OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only
Back to discussions
Expand all | Collapse all

Break the Glass policies

David Chadwick

David Chadwick12-15-2009 21:29

  • 1.  Break the Glass policies

    Posted 12-12-2009 23:45 
    I have just returned from ACSAC in Hawaii where I presented a paper on 
the BTG-RBAC model. BTG is equivalent to breaking the glass on a 
firedoor. You are not normally granted access but in an emergency you 
are if you decide to BTG. This model requires the PDP to return one of 
three responses to the PEP instead of the traditional two (grant and 
deny) (forgetting for now indeterminate and not-applicable)

The semantics of the new "permission to BTG" response are

- this user is not granted access, but will be granted access if he/she 
decides to break the glass.

The application can then display a screen to the user asking if they 
wish to BTG and warning them that they will be held accountable for 
their actions if they decide to BTG. At real hospital trails in the main 
hospital in Porto, Portugal, where my PhD student works, results show 
that nearly 50% of doctors decided not to BTG when given the opportunity 
to do so. (The results are presented in our ACSAC paper along with the 
model). If the user decides to BTG then this grant is accompanied by a 
set of obligations which can perform audit, email the user's manager, 
reset the broken glass in 30 minutes etc at the wish of the policy 
writer. We have implemented a number of these obligations.

Whilst a complete implementation requires a truly stateful PDP, we have 
implemented support for BTG (with some limitations) using Sun's XACML 
PDP with a stateful wrapper that holds the BTG state in an obligation 
object. (We will be writing a paper on this sometime in the New Year). 
Either way, the PEP is given an extra response, "permission to BTG" when 
it asks if the user can access a particular resource. The reason we have 
done it this way, rather than getting the PEP to make multiple calls to 
the PDP and hold the BTG state itself, is simple, it makes it trivial 
for any application to support BTG policies, which can be simply added 
to the access control policies of any stateful or stateless PDP (XACML 
or otherwise).

So, after this very long introduction, my question to the group is

Can we standardise the BTG response and add it to the XACML standard as 
  a new response in the response context.

1. Ideally I would like to create a fifth enumerated value for decision, 
called BTG

2. As a sort of hack, we could create a new Major status code called 
BTG, but this is a hack, status codes are optional and the response is 
neither grant or deny but is genuinely intermediate to these. It is not 
indeterminate or not-applicable either, so which decision would 
accompany this status code?

3. We can always invent our own minor status code and put BTG there 
without perturbing the XACML standard, but this is effectively the group 
saying we dont see a requirement for BTG policies.

Comments please.

regards

David


*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************


  • 2.  Re: [xacml] Break the Glass policies

    Posted 12-14-2009 06:41 
    Hi David,

At the RSA 2008 Interop, we demonstrated an "emergency override" 
capability that I believe is equivalent to BTG, and was even referred to 
as BTG during requirements analysis. We did not require a new return 
code, but simply implemented this as part of the policy definitions - 
basically, a user requested access and was denied, then re-requested 
access with a new Permission (HL7) provided in the request, which 
enabled access.

The details are in section 2.2.4 of the document that may be found on 
the XACML TC main page:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#expository
The doc is described here:
http://www.oasis-open.org/committees/document.php?document_id=28030&wg_abbrev=xacml
The zip file containing the doc is in this zip file:
http://www.oasis-open.org/committees/download.php/28030/XACML-20-RSA-Interop-Documents-V-01.zip

Based on that implementation of the capability I would like to 
understand better the need for a "permission to BTG" response. In 
particular, why not just return the "permission" as an Obligation to the 
PEP to notify the user of this option?

    Thanks,
    Rich



David Chadwick wrote:
> I have just returned from ACSAC in Hawaii where I presented a paper on 
> the BTG-RBAC model. BTG is equivalent to breaking the glass on a 
> firedoor. You are not normally granted access but in an emergency you 
> are if you decide to BTG. This model requires the PDP to return one of 
> three responses to the PEP instead of the traditional two (grant and 
> deny) (forgetting for now indeterminate and not-applicable)
>
> The semantics of the new "permission to BTG" response are
>
> - this user is not granted access, but will be granted access if 
> he/she decides to break the glass.
>
> The application can then display a screen to the user asking if they 
> wish to BTG and warning them that they will be held accountable for 
> their actions if they decide to BTG. At real hospital trails in the 
> main hospital in Porto, Portugal, where my PhD student works, results 
> show that nearly 50% of doctors decided not to BTG when given the 
> opportunity to do so. (The results are presented in our ACSAC paper 
> along with the model). If the user decides to BTG then this grant is 
> accompanied by a set of obligations which can perform audit, email the 
> user's manager, reset the broken glass in 30 minutes etc at the wish 
> of the policy writer. We have implemented a number of these obligations.
>
> Whilst a complete implementation requires a truly stateful PDP, we 
> have implemented support for BTG (with some limitations) using Sun's 
> XACML PDP with a stateful wrapper that holds the BTG state in an 
> obligation object. (We will be writing a paper on this sometime in the 
> New Year). Either way, the PEP is given an extra response, "permission 
> to BTG" when it asks if the user can access a particular resource. The 
> reason we have done it this way, rather than getting the PEP to make 
> multiple calls to the PDP and hold the BTG state itself, is simple, it 
> makes it trivial for any application to support BTG policies, which 
> can be simply added to the access control policies of any stateful or 
> stateless PDP (XACML or otherwise).
>
> So, after this very long introduction, my question to the group is
>
> Can we standardise the BTG response and add it to the XACML standard 
> as  a new response in the response context.
>
> 1. Ideally I would like to create a fifth enumerated value for 
> decision, called BTG
>
> 2. As a sort of hack, we could create a new Major status code called 
> BTG, but this is a hack, status codes are optional and the response is 
> neither grant or deny but is genuinely intermediate to these. It is 
> not indeterminate or not-applicable either, so which decision would 
> accompany this status code?
>
> 3. We can always invent our own minor status code and put BTG there 
> without perturbing the XACML standard, but this is effectively the 
> group saying we dont see a requirement for BTG policies.
>
> Comments please.
>
> regards
>
> David
>
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Skype Name: davidwchadwick
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick@kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: 
> http://www.cs.kent.ac.uk/research/groups/iss/index.html
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
>
> *****************************************************************
>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


  • 3.  Re: [xacml] Break the Glass policies

    Posted 12-14-2009 07:08 
    David,
If I undesrstand you right, you want PEP to know at the end of first 
call that access is allowed for BTG scenario.
Is it not resolved if PDP sent Permit with an Obligation?
May be the standards can specify a standard obligation-id for BTG.
Thanks.
-Dilli

Rich.Levinson wrote:
> Hi David,
>
> At the RSA 2008 Interop, we demonstrated an "emergency override" 
> capability that I believe is equivalent to BTG, and was even referred 
> to as BTG during requirements analysis. We did not require a new 
> return code, but simply implemented this as part of the policy 
> definitions - basically, a user requested access and was denied, then 
> re-requested access with a new Permission (HL7) provided in the 
> request, which enabled access.
>
> The details are in section 2.2.4 of the document that may be found on 
> the XACML TC main page:
> http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#expository 
>
> The doc is described here:
> http://www.oasis-open.org/committees/document.php?document_id=28030&wg_abbrev=xacml 
>
> The zip file containing the doc is in this zip file:
> http://www.oasis-open.org/committees/download.php/28030/XACML-20-RSA-Interop-Documents-V-01.zip 
>
>
> Based on that implementation of the capability I would like to 
> understand better the need for a "permission to BTG" response. In 
> particular, why not just return the "permission" as an Obligation to 
> the PEP to notify the user of this option?
>
>    Thanks,
>    Rich
>
>
>
> David Chadwick wrote:
>> I have just returned from ACSAC in Hawaii where I presented a paper 
>> on the BTG-RBAC model. BTG is equivalent to breaking the glass on a 
>> firedoor. You are not normally granted access but in an emergency you 
>> are if you decide to BTG. This model requires the PDP to return one 
>> of three responses to the PEP instead of the traditional two (grant 
>> and deny) (forgetting for now indeterminate and not-applicable)
>>
>> The semantics of the new "permission to BTG" response are
>>
>> - this user is not granted access, but will be granted access if 
>> he/she decides to break the glass.
>>
>> The application can then display a screen to the user asking if they 
>> wish to BTG and warning them that they will be held accountable for 
>> their actions if they decide to BTG. At real hospital trails in the 
>> main hospital in Porto, Portugal, where my PhD student works, results 
>> show that nearly 50% of doctors decided not to BTG when given the 
>> opportunity to do so. (The results are presented in our ACSAC paper 
>> along with the model). If the user decides to BTG then this grant is 
>> accompanied by a set of obligations which can perform audit, email 
>> the user's manager, reset the broken glass in 30 minutes etc at the 
>> wish of the policy writer. We have implemented a number of these 
>> obligations.
>>
>> Whilst a complete implementation requires a truly stateful PDP, we 
>> have implemented support for BTG (with some limitations) using Sun's 
>> XACML PDP with a stateful wrapper that holds the BTG state in an 
>> obligation object. (We will be writing a paper on this sometime in 
>> the New Year). Either way, the PEP is given an extra response, 
>> "permission to BTG" when it asks if the user can access a particular 
>> resource. The reason we have done it this way, rather than getting 
>> the PEP to make multiple calls to the PDP and hold the BTG state 
>> itself, is simple, it makes it trivial for any application to support 
>> BTG policies, which can be simply added to the access control 
>> policies of any stateful or stateless PDP (XACML or otherwise).
>>
>> So, after this very long introduction, my question to the group is
>>
>> Can we standardise the BTG response and add it to the XACML standard 
>> as  a new response in the response context.
>>
>> 1. Ideally I would like to create a fifth enumerated value for 
>> decision, called BTG
>>
>> 2. As a sort of hack, we could create a new Major status code called 
>> BTG, but this is a hack, status codes are optional and the response 
>> is neither grant or deny but is genuinely intermediate to these. It 
>> is not indeterminate or not-applicable either, so which decision 
>> would accompany this status code?
>>
>> 3. We can always invent our own minor status code and put BTG there 
>> without perturbing the XACML standard, but this is effectively the 
>> group saying we dont see a requirement for BTG policies.
>>
>> Comments please.
>>
>> regards
>>
>> David
>>
>>
>> *****************************************************************
>> David W. Chadwick, BSc PhD
>> Professor of Information Systems Security
>> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
>> Skype Name: davidwchadwick
>> Tel: +44 1227 82 3221
>> Fax +44 1227 762 811
>> Mobile: +44 77 96 44 7184
>> Email: D.W.Chadwick@kent.ac.uk
>> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>> Research Web site: 
>> http://www.cs.kent.ac.uk/research/groups/iss/index.html
>> Entrust key validation string: MLJ9-DU5T-HV8J
>> PGP Key ID is 0xBC238DE5
>>
>> *****************************************************************
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail.  Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


  • 4.  Re: [xacml] Break the Glass policies

    Posted 12-15-2009 21:04 
    Hi Dilli

Dilli Dorai wrote:
> David,
> If I undesrstand you right, you want PEP to know at the end of first 
> call that access is allowed for BTG scenario.

yes correct, because there are policy rules that say this.

