Canonical Completeness in Lattice-Based Languages for Attribute-Based Access Control Jason Crampton Conrad Williams Royal Holloway University of London Royal Holloway University of London Egham, TW20 0EX, United Kingdom Egham, TW20 0EX, United Kingdom [email protected] [email protected] ABSTRACT whether a user request to access a resource (an “access re- The study of canonically complete attribute-based access quest”) should be permitted or not. In its simplest form control (ABAC) languages is relatively new. A canonically an authorization decision function either returns an allow or complete language is useful as it is functionally complete deny decision. and provides a “normal form” for policies. However, previ- Most implementations of access control use authorization ous work on canonically complete ABAC languages requires policies, where a user request to access a resource is eval- that the set of authorization decisions is totally ordered, uated with respect to a policy that defines which requests which does not accurately reflect the intuition behind the are authorized. Many recent languages for the specification use of the allow, deny and not-applicable decisions in ac- of authorization policies are designed for “open”, distributed cess control. A number of recent ABAC languages use a systems (rather than the more traditional “closed”, central- fourth value and the set of authorization decisions is par- ized systems in which the set of users was assumed to be tially ordered. In this paper, we show how canonical com- known in advance). Such languages do not necessarily rely pleteness in multi-valued logics can be extended to the case on user identities to specify policies; instead, policies are de- where the set of truth values forms a lattice. This enables fined in terms of other user and resource attributes. The us to investigate the canonical completeness of logics having most widely used attribute-based access control (ABAC) a partially ordered set of truth values, such as Belnap logic, language is XACML [14, 17]. However, XACML suffers from and show that ABAC languages based on Belnap logic, such poorly defined and counterintuitive semantics [10, 15], and is as PBel, are not canonically complete. We then construct a inconsistent in its articulation of policy evaluation. PTaCL canonically complete four-valued logic using connections be- is a more formal language for specifying authorization poli- tween the generators of the symmetric group (defined over cies [6], providing a concise syntax for policy targets and the set of decisions) and unary operators in a canonically precise semantics for policy evaluation. suitable logic. Finally, we propose a new authorization lan- Crampton and Williams [7] recently introduced the no- 6 tion of canonical completeness for ABAC languages, show- guage PTaCL4 , an extension of PTaCL, which incorporates a lattice-ordered decision set and is canonically complete. ing that XACML and PTaCL are not canonically complete 6 and developing a variant of PTaCL that is canonically com- We then discuss how the advantages of PTaCL4 can be leveraged within the framework of XACML. plete. These results apply to languages that support three decision values, which are assumed to be totally ordered. However, there are certain situations where it is useful to Keywords have four decisions available, and some languages, such as XACML; PTaCL; decision operators; combining algorithms; PBel [4], BelLog [18] and Rumpole [12], use four decisions, functional completeness; canonical completeness which are partially ordered. arXiv:1702.04173v1 [cs.CR] 14 Feb 2017 In this paper, we extend existing results to languages that 1. INTRODUCTION support four decision values, which need not be totally or- dered. We show that PBel [4], perhaps the best-known Access control is one of the most important security ser- four-valued ABAC language, is not canonically complete. vices in multi-user computer systems, providing a mech- anism for constraining the interaction between (authenti- We then develop a canonically complete ABAC language, cated) users and protected resources. Generally, access based on PTaCL syntax and semantics. The language is abstract, but its operators could be implemented as com- control is implemented by an authorization service, which bining algorithms in XACML, thereby leveraging the fea- includes an authorization decision function for deciding tures that XACML provides for specifying attribute-based Permission to make digital or hard copies of all or part of this work for personal or requests and targets, the evaluation of targets with respect classroom