Logical Model and Specification of Usage Control

Mar 26, 2015

Page 1

Logical Model and Specification of Usage Control

Xinwen Zhang, Jaehong Park, Francesco Parisi-Presicce, Ravi Sandhu

George Mason University

Page 2

Outline

• Introduction of UCON
• Temporal Logic of Action (TLA)
• Logic Model for UCON with TLA
• Specification of Authorization Core Models
• Specification of Obligation Core Models
• Specification of Condition Core Models
• Applications of Logical Model
• Conclusions and Future Work

Page 3

UCON

• A unified framework for next-generation access control

• A comprehensive model to represent the underlying mechanism of existing access control models and policies

• Tries to extend the limits of traditional access control models:
– Authorization only: no obligation- or condition-based control
– Identity-based only: no attribute-based support
– Decision is made before access: no ongoing control
– No consumable rights, no mutable attributes
– Rights are pre-defined and granted to subjects

Page 4

UCON

• UCON provides a general model beyond DRM and Trust Management:
– Digital Rights Management (DRM)
• Mainly focuses on intellectual property rights protection, with architecture- and mechanism-level studies
• Lacks an access control model
– Trust Management
• Authorization for strangers' access based on credentials
• Lacks an abstract model for attribute-based authorization

Page 5

OM-AM Layered Approach

Page 6

Related Work: UCON Model

[Figure: UCON model components. Subjects (S) and Subject Attributes (SA); Objects (O) and Object Attributes (OA); Rights (R); decision components Authorizations (A), Obligations (B) and Conditions (C); Usage Decisions.]

• UCON:
– A unified model for next-generation access control, constructed by integrating obligations and conditions as well as authorizations, and by including continuity and mutability properties.

• Components:
– Subjects and attributes
– Objects and attributes
– Generic rights
– Decision components:
• Authorizations
• Obligations
• Conditions

Page 7

UCON Model

• Unique properties beyond traditional models:
– 3 phases for a single usage process
– Continuity of decisions: the decision check can be performed in the first 2 phases.
– Mutability of attributes: attribute updates can be performed as a result of usage actions in all 3 phases.

[Figure: the three phases before-usage, ongoing-usage and after-usage; continuity of decisions covers pre-decision and ongoing-decision; mutability of attributes covers pre-update, ongoing-update and post-update.]

Page 8

Core Models

• According to the authorization decision and attribute update points, we have seven core authorization models:
– preA0: control decision is determined before access, and there is no attribute update.
– preA1: control decision and attribute update before access.
– preA3: control decision is determined before access, and attribute update after access.
– onA0: control decision is checked and determined during usage, and there is no attribute update.
– onA1: control decision is checked and determined during usage, and there is attribute update before access.
– onA2: control decision is checked and determined during usage, and there is attribute update during usage.
– onA3: control decision is checked and determined during usage, and there is attribute update after usage.

• Similarly, a set of core models is defined with obligations and conditions.

• A real UCON system may be a hybrid of them.


Page 10

Temporal Logic of Action

• Basic terms:
– Variables: x, y
– Values: 5, "abc"
– Constants
– A state is an assignment of values to variables

• Functions: non-boolean expressions with variables and constants
– Semantically, a function is a mapping from states to values.

• State predicates: boolean expressions with variables and constants
– Semantically, a predicate is a mapping from states to booleans.

• Actions: boolean expressions with variables, primed variables, and constants
– Semantically, an action is a function assigning a boolean to a pair of states (s, t), where s is the old state, which gives the values of the unprimed variables, and t is the new state, which gives the values of the primed variables.

Page 11

TLA

• Behavior: a sequence of states <s0, s1, s2, …>

• Semantics of an action A:

• Temporal operator: □ (always)

• Temporal formula:

• Semantics:

• E.g., for the action A given by x' = y+1, its value on the pair of states (s0, s1) is true exactly when the value of x in state s1 equals the value of y in state s0 plus 1.

Page 12

TLA

• Other temporal operators:
– "Eventually"
– "Next"
– "Until"

• Past temporal operators: Has-always-been, Once, Previous, Since
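As an added example (not from the slides), a small Python evaluator for the TLA notions introduced on Pages 10 to 12: states are dicts, a state predicate maps a state to a bool, an action maps an (old, new) state pair to a bool, and always, eventually, next and until are evaluated over a behaviour. Finite behaviours are extended by stuttering as in TLA; the `boxed` helper (TLA's [A]_v) and the sample behaviour are additions the slides do not contain.

```python
from typing import Callable, Dict, List

State = Dict[str, object]                  # a state assigns values to variables
Behavior = List[State]                     # a behaviour is a sequence <s0, s1, s2, ...>
Pred = Callable[[State], bool]             # state predicate: state -> bool
Action = Callable[[State, State], bool]    # action: (old state, new state) -> bool
Formula = Callable[[Behavior, int], bool]  # temporal formula evaluated at a position i

def state_at(b: Behavior, i: int) -> State:
    """TLA behaviours are infinite; a finite list is extended by stuttering,
    i.e. the last state repeats forever."""
    return b[min(i, len(b) - 1)]

def positions(b: Behavior, i: int) -> range:
    """Positions j >= i worth inspecting: the listed ones, or i itself in the tail."""
    return range(i, max(i + 1, len(b)))

def lift(p: Pred) -> Formula:
    """A state predicate holds at position i iff it holds in s_i."""
    return lambda b, i: p(state_at(b, i))

def step(a: Action) -> Formula:
    """An action holds at i iff it is true of the pair (s_i, s_{i+1}); the slides'
    example A = (x' = y + 1) compares x in s_{i+1} with y in s_i."""
    return lambda b, i: a(state_at(b, i), state_at(b, i + 1))

def boxed(a: Action, names: List[str]) -> Action:
    """TLA's [A]_v: A holds or every variable in v is unchanged (a stuttering step)."""
    return lambda s, t: a(s, t) or all(s[n] == t[n] for n in names)

def always(f: Formula) -> Formula:         # "always": f at every j >= i
    return lambda b, i: all(f(b, j) for j in positions(b, i))

def eventually(f: Formula) -> Formula:     # "eventually": f at some j >= i
    return lambda b, i: any(f(b, j) for j in positions(b, i))

def next_(f: Formula) -> Formula:          # "next": f at position i + 1
    return lambda b, i: f(b, i + 1)

def until(f: Formula, g: Formula) -> Formula:
    """The until operator: g holds at some j >= i and f holds at every position in [i, j)."""
    def ev(b: Behavior, i: int) -> bool:
        for j in positions(b, i):
            if g(b, j):
                return True
            if not f(b, j):
                return False
        return False
    return ev

def holds(f: Formula, b: Behavior) -> bool:
    """A temporal formula is true of a behaviour iff it holds at position 0."""
    return f(b, 0)

# Constructed behaviour: each step sets x to the previous y plus one.
BEHAVIOR: Behavior = [{"x": 0, "y": 1}, {"x": 2, "y": 4}, {"x": 5, "y": 9}]
A_INC: Action = lambda s, t: t["x"] == s["y"] + 1   # the slides' action x' = y + 1
```

Note that `always(step(A_INC))` is false on the sample behaviour only because the stuttering tail violates x' = y + 1; wrapping the action with `boxed` gives the stuttering-insensitive property TLA specifications normally state.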

Page 13

Outline

• Introduction of UCON
• Temporal Logic of Action (TLA)
• Logic Model for UCON with TLA
• Specification of Authorization Core Models
• Specification of Obligation Core Models
• Specification of Condition Core Models
• Expressivity and Flexibility
• Conclusions and Future Work

Page 14

Logical Model of UCON: States and Attributes

• A state of a UCON system is a set of assignments of values to attributes:
– Subject attributes:
• role = "employee"
• security clearance = "secret"
• credit amount = $1000.00
– Object attributes:
• type = "file"
• ACL = {(Alice, read), (Bob, write)}
– System attributes:
• system time
• platform location
– A special system attribute:
• state(s,o,r) ∈ {initial, requesting, denied, accessing, revoked, end}
• Specifies the status of a single access process (s,o,r)
• Authorization actions are defined to change this state.

Page 15

Logical Model of UCON: Predicates

• Predicates: boolean expressions built from subject attributes, object attributes, and system attributes.
– Mapping a state to True/False
– Unary predicates: Alice.credit > $1000, file1.classification = "secure"
– Binary predicates: Dominate(Alice.clearance, file1.classification), (Bob, read) ∈ file2.ACL
– Ternary predicate permit(s,o,r):
• Specifies usage control decisions
• True if subject s is allowed to access object o with right r.

Page 16

Logic Model of UCON: Actions

• Actions: boolean expressions built from attributes in two states.
– Alice.credit' = Alice.credit - $50.0

• Two types of actions:
– Control actions: change the state of a single usage process
• Actions performed by the subject
• Actions performed by the system
– Obligation actions:
• Actions that have to be performed before or during an access.
• May or may not be performed by the requesting subject and on the target object.

Page 17

Logic Model of UCON

• The logical model of a UCON system is a 5-tuple (S, PA, PC, AA, AB), where
– S is a sequence of states of the system,
– PA is a finite set of authorization predicates built from the attributes of subjects and objects,
– PC is a finite set of condition predicates built from the system attributes,
– AA is a finite set of control actions,
– AB is a finite set of obligation actions.

• A UCON policy is a logic formula consisting of predicates, actions, and logical and temporal operators:
– where a is an action and p is a predicate with terms t1, t2, …, tn

Page 18

Logical Model of UCON

• Semantics:


Page 20

Specification of Core Model

• preA0:

• Example 2: BLP model

• Example 3: DAC with ACL

Page 21

Specification of Core Model

• preA1:

• Example 4: DRM pay-per-use application

Page 22

Specification of Core Model

• preA3:

Page 23

Specification of Core Model

• onA0:

• Example 6:

Page 24

Specification of Core Model

• onA1:

• onA2:

• onA3:

Page 25

Specification of Core Model

• Example 7: Resource-constrained access control
– Limited number (10) of ongoing accesses for a single object
– Object attribute:
– When the 11th subject requests a new access, one ongoing access will be revoked.

• a. The earliest usage is revoked: onA13
• Subject attribute: startTime

Page 26

Specification of Core Model

• b. revocation by longest idle usage: onA123

• Subject attributes: status (with value busy or idle), idleTime

Page 27

Specification of Core Model

• c. revocation by longest total usage: onA13

• Subject attribute: usageTime
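As an added example (not the authors' code), a Python simulator of the per-(s,o,r) usage state from Page 14 that runs Example 7 under policy (a), revocation of the earliest usage by startTime, and policy (c), revocation of the longest total usage by usageTime, and marks where the pre-update and post-update of the onA core models from Page 8 sit. The control-action names (tryaccess, revokeaccess, endaccess), the object attribute `ongoing`, the clock and the scenario data are assumptions; the slides leave them unnamed.

```python
from dataclasses import dataclass, field

MAX_ONGOING = 10   # Example 7: limited number (10) of ongoing accesses for one object

@dataclass
class Subject:
    name: str
    startTime: int = 0   # Example 7(a): written by the pre-update (the "1" in onA13)
    usageTime: int = 0   # Example 7(c): accumulated by the post-update (the "3")

@dataclass
class Obj:
    name: str
    ongoing: dict = field(default_factory=dict)   # assumed attribute: subject name -> process

class UsageProcess:
    """state(s, o, r) of a single access; only the control actions below change it."""
    def __init__(self, s: Subject, o: Obj, r: str, policy: str = "earliest"):
        self.s, self.o, self.r, self.policy, self.state = s, o, r, policy, "initial"

    def tryaccess(self, clock: int) -> str:
        assert self.state == "initial"
        self.state = "requesting"
        self.s.startTime = clock            # pre-update, before the usage starts
        self.state = "accessing"            # onA models permit first and check during usage
        self.o.ongoing[self.s.name] = self
        self.ongoing_check(clock)
        return self.state

    def ongoing_check(self, clock: int) -> None:
        """Ongoing decision: |ongoing| <= MAX_ONGOING must hold, otherwise revoke one usage."""
        if len(self.o.ongoing) <= MAX_ONGOING:
            return
        if self.policy == "earliest":       # (a) the smallest startTime is revoked
            victim = min(self.o.ongoing.values(), key=lambda p: p.s.startTime)
        else:                               # (c) the largest total usage time is revoked
            victim = max(self.o.ongoing.values(),
                         key=lambda p: p.s.usageTime + clock - p.s.startTime)
        victim.revokeaccess(clock)

    def finish(self, clock: int, final: str) -> None:
        self.s.usageTime += clock - self.s.startTime   # post-update, on revoke or end
        del self.o.ongoing[self.s.name]
        self.state = final

    def revokeaccess(self, clock: int) -> None:
        self.finish(clock, "revoked")

    def endaccess(self, clock: int) -> None:
        self.finish(clock, "end")

def run_example7(policy: str) -> tuple:
    """Constructed: 11 subjects request read one tick apart; s3 has 20 ticks of prior usage."""
    obj = Obj("file1")
    subs = [Subject(f"s{i}") for i in range(MAX_ONGOING + 1)]
    subs[3].usageTime = 20
    procs = [UsageProcess(s, obj, "read", policy) for s in subs]
    for clock, p in enumerate(procs):
        p.tryaccess(clock)
    return [p.s.name for p in procs if p.state == "revoked"], len(obj.ongoing)
```

`run_example7("earliest")` revokes s0, the usage with the smallest startTime, while `run_example7("longest_total")` revokes s3, whose prior usageTime outweighs its later start; in both cases exactly 10 usages remain ongoing.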


Page 29

Obligations

• An obligation is an action described by ob(s, o, r, sb, ob):
– ob is the action name,
– (s, o, r) is the particular usage process requiring the obligation,
– sb, ob are the obligation subject and object.

• Two types of obligations in UCON:
– pre-obligations, which must have been performed before access.
– ongoing-obligations, which must be performed during usage.

• Obligations that have to be performed after an access are considered global obligations, since they only affect future usage processes.

Page 30

Obligation Model

• Core obligation models:
– preB0: A usage control decision is determined by obligations before an access, and there is no attribute update before, during, or after the usage.
– preB1: A usage control decision is determined by obligations before an access, and one or more subject or object attributes are updated before the usage.
– preB3: A usage control decision is determined by obligations before an access, and one or more subject or object attributes are updated after the usage.
– onB0: Usage control is checked and the decision is determined by obligations during an access, and there is no attribute update before, during, or after the usage.
– onB1: Usage control is checked and the decision is determined by obligations during an access, and one or more subject or object attributes are updated before the usage.
– onB2: Usage control is checked and the decision is determined by obligations during an access, and one or more subject or object attributes are updated during the usage.
– onB3: Usage control is checked and the decision is determined by obligations during an access, and one or more subject or object attributes are updated after the usage.

Page 31

Specification of Core Model

• preB1:

Page 32

Specification of Core Model

• preB1:

Page 33

Specification of Core Model

• onB0:


Page 35

Conditions

• Conditions are environmental restrictions before or during usage.

• In UCON, a condition is a predicate built from system attributes, such as time and location.

• Two types of conditions:
– pre-conditions: conditions that must be true before an access.
– ongoing-conditions: conditions that must be true during the process of accessing an object.

• preC0:

• onC0:


Page 37

Application

• RBAC1 model: preA0

Page 38

Application

• RBAC2: preA1

Page 39

Application

• Chinese Wall Policy: preA1

Page 40

Application

• MAC with high watermark

Page 41

Conclusions

• A logical model for UCON with:
– States with:
• subject attributes and values
• object attributes and values
• system attributes and values
– Predicates:
• authorization predicates built from subject and object attributes
• condition predicates built from system attributes
– Actions:
• attribute update actions
• usage control actions
• obligation actions
– Temporal formulas of usage control policies

• First-order logic specification of the UCON models with the new features of mutability and continuity

Page 42

Future Work

• Formal study:
– Enrich the logical model, e.g. with constraints and delegations
– Expressive power and safety analysis of UCON with logical formalization

• Development of architecture and mechanisms for UCON systems:
– DRM technologies
– Trusted computing technologies