> Is it not resolved if PDP sent Permit with an Obligation?

No, because as explained in Babak's and Erik's paper, you have to 
differentiate between a genuine permit with or without obligations, and 
a special (BTG) Permit with obligations for any user who has the same 
attributes and is making the same request multiple times. I dont believe 
you can do this with their paper.

In effect there are three classes of user

- those who are always permitted
- those who are not normally permitted but are in an emergency
- those who are always denied

It is quite simple to formulate rules for the above using a single 
condition  for the middle case (IF Emergency/BTG is true). Once the 
glass is broken the condition becomes true and the user always has 
access until the glass is reset.

I dont believe you can do this using obligations

regards

David

> May be the standards can specify a standard obligation-id for BTG.
> Thanks.
> -Dilli
> 
> Rich.Levinson wrote:
>> Hi David,
>>
>> At the RSA 2008 Interop, we demonstrated an "emergency override" 
>> capability that I believe is equivalent to BTG, and was even referred 
>> to as BTG during requirements analysis. We did not require a new 
>> return code, but simply implemented this as part of the policy 
>> definitions - basically, a user requested access and was denied, then 
>> re-requested access with a new Permission (HL7) provided in the 
>> request, which enabled access.
>>
>> The details are in section 2.2.4 of the document that may be found on 
>> the XACML TC main page:
>> http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#expository 
>>
>> The doc is described here:
>> http://www.oasis-open.org/committees/document.php?document_id=28030&wg_abbrev=xacml 
>>
>> The zip file containing the doc is in this zip file:
>> http://www.oasis-open.org/committees/download.php/28030/XACML-20-RSA-Interop-Documents-V-01.zip 
>>
>>
>> Based on that implementation of the capability I would like to 
>> understand better the need for a "permission to BTG" response. In 
>> particular, why not just return the "permission" as an Obligation to 
>> the PEP to notify the user of this option?
>>
>>    Thanks,
>>    Rich
>>
>>
>>
>> David Chadwick wrote:
>>> I have just returned from ACSAC in Hawaii where I presented a paper 
>>> on the BTG-RBAC model. BTG is equivalent to breaking the glass on a 
>>> firedoor. You are not normally granted access but in an emergency you 
>>> are if you decide to BTG. This model requires the PDP to return one 
>>> of three responses to the PEP instead of the traditional two (grant 
>>> and deny) (forgetting for now indeterminate and not-applicable)
>>>
>>> The semantics of the new "permission to BTG" response are
>>>
>>> - this user is not granted access, but will be granted access if 
>>> he/she decides to break the glass.
>>>
>>> The application can then display a screen to the user asking if they 
>>> wish to BTG and warning them that they will be held accountable for 
>>> their actions if they decide to BTG. At real hospital trails in the 
>>> main hospital in Porto, Portugal, where my PhD student works, results 
>>> show that nearly 50% of doctors decided not to BTG when given the 
>>> opportunity to do so. (The results are presented in our ACSAC paper 
>>> along with the model). If the user decides to BTG then this grant is 
>>> accompanied by a set of obligations which can perform audit, email 
>>> the user's manager, reset the broken glass in 30 minutes etc at the 
>>> wish of the policy writer. We have implemented a number of these 
>>> obligations.
>>>
>>> Whilst a complete implementation requires a truly stateful PDP, we 
>>> have implemented support for BTG (with some limitations) using Sun's 
>>> XACML PDP with a stateful wrapper that holds the BTG state in an 
>>> obligation object. (We will be writing a paper on this sometime in 
>>> the New Year). Either way, the PEP is given an extra response, 
>>> "permission to BTG" when it asks if the user can access a particular 
>>> resource. The reason we have done it this way, rather than getting 
>>> the PEP to make multiple calls to the PDP and hold the BTG state 
>>> itself, is simple, it makes it trivial for any application to support 
>>> BTG policies, which can be simply added to the access control 
>>> policies of any stateful or stateless PDP (XACML or otherwise).
>>>
>>> So, after this very long introduction, my question to the group is
>>>
>>> Can we standardise the BTG response and add it to the XACML standard 
>>> as  a new response in the response context.
>>>
>>> 1. Ideally I would like to create a fifth enumerated value for 
>>> decision, called BTG
>>>
>>> 2. As a sort of hack, we could create a new Major status code called 
>>> BTG, but this is a hack, status codes are optional and the response 
>>> is neither grant or deny but is genuinely intermediate to these. It 
>>> is not indeterminate or not-applicable either, so which decision 
>>> would accompany this status code?
>>>
>>> 3. We can always invent our own minor status code and put BTG there 
>>> without perturbing the XACML standard, but this is effectively the 
>>> group saying we dont see a requirement for BTG policies.
>>>
>>> Comments please.
>>>
>>> regards
>>>
>>> David
>>>
>>>
>>> *****************************************************************
>>> David W. Chadwick, BSc PhD
>>> Professor of Information Systems Security
>>> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
>>> Skype Name: davidwchadwick
>>> Tel: +44 1227 82 3221
>>> Fax +44 1227 762 811
>>> Mobile: +44 77 96 44 7184
>>> Email: D.W.Chadwick@kent.ac.uk
>>> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>>> Research Web site: 
>>> http://www.cs.kent.ac.uk/research/groups/iss/index.html
>>> Entrust key validation string: MLJ9-DU5T-HV8J
>>> PGP Key ID is 0xBC238DE5
>>>
>>> *****************************************************************
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail.  Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 
> 

-- 
-------------------------------------------------------------
The Israeli group Breaking the Silence has just released a collection of
testimonies by Israeli soldiers that took part in the Gaza attack last
December and January. The testimonies expose significant gaps between 
the official stances of the Israeli military and events on the ground.

See  http://www.shovrimshtika.org/news_item_e.asp?id=30

The Israeli government defies Obama, and continues its settlement expansion

Israel plans to allocate $250 million over the next two years for 
settlements

http://www.palestinecampaign.org/index7b.asp?m_id=1&l1_id=4&l2_id=24&Content_ID=698

whilst simultaneously continuing to bulldoze Palestinian homes

http://salsa.democracyinaction.org/o/301/t/9462/campaign.jsp?campaign_KEY=27357

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************


  • 5.  Re: [xacml] Break the Glass policies

    Posted 12-15-2009 20:36 
    Hi Rich

I knew about the RSA Interop but could not find details of the way BTG 
was actually implemented. I will now look at these docs with our medical 
colleagues to see if it suffices. But one immediate question comes to 
mind. Why would the user or the PEP always issue a second request when 
denied access to a resource? How would they know when to and when not 
to. And if they did it everytime, and the SAML-XACML protocol is being 
used to contact a remote PDP, then this is extremely wasteful of 
resources and time consuming. Since the PDP has the policy rules anyway, 
it can short circuit this by replying BTG only in the cases when it 
knows the user does have the second type of permission.

regards

David


Rich.Levinson wrote:
> Hi David,
> 
> At the RSA 2008 Interop, we demonstrated an "emergency override" 
> capability that I believe is equivalent to BTG, and was even referred to 
> as BTG during requirements analysis. We did not require a new return 
> code, but simply implemented this as part of the policy definitions - 
> basically, a user requested access and was denied, then re-requested 
> access with a new Permission (HL7) provided in the request, which 
> enabled access.
> 
> The details are in section 2.2.4 of the document that may be found on 
> the XACML TC main page:
> http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#expository
> The doc is described here:
> http://www.oasis-open.org/committees/document.php?document_id=28030&wg_abbrev=xacml 
> 
> The zip file containing the doc is in this zip file:
> http://www.oasis-open.org/committees/download.php/28030/XACML-20-RSA-Interop-Documents-V-01.zip 
> 
> 
> Based on that implementation of the capability I would like to 
> understand better the need for a "permission to BTG" response. In 
> particular, why not just return the "permission" as an Obligation to the 
> PEP to notify the user of this option?
> 
>    Thanks,
>    Rich
> 
> 
> 
> David Chadwick wrote:
>> I have just returned from ACSAC in Hawaii where I presented a paper on 
>> the BTG-RBAC model. BTG is equivalent to breaking the glass on a 
>> firedoor. You are not normally granted access but in an emergency you 
>> are if you decide to BTG. This model requires the PDP to return one of 
>> three responses to the PEP instead of the traditional two (grant and 
>> deny) (forgetting for now indeterminate and not-applicable)
>>
>> The semantics of the new "permission to BTG" response are
>>
>> - this user is not granted access, but will be granted access if 
>> he/she decides to break the glass.
>>
>> The application can then display a screen to the user asking if they 
>> wish to BTG and warning them that they will be held accountable for 
>> their actions if they decide to BTG. At real hospital trails in the 
>> main hospital in Porto, Portugal, where my PhD student works, results 
>> show that nearly 50% of doctors decided not to BTG when given the 
>> opportunity to do so. (The results are presented in our ACSAC paper 
>> along with the model). If the user decides to BTG then this grant is 
>> accompanied by a set of obligations which can perform audit, email the 
>> user's manager, reset the broken glass in 30 minutes etc at the wish 
>> of the policy writer. We have implemented a number of these obligations.
>>
>> Whilst a complete implementation requires a truly stateful PDP, we 
>> have implemented support for BTG (with some limitations) using Sun's 
>> XACML PDP with a stateful wrapper that holds the BTG state in an 
>> obligation object. (We will be writing a paper on this sometime in the 
>> New Year). Either way, the PEP is given an extra response, "permission 
>> to BTG" when it asks if the user can access a particular resource. The 
>> reason we have done it this way, rather than getting the PEP to make 
>> multiple calls to the PDP and hold the BTG state itself, is simple, it 
>> makes it trivial for any application to support BTG policies, which 
>> can be simply added to the access control policies of any stateful or 
>> stateless PDP (XACML or otherwise).
>>
>> So, after this very long introduction, my question to the group is
>>
>> Can we standardise the BTG response and add it to the XACML standard 
>> as  a new response in the response context.
>>
>> 1. Ideally I would like to create a fifth enumerated value for 
>> decision, called BTG
>>
>> 2. As a sort of hack, we could create a new Major status code called 
>> BTG, but this is a hack, status codes are optional and the response is 
>> neither grant or deny but is genuinely intermediate to these. It is 
>> not indeterminate or not-applicable either, so which decision would 
>> accompany this status code?
>>
>> 3. We can always invent our own minor status code and put BTG there 
>> without perturbing the XACML standard, but this is effectively the 
>> group saying we dont see a requirement for BTG policies.
>>
>> Comments please.
>>
>> regards
>>
>> David
>>
>>
>> *****************************************************************
>> David W. Chadwick, BSc PhD
>> Professor of Information Systems Security
>> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
>> Skype Name: davidwchadwick
>> Tel: +44 1227 82 3221
>> Fax +44 1227 762 811
>> Mobile: +44 77 96 44 7184
>> Email: D.W.Chadwick@kent.ac.uk
>> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>> Research Web site: 
>> http://www.cs.kent.ac.uk/research/groups/iss/index.html
>> Entrust key validation string: MLJ9-DU5T-HV8J
>> PGP Key ID is 0xBC238DE5
>>
>> *****************************************************************
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail.  Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 

-- 
-------------------------------------------------------------
The Israeli group Breaking the Silence has just released a collection of
testimonies by Israeli soldiers that took part in the Gaza attack last
December and January. The testimonies expose significant gaps between 
the official stances of the Israeli military and events on the ground.

