YagueMana-sacmat05


  • 7/27/2019 YagueMana-sacmat05

    1/23

    A Semantic-based Access Control Model*

    Mariemma I. Yagüe, Antonio Maña

    {yague, amg}@lcc.uma.es

    Computer Science Department

    University of Málaga, Spain.

    Abstract. Very dynamic environments with a high volume of heterogeneous data, like semi-structured data systems, DRM repositories, digital libraries, web services, distributed object systems, etc., require more flexible constructions for the expression and management of access control systems than those provided by traditional access control models. This paper presents the Semantic Access Control model, a new access control model that solves the problems of other access control models when applied to these environments. This model provides a high level of interoperability, scalability, flexibility, adaptability and applicability. It ensures semantic policy soundness, eases administration and avoids the registration phase.

    1 Introduction

    When security requirements for distributed applications are considered, authorization often emerges as a central element in the design of the whole security system. Many other security requirements depend on the flexibility, trustworthiness and expressiveness of the authorization scheme. On the other hand, access control is the mechanism that allows resource owners to define, manage and enforce the access conditions that apply to each resource [1]. These two concepts are very closely related because authorizations are usually the basis for the access decision in access control systems.

    The concepts upon which an access control model is defined determine the flexibility of the model to be applied in different environments and systems. Traditional access control models have been designed to solve the access control problem in some specific scenarios and applications. Let us briefly review these models and their target environments:

    o Discretionary Access Control (DAC) was designed for multi-user systems and databases. In this environment, a limited number of previously-known users are considered. Changes are not very frequent and all resources are under control of a single authority. Consequently, DAC policies are based on user identity and a series of access rules that express what users can and cannot do [2].

    o Mandatory Access Control (MAC) originated in military environments, where the number of users can be high, but a static and linear hierarchy of users can be established. In this case the model is based on a hierarchy of security levels. MAC policies are based on the assignment of security levels to users and resources, defined by a central authority [3].

    * Work partially supported by Spanish Ministry of Science and Technology. Project TIC2002-04500-C02-02


    o Role-Based Access Control (RBAC) was designed to overcome the problems of the previous models when applied to a more open environment such as corporate information systems. In these environments, users are usually classified following a tree-like hierarchy, established according to the position (role) of the user. RBAC policies define what roles can access each resource [4].

    Among these models, RBAC is commonly accepted as the most appropriate paradigm for the implementation of access control in complex scenarios. RBAC can be considered a mature and flexible technology. Numerous authors have discussed its properties and have presented different languages and systems that apply this paradigm [4-7].

    However, very dynamic environments with a high volume of heterogeneous data, like semi-structured data systems, DRM repositories, digital libraries, web services, distributed object systems, etc., require more flexible constructions for the expression of access control policies. In RBAC the structure of groups is defined by the security administrator and it is usually static. Although the grouping of users can suffice in many different situations, it is not flexible enough to cope with the requirements of more dynamic systems where the structure of groups cannot be anticipated by the administrators of the access control system. In these scenarios new resources are incorporated into the system continuously and each resource may possibly need a different group structure and access control policy. Furthermore, the policy for a given resource may change frequently.

    Furthermore, traditional access control schemes are not suitable for scenarios where the local registration and authorization of users is not appropriate, or which have a very large number of registered users. In these systems it is not practical, for scalability reasons, to keep access and authorization information for each user.

    As a consequence, we can conclude that a different approach is required in order to solve the scalability problems of these systems, to facilitate access control management and to provide means to express access conditions in a natural and flexible way. Our diagnosis is that the main problem with role-based access control in this type of heterogeneous, open and dynamic environments is that the model is built on three predefined concepts: user, role and group. The definition of roles and the grouping of users can facilitate management, especially in corporate information systems, because roles and groups are easily identifiable and fit naturally in the context of the organizational structures of the companies. However, when applied to some new and more general access control scenarios, these concepts are somewhat artificial. There are situations that are not well handled by this model. For instance, consider the case of a very dynamic system where users' attributes (and therefore, the membership of the user to a given role) change frequently. A solution is to determine role membership dynamically, but it requires a significant effort to do so. Furthermore, in RBAC, a role must be defined for each different set of access criteria required by the group of resources controlled. This means that when the number of resources and the heterogeneity of access conditions is very high, the administration of RBAC systems becomes very complex. In fact, taken to the limit, if each resource can be accessed by a different group of users, the number of roles can reach the number of resources and require the explicit association of users to all roles (resources) they can access.

    We believe that a more general approach is needed in order to be used in these new environments. For example, in the referred situations, groups are an artificial substitute for a more general tool: the attribute. In fact, groups are usually defined on the basis of the values of some specific attributes (employer, position, ...). Some attributes are even built into most of the current access control models. This is the case of the user element; the identity is just one of the most useful attributes, but it is not necessary in all scenarios and, therefore, it should not be a built-in component of a general model.

    Finally, access control models must take into account that the creation and maintenance of access control policies is a difficult and error-prone activity. Therefore, we consider that access control models must be designed to facilitate and guarantee the correct administration of the system.

    The Semantic Access Control (SAC) model [8] provides an appropriate solution to the aforementioned problems, especially for heterogeneous, distributed and large environments. As we will show later, the flexibility of the SAC model allows it to easily simulate other models such as MAC, DAC or RBAC.

    2 Fundamentals of the Semantic Access Control Model

    Most current access control schemes base their authorization approaches on locally-issued credentials that are based on user identities. This type of credential presents many drawbacks. Among them we highlight: (a) they are not interoperable; (b) the same credentials are issued many times for each user, which introduces management and inconsistency problems; (c) credentials are issued by the site administrator; however, in most cases, the administrator does not have enough information or resources to establish trustworthy credentials; and (d) they are dependent on user identity. However, in practice, it is frequent that the identity of the user is not relevant for the access decision. Sometimes it is even desirable that the identity is not considered or revealed. Furthermore, in systems based on identity, the lack of a global authentication infrastructure (a global Public Key Infrastructure, PKI) forces the use of local authentication schemes. In these cases, subscription is required and users have to authenticate themselves to every accessed source. To solve the aforementioned problems, single-sign-on mechanisms are becoming popular [9]. Although these mechanisms represent an improvement, they do not enable interoperability while maintaining diversity. The reason is that they are based on federation of sources and all federated sources must agree on a homogeneous access control scheme. Additionally, credentials remain local, not to a site, but to a set of them.

    On the other hand, digital certificates can securely convey authorizations or credentials. Attribute certificates bind attributes to keys, providing means for the deployment of scalable access control systems in the scenarios that we have depicted. These authorizations are interoperable and represent a general and trustworthy solution that can be shared by different systems. Taking into account security, scalability and interoperability, the separation of the certification of attributes and access control management responsibilities is widely accepted as a scalable and flexible solution. In this case, the access control system needs to be complemented by an external component: the Privilege Management Infrastructure, PMI [10]. The main entities of a PMI, known as Sources of Authorization (SOAs), issue attribute certificates. Usually, each SOA certifies a small number of semantically related attributes. This scheme scales well in the number of users and also in the number of different factors (attributes) used by the access control system. The flexibility of this model is such that it can easily represent complex access conditions that are very difficult to express in other models.

    With this approach, each access control system selects the SOAs to trust and which combination of attributes to use. Because they are separate systems, a mechanism to establish the trust between the access control system and the PMI is required. In this work, we propose the use of metadata to describe the PMI as the key to achieving the necessary interoperability.

    On the other hand, when discussing how to establish the access conditions applicable to a particular resource, two main approaches must be considered: (i) conditions are established on the basis of the location of the resources or, (ii) conditions are based on the properties of the resources. The fact is that conditions and restrictions of access depend naturally on the semantic properties of the target resource, which are neglected in structure-based approaches. Therefore, an approach based on semantic descriptions of the contents is much more flexible and natural. Moreover, it is easy to incorporate structure-based requirements in the semantic model. Additionally, the structure is much more volatile than the semantics. The incompatibility between the structure required for the application domain and the ones that match the security requirements confirms that structure-based approaches are not able to represent these situations in a natural way.

    Another drawback of structure-based approaches is that the number of policies becomes very large. In fact, these approaches usually imply the definition of several policies for each resource. Positive and negative authorizations are used in these cases to facilitate the definition of simple policies and to reduce the number of policies. The price to pay is the introduction of ambiguities, which in turn requires the definition of conflict resolution rules. Consequently, the administration of the system becomes complex and difficult to understand, increasing the chance of producing incorrect policies.


    The access control model developed has been called Semantic Access Control (SAC) because semantics are the basis of the access conditions and its design follows a semantic approach. The SAC model is based on the semantic properties of the resources to be controlled, properties of the clients that request access to them, semantics about the context and, finally, semantics about the attribute certificates trusted by the access control system.

    The semantic-based and modular approach adopted in SAC facilitates the definition and management of policies, avoiding the use of positive and negative authorizations. Tools provided to support the policy specification, composition and validation also serve this objective [11]. The Semantic Access Control (SAC) model has been implemented on the basis of a language to specify the access control criteria and the semantic integration of an external authorization entity.

    1.1 The Semantic Policy Language, SPL

    SPL, an XML-Schema-based policy definition language, is designed to specify policies in a simple way, enabling a high level of expressiveness and an efficient evaluation.

    Usual components of access policies include the target resource, the conditions under which access is granted/denied and, sometimes, access restrictions. As opposed to other languages, specifications in SPL do not include references to the target object. Instead, a separate specification called Policy Applicability Specification (PAS) is used to relate policies to objects dynamically when a request is received. Both SPL Policies and PAS use semantic information about resources, included in SRRs, and other contextual information documents.

    SPL Policies and PAS can be parameterised, allowing the definition of flexible and general policies, thus reducing the number of different policies to manage. Parameters, which can refer to complex XML elements, are instantiated dynamically from semantic and contextual information.

    Additionally, policies can be composed by importing components of other policies without ambiguity. This compositional approach allows us to define the abstract meaning of the elements of the policies, providing a mechanism to achieve abstraction, which also helps in reducing the complexity of management. The schema for SPL specifications is represented as a set of XML-Schema templates that facilitate the creation of these specifications, allowing their automatic syntactic validation.

    Figure 3 shows the conceptual model of the SPL language. Detailed models of each component are included in Appendix A. SPL policies can include components defined locally as well as imported elements. The ability to import elements enables the modular composition of policies based on the XPath standard. An SPL Policy is composed of a set of access_Rule elements. Every access_Rule defines a particular combination of attribute certificates required to gain access, associated with an optional set of actions (such as Notify_To, Payment and Online_Permission) to be performed before access is granted. In this way provisional authorization, or PBAC [12], is enabled in SPL.

    [Figure 3 (diagram not reproduced in this transcript): conceptual model of the SPL Language. Elements: SPL Policy, PAS, Context, SRR, Property, Resource, Parameter, Imported Element, Local Element. Associations with multiplicities: corresponds, relates, extracted from, described by.]

    Fig. 3. Conceptual model of the SPL Language

    1.2 The Semantic Description of the Sources of Authorization

    Based on asymmetric cryptography, digital certificates are used to bind a public key to some information. Identity certificates (a.k.a. public-key certificates) are the most common type of digital certificates in use. They bind identity information to keys. On the other hand, attribute certificates [10] bind attributes to keys. Among other applications, they provide means for the deployment of scalable and flexible access control schemes, since access conditions are expressed in terms of sets of attributes instead of users or groups. Users must possess attribute certificates attesting that they meet the requirements. As opposed to traditional access control schemes, a high number of users and attributes does not degrade the performance and manageability of this solution.

    One of the main advantages of attribute certificates is that they can be used for various purposes. They may contain group membership, role, clearance, or any other form of authorization. A very essential feature is that attribute certificates can securely transport authorization information in distributed applications. This is especially relevant because, through attribute certificates, authorization information becomes mobile, which is highly convenient for scenarios such as those considered in this work. This mobility provides the foundation for a better alternative to current Single Sign-On schemes.

    The mobility feature has been used in applications since the publication of the 1997 ITU-T X.509 Recommendation. However, it has been used in a very inefficient way. That Recommendation introduced an ill-defined concept of attribute certificate that was not independent of the identity certificate. To be more precise, when using that solution, the change of privileges indirectly forces a costly revocation of the identity-related information. Moreover, that solution does not solve delegation and impersonation issues, which are especially relevant in many applications. The ITU-T 2000 Recommendation provides a more suitable solution because it clearly defines a framework, a Privilege Management Infrastructure, or PMI, where identity and attribute certificates, although related, can be independently managed.

    The objective of a PMI is to provide attribute certification services. It is then reasonable to expect that the PMI includes different certification authorities (SOAs), each one with a well-defined certification domain. That is, each SOA should be authoritative for a limited set of attributes and users. Ideally, each attribute would be certified by only one SOA. This raises the issue of the interoperability of the attribute certificates. Suppose John Doe is an authorized broker at the Chicago Board of Trade. Then John will have two separate certificates: an identity certificate attesting his identity information and an attribute certificate attesting he is an authorized broker at the Chicago Board of Trade. Both certificates can be related, for instance, by including the serial number and/or hash value of the identity certificate in the attribute certificate.

    If we focus simultaneously on security, scalability, interoperability and mobility, it is advantageous to separate the responsibilities of access control management from certification of attributes. There are some reasons for this statement. In centralized access control schemes each application requires its own database or directory of authorizations, which must be administered and maintained. The result is that for every user, identities and profiles must be entered multiple times and synchronized dynamically, increasing the operating costs associated with change management and making the process cumbersome. However, the same user attributes are often used in multiple access decisions in different systems. We can conclude that user attributes can be shared by all access control systems, while access criteria are specific.

    Suppose now that our friend John Doe is also a member of the Chicago Siesta Club (CSC), a public library, Greenpeace, etc. If centralized access control schemes are used in these institutions, each one will have to locally register the different attributes of John Doe that are applicable to their access control policies. For instance, if the CSC has a discount for Greenpeace members then it is necessary that the membership of John in Greenpeace is recorded in the local database of users of the CSC. How can the CSC be sure that John is a member of Greenpeace? What if John leaves Greenpeace? How does the CSC know about this? On the contrary, if the attribute certification function is separated, then the responsibilities of access control systems are limited to establishing the local access control policies, making the system simpler, more dynamic and flexible, and more secure. Obviously, this approach requires that the access control system is complemented by an external component providing certification functions. Precisely, the PMI is that component.


    A consequence of the separation of access control and authorization functions (now provided by the PMI) is that the access control administrators do not have control over some factors that are used in their access control systems. Consequently, a mechanism to establish the trust between these administrators and the PMI is required. We have addressed this problem using semantic information about the certifications issued by each SOA. This assists the security administrators in the creation and semantic validation of access control policies.

    In our approach, every SOA produces and digitally signs a set of Source Of Authorization Descriptions (SOADs) that express the semantics of the attribute certificates it issues [13]. These metadata documents describe the different attributes certified by a SOA, including names, descriptions and relations of attributes. SOADs are used to establish the trust between the PMI and the access control systems. They convey the information needed by the access control system to understand the semantics of the attribute certificates, which is essential in order to take appropriate access decisions. The information contained in SOADs is also essential for the semantic validation of the policies, enabling the detection of semantically incomplete (or incorrect) policies. In fact, the set of SOADs represents the semantic description of the PMI. Full integration of the PMI can be achieved transparently for the rest of the system based on this description.

    3 Formal Model of the Semantic Access Control

    In this section we propose a formal model of SAC, as the basis for the processing of the Semantic Policy Language (SPL) specifications. The basic concepts upon which this formal model is constructed are defined as follows:


    Definition 1. A target is any entity that may hold properties. In the SAC model, a target can be a client or a resource, and properties are represented as attributes.

    Definition 2. Attributes represent properties about targets. An attribute is represented by a triplet (p, o, v) where p is a property name, o is a logical operator and v is a value. For instance, the property of being adult in Spain is (age, >, 18). The fact that a target t holds the attribute a is denoted as a(t).

    Definition 3. A set of attributes, in the following AttributeSet, represents an unordered collection of attributes.

    Definition 4. A Source of Authorization, a.k.a. SOA, is a certification entity responsible for issuing attribute certificates attesting certain properties about targets. Each SOA has a certification domain, i.e. a set of targets and properties that can be certified by this SOA. For instance, the SOA of a university may issue certificates related to the enrollment of its students in courses, but not about their marital status. Likewise, it cannot issue certificates related to the enrollment of students from other universities.

    Definition 5. An attribute certificate is a sentence signed by a SOA attesting a(t), i.e. attesting that target t holds the attribute a. It is denoted as ⟨a, t⟩. We assume, without loss of generality, that the holder t of this attribute certificate will be identified by its public key¹.

    Definition 6. Let T be the set of all targets in the certification domain of the SOA. An attribute certificate class, denoted as a, represents the semantics of the set of all instances (attribute certificates) ⟨a, t⟩ where t ∈ T.

    Definition 7. The relationships among different attribute certificate classes are satisfied by all their instances. Therefore, let R be a relationship among attribute certificate classes; then

    (a R b) ⇔ (∀ t1 ∈ T, ∀ t2 ∈ T, ⟨a, t1⟩ R ⟨b, t2⟩)

    Definition 8. A SOA rule is a sentence related to a SOA stating that two attribute classes a and b are interrelated. A SOA rule is expressed as

    a relational_operator b

    ¹ In asymmetric encryption schemes each user has a pair of related keys. One of these keys, the Public Key, is publicly distributed while the other one, the Private Key, must be kept secret. Public Keys are included in digital certificates, so that other users can verify their authenticity.


    Note that a SOAD can only contain rules to state facts about internal certificates (certificates issued by the corresponding SOA). It can include relations between internal and external certificates, but these relations must be interpreted as directional.

    Definition 9. A SOA description, or SOAD, is the set of all SOA rules describing a SOA. The SOAD describing a given SOA is denoted as SOAD.

    Definition 10. Let a and b be two attribute certificate classes, and consider a given set of facts, specified afterwards. We say a implies b, denoted as a ⇒ b, if a SOA rule or a series of them exists in SOAD such that b is logically implied by a. It is written as:

    SOAD, a ⊢ b

    That is, from the attribute certificate class a, applying the rules expressed in the SOAD of the SOA, we can deduce the attribute certificate class b.

    Definition 11. Let a and b be two attribute certificate classes. We say a excludes b, denoted as a ⇒ ¬b, if there exists a SOA rule or a series of them in SOAD such that:

    SOAD, a ⊢ ¬b

    That is, from the attribute certificate class a, applying the rules expressed in the SOAD of the SOA, we can deduce that b does not hold.

    Definition 12. Let a and b be two classes of attribute certificates. We say a is inconsistent with b if a excludes b and/or b excludes a, that is:

    SOAD, a ⊢ ¬b and/or SOAD, b ⊢ ¬a

    Definition 13. Let a and b be two classes of attribute certificates. We say a is consistent with b if no SOA rule or series of them exists in SOAD such that:

    SOAD, a ⊢ ¬b

    and no SOA rule or series of them exists in SOAD such that:

    SOAD, b ⊢ ¬a


    4 Semantic Validation of Policies

    The creation and maintenance of access control policies is a difficult and error-prone activity. SAC includes components for the automated validation of policies at different levels. The syntax of SPL policies is validated against the corresponding XML Schema. We have developed a specific Semantic Policy Validator (SPV) as part of the Policy Assistant component to perform different types of semantic validation. These validations are supported by the semantic information defined by means of XML metadata.

    SPV allows policies to be validated in the context where they will be applied. By using semantic information about the context, the administrator is able to include relevant contextual considerations in a transparent manner.

    The semantics of the policies depend heavily on the semantics of the attribute certificates. In the SAC access control model the SOAD metadata model conveys the semantics of the attribute certificates, providing semantic information that will be essential in the process of access decision. The semantic information about the attribute certificates issued by each SOA also assists the security administrator through the process of specification of the access control policies, as it conveys the meaning of each attribute. Additionally, the semantic information represented by the SOAD model enables the automatic detection of inconsistent policies, through the SPV tool developed with this objective. The SPV makes logic inference processes using the rules defined in the SOAD documents.

    The ability to perform a semantic validation of access control policies is an essential design goal of the SAC model. Both the SPL language and the SOAD documents have been designed to serve this objective. The semantic validation ensures that the policies written by the security administrator produce the desired effects. The SPV can perform the following types of validations, which are described in detail in Appendix B:

    1. Test Case Validation: Given a request to access a resource and a set of attribute certificates, this algorithm outputs the sets of attribute certificates needed for accessing that resource. Most of the time, this feature will be used to check that a set of attribute certificates is incompatible with the access criteria for that resource. For instance, the administrator of our university can use this validation to guarantee that it is not possible for a student to access a given resource (e.g., documents containing marks). During the validation process, the SPV generates the sets of attribute certificates that are not excluded by the input set, and checks the generated ones against all possible combinations of attribute certificates that grant access to the resource.


    2. Access Validation: Given a request to access a resource, this algorithm outputs the sets of certificates that grant access to that resource. For this validation process, the SPV generates the policy for the resource and all sets of attribute certificates equivalent to those required by the policy.

    3. Full Validation: The goal of this process is to check which resources can be accessed given a set of attribute certificates. Therefore, SPV generates the policy for each resource and, afterwards, all attribute certificates that can be derived from the input set of attribute certificates. Finally, it reports every resource that can be accessed using the input attribute certificate set.

    5 Related Work

    Recent literature in the area of access control for distributed heterogeneous resources from multiple sources shows the use of attribute certificates and PMIs. Firstly, we highlight two research projects, Akenti [14] and Permis [15]. The Akenti Project proposes an access control system to restrict access to distributed resources controlled by multiple stakeholders. The requirement for the stakeholders to trust the rest of the servers in the network, as well as some security vulnerabilities related to the existence of positive and negative use-conditions, are the main drawbacks of Akenti.

Two relevant proposals for access control to XML documents are the Author-X system [16] and the FASTER project [17]. They differ from our proposal in that both systems have been developed specifically for XML documents, as opposed to the general definition of resource used in this work. However, they share some features with our solution. While the Author-X policy language uses Document Type Definitions (DTDs) [18], our Semantic Policy Language (SPL) and FASTER use XML Schema [19], the W3C successor of DTDs. Author-X is based on credentials that are issued by the access control administrator. Therefore, in practice, each credential will be useful only for a single source, limiting interoperability. A direct consequence of this approach is that users must subscribe to sources before they can access their contents. In contrast, in our Semantic Access Control Model (SAC) we have semantically integrated a Privilege Management Infrastructure that is responsible for issuing digitally signed attribute certificates.

Different XML-based languages have been proposed for access control, digital rights management, authentication and authorization. Although many similarities and interesting features can be found among them, some other features, such as policy parameterisation and composition, are not supported. Moreover, some features provided by those languages are not appropriate in heterogeneous and dynamic scenarios. The most relevant is XACML [20], an OASIS standard that proposes two XML-based languages to describe access control policies and access decision requests and responses. Although XACML and SAC share some similarities, there are important differences, such as:

o In the XACML specification the term attribute is used in place of the terms group and role. In SAC, the term attribute is generic, and can be used to represent any kind of property of the access requester (application, web service, user) or of the resource to be accessed.

o Separate XACML policies can be combined into a single policy. XACML provides means to specify precise procedures for combining the results of the evaluation of the basic policies. The rule-combining algorithm defines a procedure for arriving at an authorization decision given the individual results of evaluating a set of rules. Some predefined algorithms are included: deny-overrides, permit-overrides, first-applicable and only-one-applicable. In summary, policy composition in XACML is limited to the combination of partial access decisions. On the other hand, SAC policies are built on the basis of the semantics of the access control criteria. Consequently, the composition of different access control policies is performed on the basis of the semantics of these policies, allowing a rich combination of access criteria, not only of partial access decisions.

o Allocation of policies to resources in XACML is explicit and static. In contrast, SAC defines a mechanism for the dynamic allocation of policies to resources, based on the semantics of the latter.

o XACML provides facilities for content-based access when the information resource can be represented as an XML document. SAC supports content-based access naturally, imposing no restriction on the format: every kind of resource (a physical resource, a digital document in any format) can have an associated document describing its semantics.

o The architecture of XACML is one of its main contributions. XACML proposes a very flexible scheme based on the definition of Policy Enforcement Points (PEPs), Policy Decision Points (PDPs), etc. The fully distributed and open approach of SAC means that PEPs and PDPs can be included without any modification of the SAC model. As in the case of XACML, SAC policies may be written and analyzed independently of the specific environment in which they are to be enforced.

o Finally, the SAC model considers the execution of some actions during the enforcement of the access request, therefore providing full support for Provisional-Based Access Control (PBAC). XACML only supports a predefined set of these actions.

An additional advantage of SAC is that semantic and contextual validation of policies is made possible.


    6 Conclusions and Future Work

RBAC is commonly accepted as the most appropriate paradigm for the implementation of access control in complex scenarios. However, very dynamic environments with a high volume of heterogeneous data require more flexible constructions for the expression and management of access control policies. Furthermore, traditional access control schemes are not suitable for scenarios where the local registration and authorization of users is not appropriate. As a consequence, we can conclude that a different approach is required in order to solve the scalability problems of these systems, to facilitate access control management and to provide means to express access conditions in a natural and flexible way. Distributed authorization infrastructures (PMIs) can be very useful for solving these problems, but in this case a mechanism to establish trust between the PMI and the access control system is required. Finally, access control models must be designed to facilitate and guarantee the correct administration of the system.

The Semantic Access Control (SAC) model presented in this paper provides an appropriate solution to the aforementioned problems, especially for heterogeneous, distributed and large environments. The SAC model can easily simulate the MAC, DAC and RBAC models. To facilitate the definition and management of policies, we have taken an approach based on the modular definition of policies that can be composed without ambiguity. The SPL language is based on semantic properties of the resources to be accessed, the PMI and the context. These semantics are used during the specification of access control criteria, dynamic policy allocation, parameter instantiation and policy validation. Additionally, means for the integration of an external PMI supported by semantic information about the certification entities have been proposed.

    References

1. Samarati, P., De Capitani di Vimercati, S.: Access Control: Policies, Models, and Mechanisms. In FOSAD 2000. LNCS 2171, pp. 137-196, 2001.

2. Baraani, A., Pieprzyk, J., Safavi-Naini, R.: Security In Databases: A Survey Study. http://citeseer.nj.nec.com/baraani-dastjerdi96security.html. 1996.

3. Qian, X., Lunt, T.F.: A MAC policy framework for multilevel relational databases. IEEE Transactions on Knowledge and Data Engineering, 8(1):1-14. February 1996.

4. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-Based Access Control Models. IEEE Computer, 29(2): pp. 38-47. 1996.

5. Baldwin, R.W.: Naming and Grouping Privileges to Simplify Security Management in Large Databases. Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, pp. 61-70, Oakland, CA, April 1990.

6. Osborn, S., Sandhu, R., Munawer, Q.: Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies. ACM Transactions on Information and System Security, 3(2) pp. 85-106. 2000.

7. Sandhu, R., Ferraiolo, D., Kuhn, R.: The NIST Model for Role-Based Access Control: Towards a Unified Standard. Proceedings of the fifth ACM Workshop on Role-based Access Control. pp. 47-63. 2000.

8. Yagüe, M.I., Maña, A., López, J., Troya, J.M.: Applying the Semantic Web Layers to Access Control. Proc. Int. Workshop on Web Semantics, DEXA 2003. IEEE Computer Society Press. September 2003.

9. Sundsted, T.: With Liberty and single sign-on for all. The Liberty Alliance Project seeks to solve the current online identity crisis. Available at http://www.javaworld.com/javaworld/jw-02-2002/jw-0215-liberty_p.html, 2002.

10. ITU-T Recommendation X.509: Information Technology - Open systems interconnection - The Directory: Public-key and attribute certificate frameworks. Available at http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509

11. Yagüe, M.I.: Modelo basado en Metadatos para la Integración Semántica en Entornos Distribuidos. Aplicación al Escenario de Control de Accesos. Ph.D. dissertation. Computer Science Department, University of Málaga.

12. Kudo, M., Hada, S.: XML Document Security based on Provisional Authorisation. 7th ACM Conference on Computer and Communications Security. 2000.

13. Yagüe, M.I., Maña, A., López, J., Pimentel, E., Troya, J.M.: A Secure Solution for Commercial Digital Libraries. Online Information Review Journal, 27(3), 147-159. 2003.

14. Thompson, M., et al.: Certificate-based Access Control for Widely Distributed Resources. Eighth USENIX Security Symposium. 1999.

15. Chadwick, D.W.: An X.509 Role-based Privilege Management Infrastructure. Global Infosecurity. 2002.

16. Bertino, E., Castano, S., Ferrari, E.: Securing XML documents with Author-X. IEEE Internet Computing, 5(3):21-31, May/June 2001.

17. Damiani, E., De Capitani di Vimercati, S., Paraboschi, S., Samarati, P.: A Fine-Grained Access Control System for XML Documents. In ACM Transactions on Information and System Security (TISSEC), vol. 5, n. 2, May 2002, pp. 169-202.

18. World Wide Web Consortium: Guide to the W3C XML Specification ("XMLspec") DTD, Version 2.1. http://www.w3.org/XML/1998/06/xmlspec-report.htm

19. World Wide Web Consortium: XML-Schema. http://www.w3.org/XML/Schema

20. OASIS: XACML 1.1 Specification Set. Available at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml. 2003.


Appendix A. Conceptual models of the SAC components

Conceptual model of SPL (UML class diagram; only the class names, their attributes and the association multiplicities survive in this transcript)

Classes: Policy (+PolicyDescription[0..1], +PolicyID[0..1]); LocalPolicy; ImportedPolicy; Import (+URL, +XPath); SOA_ID; LocalSOA_ID; ImportedSOA_ID; AccessRulesParameter; LocalAccessRules; ImportedAccessRules; AccessRule (+Name[0..1], +Public[0..1] = "true", +ValidFrom[0..1], +ValidUntil[0..1]); LocalAccessRule; ImportedAccessRule; Action; AttributeSet (-AttributeSetDescription, -AttributeSetID, -AttributeSetName); LocalAttributeSet; ImportedAttributeSet; Attribute (+AttributeDescription[0..1], +AttributeID[0..1], +Equivalence[0..1] = "Enabled", +Predicate[0..1] = "Equals", ...); AttributeName; LocalAttributeName; ImportedAttributeName; AttributeValue; LocalAttributeValue; ImportedAttributeValue.

Association multiplicities shown: 0..*, 1..*.

Conceptual model of PAS

Classes: PAS; Policy (+PolicyDescription[0..1], +PolicyID[0..1]); Condition (+Predicate[0..1] = "Equals"); Object; ObjectLocation; PropertyName; PropertyValue; Instantiation; Operation; Parameter; FormalParameter; ActualParameter.

Association multiplicities shown: 0..*.

Conceptual model of SRR

Classes: SRR; Resource (-XPath); Property (+Predicate[0..1] = "Equals"); PropertyName; PropertyValue.

Association multiplicities shown: 1..*.

Conceptual model of SOAD

Classes: SOAD; SOA_ID; ACDeclarations; ACRelations; SOAAttributeSet; SOAAttribute (+Predicate[0..1] = "Equals", ...); AttributeName; AttributeValue; SOARule; Relation.

Association multiplicities shown: 0..1, 1..*.


    Appendix B. Pseudo-code of the semantic validation algorithms

Test-case Validation algorithm

Input:
    Resource, resource requested for the access
    CCA, set of Attribute Certificates
Output:
    Display Report
Process:
    P = Generate_Policy(Resource)
        (* returns a composed and instantiated policy from all policies defined for Resource *)
    L = Generate_Compatible(CCA)
        (* returns a list of sets of attribute certificates compatible with CCA *)
    WHILE L.notEmpty() DO
        CA = L.first
        L = L.next
        Report(CA, P)
    ENDWHILE

Report algorithm

Input:
    CCA, set of Attribute Certificates
    P, composed and instantiated policy
Output:
    Display Report
Process:
    FOR EACH AccessRule IN P DO
        FOR EACH AttributeSet IN AccessRule DO
            IF AttributeSet ⊆ CCA THEN
                Write("Access granted by the rule ", AccessRule.Name,
                      " AttributeSet: ", AttributeSet.Name,
                      " With conditions to execute the Actions: ", AccessRule.Action)
            ENDIF
        ENDFOR
    ENDFOR


Generate_Compatible_List algorithm

Input:
    CCA, original set of Attribute Certificates
    TrustedSOADs, SOADs trusted by the administrator
Output:
    CIC, set of classes of Attribute Certificates consistent with the input CCA
Process:
    CIC = ∅
    FOR EACH bi IN TrustedSOADs DO
        IF bi is consistent with CCA according to TrustedSOADs THEN
            CIC = CIC ∪ {bi}
        ENDIF
    ENDFOR
    RETURN (CIC)

Generate_Compatible algorithm

Input:
    CCA, original set of classes of Attribute Certificates
Output:
    LIC, list of sets of classes of Attribute Certificates consistent with the input CCA
Process:
    LIC = Empty_List()
    Compat = Generate_Compatible_List(CCA)
        (* the list of certificate classes not excluded by CCA *)
    FOR EACH bj IN Compat DO
        IF bj ∉ CCA THEN
            Incompat = { I ⊆ CCA : I is incompatible with bj according to TrustedSOADs }
                (* Incompat: list of Ik, each Ik a subset of CCA certificates incompatible with bj *)
            IF Incompat ≠ ∅ THEN
                FOR EACH Ik IN Incompat DO
                    LIC.Add(Generate_Compatible((CCA ∖ Ik) ∪ {bj}))
                ENDFOR
            ELSE (* bj is compatible with all of CCA: add it *)
                CCA = CCA ∪ {bj}
            ENDIF
        ENDIF
    ENDFOR
    LIC.Add(CCA)
    RETURN (LIC)


Access Validation algorithm

Input:
    Resource, resource requested for the access
Output:
    CAExpression, expression of attribute certificates joined by AND and OR operators
Process:
    P = Generate_Policy(Resource)
        (* returns a composed and instantiated policy from all policies defined for Resource *)
    CAExpression = Generate_CAExpr(P)
    Generated = ∅
    CAExpression = Generate_Acceptable_Certificates(CAExpression, Generated)
    CAExpression.Reduce()
        (* De Morgan's laws to reduce the expression *)
    RETURN (CAExpression)

Generate_CAExpr algorithm

Input:
    P, policy for the resource
Output:
    CAExpression, expression with the combinations of attribute certificates of the policy P
Process:
    CAExpression = Empty_Expression()
    FOR EACH AccessRule IN P DO
        FOR EACH AttributeSet IN AccessRule DO
            Comb = Empty_Expression()
            FOR EACH Attribute IN AttributeSet DO
                Comb.Add_AND(Attribute)
            ENDFOR
            CAExpression.Add_OR(Comb)
        ENDFOR
    ENDFOR
    RETURN (CAExpression)


Generate_Acceptable_Certificates_Attr algorithm

Input:
    Attribute, attribute for which we are looking for compatible attributes
    Generated, set of attributes already generated
    TrustedSOADs, SOADs trusted by the administrator
Output:
    CAExpression, expression with combinations of attribute certificates accepted in addition to the input ones (the input attributes can be derived from them)
    Generated, set of attributes already generated
Process:
    (* A SOA rule is a sentence by a SOA stating the relationship between two classes of attributes a and b: a logical_operator b *)
    CAExpression = Empty_Expression()
    CAExpression.Add_OR(Attribute)
    Generated = Generated ∪ {Attribute}
    FOR EACH SOARule IN TrustedSOADs DO
        IF Attribute ∈ SOARule.BODY() THEN
            CAExpression.Add_OR(Generate_Acceptable_Certificates(SOARule.HEAD(), Generated))
        ENDIF
    ENDFOR
    RETURN (CAExpression)

Generate_Acceptable_Certificates algorithm

Input:
    CAExpression, expression with combinations of attribute certificates
    Generated, set of attributes already generated
Output:
    CAExpression, expression with the combinations of attribute certificates acceptable besides the input ones (i.e. they allow the derivation of the input attributes from them)
    Generated, set of attributes already generated
Process:
    FOR EACH Attribute IN CAExpression DO
        IF (Attribute.Equivalence) AND (Attribute ∉ Generated) THEN
            CAExpression.SubstituteNodes(Attribute, Generate_Acceptable_Certificates_Attr(Attribute, Generated))
        ENDIF
    ENDFOR
    RETURN (CAExpression)


Full Validation algorithm

Input:
    CCA, set of attribute certificates
Output:
    Display report
Process:
    L = Generate_Derived(CCA)
        (* returns the set of attributes derived from the input CCA *)
    FOR EACH Resource DO
        P = Generate_Policy(Resource)
        Report(L, P)
    ENDFOR

Generate_Derived algorithm

Input:
    CCA, set of attribute certificates
    TrustedSOADs, SOADs trusted by the administrator
Output:
    CIC, set of classes of attribute certificates which can be derived from CCA
Process:
    CIC = CCA
    Derived = { I : I is derivable from CIC according to TrustedSOADs }
    WHILE Derived ⊄ CIC DO
        CIC = CIC ∪ Derived
        Derived = { I : I is derivable from CIC according to TrustedSOADs }
    ENDWHILE
    RETURN (CIC)
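As an added example (not the authors' code), the following Python models the Generate_Derived, Report, Full Validation, Generate_CAExpr and Access Validation algorithms of this appendix over constructed data. It assumes that a SOA rule is a simple implication from a set of body attributes to one head attribute and that the policy for each resource is already composed; the SOAD incompatibility relations used by Test Case Validation are not modelled.

```python
"""Toy model of the Appendix B validation algorithms (added example, not the
authors' code).  Certificates are attribute names; a SOA rule is a constructed
implication body-set -> head; a policy is a list of access rules, each holding
alternative attribute sets (any one set fully held grants access)."""
from typing import Dict, FrozenSet, List, Set, Tuple

Rule = Tuple[FrozenSet[str], str]               # (body attributes, head)
AccessRule = Tuple[str, List[FrozenSet[str]]]   # (rule name, attribute sets)

# Constructed sample data standing in for the trusted SOADs and for the
# policy that Generate_Policy would compose for each resource.
TRUSTED_SOADS: List[Rule] = [
    (frozenset({"Professor"}), "Staff"),
    (frozenset({"PhDStudent"}), "Student"),
    (frozenset({"Staff", "ExamBoard"}), "MarksReader"),
]
POLICIES: Dict[str, List[AccessRule]] = {
    "marks.xml": [("MarksRule", [frozenset({"MarksReader"})])],
    "syllabus.pdf": [("ReadRule", [frozenset({"Student"}), frozenset({"Staff"})])],
}

def generate_derived(cca: Set[str]) -> Set[str]:
    """Generate_Derived: fixpoint closure of CCA under the trusted SOA rules."""
    cic = set(cca)
    while True:
        derived = {head for body, head in TRUSTED_SOADS if body <= cic}
        if derived <= cic:                  # WHILE Derived not a subset of CIC
            return cic
        cic |= derived

def report(ca: Set[str], policy: List[AccessRule]) -> List[Tuple[str, FrozenSet[str]]]:
    """Report: the (rule name, attribute set) pairs of the policy satisfied by CA."""
    return [(name, aset) for name, sets in policy for aset in sets if aset <= ca]

def full_validation(cca: Set[str]) -> Dict[str, List[str]]:
    """Full Validation: which resources the derived closure of CCA can access."""
    held = generate_derived(cca)
    return {res: [name for name, _ in report(held, pol)]
            for res, pol in POLICIES.items() if report(held, pol)}

def generate_caexpr(policy: List[AccessRule]) -> List[FrozenSet[str]]:
    """Generate_CAExpr: OR over rules of AND over each attribute set, as DNF."""
    return [aset for _, sets in policy for aset in sets]

def access_validation(resource: str) -> List[FrozenSet[str]]:
    """Access Validation: every certificate set granting access, including the
    sets from which a required attribute can be derived through SOA rules (the
    SubstituteNodes step of Generate_Acceptable_Certificates)."""
    expr = generate_caexpr(POLICIES[resource])
    changed = True
    while changed:                  # terminates: finitely many distinct sets
        changed = False
        for aset in list(expr):
            for body, head in TRUSTED_SOADS:
                alt = (aset - {head}) | body
                if head in aset and alt not in expr:
                    expr.append(alt)
                    changed = True
    return expr
```

Running full_validation on {"Student"} shows the appendix's motivating check: the student reaches syllabus.pdf but never marks.xml, while access_validation("marks.xml") lists the three certificate sets that would.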