Access control via belnap logic: intuitive, expressive, and analyzable policy composition

Access control to IT systems increasingly relies on the ability to compose policies. There is thus bene t in any framework for policy composition that is intuitive, formal (and so \an- alyzable" and \implementable"), expressive, independent of speci c application domains, and yet able to be extended to create domain-speci c instances. Here we develop such a framework based on Belnap logic. An access-control policy is interpreted as a four-valued predicate that maps access requests to either grant, deny, con ict, or unspeci ed { the four values of the Bel- nap bilattice. We de ne an expressive access-control policy language PBel, having composition operators based on the operators of Belnap logic. Natural orderings on policies are obtained by lifting the truth and information orderings of the Belnap bilattice. These orderings lead to a query language in which policy analyses, e.g. con ict freedom, can be speci ed. Policy analysis is supported through a reduction of the validity of policy queries to the validity of propositional formulas on predicates over access requests. We evaluate our approach through rewall policy and RBAC policy examples, and discuss domain-speci c and generic extensions of our policy language

Tipski sistemi za kontrolu memorije i prava pristupa

Three issues will be elaborated and disussed in the proposed thesis. The first is administration and control of data access rights in networks with XML data, with emphasis on data security. The second is the administration and control of access rights to data in computer networks with RDF data, with emphasis on data privacy. The third is prevention of errors and memory leaks, as well as communication errors, generated by programs written in Sing # language in the presence of exceptions. For all three issues, there will be presented formal models with corresponding type systems and showed the absence of undesired behavior i.e. errors in networks or programs.У тези су разматрана три проблема. Први је администрација и контрола права приступа података у рачунарској мрежи са XML подацима, са нагласком на безбедости посматраних података. Други је администрација и котрола права приступа подацима у рачунарској мрежи са RDF подацима, са нагласком на приватности посматраних података. Трећи је превенција грешака и цурења меморије, као и грешака у комуникацији генерисаним програмима написаних на језику Sing# у којима су присутни изузеци. За сва три проблема биће предложени формални модели и одговарајући типски системи помоћу којих се показује одсуство неповољних понашања тј. грешака у мрежама односно програмима.U tezi su razmatrana tri problema. Prvi je administracija i kontrola prava pristupa podataka u računarskoj mreži sa XML podacima, sa naglaskom na bezbedosti posmatranih podataka. Drugi je administracija i kotrola prava pristupa podacima u računarskoj mreži sa RDF podacima, sa naglaskom na privatnosti posmatranih podataka. Treći je prevencija grešaka i curenja memorije, kao i grešaka u komunikaciji generisanim programima napisanih na jeziku Sing# u kojima su prisutni izuzeci. Za sva tri problema biće predloženi formalni modeli i odgovarajući tipski sistemi pomoću kojih se pokazuje odsustvo nepovoljnih ponašanja tj. grešaka u mrežama odnosno programima

A model checking-based approach for security policy verification of mobile systems

International audienceThis article describes an approach for the automated verification of mobile systems. Mobile systems are characterized by the explicit notion of (e.g., sites where they run) and the ability to execute at different locations, yielding a number of security issues. To this aim, we formalize mobile systems as Labeled Kripke Structures, encapsulating the notion of that describes the hierarchical nesting of the threads constituting the system. Then, we formalize a generic that includes rules for expressing and manipulating the code location. In contrast to many other approaches, our technique supports both access control and information flow specification. We developed a prototype framework for model checking of mobile systems. It works directly on the program code (in contrast to most traditional process-algebraic approaches that can model only limited details of mobile systems) and uses abstraction-refinement techniques, based also on location abstractions, to manage the program state space. We experimented with a number of mobile code benchmarks by verifying various security policies. The experimental results demonstrate the validity of the proposed mobile system modeling and policy specification formalisms and highlight the advantages of the model checking-based approach, which combines the validation of security properties with other checks, such as the validation of buffer overflows

