Inconsistency resolving of safety and utility in access control

3.1. Reducing complexity

Once all the inconsistencies are known, we must find a way to resolve them. However, determining which policy to remove is difficult because there may be many policy inconsistencies. In order to simplify the resolution task, we consider as few policies as possible. Thus we reduce the complexity of reasoning about policy inconsistencies by the techniques of static pruning and minimal inconsistency cover set.

3.2. Measuring the safety-utility tradeoff

Given an MIC set for a policy inconsistency. Often, there may exist many choices for resolving this inconsistency. An interesting question for them is "which choice is optimal?". Our methodology helps policy administrators answer this question.

Algorithm 1. ComputeMIC (Q)

Input: Q = {e₁, ..., e _m , f₁, ..., f _n }

Output: the MIC sets of Q : S₁, ..., S _x

1: initialize S₁ = ∅, i = 1, j = 1, k = 1;

2: while (i < m||j < n) do

3:    if$\left(\left(P_{e_i}\cap P_{S_k}\ne \varnothing \right)\wedge \left(U_{e_i}\cap U_{S_k}\ne \varnothing \right)\right)$then

4:       S _k = S _k ∪ e _i ;

5:       i + +;

6:    else

7:       k + +;

8:       continue;

9:    end if

10:       k = 1;

11:    if$\left(\left(P_{f_j}\cap P_{S_k}\ne \varnothing \right)\wedge \left(U_{f_j}\cap U_{S_k}\ne \varnothing \right)\right)$then

12:       S _k = S _k ∪ f _j ;

13:       j + +;

14:    else

15:       k++;

16:       continue;

17:    end if

18:    k = 1;

19: end while;

20: MIC(Q) ← S₁, ..., S _x ;

21: for S _k ∈ MIC(Q) do

22:    if$\exists S_t\in MIC\left(Q\right)\left[\left(P_{S_t}\cap P_{S_k}\ne \varnothing \right)\wedge \left(U_{S_t}\cap U_{S_k}\ne \varnothing \right)\right]$then

23:       MIC(Q) = MIC(Q) - S _t - S _k ;

24:       S _k = S _k ∪ S _t ;

25:       MIC(Q) ← S _k ;

26:    end if

27: end for

28: return MIC(Q).

Example 3. Let us consider the same policies as the one from Example 1. After removing some policies from Q, the rest of policies will be consistent with each other. For example, resolving the policy inconsistency has the following choices.

Currently we lack a method for measuring the safety-utility tradeoff in policy inconsistency resolving. Removing SSoD policies result in safety loss for the whole safety requirement in Q. Similarly, Removing SA policies result in utility loss for the whole utility requirement in Q. Hence before making the choice, one must ensure that the safety loss and utility loss are limited to an acceptable level. To use our method, one must choose a measure for safety loss (S _loss ) and utility loss (U _loss ).

Definition 7. Let e₁and e₂be two SSoD policies, we say that$S_{loss}^{e_1}\ge S_{loss}^{e_2}$if and only if e₁ ≽ e₂. And$S_{loss}^{e_1}>S_{loss}^{e_2}$if and only if e₁ ≻ e₂.

Where $S_{loss}^{e_1}$ denotes the safety loss caused by removing e₁. As is intuitive, choosing to remove the policy with higher restrictive will cause more safety (or utility) loss.

Theorem 5. For any SSoD policies e₁= ssod <P₁, U₁, k₁> and e₂= ssod <P₂, U₂, k₂>, e₁ ≻ e₂if and only if (U₁ ⊇ U₂) ⋀ (k₁≥ k₂ + | P₁ - P₂|).

PROOF. For the "if" part, given (U₁ ⊇ U₂) ⋀ (k₁≥ k₂ + | P₁ - P₂|), we show that $\forall \epsilon \left(\neg sa{t}_{e_2}\left(\epsilon \right)\Rightarrow \neg sa{t}_{e_1}\left(\epsilon \right)\right)$. There are two cases for (U₁ ⊇ U₂) ⋀ (k₁≥ k₂ + | P₁ - P₂|): (1) P₁ ⊆ P₂, (2) P₁ ⊃ P₂. $\neg sa{t}_{e_2}\left(\epsilon \right)$ being true means that there exist k₂-1 users in U₂ together having all the permissions in P₂. For case (1), there also exists k₂-1 users in U₁ together having all the permissions in P₁ as (P₁ ⊆ P₂) ⋀ (U₁ ⊇ U₂), and (k₁ ≥ k₂ + |P₁ - P₂|) ⇒ (k₁- 1) ≥ (k₂ - 1). Therefore, there exists k₁-1 users in U₁ together having all the permissions in P₁, in other words, $\neg sa{t}_{e_1}\left(\epsilon \right)$ is true. For case (2), there also exist k₂-1 users in U₁ together having all the permissions in P₁ ∪ {P₂ - P₁} as (U₁ ⊇ U₂). At most |P₁ - P₂| users together having all the permissions in {P₂ - P₁}, and (k₁ ≥ k₂ + | P₁ - P₂|) ⇒ (k₂ - 1) ≤ (k₁ - 1) - |P₁ - P₂|. Thus there exists k₁-1 users in U₁ together having all the permissions in P₁, $sa{t}_{e_1}\left(\epsilon \right)$ is also false. Therefore, $\forall \epsilon \left(\neg sa{t}_{e_2}\left(\epsilon \right)\Rightarrow \neg sa{t}_{e_1}\left(\epsilon \right)\right)$ is true.

