Research Abstracts - 2006

Policy Aware Web

Tim Berners-Lee, Dan Connolly, Lalana Kagal, Yosi Scharf & Daniel J. Weitzner

Overview

Policy awareness is a property of the Semantic Web that will provide users with accessible and understandable views of the policies associated with resources, make compliance with stated rules easier, and provide accountability when rules are intentionally or accidentally broken. This project explores application of Semantic Web rules languages, logic engines, and proof exchange to a range of access control policy needs that are currently unmet in the Web today and will be essential for widespread us of the Semantic Web.[1]

Key research challenges

The major challenges that this project addresses includes:

• design of general purpose Semantic Web reasonersdevelopment of rules language to address the range of expressivity require for the policy awareness.
• scalability of proof-based access control mechanisms on the Web.

Our work builds Policy Aware Infrastructure into the design of the World Wide Web, responding to technical and social needs for more fine-grained control of access to information. We explore architectures that rules in decentralized systems.[2] Current rule-based schemes use specialized access control languages generally designed to work in a specific application. In these closed-world systems, a pre-defined set of subject roles and rules are checked against a predefined set of object permissions. While this approach may be sufficient in closed world contexts, it is not adequate for the open world of the Web. On the Web there is no simple set of rules that will be sufficient for all applications in all domains.As the figure illustrates. our designs shift the burden of deriving the access justification to the requesting party, who transmits that justification to the controlling party, who need only check it, the resulting system (a) provides for more flexible, scalable policy languages, (c) has a much smaller trusted computing base (only the part that verifies justifications) and (c) is much more transparent: any third party can audit that the justification is valid.

Our policy aware approach to access control is also a response to the observation that typical security architectures involve the requesting party doing very little computation -- typically, just providing a username/password, or perhaps computing a message digest and/or digital signature -- and the party providing and controlling access being obliged and trusted to derive the correct access control decision. Execution of even relatively inflexible policies described above depends on enormous trusted computing bases, generally including the entire operating system kernel, apache, php, databases, etc. PAW avoids the risk inherent in this complexity and provides a decentralized security model for the Semantic Web which is flexible and scalable.

Future Research Challenges

As our research progresses, we will address the following new challenges:

• integration of PAW architecture in enterprise and Web-scale environments;
• assessing various designs for proof generation and proof checking
• development of domain-specific policy languages, as well as rules visualization tools

Funding Sources

The project is a collaboration with Prof. J. Hendler, University of Maryland MIND Lab. Funding through National Science Foundation ITR 04-012 (award #0427275).

References:

[1] Weitzner, Hendler, Berners-Lee, Connolly, Creating the Policy-Aware Web: Discretionary, Rules-based Access for the World Wide Web in Elena Ferrari and Bhavani Thuraisingham, editors, Web and Information Security. IOS Press, 2005.

[2] Weitzner, Abelson, Berners-Lee, et al., "Transparent Accountable Data Mining: New Strategies for Privacy Protection", MIT CSAIL Technical Report MIT-CSAIL-TR-2006-007 (27 January 2006).

[3] Berners-Lee, T., CWM ­ A general purpose data processor for the Semantic Web, 2000. http://www.w3.org/2000/10/swap/doc/cwm.html