Cassandra: Flexible Trust Management, Applied to Electronic Health Records

Moritz Y. Becker, Peter Sewell
Computer Laboratory, University of Cambridge
JJ Thomson Avenue, Cambridge, United Kingdom
{moritz.becker, peter.sewell}@cl.cam.ac.uk

Abstract

We study the specification of access control policy in large-scale distributed systems. We present Cassandra, a language and system for expressing policy, and the results of a substantial case study, a security policy for a national Electronic Health Record system, based on the requirements for the ongoing UK National Health Service procurement exercise.

Cassandra policies are expressed in a language based on Datalog with constraints. The expressiveness of the language (and its computational complexity) can be tuned by choosing an appropriate constraint domain. Cassandra is role-based; it supports credential-based access control (e.g. between administrative domains); and rules can refer to remote policies (for automatic credential retrieval and trust negotiation). Moreover, the policy language is small, and it has a formal semantics for query evaluation and for the access control engine.

For the case study we choose a constraint domain C0 that is sufficiently expressive to encode many policy idioms. The case study turns out to require many subtle variants of these; it is important to express this variety smoothly, rather than add them as ad hoc features. By ensuring only a constraint compact fragment of C0 is used, we guarantee a finite and computable fixed-point model. We use a top-down evaluation algorithm, for efficiency and to guarantee termination.

The case study (with some 310 rules and 58 roles) demonstrates that this language is expressive enough for a real-world application; preliminary results suggest that the performance should be acceptable.

1. Introduction

In this paper we study the specification and enforcement of security policy in large-scale distributed systems.
Previous work on trust management and role-based access control systems has argued that it is desirable to:

• factor out the policy from the application code, so that it can be easily understood, and changed over time;
• express policy not in terms of individuals, but via the indirection of roles;
• express policy in a language with a formally defined semantics, again to ease precise understanding, and also to support static analysis, to verify sanity properties;
• support distributed access control, basing authorisation on digital credentials, with policies that express automatic credential retrieval over the network and strategies to establish mutual trust between strangers; and
• be scalable – to large numbers of sites and entities, but also to cover different administrative domains with independent policies or local adaptations of a default policy.

There is a tension in the design of policy languages, however: they should be expressive (so intended policies can be written naturally), small and elegant, without ad hoc features (so policies can be easily understood), and also efficiently computable in practical examples.

To address this, we have designed a trust management system, Cassandra, in which the expressiveness of the language can be tuned by selecting an appropriate constraint domain – policies are expressed in an extension of DatalogC, or Datalog with constraints. We ground this research by working out a substantial real-world example, a security policy for a national Electronic Health Record (EHR) system, based on the requirements for the ongoing UK National Health Service procurement exercise. This is, to the best of our knowledge, among the most complex policy examples discussed in the literature.
It has some 310 rules and 58 roles and, as we shall see, demands the full expressiveness of Cassandra.

For the case study we choose a constraint domain C0 that is sufficiently expressive to encode many policy idioms such as role hierarchy, separation of duties, role appointment, cardinality constraints, role validity periods, and distributed trust negotiation. Interestingly, the case study turns out to require many subtle variants of these idioms that cannot be expressed in other languages; it is important that we can express this variety smoothly, rather than add each one as an ad hoc feature. By using static groundness analysis we restrict policies so that only a constraint compact fragment of C0 is required, guaranteeing a finite and computable fixed-point model. We use a memoizing top-down evaluation algorithm, for efficiency and to guarantee termination.

Cassandra is role-based with parameterised roles and actions (supporting concise policies); it is declarative (making policies as clear as possible); it can express powerful role revocation policies including cascading revocation; it supports credential-based access control decisions between administrative domains; and rules can refer to remote policies (providing automatic credential retrieval and trust negotiation). Moreover, the policy language is small, and the system has a formal semantics for both query evaluation and the access control engine.

Existing trust management systems possess subsets of these features; it is however the combination of all these features, together with Cassandra's tunable expressiveness, that makes it unique, and powerful enough for us to express the policies of the case study.

In §2 we discuss the background for the case study, and outline an example scenario of the use of the EHR system. In §3 we discuss how policies are specified in Cassandra, including brief outlines of the semantics and the evaluation algorithm. For lack of space we omit full technical definitions and theoretical results.
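As an added illustration (not Cassandra's own code or syntax, and not from the paper), the following Python sketches the kind of evaluation just described: a tiny role-based policy in the style of Datalog with constraints, with role appointments that carry validity periods, a recursive role-hierarchy rule, and a memoising top-down evaluator whose answer table is what guarantees termination on the recursion. The predicate names, the encoding of constraints as Python predicates over ground arguments, and the facts are constructed assumptions.

```python
from itertools import count
fresh = count()  # counter used to rename rule variables apart from goal variables
def is_var(t):  # a string starting with an upper-case letter is a variable, anything else a constant
    return isinstance(t, str) and t[:1].isupper()

def subst(t, s):  # follow the bindings of term t in substitution s
    while is_var(t) and t in s: t = s[t]
    return t
def unify(x, y, s):  # unify atoms x and y (tuples) under substitution s; None on failure
    if s is None or len(x) != len(y): return None
    for a, b in zip(x, y):
        a, b = subst(a, s), subst(b, s)
        if a != b:
            if is_var(a): s = {**s, a: b}
            elif is_var(b): s = {**s, b: a}
            else: return None
    return s

def solve(goal, rules, table):  # tabled (memoising) top-down evaluation: ground instances of goal
    m = {}; goal = tuple(m.setdefault(t, f"V{len(m)}") if is_var(t) else t for t in goal)  # canonical key
    if goal in table: return table[goal]  # already (being) evaluated: reuse answers; this stops infinite recursion
    answers = table[goal] = set()
    while True:  # re-run the rules until this goal's answer set stops growing (fixed point)
        n = len(answers)
        for head, body in rules:
            k = next(fresh); r = lambda t, k=k: f"{t}@{k}" if is_var(t) else t
            for s in prove([tuple(map(r, a)) for a in body], rules, table, unify(tuple(map(r, head)), goal, {})):
                answers.add(tuple(subst(r(t), s) for t in head))
        if len(answers) == n: return answers
def prove(body, rules, table, s):  # solve body atoms left to right under substitution s
    if s is None: return
    if not body: yield s; return
    atom, rest = body[0], body[1:]
    if callable(atom[0]):  # constraint atom: predicate over ground arguments (Cassandra checks groundness statically)
        if atom[0](*[subst(a, s) for a in atom[1:]]): yield from prove(rest, rules, table, s)
        return
    goal = tuple(subst(a, s) for a in atom)
    for ans in list(solve(goal, rules, table)):  # snapshot, as the table entry may grow while we iterate
        yield from prove(rest, rules, table, unify(goal, ans, s))
# Constructed policy in the style of role-based Datalog with constraints (illustrative, not Cassandra's own syntax)
POLICY = [
    (('appointed', 'alice', 'clinician', 2020, 2030), []),  # fact: role appointment with validity period
    (('senior', 'clinician', 'nurse'), []),                 # fact: role-hierarchy edge
    (('canActivate', 'E', 'R', 'T'), [('appointed', 'E', 'R', 'S', 'F'), (lambda s, t, f: s <= t <= f, 'S', 'T', 'F')]),
    (('canActivate', 'E', 'R', 'T'), [('canActivate', 'E', 'Q', 'T'), ('senior', 'Q', 'R')]),  # inherit down the hierarchy
    (('permits', 'E', 'readRecord', 'T'), [('canActivate', 'E', 'nurse', 'T')])]

def permits(entity, action, time, policy=POLICY):  # ground access query, fresh table per query
    return bool(solve(('permits', entity, action, time), policy, {}))
```

Querying permits('alice', 'readRecord', 2025) succeeds only through the hierarchy edge, since alice is appointed clinician rather than nurse, while the same query for 2035 fails because the appointment's validity period has ended.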
Cassandra needs not just a language for expressing policies, but an API and operational semantics for the access control engine; this is given in §4. We demonstrate how some 'classic' policy idioms can be expressed in §5: particular forms of role hierarchy, separation of duties, and delegation. In §6 we return to the case study, outlining its main features, paying careful attention to what idioms are used and what expressiveness it demands of the policy language. The full policy is available on-line [5]. In §7 we describe our prototype implementation (though at the time of writing it does not cover all aspects); preliminary experiments suggest that performance should be reasonable for such a policy. Finally we discuss related work and conclude.

2. Background: Electronic Health Records

Electronic Health Record (EHR)