use is granted without fee provided that copies are not made or distributed to requests, and the storage and evaluation of policies. for profit or commercial advantage and that copies bear this notice and the full citation In Section 2 we discuss background material and related on the first page. Copyrights for components of this work owned by others than the work, which provides us with the primary motivation for this author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission paper: to develop a canonically complete 4-valued logic to and/or a fee. Request permissions from [email protected]. support a tree-structured authorization language. The main CODASPY’17, March 22-24, 2017, Scottsdale, AZ, USA contributions of this work are: c 2017 ACM. ISBN 978-1-4503-4523-1/17/03. $15.00 DOI: http://dx.doi.org/10.1145/3029806.3029808 to extend Jobe’s work on canonical completeness in • S1 0123 S2 0123 S3 0123 multi-valued logics to the case where the set of truth (0,2) (1,1) (3,0) 0 0010 0 0000 0 0000 values forms a lattice (Section 3.2); 1 0000 1 0200 1 0000 • to establish that existing 4-valued logics are not canon- 2 0000 2 0000 2 0000 ically complete (Section 3.3); 3 0000 3 0000 3 3000 • to construct a canonically complete 4-valued logic 1 2 3 (Section 4); Figure 1: Selection operators S(0,2), S(1,1) and S(3,0) • to construct a 4-valued, canonically complete autho- rization language for ABAC (Section 5). Selection operators play a central role in the development of canonically complete logics because an arbitrary function We conclude the paper with a summary of our contribu- f : V n → V can be expressed in terms of selection operators. tions and a discussion of future work. Consider, for example, the function 2. BACKGROUND AND RELATED WORK 1 if x = 0, y = 2, In this section, we summarize background material 2 if x = y = 1, f(x,y)= and related work, including tree-structured ABAC lan- 3 if x = 3, y = 0, guages, canonical completeness, and four-valued languages 0 otherwise. for ABAC, thereby providing motivation for the work in the remainder of the paper. Then it is easy to confirm that 1 2 3 2.1 Completeness in Multi-valued Logics f(x,y) ≡ S(0,2)(x,y) g S(1,1)(x,y) g S(3,0)(x,y). Let V be a set of truth values. The set of formulae Φ(L) c c c Moreover, S(a,b)(x,y) ≡ Sa(x) f Sb (y) for any a,b,c,x,y ∈ that can be written in a (multi-valued) propositional logic V . Thus, L = (V, Ops) is defined by V and the set of operators Ops. 1 1 2 2 3 3 For brevity, we will write L when V and Ops are obvious f(x,y) ≡ (S0 (x)fS2 (y))g(S1 (x)fS1 (y))g(S3 (x)fS0 (y)) from context. g Let V be a totally ordered set of m truth values, In other words, we can express f as the “disjunction” ( ) of “conjunctions” (f) of unary selection operators. {0,...,m − 1}, with 0 < 1 < · · · < m − 1. Then we say n L = (V, Ops) is canonically suitable if and only if there More generally, given the truth table of function f : V → V , we can write down an equivalent function in terms of exist two formulas φmax and φmin of arity 2 in Φ(L) such selection operators. Specifically, let that φmax(x,y) returns max {x,y} and φmin(x,y) returns min {x,y}. We will usually write φmax and φmin using the A = {a ∈ V n : f(a) > 0} ; infix operators g and f respectively. then, for all x ∈ V n, Example 1. Standard propositional logic with truth val- f(x) ues 0 and 1, and operators ∨ and ¬, representing dis- f(x)= j Sa (x). junction and negation, respectively, is canonically suitable: a∈A φ x,y x y φ x,y x y max( ) is simply ∨ , while min( ) is ¬(¬ ∨ ¬ ) Jobe established a number of results connecting the func- (that is, conjunction). tional completeness of a logic with the unary selection oper- n ators, summarized in the following theorem. A function f : V → V is completely specified by a truth table containing n columns and mn rows. However, not every truth table can be represented by a formula in a given Theorem 1 (Jobe [9, Theorems 1, 2; Lemma 1]). A logic L is functionally complete if and only if each unary logic L =(V, Ops). L is said to be functionally complete if for n selection operator is equivalent to some formula in L. every function f : V → V , there is a formula φ ∈ Φ(L) of arity n whose evaluation corresponds to the truth table. In The normal form of formula φ in a canonically suitable Section 2.2, we explain why we may regard a tree-structured logic is a formula φ′ that has the same truth table as φ and authorization language as a logic defined by a set of decisions has the following properties: and the set of policy-combining operators.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages12 Page
-
File Size-