Policy Management - PowerPoint PPT Presentation

Slides: 29
Provided by: dan45

1
Policy Management
  • Elisa Bertino, Ninghui Li (Purdue U.)
  • Anupam Joshi (UMBC)
  • Ravi Sandhu (UTSA)

2
Research Goals
  • Identify the types of policy relevant to AISL
  • Develop corresponding languages and formal models
  • Implement policy languages
  • Develop relevant policy tools to support the
    policy lifecycle
  • Develop policy scenarios

3
Types of Policy
  • Access control policies
      • Controlling who is accessing which data
  • Accountability policies
      • Controlling how data is used and modified
  • Trust policies
      • Specifying criteria to determine which party to
        trust for what data/resource

4
Policy Lifecycle Diagram
  • Develop new policy languages
  • Extend current policy languages
  • Develop formal models
  • Policy refinement
  • Policy integration
  • Policy versioning
  • Identify analysis types
  • Develop tools

Specification
Analysis
  • Collaborative enforcement (possibly
    privacy-preserving)
  • Safe approximation
  • Enforcement in information group-based sharing
  • Enforcement in information dissemination-centric
    sharing

Deployment Enforcement
5
Policy Refinement
  • Each refinement step must meet the following
    criteria [Karat08]:
      • Correct: The set of refined policies correctly
        implements the higher-level policy.
      • Consistent: The refinement must not lead to
        conflicts between the derived policies or the
        other policies existing in the system.
      • Valid: The policies must be enforceable in the
        system context to which they will be applied.
      • Minimal: All policies in the derived policy set
        must be required for the correctness of the
        refinement.

[Karat08] J. Karat, C.M. Karat, E. Bertino, N. Li, Q. Ni,
C. Brodie, J. Lobo, S.B. Calo, L.F. Cranor, P.
Kumaraguru, P. Reeder, "Policy Framework for
Security and Privacy Management," to appear in
IBM Systems Journal, 2008.
6
Current Results
EXAM: Environment for XACML policy Analysis and
Management
EXAM is a comprehensive environment for analyzing
and managing access control policies. It supports
acquisition, editing and retrieval of policies in
addition to policy property analysis, policy
similarity analysis and policy integration.
7
Motivation
Need for tools for managing and analyzing
policies!
8
XACML
  • EXtensible Access Control Markup Language.
  • XML-based
  • OASIS standard language for the specification of
    access control policies.
  • Expresses many policies of interest to real-world
    applications

9
EXAM Overview Architecture

Query Dispatcher
PolicySimilarity Filter
Policy Integration Framework
Policy Similarity Analyzer
10
EXAM Overview Queries
Policy Analysis Query types (diagram labels):
  • Metadata Query
  • Content Query
  • Effect Query
  • Multiple-Policy Query
  • Single-Policy Query
  • Discrimination Query
  • Property Verification Query
  • Common Property Query

<Policy ID=Pol1>
  <Rule ID=R11 Effect=Permit>
    <Target>
      <Subject> domain ? .edu </Subject>
      <Resource> FileA </Resource>
      <Action> Read </Action>
    </Target>
    <Condition> 800 < Time < 2200 </Condition>

<Policy ID=Pol2>
  <Rule ID=R11 Effect=Permit>
    <Target>
      <Subject> domain ? .edu OR affiliation = IBM </Subject>
      <Resource> FileA </Resource>
      <Action> Read </Action>
    </Target>
    <Condition> 600 < Time < 2000 </Condition>

Example queries:
  • Does policy Pol2 deny read access on FileA
    between 10pm and 12am?
  • Find all requests permitted by both policies Pol1
    and Pol2.
  • Find all requests which are permitted by Pol1 but
    denied by Pol2.
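
The three example queries above can be answered for Pol1 and Pol2 by brute-force enumeration over a small request space. This is an added example, not EXAM code or part of the presentation (EXAM uses MTBDDs rather than enumeration); the sampled domains, the reading of "domain ? .edu" as equality, and treating a non-permitted request as denied are assumptions.

```python
from itertools import product

# Constructed request space (assumption): hourly sample times in HHMM form,
# two subject domains and two affiliations. Resource and action are fixed.
HOURS = range(0, 2400, 100)
DOMAINS = (".edu", ".com")
AFFILIATIONS = ("IBM", "none")

def pol1(req):
    """Pol1/R11: Permit for domain .edu when 800 < Time < 2200."""
    ok = req["domain"] == ".edu" and 800 < req["time"] < 2200
    return "Permit" if ok else "NotApplicable"

def pol2(req):
    """Pol2/R11: Permit for domain .edu OR affiliation IBM when 600 < Time < 2000."""
    subject_ok = req["domain"] == ".edu" or req["affiliation"] == "IBM"
    ok = subject_ok and 600 < req["time"] < 2000
    return "Permit" if ok else "NotApplicable"

def requests():
    """Every Read request on FileA in the constructed space."""
    for d, a, t in product(DOMAINS, AFFILIATIONS, HOURS):
        yield {"domain": d, "affiliation": a, "time": t}

def permitted(policy):
    return {(r["domain"], r["affiliation"], r["time"])
            for r in requests() if policy(r) == "Permit"}

def common_property():
    """Requests permitted by both Pol1 and Pol2."""
    return permitted(pol1) & permitted(pol2)

def discrimination():
    """Requests permitted by Pol1 but not by Pol2 (denied under deny-by-default)."""
    return permitted(pol1) - permitted(pol2)

def property_verification(lo=2200, hi=2400):
    """True if Pol2 permits no request with lo <= Time < hi (10pm to 12am)."""
    return not any(lo <= t < hi for _, _, t in permitted(pol2))

def explicit_denies(policy):
    """Requests for which the policy itself returns Deny."""
    return [r for r in requests() if policy(r) == "Deny"]
```

Neither policy contains a Deny rule, so `explicit_denies(pol2)` is empty: the answer to "does Pol2 deny" depends on how NotApplicable is resolved by the enforcement point or the combining algorithm.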
11
Policy Similarity Analysis
  • Goal
      • Characterize the relationships among the sets of
        requests respectively authorized by a set of
        policies.
  • Two techniques
      • Policy Similarity Filter
          • Less precise, faster.
      • Policy Similarity Analyzer
          • Precise, slower.

12
EXAM Overview Architecture

Query Dispatcher
PolicySimilarity Filter
Policy Integration Framework
Policy Similarity Analyzer
13
Policy Similarity Filter
  • Quick and less precise.
  • Inspired by Information Retrieval (IR)
    techniques.
  • Policy similarity measure
      • Assigns a similarity score between two policies.
  • Typical applications
      • A quick filter phase to prune the set of policies
        to be analyzed by the precise policy similarity
        technique.
      • A distance function for clustering policies.

14
Techniques - Overview
Target Similarity
Permit Rule Set Similarity
Deny Rule Set Similarity
$S_{policy}(P_1, P_2) = w_t S_T + w_p S^P_{rule\text{-}set} + w_d S^D_{rule\text{-}set}$
15
Rule Set Similarity
  • The rule set similarity scores, $S^P_{rule\text{-}set}$ and
    $S^D_{rule\text{-}set}$, are computed by averaging the
    similarity scores obtained between individual
    rules in the permit and deny rule sets.
  • To obtain the individual rule similarity score,
    we compare each rule in one policy with a set of
    similar rules in another policy.
  • Only similarity scores that are above a certain
    threshold ? are considered for computation of
    rule similarity.

16
Similarity between Two Rules
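Elements of RULE_i and their similarity scores:
  • SUBJECT: $S_S(r_i, r_j)$
  • RESOURCE: $S_R(r_i, r_j)$
  • ACTION: $S_A(r_i, r_j)$
  • CONDITION: $S_C(r_i, r_j)$

$S_t(r_i, r_j) = w_s S_S(r_i, r_j) + w_r S_R(r_i, r_j) + w_a S_A(r_i, r_j)$
$S_{rule}(r_i, r_j) = w_t S_t(r_i, r_j) + w_c S_C(r_i, r_j)$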
17
Similarity between Two Rule Elements (S<ELEMENT>)
  • Each rule element (Subject, Resource, Action and
    Condition) is represented as a set of (attribute,
    value) pairs of the form
      • (attr_name1, attr_value1), (attr_name2,
        attr_value2)
  • Attribute values are distinguished as categorical
    and numerical.
      • Categorical values belong to some domain-specific
        ontology.
      • Numerical values belong to the integer, real
        or date/time data types.
  • S<ELEMENT> between two rule elements is computed
    by comparing the corresponding attribute-value
    pairs

18
Similarity score for categorical values
1.3.2
19
Similarity score for numerical values
  • The similarity between two numerical values is
    computed based on their difference.

Snumerical(v1, v2) v1 - v2
Max(v1, v2)
20
Example
DATA OWNER POLICY 2
DATA OWNER POLICY 1
0

0.71
21
Example
RESOURCE OWNER POLICY 3
DATA OWNER POLICY 1
0.4
22
EXAM Overview Architecture

Query Dispatcher
PolicySimilarity Filter
Policy Integration Framework
Policy Similarity Analyzer
23
Policy Similarity Analyzer (PSA)
  • Uses a Multi-Terminal Binary Decision Diagram
    (MTBDD) based representation of a policy.
  • Combines model-checking and satisfiability
    checking to perform similarity analysis on
    policies with different types of constraints on
    attributes
      • One-variable equality constraints
          • Affiliation = IBM, Role != Student
      • One-variable inequality constraints
          • Age < 50, 8 < Time < 22
      • Linear constraints
          • Bonus 2 Salary < 250000
      • Compound Boolean constraints
          • (Nationality = US ? Clearance = High)

24
MTBDD - Multi-Terminal Binary Decision Diagram
  • Rooted, directed acyclic graph.
  • Represents functions of the form $f: B^n \to R$
  • In a policy MTBDD internal nodes represent the
    predicates on attributes and the terminals denote
    the policy decisions Permit, Deny or
    NotApplicable.

<Policy ID = Pol1>
  <Rule Effect = Permit>
    <Target>
      <Resource> (fileName = fileA) </Resource>
      <Condition> (time < 1700 ? age > 18) </Condition>
    </Target>
  </Rule>
</Policy>

Pol1 Permit (fileName = fileA) ? (time < 1700
? age > 18)?
25
Policy Similarity Analyzer (PSA)
  • Performs the following steps
      • Policy preprocessing
          • Unified node and auxiliary rule generation
          • Policy transformation
      • MTBDD construction
          • Transform each policy into an MTBDD
      • Policy comparison
          • Combine policy MTBDDs and perform comparison

26
Policy Comparison
[Figure labels: P1, P2, Auxiliary Rule; MTBDD (three); CMTBDD]
27
EXAM Overview Architecture

Query Dispatcher
PolicySimilarity Filter
Policy Integration Framework
Policy Similarity Analyzer
28
Policy Integration
  • A Fine-grained Integration Algebra (FIA)
      • 3-valued (Permit, Deny, NotApplicable)
      • Specify behavior at the granularity of requests
        and effects
      • Restrict domain of applicability
      • Support expressive policy languages like XACML
  • Framework for specifying integration constraints
    and generating integrated policies.
      • MTBDD-based implementation of FIA
      • Generation of integrated policy in XACML syntax.

29
Fine-grained Integration Algebra (FIA)
  • Vocabulary of attribute names and domains
  • Policy constants: Permit policy, Deny policy
  • Unary operators: Negation, Domain Projection
  • Binary operators: Addition, Intersection
30
FIA - Theoretical Results
  • Expressivity
      • FIA can express all XACML policy combining
        algorithms
      • FIA can express policy jumps
      • FIA can model closed policies and open policies
  • Completeness
      • A completeness notion has been developed, based
        on the concept of a policy combination matrix, and
        FIA is complete with respect to this notion
  • Minimality
      • Identification of the minimal complete subsets of
        the FIA operators

31
P1
MTBDD

P2
Addition
32
XACML Policy Generation
PolicyID = Example
<RuleID=R1 Effect=Permit>
  <Target>
    <Subject pos=manager \>
    <Action act=read \>
  <\Target>
<\Rule>
[MTBDD figure labels: pos=manager (1, 0), act=read (1, 0), Y]
33
Next Steps
  • Develop visualization techniques for policy
    analysis results
  • Extend EXAM with a tool for synonym dictionary
    management, ontologies

34
Novel Reference XACML Architecture for
Multi-party collaborative Enforcement
Policy Authoring
Decomposition Constraint
constraint
Request Dispatcher/ Decision Coordinator
Policy Decomposition

PDP
PDP
Local Policy Repository
Local Policy Repository
35
Extending XACML for Multi-party collaborative
Enforcement
  • Combining policies is necessary in AISL
  • XACML has several fixed Policy Combining
    Algorithms (PCAs) for combining policies
      • deny-overrides, permit-overrides,
        first-applicable, only-one-applicable
  • We propose the Policy Combining Language (PCL)
      • allows expression of useful new PCAs
          • e.g., weak consensus, strong consensus, weak
            majority, and strong majority
      • elegantly handles policy evaluation errors
      • is fully backward compatible with XACML
      • enables optimized evaluation using automata theory
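
The four fixed XACML combining algorithms named above can give four different answers for the same set of per-policy decisions, which is why the choice matters when several parties' PDPs are combined. This is an added example, not part of the presentation and not PCL; it assumes every input decision is Permit, Deny or NotApplicable (no evaluation errors) and approximates "applicable" as "did not return NotApplicable".

```python
PERMIT, DENY, NA, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

def deny_overrides(decisions):
    """Any Deny wins; otherwise any Permit; otherwise NotApplicable."""
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NA

def permit_overrides(decisions):
    """Any Permit wins; otherwise any Deny; otherwise NotApplicable."""
    if PERMIT in decisions:
        return PERMIT
    return DENY if DENY in decisions else NA

def first_applicable(decisions):
    """Result of the first policy, in order, that is applicable."""
    for d in decisions:
        if d != NA:
            return d
    return NA

def only_one_applicable(decisions):
    """More than one applicable policy is an error (Indeterminate)."""
    applicable = [d for d in decisions if d != NA]
    if len(applicable) > 1:
        return INDETERMINATE
    return applicable[0] if applicable else NA

PCAS = {
    "deny-overrides": deny_overrides,
    "permit-overrides": permit_overrides,
    "first-applicable": first_applicable,
    "only-one-applicable": only_one_applicable,
}

def combine_all(decisions):
    """Apply every PCA to one ordered list of per-policy decisions."""
    return {name: pca(decisions) for name, pca in PCAS.items()}

# Constructed sample: decisions of three parties' policies for one request.
SAMPLE = [NA, PERMIT, DENY]
```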

36
Next Steps
  • Develop an implementation of the extended XACML
    algorithms and of the policy distribution and
    enforcement algorithms
  • Investigate cryptographic approaches