group-centric models for secure and agile information sharingarchitectures for computer network...

Group-Centric Models for Secure and Agile Information Sharing

Ravi Sandhu

Executive Director and Endowed Professor

Institute for Cyber Security

Executive Director and Endowed ProfessorOctober 2010

[email protected], www.profsandhu.com, www.ics.utsa.edu

© Ravi Sandhu World-Leading Research with Real

Centric Models for Secure and Agile Information Sharing

Ravi Sandhu

Executive Director and Endowed Professor

Institute for Cyber Security

1

Executive Director and Endowed ProfessorOctober 2010

[email protected], www.profsandhu.com, www.ics.utsa.edu

Leading Research with Real-World Impact!

Goal: 4th

� 3 succesful access control models in 40+ years�Discretionary Access Control (DAC)�Mandatory Access Control (MAC)�Role-base Access Control (RBAC)

� Crucial ingredients for success�Strong mathematical foundations�Strong mathematical foundations�Strong intuitive foundations�Significant real-world deployment


th Element

3 succesful access control models in 40+ yearsDiscretionary Access Control (DAC)Mandatory Access Control (MAC)

base Access Control (RBAC)Crucial ingredients for success

Strong mathematical foundations

2

Strong mathematical foundationsStrong intuitive foundations

world deployment


What is the 4

� DAC – owner control� MAC – information flow� RBAC – organizational/social alignment� Dynamics/agility

�Unconstrained DAC: too loose, too fine�Group-centric conceived to fill this gap�Group-centric conceived to fill this gap


What is the 4th Element?

organizational/social alignment

Unconstrained DAC: too loose, too fine-grainedcentric conceived to fill this gap

3

centric conceived to fill this gap


Historical Aside on Dynamics/Agility

� Harrison, Russo and Ullman 1976: HRU�dynamics leads to undecidable safety

� Jones, Lipton, Snyder 1978: Take�simple models can be efficiently decidable

� Sandhu, 1988, 1992: SPM, TAM�sophisticated models can be efficiently decidable�sophisticated models can be efficiently decidable


Historical Aside on Dynamics/Agility

Harrison, Russo and Ullman 1976: HRUdynamics leads to undecidable safety

Jones, Lipton, Snyder 1978: Take-Grantsimple models can be efficiently decidable

Sandhu, 1988, 1992: SPM, TAMsophisticated models can be efficiently decidable

4

sophisticated models can be efficiently decidable


Secure Information Sharing (SIS)

Goal: Share but protect� Containment challenge

� Client containment� Ultimate assurance infeasible (e.g., the analog hole)� Appropriate assurance achievable

� Server containment� Will typically have higher assurance than client containment� Will typically have higher assurance than client containment

� Policy challenge� How to construct meaningful, usable, agile SIS policy� How to develop an intertwined information and security model


Secure Information Sharing (SIS)

Ultimate assurance infeasible (e.g., the analog hole)Appropriate assurance achievable

Will typically have higher assurance than client containment

5

Will typically have higher assurance than client containment

How to construct meaningful, usable, agile SIS policyHow to develop an intertwined information and security model


Community Cyber Security

Core

Group Conditional

Membership

Automatic

Membership

Filtered RW

Administered

Membership


Open

Group

Membership


Incident

Group

6Leading Research with Real-World Impact!

Administered

Membership

Domain

Experts


Core

Group

Incident

Groups

Automatic

Membership

Conditional

Membership

Read

Subordination


Open

Group Write

Subordination


Incident

Groups

g1

g2

Read

Subordination Domain

Experts

Administered

Membership


g2

g3

Write

Subordination

A Family of g


� We have achieved a deep, formal understanding of isolated, undifferentiated groups

� Next challenge: extend the theory to connected, differentiated groups

A Family of g-SIS Models


We have achieved a deep, formal understanding of isolated, undifferentiated groupsNext challenge: extend the theory to connected,

Formal Models Development

Formal stateless behavioral model

Formal statefulenforceable model

Provable security properties


Formal statefulenforceable model with latencies,

disconnected operations etc

Proof of safe equivalence

Formal Models Development

Provable security properties

Proof of equivalence

9


Proof of safe equivalence

g-SIS Model Components

� Operational aspects� Group operation semanticso Add, Join, Leave, Remove, etc

o Multicast group is one example� Object modelo Read-onlyo Read-Write (no versioning

� User-subject model� User-subject modelo Read-only Vs read-write

� Policy specification

� Administrative aspects� Authorization to create group, user join/leave, object

add/remove, etc.


