Subject: Re: [xacml] Behavior of deny-overrides
I believe Barth and Mitchell made the same comments about EPAL's
"First-Applicable" rule in one or both of the two following papers:

1. Adam Barth and John C. Mitchell. Enterprise Privacy Promises and
   Enforcement. In WITS 2005: Proceedings of the 2005 ACM Workshop on
   Issues in the Theory of Security. 2005.

2. Adam Barth, John C. Mitchell, and Justin Rosenstein. Conflict and
   Combination in Privacy Policy Languages. In WPES 2004: Proceedings of
   the 2004 ACM Workshop on Privacy in the Electronic Society. 2004.

Regards,
Anne

On 01/30/07 10:26, Erik Rissanen wrote:
> All,
>
> Olav Bandmann has discovered that a couple of the 2.0 combining
> algorithms have "weird" effects sometimes. I am not sure if this was
> already known, or if anything should be done about it.
>
> This is a bit difficult to explain, but I will make an attempt. One can
> define a soundness criterion for policy combining algorithms: A
> combining algorithm is sound iff a constituent policy cannot cause a
> combined decision which the constituent policy would never evaluate to
> in isolation. By this definition, the deny-overrides algorithm is not
> sound. For instance:
>
> P1 has a single rule with a Permit effect. This policy in isolation can
> never evaluate to a Deny.
>
> PS is a policy set with a number of policies:
>
>        PS
>       /|
>      / |
>     /  |
>   P2-Pn
>
> PS uses a deny-overrides policy combining algorithm. Assume that for a
> request R, PS, as it is, will evaluate to Permit. Now, insert P1 into PS:
>
>        PS
>       /|\
>      / | \
>     /  |  \
>   P2-Pn    P1
>
> Let's evaluate R against PS again and let's say that P1 evaluates to
> indeterminate. This will cause PS to be Deny. P1 made PS into a Deny,
> although P1 can never evaluate to Deny in isolation!
>
> There is a similar behavior in the only-one-applicable.
>
> So, why is this a problem? Because it makes it harder to understand a
> complex policy. You cannot look at the parts in isolation. For instance,
> if several administrators are responsible for parts of a large policy
> set, then their policies could have effects that they did not intend or
> anticipate.
>
> One could argue that the algorithms have a well defined behavior, so
> they are not "wrong" and they behave as intended. That could be said
> about the only-one-applicable algorithm for instance, or if I for some
> reason want to define an algorithm which inverts everything, makes its
> decisions randomly, or whatever.
>
> However, in the case of deny-overrides, the algorithm could have been
> designed so it would have been sound in this respect.
>
> Olav suspects (and so do I) that the motivation for the current design
> was based on concerns about access being allowed in case of an error: If
> PS uses deny-overrides and P1 evaluates to indeterminate, then perhaps
> P1 could have evaluated to Deny if there was no error? So to be safe, we
> make the whole a Deny. However, it would have been better to make it
> indeterminate, and then have a Deny biased PEP instead, if denying
> access is important in case of uncertainty in policy evaluation.
>
> Is this already known? Is it a concern? To fix it, we could define a new
> combining algorithm which does not have this behavior and recommend
> people to use it instead of the old one.
>
> Regards,
> Erik
>
>

--
Anne H. Anderson                       Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories          Tel:   781/442-0928
1 Network Drive, UBUR02-311            Fax:   781/442-1692
Burlington, MA 01803-0902 USA
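The scenario Erik describes, worked through in code. This is an added example, not code from the thread or from any XACML implementation: the policies P1 and P2, the request R and the "sound" variant are constructed here, and `deny_overrides_xacml2` follows the XACML 2.0 policy-combining pseudocode, in which an Indeterminate constituent is turned into Deny.

```python
# Decisions use the XACML vocabulary from the thread.
PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

def deny_overrides_xacml2(decisions):
    """XACML 2.0 deny-overrides (policy combining): Deny wins, and any
    Indeterminate constituent is also turned into Deny."""
    at_least_one_permit = False
    for d in decisions:
        if d in (DENY, INDETERMINATE):   # Indeterminate -> Deny is the unsound step
            return DENY
        if d == PERMIT:
            at_least_one_permit = True
    return PERMIT if at_least_one_permit else NOT_APPLICABLE

def deny_overrides_sound(decisions):
    """Hypothetical variant in the spirit of Erik's proposal (not from any
    XACML spec): Deny still wins, but Indeterminate is propagated unchanged."""
    seen_indeterminate = at_least_one_permit = False
    for d in decisions:
        if d == DENY:
            return DENY
        if d == INDETERMINATE:
            seen_indeterminate = True
        elif d == PERMIT:
            at_least_one_permit = True
    if seen_indeterminate:
        return INDETERMINATE
    return PERMIT if at_least_one_permit else NOT_APPLICABLE

def deny_biased_pep(decision):
    """Deny-biased PEP: grant access only on Permit; anything else is refused."""
    return decision == PERMIT

# Constructed policies standing in for P1 and P2..Pn of the message.
def p1_single_permit_rule(request):
    """One Permit rule on the 'role' attribute. A missing attribute makes the
    evaluation fail, which XACML reports as Indeterminate; no path yields Deny."""
    if "role" not in request:
        return INDETERMINATE
    return PERMIT if request["role"] == "staff" else NOT_APPLICABLE

def p2_permit_reads(request):
    return PERMIT if request.get("action") == "read" else NOT_APPLICABLE

def evaluate_policy_set(policies, request, combiner):
    """Evaluate every constituent against the request, then combine."""
    return combiner([p(request) for p in policies])

REQUEST_R = {"action": "read"}  # constructed request with no 'role' attribute
```

Evaluating `REQUEST_R` against `[p2_permit_reads]` gives Permit; appending `p1_single_permit_rule` flips the XACML 2.0 result to Deny even though P1 alone only yields Indeterminate, while the sound variant returns Indeterminate and leaves the refusal to the deny-biased PEP.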