Title: CS343 Access Control in PRPL
1CS343 Access Control in PRPL
- Greg Bayer, Debangsu Sengupta, Antone Vogt, Tom
Wang
2Problem Access Control
- New domain for which to provide Access Control
- Semantic Web rich, but unstructured
- Need for Fine-Grained sharing
- Incompatible data sources from multiple systems
3Problem Usual solutions
- Expose complexity to user
- Ex Distributed file systems, ACLs
- Or, too coarse-grained
- Ex Share with everyone or friends (Facebook)
- Access control files on a specific system, not
your data wherever it may be - Static access control systems
- Does not scale new systems all the time
4Our Solution Attribute-Based (ABAC)
- Leverage harvesters' knowledge of data context
- Support arbitrary, harvester-defined ontologies
- Infer Attributes from Semantic Web Information
- Provide access control for PRPL data based on
these attributes - fine-grained
- easy-to-use
- semantic rules automatically apply to new data
5Demo
6What we learned
- The context extracted by harvester (screen
scraping, XML feeds) is sufficient for
interesting access control tasks. - Can leverage semantic web tools RDF/RDFS, OWL,
SPARQL, etc. - Intuitive UI representation is critical
- Must be flexible/extensible to express complex
rules - Good framework Prefuse
- Much work to be done to express complex access
control policies intuitively - Email recipient/attachments scenario
7Future work
- Demonstrate more complex rules in the system and
UI. - Email recipients scenario.
- Blacklist rules / Conflicts between rules
- Prune attributes displayed in tree using machine
learning methods. - Time Frame 1-2 months
- Automatic rules generations
- Sophisticated heuristics
- Time frame 3 months
- Publish content owners rules - alternative use
- Ex. Express sharing rules in PRPL UI, publish to
facebook - Pull from PRPL-compliant web service
- Time frame 1 month
8Future work
- Scalability
- Expressivity / performance tradeoff. Different
inference engines. - Cache rules / relationships in database
- Time frame 2-3 months
- Authentication
- Study integration with OAuth, single sign-on
services like Shibboleth. - Time frame 2-3 months.
-
- Usability studies.
- Do users like our solution? Focus groups.
- Time frame 1 month.
- Build system statistics module.
- E.g. number of steps taken by user to complete
common rules assignment tasks. - Time frame 1 month
9PRPL Index Server with Access Control
10Questions/comments/suggestions?
11Backup slides
12Surprises for the project
- Coarse grained sharing
- Not flexible enough for PRPL.
- Better Fine - grained mechanism.
- Traditional RBAC / ACL.
- Complexity exposed to user. Difficult to express
simple tasks. Static hierarchical data not
available in PRPL context. - Better Attribute links from persons to resources
- Static / manually assigned attributes
- Works within organizations. Inappropriate for
web-based open systems. - Better Relations defined from attributes
gathered/inferred from harvesting. - Complexity shown to user e.g. ACL
- Better Hide complexity. Tradeoff between complex
rules and ones that can be easily expressed. - Allow users to verify.
13Features
- Attribute-based
- Use common access control ontology that is
customized by groups suggested for the user. - Ontology for persons and resources. Can leverage
existing work in the areas. - Relationships and rules generation to augment
access control ontology. - Currently, heuristics based.
- Groups are represented as attributes for both
persons and resources. - Toolset Jena, Sparql, RDF/XML, RDFS, OWL
ontology, reasoners.
14Features ctd
- Easy to use minimize use effort / transparency
- Intuitive UI
- Use familiar patterns to establish links between
Persons and objects. - Translate content owner actions to rules.
- Currently support accept/deny rules.
- Extensible
- Underlying model based on standard GraphML.
- Can include complicated rules and expose
attributes. - Tree view to browse through persons and files
hierarchies - Search feature on both sides.
15- Slides From First
- Presentation
- (in-class discussion)
16Access Control in PRPL
- Basic idea
- Fine-grained data sharing
- In PRPL
- Index Server
- Perimeter security
- Index data is unencrypted.
- Data Server
- Encrypted data - pictures, sensitive documents.
- Policy-based encryption
17Access Control Fundamentals
- RBAC
- Commonly used in enterprise
- Role concept is central
- Principals (users) map to 1 or more roles.
- Permissions on objects (r/w/x) map to 1 or more
roles. - Attribute-based Access Control
- Roles are determined from attributes extracted
from subjects and objects.
18Attribute-Based Access Control
- Object attributes
- Types of objects Files, Folders, URI's
- Attribute Ski photos
- Subject/Principal attributes
- Examples of subjects Tom, Harry
- Attributes Friends, family, colleagues
- Harvest attributes from semantic web (social
network information).
19Concept
- Coalition Alliances and collaboration between
individuals from multiple organizations. - Dynamic coalition Entities join or leave in an
ad-hoc manner.
20Access Control policy fundamentals
- Principals Users including owners and
requesters. - Objects Files, services etc.
- Policy definition
- Which principals have access to what resources
and has the ability to do what activities. - Dynamic access control Principal (subject)
information must be derived from user attributes.
21Attribute based approach
- Determine user and object attributes.
- Infer which user attributes are semantically
relevant to object attributes. - Identify mapping relationships that enable
mapping between user attributes, job functions
(attributes), and object attributes. - Prune the semantically relevant attributes.
- Identify which are unlikely to be held by those
principals outside the role.
22Attributes User
- User attributes
- Manual - generally
- Certifiable or organizationally assigned
- User Attribute Base Set of all user attributes.