See  http://www.shovrimshtika.org/news_item_e.asp?id=30

The Israeli government defies Obama, and continues its settlement expansion

Israel plans to allocate $250 million over the next two years for 
settlements

http://www.palestinecampaign.org/index7b.asp?m_id=1&l1_id=4&l2_id=24&Content_ID=698

whilst simultaneously continuing to bulldoze Palestinian homes

http://salsa.democracyinaction.org/o/301/t/9462/campaign.jsp?campaign_KEY=27357

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************


  • 6.  Re: [xacml] Break the Glass policies

    Posted 12-15-2009 23:53 
    Hi David,

Are you aware that there is inappropriate content being attached to your 
emails as they are delivered to the OASIS XACML TC site? The material 
does not show up on the reply-to, but it does appear in the original 
emails and the TC archives and should probably be removed.

    Thanks,  
    Rich


David Chadwick wrote:
> Hi Rich
>
> I knew about the RSA Interop but could not find details of the way BTG 
> was actually implemented. I will now look at these docs with our 
> medical colleagues to see if it suffices. But one immediate question 
> comes to mind. Why would the user or the PEP always issue a second 
> request when denied access to a resource? How would they know when to 
> and when not to. And if they did it everytime, and the SAML-XACML 
> protocol is being used to contact a remote PDP, then this is extremely 
> wasteful of resources and time consuming. Since the PDP has the policy 
> rules anyway, it can short circuit this by replying BTG only in the 
> cases when it knows the user does have the second type of permission.
>
> regards
>
> David
>
>
> Rich.Levinson wrote:
>> Hi David,
>>
>> At the RSA 2008 Interop, we demonstrated an "emergency override" 
>> capability that I believe is equivalent to BTG, and was even referred 
>> to as BTG during requirements analysis. We did not require a new 
>> return code, but simply implemented this as part of the policy 
>> definitions - basically, a user requested access and was denied, then 
>> re-requested access with a new Permission (HL7) provided in the 
>> request, which enabled access.
>>
>> The details are in section 2.2.4 of the document that may be found on 
>> the XACML TC main page:
>> http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml#expository 
>>
>> The doc is described here:
>> http://www.oasis-open.org/committees/document.php?document_id=28030&wg_abbrev=xacml 
>>
>> The zip file containing the doc is in this zip file:
>> http://www.oasis-open.org/committees/download.php/28030/XACML-20-RSA-Interop-Documents-V-01.zip 
>>
>>
>> Based on that implementation of the capability I would like to 
>> understand better the need for a "permission to BTG" response. In 
>> particular, why not just return the "permission" as an Obligation to 
>> the PEP to notify the user of this option?
>>
>>    Thanks,
>>    Rich
>>
>>
>>
>> David Chadwick wrote:
>>> I have just returned from ACSAC in Hawaii where I presented a paper 
>>> on the BTG-RBAC model. BTG is equivalent to breaking the glass on a 
>>> firedoor. You are not normally granted access but in an emergency 
>>> you are if you decide to BTG. This model requires the PDP to return 
>>> one of three responses to the PEP instead of the traditional two 
>>> (grant and deny) (forgetting for now indeterminate and not-applicable)
>>>
>>> The semantics of the new "permission to BTG" response are
>>>
>>> - this user is not granted access, but will be granted access if 
>>> he/she decides to break the glass.
>>>
>>> The application can then display a screen to the user asking if they 
>>> wish to BTG and warning them that they will be held accountable for 
>>> their actions if they decide to BTG. At real hospital trails in the 
>>> main hospital in Porto, Portugal, where my PhD student works, 
>>> results show that nearly 50% of doctors decided not to BTG when 
>>> given the opportunity to do so. (The results are presented in our 
>>> ACSAC paper along with the model). If the user decides to BTG then 
>>> this grant is accompanied by a set of obligations which can perform 
>>> audit, email the user's manager, reset the broken glass in 30 
>>> minutes etc at the wish of the policy writer. We have implemented a 
>>> number of these obligations.
>>>
>>> Whilst a complete implementation requires a truly stateful PDP, we 
>>> have implemented support for BTG (with some limitations) using Sun's 
>>> XACML PDP with a stateful wrapper that holds the BTG state in an 
>>> obligation object. (We will be writing a paper on this sometime in 
>>> the New Year). Either way, the PEP is given an extra response, 
>>> "permission to BTG" when it asks if the user can access a particular 
>>> resource. The reason we have done it this way, rather than getting 
>>> the PEP to make multiple calls to the PDP and hold the BTG state 
>>> itself, is simple, it makes it trivial for any application to 
>>> support BTG policies, which can be simply added to the access 
>>> control policies of any stateful or stateless PDP (XACML or otherwise).
>>>
>>> So, after this very long introduction, my question to the group is
>>>
>>> Can we standardise the BTG response and add it to the XACML standard 
>>> as  a new response in the response context.
>>>
>>> 1. Ideally I would like to create a fifth enumerated value for 
>>> decision, called BTG
>>>
>>> 2. As a sort of hack, we could create a new Major status code called 
>>> BTG, but this is a hack, status codes are optional and the response 
>>> is neither grant or deny but is genuinely intermediate to these. It 
>>> is not indeterminate or not-applicable either, so which decision 
>>> would accompany this status code?
>>>
>>> 3. We can always invent our own minor status code and put BTG there 
>>> without perturbing the XACML standard, but this is effectively the 
>>> group saying we dont see a requirement for BTG policies.
>>>
>>> Comments please.
>>>
>>> regards
>>>
>>> David
>>>
>>>
>>> *****************************************************************
>>> David W. Chadwick, BSc PhD
>>> Professor of Information Systems Security
>>> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
>>> Skype Name: davidwchadwick
>>> Tel: +44 1227 82 3221
>>> Fax +44 1227 762 811
>>> Mobile: +44 77 96 44 7184
>>> Email: D.W.Chadwick@kent.ac.uk
>>> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
>>> Research Web site: 
>>> http://www.cs.kent.ac.uk/research/groups/iss/index.html
>>> Entrust key validation string: MLJ9-DU5T-HV8J
>>> PGP Key ID is 0xBC238DE5
>>>
>>> *****************************************************************
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail.  Follow this link to all your TCs in OASIS at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>
>


  • 7.  Re: [xacml] Break the Glass policies

    Posted 12-14-2009 07:52 
    Hi David,

you might want to look at this:
http://portal.acm.org/citation.cfm?id=1263871

I think it is very similar to what you want to achieve.

Regards,

Ludwig

-- 
Ludwig Seitz, PhD             |   Axiomatics AB
Training & Development        |   Electrum 223
Phone: +46 (0)760 44 22 91    |   S-164 40 Kista, Sweden
Mail: ludwig@axiomatics.com   |


  • 8.  RE: [xacml] Break the Glass policies

    Posted 12-14-2009 14:23 
    David, all --

In looking at access policies based on formal policy authorities (like
laws and frederal regulation) we've seen a number of cases where the
only practical source of a person or environmental "attribute" is
assertion by the requestor. The "BTG" attribute is an assertion that an
emergency situation exists. We also have come to the same conclusion
that you have (apparently), namely that ex-post enforcement (via audit
of access logs) is a sufficient basis for enforcement for many kinds of
policies. 

Another general class of self-assertion situations is where a law or
policy says "you can share information 'for the purpose of' something."
Example: passpost clerks can view personal passport records 'for the
purpose of' varifying information in the course of processing a passport
renewal application, (but not for other purposes, like browsing the
information of celebrities.)  In many of these scenarios one might
imagine a data source for the attribute that did not depend on
self-assertion, but those data may not be available at least in the
short run.

I have not considered implementation of this enforcement strategy
(self-assertion plus log audit) to be a standards issue, so much as a
tooling issue (does a PDP product support pop-up requests for
self-asserted information?)  But if making a BTG profile stimulates
vendors to add capability for collecting self-assertion data, I'm for
it!

Martin Smith
US Department of Homeland Security

   


    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 9.  Re: [xacml] Break the Glass policies

    Posted 12-15-2009 21:38 
    Hi Martin

at the NIST PMI conference in September the DoD had a similar concept of 
overriding access control for operational reasons, but the main 
difference to BTG is that in the DOD model a system component evaluates 
the operational need and either overrides or does not on behalf of the 
user. With BTG we are giving power back to the user to make the informed 
choice. One thing that our hospital trials uncovered is that you do need 
the audit and checks afterwards, otherwise it is hypothesised that once 
users learn that there are no consequences for always BTGing, they 
always will do it.

The purpose for us defining the BTG model and third response it to build 
the complexity into the application independent PDP layer with 
consequent simplicity in the PEP layer, and simplicity in specifying the 
BTG policies. We therefore hope it will make this type of access control 
  much easier to implement in all sorts of application scenarios.

regards

David


Smith, Martin wrote:
> David, all --
> 
> In looking at access policies based on formal policy authorities (like
> laws and frederal regulation) we've seen a number of cases where the
> only practical source of a person or environmental "attribute" is
> assertion by the requestor. The "BTG" attribute is an assertion that an
> emergency situation exists. We also have come to the same conclusion
> that you have (apparently), namely that ex-post enforcement (via audit
> of access logs) is a sufficient basis for enforcement for many kinds of
> policies. 
> 
> Another general class of self-assertion situations is where a law or
> policy says "you can share information 'for the purpose of' something."
> Example: passpost clerks can view personal passport records 'for the
> purpose of' varifying information in the course of processing a passport
> renewal application, (but not for other purposes, like browsing the
> information of celebrities.)  In many of these scenarios one might
> imagine a data source for the attribute that did not depend on
> self-assertion, but those data may not be available at least in the
> short run.
> 
> I have not considered implementation of this enforcement strategy
> (self-assertion plus log audit) to be a standards issue, so much as a
> tooling issue (does a PDP product support pop-up requests for
> self-asserted information?)  But if making a BTG profile stimulates
> vendors to add capability for collecting self-assertion data, I'm for
> it!
> 
> Martin Smith
> US Department of Homeland Security
> 
>    
> 
> 
    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 10.  RE: [xacml] Break the Glass policies

    Posted 12-16-2009 00:41 
    David -- Agree with your considerations. FWIW, I was visualizing this
from the ujser interaction POV (w/o worrying about implementation or
efficiency.) What I imagined was a person issuing a query, and then
getting a pop-up saying: "You are not authorized access to the requested
information EXCEPT in the following circumstance(s): [drop-down list of
circumstances].  If any of these applies to your request, select it and
then press the CERTIFY botton to certify that the circumstance applies
to this access request.  Otherwise press CANCEL.  Note: this transaction
and your certification will be recorded."  

