CS590U Access Control: Theory and Practice. Lecture 18 (March 10) SDSI Semantics & The RT Family of Role-based Trust-management Languages

Similar documents
Outlines. Design of A Role -based Trustmanagement. Permission-based (capability-style) What We Mean by Trust- Management? Systems?

Understanding SPKI/SDSI Using First-Order Logic

CS590U Access Control: Theory and Practice. Lecture 15 (March 1) Overview of Trust Management

CERIAS Tech Report RTML: A ROLE-BASED TRUST-MANAGEMENT MARKUP LANGUAGE. Ninghui Li, John C. Mitchell

Constraint Solving. Systems and Internet Infrastructure Security

Distributed Credential Chain Discovery in Trust Management (Extended Abstract)

Towards Practical Automated Trust Negotiation

DATABASE THEORY. Lecture 11: Introduction to Datalog. TU Dresden, 12th June Markus Krötzsch Knowledge-Based Systems

Logic as a framework for NL semantics. Outline. Syntax of FOL [1] Semantic Theory Type Theory

Logic and Practice of Trust Management

Delegation Logic: A Logic-based Approach to Distributed Authorization

Advanced Access Control. Role-Based Access Control. Common Concepts. General RBAC Rules RBAC96

Inconsistency-tolerant logics

Lecture 1: Conjunctive Queries

Structural characterizations of schema mapping languages

Typed Lambda Calculus for Syntacticians

An Attribute-Based Access Matrix Model

Towards a Logical Reconstruction of Relational Database Theory

Chapter 2 & 3: Representations & Reasoning Systems (2.2)

Lecture 17 of 41. Clausal (Conjunctive Normal) Form and Resolution Techniques

Managing Inconsistencies in Collaborative Data Management

Conjunctive queries. Many computational problems are much easier for conjunctive queries than for general first-order queries.

Type Systems COMP 311 Rice University Houston, Texas

Review Material: First Order Logic (FOL)

CSC 501 Semantics of Programming Languages

Encryption as an Abstract Datatype:

Towards a Semantic Web Modeling Language

Security policies and access control

Logic (or Declarative) Programming Foundations: Prolog. Overview [1]

CMPS 277 Principles of Database Systems. Lecture #4

Foundations of AI. 9. Predicate Logic. Syntax and Semantics, Normal Forms, Herbrand Expansion, Resolution

Integrity Constraints For Access Control Models

Logical reconstruction of RDF and ontology languages

Back to the knights and knaves island

Datalog with Constraints: A Foundation for Trust Management Languages

DATABASE THEORY. Lecture 18: Dependencies. TU Dresden, 3rd July Markus Krötzsch Knowledge-Based Systems

KeyNote: Trust Management for Public-Key. 180 Park Avenue. Florham Park, NJ USA.

Knowledge Representations. How else can we represent knowledge in addition to formal logic?

Logic and its Applications

A prototype system for argumentation-based reasoning about trust

Module 6. Knowledge Representation and Logic (First Order Logic) Version 2 CSE IIT, Kharagpur

JOURNAL OF OBJECT TECHNOLOGY

15-819M: Data, Code, Decisions

Part I Logic programming paradigm

Programming Language Concepts: Lecture 19

RIF RuleML Rosetta Ring: Round-Tripping the Dlex Subset of Datalog RuleML and RIF-Core

HANDBOOK OF LOGIC IN ARTIFICIAL INTELLIGENCE AND LOGIC PROGRAMMING

Logic Programming and Resolution Lecture notes for INF3170/4171

A Language for Access Control in CORBA Security

THE RELATIONAL MODEL. University of Waterloo

8. Negation 8-1. Deductive Databases and Logic Programming. (Sommer 2017) Chapter 8: Negation

COMP4418 Knowledge Representation and Reasoning

Typed Lambda Calculus

Refinement Types as Proof Irrelevance. William Lovas with Frank Pfenning

Distributed Certificate-Chain Discovery in SPKI/SDSI

A Semantic Foundation for Trust Management Languages with Weights: An Application to the RT Family,

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe

Data Integration: Logic Query Languages

Data integration lecture 3

Exercises Computational Complexity

Proseminar on Semantic Theory Fall 2013 Ling 720 An Algebraic Perspective on the Syntax of First Order Logic (Without Quantification) 1

SOFTWARE ENGINEERING DESIGN I

Database Theory VU , SS Introduction: Relational Query Languages. Reinhard Pichler

Authorization in Trust Management: Features and Foundations

Distributed Access Control. Trust Management Approach. Characteristics. Another Example. An Example

Kalliopi Kravari 1, Konstantinos Papatheodorou 2, Grigoris Antoniou 2 and Nick Bassiliades 1

CSC 474/574 Information Systems Security

Database Theory VU , SS Introduction to Datalog. Reinhard Pichler. Institute of Logic and Computation DBAI Group TU Wien

CERIAS Tech Report

A Retrospective on Datalog 1.0

Advanced Logic and Functional Programming

Overview. CS389L: Automated Logical Reasoning. Lecture 6: First Order Logic Syntax and Semantics. Constants in First-Order Logic.

