12 research outputs found

    Formal Specification and Validation of Security Policies

    We propose a formal framework for the specification and validation of security policies. To model a secured system, the evolution of security information in the system is described by transitions triggered by authorization requests, and the policy is given by a set of rules describing the way the corresponding decisions are taken. Policy rules are constrained rewrite rules whose constraints are first-order formulas on finite domains, which provides enhanced expressive power compared to classical security policy specification approaches such as those using Datalog. Our specifications have an operational semantics based on transition and rewriting systems and are thus executable. This framework also provides a common formalism to define, compare and compose security systems and policies. We define transformations over secured systems in order to perform validation of classical security properties.

    On the Suitability of Dissemination-centric Access Control Systems for Group-centric Sharing

    The Group-centric Secure Information Sharing (g-SIS) family of models has been proposed for modeling environments in which group dynamics dictate information-sharing policies and practices. This is in contrast to traditional, dissemination-centric sharing models, which focus on attaching policies to resources that limit their flow from producer to consumer. The creators of g-SIS speculate that it may not be strictly more expressive than dissemination-centric models, but that it nevertheless has pragmatic efficiency advantages in group-centric scenario

    A FIREWALL MODEL OF FILE SYSTEM SECURITY

    File system security is fundamental to the security of UNIX and Linux systems since in these systems almost everything is in the form of a file. To protect the system files and other sensitive user files from unauthorized accesses, certain security schemes are chosen and used by different organizations in their computer systems. A file system security model provides a formal description of a protection system. Each security model is associated with specified security policies which focus on one or more of the security principles: confidentiality, integrity and availability. The security policy is not only about “who” can access an object, but also about “how” a subject can access an object. To enforce the security policies, each access request is checked against the specified policies to decide whether it is allowed or rejected. The current protection schemes in UNIX/Linux systems focus on the access control. Besides the basic access control scheme of the system itself, which includes permission bits, setuid and seteuid mechanism and the root, there are other protection models, such as Capabilities, Domain Type Enforcement (DTE) and Role-Based Access Control (RBAC), supported and used in certain organizations. These models protect the confidentiality of the data directly. The integrity of the data is protected indirectly by only allowing trusted users to operate on the objects. The access control decisions of these models depend on either the identity of the user or the attributes of the process the user can execute, and the attributes of the objects. Adoption of these sophisticated models has been slow; this is likely due to the enormous complexity of specifying controls over a large file system and the need for system administrators to learn a new paradigm for file protection. We propose a new security model: file system firewall. 
It is an adaptation of the familiar network firewall protection model, used to control the data that flows between networked computers, to file system protection. This model can support access control decisions based on any system-generated attributes of the access requests, e.g., time of day. The access control decisions are not based on one entity, such as the account in traditional discretionary access control or the domain name in DTE. In the file system firewall, the access decisions are made upon situations involving multiple entities. A situation is programmable with predicates on the attributes of the subject, the object and the system. The file system firewall specifies the appropriate actions for these situations. We implemented a prototype of the file system firewall on SUSE Linux. Preliminary results of performance tests on the prototype indicate that the runtime overhead is acceptable. We compared the file system firewall with TE in SELinux to show that the firewall model can accommodate many other access control models. Finally, we show the ease of use of the firewall model. When the firewall system is restricted to a specified part of the system, all the other resources are not affected. This enables a relatively smooth adoption. This fact, and that it is a familiar model to system administrators, will facilitate adoption and correct use. The user study we conducted on traditional UNIX access control, SELinux and the file system firewall confirmed this: beginner users found it easier to use and faster to learn than the traditional UNIX access control scheme and SELinux.

    Approach to identify product and process state drivers in manufacturing systems using supervised machine learning

    The developed concept allows identifying relevant state drivers of complex, multi-stage manufacturing systems holistically. It is able to utilize the complex, diverse and high-dimensional data sets which often occur in manufacturing applications and to integrate the important process intra- and inter-relations. The evaluation was conducted using three different scenarios from distinct manufacturing domains (aviation, chemical and semiconductor). The evaluation confirmed that it is possible to incorporate implicit process intra- and inter-relations at the process as well as the programme level by applying SVM-based feature ranking. The analysis outcome presents a direct benefit for practitioners in the form of the most important process parameters and state characteristics, so-called state drivers, of a manufacturing system. Given the increasing availability of data and information, this selection support can be directly utilized in, e.g., quality monitoring and advanced process control.

