Access control systems often use rule-based frameworks to
express access policies. These frameworks not only simplify the representation
of policies, but also provide reasoning capabilities that can be used
to verify the policies. In this work, we propose to use defeasible reasoning
to simplify the specification of role-based access control policies and
make them modular and more robust. We use the Flora-2 rule-based
reasoner for representing a role-based access control policy. Our early
experiments show that the wide range of features provided by Flora-2
greatly simplifies the task of building the requisite ontologies and the
reasoning components for such access control systems.
RuleML2015: Representing Flexible Role-Based Access Control Policies Using Objects and Defeasible Reasoning
1. Representing Flexible Role-Based Access Control
Policies Using Objects and Defeasible Reasoning
Reza Basseda (1), Tiantian Gao (1), Michael Kifer (1),
Steven Greenspan (2), Charley Chell (2)
(1) Stony Brook University
(2) CA, Inc.
August 3, 2015
Michael Kifer (Stony Brook University) RBAC Using Objects and Defeasibility RuleML 2015 1 / 17
4. The Problem
Flexible Access Control
CA, Inc. wanted a resilient, customizable, maintainable access control
policy for managing its worldwide information resources
Customization to be done by security people, not programmers or
knowledge engineers
Rule systems are commonly used to specify access policies, but to
meet the requirements of customizability and maintainability we
identified three requirements:
Support for defeasible reasoning
Object-oriented features
Higher-order reasoning
Flora-2: satisfies all three requirements
9. Defeasible Reasoning
What is defeasible reasoning?
A type of non-monotonic reasoning
Priorities over conclusions.
Conclusions can be defeated by other conclusions.
Example of an access control policy:
Typically, every student is authorized to use every device
Those who have abused a device before lose access to that device.
John is a student and a printer is a device.
John is authorized to use a printer.
John has abused the printer.
The conclusion that John is authorized to use a printer is defeated.
General non-monotonic reasoning frameworks:
Circumscription.
Default logic.
Autoepistemic logic.
Negation as failure (of different kinds)
Not designed for making changes modular.
10. Defeasible Reasoning
Logic Programming with Defaults and Argumentation
Theories (LPDA)
Suitable theories come from the family of Defeasible Logics (Nute)
There are many different kinds. We use Logic Programming with
Defaults and Argumentation theories (LPDA).
Defaults, Exceptions with Prioritized rules, and Argumentation
Theories.
Easily adapts to frequent changes.
Itself is a family of logics that can be tailored to various needs.
11. Defeasible Reasoning
LPDA
Strict Rules vs. Defeasible Rules
L :- Body. // strict
@r L :- Body. // defeasible
Special predicates:
opposes.
Indicates which conclusions are incompatible with each other.
overrides.
Tells which rules have higher priorities.
Argumentation theory
Specifies the conditions under which incompatible conclusions defeat
each other.
12. Defeasible Reasoning
Example
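// Default: every principal is authorized to use every device.
@{id1} authorized(?Principal,?Dev) :-
    device(?Dev), principal(?Principal).
// Exception: a principal who abused a device is not authorized to use it.
@{id2} neg authorized(?Principal,?Dev) :-
    abused(?Principal,?Dev).
// The exception has priority over the default.
overrides(id2,id1).
opposes( authorized(?Principal,?Dev),
         neg authorized(?Principal,?Dev) ).
principal(Mary).
principal(John).
device(printer).
abused(John,printer).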
13. Policies with Objects and Defeasible Rules
Using Classes and Objects
Classes: Represent different resources and roles used by policies.
Semantic integrity constraints.
Guide policy development.
Subclasses behavior overrides that of classes
Mechanism similar to defeasibility, but simpler and works at the
structural level.
14. Policies with Objects and Defeasible Rules
Classes and Objects
Class Signatures in Flora-2
Person[|
firstName => string,
lastName => string
|].
Employee::Person[|
employmentYear => integer,
department => Department,
profession => string,
rank => Rank,
loc(?) => Location
|].
15. Policies with Objects and Defeasible Rules
Flexibility via Patching
Defeasible rules
Patching mechanism via defeasible reasoning:
Override default rules of a policy with new rules.
For instance, P might be a policy with a default rule
@r L :- Body.
Changing the policy by adding a more specific rule for certain cases:
@r' L' :- Body'.
overrides(r', r) :- Cond.
opposes(L, L').
When Cond holds, rule r' is used instead of r.
17. Policies with Objects and Defeasible Rules
Flexibility via Patching
Disable a rule
Another way: canceling a rule (instead of overriding).
cancel(r) :- Cond2.
Patching is local and modular and does not require expertise in logic; it can
be done through a high-level interface
18. Policies with Objects and Defeasible Rules
Policies using Monolithic Rules vs. Policies based on
Defeasible Rules
Monolithic rules vs. Defeasible rules
Modifying old rules vs. Adding patch rules
More mangling the old rules vs. Patching modularly
22. Complex Example
More Complex Example
A policy that responds to queries of the form
?- grantAccess(?E, ?R, ?T, ?D)
where:
?E: Employee (Principal)
?R: Resource
?T: Time of Access
?D: Date of Access
23. Complex Example
More Complex Example
// Indicates that the employee ?E is allowed to access resource ?R
// at time ?T of day ?D.
@{locAccess}
grantAccess(?E,?R,?,?D) :-
    ?E:Employee[department-> ?DE],
    ?R:Resource[owner-> ?DE],
    // locRisk estimates the risk (?K) of granting access to ?E on day ?D
    locRisk(?E,?D,?K),
    ?K < 3.
24. Complex Example
More Complex Example
Required change: include the risk based on the time of access, if the
employee is away from the home department.
@{timeAccess}
neg grantAccess(?E,?R,?T,?D) :-
    ?E:Employee,
    ?R:Resource,
    ?E.department.location != ?E.loc(?D),
    ?E[timeWorked(?D) -> ?T],
    timeRisk(?T,?K),
    ?K > 5.
overrides(timeAccess,locAccess).
timeRisk(?T,?TD) :- ?TD is abs(?T - 13).
25. Complex Example
More Complex Example
Another modification: Use employee’s local time rather than resource’s
// This rule says that the employee ?E can access resource ?R at time ?T
// on day ?D if the access happens within the local normal working hours.
// Other than that, the conditions are the same as for rule locAccess.
@{flexAccess}
grantAccess(?E,?R,?T,?D) :-
    ?E[department-> ?DE],
    ?R[owner-> ?DE],
    ?E.loc(?D) != ?R.location,
    // timeRisk assesses the risk (?TR) based on time of day
    timeRisk(?E,?T,?D,?TR),
    ?TR < 5.
overrides(flexAccess,timeAccess).
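The override chain built up on the last three slides (locAccess, then timeAccess, then flexAccess), and equally the printer policy shown earlier, can be traced with a small evaluator. This is an added Python sketch, not the authors' Flora-2 code: the Request fields, the local_hour input, the use of one away flag for both location tests, the simplified defeat rule and the fail-closed default are all assumptions.

```python
# Added illustration in Python; the talk's own rules are written in Flora-2.
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:          # constructed stand-in for the ?E/?R/?T/?D facts
    same_dept: bool     # ?E's department owns ?R
    loc_risk: int       # ?K from locRisk(?E,?D,?K)
    away: bool          # assumed: ?E is away from both home department and ?R
    hour: int           # ?T, hour of day at the resource
    local_hour: int     # assumed input: hour of day where ?E actually is

def time_risk(hour):    # timeRisk(?T,?TD) :- ?TD is abs(?T - 13).
    return abs(hour - 13)

# rule id -> (conclusion, body); True = grantAccess, False = neg grantAccess
RULES = {
    "locAccess":  (True,  lambda q: q.same_dept and q.loc_risk < 3),
    "timeAccess": (False, lambda q: q.away and time_risk(q.hour) > 5),
    "flexAccess": (True,  lambda q: q.same_dept and q.away
                                    and time_risk(q.local_hour) < 5),
}
# (higher, lower) pairs, as in overrides(higher, lower); must be acyclic.
OVERRIDES = {("timeAccess", "locAccess"), ("flexAccess", "timeAccess")}

def decide(q, rules=RULES, overrides=OVERRIDES):
    """Return (granted, ids of undefeated rules whose bodies hold)."""
    fired = {rid for rid, (_, body) in rules.items() if body(q)}

    def defeated(rid):
        # Simplified argumentation theory (assumption): a rule is defeated
        # when an opposing, higher-priority rule fired and is itself undefeated.
        return any(hi in fired and lo == rid
                   and rules[hi][0] != rules[rid][0] and not defeated(hi)
                   for hi, lo in overrides)

    live = {rid for rid in fired if not defeated(rid)}
    verdicts = {rules[rid][0] for rid in live}
    # Fail closed: no surviving grant, or an unresolved conflict, means deny.
    return verdicts == {True}, live
```

Calling decide with overrides=set() shows what the priority facts contribute: the same request then leaves an unresolved conflict between locAccess and timeAccess, which this sketch denies.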
26. Conclusion
Conclusion
Defeasible reasoning can yield significant benefits in the area of
role-based access control systems.
Complex modifications to access control policies can be naturally done
in a logic programming framework with defeasible reasoning.
The same holds for representing institutional hierarchies of policy makers
and reflecting those hierarchies in a policy.
Higher-order rules can represent parameterized policies, reducing the
number of rules (not discussed in the talk).
Future work:
Investigate more complex access control models
Deeper use of object-oriented features, higher-orderness.