complex security policies
DESCRIPTION
Complex Security Policies. Dave Andersen Advanced Operating Systems Georgia State University. Part 1. Presentation of Material from Text Book Chapter 8.6.1. Stateless vs. State-Dependent Security Policies. - PowerPoint PPT PresentationTRANSCRIPT
Complex Security Policies
Dave AndersenAdvanced Operating Systems
Georgia State University
Part 1
Presentation of Materialfrom Text Book
Chapter 8.6.1
Stateless vs. State-Dependent Security Policies
The Access Control List (ACL) and Capability List (CL) security models are stateless. Properties remain fixed unless explicitly changed by the server.
Complex Access Control Policies are state dependent. Authorization of access depends on subjects past history and interaction with other objects.
[1998 Chow and Johnson]
Information Flow Control
When information flow is built on lattices information can only flow between components of the lattice in the direction the lattice permits.
Flow properties of the lattice model include: Transitivity: A->B and B->C implies A->C Aggregation: A->C and B->C implies A U B ->C Separability: A U B ->C implies A->C and B->C
Some applications require information flow which violates properties of the lattice. [1998 Chow and Johnson]
Exceptions to Lattice Model
[1998 Chow and Johnson]
Example of a Complex Access Control Policy
Computer Automated Bank Loan Application Only clerk(S1) can prepare loan application (write
permissions for object O). One of two bank officers, the manager (S2) or accountant
(S3) (but not both) must approve the application (append permissions).
Approved loan is the appended with electronic check signed by both bank manager (S2) and cashier (S4) .
Graphical Representation
[1998 Chow and Johnson]
Security Issues
Only subjects with write permissions can alter electronic document. Must be able to authenticate digital signatures. Enforce a transitivity exception to write access: clerk cannot alter document
once it has been approved. Enforce sequence order of writes: application, approval, then check. Enforce aggregation exception: either manager or accountant approves loan,
not both (and therefore once approved by one it cannot be disapproved by another).
Check must be signed by both manager and cashier (separation exception).
[1998 Chow and Johnson]
Challenge: Simple Model for Implementing Complex Policy
First two issues (write permissions and digital signatures) are solved.
As of book publishing – solution doesn’t exist for the others. First Possibility - Maintain Finite State Machines for each
object. Unfortunately, not simple or efficient. Second Possibility: Boolean representation of access rules.
• ACEw(O) = A+ B XOR C + B AND D• Achieves simplicity and efficiency, but lacks state
information for proper rule enforcement. [1998 Chow and Johnson]
Storing State Information
Storing State Information on Server File must be updated with each access.
Storing State Information on Client: Eliminates need to update file with every access. But, may affect clients ability to access other objects. And, difficult to propagate state information to other
clients. Author’s Conclusion: Use Server.
Part 2
Current Research
Current Research
A Software Architecture for Automatic Security Policy Enforcement in Distributed Systems [2007 Hamdi, Bouhoula, Mosbah]
Authors propose:Policy Specification ToolEnforcement and Verification EngineAutomatically Generated Enforcement Mechanisms
Policy Programming Language
PPL is used to define the policies and rules that apply to an object or group of objects and the actions that should be taken when a constraint is matched.
Uses Backus–Naur Form (BNF) Syntax
Proposed System Architecture
[2007 Hamdi, Bouhoula, and Mosbah]
Policy Enforcement
Portability - PPL is compiled into monitors and configurations for a specific system platform.
PPL compilation allows for the detection of policy conflicts.
All security checks and state management operations occur at entry and exit of policy enforcement point.
Part 3
Future Directions
Automated Security Testing?
Security Policies can be very complex—
Can a program/system be developed to either prove or disprove (find security holes) in a set of rules or policies of a given system.
References
Randy Chow and Theodore Johnson, Distributed Operating Systems & Algorithms, Addison Wesley Longman, Inc., Reading, MA, 1997.
H. Hamdi, A. Bouhoula, M. Mosbah, “A Software Architecture for Automatic Security Policy Enforcement in Distributed Systems”, SecureWare 2007, The International Conference on Emerging Security Information Systems and Technologies, October 14-20, 2007, pages 187-192.
Questions?