Institute for Cyber Security
Group-Centric Models for Secure
and Agile Information Sharing
Ravi Sandhu
Executive Director and Endowed Professor
April 2010
[email protected], www.profsandhu.com, www.ics.utsa.edu
Joint work with ICS colleagues
Ram Krishnan, Jianwei Niu and Will Winsborough
© Ravi Sandhu
World-Leading Research with Real-World Impact!
1
Application Context
Basic premise: There is no security without application context
Opposite premise:
Orange Book and Rainbow Series Era (1983-1994)
  Application context makes high-assurance impossible
  o Good-enough security is good enough
  o Mission-assurance not information-assurance
  Towards the end of this era applications had to be addressed: Trusted Database Interpretation (TDI)
Firewall Era (1992-2008)
  Perimeter security, vulnerability scanning, penetrate and patch, intrusion prevention, secure coding, etc.
Application Context
Software Architect   Project      % Time   Label
Alice                Win7         25%      U
Alice                SecureWin7   75%      S
Bob                  Vista        100%     U
What precisely is Secret?
  There exists a SecureWin7 project
  Alice works on SecureWin7
  Alice’s effort on SecureWin7 is 75%
  All or some of the above
How do we maintain integrity of the database? Depends
  Data and security model are intertwined
  • Much work and $$$ by researchers and vendors, late 80’s-early 90’s
Application Centric Security
Modern applications
  Multi-party
  Different objectives and responsibilities, often in conflict
Ongoing projects at ICS
  Secure information sharing
  Social networking
  Critical infrastructure assurance
  SaaS in the Cloud/Intercloud
  Smart grid
The future is data and application centric
New ACM Conference on Data and Application Security and Privacy (CODASPY)
  Feb 21-23, 2011, San Antonio, Texas
  www.codaspy.org, www.sigsac.org
  Papers due: Sept 15th 2010
PEI Models
Security and system goals (objectives/policy)
  Necessarily informal
Policy models
  Specified using users, subjects, objects, admins, labels, roles, groups, etc. in an ideal setting.
  Security analysis (objectives, properties, etc.).
Enforcement models
  Approximated policy realized using system architecture with trusted servers, protocols, etc.
  Enforcement level security analysis (e.g. stale information due to network latency, protocol proofs, etc.).
Implementation models
  Technologies such as Cloud Computing, Trusted Computing, etc.
  Implementation level security analysis (e.g. vulnerability analysis, penetration testing, etc.)
Concrete System
  Software and Hardware
Secure Information Sharing (SIS)
Goal: Share but protect
Containment challenge
  Client containment
  o High assurance infeasible (e.g., cannot close the analog hole)
  o Low to medium assurance achievable
  Server containment
  o Will typically have higher assurance than client containment
Policy challenge
  How to construct meaningful, usable SIS policy
  How to develop an intertwined information and security model
SIS Policy Construction
Dissemination Centric (d-SIS)
  Sticky policies that follow an object along a dissemination chain (possibly modified at each step)
Group Centric (g-SIS)
  Bring users and information together to share existing information and create new information
  Metaphors: Secure meeting room, Subscription service
  Benefits: analogous to RBAC over DAC
Why not use existing access control (AC) models?
  Discretionary (DAC): fails containment
  Lattice-based (LBAC or MAC): no agility
  Role-based (RBAC): too general
  Attribute-based (ABAC): too general
g-SIS Model Components
Operational aspects
  Group operation semantics
  o Add, Join, Leave, Remove, etc.
  o Multicast group is one example
  Object model
  o Read-only
  o Read-Write (no versioning vs versioning)
  User-subject model
  o Read-only vs read-write
  Policy specification
  (Figure: Users join and leave a Group; Objects are added to and removed from it; the policy question is Authz(u,o,r)?)
Administrative aspects
  Authorization to create group, user join/leave, object add/remove, etc.
g-SIS Models
Isolated groups model
  No subject level info flow between groups
  Groups are information sinks
Connected groups model
  Connected groups with some type of relationship
  o E.g. Subordination (read, write, create subject, move subject), conditional membership, mutual exclusion, etc.
  Subject level info flow governed by relationship semantics
(Figure: g-SIS Models laid out as a grid of Isolated, Connected, Isolated + ABAC and Connected + ABAC. Connected is work in progress; Isolated + ABAC and Connected + ABAC are anticipated to be straightforward.)
Isolated Group Model (g-SISi)
Abstract model specification = Stateless (vis-à-vis Stateful)
  Specify without worrying about state structure
  o No data structure to maintain user/object attributes
  Use many sorted, first-order linear temporal logic (FOTL)
  o FOTL = LTL with parameters, constants, variables and quantifiers
Entities in the isolated group model
  Users, subjects, object versions, groups and permissions
Operations in the isolated group model
  User membership operations
  o Join(u,g), Leave(u,g)
  Object membership operations
  o Add(o,v,g), Remove(o,v,g)
  o CreateO(o,v,g)
  Subject operations
  o createS(u,s,g), killS(u,s,g), read(s,o,v,g), update(s,o,v1,v2,g)
  (Figure: object version tree. CreateO(o,vinit,g) creates vinit; update(s,o,vinit,v1,g) and update(s,o,vinit,v2,g) derive v1 and v2 from vinit; update(s,o,v1,v3,g) and update(s,o,v1,v4,g) derive v3 and v4 from v1.)
Authorization to exercise a permission p on an object version
  Authz(u,o,v,g,p)
  AuthzS(s,o,v,g,p)
g-SISi Operation Semantics
(Figure: Read-only Model and Read-Write Model side by side. Users enter the GROUP by Strict or Liberal Join and exit by Strict or Liberal Leave; Objects enter by Strict or Liberal Add, or by Create, and exit by Strict or Liberal Remove; in the Read-Write Model objects are further modified by update. In each model the question is Authz(u,o,r)?)
Core Properties
Authorization Persistence
Authorization cannot change unless some group event occurs
Core Properties (contd)
Authorization Provenance
  Authorization can begin to hold only after a simultaneous period of user and object version membership
Bounded Authorization
  Authorization cannot grow during non-membership period
Core Properties (contd)
Version Authorization Uniformity
  A current user should be authorized to read and write either all versions of locally created objects or none of them
g-SISi Specification
A g-SIS specification specifies the precise conditions under which Authz(u,o,v,g,p) and AuthzS(s,o,v,g,p) may hold
A g-SIS specification must satisfy all of the core properties
That is:
Membership Semantics
Strict vs Liberal operations
  User operations: <SJ, LJ>, <SL, LL>
  Object operations: <SA, LA>, <SC, LC> and <SR, LR>
Strict Join: u not authorized to access objects added prior to join time
Liberal Leave: u retains access to objects authorized at leave time
Strict Add: users joining after add time not authorized to access o
Liberal Remove: users authorized to access o at remove time retain access
Membership Renewal Semantics
Lossless vs Lossy Join
  Lossless: Authorization from past membership not lost
  Lossy: Some authorization lost at re-join time
Restorative vs Non-Restorative Join
  Restorative: Authorizations from past membership restored
  Non-Restorative: Past authorizations not restored on re-join
Gainless vs Gainful Leave
Restorative vs Non-Restorative Leave
The π-system Specification
Allows any variation of membership semantics
  Strict and Liberal versions of user and object operations
Allows selected membership renewal semantics
  Lossless and Non-Restorative Join
  Gainless and Non-Restorative Leave
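The strict/liberal membership semantics and the π-system's renewal choices (lossless, non-restorative join; gainless, non-restorative leave) replayed over an event trace, as an added Python example written for this transcript; it is not the authors' FOTL specification or code, covers only the read-only model with Add (no Create/update), and the class, event format and sample trace are my own assumptions.

```python
from dataclasses import dataclass, field

# Added example: read-only isolated g-SIS group driven by a trace of group events.
# The operation semantics follow the slides; class and trace format are assumptions.

@dataclass
class IsolatedGroup:
    members: dict = field(default_factory=dict)  # user -> join kind ("strict"/"liberal")
    objects: dict = field(default_factory=dict)  # object -> add kind ("strict"/"liberal")
    authz: set = field(default_factory=set)      # (user, object) pairs currently authorized

    def join(self, u, kind):
        self.members[u] = kind
        if kind == "liberal":  # LJ: access to objects already in the group,
            for o, add_kind in self.objects.items():  # but an SA object stays hidden
                if add_kind == "liberal":             # from anyone who joins after it
                    self.authz.add((u, o))
        # Lossless, non-restorative join: nothing retained is dropped, nothing lost is restored.

    def leave(self, u, kind):
        self.members.pop(u, None)
        if kind == "strict":  # SL: u loses everything
            self.authz = {(x, o) for (x, o) in self.authz if x != u}
        # LL: u keeps what it held at leave time; gainless, so nothing new is granted here.

    def add(self, o, kind):
        self.objects[o] = kind
        for u in self.members:      # current members get o regardless of SA/LA;
            self.authz.add((u, o))  # the kind only affects users who join later

    def remove(self, o, kind):
        self.objects.pop(o, None)
        if kind == "strict":  # SR: everyone loses o
            self.authz = {(u, x) for (u, x) in self.authz if x != o}
        # LR: users authorized at remove time retain access.

    def authorized(self, u, o):
        return (u, o) in self.authz


def run_trace(events):
    """Replay (operation, name, kind) events. Authorization persistence says authz only
    changes at group events, so replaying the trace is the whole evaluation."""
    g = IsolatedGroup()
    for op, name, kind in events:
        getattr(g, op)(name, kind)
    return g

# Constructed trace: o1 is strictly added before alice liberally joins, o2 is added while
# she is a member, she leaves liberally, and o3 is added afterwards.
TRACE = [("add", "o1", "strict"), ("join", "alice", "liberal"), ("add", "o2", "liberal"),
         ("leave", "alice", "liberal"), ("add", "o3", "liberal")]
```

Replaying TRACE leaves alice with o2 only: o1 was strictly added before her join, and o3 arrived during her non-membership period (bounded authorization).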
The π-system Specification (contd)
The π-system Specification (contd)
Formal Analysis
The core properties are mutually independent
The core properties are consistent
  Used a model checker to prove these results for a small carrier case
  Extended this result using manual proof for large carrier case
The π-system satisfies the core properties
Connected Groups Model (g-SISc)
Groups connected by some type of relationship
  Conditional membership (users/objects)
  Subordination
  o Read, write, subject create, subject move
  Mutual exclusion
  Cardinality
Relationships are reflexive by definition
Transitivity and anti-symmetry must be explicitly defined if needed
Relationships vary over time in SIS scenario
(Figure: groups G1 to G6 connected by condM, subordR, subordW, subordC and subordM relationships)
Configuring Classic Policies
LBAC in g-SISc
  A sample lattice (figure)
  Equivalent g-SISc Configuration (figure)
  Not an equivalent g-SISc configuration (figure): trusted pipeline from G_L to G_H via G_M1 or G_M2
Configuring Classic Policies (contd)
Domain and Type Enforcement (DTE) in g-SIS
  A sample lattice (figure)
  DTE for LBAC (figure): Subjects and Objects, with a trusted pipeline from L to H via M1 or M2
  Equivalent g-SISc Configuration (figure, using subordW)
LBAC Inadequate for Agile Sharing
What if H users from Org A and S users from Org B want to collaborate on a mission?
What if Org B does not want H users to create subjects in S and write to S objects?
  o E.g. Org B wants to share intel with Org A but does not want them to modify their data
  o Categories work only if pre-determined
(Figure: LBAC lattices of Org A and Org B beside a g-SISc configuration for Org A and Org B, connected by subordR relationships)
LBAC Inadequate (contd)
Can use all isolated group operation semantics
(Figure: g-SISc configuration with groups TS, H, S, L, G1 and G2 connected by condM, subordR, subordW and subordC relationships. Each group supports the isolated group operations SJ/LJ and SL/LL for users and SA/LA, SR/LR and SC/LC for objects. A Publish group for TS objects and a Publish group for S objects are reached via subordR; Export from a publish group is allowed only by Trusted Subjects.)
Conclusion
No security without application context
Group-Centric Secure Information Sharing is a promising approach
  Still in early days
We project the need for Application Centric security models in many emerging arenas
  Goal: have a methodology and conceptual framework for this purpose
  PEI, Stateless-Stateful specifications, Stale-safe enforcement, etc.