Security for Cloud Environment through Information Flow Properties Formalization with a First-Order Temporal Logic

The main slowdown of Cloud activity comes from the lack of reliable security. The on-demand security concept aims at delivering and enforcing the client's security requirements. In this paper, we present an approach, Information Flow Past Linear Time Logic (IF-PLTL), to specify how a system can support a large range of security properties. We present in this paper how to control those information flows from lower system events. We give complete details over IF-PLTL syntax and semantics. Furthermore, that logic enables to formalize a large set of security policies. Our approach is exemplified with the Chinese Wall commercial-related policy. Finally, we discuss the extension of IF-PLTL with dynamic relabeling to encompass more realistic situations through the dynamic domains isolation policy.La principale cause de ralentissement de l'adoption du Cloud est le manque de sécurité fiable. Le concept de sécurité à la demande est de déployer et d'appliquer les demandes de sécurité d'un client. Dans ce papier, nous présentons une approche, Information Flow Past Linear Time Logic (IF-PLTL), qui permet de spécifier comment un système peut supporter un large ensemble de propriétés de sécurité. Nous présentons dans ce papier comment ces flux d'information peuvent être contrôler en utilisant les événements systèmes de bas niveau. Nous donnons une description compléte de la syntaxe de IF-PLTL ainsi que sa sémantique. De plus, cette logique permet de formaliser un large ensemble de politiques de sécurité. Notre approche est illustrée par la politique de sécurité de la muraille de Chine orienté vers le monde commercial. Finalement, nous montrons comment nous avons étendu notre langage pour supporter la relabélisation dynamique qui permet de supporter la dynamicité inhérante des systèmes. Nous illustrons cette extension par la formalisation d'une propriété de sécurité pour l'isolation dynamique de domaines

An Access Control and Trust Management Framework for Loosely-Coupled Multidomain Environment

Multidomain environments where multiple organizations interoperate with each other are becoming a reality as can be seen in emerging Internet-based enterprise applications. Access control to ensure secure interoperation in such an environment is a crucial challenge. A multidomain environment can be categorized as tightly-coupled and loosely-coupled. The access control challenges in the loosely-coupled environment have not been studied adequately in the literature. In a loosely-coupled environment, different domains do not know each other before they interoperate. Therefore, traditional approaches based on users' identities cannot be applied directly. Motivated by this, researchers have developed several attribute-based authorization approaches to dynamically build trust between previously unknown domains. However, these approaches all focus on building trust between individual requesting users and the resource providing domain. We demonstrate that such approaches are inefficient when the requests are issued by a set of users assigned to a functional role in the organization. Moreover, preserving principle of security has long been recognized as a challenging problem when facilitating interoperations. Existing research work has mainly focused on solving this problem only in a tightly-coupled environment where a global policy is used to preserve the principle of security. In this thesis, we propose a role-based access control and trust management framework for loosely-coupled environments. In particular, we allow the users to specify the interoperation requests in terms of requested permissions and propose several role mapping algorithms to map the requested permissions into roles in the resource providing domain. Then, we propose a Simplify algorithm to simplify the distributed proof procedures when a set of requests are issued according to the functions of some roles in the requesting domain. Our experiments show that our Simplify algorithm significantly simplifies such procedures when the total number of credentials in the environment is sufficiently large, which is quite common in practical applications. Finally, we propose a novel policy integration approach using the special semantics of hybrid role hierarchy to preserve the principle of security. At the end of this dissertation a brief discussion of implemented prototype of our framework is present

Multi-Dimensional-Personalization in mobile contexts

During the dot com era the word "personalisation” was a hot buzzword. With the fall of the dot com companies the topic has lost momentum. As the killer application for UMTS or the mobile internet has yet to be identified, the concept of Multi-Dimensional-Personalisation (MDP) could be a candidate. Using this approach, a recommendation of mobile advertisement or marketing (i.e., recommendations or notifications), online content, as well as offline events, can be offered to the user based on their known interests and current location. Instead of having to request or pull this information, the new service concept would proactively provide the information and services – with the consequence that the right information or service could therefore be offered at the right place, at the right time. The growing availability of "Location-based Services“ for mobile phones is a new target for the use of personalisation. "Location-based Services“ are information, for example, about restaurants, hotels or shopping malls with offers which are in close range / short distance to the user. The lack of acceptance for such services in the past is based on the fact that early implementations required the user to pull the information from the service provider. A more promising approach is to actively push information to the user. This information must be from interest to the user and has to reach the user at the right time and at the right place. This raises new requirements on personalisation which will go far beyond present requirements. It will reach out from personalisation based only on the interest of the user. Besides the interest, the enhanced personalisation has to cover the location and movement patterns, the usage and the past, present and future schedule of the user. This new personalisation paradigm has to protect the user’s privacy so that an approach supporting anonymous recommendations through an extended "Chinese Wall“ will be described

