group-centric secure information sharing models

Click here to load reader

Upload: kennan

Post on 24-Feb-2016

50 views

Category:

Documents


0 download

DESCRIPTION

Group-Centric Secure Information Sharing Models. Ram Krishnan PhD Candidate Dissertation Directors: Dr. Ravi Sandhu and Dr. Daniel Menascé. Dissertation Defense Nov 25 th 2009. Presentation Outline. Introduction Policy Models for Group-Centric Secure Information Sharing (g-SIS) - PowerPoint PPT Presentation

TRANSCRIPT

Slide 1

Ram KrishnanPhD CandidateDissertation Directors:Dr. Ravi Sandhu and Dr. Daniel Menasc

Group-CentricSecure Information Sharing ModelsDissertation DefenseNov 25th 2009

1Presentation Outline2IntroductionPolicy Models for Group-Centric Secure Information Sharing (g-SIS)Enforcement Models for g-SISImplementation Model for g-SISIntroduction and MotivationSecure Information SharingShare but protectA fundamental problem in cyber securityDissemination-Centric SharingDissemination chain with sticky policies on objectsE.g. ORCON, DRM ,ERM, XrML, ODRL, etc.3AliceBobCharlieEveSusieAttribute + Policy CloudObjectAttribute + Policy CloudObjectAttribute + Policy CloudObjectAttribute + Policy CloudObjectAttribute CloudAttribute CloudAttribute CloudAttribute CloudAttribute CloudQuery-Centric SharingQueries wrt a particular datasetMore generally, addresses de-aggregation/inference problemIntroduction and Motivation (contd)Group-Centric SharingSharing for a specific purpose or missionE.g. Collaboration in joint product design, merger and acquisition, etc.Emerging needs in Government and Commercial OrganizationsE.g. Mission critical operations post 9/11, Inter-organizational collaboration, etc.Brings users & objects together in a groupSecure Meeting RoomSubscription Model4UsersObjectsGroupAuthz (u,o,r)?joinleaveaddremoveProblem StatementOne of the central problems in information sharing is the ability to securely share information for a specific purpose or mission by bringing together users and informationThere is no existing model that addresses this problem5A first step towards a formal and systematic study of Group-Centric Secure Information Sharing ModelsContributionThesis StatementIt is possible to systematically develop Policy, Enforcement and Implementation models for Group-Centric Sharing

6Security and system goals(objectives/policy)Policy modelsEnforcement modelsImplementation models Necessarily informal Specified using users, subjects, objects, admins, labels, roles, groups, etc. in an ideal setting. Security analysis (objectives, properties, etc.). Approximated policy realized using system architecture with trusted servers, protocols, etc. Enforcement level security analysis (e.g. stale information due to network latency, protocol proofs, etc.). Technologies such as Cloud Computing, Trusted Computing, etc. Implementation level security analysis (e.g. vulnerability analysis, penetration testing, etc.) Software and HardwareConcrete SystemGroup-Centric Sharing (g-SIS)7Operational aspectsObject ModelRead-onlyRead-write (versioning?)User-Subject ModelRead-only subjects may read multiple groupsRead-write subjects restricted to single groupGroup CharacteristicsCore propertiesMembership semanticsMembership renewal semanticsg-SIS specificationAuthorizations for Join, Add, etc.SubordinationConditional MembershipMutual ExclusionAdministrative aspectsInter-group relationsg-SIS Operations8GROUPAuthz (u,o,r)?JoinLeaveAddRemoveUsersObjectsGROUPAuthz (u,o,r)?Strict JoinStrict LeaveLiberal AddLiberal RemoveLiberalJoinLiberalLeaveStrictAddStrictRemoveUsersObjectsCore g-SIS Properties9Authorization PersistenceAuthorization cannot change if no group event occursAuthorization ProvenanceAuthorization can begin to hold only after a simultaneous period of user and object membershipCore g-SIS Properties (contd)10Bounded AuthorizationAuthorization cannot grow during non-membership periodsAvailabilityOn add, authorization should hold for all existing users at add time

