
Authorization Policies Vicky Weissman


1 Authorization Policies Vicky Weissman vickyw@cs.cornell.edu

2 What is a policy? A policy says that, under certain conditions, an action is permitted or forbidden. Examples: If you pay 99 cents, then you may download a song. If you do not have a student’s written consent, then you may not access her transcript.

5 The big picture We want to write policies that govern access to digital content, and have those policies enforced. Examples: We want to restrict access to student, medical, and financial records. We want online music and movie stores to be able to get money for their services.

6 The Classic Solution Write licenses and laws to regulate access to content. Rely on consumer ethics and courts for enforcement.

7 Pros/cons Pros: If licenses/laws are written in a natural language (e.g., English), you can capture all policies of practical interest. Cons: How do you detect violations? Do you really want to sue your customers? RIAA says yes, most businesses say no.

8 A better idea? Write the policies in such a way that they can be enforced by computers (ACLs, passwords, …). Now, you have to sue only people who circumvent the technology, or you can choose to tolerate the relatively few violations.

9 Problem: Expressivity If a language is restricted enough to allow enforcement by computers, then it might not be sufficiently expressive.

10 Expressivity Argument 1: Enforceable policy languages can’t be expressive enough, because they can’t capture `fuzzy’ concepts like fair use. Response 1: Enforceable policies can approximate `fuzzy’ rights. E.g., NetLibrary allows each user to copy a certain number of pages from an online text. Petitioning for greater use or suing for violations could be a fallback plan.

11 Expressivity 2 Argument 2: An enforceable language can never capture all the policies that can be written in a natural language (English). Response 2: True. But what do we really need to say? If a policy language can capture the licenses/laws that exist today (regulating digital content), then maybe it’s good enough.

12 Goal To have an enforceable policy language that is sufficiently expressive to capture a wide range of the licenses/laws that exist today.

13 Meeting the goal A number of people claim to have developed expressive, enforceable policy languages. Two popular choices are XrML (endorsed by Microsoft, …) and XACML (endorsed by Sun, …). Does either of these languages meet the goal?

14 Evaluating XrML and XACML Big idea: Collect a bunch of licenses/laws. Try to write them in XrML and XACML. First step in presenting the results: give an overview of each language. Approach: present a basic policy language, called MinLang, then explain how to change MinLang to get the others.

15 Syntax Principals: agents (e.g., Alice, Bob). Resources: digital content (e.g., a movie, an article). Actions: what principals can do (e.g., play, edit). Properties: attributes of a principal, resource, or action (e.g., trusted, high-res, dangerous).

16 Syntax (cont.) Policy ::= $\forall x_1 \ldots \forall x_n\,(\mathit{Condition} \wedge \ldots \wedge \mathit{Condition} \Rightarrow \mathrm{Perm}(p, a, r))$. Perm(p, a, r) means p is permitted to do action a to resource r. A policy is closed (no free variables). Condition ::= $\mathrm{Pr}(e) \mid \mathit{true}$. Pr(e) means entity e (principal, resource, or action) has property Pr.

21 Examples Can write `Alice is permitted to read file f’ as $\mathit{true} \Rightarrow \mathrm{Perm}(\mathrm{Alice}, \mathrm{read}, f)$ and `Anyone who pays 99 cents may download a song’ as $\forall x_1 \forall x_2\,(\mathrm{Paid99Cents}(x_1) \wedge \mathrm{Song}(x_2) \Rightarrow \mathrm{Perm}(x_1, \mathrm{download}, x_2))$.

24 Permissions Given a set of policies, when does a permission hold? Example Given the policy `anyone who pays 99 cents may download a song’, can we determine whether Alice may download the theme song to Sesame Street? No. To answer the question, we need to know if Alice has paid 99 cents.

25 Permissions (cont) Assume an environment E that tells us basic facts about the world: $E = \mathrm{Pr}_1(e_1) \wedge \ldots \wedge \mathrm{Pr}_n(e_n)$. Assume $\{p_1, \ldots, p_m\}$ is the set of policies. A principal p is permitted to do an action a to a resource r iff $E \wedge p_1 \wedge \ldots \wedge p_m \Rightarrow \mathrm{Perm}(p, a, r)$ is valid.

26 Example Suppose that Alice has paid 99 cents, the theme song to Sesame Street is a song, and anyone who pays 99 cents may download a song. May Alice download the theme song? Let $E = \mathrm{Paid99Cents}(\mathrm{Alice}) \wedge \mathrm{Song}(\text{Sesame Street})$ and $P = \forall x_1 \forall x_2\,(\mathrm{Paid99Cents}(x_1) \wedge \mathrm{Song}(x_2) \Rightarrow \mathrm{Perm}(x_1, \mathrm{download}, x_2))$. $E \wedge P \Rightarrow \mathrm{Perm}(\mathrm{Alice}, \mathrm{download}, \text{Sesame Street})$ is valid, so Alice has permission.
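The decision procedure of slides 25 and 26, as an added example in Python (this is not code from the talk): policies are closed, universally quantified implications over a finite environment E, and the query Perm(p, a, r) is answered by searching for one policy instance whose head is the query and whose conditions all appear in E. The facts and policies are constructed to mirror the slide; the extra song `Rubber Duckie’, the unpaid principal Bob, and the `?x’ variable convention are assumptions added to show the negative cases.

```python
"""Added example (not from the slides): a decision procedure for MinLang.

A principal p may do action a to resource r iff
    E and p_1 and ... and p_m  implies  Perm(p, a, r)
is valid.  Every condition is a positive fact Pr(e) over a finite environment
and no policy mentions Perm in its conditions, so validity is decided by
finding one policy instance whose head is the query and whose conditions are
all facts of E.  No chaining or fixpoint is needed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

Fact = Tuple[str, str]        # (property, entity): Pr(e)
Perm = Tuple[str, str, str]   # (principal, action, resource)
Binding = Dict[str, str]      # variable -> constant


@dataclass(frozen=True)
class Policy:
    """forall x1 ... xn (cond_1 and ... and cond_k implies Perm(p, a, r)).
    Terms beginning with '?' are the quantified variables (an assumed
    convention); every other term is a constant."""
    conditions: Tuple[Fact, ...]
    perm: Perm


def is_var(term: str) -> bool:
    return term.startswith("?")


def unify(pattern: Tuple[str, ...], ground: Tuple[str, ...],
          binding: Binding) -> Optional[Binding]:
    """Extend `binding` so that `pattern` equals `ground`, or return None."""
    binding = dict(binding)
    for pat, val in zip(pattern, ground):
        if is_var(pat):
            if binding.setdefault(pat, val) != val:
                return None
        elif pat != val:
            return None
    return binding


def conditions_hold(conditions: Tuple[Fact, ...], env: FrozenSet[Fact],
                    binding: Binding) -> bool:
    """Backtracking search for constants that make every condition a fact of E.
    Variables absent from the head are witnessed only by entities E names,
    because validity must hold in every model of E."""
    if not conditions:
        return True
    first, rest = conditions[0], conditions[1:]
    for fact in env:
        extended = unify(first, fact, binding)
        if extended is not None and conditions_hold(rest, env, extended):
            return True
    return False


def permitted(env: FrozenSet[Fact], policies: Tuple[Policy, ...],
              query: Perm) -> bool:
    """True iff  E and policies  implies  Perm(query)  is valid."""
    if any(is_var(t) for t in query):
        raise ValueError("query must be ground")
    for pol in policies:
        binding = unify(pol.perm, query, {})
        if binding is not None and conditions_hold(pol.conditions, env, binding):
            return True
    return False


# Constructed inputs mirroring slide 26 (Rubber Duckie and Bob are additions).
ENV: FrozenSet[Fact] = frozenset({
    ("Paid99Cents", "Alice"),
    ("Song", "Sesame Street"),
    ("Song", "Rubber Duckie"),
})
POLICIES = (
    # true implies Perm(Alice, read, f)
    Policy(conditions=(), perm=("Alice", "read", "f")),
    # forall x1 x2 (Paid99Cents(x1) and Song(x2) implies Perm(x1, download, x2))
    Policy(conditions=(("Paid99Cents", "?x1"), ("Song", "?x2")),
           perm=("?x1", "download", "?x2")),
)

if __name__ == "__main__":
    for q in [("Alice", "download", "Sesame Street"),
              ("Bob", "download", "Sesame Street"),      # Bob has not paid
              ("Alice", "download", "Vicky's thesis"),   # not a Song in E
              ("Alice", "read", "f")]:
        print(q, "->", permitted(ENV, POLICIES, q))
```

Because E is a finite set of positive facts and MinLang has no negation, the search never needs to consider entities E does not mention; that is exactly what keeps the language tractable, and it is the property the later slides trade away when prohibitions are added.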

30 That’s all folks… for the basic language. How is XrML different? XrML is an XML-based language, so the syntax is more verbose/unwieldy, but plays better with other data. There are fundamental differences too…

31 Who’s the policymaker? MinLang assumes we’re given a set of policies from some trusted source. XrML assumes anyone can write a policy. E.g., Alice can write the policy `Alice may eat a gazillion cookies’. But the policy holds iff it was written by `the system’ or by someone who was permitted to write it.

32 Example The System says `Mom may write any policy’. This policy holds. Mom says `The babysitter may write any policy governing Alice’s eating’. This policy holds. The babysitter says `Alice may eat apples.’ This policy holds. Alice says `Alice may eat cookies’. This policy does not hold.

33 Why is this useful? Suppose we’re given a set of policies, each tagged with the identity of its author; the System’s only policy is `Carl Lagoze may write any policy’; and it follows that Alice is permitted to turn in her assignment late. Then we can conclude that Carl allows Alice to turn in her assignment late.

34 But wait there’s more… In XrML, a policy can grant a permission based on which permissions have been granted by other principals. E.g. In XrML, Alice’s Mom could write `if Carl allows Alice to turn in her assignment late, then Alice is permitted to take an afternoon nap’.
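The issuer semantics of slides 31 to 34, as an added Python example (not XrML syntax, and not code from the talk): every policy carries its issuer; a policy holds only if its issuer is the System or has been delegated the right to issue policies on that topic by policies that already hold; and a condition may refer to what a named issuer has granted (`if Carl allows X, then Y’). Because grants only ever add permissions, the set of holding policies is the least fixpoint of that rule. The topic labels (`eating’, `homework’, `naps’), the wildcard `*’, and the `issue’ action are modelling assumptions, not XrML constructs.

```python
"""Added example (not from the slides): XrML-style 'who wrote it' semantics.

A policy's grant counts only if its issuer is the System or is itself
permitted, by policies that already count, to issue policies on that topic.
Conditions may ask what a named issuer has granted.  Conditions must be
monotone (no negation, as in XrML), so iterating to a fixpoint is sound.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Tuple

Grant = Tuple[str, str, str]                 # (principal, action, resource)
Holding = FrozenSet[Tuple[str, Grant]]       # (issuer, grant) pairs that hold

SYSTEM = "System"   # the root of trust
ANY = "*"           # assumed wildcard topic: "may write any policy"


@dataclass(frozen=True)
class Policy:
    issuer: str
    topic: str                                   # what the policy governs
    grant: Grant
    condition: Callable[[Holding], bool] = lambda holding: True


def allows(holding: Holding, issuer: str, grant: Grant) -> bool:
    """Has `issuer` (not just anyone) granted `grant` in a policy that holds?"""
    return (issuer, grant) in holding


def may_issue(holding: Holding, issuer: str, topic: str) -> bool:
    """The System may write anything; others need a held delegation
    Perm(issuer, issue, topic) or Perm(issuer, issue, *)."""
    if issuer == SYSTEM:
        return True
    return any(g in ((issuer, "issue", topic), (issuer, "issue", ANY))
               for _, g in holding)


def holding_policies(policies: Tuple[Policy, ...]) -> Holding:
    """Least fixpoint: add a policy's grant once its issuer is authorised
    and its condition is met by the grants that already hold."""
    holding: Holding = frozenset()
    while True:
        new = set(holding)
        for p in policies:
            if may_issue(holding, p.issuer, p.topic) and p.condition(holding):
                new.add((p.issuer, p.grant))
        if frozenset(new) == holding:
            return holding
        holding = frozenset(new)


def permitted(policies: Tuple[Policy, ...], grant: Grant) -> bool:
    return any(g == grant for _, g in holding_policies(policies))


def granters(policies: Tuple[Policy, ...], grant: Grant) -> FrozenSet[str]:
    """Slide 33's inference: which issuers' holding policies allow `grant`?"""
    return frozenset(i for i, g in holding_policies(policies) if g == grant)


# Constructed policy set covering slides 32 to 34.
POLICIES = (
    Policy(SYSTEM, "delegation", ("Mom", "issue", ANY)),             # Mom may write any policy
    Policy(SYSTEM, "delegation", ("Carl", "issue", "homework")),     # Carl may write homework policies
    Policy("Mom", "delegation", ("Babysitter", "issue", "eating")),  # babysitter may govern eating
    Policy("Babysitter", "eating", ("Alice", "eat", "apples")),      # holds: delegated via Mom
    Policy("Alice", "eating", ("Alice", "eat", "cookies")),          # does not hold: Alice is not authorised
    Policy("Carl", "homework", ("Alice", "submit_late", "assignment")),
    Policy("Mom", "naps", ("Alice", "take", "nap"),                  # slide 34: depends on Carl's grant
           condition=lambda h: allows(h, "Carl", ("Alice", "submit_late", "assignment"))),
)

if __name__ == "__main__":
    for issuer, grant in sorted(holding_policies(POLICIES)):
        print(f"{issuer:>10} says {grant}")
    print("cookies:", permitted(POLICIES, ("Alice", "eat", "cookies")))
```

The check in `allows` keys on the issuer as well as the grant, which is what makes slide 34's `if Carl allows …’ different from `if anyone allows …’: a policy from Alice granting herself the late submission would not satisfy Mom's condition even if it somehow held.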

35 Is this capability important? Yes. Examples: Digital libraries often have the policy `if the government allows someone to access our usage records, then the access is permitted.’ Similar recognition of state/federal authority appears elsewhere.

36 Another difference In XrML, the action `adopting’ can be done to a resource that is a role. E.g., Alice may adopt the role `freshman’. Now, a policy can look more like an environment fact. E.g., `anyone permitted to adopt the role `freshman’ may adopt the role `student’’ (i.e., all freshmen are students).

37 Not quite enough Real licenses include fairly complex environment facts. E.g., if you try to make a purchase from iTunes using a gift certificate and the purchase price is more than the balance on the certificate, then the difference is charged to your credit card. XrML is a step in the right direction, but isn’t enough to capture everything.

38 Another problem: Prohibitions Real licenses forbid certain actions. Example MIT has course materials online. According to their online license, users are forbidden to use the material for commercial purposes. In XrML, we cannot write that an action is forbidden.

39 A partial solution XrML assumes that an action is forbidden unless it’s explicitly permitted (default deny). This might be good enough, but we’re not really capturing the policymaker’s intent. And we can’t write policies that depend on a policymaker’s indifference. E.g., an instructor can’t say `a student may audit my class if the university doesn’t object’.

40 A better solution Add negation to XrML. This can be done, although some care is needed to keep the language tractable (enforceable by computers).

41 Another problem: Obligations Real licenses talk about the obligations of the consumer and the content provider. E.g. Licenses often obligate the consumer to defend the provider from any legal action resulting from the consumer’s use of the content. Providers often say that they are obligated to replace faulty content or give the consumer a full refund.

42 Adding obligations to XrML Adding obligations is fairly straightforward. But some thought needs to go into determining the relationship between permissions and obligations. E.g. Are all obligatory actions permitted? Also, it’s not clear how an obligation can be enforced.

43 Summary of XrML Pros: Can capture policies that grant permissions depending on who has granted other permissions. (E.g. if Carl allows Alice to turn in her homework late, then she may take a nap.) Can capture some environment facts, such as `all freshmen are students’.

44 Summary of XrML (cont) Cons: XrML cannot capture all of the environment facts that appear in licenses. XrML cannot capture policies that forbid an action. (E.g., Alice may not use the content for commercial purposes.) XrML cannot capture obligations. (E.g., if the content is buggy, the provider is obligated to give a refund.)

45 XACML XACML can capture policies that forbid actions. An answer to a query, such as `may Alice download the theme song to Sesame Street’, can be `yes, the action is permitted’, `no, the action is forbidden’, `not applicable, no policy regulates the action’ (XACML separately answers `indeterminate’ when evaluation itself fails, e.g., a needed attribute is missing), or `yes, if she does some action’ (e.g., pay 99 cents). This should be quite useful in practice!

46 XACML (cont) XACML supports some use of disjunction (or) in policies. This doesn’t add expressive power, but can make policies more concise. E.g., consider the policy `If Alice is over 18 or has parental consent, then she may access file f’. In MinLang, this would be written as two policies. In XACML, it’s just one.

47 XACML (cont) XACML allows the policymaker to define when a permission follows from a set of policies, based on which policies permit/forbid the action. A policymaker could say that an action is permitted if the permission follows from one of the government’s policies or if none of the policies imply that the action is forbidden.
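The decision and combining behaviour of slides 45 to 47, as an added Python model (this is not XACML’s XML syntax and not code from the talk): each rule has a target saying when it applies, a Permit or Deny effect, and an issuer; a request evaluates to Permit, Deny, or NotApplicable; and a combining algorithm resolves conflicts between rules. `deny_overrides’ and `permit_overrides’ follow the standard XACML combining algorithms of those names; `government_or_unopposed’ encodes the policymaker-defined rule on slide 47. All rules, attribute names, and requests are constructed for illustration.

```python
"""Added example (not from the slides): XACML-style decisions and combining.

Rules carry a target, an effect and an issuer.  A request is evaluated
against every rule, giving Permit, Deny or NotApplicable per rule, and a
combining algorithm turns that list into one decision.  Real XACML writes
rules as <Rule>/<Target> XML; only the decision logic is modelled here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, object]          # assumed attribute names, e.g. {"age": 17}
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Rule:
    name: str
    issuer: str
    effect: str                             # PERMIT or DENY
    target: Callable[[Request], bool]       # does the rule apply to this request?


Result = Tuple[Rule, str]


def evaluate_rule(rule: Rule, req: Request) -> str:
    return rule.effect if rule.target(req) else NOT_APPLICABLE


def deny_overrides(results: List[Result]) -> str:
    """Any Deny wins; otherwise any Permit; otherwise nothing applied."""
    decisions = [d for _, d in results]
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


def permit_overrides(results: List[Result]) -> str:
    """Any Permit wins; otherwise any Deny; otherwise nothing applied."""
    decisions = [d for _, d in results]
    if PERMIT in decisions:
        return PERMIT
    if DENY in decisions:
        return DENY
    return NOT_APPLICABLE


def government_or_unopposed(results: List[Result]) -> str:
    """Slide 47's policymaker-defined combiner: permitted if a Government rule
    permits, or if no rule at all forbids the action.  The second clause makes
    an unregulated request Permit, i.e. this combiner is default-allow."""
    if any(d == PERMIT and r.issuer == "Government" for r, d in results):
        return PERMIT
    if any(d == DENY for _, d in results):
        return DENY
    return PERMIT


def decide(rules: Tuple[Rule, ...], req: Request,
           combiner: Callable[[List[Result]], str]) -> str:
    return combiner([(r, evaluate_rule(r, req)) for r in rules])


# Constructed rule set drawn from the slides' running examples.
RULES = (
    # Slide 46: one rule with a disjunctive target instead of two MinLang policies.
    Rule("read-f", "Library", PERMIT,
         lambda q: q.get("resource") == "f" and q.get("action") == "read"
         and (q.get("age", 0) >= 18 or q.get("parental_consent") is True)),
    # Slide 38: a prohibition, which MinLang and XrML cannot state.
    Rule("ocw-noncommercial", "MIT", DENY,
         lambda q: q.get("resource") == "ocw" and q.get("purpose") == "commercial"),
    # Slide 35: a government rule over a library's usage records ...
    Rule("gov-audit", "Government", PERMIT,
         lambda q: q.get("resource") == "usage-records" and q.get("role") == "auditor"),
    # ... which conflicts with the library's own rule keeping them private.
    Rule("records-private", "Library", DENY,
         lambda q: q.get("resource") == "usage-records" and q.get("role") != "librarian"),
)

# Constructed requests.
ALICE_READS_F = {"subject": "Alice", "age": 17, "parental_consent": True,
                 "action": "read", "resource": "f"}
COMMERCIAL_OCW = {"subject": "Bob", "resource": "ocw", "purpose": "commercial"}
AUDIT_RECORDS = {"subject": "Eve", "role": "auditor", "resource": "usage-records"}
UNREGULATED = {"subject": "Alice", "action": "download", "resource": "theme-song"}

if __name__ == "__main__":
    for name, req in [("Alice reads f", ALICE_READS_F), ("commercial OCW", COMMERCIAL_OCW),
                      ("audit records", AUDIT_RECORDS), ("unregulated", UNREGULATED)]:
        print(name, {c.__name__: decide(RULES, req, c)
                     for c in (deny_overrides, permit_overrides, government_or_unopposed)})
```

The audit request is the interesting one: the same four rules yield Deny under deny-overrides, Permit under permit-overrides, and Permit under the slide 47 combiner, so the combining algorithm is part of the policy, not a detail of the engine. The unregulated download also shows the cost of slide 47's second clause: a combiner that permits whenever nothing forbids turns a missing rule into an allow, which is the opposite of the default-deny stance slide 39 attributes to XrML.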

48 Problems In XACML, we cannot capture policies that depend on what other principals permit/forbid (if Carl allows Alice to turn in her homework late, then she may nap), environment facts (e.g., all freshmen are students), or obligations.

49 Summary Real licenses do not seem to require so much expressive power that it is impossible to create an appropriate policy language. But XrML and XACML are not sufficiently expressive to capture the licenses of digital content providers. So there is work to be done.