Well, I hope it would be a bit less wordy that that.


  • 11.  Re: [xacml] Break the Glass policies

    Posted 12-17-2009 09:42 
    Hi Martin

Smith, Martin wrote:
> David -- Agree with your considerations. FWIW, I was visualizing this
> from the ujser interaction POV (w/o worrying about implementation or
> efficiency.) What I imagined was a person issuing a query, and then
> getting a pop-up

Yes this is what our hospital application does. BTW we have a very 
simple public demo here

http://issrg-testbed-2.cs.kent.ac.uk/

> saying: "You are not authorized access to the requested
> information EXCEPT in the following circumstance(s): [drop-down list of
> circumstances]. 

Hmm. where does the application get these circumstances from? Would they 
be part of the policy and returned as obligations with the BTG response? 
Or would they simply be configured into the application?

We have envisaged a different set of messages, which we called 
Consequences, that would pop up to warn the user of the consequences of 
breaking the glass. These would also be returned as obligations (to be 
displayed to the user by the PEP) in the BTG response.

We already have obligations on grant or deny, so could have them on BTG 
as well.


  If any of these applies to your request, select it and
> then press the CERTIFY botton to certify that the circumstance applies
> to this access request.  Otherwise press CANCEL.  Note: this transaction
> and your certification will be recorded."  


The note you specify above is one of the Consequences that we envisaged. 
By encoding them as obligations in the policy you get much greater 
freedom what to tell the user.


> 
> Well, I hope it would be a bit less wordy that that.


  • 12.  RE: [xacml] Break the Glass policies

    Posted 12-17-2009 18:08 
    David -- I have not delved in obligations, so I can't make any
meaningful comment. The list of exceptional circumstances are certainly
derived from policy, and it would be far better (less expensive, more
reliable) if they could be maintained there (in PDP) rather than having
to be coded (and updated) in every application. No idea how this would
be implemented, I'm afraid . . .

 Martin



    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 13.  Re: [xacml] Break the Glass policies

    Posted 12-19-2009 11:19 
    Martin, David, All

I have not understood all the specifics in this discussion, but I think 
the discussion touches an issue which is currently very 
underdeveloped/lacking in XACML. I mentioned this at the recent F2F, in 
the session about future directions for XACML, and I am referring to 
stateful policies.

As you say, for many reasons it is preferable that access control policy 
is externalized from applications, rather than having to be coded into 
applications.

Currently the XACML PDP is stateless, for many good reasons, meaning 
that any kind of stateful policy, such as dynamic separation of duties 
must be handled with attributes. And a policy language for defining the 
dynamic stateful policies in terms of attributes is also lacking. So 
this means application code.

An example of a dynamic stateful policy would be for instance the well 
known Chinese wall policy: "If someone accessed information about client 
A, they must not be allowed to work with any competitor of A". In this 
case future access rights depend on past actions. Sure, it can all be 
done with a mix of XACML, application code and attributes, but, as 
Martin says, it's not ideal since it's not really done through policy 
external from applications.

What XACML will need, once we get 3.0 done so we can focus on the long 
term future, is an extended architecture which includes a component 
which maintains state and a policy language for defining that state and 
how it relates to access control enforcement. I think the PDP should 
still be stateless, so we don't get state spread out all over the place, 
but with the stateful component (of some unknown kind, but well defined) 
which exposes itself as attributes, this kind of dynamic policies could 
be specified externally from the application.

Best regards,
Erik

On 12/17/2009 07:07 PM, Smith, Martin wrote:
> David -- I have not delved in obligations, so I can't make any
> meaningful comment. The list of exceptional circumstances are certainly
> derived from policy, and it would be far better (less expensive, more
> reliable) if they could be maintained there (in PDP) rather than having
> to be coded (and updated) in every application. No idea how this would
> be implemented, I'm afraid . . .
>
>   Martin
>
>
> 
    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 14.  Re: [xacml] Break the Glass policies

    Posted 12-21-2009 03:24 
    Hi Erik,

I found your email to be a very interesting and instructive analysis.

I am still not convinced that the PDP, itself, needs to maintain state. 
Why would we not store these "dynamic attributes" in some sort of PIP? 
Possibly we could have a dynamic attribute profile that described the 
operation of such a PIP.

+1 for putting this on the immediate post-3.0 stack.

    Thanks,
    Rich


Erik Rissanen wrote:
> Martin, David, All
>
> I have not understood all the specifics in this discussion, but I 
> think the discussion touches an issue which is currently very 
> underdeveloped/lacking in XACML. I mentioned this at the recent F2F, 
> in the session about future directions for XACML, and I am referring 
> to stateful policies.
>
> As you say, for many reasons it is preferable that access control 
> policy is externalized from applications, rather than having to be 
> coded into applications.
>
> Currently the XACML PDP is stateless, for many good reasons, meaning 
> that any kind of stateful policy, such as dynamic separation of duties 
> must be handled with attributes. And a policy language for defining 
> the dynamic stateful policies in terms of attributes is also lacking. 
> So this means application code.
>
> An example of a dynamic stateful policy would be for instance the well 
> known Chinese wall policy: "If someone accessed information about 
> client A, they must not be allowed to work with any competitor of A". 
> In this case future access rights depend on past actions. Sure, it can 
> all be done with a mix of XACML, application code and attributes, but, 
> as Martin says, it's not ideal since it's not really done through 
> policy external from applications.
>
> What XACML will need, once we get 3.0 done so we can focus on the long 
> term future, is an extended architecture which includes a component 
> which maintains state and a policy language for defining that state 
> and how it relates to access control enforcement. I think the PDP 
> should still be stateless, so we don't get state spread out all over 
> the place, but with the stateful component (of some unknown kind, but 
> well defined) which exposes itself as attributes, this kind of dynamic 
> policies could be specified externally from the application.
>
> Best regards,
> Erik
>
> On 12/17/2009 07:07 PM, Smith, Martin wrote:
>> David -- I have not delved in obligations, so I can't make any
>> meaningful comment. The list of exceptional circumstances are certainly
>> derived from policy, and it would be far better (less expensive, more
>> reliable) if they could be maintained there (in PDP) rather than having
>> to be coded (and updated) in every application. No idea how this would
>> be implemented, I'm afraid . . .
>>
>>   Martin
>>
>>
>> 
    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 15.  Re: [xacml] Break the Glass policies

    Posted 12-21-2009 05:11 
    Agree with Rich.
State would be maintained in ldap directory or an rdbms or things like 
that for long lived state.
State would be maintained in session for attributes that are short 
lived, that is less than or equal to an authenticated user session.
I thought PIP is the abstraction over ldap directory, rdbms, session 
authorities etc.
Given that, I do not really understand what we mean by the new term 
stateful policy.
Thanks.
-Dilli

Rich.Levinson wrote:
> Hi Erik,
>
> I found your email to be a very interesting and instructive analysis.
>
> I am still not convinced that the PDP, itself, needs to maintain 
> state. Why would we not store these "dynamic attributes" in some sort 
> of PIP? Possibly we could have a dynamic attribute profile that 
> described the operation of such a PIP.
>
> +1 for putting this on the immediate post-3.0 stack.
>
>    Thanks,
>    Rich
>
>
> Erik Rissanen wrote:
>> Martin, David, All
>>
>> I have not understood all the specifics in this discussion, but I 
>> think the discussion touches an issue which is currently very 
>> underdeveloped/lacking in XACML. I mentioned this at the recent F2F, 
>> in the session about future directions for XACML, and I am referring 
>> to stateful policies.
>>
>> As you say, for many reasons it is preferable that access control 
>> policy is externalized from applications, rather than having to be 
>> coded into applications.
>>
>> Currently the XACML PDP is stateless, for many good reasons, meaning 
>> that any kind of stateful policy, such as dynamic separation of 
>> duties must be handled with attributes. And a policy language for 
>> defining the dynamic stateful policies in terms of attributes is also 
>> lacking. So this means application code.
>>
>> An example of a dynamic stateful policy would be for instance the 
>> well known Chinese wall policy: "If someone accessed information 
>> about client A, they must not be allowed to work with any competitor 
>> of A". In this case future access rights depend on past actions. 
>> Sure, it can all be done with a mix of XACML, application code and 
>> attributes, but, as Martin says, it's not ideal since it's not really 
>> done through policy external from applications.
>>
>> What XACML will need, once we get 3.0 done so we can focus on the 
>> long term future, is an extended architecture which includes a 
>> component which maintains state and a policy language for defining 
>> that state and how it relates to access control enforcement. I think 
>> the PDP should still be stateless, so we don't get state spread out 
>> all over the place, but with the stateful component (of some unknown 
>> kind, but well defined) which exposes itself as attributes, this kind 
>> of dynamic policies could be specified externally from the application.
>>
>> Best regards,
>> Erik
>>
>> On 12/17/2009 07:07 PM, Smith, Martin wrote:
>>> David -- I have not delved in obligations, so I can't make any
>>> meaningful comment. The list of exceptional circumstances are certainly
>>> derived from policy, and it would be far better (less expensive, more
>>> reliable) if they could be maintained there (in PDP) rather than having
>>> to be coded (and updated) in every application. No idea how this would
>>> be implemented, I'm afraid . . .
>>>
>>>   Martin
>>>
>>>
>>> 
    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 16.  Re: [xacml] Break the Glass policies

    Posted 12-21-2009 08:44 
    Hi Dilli and Rich,

Yes, I intended that state is not put at the PDP. It's part of the PIP 
from the PDP's point of view, but that state should be controlled 
through policies (of some unknown form), rather than application code.

For instance, I imagine a policy about state as something like this:

IF client A record accessed THEN SET STATE subject.competing_clients = B

Note how we can express the dynamic separation of duties as a policy. I 
am not saying that this is the right form of policy and I don't know 
where the policy is and how it is enforced etc. But I hope you get the idea.

Then an XACML policy can have:



I really don't have any good concrete proposals. It's just that 
something I have noticed is not handled so well by XACML today. I am 
sure there is plenty of academic research we can make use of.

