Institute for Cyber Security
Group-Centric Models for Secure and Agile Information Sharing
Ravi Sandhu, Executive Director and Endowed Professor
April 2010
[email protected], www.profsandhu.com, www.ics.utsa.edu
Joint work with ICS colleagues Ram Krishnan, Jianwei Niu and Will Winsborough
© Ravi Sandhu, World-Leading Research with Real-World Impact!

Slide 2: Application Context
- Basic premise: there is no security without application context
- Opposite premise: application context makes high assurance impossible
  - Orange Book and Rainbow Series era (1983-1994)
  - Good-enough security is good enough
  - Mission assurance, not information assurance
  - Towards the end of this era applications had to be addressed: Trusted Database Interpretation (TDI)
- Firewall era (1992-2008): perimeter security, vulnerability scanning, penetrate and patch, intrusion prevention, secure coding, etc.

Slide 3: Application Context
Software Architect | Project    | % Time | Label
Alice              | Win7       | 25%    | U
Alice              | SecureWin7 | 75%    | S
Bob                | Vista      | 100%   | U
- What precisely is Secret?
  - There exists a SecureWin7 project
  - Alice works on SecureWin7
  - Alice's effort on SecureWin7 is 75%
  - All or some of the above
- How do we maintain the integrity of the database? Depends
- Data and security model are intertwined
- Much work and $$$ by researchers and vendors, late 80s to early 90s

Slide 4: Application Centric Security
- Modern applications are multi-party, with different objectives and responsibilities, often in conflict
- Ongoing projects at ICS: secure information sharing, social networking, critical infrastructure assurance, SaaS in the Cloud/Intercloud, smart grid
- The future is data and application centric
- New ACM Conference on Data and Application Security and Privacy (CODASPY), Feb 21-23, 2011, San Antonio, Texas; www.codaspy.org, www.sigsac.org; papers due Sept 15th 2010
Slide 5: PEI Models
Layers, from informal goals down to the running system:
- Security and system goals (objectives/policy): necessarily informal
- Policy models: specified using users, subjects, objects, admins, labels, roles, groups, etc. in an ideal setting; security analysis (objectives, properties, etc.)
- Enforcement models: approximated policy realized using system architecture with trusted servers, protocols, etc.; enforcement-level security analysis (e.g. stale information due to network latency, protocol proofs, etc.)
- Implementation models: technologies such as Cloud Computing, Trusted Computing, etc.; implementation-level security analysis (e.g. vulnerability analysis, penetration testing, etc.)
- Concrete system: software and hardware

Slide 6: Secure Information Sharing (SIS)
- Goal: share but protect
- Containment challenge
  - Client containment: high assurance infeasible (e.g., cannot close the analog hole); low to medium assurance achievable
  - Server containment: will typically have higher assurance than client containment
- Policy challenge
  - How to construct meaningful, usable SIS policy
  - How to develop an intertwined information and security model

Slide 7: SIS Policy Construction
- Dissemination centric (d-SIS): sticky policies that follow an object along a dissemination chain (possibly modified at each step)
- Group centric (g-SIS): bring users and information together to share existing information and create new information
  - Metaphors: secure meeting room, subscription service
  - Benefits: analogous to RBAC over DAC
- Why not use existing access control (AC) models?
  - Discretionary (DAC): fails containment
  - Lattice-based (LBAC or MAC): no agility
  - Role-based (RBAC): too general
  - Attribute-based (ABAC): too general
Slide 8: g-SIS Model Components
- Operational aspects
  - Group operation semantics: Add, Join, Leave, Remove, etc. (a multicast group is one example)
  - Object model: read-only; read-write (no versioning vs versioning)
  - User-subject model: read-only vs read-write
  - Policy specification
- Administrative aspects: authorization to create a group, user join/leave, object add/remove, etc.
- Figure: users join and leave the group, objects are added and removed; the question to answer is Authz(u,o,r)?

Slide 9: g-SIS Models
- Isolated groups model: no subject-level information flow between groups; groups are information sinks
- Connected groups model: groups connected by some type of relationship, e.g. subordination (read, write, create subject, move subject), conditional membership, mutual exclusion, etc.; subject-level information flow is governed by the relationship semantics
- Isolated + ABAC and Connected + ABAC: anticipated to be straightforward
- Figure: the isolated, connected and ABAC-extended models (work in progress)

Slide 10: Isolated Group Model (g-SISi)
- Abstract model specification is stateless (vis-à-vis stateful): specify without worrying about state structure; no data structure to maintain user/object attributes
- Uses many-sorted first-order linear temporal logic (FOTL): LTL with parameters, constants, variables and quantifiers
- Entities in the isolated group model: users, subjects, object versions, groups and permissions
- Operations in the isolated group model
  - User membership operations: Join(u,g), Leave(u,g)
  - Object membership operations: Add(o,v,g), Remove(o,v,g), CreateO(o,v,g)
  - Subject operations: createS(u,s,g), killS(u,s,g), read(s,o,v,g), update(s,o,v1,v2,g)
- Authorization to exercise a permission p on an object version: Authz(u,o,v,g,p) for users, AuthzS(s,o,v,g,p) for subjects
- Figure: object version tree; CreateO(o,vinit,g) yields vinit, update(s,o,vinit,v1,g) and update(s,o,vinit,v2,g) derive v1 and v2 from it, and update(s,o,v1,v3,g) and update(s,o,v1,v4,g) derive v3 and v4 from v1
Slide 11: g-SISi Operation Semantics
Figure: users enter the group by Strict Join or Liberal Join and exit by Strict Leave or Liberal Leave; objects enter by Strict Add or Liberal Add (or Strict Create / Liberal Create in the read-write model, where update produces new versions) and exit by Strict Remove or Liberal Remove; the read-only and read-write models are shown side by side, and the question in each is Authz(u,o,r)?

Slide 12: Core Properties
- Authorization Persistence: authorization cannot change unless some group event occurs

Slide 13: Core Properties (contd)
- Authorization Provenance: authorization can begin to hold only after a simultaneous period of user and object version membership
- Bounded Authorization: authorization cannot grow during a non-membership period

Slide 14: Core Properties (contd)
- Version Authorization Uniformity: a current user should be authorized to read and write either all versions of locally created objects or none of them

Slide 15: g-SISi Specification
- A g-SIS specification specifies the precise conditions under which Authz(u,o,v,g,p) and AuthzS(s,o,v,g,p) may hold
- A g-SIS specification must satisfy all of the core properties

Slide 16: Membership Semantics
- Strict vs Liberal operations
  - User operations: <SJ, LJ>, <SL, LL>
  - Object operations: <SA, LA>, <SC, LC> and <SR, LR>
- Strict Join (SJ): u is not authorized to access objects added prior to join time (under Liberal Join, u is)
- Liberal Leave (LL): u retains access to objects authorized at leave time (under Strict Leave, u loses it)
- Strict Add (SA): users joining after add time are not authorized to access o (under Liberal Add, they are)
- Liberal Remove (LR): users authorized to access o at remove time retain access (under Strict Remove, they lose it)
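The strict/liberal semantics above, the three core properties on slides 12 and 13 (Persistence, Provenance, Bounded Authorization) and the renewal semantics on the next slides, as an added example written for this page in Python; it is not code from the slides or from the ICS group. The operation names follow the slides, but the state-machine encoding of their semantics, the "gainful leave" variant (the slides name it without defining it; here it means a user who left liberally keeps receiving authorizations for later adds) and the event trace are assumptions of this example. Read-only, unversioned objects are assumed, so the Version Authorization Uniformity property is not modelled.

```python
"""Simulator for g-SIS isolated-group membership semantics (strict/liberal
join, leave, add, remove) plus a trace checker for three core properties:
Authorization Persistence, Authorization Provenance, Bounded Authorization.
Added example, not code from the slides. Operation names follow the slides;
the encoding of their semantics, the gainful-leave variant and TRACE are
assumptions made here.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    kind: str  # SJ/LJ (join), SL/LL (leave), SA/LA (add), SR/LR (remove)
    who: str   # user id for join/leave, object id for add/remove


@dataclass
class GroupState:
    gainful_leave: bool = False                  # assumed variant, not pi-system
    users: dict = field(default_factory=dict)    # member user -> join kind
    objects: dict = field(default_factory=dict)  # member object -> add kind
    lingering: set = field(default_factory=set)  # LL users, gainful variant only
    authz: set = field(default_factory=set)      # (user, object) read rights

    def step(self, ev: Event) -> None:
        if ev.kind in ("SJ", "LJ"):
            self.users[ev.who] = ev.kind
            self.lingering.discard(ev.who)
            if ev.kind == "LJ":  # liberal join reaches earlier adds, except strict ones
                for o, add_kind in self.objects.items():
                    if add_kind == "LA":
                        self.authz.add((ev.who, o))
            # Strict join grants nothing for earlier adds. Either re-join is lossless
            # (nothing removed) and non-restorative (a strict leave's losses stay lost).
        elif ev.kind in ("SL", "LL"):
            self.users.pop(ev.who, None)
            if ev.kind == "SL":
                self.authz = {p for p in self.authz if p[0] != ev.who}
            elif self.gainful_leave:
                self.lingering.add(ev.who)
            # Liberal leave keeps whatever was authorized at leave time.
        elif ev.kind in ("SA", "LA"):
            self.objects[ev.who] = ev.kind
            # Strict and liberal add both authorize every current member; they
            # differ only for users who join later (handled under LJ above).
            for u in list(self.users) + list(self.lingering):
                self.authz.add((u, ev.who))
        elif ev.kind in ("SR", "LR"):
            self.objects.pop(ev.who, None)
            if ev.kind == "SR":
                self.authz = {p for p in self.authz if p[1] != ev.who}
            # Liberal remove: users authorized at remove time keep access.
        else:
            raise ValueError(f"unknown operation {ev.kind}")


def history(trace, gainful_leave=False):
    """(member users, member objects, authz) before and after every event."""
    st = GroupState(gainful_leave=gainful_leave)
    hist = [(frozenset(), frozenset(), frozenset())]
    for ev in trace:
        st.step(ev)
        hist.append((frozenset(st.users), frozenset(st.objects), frozenset(st.authz)))
    return hist


def final_authz(trace, gainful_leave=False):
    return set(history(trace, gainful_leave)[-1][2])


def check_core_properties(trace, gainful_leave=False):
    """Sorted (property, step, user, object) tuples for every violation found."""
    hist = history(trace, gainful_leave)
    pairs = sorted({p for _, _, a in hist for p in a})
    bad = []
    for t in range(1, len(hist)):
        ev, (users, objects, authz), prev = trace[t - 1], hist[t], hist[t - 1][2]
        for u, o in pairs:
            now, before = (u, o) in authz, (u, o) in prev
            if now != before and ev.who not in (u, o):
                bad.append(("persistence", t, u, o))  # changed on an unrelated event
            if now and not before:
                if u not in users or o not in objects:
                    bad.append(("bounded", t, u, o))  # grew while a non-member
                if not any(u in us and o in os_ for us, os_, _ in hist[:t + 1]):
                    bad.append(("provenance", t, u, o))  # never co-members
    return sorted(bad)


TRACE = [  # constructed trace; comments give the step index in history()
    Event("SA", "o1"),     # 1: strict add with no members
    Event("LJ", "alice"),  # 2: liberal join, but o1 was a strict add: no access
    Event("LA", "o2"),     # 3: alice is a member -> (alice, o2)
    Event("SJ", "bob"),    # 4: strict join: nothing already in the group
    Event("SA", "o3"),     # 5: both members -> (alice, o3), (bob, o3)
    Event("LJ", "carol"),  # 6: reaches o2 (LA) but not o1 or o3 (SA)
    Event("LL", "alice"),  # 7: liberal leave keeps (alice, o2), (alice, o3)
    Event("LA", "o4"),     # 8: bob and carol gain o4; alice does not (gainless)
    Event("SR", "o3"),     # 9: strict remove drops every (_, o3)
    Event("LR", "o2"),     # 10: liberal remove keeps (alice, o2), (carol, o2)
    Event("SL", "bob"),    # 11: strict leave drops (bob, o4)
    Event("SJ", "bob"),    # 12: re-join restores nothing (non-restorative)
]

if __name__ == "__main__":
    print(sorted(final_authz(TRACE)), check_core_properties(TRACE))
    print(check_core_properties(TRACE, gainful_leave=True))
```

With the pi-system choices (gainless, non-restorative leave) the checker reports no violations on the trace; switching the assumed gainful-leave variant on makes alice gain o4 at step 8 while she is not a member, which the checker flags as a Bounded Authorization violation and, because alice and o4 were never members at the same time, an Authorization Provenance violation. Persistence holds in both runs because the simulator only changes authorizations at events that name the user or the object concerned.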
Slide 17: Membership Renewal Semantics
- Lossless vs Lossy Join
  - Lossless: authorization from past membership is not lost
  - Lossy: some authorization is lost at re-join time
- Restorative vs Non-Restorative Join
  - Restorative: authorizations from past membership are restored
  - Non-Restorative: past authorizations are not restored on re-join
- Gainless vs Gainful Leave
- Restorative vs Non-Restorative Leave

Slide 18: The π-system Specification
- Allows any variation of membership semantics: strict and liberal versions of user and object operations
- Allows selected membership renewal semantics: Lossless and Non-Restorative Join; Gainless and Non-Restorative Leave

Slide 19: The π-system Specification (contd)

Slide 20: The π-system Specification (contd)

Slide 21: Formal Analysis
- The core properties are mutually independent
- The core properties are consistent
- Used a model checker to prove these results for a small carrier case, then extended the result by manual proof to the large carrier case
- The π-system satisfies the core properties

Slide 22: Connected Groups Model (g-SISc)
- Groups connected by some type of relationship
  - Conditional membership (users/objects)
  - Subordination: read, write, subject create, subject move
  - Mutual exclusion
  - Cardinality
- Relationships are reflexive by definition; transitivity and anti-symmetry must be explicitly defined if needed
- Relationships vary over time in the SIS scenario
- Figure: groups G1 to G6 connected by condM (conditional membership), subordR, subordW, subordC and subordM edges
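The connected-groups relationships on this slide, and the LBAC configuration and the Org A / Org B sharing scenario on the slides that follow, as an added example written for this page in Python; it is not code from the slides or from the ICS group. Assumptions: subordR(G1, G2) lets subjects of G1 read objects of G2, subordW(G1, G2) lets them write those objects and subordC(G1, G2) lets users of G1 create subjects in G2 (the slides name these edges without spelling out their direction); relationships are reflexive by definition and transitive only when configured, as the slide states; LBAC is taken as Bell-LaPadula (read down, write up, and a user may create a subject at any level they dominate). The lattice and group names are constructed, and the equivalence check covers read and write only, not the trusted-pipeline case.

```python
"""Connected-group (g-SISc) relationships beside an LBAC lattice.
Added example, not code from the slides. Edge meanings (subordR = read,
subordW = write, subordC = create subject, all from G1 into G2) and the
Bell-LaPadula reading of LBAC are assumptions made here.
"""
from itertools import product


class Lattice:
    """Dominance lattice built from its cover relation, given as (lower, higher)."""

    def __init__(self, labels, covers):
        self.labels = set(labels)
        self.dom = {(x, x) for x in labels} | set(covers)
        grown = True
        while grown:  # transitive closure: dominance is a partial order
            grown = False
            for (a, b), (c, d) in product(list(self.dom), repeat=2):
                if b == c and (a, d) not in self.dom:
                    self.dom.add((a, d))
                    grown = True

    def dominates(self, hi, lo):
        return (lo, hi) in self.dom

    def can_read(self, subj, obj):   # simple security property: read down
        return self.dominates(subj, obj)

    def can_write(self, subj, obj):  # *-property: write up
        return self.dominates(obj, subj)

    def user_can_write(self, user, obj):
        """A user cleared at `user` writes `obj` either from a subject at their
        own level (write up) or from a subject they create at obj's level."""
        return self.can_write(user, obj) or self.dominates(user, obj)


class ConnectedGroups:
    """g-SISc groups with explicit subordination edges."""

    KINDS = ("subordR", "subordW", "subordC")

    def __init__(self, groups, transitive=False):
        self.groups = set(groups)
        self.transitive = transitive
        self.rel = {k: set() for k in self.KINDS}

    def relate(self, kind, g1, g2):
        self.rel[kind].add((g1, g2))

    def holds(self, kind, g1, g2):
        if g1 == g2:
            return True  # reflexive by definition
        edges = self.rel[kind]
        if not self.transitive:
            return (g1, g2) in edges
        seen, todo = set(), [g1]  # transitive closure, only when configured
        while todo:
            g = todo.pop()
            if g == g2:
                return True
            if g not in seen:
                seen.add(g)
                todo.extend(b for a, b in edges if a == g)
        return False


def lbac_as_gsisc(lat):
    """One group per label: a higher group reads, and creates subjects in,
    every group it dominates; a lower group writes up into every dominating one."""
    cg = ConnectedGroups(lat.labels, transitive=True)
    for lo, hi in lat.dom:
        if lo != hi:
            cg.relate("subordR", hi, lo)
            cg.relate("subordC", hi, lo)
            cg.relate("subordW", lo, hi)
    return cg


def same_as_lbac(lat, cg):
    """True when the g-SISc configuration grants exactly the LBAC accesses."""
    return all(lat.can_read(s, o) == cg.holds("subordR", s, o)
               and lat.can_write(s, o) == cg.holds("subordW", s, o)
               for s in lat.labels for o in lat.labels)


def agile_sharing():
    """Org B shares S objects with Org A's H users read-only: one subordR edge
    and no subordW or subordC. Placing H over S in an LBAC lattice cannot give
    this, because an H user may create a subject at S and write S objects."""
    cg = ConnectedGroups({"OrgA.H", "OrgB.S"})
    cg.relate("subordR", "OrgA.H", "OrgB.S")
    return cg
```

The four-label lattice L < M1, M2 < H translates into a g-SISc configuration that grants exactly the LBAC reads and writes, while the two-group agile configuration expresses the read-but-not-write relationship the slides say LBAC cannot: under LBAC the H user is stopped only from writing down, not from instantiating a subject at S, which is the path the Org B objection is about.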
Slide 23: Configuring Classic Policies: LBAC in g-SISc
- Figure: a sample lattice and its equivalent g-SISc configuration
- Not an equivalent g-SISc configuration: a trusted pipeline from G_L to G_H via G_M1 or G_M2

Slide 24: Configuring Classic Policies (contd): Domain and Type Enforcement (DTE) in g-SIS
- Figure: a sample lattice; DTE (subjects and objects) for LBAC, with a trusted pipeline from L to H via M1 or M2; the equivalent g-SISc configuration uses subordW edges

Slide 25: LBAC Inadequate for Agile Sharing
- What if H users from Org A and S users from Org B want to collaborate on a mission?
- What if Org B does not want H users to create subjects in S and write to S objects?
  - E.g. Org B wants to share intel with Org A but does not want them to modify its data
  - Categories work only if pre-determined
- Figure: LBAC for Org A and Org B versus a g-SISc configuration that links them with subordR only

Slide 26: LBAC Inadequate (contd)
- Can use all isolated group operation semantics (SJ/LJ, SL/LL, SA/LA, SR/LR, SC/LC) within each group
- Figure: the TS, S, H and L groups with subordR, subordW and subordC edges, and conditional-membership (condM) links to publish groups G1 for TS objects and G2 for S objects; export into the publish groups is allowed only by Trusted Subjects

Slide 27: Conclusion
- No security without application context
- Group-Centric Secure Information Sharing is a promising approach, still in its early days
- We project the need for application-centric security models in many emerging arenas
- Goal: a methodology and conceptual framework for this purpose: PEI, stateless/stateful specifications, stale-safe enforcement, etc.