- Example 2. Tom, who works at LM company, has the
following attribute set UAB(Tom)
(hasDegreebachelors),(performsJobsoftware),
(assignedToprojectBlue),(hasExpertiseInjava),
(officeLocNVC1).
23Attributes Object
- Object attributes
- Manual
- Manual tagging, file name, file description
- Automatic
- Inference based on content, keywords, owners,
owner relationships etc. - Object attribute base (OAB) Set of all object
attributes. - Example 3
- "Component 1 software" (C1) object attribute set
(hasContentjava), (hasContentfinancial)(hasCon
tentsoftware), (createdUnderProjectBlue).
24Link user and object attributes
- Use concept hierarchy
- Example relationships used
- Subclass
- Synonyms.
- Superclass
- Compatible - common parent.
- .....
-
......
25Matching
- Semantic Match
- Between subject (user) attribute/value pair and
object attribute/value pair if... - Both
- The attributes are linked
- And
- The values and are synonymous or
- The object value is a subclass of the object
value.
26PRPL Access Control Module
27Attribute Relationships
- Relationship expansion.
- Existing database / auto generated
- From User
- Examples
- Object "Wedding photos" -gt "Photos"
- Subject "CS343 friends" -gt"Stanford"
- .....
-
.......
28Smart Security
- Multiple levels of security
- Whitelist - Very secure.
- Blacklist - Open.
- Grey / Smart / adaptive security - Our focus
- Smart security consists of
- Automatic attribute-relationship generation
- Subject attributes
- Object attributes
- Automatic rule generation
- Rule Subjects with certain attributes can read
objects with certain attributes
29Subject Relationships, Our Approach
- Auto-attribute generation based on
- Existing information online, as in Tokyo paper
- FOAF, event attendee acquaintance
- Email conversations.
- User tuning
- Group "Stanford friends" and "UMass friends"
into "University friends" attribute - Harvesting Scenairo
- 4 of us have exchanged 25 mails, 10 attachments,
calendar data, Facebook events.gt Harvester
creates group for sharing data
30Object Attributes
- File extensions help classify file types
- .doc, .jpg, .html
- Extract information from existing sites
- Example Tags of photos from Flickr
- Assumption Semantic webgt Metadata should be
rich source of information
31Automatic Rule Generation
- Infer rules based on past actions / history of
- owner, friends.
- Aggregate rules based on overall PRPL data.
- Hard-coded rules based on default rules database.
- Family ltgt "Family photos"
- Share info with participants
- Event info with event attendees
- Project info with project members
32Easy-To-Use Goals
- Minimize user effort
- System transparency
33Typical User Interface
- GUI allows users to manipulate directly or
indirectly the internal access control
mechanismgt Burden too heavy even for simple
task - Problem Internal access control mechanism too
arcane and difficult - In the paper ACL-based Access Control
34Beyond IAM, What does easy-to-use really mean?
- Owner should see and understand what the
principal -gt object mappings are. - Transparent to owner
- Default "Smart" security should be "good enough"
for most owners. (predictable) - Can track success with how often users make
changes. -
- .....
35What does easy-to-use mean? ...ctd
- Specific fine-grained updates from owner should
be easy(match the way the user thinks about the
task of sharing) - Smart security will periodically provide access
control suggestions based on mining recent data
in owner's social networks. - Recent Gmail, Facebook activity.
36Default view
- Medium level of specificity
- Files and people
- Security hints button
- System rules view
37Security model
- Multiple levels of security
- Whitelist , blacklist, smart security
- Smart security provided at different times
- Initial configuration - when user first links up
their accounts. - Users verify the suggested model.
- User modifies and creates finer-grained lists
(optional) - Periodic updates
- Suggestions provided based on user's activity
- User accepts / rejects suggestion. System updates
based on user input.
38HCI/UI elements
- Most General
- Attribute view
- Connections between object attributes and subject
attributes - Example
- Work emails and attachments -gt shared with
"Colleagues". - Vacation pictures -gt Family.
39HCI/UI elements continued...
- Most specific
- By source
- Filtering attributes
- Creating rules
- Examples
- Emails from gmail account1 -gt shared with theater
group - Emails from gmail account2 -gt shared with all
family. - Facebook photos tagged ski -gt shared with ski
club friends.
40UI Preview rules
- Preview all rules
- Manually created and auto-generated rules.
- Why
- Provide system visibility / transparency to user.
- Example Display link.
- Ski trip photos
- NOT shared with ALL
- Shared with Ski club friends, family
- Wedding photos
- Shared with ALL
- Not shared with ex.
41UI Preview object access
- Idea Given all the rules mapping, who can view a
given object. - Owner selects Objects - e.g. Ski trip photos -gt
John - System displays
- List of users that can view the photos
- Which rule(s) triggered this access.
- e.g. Photos -gt Friends.
42UI Preview subject access
- Question Which pictures can grandma view?
- Owner selects a user in the network.
- System displays
- List of objects grandma has access to.
- Which rule(s) triggered this access.
- "Personal photos" -gt family
- Specific example if possible.
43(No Transcript)
44Implementation components
- Access control
- Attribute query
- Relationship expansion
- Ontology / synonyms
- Owner defined grouping
- Rule matching engine
- User Interface
- See slides before
45Contribution - our 'twist' ltinsert group twist
picgt
- Prototype components
- Access control module
- User interface
- Basic heuristics for auto-generation
- Provide groundwork for further exploration
- Access control architecture
- Rule generation ideas
- UI based on our model
- Semantic attribute based Access Control
- Prototypeindex server perimeter access control
- Easy-to-use
- visualization / interface
- Smart security
- Automatic rules generation on attributes