Published in Volume XXI, Issue 1, 2011, pages 107-149
Authors: A.M. Hernandez, F. Nielson, H. Riis-Nielson
Abstract
We consider the use of aspect-oriented techniques as a flexible way to deal with security policies in distributed systems. We follow the approach of attaching security policies to the locations that must be governed by them, and then combining those policies at runtime according to the interactions that actually happen. Recent work suggests using aspects in this way to analyse the future behaviour of programs and to base access control decisions on that analysis; this gives the flavour of dealing with information flow rather than mere access control. We show in this paper that it is beneficial to augment this approach with history-based components, as is traditional in reference-monitor-based approaches to mandatory access control. Our developments are carried out in an aspect-oriented coordination language, with the aim of describing the Bell-LaPadula policy as elegantly as possible. The resulting language can combine both history-sensitive and future-sensitive policies, providing even more flexibility and power. Moreover, we propose a global logic for reasoning about the systems designed in this language, and we show how the logic can be used to validate the combination of security policies in a distributed system, either with or without exploring the entire state space.
BibTeX
@article{sacscuza:hernandez2011dcavhspfds,
  title={Designing, Capturing and Validating History-Sensitive Security Policies for Distributed Systems},
  author={A.M. Hernandez and F. Nielson and H. Riis-Nielson},
  journal={Scientific Annals of Computer Science},
  volume={21},
  number={1},
  organization={``A.I. Cuza'' University, Iasi, Romania},
  year={2011},
  pages={107--149},
  publisher={``A.I. Cuza'' University Press}
}