Best regards,
Erik



On 2009-12-21 06:10, Dilli Dorai wrote:
> Agree with Rich.
> State would be maintained in ldap directory or an rdbms or things like 
> that for long lived state.
> State would be maintained in session for attributes that are short 
> lived, that is less than or equal to an authenticated user session.
> I thought PIP is the abstraction over ldap directory, rdbms, session 
> authorities etc.
> Given that, I do not really understand what we mean by the new term 
> stateful policy.
> Thanks.
> -Dilli
>
> Rich.Levinson wrote:
>> Hi Erik,
>>
>> I found your email to be a very interesting and instructive analysis.
>>
>> I am still not convinced that the PDP, itself, needs to maintain 
>> state. Why would we not store these "dynamic attributes" in some sort 
>> of PIP? Possibly we could have a dynamic attribute profile that 
>> described the operation of such a PIP.
>>
>> +1 for putting this on the immediate post-3.0 stack.
>>
>>    Thanks,
>>    Rich
>>
>>
>> Erik Rissanen wrote:
>>> Martin, David, All
>>>
>>> I have not understood all the specifics in this discussion, but I 
>>> think the discussion touches an issue which is currently very 
>>> underdeveloped/lacking in XACML. I mentioned this at the recent F2F, 
>>> in the session about future directions for XACML, and I am referring 
>>> to stateful policies.
>>>
>>> As you say, for many reasons it is preferable that access control 
>>> policy is externalized from applications, rather than having to be 
>>> coded into applications.
>>>
>>> Currently the XACML PDP is stateless, for many good reasons, meaning 
>>> that any kind of stateful policy, such as dynamic separation of 
>>> duties must be handled with attributes. And a policy language for 
>>> defining the dynamic stateful policies in terms of attributes is 
>>> also lacking. So this means application code.
>>>
>>> An example of a dynamic stateful policy would be for instance the 
>>> well known Chinese wall policy: "If someone accessed information 
>>> about client A, they must not be allowed to work with any competitor 
>>> of A". In this case future access rights depend on past actions. 
>>> Sure, it can all be done with a mix of XACML, application code and 
>>> attributes, but, as Martin says, it's not ideal since it's not 
>>> really done through policy external from applications.
>>>
>>> What XACML will need, once we get 3.0 done so we can focus on the 
>>> long term future, is an extended architecture which includes a 
>>> component which maintains state and a policy language for defining 
>>> that state and how it relates to access control enforcement. I think 
>>> the PDP should still be stateless, so we don't get state spread out 
>>> all over the place, but with the stateful component (of some unknown 
>>> kind, but well defined) which exposes itself as attributes, this 
>>> kind of dynamic policies could be specified externally from the 
>>> application.
>>>
>>> Best regards,
>>> Erik
>>>
>>> On 12/17/2009 07:07 PM, Smith, Martin wrote:
>>>> David -- I have not delved in obligations, so I can't make any
>>>> meaningful comment. The list of exceptional circumstances are 
>>>> certainly
>>>> derived from policy, and it would be far better (less expensive, more
>>>> reliable) if they could be maintained there (in PDP) rather than 
>>>> having
>>>> to be coded (and updated) in every application. No idea how this would
>>>> be implemented, I'm afraid . . .
>>>>
>>>>   Martin
>>>>
>>>>
>>>> 
    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 17.  Re: [xacml] Break the Glass policies

    Posted 12-21-2009 23:45 
    Hi Dilli

the problem is that the amount of state information could be huge, with 
different values per user, per action, per resource, per environmental 
parameter etc. So which value does the PIP give to the PDP? Or does it 
send the entire RDBMS contents to the PDP with each request context?

regards

David


Dilli Dorai wrote:
> Agree with Rich.
> State would be maintained in ldap directory or an rdbms or things like 
> that for long lived state.
> State would be maintained in session for attributes that are short 
> lived, that is less than or equal to an authenticated user session.
> I thought PIP is the abstraction over ldap directory, rdbms, session 
> authorities etc.
> Given that, I do not really understand what we mean by the new term 
> stateful policy.
> Thanks.
> -Dilli
> 
> Rich.Levinson wrote:
>> Hi Erik,
>>
>> I found your email to be a very interesting and instructive analysis.
>>
>> I am still not convinced that the PDP, itself, needs to maintain 
>> state. Why would we not store these "dynamic attributes" in some sort 
>> of PIP? Possibly we could have a dynamic attribute profile that 
>> described the operation of such a PIP.
>>
>> +1 for putting this on the immediate post-3.0 stack.
>>
>>    Thanks,
>>    Rich
>>
>>
>> Erik Rissanen wrote:
>>> Martin, David, All
>>>
>>> I have not understood all the specifics in this discussion, but I 
>>> think the discussion touches an issue which is currently very 
>>> underdeveloped/lacking in XACML. I mentioned this at the recent F2F, 
>>> in the session about future directions for XACML, and I am referring 
>>> to stateful policies.
>>>
>>> As you say, for many reasons it is preferable that access control 
>>> policy is externalized from applications, rather than having to be 
>>> coded into applications.
>>>
>>> Currently the XACML PDP is stateless, for many good reasons, meaning 
>>> that any kind of stateful policy, such as dynamic separation of 
>>> duties must be handled with attributes. And a policy language for 
>>> defining the dynamic stateful policies in terms of attributes is also 
>>> lacking. So this means application code.
>>>
>>> An example of a dynamic stateful policy would be for instance the 
>>> well known Chinese wall policy: "If someone accessed information 
>>> about client A, they must not be allowed to work with any competitor 
>>> of A". In this case future access rights depend on past actions. 
>>> Sure, it can all be done with a mix of XACML, application code and 
>>> attributes, but, as Martin says, it's not ideal since it's not really 
>>> done through policy external from applications.
>>>
>>> What XACML will need, once we get 3.0 done so we can focus on the 
>>> long term future, is an extended architecture which includes a 
>>> component which maintains state and a policy language for defining 
>>> that state and how it relates to access control enforcement. I think 
>>> the PDP should still be stateless, so we don't get state spread out 
>>> all over the place, but with the stateful component (of some unknown 
>>> kind, but well defined) which exposes itself as attributes, this kind 
>>> of dynamic policies could be specified externally from the application.
>>>
>>> Best regards,
>>> Erik
>>>
>>> On 12/17/2009 07:07 PM, Smith, Martin wrote:
>>>> David -- I have not delved in obligations, so I can't make any
>>>> meaningful comment. The list of exceptional circumstances are certainly
>>>> derived from policy, and it would be far better (less expensive, more
>>>> reliable) if they could be maintained there (in PDP) rather than having
>>>> to be coded (and updated) in every application. No idea how this would
>>>> be implemented, I'm afraid . . .
>>>>
>>>>   Martin
>>>>
>>>>
>>>> 
    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 18.  Re: [xacml] Break the Glass policies

    Posted 12-21-2009 23:42 
    Hi Erik

I agree it would be good to work on stateful policies for XACMLv4.

We have been building state variables outside the PDP in a wrapper 
object that holds the various state variables and returns the current 
value to the PDP with the request context. This wrapper appears to be a 
PEP to the PDP and a PDP to the PEP, so the XACML request context can be 
passed between both interfaces.

But in our latest BTG implementation (which uses this wrapper) we have 
found cases where it is not possible to know which precise state 
attribute value to pass to the PDP in the request context because there 
are several possible ones to chose from (e.g. there could be one state 
per role and the user presents several roles). It could be that our 
current design is wrong (i.e. we should be passing back the entire state 
array to the PDP rather than a single attribute value as we do now), or 
that the PDP does need to be stateful and hold all the state values, 
since only it knows which is the correct state value to use when it 
evaluates each of the various access rules. The outer wrapper does not 
have access to the policy rules, so it can never know which state should 
go with which rule. Any future design will have to address this specific 
issue.

regards

David


Erik Rissanen wrote:
> Martin, David, All
> 
> I have not understood all the specifics in this discussion, but I think 
> the discussion touches an issue which is currently very 
> underdeveloped/lacking in XACML. I mentioned this at the recent F2F, in 
> the session about future directions for XACML, and I am referring to 
> stateful policies.
> 
> As you say, for many reasons it is preferable that access control policy 
> is externalized from applications, rather than having to be coded into 
> applications.
> 
> Currently the XACML PDP is stateless, for many good reasons, meaning 
> that any kind of stateful policy, such as dynamic separation of duties 
> must be handled with attributes. And a policy language for defining the 
> dynamic stateful policies in terms of attributes is also lacking. So 
> this means application code.
> 
> An example of a dynamic stateful policy would be for instance the well 
> known Chinese wall policy: "If someone accessed information about client 
> A, they must not be allowed to work with any competitor of A". In this 
> case future access rights depend on past actions. Sure, it can all be 
> done with a mix of XACML, application code and attributes, but, as 
> Martin says, it's not ideal since it's not really done through policy 
> external from applications.
> 
> What XACML will need, once we get 3.0 done so we can focus on the long 
> term future, is an extended architecture which includes a component 
> which maintains state and a policy language for defining that state and 
> how it relates to access control enforcement. I think the PDP should 
> still be stateless, so we don't get state spread out all over the place, 
> but with the stateful component (of some unknown kind, but well defined) 
> which exposes itself as attributes, this kind of dynamic policies could 
> be specified externally from the application.
> 
> Best regards,
> Erik
> 
> On 12/17/2009 07:07 PM, Smith, Martin wrote:
>> David -- I have not delved in obligations, so I can't make any
>> meaningful comment. The list of exceptional circumstances are certainly
>> derived from policy, and it would be far better (less expensive, more
>> reliable) if they could be maintained there (in PDP) rather than having
>> to be coded (and updated) in every application. No idea how this would
>> be implemented, I'm afraid . . .
>>
>>   Martin
>>
>>
>> 
    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 19.  Re: [xacml] Break the Glass policies

    Posted 12-14-2009 14:45 
    On Mon, 14 Dec 2009, Ludwig Seitz wrote:

> Hi David,
>
> you might want to look at this:
> http://portal.acm.org/citation.cfm?id=1263871
>
> I think it is very similar to what you want to achieve.
>
> Regards,
>
> Ludwig

By odd coincidence, I encountered a reference to XACML and BTG
yesterday in an ACM SACMAT 2009 paper.  I provide some references
below, though I've not yet spotted an online copy of David's
ACSAC 2009 paper "How to Securely Break into RBAC: the BTG-RBAC Model"

================================================================================

"Extending Access Control Models with Break-glass"

Achim D. Brucker (achim.brucker@sap.com)
SAP Research

Helmut Petritsch (helmut.petritsch@sap.com)
SAP Research

Presented June 5, 2009 at ACM SACMAT
Proceedings of the Fourteenth ACM symposium on Access Control Models and 
Technologies
http://www.sacmat.org/2009/index.php

http://www.brucker.ch/bibliography/abstract/brucker.ea-extending-2009.en.html
http://www.brucker.ch/bibliography/download/2009/brucker.ea-extending-2009.pdf

Access control models are usually static, i.e., permissions are
granted based on a policy that only changes seldom. Especially
for scenarios in health care and disaster management, a more
flexible support of access control, i.e., the underlying policy,
is needed.