For the "only if" part, given e₁ ≽ e₂, we show that (U₁ ⊇ U₂) ⋀ (k₁ ≥ k₂ + |P₁ - P₂|) is true. Suppose, for the sake of contradiction, that ¬((U₁ ⊇ U₂) ⋀ (k₁ ≥ k₂ + |P₁ - P₂|)) is true. In other words, both U₁ ⊇ U₂ and k₁ ≥ k₂ + |P₁ - P₂| are false. Let e₁ and e₂ are two SSoD policies, where e₁ = ssod <P₁, U₁, k₁>, e₂ = ssod <P₂, U₂, k₂>. If U₁ ⊇ U₂ is false, then ∃u ∈ U₂/U₁. Assuming that $sa{t}_{e_1}\left(\epsilon \right)$ is true, assign all the permissions in P₂ to u, and then $sa{t}_{e_2}\left(\epsilon \right)$ is false as k₂> 1. Therefore, U₁ ⊇ U₂ is true. If k₁ ≥ k₂ + |P₁ - P₂| is false, then k₁< k₂ + |P₁ - P₂|. If P₁ ⊆ P₂, then k₁< k₂ ⇒ k₁ ≤ k₂ - 1. $sa{t}_{e_1}\left(\epsilon \right)$ being true means that at least k₁ users in U₁ together having all the permissions in P₁. We assume that there exist k₁ users in U₁ together having all the permissions in P₁ in ε; then there exist k₂-1 users in U₂ together having all the permissions in P₂ as to ε (let U₁ = U₂, and these k₁ users also have all the permissions in {P₂ - P₁}), then $sa{t}_{e_2}\left(\epsilon \right)$ is false. If P₁ ⊃ P₂, let k₁< k₂ + |P₁ - P₂|; given an access control state ε that $sa{t}_{e_1}\left(\epsilon \right)$ is true, for each permission in {P₂ - P₁}, assign it to |P₁ - P₂| different users, and these users are not assigned any other permissions in P₁, and then k₁-|P₁ - P₂| users together having all the permissions in P₁. Therefore, there exist less than k₂ users in U₂ together having all the permissions in P₂ (let U₁ = U₂), and therefore, $sa{t}_{e_2}\left(\epsilon \right)$ is false. This contradicts the assumption that e₁ ≽ e₂. Therefore, if e₁ ≽ e₂, then (U₁ ⊇ U₂) ⋀ (k₁ ≥ k₂ + |P₁ - P₂|).   □

Definition 8. Let f₁and f₂be two SA policies, we say that$U_{loss}^{f_1}\ge U_{loss}^{f_2}$if and only if f₁ ≽ f₂. And$U_{loss}^{f_1}>U_{loss}^{f_2}$if and only if f₁ ≻ f₂.

Theorem 6. For any SA policies f₁= sa <P₁, U₁, t₁> and f₂= sa <P₂, U₂, t₂>, f₁ ≽ f₂if and only if (P₁ ⊇ P₂) ⋀ (U₁ ⊇ U₂) ⋀ (t₁ ≤ t₂).

PROOF. For the "if" part, given (P₁ ⊇ P₂) ⋀ (U₁ ⊇ U₂) ⋀ (t₁ ≤ t₂), we show that $\forall \epsilon \left(sa{t}_{f_1}\left(\epsilon \right)\Rightarrow sa{t}_{f_2}\left(\epsilon \right)\right)$ is true. $sa{t}_{f_1}\left(\epsilon \right)$ being true means that any size-t₁ user set $U_1^{\prime }$ from U₁ together having all the permissions in P₁. Since (P₁ ⊇ P₂) ⋀ (U₁ ⊇ U₂) ⋀ (t₁ ≤ t₂), for each $U_1^{\prime }\subseteq U_2\subseteq U_1,{\bigcup }_{u\in U_1^{\prime }}aut{h}_{-}{p}_{\epsilon }\left(u\right)\supseteq P_1\supseteq P_2$, and $\left|U_1^{\prime }\right|=t_1\le t_2$. Therefore, $sa{t}_{f_2}\left(\epsilon \right)$ is also true.

