Publication


Featured research published by Moritz Y. Becker.


IEEE International Workshop on Policies for Distributed Systems and Networks | 2004

Cassandra: distributed access control policies with tunable expressiveness

Moritz Y. Becker; Peter Sewell

We study the specification of access control policy in large-scale distributed systems. Our work on real-world policies has shown that standard policy idioms such as role hierarchy or role delegation occur in practice in many subtle variants. A policy specification language should therefore be able to express this variety of features smoothly, rather than add them as specific features in an ad hoc way, as is the case in many existing languages. We present Cassandra, a role-based trust management system with an elegant and readable policy specification language based on Datalog with constraints. The expressiveness (and computational complexity) of the language can be adjusted by choosing an appropriate constraint domain. With just five special predicates, we can easily express a wide range of policies including role hierarchy, role delegation, separation of duties, cascading revocation, automatic credential discovery and trust negotiation. Cassandra has a formal semantics for query evaluation and for the access control enforcement engine. We use a goal-oriented distributed policy evaluation algorithm that is efficient and guarantees termination. Initial performance results for our prototype implementation have been promising.


IEEE Computer Security Foundations Symposium | 2004

Cassandra: flexible trust management, applied to electronic health records

Moritz Y. Becker; Peter Sewell

We study the specification of access control policy in large-scale distributed systems. We present Cassandra, a language and system for expressing policy, and the results of a substantial case study, a security policy for a national electronic health record system, based on the requirements for the ongoing UK National Health Service procurement exercise. Cassandra policies are expressed in a language based on Datalog with constraints. The expressiveness of the language (and its computational complexity) can be tuned by choosing an appropriate constraint domain. Cassandra is role-based; it supports credential-based access control (e.g. between administrative domains); and rules can refer to remote policies (for automatic credential retrieval and trust negotiation). Moreover, the policy language is small, and it has a formal semantics for query evaluation and for the access control engine. For the case study we choose a constraint domain C₀ that is sufficiently expressive to encode many policy idioms. The case study turns out to require many subtle variants of these; it is important to express this variety smoothly, rather than add them as ad hoc features. By ensuring only a constraint compact fragment of C₀ is used, we guarantee a finite and computable fixed-point model. We use a top-down evaluation algorithm, for efficiency and to guarantee termination. The case study (with some 310 rules and 58 roles) demonstrates that this language is expressive enough for a real-world application; preliminary results suggest that the performance should be acceptable.


IEEE Computer Security Foundations Symposium | 2007

Design and Semantics of a Decentralized Authorization Language

Moritz Y. Becker; Cédric Fournet; Andrew D. Gordon

We present a declarative authorization language that strikes a careful balance between syntactic and semantic simplicity, policy expressiveness, and execution efficiency. The syntax is close to natural language, and the semantics consists of just three deduction rules. The language can express many common policy idioms using constraints, controlled delegation, recursive predicates, and negated queries. We describe an execution strategy based on translation to datalog with constraints, and table-based resolution. We show that this execution strategy is sound, complete, and always terminates, despite recursion and negation, as long as simple syntactic conditions are met.


Digital Identity Management | 2010

SecPAL: Design and semantics of a decentralized authorization language

Moritz Y. Becker; Cédric Fournet; Andrew D. Gordon

We present a declarative authorization language. Policies and credentials are expressed using predicates defined by logical clauses, in the style of constraint logic programming. Access requests are mapped to logical authorization queries, consisting of predicates and constraints combined by conjunctions, disjunctions, and negations. Access is granted if the query succeeds against the current database of clauses. Predicates ascribe rights to particular principals, with flexible support for delegation and revocation. At the discretion of the delegator, delegated rights can be further delegated, either to a fixed depth, or arbitrarily deeply. Our language strikes a careful balance between syntactic and semantic simplicity, policy expressiveness, and execution efficiency. The syntax is close to natural language, and the semantics consists of just three deduction rules. The language can express many common policy idioms using constraints, controlled delegation, recursive predicates, and negated queries. We describe an execution strategy based on translation to Datalog with Constraints, and table-based resolution. We show that this execution strategy is sound, complete, and always terminates, despite recursion and negation, as long as simple syntactic conditions are met.
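
As an added illustration (not SecPAL, not Cassandra, and not code from any of the papers listed here), the following Python evaluator shows the two mechanics the Cassandra and SecPAL abstracts above describe: Datalog-style conditional assertions (here a role hierarchy feeding an access rule) and delegation whose re-delegation depth is bounded, either to depth 0 (the delegate must prove the fact itself) or unbounded. The deduction rules are a simplification chosen for this example rather than the languages' own; the resource guard "Hospital", the principals, the predicates, the fixed two-argument shape of facts and every fact are constructed.

```python
"""Toy Datalog-style authorization evaluator with bounded-depth delegation.

Added illustration only: this is not SecPAL or Cassandra code. The
deduction rules are a simplification chosen for this example, and every
principal, predicate and fact below is constructed.
"""
INF = float("inf")  # unbounded re-delegation


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def match(pattern, atom, env):
    """One-way match of a rule atom (may contain ?vars) against a ground fact."""
    if len(pattern) != len(atom):
        return None
    env = dict(env)
    for p, a in zip(pattern, atom):
        if is_var(p):
            if env.setdefault(p, a) != a:
                return None
        elif p != a:
            return None
    return env


def subst(pattern, env):
    return tuple(env.get(t, t) if is_var(t) else t for t in pattern)


def match_body(body, facts, env):
    """All bindings under which every body atom is a known fact."""
    if not body:
        yield env
        return
    for fact in facts:
        env2 = match(body[0], fact, env)
        if env2 is not None:
            yield from match_body(body[1:], facts, env2)


def evaluate(facts, rules, delegations):
    """Naive bottom-up fixpoint.

    facts:       set of (issuer, pred, x, y), read "issuer says pred(x, y)"
                 (the fixed two-argument shape is an assumption of this toy)
    rules:       list of (head, body): "issuer says head if body"
    delegations: set of (issuer, depth, delegate, pred), read
                 "issuer says delegate can say_depth pred(*, *)";
                 depth 0 forbids re-delegation, INF allows it
    """
    direct = set(facts)    # provable without using any delegation
    derived = set(facts)   # provable at all
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            for env in list(match_body(body, derived, {})):
                new = subst(head, env)
                if new not in derived:
                    derived.add(new)
                    changed = True
                # a conclusion is direct only if every premise was
                if new not in direct and all(subst(b, env) in direct for b in body):
                    direct.add(new)
                    changed = True
        for issuer, depth, delegate, pred in delegations:
            # depth 0: accept only what the delegate proves without delegating
            source = direct if depth == 0 else derived
            for iss, p, x, y in list(source):
                if iss == delegate and p == pred and (issuer, pred, x, y) not in derived:
                    derived.add((issuer, pred, x, y))
                    changed = True
    return derived


# Constructed policy of a hypothetical resource guard "Hospital".
RULES = [
    # role hierarchy: every Consultant is also a Clinician
    (("Hospital", "hasRole", "?u", "Clinician"),
     [("Hospital", "hasRole", "?u", "Consultant")]),
    # access needs a (possibly delegated) read grant plus the Clinician role
    (("Hospital", "access", "?u", "?rec"),
     [("Hospital", "read", "?u", "?rec"),
      ("Hospital", "hasRole", "?u", "Clinician")]),
]
DELEGATIONS = {
    ("Hospital", INF, "Dept_Head", "read"),   # Dept_Head may re-delegate
    ("Dept_Head", 0, "Dr_Smith", "read"),     # Dr_Smith may not
    ("Dr_Smith", 0, "Nurse_Lee", "read"),     # Dr_Smith tries anyway
}
FACTS = {
    ("Hospital", "hasRole", "Dr_Smith", "Consultant"),
    ("Hospital", "hasRole", "Nurse_Lee", "Clinician"),
    ("Dr_Smith", "read", "Dr_Smith", "record_42"),
    ("Nurse_Lee", "read", "Nurse_Lee", "record_42"),
}


def decide(user, rec):
    """Does the guard conclude 'Hospital says access(user, rec)'?"""
    return ("Hospital", "access", user, rec) in evaluate(FACTS, RULES, DELEGATIONS)


if __name__ == "__main__":
    print(decide("Dr_Smith", "record_42"))   # True: Hospital -> Dept_Head -> Dr_Smith
    print(decide("Nurse_Lee", "record_42"))  # False: a depth-0 grant was re-delegated
```

The point to check is the second call: Dr_Smith does assert read(Nurse_Lee, record_42) in his own view, but Dept_Head granted him depth 0, so only facts he proves without delegating reach Dept_Head and, through the unbounded grant, Hospital. Tracking "provable without delegation" separately from "provable at all" is what makes the depth bound enforceable in a bottom-up evaluator.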


IEEE Computer Security Foundations Symposium | 2009

Specification and Analysis of Dynamic Authorisation Policies

Moritz Y. Becker

This paper presents a language, based on transaction logic, for specifying dynamic authorisation policies, i.e., rules governing actions that may depend on and update the authorisation state. The language is more expressive than previous dynamic authorisation languages, featuring conditional bulk insertions and retractions of authorisation facts, non-monotonic negation, and nested action definitions with transactional execution semantics. Two complementary policy analysis methods are also presented, one based on AI planning for verifying reachability properties in finite domains, and the second based on automated theorem proving, for checking policy invariants that hold for all sequences of actions and in arbitrary, including infinite, domains. The combination of both methods can analyse a wide range of security properties, including safety, availability and containment.


International Journal of Medical Informatics | 2007

Information governance in NHS's NPfIT: A case for policy specification

Moritz Y. Becker

PURPOSE: The National Health Service's (NHS's) National Programme for Information Technology (NPfIT) in the UK, with its proposed nation-wide online health record service, poses serious technical challenges, especially with regard to access control and patient confidentiality. The complexity of the confidentiality requirements and their constantly evolving nature (due to changes in law, guidelines and ethical consensus) make traditional technologies such as role-based access control (RBAC) unsuitable. Furthermore, a more formal approach is also needed for debating about and communicating on information governance, as natural-language descriptions of security policies are inherently ambiguous and incomplete. Our main goal is to convince the reader of the strong benefits of employing formal policy specification in nation-wide electronic health record (EHR) projects.

APPROACH: Many difficulties could be alleviated by specifying the requirements in a formal authorisation policy language such as Cassandra. The language is unambiguous, declarative and machine-enforceable, and is based on distributed constrained Datalog. Cassandra is interpreted within a distributed Trust Management environment, where digital credentials are used for establishing mutual trust between strangers.

RESULTS: To demonstrate how policy specification can be applied to NPfIT, we translate a fragment of natural-language NHS specification into formal Cassandra rules. In particular, we present policy rules pertaining to the management of Clinician Sealed Envelopes, the mechanism by which clinical patient data can be concealed in the nation-wide EHR service. Our case study exposes ambiguities and incompletenesses in the informal NHS documents.

CONCLUSIONS: We strongly recommend the use of trust management and policy specification technology for the implementation of nation-wide EHR infrastructures. Formal policies can be used for automatically enforcing confidentiality requirements, but also for specification and communication purposes. Formalising the requirements also reveals ambiguities and missing details in the currently used informal specification documents.


Practical Aspects of Declarative Languages | 2008

The role of abduction in declarative authorization policies

Moritz Y. Becker; Sebastian Nanz

Declarative authorization languages promise to simplify the administration of access control systems by allowing the authorization policy to be factored out of the implementation of the resource guard. However, writing a correct policy is an error-prone task by itself, and little attention has been given to tools and techniques facilitating the analysis of complex policies, especially in the context of access denials. We propose the use of abduction for policy analysis, for explaining access denials and for automated delegation. We show how a deductive policy evaluation algorithm can be conservatively extended to perform abduction on Datalog-based authorization policies, and present soundness, completeness and termination results.


European Symposium on Research in Computer Security | 2007

A logic for state-modifying authorization policies

Moritz Y. Becker; Sebastian Nanz

We present a logic for specifying policies where access requests can have effects on the authorization state. The logic is semantically defined by a mapping to Transaction Logic. Using this approach, updates to the state are factored out of the resource guard, thus enhancing maintainability and facilitating more expressive policies that take the history of access requests into account. We also present a sound and complete proof system for reasoning about sequences of access requests. This gives rise to a goal-oriented algorithm for finding minimal sequences that lead to a specified target authorization state.
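
As an added illustration (not the paper's logic, language or tools), the following Python example models a small state-modifying policy in the way the two abstracts above describe: each action has a precondition evaluated against the current authorization state and effects that retract and insert facts atomically, and a finite-domain reachability search returns a minimal action sequence that reaches a state violating a safety property. The payment-approval policy, the principals, the domain and the bug (a promoted clerk keeps the clerk role and the approval rule never checks who submitted) are all constructed; the search is a plain breadth-first search, not the paper's proof system.

```python
"""Reachability analysis of a state-modifying authorization policy.

Added illustration, not the paper's language or tools: actions are
STRIPS-style (precondition, add list, delete list) over a finite domain,
and breadth-first search finds a shortest sequence of actions reaching
a state that violates a safety property. All names are constructed.
"""
from collections import deque
from itertools import product

DOMAIN = {"principal": ["ann", "bob", "root"], "payment": ["pay1"]}


def holds(pattern, state):
    """Is there a fact in state matching pattern ('*' matches anything)?"""
    return any(len(f) == len(pattern)
               and all(p == "*" or p == x for p, x in zip(pattern, f))
               for f in state)


def ground(pattern, env):
    return tuple(env.get(t, t) for t in pattern)


def groundings(policy):
    """Every action paired with every type-correct binding of its parameters."""
    for action in policy:
        names = [v for v, _ in action["params"]]
        for values in product(*(DOMAIN[t] for _, t in action["params"])):
            yield action, dict(zip(names, values))


def applicable(action, env, state):
    if not action.get("constraint", lambda e: True)(env):
        return False
    return (all(holds(ground(p, env), state) for p in action["pre"])
            and not any(holds(ground(n, env), state) for n in action["neg"]))


def step(action, env, state):
    """Transactional update: the precondition was checked on the old state,
    then all retractions and insertions take effect together."""
    new = set(state) - {ground(d, env) for d in action["del"]}
    new |= {ground(a, env) for a in action["add"]}
    return frozenset(new)


def shortest_sequence(policy, initial, goal, max_len=6):
    """BFS over authorization states: a minimal action sequence reaching goal, or None."""
    queue, seen = deque([(initial, [])]), {initial}
    while queue:
        state, plan = queue.popleft()
        if goal(state):
            return plan
        if len(plan) == max_len:
            continue
        for action, env in groundings(policy):
            if applicable(action, env, state):
                nxt = step(action, env, state)
                if nxt not in seen:
                    seen.add(nxt)
                    args = tuple(env[v] for v, _ in action["params"])
                    queue.append((nxt, plan + [(action["name"], args)]))
    return None


# Constructed policy: clerks submit payments, managers approve them.
SUBMIT = {"name": "submit", "params": [("?u", "principal"), ("?p", "payment")],
          "pre": [("role", "?u", "clerk")], "neg": [("submitted", "?p", "*")],
          "add": [("submitted", "?p", "?u")], "del": []}
PROMOTE = {"name": "promote", "params": [("?a", "principal"), ("?u", "principal")],
           "pre": [("role", "?a", "admin"), ("role", "?u", "clerk")], "neg": [],
           "add": [("role", "?u", "manager")], "del": []}   # bug: clerk role is kept
APPROVE_WEAK = {"name": "approve", "params": [("?u", "principal"), ("?p", "payment")],
                "pre": [("role", "?u", "manager"), ("submitted", "?p", "*")],
                "neg": [("approved", "?p", "*")],
                "add": [("approved", "?p", "?u")], "del": []}
# Hardened variant: the approver must differ from the submitter.
APPROVE_SOD = dict(APPROVE_WEAK,
                   params=APPROVE_WEAK["params"] + [("?s", "principal")],
                   pre=[("role", "?u", "manager"), ("submitted", "?p", "?s")],
                   constraint=lambda env: env["?s"] != env["?u"])

WEAK_POLICY = [SUBMIT, PROMOTE, APPROVE_WEAK]
SOD_POLICY = [SUBMIT, PROMOTE, APPROVE_SOD]
INITIAL = frozenset({("role", "root", "admin"), ("role", "ann", "clerk"),
                     ("role", "bob", "manager")})


def sod_violated(state):
    """Safety property: nobody approves a payment they submitted themselves."""
    return any(f[0] == "submitted" and ("approved", f[1], f[2]) in state for f in state)


if __name__ == "__main__":
    print(shortest_sequence(WEAK_POLICY, INITIAL, sod_violated))  # 3-step violation
    print(shortest_sequence(SOD_POLICY, INITIAL, sod_violated))   # None
```

Against the weak policy the search returns a three-action sequence (root promotes ann, ann submits, ann approves); against the hardened approve rule no violating state is reachable in the domain, which is the finite-domain "safety" check in the sense of the abstracts. Exhaustive search only scales to small domains; that is why the 2009 paper pairs planning with theorem proving for invariants over arbitrary domains.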


IEEE International Symposium on Policies for Distributed Systems and Networks | 2009

Abductive Authorization Credential Gathering

Moritz Y. Becker; Jason F. MacKay; Blair B. Dillaway

A central task in the context of logic-based decentralized authorization languages is that of gathering credentials from credential providers, required by the resource guard’s policy to grant a user’s access request. This paper presents an abduction-based algorithm that computes a specification of missing credentials without communicating with remote credential providers. The specification is used to gather credentials from credential providers in a single pass, without involving any communication with the resource guard. The credentials gathered thus are pushed to the resource guard at authorization time. This approach decouples authorization from credential gathering, and, in comparison to server-side pull methods, reduces the number of messages sent between participants, and allows for environments in which some credential providers are unknown or unavailable to the resource guard at authorization time.
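
As an added illustration (not the algorithm or implementation from either of the two abduction papers above), the following Python example runs a top-down resolver over a Datalog-style policy, extended so that atoms of "abducible" predicates, meaning credentials that some provider could still issue, may be assumed rather than proved. For a denied request it returns the subset-minimal sets of missing credentials, which is the kind of specification a client could take to credential providers in one pass before pushing the results to the guard. Termination here relies on a rule-depth bound rather than the tabling the papers use; the policy, facts and predicate names are constructed.

```python
"""Abduction over a Datalog-style authorization policy: which missing
credentials would make a denied request succeed?

Added illustration, not the papers' algorithm: a plain top-down resolver
with a rule-depth bound, extended so that atoms of "abducible"
predicates may be assumed instead of proved. All names are constructed.
"""
from itertools import count

_fresh = count()


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def walk(t, env):
    while is_var(t) and t in env:
        t = env[t]
    return t


def unify(a, b, env):
    """Unify two atoms under env; return the extended env or None."""
    if len(a) != len(b):
        return None
    env = dict(env)
    for x, y in zip(a, b):
        x, y = walk(x, env), walk(y, env)
        if x == y:
            continue
        if is_var(x):
            env[x] = y
        elif is_var(y):
            env[y] = x
        else:
            return None
    return env


def subst(atom, env):
    return tuple(walk(t, env) for t in atom)


def rename(rule, n):
    """Fresh variable names for each use of a rule."""
    def r(t):
        return f"{t}_{n}" if is_var(t) else t
    head, body = rule
    return tuple(map(r, head)), [tuple(map(r, b)) for b in body]


def solve(goals, env, residue, facts, rules, abducible, depth):
    """Yield (env, residue) for every proof of goals; residue = assumed atoms."""
    if not goals:
        yield env, residue
        return
    goal, rest = goals[0], goals[1:]
    for fact in facts:                                # resolve against facts
        env2 = unify(goal, fact, env)
        if env2 is not None:
            yield from solve(rest, env2, residue, facts, rules, abducible, depth)
    if depth > 0:                                     # resolve against rules
        for rule in rules:
            head, body = rename(rule, next(_fresh))
            env2 = unify(goal, head, env)
            if env2 is not None:
                yield from solve(body + rest, env2, residue, facts, rules, abducible, depth - 1)
    if goal[0] in abducible:                          # or assume a missing credential
        yield from solve(rest, env, residue + [goal], facts, rules, abducible, depth)


def explain_denial(query, facts, rules, abducible, depth=8):
    """Subset-minimal credential sets that would make query succeed.
    A result containing only frozenset() means the query already succeeds."""
    candidates = set()
    for env, residue in solve([query], {}, [], facts, rules, abducible, depth):
        candidates.add(frozenset(subst(a, env) for a in residue))
    minimal = (c for c in candidates if not any(o < c for o in candidates))
    return sorted(minimal, key=sorted)


# Constructed guard policy: access needs a clinician certificate from a
# trusted organisation plus an assignment to the record.
FACTS = [("trusted_org", "nhs_trust"), ("trusted_org", "royal_college"),
         ("assigned", "record_42", "alice")]
RULES = [
    (("access", "?u", "?r"), [("clinician", "?u"), ("treating", "?u", "?r")]),
    (("clinician", "?u"), [("trusted_org", "?o"), ("cert", "?o", "?u", "clinician")]),
    (("treating", "?u", "?r"), [("assigned", "?r", "?u")]),
]
ABDUCIBLE = {"cert", "assigned"}   # credentials external providers can issue

if __name__ == "__main__":
    for s in explain_denial(("access", "alice", "record_42"), FACTS, RULES, ABDUCIBLE):
        print(sorted(s))   # one certificate from either trusted organisation
```

For alice the resolver finds that a single clinician certificate, from either trusted organisation, is enough; for bob it additionally lists the missing assignment. The minimality filter matters in practice: without it the residue also reports credentials the guard could already prove, which would send the client to providers it does not need.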


IEEE Computer Security Foundations Symposium | 2010

Information Flow in Credential Systems

Moritz Y. Becker

This paper proposes a systematic study of information flow in credential-based declarative authorization policies. It argues that a treatment in terms of information flow is needed to adequately describe, analyze and mitigate a class of probing attacks which allow an adversary to infer any confidential fact within a policy. Two information flow properties that have been studied in the context of state transition systems, non-interference and opacity, are reformulated in the current context of policy languages. A comparison between these properties reveals that opacity is the more useful, and more general of the two; indeed, it is shown that non-interference can be stated in terms of opacity. The paper then presents an inference system for non-opacity, or detectability, in Datalog-based policies. Finally, a pragmatic method is presented, based on a mild modification of the mechanics of delegation, for preventing a particularly dangerous kind of probing attack that abuses delegation of authority.

Collaboration

Top co-authors of Moritz Y. Becker:

Masoud Koleini, University of Birmingham
Nik Sultana, University of Cambridge
Peter Sewell, University of Cambridge