Satisfaction and Independence11The Core Properties are Satisfiable

There exists a trace in whichis trueThe Core Properties are IndependentNeither prove nor refute one of the properties from othersis not valid

is not valid

Membership SemanticsStrict Vs Liberal OperationsUser operations: and Object operations: and 12SJ (u)u not authorized to access objects added prior to join timeSA (o)Users joining after add time not authorized to access oLL (u)u retains access to objects authorized at leave timeLR (o)Users authorized to access o at remove time retain accessMembership Renewal SemanticsLossless Vs Lossy JoinLossless: Authorizations from past membership period not lostLossy: Some authorizations lost at rejoin timeRestorative Vs Non-Restorative JoinRestorative: Authorizations from past membership restoredNon-Restorative: Past authorizations not restored at rejoin timeGainless Vs Gainful LeaveRestorative Vs Non-Restorative Leave13The -System SpecificationAllows all membership ops (Strict and Liberal user/object ops)Allows selected membership renewal opsLossless and Non-Restorative JoinGainless and Non-Restorative Leave14The -system satisfies the core g-SIS properties-system g-SIS Specification:Add after JoinAdd before Join15Well-formed tracesThe -System Specification (contd)

That is, the -systemis a g-SIS specification1515

Fixed Operation Models16 possible initial models with fixed operationsE.g. (SJ, SL, SA, SR) or (LJ, LL, LA, LR) for all users and objects16SJLJSLLLSALASRLR

Typical group model in traditional operating systemsTypical in secure multicastUser ModelObject ModelCan be reduced to 8 fixed operation modelsE.g. With SJ, object add semantics has no significance on users authorizationEnforcement Models for g-SIS17Security and system goals(objectives/policy)Policy modelsEnforcement modelsImplementation modelsConcrete Systemg-SIS Enforcement ModelEnforcement ComponentsControl Center (CC)Group Administrator (GA)UsersAllows Offline AccessAssumes a Trusted Reference Monitor (TRM)Resides on group users access machinesEnforces group policySynchronizes attributes periodically with serverObjects Available Via Super-distribution18Interaction b/w Various Components19GANew UserCCObject CloudExisting users1.1 Request Join1.2 Authorize Join1.3 Fwd authorization to Join with integrity evidence1.4 Provision Group Attributes2.1 Add Object o2.2 Approve and Release Object oObtain o3. Access objects4.1 Request Refresh4.2 Update Attributes{JoinTS, LeaveTS, ORL, gKey, N}5.1 Leave User u5.2 Remove Object o5.2 Update:LeaveTS (u) =Current Time5.2 Update:a. RemoveTS (o) = Current Timeb. ORL = ORL {AddTS (o), RemoveTS(o)}

Att (u) = {JoinTS, LeaveTS, gKey, N, ORL}Att (o) = {AddTS}

Fixed Operation Model: (, )Concept of Stale-SafetyAIPAIPAIPAIPADPADPADPAEPAIP: Authorization Information PointUpdateADP: Authorization Decision Point

AEP:Authorization Enforcement Point

2020Staleness in g-SISRT3RT4RT5RT6Join (u)Add (o1)Add (o2)Leave (u)Request (u, o1, r)Request (u, o2, r)Authz held at RT6Authz never held21RTi: Refresh TimesRT7

Fixed Operation Model: (, )21Stale-Safe Security PropertiesIf a user is able to perform an action on an object, the authorization to perform the action is guaranteed to have held sometime prior to performWeak Stale-SafetyAllows safe authorization decision without contacting the CCAchieved by requiring that authorization held at the most recent refresh timeStrong Stale-SafetyNeed to obtain up to date authorization information from CC after a request is receivedIf CC is not available, decision cannot be made22

Weak and Strong Stale-Safe PropertiesRequestPerformRequestPerform

Weak Stale-Safety:Strong Stale-Safety:

