Cassandra distributed access control policies with tunable expressiveness


Published on

J Gabriel Lima -

Published in: Technology, Business
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cassandra distributed access control policies with tunable expressiveness

  1. 1. Cassandra: Distributed Access Control Policies with Tunable Expressiveness Moritz Y. Becker Peter Sewell Computer Laboratory, University of Cambridge JJ Thomson Avenue, Cambridge, United Kingdom {moritz.becker, peter.sewell} Abstract attributes about entities holding them. In systems support- ing trust negotiation [19], peers establish trust between We study the specification of access control policy in each other by exchanging sets of suitable credentials. A large-scale distributed systems. Our work on real-world policy specification language is used to define a system’s policies has shown that standard policy idioms such as role security policy, a set of rules specifying the security goals hierarchy or role delegation occur in practice in many sub- in a high-level language. This approach separates pol- tle variants. A policy specification language should there- icy from implementation, simplifies security administration fore be able to express this variety of features smoothly, and facilitates policy evolution. rather than add them as specific features in an ad hoc way, The diversity of emerging applications with widely dif- as is the case in many existing languages. fering security requirements has led to the development of a We present Cassandra, a role-based trust management variety of increasingly expressive policy specification lan- system with an elegant and readable policy specification guages (e.g. [5, 6, 9, 11, 14, 13, 12, 7]). Existing ones are language based on Datalog with constraints. The expres- extended to accommodate more complex policies. For ex- siveness (and computational complexity) of the language ample, the role-based trust management language RT0 [14] can be adjusted by choosing an appropriate constraint do- was extended to RT1 to handle parameterised roles, and main. With just five special predicates, we can easily ex- to RT T to express separation of duties [13]. Another ex- C press a wide range of policies including role hierarchy, tension of RT , RT1 [12], provides constructs for limiting role delegation, separation of duties, cascading revoca- the range of role parameters using constraints. However, tion, automatic credential discovery and trust negotiation. adding constructs to a language in an ad hoc fashion to in- Cassandra has a formal semantics for query evaluation and crease its expressiveness has several disadvantages. Firstly, for the access control enforcement engine. We use a goal- it is unlikely that the extension will cover all policies of in- oriented distributed policy evaluation algorithm that is ef- terest; secondly, the semantics and implementations of the ficient and guarantees termination. Initial performance re- language have to be changed; thirdly, languages with many sults for our prototype implementation have been promis- constructs are harder to understand and to reason about; ing. and lastly, policy evaluation usually becomes computa- tionally more expensive with increasing expressiveness (in some cases, the language is even Turing-complete). 1. Introduction We have designed a trust management system, Cassandra, in which the expressiveness of the policy speci- The emergence of wide-area network-based services fication language can be adjusted by selecting an appropri- poses new and challenging problems to security manage- ate constraint domain. The advantage of this approach is ment. The networks in question are generally heteroge- that the expressiveness (and hence the computational com- neous, decentralised and large-scale, with possibly millions plexity) can be chosen depending on the requirements of of autonomous entities (which may be individuals, agents, the application, and can easily be changed without having organisations or other administrative domains) that wish to to change the language semantics. In our prototype imple- share their resources in a secure and controlled fashion. mentation of Cassandra, a constraint domain is a separate Collaborating entities may be mutual strangers at first, thus module that can be plugged into the policy evaluation en- access control cannot be based on identity, as it is the case gine. We have identified a condition on constraint domains, in traditional approaches. constraint compactness, which ensures that policy evalua- In the trust management approach [5], authorisation is tion is decidable and guaranteed to terminate. based on credentials, digitally signed certificates asserting By factoring out the constraint domain, the languageProceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)0-7695-2141-X/04 $ 20.00 © 2004 IEEE
  2. 2. ing a credential that can be used to support another request Cassandra Entity remote query somewhere else. The access control engine handles the re- C quest by invoking the policy evaluation engine, which in Policy Access Control Engine invoke perform action turn queries the local Cassandra policy. The expressive- Evaluator query ness of the policy specification language depends on the activate role globally chosen constraint domain, C, an independent mod- Interface modify Policy deactivate role (rules & credentials) ule that is plugged into the policy evaluation engine. As policies can refer to policies of other entities, policy eval- request credential grant access Resources uation may trigger queries of remote policies (possibly the (Actions) requester’s) over the network. The answer of the policy evaluation engine is used by the access control engine to decide whether the request is to be granted. As a result of a request, the local policy may be modified. For example, Figure 1. Cassandra components. if a role is activated, this new fact is put into the policy; similarly, deactivation of roles causes facts to be removed syntax and semantics are kept small and simple. In par- from the policy. ticular, Cassandra has no explicit provisions for standard Cassandra’s policy specification language is based on policy idioms such as role hierarchy, separation of duties DatalogC , a generic extension of negation-free Datalog or delegation; instead, it is truly policy-neutral in that it (Prolog without function symbols) where the expressive- can encode such idioms (and many variants). Its expres- ness can be tuned by varying the constraint domain param- siveness suffices for policies found in highly complex real- eter C [10]. A DatalogC rule is of the form world applications; this has been shown by our work on a p0 (e0 ) ← p1 (e1 ), .., pn (en ), c large-scale security policy for a national electronic health where the pi are predicate names and the ei are (possi- record system [3]. bly empty) expression tuples (that may contain variables) In §2 we give an informal overview of Cassandra’s pol- matching the parameter types of the predicate. p0 (e0 ) is icy specification language. Unlike most other systems, the head of the rule, and the sequence of predicates on the Cassandra not only formally specifies the policy language right hand side of the arrow is the body of the rule; c is a but also the access control semantics governing the dy- constraint on the parameters occuring in the rest of the rule. namic behaviour of an entire Cassandra network. This Intuitively, to deduce the head of a rule, all body predicates operational semantics is described in §3. §4 shows how must be deducable in such a way that the constraint is also examples of standard policies, including role validity peri- satisfied. A set of DatalogC rules can then be interpreted as ods, role hierarchy, separation of duties, role delegation and the deductive closure of the set. trust negotiation policies, can be expressed in Cassandra. The constraint of a rule, c, is a formula from some fixed The policy specification language and semantics are for- constraint domain C, a language of first order formulae mally defined and an algorithm for policy evaluation is containing at least true, false and the identity predicate given in §5. §6 briefly discusses our case study on secu- “=” between C-expressions (variables, entities and possibly rity policies for a national electronic health record system. other constructs). It must be closed under variable renam- We also discuss our prototype implementation and prelim- ing, conjunction (∧) and disjunction (∨). Furthermore, it inary experimental results. Finally we discuss related work must be equipped with an interpretation that defines when and conclude. formulae are satisfied. The expressiveness of DatalogC depends on the chosen 2. Policy specification overview constraint domain C. For example, the least expressive con- straint domain is the one where the only atomic constraints Cassandra is a trust management system allowing a po- are equalities between variables and constants. Choosing tentially large network of entities to share their resources this trivial constraint domain reduces the expressiveness of under well-defined restrictions, specified by local access the language to standard Datalog or Horn clauses without control policies, even if they are mutual strangers. Every function symbols. More powerful constraint domains often entity runs its own copy of a Cassandra service, which include boolean, arithmetic and set constraints, and make acts as a protective layer around the resources. Figure 1 use of more complex expressions such as tuples, set expres- shows the internal components of a Cassandra service. In- sions and (side-effect free) function applications (e.g. to ac- teraction with other entities is done via the interface that cess the current time). The computational complexity of defines requests for performing an action (i.e. accessing a evaluating DatalogC programs increases with expressive- resource), activating and deactivating a role, and request- ness: with set constraints it is already possible to encodeProceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)0-7695-2141-X/04 $ 20.00 © 2004 IEEE
  3. 3. the Hamiltonian cycle problem, and thus all NP-complete context. Intuitively, if a predicate loc@iss.p(e) appears in problems. Care must be taken not to choose a constraint the body of a rule in E’s policy, and loc is equal to E, domain that is too expressive as this can result in programs it is deduced locally from E’s policy (if iss is not equal in which queries are undecidable. We will later introduce to E, this must be a foreign credential). If, however, loc the notion of constraint compactness to restrict constraint is not equal to E, this means that the authority over the domains to those that guarantee termination of queries. predicate is delegated to the remote entity loc, so E re- In Cassandra, access control is role-based, and roles, as quests a credential iss.p(e) from loc over the network. loc well as actions, are parameterised. Role-based access con- will allow this only if her local policy lets her deduce both trol (RBAC) [17, 8] was initially introduced to simplify se- canReqCred(E, iss.p(e)) and iss.p(e). If these conditions curity administration of large enterprises. In the context of are met, a credential containing iss.p(e) (issued and signed distributed trust management, roles can more generally be by iss) is sent back to E. A more formal treatment of the used as a representation of authenticated subject attributes language semantics is given in §5.1. in decentralised access control [13]. Formally, a role is a typed role name applied to an expression (that may con- 3. Access Control Semantics tain variables) of a matching type, e.g. Manager(Sales- dept). Similarly, an action is an action name applied to an Cassandra acts as a protective layer around the shared expression, e.g. Read-file(file). For the remainder of the resources, allowing network access only through an inter- paper, variables will be written in small letters and italics face. This interface defines requests for performing an ac- (e.g. f ile), generic constants in italics but capitalised (e.g. tion, activating a role, deactivating a role, and for request- some entity E), and concrete constants in typewriter font ing a credential. Incoming requests are checked by the ac- (e.g. Sales-dept). cess control engine against the local policy (Figure 1). En- Policies are specified by rules defining predicates that tities can support their requests by submitting credentials govern access control decisions: permits defines who can to the service; the service will then use the assertions in the perform which action; canActivate specifies who can acti- credentials along with its own local policy to evaluate the vate which roles (and thus implicitly defines the role mem- query. Granting a request can have side-effects on policies, bership relation); hasActivated specifies who is currently e.g. when a role is activated, a corresponding hasActivated active in which role; canDeactivate specifies who can re- credential rule is added to the policy. voke which role; isDeactivated is used to define automat- We have formally specified the operational semantics of ically triggered role revocation; and finally, canReqCred the access control engine by a labelled transition system rules specify the conditions to be satisfied before the ser- where