![Page 1: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/1.jpg)
September 2006
1
Security policy systems and their consistency problems
Luigi Logrippo, Kamel AdiUniversité du Québec en Outaouais
![Page 2: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/2.jpg)
2
Research at the UQOComputer Science and Engineering
Canada Research Chair in PhotonicsUniversity Research Chair in Distributed
ComputingSecurity Laboratory
My colleague Kamel Adi We organized 3 international workshops on Access
control and security in the past couple of yearsWe have also research labs in multimedia,
robotics, hardware design, wireless communications, etc.
Master’s and PhD program
![Page 3: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/3.jpg)
3
Our Claim
Formal auditing and formal verification of security policies is becoming possible by the use of logic tools
![Page 4: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/4.jpg)
4
Formal auditing of accounts
$15,000.00+$ 5,000.00+$ 3,000.00-
$17,000.00
Has a company made 17,000 if it has had incomes of 15,000 and 5,000, and loss of 3,000?
![Page 5: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/5.jpg)
5
Formal auditing of security policies
Can nurses gain access to accounting information in a hospital?
Only employees in the accounting department can access acct info
Nurses are in the patient care department
No employees can be in both patient care and accounting
No nurse can gain accept to accounting information
This is formally verifiable if enterprise policies are expressed in a suitable formal language
![Page 6: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/6.jpg)
6
Policy languages for customizing enterprise systems
Policy languages are already being used in order to express enterprise policies in many applications. Examples: Firewalls Access control (e.g. language XACML, SiteMinder) Security models (Bell-LaPadula, Chinese Wall, RBAC…) Identity identification Telecommunications features, call control Telecommunications routers Web services orchestration and choreography (e.g. language
BPEL) E-commerce
![Page 7: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/7.jpg)
7
Policy sources
Enterprise policies can be formalized in computer language, or be in printed regulations, or be in the ‘memory’ of the enterprise
Policies can originate in several different places in an enterprise Can be attached to administrative units or roles
Can be created by agreements, internal or externalPolicies come and go as the enterprise evolves
![Page 8: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/8.jpg)
8
We’ll start with a simpler problem Policy consistency
![Page 9: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/9.jpg)
9
Policy consistency
Policies must be mutually consistent in order to work together Inconsistency of policies can lead to inability to take
a decision in a particular situation Or to the wrong decision being taken
Research issues: How to check policy consistency How to maintain policy consistency
![Page 10: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/10.jpg)
10
Approach
Consistency is a logical problem Tools to perform ‘efficient’ consistency checking are
becoming availableTranslate policies in logic formalismUse logic tools to check consistency:
Model checkers Theorem provers
Once an inconsistency has been identified, it must be reported to user to check if it is intended
![Page 11: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/11.jpg)
11
Required: a formal model of the enterprise
Of the organization structure Of all policies in an organization Not too much to ask?
partial models can be sufficient in many cases
![Page 12: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/12.jpg)
12
Results: 1. XACML case study
XACML: A language to specify access control constraints to computing resources To files, equipment, web services …
OASIS standard
Some functionalities of XACML are present in SiteMinder, to which our approach may apply
![Page 13: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/13.jpg)
13
Access Control Applications
Access control is becoming very important in the presence of strict accessibility and privacy laws And the possibility of remote access via web services
Example: in a hospital Statistician can access files for reading patient data, but not
names Physician can access for read/write most info for her patients
But not billing info Patient can read selected information on her record Accountant can only access accounting info Etc. etc.
![Page 14: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/14.jpg)
14
<Rule RuleId="Rule1" Effect="Permit"><Description> A professor can perform any action on the file of the course she teaches </Description>
<Target><Subjects>
<Subject><SubjectMatch MatchId="string-equal">
<AttributeValue DataType="string"> Professor </AttributeValue><SubjectAttributeDesignator AttributeId="Role" DataType="string"/>
</SubjectMatch> </Subject>
</Subjects><Resources><AnyResource/></Resources><Actions> <AnyAction/> </Actions>
</Target><condition>
<Apply FunctionId="function:string-is-in"><Apply FunctionId="function:string-one-and-only">
<ResourceAttributeDesignator AttributeId="courses" Datatype="string"/></Apply><SubjectAttributeDesignator AttributeId="taught_courses" Datatype="string"/>
</Apply></condition>
</Rule>
Example of XACML Rule
![Page 15: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/15.jpg)
15
Checking Access Control Policies
Policies can be translated in logic notation, and consistency checks can be run
![Page 16: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/16.jpg)
16
Possible relationships between targets
DisjunctionNon-empty
intersectionInclusionEquality
Of: Subjects Resources Actions
![Page 17: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/17.jpg)
17
Disjunction
There is disjunction between targets if subjects, resources, and actions are all distinct
Disjunction between the targets of two policy sets, policies, or rules means that there is no case in which both are applicable
OK, then
![Page 18: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/18.jpg)
18
Non-empty Intersection
There is nonempty intersection between two targets if: The set of subjects intersect and The set of resources intersect and The set of actions intersect
Example: (deny) (Executives) (databases A, B, C) (action read, write) (accept) (Employees) (database B, D) (action write)
Executives, being employees, have conflicting write rights on B
![Page 19: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/19.jpg)
19
How to fix?