23Formula Formula

23Verification using Model Checking24

Implementation Model and PoC25Security and system goals(objectives/policy)Policy modelsEnforcement modelsImplementation modelsConcrete SystemImplementation Model Specified TPM-based protocols for g-SIS Enforcement ModelProof-of-ConceptAssumed the presence of a Trusted Computing Base on client machinesImplemented secure provisioning of group credentials on the user machine26

ContributionPolicy LayerFormal characterization of Group-Centric modelsIdentification of a core set of properties required of all g-SIS specificationsProof of Independence and Satisfaction of core propertiesA set of useful group operation semanticsA family of g-SIS specifications ( -system) supporting a variety of group operation semanticsA formal proof that the -system satisfies the core propertiesEnforcement LayerIdentification and specification of stale-safe security propertiesVerification of stale-safety of g-SIS enforcement modelImplementation LayerTPM-based protocols for g-SIS enforcement modelProvisioning protocol proof-of-concept27

A few things that I did not talk aboutPolicy LayerDetailed versioning modelCase-study of inter-organizational collaboration scenarioAdministrative ComponentOperational Component with a user-subject modelA framework for developing more sophisticated g-SIS modelsEnforcement LayerSuper-distribution, Micro-distribution and Hybrid enforcement modelsModel checking g-SIS enforcement model using NuSMVImplementation LayerApproach for access control of group credentials in users machineTPM-based protocols for super-distribution and hybrid modelProof of Concept design of provisioning protocol28Future WorkInter-group RelationsSubordination, conditional membership, mutual exclusionHandling relationship changesHandling information flowAdministrative Models for g-SISNeed Other Access Control Components in Practical ScenariosMeaningfully combine DAC, LBAC, RBAC and ABAC in g-SISGeneralization of Stale-safety to Multiple Authorization Information PointsExtension to ABACComplete Implementation29Related PublicationsRam Krishnan, Ravi Sandhu , Jianwei Niu and William Winsborough, Towards a Framework for Group-Centric Secure Collaboration, Proceedings of IEEE International Conference on Collaborative Computing (CollaborateCom), Crystal City, Washington D.C., Nov 11-14, 2009.Ram Krishnan and Ravi Sandhu, A Hybrid Enforcement Model for Group-Centric Secure Information Sharing, Proceedings of IEEE International Symposium on Secure Computing (SecureCom 2009), August 29-31, Vancouver, Canada.Ram Krishnan, Ravi Sandhu , Jianwei Niu and William Winsborough, Foundations for Group-Centric Secure Information Sharing Models, Proceedings of ACM Symposium on Access Control Models and Technologies (SACMAT 2009), June 3-5, Stresa, Italy.Ram Krishnan and Ravi Sandhu, Enforcement Architecture and Implementation Model for Group-Centric Information Sharing, International Workshop on Security and Communication Networks (IWSCN 2009), May 20-22, 2009, Trondheim, Norway.Ram Krishnan, Ravi Sandhu , Jianwei Niu and William Winsborough, A Conceptual Framework for Group-Centric Secure Information Sharing Models,Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS 2009) , March 10 12 2009, Sydney, Australia.Ram Krishnan, Jianwei Niu, Ravi Sandhu and William Winsborough, Stale-Safe Security Properties for Group-Based Secure Information Sharing, Proceedings of ACM workshop on Formal Methods in Security Engineering (FMSE 2008). Oct 27- Oct 31 2008, Alexandria, Virginia, USA.Manoj Sastry, Ram Krishnan and Ravi Sandhu, A New Modeling Paradigm for Dynamic Authorization in Multi-domain Systems, Proceedings of International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security (MMM-ACNS 2007) . September 13-15, 2007, St. Petersburg, Russia.Ram Krishnan, Ravi Sandhu and Kumar Ranganathan, PEI Models towards Scalable, Usable and High-Assurance Information Sharing, Proceedings of ACM Symposium on Access Control Models and Technologies (SACMAT 2007) . June 20-22, 2007, Nice-Sophia Antipolis, France.30PEPEIPEPPEIQuestions and Comments31Thank you!Backup32Introduction & MotivationSecure Information SharingShare but protectA fundamental problem in cyber securityDissemination-Centric SharingDissemination chain with sticky policies on objectsE.g. ORCON, DRM, ERM, XrML, ODRL, etc.Query-Centric SharingQueries wrt a particular datasetMore generally addresses de-aggregation/inference problemGroup-Centric SharingSharing for a specific purpose or missionE.g. Collaboration in joint product design, merger and acquisition, etc.Emerging needs in Government and Commercial OrganizationsE.g. Mission critical operations post 9/11, Inter-organizational collaboration, etc.Brings users & objects together in a groupSecure Meeting RoomSubscription Model33UsersObjectsGroupAuthz (u,o,r)?joinleaveaddremoveSecure information sharing or to share but protect is a fundamental problem in cyber security. Nevertheless it has remained a challenging problem to solve. At a high-level, there are at least 3 forms of information sharing.