For the "only if" part, given f₁ ≽ f₂, we show that (P₁ ⊇ P₂) ⋀ (U₁ ⊇ U₂) ⋀ (t₁ ≤ t₂) is true. Suppose, for the sake of contradiction, that ¬( P₁ ⊇ P₂) ⋀ (U₁ ⊇ U₂) ⋀ (t₁ ≤ t₂) is true, thus (P₁ ⊂ P₂) ⋁ (U₁ ⊂ U₂) ⋁ (t₁> t₂) is true, then ∃P ∈ P₂/P₁. Assuming that there exists an access control state ε, and $sa{t}_{f_1}\left(\epsilon \right)$ is true. Let P be not assigned to any user in U₂, that does not affect $sa{t}_{f_1}\left(\epsilon \right)$. But $sa{t}_{f_2}\left(\epsilon \right)$ is false, as no size-t₂ user set from U₂ can together cover P₂. Thus the assumption is false, and P₁ ⊇ P₂ is true.

If U₁ ⊂ U₂ is true, then ∃u ∈ U₂/ U₁. We now can construct a state ε that makes $sa{t}_{f_2}\left(\epsilon \right)$ true, but $sa{t}_{f_1}\left(\epsilon \right)$ false. By Theorem 1, sat _f (ε) being true means that each size-t user sets from U cover the permission set P. The above discussion shown that P₁ ⊇ P₂ is true, and let t₁ = t₂. As |U₂| + 1 - t₂> |U₁| + 1 - t₁, $sa{t}_{f_1}\left(\epsilon \right)$ is true, which contradicts the assumption, and thus U₁ ⊇ U₂ is true.

If t₁> t₂ is true, let $f_1^{\prime }=sa⟨P_2,U_2,t_1⟩$. As shown above, $f_1\succcurlyeq f_1^{\prime }$, such as for any state ε that $\neg sa{t}_{f_1^{\prime }}\left(\epsilon \right)\Rightarrow \neg sa{t}_{f_1}\left(\epsilon \right)$. Thus we only need to construct a state ε that $sa{t}_{f_2}\left(\epsilon \right)$is true, but $sa{t}_{f_1^{\prime }}\left(\epsilon \right)$ is false as follows. Find a size-t₁ user set U' ⊂ U₂, and partition P₂ into t₁ disjoint sets $v_1,\dots ,v_{t_1}$, such that the permissions in each set be assigned to each user in U', respectively. Without any one user in U' can not cover P₂. Since t₁> t₂, we can find a size-t₂ user set U'' ⊂ U' that the users in U'' do not together have all the permissions in P₂. In other words, $sa{t}_{f_1^{\prime }}\left(\epsilon \right)$ is false, and $sa{t}_{f_1}\left(\epsilon \right)$ is also false. This contradicts the assumption, and thus t₁ ≤ t₂ is true. Consequently, if f₁ ≽ f₂, then (P₁ ⊇ P₂) ⋀ (U₁ ⊇ U₂) ⋀ (t₁ ≤ t₂).   □

After computing the rank of S _loss for each SSoD policy and U _loss for each SA policy. A fundamental problem in inconsistency resolving is how to make the right tradeoff between safety and utility. However, it is inappropriate to directly compare safety with utility. The most important reason is that removing SSoD policies will increase the safety loss for the whole policies, but will not increase the utility gain. Similarly, removing SA policies will increase the utility loss for the whole policies, but will not increase the safety gain. For example, if we choose to remove {e₁, e₂} in Example 5, then S _loss = 100%, U _loss = 0%. And if we choose to remove {f₁, f₂}, then S _loss = 0%, U _loss = 100%.

If safety and utility cannot be directly compared, how should one consider them in a policy set for inconsistency resolution? For this, given a number of policy sets that are candidates for removing, for each of which we measure its safety loss S _loss and its utility loss U _loss . We can obtain a set of (S _loss , U _loss ) pairs, one for each set. An ideal (but unachievable) choice will have the smallest S _loss and U _loss . For this, we need to be able to compare two different (S _loss , U _loss ) pairs.