On the Design and Testing of Authorization Systems

Authorization deals with the specification and management of accesses principals have to resources. In the design of an authorization system, sometimes we just implement the accessenforcement without having a precise semantics for it. In this dissertation we show that, there exists a precise semantics that improves the efficiency of access-enforcement over the accessenforcement without precise semantics. We present an algorithm to produce an Access Control List (ACL), in a particular authorization system for version control syatems called gitolite, and we compare the implementation of our algorithm against the implementation that is already being used. As another design problem, we consider least-restrictive enforcement of the Chinese Wall security policy. We show that there exists a least-restrictive enforcement of the Chinese Wall Security Policy. Our approach to proving the thesis is by construction; we present an enforcement that is least-restrictive. We also prove that such an enforcement mechanism cannot be subjectindependent. We also propose a methodology that tests the implementation of an authorization system to check whether it has properties of interest. The properties may be considered to be held in the design of an authorization system, but they are not held in the implementation. We show that there exist authorization systems that do not have the properties of interest

Power Relationships in Information Systems Security Policy Formulation and Implementation

This thesis argues that organizational power impacts the development and implementation of Information Systems (IS) Security policy. The motivation for this research stems from the continuing concern of ineffective security in organizations, leading to significant monetary losses. IS researchers have contended that ineffective IS Security policy is a precursor to ineffective IS Security (Loch et al. 1992; Whitman et al. 2001; David 2002; Solms and Solms 2004). Beyond this pragmatic aspect, there is a gap in the literature concerning power relationships and IS Security policy. This research intends to bridge the gap. The dissertation is a two phased study whereby the first phase seeks to understand the intricacies of IS Security policy formulation and implementation. In the first phase, a conceptual framework utilizes Katz\u27s (1970) semantic theory. The conceptual framework provides the theoretical foundation for a case study that takes place at an educational institution\u27s Information Technology (IT) Department. In the results, it is confirmed that a disconnect exists between IS Security policy formulation and implementation. Furthermore, a significant emergent finding indicates that power relationships have a direct impact on this observed disconnect. The second phase takes place as an in depth case study at the IT department within a large financial organization. The theoretical foundation for the second phase is based was Clegg\u27s (2002) Circuits of Power. A conceptual framework for this phase utilizes this theory. This framework guides the study of power relationships and how they might affect the formulation and implementation of IS Security policy in this organization. The case study demonstrates that power relationships have a clear impact on the formulation and implementation of IS security policy. Though there is a strong security culture at the organization and a well defined set of processes, an improvement in the process and ensuing security culture is possible by accounting for the effect of power relationships