Situation Calculus and YAGI

A Structural Operational Semantics for JavaScript

Supplementary Notes on Abstract Syntax

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

Com S 541. Programming Languages I

AURA: A programming language for authorization and audit

Operational Semantics

Introduction to the Lambda Calculus

Solutions to Exercises

Uncertain Data Models

Comparing the Expressive Power of Access Control Models

Knowledge Representation

A review of First-Order Logic

Propositional Logic. Part I

Automata Theory for Reasoning about Actions

LOGIC AND DISCRETE MATHEMATICS

The Inverse of a Schema Mapping

Enhanced Entity-Relationship (EER) Modeling

Propositional Calculus: Boolean Functions and Expressions. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Infinite Derivations as Failures

Propositional Logic. Andreas Klappenecker

Principles of Programming Languages Lecture 13: Paradigms: Logic Programming.

Selecting Topics for Web Resource Discovery: Efficiency Issues in a Database Approach +

A Haskell and Information Flow Control Approach to Safe Execution of Untrusted Web Applications

Lecture 5 - Axiomatic semantics

CSC 742 Database Management Systems

[Ch 6] Set Theory. 1. Basic Concepts and Definitions. 400 lecture note #4. 1) Basics

CMPS 277 Principles of Database Systems. Lecture #3

Transcription:

CS590U Access Control: Theory and Practice Lecture 18 (March 10) SDSI Semantics & The RT Family of Role-based Trust-management Languages

Understanding SPKI/SDSI Using First-Order Logic Ninghui Li and John C. Mitchell International Journal of Information Security. Preliminary version in CSFW 2003.

What is a Semantics? Elements of a semantics syntax for statements syntax for queries an entailment relation that determines whether a query Q is true given a set P of statements 3

Why a Formal Semantics? What can we gain by a formal semantics understand what queries can be answered defines the entailment relation in a way that is precise, easy to understand, and easy to compute How can one say a semantics is good subjective metrics: simple, natural, close to original intention defines answers to a broad class of queries can use existing work to provide efficient deduction procedures for answering those queries 4

Summary of SDSI Semantics Rewriting based can answer queries such as can one string rewrites into another one Set based can answer queries such as which principals are in the valuation of a string Logic programming based First-Order Logic based 5

A Logic-Programming-based Semantics Translate each 4-tuple into a LP clause Using a ternary predicate m m(k, A, K ) is true if K V (K A) (K A K ) (K A K 1 A 1 ) to m(k, A, K ) to m(k, A,?x) :- m(k 1, A 1,?x) (K A K 1 A 1 A 2 ) to m(k,a,?x) :- m(k 1,A 1,?y 1 ), m(?y 1,A 2,?x) (K A K 1 A 1 A 2 A 3 ) to m(k,a,?x) :- m(k 1,A 1,?y 1 ), m(?y 1,A 2,?y 2 ), m(?y 2,A 3,?x) The minimal Herbrand model determines the semantics 6

Example From To (k C mit k M ) (k M faculty k EECS faculty) (k C access k C mit faculty secretary) m(k C, mit, k M ). m(k M, faculty, Z) :- m(k EECS, faculty, Z). m(k C, access, Z) :- m(k C, mit, Y 1 ), m(y 1, faculty, Y 2 ), m(y 2, secretary, Z). 7

Set semantics is equivalent to LP semantics The least Herbrand model of SP[P] is equivalent to the least valuation, i.e., K V P (K A) iff. m(k,a,k ) is in the least Herbrand model of SP[P] Same limitation as set-based semantics does not define answers to containment between arbitrary name strings 8

An Alternative Way of Defining the LP-based Semantics (1) Define a macro contains contains[ω][k ] means that K V (ω) contains[k][k ] (K= K ) contains[k A][K ] m(k, A, K ) contains[k A 1 A 2 A n ][K ] $y (m(k, A 1, y) contains[y A 2 A n ][K ]) where n>1 9