Aspect-based approach to modeling access control policies, An

Department Head: L. Darrell Whitley.2007 Spring.Includes bibliographical references (pages 119-126).Access control policies determine how sensitive information and computing resources are to be protected. Enforcing these policies in a system design typically results in access control features that crosscut the dominant structure of the design (that is, features that are spread across and intertwined with other features in the design). The spreading and intertwining of access control features make it difficult to understand, analyze, and change them and thus complicate the task of ensuring that an evolving design continues to enforce access control policies. Researchers have advocated the use of aspect-oriented modeling (AOM) techniques for addressing the problem of evolving crosscutting features. This dissertation proposes an approach to modeling and analyzing crosscutting access control features. The approach utilizes AOM techniques to isolate crosscutting access control features as patterns described by aspect models. Incorporating an access control feature into a design involves embedding instantiated forms of the access control pattern into the design model. When composing instantiated access control patterns with a design model, one needs to ensure that the resulting composed model enforces access control policies. The approach includes a technique to verify that specified policies are enforced in the composed model. The approach is illustrated using two well-known access control models: the Role- Based Access Control (RBAC) model and the Bell-LaPadula (BLP) model. Features that enforce RBAC and BLP models are described by aspect models. We show how the aspect models can be composed to create a new hybrid access control aspect model. We also show how one can verify that composition of a base (primary) design model and an aspect model that enforces specified policies produces a composed model in which the policies are still enforced

Small TCBs of policy-controlled operating systems

IT Systeme mit qualitativ hohen Sicherheitsanforderungen verwenden zur Beschreibung, Analyse und Implementierung ihrer Sicherheitseigenschaften zunehmend problemspezifische Sicherheitspolitiken, welche ein wesentlicher Bestandteil der Trusted Computing Base (TCB) eines IT Systems sind. Aus diesem Grund sind die Korrektheit und Unumgehbarkeit der Implementierung einer TCB entscheidend, um die geforderten Sicherheitseigenschaften eines Systems herzustellen, zu wahren und zu garantieren. Viele der heutigen Betriebssysteme zeigen, welche Herausforderung die Realisierung von Sicherheitspolitiken darstellt; seit mehr als 40 Jahren unterstützen sie wahlfreie identitätsbasierte Zugriffssteuerungspolitiken nur rudimentär. Dies führt dazu, dass große Teile der Sicherheitspolitiken von Anwendersoftware durch die Anwendungen selbst implementiert werden. Infolge dessen sind die TCBs heutiger Betriebssysteme groß, heterogen und verteilt, so dass die exakte Bestimmung ihres Funktionsumfangs sehr aufwendig ist. Im Ergebnis sind die wesentlichen Eigenschaften von TCBs - Korrektheit, Robustheit und Unumgehbarkeit - nur schwer erreichbar. Dies hat zur Entwicklung von Politik gesteuerten Betriebssystemen geführt, die alle Sicherheitspolitiken eines Betriebssystems und seiner Anwendungen zentral zusammenfassen, indem sie Kernabstraktionen für Sicherheitspolitiken und Politiklaufzeitumgebungen anbieten. Aktuelle Politik gesteuerte Betriebssysteme basieren auf monolithischen Architekturen, was dazu führt, dass ihre Komponenten zur Durchsetzung ihrer Politiken im Betriebssystemkern verteilt sind. Weiterhin verfolgen sie das Ziel, ein möglichst breites Spektrum an Sicherheitspolitiken zu unterstützen. Dies hat zur Folge, dass ihre Laufzeitkomponenten für Politikentscheidung und -durchsetzung universal sind. Im Ergebnis sind ihre TCB-Implementierungen groß und komplex, so dass der TCB- Funktionsumfang nur schwer identifiziert werden kann und wesentliche Eigenschaften von TCBs nur mit erhöhtem Aufwand erreichbar sind. Diese Dissertation verfolgt einen Ansatz, der die TCBs Politik gesteuerter Betriebssysteme systematisch entwickelt. Die Idee ist, das Laufzeitsystem für Sicherheitspolitiken so maßzuschneidern, dass nur die Politiken unterstützt werden, die tatsächlich in einer TCB vorhanden sind. Dabei wird der Funktionsumfang einer TCB durch kausale Abhängigkeiten zwischen Sicherheitspolitiken und TCB-Funktionen bestimmt. Das Ergebnis sind kausale TCBs, die nur diejenigen Funktionen enthalten, die zum Durchsetzen und zum Schutz der vorhandenen Sicherheitspolitiken notwendig sind. Die präzise Identifikation von TCB-Funktionen erlaubt, die Implementierung der TCB-Funktionen von nicht-vertrauenswürdigen Systemkomponenten zu isolieren. Dadurch legen kausale TCBs die Grundlage für TCB-Implementierungen, deren Größe und Komplexität eine Analyse und Verifikation bezüglich ihrer Korrektheit und Unumgehbarkeit ermöglichen. Kausale TCBs haben ein breites Anwendungsspektrum - von eingebetteten Systemen über Politik gesteuerte Betriebssysteme bis hin zu Datenbankmanagementsystemen in großen Informationssystemen.Policy-controlled operating systems provide a policy decision and enforcement environment to protect and enforce their security policies. The trusted computing base (TCB) of these systems are large and complex, and their functional perimeter can hardly be precisely identified. As a result, a TCB's correctness and tamper-proofness are hard to ensure in its implementation. This dissertation develops a TCB engineering method for policy-controlled operating systems that tailors the policy decision and enforcement environment to support only those policies that are actually present in a TCB. A TCB's functional perimeter is identified by exploiting causal dependencies between policies and TCB functions, which results in causal TCBs that contain exactly those functions that are necessary to establish, enforce, and protect their policies. The precise identification of a TCB's functional perimeter allows for implementing a TCB in a safe environment that indeed can be isolated from untrusted system components. Thereby, causal TCB engineering sets the course for implementations whose size and complexity pave the way for analyzing and verifying a TCB's correctness and tamper-proofness.Auch im Buchhandel erhältlich: Small TCBs of policy-controlled operating systems / Anja Pölck Ilmenau : Univ.-Verl. Ilmenau, 2014. - xiii, 249 S. ISBN 978-3-86360-090-7 Preis: 24,40