the labels are the requests and the transitions are be- vice is willing to issue and disclose a credential. User- tween sets of policies of all entities. Due to lack of space, defined auxiliary predicates are also allowed. we will only give a brief overview of the request defini- In the trust management approach, access control de- tions. cisions are based on credentials asserting properties about Performing an action. Suppose the requester E at- the holders. In Cassandra, the properties asserted by cre- tempts to perform the (parameterised) action A on S’s dentials are (constrained) predicates. Therefore, in order Cassandra service. E’s request is granted if permits(E, A) to satisfy a predicate in a rule body, either the predicate is deducible from S’s policy (and submitted credentials). can be deduced from the local policy or it is asserted by a foreign credential issued and signed by some other en- Role activation. Suppose E attempts to activate the (pa- tity. Such credentials are either already stored locally, or rameterised) role R on S’s Cassandra service. The request are submitted to the service, or automatically fetched by the is granted if the role has not already been activated and if service from some other entity. To put constraints on the is- canActivate(E, R) can be deduced from S’s policy (and suer and the storage location of credentials, each Cassandra submitted credentials). As a result of this transition, the predicate has an issuer and a location (constant or vari- corresponding hasActivated credential rule is added to S’s able) parameter, and is written loc@iss.p(e). For example, policy. Alice@UCam.canActivate(Alice, Student(Maths)) is a Role deactivation. Suppose E requests to deactivate predicate asserting that Alice is a Maths student. If this V ’s role R on S’s Cassandra service. The request is predicate is part of a rule body, Cassandra can contact Al- granted if V is really currently active in the role R and ice over the network (unless this is Alice’s local policy) and if canDeactivate(E, V, R) is deducible from S’s policy request the corresponding credential issued by the Univer- (and submitted credentials). Depending on the local policy sity of Cambridge. rules, this deactivation may also trigger the deactivation of We will often write iss.p(e) as shorthand for other role activations in S’s policy (local cascading deacti- E@iss.p(e) and p(e) for E@E.p(e), if E is clear from the vation). For this purpose, we need to compute the set of allProceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)0-7695-2141-X/04 $ 20.00 © 2004 IEEE
  4. 4. hasActivated credential rules in S’s policy for which a cor- canActivate(x, Doc()) ← responding isDeactivated credential can be derived under canActivate(x, CertDoc(t)), the assumption isDeactivated(V, R). The role activations CurTime() − Years(1) ≤ t ≤ CurTime() in this set are then removed from S’s policy. Auxiliary roles. Sometimes a role is used solely to ex- press some property about its members and can be used Requesting Credentials. Suppose E requests the cre- without prior activation. In this rule, a logged-in user can dential I.p(x) ← c (a digital certificate asserting p(x) ← c, read a file provided that the system can deduce she is the issued and signed by I) from S. S’s service first computes owner of that file. Ownership is here expressed with the the answer to the query canReqCred(E, I.p(x)) ← c. The auxiliary Owner role that need not be activated. answer is a constraint c0 restricting the values that x can permits(x, Read(f ile)) ← take. hasActivated(x, Login()), If I and S are identical, the answer c1 of the query canActivate(x, Owner(f ile)) p(x) ← c0 is computed, and, if c1 is satisfiable, the new credential S.p(x) ← c1 is issued and sent to E. If I and Role hierarchy. In this variant of parameterised role hi- S are different, this means that the requested credential is a erarchy, members of a superior role (Engineer working foreign credential held by S, so it cannot be freshly issued in some department) are automatically also members of a and signed. In this case, S sends E all her credentials of more basic role (Employee working in the same depart- the form I.p(x) ← c2 such that c2 is at least as restrictive ment). canActivate(x, Employee(dep)) ← as c0 . canActivate(x, Engineer(dep)) Separation of duties. In this common example for sepa- 4. Standard policies ration of duties, a payment transaction requires two phases, initiation and authorisation, which have to be executed Unlike other policy specification languages, Cassandra by two different people. The rule implements the dy- does not have special constructs for expressing standard namic and parameterised variant of separation of duties: an policies such as role hierarchies, separation of duties or Authoriser of a payment must not have activated the delegation. Indeed, we can show that Cassandra, equipped Init role for the same payment. This restriction is imple- with a sufficiently powerful constraint domain, can express mented by the user-defined countInitiators predicate. Its these policies in a concise and readable way. Having no definition is given by the second rule, an example of an ag- constructs in the language for specific policy idioms not gregate rule. The count z aggregate operator counts how only keeps the language and its semantics small and sim- many different values of z satisfy the body. Therefore, the ple; it also avoids the necessity of having to constantly parameter n is 0 only if x has not activated the Init role extend the language. Furthermore, our work on policies for the same payment. for a national electronic health record infrastructure has canActivate(x, Authoriser(payment)) ← shown that, in large-scale real-world applications, these countInitiators(n, x, payment), n = 0 “standard” policies occur in many variants and combina- countInitiators(count z , x, payment) ← tions with subtle but significant semantic differences [3]. hasActivated(z, Init(payment)), z = x Cassandra was designed in such a way that the whole range Role delegation. Here, an administrator can delegate her of policy variants can be expressed without additional fea- role to somebody else by activating the DelegateAdm tures. It should be noted that Cassandra was designed role for the delegatee. The delegatee can then subsequently specifically for authorisation policies; in particular, we do activate the administrator role. The first parameter of the not deal with obligation policies specifying the automatic administrator role specifies who the delegator was. The triggering of actions (as in [7]). second parameter n is an integer for restricting the length of In the following, we show how