Break-glass is one approach for such a flexible support of
policies which helps to prevent system stagnation that could
harm lives or otherwise result in losses. Today, break-glass
techniques are usually added on top of standard access control
solutions in an ad-hoc manner and, therefore, lack an
integration into the underlying access control paradigm and
the systems' access control enforcement architecture. We
present an approach for integrating, in a fine-grained manner,
break-glass strategies into standard access control models
and their accompanying enforcement architecture. This
integration provides means for specifying break-glass policies
precisely and supporting model-driven development techniques
based on such policies.

Our contributions are four-fold: first, we present a generic
break-glass model. Second, we present a SecureUML extension
supporting break-glass. Third, we present a security architecture
supporting break-glass and, finally, a transformation from
break-glass SecureUML policies to XACML. The rest of the paper
is structured as follows: after introducing the preliminaries
of our work in Section 2, we present a generic break-glass
model which can be integrated into a large class of access
control models in Section 3. In the same section, we also
present, as an example for such an integration, an extension
for SecureUML supporting break-glass. We present a security
architecture supporting break-glass in Section 4. This
architecture is the target of the transformation of break-glass
SecureUML policies to XACML which we present in Section 5.
Finally report on related work in Section 6 and present our
conclusions in Section 7.

==================================================================

How to Securely Break into RBAC: the BTG-RBAC Model
Ana Ferreira, David Chadwick, Pedro Farinha, Gansen Zhao, Rui Chilro

2009 Annual Computer Security Applications Conference
http://www.acsac.org/2009/
http://www.acsac.org/2009/openconf/modules/request.php?module=oc_program&action=summary.php&id=135

Access control models describe frameworks that dictate how
subjects (e.g. users) access resources. In the Role-Based
Access Control (RBAC) model access to resources is based on
the role the user holds within the organization. Although
flexible and easier to manage within large-scale authorization
frameworks, RBAC is usually a static model where access
control decisions have only two output options: Grant or Deny.
Break The Glass (BTG) policies can be provided in order to
break or override the access controls within an access control
policy but in a controlled and justifiable manner. The main
objective of this paper is to integrate BTG within the
NIST/ANSI RBAC model in a transparent and secure way so that
it can be adopted generically in any domain where unanticipated
or emergency situations may occur. The new proposed model,
called BTG-RBAC, provides a third decision option BTG. This
allows break the glass policies to be implemented in any
application without any major changes to either the application
or the RBAC authorization infrastructure, apart from the
decision engine. Finally, in order to validate the model,
we discuss how the BTG-RBAC model is being introduced within
a Portuguese healthcare institution where the legislation
requires that genetic information must be accessed by a
restricted group of healthcare professionals. These
professionals, advised by the ethical committee, have required
and asked for the implementation of the BTG concept in order
to comply with the said legislation.

Related:

How to break access control in a controlled manner
http://kar.kent.ac.uk/14476/1/How_to_break_access_control_in_a_controlled_manner.pdf

Modular Authorisation Infrastructures
http://www.sti.uniurb.it/events/fosad08/slides/Chadwick_ModAuthz.pdf

===========

Robin Cover
OASIS, Director of Information Services
Editor, Cover Pages and XML Daily Newslink
Email: robin@oasis-open.org
Staff bio: http://www.oasis-open.org/who/staff.php#cover
Cover Pages: http://xml.coverpages.org/
Newsletter: http://xml.coverpages.org/newsletterArchive.html
Tel: +1 972-296-1783


On Mon, 14 Dec 2009, Ludwig Seitz wrote:

> Hi David,
>
> you might want to look at this:
> http://portal.acm.org/citation.cfm?id=1263871
>
> I think it is very similar to what you want to achieve.
>
> Regards,
>
> Ludwig
>
> -- 
> Ludwig Seitz, PhD             |   Axiomatics AB
> Training & Development        |   Electrum 223
> Phone: +46 (0)760 44 22 91    |   S-164 40 Kista, Sweden
> Mail: ludwig@axiomatics.com   |
>


  • 20.  Re: [xacml] Break the Glass policies

    Posted 12-15-2009 21:29
      |   view attached

    Attachment(s)

    pdf
    ACSACfinalSubmitted.pdf   926 KB 1 version


  • 21.  Re: [xacml] Break the Glass policies

    Posted 12-15-2009 20:57 
    Hi Ludwig

yes I am aware of Babak and Erick's paper. But this is an extremely 
complex way of achieving what is in effect quite straight forward to 
achieve with very simple policy rules (if you read our paper). No 
complex obligation combining rules are needed. Also I dont know if Babak 
and Erik's paper is now part of standard XACML or you still need 
extensions to it in order to achieve a BTG type of response (using 
obligations)

regards

David


Ludwig Seitz wrote:
> Hi David,
> 
> you might want to look at this:
> http://portal.acm.org/citation.cfm?id=1263871
> 
> I think it is very similar to what you want to achieve.
> 
> Regards,
> 
> Ludwig
> 

-- 
-------------------------------------------------------------
The Israeli group Breaking the Silence has just released a collection of
testimonies by Israeli soldiers that took part in the Gaza attack last
December and January. The testimonies expose significant gaps between 
the official stances of the Israeli military and events on the ground.

See  http://www.shovrimshtika.org/news_item_e.asp?id=30

The Israeli government defies Obama, and continues its settlement expansion

Israel plans to allocate $250 million over the next two years for 
settlements

http://www.palestinecampaign.org/index7b.asp?m_id=1&l1_id=4&l2_id=24&Content_ID=698

whilst simultaneously continuing to bulldoze Palestinian homes

http://salsa.democracyinaction.org/o/301/t/9462/campaign.jsp?campaign_KEY=27357

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************


  • 22.  Re: [xacml] Break the Glass policies

    Posted 12-14-2009 14:02 
    FYI, the way I have implemented this in the past is by hitting a point 
in the policy evaluation where a well-known BTG attribute is required. 
This can only be supplied by the PEP, so the result is indeterminate and 
the accompanying detail is that this attribute was missing. This signals 
the PEP that it should prompt the user for whether or not they want to 
proceed.

Personally, I like this style over a new kind of return value, since the 
first evaluation really isn't resulting in a decision. In other words, 
the result (to my mind at least) is that the PDP needs to know more 
before proceeding, which is what Indeterminate means. Hope this helps..


seth


  • 23.  Re: [xacml] Break the Glass policies

    Posted 12-15-2009 21:18 
    Hi Seth

this is an interesting approach and one I had not considered before. But 
I think it still has some flaws.

Firstly the PEP must operate by never sending this BTG attribute in its 
first request context (otherwise it would be assuming that the user 
always wants to BTG). If the response is grant or deny, end of story, 
but if it is indeterminate it asks the user if she wants to BTG. If the 
user says Yes, then the PEP passes the BTG attribute with the required 
value and gets grant plus obligations.

Now here is the first problem with your method. The user makes a second 
access request for the resource (say medical record) and now either the 
whole process is repeated to the annoyance of the user, and the 
duplication of obligation enforcement, or the intelligent PEP knows the 
user has already BTGed once so does not need to do it again and the PEP 
automatically sets the BTG attribute on the request context, whereupon 
the obligations are returned again. Now should the PEP enforce the 
obligations or ignore them?

Therefore, from the PEP's perspective it is not ideal for the following 
reasons.

i) does a clever PEP anticipate that the attribute is needed and 
therefore provide it, so that two calls are not needed?

ii) does a dumb PEP make the call, get indeterminate then make a second 
call, to the repeated annoyance of the user.

If you have a BTG response and a BTG state, then the user only needs to 
BTG once, the state is set and thereafter the accesses are granted with 
no obligations until the state is reset.

regards

David


Seth Proctor wrote:
> 
> FYI, the way I have implemented this in the past is by hitting a point 
> in the policy evaluation where a well-known BTG attribute is required. 
> This can only be supplied by the PEP, so the result is indeterminate and 
> the accompanying detail is that this attribute was missing. This signals 
> the PEP that it should prompt the user for whether or not they want to 
> proceed.
> 
> Personally, I like this style over a new kind of return value, since the 
> first evaluation really isn't resulting in a decision. In other words, 
> the result (to my mind at least) is that the PDP needs to know more 
> before proceeding, which is what Indeterminate means. Hope this helps..
> 
> 
> seth
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 

-- 
-------------------------------------------------------------
The Israeli group Breaking the Silence has just released a collection of
testimonies by Israeli soldiers that took part in the Gaza attack last
December and January. The testimonies expose significant gaps between 
the official stances of the Israeli military and events on the ground.

See  http://www.shovrimshtika.org/news_item_e.asp?id=30

The Israeli government defies Obama, and continues its settlement expansion

Israel plans to allocate $250 million over the next two years for 
settlements

http://www.palestinecampaign.org/index7b.asp?m_id=1&l1_id=4&l2_id=24&Content_ID=698

whilst simultaneously continuing to bulldoze Palestinian homes

http://salsa.democracyinaction.org/o/301/t/9462/campaign.jsp?campaign_KEY=27357

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************


  • 24.  Re: [xacml] Break the Glass policies

    Posted 12-16-2009 02:25 
    Hi David. You raise some interesting points, but respectfully I have to 
disagree with you.

> Firstly the PEP must operate by never sending this BTG attribute in its 
> first request context

I have built *many* systems where the user knows that they are supplying 
an attribute in the initial request to "break the glass." This can 
happen for many reasons, through the usual use-cases have to do with 
emergency medical access or other "first-responder" systems. I don't 
think this is required, but it's definitely a common scenario that I've 
come across in practice in many systems.

> [...]
> i) does a clever PEP anticipate that the attribute is needed and 
> therefore provide it, so that two calls are not needed?

This is entirely application-specific, as is everything else that you 
raise. It is *impossible* to know if a give application will want to 
query the user to ask if it's ok to "break the glass" with each request, 
if it wants to implement SSO, or if it wants to implement this silently. 
This is a fact. It has nothing to do with the given system. No matter 
what is supported directly in XACML, each system will have its own 
requirements, and I can say this confidently based on many years of 
working with teams who are trying to support exactly these kinds of 
use-cases.

It doesn't matter if there's some special BTG return or an 
Indeterminate, it's the same scenario. In both cases, the PDP says that 
it can't make a decision and provides detail about what it's missing to 
make that decision. The PEP is left to interpret this and decide what to 
do. It can be the current Indeterminate response or some new kind of 
response, but that will have *no* effect on the PEP, which will still be 
application-specific and have to decide how it responds to the PDP's 
decision.

In other words, any issues of how "smart" or "dumb" or "stateful" a PEP 
is doesn't come into play here. There is simply no difference between 
returning a special return type and retuning Indeterminate for a known 
attribute, except that the later is already part of the standard and can 
be modeled in the current XACML policy format.

