Obligation Policies Heimdall: An Enforcement Platform

1
Obligation PoliciesHeimdall An Enforcement
Platform

• Pedro Gama and Paulo Ferreira
• pedro.gama, paulo.ferreira_at_gsd.inesc-id.pt

2
Introduction

• Policy-based mechanisms reduce complexity and
  development errors
• History-based policies are evaluated based on
  past actions
• Chinese-Wall security policy
• Obligation-based policies include actions to be
  executed in the future

3
Motivating Examples

• Sometimes, actions in the obligation can be
  exchanged into a traditional authorization rule
• Obligation
• After buying a book one must pay for the book

Authorization To take a book, the book must have
been payed
4
Motivating Examples

• QoS Agreement
• Obligation to assure 5 hours of exclusive CPU
  usage against the payment of 100
• Tax declaration
• Obligation to forward the tax declaration to
  employer after submission to the IRS Dep.

5
Motivating Examples

• In these examples...
• QoS Agreement
• CPU Usage depends on previous payment
• Tax declaration
• Submission must occur prior to forwarding

6
Motivating Examples

• QoS Agreement
• Obligation to assure 5 hours of exclusive CPU
  usage against the payment of 100
• Otherwise return the money in double and
  blacklist the CPU provider.
• Tax declaration
• Obligation to forward the tax declaration to
  employer after submission to the IRS Dep.
• Otherwise cancel the submission and request any
  already executed tax reimbursements

7
Drawbacks of current approaches

• Most work focus on the definition of the
  Obligation Model
• ? Heimdall is a real enforcement platform
• Some engines use simple ECA (Event-Condition-Actio
  n rules)
• ? Heimdall provides a powerful obligation
  semantics based in conditions, timeouts and
  compensatory actions.

8
Drawbacks of currentapproaches

• Others are restricted to specific aspects of
  obligation enforcement, such as Resource
  Provisioning
• ? Heimdall supports generic obligations and a
  rich policy language

9
Our Goals

• Allow several policy semantics
• History-Based, Obligation, RBAC,
• Clearly separate
• Policy specification and enforcement
• Application development
• Allow easy integration with existing systems

10
Our approach

• We assume executed actions can be counterbalanced
  in the future
• It is not sufficient to group actions atomically
• Physical actions cannot be canceled
• The cancellation of trigger actions is not
  usually sufficiently penalizing

11
Architecture
Receives events (e.g. using the HTTP protocol)
and forms normalized xSPL events
Intercepts applicational actions and generates
events
NOT restricted to a particular application
(e.g. JVM, CLR)
12
Architecture
1. Receives normalized events 2. Stores pending
obligations 3. Manages triggering and
fulfilment 4. Activates compensatory actions
(e.g. JVM, CLR)
13
Architecture
Verifies triggering and fulfilment of obligations
(e.g. JVM, CLR)
14
Relevance Engine

• Evaluates a Policy against the current event and
  the content of History Log
• Positive if the trigger and obliged expressions
  are true
• Negative if only the trigger expression is true
• Not Apply if the trigger is false

? Door EXIST fe IN FutureEvents
ce.action Open Door fe.action
Close Door
15
Relevance Engine

• But the History Log does not
• contain events in the Future!!!

16
Relevance Engine

• Obligation Policies are aged in order to allow
  monitoring of future events.
• Policies are partitioned into 2 independent
  policies that analyse triggering and fulfilment.

17
Relevance Engine
? Door EXIST fe IN FutureEvents
ce.action Open Door fe.action
Close Door
Aging
? DoorTrigger ce.action Open Door true
Triggering
? DoorFulfill ce.action Close Door true
Fulfilment (fe.action ? ce.action)
18
Architecture
Controls obligation timeouts
Executes Compensatory actions (HTTP callbacks)
Stores and searches events (one Log per Policy)
(e.g. JVM, CLR)
19
Example
Activated Clock Timers
Clock Timer A cancelled
Clock Timer B expired
Event Bridge
Obligation A
Oblig. Enforcer
Relev. Engine
Obligation B
Timekeeper
Executor
Event X
Event Y
A and B triggered
A fulfilled
B not fulfilled
20
Implementation

• Implemented in Java (jre 1.4.2)
• Relevance Engine adapts and extends SPL Reasoning
  Engine developed by Ribeiro Ribeiro01
• History Logs are a set of Dynamically Generated
  Event Repositories
• Ribeiro01 C. N. Ribeiro, A. Zúquete, P.
  Ferreira, and P. Guedes. SPL An access control
  language for security policies with complex
  constraints. In Proceedings of the Network and
  Distributed System Security Symposium, San Diego,
  California, Feb 2001.

21
Evaluation

• Strict Obligation Policies
• Include the current event (ce) and future
  events (fe)
• ? StrictTestScenario
• EXIST fe IN FutureEvents
• ce.action An
• fe.action Bn

All scenarios were tested in a Pentium 4, 2.8GHz,
512MB PC, running Microsoft Windows XP
Professional SP2.
22
Evaluation (Strict Obligations)
Simulation engine generated events in the
following form A0, A1, A2, ... An, B0, B1, B2,
...Bn, A0, A1, ... Average Number of Obligation
Instances Number of Deployed Policies / 2
23
Evaluation (Strict Obligations)
Simulation engine generated events in the
following form A0, A1, A2, ... An, A0, A1, A2,
... An, A0, A1, ... Number of Obligation
Instances Number of Generated Events
24
Evaluation

• History-Based Obligation Policies
• Include the current event (ce), past events
  (pe) and future events (fe)
• ? HistoryTestScenario
• EXIST pe IN PastEvents
• EXIST fe IN FutureEvents
• ce.action.name An
• pe.action.name Bn fe.action.name
  Cn

All scenarios were tested in a Pentium 4, 2.8GHz,
512MB PC, running Microsoft Windows XP
Professional SP2.
25
Evaluation (History Obligations)
Simulation engine generated events in the
following form A0, A1, A2, ... An, A0, A1, A2,
... An, A0, A1, ... Number of Obligation
Instances Number of Generated Events
26
Conclusions

• Traditional Authorization mechanisms cannot
  monitor obligation policies.
• Heimdall
• Allows the specification and enforcement of
  obligations
• Separates policy specification and administration
  from application development
• Performance penalizations are negligible

27
Questions
???