OASIS: Architecture, Model and Management of Policy

Similar documents
An Architecture for Distributed OASIS Services

Policy Storage for Role-Based Access Control Systems

Meta-Policies for Distributed Role-Based Access Control Systems

TRUST IDENTITY. Trusted Relationships for Access Management: AND. The InCommon Model

Event-Based Middleware: A New Paradigm for Wide-Area Distributed Systems?

Integrating SysML and OWL

Liberty Alliance Project

National Identity Exchange Federation. Terminology Reference. Version 1.0

Approved 10/15/2015. IDEF Baseline Functional Requirements v1.0

Revocation Schemes for Delegated Authorities

The Maude LTL Model Checker and Its Implementation

Identity Provider for SAP Single Sign-On and SAP Identity Management

Grid Security Policy

March 2, Homepage:

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

Federating Heterogeneous Event Services

Announcements. me your survey: See the Announcements page. Today. Reading. Take a break around 10:15am. Ack: Some figures are from Coulouris

Pattern composition in graph transformation rules

Programming Languages Third Edition

COURSE OUTLINE: OD10961B Automating Administration with Windows PowerShell

U.S. Department of Defense. High Level Architecture Interface Specification. Version 1.3

Lesson 13 Securing Web Services (WS-Security, SAML)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

An Attribute-Based Access Matrix Model

Identity-based Access Control

DEPARTMENT OF COMPUTER SCIENCE

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Leslie Lamport: The Specification Language TLA +

Canadian Access Federation: Trust Assertion Document (TAD)

1. Federation Participant Information DRAFT

Canadian Access Federation: Trust Assertion Document (TAD)

Intercloud Security. William Strickland COP 6938 Fall 2012 University of Central Florida 10/08/2012

Monitoring the Behaviour of Distributed Systems

UNICORE Globus: Interoperability of Grid Infrastructures

FIPA Agent Software Integration Specification

Canadian Access Federation: Trust Assertion Document (TAD)

How to Make a Correct Multiprocess Program Execute Correctly on a Multiprocessor

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

Type systems. Types in access control and privacy. Outline. 1. Dynamic Web Data. p-calculus Dp XDp

Fortgeschrittene objektorientierte Programmierung (Advanced Object-Oriented Programming)

Problems in Reputation based Methods in P2P Networks

(1) Jisc (Company Registration Number ) whose registered office is at One Castlepark, Tower Hill, Bristol, BS2 0JA ( JISC ); and

On the BEAM Implementation

From DSS to MILS (Extended Abstract)

Automatic Verification of Closures and Lambda-Functions in Python Master s Thesis Project Description

COMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University

Flight Systems are Cyber-Physical Systems

Advanced Access Control. Role-Based Access Control. Common Concepts. General RBAC Rules RBAC96

Wescom Solutions, Inc. Practitioner Engagement Android Version CFR EPCS Certification Report

Introduction to OpenOnload Building Application Transparency and Protocol Conformance into Application Acceleration Middleware

City, University of London Institutional Repository

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

On Object Orientation as a Paradigm for General Purpose. Distributed Operating Systems

The design of a programming language for provably correct programs: success and failure

Conceptual Database Modeling

ECA Trusted Agent Handbook

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

KeyNote: Trust Management for Public-Key. 180 Park Avenue. Florham Park, NJ USA.

Overview of Akamai s Personal Data Processing Activities and Role

Dynamic Information Management and Exchange for Command and Control Applications

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Covert Identity Information in Direct Anonymous Attestation (DAA)

Security in the Web Services Framework

Incremental Runtime Verification of Probabilistic Systems

A Framework for Enforcing Constrained RBAC Policies

Analysis Techniques. Protocol Verification by the Inductive Method. Analysis using theorem proving. Recall: protocol state space.