Approches formelles pour la modélisation et la vérification du contrôle d'accès et des contraintes temporelles dans les systèmes d'information

RÉSUMÉ Nos travaux de recherche s’inscrivent dans un cadre qui vise à développer des approches formelles pour aider à concevoir des systèmes d’information avec un bon niveau de sûreté et de sécurité. Précisément, il s’agit de disposer d’approches pour vérifier qu’un système fonctionne correctement et qu’il implémente une politique de sécurité qui répond à ses besoins spécifiques en termes de confidentialité, d’intégrité et de disponibilité des données. Notre recherche s’est ainsi construite autour de la volonté de développer, valoriser et élargir l’utilisation des réseaux de Petri en tant qu’outil de modélisation et le model-checking en tant que technique de vérification. Notre principal objectif est d’exprimer la dimension temporelle de manière quantitative pour vérifier des propriétés temporelles telles que la disponibilité des données, la durée d’exécution des tâches, les deadlines, etc. Tout d’abord, nous proposons une extension du modèle TSCPN (Timed Secure Colored Petri Net), initialement présenté dans mon mémoire de maˆıtrise. Le modèle TSCPN permet de modéliser et de raisonner sur les droits d’accès aux données exprimés via une politique de contrôle d’accès mandataire, i.e. Modèle de Bell-LaPadula. Ensuite, nous investigons l’idée d’utiliser les réseaux de Petri colorés pour représenter les politiques de contrôle d’accès à base de rôles (Role Based Access Control - RBAC). Notre objectif est de fournir des guides précis pour aider à la spécification d’une politique RBAC cohérente et complète, appuyée par les réseaux de Petri colorés et l’outil CPNtools. Finalement, nous proposons d’enrichir la classe des réseaux de Petri temporels par une nouvelle extension qui permet d’exprimer plus d’un seul type de contraintes temporelles. Il s’agit du modèle TAWSPN (Timed Arc Petri net - Weak and Strong semantics). Notre but étant d’offrir une grande flexibilité dans la modélisation de systèmes temporisés complexes sans complexifier les méthodes d’analyse classiques. En effet, le modèle TAWSPN offre une technique de modelchecking, basée sur la construction de graphes des zones (Gardey et al., 2003), comparables à celles des autres extensions temporelles des réseaux de Petri. ----------ABSTRACT Our research is integrated within a framework that aims to develop formal approaches to help in the design of information systems with a good level of safety and security. Specifically, these approaches have to verify that a system works correctly and that it implements a security policy that meets its specific needs in terms of data confidentiality, integrity and availability. Our research is thus built around the aim to develop, enhance and expand the use of Petri nets as a modeling tool and the Model-checking as a verification technique. Our main objective is to express the temporal dimension in order to check quantitative temporal properties such as data availability, task execution duration, deadlines, etc. First, we propose an extension of the TSCPN (Timed Secure Colored Petri Net) model, originally presented in my master’s thesis. This model allows representing and reasoning about access rights, expressed via a mandatory access control policy, i.e. Bell-LaPadula model. In a second step, we investigate the idea of using colored Petri nets to represent role based access control policies (RBAC). Our goal is to provide specific guidelines to assist in the specification of a coherent and comprehensive RBAC, supported by colored Petri nets and CPNtools. Finally, we propose to enrich the class of time Petri nets by a new extension that allows to express more than one kind of time constraint, named TAWSPN (Timed-Arc Petri net Weak and Strong semantics). Our goal is to provide great flexibility in modeling complex systems without complicating the conventional methods of analysis. Indeed, the TAWSPN model offers a model-checking technique based on the construction of zone graphs (Gardey et al., 2003), comparable to those of other extensions of timed Petri net

