
The Usage Control authorization model and the implementing of the time aspect

2. A Primer to Grid Computing and Access Control Models

2.3. The time aspect in access control models

2.3.2. The Usage Control authorization model and the implementing of the time aspect

The Usage Control model (UCON) is defined using the OM-AM (Objectives, Models, Architectures, and Mechanisms) framework. At the objective layer of the UCON OM-AM model (see Figure 11), the general subject and object attributes are defined. In the model layer, the conceptual and the formal UCON models are presented as in [25, 144, 145]. In the architecture layer, a traditional server-side reference monitor (SRM), an emerging client-side reference monitor (CRM), or a combination of the two is used to support a UCON system [145]. In the mechanisms layer, UCON makes use of existing DRM technologies (e.g. watermarking) or trusted computing technologies (which provide mechanisms to support client-side reference monitors). A policy can be specified in XML with standard approaches such as the eXtensible Access Control Markup Language (XACML) for security policies and the eXtensible rights Markup Language (XrML) for DRM policies [145].

Figure 11: The OM-AM framework for UCON systems as proposed by Sandhu et al. [145].

UCON lies in the model layer and provides an abstract interpretation of the requirements.

Usage Control components

The Usage Control system has six components (see Figure 12): subject and attributes, object and attributes, rights, authorizations, obligations, and conditions.

The authorization, obligations and conditions are components of usage control decisions. An authorization rule permits or denies access of a subject to an object with a specific right based on subject and object attributes. Obligations are activities that are performed by subjects or by the system. Conditions are system environment restrictions, not related to subject or object attributes.

Figure 12: The Usage Control model [23, 144-146]. The intent of the double circles surrounding objects and subjects is to indicate sets, so we have a set of subjects and a set of objects [147].

The phases of a usage process

The usage process consists of three phases: before usage, ongoing usage, and after usage (see Figure 13). To enforce control decisions, UCON distinguishes two different types: pre-decision and ongoing-decision. In the after-usage phase, the original UCON model [23] does not enforce any decision since there is no access control after a user finishes her usage.

Figure 13: The continuity of decisions and the mutability of attributes in the UCON model.

These are the advantages of UCON over the traditional access control models [145].

For mutability of attributes, there are three kinds of updates along the three phases: pre-update, ongoing-update, and post-update. In UCON all these updates are performed and monitored by the system [145], which limits the UCON model in its formal definition to closed systems.

The Usage Control core models

Based on the relationship between authorization decisions and attribute mutability, Park and Sandhu defined seven core models [23, 25]:

a) three pre-authorization models, in which the usage decision is determined before access: no subject or object attributes are updated (preA0), attributes are updated before usage (preA1), and attributes are updated after usage (preA3).

b) four ongoing-authorization models, in which the usage decision is determined during access: no attributes are updated (onA0), attributes are updated before usage (onA1), attributes are updated during usage (onA2), and attributes are updated after usage (onA3). Analogously, Park and Sandhu defined the models for oBligations (B) and Conditions (C), as shown in Table 3.

Table 3: The 16 basic UCON ABC models [23, 25]. “Y” (yes) for included and “N” (no) for not included in the UCON models. “A” stands for Authorization, “B” for oBligations, “C” for Conditions.

        0 (immutable)   1 (pre-update)   2 (ongoing-update)   3 (post-update)
preA    Y               Y                N                    Y
onA     Y               Y                Y                    Y
preB    Y               Y                N                    Y
onB     Y               Y                Y                    Y
preC    Y               N                N                    N
onC     Y               N                N                    N

The preA2, preB2, and all mutable condition core models (preC1, preC2, preC3, onC1, onC2, and onC3) are not included in the original UCON core models.

Sandhu et al. argued that the reason for not including preA2 and preB2 is that ongoing updates can be postponed to the after-usage phase, since the usage decision has already been made and is not affected during the usage process [23, 25].

Zhang, who wrote the UCON specification, extended these models to include all the remaining possibilities, arguing that concurrent usage processes may exist in a system, i.e. ongoing updates of one usage can affect other usages [145]. For the mutable condition core models, subject and/or object attributes can also be updated, for example usage time and usage logs. Similarly, an update in a usage process of a condition core model can affect other usage processes [145]. We will see at the end of this section why this is not possible with the UCON formal model.

The Usage Control transition system

In UCON, there are three different kinds of variables: subject attributes, object attributes, and system attributes. The authorization is determined by subjects’ attributes, objects’ attributes, and rights. A state of a subject or an object is an assignment of values to the attributes. System attributes are variables that are not directly related to a subject or to an object, such as the system clock or location. The system has six states¹²; the transition from one state to another is a usage control action (see Figure 14).

The actions are categorized into two classes: actions performed by a subject and actions performed by the system. tryaccess and endaccess are performed by the subject (user), while all other actions are performed by the system. For a usage process, there can be multiple preupdate, onupdate, and postupdate actions for different attributes before, during, and after the access, respectively. Also, in the ongoing usage phase there may be continual or periodic onupdate actions for attributes.

12 The UCON formal model defines a function state(s, o, r), which is a mapping from {(s, o, r)} to {initial, requesting, denied, accessing, revoked, end}, where s stands for subject, o for object and r for right.

Figure 14: State transition of a single access with Usage Control actions [145]. All actions are performed by one actor, which makes UCON not adequate for grid computing.
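The state transition system described above can be made concrete with a small reference monitor. The following Python code is an added illustration for this section and is not code from the thesis or from the UCON authors. It implements the six states of state(s, o, r) named in footnote 12, the subject actions tryaccess and endaccess, and the system actions permitaccess, denyaccess, preupdate, onupdate/revocation and postupdate. The concrete policy (a credit-based preA1 pre-authorization combined with an ongoing expiry check), the action name revokeaccess, and the attribute names credit, expires_at and usages are assumptions made for the example.

```python
"""Minimal usage-control (UCON) reference monitor for one usage process.

Added illustration, not code from the thesis or from the UCON authors.
States follow state(s, o, r): initial, requesting, denied, accessing,
revoked, end. Policy, attribute names and 'revokeaccess' are assumed.
"""
from dataclasses import dataclass, field

STATES = {"initial", "requesting", "denied", "accessing", "revoked", "end"}

# Legal transitions (from_state, action) -> to_state, assumed from the
# textual description: tryaccess moves initial->requesting, the system
# permits or denies, and an accessing usage ends (subject) or is revoked.
TRANSITIONS = {
    ("initial", "tryaccess"): "requesting",
    ("requesting", "permitaccess"): "accessing",
    ("requesting", "denyaccess"): "denied",
    ("accessing", "endaccess"): "end",
    ("accessing", "revokeaccess"): "revoked",
}
SUBJECT_ACTIONS = {"tryaccess", "endaccess"}   # performed by the user


@dataclass
class Usage:
    subject: dict          # mutable subject attributes, e.g. {"credit": 3}
    obj: dict              # mutable object attributes, e.g. {"expires_at": 10}
    right: str
    state: str = "initial"
    trace: list = field(default_factory=list)   # (actor, action, new_state)

    def step(self, action, actor):
        """Apply one usage-control action; reject illegal transitions
        and actions issued by the wrong actor."""
        key = (self.state, action)
        if key not in TRANSITIONS:
            raise ValueError(f"{action} not allowed in state {self.state}")
        expected = "subject" if action in SUBJECT_ACTIONS else "system"
        if actor != expected:
            raise ValueError(f"{action} must be performed by the {expected}")
        self.state = TRANSITIONS[key]
        self.trace.append((actor, action, self.state))


def pre_authorize(u):
    """preA1 policy (assumed): 'read' needs credit >= 1; when granted, a
    preupdate charges one credit before the usage starts."""
    if u.right != "read" or u.subject.get("credit", 0) < 1:
        u.step("denyaccess", "system")
        return False
    u.subject["credit"] -= 1                       # preupdate(credit)
    u.trace.append(("system", "preupdate", u.state))
    u.step("permitaccess", "system")
    return True


def ongoing_check(u, system):
    """Ongoing decision (assumed): revoke once the system clock passes
    the object's expiry; no attribute is updated (immutable variant)."""
    if u.state != "accessing":
        return False
    if system["clock"] > u.obj.get("expires_at", float("inf")):
        u.step("revokeaccess", "system")
        return False
    return True


def run_usage(credit, expires_at, clock_ticks):
    """Drive one complete usage process through the three phases.
    Returns (final_state, remaining_credit)."""
    u = Usage(subject={"credit": credit}, obj={"expires_at": expires_at},
              right="read")
    u.step("tryaccess", "subject")                 # before-usage phase
    if not pre_authorize(u):
        return u.state, u.subject["credit"]
    for clock in clock_ticks:                      # ongoing-usage phase
        if not ongoing_check(u, {"clock": clock}):
            return u.state, u.subject["credit"]
    u.step("endaccess", "subject")                 # after-usage phase
    u.obj["usages"] = u.obj.get("usages", 0) + 1   # postupdate(usages)
    return u.state, u.subject["credit"]


if __name__ == "__main__":
    print(run_usage(credit=2, expires_at=10, clock_ticks=[1, 2, 3]))  # ('end', 1)
    print(run_usage(credit=0, expires_at=10, clock_ticks=[1]))        # ('denied', 0)
    print(run_usage(credit=1, expires_at=2, clock_ticks=[1, 3]))      # ('revoked', 0)
```

Note that every transition is performed by the single monitor process that owns the attributes, which is exactly the single-actor assumption the figure caption points to: the subject can only trigger tryaccess and endaccess, all decisions and updates are the system's.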

The Usage Control formal model

UCON uses the Temporal Logic of Actions (TLA) [148], extended to include past operators, in order to define the formal model. The formal model uses the basic temporal operators “Always” ($\Box$), “Eventually” ($\Diamond$), “Next” ($\bigcirc$), “Until” ($\mathcal{U}$), and the past operator extension “Has always been” ($\blacksquare$), “Once” ($\blacklozenge$), “Previous” ($\bullet$), and “Since” ($\mathcal{S}$). A complete formal definition can be found in the literature [142, 144, 145, 149].

A logical model of UCON is a 5-tuple $M = (S, P_A, P_C, A_A, A_B)$, where $S$ is a set of sequences of system states, $P_A$ is a finite set of authorization predicates built from the attributes of subjects and objects, $P_C$ is a finite set of condition predicates built from the system attributes, $A_A$ is a finite set of usage control actions, and $A_B$ is a finite set of obligation actions.

A logical formula in UCON is defined by the following grammar:

$$\varphi ::= a \mid p \mid (\neg\varphi) \mid (\varphi \wedge \varphi) \mid (\varphi \rightarrow \varphi) \mid \Box\varphi \mid \Diamond\varphi \mid \bigcirc\varphi \mid (\varphi\,\mathcal{U}\,\varphi) \mid \blacksquare\varphi \mid \blacklozenge\varphi \mid \bullet\varphi \mid (\varphi\,\mathcal{S}\,\varphi)$$

where $a$ is an action and $p$ is a predicate.

In a state sequence $sq$ of a model $M$, the satisfaction relation is defined by induction on the structure of the formula.

For example, the usage control policy for the model preA0 is:

$$\mathit{permitaccess}(s, o, r) \rightarrow \blacklozenge\big(\mathit{tryaccess}(s, o, r) \wedge (p_1 \wedge \ldots \wedge p_i)\big),$$

where $p_1, \ldots, p_i$ are predicates built from subject and/or object attributes, which are pre-authorization predicates.

Another example is the usage control policy for the model preA1:

$$\mathit{permitaccess}(s, o, r) \rightarrow \blacklozenge\big(\mathit{tryaccess}(s, o, r) \wedge (p_1 \wedge \ldots \wedge p_i)\big) \wedge \blacklozenge\big(\mathit{preupdate}(\mathit{attribute})\big).$$
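The two policies above are past-time formulas, so they can be checked against a recorded usage trace. The following Python code is an added illustration for this section, not code from the thesis or from the UCON authors: it implements the satisfaction relation for the past operators of the formal model (“Once” ♦, “Has always been” ■, “Previous” ●, “Since” S) together with the propositional connectives over a finite trace, builds the preA0 and preA1 policies, and checks them against two constructed traces. The trace layout, the single pre-authorization predicate $p_1$ (“the subject has credit”) and the attribute name credit are assumptions made for the example.

```python
"""Checker for UCON past-time policies over a recorded usage trace.

Added illustration, not the thesis's or the UCON authors' code. The
trace layout, predicate p1 and the attribute 'credit' are assumed.
"""

# A trace is a list of states; each state records the actions that
# occurred at that step and the attribute values at that step.
# Constructed trace in which credit is charged before access (preA1).
TRACE_OK = [
    {"actions": {"tryaccess"},    "credit": 1},
    {"actions": {"preupdate"},    "credit": 0},
    {"actions": {"permitaccess"}, "credit": 0},
    {"actions": {"endaccess"},    "credit": 0},
]
# Constructed trace in which access was permitted without any preupdate.
TRACE_BAD = [
    {"actions": {"tryaccess"},    "credit": 1},
    {"actions": {"permitaccess"}, "credit": 1},
]

# Formula constructors; formulas are nested tuples tagged by operator.
def act(name):      return ("act", name)          # action a
def pred(fn):       return ("pred", fn)           # predicate p
def neg(f):         return ("not", f)
def conj(f, g):     return ("and", f, g)
def imp(f, g):      return ("imp", f, g)
def once(f):        return ("once", f)            # "Once"            ♦
def has_always(f):  return ("hasalways", f)       # "Has always been" ■
def prev(f):        return ("prev", f)            # "Previous"        ●
def since(f, g):    return ("since", f, g)        # "Since"           S


def sat(trace, i, phi):
    """Satisfaction relation: does position i of the trace satisfy phi?
    Past operators only look at positions 0..i."""
    tag = phi[0]
    if tag == "act":
        return phi[1] in trace[i]["actions"]
    if tag == "pred":
        return bool(phi[1](trace[i]))
    if tag == "not":
        return not sat(trace, i, phi[1])
    if tag == "and":
        return sat(trace, i, phi[1]) and sat(trace, i, phi[2])
    if tag == "imp":
        return (not sat(trace, i, phi[1])) or sat(trace, i, phi[2])
    if tag == "once":        # some earlier-or-current position satisfies phi
        return any(sat(trace, j, phi[1]) for j in range(i + 1))
    if tag == "hasalways":   # every earlier-or-current position satisfies phi
        return all(sat(trace, j, phi[1]) for j in range(i + 1))
    if tag == "prev":        # the immediately preceding position satisfies phi
        return i > 0 and sat(trace, i - 1, phi[1])
    if tag == "since":       # psi held at some j <= i and phi at every k, j < k <= i
        return any(sat(trace, j, phi[2]) and
                   all(sat(trace, k, phi[1]) for k in range(j + 1, i + 1))
                   for j in range(i + 1))
    raise ValueError(f"unknown operator {tag}")


def holds_throughout(trace, phi):
    """"Always" restricted to the recorded prefix: phi at every position."""
    return all(sat(trace, i, phi) for i in range(len(trace)))


# Pre-authorization predicate p1 (assumed): the subject had credit.
has_credit = pred(lambda st: st["credit"] >= 1)

# preA0: permitaccess -> once(tryaccess and p1)
PRE_A0 = imp(act("permitaccess"), once(conj(act("tryaccess"), has_credit)))
# preA1: permitaccess -> once(tryaccess and p1) and once(preupdate)
PRE_A1 = imp(act("permitaccess"),
             conj(once(conj(act("tryaccess"), has_credit)),
                  once(act("preupdate"))))


def check(trace):
    """Report which of the two policies the trace satisfies."""
    return {"preA0": holds_throughout(trace, PRE_A0),
            "preA1": holds_throughout(trace, PRE_A1)}


if __name__ == "__main__":
    print(check(TRACE_OK))    # {'preA0': True, 'preA1': True}
    print(check(TRACE_BAD))   # {'preA0': True, 'preA1': False}
```

The second trace is the point of the exercise: it satisfies preA0, because access was tried while the predicate held, but violates preA1, because no preupdate ever occurred before the permit. A monitor that only evaluates the pre-authorization predicate cannot tell the two traces apart; the past operator over the update action is what encodes the mutability requirement.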

A detailed description of UCON can be found in the literature [23, 25, 146], as well as its formal definition [144, 145]. Critiques of the UCON model, as well as shortcomings regarding a possible use within a grid environment, are included in subsection 4.2.2. Before that, chapter 3 briefly presents multi-agent systems, the future vision regarding grids and agent systems, game theory, winning strategies, and a suitable temporal logic to describe these notions.