Integrity Constraints For Access Control Models

Transcription

1 1 / 19 Integrity Constraints For Access Control Models Romuald THION, Stéphane COULONDRE November

2 2 / 19 Outline 1 Introduction

3 3 / 19 Problem statement From Role-BAC to time (Generalized-Temporal-RBAC, [Joshi05]), team (Team-BAC, [Thomas97a]), tasks (Workflow-RBAC, [Wainer03]), organizations (Organization-BAC, [Miège05])... Goals identify a generic formal framework, characterize constraints in access control models, automate integrity checking.

4 4 / 19 Contribution Proposition Use integrity constraints (a.k.a. data dependencies) from databases. Contribution a simple modelization framework for access control models, formal characterization of constraints in access control models, a set of tools for administrators built from formal ones.

5 5 / 19 Generic definition Access control model : AC = (sch, P, Σ) Close to the deductive databases paradigm : sch : concepts and relations, P : authorization principles, Σ : integrity constraints. First modelization step sch and P acknowledged from the access control community, generic enough to capture core concepts and principles of models, main focus on Σ

6 6 / 19 Basic modelization (meta)-modelization sch vocabulary of the access control model, P set of closed FOL formulae, capture the semantic of authorization, clear separation between extensional and intensional DB. Model theoretic DATALOG semantic intensive policy I = P (I) least logical model of P, uniqueness and finiteness.

7 7 / 19 Data dependencies integrity constraints over relational data, not that far from DATALOG FOL fragment parallel between growing expressivity of data dependencies classes, of access control models. Some data dependencies classes Constraint-Generating Dependencies (CGD), Nullity-Generating Dependencies (NGD), Tuple-Generating Dependencies (TGD), Constrained Tuple-Generating Dependencies (CTGD).

8 8 / 19 Application to access control Capture semantic of constraints of extensive relations of specialized kinds of hierarchies of mutual exclusion, and other properties. Overview of properties of models Σ Only policies that satisfy Σ are correct. Formal definition of correctness Let AC = (sch, P, Σ) an access control model. A policy I over this model is correct iff I SAT (Σ).

9 9 / 19 Properties of schema Constraints on I a user have to be associated to each session, this user is unique, active roles is a subset of granted ones, only one role in a session. Use of data dependencies Endosse(S, R) U Représente(S, U) Représente(S, U) Représente(S, U ) U = U Représente(S, U) Endosse(S, R) Habilite(U, R) Endosse(S, R) Endosse(S, R ) R = R

10 10 / 19 Properties of hierarchies Kinds of hierarchies Use of data dependencies Hérite C (C, C ) Hérite C (C, C) C = C Domine C (C, C ) Domine C (C, C ) C = C Domine C (C, C) Domine C (C, C) C = C C(C) C(C ) C Hérite C (C, C ) Hérite C (C, C ) C(C) C(C ) C Hérite C (C, C) Hérite C (C, C )

11 11 / 19 Properties of authorizations Common principles of x-bac no bypass of core concepts, close to tuple-generating dependencies cannot be expressed in DATALOG-like. [Ferraiolo03] Property 3.2 : A subject s can perform an operation op on object o only if there exists a role r that is included in the subject s active role set and there exists an permission that is assigned to r such that the permission authorizes the performance of op on o. Use of data dependencies Accès(U, A, O) R Habilite(U, R) Affecte(R, A, O)

12 12 / 19 Properties of mutual exclusion Several definitions user-based session-based action-based permission-based. Use of data dependencies Exclusion(R, R ) Habilite(U, R) Habilite(U, R ) Exclusion(R, R ) Endosse(S, R) Endosse(S, R ) Exclusion(R, R ) Affecte(R, A, O) Affecte(R, A, O) Exclusion(R, R ) Affecte(R, A, O) Affecte(R, A, O)

13 13 / 19 Conception of access control model At the very first step abstract verification, integrity of models, simplification of models Logical implication problem Σ = σ no given policy over the model, decidable/semi-decidable according to dependencies.

14 14 / 19 Proof/decision procedure dedicated to TTGD, TGD ou CTGD, the chases [Beeri84, Maher96, Coulondre03, Wang05], strictly more expressive than P, computation without rewriting. Used to prove back some theorems read and write access in MAC [Sandhu93], no root role with mutual exclusion [Benantar06], inclusion of dynamic authorizations in static ones [Ferraiolo03], propagation of exclusion through inheritance [Gavrila98].

15 15 / 19 Administration of policies Basic usages computation of intensive relations, querying of policies, comparison of policies, integrity checking. Satisfaction problem I SAT (Σ) given accesss control policy over a model decidable problem

16 16 / 19 Redundant properties Mutual exclusion [Gavrila98] σ 1 any two roles assigned for a same user are not in separation of duties Habilite(User, Role 1 ) Habilite(User, Role 2 ) Exclusion(Role 1, Role 2 ) σ 2 no role is mutually exclusive with itself Exclusion(Role, Role) σ 3 mutual exclusion is symetric Exclusion(Role 1, Role 2 ) Exclusion(Role 2, Role 1 ) σ 4 any two roles in ssd do not inherits one another Hérite(Role 1, Role 2 ) Exclusion(Role 1, Role 2 ) σ 5 there is no role inheriting two roles in ssd Exclusion(Role 1, Role 2 ) Hérite(Senior, Role 1 ) Hérite(Senior, Role 2 ) σ 6 If a role inherits another role and that role is in ssd with a third one, then the inheriting role is in ssd with the third one. Hérite(Senior, Role 1 ) Exclusion(Role 1, Role 2 ) Exclusion(Senior, Role 2 ).

17 17 / 19 Results let P Σ = {σ 1, σ 2, σ 3, σ 4, σ 5, σ 6 }, automated simplification P Σ\{σ 4 } = σ 4, par application de σ 3, σ 6 et σ 2, P Σ\{σ 5 } = σ 5, par application de σ 3, σ 6, σ 3, σ 6 et σ 2 Prototype LIBDEPENDENCIES Tgds in base : [0] (for all)[r1,r2] separation(r1,r2)->exclusion(r1,r2). [1] (for all)[r1,r2] exclusion(r1,r2)->exclusion(r2,r1). [2] (for all)[r] exclusion(r,r)->error(reflex) (1= 1). [3] (for all)[r,r1,r2] exclusion(r1,r2),herite(r,r1)->exclusion(r,r2) Goal : (for all)[r,r1,r2] exclusion(r1,r2),herite(r,r1),herite(r,r2)-> (1= 1) there is an inconsistency in the store, therefore F =g number of rules applied for closure F(l):7 this chase was : seconds long

18 18 / 19 Synthesis Main symbols Symbol AC = (sch, P, Σ) sch = edb idb P Σ = Σ edb Σ idb I = I s I d I = I s I d Description access control model deductive database schema principles deduction rules properties data dependencies policy (in extenso) instance of edb derived policy (in intenso) instance of sch least model de P

19 19 / 19 Discussion Fragment of FOL neither negation nor disjunction, existential quantifier and constraints, decidability according to data dependencies classes. Main assumptions some principles cannot be expressed, distinction between conception and administration.