complex security policies

Complex Security Policies

Dave AndersenAdvanced Operating Systems

Georgia State University

Part 1

Presentation of Materialfrom Text Book

Chapter 8.6.1

Stateless vs. State-Dependent Security Policies

The Access Control List (ACL) and Capability List (CL) security models are stateless. Properties remain fixed unless explicitly changed by the server.

Complex Access Control Policies are state dependent. Authorization of access depends on subjects past history and interaction with other objects.

[1998 Chow and Johnson]

Information Flow Control

When information flow is built on lattices information can only flow between components of the lattice in the direction the lattice permits.

Flow properties of the lattice model include: Transitivity: A->B and B->C implies A->C Aggregation: A->C and B->C implies A U B ->C Separability: A U B ->C implies A->C and B->C

Some applications require information flow which violates properties of the lattice. [1998 Chow and Johnson]

Exceptions to Lattice Model

[1998 Chow and Johnson]

Example of a Complex Access Control Policy

Computer Automated Bank Loan Application Only clerk(S1) can prepare loan application (write

permissions for object O). One of two bank officers, the manager (S2) or accountant

(S3) (but not both) must approve the application (append permissions).

Approved loan is the appended with electronic check signed by both bank manager (S2) and cashier (S4) .

Graphical Representation

[1998 Chow and Johnson]

Security Issues

Only subjects with write permissions can alter electronic document. Must be able to authenticate digital signatures. Enforce a transitivity exception to write access: clerk cannot alter document

once it has been approved. Enforce sequence order of writes: application, approval, then check. Enforce aggregation exception: either manager or accountant approves loan,

not both (and therefore once approved by one it cannot be disapproved by another).

Check must be signed by both manager and cashier (separation exception).

[1998 Chow and Johnson]

Challenge: Simple Model for Implementing Complex Policy

First two issues (write permissions and digital signatures) are solved.

As of book publishing – solution doesn’t exist for the others. First Possibility - Maintain Finite State Machines for each

object. Unfortunately, not simple or efficient. Second Possibility: Boolean representation of access rules.

• ACEw(O) = A+ B XOR C + B AND D• Achieves simplicity and efficiency, but lacks state

information for proper rule enforcement. [1998 Chow and Johnson]

Storing State Information

Storing State Information on Server File must be updated with each access.

Storing State Information on Client: Eliminates need to update file with every access. But, may affect clients ability to access other objects. And, difficult to propagate state information to other

clients. Author’s Conclusion: Use Server.

Part 2

Current Research

Current Research

A Software Architecture for Automatic Security Policy Enforcement in Distributed Systems [2007 Hamdi, Bouhoula, Mosbah]

Authors propose:Policy Specification ToolEnforcement and Verification EngineAutomatically Generated Enforcement Mechanisms

Policy Programming Language

PPL is used to define the policies and rules that apply to an object or group of objects and the actions that should be taken when a constraint is matched.

Uses Backus–Naur Form (BNF) Syntax

Proposed System Architecture

[2007 Hamdi, Bouhoula, and Mosbah]

Policy Enforcement

Portability - PPL is compiled into monitors and configurations for a specific system platform.

PPL compilation allows for the detection of policy conflicts.

All security checks and state management operations occur at entry and exit of policy enforcement point.

Part 3

Future Directions

Automated Security Testing?

Security Policies can be very complex—

Can a program/system be developed to either prove or disprove (find security holes) in a set of rules or policies of a given system.

References

Randy Chow and Theodore Johnson, Distributed Operating Systems & Algorithms, Addison Wesley Longman, Inc., Reading, MA, 1997.

H. Hamdi, A. Bouhoula, M. Mosbah, “A Software Architecture for Automatic Security Policy Enforcement in Distributed Systems”, SecureWare 2007, The International Conference on Emerging Security Information Systems and Technologies, October 14-20, 2007, pages 187-192.

Questions?