    Access Control Administration with Adjustable Decentralization

    Access control is a key function of enterprises that preserve and propagate massive data. Access control enforcement and administration are two major components of the system. On one hand, enterprises are responsible for data security; thus, consistent and reliable access control enforcement is necessary although the data may be distributed. On the other hand, data often belongs to several organizational units with various access control policies and many users; therefore, decentralized administration is needed to accommodate diverse access control needs and to avoid the central bottleneck. Yet, the required degree of decentralization varies within different organizations: some organizations may require a powerful administrator in the system; whereas, some others may prefer a self-governing setting in which no central administrator exists, but users fully manage their own data. Hence, a single system with adjustable decentralization will be useful for supporting various (de)centralized models within the spectrum of access control administration. Giving individual users the ability to delegate or grant privileges is a means of decentralizing access control administration. Revocation of arbitrary privileges is a means of retaining control over data. To provide flexible administration, the ability to delegate a specific privilege and the ability to revoke it should be held independently of each other and independently of the privilege itself. Moreover, supporting arbitrary user and data hierarchies, fine-grained access control, and protection of both data (end objects) and metadata (access control data) with a single uniform model will provide the most widely deployable access control system. Conflict resolution is a major aspect of access control administration in systems. 
Resolving access conflicts when deriving effective privileges from explicit ones is a challenging problem in the presence of both positive and negative privileges, sophisticated data hierarchies, and a diversity of conflict resolution strategies. This thesis presents a uniform access control administration model with adjustable decentralization, to protect both data and metadata. There are several contributions in this work. First, we present a novel mechanism to constrain access control administration for each object type at object creation time, as a means of adjusting the degree of decentralization for the object when the system is configured. Second, by controlling the access control metadata with the same mechanism that controls the users' data, privileges can be granted and revoked to the extent that these actions conform to the corporation's access control policy. Thus, this model supports a whole spectrum of access control administration, in which each model is characterized as a network of access control states, similar to a finite state automaton. The model depends on a hierarchy of access banks of authorizations which is supported by a formal semantics. Within this framework, we also introduce the self-governance property in the context of access control, and show how the model facilitates it. In particular, using this model, we introduce a conflict-free and decentralized access control administration model in which all users are able to retain complete control over their own data while they are also able to delegate any subset of their privileges to other users or user groups. We also introduce two measures to compare any two access control models in terms of their degrees of decentralization and interpretation. Finally, as the conflict resolution component of access control models, we incorporate a unified algorithm to resolve access conflicts by simultaneously supporting several combined strategies.

    Approaches to Compositional and State-Based Access Control for Web-Based Environments

    Modern distributed computing systems must be flexibly adaptable to changing conditions and tasks. This requires that these computing systems be composed, in a dynamically changing structure, from various informational services. Compositionality is a desirable property in this context, both of the computing systems and of the access control policies assigned to the services and their implementations. Access control policies here express which services should be available to which participants under which conditions. For demanding applications such as structured services, access control policies must be specified not only for individual, atomic functionalities of the services, but also for complex sequences of those functionalities. This thesis proposes a compositional and state-based solution to the challenges described. A compositional algebra for access control policies for structured services is developed. For these so-called state-dynamic access control policies, conceptual enforcement mechanisms are elaborated. Furthermore, centralized and decentralized architectures for certificate-based access control systems are designed, into which the proposed solution can be embedded.

    Journal of Telecommunications and Information Technology, 2002, nr 4

    quarterly

    Techniques for Application-Aware Suitability Analysis of Access Control Systems

    Access control, the process of selectively restricting access to a set of resources, is so fundamental to computer security that it has been called the field's traditional center of gravity. As such, a wide variety of systems have been proposed for representing, managing, and enforcing access control policies. Prior work on evaluating access control systems has primarily relied on relative expressiveness analysis, which proves that one system has greater capabilities than another. Although expressiveness is a meaningful basis for comparing access control systems, it does not consider the application in which the system will be deployed. Furthermore, expressiveness is not necessarily a useful way to rank systems; if two systems are expressive enough for a given application, little benefit is derived from choosing the one that has greater expressiveness. On the contrary, many of the concerns that arise when choosing an access control system can be negatively impacted by additional expressiveness: a system that is too complex is often harder to specify policies in, less efficient, or harder to reason about from the perspective of security guarantees. To address these shortcomings, we propose the access control suitability analysis problem, and present a series of techniques for solving it. Suitability analysis evaluates access control systems against the specific demands of the application within which they will be used, and considers a wide range of both expressiveness and ordered cost metrics. To conduct suitability analysis, we present a two-phase framework consisting of formal reductions for proving qualitative suitability and simulation techniques for evaluating quantitative suitability. In support of this framework we present a fine-grained lattice of reduction properties, as well as Portuno, a flexible simulation engine for conducting cost analysis of access control systems. 
We evaluate our framework formally, by proving that it satisfies a series of technical requirements, and practically, by presenting several case studies demonstrating its use in conducting analysis in realistic scenarios.