable.

Pol1: Permit : (fileName = fileA) (time < 17:00 age > 18)

[MTBDD diagram for Pol1: internal nodes f (fileName), t (time), a (age); terminals NA and Y]

<Policy ID = Pol1>
  <Rule Effect = Permit>
    <Target>
      <Resource> (fileName = fileA) </Resource>
      <Condition> (time < 17:00 age > 18) </Condition>
    </Target>
  </Rule>
</Policy>

Page 19: Policy Management

Policy Comparison

[Diagram: the MTBDDs of policies P1 and P2 and of an auxiliary rule (terminals Y, NA) are combined into a CMTBDD whose terminals are decision pairs such as N-CP, N-N, Y-N, Y-Y, NA and CP]

Query: What requests are permitted by both policies?
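The two slides above (policy MTBDD and policy comparison) as one added example; this is not the PSA's code. It builds a reduced MTBDD over a fixed predicate order with terminals Y and NA, combines two policy diagrams into a comparison diagram whose terminals are decision pairs such as "Y-Y", and answers the slide's query by enumerating the paths that reach "Y-Y". Pol1 is the policy of the previous slide; the second policy P2, the tuple encoding of nodes and the treatment of predicates as independent Boolean variables are assumptions of this example (the PSA adds satisfiability checking so that, for instance, two contradictory interval predicates on the same attribute do not yield a spurious path).

```python
from functools import lru_cache

# Variable order shared by all diagrams: index -> predicate label.
ORDER = ["fileName = fileA", "time < 17:00", "age > 18"]

# A diagram is a nested tuple: terminal = ("T", value),
# internal node = ("N", var_index, low_child, high_child).
def terminal(v):
    return ("T", v)

def node(i, low, high):
    # Reduction rule: a node whose two children are identical is redundant.
    return low if low == high else ("N", i, low, high)

def from_rule(needed, effect, default="NA"):
    """MTBDD of a single rule: `effect` when every predicate index in
    `needed` is true, otherwise `default` (NotApplicable)."""
    def build(i):
        if i == len(ORDER):
            return terminal(effect)
        if i in needed:
            return node(i, terminal(default), build(i + 1))
        return build(i + 1)            # predicate not constrained: skip it
    return build(0)

def apply_op(op, a, b):
    """Combine two diagrams by Shannon expansion over the shared order;
    `op` merges the two terminal values reached on each path."""
    @lru_cache(maxsize=None)
    def go(x, y):
        if x[0] == "T" and y[0] == "T":
            return terminal(op(x[1], y[1]))
        ix = x[1] if x[0] == "N" else len(ORDER)
        iy = y[1] if y[0] == "N" else len(ORDER)
        i = min(ix, iy)                # expand on the earliest variable
        xl, xh = (x[2], x[3]) if ix == i else (x, x)
        yl, yh = (y[2], y[3]) if iy == i else (y, y)
        return node(i, go(xl, yl), go(xh, yh))
    return go(a, b)

def evaluate(d, assignment):
    """Walk the diagram with a concrete truth assignment (list of bools)."""
    while d[0] == "N":
        d = d[3] if assignment[d[1]] else d[2]
    return d[1]

def paths_to(d, wanted, prefix=()):
    """Predicate assignments reaching a terminal equal to `wanted`; each
    path is a tuple of (predicate, truth value), omitted predicates are
    don't-cares."""
    if d[0] == "T":
        return [prefix] if d[1] == wanted else []
    label = ORDER[d[1]]
    return (paths_to(d[2], wanted, prefix + ((label, False),))
            + paths_to(d[3], wanted, prefix + ((label, True),)))

# Pol1 from the slide: Permit when fileName = fileA, time < 17:00, age > 18.
POL1 = from_rule({0, 1, 2}, "Y")
# Constructed second policy P2: Permit whenever fileName = fileA.
POL2 = from_rule({0}, "Y")

# The comparison diagram (CMTBDD): terminals are "<P1 decision>-<P2 decision>".
COMPARISON = apply_op(lambda p, q: f"{p}-{q}", POL1, POL2)

def permitted_by_both():
    """Query of the slide: the requests both policies permit."""
    return paths_to(COMPARISON, "Y-Y")

if __name__ == "__main__":
    for path in permitted_by_both():
        print(" and ".join(f"{pred}={val}" for pred, val in path))
```

The same `paths_to` call with "Y-NA" or "NA-Y" answers the discrimination query of Page 10, and replacing the pair-building `op` with a function that maps a pair of decisions to a single decision is exactly the integration step of the later FIA slides.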

Page 20: Policy Management

EXAM Overview: Architecture

[Architecture diagram repeated from Page 9]

Page 21: Policy Management

Policy Integration

• A Fine-grained Integration Algebra (FIA)
  – 3-valued (Permit, Deny, NotApplicable)
  – Specifies behavior at the granularity of requests and effects
  – Restricts the domain of applicability
  – Supports expressive policy languages like XACML
• Framework for specifying integration constraints and generating integrated policies.
  – MTBDD based implementation of FIA
  – Generation of the integrated policy in XACML syntax.

Page 22: Policy Management

Fine-grained Integration Algebra (FIA)

– Vocabulary of attribute names and domains
– Policy constants: Permit policy, Deny policy
– Binary operators: Addition, Intersection
– Unary operators: Negation, Domain Projection

Page 23: Policy Management

FIA - Theoretical Results

• Expressivity
  – FIA can express all XACML policy combining algorithms
  – FIA can express policy "jumps"
  – FIA can model closed policies and open policies
• Completeness
  – A completeness notion has been developed, based on the concept of policy combination matrix, and FIA is complete with respect to such notion
• Minimality
  – Identification of the minimal complete subsets of the FIA operators
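The operator set of the FIA slide and the expressivity claims of this one, as an added example (not the authors' implementation). Policies are modelled as functions from a request to one of the three values, and three XACML combining algorithms plus the closed-policy construction are written using only the constants and operators named on the slides. The slides give the operator names but not their formal semantics, so the meaning of each operator below is this example's reading and an assumption; the sample policies and request attributes are constructed.

```python
P, D, NA = "Permit", "Deny", "NotApplicable"

# Policy constants.
def permit_policy(req):
    return P

def deny_policy(req):
    return D

# Binary operators.
def addition(p1, p2):
    """p1 + p2: Permit if either permits; otherwise Deny if either denies;
    NotApplicable only when both are NotApplicable."""
    def combined(req):
        a, b = p1(req), p2(req)
        if P in (a, b):
            return P
        if D in (a, b):
            return D
        return NA
    return combined

def intersection(p1, p2):
    """p1 & p2: keep a Permit or Deny only where both policies agree."""
    def combined(req):
        a, b = p1(req), p2(req)
        return a if a == b else NA
    return combined

# Unary operators.
def negation(p):
    """not p: swap Permit and Deny; NotApplicable is unchanged."""
    swap = {P: D, D: P, NA: NA}
    return lambda req: swap[p(req)]

def domain_projection(constraint, p):
    """Restrict p to the requests satisfying `constraint`; every other
    request becomes NotApplicable."""
    return lambda req: p(req) if constraint(req) else NA

# XACML policy combining algorithms written in the algebra.
def permit_overrides(p1, p2):
    return addition(p1, p2)

def deny_overrides(p1, p2):
    # Deny wins whenever present: negate, let Permit (former Deny) win, negate back.
    return negation(addition(negation(p1), negation(p2)))

def first_applicable(p1, p2):
    # p2 contributes only on the domain where p1 is NotApplicable.
    return addition(p1, domain_projection(lambda r: p1(r) == NA, p2))

def closed(p):
    """Closed policy: whatever p does not permit is denied."""
    return addition(p, deny_policy)

# Constructed sample policies over a request dict (assumed attributes).
def managers_read(req):
    return P if req["pos"] == "manager" and req["act"] == "read" else NA

def no_weekend_reads(req):
    return D if req["act"] == "read" and req["weekend"] else NA

WEEKEND_READ = {"pos": "manager", "act": "read", "weekend": True}
WEEKDAY_READ = {"pos": "manager", "act": "read", "weekend": False}
VISITOR_READ = {"pos": "visitor", "act": "read", "weekend": False}

if __name__ == "__main__":
    for name, pca in [("permit-overrides", permit_overrides),
                      ("deny-overrides", deny_overrides),
                      ("first-applicable", first_applicable)]:
        print(name, pca(managers_read, no_weekend_reads)(WEEKEND_READ))
```

The weekend read by a manager is the request on which the two policies conflict, so it is where the three combining algorithms visibly differ; on every other constructed request they agree.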

Page 24: Policy Management

XACML Policy Generation

[Diagram: MTBDD with internal nodes A (pos=manager) and B (act=read), 0/1 edges, and terminals Y and NA, translated into the policy below]

<Policy ID=Example>
  <Rule ID=R1 Effect=Permit>
    <Target>
      <Subject pos=manager />
      <Action act=read />
    </Target>
  </Rule>
</Policy>

Page 25: Policy Management


Next Steps

• Develop visualization techniques for policy analysis results

• Extend EXAM with a tool for synonym dictionary management, ontologies

Page 26: Policy Management

Novel Reference XACML Architecture for Multi-party Collaborative Enforcement

[Architecture diagram: a global policy produced by Policy Authoring is stored in the Global Policy Repository; Policy Decomposition, driven by a Decomposition Constraint, derives the policies held in the Local Policy Repositories of the individual PDPs. A PEP sends a request to a Context Handler, which gathers Subject, Resource and Environment attributes; the Request Dispatcher/Decision Coordinator forwards the request to the PDPs, combines their decisions into one decision for the PEP, and the Obligation Service handles the resulting obligations.]

Page 27: Policy Management

Extending XACML for Multi-party collaborative Enforcement

• Combining policies is necessary in AISL
• XACML has several fixed Policy Combining Algorithms (PCAs) for combining policies
  – deny-overrides, permit-overrides, first-applicable, only-one-applicable
• We propose the Policy Combining Language (PCL)
  – allows expression of useful new PCAs
    • e.g., weak consensus, strong consensus, weak majority, and strong majority
  – elegantly handles policy evaluation errors
  – is fully backward compatible with XACML
  – enables optimized evaluation using automata theory
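The four fixed XACML PCAs next to the four new PCAs named on this slide, as an added example (not the authors' PCL implementation). Each algorithm is a function over the list of per-policy results that a decision coordinator would collect from the PDPs; an evaluation error is modelled as the result "Indeterminate". The handling of Indeterminate in the XACML algorithms follows XACML 2.0 as this example reads it, and the consensus and majority definitions are this example's interpretation of the names on the slide; both are assumptions. The result lists in the usage are constructed.

```python
from collections import Counter

P, D, NA, IND = "Permit", "Deny", "NotApplicable", "Indeterminate"

# --- the fixed XACML PCAs ---------------------------------------------
def deny_overrides(results):
    if D in results:
        return D
    if IND in results:
        return D           # an error is treated as Deny (XACML 2.0 reading)
    if P in results:
        return P
    return NA

def permit_overrides(results):
    if P in results:
        return P
    if D in results:
        return D
    if IND in results:
        return IND
    return NA

def first_applicable(results):
    for r in results:
        if r != NA:
            return r       # the first applicable policy decides, errors included
    return NA

def only_one_applicable(results):
    applicable = [r for r in results if r != NA]
    if len(applicable) > 1:
        return IND
    return applicable[0] if applicable else NA

# --- the new PCAs named on the slide ----------------------------------
def _counts(results):
    c = Counter(results)
    return c[P], c[D], c[IND]

def weak_consensus(results):
    """Permit (Deny) if some policy permits (denies) and none denies (permits).
    A Permit/Deny disagreement is final whatever an errored policy would
    have said; otherwise an error leaves the outcome open."""
    p, d, e = _counts(results)
    if p and d:
        return NA
    if e:
        return IND
    if p:
        return P
    if d:
        return D
    return NA

def strong_consensus(results):
    """Every policy must return the same Permit or Deny."""
    p, d, e = _counts(results)
    n = len(results)
    if n and p == n:
        return P
    if n and d == n:
        return D
    if e and (p + e == n or d + e == n):
        return IND         # unanimity still possible once the errors resolve
    return NA

def weak_majority(results):
    """More Permits than Denies or vice versa; NotApplicable votes do not count.
    An error matters only if it could still change the winner."""
    p, d, e = _counts(results)
    if p > d + e:
        return P
    if d > p + e:
        return D
    return IND if e else NA

def strong_majority(results):
    """Permit (Deny) only if more than half of all policies permit (deny)."""
    p, d, e = _counts(results)
    n = len(results)
    if 2 * p > n:
        return P
    if 2 * d > n:
        return D
    if e and (2 * (p + e) > n or 2 * (d + e) > n):
        return IND
    return NA

ALGORITHMS = {
    "deny-overrides": deny_overrides, "permit-overrides": permit_overrides,
    "first-applicable": first_applicable, "only-one-applicable": only_one_applicable,
    "weak-consensus": weak_consensus, "strong-consensus": strong_consensus,
    "weak-majority": weak_majority, "strong-majority": strong_majority,
}

def evaluate_all(results):
    """Decision of every algorithm for one set of PDP results."""
    return {name: pca(results) for name, pca in ALGORITHMS.items()}

if __name__ == "__main__":
    for name, decision in evaluate_all([P, P, D, IND]).items():
        print(f"{name:22s} {decision}")
```

The error handling is the design point worth noticing: the majority rules return Indeterminate only when the errored policies could still flip the outcome, so one failing PDP does not turn a clear majority into an error, while a close vote is reported as undecided rather than silently resolved.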

Page 28: Policy Management


Next Steps

• Develop an implementation of the extended XACML algorithms and of the policy distribution and enforcement algorithms

• Investigate cryptographic approaches