The first form can be characterized as dissemination-centric. Conceptually, in dissemination-centric sharing, as an object moves from one user to another (or from one org to another), new policies (or attributes) may be stuck to the object. These policies are sometimes referred to as being sticky. A user will be allowed to access the object only if the sticky policy is satisfied. Some examples include models such as ORCON in which the originator of the info has the ultimate control on who can access the information. Many Digital and Enterprise rights management solutions exist from the industry. XrML and ODRL are policy languages that have been specifically invented for this purpose.

Unlike dissemination-centric sharing, Query-centric sharing is not primarily concerned with controlling access after information release. The primary objective is inference protection where the user should not be able to infer unauthorized information from one or more authorized information. A lot of work in the area of privacy exist in this arena.

In contrast to these two modes of sharing, Group-Centric sharing is concerned about sharing information for a specific purpose or a mission. Examples include collaboration scenarios such as joint product design, merger and acquisition, etc. Furthermore, this form of sharing has recently gained more prominence. For instance, post 9/11 there has been a compelling need for multiple govt and military orgs to share and collaborate for a specific purpose. Modern businesses also collaborate in spite of being competitors for mutual benefit.

Thus in group-centric sharing, users and objects are brought together to promote sharing in a group. Two metaphors serve to illustrate group-centric sharing. Secure meeting room metaphor illustrates a potentially small-scale sharing.33Thesis StatementIt is feasible to systematically develop Policy, Enforcement and Implementation models for Group-Centric SharingConsider temporal aspects in this initial work34Technical ApproachStudy Policy, Enforcement and Implementation aspects of Group-Centric Secure Information Sharing

