

Subject: Re: [xacml] Behavior of deny-overrides


I believe Barth and Mitchell made the same comments about EPAL's 
"First-Applicable" rule in one or both of the two following papers:

# Adam Barth and John C. Mitchell. Enterprise Privacy Promises and 
Enforcement. In WITS 2005: Proceedings of the 2005 ACM Workshop on 
Issues in the Theory of Security. 2005.
# Adam Barth, John C. Mitchell, and Justin Rosenstein. Conflict and 
Combination in Privacy Policy Languages. In WPES 2004: Proceedings of 
the 2004 ACM Workshop on Privacy in the Electronic Society. 2004.

Regards,
Anne

Erik Rissanen wrote on 01/30/07 10:26:
> All,
> 
> Olav Bandmann has discovered that a couple of the 2.0 combining
> algorithms have "weird" effects sometimes. I am not sure if this was
> already known, or if anything should be done about it.
> 
> This is a bit difficult to explain, but I will make an attempt. One can
> define a soundness criterion for policy combining algorithms: A
> combining algorithm is sound iff a constituent policy cannot cause a
> combined decision which the constituent policy would never evaluate to
> in isolation. By this definition, the deny-overrides algorithm is not
> sound. For instance:
> 
> P1 has a single rule with a Permit effect. This policy in isolation can
> never evaluate to a Deny.
> 
> PS is a policy set with a number of policies:
> 
>      PS
>      /|
>     / |
>    /  |
>   P2-Pn
> 
> PS uses a deny-overrides policy combining algorithm. Assume that for a
> request R, PS, as it is, will evaluate to Permit. Now, insert P1 into PS:
> 
>      PS
>     /|\
>    / | \
>   /  |  \
>  P2-Pn   P1
> 
> Let’s evaluate R against PS again and let’s say that P1 evaluates to
> indeterminate. This will cause PS to be Deny. P1 made PS into a Deny,
> although P1 can never evaluate to Deny in isolation!
> 
> There is a similar behavior in the only-one-applicable.
> 
> So, why is this a problem? Because it makes it harder to understand a
> complex policy. You cannot look at the parts in isolation. For instance,
> if several administrators are responsible for parts of a large policy
> set, then their policies could have effects that they did not intend or
> anticipate.
> 
> One could argue that the algorithms have a well defined behavior, so
> they are not “wrong” and they behave as intended. That could be said
> about the only-one-applicable algorithm for instance, or if I for some
> reason want to define an algorithm which inverts everything, makes its
> decisions randomly, or whatever.
> 
> However, in the case of deny-overrides, the algorithm could have been
> designed so it would have been sound in this respect.
> 
> Olav suspects (and so do I) that the motivation for the current design
> was based on concerns about access being allowed in case of an error: If
> PS uses deny-overrides and P1 evaluates to indeterminate, then perhaps
> P1 could have evaluated to Deny if there was no error? So to be safe, we
> make the whole a Deny. However, it would have been better to make it
> indeterminate, and then have a Deny-biased PEP instead, if denying
> access is important in case of uncertainty in policy evaluation.
> 
> Is this already known? Is it a concern? To fix it, we could define a new
> combining algorithm which does not have this behavior and recommend
> people to use it instead of the old one.
> 
> Regards,
> Erik

-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
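As an added illustration, not code from this thread or from any XACML implementation: a small model of the 2.0 deny-overrides policy-combining algorithm as Erik describes it, his soundness criterion as a check, and a hypothetical variant that propagates Indeterminate and leaves the deny bias to the PEP. The outcomes of P2..Pn for request R are constructed sample values.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"

def deny_overrides_2_0(decisions):
    # XACML 2.0 policy-combining deny-overrides as the thread describes it:
    # any Deny, or any Indeterminate, is promoted to a combined Deny.
    if Decision.DENY in decisions or Decision.INDETERMINATE in decisions:
        return Decision.DENY
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE

def deny_overrides_propagating(decisions):
    # Hypothetical variant along the lines Erik suggests: Indeterminate is
    # passed through rather than promoted to Deny, so the PEP decides.
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.INDETERMINATE in decisions:
        return Decision.INDETERMINATE
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE

def unsound_effect(combine, others, inserted, inserted_can_yield):
    # Soundness check from the thread: inserting a policy must not change the
    # combined decision to one that policy could never reach in isolation.
    # Returns the offending combined decision, or None if the insertion is sound.
    before = combine(others)
    after = combine(others + [inserted])
    if after != before and after not in inserted_can_yield:
        return after
    return None

def deny_biased_pep(decision):
    # A deny-biased PEP grants access only on an explicit Permit.
    return decision == Decision.PERMIT

# Constructed scenario: P2..Pn combine to Permit for request R, and P1
# (a single Permit rule) happens to evaluate to Indeterminate for R.
P2_TO_PN = [Decision.PERMIT, Decision.NOT_APPLICABLE, Decision.NOT_APPLICABLE]
P1_CAN_YIELD = {Decision.PERMIT, Decision.NOT_APPLICABLE, Decision.INDETERMINATE}
P1_ACTUAL = Decision.INDETERMINATE

if __name__ == "__main__":
    for name, algo in [("2.0 deny-overrides", deny_overrides_2_0),
                       ("propagating variant", deny_overrides_propagating)]:
        bad = unsound_effect(algo, P2_TO_PN, P1_ACTUAL, P1_CAN_YIELD)
        print(name, "->", algo(P2_TO_PN + [P1_ACTUAL]).value,
              "| unsound effect:", bad.value if bad else None)
```

With the 2.0 algorithm the check reports Deny as an unsound effect of inserting P1; with the propagating variant the set evaluates to Indeterminate, which the deny-biased PEP still refuses.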