standard policies can be the delegation chain: the delegatee can activate the admin- written in Cassandra. istrator role only with a “rank” n that is strictly less than the delegator’s rank n but must be at least 0. Setting the Role validity periods. In the following rule, a certified parameter to 1 for non-delegated administrators (i.e. those doctor (with certification issued at time t) is also member at the top of a delegation chain) amounts to non-transitive of the role Doc() if t is at most one year ago. This is an delegation. Removing the constraint on n in the second example where the freshness requirement of a certification rule results in unbounded delegation chains. is set by the acceptor, not by the certificate issuer (as rec- canActivate(x, DelegateAdm(y, n)) ← ommended in [16]). The chosen constraint domain must hasActivated(x, Adm(z, n)) contain a (side-effect free) built-in function that returns the canActivate(y, Adm(x, n )) ← current time, and integer order constraints. hasActivated(x, DelegateAdm(y, n)), 0 ≤ n < nProceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)0-7695-2141-X/04 $ 20.00 © 2004 IEEE
  5. 5. With the following rule, the delegated role is automatically its CertHealthOrg credential, signed by the registration revoked if the delegation role of the delegator is deacti- authority of East England, to certified EHR servers. vated. canReqCred(x, y.canActivate(z, CertHealthOrg()) ← isDeactivated(y, Adm(x, n )) ← x@auth.canActivate(x, CertEHRServ()), isDeactivated(x, DelegateAdm(y, n)) y = RegAuthEastEngland ∧ z = Addenbrookes, auth ∈ RegAuthorities() However, we need to specify who is allowed to deactivate a delegation role. In grant-dependent revocation (first rule The x@auth prefix specifies that the required credential below), only the delegator herself has this power. In grant- must be signed by some registration authority and that it is independent revocation (second rule below), every admin- to be retrieved automatically from x; in this case, x will istrator (who has at least as high a rank as the delegator) have been instantiated to be the EHR server. The EHR can deactivate the delegation. server will in turn have canReqCred policy rules specifying canDeactivate(x, z, DelegateAdm(y, n)) ← x = z to whom its CertEHRServ credential may be disclosed. canDeactivate(x, z, DelegateAdm(y, n)) ← As this example shows, a simple request can trigger mul- hasActivated(x, Adm(w, n )), n ≤ n tiple phases of credential exchanges between two or more A rather paranoid policy may specify cascading revocation: entities over the network until a sufficient level of mutual if a delegated administrator is revoked from her role, all her trust has been established. delegation must also be revoked recursively. isDeactivated(x, DelegateAdm(y, n)) ← isDeactivated(z, DelegateAdm(x, n )) 5. Language semantics and evaluation The trust management system Oasis [21] has a language This section defines the syntax and semantics of construct for role appointment, a generalisation of role del- Cassandra’s policy specification language. We also de- egation. Our work on real-world policies suggests that vari- scribe a goal-oriented algorithm for evaluating policy ants of general appointment are indeed far more frequent queries that is sound and complete with respect to the lan- than role delegation [3]. Appointment and other stateful guage, and discuss a condition for guaranteed termination policies can be expressed in Cassandra in a very similar of query evaluation. way as shown above for delegation. Automatic trust negotiation & credential discovery. 5.1. Language Semantics Suppose the following rule is part of the policy of a server holding the electronic health records (EHR) for some part of the UK’s population. To activate the doctor role, x must Each entity Eloc on the network protects its resources be a certified doctor in some health organisation org, and with a (possibly empty) Cassandra policy, a finite set of furthermore the organisation must be a certified health or- Cassandra policy rules of the form ganisation. Both requirements must be satisfied in the form Eloc @Eiss .p0 (e0 ) ← of credentials signed by some entity auth belonging to a loc1 @iss1 .p1 (e1 ), .., locn @issn .pn (en ), c. locally defined set of registration authorities. canActivate(x, Doc(org)) ← The location and the issuer of the rule, Eloc and Eiss , are auth.canActivate(x, CertDoc(org)), entity constants, and the loci and issi are entities or entity org@auth.canActivate(org, CertHealthOrg()), auth ∈ RegAuthorities() typed variables. The pi (ei ) are well-typed predicates, and c is a constraint from the globally chosen constraint domain In the rule above, there is no location prefix in front of the C. first body predicate, so the doctor certification credential A rule with empty body of the form is required to already be in the local policy or have been submitted by x together with the role activation request. Eloc @Eiss .p0 (e0 ) ← c No automatic credential requests are issued the credential is not found. On the other hand, there is a location prefix is called a credential rule or just a credential. (These cor- org in front of the second body predicate: the health organ- respond to facts in Logic Programming.) If it is sent over isation credential is automatically requested from org, or, the network, it can be thought of as a certificate asserting more precisely, the entity the variable org stands for during p0 (e0 ), signed and issued by Eiss , and belonging to and actual evaluation. However, the health organisation (say, stored at Eloc . The location and the issuer of a rule are usu- Addenbrooke’s Hospital) will allow this retrieval request ally identical; only in the case of a credential rule can they only if its canReqCred policy allows it. With the follow- be different, as Eloc may hold a foreign credential signed ing rule, Addenbrooke’s specifies that it is willing to reveal by a different entity Eiss .Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)0-7695-2141-X/04 $ 20.00 © 2004 IEEE