35Security and system goals(objectives/policy)Policy modelsEnforcement modelsImplementation models Necessarily informal Specified using users, subjects, objects, admins, labels, roles, groups, etc. in an ideal setting. Security analysis (objectives, properties, etc.). Approximated policy realized using system architecture with trusted servers, protocols, etc. Enforcement level security analysis (e.g. stale information due to network latency, protocol proofs, etc.). Technologies such as SOA, Cloud, SaaS, Trusted Computing, MILS, etc. Implementation level security analysis (e.g. vulnerability analysis, penetration testing, etc.) Software and HardwareConcrete SystemRelated PublicationsRam Krishnan, Ravi Sandhu , Jianwei Niu and William Winsborough, Towards a Framework for Group-Centric Secure Collaboration, To appear in the 5th IEEE International Conference on Collaborative Computing (CollaborateCom), Crystal City, Washington D.C., Nov 11-14, 2009.Ram Krishnan and Ravi Sandhu, A Hybrid Enforcement Model for Group-Centric Secure Information Sharing, Proceedings of IEEE International Symposium on Secure Computing (SecureCom 2009), August 29-31, Vancouver, Canada.Ram Krishnan, Ravi Sandhu , Jianwei Niu and William Winsborough, Foundations for Group-Centric Secure Information Sharing Models, Proceedings of 14thACM Symposium on Access Control Models and Technologies (SACMAT 2009), June 3-5, Stresa, Italy.Ram Krishnan and Ravi Sandhu, Enforcement Architecture and Implementation Model for Group-Centric Information Sharing, International Workshop on Security and Communication Networks (IWSCN 2009), May 20-22, 2009, Trondheim, Norway.Ram Krishnan, Ravi Sandhu , Jianwei Niu and William Winsborough, A Conceptual Framework for Group-Centric Secure Information Sharing Models,Proceedings of 4th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2009) , March 10 12 2009, Sydney, Australia.Ram Krishnan, Jianwei Niu, Ravi Sandhu and William Winsborough, Stale-Safe Security Properties for Group-Based Secure Information Sharing, Proceedings of 6th ACM workshop on Formal Methods in Security Engineering (FMSE 2008). Oct 27- Oct 31 2008, Alexandria, Virginia, USA.Manoj Sastry, Ram Krishnan and Ravi Sandhu, A New Modeling Paradigm for Dynamic Authorization in Multi-domain Systems, Proceedings of 4th International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security (MMM-ACNS 2007) . September 13-15, 2007, St. Petersburg, Russia.Ram Krishnan, Ravi Sandhu and Kumar Ranganathan, PEI Models towards Scalable, Usable and High-Assurance Information Sharing, Proceedings of 12th ACM Symposium on Access Control Models and Technologies (SACMAT 2007) . June 20-22, 2007, Nice-Sophia Antipolis, France.36Information Protection ModelsTraditional models do capture important SIS aspectsBut not satisfactoryDiscretionary Access Control (DAC)Owner based discretionFails to distinguish copy from readLattice Based Access Control (E.g. Bell-LaPadula)One directional information flow in a lattice of security labelsRigid and coarse-grained due to strict one-directional information flow within predefined security labelsRole Based Access Control (E.g. RBAC96)Effective administrationToo flexible; does not directly address information sharingAttribute Based Access Control (E.g. UCON)Obligations, Conditions, etc.Too flexible; does not directly address information sharing37Secure Information Sharing (SIS)38Share but protectA fundamental problem in cyber securityTraditional models do capture important SIS aspectsBut not satisfactoryDiscretionary Access Control (owner control)Too fine-grained, lacks copy controlBell-LaPadula (information flow)Too rigid and coarse-grainedRole-Based Access Control (effective administration)Too general and does not directly address information sharingUCON/ABAC also too generalPrimary issuesCopy controlManageability38Dissemination-Centric Sharing39Extensive research in the last two decadesORCON, DRM, ERM, XrML, ODRL, etc.Copy/usage control has received major attentionManageability problem largely unaddressedAliceBobCharlieEveSusieAttribute + Policy CloudObjectAttribute + Policy CloudObjectAttribute + Policy CloudObjectAttribute + Policy CloudObjectDissemination Chain with Sticky Policies on ObjectsAttribute CloudAttribute CloudAttribute CloudAttribute CloudAttribute CloudRoles Vs Groups in SISRolesUsers get same set of privileges on role assignmentDoes not consider timing of assignment/activationTemporal RBAC considers specific timing aspectsE.g. authorizations for when a role can be activatedGroupsPrivileges may differ with time of join, leave, etc.Sharing is promoted within and across groupsInter-group relationship may differ from that of roles40Group-Centric Sharing (g-SIS)41Brings users & objects together in a groupTwo metaphorsSecure Meeting RoomSubscription ModelOperational aspectsGroup characteristicsE.g. What are the properties of a group?Group operation semanticsE.g. What is authorized by join, add, etc.?Administrative aspectsE.g. Who authorizes join, add, etc.?May be application dependantInter-group relationsUsersObjectsGroupAuthz (u,o,r)?joinleaveaddremoveGroup-Centric Sharing (g-SIS)42Operational aspectsObject ModelRead-onlyRead-Write (With and without versioning)User-Subject ModelRead-only subjects can read from multiple groupsRead-write subjects can read and write only in one groupGroup characteristicsCore propertiesIndependence and Satisfiability Operation semanticsMembership semanticsMembership renewal semantics

