System and method for evaluating a reverse query

US 10,158,641 B2
Filed: 05/08/2017
Issued: 12/18/2018
Est. Priority Date: 12/30/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for real-time evaluation of a reverse query to an attribute-based access control (ABAC) policy (P) comprising functional expressions dependent on attributes, wherein the ABAC policy is evaluable for an access request if the access request assigns a value to at least one of said attributes, wherein an access decision resulting from said evaluation is enforceable to control access to one or more resources in a computer network, said method performed by a processing device and comprising the steps of:

i) receiving by the processing device a reverse query indicating a given access decision (d), which is one of permit access and deny access, and further indicating a subset (R) of two or more access requests to the ABAC policy, wherein the subset (R) is defined by constraints over the set of possible access requests;

ii) constructing by the processing device a partial request (r_partial) from the subset (R) of access requests;

iii) reducing by the processing device the ABAC policy in accordance with the partial request;

iv) caching by the processing device the ABAC policy after said reducing, as a simplified policy (P′

) comprising at least one functional expression dependent on an attribute;

v) translating by the processing device the cached simplified policy (P′

) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i=1, 2, . . . ), including replacing, by a Boolean variable, any Boolean expression in the policy representing a comparison of an attribute and a fixed value;

vi) deriving by the processing device all variable assignments (c_j=[v₁=x_j1, v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition;

vii) processing by the processing device the variable assignments satisfying the logic proposition on the basis of a correlation between each Boolean variable and the comparison which it replaces; and

viii) determining by the processing device, from each variable assignment processed in step vii, a set of potential access requests for which the ABAC policy would evaluate to the given decision (d) and where each request belongs to subset R.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method includes: (i) receiving a reverse query and a set of admissible access requests, each of which includes one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

31 Citations

14 Claims

1. A computer-implemented method for real-time evaluation of a reverse query to an attribute-based access control (ABAC) policy (P) comprising functional expressions dependent on attributes, wherein the ABAC policy is evaluable for an access request if the access request assigns a value to at least one of said attributes, wherein an access decision resulting from said evaluation is enforceable to control access to one or more resources in a computer network, said method performed by a processing device and comprising the steps of:
- i) receiving by the processing device a reverse query indicating a given access decision (d), which is one of permit access and deny access, and further indicating a subset (R) of two or more access requests to the ABAC policy, wherein the subset (R) is defined by constraints over the set of possible access requests;
  
  ii) constructing by the processing device a partial request (r_partial) from the subset (R) of access requests;
  
  iii) reducing by the processing device the ABAC policy in accordance with the partial request;
  
  iv) caching by the processing device the ABAC policy after said reducing, as a simplified policy (P′
  
  ) comprising at least one functional expression dependent on an attribute;
  
  v) translating by the processing device the cached simplified policy (P′
  
  ) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i=1, 2, . . . ), including replacing, by a Boolean variable, any Boolean expression in the policy representing a comparison of an attribute and a fixed value;
  
  vi) deriving by the processing device all variable assignments (c_j=[v₁=x_j1, v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition;
  
  vii) processing by the processing device the variable assignments satisfying the logic proposition on the basis of a correlation between each Boolean variable and the comparison which it replaces; and
  
  viii) determining by the processing device, from each variable assignment processed in step vii, a set of potential access requests for which the ABAC policy would evaluate to the given decision (d) and where each request belongs to subset R.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein step ii includes examining the subset (R) of access requests in order to determine:
    - a first set (D) of attributes that are associated with exactly the same set of values in all requests of the subset (R);
      
      a second set (A) of attributes that are absent in all requests of the subset (R); and
      
      a third set (U) of all other attributes not included in any of the first set (D) of attributes and the second set (A) of attributes.
  - 3. The method of claim 2, wherein step iii includes using the sets (D, A, U) of attributes to generate a partial access request, which:
    - assigns, to each attribute in the first set (D) of attributes, the exact set of values associated to it by any request in the subset (R); and
      
