An Algebra for Composing Access Control Policies (2002) Author: PIERO BONATTI, SABRINA DE CAPITANI DI, PIERANGELA SAMARATI Presenter: Siqing Du Date: 09-22-05.

Presentation transcript:


Introduction
• Increase expressiveness and flexibility of authorization languages
• Support multiple policies in a single framework
• Existing frameworks translate and merge different component policies into a single “program” (problems)
• Policy composition framework
• An algebra for combining security policies with formal semantics

Characteristics of a Composition Framework
• Heterogeneous policy support
• Support for unknown policies
• Controlled interface
• Expressiveness
• Support of different abstraction levels
• Formal semantics

An Algebra of Policies: Preliminary Concepts
• Authorization term: $(s, o, a) \in S \times O \times A$
• A policy is defined as a set of ground authorization terms (triples).
• An authorization constraint language $L_{acon}$
• A rule language $L_{rule}$
• A semantic function closure: $\wp(L_{rule}) \times \wp(S \times O \times A) \to \wp(S \times O \times A)$

Some simplification
• Basic predicates, with at most three arguments, from distinct basic domains (S, A, O)
• Hierarchical relationship within elements of a domain (s op s0) op={≥,≤,,=}
• Horn clauses

Policy Expressions
• Syntax (BNF)
  E: nonterminal policy expressions
  id: token type of policy identifiers
  T: template
  C: constructs describing $L_{acon}$
  R: constructs describing $L_{rule}$

Operation Definition (1)
• Environment e: a partial mapping from policy identifiers to sets of ground authorizations
• Addition (+). It merges two policies by returning their union.

Operation Definition (2)
• Conjunction (&). It merges two policies by returning their intersection.
• Subtraction (-). It restricts a policy by eliminating all the accesses in a second policy.

Operation Definition (3)
• Closure (*). It closes a policy under a set of inference (derivation) rules.
• Scoping restriction (^). It restricts the application of a policy to a given set of subjects, objects, and actions.
  c: constraints : substitution

Operation Definition (4)
• Overriding (o). It replaces part of a policy with a corresponding fragment of a second policy. The portion to be replaced is specified by means of a third policy. for instance,

Operation Definition (5)
• Template ( ). It defines a partially specified policy that can be completed by supplying the parameters.

Example 1: Hospital
• Three departments: Radiology, Surgery, Medicine
• No access to the lab_tests data without patient consent
• Two divisions of the Medical dept.: Cardiology and Oncology

Example 2: University Laboratories
• Students must be authorized by laboratory tutors (Smith, machine1, login) and department administration (cs101, cs-lab, login)
• Access is forbidden to blacklisted students; only a permission from the provost can override this
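The operators defined in the Operation Definition slides, applied to the laboratory scenario of Example 2. This is an added example, not code from the paper or the presentation: the function names, the group hierarchy, and the sample triples are constructed, and overriding is modeled on the assumption that o(P1, P2, P3) means (P1 - P3) + (P2 & P3), since the slide's own formula did not survive.

```python
# Added example: policies as sets of ground (subject, object, action) triples.
# All names and sample data below are constructed for illustration.

def add(p1, p2):            # P1 + P2: union
    return p1 | p2

def conj(p1, p2):           # P1 & P2: intersection
    return p1 & p2

def sub(p1, p2):            # P1 - P2: drop every access present in P2
    return p1 - p2

def scope(p, c):            # P ^ c: keep only triples satisfying constraint c
    return {t for t in p if c(*t)}

def closure(p, rules):      # P * R: least fixpoint of p under derivation rules
    closed = set(p)
    while True:
        derived = set().union(*(r(closed) for r in rules)) - closed
        if not derived:
            return closed
        closed |= derived

def override(p1, p2, p3):   # assumed reading: (P1 - P3) + (P2 & P3)
    return add(sub(p1, p3), conj(p2, p3))

# Constructed hierarchy: a course or lab maps to its members.
MEMBERS = {"cs101": {"smith", "jones", "kim"}, "cs-lab": {"machine1", "machine2"}}

def expand(p):
    """Derivation rule: an authorization on a group also holds for its members."""
    return {(s2, o2, a) for (s, o, a) in p
            for s2 in {s} | MEMBERS.get(s, set())
            for o2 in {o} | MEMBERS.get(o, set())}

def lab_policy():
    tutors = {("smith", "machine1", "login"), ("jones", "machine2", "login"),
              ("kim", "machine1", "login"), ("lee", "machine1", "login")}
    admin = closure({("cs101", "cs-lab", "login")}, [expand])
    blacklisted = {"jones", "kim"}
    provost = {("kim", "machine1", "login")}
    both = conj(tutors, admin)                        # tutor AND administration
    banned = scope(both, lambda s, o, a: s in blacklisted)
    # The blacklisted portion is replaced by the provost's decisions on it.
    return override(both, provost, banned)

if __name__ == "__main__":
    print(sorted(lab_policy()))
```

Because each component stays a separate set, a denied request can be traced to the operand that removed it: lee fails the conjunction (not enrolled in cs101), jones is removed by the blacklist, and kim is restored only by the provost's permission.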

Reasoning based on Formal Semantics

Evaluating Policy Expressions
• Translating algebraic expressions into equivalent logic programs (pe2lp)
• In order to provide executable specifications compatible with different evaluation strategies.
• pe2lp creates a distinct predicate symbol for each policy identifier and for each internal node in the syntax tree of the given algebraic expression.
• Labeling an operator with a distinct integer. Formally, such extended expressions are called labeled policy expressions.

Expressiveness Analysis with Respect to First-order Logic
• The basic core of this algebra captures only a strict subset of FOL
• Equivalence: Let E be a policy expression, and F be a formula in L with one free variable x. We say that E and F are equivalent if and only if for all environments e defined for all free identifiers of E, and for all relations satisfy

Evaluation with Respect to the Desiderata (1)
• Heterogeneous policies can be supported either by exploiting the algebra constructs to represent the different policies or by referring to heterogeneous policies through policy identifiers then interpreted by means of wrappers.
• Unknown policies are supported by means of policy identifiers that can remain unbound in the environment.
• Interference of program rules and authorizations coming from different policies is controlled by restricting rule application to specific policies by means of the closure construct.

Evaluation with Respect to the Desiderata (2)
• Expressiveness is achieved by the different operators that easily allow the formulation of protection restrictions as illustrated in the examples and discussions contained herein.
• Different abstraction levels are naturally supported by the component-based approach.
• Formal semantics can be exploited to reason about properties of the specifications.

Concluding Remarks
• Main contributions:
  - Analyzed the problem of composing security policies in a modular and incremental fashion.
  - Identified six desiderata for a policy composition framework.
  - Proposed an algebra of security policies and a composition language.
  - Proposed an implementation approach based on logic programming and partial evaluation techniques.
  - Provided an extensive preliminary analysis of the algebra.