Administrative aspectsE.g. Who authorizes join, add, etc.?Inter-group relationsSubordination, Conditional Membership, Mutual ExclusionLinear Temporal Logic (summary)Next pFormula p holds in the next stateHenceforth pStarting from current state, p will continuously hold in all the future statesp until qq will occur sometime in the future and p will hold at least until the first occurrence of qp unless qp holds either until the next occurrence of q or if q never occurs, it holds throughout43Previous pFormula p held in the previous stateOnce pFormula p held at least once in the pastp since qq happened in the past and p held continuously from the position following the last occurrence of q to the present43NotationsUse Join, Leave, Add and Remove to refer to some respective event type occurring44Drop the parameters for convenienceWell-Formed TracesMultiple events cannot occur in a state for the same user (or object)E.g. 1 User cannot join and leave in the same stateE.g. 2 Two types of join cannot occur in the same state45Malformed traces0s1s2s3E.g. 1E.g. 2User events should occur alternatively beginning with a join eventE.g. 1 leave cannot occur before joinE.g. 2 join should be followed by a leave before another joinMalformed traces0s1s2s3E.g. 1E.g. 2LTL Specification of Well-Formed Traces46g-SIS Specification (Syntactic Correctness)Defines precisely when authorization holdsA g-SIS specification is syntactically correct ifStated in terms of past user and object operationsSatisfies well-formedness constraints47Well-formedness constraintsspecified using join, leave, add and removeA g-SIS specification is semantically correct if it satisfies following core propertiesg-SIS Specification (Semantic Correctness)Semantically correct if it satisfies the core g-SIS properties48Group Operation SemanticsMembership semanticsAuthorizations enabled by current membership (join & add)And authorizations disabled at the time of leave and removeMembership Renewal SemanticsAuthorizations enabled from prior membership periodAnd those disabled at subsequent leave time49

50LTL spec for Membership and Membership Renewal Properties (contd)Verification Using Model CheckerModel allows join, leave, add and remove to occur concurrently, non-deterministically and in any order51The above implication is used as the LTLSPECThe model checker generates a counter-example if the specification is falseUsed the open-source NuSMV model checker

Read-Write Object Model52No VersioningVersioning1. Multiple users may update, latest write is committed (destructive write).1. Multiple users may update, each update creates a new version.2. No write after leave.2. No write after leave.3. Coarse-grained authorization (specified on the whole object).

3. Fine-grained. Authorization can differ for different versions of the same object.4. Tricky issues with Liberal operations.E.g. On LL, past users may read new writes by group users. 4.1 Fix: Past LL users cannot read after write.4. No such issues. Past LL users may continue to read versions authorized at leave time. Provenance property rules out access to new versions after leave.Core Properties (no versioning)New Operation: Update(o)Provenance Both user and object should be current members

Bounded AuthorizationPast users cannot read after update

Past users cannot write. No write on past objects.53

JoinUpdateLeaveJoinAuthz (u,o,r)

Core Properties (versioning)New operation: Update(o.vi, o.vj)54Authorization ProvenanceUser needs to be a current member to writeAccess can be frozen at leave time even with Liberal Leave or RemoveUpdate(o.v2,o.v3)Update(o.v1,o.v2)Update(o.v3,o.v4)LL(u)Authz(u, o.v3, r)Join(u)

Authz(u, o.v4, r)

Version to updateNew updated VersionBounded Authorization

Read-Write (versioning)55An object is composed of multiple versionsAn update operation creates a new versionA specific version of an object may be updatedBasically, versions are immutableNew operation:Update(o.vi, o.vj)Version to updateNew updated VersionCore Properties (Continued)Version dependency propertiesIf current user can read base version of o, all other versions of o can also be read56If some version of o can be read, all prior versions of o can also be readIf user can write some version of o, then he/she can write all versions of oNote only current members can write

Core Properties (versioning)New operation: Update(o.vi, o.vj)Authorization Persistence57Authorization ProvenanceUser needs to be a current member to writeAccess can be frozen at leave time even with Liberal Leave or RemoveUpdate(o.v2,o.v3)Update(o.v1,o.v2)Update(o.v3,o.v4)LL(u)Authz(u, o.v3, r)Join(u)