Broadening the Scope of Security Usability from the Individual to the Organizational : Participation and Interaction for Effective, Efficient, and Agile Authorization

Restrictions and permissions in information systems -- Authorization -- can cause problems for those interacting with the systems. Often, the problems materialize as an interference with the primary tasks, for example, when restrictions prevent the efficient completing of work and cause frustration. Conversely, the effectiveness can also be impacted when staff is forced to circumvent the measure to complete work -- typically sharing passwords among each other. This is the perspective of functional staff and the organization. There are further perspectives involved in the administration and development of the authorization measure. For instance, functional staff need to interact with policy makers who decide on the granting of additional permissions, and policy makers, in turn, interact with policy authors who actually implement changes. This thesis analyzes the diverse contexts in which authorization occurs, and systematically examines the problems that surround the different perspectives on authorization in organizational settings. Based on prior research and original research in secure agile development, eight principles to address the authorization problems are identified and explored through practical artifacts

Secure platforms for enforcing contextual access control

Advances in technology and wide scale deployment of networking enabled portable devices such as smartphones has made it possible to provide pervasive access to sensitive data to authorized individuals from any location. While this has certainly made data more accessible, it has also increased the risk of data theft as the data may be accessed from potentially unsafe locations in the presence of untrusted parties. The smartphones come with various embedded sensors that can provide rich contextual information such as sensing the presence of other users in a context. Frequent context profiling can also allow a mobile device to learn its surroundings and infer the familiarity and safety of a context. This can be used to further strengthen the access control policies enforced on a mobile device. Incorporating contextual factors into access control decisions requires that one must be able to trust the information provided by these context sensors. This requires that the underlying operating system and hardware be well protected against attacks from malicious adversaries. ^ In this work, we explore how contextual factors can be leveraged to infer the safety of a context. We use a context profiling technique to gradually learn a context\u27s profile, infer its familiarity and safety and then use this information in the enforcement of contextual access policies. While intuitive security configurations may be suitable for non-critical applications, other security-critical applications require a more rigorous definition and enforcement of contextual policies. We thus propose a formal model for proximity that allows one to define whether two users are in proximity in a given context and then extend the traditional RBAC model by incorporating these proximity constraints. Trusted enforcement of contextual access control requires that the underlying platform be secured against various attacks such as code reuse attacks. To mitigate these attacks, we propose a binary diversification approach that randomizes the target executable with every run. We also propose a defense framework based on control flow analysis that detects, diagnoses and responds to code reuse attacks in real time