Detecting Policy Interactions Formal Model Verification

1
Detecting Policy InteractionsFormal Model
Verification

• Waël Hassan,
• University Of Ottawa

2
Abstract

• The use of formal methods in Business and
  TechnologyPolicy formulation is an essential
  requirement for delivering error free industrial
  grade systems. The integration of policies from
  different levels of a hierarchy and from
  different domains with several requirements
  creates consistency problems, possibly including
  or leading to feature interactions. We propose
  using formal logic and theorem provers to extract
  inconsistencies and feature interactions. Our
  methodology can be applied to Business Processes
  and IT systems. For Business processes,
  possibilities include Online Auctions, CRM, PRM,
  and Banking Policies. For telecommunications
  Security, Access Control, Telephony.

3
Detecting Policy Inconsistencies

• Policies and Features
• Complexity and Interactions
• Logical Interpretation
• Using Theorem Prover (SPASS) to detect
  contradictions
• Examples and Applications

4
Policies and Features

• Policy A policy is a high-level overall plan
  that embraces the general goals and directives of
  an institution. 
• Specifies intent or requirements
• As an example, topics dealing with human
  resources, lending guidelines, regulations, and
  preferences.
• Procedure A procedure is documented controlled
  steps or activities that accomplish the goals and
  directives of a related policy. 
• A Feature Is a equivalent to a procedure and
  often associated with a telephony system.

5
Policy Domains
Role
Call Control Channel Control
Security
Presence
6
Kinds of Policies

• Security Policy
• Knowledge Security
• Access Control
• Transport Security (Traffic)
• Application Layer Security
• Personal Security and Privacy Policy
• Call Control and Policy
• Presence Policy
• Signaling Translation and Control
• Routing Specification and Control
• Call Policy

• Business
• Hierarchy structure
• Delegation and authority
• Auction
• Sellers conditions
• Delivery condition
• Role Policy
• Bidding policy

7
General Notes about Policies

• Define Behavior (Can be seen as a )
• specification paradigm or as an exception
  handling situation
• Communicate consensus
• Specify Ontology
• Establish a trust model
• Define Access Control

8
Detecting Policy Inconsistencies

• Policies and Features
• Complexity and Interactions
• Logical Interpretation
• Using Theorem Prover (SPASS) to detect
  contradictions
• Examples and Applications

9
Difficulty of Policy Management/Enforcement

• Types of Systems
• Static
• Same State Commands
• System is defined during design time
• Issues are resolved at the same time
• Manual/Automated Interaction can be used
• Dynamic Systems
• Different or changing State Commands
• Customizable Features
• Programmable Features

10
Types of Policies

• Static Policies
• Fixed through out the system that can be either
  static or dynamic
• Dynamic Policies
• Change depending on context
• Location Based or Role Based

11
Complexity Matrix
The number of Arrow heads? Complexity
12
Multi-Level Policy Definition

• Inheritance in Policies.
• yay Or Nay
• Multi-Layer
• Good, Scales However not realistic
• Too many changes and updates and exceptions to
  the rule.
• Especially after creating a few thousand
  Policies, things can get out of hand

13
Formal Model to Verify Contradictions

• Role
• Presence
• Security

With Respect to

• Control
• Membership

14
Detecting Policy Inconsistencies

• Policies and Features
• Complexity and Interactions
• Logical Interpretation
• Using Theorem Prover (SPASS) to detect
  contradictions
• Examples and Applications

15
How do we proof or verify Consistency of a System
Our Language

• Start with Problem
• definition

Translate into Logic
16
Which Logic do we use?
Deontic
Defeasible Logic
Temporal

• First order Predicate logic

17
Call Control Policies in Logic

• Call Forward on Busy
• _at_ x , CallAttempt(x, B) (Status (B, BUSY)) gt
  Call(x, D)

• Call Forward Location Based
• _at_ x , CallAttempt(x,B)
• (PresentAtLocation (B, MEETG_ROOM) ) gtCall(x,C)

PresentAtLocation(B,Meeting) Status(B,BUSY)
18
Detecting Policy Inconsistencies

• Policies and Features
• Complexity and Interactions
• Logical Interpretation
• Using Theorem Prover (SPASS) to detect
  contradictions
• Examples and Applications

19
How do we proof or verify Consistency of a System
Our Language
Translate into Logic

• Start with Problem
• definition

Proof Correctness Or consistency or Validity
according to spec.
Filter Inconsistencies
Use SPASS
20
SPASS Example
Disprove the contradiction

• begin_problem(Whassan1).
• list_of_descriptions.
• name(SimpleCall).
• author(Wael Hassan).
• status(unsatisfiable).
• description(Can not call two people at once).
• end_of_list.
• list_of_symbols.
• functions(A,0), (B,0),(C,0),(D,0),(Home,0).
• predicates(CallAttempt,2), (Ring,2).
• end_of_list.
• list_of_formulae(axioms).
• formula( forall( x,y, not(
• exists( z, and(
• Ring(x, y),
• Ring(x,z))))),1)
• end_of_list.

• list_of_formulae(conjectures).
• // Can we call two people at once
• formula( and (
• Ring(A,B),
• Ring(A,C)),2).
• formula( not( and (
• Ring(A,B),
• Ring(A,C))),3).

Requirement
Prove the Correct Rule
21
Inconsistency Checking

• Test Rule

A
NOT A
Verify
Correct Rule
Add to System of Validated Policies
22
Inconsistency Checking

• Test Rule

A
NOT A
Verify
Contradiction
Check Rule and Fix Error, Recheck
23
Detecting Policy Inconsistencies

• Policies and Features
• Complexity and Interactions
• Logical Interpretation
• Using Theorem Prover (SPASS) to detect
  contradictions
• Examples and Applications

24
Bank Policy Regarding Profile Access

• Counter Employees are only allowed to access
  Customer Acc, and Balance
• Counter Employees can deposit, checks, cash, and
  International Money Orders for Employees
• International Money orders need to be traced and
  linked to similar transactions
• Only Supervisors are allowed Full account access
  with history
• A person walks in with an international money
  order gives it to counter person, a feature
  interaction starts

25
Gateway Policy Contradiction

• Call C, through gateway G, gateway G by default
  modifies the initiating address to that of the
  company ID
• Policy of A
• IDCallAttempt ( A, C, ID) ? IDCallAttempt( A, G,
  ID) ? IDCallAttempt( G, C, ID)
• Policy of G
• _at_ x. IDCallAttempt(G,x,ID) gt IDCallAttempt(G,X,Com
  panyID)

• Policy of A

• Policy of G

Contradicts
26
N1
Call Policy
N2
Security Policy
Gateway
Call my Wife, Proof to Her it is Me
ID INFOEncrypt(606-2323)
Call Wife, IDINFO
Wife
Gateway translate originating local call to
606-7007
Husb.
Call from 606-7007 IDINFO
Verify IDINFO and Call Source
Decrypt(IDINFO) ?606-2323 ! 606-7007
Source ! Call Origin Call Deny
Call Denied Authentication Failed
27
Telephony (Call Control)

• Call Forward on Busy
• _at_ x , CallAttempt(x, B) (Status (B, BUSY)) gt
• Call(x, D)

• Call Forward Location Based
• _at_ x , CallAttempt(x,B)
• (PresentAtLocation (B, MEETG_ROOM) ) gtCall(x,C)

PresentAtLocation(B,Meeting) Status(B,BUSY)
The last rule will cause a contradiction
28
Merging of Business Policies
29
Summary

• Applications
• Telephony Systems
• Access Control
• Security
• Business Policies
• Contracts, negotiation, CRM, PRM.

30
Waël Hassanwael_at_acm.orghttp//www.site.uottawa.c
a/whassan
?
?
?
?
?
?

• Questions