Trust and Security for Next Generation Grids (www.gridtrust.eu): Grid Security Requirements. Philippe Massonet et al, CETIC. OGF-25 Presentation, Catania, 02-06/03/2009


TRANSCRIPT

Page 1: Grid Security Requirements

Philippe Massonet et al

CETIC

OGF-25 Presentation

Catania, 02-06/03/2009

Page 2: Plan

• Secure virtual organisations: need for security policies
  - Multi-level policy enforcement points
  - VO and computational level policies for secure virtual organisations
  - Introduction to usage control
  - Introduction to the GridTrust framework

• Introduction to security requirements engineering
  - Requirements engineering
  - Security requirements
  - Security policies

• Proposed methodology for Grid security requirements
  - Modelling of security requirements, VO meta-model
  - Reuse of security patterns
  - Library of patterns
  - Generation of XACML and Polpa security policies

• Tool support
  - VO editor
  - Security pattern library and reuse process
  - Policy generation support
  - Open source version

Page 3: Trust in Dynamic Virtual Organisations

"Since VOs are based on sharing information and knowledge, there must be a high amount of trust among the partners, especially since each partner contributes with their core competencies."

Threats:
• Bad service (contract not respected)
• Attacks – loss of information
• Attacks – disruption of service
• Vulnerability to attacks (low level of security at one of the partners)
• …

How do you maintain trust and security properties in a dynamic VO? Need for trust and security mechanisms.

[Figure: dynamic collaboration between numbered services in a VO]

Page 4: Secure VO Lifecycle Management

• VO = set of users that pool resources in order to achieve common goals; rules governing the sharing of the resources

• Trust and security policies are derived following the goals of the VO and the rules for sharing resources

Lifecycle (figure):
- Discovery of potential trustworthy partners
- Establishment of security policies, following governing rules
- Enforcing policies, monitoring
- Maintenance of reputation
- Membership and policy adaptation
- Termination of trust relationships

Page 5: Security at Different Levels in Grid

• VO
• Service
• Computational

NGG Architecture layers (figure):
- GRID Application Layer
- GRID Service Middleware Layer
- GRID Foundation Middleware Layer
- Network Operating System

Page 6: Trust and Security Issues in Service-based Grids

Actors (figure): Service Requestor (SR), Service Provider (SP), Infrastructure Provider (IP) and the VO; a service request leads to a service instance running on the IP's shared resources.

Questions:
- Can I trust the SR and SP?
- Is the SP using my resources with malicious intent?
- Is the selected IP secure?

Page 7: General Architecture

Components (figure): PPMService, SRBService, VBEService and TRSService (GridTrust services running on Globus); Service Providers; C-UCONService; VO Manager; Enforcer; VO.

Page 8: From Access Control to Usage Control

Usage phases over time (figure):
- Before usage: pre decision, pre update
- Ongoing usage: ongoing decision, ongoing update
- After usage: post update

Two distinguishing properties of usage control:
- Mutability of attributes (pre, ongoing and post updates)
- Continuity of decision (ongoing decision)

Usage decision still valid? Can you revoke access?

Page 9: Usage Control Services

• Monitor the actions executed on behalf of the grid users and enforce a UCON security policy
  - Computational level (C-UCON): the policy consists of a highly detailed description of the correct behaviour of the application being executed; only the applications whose behaviour is consistent with the security policy are executed on the computational resource
  - VO level (Enforcer): policy evaluation point that supports UCON policies

• The usage control service will be integrated into the Globus middleware (GRID Service Middleware Layer and GRID Foundation Middleware Layer; WP3/WP4)

Page 10: Secure Resource Broker Service

• Integrate access control with resource/service scheduling

• Both resource owners and the VO define their resource access and usage policies
  - The resource broker schedules a user request only within the set of resources whose policies match the user credentials (and vice-versa)

• Scalability and efficiency

• It will be integrated into the Globus middleware (GRID Service Middleware Layer and GRID Foundation Middleware Layer; WP3/WP4)
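The bilateral match described on this slide, as an added example written for this page (not the GridTrust SRB code): the owner's policy is checked against the user's credentials and the VO's policy against the resource's attributes, and only resources passing both are eligible. The attribute names follow the PPM query attributes (OS, Memory, CPU type, Certificate); the resources, policies and credentials are constructed.

```python
from dataclasses import dataclass

# Added example, not the GridTrust SRB implementation. Resource attribute
# names follow the PPM query attributes; all values below are constructed.


@dataclass
class Resource:
    name: str
    attributes: dict      # what the broker can query about the resource
    owner_policy: dict    # the owner's constraints on the requesting user's credentials


@dataclass
class Request:
    user: str
    credentials: dict     # the user's credentials (VO membership, role, ...)
    vo_policy: dict       # the VO's constraints on acceptable resources


def satisfies(facts: dict, constraints: dict) -> bool:
    """Every constraint key must be present in `facts` and hold.
    A constraint value is an exact value, a set of allowed values,
    or (">=", minimum) for numeric attributes such as Memory."""
    for key, wanted in constraints.items():
        if key not in facts:
            return False
        actual = facts[key]
        if isinstance(wanted, tuple) and wanted[0] == ">=":
            if not actual >= wanted[1]:
                return False
        elif isinstance(wanted, (set, frozenset)):
            if actual not in wanted:
                return False
        elif actual != wanted:
            return False
    return True


def match(req: Request, res: Resource) -> tuple:
    """(owner accepts the user?, VO accepts the resource?): both directions of the check."""
    owner_ok = satisfies(req.credentials, res.owner_policy)
    vo_ok = satisfies(res.attributes, req.vo_policy)
    return owner_ok, vo_ok


def broker(req: Request, resources: list) -> list:
    """Schedule only within the resources that pass both directions of the check."""
    return [r.name for r in resources if all(match(req, r))]


# Constructed resource descriptions and owner policies.
RESOURCES = [
    Resource("cluster-a",
             {"OS": "Linux", "Memory": 16, "CPU type": "x86_64", "Certificate": "GridTrust CA"},
             {"VO": "bio-vo", "role": {"researcher", "admin"}}),
    Resource("cluster-b",
             {"OS": "Linux", "Memory": 4, "CPU type": "x86_64", "Certificate": "GridTrust CA"},
             {"VO": "bio-vo"}),                       # too little memory for the VO policy
    Resource("cluster-c",
             {"OS": "Linux", "Memory": 32, "CPU type": "x86_64", "Certificate": "Unknown CA"},
             {"VO": "bio-vo"}),                       # certificate not accepted by the VO
    Resource("cluster-d",
             {"OS": "Linux", "Memory": 32, "CPU type": "x86_64", "Certificate": "GridTrust CA"},
             {"VO": "physics-vo"}),                   # owner does not serve this VO
]

# Constructed request: a bio-vo researcher whose VO requires Linux, >= 8 GB and a GridTrust CA certificate.
ALICE = Request("alice", {"VO": "bio-vo", "role": "researcher"},
                {"OS": "Linux", "Memory": (">=", 8), "Certificate": "GridTrust CA"})

if __name__ == "__main__":
    print(broker(ALICE, RESOURCES))   # ['cluster-a']
```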

Page 11: Trust and Reputation Service

• Collect, distribute and aggregate feedback about entities' behaviour in a particular context in order to produce a rating about the entities
  - Entities could be either users, resources/services, service providers or VOs

• The reputation service is based on ideas of utility computing

• Can be used in both centralised and distributed settings

• The reputation service will also be integrated into the Globus middleware (GRID Service Middleware Layer; WP2/WP4)

Page 12: VBE: Virtual Breeding Environment Service

• It manages the Virtual Breeding Environment composed of users and service providers (user and service provider registration, certificate management, etc.)

Page 13: PPM: Profile and Policy Management Service

• The policy and profile management service is a database service that keeps information about the security policies of all the entities of the system.

• Supports several types of query: Service ID, Type, Name, attribute (OS, Memory, CPU type, Library, Certificate)

Page 14: VO Library

• To be used by the VO Manager to use and interface with GridTrust services

• Offers a full set of functionalities to manage the VO life cycle (creation, termination, …)

• Manages access at communication and authentication level from applications to GridTrust services

• Hides the complexity of certificate management between users and the GridTrust CA

Page 15: GridTrust Framework - Components

Components (figure): service providers, users, PKI, GridTrust Services (TRS, VBE, SRB, PPM), C-UCON, Enforcer, VO Library.

Page 16: Secure VO Lifecycle: Formation

Participants (figure): VBE Manager, PKI, TRS, PPM, SRB, C-UCON, VO, VO Manager.

Page 17: Secure VO Lifecycle: VO Operation

Sequence (figure): a VO user's application invokes services through the Enforcer within the Virtual Breeding Environment, with the TRS consulted. Policy: Service1 ; Service2. The calls to Service1 and Service2 are done; the call to Service3 is denied.

Page 18: What is RE about?

Figure: goals (WHY?) are operationalised into requirements and assumptions (WHAT?), drawing on domain knowledge.

Page 19: What is RE about?

Figure: goals (WHY?) are operationalised into requirements and assumptions (WHAT?), with responsibility assignment (WHO?), drawing on domain knowledge.

Page 20: WHAT are goals?

• Objectives to be achieved by the system
  - statements of intent
  - "system": software + environment
  - current system, system-to-be

Page 21: WHAT are goals?

• Different types of concern
  - functional goals
  - non-functional goals: security, safety, accuracy, performance, cost, usability, adaptability, ...

Page 22: Modeling goals: types & taxonomies

Functional vs. non-functional goals (figure):
- goals
  - functional
    - satisfaction
    - information
    - ...
  - non-functional
    - security
      - confidentiality
      - integrity
      - ...
    - accuracy
    - performance
      - time
      - space
      - ...
    - usability
    - ...

Page 23: Modeling goals: types & taxonomies

Soft vs. hard goals

• Soft goals: achievement cannot be established in a clear-cut sense
  - goal satisficing, qualitative reasoning

• (Hard) goals: achievement can be verified
  - goal satisfaction, formal reasoning

Page 24: Modeling goals: types & taxonomies

Types of behavior prescribed

• Achieve goals: generate behaviors (C T)
  - e.g. Achieve [DataTransferredSecurely]

• Maintain / Avoid goals: restrict behaviors (C T, C ¬T)
  - e.g. Avoid [DataReadWithoutAuthorization]
  - Maintain [ConfidentialDataEncrypted]

• Optimize goals: compare behaviors

Page 25: Modeling goals: goal attributes

• Capture intrinsic goal features
  - Name: DataAccessibleToAuthorizedUsers
  - Definition: data must only be accessible to users who have been authorized
  - Priority: mandatory, very high, high, …, low, ...

Page 26: Main Objectives of Trust and Security Policy Engineering

• Help analysts/users express security requirements for their Grid applications
  - Based on a library of verified security requirement patterns

• Help users/analysts derive high-level trust and security policies
  - In UCON/Polpa
  - In XACML
  - In Event-B

• Help users/analysts refine policies into operational policies that can be deployed

Page 27: Refinement of Trust and Security Goals into Requirements and Policies

Figure: trust and security patterns and usage control patterns are refined into abstract policies.

Page 28: Library of Patterns

• From business requirements to abstract policies
  - Covering different property classes: Confidentiality, Integrity, Availability, Delegation but also others such as Usage limitation, Accounting, …
  - Ex: confidentiality and authorizations, dynamic Chinese wall

• Patterns expressed in terms of the VO meta-model
  - Goals, goal refinements, services, service compositions, subjects, objects

Page 29: Main Objectives of Library

• Help users express security requirements for their Grid applications
  - Confidentiality, Authorization, Privacy, Availability, Usage limitation, Delegation but also others such as Integrity, Usage limitation, Accounting, …

• Help users express self-organisation and self-protection (not done yet)

• Covering the GridTrust services
  - Computational UCON, Service UCON, Secure Broker, Reputation

• Patterns expressed in terms of the VO meta-model
  - Goals, goal refinements, services, service compositions, subjects, objects

• Library is embedded in the requirements/policy tool

Page 30: Patterns for Trust and Security

Pattern families (figure):
- Authorization
- Confidentiality
  - Privacy
  - Confidentiality of the content of a communication
  - Confidentiality of communication occurrence
  - Confidentiality of identity of sender and receiver
- Integrity
- Availability
- Trust
- Delegation
- ChineseWall

Page 31: Usage Control Patterns

- Object/Subject mutable attribute update
  - Pre-update
  - Ongoing-update
  - Post-update
- Authorization
  - Pre-authorization
  - Ongoing-authorization
  - Post-authorization
- Conditions
  - Pre-condition
  - Ongoing-condition
- Obligations
  - Pre-obligation
  - Ongoing-obligation
- Actions

Page 32: Example: Managing Conflicts of Interest in Virtual Organisations

Figure: VO model with the relations Conflict of Interest, Collaborates on, Allocated to and Owned By.

Page 33: Example: The Chinese Wall

• Based on the notion of conflict of interest class

• Need a history

Figure: Client 1 with Resource 1 and Resource 2, Client 2 with Resource 3 and Resource 4; the resources are grouped into a conflict of interest class, and access is decided against it.

Page 34: Chinese Wall Goal Ref. Pattern

Goal refinement (figure):
- Avoid Conflict Of Interest
  - Chinese Wall Authorized Cases
    - Access Authorized Within Other Conflict Set: PolicyPreAuth: hasAccessed(u,r) differentConflictSet(r,r’)
    - Access Authorized Within Same Company: PolicyPreAuth: hasAccessed(u,r) sameOrganisation(r,r’)
    - Post-condition: hasAccessed(u,r’)
  - Access

Formal definitions:
- (r : Resource; u : User, r’ : Resource) hasAccessed(u,r) sameOrganisation(r,r’) (hasAccessed(u,r’)
- (r : Resource; u : User, r’ : Resource) hasAccessed(u,r) differentConflictSet(r,r’) (hasAccessed(u,r’)
- (u : User; r,r’ : Resource) hasAccessed(u,r) sameOrganisation(r,r’) differentConflictSet(r,r’)
- (u : User; r,r’ : Resource) hasAccessed(u,r) hasAccessed(u,r’) (sameOrganisation(r,r’) differentConflictSet(r,r’))

Page 35: Chinese Wall Requirements Pattern

• The pattern has been checked using the Alloy tool

• It is complete and consistent
  - Increases the confidence in this pattern

Page 36: Specialisation/instantiation of the pattern

Generic pattern (figure): Organisation, Resource, User and Service, with the relations own and differentConflictSet; Access with
- PolicyPreAuth: hasAccessed(u,r) differentConflictSet(r,r’)
- PolicyPreAuth: hasAccessed(u,r) sameOrganisation(r,r’)

Publishing domain instantiation (figure): PublisherEmployee, ClientCompany and DigitalContentInfo, with the relation NotInCompetition; Access with
- PolicyPreAuth: hasAccessed(pe,dci) NotInCompetition(dci,dci’)
- PolicyPreAuth: hasAccessed(pe,dci) aboutSameProject(dci,dci’)

Page 37: Final Chinese Wall Security Policy in Polpa

Usage Control Policy Language, over the history of system calls:

gvar[1]:=0. gvar[2]:=0.
([eq(gvar[2],0),eq(x1,"/home/paolo/SetA/*"),eq(x2,READ)].open(x1,x2,x3).lvar[1]:=x3.gvar[1]:=1.
 i([eq(x1,lvar[1])].read(x1,x2,x3)).[eq(x1,lvar[1])].close(x1,x2))
Par
([eq(gvar[1],0),eq(x1,"/home/paolo/SetB/*"),eq(x2,READ)].open(x1,x2,x3).lvar[1]:=x3.gvar[2]:=1.
 i([eq(x1,lvar[1])].read(x1,x2,x3)).[eq(x1,lvar[1])].close(x1,x2))
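To show how this policy behaves at the computational level, here is an added example (written for this page, not the Polpa engine of C-UCON) that replays the two Par branches over a constructed system-call history: gvar[1] and gvar[2] record whether a SetA or SetB file has been opened, each branch may open its set only while the other set's flag is still 0, may then read only the descriptor it stored in lvar[1], and must close that descriptor; any call no branch accepts is denied. The trace, file names and descriptors are constructed.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Added example monitor for the slide's Polpa policy; not GridTrust code.

READ = "READ"


@dataclass
class Branch:
    path_glob: str          # eq(x1, "/home/paolo/SetA/*")
    own_flag: int           # gvar[k] := 1 after a successful open
    other_flag: int         # guard eq(gvar[j], 0): the other set must not have been opened
    state: str = "ready"    # ready -> opened -> done
    fd: Optional[int] = None   # lvar[1] := x3 (the descriptor returned by open)


class PolpaChineseWallMonitor:
    def __init__(self):
        self.gvar = {1: 0, 2: 0}   # gvar[1]:=0. gvar[2]:=0.
        self.branches = [Branch("/home/paolo/SetA/*", own_flag=1, other_flag=2),
                         Branch("/home/paolo/SetB/*", own_flag=2, other_flag=1)]

    def check(self, call: str, *args) -> bool:
        """Par: the call is allowed if some branch accepts it; otherwise it is denied."""
        return any(self._step(b, call, args) for b in self.branches)

    def _step(self, b: Branch, call: str, args: tuple) -> bool:
        if call == "open" and b.state == "ready":
            path, mode, fd = args
            # [eq(gvar[other],0), eq(x1, path_glob), eq(x2, READ)].open(x1,x2,x3)
            if self.gvar[b.other_flag] == 0 and fnmatch.fnmatch(path, b.path_glob) and mode == READ:
                b.fd, b.state = fd, "opened"     # lvar[1] := x3
                self.gvar[b.own_flag] = 1        # gvar[own] := 1
                return True
            return False
        if call == "read" and b.state == "opened":
            return args[0] == b.fd               # i([eq(x1,lvar[1])].read(x1,x2,x3))
        if call == "close" and b.state == "opened" and args[0] == b.fd:
            b.state = "done"                     # [eq(x1,lvar[1])].close(x1,x2)
            return True
        return False


# Constructed system-call history: (syscall, arguments...).
TRACE = [
    ("open", "/home/paolo/SetA/a.txt", READ, 3),
    ("read", 3, "buf", 100),
    ("read", 3, "buf", 100),
    ("open", "/home/paolo/SetB/b.txt", READ, 4),   # denied: gvar[1] is already 1
    ("close", 3, 0),
    ("open", "/home/paolo/SetA/c.txt", READ, 5),   # denied: the SetA branch has finished
    ("open", "/etc/passwd", READ, 6),              # denied: no branch matches the path
]


def replay(trace) -> list:
    """Decision for each call of the trace, in order."""
    monitor = PolpaChineseWallMonitor()
    return [monitor.check(call, *args) for call, *args in trace]


if __name__ == "__main__":
    print(replay(TRACE))   # [True, True, True, False, True, False, False]
```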

Page 38: Reuse Methodology

Figure: security patterns, trust patterns and usage control patterns are specialised and instantiated against the problem specification, using a subject taxonomy and a resource taxonomy.

Page 39: Policy Engineering: From Security and Trust Requirements to Policies

• Target policy languages selected
  - UCON/Polpa (powerful usage control policy language)
  - XACML (OASIS standard)
  - Event-B (formal policy refinement)

• Two derivation approaches investigated
  - Pattern instantiation: instantiate the pattern (not a general translation); composition of patterns is an open issue
  - Full (or partial) translation: sometimes difficult because of the underlying semantics

Page 40: UCON/Polpa: Pattern Instantiation Approach

Example: PreA0 UCON Model (Pre-Auth without update)

Requirement pattern (library):
permitaccess(s, o, r) → (tryaccess(s, o, r) ∧ (p1 ∧ … ∧ pi))

UCON/Polpa policy pattern (library):
tryaccess(s, o, r).pA(s, o, r).permitaccess(s, o, r).endaccess(s, o, r)

Instantiated requirement (instantiated by the analyst):
permitaccess(editor, content, write) → (tryaccess(editor, content, write) ∧ currentState="edition")

Instantiated UCON/Polpa (instantiated by substitution (s=editor), …; satisfies the instantiated requirement):
tryaccess(editor, content, write).[eq(currentState, "edition")].permitaccess(editor, content, write).endaccess(editor, content, write)

Page 41: Event-B: Partial Translation Approach

• Semantic issue between KAOS and Event-B
  - Requirements have progress properties (temporal logic)
  - B is safety oriented, with no notion of obligations (no notion of time)

• Approach
  - We have developed a syntactic extension to Event-B to model the notion of obligation through the use of triggers
  - The obligation imposed by a trigger is interpreted as a constraint on when other events can be permitted

• Our motivation is to link KAOS requirements with Event-B specifications
  - Triggered events as presented here are suitable for modelling the KAOS achieve pattern
  - We are investigating the representation of other modalities as events, so that we can model other KAOS patterns such as maintain and cease

Paper: Towards Modelling Obligations in Event-B, LNCS, Abstract State Machines, B and Z, First International Conference, ABZ 2008, London, UK, September 16-18, 2008. Proceedings

Page 42: Current Status of Tool Support

• Achievements (requirements)
  - VO requirements editor
  - Goal meta-model
  - VO meta-model
  - Library of trust and security patterns
  - Add / reuse pattern
  - Taxonomy

• In progress (policies)
  - From requirements to policies

Page 43: Goal and VO Metamodel: brief overview

• Two main parts
  - Goals and Requirements
    - Objectives: Goals, Requirement, Expectation, Softgoal, …
    - Their relations: refinement, operationalization, …
    - Obstacles and threats
  - VO
    - VO, Organization, Resources, Services, …
    - Their relations: owns, aims, …

Page 44: Goal-oriented VO meta-model

Figure: the Goal and Threat Meta-Model (Objective, Obstacle, Obstruction, Threat; relation Refine) and the VO Meta-Model (Virtual Organisation, Organisation, Service, Workflow, Resource, User; relations Aims, Member, Manage, Provide/Use, Uses), with objectives refined into Policy.

Page 45: General Tool Architecture

Figure: the Eclipse platform (EMF, EMFT, GMF, GEF, OCL, …) hosts the GridTrust plug-in, which comprises the metamodel, the goal model, the mapping, the graphical definition and the pattern library.

Page 46: Architecture motivation

• Based on Eclipse
  - Easy to integrate with other tools
  - Lots of reusable APIs
  - Very popular in private companies
  - Easy to integrate with other frameworks (g-eclipse)

• Based on an EMF metamodel
  - OCL for queries
  - Model transformation
  - Standard framework

Page 47: Translation Technology: Model-based Transformation

• Translation technology selected
  - M2M/ATL (ATLAS Transformation Language) is a model transformation language: it produces a set of target models from a set of source models
  - Uses OCL to define transformation rules

• Why
  - Supports (formal) model transformation (model + assertions)
  - Based on a meta-model approach
  - Can be integrated with Eclipse

Page 48: M2M general picture

Figure: the source model conforms to the source metamodel and the target model to the target metamodel; both metamodels conform to the metametamodel (ECORE); the Source2Target transformation maps the source model to the target model.

Page 49: Tool Support for Polpa

Figure: GridTrust Editor (Eclipse/GMF, EMF, GEF) with a Req MM (requirements meta-model) and a Polpa MM, linked by the Req2Polpa transformation; Temporal Logic Syntax Editor (Eclipse/TEF); Polpa Syntax Editor (Eclipse/TEF).

Page 50: GridTrust Framework: Tools and Policy-based Services

Figure elements, placed on the NGG Architecture layers (GRID Application Layer, GRID Service Middleware Layer, GRID Foundation Middleware Layer, Network Operating System):
- Trust and security goals, Self-* …
- Dynamic VO: VO members, resources, services, …
- Reputation Mgt service, VO Mngt, Secure res. broker, Usage Cont. service
- Computational usage control + TM: fine grained, continuous, OGSA compliant
- Secure VO Req Editor and VO Model and Refinement Tool, producing 1. Global Policies (VO-level policies) and 2. Local Policies (usage control policies)

Page 51: Conclusions

• Security Requirements Methodology
  - From objectives to requirements via refinement
  - From security requirements to security policies
    - Pattern-based translation
    - XACML and Polpa (usage control policy language)

• Eclipse-based tool support
  - Editor
  - Generation of partial security policies

• Linked to the GridTrust framework

• Open source will be available on SourceForge: http://sourceforge.net/projects/gridtrust/