C Consiglio Nazionale delle Ricerche - PisaIit Istituto per l’Informatica e la Telematica
Reasoning about Secure Interoperation using Soft Constraints
Stefano Bistarelli, Dipartimento di Scienze, Università di Pescara, Italy; IIT, CNR, Pisa, Italy
Simon Foley, Barry O’Sullivan, Department of Computer Science, University College Cork, Ireland
Speaker: Stefano Bistarelli
Thanks to my co-authors….
Barry O’Sullivan, University College Cork, Ireland; Cork Constraint Computation Centre; Constraints
Simon Foley, University College Cork, Ireland; Security, Policy, Formal Methods
Motivations
[Figure: two separately administered systems, an Admin System and a Sales System]
Basic Security Modeling
[Figure: a Subject performs an Operation on an Object through a Security Mechanism, which is governed by the Security Policy]
Subject: processes, … Objects: memory, files, …
Security policy defines rules that govern access to objects by subjects.
Security mechanism ensures security policy is upheld.
Secure Composition of Systems
Systems are individually secure. Is it safe to allow file sharing between the Personnel and Sales systems?
Clare is not authorized to access Bob’s files, but Clare may access Bob’s files via the Sales system. Need to reconfigure connections to close this circuitous access route [COLOPS2003, SAC2004, IAAI2004].
Need to reconfigure system access configurations!
[Figure: Admin System (Alice allowed access to Bob’s files) connected to Sales System (Clare allowed access to Alice’s files)]
Secure Interoperation
Computation Foundations [Gong & Qian, 1994]: analyzing the security of interoperating and individually secure systems can be done in polynomial time.
Given a non-secure network configuration, re-configuring the connections in an optimal way (to minimize the impact on interoperability) is NP-complete.
Talk Outline: describe how constraints provide a natural approach to modelling and solving the secure interoperation problem
Basic Security Modelling
Secure Composition of Systems
Secure Interoperation
What are Soft Constraints?
Semiring Framework
Using constraints for: Access Configuration, Access Reconfiguration, Access Interoperation, Dealing with Transitivity
Future Work
Crisp toward soft constraints
[Figure: a crisp constraint problem P = <V, D, C> with variables V = {x1, x2, x3, x4}, domains D given by x1 ∈ {red, blue, yellow}, x2 ∈ {blue, yellow}, x3 ∈ {red, blue}, x4 ∈ {yellow}, and constraints C = {pairwise-different}; the two operations on constraints are combination and projection]
Crisp toward soft constraints
[Figure: the same problem with a cost in $ attached to each tuple (5$, 3$, 2$, …); combination now adds costs (+) and projection keeps the cheapest (min); the totals shown are 15$ and 13$]
C-semiring <A, +, ×, 0, 1>, with instances:
Weighted: <ℝ⁺ ∪ {+∞}, min, +, +∞, 0>
Probabilistic: <[0,1], max, ×, 0, 1>
Fuzzy: <[0,1], max, min, 0, 1>
Classical: <{false, true}, ∨, ∧, false, true>
The Semiring Framework
A c-semiring is a tuple <A, +, ×, 0, 1> such that:
A is the set of all consistency values and 0, 1 ∈ A; 0 is the lowest consistency value and 1 is the highest consistency value;
+, the additive operator, is a closed, commutative, associative and idempotent operation such that 1 is its absorbing element and 0 is its unit element;
×, the multiplicative operator, is a closed and associative operation such that 0 is its absorbing element, 1 is its unit element and × distributes over +.
Stefano Bistarelli, Ugo Montanari, and Francesca Rossi, Semiring-based Constraint Solving and Optimization, Journal of the ACM, 44(2):201–236, Mar 1997.
Semiring-based Constraints
Given a semiring <A, +, ×, 0, 1> and an ordered set of variables V over a finite domain D, a constraint c is a function which maps an assignment η of the variables in the support of c, supp(c), to an element of A.
Notation: cη represents the constraint function c evaluated under instantiation η, returning a semiring value. Given two constraints c1 and c2, their combination is defined as (c1 ⊗ c2)η = c1η × c2η.
The operation ⊗C represents the combination of a set of constraints C.
a ≤ b iff a + b = b; c1 ⊑ c2 iff ∀η. c1η ≤ c2η.
Stefano Bistarelli, Ugo Montanari and Francesca Rossi, Soft Concurrent Constraint Programming, Proceedings of ESOP-2002, LNCS, April 2002.
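As an added worked example (not code from the slides or the paper), the definitions above run over two of the slides' semiring instances on the colouring problem of the "Crisp toward soft constraints" slides; the graph's edges and the cost per colour are assumptions of this example, the domains are the slide's:

```python
from itertools import product
from collections import namedtuple
# A c-semiring <A, +, x, 0, 1>; the instances are the standard ones named on the slides.
Semiring = namedtuple("Semiring", "plus times zero one")
WEIGHTED = Semiring(min, lambda a, b: a + b, float("inf"), 0)       # <R+, min, +, +inf, 0>
FUZZY = Semiring(max, min, 0.0, 1.0)                                 # <[0,1], max, min, 0, 1>
CLASSICAL = Semiring(lambda a, b: a or b, lambda a, b: a and b, False, True)

def leq(S, a, b):
    """Semiring order: a <= b iff a + b == b (b is at least as good as a)."""
    return S.plus(a, b) == b

def combine(S, constraints, domains):
    """(c1 (x) c2 (x) ...)eta = c1eta x c2eta x ... for every complete assignment eta.
    A constraint is (support variables, function of their values -> semiring value)."""
    names = list(domains)
    combined = {}
    for values in product(*(domains[v] for v in names)):
        eta = dict(zip(names, values))
        level = S.one
        for support, c in constraints:
            level = S.times(level, c(*(eta[v] for v in support)))
        combined[values] = level
    return combined

def project(S, combined):
    """Projection onto no variables: '+' over all assignments yields the best level."""
    best = S.zero
    for level in combined.values():
        best = S.plus(best, level)
    return best

# Constructed instance: domains from the slide; edges and unary colour costs are assumptions.
DOMAINS = {"x1": ["red", "blue", "yellow"], "x2": ["blue", "yellow"],
           "x3": ["red", "blue"], "x4": ["yellow"]}
EDGES = [("x1", "x2"), ("x1", "x3"), ("x2", "x4")]
COLOUR_COST = {"red": 2, "blue": 3, "yellow": 5}

def different(S):
    """Crisp pairwise-different on each edge: 1 if satisfied, 0 (absorbing for x) if not."""
    return [(edge, lambda u, v: S.one if u != v else S.zero) for edge in EDGES]

def best_colouring_cost():
    """Weighted semiring: hard edges plus a cost per chosen colour; min of the summed cost."""
    soft = different(WEIGHTED) + [((x,), lambda colour: COLOUR_COST[colour]) for x in DOMAINS]
    return project(WEIGHTED, combine(WEIGHTED, soft, DOMAINS))

def is_colourable():
    """Classical semiring: the crisp CSP; True iff some assignment satisfies every edge."""
    return project(CLASSICAL, combine(CLASSICAL, different(CLASSICAL), DOMAINS))
```

Swapping the semiring changes what combination and projection compute without changing the problem encoding, which is the point of the framework.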
Access Configuration
A collection of constraints between entities (subjects, objects) specifying access permissions, represented as a semiring S = <PERM, +, ×, 0, 1>; for example S_rw = <2^{r,w}, ∪, ∩, ∅, {r,w}> or S_bool = <{F,T}, ∨, ∧, F, T>.
[Figure: edge a → b labelled {w}, i.e. C_{S,O}(a,b) = {w}]
[Figure: in S_bool, an edge a → b labelled F stands for C_{S,O}(a,b) = F, the lowest permission value, and an edge labelled T for C_{S,O}(a,b) = T, the highest]
Access Configuration: Example
S_bool = <{F,T}, ∨, ∧, F, T>; C_{S,O}(b,a) = F, C_{S,O}(c,b) = F, and C_{S,O}(x,y) = T for every other pair.
[Figure: entities a, b, c drawn as a graph, built up over several animation steps]
Access Reconfiguration
Existing configuration C_S may be safely re-configured to C_S' when C_S' ⊑ C_S.
[Figure: the lattice of configurations from C_⊤ at the top down to C_⊥ at the bottom; the secure reconfigurations of C_S are the configurations C_S' below it in the ⊑ order]
Access Reconfiguration: Example
[Figure: a sequence of configurations over entities a, b, c whose edges are labelled with permission sets r, w or rw]
Access Interoperation
Has to be a secure reconfiguration of both the systems S1 and S3.
[Figure: C_S1 over entities a, b, c and C_S3 over entities a, c, d, sharing a and c]
Access Transitivity
[Figure: C_S1 over a, b, c and C_S3 over a, c, d; access is followed transitively across the shared entities of the two systems]
Access Transitivity vs non-transitivity
[Figure: the composition of C_S1 and C_S3 with access treated as transitive, compared with the composition where access is treated as non-transitive]
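An added example, not the authors' code, that puts the reconfiguration, interoperation and transitivity slides together over the S_rw semiring on the Alice/Bob/Clare scenario from the motivation; the permission sets and the chain rule for transitive access (intersection along a chain, union over chains) are assumptions of this example:

```python
from itertools import product

# S_rw from the slides: <2^{r,w}, union, intersection, {}, {r,w}>. Permissions are
# frozensets; + is union (join of alternatives), x is intersection (what both allow).
ONE = frozenset("rw")   # unconstrained pair: every access allowed (the slides' C(x,y) = T)
ENTITIES = ["alice", "bob", "clare"]

def leq(a, b):
    """Semiring order: a <= b iff a + b == b, i.e. a is at most as permissive as b."""
    return a | b == b

def perm(config, s, o):
    """C_{S,O}(s,o); pairs a system does not mention are unconstrained (ONE)."""
    return config.get((s, o), ONE)

def compose(c1, c2):
    """Pointwise combination c1 (x) c2 of two configurations (intersection in S_rw)."""
    return {(s, o): perm(c1, s, o) & perm(c2, s, o) for s, o in product(ENTITIES, repeat=2)}

def transitive_closure(config):
    """Assumed chain rule (a modelling choice of this example): a reaches c through b
    with the permissions common to both hops, joined over all chains, up to a fixpoint."""
    closed = compose(config, {})   # materialise every pair
    changed = True
    while changed:
        changed = False
        for a, b, c in product(ENTITIES, repeat=3):
            via = closed[(a, c)] | (closed[(a, b)] & closed[(b, c)])
            if via != closed[(a, c)]:
                closed[(a, c)], changed = via, True
    return closed

def violations(new, old):
    """Pairs where new is NOT a secure reconfiguration of old (new ⊑ old fails there)."""
    return sorted((s, o) for s, o in product(ENTITIES, repeat=2)
                  if not leq(perm(new, s, o), perm(old, s, o)))

# Constructed instance of the motivation slide (permission sets are assumptions).
ADMIN = {("alice", "bob"): frozenset("r"), ("clare", "bob"): frozenset()}  # Clare denied
SALES = {("clare", "alice"): frozenset("r")}

def check_interoperation(c1, c2):
    """Violations of each system once the composed configuration is closed transitively."""
    closed = transitive_closure(compose(c1, c2))
    return violations(closed, c1), violations(closed, c2)
```

Without the closure the composition is trivially a secure reconfiguration of both systems (an intersection is below both operands); the closure is what exposes Clare reaching Bob's files through Alice, and restricting the Sales edge Clare → Alice to ∅ closes the route.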
Where to from here?
Real world implementation: currently seeking funding to work with a company based in New Hampshire, USA.
Conclusion
We described how constraints provide a natural approach to modelling and solving the secure interoperation problem: access configuration, access reconfiguration, access interoperation and the transitivity of entities are all naturally represented with constraint operations.
Questions?
Thank you for your attention
You have been listening to:
“Reasoning about Secure Interoperation using Soft Constraints”
Stefano Bistarelli, Simon Foley and Barry O’Sullivan
Proceedings of FAST2004, pp. 183–196