Authz(u, o.v4, r)

Version to updateNew updated VersionCore Properties (continued)Bounded Authorization58Availability

Super-distribution59User1Object CloudCCUser2c= Enc (o, k)Add (c)Set AddTS for oDistribute oGet (o)Provide (c)Store c locallyDec (c, k) and read oMicro-Distribution and Hybrid Approach60User1CCUser2Encrypt o with key k1 shared with CC(c= Enc (o, k1))Add (c)Dec (c,k1),Set AddTS for o and store locallyGet (o)Provide (c)Store c locallyDec (c, k2) and read oEncrypt o with key k2 shared with User (c=Enc (o,k2))Micro-distribution:Obtain custom encrypted object from CC the first timeSubsequent accesses can be offlineUser1Object CloudCCUser2Encrypt o with encryption key e(c= Enc (o, e))Add (c)Set AddTSfor oDistribute cGet (o)Provide (c)m= Dec (m, d1) and read oStore m locallyRead (c)Decrypt c using split decryption key d2 (M=Dec(c, d2))Send (m)Hybrid approach:Split-key RSA, One split per userCC participates in initial decryptionSubsequent accesses can be offline

PropertiesRTPerformStale-unsafe DecisionRequestPerformRequestPerform

Weak Stale-Safety:Strong Stale-Safety:

61

Formula Formula JoinAddAuthz

61Verification (continued)Let 0: composition of stale-unsafe FSMs 1: composition of weak stale-safe FSMs 2: composition of strong stale-safe FSMsVerified using model checking that:Authz is enforced by 0, 1 and 2 0 fails Weak and Strong Stale-Safe security properties1 satisfies Weak Stale-Safe security property 1 fails Strong Stale-Safe security property 2 satisfies Strong Stale-Safe security property

62Strong Stale-Safe Machine63

idleentry/waitAnswer=0

waitingentry/waitAnswer=1

reqPerform ^request

succeed ^perform

fail ^reject

leave_user ^req_leave_TS

Group_User

userNonMember

objectNonMember

userMember

join_user ^req_join_TS

idleentry /pendResponse = 0

authorized

refresh request [AuthzE]/pendResponse = 1

refresh request [AuthzE] ^fail

refresh ^succeed

refreshedentry /updateAttributes

refresh

refresh request

refresh

[AuthzE pendResponse=1]

[AuthzE pendResponse=1] ^fail

[pendResponse=0]

refresh request/pendResponse=1

TRM_StaleUnsafe

GA_User

CC_Object

objectMember

add_object ^req_add_TS

GA_Object

remove_object ^req_remove_TS

userNonMem

userMem

req_join_TS /set_join_TS

objectNonMem

CC_User

req_leave_TS /set_leave_TS

req_remove_TS /set_remove_TS/ORL=ORL {(add_TS, Remove_TS)}

req_add_TS /set_add_TS

single

cloud

^superDistr

objectMem

CC

GA

refresh /sendAttribute(join_TS, leave_TS, ORL)

Idleentry/ pendResponse = 0

request refresh [AuthzE] /pendResponse=1

request refresh [AuthzE] ^fail

refresh [staleSafe=1]^succeed

refreshedentry /updateAttributes

refresh

request refresh/pendResponse=1

refresh

[pendResponse=1]

[pendResponse=0]

check

safe

[RT < Add-TS] /staleSafe=0

staleCheck

refresh [staleSafe=0]^fail

refresh request

[RT Add-TS] /staleSafe=1

TRM_WeakStaleSafe

Linux Kernel + TPM Driver

TSS

TPM

TV

TRM

Trusted GRUB

Update Internal PCR

Internal PCRs

AppPCRs

Idleentry/ pendResponse = 0

[ AuthzE] ^succeed

TRM_StrongStaleSafe

refreshedentry /updateAttributes

request/pendResponse=1

refresh

[ AuthzE] ^fail