Non-empty intersections must be reported to user
Indicate that some relationships may not have been thought out
But the following are interesting special cases
![Page 20: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/20.jpg)
20
Inclusion of target T1 in target T2(special case of nonempty intersection)
There is inclusion between two targets if: The set of subjects of T1 is included in the set of subjects of
T2 and The set of resources of T1 is included in the set of
resources of T2 and The set of actions of T1 is included in the set of actions of
T2Example:
(accept) (executives) (database B) (action write) (deny) (employees) (database A,B,C) (any action)
![Page 21: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/21.jpg)
21
Is there something to fix?
The included case can be wanted as an exception but: Check that the exception is really wanted
(accept) (executives) (database B) (action write) (deny) (employees) (database A,B,C) (any action)
![Page 22: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/22.jpg)
22
Equality(special case of nonempty intersection)
Subjects, target, action are all the same Almost certainly, an error
![Page 23: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/23.jpg)
23
Proof of concept:2. Firewall case study
Contrary to XACML, where all rules must be considered, in firewalls rules are considered top-down, The first applicable rule is used, all the following ones are
skipped So in principle inconsistencies are impossible, however if
there are two rules that lead to different decisions, one of them may have been included by error
Hence it is a safe strategy to look for inconsistencies among rules
![Page 24: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/24.jpg)
24
Domain intersections, again
As in the previous case, domain intersections are symptoms of possible errors, but the order is important
![Page 25: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/25.jpg)
25
Shadowing
A rule is preceded by a more general one with different outcome Refuse all packets from port 25 Accept all packets from port 25 but from domain CA
(the second rule is ineffective)
![Page 26: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/26.jpg)
26
How to fix
Either take out the second rule,Or if the second rule is a desired exception,
move it ahead
![Page 27: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/27.jpg)
27
Generalization
A rule is followed by a more general one but with a different outcome Accept all packets from port 25 and from domain CA Refuse all packets from port 25
(the first rule is an exception wrt to the first one) (it must be checked whether the exception is desired)
![Page 28: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/28.jpg)
28
Is there something to fix?
Check that the exception is really wanted
![Page 29: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/29.jpg)
29
Other cases…
There are other cases of nonempty intersection between the domains of applicability of two rules
They should be detected and pointed out to user because they could be the result of user errors
![Page 30: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/30.jpg)
30
User Interfaces for policy creation
Ideally, policies should be created and modified directly by privacy specialists Often people with limited computing expertise
These people should be able to Enter policies by clicking on boxes
Or in English-like language Obtain diagnostics in clear Exercise different cases
What will happen if Joe wants to write on file X?Need of appropriate GUIs
![Page 31: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/31.jpg)
31
Decisions and user intentions
Since systems can have many rules, the existence of different rules for the same cases indicates the possibility of user error Some user intention which is not properly
represented
![Page 32: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/32.jpg)
32
Difficulty of the detection problem
In principle, the detection of inconsistencies is a constraint satisfaction problem Exponential complexity
However the examples we have seen have few variables, thus problem is still tractable
![Page 33: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/33.jpg)
33
Research tools to be considered
Coq, a theorem-proving tool developed at INRIAAlloy, a model-checker developed at MITZ-Eves, Canadian product, much used in
researchConstraint programming languages, e.g.
Constraint PrologImplementation in standard programming
languages such as C is possible, but requires more work
![Page 34: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/34.jpg)
34
Security agreements
WS-Policy Framework and other related standards establish rules by which parties can agree on security rules for a transaction
Each party will advertise own security policy wrt signatures, encryption, etc.
Are the requirements of the various parties mutually consistent?
Are the requirements of one a special case of the requirements of the other
Are there ways that the requirements can be reconciled?
![Page 35: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/35.jpg)
35
Privacy and secrecy models
Main privacy/secrecy models known: Bell-LaPadula Chinese Wall RBAC Delegation models
Can they be reconciled? Our work is showing that they can be combined
together However conditions should be added in each case
![Page 36: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/36.jpg)
36
E.g. effects of models on delegation
Chinese Wall is being used A and B are in different domains So they cannot delegate to each other
Bell-LaPadula is being used A can delegate to B if and only if
A and B have equal clearance level B has higher clearance level than A
These facts we can prove automatically by using our automated system
They are for themselves fairly simple, however much more complex properties can also be proven.
![Page 37: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/37.jpg)
37
Many applications
These ideas are of very general application, not at all limited to the case studies we have mentioned
E.g. in the case of identity management, we can have sets of policies that can be partially inconsistent
![Page 38: September 2006 1 Security policy systems and their consistency problems Luigi Logrippo, Kamel Adi Université du Québec en Outaouais luigi@uqo.ca](https://reader035.vdocuments.mx/reader035/viewer/2022062717/56649e4e5503460f94b44667/html5/thumbnails/38.jpg)
38
ConclusionsStrict accessibility and privacy laws will require
increasing attention to this areaSecurity can be compromised by inappropriately
formulated access control rulesFormal methods will allow formal auditing and
verification of accessibility and privacy policies, as precise as formal accounting of financial records!
Tools to do this are available, but must be adapted