Definition 9. Given two pairs (S _loss , U _loss )₁, and (S _loss , U _loss )₂, we define (S _loss , U _loss )₁ ≤ (S _loss , U _loss )₂if and only if$\left(S_{loss}^1\le S_{loss}^2\right)\wedge \left(U_{loss}^1\le U_{loss}^2\right)$. And (S _loss , U _loss )₁ < (S _loss , U _loss )₂if and only if$\left(S_{loss}^1<S_{loss}^2\right)\wedge \left(U_{loss}^1<U_{loss}^2\right)$.

Definition 10. Let A and B be two policy sets; removing A will caused (S _loss , U _loss ) _A , and removing B will caused (S _loss , U _loss ) _B . We say that the choice of removing A is at least as optimal as removing B (denoted by (S _loss , U _loss ) _A ⊵ (S _loss , U _loss ) _B ) if (S _loss , U _loss ) _A ≤ (S _loss , U _loss ) _B . And the the choice of removing A is better than removing B (denoted by (S _loss , U _loss ) _A ⊳ (S _loss , U _loss ) _B ) if (S _loss , U _loss ) _A < (S _loss , U _loss ) _B .

Example 4. Let us consider the following policy sets from Example 3 that can be removed to resolve the policy inconsistency. S₁ = {e₁}, S₂ = {f₁}, S₃ = {e₁, e₂}, S₄ = {f₁, f₂}, S₅ = {e₁, e₂, f₁}.

Obviously, ${\left(S_{loss},U_{loss}\right)}_{S_1}<{\left(S_{loss},U_{loss}\right)}_{S_3}<{\left(S_{loss},U_{loss}\right)}_{S_5}$, and ${\left(S_{loss},U_{loss}\right)}_{S_2}<{\left(S_{loss},U_{loss}\right)}_{S_4}<{\left(S_{loss},U_{loss}\right)}_{S_5}$. Thus S₁ and S₂ are two ideal choices to resolve the policy inconsistency.

3.3. Prioritized-based resolution

The notion of priority is very important in the study of knowledge based systems, since inconsistencies have a better chance to be resolved. The following subsections present two prioritized-based approaches to deal with policy inconsistencies. We first present the possibilistic logic approach, which selects one consistent subbase. And we then give the lexicographical inference approach, which selects several maximally consistent subbases [7]. We assume that knowledge bases Ψ are prioritized. Prioritized knowledge bases have the form Ψ = Ψ ^E ∪ Ψ ^F , where ${\Psi }^E=S_1^E\mathsf{\text{U}}\cdots \mathsf{\text{U}}{S}_m^E$, ${\Psi }^F=S_1^F\mathsf{\text{U}}\cdots \mathsf{\text{U}}{S}_n^F$, E and F denote all the SSoD and SA policies in the system, respectively. Formulas in $S_i^E$(or $S_i^F$) have the same level of priority and have higher priority than the ones in $S_j^E$(or $S_j^F$) where j > i. $S_1^E$ (or $S_1^F$) contains the one which have the highest priority in Ψ, and $S_m^E$(or $S_n^F$) contains the one which have the lowest priority in Ψ.

4.1. Running example

We now give a running example to show the validity of our approach for policy inconsistency resolving.

We now implement the proposed approach to resolve the policy inconsistency problem in Q. Firstly, by Theorem 3, we find that e₄, e₅ and f₅ can be removed from our consideration. Let Q' = {e₁, e₂, e₃, f₁, f₂, f₃, f₄}, thus we only need to consider the policies in Q'. Secondly, by Algorithm 1, we can get two MIC sets: {e₁, e₂, f₁, f₂, f₃} and {e₃, f₄}. Let Q _A = {e₁, e₂, f₁, f₂, f₃}, Q _B = {e₃, f₄}. Thirdly, we check whether the policies in each MIC set are consistent, and find that the policies in Q _A are inconsistent, but the policies in Q _B are consistent. Thus we only need to resolve the policy inconsistency in Q _A (Section 4.2 will give a more detailed description of consistency checking approach). Fourthly, we measure the safety loss for each SSoD policy and the utility loss for each SA policy. Via Theorem 5, we find that e₁ ≻ e₂, f₁ ≻ f₂. Thus we can have the form for prioritized knowledge bases Ψ = Ψ ^E ∪ Ψ ^F (where ${\Psi }^E=S_1^E\cup S_2^E$, ${\Psi }^F=S_1^F\cup S_2^F$, $S_1^E=\left\{e_1\right\}$, $S_2^E=\left\{e_2\right\}$, $S_1^F=\left\{f_1\right\}$, $S_2^F=\left\{f_2,f_3\right\}$.). We give the method for computing the S _loss and U _loss for each SSoD and SA policy, respectively as follows: