Safety Analysis of Usage Control (UCON) Authorization Model
Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce
George Mason University
AsiaCCS 2006
Context
• electronic commerce
• information sharing
• etcetera
• multi-party security objectives
• fuzzy objectives
[Figure: security objectives and the aspect each one controls: INTEGRITY (modification), AVAILABILITY (access), CONFIDENTIALITY (disclosure), USAGE (purpose)]
Context
Protection Objectives
Sensitive information protection
IPR protection
Privacy protection
Protection Architectures
Server-side reference monitor
Client-side reference monitor
SRM & CRM
[Figure: Server-side Reference Monitor (SRM) and Client-side Reference Monitor (CRM) positioned against Traditional Access Control, Trust Management, Usage Control (Sensitive Information Protection, Intellectual Property Rights Protection, Privacy Protection) and DRM]
UCON Model (Park and Sandhu 2004)
[Figure: UCON components. Subjects (S) with Subject Attributes (SA), Objects (O) with Object Attributes (OA), and Rights (R); Usage Decisions are derived from Authorizations (A), Obligations (B) and Conditions (C)]
Attribute Mutability: attributes can be updated as side-effects of a usage: pre, ongoing, and post updates
Core models: preA0, preA1, preA2, preA3, onAx, preBx, onBx, preCx, onCx
A real model may be a combination of core models.
Decision Continuity
[Figure: the three phases of a usage process: before usage, ongoing usage, after usage. Continuity of Decisions: pre-decision, ongoing-decisions. Mutability of Attributes: pre-updates, ongoing updates, post-updates]
Three phases of a usage process; decisions are made in the first two phases
pre-decision: preA, preB, preC
ongoing-decisions: repeatedly checked during the ongoing usage phase: onA, onB, onC
An Example: Resource-constrained access control
Limited number (10) of ongoing accesses to a single object
When an 11th subject requests a new access, one ongoing access is revoked. Different revocation policies:
  By start time: the longest ongoing usage is revoked
  By idle time: the usage with the longest total idle time is revoked
  By total usage time: the usage with the longest accumulated usage time is revoked
This needs decision continuity, attribute mutability, and ongoing access revocation
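A small simulation of the slide's example, added here and not taken from the paper or the slides: a server-side monitor for one object holds the mutable object attribute `ongoing`, and when the 11th request arrives it re-evaluates the ongoing usages under the chosen revocation policy before granting the new one. The `LIMIT` of 10 comes from the slide; the subject names, times and busy intervals are constructed for the example, and re-evaluating only on a new request (rather than on a timer) is a simplification of the "repeatedly check" ongoing decision.

```python
from dataclasses import dataclass, field

LIMIT = 10  # at most 10 ongoing accesses to the object (from the slide)

@dataclass
class Usage:
    subject: str
    start: int                                  # time the access was granted
    busy: list = field(default_factory=list)    # constructed (from, to) intervals of active use

    def usage_time(self, now):
        """Accumulated active time up to `now` (total usage time)."""
        return sum(min(b, now) - a for a, b in self.busy if a < now)

    def idle_time(self, now):
        """Time since grant during which the subject was not actively using the object."""
        return now - self.start - self.usage_time(now)

# The three revocation policies of the slide: each selects the usage to revoke.
REVOKE = {
    "start": lambda ongoing, now: min(ongoing, key=lambda u: u.start),
    "idle": lambda ongoing, now: max(ongoing, key=lambda u: u.idle_time(now)),
    "usage": lambda ongoing, now: max(ongoing, key=lambda u: u.usage_time(now)),
}

class ObjectMonitor:
    """Reference monitor for one object. `ongoing` is the mutable object
    attribute that the ongoing decision is re-evaluated against."""
    def __init__(self, policy):
        self.choose = REVOKE[policy]
        self.ongoing = []

    def request(self, subject, now):
        """Grant the new access; when the limit is reached, first revoke one
        ongoing usage chosen by the policy. Returns the revoked subject or None."""
        revoked = None
        if len(self.ongoing) >= LIMIT:
            victim = self.choose(self.ongoing, now)
            self.ongoing.remove(victim)   # ongoing access revocation (attribute update)
            revoked = victim.subject
        self.ongoing.append(Usage(subject, now))
        return revoked

def demo(policy):
    """Ten constructed ongoing usages, then an 11th request at time 50.
    Each policy singles out a different victim."""
    mon = ObjectMonitor(policy)
    mon.ongoing = [
        Usage("s1", 0, [(0, 30)]),     # earliest start; 30 used, 20 idle
        Usage("s2", 10, [(10, 45)]),   # 35 used, 5 idle
        Usage("s3", 5, [(5, 6)]),      # 1 used, 44 idle
    ] + [Usage("s%d" % i, 30, [(30, 31)]) for i in range(4, 11)]
    return mon.request("s11", now=50)

if __name__ == "__main__":
    for policy in REVOKE:
        print("revoke by %s: %s" % (policy, demo(policy)))
```

With these inputs the same 11th request revokes s1 under the start-time policy, s3 under the idle-time policy and s2 under the total-usage policy, which is the point of the slide: the decision depends on attributes that change while the usage is ongoing.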
Motivations
Two fundamental properties in access control: Expressive Power and Safety Analysis
Formalization of the UCON model is required:
  for the precise semantics of the conceptual model
  for policy definition
  for the analysis of UCON properties
Expressive Power & Safety Analysis
Expressive Power: the flexibility to express policies for different requirements; comparing expressive power among access control models
Safety problem: given a system, specified by an initial state and a scheme, is there a reachable state in which a subject has a particular right on an object?
Expressive power and manageable safety analysis are two conflicting properties of access control models: in general, the more expressive power a model has, the harder it is (if at all possible) to carry out safety analysis.
Examples: HRU, SPM, and TAM
Formalization of UCONA
We focus on UCON preA (UCONA) models in this paper
Attributes and values:
  Each object is specified by the same set of attributes: ATT
  Each attribute has a value domain: dom(a) for a ∈ ATT
A system state is (O, σ), where O is a set of objects (including subjects), σ : O × ATT → dom(ATT) ∪ {null}, and S ⊆ O
Three primitive actions for state transitions:
  createObject o: create a new object o; ∀a ∈ ATT, σ'(o.a) = null
  destroyObject o: O' = O − {o}; ∀o ∈ O', ∀a ∈ ATT, σ'(o.a) = σ(o.a)
  updateAttribute o.a = v': σ'(o.a) = v', v' ∈ dom(a); σ'(ent.att) = σ(ent.att) if ent ≠ o or att ≠ a
UCONA Policy
A policy has the form
  name(s, o): p1 ∧ … ∧ pi → permit(s, o, r); act1; …; actk;
where p1, …, pi are attribute predicates on s and o, and act1, …, actk are actions on s and o.
Creating policy: act1 is "createObject o". Only o can be created (single-parent policy); s is the parent, o is the child.
Assumptions: atomic policy enforcement; serialized accesses
Formal Model of UCONA
A UCONA scheme is a 4-tuple (ATT, R, P, C), where
  ATT is a finite set of attribute names
  R is a finite set of rights
  P is a finite set of predicates
  C is a finite set of policies
A UCONA system is specified by a UCONA scheme and an initial state t0 = (O0, σ0).
Policy Specification Flexibility
  DRM policies
  RBAC models (RBAC0, RBAC1, RBAC2)
  Chinese Wall policies
  Dynamic separation of duty
  MAC policy with high watermark property
Expressive Power of UCONA: iTunes-like Systems
[Figure: entities User, iTunes music store, Device, Music file, linked by the usages register, order, authorize, deauthorize and play]
user_register(s, u): true → permit(s, u, register);
  createObject u;
  updateAttribute: s.regUsers' = s.regUsers ∪ {u};
  updateAttribute: u.registered' = true;
  updateAttribute: u.platformList' = ∅;
  updateAttribute: u.orderList' = ∅;
  updateAttribute: u.credit' = 0.00;
order(u, m): (u.registered = true) ∧ (u.credit ≥ m.price) ∧ (m ∉ u.orderList) → permit(u, m, order);
  updateAttribute: u.orderList' = u.orderList ∪ {m};
  updateAttribute: m.owner' = u;
  updateAttribute: u.credit' = u.credit − m.price;
play(p, m): (p.authorizedBy ≠ null) ∧ (m.owner ≠ null) ∧ (p.authorizedBy = m.owner) → permit(p, m, play);
authorize_platform(u, p): (u.registered = true) ∧ (|u.platformList| < 5) ∧ (p ∉ u.platformList) → permit(u, p, authorize);
  updateAttribute: u.platformList' = u.platformList ∪ {p};
  updateAttribute: p.authorizedBy' = u;
deauthorize_platform(u, p): (u.registered = true) ∧ (p ∈ u.platformList) → permit(u, p, deauthorize);
  updateAttribute: u.platformList' = u.platformList − {p};
  updateAttribute: p.authorizedBy' = null;
Expressive Power of UCONA
The expressive power of the UCONA model has been formally studied by comparing it with traditional access control models:
  simulating the general SO-TAM model
  simulating the general SO-ATAM model
Theorem
  a) UCONA is more expressive than TAM.
  b) UCONA is at least as expressive as ATAM.
Safety Analysis of UCONA
Theorem: Safety is undecidable in the general UCONA model.
  By reducing a general SO-TAM system to a UCONA system
  By simulating the operations of a general Turing machine with a UCONA model
Safety Analysis of UCONA
Theorem: The safety problem of a UCONA system is decidable if:
  the value domain of each attribute is finite, and
  there is no creating policy in the scheme.
Proof idea: reduce a UCONA system with these restrictions to a finite state machine (FSM); the safety problem then maps to the emptiness problem for the language recognized by the FSM.
The complexity of the safety problem is polynomial in the number of possible states of the system, and NP-hard in the number of policies in the scheme.
Safety Analysis of UCONA
Theorem: The safety problem of a UCONA system is decidable if:
  the attribute creation graph is acyclic, and
  the attribute update graph has no cycle containing a create-parent attribute tuple, and
  in each creating policy, both the parent's and the child's attribute tuples are updated.
Proof idea: restrictions on creating policies. If c(s, o) is a creating policy, then it must have an "updateAttribute s.a" action with σ'(s.a) ≠ σ(s.a), and there is no policy that can update s.a from σ'(s.a) back to σ(s.a) in any state. Each creation therefore consumes a parent attribute value that is never restored, which bounds the number of objects that can be created.
Expressive Power of Decidable UCONA
RBAC96 model with URA97 or PRA97 scheme
A state in RBAC96: ⟨S, P, R, UA, UAA, PA, RH⟩, where P ⊆ O × R
URA97 scheme: can_assign ⊆ AR × CR × 2^R, can_revoke ⊆ AR × 2^R
A can_assign(ar, cr, [r1, r2]) or can_revoke(ar, [r1, r2]) can be reduced to a set of UCONA policies: one policy for each ri ∈ [r1, r2], where the prerequisite condition cr is a role expression such as cr = x ∧ ¬y
Expressive Power of Decidable UCONA
DRM applications with consumable rights: limited number of copies
order(s, o): (s.credit ≥ o.price) ∧ (o.owner = null) → permit(s, o, order);
  updateAttribute: s.credit' = s.credit − o.price;
  updateAttribute: o.owner' = s;
  updateAttribute: o.copylicense' = 10;
allow_copy(s, o): (o.owner = s) ∧ (o.copylicense > 0) → permit(s, o, allowcopy);
  updateAttribute: o.allowcopy' = true;
copy(o1, o2): (o1.allowcopy = true) → permit(o1, o2, copy);
  createObject o2;
  updateAttribute: o2.sn' = o1.copylicense;
  updateAttribute: o1.copylicense' = o1.copylicense − 1;
  updateAttribute: o1.allowcopy' = false;
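Both decidability results (slides 15 and 16) reduce safety to reachability in a finite state space. As an added example that is not part of the paper or the slides, the following Python encodes the (O, σ) states and primitive actions of slide 8, the consumable-rights scheme above as three policies, and answers the safety question of slide 7 by breadth-first enumeration of reachable states. Here creation is bounded exactly as slide 16 requires: each copy decrements o1.copylicense and nothing ever restores it, so the search terminates. The object names (alice, song, obj<N>), the rule that comparisons against null are false, the canonical naming of created children and the `max_states` guard are assumptions of this example, not of the paper.

```python
from collections import deque, namedtuple

NULL = None  # the "null" attribute value of the formal model

def make_state(attrs):
    """State (O, sigma) from {obj: {attr: value}}; null attributes are simply absent."""
    sigma = frozenset(((o, a), v) for o, d in attrs.items()
                      for a, v in d.items() if v is not NULL)
    return frozenset(attrs), sigma

def get(state, obj, attr):
    """sigma(obj.attr); null when unset."""
    return dict(state[1]).get((obj, attr), NULL)

def update(state, obj, attr, value):
    """updateAttribute obj.attr = value; every other attribute is unchanged."""
    d = dict(state[1])
    d.pop((obj, attr), None)
    if value is not NULL:
        d[(obj, attr)] = value
    return state[0], frozenset(d.items())

def create(state, obj):
    """createObject obj: the new object starts with all attributes null."""
    return state[0] | {obj}, state[1]

def fresh_name(state):
    """Canonical child name so that equal states hash equal
    (assumption: no initial object is named obj<N>)."""
    return "obj%d" % (len(state[0]) + 1)

def ge(a, b):  # comparisons involving null are false (assumption)
    return a is not NULL and b is not NULL and a >= b

# name(s, o): pred(s, o) -> permit(s, o, right); acts(s, o).  `creating`
# marks a creating policy, whose first action is createObject o.
Policy = namedtuple("Policy", "name right pred acts creating")

# The consumable-rights DRM scheme from the slide, encoded as three policies.
def order_acts(st, s, o):
    st = update(st, s, "credit", get(st, s, "credit") - get(st, o, "price"))
    st = update(st, o, "owner", s)
    return update(st, o, "copylicense", 10)

def copy_acts(st, o1, o2):
    st = create(st, o2)
    st = update(st, o2, "sn", get(st, o1, "copylicense"))
    st = update(st, o1, "copylicense", get(st, o1, "copylicense") - 1)
    return update(st, o1, "allowcopy", False)

DRM = [
    Policy("order", "order", lambda st, s, o: ge(get(st, s, "credit"),
           get(st, o, "price")) and get(st, o, "owner") is NULL, order_acts, False),
    Policy("allow_copy", "allowcopy", lambda st, s, o: get(st, o, "owner") == s
           and ge(get(st, o, "copylicense"), 1),
           lambda st, s, o: update(st, o, "allowcopy", True), False),
    Policy("copy", "copy", lambda st, o1, o2: get(st, o1, "allowcopy") is True,
           copy_acts, True),
]

def permitted(state, pol, s, o):
    """Is s permitted pol.right on o?  A creating policy's child must not exist yet."""
    present = (o not in state[0]) if pol.creating else (o in state[0])
    return s in state[0] and present and pol.pred(state, s, o)

def successors(state, scheme):
    """Next states from every enabled (policy, s, o) instantiation."""
    objs = sorted(state[0])
    for pol in scheme:
        for s in objs:
            for o in ([fresh_name(state)] if pol.creating else objs):
                if permitted(state, pol, s, o):
                    yield pol.acts(state, s, o)

def reachable(init, scheme, max_states=10_000):
    """Breadth-first enumeration of the reachable states (the FSM of slide 15).
    max_states is an added guard: a scheme outside the decidable fragments
    raises here instead of looping forever."""
    seen, queue = {init}, deque([init])
    while queue:
        for nxt in successors(queue.popleft(), scheme):
            if nxt not in seen:
                if len(seen) >= max_states:
                    raise RuntimeError("state bound exceeded: infinite scheme?")
                seen.add(nxt)
                queue.append(nxt)
    return seen

def unsafe(init, scheme, s, o, right):
    """Safety question: is there a reachable state where s holds `right` on o?"""
    return any(permitted(st, p, s, o) for st in reachable(init, scheme)
               for p in scheme if p.right == right)

# Constructed initial state: alice holds 10 credits, the song costs 10.
INIT = make_state({"alice": {"credit": 10}, "song": {"price": 10}})

if __name__ == "__main__":
    print(len(reachable(INIT, DRM)), "reachable states")
    print("alice can order song:", unsafe(INIT, DRM, "alice", "song", "order"))
    print("song can spawn a copy:", unsafe(INIT, DRM, "song", "obj3", "copy"))
    print("a copy can be licensed:", unsafe(INIT, DRM, "alice", "obj3", "allowcopy"))
```

On this initial state the search finds 22 states: the initial one, then for each number of copies made (0 to 10) a state with o.allowcopy false and, while copylicense is still positive, one with it true. The query whether a copy (obj3) can ever be granted allowcopy is false, because copies are created with owner = null and no policy sets it, while the query whether song can spawn a copy is true. The `max_states` bound is what separates this checker from the undecidable general model: for a scheme with unbounded creation the enumeration would never exhaust the state space, and the guard turns that into an error.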
Contribution Summary
Formal study of the expressive power of UCONA: UCONA is at least as expressive as ATAM.
Safety analysis of UCONA:
  safety undecidability of the general model
  two safety-decidable models with restrictions on the form of the policies in the general model
  expressive power of the decidable models, by simulating RBAC96 with URA97 or PRA97, and DRM applications
Ongoing and Future Work
  Comparing expressive power between UCON authorization and obligation models
  Efficiently decidable UCON models
  An administrative model of UCON
  Expressive power and safety analysis of UCON ongoing models
  UCON architectures and mechanisms
Thank you!
Q & A