XACML Function Annotations
Prathima Rao, Dan Lin, Elisa Bertino
Department of Computer Sciences
IEEE POLICY 2007
XACML
• OASIS standard for specifying access control policies in enterprise systems.
  – XML based.
• Need for efficient policy management.
  – Several analysis techniques:
    • Similarity analysis – relation between the sets of permitted (denied) requests of policies.
    • Policy ratification [1] – conflict detection, dominance check, coverage check, etc.
Motivation
• Policy analysis techniques often need to abstract a policy as a Boolean expression.
• Example: the condition of the policy below abstracts to the Boolean expression E-Mail == .gov || E-Mail == .edu

    <?xml version="1.0" encoding="UTF-8"?>
    <Policy PolicyId="Bill-Policy" RuleCombiningAlgId="permit-overrides">
      <Rule RuleId="R1" Effect="Permit">
        <Condition>
          <Apply FunctionId="xacml:1.0:function:string-at-least-one-member-of">
            <SubjectAttributeDesignator AttributeId="E-Mail" Datatype="#string"/>
            <Apply FunctionId="xacml:1.0:function:string-bag">
              <AttributeValue Datatype="#string"> .gov </AttributeValue>
              <AttributeValue Datatype="#string"> .edu </AttributeValue>
            </Apply>
          </Apply>
        </Condition>
      </Rule>
    </Policy>
Motivation (continued)
• XACML uses functions to express conditions on request attributes.
  – It is not straightforward to abstract these functions into Boolean expressions.
  – One needs to know the behavioral semantics of these functions.
  – Standard XACML functions: manually map each function to a Boolean expression.
  – User-defined XACML functions: unknown semantics.
• Hence the need for a technique to explicitly convey the function semantics.
Annotation Syntax
• <Annotation></Annotation>
  – AnnotationId attribute ~ FunctionId
• <Operand></Operand>
  – Denotes a function parameter
  – Datatype and Value attributes
• <Uni-Operator></Uni-Operator>
  – Unary operators: -, ~, etc.
• <Bi-Operator></Bi-Operator>
  – Binary operators, including arithmetic (+, -, %, ...), logical (||, &), and set (intersect, union, belongsto, ...) operators.
• <Uni-Term></Uni-Term>
  – Term with one operand
• <Bi-Term></Bi-Term>
  – Term with two operands
• <Boolean-Form></Boolean-Form>
  – Boolean formula

Example annotation for string-at-least-one-member-of:

    <Annotation AnnotationId="string-at-least-one-member-of">
      <Bi-Term>
        <Operand Datatype="#string-bag" value="&Param_1" />
        <Bi-Operator> belongsto </Bi-Operator>
        <Operand Datatype="#string-bag" value="&Param_2" />
      </Bi-Term>
    </Annotation>
Annotation Framework
[Figure: XACML policies P1, P2, ..., Pn are fed into the Annotation Module, which consists of an Annotation Verifier, the Annotation Format / Annotation Specification, and an Annotated Function Repository. An Interpreter then produces the Boolean formulae B1, B2, ..., Bn, which are consumed by an external XACML policy analysis tool.]
Annotation Example

Input XACML policy:

    <?xml version="1.0" encoding="UTF-8"?>
    <Policy PolicyId="Bill-Policy" RuleCombiningAlgId="permit-overrides">
      <Rule RuleId="R1" Effect="Permit">
        <Condition>
          <Apply FunctionId="xacml:1.0:function:string-at-least-one-member-of">
            <SubjectAttributeDesignator AttributeId="E-Mail" Datatype="#string"/>
            <Apply FunctionId="xacml:1.0:function:string-bag">
              <AttributeValue Datatype="#string"> .gov </AttributeValue>
              <AttributeValue Datatype="#string"> .edu </AttributeValue>
            </Apply>
          </Apply>
        </Condition>
      </Rule>
    </Policy>

Annotation repository entry for the function:

    <Annotation AnnotationId="string-at-least-one-member-of">
      <Bi-Term>
        <Operand Datatype="#string-bag" value="&Param_1" />
        <Bi-Operator> belongsto </Bi-Operator>
        <Operand Datatype="#string-bag" value="&Param_2" />
      </Bi-Term>
    </Annotation>

Annotation instantiated with the policy's actual arguments, and the resulting Boolean form:

    <Annotation AnnotationId="string-at-least-one-member-of">
      <Bi-Term>
        <Operand Datatype="#string-bag" value={"E-Mail"} />
        <Bi-Operator> belongsto </Bi-Operator>
        <Operand Datatype="#string-bag" value={".gov", ".edu"} />
      </Bi-Term>
    </Annotation>
    <Boolean-Form> E-Mail == .gov || E-Mail == .edu </Boolean-Form>
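The interpreter step sketched on the Annotation Syntax and Annotation Example slides, as an added example that is not the authors' tool: a small Python script that looks up the annotation for the policy's Apply function, binds &Param_1 and &Param_2 to the actual arguments, and expands belongsto over bags into the Boolean-Form. The policy and repository inputs are constructed to mirror the slides; XACML namespaces and the full URN function ids are omitted, and '&' is escaped as &amp; so the annotation parses as XML.

```python
import xml.etree.ElementTree as ET
# Constructed sample input mirroring the slides' Bill-Policy (XACML namespaces omitted for brevity).
POLICY = """<Policy PolicyId="Bill-Policy" RuleCombiningAlgId="permit-overrides">
  <Rule RuleId="R1" Effect="Permit"><Condition>
    <Apply FunctionId="xacml:1.0:function:string-at-least-one-member-of">
      <SubjectAttributeDesignator AttributeId="E-Mail" DataType="#string"/>
      <Apply FunctionId="xacml:1.0:function:string-bag">
        <AttributeValue DataType="#string">.gov</AttributeValue>
        <AttributeValue DataType="#string">.edu</AttributeValue>
      </Apply>
    </Apply>
  </Condition></Rule></Policy>"""

# Constructed annotation repository keyed by function name; '&' is escaped as &amp; so the XML parses.
REPOSITORY = {"string-at-least-one-member-of": """<Annotation AnnotationId="string-at-least-one-member-of">
  <Bi-Term>
    <Operand Datatype="#string-bag" value="&amp;Param_1"/>
    <Bi-Operator>belongsto</Bi-Operator>
    <Operand Datatype="#string-bag" value="&amp;Param_2"/>
  </Bi-Term>
</Annotation>"""}

def eval_arg(node):
    """Reduce one Apply argument to a bag (list) of attribute names or literal values."""
    if node.tag.endswith("AttributeDesignator"):
        return [node.get("AttributeId")]
    if node.tag == "AttributeValue":
        return [node.text.strip()]
    if node.tag == "Apply" and node.get("FunctionId").endswith(":string-bag"):
        return [v for child in node for v in eval_arg(child)]
    raise ValueError("unsupported argument: " + node.tag)

def instantiate(annotation_xml, args):
    """Bind the &Param_n placeholders of the annotation's Bi-Term to the actual arguments."""
    term = ET.fromstring(annotation_xml).find("Bi-Term")
    operands = []
    for o in term.findall("Operand"):
        ref = o.get("value")
        operands.append(args[int(ref[len("&Param_"):]) - 1] if ref.startswith("&Param_") else [ref])
    return operands[0], term.find("Bi-Operator").text.strip(), operands[1]

def boolean_form(policy_xml, repo):
    """Abstract the policy's Condition into the Boolean formula the slides call Boolean-Form."""
    apply = ET.fromstring(policy_xml).find(".//Condition/Apply")
    fid = apply.get("FunctionId").rsplit(":", 1)[-1]  # strip the "xacml:1.0:function:" prefix
    lhs, op, rhs = instantiate(repo[fid], [eval_arg(a) for a in apply])
    if op != "belongsto":
        raise ValueError("unsupported operator: " + op)
    return " || ".join(f"{a} == {v}" for a in lhs for v in rhs)  # belongsto over bags = disjunction
```

Calling boolean_form(POLICY, REPOSITORY) yields the same formula as the slide's Boolean-Form; a function with no repository entry raises KeyError, which is the "unknown semantics" case the Motivation slide describes.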
Annotation Consistency Verification
• Policy analysis can be negatively influenced by incorrect annotations.
  – Need to verify consistency between an annotation and its associated function.
  – Translate annotations to JML [2] post-conditions and use existing tools (JACK [3]) to perform the verification.
• JML is a behavioral annotation language for Java methods and classes.
  – Use tools like WHY [4].
Conclusions
• Proposed an annotation framework for XACML policies.
  – Enhances policy documentation.
  – Supplements policy analysis.
• The annotation syntax can express several categories of Boolean expressions that can be handled by state-of-the-art policy analysis techniques.
• Future work
  – Extend support for XPath functions.
References
• [1] Dakshi Agrawal, James Giles, Kang-Wong Lee, Jorge Lobo. Policy Ratification. POLICY 2005.
• [2] Gary T. Leavens, Albert L. Baker, Clyde Ruby. JML: A Notation for Detailed Design. Behavioral Specifications of Businesses and Systems, 1999.
• [3] L. Burdy, A. Requet. JACK: Java Applet Correctness Kit. GDC 2002.
• [4] J. C. Filliâtre. The Why Certification Tool. http://why.lri.fr/