Visualising Access Control: The PRISM Approach

2010 14th Panhellenic Conference on Informatics
978-0-7695-4172-3/10 $26.00 © 2010 IEEE, DOI 10.1109/PCI.2010.52

Aziz S. Mousas, Anna Antonakopoulou, Fotios Gogoulos, Georgios V. Lioudakis, Dimitra I. Kaklamani, Iakovos S. Venieris
School of Electrical and Computer Engineering, National Technical University of Athens, Athens, Greece
{azmousas, aantwnakop, fgogoulos, gelioud}@icbnet.ntua.gr, [email protected], [email protected]

Abstract—Despite the usefulness of passive network monitoring for the operation, maintenance, control and protection of communication networks, as well as for law enforcement, network monitoring activities are surrounded by serious privacy implications. In this paper, a software tool for the management of privacy-preserving authorisation and access control to data originating from passive network monitoring is described. It offers a user-friendly, visual interface for the specification of the underlying concepts, such as roles, data types, actions, rules and contextual information, providing the appropriate level of abstraction. Based on the specified model, the proposed application generates the cryptographic means for the dissemination of the provisions to the enforcing entities, while relying on an ontological model for the representation of the access control policies.

Keywords—policy specification application; ontology visualisation; privacy; access control; network monitoring.

I. INTRODUCTION

The potential invasion of individuals' privacy is the flip side of contemporary Information and Communication Technologies. In this context, the activities related to network monitoring occupy a prominent position: while extremely useful and important for purposes such as network operation, management, planning and maintenance, security protection (e.g., in terms of intrusion detection and prevention), scientific research based on real traffic traces, as well as law enforcement (e.g., by means of data retention and lawful interception), network monitoring not only may lead to privacy violations but is also surrounded by legal implications (see, e.g., [1]). As electronic communications increasingly proliferate in everyday life, privacy, with all its facets, is increasingly considered a quality attribute of paramount importance. In that respect, violations related to network monitoring and communications surveillance have started hitting the headlines and feeding citizens' concerns [2].

As far as privacy protection is concerned, network monitoring activities are of particular interest compared to other domains, due to some special characteristics they have [3]. In order to address the underlying issues, the FP7 ICT project PRISM [4] proposed an architecture which mediates between the source of information (i.e., the communication channel) and the entities that consume data originating from network monitoring, and which enforces an authorisation and access control model based on semantic security policies specifically designed for this context. An important aspect of the framework is the PRISM Access Control Model Editor, a proprietary, user-friendly software tool which serves for the visualisation of policy specification and administration. The tool provides an advanced visual editor, hiding the technical details of the underlying model and requiring no particular technical expertise from its users. The result is an access control policy implemented as an ontology, along with a set of X.509 certificates [5] that serve for its enforcement by the corresponding systems. The description of this application is the main aim of this paper.

The remainder of this paper is structured as follows. Section II summarises the overall PRISM approach; Section III outlines the PRISM Ontology, the semantic model used for the representation of the access control policies and other provisions that are specified through the editor; Section IV describes the PRISM Access Control Model Editor. The paper concludes in Section V.

II. THE PRISM APPROACH FOR PRIVACY-PRESERVING NETWORK MONITORING

This Section summarises the PRISM framework for privacy-preserving passive network monitoring, describing the general architecture, the fundamentals of the access control model and its enforcement. For further details, the reader is referred to [6].

A. System Architecture

The key engineering guidelines for the PRISM framework have been the following:
1) Protection of the data as soon as they are captured, i.e., on the online monitoring probes.
2) Provision of a comprehensive framework for controlling access to, and processing of, the collected data.
3) Adaptation of the monitoring applications to operate "behind" this framework.
4) Decoupling of the entity in charge of enforcing data protection (e.g., a legal authority) from the one in charge of running monitoring applications (e.g., the network operator).
These aspects have been met by designing PRISM as a two-tier system and by providing a generalised access control framework. Unlike traditional architectures, which are typically monolithic, the envisioned system comprises three separate, administratively independent subsystems, as depicted in Fig. 1: the Front-End tier (FE), the Back-End tier (BE) and the Privacy-Preserving Controller (PPC).

Figure 1. PRISM System Architecture.

The goal of the FE tier, which is implemented as a network card and plays the role of the online traffic probe, is to capture the packets on the network link, protect them according to suitably designed data protection mechanisms and deliver them to the BE tier through standards-based data export protocols.

The BE tier is the component primarily in charge of controlling any access to the data, either in real time, i.e., immediately after their collection, or offline. Neither the network operator nor any other entity (e.g., third-party outsourcers, subcontractors, authorities) has direct access to the collected data: the data reach the BE already cryptographically protected by the FE tier, and both the reversal of that protection and any further dissemination of the data are subject to the enforcement of the privacy-aware access control model.

The PPC is a central entity of the PRISM system, charged with a range of responsibilities and equipped with a variety of functionalities. For instance, during PRISM operation the PPC acts as the Source of Authority (SoA) of the PRISM Privilege Management Infrastructure (PMI) and as the Certificate Authority (CA) of the PRISM Public Key Infrastructure (PKI), and it is the point where certificate revocation is specified and evaluated. In this context, the PRISM Access Control Model Editor is the entry point for ontology creation and management, for the execution of the access control reasoning process, and for user administration and certificate lifecycle management.

B. Fundamentals of the PRISM Access Control Model

PRISM follows an approach to access control that is based on policies set forth by the PPC; these policies are evaluated and enforced by the system in order to take access decisions. The fundamental components of the policy framework are the following:
1) A set of personal data types (DT)
2) A set of purposes (Pu)
3) A set of roles (R)
4) A set of actors (A)
5) A set of rules (Ru)
6) A set of conditions (C)
The latter two represent, respectively, the actual access control rules, i.e., permissions and prohibitions, and the real-time constraints on the applicability of the rules. The set of personal data types (DT) is characterised by three relationships, reflecting respectively the inheritance of characteristics, the detail level of the same concept (e.g., location) and the inclusion of one data type in another. The access control rules, from which the authorisation provisions are also derived, are always associated with a {personal data types, purpose, role} triad. That is, the three corresponding sets constitute the domain of the rules, while a fourth parameter is reflected by the conditions, if any: dom Ru = DT^n × Pu × R × C. The access control rules can be either positive or negative, resulting in positive or negative authorisations, respectively, for the underlying action. The actors of the system are assigned roles; this creates the Role Assignments set (RA), where RA ⊆ A × R, a many-to-many relation assigning roles to actors.

Additionally, purposes are assigned to roles as permissions, since, intuitively, not all roles are permitted to act (i.e., execute a monitoring function offered by an application) in service of every possible purpose. This creates the Purpose-to-Role associations set (PR), where PR ⊆ Pu × R. What is left is the association of personal data types with {purpose, role} pairs, i.e., with elements of PR. This yields the concept of permitted data types, reflecting positive read authorisations on data: we say that a tuple of personal data types 〈dt1, dt2, …, dtm〉 is permitted for a purpose-to-role association pr_zy = 〈pu_z, r_y〉 when all the personal data types comprising the tuple are necessary to any actor a_x assigned the role r_y in order to fulfil the purpose pu_z. That is, the Permitted Data Types set (PDT) is defined as PDT ⊆ DT^n × PR.

All the above concern access control with respect to the interaction between the BE and the entity that requests data. Regarding the controlled access of the BE to data provided by the FE, the situation is more complicated, since data types defined above as permitted may not be known to the FE at all, and rules defined for such data types therefore cannot be used by the FE in order to grant access to the BE and, consequently, to the requesting entity. The different types of data that the PRISM system deals with are thus categorised as either raw or derived data types. The former are those explicitly contained in the monitoring flows (e.g., protocol header fields) or any other data that can be provided directly by the FE. Derived data types, on the other hand, are the product of processing functions that extend the FE's capabilities; they are generated by the BE and/or the monitoring application.

The BE is equipped with a rich library of software tools, referred to as Embedded Processing Components (EPC). The EPC incorporate, among other tools, functionalities for the transformation of a set of data types into another, including both simple and complex transformations. These functionalities constitute in essence a set of Data Transformation Functions (DTF) that the BE uses in order to produce the derived data types delivered to the monitoring application, instead of disseminating the actual raw monitoring data. Intuitively, the BE needs to be provided by the FE with the set of data that comprise the necessary input to the corresponding functions.
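The derivation of the permitted data types and of the raw data the FE must release can be made concrete. What follows is an added Python example, not code from the paper or from the PRISM project: it encodes a small policy in the sets defined above (DT with its inheritance relation, Pu, R, PR and the rules Ru) and computes, for each purpose-to-role association, the PDT and the raw types the BE needs from the FE to feed its DTFs. The data types, purposes, roles, rules and transformation functions are constructed for illustration, and the rule-resolution order (the rule attached to the most specific data type in the inheritance chain wins, and a prohibition wins over a permission at the same level) is an assumption standing in for the inheritance and conflict-resolution metadata that the paper only names.

```python
"""Static reasoning over a PRISM-style access control model (added example,
not the PRISM project's code).

The sets DT, Pu, R, Ru, PR and PDT and the raw/derived distinction come from
the paper; every concrete value below is constructed for illustration, as is
the rule-resolution order (most specific data type wins, prohibition wins on a
tie), which stands in for the rule's inheritance/conflict metadata.
"""

# Personal data types (DT): child -> parent in the inheritance relation.
DT_PARENT = {
    "PersonalData": None,
    "NetworkIdentifier": "PersonalData",
    "IPAddress": "NetworkIdentifier",
    "MACAddress": "NetworkIdentifier",
    "ApplicationData": "PersonalData",
    "HTTPHost": "ApplicationData",
    "FlowRecord": "PersonalData",        # derived: produced by a DTF in the BE
    "HostProfile": "PersonalData",       # derived from another derived type
}

# Raw data types: provided directly by the FE (e.g., protocol header fields).
RAW = {"IPAddress", "MACAddress", "HTTPHost"}

# Data Transformation Functions: derived type -> (EPC tool, input data types).
DTF = {
    "FlowRecord": ("flow_aggregator", {"IPAddress", "HTTPHost"}),
    "HostProfile": ("host_profiler", {"FlowRecord"}),
}

CONCRETE = RAW | set(DTF)      # the types a requester can actually receive

# Purpose-to-role associations PR ⊆ Pu × R (constructed).
PR = {("NetworkOperation", "NetworkAdministrator"),
      ("IntrusionDetection", "SecurityAnalyst"),
      ("LawfulInterception", "LEA_Officer")}

# Rules Ru: (data type, purpose, role, positive?, inherited by descendants?)
RULES = [
    ("NetworkIdentifier", "NetworkOperation",   "NetworkAdministrator", True,  True),
    ("MACAddress",        "NetworkOperation",   "NetworkAdministrator", False, False),
    ("FlowRecord",        "IntrusionDetection", "SecurityAnalyst",      True,  False),
    ("HTTPHost",          "IntrusionDetection", "SecurityAnalyst",      True,  False),
    ("PersonalData",      "LawfulInterception", "LEA_Officer",          True,  True),
    ("HostProfile",       "LawfulInterception", "LEA_Officer",          False, False),
]


def lineage(dt):
    """dt followed by its ancestors in DT, nearest first."""
    chain = [dt]
    while (dt := DT_PARENT[dt]) is not None:
        chain.append(dt)
    return chain


def is_permitted(dt, purpose, role):
    """Resolve the rules for one (data type, purpose, role); default deny."""
    if (purpose, role) not in PR:            # role may not act for this purpose at all
        return False
    for level, node in enumerate(lineage(dt)):
        verdicts = [positive for (rdt, rpu, rr, positive, inherit) in RULES
                    if rdt == node and rpu == purpose and rr == role
                    and (level == 0 or inherit)]
        if verdicts:
            return all(verdicts)             # a prohibition at this level wins
    return False


def permitted_data_types(purpose, role):
    """PDT for one purpose-to-role association."""
    return {dt for dt in CONCRETE if is_permitted(dt, purpose, role)}


def raw_permitted_data_types(pdt):
    """PDT*: the raw types the FE must release so that the BE can provide every
    type in pdt, following DTF inputs down to raw types."""
    raw, todo, seen = set(), list(pdt), set()
    while todo:
        dt = todo.pop()
        if dt in seen:
            continue
        seen.add(dt)
        if dt in RAW:
            raw.add(dt)
        elif dt in DTF:
            todo.extend(DTF[dt][1])
        else:
            raise ValueError(f"{dt} is neither raw nor produced by a DTF")
    return raw


if __name__ == "__main__":
    for purpose, role in sorted(PR):
        pdt = permitted_data_types(purpose, role)
        print(f"{role:>20} / {purpose:<18} PDT={sorted(pdt)} "
              f"PDT*={sorted(raw_permitted_data_types(pdt))}")
```

Running the module lists the three associations. Note that the analyst's PDT* contains IPAddress although the analyst's PDT does not: the FE must release it to the BE because the flow_aggregator function consumes it, which is exactly why the paper keeps raw and derived data types, and PDT and PDT*, apart.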

C. Reasoning and Enforcement

All the access control principles described above can be evaluated before the submission of a data request. In fact, from the PRISM Ontology it is possible to compute all the permitted data types (PDT) and raw permitted data types (PDT*). The term static reasoning is therefore introduced, referring to reasoning based on rules that can be evaluated a priori.

In that respect, a mechanism grounded on an X.509 infrastructure [5] has been adopted, introducing a number of X.509 certificates that are generated (mostly) "offline" by the PPC and that encode the static aspects of authentication, authorisation and access control. The certificates are made available to the associated parties and used during PRISM operation. In offline mode, the PPC issues Permanent Public Key Certificates (P-PKCs), which certify that the holder of such a certificate is the entity it claims to be, together with the following types of X.509 Attribute Certificates (ACs):
• Role assignment certificates (CertRA), which certify that the holder of such a certificate has been assigned the corresponding role(s).
• CertPDT and CertPDT* certificates, certifying the permitted data types and the raw permitted data types, respectively.

In addition, the model defines sets of mutually excluded data types, MED ⊆ DT^n. These sets are queried for the existence of "forbidden" data combinations within the PDT and, based on the outcome, the data types comprising the PDT are disclosed as a whole or some are excluded.

On the other hand, dynamic reasoning refers to provisions that can only be evaluated at runtime by the associated entities, primarily the BE. Such provisions concern temporal, spatial and history-based conditions, mutual exclusions and the execution of privacy obligations.

Figure 2. The PRISM Ontology. (Diagram not reproduced; it shows the classes listed in Section III linked by the properties subclass, isOfType, storedNotWith, excludes, hasSubject, hasObject, refersToPurpose, refersToRole, appliesUnderCondition, follows, usesTransformationTool, transformsDataFromType, transformsDataToType, refersToSubject, refersToObject, refersToData and hasValue, with the ContextualTypes Temporal, Spatial and DataAge.)

III. THE PRISM ONTOLOGY

The knowledge base of the PRISM system, in terms of access control rules, is expressed by means of an ontology implemented in the W3C Web Ontology Language (OWL) [7]. Its detailed specification is out of the scope of this paper; a fuller description is provided in [8]. The classes comprising the PRISM Ontology are the following (Fig. 2):



• PersonalData, representing the different personal data types and their associations;
• Purposes, reflecting the purposes of data collection;
• Roles, describing the different roles that the system's actors hold;
• Rules, specifying the access control rules;
• Components, comprising the "semantic signatures" of the BE system's components (EPC);
• DataTransformations, defining transformations from one data type to another;
• ExclusiveCombinations, describing how data types mutually exclude one another from disclosure;
• Conditions, specifying access constraints;
• ConditionSubject, defining the subjects of the conditions;
• ReferenceObject, defining the data set that is affected by the applicability of a condition;
• ContextualBase, containing a subclass for each ContextualType (the Temporal, Spatial and DataAge subclasses);
• Obligations, describing the obligations that should be executed along with the enforcement of a rule;
• ObligationPatterns, defining some data primitives about the obligations.

IV. PRISM ACCESS CONTROL MODEL EDITOR

The PRISM Access Control Model Editor (PACME) is a user-friendly application implemented in Java, devised for the specification and management of the PRISM Ontology by people who do not come from the worlds of computer science or engineering, such as lawyers and other members of an organisation's administration department. Input provided to PACME is transparently translated into OWL code and X.509 certificates.

After logging in, the authenticated PACME user is presented with several views, devised for the administration of the personal data, purposes and roles subgraphs, the rules, the contextual conditions, the exclusive combinations and the data transformations. In addition, PACME provides the user with all the options needed to interact with the PRISM Ontology and to fulfil PPC tasks, while offering a family of auxiliary tools for tasks such as loading existing semantic models and disseminating the ontology. Some insights into the main PACME views follow.

A. The Subgraphs View

The subgraph views (e.g., Fig. 3), which are enabled by selecting one of the Personal Data, Services, Roles and Conditions tabs on the right side of the interface, provide the user with the means for the specification and administration of the corresponding subgraphs of the ontology. The main area of each view illustrates the respective subgraph, while the user is provided with a range of tools: definition of new nodes, relations and properties, renaming, deletion, etc. The offered facilities include, among others, zoom in/out, rotation and navigation. On the left-hand side of the interface, an alphabetical taxonomy of the instances is displayed, which additionally offers a search facility with automatic focus on the requested instance's node on the right-hand side. The bottom left presents a bird's-eye view of the subgraph.

Figure 3. Subgraphs View.

B. The Rules Management View

The rules management view (Fig. 4) provides a list of the existing rules of the model, as well as a toolbox for their administration. The rules, along with all their properties, are shown on the upper right side as the rows of a list, while the bottom right side illustrates the selected rule schematically, gives its textual description and states the condition that must be met in order for the rule to apply. Both the rows of the rules list and the graphical representation are editable: the PACME user may make changes either directly in the list's fields or by clicking on the areas of the rule's graph.

Figure 4. Rules Management View.

The left-hand side of the rules management view provides functionalities for searching and filtering rules by any of their properties. For example, if the user presses any of the underlined "Data", "Service", "Role" or "Condition" labels, a pop-up frame with the corresponding subgraph of the ontology appears (similar to the one of Fig. 3, with all the facilities described above), enabling the user to select the desired type. Additionally, the task buttons at the upper left trigger the deletion of a rule (followed by a confirmation window), the application of performed changes, and the rule creation/editing wizard (Fig. 5), which is a simple way of defining or modifying a rule of the model. Using the wizard, the user defines a new rule or modifies an existing one in eight steps. At every step, a representation of the current state of the rule is shown at the bottom right. The steps of the rule creation/editing wizard are the following:

Figure 5. Rules Management Wizard.

Steps 1–3: Specification of the "domain" of the rule, i.e., the {personal data, purpose, role} triad to which the rule applies. In each of these steps, the user is provided with an interface similar to the ones used for the specification of the corresponding semantic subgraphs (such as the one of Fig. 3).

Step 4: Specification of the "core" of the rule, i.e., the read/write access rights of the considered role on the specified data in the context of the execution of the specified service type, as well as the data retention period.

Step 5: Specification of the complementary actions, such as the applicable privacy obligations.

Step 6: Specification of the meta-information regarding inheritance to the descendants of the personal data, monitoring service and role types under consideration, as well as the resolution of conflicts.

Step 7: Specification of the condition of the rule and of the meta-information regarding inheritance to the descendants of the condition. In this step the user is provided with an interface for the specification of the conditions subgraph.

Step 8: In the final step, the textual description of the rule is authored.

C. User Management View

The user management process is accomplished through the Tools menu, and more specifically through the Identify User option, which opens a submission form that must be filled in with all the necessary information concerning the user. This information comprises some personal details of the user, information about the X.509 certificates, and some contextual parameters that are used directly for access control, such as working hours and valid IP addresses. Upon submission of this information, all the necessary certificates (described in Section II) are created and stored in the appropriate database, so that they can be used for the authentication and authorisation processes during PRISM operation. Options for retrieving, presenting and deleting these certificates are also provided through the Tools menu of PACME, as well as for specifying and examining their revocation status. Finally, through this view, options for editing and deleting a user are also offered.

Figure 6. User Management View.
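The runtime side of enforcement, which Section II.C calls dynamic reasoning and which the user record described above feeds with working hours and valid IP addresses, can be illustrated with an added Python example; this is not the PRISM project's code. It models a BE decision point that takes the requester's roles as read from a CertRA, finds the rules applicable to each requested data type, evaluates Temporal, Spatial and DataAge conditions (a ReferenceObject scopes a condition to particular data types), removes mutually excluded combinations from what would actually be disclosed, and collects the obligations to execute. All roles, purposes, data types, rules, condition values and requests are constructed, as is the tie-break applied to an exclusive combination (keep the alphabetically first type), which the paper leaves to the policy.

```python
"""Dynamic reasoning at the BE enforcement point (added example, not the PRISM
project's code).  The concepts (Temporal/Spatial/DataAge conditions,
ReferenceObject, mutually excluded data types, obligations, roles certified by
CertRA) come from the paper; every concrete value below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
import ipaddress


@dataclass
class Condition:
    kind: str                                  # ContextualType: Temporal, Spatial or DataAge
    value: object                              # (start, end) times, list of networks, or max age
    refers_to_data: frozenset = frozenset()    # ReferenceObject; empty means every type of the rule


@dataclass
class Rule:
    role: str
    purpose: str
    data_types: frozenset
    conditions: list = field(default_factory=list)
    obligations: list = field(default_factory=list)


@dataclass
class Request:
    holder: str
    roles: frozenset          # roles the BE read from the holder's CertRA
    purpose: str
    data_types: frozenset     # data types asked for
    source_ip: str
    at: datetime
    data_captured_at: datetime


WORKING_HOURS = (time(8, 0), time(18, 0))                 # constructed
SOC_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]       # constructed

RULES = [
    Rule("SecurityAnalyst", "IntrusionDetection", frozenset({"FlowRecord", "HTTPHost"}),
         conditions=[Condition("Temporal", WORKING_HOURS),
                     Condition("Spatial", SOC_NETWORKS),
                     Condition("DataAge", timedelta(days=7), frozenset({"HTTPHost"}))],
         obligations=["log_access"]),
    Rule("SecurityAnalyst", "IntrusionDetection", frozenset({"IPAddress"}),
         conditions=[Condition("Temporal", WORKING_HOURS),
                     Condition("Spatial", SOC_NETWORKS)],
         obligations=["notify_dpo"]),
]

# MED: data types that must never be disclosed together (constructed).
MED = [frozenset({"HTTPHost", "IPAddress"})]


def condition_holds(cond, req, dt):
    """Evaluate one contextual condition for data type dt of request req."""
    if cond.refers_to_data and dt not in cond.refers_to_data:
        return True                           # condition does not constrain this type
    if cond.kind == "Temporal":
        start, end = cond.value
        return start <= req.at.time() < end
    if cond.kind == "Spatial":
        ip = ipaddress.ip_address(req.source_ip)
        return any(ip in net for net in cond.value)
    if cond.kind == "DataAge":
        return req.at - req.data_captured_at <= cond.value
    raise ValueError(f"unknown condition type {cond.kind!r}")


def decide(rules, req):
    """Return (granted data types, obligations to execute, {denied type: reason})."""
    satisfied, denied = {}, {}
    for dt in sorted(req.data_types):
        applicable = [r for r in rules if r.role in req.roles
                      and r.purpose == req.purpose and dt in r.data_types]
        if not applicable:
            denied[dt] = "no applicable rule"
            continue
        reason = None
        for rule in applicable:               # first rule whose conditions all hold wins
            failed = [c.kind for c in rule.conditions if not condition_holds(c, req, dt)]
            if not failed:
                satisfied[dt], reason = rule, None
                break
            reason = f"{failed[0]} condition not met"
        if reason is not None:
            denied[dt] = reason
    granted = set(satisfied)
    for forbidden in MED:                     # exclusion is checked on the actual disclosure
        if forbidden <= granted:
            keep = min(forbidden)             # assumption: keep the alphabetically first type
            for dt in forbidden - {keep}:
                granted.discard(dt)
                denied[dt] = f"mutually excluded with {keep}"
    obligations = []
    for dt in sorted(granted):                # obligations only for what is actually disclosed
        for ob in satisfied[dt].obligations:
            if ob not in obligations:
                obligations.append(ob)
    return granted, obligations, denied


def analyst_request(hour, minute=0, source_ip="10.1.2.3", age_hours=1):
    """Constructed request by a SecurityAnalyst on 2010-09-10."""
    at = datetime(2010, 9, 10, hour, minute)
    return Request(holder="alice", roles=frozenset({"SecurityAnalyst"}),
                   purpose="IntrusionDetection",
                   data_types=frozenset({"FlowRecord", "HTTPHost", "IPAddress", "MACAddress"}),
                   source_ip=source_ip, at=at,
                   data_captured_at=at - timedelta(hours=age_hours))


if __name__ == "__main__":
    for req in (analyst_request(10, 30), analyst_request(22, 0),
                analyst_request(10, 30, source_ip="192.0.2.10"),
                analyst_request(10, 30, age_hours=240)):
        print(req.at.time(), req.source_ip, decide(RULES, req))
```

The four sample requests show why these provisions cannot be settled by the static reasoning of Section II.C: the same analyst is granted FlowRecord and HTTPHost inside working hours from the SOC network, nothing at 22:00 or from 192.0.2.10, and only FlowRecord plus IPAddress when the HTTPHost data are older than seven days, because the exclusion between HTTPHost and IPAddress only bites when both would actually be disclosed.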

D. Other Views

PACME is not limited to the views described above. For instance, an important additional view is devised for specifying the data transformation definitions. Through this view, the user specifies the input and output data types along with the component (i.e., the BE's EPC) that performs the transformation; the outcome is reflected in the DataTransformations class of the ontology. A similar approach is followed for the definition of exclusive combinations of data types: instances of the ExclusiveCombinations class created by the corresponding PACME view define structures of mutually excluded data types, which are visually selected to participate in the set.

V. CONCLUSIONS

This paper has focused on the PRISM Access Control Model Editor, a software tool that can easily implement and visualise the basic concepts of the PRISM access control framework. Although it has been designed for access to data collected in the context of passive network monitoring, the basic concepts of the framework can be used in other domains where privacy is a critical issue. In that respect, future work concerns the extension of the editor into a general-purpose access control administration tool, as well as support for alternative policy representations, such as XACML.

REFERENCES

[1] P. Ohm, D. Sicker, and D. Grunwald, "Legal Issues Surrounding Monitoring during Network Research", in Proceedings of the 7th ACM SIGCOMM Conference on Internet Measurement (IMC '07), San Diego, USA, October 24–26, 2007, pp. 141–148.
[2] V. Prevelakis and D. Spinellis, "The Athens Affair", IEEE Spectrum, Vol. 47, No. 7, pp. 26–33, July 2007.
[3] F. Gogoulos, A. Antonakopoulou, A. S. Mousas, G. V. Lioudakis, D. I. Kaklamani, I. S. Venieris, "Privacy-Aware Passive Network Monitoring", in Proceedings of the 13th Panhellenic Conference on Informatics (PCI 2009), Corfu, Greece, September 10–12, 2009.
[4] FP7 ICT project PRISM (PRIvacy-aware Secure Monitoring), home page: http://fp7-prism.eu/.
[5] International Telecommunication Union (ITU), Telecommunication Standardization Sector, "Information technology – Open Systems Interconnection – The Directory: Public-key and Attribute Certificate Frameworks", ITU-T Recommendation X.509, August 2005.
[6] F. Gogoulos, A. Antonakopoulou, G. V. Lioudakis, A. S. Mousas, D. I. Kaklamani, I. S. Venieris, "Privacy-Aware Access Control and Authorization in Passive Network Monitoring Infrastructures", in Proceedings of the 3rd IEEE International Symposium on Trust, Security and Privacy for Emerging Applications (TSP 2010), Bradford, UK, June 29 – July 1, 2010.
[7] The World Wide Web Consortium (W3C), "Web Ontology Language (OWL)", home page: http://www.w3.org/2004/OWL/.
[8] F. Gogoulos, A. Antonakopoulou, G. V. Lioudakis, A. S. Mousas, D. I. Kaklamani, I. S. Venieris, "Semantic Information Model for Privacy-Aware Access Control", in Proceedings of the 14th Panhellenic Conference on Informatics (PCI 2010), Tripolis, Greece, September 10–12, 2010.
