Authorization Policies, Vicky Weissman, vickyw@cs.cornell.edu
Post on 15-Dec-2015


Page 1: Authorization Policies

Vicky Weissman, vickyw@cs.cornell.edu

Page 2: What is a policy?

A policy says that under certain conditions an action is permitted or it is forbidden.

Examples:

If you pay 99 cents, then you may download a song.

If you do not have a student’s written consent, then you may not access her transcript.


Page 5: The big picture

We want to write policies that govern access to digital content, and have those policies enforced. Examples:

We want to restrict access to student, medical, and financial records.

We want online music and movie stores to be able to get money for their services.

Page 6: The classic solution

Write licenses and laws to regulate access to content. Rely on consumer ethics and courts for enforcement.

Page 7: Pros/cons

Pros: If licenses/laws are written in a natural language (e.g., English), you can capture all policies of practical interest.

Cons: How do you detect violations? Do you really want to sue your customers? RIAA says yes; most businesses say no.

Page 8: A better idea?

Write the policies in such a way that they can be enforced by computers (ACLs, passwords, …).

Now you have to sue only people who circumvent the technology, or you can choose to tolerate the relatively few violations.

Page 9: Problem: expressivity

If a language is restricted enough to allow enforcement by computers, then it might not be sufficiently expressive.

Page 10: Expressivity

Argument 1: Enforceable policy languages can’t be expressive enough, because they can’t capture ‘fuzzy’ concepts like fair use.

Response 1: Enforceable policies can approximate ‘fuzzy’ rights. E.g., NetLibrary allows each user to copy a certain number of pages from an online text. Petitioning for greater use or suing for violations could be a fallback plan.

Page 11: Expressivity 2

Argument 2: An enforceable language can never capture all the policies that can be written in a natural language (English).

Response 2: True. But what do we really need to say? If a policy language can capture the licenses/laws that exist today (regulating digital content), then maybe it’s good enough.

Page 12: Goal

To have an enforceable policy language that is sufficiently expressive to capture a wide range of the licenses/laws that exist today.

Page 13: Meeting the goal

A number of people claim to have developed expressive enforceable policy languages.

Two popular choices are XrML (endorsed by Microsoft, …) and XaCML (endorsed by Sun, …).

Does either of these languages meet the goal?

Page 14: Evaluating XrML and XaCML

Big idea: Collect a bunch of licenses/laws. Try to write them in XrML and XaCML.

First step to presenting the results: Give an overview of each language. Approach: present a basic policy language, called MinLang, then explain how to change MinLang to get the others.

Page 15: Syntax

Principals: agents (e.g., Alice, Bob).

Resources: digital content (e.g., a movie, an article).

Actions: what principals can do (e.g., play, edit).

Properties: attributes of a principal, resource, or action (e.g., trusted, high-res, dangerous).

Page 16: Syntax (cont.)

Policy ::= ∀x1 … ∀xn (Condition ∧ … ∧ Condition → Perm(p, a, r))

Perm(p, a, r) means p is permitted to do action a to resource r. A policy is closed (no free variables).

Condition ::= Pr(e) | true

Pr(e) means entity e (principal, resource, or right) has property Pr.


Page 21: Examples

Can write ‘Alice is permitted to read file f’ as

true → Perm(Alice, read, f)

and ‘Anyone who pays 99 cents may download a song’ as

∀x1 ∀x2 (Paid99Cents(x1) ∧ Song(x2) → Perm(x1, download, x2)).


Page 24: Permissions

Given a set of policies, when does a permission hold?

Example: Given the policy ‘anyone who pays 99 cents may download a song’, can we determine whether Alice may download the theme song to Sesame Street?

No. To answer the question, we need to know if Alice has paid 99 cents.

Page 25: Permissions (cont.)

Assume an environment E that tells us basic facts about the world: E = Pr1(e1) ∧ … ∧ Prn(en). Assume {p1, …, pm} is the set of policies.

A principal p is permitted to do an action a to a resource r iff

E ∧ p1 ∧ … ∧ pm → Perm(p, a, r)

is valid.

Page 26: Example

Suppose that Alice has paid 99 cents, the theme song to Sesame Street is a song, and anyone who pays 99 cents may download a song. May Alice download the theme song?

Let E = Paid99Cents(Alice) ∧ Song(Sesame Street) and P = ∀x1 ∀x2 (Paid99Cents(x1) ∧ Song(x2) → Perm(x1, download, x2)).

E ∧ P → Perm(Alice, download, Sesame Street) is valid, so Alice has permission.
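The validity check on the two slides above can be run mechanically. The following is an added example (not code from the slides): a decision procedure for MinLang as defined on pages 16 and 25. Because a policy's conditions mention only environment properties Pr(e) and never Perm, no chaining between policies is needed, so Perm(p, a, r) follows from E ∧ p1 ∧ … ∧ pm exactly when some policy's head instantiates to the query with all of its conditions matched by facts in E. The encoding is an assumption of the example: an atom is a tuple whose first element is the predicate, a term that starts with "?" is a universally quantified variable, and the condition `true` is an empty condition tuple.

```python
# Added example: a MinLang decision procedure (not from the slides).
# Policy  = ∀x1 … ∀xn (Cond1 ∧ … ∧ Condk → Perm(p, a, r))
# Encoded as (conditions, head): conditions is a tuple of atoms, head is the Perm atom.
# Atom    = ("Predicate", term, ...); a term starting with "?" is a variable.
# E       = a set of ground atoms (the environment facts).


def match(pattern, atom, binding):
    """Extend `binding` so that `pattern` instantiates to the ground `atom`.
    Returns the extended binding, or None if no consistent extension exists."""
    if len(pattern) != len(atom):
        return None
    extended = dict(binding)
    for term, value in zip(pattern, atom):
        if term.startswith("?"):                    # variable: bind it, or check consistency
            if extended.setdefault(term, value) != value:
                return None
        elif term != value:                         # constant: must agree exactly
            return None
    return extended


def satisfying_bindings(conditions, env, binding):
    """Yield every extension of `binding` under which each condition is a fact of E.
    The empty condition tuple plays the role of the condition `true`."""
    if not conditions:
        yield binding
        return
    first, rest = conditions[0], conditions[1:]
    for fact in env:
        extended = match(first, fact, binding)
        if extended is not None:
            yield from satisfying_bindings(rest, env, extended)


def permitted(env, policies, query):
    """Is E ∧ p1 ∧ … ∧ pm → query valid?  Some policy's head must instantiate to the
    query (this binds the variables), and under that binding its conditions must
    all be facts in E."""
    for conditions, head in policies:
        head_binding = match(head, query, {})
        if head_binding is None:
            continue
        if next(satisfying_bindings(conditions, env, head_binding), None) is not None:
            return True
    return False


# Constructed sample input, following the slides' examples.
ENV = {
    ("Paid99Cents", "Alice"),
    ("Song", "Sesame Street"),
    ("Song", "Rubber Duckie"),
}
POLICIES = [
    # true → Perm(Alice, read, f)
    ((), ("Perm", "Alice", "read", "f")),
    # ∀x1 ∀x2 (Paid99Cents(x1) ∧ Song(x2) → Perm(x1, download, x2))
    ((("Paid99Cents", "?x1"), ("Song", "?x2")), ("Perm", "?x1", "download", "?x2")),
]

if __name__ == "__main__":
    for query in [("Perm", "Alice", "download", "Sesame Street"),
                  ("Perm", "Bob", "download", "Sesame Street"),
                  ("Perm", "Alice", "download", "Homework.pdf"),
                  ("Perm", "Alice", "read", "f")]:
        print(query, "->", permitted(ENV, POLICIES, query))
```

Bob's query fails because no fact Paid99Cents(Bob) is in E, and the homework query fails because Song(Homework.pdf) is not; both illustrate the point of page 24 that the environment, not the policy alone, settles a permission.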


Page 30: That’s all folks… for the basic language. How is XrML different?

XrML is an XML-based language, so the syntax is more verbose/unwieldy, but it plays better with other data.

There are fundamental differences too…

Page 31: Who’s the policymaker?

MinLang assumes we’re given a set of policies from some trusted source. XrML assumes anyone can write a policy. E.g., Alice can write the policy ‘Alice may eat a gazillion cookies’. But the policy holds iff it was written by ‘the system’ or by someone who was permitted to write it.

Page 32: Example

The System says ‘Mom may write any policy’. This policy holds.

Mom says ‘The babysitter may write any policy governing Alice’s eating’. This policy holds.

The babysitter says ‘Alice may eat apples’. This policy holds.

Alice says ‘Alice may eat cookies’. This policy does not hold.

Page 33: Why is this useful?

Suppose we’re given a set of policies, each tagged by the identity of its author, the System’s only policy is ‘Carl Lagoze may write any policy’, and it follows that Alice is permitted to turn in her assignment late. Then we can conclude that Carl allows Alice to turn in her assignment late.

Page 34: But wait, there’s more…

In XrML, a policy can grant a permission based on which permissions have been granted by other principals. E.g., in XrML, Alice’s Mom could write ‘if Carl allows Alice to turn in her assignment late, then Alice is permitted to take an afternoon nap’.
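The two XrML features of pages 31 to 34 (policies hold only when their author was permitted to write them, and permissions can depend on what other principals have granted) combine into a least-fixpoint computation. The following is an added example that models both, not code from the slides or from the XrML specification. Its encoding is an assumption: a grant is a tuple (principal, action, resource); the permission to write policies is modelled as the action "write" on a topic, with "*" standing for any topic; the root of trust is the principal named SYSTEM; and a policy's `requires` lists (issuer, grant) pairs that must already be in force, so that Mom's rule can refer specifically to what Carl has granted.

```python
# Added example: XrML-style policy authority and dependent permissions
# (not from the slides or the XrML spec; encoding and names are assumptions).
from dataclasses import dataclass

SYSTEM = "System"   # root of trust; the slides call it "the system"


@dataclass(frozen=True)
class Policy:
    issuer: str
    grant: tuple            # (principal, action, resource) that this policy permits
    topic: str = "*"        # what the policy governs; used to scope write authority
    requires: tuple = ()    # ((issuer, grant), ...) that must already be in force


def policy_holds(policy, in_force):
    """Page 31's rule: a policy holds iff written by the system, or by someone
    who is permitted (by a policy already in force) to write it."""
    if policy.issuer == SYSTEM:
        return True
    return any(grant == (policy.issuer, "write", scope)
               for _, grant in in_force
               for scope in ("*", policy.topic))


def grants_in_force(policies):
    """Least fixpoint of (issuer, grant) pairs whose policy holds and whose
    requirements are met. Iterates because authority and dependencies chain:
    System -> Mom -> Babysitter -> Alice's apples."""
    in_force = set()
    while True:
        new = {(p.issuer, p.grant) for p in policies
               if (p.issuer, p.grant) not in in_force
               and policy_holds(p, in_force)
               and all(req in in_force for req in p.requires)}
        if not new:
            return in_force
        in_force |= new


def permitted(policies, grant):
    """Does any policy in force grant `grant`?"""
    return any(g == grant for _, g in grants_in_force(policies))


def allowed_by(policies, grant):
    """Which issuers' policies in force grant `grant` (page 33's conclusion about Carl)."""
    return {issuer for issuer, g in grants_in_force(policies) if g == grant}


LATE = ("Alice", "submit_late", "assignment")
NAP = ("Alice", "take", "afternoon nap")

# Constructed sample policies, following the slides' cookie and homework stories.
POLICIES = [
    Policy(SYSTEM, ("Mom", "write", "*")),                                  # Mom may write any policy
    Policy("Mom", ("Babysitter", "write", "Alice's eating")),               # ...and delegates a topic
    Policy("Babysitter", ("Alice", "eat", "apples"), topic="Alice's eating"),
    Policy("Alice", ("Alice", "eat", "cookies"), topic="Alice's eating"),   # Alice has no write authority
    Policy(SYSTEM, ("Carl Lagoze", "write", "*")),
    Policy("Carl Lagoze", LATE, topic="coursework"),
    # Mom: if Carl allows the late submission, Alice may take an afternoon nap.
    Policy("Mom", NAP, requires=(("Carl Lagoze", LATE),)),
]

if __name__ == "__main__":
    for grant in [("Alice", "eat", "apples"), ("Alice", "eat", "cookies"), LATE, NAP]:
        print(grant, "->", permitted(POLICIES, grant), "granted by", allowed_by(POLICIES, grant))
```

Removing Carl's policy from the list makes the nap permission disappear as well, which is exactly the dependency page 34 describes; and a babysitter policy on any topic other than Alice's eating never takes effect, because Mom's delegation is scoped.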

Page 35: Is this capability important?

Yes. Examples:

Digital libraries often have the policy ‘if the government allows someone to access our usage records, then the access is permitted’.

Similar recognition of state/federal authority appears elsewhere.

Page 36: Another difference

In XrML, the action ‘adopting’ can be done to a resource that is a role. E.g., Alice may adopt the role ‘freshman’.

Now, a policy can look more like an environment fact. E.g., ‘anyone permitted to adopt the role “freshman” may adopt the role “student”’ (i.e., all freshmen are students).

Page 37: Not quite enough

Real licenses include fairly complex environment facts. E.g., if you try to make a purchase from iTunes using a gift certificate and the purchase price is more than the balance on the certificate, then the difference is charged to your credit card.

XrML is a step in the right direction, but isn’t enough to capture everything.

Page 38: Another problem: prohibitions

Real licenses forbid certain actions. Example: MIT has course materials online. According to their online license, users are forbidden to use the material for commercial purposes.

In XrML, we cannot write that an action is forbidden.

Page 39: A partial solution

XrML assumes that an action is forbidden unless it’s explicitly permitted. This might be good enough, but we’re not really capturing the policymaker’s intent. And we can’t write policies that depend on a policymaker’s indifference. E.g., an instructor can’t say ‘a student may audit my class if the university doesn’t object’.

Page 40: A better solution

Add negation to XrML. This can be done, although some care is needed to keep the language tractable (enforceable by computers).

Page 41: Another problem: obligations

Real licenses talk about the obligations of the consumer and the content provider. E.g., licenses often obligate the consumer to defend the provider from any legal action resulting from the consumer’s use of the content.

Providers often say that they are obligated to replace faulty content or give the consumer a full refund.

Page 42: Adding obligations to XrML

Adding obligations is fairly straightforward. But some thought needs to go into determining the relationship between permissions and obligations. E.g., are all obligatory actions permitted?

Also, it’s not clear how an obligation can be enforced.

Page 43: Summary of XrML

Pros:

Can capture policies that grant permissions depending on who has granted other permissions. (E.g., if Carl allows Alice to turn in her homework late, then she may take a nap.)

Can capture some environment facts, such as ‘all freshmen are students’.

Page 44: Summary of XrML (cont.)

Cons:

XrML cannot capture all of the environment facts that appear in licenses.

XrML cannot capture policies that forbid an action. (E.g., Alice may not use the content for commercial purposes.)

XrML cannot capture obligations. (E.g., if the content is buggy, the provider is obligated to give a refund.)

Page 45: XaCML

XaCML can capture policies that forbid actions. An answer to a query, such as ‘may Alice download the theme song to Sesame Street’, can be ‘yes, the action is permitted’, ‘no, the action is forbidden’, ‘indeterminate, the action isn’t regulated’, or ‘yes, if she does some action’ (e.g., pay 99 cents). This should be quite useful in practice!

Page 46: XaCML (cont.)

XaCML supports some use of disjunction (or) in policies. This doesn’t add expressive power, but can make policies more concise. E.g., consider the policy ‘If Alice is over 18 or has parental consent, then she may access file f’. In MinLang, this would be written as two policies. In XaCML, it’s just one.

Page 47: XaCML (cont.)

XaCML allows the policymaker to define when a permission follows from a set of policies based on which policies permit/forbid the action.

A policymaker could say that an action is permitted if the permission follows from one of the government’s policies or if none of the policies imply that the action is forbidden.
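Pages 45 and 47 together describe policies with an explicit effect (permit or forbid), three-valued answers, and a policymaker-chosen rule for combining the policies that apply to a request. The following is an added example of that decision structure, not code from the slides or from the XACML standard. `deny_overrides` and `permit_overrides` are simplified versions of the XACML combining algorithms of those names, `government_or_unopposed` is the rule described on this slide, and the policy set, author names and the wildcard `"*"` target convention are constructed for the example; the fourth answer on page 45 (‘yes, if she does some action’) is not modelled.

```python
# Added example: effect-carrying policies with pluggable combining rules
# (not from the slides or the XACML standard; names and sample policies are assumptions).
from dataclasses import dataclass

# The three answers from page 45.
PERMITTED = "yes, the action is permitted"
FORBIDDEN = "no, the action is forbidden"
UNREGULATED = "indeterminate, the action isn't regulated"


@dataclass(frozen=True)
class Rule:
    author: str
    effect: str        # PERMITTED or FORBIDDEN
    target: tuple      # (principal, action, resource); "*" matches any value


def applies(rule, request):
    """A rule applies when every target component equals the request's or is "*"."""
    return all(t == "*" or t == value for t, value in zip(rule.target, request))


def applicable(rules, request):
    return [r for r in rules if applies(r, request)]


def deny_overrides(rules):
    """Any forbidding policy wins; otherwise any permitting one; otherwise unregulated."""
    if any(r.effect == FORBIDDEN for r in rules):
        return FORBIDDEN
    if any(r.effect == PERMITTED for r in rules):
        return PERMITTED
    return UNREGULATED


def permit_overrides(rules):
    """Any permitting policy wins; otherwise any forbidding one; otherwise unregulated."""
    if any(r.effect == PERMITTED for r in rules):
        return PERMITTED
    if any(r.effect == FORBIDDEN for r in rules):
        return FORBIDDEN
    return UNREGULATED


def government_or_unopposed(rules, government="Government"):
    """Page 47's policymaker-defined rule: permitted if a government policy permits
    the action, or if no policy forbids it; forbidden otherwise. Note that this rule
    never answers 'unregulated': silence counts as permission."""
    if any(r.effect == PERMITTED and r.author == government for r in rules):
        return PERMITTED
    if not any(r.effect == FORBIDDEN for r in rules):
        return PERMITTED
    return FORBIDDEN


def decide(rules, request, combine=deny_overrides):
    """Answer a query like 'may Alice read the course materials?' under `combine`."""
    return combine(applicable(rules, request))


# Constructed sample policy set, echoing the MIT and usage-records examples.
RULES = [
    Rule("MIT", PERMITTED, ("*", "read", "course materials")),
    Rule("MIT", FORBIDDEN, ("*", "commercial use", "course materials")),
    Rule("Library", FORBIDDEN, ("*", "read", "usage records")),
    Rule("Government", PERMITTED, ("Auditor", "read", "usage records")),
]

if __name__ == "__main__":
    for request in [("Alice", "read", "course materials"),
                    ("Alice", "commercial use", "course materials"),
                    ("Auditor", "read", "usage records"),
                    ("Alice", "play", "song")]:
        for combine in (deny_overrides, permit_overrides, government_or_unopposed):
            print(request, combine.__name__, "->", decide(RULES, request, combine))
```

The auditor's request shows why the choice of combining rule is itself a security decision: under `deny_overrides` the library's prohibition wins, while under `government_or_unopposed` the government's permission does. The unregulated song request shows a second consequence: the page-47 rule turns "no policy mentions this" into "permitted", which is the opposite of XrML's default (page 39) and is something a deployment should decide deliberately.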

Page 48: Problems

In XaCML, we cannot capture:

policies that depend on what other principals permit/forbid (if Carl allows Alice to turn in her homework late, then she may nap),

environment facts (e.g., all freshmen are students), and

obligations.

Page 49: Summary

Real licenses do not seem to require so much expressive power that it is impossible to create an appropriate policy language.

But XrML and XaCML are not sufficiently expressive to capture the licenses of digital content providers.

So there is work to be done.