Types for Role-based Access Control of
Dynamic Web Data
Mariangiola Dezani-Ciancaglini1 Silvia Ghilezan2 Svetlana Jakši´c2 Jovanka Pantovi´c2
1Università di Torino 2University of Novi Sad
Outline
1 Motivation
Related Work
Access control -rXdπ-calculus
2 rXdπ-calculus Syntax Semantics 3 Types Types Safety
Outline
1 Motivation
Related Work
Access control -rXdπ-calculus
2 rXdπ-calculus Syntax Semantics 3 Types Types Safety
Distributed systems - decentralised
peer-to-peer networks
• management of semi-structured and distributed data
• processes with differentroleshave different access rights
• different access policies in different locations
• exchange between data and processes preserving access control
• dynamic changes of access rights • One solution - typed models
• control of access
Distributed systems - decentralised
peer-to-peer networks
• management of semi-structured and distributed data
• processes with differentroleshave different access rights
• different access policies in different locations
• exchange between data and processes preserving access control
• dynamic changes of access rights
• One solution - typed models • control of access
Related work
• Xdπcalculus - extension of Active XML - Gardner, Maffeis
• localised mobile processes
• distributed, dynamic, semi-structured web data
• Variety of type systems fordπand related calculi
• controlling the use of accesses and mobility of processes
• Security types for Xdπ
Dezani, Ghilezan, Pantovic, Varacca, 2008
• partially ordered set (with bottom) as security levels
• control of movements rights
Distributed Network
Location
T
R
l
Location
Access Rights
T
R
lT
R
mT
S
l Security conditions• not all data is visible to all processes
Roles
stvpr login{st} connection{pr} enable(st)loginprqpr CLASSROOM login{st} connection{st} PUBLICRoles
stvpr login{st} connection{pr} enable(st)loginprqpr CLASSROOM login{st} connection{st} PUBLICRoles
stvpr login{st} connection{pr} enable(st)loginprqpr CLASSROOM login{st} connection{st} PUBLICOutline
1 Motivation Related Work
Access control -rXdπ-calculus
2 rXdπ-calculus Syntax Semantics 3 Types Types Safety
Locations, Networks
T
R
l
• Eachlocationconsists of data in a form of a tree and a process
• A well-formednetworkis a parallel composition (|) of
locationswith different names.
Data
CLASSROOM login{st} a{st} conncetion{pr} p@λ R PUBLIC login{st} a{st} connection{st} p@λ R • R-scripted process • p-path • p@λ-pointer• run,read,change
Data
CLASSROOM login{st} a{st} conncetion{pr} p@λ R PUBLIC login{st} a{st} connection{st} p@λ R • R-scripted process • p-path • p@λ-pointer• run,read,change
Processes
π-calculusP ::= 0 the nil process
|| P|P composition of processes
|| ¯cTvhvi output valuevon a channelc || cTv(x).P input parameterized by a variablex || !cTv(x).P replication of an input process
Processes
π-calculusP ::= 0 the nil process
|| P|P composition of processes
|| ¯cTvhvi output valuevon a channelc || cTv(x).P input parameterized by a variablex || !cTv(x).P replication of an input process
dπ-calculus
P ::= goλ.R migrate to locationλ,continue asR
Xdπ-calculus
P ::= runp run command || readp(χ).P read command || changep(χ,V).P change command
Processes
rXdπ-calculus
P ::= enable(r)p.P gives permission to the roler
to access data on the pathp
|| disable(r)p.P removes the rolerfrom roles that are
allowed to access data on the pathp
R ::= Pqρ single process with rolesρ
|| R|R parallel composition of processes with roles
Interactions in the System
• Communication
• Movement
• Interaction with local data
• Permission change
Interactions in the System
• CommunicationT
P
q
ρ
Q
q
σ
l • Movement• Interaction with local data
• Permission change
Interactions in the System
• Communication • MovementT
P
q
ρ
lT
Q
q
σ
m• Interaction with local data
• Permission change
Interactions in the System
• Communication
• Movement
• Interaction with local data
T
P
q
ρ
l
• Permission change
Interactions in the System
• Communication
• Movement
• Interaction with local data
• Permission change
T
P
q
ρ
l
Operational Semantics - Example
@ aα bβ@l cρ b β @ dγ l (readaα(y(β)@x(σ,E,D)).changeaα(y1(β)@x1(σ,E,D),R) .gox.enable(r)yqρ)qρ 0Operational Semantics - Example
@ aα bβ@l cρ b β @ dγ l (readaα(y(β)@x(σ,E,D)).changeaα(y1(β)@x1(σ,E,D),R) .gox.enable(r)yqρ)qρ 0Operational Semantics - Example
@ aα bβ@l cρ b β @ dγ l (changeaα(y1(β)@x1(σ,E,D),R).gol.enable(r)bβqρ)qρ 0Operational Semantics - Example
@ aα bβ@l cρ b β @ dγ l (changeaα(y1(β)@x1(σ,E,D),R).gol.enable(r)βbqρ)qρ0Operational Semantics - Example
@ aα R cρ b β @ dγ l (gol.enable(r)bβqρ)qρ 0Operational Semantics - Example
@ aα R cρ b β @ dγ l (gol.enable(r)bβqρ)qρ 0Operational Semantics - Example
@ aα R cρ b β @ dγ l enable(r)bβqρOperational Semantics - Example
@ aα R cρ b β @ dγ l enable(r)bβqρOperational Semantics - Example
@ aα R cρ b β @ dγ∪{r} lOutline
1 Motivation Related Work
Access control -rXdπ-calculus
2 rXdπ-calculus Syntax Semantics 3 Types Types Safety
Type System
Main goals
• to control communication of values
• to control migration and activation of processes
• to control access to data and their modification Location Policy
(σ,E,D)
• σ: set of minimal roles which can access data
• E: policy for role enabling
Type System
Main goals
• to control communication of values
• to control migration and activation of processes
• to control access to data and their modification
Location Policy
(σ,E,D)
• σ: set of minimal roles which can access data
• E: policy for role enabling
Type System - Example
Type System - Example
stvstivasvprofvdeanwhere i∈I.
FACULTY: (σF,EF,DF)
σF={sti} EF= ({prof},as) DC= ({dean},sti) FACULTY
Type System - Example
stvstivasvprofvdeanwhere i∈I.
FACULTY: (σF,EF,DF) σF={sti} EF= ({prof},as) DC= ({dean},sti) service{sti} records{pr} booklet{sti} mark mark FACULTY
Type System - Example
stvstivasvprofvdeanwhere i∈I.
FACULTY: (σF,EF,DF) σF={sti} EF= ({prof},as) DC= ({dean},sti) service{sti} records{pr} booklet{sti} mark mark FACULTY enable(as)serviceprqpr
Type System - Example
stvstivasvprofvdeanwhere i∈I.
FACULTY: (σF,EF,DF) σF={sti} EF= ({prof},as) DC= ({dean},sti) service{sti} records{pr} booklet{sti} mark mark FACULTY
Type System - Example
stvstivasvprofvdeanwhere i∈I.
FACULTY: (σF,EF,DF) σF={sti} EF= ({prof},as) DC= ({dean},sti) service{sti} records{pr} booklet{sti} mark mark FACULTY enable(sti)serviceprqpr
Safety properties
• (Subject reduction) If`N:Net andN→N0, then `N0:Net.
• Properties of location policies and communication:
P0 All trees and processes in a location agree with the location policy;
P1 A process with roles can communicate only values with characteristic roles accessible to the process.
• Properties of migration between locations:
P2 A process with roles can migrate to another location only if it is well typed for that location.
• Properties of access of processes to local data trees:
P3 A process with roles looks for a path in the local tree only if the path is accessible to the process.
Safety properties
• Properties of manipulation of local data trees by processes:
P4 A script is activated in a location only if the corresponding process with roles can stay in that location;
P5 A process with roles generated by a read command in a location can stay in that location;
P6 A process with roles can erase a subtree of data only if it can access all data;
P7 A tree built by a change command in a location can stay in that location;
P8 A process with roles can add a role to an edge in the local tree only if this is allowed by the location policy;
P9 A tree built by an enable command in a location can stay in that location;
P10 A process with roles can erase a role from an edge in the local tree only if this is allowed by the location policy;
RDP 2011
Announcement
May 29 to June 3, 2011 Novi Sad, Serbia