The only issue here is whether there is some *standard* behavior for a 
resposnse from the PDP which specifies that we're in a BTG scenario and 
more detail is required. This has nothing to do with the response format 
itself, but could be defined by a profile that defines well-known 
attributes and well-known behavior based on those attributes.


seth


  • 25.  RE: [xacml] Break the Glass policies

    Posted 12-16-2009 03:29 
    Seems to me the general (and typical) case is that a policy may call for
more info than is provided by the initial set of user attributes. Maybe
this is info to be supplied:

by the user (a user-provided BTG certification or other self-assertion
-- where the only "attribute authority" is the user him/her-self); or
By a third party (like a supervisor or adjudicator  -- this is a
solution that has been recommended to deal with some homeland-security
situations); or
In the general environment (like a call to a Web service that provide
the current terrorism threat level, or maybe just the time.) 

Furthermore, I a really hoping that the PDP can determine the attributes
of the target in a general-purpose way. That is, a policy should be able
to be something like "if the user is a doctor and the resource is
subject to HPPA (a patient medical record), then . . "  How will the PDP
know that the resource is "subject to HPPA"? Presumably by examining the
query or the actual query results before making an access decision. (I
am not looking for AI here--just assuming that the resources are marked
up somehow with "access-relevant" attributes.)

So, the PDP has to be able to GATHER data from multiple sources to
acquire the variables required by the policies it is applying.   

Martin
 


    
                                                
    
					
                                                    

        
                                                
				
    
                                                
    
                                                    
                                                        
                                                        Original Message


  • 26.  Re: [xacml] Break the Glass policies

    Posted 12-17-2009 09:42 
    Hi Seth

I guess we will just have to disagree on your point about the semantics 
of the actual return code (see more below).

The real difference is that the BTG response requires a stateful PDP in 
order to work correctly, because once the glass is broken the PDP will 
return grants instead of BTG responses. Thus the PEP can be dumb but a 
high quality of service can be given to the user.

In your approach the indeterminate response works with a stateless PDP, 
which is why the state has to kept by the PEP if a high quality service 
is to be given to the user.

So, if the PDP remains stateless the format of the actual return is not 
that important as the behaviour will be the same in both cases. But if 
the PDP becomes stateful then the BTG response has clear advantages over 
indeterminate (but at a cost of complexity in implementing the PDP).

Seth Proctor wrote:
> 
> Hi David. You raise some interesting points, but respectfully I have to 
> disagree with you.
> 
>> Firstly the PEP must operate by never sending this BTG attribute in 
>> its first request context
> 
> I have built *many* systems where the user knows that they are supplying 
> an attribute in the initial request to "break the glass." This can 
> happen for many reasons, through the usual use-cases have to do with 
> emergency medical access or other "first-responder" systems. I don't 
> think this is required, but it's definitely a common scenario that I've 
> come across in practice in many systems.#


What you are doing here is putting an extra burden on the user (who is 
probably already stressed in an emergency situation) by requiring them 
to behave differently by providing an extra attribute in the emergency 
situation that they dont normally need to provide in a normal situation. 
Its a bit like them having a Get Out of Jail Free card in Monopoly, and 
having to present this when an emergency arises and not presenting it in 
normal situations. One has to ask, is this a reasonable and user 
friendly thing to do? Or is it better for the user to simply ask for 
access and then be told they can if they BTG and take the consequences.


> 
>> [...]
>> i) does a clever PEP anticipate that the attribute is needed and 
>> therefore provide it, so that two calls are not needed?
> 
> This is entirely application-specific, as is everything else that you 
> raise. It is *impossible* to know if a give application will want to 
> query the user to ask if it's ok to "break the glass" with each request, 
> if it wants to implement SSO, or if it wants to implement this silently. 

You see this is the burden that your mechanism requires, which is 
removed once you have a stateful BTG PDP.


> This is a fact. It has nothing to do with the given system. No matter 
> what is supported directly in XACML, each system will have its own 
> requirements, and I can say this confidently based on many years of 
> working with teams who are trying to support exactly these kinds of 
> use-cases.
> 
> It doesn't matter if there's some special BTG return or an 
> Indeterminate, it's the same scenario.

Same scenario but different semantics attached to the return code.

> In both cases, the PDP says that 
> it can't make a decision and provides detail about what it's missing to 
> make that decision.

No the above is the semantic of your response and of your response only.

The semantic of the BTG response is quite different. The semantic is 
more definite as the PDP has made a decision and it means "this user 
will be granted access if (s)he decides to first break the glass and 
take the consequences".


> The PEP is left to interpret this and decide what to 
> do.

that is correct in both cases. But the interpretation is different in 
both cases even if the PEPs actions are similar in both cases. However, 
with a BTG response (supplemented with standard obligations) the PEP can 
do much more tailored and sophisticated actions (unless you also allow 
obligations to be returned with indeterminate).

Furthermore, on the second and subsequent calls if the PEP behaves the 
same each time, the effect is different in the BTG case. In the 
indeterminate response case, the same sequence of actions will be 
repeated each time, but in the BTG case the second and subsequent 
responses will be Grant (up until the broken glass is repaired).


> It can be the current Indeterminate response or some new kind of 
> response, but that will have *no* effect on the PEP, which will still be 
> application-specific and have to decide how it responds to the PDP's 
> decision.

I assert that the BTG response with a stateful PDP will have a 
significant effect on the code that needs to be written for the PEP - it 
will be much simpler and will also give a better quality of service to 
the end user.


> 
> In other words, any issues of how "smart" or "dumb" or "stateful" a PEP 
> is doesn't come into play here. There is simply no difference between 
> returning a special return type and retuning Indeterminate for a known 
> attribute, except that the later is already part of the standard and can 
> be modeled in the current XACML policy format.


You are correct if the PDP remains stateless, since BTG cannot operate 
correctly in this case (since after the glass is broken the PDP will not 
remember that it has been broken and will ask for it to be broken again, 
so it is not true BTG, its BTG with unbreakable glass :-).


> 
> The only issue here is whether there is some *standard* behavior for a 
> resposnse from the PDP which specifies that we're in a BTG scenario and 
> more detail is required. This has nothing to do with the response format 
> itself, but could be defined by a profile that defines well-known 
> attributes and well-known behavior based on those attributes.

I agree that with your scenario and a stateless PDP it would be useful 
to profile the indeterminate response code and the missing attribute, 
and also give examples of how it is used.

regards

David

> 
> 
> seth
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************


  • 27.  Re: [xacml] Break the Glass policies

    Posted 12-17-2009 13:33 
    Hi David. I'm not sure where the disconnect is here, but let me try one 
more time..

> The real difference is that the BTG response requires a stateful PDP in 
> order to work correctly, because once the glass is broken the PDP will 
> return grants instead of BTG responses. Thus the PEP can be dumb but a 
> high quality of service can be given to the user.

I would argue this is no different than any other SSO scenario. Once a 
certain process has happened, you can resolve attribute values and make 
decisions that were unavailable before. You could build a custom PDP to 
do this, but I would tend to use the existing standards to push this to 
the PEP or PIPs.

> In your approach the indeterminate response works with a stateless PDP, 
> which is why the state has to kept by the PEP if a high quality service 
> is to be given to the user.
 >
> So, if the PDP remains stateless the format of the actual return is not 
> that important as the behaviour will be the same in both cases. But if 
> the PDP becomes stateful then the BTG response has clear advantages over 
> indeterminate (but at a cost of complexity in implementing the PDP).

I don't understand why you're getting caught up in the notion of 
staefulness here. There are many scenarios today where XACML is used by 
applications that change state based on the context or past interaction, 
and it doesn't require changing the PDP behavior. If all you want is to 
put state into the PDP (breaking the standard) then I would argue that 
you don't even need a new response format.

> [...]
> What you are doing here is putting an extra burden on the user (who is 
> probably already stressed in an emergency situation) by requiring them 
> to behave differently by providing an extra attribute in the emergency 
> situation that they dont normally need to provide in a normal situation. 

No. Let me be clear: that is absolutely not true. I have said absolutely 
nothing about the user in this situation. Yes, sometimes you want to 
prompt the user, and other times you want the system to take action. All 
I have described is how the PDP and PEP interact. In your original email 
you described a 2-pass protocol where the PDP returned a special message 
to the PEP which then sent a new request, and this is *all* that I also 
have suggested. It's completely up to an application/system to decide if 
the user needs to be prompted before continuing.

>> This is entirely application-specific, as is everything else that you 
>> raise. It is *impossible* to know if a give application will want to 
>> query the user to ask if it's ok to "break the glass" with each 
>> request, if it wants to implement SSO, or if it wants to implement 
>> this silently. 
> 
> You see this is the burden that your mechanism requires, which is 
> removed once you have a stateful BTG PDP.

Again, you're confused about the roles here. I'm very clear to say that 
it's the application's option to decide how the user interacts with the 
system. When I have built exactly the systems you are describing I have 
often done it for uses where the user should not be queried, and where 
the PEP know what to do in these cases. There is state, and it's easy to 
implement, but it doesn't require changing anything about the XACML 
processing model.

>> It doesn't matter if there's some special BTG return or an 
>> Indeterminate, it's the same scenario.
> 
> Same scenario but different semantics attached to the return code.

This is exactly my point. You and I are suggesting exactly the same 
thing: there should be some return from the PDP that the PEP recognizes. 
This return should result in future operations being permitted. All I'm 
saying is that this is pretty easy to do today with the existing system. 
I'll also repeat my suggestion that a profile describing specific 
attributes and state models for supporting this in practice would be a 
great contribution.

>> In both cases, the PDP says that it can't make a decision and provides 
>> detail about what it's missing to make that decision.
> 
> No the above is the semantic of your response and of your response only.
> 
> The semantic of the BTG response is quite different. The semantic is 
> more definite as the PDP has made a decision and it means "this user 
> will be granted access if (s)he decides to first break the glass and 
> take the consequences".

Ah. Now that's different than what you said in your first email. This is 
not a different kind of response, but a PERMIT with Obligations. To 
support what you say above only requires a single message, and can 
easily be done today. Personally I don't like this model, because I 
think Obligations are things that you should make a "best effort" to 
discharge, but this gets back to a long history of what Obligations are 
and how you deal with them :)

>> The PEP is left to interpret this and decide what to do.
> 
> that is correct in both cases. But the interpretation is different in 
> both cases even if the PEPs actions are similar in both cases. However, 
> with a BTG response (supplemented with standard obligations) the PEP can 
> do much more tailored and sophisticated actions (unless you also allow 
> obligations to be returned with indeterminate).
> 
> Furthermore, on the second and subsequent calls if the PEP behaves the 
> same each time, the effect is different in the BTG case. In the 
> indeterminate response case, the same sequence of actions will be 
> repeated each time, but in the BTG case the second and subsequent 
> responses will be Grant (up until the broken glass is repaired).

Umm, no, in what I was proposing the second and subsequent responses are 
all permitted because the PEP understands that this is a BTG scenario 
and continues to provide the attribute(s) needed to trigger that logic path.

