CS343 Access Control in PRPL

1
CS343 Access Control in PRPL

• Greg Bayer, Debangsu Sengupta, Antone Vogt, Tom
  Wang

2
Problem Access Control

• New domain for which to provide Access Control
• Semantic Web rich, but unstructured
• Need for Fine-Grained sharing
• Incompatible data sources from multiple systems

3
Problem Usual solutions

• Expose complexity to user
• Ex Distributed file systems, ACLs
• Or, too coarse-grained
• Ex Share with everyone or friends (Facebook)
• Access control files on a specific system, not
  your data wherever it may be
• Static access control systems
• Does not scale new systems all the time

4
Our Solution Attribute-Based (ABAC)

• Leverage harvesters' knowledge of data context
• Support arbitrary, harvester-defined ontologies
• Infer Attributes from Semantic Web Information
• Provide access control for PRPL data based on
  these attributes
• fine-grained
• easy-to-use
• semantic rules automatically apply to new data

5
Demo
6
What we learned

• The context extracted by harvester (screen
  scraping, XML feeds) is sufficient for
  interesting access control tasks.
• Can leverage semantic web tools RDF/RDFS, OWL,
  SPARQL, etc.
• Intuitive UI representation is critical
• Must be flexible/extensible to express complex
  rules
• Good framework Prefuse
• Much work to be done to express complex access
  control policies intuitively
• Email recipient/attachments scenario

7
Future work

• Demonstrate more complex rules in the system and
  UI.
• Email recipients scenario.
• Blacklist rules / Conflicts between rules
• Prune attributes displayed in tree using machine
  learning methods.
• Time Frame 1-2 months
•  Automatic rules generations
• Sophisticated heuristics
• Time frame 3 months
• Publish content owners rules - alternative use
• Ex. Express sharing rules in PRPL UI, publish to
  facebook
• Pull from PRPL-compliant web service
• Time frame 1 month

8
Future work

• Scalability
• Expressivity / performance tradeoff. Different
  inference engines.
• Cache rules / relationships in database
• Time frame 2-3 months
• Authentication
• Study integration with OAuth, single sign-on
  services like Shibboleth.
• Time frame 2-3 months.
•  
• Usability studies.
• Do users like our solution? Focus groups.
• Time frame 1 month.
• Build system statistics module.
• E.g. number of steps taken by user to complete
  common rules assignment tasks.
• Time frame 1 month

9
PRPL Index Server with Access Control
10
Questions/comments/suggestions?
11
Backup slides
12
Surprises for the project

• Coarse grained sharing
• Not flexible enough for PRPL.
• Better Fine - grained mechanism.
• Traditional RBAC / ACL.
• Complexity exposed to user. Difficult to express
  simple tasks. Static hierarchical data not
  available in PRPL context.
• Better Attribute links from persons to resources
• Static / manually assigned attributes
• Works within organizations. Inappropriate for
  web-based open systems.
• Better Relations defined from attributes
  gathered/inferred from harvesting.
• Complexity shown to user e.g. ACL
• Better Hide complexity. Tradeoff between complex
  rules and ones that can be easily expressed.
• Allow users to verify.

13
Features

• Attribute-based
• Use common access control ontology that is
  customized by groups suggested for the user.
• Ontology for persons and resources. Can leverage
  existing work in the areas.
• Relationships and rules generation to augment
  access control ontology.
• Currently, heuristics based.
• Groups are represented as attributes for both
  persons and resources.
• Toolset Jena, Sparql, RDF/XML, RDFS, OWL
  ontology, reasoners.

14
Features ctd

• Easy to use minimize use effort / transparency
• Intuitive UI
• Use familiar patterns to establish links between
  Persons and objects.
• Translate content owner actions to rules.
• Currently support accept/deny rules.
• Extensible
• Underlying model based on standard GraphML.
• Can include complicated rules and expose
  attributes.
• Tree view to browse through persons and files
  hierarchies
• Search feature on both sides.

