A Distributed Calculus for Role-Based Access Control
Chiara Braghin, joint work with D. Gorla and V. Sassone
MyThS Meeting, Venice, June 14th, 2004
A Distributed Calculus for Role-Based Access Control – p.1/18
RBAC
Why: Role-Based Access Control is attracting increasing attention because:
- it reduces the complexity and cost of security administration;
- permission management is less error-prone;
- it is flexible (rôle hierarchies, separation of duty, etc.);
- it is least-privilege oriented.
Our work: formalize the behaviour of concurrent and distributed systems under security policies defined in an RBAC fashion, similarly to:
- the types developed in Dπ and Klaim to implement discretionary access control;
- the types developed for Boxed Ambients to implement mandatory access control.
Contents
- the RBAC96 model
- a formal framework for concurrent systems running under an RBAC policy:
  - an extension of the π-calculus
  - a type system ensuring that the specified policy is respected during computations
  - a bisimulation to reason about systems' behaviours
- some useful applications of the theory:
  - finding the 'minimal' schema to run a given system
  - refining a system to be run under a given schema
  - minimizing the number of users in a given system.
The Basic RBAC model
[Figure: boxes USERS, ROLES, PERMISSIONS and SESSIONS; the USER ASSIGNMENT relation links USERS to ROLES, the PERM. ASSIGNMENT relation links ROLES to PERMISSIONS]
The starting point: π-calculus
Concurrent processes communicating on channels.
Processes: $P, Q ::= \mathsf{nil} \mid u\langle v\rangle.P \mid a(x).P \mid [u = v]P \mid (\nu a : R)P \mid P \,|\, Q \mid\ !P$
The Syntax of our Calculus
Concurrent processes communicating on channels.
Processes: $P, Q ::= \mathsf{nil} \mid u\langle v\rangle.P \mid a(x).P \mid [u = v]P \mid (\nu a : R)P \mid P \,|\, Q \mid\ !P \mid \mathsf{role}\ R.P \mid \mathsf{yield}\ R.P$
User sessions: $r\{|\, P \,|\}_{\rho}$
Systems: $A, B ::= \mathbf{0} \mid r\{|\, P \,|\}_{\rho} \mid A \parallel B \mid (\nu a_r : R)A$
Channels are allocated to users to enable a distributed implementation.
Dynamic Semantics
It is given in the form of a reduction relation.
Communication: $s\{|\, a_r\langle n\rangle.P \,|\}_{\rho} \parallel r\{|\, a(x).Q \,|\}_{\rho'} \longmapsto s\{|\, P \,|\}_{\rho} \parallel r\{|\, Q[n/x] \,|\}_{\rho'}$
Rôle activation: $r\{|\, \mathsf{role}\ R.P \,|\}_{\rho} \longmapsto r\{|\, P \,|\}_{\rho \cup \{R\}}$
Rôle deactivation: $r\{|\, \mathsf{yield}\ R.P \,|\}_{\rho} \longmapsto r\{|\, P \,|\}_{\rho - \{R\}}$
RBAC schema
Permissions are capabilities that enable process actions. Thus, $\mathcal{A} \triangleq \{R^{\uparrow}, R^{?}, R^{!}\}_{R \in \mathcal{R}}$ is the set of permissions.
In our framework, the RBAC schema is a pair of finite relations $(\mathcal{U};\mathcal{P})$ such that $\mathcal{U} \subseteq_{fin} (\mathcal{N}_u \cup \mathcal{C}) \times \mathcal{R}$ and $\mathcal{P} \subseteq_{fin} \mathcal{R} \times \mathcal{A}$.
An Example
A banking scenario:
- two users, the client r and the bank s;
- cashiers are modelled as channels $c_1, \ldots, c_n$ of user s;
- the rôles available are client and cashier.
$r\{|\, \mathsf{role}\ client.\ enqueue_s\langle r\rangle.\ dequeue(z).\ z\langle req_1\rangle.\cdots.z\langle req_k\rangle.\ z\langle stop\rangle.\ \mathsf{yield}\ client \,|\}_{\rho}$
$\parallel\ s\{|\, (\nu free)(\ !enqueue(x).free(y).dequeue_x\langle y\rangle \ |\ \Pi_{i=1}^{n} free_s\langle c^s_i\rangle \ |\ \Pi_{i=1}^{n}\ !c_i(x).(\ [x = withdrw\_req]\langle\ \rangle \ |\ [x = dep\_req]\langle\ \rangle \ |\ \ldots \ |\ [x = stop]\ free_s\langle c^s_i\rangle\ )\ ) \,|\}_{\rho'}$
Static Semantics - Types
The syntax of types:
Types: $T ::= UT \mid C$
User Types: $UT ::= \rho[a_1 : R_1(T_1), \ldots, a_n : R_n(T_n)]$
Channel Types: $C ::= R(T)$
$\Gamma;\rho \vdash^{r}_{\mathcal{P}} P$ states that $P$ respects $\Gamma$ and $\mathcal{P}$ when it is run in a session of $r$ with rôles $\rho$ activated.
A typing environment is a mapping from user names and variables to user types that respects the assignments in $\mathcal{U}$.
Static Semantics - The Type System
An example: performing input actions.
(T-Input) $\dfrac{R^{?} \in \mathcal{P}(\rho) \qquad \Gamma \vdash a : R(T) \qquad \Gamma, x \mapsto T;\rho \vdash^{r}_{\mathcal{P}} P}{\Gamma;\rho \vdash^{r}_{\mathcal{P}} a(x).P}$
Type Safety: Let $A$ be a well-typed system for $(\mathcal{U};\mathcal{P})$. Then, whenever $A \equiv (\nu \tilde{a}_r : \tilde{R})(A' \parallel r\{|\, b(x).P \,|\}_{\rho})$, it holds that either $b_r : S \in \tilde{a}_r : \tilde{R}$ and $S^{?} \in \mathcal{P}(\rho)$, or $b_r \notin \tilde{a}_r$ and $S^{?} \in \mathcal{P}(\rho)$, where $\{S\} = \mathcal{U}(b_r)$.
The Example Again
The banking scenario again:
- now each available operation is modelled as a different channel (wdrw = withdraw, opn = open account, cc = credit card request);
- communicating on the different channels requires different rôles;
- $\mathcal{P}$ is such that $\{(rich\_client, cc^{!}),\ (rich, rich\_client^{\uparrow})\} \subseteq \mathcal{P}$.
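The schema $(\mathcal{U};\mathcal{P})$, the role/yield reductions of the dynamic semantics and the (T-Input)-style channel checks, as an added Python example that is not from the slides. It assumes that activating $R$ requires both $(user, R) \in \mathcal{U}$ and $R^{\uparrow} \in \mathcal{P}(\rho)$, reads $(rich\_client, cc^{!})$ as "rôle rich_client may output on channels whose rôle is cc", and the base rôle and all assignments other than the two pairs stated above are constructed.

```python
# Added example, not from the slides: an executable model of an RBAC schema
# (U;P) with the role/yield reductions and (T-Input)-style channel checks.
# Assumed reading: "role R" needs (user,R) in U and R^ in P(rho); input or
# output on a channel whose role in U is S needs S? or S! in P(rho).
ACT, IN, OUT = "^", "?", "!"          # the three permission kinds R^, R?, R!

def perms(P, rho):
    """P(rho): every permission granted by the activated roles rho."""
    return set().union(*(P.get(R, set()) for R in rho))

class Session:
    """r{| P |}_rho : user r running a process with roles rho activated."""
    def __init__(self, U, P, user, rho):
        self.U, self.P, self.user, self.rho = U, P, user, set(rho)

    def role(self, R):
        """role R.P --> rho u {R}; False if the activation is not enabled."""
        if R not in self.U.get(self.user, ()) \
                or (R, ACT) not in perms(self.P, self.rho):
            return False
        self.rho.add(R)
        return True

    def yield_(self, R):
        """yield R.P --> rho - {R}"""
        self.rho.discard(R)

    def may(self, kind, chan):
        """Is an input (IN) or output (OUT) on chan enabled by rho?"""
        (S,) = self.U[chan]               # {S} = U(chan): a channel has one role
        return (S, kind) in perms(self.P, self.rho)

# Constructed banking schema: the slides fix only (rich_client, cc!) and
# (rich, rich_client^); everything else is invented for this example.
U = {"r": {"base", "client", "rich", "rich_client"}, "s": {"base", "cashier"},
     "wdrw_s": {"wdrw"}, "opn_s": {"opn"}, "cc_s": {"cc"}}
P = {"base": {("client", ACT), ("cashier", ACT), ("rich", ACT)},
     "client": {("wdrw", OUT), ("opn", OUT)},
     "cashier": {("wdrw", IN), ("opn", IN), ("cc", IN)},
     "rich": {("rich_client", ACT)}, "rich_client": {("cc", OUT)}}

def client_run():
    """Trace of the client r: which steps does the policy enable?"""
    r = Session(U, P, "r", {"base"})
    t = {"role client": r.role("client"), "wdrw!": r.may(OUT, "wdrw_s"),
         "cc! as client": r.may(OUT, "cc_s"),
         "role rich_client before rich": r.role("rich_client"),
         "role rich": r.role("rich"), "role rich_client": r.role("rich_client"),
         "cc! as rich_client": r.may(OUT, "cc_s")}
    r.yield_("rich_client")
    t["cc! after yield"] = r.may(OUT, "cc_s")
    return t
```

The trace shows the credit-card request being refused while only client is active, enabled once rich has been used to activate rich_client, and refused again after yield.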