      leaves all attributes in the third set (U) undefined.
  - 4. The method of claim 3, wherein the partial access request further (V) marks all attributes in the second set (A) as not present.
  - 5. The method of claim 1, wherein step iv includes caching the simplified policy (P′
    - ) represented with a tree structure,wherein step v includes, whenever a sub-tree in the tree structure represents a Boolean expression but at least one of its children evaluates to a non-Boolean value, replacing the whole sub-tree by a variable (v_i).
  - 6. The method of claim 5, wherein, in step v, the variable replacing the sub-tree comprises two associated Boolean variables for representing more than two possible values of the sub-tree.
  - 7. The method of claim 6, the possible values being “
    - true”
      
      , “
      
      false” and
      
      “
      
      indeterminate”
      
      .
  - 8. The method of claim 1, wherein step v includes storing the correlation between each variable (v_i) and the sub-tree which it replaces.
  - 9. The method of claim 1, wherein step vii includes assessing, for each request (r) in the subset (R) of requests, whether it corresponds to any of the variable assignments satisfying the logic expression;
    - and, if it does, extracting this access request.
  - 10. The method of claim 1, wherein step vi is performed by means of a SAT solver implemented in hardware and/or a computer executing software.
  - 11. The method of claim 1,wherein step v further includes representing at least part of the simplified policy (P′
    - ) as a binary decision diagram; and
      
      wherein step vi includes deriving all paths in the binary decision diagram evaluating to either true or false.
  - 12. The method of claim 1, wherein step iii includes:
    - determining an implicit reference defined by a value of one of the extracted attributes together with the ABAC policy; and
      
      fetching, in accordance with this implicit reference, at least one attribute value from a remote source.
  - 13. A non-transitory computer-readable storage medium storing computer-executable instructions for performing a method of claim 1.

14. A computer system including a processing device coupled to a non-transitory data memory, the computer system being configured for real-time evaluation of a reverse query to an attribute-based access control (ABAC) policy (P) comprising functional expressions dependent on attributes, wherein the ABAC policy is evaluable for an access request if the access request assigns a value to at least one of said attributes, wherein an access decision resulting from said evaluation is enforceable to control access to one or more resources in a computer network,wherein the reverse query indicates a given access decision (d), which is one of permit access and deny access, and further indicating a subset (R) of two or more access requests to the ABAC policy, wherein the subset (R) is defined by constraints over the set of possible access requests,the computer system comprising:
- the data memory operable to store one or more ABAC policies;
  
  a partial request generation means operable to construct a partial request (r_partial) from the subset (R) of access requests;
  
  a policy decision partial evaluation means connected to the partial request generation means and to the data memory, and operable to reduce evaluate the ABAC policy (P) in accordance with the partial request (r_partial), thereby yielding a simplified policy (P′
  
  );
  
  a translation means, connected to the policy decision means and operable to translate the simplified policy (P′
  
  ), and the given decision (d) into a satisfiable logic proposition (F) in Boolean variables (vi, i=1, 2, . . . ), wherein the translation means is configured to replace, by a Boolean variable, any Boolean expression in the policy representing a comparison of an attribute and a fixed value;
  
  an analyzing means, connected to the translation means and operable to derive all variable assignment (c_j=[v₁=x_ji, v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition;
  
  a conversion means connected to said analyzing means, and operable to process the variable assignments satisfying the logic proposition on the basis of a correlation between each Boolean variable and the comparison which it replaces; and
  
  a determining means operable to determining, from each variable assignment processed by said conversion means, a set of potential access requests for which the ABAC policy would evaluate to the given decision (d) and where each request belongs to subset R.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Axiomatics AB
Original Assignee
Axiomatics AB
Inventors
Rissanen, Erik, Giambiagi, Pablo
Primary Examiner(s)
Rahim, Monjur

Application Number

US15/589,296
Publication Number

US 20170244711A1
Time in Patent Office

589 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/10   for controlling access to d...

System and method for evaluating a reverse query

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for evaluating a reverse query

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links