  6. 6. We will omit the prefix Eloc from a rule if it is clear from equal to some the context, and also Eiss , loci and issi if they are equal to (ci ∧ yloc= Eloc ∧ yiss= Eiss ) Eloc . such that Eloc @Eiss .q(y) ← ci is already in I. Access control decisions are based on policy queries which have the same form as credentials: Alternatively, yloc may refer to some remote entity Eloc @Eiss .p0 (e0 ) ← c. The answer to a query is a set Eloc = Eloc , so Pi has to be deduced from Eloc ’s policy. of constraints ci such that Eiss .p0 (e0 ) ← c ∧ ci can be As this amounts to a credential request and Eloc ’s creden- deduced from Eloc ’s policy. For example, the query tials are protected by canReqCred rules, the corresponding canReqCred predicate must also be satisfied, as well as Pi UCam@UCam.canActivate(x, Student(subj)) ← itself. In this case, ci is some constraint in subj = Maths ∃C xe . (ci ∧ ci ∧ yloc= Eloc ∧ may return the constraints {x = Alice, x = Bob}, and yiss= Eiss ∧ xe= Eloc ) the query such that both credentials Eloc @Eloc .canReqCred(xe , yiss .q(y)) ← ci and UCam@UCam.canActivate(x, Student(subj)) ← x = Alice ∧ subj = Maths Eloc @Eiss .q(y) ← ci are already in I. The consequence operator TP (I) is continuous on the would simply return {true}. powerset of credentials and thus has a unique least fixed- The semantics of a policy is defined by the set of all cre- n point n≥0 TP (∅) which we call the fixed-point semantics dentials that can be deduced from it. To formally define the of P. It coincides with our intuitive notion of deductive notion of deduction, we extend the notion of consequence closure of the policy rules. operator known from constraint logic programming [18]. Sometimes we need to know not only whether a pred- We construct a consequence operator TP , where P is the icate can be satisfied but also how often. For example, it finite union of the policies of all entities. Given a set of is often necessary to know that nobody has activated a cer- credentials I (which we distinguish only up to variable re- tain role, i.e. the corresponding hasActivated predicate can naming), TP (I) returns the set of all credentials that can be satisfied 0 times. For these purposes, we define rules be deduced from I and the policies in P in one step. with aggregation operators [15]. (These require the con- The definition of TP assumes the existence of two com- straint domain C to contain equalities over set and integer putable operations on C-constraints, ∃C and ⇒C . ∃C x. (c) constants and variables.) A Cassandra aggregation rule is computes the existential quantifier elimination of x and re- of the form turns the set of conjuncts in the disjunctive normal form Eloc @Eloc .p(aggop x , y) ← Eloc @iss.q(x), c (DNF) of the result. If V is a set of variables, we also write ∃C (c) for the set of conjuncts in the DNF of c, with all where the aggregation operator aggop is either group or −V free variables apart from the ones in V existentially elimi- count. The predicate q(x) is required to be one that can nated. (This is in effect a projection of c onto the variables be satisfied with only finitely many different parameters on V .) Eloc , and x must contain x. If the operator is group, the ⇒C is a computable subsumption relation on C- first argument of p stands for the finite set of all different constraints: if c1 ⇒C c2 returns true then c1 is subsumed values of x such that the rule body can be satisfied. If the by c2 , i.e. all substitutions that satisfy c1 also satisfy c2 . operator is count, it stands for the cardinality of that set. Then the consequence operator TP (I) is defined to con- For example, tain all credentials of the form Eloc @Eiss .p(x) ← c0 (for getSetOfActiveDoctors(group x , spcty) ← some entities Eloc , Eiss ) if I contains no other credential hasActivated(x, Doctor(spcty)) that already subsumes it: if Eloc @Eiss .p(x) ← c0 ∈ I and finds the set of all active doctors with specialty spcty. c0 ⇒C c0 then c0 = c0 ; and furthermore, if there is some matching rule 5.2. Evaluation Eloc @Eiss .p(x) ← P1 , .., Pn , c in P (i.e. in the policy of Eloc ) such that there is a constraint Recall that the access control engine makes access con- c0 with the following property: trol decisions by invoking the policy evaluation engine, c0 ∈ ∃C (c1 ∧ .. ∧ cn ), and c0 is satisfiable, for some −x which queries the local policy. We now describe the al- constraints c1 , .., cn , such that each ci is a contribution from gorithms used in the policy evaluation engine. Pi . We say ci is a contribution from Pi ≡ yloc @yiss .q(y) In deductive databases, queries are usually evaluated if one of the following two cases hold. against a model that is pre-computed with a bottom-up Either yloc is taken to be local, so Pi has to be deduced algorithm that, starting from basic facts, iteratively adds from Eloc ’s own local policy. This means that ci must be derived facts until the fixed-point semantics is reached.Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)0-7695-2141-X/04 $ 20.00 © 2004 IEEE
  7. 7. This would not be an acceptable evaluation strategy for existing answer d, combine it with the current constraint Cassandra: firstly, the constraints may contain (side-effect and call the Clause Resolution procedure on the remaining free) function calls that depend on the environment, for ex- predicates in the list, or the Answer Projection procedure, ample for getting the current time, and therefore cannot be if the remaining list is empty. We also need to store the in- pre-computed; secondly, the fact that rule bodies can refer formation that this query waits for answers from the proof to remote predicates would require a distributed form of of P ← c . bottom-up evaluation which would be highly impractical; If, however, no such P ← c exists yet, we need and thirdly, the model would have to be re-computed after to spawn a new query for P ← c and wait for its an- every activation or deactivation of roles as role activation swers. If the location of P is remote, a credential request and deactivation modify policies. is sent to the remote entity. The remote entity will then The standard SLD top-down resolution algorithm call its Query Projection procedure on the list containing known from Logic Programming (e.g. Prolog) is not suit- canReqCred(Eloc , P ) and P with the constraint c. able either as it may run into infinite loops even when the fixed-point semantics is finite. Instead, Cassandra uses a Answer Projection. This procedure is called when the modified version of Toman’s memoing algorithm for evalu- list of body predicates is empty. The remaining constraint ating constraint extensions of Datalog [18]. Based on SLG is then projected onto the free variables of the query pred- resolution, it combines advantages of both the top-down icate. The resulting constraints are stored in the answers and the bottom-up approaches: it is goal-oriented and yet table and propagated to all queries currently waiting for preserves the termination properties of the bottom-up al- such answers, and execution is resumed there. If the wait- gorithms by memoing (tabling) already seen subgoals and ing party is a remote entity, the answers are sent to it over their answers. To solve a subgoal for which a table en- the network in the form of credentials. The remote entity try already exists, the