SYSTEM AND METHOD FOR EVALUATING A REVERSE QUERY

US 20130055344A1
Filed: 07/19/2011
Published: 02/28/2013
Est. Priority Date: 12/30/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for real-time evaluation of a reverse query to an attribute-based access control (ABAC) policy (P), which is enforced to control access to one or more resources in a computer network, said method comprising the steps of:

i) receiving a reverse query indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests, each of which comprises one or more attributes appearing in the ABAC policy and explicit values assigned to these;

ii) extracting attributes to which all access requests in the set (R) assign identical values;

iii) reducing the ABAC policy at least by substituting values for the extracted attributes;

iv) caching the policy after said reducing as a simplified policy (P′

);

v) translating the cached simplified policy (P′

) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i=1, 2, . . . );

vi) deriving all variable assignments (c_j=[v₁=x_j1, v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition; and

vii) extracting, based on the variable assignments thus derived, all access requests from the set (R) for which the ABAC policy (P) yields the given decision (d).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are real-time techniques for determining all access requests to an attribute-based access control policy which evaluate to a given decision, “permit” or “deny”. The policy is enforced to control access to one or more resources in a computer network. In one embodiment, a method comprises: (i) receiving a reverse query and a set of admissible access requests, each of which comprises one or more attributes in the policy and values of these; (ii) extracting attributes to which all access requests in the set assign identical values; (iii) reducing the ABAC policy by substituting values for the extracted attributes; (iv) caching the policy as a simplified policy; (v) translating the simplified policy and the given decision into a satisfiable logic proposition; (vi) deriving all solutions satisfying the proposition; and (vi) extracting, based on the solutions, all access requests from the set for which the policy yields the given decision.

23 Citations

View as Search Results

15 Claims

1. A computer-implemented method for real-time evaluation of a reverse query to an attribute-based access control (ABAC) policy (P), which is enforced to control access to one or more resources in a computer network, said method comprising the steps of:
- i) receiving a reverse query indicating a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests, each of which comprises one or more attributes appearing in the ABAC policy and explicit values assigned to these;
  
  ii) extracting attributes to which all access requests in the set (R) assign identical values;
  
  iii) reducing the ABAC policy at least by substituting values for the extracted attributes;
  
  iv) caching the policy after said reducing as a simplified policy (P′
  
  );
  
  v) translating the cached simplified policy (P′
  
  ) and the given decision (d) into a satisfiable logic proposition in Boolean variables (v_i, i=1, 2, . . . );
  
  vi) deriving all variable assignments (c_j=[v₁=x_j1, v₂=x_j2, . . . ], j=1, 2, . . . ) satisfying the logic proposition; and
  
  vii) extracting, based on the variable assignments thus derived, all access requests from the set (R) for which the ABAC policy (P) yields the given decision (d).
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein step ii includes examining the set (R) of access requests in order to determine:
    - a first set (D) of attributes that are associated with exactly the same set of values in all requests of said subset (R);
      
      a second set (A) of attributes that are absent in all requests of said subset (R); and
      
      a third set (U) of all other attributes not included in any of the sets (D or A) of attributes.
  - 3. The method of claim 2, wherein step iii includes using said sets (D, A, U) of attributes to generate a partial access request, which:
    - assigns, to each attribute in said first set (D) of attributes, the exact set of values associated to it by any request in said set (R); and
      
      leaves all attributes in said set (U) undefined.
  - 4. The method of claim 3, wherein the partial access request further (V) marks all attributes in said set (A) as not present.
  - 5. The method of claim 1,wherein step iv includes caching the simplified policy (P′
    - ) represented with a tree structure,wherein step v includes, whenever a sub-tree in the tree structure represents a Boolean expression that compares an attribute with a fixed value, replacing said whole sub-tree by a variable (v_i).
  - 6. The method of claim 1,wherein step iv includes caching the simplified policy (P′
    - ) represented with a tree structure,wherein step v includes, whenever a sub-tree in the tree structure represents a Boolean expression but at least one of its children evaluates to a non-Boolean value, replacing said whole sub-tree by a variable (v_i).
  - 7. The method claim 5, wherein, in step v, the variable replacing the sub-tree comprises two associated Boolean variables for representing more than two possible values of the sub-tree.
  - 8. The method of claim 7, said possible values being “
    - true”
      
      , “
      
      false” and
      
      “
      
      indeterminate”
      
      .
  - 9. The method of claim 1, wherein step v includes storing a correlation between each variable (v_i) and the sub-tree which it replaces.
  - 10. The method of claim 1, wherein step vii includes assessing, for each request (r) in the set (R) of requests, whether it corresponds to any of the variable assignments satisfying the logic expression;
    - and, if it does, extracting this access request.
  - 11. The method of claim 1, wherein step vi is performed by means of a SAT solver.
  - 12. The method of claim 1,wherein step v includes representing at least part of the simplified policy (P′
    - ) as a binary decision diagram; and
      
      wherein step vi includes deriving all paths in the binary decision diagram evaluating to either true or false.
  - 13. The method of any of the preceding claims claim 1, wherein step iii includes:
    - determining an implicit reference defined by a value of one of said extracted attributes together with the ABAC policy; and
      
      fetching, in accordance with this implicit reference, at least one attribute value from a remote source.
  - 14. A computer program product comprising a data carrier storing computer-executable instructions for performing the method of claim 1.

15. A computer system configured for real-time evaluation of a reverse query to an attribute-based access control (ABAC) policy, which is enforced to control access to one or more resources in a computer network,wherein the reverse query indicates a given decision (d), which is one of permit access and deny access, and a set (R) of admissible access requests, each of which comprises one or more attributes appearing in the ABAC policy and explicit values assigned to these,said computer system comprising:
- a data memory (12) operable to store one or more ABAC policies;
  
  a partial request generation means operable to construct, based on said set (R) of admissible access requests, a partial request (r_partial) assigning values only to attributes associated with identical values throughout the set (R) of admissible requests;
  
  a policy decision means connected to said partial request generation means and to the electronic storing means, and operable to evaluate said policy (P) for said partial request (r_partial), thereby yielding a simplified policy (P′
  
  );
  
  a translation means, connected to said policy decision means and operable to translate said simplified policy (P′
  
  ), said subset (R) of said set of possible requests, and said given decision (d) into a satisfiable logic proposition (F) in Boolean variables (v_i, i=1, 2, . . . );
  
  an analyzing means 483, connected to said translation means and operable to analyze said propositional logic formula (F) in order to determine a sequence ([c₁, . . . , c_k]) of conditions over requests, each condition defining a variable assignment (c_j=[v₁=x_j1, v₂=x_j2, . . . ], j=1, 2, . . . ); and
  
  a conversion means connected to said analyzing means, and operable to extract, based on said sequence [c₁, . . . , c_k] of conditions, valid requests contained in said subset (R) which evaluate to said given decision (d).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Axiomatics AB
Original Assignee
Axiomatics AB
Inventors
Rissanen, Erik, Giambiagi, Pablo

Granted Patent

US 9,223,992 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 2221/2141 Access rights, e.g. capabil...

SYSTEM AND METHOD FOR EVALUATING A REVERSE QUERY

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR EVALUATING A REVERSE QUERY

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links