Relationship-Based Access Control Policy Languages Policy Analyses Research Questions
Logic, Policy Languages, and Relationship-Based Access Control
Philip W. L. Fong, Department of Computer Science, University of Calgary, Calgary, Alberta, Canada
ALPP’2015, Lexington, KY, USA
Philip Fong
Logic, Policy Languages, and ReBAC
A Curious Question
I wondered . . . Rather than lamenting the lack of privacy in FB, what can we learn from it?
Relationship-Based Access Control (ReBAC)
ReBAC: Authorization decisions are based on how the access requestor is related to the resource owner. The protection state is a social network.
Thesis: ReBAC is a general-purpose access control paradigm that can be applied to organizational settings outside of the social computing domain.
State of the Art
A first, large-scale implementation of ReBAC has been attempted for an open-source electronic health records system, OpenMRS [SACMAT’2015].
Related Work
Barbara Carminati (U Insubria)
Yuan Cheng, Jaehong Park and Ravi Sandhu (U Texas San Antonio)
Jason Crampton and James Sellwood (Royal Holloway)
Outline
1. Relationship-Based Access Control
2. Policy Languages
3. Policy Analyses
4. Research Questions
Part 1: Relationship-Based Access Control
Pre-History
Role-Based Access Control (RBAC)
[Diagram: a role R, defined by the unary predicate up, is assigned permissions p1, p2 and p3.]
Permissions p1, p2 and p3 are granted to those resource requestors v who satisfy the unary predicate up(v).
Relationship-Based Access Control (ReBAC)
Definition (Protection State) The protection state of ReBAC is a social network, which is a directed graph with edges labelled by relation identifiers (e.g., patient, parent, agent).
Relationship-Based Access Control (ReBAC)
Definition (Policy) Access control policies of ReBAC have the form: “Grant p if rp.” The policy grants permission p if relationship predicate rp(G, u, v) is satisfied by the current social network G, the resource owner u and the access requestor v. [Diagram: permission p guarded by relationship predicate rp.]
Beyond Roles and Attributes
Example (CODASPY’2011) “Not all doctors may access. Only my family doctor may access.” Graphically: own --doctor--> req
Delegation of Trust
Example (CODASPY’2011) “The assistant of my family doctor may access.” Graphically: own --doctor--> · --assistant--> req
Note: Consult CODASPY’2011 for a case study of an Electronic Health Records system, which contains many more examples of trust delegation.
Exploiting Graph Topology (1)
Example (ESORICS’2009) “Grant access if at least 3 colleagues recommend.” Graphically: own --colleague--> c1, own --colleague--> c2, own --colleague--> c3, with c1, c2, c3 distinct vertices and c1 --recommends--> req, c2 --recommends--> req, c3 --recommends--> req.
Exploiting Graph Topology (2)
Example (ESORICS’2009) “Grant access if belong to common clique of size k.” Graphically: own and req are both members of a clique of k vertices that are pairwise connected by friend edges.
Note: See ESORICS’2009 for more examples of topology-based policies.
ReBAC Maturing
Crampton & Sellwood proposed 2 innovations [SACMAT’2014]:
Authorization graph: graph of both users and resources, and their relationships.
Authorization principals: ReBAC analogue of roles. [Diagram: an authorization principal AP, defined by a relationship predicate rp, is assigned permissions p1, p2 and p3, mirroring the RBAC diagram above.]
Implemented for OpenMRS [SACMAT’2015].
Part 2: Policy Languages
Research Challenge
What formal language shall one use for specifying a relationship predicate rp(G, u, v)? A modal approach . . .
Modal Logic [CODASPY’2011]
Idea: rp specified as a formula in a multimodal logic.
Syntax: φ, ψ ::= ⊤ | req | ¬φ | φ ∧ ψ | ⟨l⟩φ where l ∈ L is a relation identifier.
Semantics: The sequent “G, u, v ⊨ φ” asserts that owner u and requestor v are related in a manner specified by φ.
G, u, v ⊨ ⊤ always
G, u, v ⊨ req iff u = v
G, u, v ⊨ ¬φ iff not G, u, v ⊨ φ
G, u, v ⊨ φ ∧ ψ iff G, u, v ⊨ φ and G, u, v ⊨ ψ
G, u, v ⊨ ⟨l⟩φ iff there exists a vertex w with an edge u --l--> w in G such that G, w, v ⊨ φ
Derived Forms
⊥ = ¬⊤
φ ∨ ψ = ¬(¬φ ∧ ¬ψ)
[l]φ = ¬⟨l⟩¬φ
G, u, v ⊨ [l]φ whenever every vertex w with an edge u --l--> w in G satisfies G, w, v ⊨ φ (∀ in place of the ∃ of ⟨l⟩).
Example (1)
Example (Grant access to grandparents.) Formula: ⟨parent⟩⟨parent⟩ req. Graphically: own --parent--> · --parent--> req
Example (2)
Example (Grant access to a sibling who is not married.) Formula: ⟨sibling⟩(req ∧ [spouse]⊥). Graphically: own --sibling--> req, where req has no outgoing spouse edge (req --spouse--> ×).
Limitations [SACMAT’2011]
Modal logic cannot express the following policy (the “at least 3 colleagues recommend” policy from ESORICS’2009): own --colleague--> c1, c2, c3, three distinct vertices, each with an edge --recommends--> req. The obstacle is that modal formulas cannot name vertices: ⟨colleague⟩⟨recommends⟩ req is already satisfied by a single recommending colleague, and no modal formula can require the three recommenders to be distinct.
Hybrid Logic Fragment [CODASPY’2012]
Syntax: φ ::= ⊤ | x | ¬φ | φ1 ∧ φ2 | ⟨l⟩φ | @x φ | ↓x φ
Semantics: Crawler perspective: G, u, g ⊨ φ
G: social network
u: current location of crawler
g: valuation function, mapping variables to vertices
G, u, g ⊨ ↓x φ whenever G, u, g[x ↦ u] ⊨ φ (mark crawler location as x)
G, u, g ⊨ x whenever u = g(x) (i.e., check that crawler is at vertex marked as x)
G, u, g ⊨ @x φ whenever G, g(x), g ⊨ φ (i.e., jump to vertex marked as x, then continue crawling: u --jump--> g(x), then check φ there)
Formula as Policy
To check if policy φ holds, check the following: G, u, [own ↦ u, req ↦ v] ⊨ φ
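The two logics above, run mechanically, as an added example (this is not code from the talk, from CODASPY’2011/2012, or from the OpenMRS implementation): a small Python model checker for the hybrid logic fragment, which covers the modal fragment as the special case that uses only the nominal req. It checks the grandparent and unmarried-sibling policies of Examples (1) and (2), and it encodes the “at least 3 colleagues recommend” policy that the Limitations slide says modal logic cannot express, using ↓ to name each recommending colleague and ¬x to force distinctness. The tuple encoding of formulas, the vertex names and the sample graph are constructed for this example.

```python
"""Added example, not code from the talk or from any ReBAC implementation:
a model checker for the hybrid logic fragment (which subsumes the modal
fragment, since `req` and `own` are just nominals) over a constructed
social network. Formulas are nested tuples; the graph maps
label -> source vertex -> set of target vertices."""

from typing import Dict, Set, Tuple

Graph = Dict[str, Dict[str, Set[str]]]
Formula = Tuple

# Syntax: phi ::= T | x | ~phi | phi & psi | <l>phi | @x phi | down-x phi
TOP = ("top",)
def var(x): return ("var", x)            # nominal / bound variable x
def neg(p): return ("not", p)
def conj(p, q): return ("and", p, q)
def dia(l, p): return ("dia", l, p)      # <l> phi
def at(x, p): return ("at", x, p)        # @x phi: jump to g(x)
def down(x, p): return ("down", x, p)    # down-x phi: bind x to here
# Derived forms from the "Derived Forms" slide
BOT = neg(TOP)
def box(l, p): return neg(dia(l, neg(p)))  # [l] phi

def holds(G: Graph, u: str, g: Dict[str, str], phi: Formula) -> bool:
    """G, u, g |= phi under the crawler-perspective semantics."""
    kind = phi[0]
    if kind == "top":
        return True
    if kind == "var":                    # crawler is at the vertex marked x
        return u == g[phi[1]]
    if kind == "not":
        return not holds(G, u, g, phi[1])
    if kind == "and":
        return holds(G, u, g, phi[1]) and holds(G, u, g, phi[2])
    if kind == "dia":                    # some w with u --l--> w satisfies phi
        _, l, p = phi
        return any(holds(G, w, g, p) for w in G.get(l, {}).get(u, ()))
    if kind == "at":                     # jump to g(x), keep crawling there
        _, x, p = phi
        return holds(G, g[x], g, p)
    if kind == "down":                   # mark the current location as x
        _, x, p = phi
        return holds(G, u, {**g, x: u}, p)
    raise ValueError(f"unknown constructor {kind!r}")

def authorize(G: Graph, owner: str, requestor: str, policy: Formula) -> bool:
    """The 'Formula as Policy' check: G, u, [own -> u, req -> v] |= phi."""
    return holds(G, owner, {"own": owner, "req": requestor}, policy)

REQ = var("req")
# Example (1): <parent><parent> req
GRANDPARENT = dia("parent", dia("parent", REQ))
# Example (2): <sibling>(req & [spouse] bot)
UNMARRIED_SIBLING = dia("sibling", conj(REQ, box("spouse", BOT)))
# The closest modal formula to "3 colleagues recommend": one recommender suffices
MODAL_APPROX = dia("colleague", dia("recommends", REQ))

def at_least_3_recommenders() -> Formula:
    """Constructed hybrid encoding of the ESORICS'2009 policy: three
    distinct colleagues of the owner each recommend the requestor.
    Each colleague is named with down-x; ~x1, ~x2 force distinctness and
    @own returns the crawler to the owner to pick the next colleague."""
    rec = dia("recommends", REQ)
    third = at("own", dia("colleague", down("x3",
                conj(neg(var("x1")), conj(neg(var("x2")), rec)))))
    second = at("own", dia("colleague", down("x2",
                conj(neg(var("x1")), conj(rec, third)))))
    return at("own", dia("colleague", down("x1", conj(rec, second))))

def sample_graph() -> Graph:
    """Constructed protection state (all names are illustrative)."""
    return {
        "parent":     {"alice": {"bob"}, "bob": {"carol"}},
        "sibling":    {"alice": {"dan", "eve"}},
        "spouse":     {"eve": {"frank"}},
        "colleague":  {"alice": {"kim", "lee", "may"}},
        # pat is recommended by three colleagues, quinn by only one
        "recommends": {"kim": {"pat", "quinn"}, "lee": {"pat"}, "may": {"pat"}},
    }

if __name__ == "__main__":
    G = sample_graph()
    for who, pol, name in [("carol", GRANDPARENT, "grandparent"),
                           ("dan", UNMARRIED_SIBLING, "unmarried sibling"),
                           ("eve", UNMARRIED_SIBLING, "unmarried sibling"),
                           ("pat", at_least_3_recommenders(), "3 recommenders"),
                           ("quinn", at_least_3_recommenders(), "3 recommenders"),
                           ("quinn", MODAL_APPROX, "modal approximation")]:
        print(f"{name:20s} owner=alice req={who:6s} -> {authorize(G, 'alice', who, pol)}")
```

On the sample graph the modal approximation ⟨colleague⟩⟨recommends⟩ req accepts quinn, who has a single recommender, while the hybrid formula rejects quinn and accepts pat. What makes the difference is @own: after naming one colleague the crawler is sent back to the owner to choose another, and ¬x1 at the new location rules out the colleague already named, which the modal fragment, lacking names, cannot do.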
Enter Temporal Operators [CCS’2013]
Motivation: What if I want to grant access only to first-time customers? This has to do with how users had been related to one another in the past.
Community-based Secure Sharing (CSC): Adding LTL-style past-time temporal operators to the hybrid logic above.
Enforcement: If the syntax of the policy language is properly restricted, then such policies can be enforced by tracking only ONE social network. In some sense, a ReBAC protection state is all you need.
Part 3: Policy Analyses
Relationality [CODASPY’2012]
Recall policies are predicates of the form rp(G, u, v). We often desire predicates that are “relational”:
1. value is invariant to graph isomorphism
2. value remains stable unless the connectivity between u and v is changed in G
All of FB’s standard policies (e.g., friends, friends-of-friends) are relational.
The following predicates are NOT relational:
1. Return true iff v is a friend of Alice.
2. Return true iff v has a vertex degree of 100 or more.
We designed a type system for checking if a given hybrid logic formula is relational.
Sybil Attacks [S&P’2011]
Attacker creates multiple pseudonymous identities, then uses their combined influence to bypass the access control mechanism. There are no “hard” mechanisms to prevent the creation of pseudonymous identities.
Example (1) Access policy = “somewhat related” . . . [Figure: accessor and owner in a social network.]
Example (2) Access policy = “somewhat related” and “popular” [Figure: accessor and owner.]
Example (3) Attacker: “somewhat related” but not “popular” [Figure: attacker (marked “?”) and owner.] How does the attacker gain access?
Example (4) Sybil attack [Figure: the attacker linked to fake identities, and the owner.]
Static Analysis
We devised a static analysis for checking the policy configuration of a social network system to ensure that such Sybil Attacks are impossible [S&P’2011].
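The attack of Examples (1) to (4), simulated on a constructed friend network, as an added example (this is not code from the talk and not the S&P’2011 static analysis): a “somewhat related and popular” policy is checked against a legitimate requestor and an attacker, the attacker registers pseudonyms that befriend it, and a bounded search reports how many fakes it takes to flip deny into allow. The “popular” predicate is the non-relational vertex-degree predicate from the Relationality slide; a second policy that counts only the owner’s friends is shown for contrast. The assumption that friend edges are mutual, so the attacker can only forge edges among identities it controls, and all names and thresholds, are this example’s own.

```python
"""Added example, not code from the talk and not the S&P'2011 static
analysis: a simulation of the Sybil attack in Examples (1) to (4) over a
constructed friend network, with a bounded check that asks how many
attacker-controlled identities it takes to flip a deny into an allow.

Assumptions (this example's, not the talk's): `friend` edges are mutual,
so the attacker can only forge edges among identities it controls, and
no honest user befriends a fake. Policies are plain Python predicates
rp(G, owner, requestor); names and thresholds are illustrative."""

from typing import Callable, Dict, Optional, Set

Graph = Dict[str, Set[str]]          # symmetric friend relation
Policy = Callable[[Graph, str, str], bool]

def add_friend(G: Graph, a: str, b: str) -> None:
    G.setdefault(a, set()).add(b)
    G.setdefault(b, set()).add(a)

def somewhat_related(G: Graph, owner: str, req: str) -> bool:
    """Friend or friend-of-friend of the owner (a relational predicate)."""
    friends = G.get(owner, set())
    fof = set().union(*(G.get(f, set()) for f in friends))
    return req in friends or req in fof

def popular(G: Graph, owner: str, req: str, k: int = 3) -> bool:
    """Requestor has at least k friends: the non-relational degree predicate
    from the Relationality slide, counting edges the requestor controls."""
    return len(G.get(req, set())) >= k

def vouched(G: Graph, owner: str, req: str, k: int = 2) -> bool:
    """At least k of the *owner's* friends are friends with the requestor:
    only edges incident to honest users count, so fakes cannot help."""
    return len(G.get(owner, set()) & G.get(req, set())) >= k

def related_and_popular(G: Graph, owner: str, req: str) -> bool:
    return somewhat_related(G, owner, req) and popular(G, owner, req)

def related_and_vouched(G: Graph, owner: str, req: str) -> bool:
    return somewhat_related(G, owner, req) and vouched(G, owner, req)

def with_fakes(G: Graph, attacker: str, n: int) -> Graph:
    """Protection state after the attacker registers n pseudonyms and
    befriends them (and they each other); honest edges are untouched."""
    H = {v: set(nbrs) for v, nbrs in G.items()}
    fakes = [f"{attacker}_fake{i}" for i in range(n)]
    for i, f in enumerate(fakes):
        add_friend(H, attacker, f)
        for earlier in fakes[:i]:
            add_friend(H, f, earlier)
    return H

def min_fakes_to_bypass(policy: Policy, G: Graph, owner: str,
                        attacker: str, max_fakes: int = 10) -> Optional[int]:
    """Smallest number of fakes that turns deny into allow; 0 if already
    allowed; None if max_fakes do not suffice (a bounded search on one
    network, not a proof of Sybil-resistance)."""
    for n in range(0, max_fakes + 1):
        if policy(with_fakes(G, attacker, n), owner, attacker):
            return n
    return None

def sample_network() -> Graph:
    """Constructed network: dave is a legitimate friend-of-friend with three
    friends; mallory is a friend-of-friend with a single friend."""
    G: Graph = {}
    for a, b in [("owner", "bob"), ("owner", "carol"), ("bob", "carol"),
                 ("bob", "dave"), ("carol", "dave"), ("dave", "erin"),
                 ("bob", "mallory")]:
        add_friend(G, a, b)
    return G

if __name__ == "__main__":
    G = sample_network()
    for pol in (related_and_popular, related_and_vouched):
        print(pol.__name__, "dave:", pol(G, "owner", "dave"),
              "mallory:", pol(G, "owner", "mallory"),
              "fakes needed:", min_fakes_to_bypass(pol, G, "owner", "mallory"))
```

On this network the degree-based policy falls to two pseudonyms, while the vouching policy cannot be bypassed by any number of fakes, because every edge the attacker can create has a fake at one end and the policy counts only edges incident to the owner’s friends. That asymmetry in who controls the counted edges is what a check of the policy configuration has to establish; the bounded search here merely exhibits it on one protection state.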
Part 4: Research Questions
Administrative Model for ReBAC
Definition (Administrative Model) “Programmable” administrative actions that lead to transitions of the protection state.
Example: Alice purchases a property from Bob, with Carlie as the agent. Their relationships change as a result of this transaction.
Research Questions: What would an administrative model for ReBAC look like? How can action languages help?
Safety Analysis
Given a protection state, can the repeated application of administrative actions lead to a certain untrusted party gaining access? Known to be hard in the general case. Are there subproblems that are amenable to efficient analysis?
Research Question: Can action language technologies be employed to conduct safety analysis for ReBAC in an efficient manner?
Availability Analysis
Resiliency: Given a protection state, will the accidental dissolving/forging of relationships cause a resource to become inaccessible?
Feasibility: Given a protection state, does there exist a way to repair the social network (dissolving/forging relationships) so that a resource becomes accessible?
We have recently shown that, under certain restrictions on relationship predicates, the above two problems are in the second level of the polynomial hierarchy. ASP enthusiasts would probably recognize an opportunity.
Questions?
Thank You!