15

• Slides From First
• Presentation
• (in-class discussion)

16
Access Control in PRPL

• Basic idea
• Fine-grained data sharing
• In PRPL
• Index Server
• Perimeter security
• Index data is unencrypted.
• Data Server
• Encrypted data - pictures, sensitive documents. 
• Policy-based encryption

17
Access Control Fundamentals

• RBAC
• Commonly used in enterprise
• Role concept is central
• Principals (users) map to 1 or more roles.
• Permissions on objects (r/w/x) map to 1 or more
  roles.
• Attribute-based Access Control
• Roles are determined from attributes extracted
  from subjects and objects.

18
Attribute-Based Access Control

• Object attributes
• Types of objects Files, Folders, URI's
• Attribute Ski photos
• Subject/Principal attributes
• Examples of subjects Tom, Harry
• Attributes Friends, family, colleagues
• Harvest attributes from semantic web (social
  network information).

19
Concept

• Coalition Alliances and collaboration between
  individuals from multiple organizations. 
• Dynamic coalition Entities join or leave in an
  ad-hoc manner.

20
Access Control policy fundamentals

• Principals Users including owners and
  requesters.
• Objects Files, services etc.
• Policy definition
• Which principals have access to what resources
  and has the ability to do what activities.
• Dynamic access control Principal (subject)
  information must be derived from user attributes.

21
Attribute based approach

• Determine user and object attributes.
• Infer which user attributes are semantically
  relevant to object attributes.
• Identify mapping relationships that enable
  mapping between user attributes, job functions
  (attributes), and object attributes. 
• Prune the semantically relevant attributes.
• Identify which are unlikely to be held by those
  principals outside the role. 

22
Attributes User

• User attributes
• Manual - generally
• Certifiable or organizationally assigned
• User Attribute Base Set of all user attributes.
• Example 2. Tom, who works at LM company, has the
  following attribute set UAB(Tom)
  (hasDegreebachelors),(performsJobsoftware),
  (assignedToprojectBlue),(hasExpertiseInjava),
  (officeLocNVC1).

23
Attributes Object

• Object attributes
• Manual
• Manual tagging, file name, file description
• Automatic
• Inference based on content, keywords, owners,
  owner relationships etc.
• Object attribute base (OAB) Set of all object
  attributes.
• Example 3
• "Component 1 software" (C1) object attribute set
  (hasContentjava), (hasContentfinancial)(hasCon
  tentsoftware), (createdUnderProjectBlue).

24
Link user and object attributes

• Use concept hierarchy
• Example relationships used
• Subclass
• Synonyms.
• Superclass
• Compatible - common parent.
• .....
•                                               
                                              
  ......

25
Matching

• Semantic Match
• Between subject (user) attribute/value pair and
  object attribute/value pair if...
• Both
• The attributes are linked
• And
• The values and are synonymous or
• The object value is a subclass of the object
  value.

26
PRPL Access Control Module
27
Attribute Relationships

• Relationship expansion.
• Existing database / auto generated
• From User
• Examples
• Object "Wedding photos" -gt "Photos"
• Subject "CS343 friends" -gt"Stanford"
• .....
•                                               
                                                 
  .......

28
Smart Security

• Multiple levels of security
• Whitelist - Very secure.
• Blacklist - Open.
• Grey / Smart / adaptive security - Our focus
• Smart security consists of
• Automatic attribute-relationship generation
• Subject attributes
• Object attributes
• Automatic rule generation
• Rule Subjects with certain attributes can read
  objects with certain attributes

29
Subject Relationships, Our Approach

• Auto-attribute generation based on
• Existing information online, as in Tokyo paper
• FOAF, event attendee acquaintance
• Email conversations.
• User tuning
• Group "Stanford friends" and "UMass friends"
  into "University friends" attribute
• Harvesting Scenairo
• 4 of us have exchanged 25 mails, 10 attachments,
  calendar data, Facebook events.gt Harvester
  creates group for sharing data

30
Object Attributes

• File extensions help classify file types
• .doc, .jpg, .html
• Extract information from existing sites
• Example Tags of photos from Flickr
• Assumption Semantic webgt Metadata should be
  rich source of information

31
Automatic Rule Generation

• Infer rules based on past actions / history of
• owner, friends.
• Aggregate rules based on overall PRPL data.
• Hard-coded rules based on default rules database.
  
• Family ltgt "Family photos"
• Share info with participants
• Event info with event attendees
• Project info with project members

32
Easy-To-Use Goals

• Minimize user effort
• System transparency

33
Typical User Interface

• GUI allows users to manipulate directly or
  indirectly the internal access control
  mechanismgt Burden too heavy even for simple
  task
• Problem Internal access control mechanism too
  arcane and difficult
• In the paper ACL-based Access Control

34
Beyond IAM, What does easy-to-use really mean?

• Owner should see and understand what the
  principal -gt object mappings are.
• Transparent to owner
• Default "Smart" security should be "good enough"
  for most owners. (predictable)
• Can track success with how often users make
  changes.
•  
• .....

35
What does easy-to-use mean? ...ctd

• Specific fine-grained updates from owner should
  be easy(match the way the user thinks about the
  task of sharing)
• Smart security will periodically provide access
  control suggestions based on mining recent data
  in owner's social networks.
• Recent Gmail, Facebook activity.

36
Default view

• Medium level of specificity
• Files and people
• Security hints button
• System rules view

37
Security model

• Multiple levels of security
• Whitelist , blacklist, smart security
• Smart security provided at different times
• Initial configuration - when user first links up
  their accounts.
• Users verify the suggested model.
• User modifies and creates finer-grained lists
  (optional)
• Periodic updates
• Suggestions provided based on user's activity
• User accepts / rejects suggestion. System updates
  based on user input.

38
HCI/UI elements

• Most General
• Attribute view
• Connections between object attributes and subject
  attributes
• Example
• Work emails and attachments -gt shared with
  "Colleagues".
• Vacation pictures -gt Family.

39
HCI/UI elements continued...

• Most specific
• By source
• Filtering attributes
• Creating rules
• Examples
• Emails from gmail account1 -gt shared with theater
  group
• Emails from gmail account2 -gt shared with all
  family.
• Facebook photos tagged ski -gt shared with ski
  club friends.

40
UI Preview rules

• Preview all rules
• Manually created and auto-generated rules.
• Why
• Provide system visibility / transparency to user.
  
• Example Display link.
• Ski trip photos
• NOT shared with ALL
• Shared with Ski club friends, family
• Wedding photos
• Shared with ALL
• Not shared with ex. 

41
UI Preview object access

• Idea Given all the rules mapping, who can view a
  given object.
• Owner selects Objects - e.g. Ski trip photos -gt
  John
• System displays
• List of users that can view the photos
• Which rule(s) triggered this access.
• e.g. Photos -gt Friends.

42
UI Preview subject access

• Question Which pictures can grandma view?
• Owner selects a user in the network.
• System displays
• List of objects grandma has access to.
• Which rule(s) triggered this access.
• "Personal photos" -gt family
• Specific example if possible.

43
(No Transcript)
44
Implementation components

• Access control
• Attribute query
• Relationship expansion
• Ontology / synonyms
• Owner defined grouping
• Rule matching engine
• User Interface
• See slides before

45
Contribution - our 'twist' ltinsert group twist
picgt

• Prototype components
• Access control module
• User interface
• Basic heuristics for auto-generation
• Provide groundwork for further exploration
• Access control architecture
• Rule generation ideas
• UI based on our model

• Semantic attribute based Access Control 
• Prototypeindex server perimeter access control
• Easy-to-use
• visualization / interface
• Smart security
• Automatic rules generation on attributes