algorithm uses the tabled answers as will then invoke its Answer Projection procedure on these solutions; whenever new answers are added for the entry, answers. they are automatically propagated to other waiting evalua- On exit, the table entry for the original query will be tion branches. If no relevant entry exists for the subgoal, a populated with all its answers. The algorithm is sound and new table entry is created and populated. We have extended complete with respect to the language semantics. the algorithm in [18] to deal with goals referring to remote As in other database applications, we require query eval- entities. uation to always terminate. Clearly, if the chosen constraint Suppose the query Eloc @Eiss .p0 (x0 ) ← c0 is to be domain C is too expressive, it is possible to write poli- evaluated by the Cassandra service of Eloc . Evaluation is cies and queries that are uncomputable. Often, the features started by calling the Clause Resolution procedure on the that make it too expressive seem rather innocuous at first query. glance. For example, constraint domains with untyped tu- Clause Resolution. Find all policy rules with a matching ple constructors or with negative gap-order constraints of head, i.e. of the form the form x − c < y (where c is a positive integer constant) Eloc @Eiss .p0 (x0 ) ← P1 , .., Pn , c1 . enable the construction of undecidable policies. For all such c1 , compute c2 ≡ c0 ∧ c1 if the result is sat- Constraint compactness [18] is a sufficient condition on isfiable. If the rule body is non-empty (n ≥ 1), call the constraint domains to guarantee a finite and hence com- Query Projection procedure on the list P1 , .., Pn , c2 . Other- putable fixed-point semantics for any finite global policy wise call the Answer Projection procedure on the combined set P. A constraint domain C is said to be constraint com- constraint c2 . pact if any infinite set of C-constraints in which only finitely many variables and constants occur has a finite subset sub- Query Projection. This procedure operates on a list of suming the entire set, that is, for every constraint c in the predicates P1 , .., Pn and a constraint c. Using the ∃C opera- infinite set there is a constraint c in the finite set such that tion, project the constraint onto the free variables of the first c ⇒C c . predicate P1 in the list and compute the DNF constraint set. Unfortunately, constraint compactness severely restricts For all ci from this set, call the Answer Propagation proce- the expressiveness of the constraint language and is also dure on P1 ← ci , and the (possibly empty) list of remaining often hard to prove. We use static groundness analysis [1] predicates, P2 , .., Pn . to restrict policies in such a way that variables occuring in Answer Propagation. This procedure operates on a sub- specific constructs will always have been grounded (so a goal P ← c, and a list of remaining predicates P2 , .., Pn . unique value can be deduced for each) by the time exis- Check whether we have already encountered a query P ← tential quantifier elimination is performed on them, given c such that c ⇒C c , in which case the current goal can the query patterns from §3 (e.g. canActivate queries are al- be solved using answers from that query. For each already ways fully grounded), so these constructs can be ignored.Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)0-7695-2141-X/04 $ 20.00 © 2004 IEEE
  8. 8. We also use static groundness analysis to ensure that the constraints[3]. It is constraint-compact and thus guarantees location prefix of body predicates becomes ground by the query termination, but its relatively high expressiveness time we evaluate it: otherwise the evaluator would have to still makes it possible in principle to write policies that are query many different entities (all, in the worst case), which prohibitively expensive to evaluate. However, such policies is clearly unpractical. do not seem to occur in practice, as the recursion depth is usually small and variables are instantiated to ground val- 6. Discussion ues early on. Implementation and performance. A prototype of EHR case study. Cassandra’s design process was par- Cassandra has been implemented in OCaml. The code is tially guided by our case study [3] on an access control factored into independent modules as depicted in Figure policy for a national electronic health record (EHR) sys- 1. In particular, constraint domain implementations can be tem. The background of the case study is the British Na- plugged into the policy evaluation engine as separate mod- tional Health Service’s current plan to develop an electronic ules, as long as they provide fundamental operations of pro- data spine that will contain “cradle-to-grave” medical data jection, satisfiability and subsumption checking. We have for all patients in England. The project is highly risky and implemented the constraint domain used for the EHR case challenging for several reasons: it is extremely large-scale study, including a type inference mechanism that allows us with 100 million records and billions of accesses per year; to omit explicit variable typing. the requirements are likely to change frequently, in partic- At the time of writing, role deactivation and credential ular those concerning access control; and it is inherently requests and the static groundness analyser are still in the distributed with interacting health organisations, registra- process of being implemented. Furthermore, the current tion authorities and the data-spine. These challenges can prototype only simulates the distributed system, and issued best be met by a distributed trust management system that credentials are implemented without encryption and public allows policies to be specified in a sufficiently expressive key signatures. high-level language. The prototype was tested with the policies from the EHR In our case study, we propose a distributed three-level case study. The system behaved as expected and handled infrastructure to cope with the large scale. Based on official all requests, including the most complex ones, within frac- specification documents, we have developed Cassandra tions of a second. The preliminary results suggest that policies for the entire infrastructure. Our proposed poli- Cassandra is indeed suitable for large-scale real-world ap- cies contain a total of 310 rules, define 58 parameterised plication. Of course, authoritative results can only be pro- roles and implement all the required access control rules. duced after completion of a more complete and optimised The requirements are not only highly complex but also implementation and under more realistic settings; we have contain principles unseen in traditional access control mod- for example so far only tested the system with up to 10,000 els. For example, the policies need to handle explicit pa- patients [3]. tient consent, third-party disclosure consent, individualised Our experiments have highlighted another requirement access decisions (e.g. a patient could prohibit access to for policy-based trust management systems that neither our record items concerning a certain medical subject to a spe- nor existing systems currently fulfil: human users expect cific doctor), appointment of agents acting on a patient’s textual justifications of access control decisions, especially behalf and workgroup-based access control (e.g. based on if their request is denied; they feel rather frustrated and ward or consultant team membership). helpless if the answer is simply “request denied”, espe- One of the main lessons learnt from the case study is that cially if the policy is complex or unknown to the user. Such standard policy idioms such as role appointment occur in explanations could be collected from annotations of policy many different variants. We thus had to design Cassandra rules used during deduction. The problem is non-trivial as in such a way that it could express all of these elegantly. deduction proofs can be long and access denials can have Our approach was to identify the small number of underly- many and far-reaching reasons. More worryingly, the tex- ing primitives concerning role membership, activation and tual justification may reveal more (and perhaps, sensitive) deactivation, and to base the language solely on those. The information than could have been deduced from the fact distributed nature of the EHR policies also necessitated fea- of request denial alone: consider, for example, a response tures for automatic credential discovery and credential pro- such as “access denied because your daughter has prohib- tection (automatic trust negotiation). ited you from accessing all her records with the subject For the case study, we devised a sufficiently expressive ‘abortion’ ”. constraint domain containing tuple expressions and pro- jections, disequalities, integer order inequalities, built-in Related work. A large amount of work has been done functions to access state-dependent data and set inclusion on security policy specification in a non-trust-managementProceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)0-7695-2141-X/04 $ 20.00 © 2004 IEEE
  9. 9. context. For instance, Barker [2] uses constraint logic pro- from both issuer and the subject entity. A distinctive fea- gramming to encode RBAC policies in a non-distributed ture of the RT framework is that RT credentials contain a environment; as such, his approach does not deal with cre- link to a so-called Application Domain Specification Doc- dentials, trust management and trust negotiation. Policy- ument (ADSD) that defines a common vocabulary (types Maker [5] introduced the trust management paradigm, and of role parameters, natural language descriptions of role its successor, KeyNote [4] defined the first policy specifi- names etc.) for collaborating entities. cation language. Since then, many other trust management SD3 is another Datalog-based trust management system systems have been proposed for policy specification and [11]. Similar to Cassandra, SD3 predicates can be prefixed distributed access control (e.g. SPKI/SDSI [6], QCM [9], with an issuer (a public key), thereby delegating author- SD3 [11], RT [13], Oasis [21], Ponder[7]). ity of predicate definition to that key. A predicate can fur- The Cassandra policy specification language was in- ther be tagged with an IP address which is used to refer to spired by Oasis, a role-based trust management system in a remote policy. SD3 is a very general system that does which Datalog-based rules specify which credentials are not specify any access control meaning for any predicates prerequisite for role activation and deactivation [21]. Oasis and can be viewed as Cassandra without constraints, roles has a special construct for role appointment, which was in- and access control semantics. SD3 passes the proof tree troduced as a useful generalisation of the delegation mech- from its highly optimised policy evaluation engine through anisms found in many other languages. Our case study sup- a simple and small proof checker to reduce the size of its ports the claim that role appointment (and its variants) is a trusted computing base. This would be a technique that very useful policy idiom. Oasis is the only other system could also be applied to Cassandra. we are aware of that supports cascading role revocation. Its The problem of trust negotiation has been addressed in revocation mechanism works even across the network be- [19], where various different negotiation strategies (which, tween collaborating entities. This is implemented using a when and in which order credentials are disclosed) are dis- distributed event infrastructure. Another difference is that cussed. Their Credential Access Policy (CAP) corresponds in Oasis, revocation is triggered whenever a specified sub- to Cassandra’s canReqCred rules specifying the prerequi- set of the role activation prerequisites ceases to hold. In sites for credential disclosure. Cassandra’s uniform treat- contrast, role deactivations in Cassandra are allowed to be ment of rules during evaluation gives us trust negotiation triggered by conditions that have nothing to do with the role almost “for free”, with a negotiation strategy similar to activation prerequisites. Oasis does not deal with automatic their “Parsimonious Strategy”. It has been pointed out credential discovery and trust negotiation. It also does not that this strategy can leak information about possession of possess a full formal semantics and does not guarantee ter- credentials without actually disclosing them. The “Eager mination of queries. Strategy” does not have this problem but is less efficient. [20] prevents the problem by adding another policy protec- The RT family of role-based trust management lan- tion layer. [22] argue that entities should be given the free- guages [13] bears some similarities to our system. In RT, dom to choose their own negotiation policy. They identify the Datalog-based rules, or credentials, as they are called, a large family of strategies that are mutually compatible. specify only the role membership relation: either directly, by role hierarchy, by (direct or attribute-based) delegation of authority, or any combination of these. The subjects of Conclusions and future work. We have developed a the rule head and the body conditions are implicitly the trust management system, Cassandra, with a role-based same, which is sufficient to express delegation but not con- policy specification language in which the expressiveness venient for appointment policies. In RT’s youngest off- can be tuned according to need by choosing an appropriate C spring, RT1 [12], rules are translated into DatalogC . Con- constraint domain. Apart from management of role permis- straints are used only to define a range on each role param- sions, activations and (cascading) deactivations, the system eter; constraints between two parameters are not permitted also uniformly provides flexible automatic credential re- in order to keep policies more comprehensible and to guar- trieval and automatic trust negotiation. With the constraint antee tractability. We find that a more liberal use of con- domain we devised for the EHR case study, Cassandra’s straints is useful and necessary, as our EHR policy shows, expressiveness surpasses that of existing systems while pre- and can still be efficient in practice. RT roles are prefixed serving a strong termination property. The policy language with the issuing entity, just like Cassandra’s predicates are, is small, simple and devoid of any redundant constructs but do not specify the location where a matching creden- such as delegation or hierarchies and yet it can express tial may be found. RT solves this by statically specifying a wide variety of policies. Cassandra, including the lan- for each role name whether credentials defining such roles guage, the access control engine and the goal-oriented dis- are stored with the issuer or the subject. Our EHR pol- tributed policy evaluation algorithm, is fully and formally icy has rules in which predicates have locations different specified and thus amenable to formal reasoning.Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)0-7695-2141-X/04 $ 20.00 © 2004 IEEE
  10. 10. We plan to use Cassandra’s formal framework to prove [9] C. A. Gunter and T. Jim. Policy-directed certificate re- security properties about specific policies. Along the same trieval. Software - Practice and Experience, 30(15):1609– lines, we wish to formalise a low-level model of Cassandra 1640, 2000. that specifies the underlying network protocols, the pub- [10] J. Jaffar and M. J. Maher. Constraint logic programming: lic key infrastructure and the design of certificates. We will a survey. Journal of Logic Programming, 19/20:503–581, 1994. also investigate possibilities for making answers to requests [11] T. Jim. SD3: A trust management system with certified more descriptive and user-friendly without leaking sensi- evaluation. In Proceedings of the 2001 IEEE Symposium tive information. on Security and Privacy, pages 106–115, 2001. To gather more reliable test results, we need to build a [12] N. Li and J. C. Mitchell. Datalog with constraints: A foun- complete prototype that is truly distributed and uses digital dation for trust management languages. In Proceedings of certificates for sending credentials over the network. We the 5th International Symposium on Practical Aspects of hope to improve efficiency by using a standard relational Declarative Languages, pages 58–73, 2003 2003. database for policy rule lookups. Such an implementation [13] N. Li, J. C. Mitchell, and W. H. Winsborough. Design of a role-based trust management framework. In Proceedings of will enable us to test real-world policies in a more realistic the 2002 IEEE Symposium on Security and Privacy, pages setting, with millions of role activations and entities that 114–130, 2002. interact via an unreliable network. [14] N. Li, W. H. Winsborough, and J. C. Mitchell. Distributed credential chain discovery in trust management: extended Acknowledgments We acknowledge support from a abstract. In ACM Conference on Computer and Communi- cations Security, pages 156–165, 2001. Gates Cambridge Scholarship (Becker), a Royal Society [15] P. Revesz. Introduction to constraint databases. Springer University Research Fellowship (Sewell), EPSRC grant Verlag, 2002. GRN24872, and EC FET-GC project IST-2001-33234 [16] R. L. Rivest. Can we eliminate certificate revocations lists? PEPITO. The authors thank Arne Heizmann for corrections In Financial Cryptography, pages 178–183, 1998. and comments. We also thank the reviewers for their valu- [17] R. Sandhu. Rationale for the RBAC96 family of access con- able comments. trol models. In Proceedings of the 1st ACM Workshop on Role-Based Access Control, 1997. [18] D. Toman. Memoing evaluation for constraint extensions of References datalog. Constraints, 2(3/4):337–359, 1997. [19] W. Winsborough, K. Seamons, and V. Jones. Automated [1] N. Baker and H. Sondergaard. Definiteness analysis for trust negotiation. In DARPA Information Survivability Con- CLP(R). In Australian Computer Science Conference, ference and Exposition, volume 1, pages 88–102, 2000. pages 321–332, 1993. [20] W. H. Winsborough and N. Li. Towards practical auto- mated trust negotiation. In Proceedings of the 3rd Inter- [2] S. Barker and P. J. Stuckey. Flexible access control national Workshop on Policies for Distributed Systems and policy specification with constraint logic programming. Networks, pages 92–103, 2002. ACM Transactions on Information and System Security, [21] W. Yao, K. Moody, and J. Bacon. A model of OASIS 6(4):501–546, 2003. role-based access control and its support of active secu- [3] M. Y. Becker and P. Sewell. Cassandra: Flexible trust rity. ACM Transactions on Information and System Secu- management, applied to electronic health records. In Pro- rity, 5(4), 2002. ceedings of the 17th IEEE Computer Security Foundations [22] T. Yu, M. Winslett, and K. E. Seamons. Supporting struc- Workshop, June 2004. To appear. tured credentials and sensitive policies through interopera- [4] M. Blaze, J. Feigenbaum, and A. D. Keromytis. KeyNote: ble strategies for automated trust negotiation. ACM Trans- Trust management for public-key infrastructures (position actions on Information and System Security, 6(1):1–42, paper). Lecture Notes in Computer Science, 1550:59–63, 2003. 1999. [5] M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust management. In IEEE Symposium on Security and Privacy, pages 164–173, 1996. [6] D. Clarke, J.-E. Elien, C. Ellison, M. Fredette, A. Morcos, and R. L. Rivest. Certificate chain discovery in SPKI/SDSI. Journal of Computer Security, 9(4):285–322, 2001. [7] N. Damianou, N. Dulay, E. Lupu, and M. Sloman. The Ponder policy specification language. In Policy Workshop, 2001. [8] D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and R. Chandramouli. Proposed NIST standard for role-based access control. 4, (3):224–274, 2001.Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)0-7695-2141-X/04 $ 20.00 © 2004 IEEE