Members only


Protune, the policy framework of REWERSE, has a rich set of unique features that are currently not supported by standard systems and languages.  Some of these features can be individually found in some systems (sometimes research prototypes), however Protune currently offers one of the most complete sets of features [see this paper].  Here are some examples of the benefits resulting from specifying, managing, and enforcing policies with Protune.


1. Flexibility without program coding

Protune policies can express a variety of static and dynamic requirements without requiring ad-hoc program code. It supports attribute based access control where attribute values may be extracted from different kinds of evidence of different strength and deployment cost, such as digital credentials, single-sign-on tokens, unsigned declarations (web forms), and reputation measures.  This makes it possible to balance the risks involved in a transaction with the cost of enforcing the policy. Protune's software interprets the given policies and activates the right procedures for gathering the required kind of evidence.
Protune's policies may enforce simple obligations by linking some logical preconditions (such as event_logged or admin_notified) to actions (implementing event logging, notifications, etc.) that make the corresponding precondition true. Policies can declaratively specify when actions are to be executed and which are the peers in charge of their execution. Actions can be implemented as shell scripts or Java method calls (yes, one needs some programming here...). Changing the policy does not necessarily imply re-implementing actions; programming is required only when the need for new kinds of actions arises.
Actions provide also an effective integration method for legacy software and data.

2. User awareness and documentation

Proper policy documentation is essential to raise user trust in a system, and to make a system more usable and competitive [see the discussion of cooperative enforcement here]. Here we are talking both of end users and security administrators; both categories may include users with little or no expertise on security languages and standards, who need documentation to be formulated in a nontechnical language. Handwritten documentation is obviously very expensive, especially as policies evolve along time, and the risk of documentation not being aligned with the currently enforced policy becomes higher and higher during a system's life.
Protune's framework comprises Protune-X, a unique second-generation explanation facility that presents policies and explains access control decisions in natural language. Since explanations are automatically derived from the executable policy, (i) costs are reduced, (ii) documentation is always up-to-date, (iii) explanations can be contextualized specifically to the current transaction.

3. Policy confidentiality

Documentation needs and cooperative enforcement require policies to be accessible, to some extent.  This should be done with care, as policies themselves may be confidential.  There are plenty of examples in the industrial world (e.g. a policy may reveal collaborations between different organizations), and some examples concern typical private uses of the Web, too (such as social networks). For instance, think about a person trying to download the pictures of a friend and realizing that the operation is not allowed because she is not regarded as a "best friend". Standard policy frameworks are not equipped for defining policies on policies. Protune allows policy writers to assign sensitivity levels to policy rules and predicates, and restricts policy release appropriately.

4. Access control and usability

Policies are application-domain dependent and so are the predicates in access control conditions.  In standard frameworks such as XACML the context is a black box and application-specific terms are not specified in a machine-understandable way.  This prevents any support to information exchange during authentication phases: users have to be involved because the server cannot specify its credential requests directly to heterogeneous user agents.  In Protune, interoperability is enhanced by means of lightweight ontologies that can specify in a machine-understandable way what it means to be authenticated to a specific system, what are the accepted credit cards, which resources are public, and so on. This enables automated support to access control procedures: a user agent can autonomously check whether the user can possibly fulfill the server's policy, and present the possible options to her, as appropriate for the current transaction (e.g. releasing a membership card, a credit card, or both - say, to get a discount). This approach may significantly improve a user's navigation experience, and harmonize usability requirements with strong and articulated access control requirements. Such techniques are particularly interesting in pervasive computing scenarios, where the interactions with small computing devices are particularly cumbersome.

5. Privacy and usability

Before using a service for the first time, a user may wish to inspect the service's certifications (e.g. membership to some seal program such as e-Trust and BBB). Today this must necessarily be done manually.  Protune supports this process by letting user agents ask servers for certificates and other forms of evidence (if so desired).  The semantic infrastructure for interoperability mentioned above is well suited for automating this task, too. By relieving the user from the burden of checking server properties, this approach encourages the development of more rigorous service selection procedures, with stronger guarantees for the user.
Moreover, Protune enhances user privacy by supporting information release policies on the clients. The most common decisions about releasing sensitive pieces of information (be they credentials, unsigned declarations, or whatever) can be specified once and for all as a policy that the user agent can automatically apply, thereby improving the users' navigation experience without sacrificing privacy.

6. Low deployment and maintenance costs

Protune has been designed to reduce the cost of deployment in new application domains and subsequent maintenance. By minimizing program coding (almost totally replaced by configuration-like activities) and exploiting knowledge-based techniques to automate a wide range of operations, the costs related to instantiating Protune's framework in a new domain, and the costs related to writing and maintaining policies are significantly reduced. Protune supports also extensibility mechanisms based on metapolicies.

How do we get all of the above (and why others can't)
  • Policies are formulated and treated as (lightweight) knowledge bases. In this way, many operations can be automated, thereby reducing ad-hoc program coding to a minimum (cf. Point 1) and enabling automated documentation (Point 2). By the same means we support interoperability (Points 4,5) and reduce costs (Point 6). A crucial property is that the context is itself described in a machine understandable way and it is not a black box, unlike XACML's contexts.
  • Protune supports negotiations between the agents involved in a transaction. In the simplest case, the server publishes its policy and the client tries to fulfill it; this procedure is at the core of (i) the flexibility mentioned in Point 1, and (ii) the assisted access control procedures mentioned in Point 4. In the general case, negotiations improve policy confidentiality (Point 3) - as policies can be disclosed incrementally, as needed by the current transaction - and let clients gather information about servers, as explained in Point 5.
  • Protune behavior can be controlled and configured in a declarative way with metapolicies. This gives the framework much of its flexibility without requiring ad-hoc programming (Point 1), especially as actions (and more generally dynamic behavior) are concerned. Metapolicies provide also a simple means to specify which parts of the policy are sensitive (Point 3), and how application-specific atomic conditions are to be verbalized in the documentation (complex conditions and rules are explained by automatically assembling such "atomic" verbalizations). The role played by metapolicies in governing the behavior ot Protune's framework contributes significantly to reducing ad-hoc programming efforts and improving policy readability and maintainability. As such, metapolicies are one of the pillars of our cost reduction strategy (Point 6).

Coordinator unit: Sezione di Informatica - Dip. Di Scienze Fisiche - Universita' di Napoli Federico II