Operational Semantics

Distributed Systems Programming (F21DS1) Formal Verification

PERMIS An Application Independent Authorisation Infrastructure. David Chadwick

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Monitoring Choreographed Services

Applying the Semantic Web Layers to Access Control

Implementing Trusted Digital Repositories

ABSTRACT. Web Service Atomic Transaction (WS-AT) is a standard used to implement distributed

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Substitution in Structural Operational Semantics and value-passing process calculi

Proving the Correctness of Distributed Algorithms using TLA

Annotation Component in KiWi

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

10961B: Automating Administration with Windows PowerShell

[MS10961]: Automating Administration with Windows PowerShell

Verfying the SSH TLP with ProVerif

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Language-Based Information- Flow Security

Konstantinos Sagonas and Michael Leuschel. ACM Computing Surveys, Vol. 30, No. 3es, September 1998

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Knowledge representation Semantic networks and frames

Identity Mixer: From papers to pilots and beyond. Gregory Neven, IBM Research Zurich IBM Corporation

eidas Interoperability Architecture Version November 2015

COMPUTATIONAL SEMANTICS WITH FUNCTIONAL PROGRAMMING JAN VAN EIJCK AND CHRISTINA UNGER. lg Cambridge UNIVERSITY PRESS

Doctoral Studies and Research Proposition. Diversity in Peer-to-Peer Networks. Mikko Pervilä. Helsinki 24 November 2008 UNIVERSITY OF HELSINKI

Lecture 6. Abstract Interpretation

Formal Modeling for Persistence Checking of Signal Transition Graph Specification with Promela

CS 395T. Analyzing SET with Inductive Method

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Techniques for the unambiguous specification of software

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

DATA PROTECTION POLICY THE HOLST GROUP

Transcription:

OASIS: Architecture, Model and Management of Policy Ken Moody Computer Laboratory, University of Cambridge

1 Overview OASIS : Architecture, Model and Policy 1. background to the research people, projects (motivation - EHRs for the UK NHS) 2. fundamentals of OASIS architecture Role-Based Access Control with parameters Interoperation of Federated Services Support for Active Security 3. establishing a useful Model for OASIS Many-sorted First-Order Predicate Calculus 4. database and meta-data support for distributed applications development of an active predicate store on top of PostgreSQL active policy management, meta-policies and verification 5. FUTURE WORK

2 Experimenting with OASIS people OPERA Group Computer Lab, Cambridge (UK) Jean Bacon, Ken Moody (Faculty) John H Hine sabbatical visitor, 1999 VU of Wellington (NZ) PhD students Walt Yao, Wei Wang (employed on EPSRC grants) András Belokosztolszki, David Eyers (independently funded) Nathan Dimmock, Brian Shand (Trust-based access control) research grants relating more or less specifically to RBAC (EPSRC) evaluating the use of OASIS for EHRs in the UK NHS (EPSRC) using an active database to manage access control policy (EU Framework 5) SECURE Trust-based AC for wide-area computing

3 OASIS Access Control you've gotta ROLL with it.. (pop culture) principals (clients?) PERSISTENT typically a person or job-title named by e.g. NHS_number TRANSIENT a computer process or agent named by e.g. session_public-key scalability of POLICY expression classify clients by ROLE (parametrised?), ROLE names specific to each service e.g. doctor, logged-in_user ("Fred") potential for giving client anonymity if required specify control of access in terms of ROLEs (of this and possibly other services) as held by TRANSIENT PRINCIPALs each service defines its own rules for ROLE entry

4 Long-lived rights for PERSISTENT PRINCIPALs APPOINTMENTs (bound to PERSISTENT NAMEs) grant entry to a new ROLE conditionally on OTHER ROLEs held + constraints on their parameters administered via specific ROLE(s) (direct expression of management policy?) Managing ROLE MEMBERSHIP and APPOINTMENT CREDENTIALs via a signed certificate ("capability"), format determined by the issuing service issued to and managed by a principal, TRANSIENT or PERSISTENT a credential record (maintained at the issuing service) asserts the validity of each issued certificate linked to the active conditions for ROLE membership enables rapid and selective revocation + dependent on asynchronous notification

5 A service secured by OASIS access control Principal 1 2 credentials RMC Role Entry Policy Credential Records Access Control 3 4 RMC OASIS secured service RMC = role membership certificate = role entry = use of service

Issuing and Using Appointment Certificates 6 1 credentials Principal A 2 RMC 6 AC 3 RMCs 5 AC RC Principal B Role Entry Credential Records Access Control Policy 4 AC issuing service 1. principal A enters role AC-issuer 2. RMC as AC-issuer returned 3. AC-issuer requests an AC for principal B 4. validated request passed on 5. AC and RC returned to principal A 6. principal A passes AC to principal B but keeps RC Principal B 7 8 credentials RMC Role Entry Policy............. 7. principal B enters a role using AC as one credential Credential Records Access Control 9 10 RMCs OASIS secured service 8. RMC returned to principal B 9, 10. standard use of OASIS secured service RMC = role membership certificate, AC = appointment certificate, RC = revocation certificate = obtaining and using credentials for role entry = use of service

Overall EHR Architecture 7 to audit warehouses Audit Service Naming & Location Services Index Service index component creation Patient data generation Client browser Web Server Patient data storage reliable message transport service secured with Oasis access control reliable, distributed, replicated national services data-provider architecture end systems including legacy systems

8 The OASIS Model Based on Many-Sorted First Order Predicate Calculus sorts correspond to the datatypes in parameter value domains predicate constants are interpreted as access control system entities + environmental constraints which test context rules are conjunctive (non-recursive Horn clauses) Many-Sorted algebra of terms (no surprises) + function symbols context sensitive + constants 0-ary functions (e.g. current_time) syntax for parameter slots depends on the predicate type and the position in the rule can include named variables as parameters (modes in- and out- ) variable instances must match during rule interpretation (unification) no theorem proving required, an efficient plan can be derived statically

9 Predicates taking part in rule evaluation Access Control System Entities Role Membership Certificates have typed parameters Appointment Certificates also have typed parameters Privileges ( correspond to e.g. method invocations ) granularity of privileges may be coarser Environmental Constraints standard example is database lookup ( use modes in- and out- ) explicit predicates for testing time ( various aspects ) for efficiency require support from an active platform ( COBEA ) in order to support role membership conditions also helpful for caching authorising conditions

10 Role Activation Rules Syntax r, r *,... a, a,... e, e *,... 1 2 1 2 1 2 T r where each r is a Role Membership Certificate predicate i and each a is an Appointment Certificate predicate j and each e is an Environmental Constraint k These are the preconditions ( * indicates that the condition must remain valid ) + r is the Target Role T Interpretation r i and a j are simply matched against the required certificates e invoke predicates to test the current context ( e.g. active database ) k matched parameters give values for slots in the Target RMC

11 Authorisation Rules Syntax r, e, e,... p 1 1 2 T where r is the authorising Role Membership Certificate 1 and each e is an Environmental Constraint k These are the authorising conditions. + Here p is the Target Privilege Instance T Interpretation the Target Privilege Instance is derived from the invocation parameter values are set by pattern matching from r and p 1 T can cache values of e with support from an active platform k

12 Aims of the OASIS Model High-level goals the rules should express policy precisely, and it should be explicable the model should act as a target for high-level policy languages + have experimented with Attempto controlled English the consistency of policies derived from multiple sources should be decidable it must be easy to provide tools to support managers of applications + support for interoperation across changes of policy locally + via active predicate extension to the PostgreSQL DBMS rule evaluation must be efficient ( particularly for authorization ) + static analysis to establish a plan for parameter matching + caching of results of environmental predicates System-related goals continuous monitoring of security conditions use snapshot semantics to reason about policy (no explicit transitions) use platform properties to reason about the behaviour under partition