SIS Model Components

Add, Join, Leave, Remove, etc

Multicast group is one example

Write (no versioning vs versioning)

Users

Objects

Group

Authz (u,o,r)?

join leave

add remove

10

Authorization to create group, user join/leave, object


Core Properties

� Authorization Persistence� Authorization cannot change unless some group event occurs


Core Properties

Authorization cannot change unless some group event occurs


The π-system Specification


system Specification


Sample Stateful

Authz (s,o,r) ->

Add-TS(o) > Join

Leave-TS(s) = NULL &

Remove-TS(o) = NULL


Remove-TS(o) = NULL

Stateful Specification

TS(o) > Join-TS(s) &

TS(s) = NULL &

TS(o) = NULL


TS(o) = NULL

Summary

� The 4th element, crucial for dynamic/agile secure information sharing� Discretionary Access Control (DAC)

� Mandatory Access Control (MAC)

� Role-base Access Control (RBAC)

� Group-centric Secure Information Sharing (g

� Crucial ingredients for success


� Crucial ingredients for success� Strong mathematical foundations

� Strong intuitive foundations

� Significant real-world deployment

Summary

element, crucial for dynamic/agile secure

Discretionary Access Control (DAC)

Mandatory Access Control (MAC)

base Access Control (RBAC)

centric Secure Information Sharing (g-SIS)

Crucial ingredients for success


Crucial ingredients for successStrong mathematical foundations

Strong intuitive foundations

world deployment

Publications

� Ram Krishnan, Jianwei Niu, Ravi Sandhu and William Winsborough, “Groupfor Isolated Groups.” ACM Transactions on Information and System Security

� Ravi Sandhu, Ram Krishnan and Gregory White, “TowarSecurity.” In Proceedings 5th IEEE International ConfereWorksharing (CollaborateCom), Chicago, Illinois, October 9

� Ravi Sandhu, Ram Krishnan, Jianwei Niu and William Winsborough, “GroupInformation Sharing.” In Proceedings 5th International Conference, on Mathematical Methods, Models, and Architectures for Computer Network Security, MMM-ACNS 2010, St. Petersburg, Russia, September 855-69. Published as Springer Lecture Notes in Computer Science Vol. 6258, and Victor Skormin, editors), 2010.

� Ram Krishnan, Ravi Sandhu, Jianwei Niu and William Winsborough, “Towards a Framework for GroupCollaboration.” In Proc. 5th IEEE International ConferencWorksharing (CollaborateCom), Crystal City, Virginia, November 11

� Ram Krishnan and Ravi Sandhu, “A Hybrid Enforcement Model for Group


� Ram Krishnan and Ravi Sandhu, “A Hybrid Enforcement Model for GroupIEEE International Conference on Computational Science and Engineering (CSE31, 2009, pages 189-194.

� Ram Krishnan, Ravi Sandhu, Jianwei Niu and William Winsborough, “Formal Models for GroupInformation Sharing.” Proc. 14th ACM Symposium on Access Control Models and Technologies (SACMAT)Italy, June 3-5, 2009, pages 115-124.

� Ram Krishnan, Ravi Sandhu, Jianwei Niu and William Winsborough, “A Conceptual Framework for GroupSecure Information Sharing.” Proc. 4th ACM Symposium on Information, Computer and Communications Security (AsiaCCS), Sydney, Australia, March 10-12, 2009, pages 384

� Ram Krishnan, Jianwei Niu, Ravi Sandhu and William Winsborough, “StaleSecure Information Sharing.” Proc. 6th ACM-CCS Workshop on Formal Methods in Security Engineering (FMSE),Alexandria, Virginia, October 27, 2008, pages 53-62.

Publications

Ram Krishnan, Jianwei Niu, Ravi Sandhu and William Winsborough, “Group-Centric Secure Information Sharing Models ACM Transactions on Information and System Security, accepted with minor revision.

ards Secure Information Sharing Models for Community Cyber erence on Collaborative Computing: Networking, Applications and

, Chicago, Illinois, October 9-12, 2010.Ravi Sandhu, Ram Krishnan, Jianwei Niu and William Winsborough, “Group-Centric Models for Secure and Agile

Proceedings 5th International Conference, on Mathematical Methods, Models, and ACNS 2010, St. Petersburg, Russia, September 8-10, 2010, pages

69. Published as Springer Lecture Notes in Computer Science Vol. 6258, Computer Network Security (Igor Kotenko

Ram Krishnan, Ravi Sandhu, Jianwei Niu and William Winsborough, “Towards a Framework for Group-Centric Secure ence on Collaborative Computing: Networking, Applications and

, Crystal City, Virginia, November 11-14, 2009, pages 1-10. Ram Krishnan and Ravi Sandhu, “A Hybrid Enforcement Model for Group-Centric Secure Information Sharing.” Proc.


Ram Krishnan and Ravi Sandhu, “A Hybrid Enforcement Model for Group-Centric Secure Information Sharing.” Proc. IEEE International Conference on Computational Science and Engineering (CSE-09), Vancouver, Canada, August 29-

Ram Krishnan, Ravi Sandhu, Jianwei Niu and William Winsborough, “Formal Models for Group-Centric Secure Proc. 14th ACM Symposium on Access Control Models and Technologies (SACMAT), Stresa,

Ram Krishnan, Ravi Sandhu, Jianwei Niu and William Winsborough, “A Conceptual Framework for Group-Centric Proc. 4th ACM Symposium on Information, Computer and Communications Security

12, 2009, pages 384-387.Ram Krishnan, Jianwei Niu, Ravi Sandhu and William Winsborough, “Stale-Safe Security Properties for Group-Based

CCS Workshop on Formal Methods in Security Engineering (FMSE),

group-centric models for secure and agile information sharingarchitectures for computer network...

Documents