>> It can be the current Indeterminate response or some new kind of 
>> response, but that will have *no* effect on the PEP, which will still 
>> be application-specific and have to decide how it responds to the 
>> PDP's decision.
> 
> I assert that the BTG response with a stateful PDP will have a 
> significant effect on the code that needs to be written for the PEP - it 
> will be much simpler and will also give a better quality of service to 
> the end user.

Speaking as an implementor of both PDPs and PEPs, I'm not sure I agree 
with you here. Among other things, I've built many systems where there 
is a cluster of PDPs that can hit, each of which will provide the same 
response. I've also needed fail-over or quick-restart PDP services. In 
your "stateful PDP" these couldn't be supported. This is just part of 
why the XACML standard explicitly forbids side-effects. If you make the 
"state change" at the PIP that is providing the BTG state value, or in 
the PEP supporting the user, you're ok.

Note that the PEP can remain stateless, and pass back the initial result 
to the application. This doesn't mean the *user* will be prompted, only 
that the application is asked what to do. Now, you can put the state in 
the application, and it can know to provide the BTG go-ahead in each 
future request without having to change anything else in the system. 
This is something I've done in practice for hospital systems as well as 
financial apps, and it works quite well.

I hope this helps clarify a little more what I'm talking about. To be 
clear, I agree completely that BTG-type scenarios are extremely useful, 
I just think that it's easy to implement them a number of ways in the 
existing XACML specification today. I would be very interested to see 
profiles/papers written to capture best-practices and standard 
attributes here. In fact, David, if you'd like to work on something like 
this with me, please let me know!


seth


ps  I hesitate to add this, but I've also done BTG-type scenarios using 
a totally different design approach. Styled in more of a 
trust-management system, I've used policies that are by their nature 
flexible, and generally designed to permit with different levels of 
Obligations. There is no explicit notion of "breaking the glass" there 
is only the system's attempt to decide the context and appropriateness 
of the request and how to balance this against the risk of permitting 
the action. This has the nice property that no state is needed and the 
users are never interrupted. This would take a long time to explain, but 
I thought I'd throw it out there as another example of how the current 
spec can be used for these scenarios..


  • 28.  Re: [xacml] Break the Glass policies

    Posted 12-22-2009 00:02 
    Hi Seth

I think the real disconnect was highlighted by Martin. I am wanting to 
remove as much as possible from the application developers (which to me 
is the PEP) and put as much of the work as possible in the application 
independent code (which currently is the PDP) in order to simplify the 
task for application developers. Your approach however places some 
burden on the PEP developers.

In my latest paper at DIM in Chicago which I presented in November, I 
proposed an application independent PEP (AIPEP) that could do some or 
all of this work on behalf of the PDP. In this way the PEP has nothing 
to do, the PDP remains stateless, and the AIPEP holds the state and does 
other work that is application independent (like calling the PIPs etc).

So if you take the viewpoint, how can I provide BTG functionality for 
all applications so that they have the minimum of extra work to do (ie. 
no state holding or special code of knowledge other than behaving in one 
fixed way for one new response type) then you will probably see where I 
am coming from. I believe that I can see your viewpoint, since you say 
you are an implementor of both PDPs and PEPs, and it requires some 
application specific tweaking in order to get BTG to work efficiently. 
In our work we generally do not provide any PEP code and therefore we 
want to do everything for the application in the application independent 
layer.

However you are correct in saying that a stateful PDP does present its 
own problems when distributed decision making has to take place, which 
means that extraction of state to an outside entity can be beneficial, 
but as my other email points out this also has its own disadvantages.

I would be happy to work on a profile with you.

Concerning your last P.S. this sounds a bit like the DOD operational 
need overriding PDP decision scenario, but its going to be complex to 
determine the value of operational need.

regards

David


Seth Proctor wrote:
> 
> Hi David. I'm not sure where the disconnect is here, but let me try one 
> more time..
> 
>> The real difference is that the BTG response requires a stateful PDP 
>> in order to work correctly, because once the glass is broken the PDP 
>> will return grants instead of BTG responses. Thus the PEP can be dumb 
>> but a high quality of service can be given to the user.
> 
> I would argue this is no different than any other SSO scenario. Once a 
> certain process has happened, you can resolve attribute values and make 
> decisions that were unavailable before. You could build a custom PDP to 
> do this, but I would tend to use the existing standards to push this to 
> the PEP or PIPs.
> 
>> In your approach the indeterminate response works with a stateless 
>> PDP, which is why the state has to kept by the PEP if a high quality 
>> service is to be given to the user.
>  >
>> So, if the PDP remains stateless the format of the actual return is 
>> not that important as the behaviour will be the same in both cases. 
>> But if the PDP becomes stateful then the BTG response has clear 
>> advantages over indeterminate (but at a cost of complexity in 
>> implementing the PDP).
> 
> I don't understand why you're getting caught up in the notion of 
> staefulness here. There are many scenarios today where XACML is used by 
> applications that change state based on the context or past interaction, 
> and it doesn't require changing the PDP behavior. If all you want is to 
> put state into the PDP (breaking the standard) then I would argue that 
> you don't even need a new response format.
> 
>> [...]
>> What you are doing here is putting an extra burden on the user (who is 
>> probably already stressed in an emergency situation) by requiring them 
>> to behave differently by providing an extra attribute in the emergency 
>> situation that they dont normally need to provide in a normal situation. 
> 
> No. Let me be clear: that is absolutely not true. I have said absolutely 
> nothing about the user in this situation. Yes, sometimes you want to 
> prompt the user, and other times you want the system to take action. All 
> I have described is how the PDP and PEP interact. In your original email 
> you described a 2-pass protocol where the PDP returned a special message 
> to the PEP which then sent a new request, and this is *all* that I also 
> have suggested. It's completely up to an application/system to decide if 
> the user needs to be prompted before continuing.
> 
>>> This is entirely application-specific, as is everything else that you 
>>> raise. It is *impossible* to know if a give application will want to 
>>> query the user to ask if it's ok to "break the glass" with each 
>>> request, if it wants to implement SSO, or if it wants to implement 
>>> this silently. 
>>
>> You see this is the burden that your mechanism requires, which is 
>> removed once you have a stateful BTG PDP.
> 
> Again, you're confused about the roles here. I'm very clear to say that 
> it's the application's option to decide how the user interacts with the 
> system. When I have built exactly the systems you are describing I have 
> often done it for uses where the user should not be queried, and where 
> the PEP know what to do in these cases. There is state, and it's easy to 
> implement, but it doesn't require changing anything about the XACML 
> processing model.
> 
>>> It doesn't matter if there's some special BTG return or an 
>>> Indeterminate, it's the same scenario.
>>
>> Same scenario but different semantics attached to the return code.
> 
> This is exactly my point. You and I are suggesting exactly the same 
> thing: there should be some return from the PDP that the PEP recognizes. 
> This return should result in future operations being permitted. All I'm 
> saying is that this is pretty easy to do today with the existing system. 
> I'll also repeat my suggestion that a profile describing specific 
> attributes and state models for supporting this in practice would be a 
> great contribution.
> 
>>> In both cases, the PDP says that it can't make a decision and 
>>> provides detail about what it's missing to make that decision.
>>
>> No the above is the semantic of your response and of your response only.
>>
>> The semantic of the BTG response is quite different. The semantic is 
>> more definite as the PDP has made a decision and it means "this user 
>> will be granted access if (s)he decides to first break the glass and 
>> take the consequences".
> 
> Ah. Now that's different than what you said in your first email. This is 
> not a different kind of response, but a PERMIT with Obligations. To 
> support what you say above only requires a single message, and can 
> easily be done today. Personally I don't like this model, because I 
> think Obligations are things that you should make a "best effort" to 
> discharge, but this gets back to a long history of what Obligations are 
> and how you deal with them :)
> 
>>> The PEP is left to interpret this and decide what to do.
>>
>> that is correct in both cases. But the interpretation is different in 
>> both cases even if the PEPs actions are similar in both cases. 
>> However, with a BTG response (supplemented with standard obligations) 
>> the PEP can do much more tailored and sophisticated actions (unless 
>> you also allow obligations to be returned with indeterminate).
>>
>> Furthermore, on the second and subsequent calls if the PEP behaves the 
>> same each time, the effect is different in the BTG case. In the 
>> indeterminate response case, the same sequence of actions will be 
>> repeated each time, but in the BTG case the second and subsequent 
>> responses will be Grant (up until the broken glass is repaired).
> 
> Umm, no, in what I was proposing the second and subsequent responses are 
> all permitted because the PEP understands that this is a BTG scenario 
> and continues to provide the attribute(s) needed to trigger that logic 
> path.
> 
>>> It can be the current Indeterminate response or some new kind of 
>>> response, but that will have *no* effect on the PEP, which will still 
>>> be application-specific and have to decide how it responds to the 
>>> PDP's decision.
>>
>> I assert that the BTG response with a stateful PDP will have a 
>> significant effect on the code that needs to be written for the PEP - 
>> it will be much simpler and will also give a better quality of service 
>> to the end user.
> 
> Speaking as an implementor of both PDPs and PEPs, I'm not sure I agree 
> with you here. Among other things, I've built many systems where there 
> is a cluster of PDPs that can hit, each of which will provide the same 
> response. I've also needed fail-over or quick-restart PDP services. In 
> your "stateful PDP" these couldn't be supported. This is just part of 
> why the XACML standard explicitly forbids side-effects. If you make the 
> "state change" at the PIP that is providing the BTG state value, or in 
> the PEP supporting the user, you're ok.
> 
> Note that the PEP can remain stateless, and pass back the initial result 
> to the application. This doesn't mean the *user* will be prompted, only 
> that the application is asked what to do. Now, you can put the state in 
> the application, and it can know to provide the BTG go-ahead in each 
> future request without having to change anything else in the system. 
> This is something I've done in practice for hospital systems as well as 
> financial apps, and it works quite well.
> 
> I hope this helps clarify a little more what I'm talking about. To be 
> clear, I agree completely that BTG-type scenarios are extremely useful, 
> I just think that it's easy to implement them a number of ways in the 
> existing XACML specification today. I would be very interested to see 
> profiles/papers written to capture best-practices and standard 
> attributes here. In fact, David, if you'd like to work on something like 
> this with me, please let me know!
> 
> 
> seth
> 
> 
> ps  I hesitate to add this, but I've also done BTG-type scenarios using 
> a totally different design approach. Styled in more of a 
> trust-management system, I've used policies that are by their nature 
> flexible, and generally designed to permit with different levels of 
> Obligations. There is no explicit notion of "breaking the glass" there 
> is only the system's attempt to decide the context and appropriateness 
> of the request and how to balance this against the risk of permitting 
> the action. This has the nice property that no state is needed and the 
> users are never interrupted. This would take a long time to explain, but 
> I thought I'd throw it out there as another example of how the current 
> spec can be used for these scenarios..
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************


Related Content