Enforceable Security Policies Revisited
David Basin (1), Vincent Jugé (2), Felix Klaedtke (1), Eugen Zălinescu (1)
(1) Institute of Information Security, ETH Zurich, Switzerland
(2) MINES ParisTech, France
POST 2012
Basin, Jugé, Klaedtke, Zălinescu. Enforceable Security Policies Revisited. POST 2012. 1 / 16
Security Policies Come in all Shapes and Sizes
- History-Based Access Control
- Chinese Wall
- Information Flow
- Separation of Duty
- Business Regulations
- Data Usage
- Privacy
- Estonian Law
- ...
Which of these are enforceable?
Enforcement by Execution Monitoring
Enforceable Security Policies. F. Schneider, TISSEC 2000
Abstract setting:
- The system iteratively executes actions.
- The enforcement mechanism intercepts them prior to their execution.
- The enforcement mechanism terminates the system in case of a violation.
[Figure: the system hands each action to the enforcement mechanism, which decides whether the action is allowed.]
Main concerns:
- Does the abstraction match reality?
- Schneider: enforceable ⇒ safety. Does the converse (⇐) hold?
Follow-Up Work
- SASI Enforcement of Security Policies. Ú. Erlingsson and F. Schneider, NSPW 1999
- IRM Enforcement of Java Stack Inspection. Ú. Erlingsson and F. Schneider, S&P 2000
- Access Control by Tracking Shallow Execution History. P. Fong, S&P 2004
- Edit Automata: Enforcement Mechanisms for Run-Time Security Properties. J. Ligatti, L. Bauer, and D. Walker, IJIS 2005
- Computability Classes for Enforcement Mechanisms. K. Hamlen, G. Morrisett, and F. Schneider, TISSEC 2006
- Run-Time Enforcement of Nonsafety Policies. J. Ligatti, L. Bauer, and D. Walker, TISSEC 2009
- A Theory of Runtime Enforcement, with Results. J. Ligatti and S. Reddy, ESORICS 2010
- Do You Really Mean What You Actually Enforced? N. Bielova and F. Massacci, IJIS 2011
- Runtime Enforcement Monitors: Composition, Synthesis and Enforcement Abilities. Y. Falcone, L. Mounier, J.-C. Fernandez, and J.-L. Richier, FMSD 2011
- Service Automata. R. Gay, H. Mantel, and B. Sprick, FAST 2011
- Enforceable Policies Revisited. D. Basin, V. Jugé, F. Klaedtke, and E. Zălinescu, POST 2012
- ...
Enforcement by Execution Monitoring (Fundamental Open Question)
Match with reality: limited understanding. Can we refine Schneider's abstraction?
Schneider: enforceable ⇒ safety. Is there a necessary and sufficient condition?
Our solution: a refined abstract setting that distinguishes between observable and controllable actions (examples of actions: clock ticks, administrative actions, user actions).
Contributions
1. Formalization and characterization of enforceability
2. Realizability of enforcement mechanisms
Refined Abstract Setting
Actions: the set of actions is $\Sigma = O \cup C$, where $O = \{\text{observable actions}\}$ and $C = \{\text{controllable actions}\}$.
Traces: the trace universe $U \subseteq \Sigma^\infty$ satisfies $U \neq \emptyset$ and $U$ is prefix-closed.
Example: request · tick · deliver · tick · tick · request · deliver · tick ... ∈ U
Requirements (on the enforcement mechanism):
- Computability: make decisions
- Soundness: prevent policy-violating traces
- Transparency: allow policy-compliant traces
Formalization
[Figure: the system produces the actions $a_1 a_2 \ldots a_n$; the enforcement mechanism, a deterministic Turing machine (DTM), reads them and decides on the next intercepted action $a_{n+1}$.]
Definition. $P \subseteq (O \cup C)^\infty$ is enforceable in $U$ iff there exists a DTM $M$ such that
1. $\varepsilon \in L(M)$ ("$M$ accepts the empty trace");
2. $M$ halts on inputs in $\big(\mathit{trunc}(L(M)) \cdot (O \cup C)\big) \cap U$ ("$M$ either permits or denies the intercepted action");
3. $M$ accepts inputs in $\big(\mathit{trunc}(L(M)) \cdot O\big) \cap U$ ("$M$ permits an intercepted observable action");
4. $\overline{\mathit{trunc}(L(M))} \cap U = P \cap U$, where the overline denotes limit closure ("soundness ($\subseteq$) and transparency ($\supseteq$)").
Examples
Setting:
- Controllable actions: $C = \{\text{login}, \text{request}, \text{deliver}\}$
- Observable actions: $O = \{\text{tick}, \text{fail}\}$
- Set of actions: $\Sigma = C \cup O$
- Trace universe: $U = \Sigma^* \cup (\Sigma^* \cdot \{\text{tick}\})^\omega$
Policies:
1. "login must not happen within 3 time units after a fail." ⇒ enforceable
2. "each request must be followed by a deliver within 3 time units." ⇒ not enforceable
Evolution of Safety
Early definitions:
- L. Lamport, 1977: "A safety property is one which states that something bad will not happen."
- B. Alpern and F. Schneider, 1986: A property $P \subseteq \Sigma^\omega$ is $\omega$-safety if
  $\forall \sigma \in \Sigma^\omega.\ \sigma \notin P \rightarrow \exists i \in \mathbb{N}.\ \forall \tau \in \Sigma^\omega.\ \sigma_{<i} \cdot \tau \notin P$
- Folklore: A property $P \subseteq \Sigma^\infty$ is $\infty$-safety if
  $\forall \sigma \in \Sigma^\infty.\ \sigma \notin P \rightarrow \exists i \in \mathbb{N}.\ \forall \tau \in \Sigma^\infty.\ \sigma_{<i} \cdot \tau \notin P$
- T. Henzinger, 1992: A property $P \subseteq \Sigma^\omega$ is safety in $U \subseteq \Sigma^\omega$ if
  $\forall \sigma \in U.\ \sigma \notin P \rightarrow \exists i \in \mathbb{N}.\ \forall \tau \in \Sigma^\omega.\ \sigma_{<i} \cdot \tau \notin P \cap U$
Refined definition: A property $P \subseteq \Sigma^\infty$ is $U$-safety if
  $\forall \sigma \in U.\ \sigma \notin P \rightarrow \exists i \in \mathbb{N}.\ \forall \tau \in \Sigma^\infty.\ \sigma_{<i} \cdot \tau \notin P \cap U$
(here $\sigma_{<i}$ is the prefix of $\sigma$ of length $i$).
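The two policies from the Examples slide, together with the bad-prefix idea behind the safety definitions above, as an added illustration (this editor's code, not the paper's or the authors' construction): the monitor permits every observable action and denies a controllable action exactly when executing it would violate the policy, and the finite-horizon check enumerates the minimal violating prefixes (the $\sigma_{<i}$ of the safety definitions) to see whether each one is caused by a controllable action. The concrete readings of "within 3 time units" (a login is forbidden while fewer than 3 ticks have passed since the last fail; a pending request reaching age 3 ticks is a violation), the oldest-first matching of delivers to requests, and the horizon of 5 actions are assumptions; the check is a bounded approximation of the enforceability idea, not the paper's theorem.

```python
"""Bounded-horizon enforceability check for the two example policies.

Constructed illustration: the actions, trace universe and policies come from
the slides; the monitor and the finite-horizon check are this editor's own
illustration of the idea, not the paper's construction or its theorem.
"""
from itertools import product

C = {"login", "request", "deliver"}   # controllable: the monitor may deny these
O = {"tick", "fail"}                  # observable: the monitor must permit these
SIGMA = sorted(C | O)                 # finite traces over SIGMA are all in U


def policy1(trace):
    """Policy 1: 'login must not happen within 3 time units after a fail.'
    Assumption: a login is forbidden while fewer than 3 ticks have passed
    since the most recent fail. Prefix-closed: once violated, stays violated."""
    ticks_since_fail = None           # None until the first fail is seen
    for a in trace:
        if a == "fail":
            ticks_since_fail = 0
        elif a == "tick" and ticks_since_fail is not None:
            ticks_since_fail += 1
        elif a == "login" and ticks_since_fail is not None and ticks_since_fail < 3:
            return False
    return True


def policy2(trace):
    """Policy 2: 'each request must be followed by a deliver within 3 time units.'
    Assumption: a deliver serves the oldest pending request, and the policy is
    violated at the tick on which a pending request reaches age 3."""
    pending = []                      # ages (in ticks) of undelivered requests
    for a in trace:
        if a == "request":
            pending.append(0)
        elif a == "deliver" and pending:
            pending.pop(0)
        elif a == "tick":
            pending = [age + 1 for age in pending]
            if any(age >= 3 for age in pending):
                return False
    return True


def minimal_violations(policy, horizon):
    """Finite traces of length <= horizon that violate the policy although their
    proper prefixes comply: the bad prefix sigma_<i of the safety definitions."""
    return [t for n in range(1, horizon + 1)
            for t in product(SIGMA, repeat=n)
            if not policy(t) and policy(t[:-1])]


def enforceable_up_to(policy, horizon):
    """A monitor must permit every observable action, so a violation can only be
    prevented by denying the controllable action that causes it. If some minimal
    violation is caused by an observable action, no sound monitor exists.
    Returns (verdict, witness) with the first unpreventable violation, if any."""
    for t in minimal_violations(policy, horizon):
        if t[-1] in O:
            return False, t
    return True, None


class Monitor:
    """Enforcement mechanism for a prefix-closed policy: permits every observable
    action (condition 3 of the definition) and denies a controllable action iff
    executing it would violate the policy. Transparent by construction; sound
    only when the policy is enforceable."""

    def __init__(self, policy):
        self.policy = policy
        self.trace = ()               # actions executed so far

    def intercept(self, action):
        if action in O or self.policy(self.trace + (action,)):
            self.trace += (action,)
            return True               # permitted
        return False                  # denied: the system is stopped


def run(policy, actions):
    """Feed a constructed action sequence through the monitor; return the
    per-action decisions and the trace that was actually executed."""
    m = Monitor(policy)
    return [(a, m.intercept(a)) for a in actions], m.trace


if __name__ == "__main__":
    print("policy 1:", enforceable_up_to(policy1, 5))   # (True, None)
    print("policy 2:", enforceable_up_to(policy2, 5))   # (False, ('request', 'tick', 'tick', 'tick'))
    print(run(policy1, ["fail", "tick", "login", "tick", "tick", "login"]))
    decisions, trace = run(policy2, ["request", "tick", "tick", "tick"])
    print(decisions, "executed trace violates policy 2:", not policy2(trace))
```

Running it reports policy 1 as enforceable up to the horizon (every minimal violation ends in a login, which the monitor can deny) and returns request · tick · tick · tick as an unpreventable violation of policy 2: the request itself has a compliant continuation, so transparency forbids denying it, and the ticks that complete the violation are observable and must be permitted, so soundness fails.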