Small TCBs of policy-controlled operating systems

IT Systeme mit qualitativ hohen Sicherheitsanforderungen verwenden zur Beschreibung, Analyse und Implementierung ihrer Sicherheitseigenschaften zunehmend problemspezifische Sicherheitspolitiken, welche ein wesentlicher Bestandteil der Trusted Computing Base (TCB) eines IT Systems sind. Aus diesem Grund sind die Korrektheit und Unumgehbarkeit der Implementierung einer TCB entscheidend, um die geforderten Sicherheitseigenschaften eines Systems herzustellen, zu wahren und zu garantieren. Viele der heutigen Betriebssysteme zeigen, welche Herausforderung die Realisierung von Sicherheitspolitiken darstellt; seit mehr als 40 Jahren unterstützen sie wahlfreie identitätsbasierte Zugriffssteuerungspolitiken nur rudimentär. Dies führt dazu, dass große Teile der Sicherheitspolitiken von Anwendersoftware durch die Anwendungen selbst implementiert werden. Infolge dessen sind die TCBs heutiger Betriebssysteme groß, heterogen und verteilt, so dass die exakte Bestimmung ihres Funktionsumfangs sehr aufwendig ist. Im Ergebnis sind die wesentlichen Eigenschaften von TCBs - Korrektheit, Robustheit und Unumgehbarkeit - nur schwer erreichbar. Dies hat zur Entwicklung von Politik gesteuerten Betriebssystemen geführt, die alle Sicherheitspolitiken eines Betriebssystems und seiner Anwendungen zentral zusammenfassen, indem sie Kernabstraktionen für Sicherheitspolitiken und Politiklaufzeitumgebungen anbieten. Aktuelle Politik gesteuerte Betriebssysteme basieren auf monolithischen Architekturen, was dazu führt, dass ihre Komponenten zur Durchsetzung ihrer Politiken im Betriebssystemkern verteilt sind. Weiterhin verfolgen sie das Ziel, ein möglichst breites Spektrum an Sicherheitspolitiken zu unterstützen. Dies hat zur Folge, dass ihre Laufzeitkomponenten für Politikentscheidung und -durchsetzung universal sind. Im Ergebnis sind ihre TCB-Implementierungen groß und komplex, so dass der TCB- Funktionsumfang nur schwer identifiziert werden kann und wesentliche Eigenschaften von TCBs nur mit erhöhtem Aufwand erreichbar sind. Diese Dissertation verfolgt einen Ansatz, der die TCBs Politik gesteuerter Betriebssysteme systematisch entwickelt. Die Idee ist, das Laufzeitsystem für Sicherheitspolitiken so maßzuschneidern, dass nur die Politiken unterstützt werden, die tatsächlich in einer TCB vorhanden sind. Dabei wird der Funktionsumfang einer TCB durch kausale Abhängigkeiten zwischen Sicherheitspolitiken und TCB-Funktionen bestimmt. Das Ergebnis sind kausale TCBs, die nur diejenigen Funktionen enthalten, die zum Durchsetzen und zum Schutz der vorhandenen Sicherheitspolitiken notwendig sind. Die präzise Identifikation von TCB-Funktionen erlaubt, die Implementierung der TCB-Funktionen von nicht-vertrauenswürdigen Systemkomponenten zu isolieren. Dadurch legen kausale TCBs die Grundlage für TCB-Implementierungen, deren Größe und Komplexität eine Analyse und Verifikation bezüglich ihrer Korrektheit und Unumgehbarkeit ermöglichen. Kausale TCBs haben ein breites Anwendungsspektrum - von eingebetteten Systemen über Politik gesteuerte Betriebssysteme bis hin zu Datenbankmanagementsystemen in großen Informationssystemen.Policy-controlled operating systems provide a policy decision and enforcement environment to protect and enforce their security policies. The trusted computing base (TCB) of these systems are large and complex, and their functional perimeter can hardly be precisely identified. As a result, a TCB's correctness and tamper-proofness are hard to ensure in its implementation. This dissertation develops a TCB engineering method for policy-controlled operating systems that tailors the policy decision and enforcement environment to support only those policies that are actually present in a TCB. A TCB's functional perimeter is identified by exploiting causal dependencies between policies and TCB functions, which results in causal TCBs that contain exactly those functions that are necessary to establish, enforce, and protect their policies. The precise identification of a TCB's functional perimeter allows for implementing a TCB in a safe environment that indeed can be isolated from untrusted system components. Thereby, causal TCB engineering sets the course for implementations whose size and complexity pave the way for analyzing and verifying a TCB's correctness and tamper-proofness.Auch im Buchhandel erhältlich: Small TCBs of policy-controlled operating systems / Anja Pölck Ilmenau : Univ.-Verl. Ilmenau, 2014. - xiii, 249 S. ISBN 978-3-86360-090-7 Preis: 24,40

Lattice-Based Enforcement of Chinese Walls

The Chinese Wall policy was identi#ed and so named by Brewer and Nash #2#. This policy arises in the #nancial segment of the commercial sector, which provides consulting services to other companies. Consultants naturally have to deal with con#dential company information for their clients. The objective of the Chinese Wall policy is to prevent information #ows which cause con#ict of interest for individual consultants. Brewer and Nash develop a mathematical model of the Chinese Wall policy, on the basis of which they claim that this policy #cannot be correctly represented by a Bell-LaPadula model." In this paper we demonstrate that the Brewer-Nash model is too restrictive to be employed in a practical system. This is due to their treatment of users and subjects as synonymous concepts, with the consequence that they do not distinguish security policy as applied to human users versus security policy as applied to computer subjects. By maintaining a careful distinction between..