An Alternative Way of Defining the LP-based Semantics (2) Translates a 4-tuple (K A ω) into a FOL sentence z (contains[k A][z] contains[ω][z]) This sentence is also a Datalog clause A set P of 4-tuples defines a Datalog program, denoted by SP[P] The minimal Herbrand model of SP[P] defines the semantics 10

An Example of Translation From (K C access K C mit faculty secretary) to z ( contains[k C access][z] contains[k C mit faculty secretary][z] ) to z ( m(k C, access, z) $y 1 (m(k C, mit, y 1 ) contains[y 1 faculty secretary][z] ) to z y 1 (m(k C, access, z) m(k C, mit, y 1 ) y 2 (m(y 1, faculty, y 2 ) contains[y 2 secretary] [z] ) to z y 1 y 2 (m(k C, access, z) m(k C, mit, y 1 ) m(y 1, faculty, y 2 ) m(y 2, secretary, z]) ) 11

A First-Order Logic (FOL) Semantics A set P of 4-tuples defines a FOL theory, denoted by Th[P] A query is a FOL formula ω 1 rewrites into ω 2 is translated into z (contains[ω 1 ][z] contains[ω 2 ][z]) Other FOL formulas can also be used as queries Logical implication determines semantics 12

FOL Semantics is Extension of LP Semantics LP semantics is FOL semantics with queries limited to LP queries m(k,a,k ) is in the least Herbrand model of SP[P] iff. Th[P] = m(k,a,k ) 13

Equivalence of Rewriting Semantics and FOL Semantics Theorem: for string rewriting queries, the string rewriting semantics is equivalent to the FOL semantics Given a set P of 4-tuples, it is possible to rewrite ω 1 into ω 2 using the 4-tuples in P if and only if Th[P] ² "z (contains[ω 1 ][z] contains[ω 2 ][z]) 14

Advantages of FOL semantics: Computation efficiency A large class of queries can be answered efficiently using logic programs including rewriting queries e.g., whether ω rewrites into K B 1 B 2 under P can be answered by determining whether SP[P (K A ω) (K B 1 K 1 ) (K 1 B 2 K 2 )] ² m(k,a, K 2 ) where K, K 1, and K 2 are new principals this proof procedure is sound and complete this result also follows from results in proof theory regarding Harrop Hereditary formulas 15

Advantages of FOL semantics: Extensibility Additional kinds of queries can be formulated and answered, e.g., z (m(k 1, A 1, z) m(k 1, A 2, z)) z (m(k 2, A 1, z) m(k 2, A 2, z)) Additional forms of statements can be easily handled, e.g., (K A K 1 A 1 K 2 A 2 ) maps to z (m(k,a,z) m(k 1,A 1,z) m(k 2,A 2,z)) 16

Summary: 4 Semantics for SDSI String Rewriting: difficult to extend Set: limited in queries First-Order Logic Logic Programming 17

Advantages of FOL Semantics: Summary Simple captures the set-based intuition defined using standard FOL Extensible additional policy language features can be handled easily allow more meaningful queries Computation efficiency 18

Design of A Role-based Trustmanagement Framework Ninghui Li, John C. Mitchell & William H. Winsborough IEEE S&P 2002

Features of the RT family of TM languages Expressive delegation constructs Permissions for structured resources A tractable logical semantics based on Constraint Datalog Strongly-typed credentials and vocabulary agreement Efficient deduction with large number of distributed policy statements Security analysis 20

Expressive Features (part one) I. Simple attribute assignment StateU.stuID Alice II. III. IV. Delegation of attribute authority Attribute inferencing StateU.stuID COE.stuID EPub.access EPub.student Attribute-based delegation of authority EPub.student EPub.university.stuID 21

Expressive Features (part two) V. Conjunction EPub.access EPub.student ACM.member VI. Attributes with fields StateU.stuID (name=.., program=.., ) Alice EPub.access StateU.stuID(program= graduate ) VII. Permissions for structured resources e.g., allow connection to any host in a domain and at any port in a range 22

The Languages in the RT Framework RT T : for Separation of Duties RT 0 : Decentralized Roles RT 1 : Parameterized Roles RT D : for Selective Use of Role memberships RT 2 : Logical Objects RT 1C : structured resources RT 2C : structured resources RT T and RT D can be used (either together or separately) with any of the five base languages: RT 0, RT 1, RT 2, RT 1C, and RT 2 C 23

RT 1 = RT 0 + Parameterized Roles Motivations: to represent attributes that have fields, e.g., digital ids, diplomas relationships between principals, e.g., physicianof, advisorof role templates, e.g., project leaders Approach: a role term R has a role name and a list of fields 24

RT 1 (Examples) Example 1: Alpha allows manager of an employee to evaluate the employee: Alpha.evaluatorOf(employee=y) Alpha.managerOf(employee=y) Example 2: EPub allows CS students to access certain resources: EPub.access(action= read, resource= file1 ) EPub.university.stuID(dept= CS ) 25

RT 1 (Technical Details) A credential takes one of the following form: 1. K.r(h 1,..., h n ) K 2 2. K.r(h 1,..., h n ) K 1.r 1 (s 1,..., s m ) 3. K.r(h 1,..., h n ) K.r 1 (t 1,..., t L ).r 2 (s 1,..., s m ) 4. K.R K 1.R 1 K 2.R 2... K k.r k Each variable must have a consistent data type across multiple occurrences can have zero or more static constraints must be safe, i.e., must appear in the body 26

Semantics and Complexity for RT 1 LP semantics makes each role name a predicate E.g., K.r(h 1,, h n ) K 1.r 1 (s 1,, s m ) translates to r(k, h 1,, h n,?x) :- r 1 (K 1, s 1,, s m,?x) Apply known complexity results: The atomic implications of SP(P ) can be computed in O(N v+3 ) v is the max number of variables per statement Each role name has a most p arguments N = max(n 0, pn 0 ), N 0 is the number of statements in P 27

RT 2 = RT 1 + Logical Objects Motivations: to group logically related objects together and assign permissions about them together Approach: introducing o-sets, which are similar to roles, but have values that are sets of things other than entities defined through o-set definition credentials, which are similar to role-definition credentials in RT 1 28

RT 2 (Examples) Example 1: Alpha allows members of a project team to read documents of this project Alpha.documents(projectB) design_doc_for_projectb Alpha.team(projectB) Bob Alpha.fileAccess(read,?F Alpha.documents(?proj)) Alpha.team(?proj) Example 2: Alpha allows manager of the owner of a file to access the file Alpha.read(?F) Alpha.manager(?E Alpha.owner(?F)) 29

RT T: Supporting Threshold and Separation-of-Duty Threshold: require agreement among k principals drawn from a given list SoD: requires two or more different persons be responsible for the completion of a sensitive task want to achieve SoD without mutual exclusion, which is nonmonotonic Though related, neither subsumes the other RT T introduces a primitive that supports both: manifold roles 30

Manifold Roles While a standard role is a set of principals, a manifold role is a set of sets of principals A set of principals that together occupy a manifold role can collectively exercise privileges of that role Two operators:?,? K 1.R 1? K 2.R 2 contains sets of two distinct principals, one a member of K 1.R 1, the other of K 2.R 2 K 1.R 1? K 2.R 2 does not require them to be distinct 31

RT T (Examples) Example 1: require a manager and an accountant K.approval K.manager K.accountant members(k.approval) {{x,y} x K.manager, y K.accountant} Example 2: require a manager and a different accountant K.approval K.manager K.accountant members(k.approval) {{x,y} x y, x K.manager, y K.accountant} 32

RT T (Examples) Example 3: require three different managers K.approval K.manager K.manager K.manager members(k.approval) {{x,y,z} x y z K.manager} 33

RT T Syntax Manifold roles can be used in basic RT statements Also add two new types of policy statement K.R K 1.R 1? K 2.R 2?? K k.r k members(k.r)? {s 1?? s k s i?members(k i.r i ) for 1 = i = k } K.R K 1.R 1? K 2.R 2?? K k.r k members(k.r)? {s 1?? s k (s i?members(k i.r i ) & s i n s i? Ø) for 1 = i? j = k } 34

RT T Complexity ADSD must declare a size for each manifold role Given a set P of RT T statements, let t be the maximal size of all roles in P. The atomic implications of P can be computed in time O (MN v+2t ). 35

Implementation and Application Status of RT Java Implementation of inference engine for RT 0 Preliminary version of RTML an XML-based Encoding of RT statements XML Schemas and parser exist Used in an ATN demo Applications U-STOR-IT: Web-based file storage and sharing August: A Distributed Calendar Program Automated Trust Negotiation Demo by NAI 36

Next Lecture Security analysis in Trust Management 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback