The Separation of Duty with Privilege Calculus ⋆

Authors: Chenggong Lv, Jun Wang, Lu Liu, and Weijia You
Beihang University, Beijing 100083, P.R. China
lcgong@gmail.com, king.wang@buaa.edu.cn, liulu@buaa.edu.cn, weijiawx@gmail.com

Abstract. This paper presents Privilege Calculus (PC) as a new approach to knowledge representation for Separation of Duty (SD) in the view of process and intends to improve the reconfigurability and traceability of SD. PC presumes that the structure of SD should be reduced to the structure of privilege and that the regulation of a system should then be analyzed with the help of the forms of privilege.

1 Introduction

The Separation of Duty (SD) is a security principle that is used to formulate multi-person control policies, which requires that two or more different people be responsible for completion of a task or a set of related tasks [1]. The Role-Based Access Control (RBAC) system is defined by a state machine model and characterized by the fact that a user's rights to access objects are defined by the user's membership in a "role" and by the roles' permissions to perform operations on those objects [2]. Hence, the role is a semantic referent of duty representation and the structure of roles is a division of rights in cross-organization systems. With the help of the assignment operation, the user-role assignment can be handled by one person while the permission-role assignment is handled by another [3]. Because the permission assignment on the role hierarchy is static, Sandhu [4] introduced the Role Activation Hierarchy (RAH). RAH extends the permission-usage hierarchy and makes role activation governed by an activation hierarchy. Sandhu argued that the administration of RBAC must itself be decentralized and managed by administrative roles.
Moreover, Ferraiolo [5] argued that static separation of duty enforces constraints on the assignment of users to roles, and dynamic separation of duty places constraints on roles that can be activated within or across a user's session. Although the delegation model [6] is helpful to resolve the temporal permission assignment problem by the delivery of duty in trust, the delegated permission has to crosscut two or more roles in RAH, and the definition needed to map between them is not easy. Also, for the constraints in RBAC, there is an inconsistency between the access control policy and the constraints that are specified to limit this policy. One transform limit may preclude, by a constraint, the change in another transform limit even though the rights that embody the conflict have not been assigned yet [7]. So extra mechanisms were integrated to detect [8] and resolve [9] the conflict. Jaeger has argued that since fail-safety is often a goal of secure systems, some form of conflict resolution may not be unreasonable, but the trade-off is not clear-cut [7].

The question is how to keep the change of condition predictable and how control persists after reconfiguration in a dynamic way; the essential challenge here is, we believe, still the representation of SD. Our approach is enlightened by the π-calculus, which makes process reconfigurable [10], and assumes that the duty is composed of the interaction commitments of processes, i.e. privileges (see section 3.3), and that the result of SD is a collection of interaction commitments, i.e. regulation (see section 2). The examples in section 5 show the flexibility and usefulness of our approach.

⋆ We are grateful for the support of the National Natural Science Foundation of China (NSFC, Project No. 70401001).

2 Regulation

There are two synchronized complementary actions in an interaction [10].
The guarded action is an action with one preceding action that has not been reduced. We have two processors that execute these actions respectively. These actions represent the semantics of this interaction of the two processors.

A component is featured with the composition of distinct functions and consists of corresponding processors. One function features one processor in design, and one processor runs one action in one process (runtime). The sequence of observed actions represents a process and reflects the implementation of the function intention. So the sequence of programmed actions represents an interaction commitment. Moreover, the intersection of the interaction commitments involved in an interaction is not empty.

Although a component is neutral, a system works in a conservative way. The framework of a system is a guarding processor and guards each interaction of two managed components. The guarding interaction of the framework precedes the guarded interaction of the component. Regulation of a system is a collection of interaction commitments, including the interaction commitments of the framework and of the components. For systems based on privilege calculus, the result of separation of duty is regulation, i.e. a collection of privileges.

3 Structure of Privilege

In this section, we give the structure of privilege with the help of the notions employment and condition. The notion of employment is the refined structure of function intention.

3.1 Employment

Definition 1. The function-entity employment $f/e$ means that function $f$ is employed on entity $e$.

Proposition 1. For employments $f_1/e_1$ and $f_2/e_2$,
$$f_1/e_1 + f_2/e_2 = \emptyset \iff f_1/e_1 = \emptyset \land f_2/e_2 = \emptyset.$$

Then we introduce the left employment mergence of function-entity.

Proposition 2. For employments $f_1/e_1 \neq \emptyset$ and $f_2/e_2 \neq \emptyset$,
$$(f_1/e_1) * (f_2/e_2) = \begin{cases} f/e, & \text{if } f = f_1 = f_2 \neq \emptyset \text{ and } e = e_1 = e_2 \neq \emptyset; \\ \emptyset, & \text{otherwise.} \end{cases}$$

Definition 2. $F$ is a collection of functions, and $E$ is a collection of entities. The employment $F/E$ is the set $\{\, f/e \mid f \in F,\ e \in E \,\}$.

Let $F$, $F_1$, and $F_2$ each be a collection of functions, and let $E$, $E_1$, and $E_2$ each be a collection of entities. We have $f_1 \in F_1$, $f_2 \in F_2$, $e_1 \in E_1$, and $e_2 \in E_2$. The mergence of employments is
$$F_1/E_1 * F_2/E_2 = \{\, f_1/e_1 * f_2/e_2 \neq \emptyset \,\}. \qquad (1)$$
The composition of employments is
$$F_1/E_1 + F_2/E_2 = \{\, f_1/e_1 \neq \emptyset \lor f_2/e_2 \neq \emptyset \,\}. \qquad (2)$$
For the convenience of computation, we set $F/\emptyset = \emptyset$, $\emptyset/E = \emptyset$ and $\emptyset/\emptyset = \emptyset$. If no confusion arises, the expressions $f/e$, $\{f\}/e$ and $f/\{e\}$ are the same as $\{f\}/\{e\}$. With Definition 2 and equations 1 and 2, we prove that employments are associative, commutative and distributive.

3.2 Condition

Regulation is different from process, which we have discussed in section 2. The condition acts as the connection with the state of the "process world". In this subsection, we propose the definition of condition.

Definition 3. The fact set $T$ is a collection of subsets of the statement collection $S$. The fact set $T$ on $S$ has the following properties:
1. $\emptyset$ and $S$ are in $T$.
2. The union of the elements of any sub-collection of $T$ is in $T$.
3. The intersection of the elements of any finite sub-collection of $T$ is in $T$.

Definition 4. For fact set $T$ on $S$, a condition $r$ is a function $r : T \to \{1, 0\}$ with the property: $\forall x_1, x_2 \in T$ with $x_1 \cap x_2 = \emptyset$, $r(x_1 \cup x_2) = r(x_1) \lor r(x_2)$. Here $\{1, 0\}$ is the truth value. If the fact $x \in T$, we say that the condition $r$ is supported on the fact $x$, or that the fact $x$ supports the condition $r$.

Proposition 3. For fact set $T$ on $S$, $\forall x_1, x_2 \in T$ with $x_1 \subset x_2$, $r(x_1) \to r(x_2)$.

Definition 5.
For fact set $T$ on $S$ and condition $r$, if $r(x)$ is true, the fact $x \in T$ is evidence to $r$.

Definition 6. For fact set $T$ on $S$, if there exists $x^* \in T$ such that $x^*$ is evidence to the condition $r$, and there is no $x \subset x^*$ such that $x$ is evidence to $r$, then $x^*$ is the minimum evidence to $r$.

3.3 Privilege

Definition 7. For a collection of functions $F$, a collection of entities $E$ and a collection of conditions $R$, the privilege is $(F/E, R)$. For convenience, we define $(\emptyset, r) = \emptyset$.

Definition 8. The privilege space $P$ is a collection of subsets of $P$ with the following properties:
1. (Privilege Mergence) For all privileges $u, v \in P$, $u = (f_1/E_1, R_1)$ and $v = (f_2/E_2, R_2)$, $u * v = \{ (f_1 * f_2 / (E_1 \cap E_2),\ R_1 \cap R_2) \}$;
2. (Privilege Composition) For all privileges $u, v \in P$, $u = (f_1/E_1, R_1)$ and $v = (f_2/E_2, R_2)$, $u + v = \{ (f_1/E_1, R_1) \cup (f_2/E_2, R_2) \}$;
3. For all privileges $u, v \in P$, $u * v = v * u$;
4. For all privileges $u, v \in P$, $u + v = v + u$;
5. For all privileges $u, v, w \in P$, $(u * v) * w = v * (u * w)$;
6. For all privileges $u, v, w \in P$, $(u + v) + w = v + (u + w)$;
7. For all privileges $u, v, w \in P$, $u * (v + w) = u * v + u * w$.

4 Normal Form of Privilege

Definition 9. The employment arrangement $M$ is a finite collection of employments such that $\forall m, n \in M$, $m \neq n \land m * n = \emptyset$.

Definition 10. To employment arrangement $M$, the normal form of privilege $p$ is
$$\mathrm{nfm}_M(p) = \sum_i^{M} m_i = \sum_i^{M} (f_i/E_i,\ c_i),$$
where $f_i/E_i$ is an element of $M$ and $c_i$ is a condition.

Proposition 4. To employment arrangement $M$, every privilege is structurally equal to its normal form.

Definition 11. To employment arrangement $M$, two privileges are structurally equivalent if and only if they have the same normal form: $u =_M v \iff \mathrm{nfm}_M(u) = \mathrm{nfm}_M(v)$.
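As an added example (not part of the paper), Definitions 3 to 6 of section 3.2 made executable in Python. The statement collection S and the condition names are constructed for illustration. The additivity property of Definition 4 is checked explicitly: a condition that fires on any one of a set of statements satisfies it, while a condition that needs two statements together does not, which the checker reports. The minimum evidences of Definition 6 are found by filtering the evidences for those with no proper subset that is also evidence.

```python
from itertools import combinations

# Constructed statement collection S (Definition 3); the names are illustrative.
S = frozenset({"logged_in", "on_officepc", "doc1_is_techdoc"})


def power_set(statements):
    """Every subset of S. Taking all subsets as the fact set T satisfies
    Definition 3 trivially, which keeps the example small and checkable."""
    items = sorted(statements)
    return {frozenset(c) for k in range(len(items) + 1)
            for c in combinations(items, k)}


T = power_set(S)


def is_fact_set(facts, statements):
    """Definition 3: contains the empty set and S, closed under union and
    finite intersection. Pairwise closure suffices for a finite collection."""
    if frozenset() not in facts or frozenset(statements) not in facts:
        return False
    return all((a | b) in facts and (a & b) in facts for a in facts for b in facts)


def any_of(triggers):
    """A condition r: T -> {1, 0} that is true when the fact contains at least
    one of the trigger statements."""
    triggers = frozenset(triggers)
    return lambda x: 1 if x & triggers else 0


def all_of(required):
    """A condition that needs every required statement at once; included to
    show which conditions the property of Definition 4 rules out."""
    required = frozenset(required)
    return lambda x: 1 if required <= x else 0


def satisfies_def4(r, facts):
    """Definition 4: r(x1 | x2) == r(x1) or r(x2) for every disjoint pair."""
    return all(r(a | b) == (r(a) | r(b))
               for a in facts for b in facts if not (a & b))


def is_monotone(r, facts):
    """Proposition 3: x1 subset of x2 implies r(x1) -> r(x2)."""
    return all((not r(a)) or r(b) for a in facts for b in facts if a <= b)


def evidences(r, facts):
    """Definition 5: the facts on which r is true."""
    return {x for x in facts if r(x)}


def minimum_evidences(r, facts):
    """Definition 6: evidence with no proper subset that is also evidence."""
    ev = evidences(r, facts)
    return {x for x in ev if not any(y < x for y in ev)}


if __name__ == "__main__":
    r = any_of({"logged_in", "on_officepc"})
    print("T is a fact set:", is_fact_set(T, S))
    print("any_of satisfies Definition 4:", satisfies_def4(r, T))
    print("all_of satisfies Definition 4:",
          satisfies_def4(all_of({"logged_in", "on_officepc"}), T))
    print("minimum evidences:", [sorted(x) for x in minimum_evidences(r, T)])
```

The `all_of` condition is monotone (Proposition 3 holds for it) but fails the disjoint-union equation, so Proposition 3 is a consequence of Definition 4 and not a substitute for it; a checker that only tests monotonicity would accept conditions the definition excludes.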
When one condition has evidence, the privileges that involve the condition are pulsed. Corresponding to the normal form of privilege, there is the pulsed form.

Definition 12. To employment arrangement $M$, on the fact $t \in T$, the pulsed form of privilege $p$ is
$$\mathrm{pfm}_M(p, t) = \sum_i^{M} (f_i/E_i,\ c_i(t)),$$
where $f_i/E_i$ is an element of $M$ and $c_i$ is a condition.

We have a sequence of facts $Q = (t_0, t_1, \ldots, t_j, \ldots)$. We get the sequence of pulses of privilege $p$,
$$\mathrm{pfm}_M(p, Q) = (\mathrm{pfm}_M(p, t_0),\ \mathrm{pfm}_M(p, t_1),\ \ldots,\ \mathrm{pfm}_M(p, t_j),\ \ldots).$$
This sequence of pulsed forms describes the trace of the process with respect to privilege $p$. The trace matrix $(c_{i,j})$ of privilege $p$ is made from this sequence, where $c_{i,j} \in \{1, 0\}$:
$$\begin{array}{c|ccccc}
 & t_0 & t_1 & \cdots & t_j & \cdots \\ \hline
f_0/E_0 & c_{0,0} & c_{0,1} & \cdots & c_{0,j} & \cdots \\
f_1/E_1 & c_{1,0} & c_{1,1} & \cdots & c_{1,j} & \cdots \\
\vdots & \vdots & \vdots & & \vdots & \\
f_i/E_i & c_{i,0} & c_{i,1} & \cdots & c_{i,j} & \cdots \\
\vdots & \vdots & \vdots & & \vdots & \\
f_n/E_n & c_{n,0} & c_{n,1} & \cdots & c_{n,j} & \cdots
\end{array}$$

For example, we have two operations (privileges) $op_1$ and $op_2$, and three people (privileges) $u_1$, $u_2$ and $u_3$. We want to know what will happen at times (facts) $t_0$ and $t_1$. So we define a gauging privilege, $g = (u_1 + u_2 + u_3) * (op_1 + op_2)$, and the sequence of pulses is $(\mathrm{pfm}_M(g, t_0),\ \mathrm{pfm}_M(g, t_1))$.

Definition 13. To employment arrangement $M$, privileges $u$ and $v$ are congruent on fact $t \in T$, written $u \overset{t}{\sim} v$, if and only if $u$ and $v$ have the same pulsed form.

Definition 14. To employment arrangement $M$, on fact $t \in T$, privilege $p$ is compliant to privilege $q$, written $p \overset{t}{\sim}{}^{*} q$, if and only if $(p * q) \overset{t}{\sim} q$.

The congruence $\sim$ and the compliance $\overset{*}{\sim}$ are each a function $P \times P \times T \to \{1, 0\}$. So they can serve as a condition in a high-order privilege. For a compliance example, we have privileges $g$, $p$ and $q$ such that $g = [\,p \overset{*}{\sim} q\,]$.
We say that the privilege $g$ is a high-order privilege of $p$ and $q$.

5 Discussion

In general, the role-based models, such as the RBAC reference model [11, 5], ARBAC [12], and T-RBAC [13], have constructs, such as USERS, ROLES, OPS (operations), and OBJS (objects), and relations, such as UA (user-to-role assignment), PA (permission-to-role assignment), PRMS (set of permissions), and RH (role inheritance relation). These constructs can be defined with privileges, and these relations with privileges as well. These privileges are glued together by the privilege operations, such as privilege mergence and privilege composition. The following code is a demonstration written in PAL (Privilege Analysis Language), which is a reference implementation based on privilege calculus. With this demonstration we discuss cases of privilege representation.

    namespace "example" {
        let doc1 is TechDoc
        reader   := (read + list)/TechDoc
        manager  := (reader + write + remove)/TechDoc
        bob      := reader + write/TechDoc
        may      := manager
        phone    := read + list
        officepc := read + list + write + remove
    }

As shown by the above code, we have four operations, read, list, write, and remove; two roles, reader and manager; two users, bob and may; and two terminals, officepc and phone. The statement "let" declares that doc1 is a document in the category TechDoc. The role reader can read any document in TechDoc and list entries of those, and the role manager can write and remove any one in TechDoc; manager inherits all of reader's privileges, which are limited to TechDoc. User bob plays the role reader and user may has the role manager. The mobile phone, a terminal device, is limited to the accesses read and list. So far, we have defined these privileges: read, list, write, remove, reader, manager, bob, may, officepc, phone, doc1, and TechDoc.
When user bob has logged in to the system at his officepc, the system creates his session, $\mathit{session}_1 = \mathit{bob} * \mathit{officepc}$. In $\mathit{session}_1$, bob is able to read, list and write any one in TechDoc. Later bob uses his personal phone to navigate the system, and $\mathit{session}_2$ is created automatically, $\mathit{session}_2 = \mathit{bob} * \mathit{phone}$. The privileges of $\mathit{session}_2$ are different from those of $\mathit{session}_1$. We set an employment arrangement, $M = \mathit{read} + \mathit{list} + \mathit{write} + \mathit{remove}$. Thus,
$$\begin{aligned}
\mathit{session}_1 &=_M \mathit{bob} * \mathit{officepc} \\
 &=_M (\mathit{reader} + \mathit{write}/\mathit{TechDoc}) * (\mathit{read} + \mathit{list} + \mathit{write} + \mathit{remove}) \\
 &=_M \mathit{read}/\mathit{TechDoc} + \mathit{list}/\mathit{TechDoc} + \mathit{write}/\mathit{TechDoc}, \\
\mathit{session}_2 &=_M \mathit{bob} * \mathit{phone} \\
 &=_M ((\mathit{read} + \mathit{list})/\mathit{TechDoc} + \mathit{write}) * (\mathit{read} + \mathit{list}) \\
 &=_M \mathit{read}/\mathit{TechDoc} + \mathit{list}/\mathit{TechDoc}.
\end{aligned}$$
With the above computation, we know that $\mathit{session}_2$ lacks the employment "write" on TechDoc. It is interesting that the session in a system can be created as a privilege, and that constructs such as session, user, role, permission, group, location etc. could all be represented by privileges.

We continue the story. User bob wants to read the document doc1, which is a TechDoc. The guard readguard on the action read is
$$\mathit{readguard} = \mathit{read} * [\,\mathit{session}_1 \overset{*}{\sim} (\mathit{read}/\mathit{doc1})\,].$$
The readguard is the high-order privilege of $\mathit{session}_1$ and read/doc1. The pulse of readguard depends on $\mathit{session}_1$'s compliance to read/doc1. User may has logged in, and her session is $\mathit{session}_3$. She wants to write the document doc1. The regulation concerns not only may's privilege but also doc1's. So the privilege doc1 is redefined, $\mathit{doc1} = \mathit{readable} + \mathit{writable}$.
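The employment algebra of section 3.1, the normal form of section 4 and the session computation just shown, carried out in Python as an added example (this is not the paper's PAL implementation, and the paper defines no code of this kind). The representation is an assumption of the example: a privilege without conditions is a set of (function, entity) pairs, a category such as TechDoc is expanded to its member documents, and a bare operation such as `read` stands for read on every entity in the universe. A second document doc2 is constructed so that TechDoc is visibly a set. Compliance is evaluated without facts, so the guard's pulse reduces to the structural check of Definition 14.

```python
# Added example; the modelling choices below are assumptions, not the paper's.
UNIVERSE = frozenset({"doc1", "doc2"})        # all entities in the example
TECHDOC = frozenset({"doc1", "doc2"})         # `let doc1 is TechDoc`; doc2 is constructed
DOC1 = frozenset({"doc1"})


def emp(functions, entities=UNIVERSE):
    """F/E = {f/e | f in F, e in E} (Definition 2); no entity set means F/ALL."""
    return frozenset((f, e) for f in functions for e in entities)


def merge(u, v):
    """Mergence u * v (eq. 1): f/e survives only if both sides employ the same
    function on the same entity, so it is intersection on the pairs."""
    return u & v


def compose(u, v):
    """Composition u + v (eq. 2): every employment found in either side."""
    return u | v


def restrict(p, entities):
    """(p)/E as in the PAL line `manager := (reader + write + remove)/TechDoc`:
    keep only employments whose entity lies in E."""
    return frozenset((f, e) for f, e in p if e in entities)


def laws_hold(u, v, w):
    """Properties 3 to 7 of Definition 8 on three concrete privileges."""
    return (merge(u, v) == merge(v, u)
            and compose(u, v) == compose(v, u)
            and merge(merge(u, v), w) == merge(v, merge(u, w))
            and compose(compose(u, v), w) == compose(v, compose(u, w))
            and merge(u, compose(v, w)) == compose(merge(u, v), merge(u, w)))


def nfm(p, arrangement):
    """Normal form of p to the employment arrangement M (Definition 10): one
    term m_i * p per element of M, returned as {function: entities}. Empty
    terms are dropped, matching how the paper writes the result."""
    form = {}
    for name, m in arrangement.items():
        term = merge(m, p)
        if term:
            form[name] = frozenset(e for _, e in term)
    return form


def complies(p, q, arrangement):
    """Compliance of p to q (Definition 14) without facts: p * q has the same
    normal form as q, i.e. everything q asks for is covered by p."""
    return nfm(merge(p, q), arrangement) == nfm(q, arrangement)


def guard(action, p, q, arrangement):
    """The high-order privilege action * [p ~* q]: the action pulses (is
    granted) only while the compliance condition holds, else it is empty."""
    return action if complies(p, q, arrangement) else frozenset()


# The four operations as bare privileges, i.e. f/ALL.
read, list_, write, remove = (emp({f}) for f in ("read", "list", "write", "remove"))

# The PAL declarations of section 5.
reader = emp({"read", "list"}, TECHDOC)                       # (read + list)/TechDoc
manager = restrict(compose(compose(reader, write), remove), TECHDOC)
bob = compose(reader, restrict(write, TECHDOC))               # reader + write/TechDoc
may = manager
phone = compose(read, list_)
officepc = compose(compose(compose(read, list_), write), remove)

# Employment arrangement M = read + list + write + remove (Definition 9): the
# elements are pairwise disjoint under mergence because their functions differ.
M = {"read": read, "list": list_, "write": write, "remove": remove}

session1 = merge(bob, officepc)
session2 = merge(bob, phone)

# readguard = read * [session1 ~* read/doc1]
readguard = guard(read, session1, emp({"read"}, DOC1), M)

if __name__ == "__main__":
    print("session1 =_M", nfm(session1, M))   # read, list, write on TechDoc
    print("session2 =_M", nfm(session2, M))   # read, list on TechDoc: no write
    print("readguard pulses:", bool(readguard))
    print("write/doc1 from the phone:", complies(session2, emp({"write"}, DOC1), M))
```

Because mergence is intersection and composition is union on the pair sets, properties 3 to 7 of Definition 8 hold for free, and `laws_hold` merely confirms it on the example's privileges. The two normal forms come out exactly as in the derivation above, and the same `complies` check explains why a write guard evaluated against the phone session stays empty: the phone terminal never contributed a write employment for the mergence to keep.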
Because doc1's "writable" action and may's "write" action are complementary in this synchronized interaction, writeguard and writableguard are defined,
$$\begin{aligned}
\mathit{writeguard} &= \mathit{write} * [\,\mathit{session}_3 \overset{*}{\sim} (\mathit{write}/\mathit{doc1})\,], \\
\mathit{writableguard} &= \mathit{writable} * [\,\mathit{doc1} \overset{*}{\sim} (\mathit{writable})\,].
\end{aligned}$$
Thus, we have the interaction guard interactionguard,
$$\mathit{interactionguard} = \mathit{writeguard} + \mathit{writableguard}.$$
Finally, $\mathit{session}_3$'s compliance and doc1's compliance together make the pulse of interactionguard.

6 Conclusion

Separation of duty is critical not only in security control but also in modeling and monitoring of business logic. To improve the reconfigurability of the representation of duty, we propose privilege calculus. With the help of the privilege's normal form and pulsed form, we are able to analyze the structure of privilege and to monitor the change in process. We have also demonstrated that the access control model based on privilege calculus is compatible with RBAC and ACL.

So far, we have only begun to explore the computation of privilege and the representation of regulation in access control logic. We still have little knowledge about the relationship among regulation, business process and business rule. On all accounts, we hope that the paper will throw some light on knowledge representation in the separation of duty domain, to facilitate the analysis of business rules and business processes.

References

1. Simon, R., Zurko, M.: Separation of duty in role-based environments. In: Proceedings of the 10th Computer Security Foundations Workshop, pp. 183–194. IEEE Press, New York (1997)
2. Gligor, V., Gavrila, S., Ferraiolo, D.: On the formal definition of separation-of-duty policies and their composition. In: Proceedings of Symposium on Security and Privacy, pp. 172–183. IEEE Press, New York (1998)
3. Sandhu, R.: Future Directions in Role-Based Access Control Models. In: Gorodetski, V.I., Skormin, V.A., Popyack, L.J. (eds.) Information Assurance in Computer Networks: Methods, Models, and Architectures for Network Security, International Workshop 2001. LNCS, vol. 2052, pp. 22–26. Springer, Heidelberg (2001)
4. Sandhu, R.: Role activation hierarchies. In: Proceedings of the third ACM workshop on role-based access control, pp. 33–40. ACM Press, New York (1998)
5. Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security 4(3), 224–274 (2001)
6. Barka, E., Sandhu, R.: Framework for role-based delegation models. In: Proceedings of the 16th Annual Computer Security Applications Conference, pp. 168–176. IEEE Press, New York (2000)
7. Jaeger, T.: On the increasing importance of constraints. In: Proceedings of the fourth ACM workshop on role-based access control, pp. 33–42. ACM Press, New York (1999)
8. Schaad, A.: Detecting Conflicts in a Role-based Delegation Model. In: Proceedings of the 17th Annual Computer Security Applications Conference, pp. 117–126. IEEE Press, New York (2001)
9. Jaeger, T., Sailer, R., Zhang, X.: Resolving constraint conflicts. In: Proceedings of the 9th ACM symposium on Access control models and technologies, pp. 105–114. ACM Press, New York (2004)
10. Milner, R.: Communicating and Mobile Systems: the π-Calculus. Cambridge University Press, Cambridge (1999)
11. Sandhu, R., Coyne, E., Feinstein, H., Youman, C.: Role-Based Access Control Models. Computer 29(2), 38–47 (1996)
12. Sandhu, R., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based administration of roles. ACM Transactions on Information and System Security 2(1), 105–135 (1999)
13. Oh, S., Park, S.: Task-role-based access control model. Information Systems 28(6), 533–562 (2003)