1 Safety Analysis of Usage Control (UCON) Authorization Model Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce George Mason University AsiaCCS.

Presentation transcript:

1 Safety Analysis of Usage Control (UCON) Authorization Model Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce George Mason University AsiaCCS 2006

Context
Electronic commerce, information sharing, etcetera: multi-party security objectives, often fuzzy objectives.
Protection objectives (figure): INTEGRITY (modification), AVAILABILITY (access), CONFIDENTIALITY (disclosure), USAGE (purpose).

Context
Protection objectives: sensitive information protection, IPR protection, privacy protection.
Protection architectures: server-side reference monitor (SRM), client-side reference monitor (CRM), SRM & CRM combined.

4 UCON Model (Park and Sandhu 2004)
Attribute mutability: attributes can be updated as side effects of a usage (pre, ongoing, and post updates).
Decision continuity: a usage process has three phases, and decisions are made in the first two. Pre-decision: preA, preB, preC. Ongoing decisions: onA, onB, onC, checked repeatedly during the ongoing usage phase.
Core models: preA0, preA1, preA2, preA3, onAx, preBx, onBx, preCx, onCx. A real model may be a combination of core models.

5 An Example
Resource-constrained access control: a limited number (10) of ongoing accesses to a single object. When an 11th subject requests a new access, one ongoing access is revoked. Different revocation policies:
- By start time: the longest-running ongoing usage is revoked.
- By idle time: the usage with the longest total idle time is revoked.
- By total usage time: the usage with the longest accumulated usage time is revoked.
This needs decision continuity, attribute mutability, and ongoing access revocation.
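The resource-constrained policy above, as an added example that is not part of the slides or the paper: a small Python monitor keeps at most LIMIT ongoing usages of one object, updates each usage's mutable attributes (accumulated idle and usage time) while the access is ongoing, and, on the (LIMIT+1)-th request, revokes one usage chosen by the selected revocation policy. Subject names, timestamps and the three strategies' tie-breaking are constructed for illustration.

```python
# Added example (not from the slides): ongoing-usage monitor with revocation.
from dataclasses import dataclass

LIMIT = 10   # maximum number of concurrent usages of the object (slide 5)

@dataclass
class Usage:
    subject: str
    start: float          # when the usage began
    idle: float = 0.0     # total idle time accumulated so far (mutable attribute)
    active: float = 0.0   # total accumulated usage time (mutable attribute)

class ResourceMonitor:
    """Ongoing decision point for one object: every new request re-evaluates the
    ongoing usages and revokes one if the limit would otherwise be exceeded."""

    def __init__(self, policy):
        self.policy = policy          # "start" | "idle" | "usage"
        self.ongoing = []             # currently permitted usages
        self.revoked = []             # subjects whose usage was revoked, in order

    def _victim(self):
        key = {
            "start": lambda u: u.start,     # longest-running usage: earliest start
            "idle":  lambda u: -u.idle,     # longest total idle time
            "usage": lambda u: -u.active,   # longest accumulated usage time
        }[self.policy]
        return min(self.ongoing, key=key)

    def tick(self, subject, idle_delta, active_delta):
        """Ongoing update of a usage's mutable attributes."""
        for u in self.ongoing:
            if u.subject == subject:
                u.idle += idle_delta
                u.active += active_delta

    def request(self, subject, now):
        """Pre-decision for a new access; returns the revoked subject, if any."""
        victim = None
        if len(self.ongoing) >= LIMIT:
            victim = self._victim()
            self.ongoing.remove(victim)
            self.revoked.append(victim.subject)
        self.ongoing.append(Usage(subject, now))
        return victim.subject if victim else None

def run_scenario(policy):
    """Constructed run: ten subjects start at t=0..9, s3 idles the most, s7 uses
    the most, then an 11th subject requests access. Returns who was revoked."""
    m = ResourceMonitor(policy)
    for i in range(LIMIT):
        m.request(f"s{i}", now=float(i))
    m.tick("s3", idle_delta=50.0, active_delta=0.0)
    m.tick("s7", idle_delta=0.0, active_delta=80.0)
    return m.request("s10", now=20.0)
```

Running `run_scenario` once per policy shows the three strategies picking different victims for the same history, which is exactly why the decision must be re-evaluated with current attribute values rather than fixed at access start.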

6 Motivations
Two fundamental properties in access control: expressive power and safety analysis.
Formalization of the UCON model is required for the precise semantics of the conceptual model, for policy definition, and for the analysis of UCON properties.

7 Expressive Power & Safety Analysis
Expressive power: the flexibility to express policies for different requirements; compared among access control models.
Safety problem (figure: initial state, scheme, a reachable state): given a system, specified by an initial state and a scheme, is there a reachable state in which a subject has a particular right on an object?
Expressive power and manageable safety analysis are two conflicting properties of access control models: in general, the more expressive power a model has, the harder it is (if at all possible) to carry out safety analysis. Examples: HRU, SPM, and TAM.

8 Formalization of UCON_A
We focus on UCON preA (UCON_A) models in this paper.
Attributes and values: each object is specified by the same set of attributes ATT; each attribute a ∈ ATT has a value domain dom(a).
A system state is (O, σ), where O is a set of objects (including subjects, S ⊆ O) and σ: O × ATT → dom(ATT) ∪ {null}.
Three primitive actions for state transitions:
- createObject o: create a new object o; ∀a ∈ ATT, σ'(o.a) = null
- destroyObject o: O' = O − {o}; ∀o' ∈ O', ∀a ∈ ATT, σ'(o'.a) = σ(o'.a)
- updateAttribute o.a = v: σ'(o.a) = v with v ∈ dom(a); σ'(ent.att) = σ(ent.att) if ent ≠ o or att ≠ a

9 UCON_A Policy
In a policy, p1, …, pi are attribute predicates on s and o, and act1, …, actk are actions on s and o.
Creating policy: if act1 is createObject o, only o can be created (single-parent policy); s is the parent and o is the child.
Assumptions: atomic policy enforcement; serialized accesses.

10 Formal Model of UCON_A
A UCON_A scheme is a 4-tuple (ATT, R, P, C), where ATT is a finite set of attribute names, R is a finite set of rights, P is a finite set of predicates, and C is a finite set of policies.
A UCON_A system is specified by a UCON_A scheme and an initial state t0 = (O0, σ0).

11 Policy Specification Flexibility
- DRM policies
- RBAC models (RBAC0, RBAC1, RBAC2)
- Chinese Wall policies
- Dynamic separation of duty
- MAC policy with high-watermark property

12 Expressive Power of UCON_A: iTunes-like Systems
user_register(s, u):
  true → permit(s, u, register)
  createObject u;
  updateAttribute: s.regUsers' = s.regUsers ∪ {u};
  updateAttribute: u.registered' = true;
  updateAttribute: u.platformList' = ∅;
  updateAttribute: u.orderList' = ∅;
  updateAttribute: u.credit' = 0.00;
order(u, m):
  (u.registered = true) ∧ (u.credit ≥ m.price) ∧ (m ∉ u.orderList) → permit(u, m, order)
  updateAttribute: u.orderList' = u.orderList ∪ {m};
  updateAttribute: m.owner' = u;
  updateAttribute: u.credit' = u.credit − m.price;
play(p, m):
  (p.authorizedBy ≠ null) ∧ (m.owner ≠ null) ∧ (p.authorizedBy = m.owner) → permit(p, m, play)
authorize_platform(u, p):
  (u.registered = true) ∧ (|u.platformList| < 5) ∧ (p ∉ u.platformList) → permit(u, p, authorize)
  updateAttribute: u.platformList' = u.platformList ∪ {p};
  updateAttribute: p.authorizedBy' = u;
deauthorize_platform(u, p):
  (u.registered = true) ∧ (p ∈ u.platformList) → permit(u, p, deauthorize)
  updateAttribute: u.platformList' = u.platformList − {p};
  updateAttribute: p.authorizedBy' = null;
(Figure: User, iTunes music store, Device, Music file, linked by register, order, play, authorize, deauthorize.)
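The definitions of slides 8 to 10 and the iTunes-like policies of slide 12, as an added executable example that is not code from the slides or the paper: a state (O, σ) in which every object carries the same attribute set ATT, the three primitive actions, and each policy written as "evaluate the predicates on the current state, then apply the updates atomically" under the slide 9 assumptions. Object names, the 0.99 price and the credit top-up are constructed.

```python
# Added example (not from the slides or the paper): executable UCON_A state,
# primitive actions and the iTunes-like policies. Names/values are constructed.

class UconState:
    """State (O, sigma): sigma maps every (object, attribute) to a value or None (null)."""
    def __init__(self, att):
        self.att = tuple(att)     # ATT, the finite set of attribute names
        self.sigma = {}           # O is sigma's key set

    def createObject(self, o):    # sigma'(o.a) = null for all a in ATT
        if o in self.sigma:
            raise ValueError(f"{o} already exists")
        self.sigma[o] = dict.fromkeys(self.att)

    def destroyObject(self, o):   # O' = O - {o}; every other object unchanged
        del self.sigma[o]

    def updateAttribute(self, o, a, v):   # sigma'(o.a) = v; everything else unchanged
        if a not in self.att:
            raise KeyError(f"unknown attribute {a}")
        self.sigma[o][a] = v

    def get(self, o, a):
        return self.sigma[o][a]

ATT = ("regUsers", "registered", "platformList", "orderList", "credit", "owner",
       "price", "authorizedBy")

# Each policy checks its predicates on the current state; if they hold the usage is
# permitted and the updates are applied atomically (serialized accesses, atomic
# enforcement, as assumed on slide 9). Each returns the permit decision.

def user_register(st, s, u):                       # true -> permit(s, u, register)
    st.createObject(u)
    st.updateAttribute(s, "regUsers", st.get(s, "regUsers") | {u})
    st.updateAttribute(u, "registered", True)
    st.updateAttribute(u, "platformList", frozenset())
    st.updateAttribute(u, "orderList", frozenset())
    st.updateAttribute(u, "credit", 0.0)
    return True

def order(st, u, m):
    # (u.registered = true) and (u.credit >= m.price) and (m not in u.orderList)
    if not (st.get(u, "registered") is True and st.get(u, "credit") >= st.get(m, "price")
            and m not in st.get(u, "orderList")):
        return False
    st.updateAttribute(u, "orderList", st.get(u, "orderList") | {m})
    st.updateAttribute(m, "owner", u)
    st.updateAttribute(u, "credit", st.get(u, "credit") - st.get(m, "price"))
    return True

def play(st, p, m):
    # (p.authorizedBy != null) and (m.owner != null) and (p.authorizedBy = m.owner)
    return (st.get(p, "authorizedBy") is not None and st.get(m, "owner") is not None
            and st.get(p, "authorizedBy") == st.get(m, "owner"))

def authorize_platform(st, u, p):
    # (u.registered = true) and (|u.platformList| < 5) and (p not in u.platformList)
    plist = st.get(u, "platformList")
    if not (st.get(u, "registered") is True and len(plist) < 5 and p not in plist):
        return False
    st.updateAttribute(u, "platformList", plist | {p})
    st.updateAttribute(p, "authorizedBy", u)
    return True

def deauthorize_platform(st, u, p):
    # (u.registered = true) and (p in u.platformList)
    plist = st.get(u, "platformList")
    if not (st.get(u, "registered") is True and p in plist):
        return False
    st.updateAttribute(u, "platformList", plist - {p})
    st.updateAttribute(p, "authorizedBy", None)
    return True

def demo():
    """Constructed scenario: one store, one user, six devices, one 0.99 track."""
    st = UconState(ATT)
    st.createObject("store"); st.updateAttribute("store", "regUsers", frozenset())
    st.createObject("song");  st.updateAttribute("song", "price", 0.99)
    for d in range(6):
        st.createObject(f"dev{d}")
    user_register(st, "store", "alice")
    st.updateAttribute("alice", "credit", 1.50)   # top-up; not one of the policies
    r = {"order": order(st, "alice", "song"),
         "reorder": order(st, "alice", "song"),   # song already in orderList
         "authorized": [authorize_platform(st, "alice", f"dev{d}") for d in range(6)],
         "play_dev0": play(st, "dev0", "song"),
         "play_dev5": play(st, "dev5", "song")}   # sixth device was refused
    deauthorize_platform(st, "alice", "dev0")
    r["play_dev0_after_deauth"] = play(st, "dev0", "song")
    r["authorize_dev5_after_deauth"] = authorize_platform(st, "alice", "dev5")
    r["credit"] = round(st.get("alice", "credit"), 2)
    return r
```

The point worth noticing is attribute mutability doing the access-control work: the five-device cap, the no-double-order rule and the loss of playback after deauthorization all come from updates made as side effects of earlier usages, not from a separate permission matrix.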

13 Expressive Power of UCON_A
The expressive power of the UCON_A model has been formally studied by comparing it with traditional access control models: simulating the general SO-TAM model, and simulating the general SO-ATAM model.
Theorem: (a) UCON_A is more expressive than TAM. (b) UCON_A is at least as expressive as ATAM.

14 Safety Analysis of UCON_A
Theorem: safety is undecidable in the general UCON_A model.
Proof approaches:
- By reducing a general SO-TAM system to a UCON_A system.
- By simulating the operations of a general Turing machine with a UCON_A model.

15 Safety Analysis of UCON_A
Theorem: the safety problem of a UCON_A system is decidable if (1) the value domain of each attribute is finite, and (2) there is no creating policy in the scheme.
Proof idea: reduce a UCON_A system with these restrictions to a finite state machine (FSM), where the safety problem is mapped to the emptiness problem for the language recognized by the FSM.
Complexity of the safety problem: polynomial in the number of possible states of the system; NP-hard in the number of policies in the scheme.

16 Safety Analysis of UCON_A
Theorem: the safety problem of a UCON_A system is decidable if (1) the attribute creation graph is acyclic, (2) the attribute update graph has no cycle containing a create-parent attribute tuple, and (3) in each creating policy, both the parent's and the child's attribute tuples are updated.
Proof idea, restrictions on creating policies: if c(s, o) is a creating policy, then it must have an updateAttribute s.a action with σ'(s.a) ≠ σ(s.a), and no policy can update s.a from σ'(s.a) back to σ(s.a) in any state.

17 Expressive Power of Decidable UCON_A
RBAC96 model with URA97 or PRA97 scheme.
A state in RBAC96: ⟨S, P, R, UA, UAA, PA, RH⟩, where P ⊆ O × R.
URA97 scheme: can_assign ⊆ AR × CR × 2^R, can_revoke ⊆ AR × 2^R.
A can_assign(ar, cr, [r1, r2]) or can_revoke(ar, [r1, r2]) can be reduced to a set of UCON_A policies, one for each r_i ∈ [r1, r2], with the prerequisite condition written as cr = x ∧ ȳ.

18 Expressive Power of Decidable UCON_A: DRM applications with consumable rights (limited number of copies)
order(s, o):
  (s.credit ≥ o.price) ∧ (o.owner = null) → permit(s, o, order)
  updateAttribute: s.credit' = s.credit − o.price;
  updateAttribute: o.owner' = s;
  updateAttribute: o.copylicense' = 10;
allow_copy(s, o):
  (o.owner = s) ∧ (o.copylicense > 0) → permit(s, o, allowcopy)
  updateAttribute: o.allowcopy' = true;
copy(o1, o2):
  (o1.allowcopy = true) → permit(o1, o2, copy)
  createObject o2;
  updateAttribute: o2.sn' = o1.copylicense;
  updateAttribute: o1.copylicense' = o1.copylicense − 1;
  updateAttribute: o1.allowcopy' = false;
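The safety question of slide 7 carried out by the FSM reduction of slide 15, as an added example that is not code from the slides or the paper: every reachable state (O, σ) of a small UCON_A system is enumerated by breadth-first search, and the analyzer reports whether some reachable state permits a given right under a condition of interest. It is run on two constructed schemes: a dynamic separation-of-duty scheme with finite attribute domains and no creating policy (the slide 15 case), once with and once without the predicate that stops a check's preparer from approving it; and the consumable-rights DRM scheme of slide 18, whose copy policy does create objects but whose parent attribute copylicense only ever decreases and is never restored (the slide 16 restriction), so the search still terminates. Object names, the two schemes, and the credit/price values are assumptions of this example.

```python
# Added example (not from the paper or slides): the safety question as reachability.
# States (O, sigma) are frozen into hashable values, each policy is a guard over
# attribute predicates plus an atomic update, and breadth-first search enumerates
# every reachable state. Object names, attributes and both schemes are constructed.
from collections import deque

def freeze(sigma):          # (O, sigma) as a canonical hashable value
    return tuple(sorted((o, tuple(sorted(a.items()))) for o, a in sigma.items()))

def thaw(frozen):
    return {o: dict(a) for o, a in frozen}

def reachable(policies, init, bound=10000):
    """Every state reachable from init. policies: (right, creating, guard, effect),
    with guard(sigma, s, o) -> bool and effect(sigma, s, o) updating sigma in place.
    Also returns every (state, right, s, o) in which permit(s, o, right) held."""
    start = freeze(init)
    seen, queue, permitted = {start}, deque([start]), []
    while queue:
        cur = queue.popleft()
        sigma = thaw(cur)
        for right, creating, guard, effect in policies:
            for s in sigma:
                # creating policy: o is the fresh child of its single parent s;
                # otherwise o ranges over the existing objects
                targets = [f"new{len(sigma)}"] if creating else list(sigma)
                for o in targets:
                    if s == o or not guard(sigma, s, o):
                        continue
                    permitted.append((cur, right, s, o))
                    nxt = thaw(cur)            # copy, then apply the updates atomically
                    effect(nxt, s, o)
                    f = freeze(nxt)
                    if f not in seen:
                        if len(seen) >= bound:
                            raise RuntimeError("state bound exceeded; scheme may be unbounded")
                        seen.add(f)
                        queue.append(f)
    return seen, permitted

def unsafe(policies, init, right, bad):
    """Is there a reachable state where permit(s, o, right) holds and bad(sigma, s, o)?"""
    _, permitted = reachable(policies, init)
    return any(r == right and bad(thaw(st), s, o) for st, r, s, o in permitted)

# Scheme 1: dynamic separation of duty -- finite domains, no creating policy (slide 15).
def dsod_scheme(strict):
    """strict=True keeps the predicate c.preparer != s in approve; False drops it."""
    def prepare(sg, s, c):
        return sg[s]["kind"] == "clerk" and sg[c]["kind"] == "check" and sg[c]["preparer"] is None
    def do_prepare(sg, s, c):
        sg[c]["preparer"] = s
    def approve(sg, s, c):
        return (sg[s]["kind"] == "clerk" and sg[c]["kind"] == "check"
                and sg[c]["preparer"] is not None and sg[c]["approver"] is None
                and (not strict or sg[c]["preparer"] != s))
    def do_approve(sg, s, c):
        sg[c]["approver"] = s
    return [("prepare", False, prepare, do_prepare), ("approve", False, approve, do_approve)]

DSOD_INIT = {"alice": {"kind": "clerk", "preparer": None, "approver": None},
             "bob":   {"kind": "clerk", "preparer": None, "approver": None},
             "chk":   {"kind": "check", "preparer": None, "approver": None}}

def preparer_can_approve(strict):   # can a check's preparer ever be permitted to approve it?
    return unsafe(dsod_scheme(strict), DSOD_INIT, "approve", lambda sg, s, c: sg[c]["preparer"] == s)

# Scheme 2: DRM consumable rights (slide 18). copy creates objects, but the parent's
# copylicense only decreases and nothing restores it, so the state space stays finite.
DRM_ATT = ("credit", "price", "owner", "copylicense", "allowcopy", "sn")

def drm_scheme():
    def order(sg, s, o):
        return (sg[s]["credit"] is not None and sg[o]["price"] is not None
                and sg[s]["credit"] >= sg[o]["price"] and sg[o]["owner"] is None)
    def do_order(sg, s, o):
        sg[s]["credit"] -= sg[o]["price"]; sg[o]["owner"] = s; sg[o]["copylicense"] = 10
    def allow_copy(sg, s, o):
        return sg[o]["owner"] == s and (sg[o]["copylicense"] or 0) > 0
    def do_allow_copy(sg, s, o):
        sg[o]["allowcopy"] = True
    def copy(sg, o1, o2):
        return sg[o1]["allowcopy"] is True
    def do_copy(sg, o1, o2):
        sg[o2] = dict.fromkeys(DRM_ATT)          # createObject o2: every attribute null
        sg[o2]["sn"] = sg[o1]["copylicense"]
        sg[o1]["copylicense"] -= 1
        sg[o1]["allowcopy"] = False
    return [("order", False, order, do_order), ("allowcopy", False, allow_copy, do_allow_copy),
            ("copy", True, copy, do_copy)]

DRM_INIT = {"alice": dict(dict.fromkeys(DRM_ATT), credit=10),
            "track": dict(dict.fromkeys(DRM_ATT), price=5)}

def drm_analysis():
    """(number of reachable states, most copies ever created, copy permitted at license 0?)"""
    states, _ = reachable(drm_scheme(), DRM_INIT)
    most_copies = max(len(st) for st in states) - len(DRM_INIT)
    over = unsafe(drm_scheme(), DRM_INIT, "copy", lambda sg, o1, o2: sg[o1]["copylicense"] <= 0)
    return len(states), most_copies, over
```

The strict separation-of-duty scheme has no reachable state in which a preparer is permitted to approve, while dropping that single predicate makes the violating state reachable, which is the kind of policy defect this analysis exists to catch. For the DRM scheme the search terminates with a bounded number of copies precisely because the parent's copylicense tuple is updated on every creation and never updated back; remove that decrement and the same search would grow without bound, which is what the slide 16 restriction rules out.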

19 Contribution Summary
Expressive power: formal study of the expressive power of UCON_A; UCON_A is at least as expressive as ATAM.
Safety analysis of UCON_A: safety undecidability of the general model; two safety-decidable models obtained by restricting the form of the policies in the general model; expressive power of the decidable models, shown by simulating RBAC96 with URA97 or PRA97 and by DRM applications.

20 Ongoing and Future Work
- Comparing expressive power between UCON authorization and obligation models
- Efficiently decidable UCON models
- An administrative model of UCON
- Expressive power and safety analysis of UCON ongoing models
- UCON architectures and mechanisms

21 Thank you! Q & A