13 Work in progress related to the OASIS Model Supporting a federation of management domains applications such as EHRs must accept policy from multiple sources require tools so that applications can discover how to obtain privileges require conventions for naming external environmental constraints must check consistency of policies derived from multiple sources + generate a policy synthesis automatically Use of an active predicate store coordinating policy change in a federated management structure + automatic generation of Service Level Agreements storing access control meta-data to support a policy adviser + for policy administrators, application programmers implementing environmental predicates efficiently for authorization

14 The problems of reasoning within the OASIS Model Expressive power of the computational model in general environmental constraints can express arbitrary computations + hence environmental predicates are not in general decidable + but support in active PostgreSQL extensions for binary relations + conjunctive form of rules predicates can only restrict access need for decidable sublanguages to express e.g. temporal constraints opaqueness of the binding of predicates to their implementations need for a formal specification (assertion) of the properties of predicates + requires integration into the policy store technology Implicit behaviour of the active platform monitoring membership conditions requires a notification mechanism + mustn't be any side effects on the Access Control System validity of external predicates depends on the integrity of the network + network partition is detected using a heartbeat protocol in what sense is the procedure of falsification under partition a safe one?

15 Meta-policies as a means of coordinating a policy federation Reference: András Belokosztolszki and Ken Moody Meta-Policies for Distributed Role-Based Access Control Systems, Proc. Policy 2002 (Monterey, June 2002), IEEE CS Press, pp. 106-115. Intuition behind our approach to meta-policies (decidable and compositional) formalization of an interface specification at policy level + specify invariance properties to which local managers must comply + allow certification of participants in a federated application (NHS) + provide a stable framework to support interoperation of domains components comprising the formal specification of a meta-policy + type system information data types, objects, functions + access control system signatures roles, appointments Current progress with the experimental framework ( proving hard! ) matching policy instances against a meta-policy (checking compliance) managing service level agreements automatically across change of policy

16 This talk: Other talks: http://www.cl.cam.ac.uk/~km/uofhull-talk.pdf http://www.cl.cam.ac.uk/~km/active_db-ab.pdf http://www.cl.cam.ac.uk/~km/mw2000-talk.pdf http://www.cl.cam.ac.uk/~km/mw2001-talk.pdf http://www.cl.cam.ac.uk/~km/nl_policy.pdf Computer Laboratory OPERA Group Web pages http://www.cl.cam.ac.uk/research/srg/opera/publications/index.html (all of these papers can be downloaded from the publications pages) Research Overviews Jean Bacon, Ken Moody, John Bates, Richard Hayton, Chaoying Ma, Andrew McNeil, Oliver Seidel, Mark Spiteri, "Generic Support for Distributed Applications" Jean Bacon, Ken Moody, IEEE Computer, March 2000, pp. 68-76. "Towards Open, Secure, Widely Distributed Services" Communications of the ACM, June 2002, pp. 59-64.

Other papers most relevant to this talk 17 R. Hayton, J. Bacon, and K. Moody ARCHITECTURE "OASIS: Access Control in an Open, Distributed Environment" Proc IEEE Symposium on Security and Privacy, Oakland CA, May 1998, pp. 3-14. J. Hine, W. Yao, J. Bacon, and K. Moody "An Architecture for Distributed OASIS Services" Proceedings of Middleware2000, LNCS 1795, Springer-Verlag, Heidelberg and New York, April 2000, pp. 107-123. J. Bacon, M. Lloyd, and K. Moody "Translating Role-based Access Control within Context" Proceedings of Policy2001, LNCS 1995, Springer-Verlag, Heidelberg and New York, Jan 2001, pp. 107-119. J. Bacon, K. Moody, and W. Yao (expanded from SACMAT 2001) MODEL "A Model of OASIS Role-Based Access Control and its Support for Active Security" ACM TISSEC, Vol. 5, No. 4, November 2002, pp. 492-540. J. Bacon, K. Moody, and W. Yao IMPLEMENTATION "Access Control and Trust in the Use of Widely Distributed Services" Proceedings of Middleware2001, LNCS 2218, Springer, Nov 2001, pp. 295-310.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback