Safety Analysis of Usage Control
(UCON) Authorization Model
Xinwen Zhang, Ravi Sandhu, and Francesco Parisi-Presicce
George Mason University
AsiaCCS 2006
1
Context
USAGE
purpose
• electronic commerce
• information sharing
• etcetera
• multi-party security
objectives
• fuzzy objectives
INTEGRITY
modification
USAGE
CONFIDENTIALITY
disclosure
AVAILABILITY
access
Context

Privacy
Protection
Protection
Objectives

Intellectual
Property Rights
Protection
DRM


Sensitive
Information
Protection
Traditional
Trust
Access
Management
Control

Usage Control
Protection
Architectures

Server-side
Reference Monitor
(SRM)
Client-side
Reference Monitor SRM & CRM
(CRM)
Sensitive
information
protection
IPR protection
Privacy protection


Server-side
reference monitor
Client-side
reference monitor
SRM & CRM
UCON Model (Park and Sandhu 2004)
Continuity of
Decisions
Rights
(R)
Subjects
(S)
pre-decision
Objects
(O)
Usage
Decisions
Subject Attributes (SA)
before usage
ongoing usage
pre-updates
ongoing updates
Obliga
tions
(B)
Condi
tions
(C)





post-updates
Three phases of a usage process
Decision in first two phases
 pre-decision:


after usage
Mutability of
Attributes
Object Attributes (OA)
Authoriz
ations
(A)
ongoing-decisions
Attributes can be updated as side-effects of a usage:
 pre, ongoing, and post updates
 Attribute Mutability
Core models:
 preA0, preA1, preA2, preA3, onAx, preBx, onBx preCx onCx
A real model may be a combination of core models.
preA, preB, preC
ongoing-decisions: repeatedly
check during ongoing usage phase


onA, onB, onC
Decision Continuity
4
An Example

Resource-constrained access control

Limited number (10) of ongoing accesses to a single
object


Different revocation policies:




When 11th subject requesting new access, one ongoing
accessing will be revoked.
By start time: the longest ongoing usage is revoked
By idle time: the usage with the longest total idle time is
revoked
By total usage time: the usage with the longest accumulating
usage time is revoked.
Need decision continuity, attribute mutability, and
ongoing access revocations
5
Motivations

Two fundamental properties in access control:



Expressive Power
Safety Analysis
Formalization of UCON Model is required



for the precise semantics of the conceptual model
for policy definition
for the analysis of UCON properties.
6
Expressive Power & Safety Analysis

Expressive Power:



Safety problem:


The flexibility to express policies for different requirements.
Comparing expressive power among access control models
Given a system, specified by an initial state and a scheme, is
there a reachable state in which a subject has a particular
right on an object?
Expressive power and manageable safety analysis are
two conflicting properties of access control models:


In general, the more expressive power a model has, the
harder it is (if at all possible) to carry out safety analysis.
Examples: HRU, SPM, and TAM
7
Formalization of UCONA


We focus on UCON preA (UCONA) models in this paper
Attributes and values



A system state is (O, ), where




Each object is specified by the same set of attributes: ATT
Each attribute has a value domain: dom(a) for a  ATT
O is a set of objects (including subjects)
: O  ATT  dom(ATT)  {null}
SO
Three primitive actions for state transitions:


createObject o:

create a new object o

a  ATT, ’(o.a) = null
destroyObject o:



O’ = O – {o}
 o O’, a  ATT, ’(o.a) = (o.a)
updateAttribute o.a=v’:


’(o.a) = v’, v’ dom(a)
’(ent.att) = (ent.att) if ent  o or att  a
8
UCONA Policy



p1, …pi are attribute predicates on s and o;
atc1, … actk are actions on s and o;
creating policy:




If act1 is “creatObject o”;
Only o can be created – single parent policy;
s is parent, o is child;
Assumptions:


Atomic policy enforcement
Serialized accesses
9
Formal Model of UCONA

A UCONA scheme is a 4-tuple (ATT, R, P, C), where





ATT is a finite set of attribute names
R is a finite set of rights,
P is a finite set of predicates
C is a finite set of policies
A UCONA system is specified by a UCONA scheme and
an initial state t0=(O0, 0).
10
Policy Specification Flexibility





DRM policies
RBAC models (RBAC0, RBAC1, RBAC2)
Chinese Wall policies
Dynamic separation of duty
MAC policy with high watermark
property
11
Expressive Power of UCONA:
iTunes-like Systems
user_register (s, u):
true  permit(s,u, register)
createObject u;
updateAttribute:s.regUsers' = s.regUsers  {u};
updateAttribute: u.registered' = true;
updateAttribute: u.platformList'=o;
updateAttribute: u.orderList'=o;
updateAttribute: u.credit' = 0.00;
iTunes music store
register
order (u, m):
(u.registered=true)  (u.credit  m.price)  (mu.orderList)
permit(u,m,order)
updateAttribute:u.orderList' = u.orderList  {m};
updateAttribute: m.owner' = u;
updateAttribute:u.credit' = u.credit - m.price;
order
User
authorize
play
Music file
deauthorize
authorize_platform (u, p):
(u.registered=true)  (|u.platformList|<5)  (p u.platformList)
permit(u,p,authorize)
updateAttribute: u.platformList' = u.platformList  {p};
updateAttribute: p.authorizedBy' = u;
deauthorize_platform (u, p):
(u.registered=true)  (p u.platformList)  permit(u,p,deauthorize)
updateAttribute: u.platformList' = u.platformList - {p};
updateAttribute: p.authorizedBy' = null;
Device
play (p,m):
(p.authorizedby  null)  (m.owner  null) 
(p.authorizedby=m.owner)  permit(p,m,play)
12
Expressive Power of

UCONA
The expressive power of the UCONA model has been
formally studied by comparing it with traditional
access control models:


simulating the general SO-TAM model
simulating the general SO-ATAM model
Theorem
a) UCONA is more expressive than TAM.
b) UCONA is at least as expressive as ATAM.
13
Safety Analysis of UCONA
Theorem
Safety is undecidable in the general UCONA model.


By reducing a general SO-TAM system to a UCONA system
By simulating the operations of a general Turing machine with a UCONA model.
14
Safety Analysis of UCONA
Theorem

The safety problem of a UCONA system is decidable if:



Proof idea:


the value domain of each attribute is finite, and
there is no creating policy in the scheme.
Reduce a UCONA system with these restrictions to a FSM, where the safety
problem is mapped to the empty language problem recognized by the
FSM.
The complexity of the safety problem is:


polynomial in the number of possible states of the system.
NP-hard in number of policies in the scheme.
15
Safety Analysis of UCONA
Theorem

The safety problem of a UCONA system is decidable if:




the attribute creation graph is acyclic, and
the attribute update graph has no cycle containing a create-parent attribute
tuple, and
in each creating policy, both the parent's and the child's attribute tuples are
updated.
Proof idea: restrictions on creating policies


If c(s,o) is a creating policy, then it has must have “updateAttribute s.a”
action, and ’(s.a)  (s.a)
There is no policies that can update ’(s.a) to (s.a) in any state.
16
Expressive Power of Decidable UCONA

RBAC96 model with URA97 or PRA97 scheme



A state in RBAC96: S, P, R, UA, UAA, PA, RH, where P  O x R
URA97 scheme: can_assign  ARxCRx2R, can_revoke  ARx2R
A can_assign(ar, cr, [r1,r2]) or can_revoke(ar, [r1,r2]) can be
reduced to a set of UCONA policies:

ri  [r1,r2], cr = x y
17
Expressive Power of Decidable UCONA

DRM applications with consumable rights

Limited number of copies
order (s, o):
(s.credit  o.price)  (o.owner = null)  permit(s,o,order)
updateAttribute: s.credit'=s.credit - o.price;
updateAttribute: o.owner=s;
updateAttribute:o.copylicense=10;
order
allowcopy
copy
copy (o1, o2):
(o1.allowcopy=true)  permit(o1,o2,copy)
createObject o2;
updateAttribute: o2.sn' = o1.copylicense;
updateAttribute: o1.copylicense' = o1.copylicense-1;
updateAttribute: o1.allowcopy' = false;
allow_copy (s, o):
(o.owner=s)  (o.copylicense > 0)  permit(s,o,allowcopy)
updateAttribute: o.allowcopy = true;
18
Contribution Summary

Formal study of the expressive power of UCONA:


UCONA is at least as expressive as ATAM.
Safety analysis of UCONA:



Safety undecidability of the general model
Two safety-decidable models with restrictions on the
form of the policies in the general model
Expressive power of the decidable models by simulating


RBAC96 with URA97 or PRA97
DRM applications
19
Ongoing and Future Work





Comparing expressive power between
UCON authorization and obligations
models
Efficiently decidable UCON models
An administrative model of UCON
Expressive power and safety analysis of
UCON ongoing models.
UCON architectures and mechanisms
20
Thank you!
Q&A
21