Authorization Policies - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Authorization Policies
  • Vicky Weissman
  • vickyw_at_cs.cornell.edu

2
What is a policy?
  • A policy says that under certain conditions an
    action is permitted or it is forbidden.
  • Examples
  • If you pay 99 cents, then you may download a
    song.
  • If you do not have a student's written consent,
    then you may not access her transcript.

5
The big picture
  • We want to
  • write policies that govern access to digital
    content, and
  • have those policies enforced.
  • Examples
  • We want to restrict access to student, medical,
    and financial records.
  • We want online music and movie stores to be able
    to get money for their services.

6
The Classic Solution
  • Write licenses and laws to regulate access to
    content.
  • Rely on consumer ethics and courts for
    enforcement.

7
Pros/cons
  • Pros
  • If licenses/laws are written in a natural
    language (e.g., English), you can capture all
    policies of practical interest.
  • Cons
  • How do you detect violations?
  • Do you really want to sue your customers?
  • RIAA says yes, most businesses say no.

8
A better idea?
  • Write the policies in such a way that they can be
    enforced by computers (ACLs, passwords, ...).
  • Now, you have to sue only people who circumvent
    the technology, or you can choose to tolerate the
    relatively few violations.

9
Problem: Expressivity
  • If a language is restricted enough to allow
    enforcement by computers, then it might not be
    sufficiently expressive.

10
Expressivity
  • Argument 1: Enforceable policy languages can't be
    expressive enough, because they can't capture
    fuzzy concepts like "fair use".
  • Response 1: Enforceable policies can approximate
    fuzzy rights.
  • E.g., NetLibrary allows each user to copy a
    certain number of pages from an online text.
  • Petitioning for greater use / suing for violations
    could be a fallback plan.

11
Expressivity 2
  • Argument 2: An enforceable language can never
    capture all the policies that can be written in a
    natural language (English).
  • Response 2: True. But what do we really need to
    say?
  • If a policy language can capture licenses/laws
    that exist today (regulating digital content),
    then maybe it's good enough.

12
Goal
  • To have an enforceable policy language that is
    sufficiently expressive to capture a wide range
    of the licenses/laws that exist today.

13
Meeting the goal
  • A number of people claim to have developed
    expressive enforceable policy languages.
  • 2 popular choices are XrML (endorsed by
    Microsoft, ...) and XaCML (endorsed by Sun, ...).
  • Do either of these languages meet the goal?

14
Evaluating XrML and XaCML
  • Big idea
  • Collect a bunch of licenses/laws.
  • Try to write them in XrML and XaCML.
  • First step to presenting the results
  • Give an overview of each language.
  • Approach: present a basic policy language, called
    MinLang, then explain how to change MinLang to
    get the others.

15
Syntax
  • Principals
  • Agents (e.g., Alice, Bob)
  • Resources
  • Digital content (e.g., a movie, an article)
  • Actions
  • what principals can do (e.g., play, edit)
  • Properties
  • attributes of a principal, resource, or action
    (e.g., trusted, high-res, dangerous).

16
Syntax (cont.)
  • Policy
  • ∀x1 … ∀xn (Condition ∧ … ∧ Condition ⇒ Perm(p, a,
    r))
  • Perm(p, a, r) means p is permitted to do action a
    to resource r.
  • A policy is closed (no free variables).
  • Condition ::= Pr(e) | true
  • Pr(e) means entity e (principal, resource, or
    right) has property Pr.

21
Examples
  • Can write
  • "Alice is permitted to read file f" as

  • true ⇒ Perm(Alice, read, f) and
  • "Anyone who pays 99 cents may download a song" as

  • ∀x1 ∀x2 (Paid99Cents(x1) ∧ Song(x2) ⇒ Perm(x1,
    download, x2)).

24
Permissions
  • Given a set of policies, when does a permission
    hold?
  • Example
  • Given the policy "anyone who pays 99 cents may
    download a song", can we determine whether Alice
    may download the theme song to Sesame Street?
  • No. To answer the question, we need to know if
    Alice has paid 99 cents.

25
Permissions (cont)
  • Assume an environment E that tells us basic facts
    about the world.
  • E = Pr1(e1) ∧ … ∧ Prn(en)
  • Assume p1, …, pm is the set of policies.
  • A principal p is permitted to do an action a to a
    resource r iff
  • E ∧ p1 ∧ … ∧ pm ⇒ Perm(p, a, r)
  • is valid.

26
Example
  • Suppose that Alice has paid 99 cents, the theme
    song to Sesame Street is a song, and anyone who
    pays 99 cents may download a song.
  • May Alice download the theme song?
  • Let
  • E = Paid99Cents(Alice) ∧ Song(Sesame Street)
  • P = ∀x1 ∀x2 (Paid99Cents(x1) ∧ Song(x2) ⇒
    Perm(x1, download, x2)).
  • E ∧ P ⇒ Perm(Alice, download, Sesame Street) is
    valid, so Alice has permission.
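The validity check on the two slides above can be carried out mechanically. The following is an added example, not code from the talk; the tuple representation of facts, policies and queries is this example's own assumption, and the data at the bottom is constructed to mirror the Sesame Street story:

```python
from itertools import product

# Added example: a small checker for MinLang-style policies, not code from the
# talk. Representation (an assumption of this example, not the talk's syntax):
#   environment E : set of facts (property, entity)     e.g. ("Song", "SesameStreet")
#   policy        : (variables, conditions, (principal, action, resource))
#                   where each condition is (property, term) and a term is a
#                   variable name or a constant; an empty condition list plays
#                   the role of the talk's "true".
#   query         : a ground (principal, action, resource) triple, i.e. Perm(p, a, r)


def universe(env, policies, query):
    """All constants named anywhere; quantified variables range over these."""
    names = {entity for _, entity in env}
    names.update({query[0], query[2]})
    for variables, conditions, (p, _, r) in policies:
        names.update(term for _, term in conditions if term not in variables)
        names.update(term for term in (p, r) if term not in variables)
    return sorted(names)


def permitted(env, policies, query):
    """Decide whether E ∧ p1 ∧ ... ∧ pm ⇒ Perm(p, a, r) is valid.

    E is a conjunction of positive facts and every policy is a universally
    quantified implication whose conditions are facts, so the implication is
    valid exactly when some instance of some policy has all its conditions
    in E and concludes the queried permission (conditions never mention
    Perm, so there is no chaining between policies).
    """
    facts = set(env)
    domain = universe(env, policies, query)
    for variables, conditions, (p, a, r) in policies:
        for values in product(domain, repeat=len(variables)):
            binding = dict(zip(variables, values))
            instance = (binding.get(p, p), a, binding.get(r, r))
            if instance != query:
                continue
            if all((prop, binding.get(term, term)) in facts
                   for prop, term in conditions):
                return True
    return False


# Constructed data mirroring the slides' example.
PAY_POLICY = (["x1", "x2"],
              [("Paid99Cents", "x1"), ("Song", "x2")],
              ("x1", "download", "x2"))
ALICE_READS_F = ([], [], ("Alice", "read", "f"))   # true ⇒ Perm(Alice, read, f)
ENV = {("Paid99Cents", "Alice"), ("Song", "SesameStreet")}


def sesame_street_decision():
    """The check above: E ∧ P ⇒ Perm(Alice, download, SesameStreet)."""
    return permitted(ENV, [PAY_POLICY], ("Alice", "download", "SesameStreet"))


if __name__ == "__main__":
    print("Alice may download:", sesame_street_decision())
    print("Bob may download:",
          permitted(ENV, [PAY_POLICY], ("Bob", "download", "SesameStreet")))
    print("Alice may read f:",
          permitted(set(), [ALICE_READS_F], ("Alice", "read", "f")))
```

With an empty environment the same query comes back False: that is the situation on the "Permissions" slide, where the policy alone does not settle whether Alice has paid.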

30
That's all, folks
  • for the basic language.
  • How is XrML different?
  • XrML is an XML-based language, so the syntax is
    more verbose/unwieldy, but plays better with
    other data.
  • There are fundamental differences too.

31
Who's the policymaker?
  • MinLang assumes we're given a set of policies
    from some trusted source.
  • XrML assumes anyone can write a policy.
  • E.g. Alice can write the policy "Alice may eat a
    gazillion cookies."
  • But the policy holds iff it was written by the
    system or by someone who was permitted to write
    it.

32
Example
  • The System says "Mom may write any policy."
  • This policy holds.
  • Mom says "The babysitter may write any policy
    governing Alice's eating."
  • This policy holds.
  • The babysitter says "Alice may eat apples."
  • This policy holds.
  • Alice says "Alice may eat cookies."
  • This policy does not hold.

33
Why is this useful?
  • Suppose we're given a set of policies, each
    tagged by the identity of its author,
  • the System's only policy is "Carl Lagoze may write
    any policy",
  • and it follows that Alice is permitted to turn in
    her assignment late.
  • Then we can conclude that Carl allows Alice to
    turn in her assignment late.

34
But wait, there's more
  • In XrML, a policy can grant a permission based on
    which permissions have been granted by other
    principals.
  • E.g. In XrML, Alice's Mom could write "if Carl
    allows Alice to turn in her assignment late, then
    Alice is permitted to take an afternoon nap."
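The "who wrote it" rule on the last four slides, the "Carl allows" test, and a permission that depends on another principal's grant can all be checked with one small program. This is an added example, not XrML syntax or code from the talk; Perm, WriteRight, Policy, in_scope, holds, allows, the scope matching rule and the constructed policy set are this example's own assumptions, and it abbreviates Carl Lagoze to "Carl":

```python
from dataclasses import dataclass

# Added example: a toy model of XrML's "a policy holds iff the System wrote it
# or someone permitted to write it did", plus grants that depend on what
# another principal allows. Not XrML; the representation is an assumption.


@dataclass(frozen=True)
class Perm:
    """Perm(principal, action, resource), as in MinLang."""
    principal: str
    action: str
    resource: str


@dataclass(frozen=True)
class WriteRight:
    """'principal may write any policy whose permission matches scope'.
    scope is a frozenset of (field, value) pairs; the empty scope means
    'any policy', including further delegations."""
    principal: str
    scope: frozenset


@dataclass(frozen=True)
class Policy:
    author: str
    grant: object          # a Perm or a WriteRight
    needs: tuple = ()      # (granter, Perm) pairs: "if Carl allows ..." conditions


def in_scope(scope, grant):
    # Assumption of this example: a delegation is covered only by an 'any' scope.
    if isinstance(grant, WriteRight):
        return not scope
    return all(getattr(grant, field) == value for field, value in scope)


def holds(policy, policies, seen=frozenset()):
    """A policy holds iff the System wrote it, or a holding policy permits
    its author to write it; any 'needs' conditions must hold as well."""
    if policy in seen:                      # circular delegation: does not hold
        return False
    seen = seen | {policy}
    if not all(allows(g, p, policies, seen) for g, p in policy.needs):
        return False
    if policy.author == "System":
        return True
    return any(isinstance(q.grant, WriteRight)
               and q.grant.principal == policy.author
               and in_scope(q.grant.scope, policy.grant)
               and holds(q, policies, seen)
               for q in policies)


def permitted(perm, policies, seen=frozenset()):
    return any(p.grant == perm and holds(p, policies, seen) for p in policies)


def allows(granter, perm, policies, seen=frozenset()):
    """The 'Why is this useful?' test: keep only the single System policy
    'granter may write any policy' and ask whether perm still follows."""
    root = Policy("System", WriteRight(granter, frozenset()))
    trimmed = [p for p in policies if p.author != "System"] + [root]
    return permitted(perm, trimmed, seen)


ANY = frozenset()
ALICE_EATING = frozenset({("principal", "Alice"), ("action", "eat")})
LATE = Perm("Alice", "turn_in_late", "assignment")
NAP = Perm("Alice", "take", "afternoon_nap")

# Constructed policy set covering both stories from the slides.
POLICIES = [
    Policy("System", WriteRight("Mom", ANY)),
    Policy("Mom", WriteRight("Babysitter", ALICE_EATING)),
    Policy("Babysitter", Perm("Alice", "eat", "apples")),
    Policy("Alice", Perm("Alice", "eat", "cookies")),
    Policy("System", WriteRight("Carl", ANY)),
    Policy("Carl", LATE),
    Policy("Mom", NAP, needs=(("Carl", LATE),)),
]


def cookie_story():
    """(apples permitted?, cookies permitted?) -> (True, False)."""
    return (permitted(Perm("Alice", "eat", "apples"), POLICIES),
            permitted(Perm("Alice", "eat", "cookies"), POLICIES))


def nap_story(with_carl=True):
    """The nap follows only while Carl's policy is present."""
    ps = POLICIES if with_carl else [p for p in POLICIES if p.author != "Carl"]
    return permitted(NAP, ps)
```

The `seen` set is the one piece not on the slides: two principals who each claim to authorize the other would otherwise send `holds` into unbounded recursion, so such a cycle is treated as not holding.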

35
Is this capability important?
  • Yes.
  • Examples
  • Digital libraries often have the policy "if the
    government allows someone to access our usage
    records, then the access is permitted."
  • Similar recognition of state/federal authority
    appears elsewhere.

36
Another difference
  • In XrML, the action "adopting" can be done to a
    resource that is a role.
  • E.g. "Alice may adopt the role freshman."
  • Now, a policy can look more like an environment
    fact.
  • E.g. "anyone permitted to adopt the role
    freshman may adopt the role student"
  • (i.e., all freshmen are students).

37
Not quite enough
  • Real licenses include fairly complex environment
    facts.
  • E.g. "If you try to make a purchase from iTunes
    using a gift certificate and the purchase price
    is more than the balance on the certificate, then
    the difference is charged to your credit card."
  • XrML is a step in the right direction, but isn't
    enough to capture everything.

38
Another problem: Prohibitions
  • Real licenses forbid certain actions.
  • Example
  • MIT has course materials online.
  • According to their online license, users are
    forbidden to use the material for commercial
    purposes.
  • In XrML, we cannot write that an action is
    forbidden.

39
A partial solution
  • XrML assumes that an action is forbidden unless
    it's explicitly permitted.
  • This might be good enough, but we're not really
    capturing the policymaker's intent.
  • And we can't write policies that depend on a
    policymaker's indifference.
  • E.g., An instructor can't say "a student may
    audit my class if the university doesn't object."

40
A better solution
  • Add negation to XrML.
  • This can be done, although some care is needed to
    keep the language tractable (enforceable by
    computers).

41
Another problem: Obligations
  • Real licenses talk about the obligations of the
    consumer and the content provider.
  • E.g. Licenses often obligate the consumer to
    defend the provider from any legal action
    resulting from the consumer's use of the content.
  • Providers often say that they are obligated to
    replace faulty content or give the consumer a
    full refund.

42
Adding obligations to XrML
  • Adding obligations is fairly straightforward.
  • But some thought needs to go into determining the
    relationship between permissions and
    obligations.
  • E.g. Are all obligatory actions permitted?
  • Also, it's not clear how an obligation can be
    enforced.

43
Summary of XrML
  • Pros
  • Can capture policies that grant permissions
    depending on who has granted other permissions.
    (E.g. "if Carl allows Alice to turn in her
    homework late, then she may take a nap.")
  • Can capture some environment facts, such as "all
    freshmen are students".

44
Summary of XrML (cont.)
  • Cons
  • XrML cannot capture all of the environment facts
    that appear in licenses.
  • XrML cannot capture policies that forbid an
    action. (E.g. "Alice may not use the content for
    commercial purposes.")
  • XrML cannot capture obligations. (E.g. "if the
    content is buggy, the provider is obligated to
    give a refund.")

45
XaCML
  • XaCML can capture policies that forbid actions.
  • An answer to a query, such as "may Alice download
    the theme song to Sesame Street?", can be
  • yes, the action is permitted,
  • no, the action is forbidden,
  • indeterminate, the action isn't regulated,
  • yes, if she does some action
    (e.g., pay 99 cents).
  • This should be quite useful in practice!

46
XaCML (cont)
  • XaCML supports some use of disjunction (or) in
    policies.
  • This doesn't add expressive power, but can make
    languages more concise.
  • E.g., Consider the policy "If Alice is over 18 or
    has parental consent, then she may access file
    f."
  • In MinLang, this would be written as 2 policies.
    In XaCML, it's just one.

47
XaCML (cont)
  • XaCML allows the policymaker to define when a
    permission follows from a set of policies based
    on which policies permit/forbid the action.
  • A policymaker could say that an action is
    permitted if the permission follows from one of
    the government's policies or if none of the
    policies imply that the action is forbidden.
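The three XaCML slides above (the four kinds of answer, disjunction in a condition, and a policymaker-chosen way of combining policies) can be seen working together in one evaluator. This is an added example and not XACML or code from the talk: the rule dictionaries, `evaluate`, `decide`, the two combining functions and the constructed rule set and facts are this example's own assumptions (the name `deny_overrides` is borrowed from XACML's combining algorithm of that name, but the function here is a simplification):

```python
# Added example: a toy XACML-like evaluator, not XACML itself. It shows the
# four answers (permit, deny, not regulated, permit with an obligation),
# disjunctive conditions, and a policymaker-chosen combining rule. The rule
# format below is an assumption of this example.

PERMIT, DENY, NOT_APPLICABLE = "permit", "deny", "not-applicable"


def condition_holds(alternatives, request, facts):
    """Disjunction of conjunctions: [[(prop, field), ...], ...].
    [[]] is the always-true condition."""
    return any(all((prop, request[field]) in facts for prop, field in conj)
               for conj in alternatives)


def evaluate(rule, request, facts):
    """A rule yields its effect when its target and condition match the
    request, and NOT_APPLICABLE otherwise."""
    if any(request.get(k) != v for k, v in rule["target"].items()):
        return NOT_APPLICABLE
    if not condition_holds(rule.get("when", [[]]), request, facts):
        return NOT_APPLICABLE
    return rule["effect"]


def deny_overrides(results):
    """Any applicable deny wins, then any permit, else the action is unregulated."""
    effects = [e for _, e in results]
    if DENY in effects:
        return DENY
    if PERMIT in effects:
        return PERMIT
    return NOT_APPLICABLE


def government_or_no_deny(results):
    """The slide's policymaker-defined rule: permitted if a Government
    policy permits the action, or if no policy at all forbids it."""
    if any(e == PERMIT and r["issuer"] == "Government" for r, e in results):
        return PERMIT
    if any(e == DENY for _, e in results):
        return DENY
    return PERMIT


def decide(rules, request, facts, combine=deny_overrides):
    """Return (decision, obligations). Obligations are the 'yes, if she
    pays 99 cents' part and are attached only to a final permit."""
    results = [(r, evaluate(r, request, facts)) for r in rules]
    decision = combine(results)
    obligations = tuple(o for r, e in results
                        if decision == PERMIT and e == PERMIT
                        for o in r.get("obligations", ()))
    return decision, obligations


# Constructed rule set drawn from the talk's examples.
RULES = [
    {"issuer": "Store", "effect": PERMIT, "target": {"action": "download"},
     "when": [[("Song", "resource")]], "obligations": ("pay 99 cents",)},
    {"issuer": "MIT", "effect": DENY,
     "target": {"resource": "ocw-materials", "action": "commercial-use"}},
    {"issuer": "Parent", "effect": PERMIT,
     "target": {"principal": "Alice", "action": "access", "resource": "f"},
     "when": [[("Over18", "principal")], [("ParentalConsent", "principal")]]},
    {"issuer": "Government", "effect": PERMIT,
     "target": {"action": "read", "resource": "usage-records"}},
    {"issuer": "Library", "effect": DENY,
     "target": {"action": "read", "resource": "usage-records"}},
]
FACTS = {("Song", "SesameStreet"), ("ParentalConsent", "Alice")}


def req(principal, action, resource):
    return {"principal": principal, "action": action, "resource": resource}


if __name__ == "__main__":
    print(decide(RULES, req("Alice", "download", "SesameStreet"), FACTS))
    print(decide(RULES, req("Bob", "commercial-use", "ocw-materials"), FACTS))
    print(decide(RULES, req("Alice", "access", "f"), set()))
    print(decide(RULES, req("Auditor", "read", "usage-records"), FACTS,
                 government_or_no_deny))
```

The usage-records request is the interesting one: under `deny_overrides` the Library's prohibition wins, while under `government_or_no_deny` the Government's permit wins, which is exactly the kind of choice the slide says XaCML leaves to the policymaker. Note that the literal reading of that slide makes an unregulated action permitted, so `NOT_APPLICABLE` only appears under `deny_overrides`.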

48
Problems
  • In XaCML, we cannot capture
  • policies that depend on what other principals
    permit/forbid ("if Carl allows Alice to turn in
    her homework late, then she may nap"),
  • environment facts (e.g., all freshmen are
    students), and
  • obligations.

49
Summary
  • Real licenses do not seem to require so much
    expressive power that it is impossible to create
    an appropriate policy language.
  • But XrML and XaCML are not sufficiently
    expressive to capture the licenses of digital
    content providers.
  • So there is work to be done.