Complex Security Policies Dave Andersen Advanced Operating Systems Georgia State University
Part 1 Presentation of Material from Text Book Chapter 8.6.1
Stateless vs. State-Dependent Security Policies • The Access Control List (ACL) and Capability List (CL) security models are stateless. Properties remain fixed unless explicitly changed by the server. • Complex Access Control Policies are state dependent. Authorization of access depends on subjects past history and interaction with other objects. [1998 Chow and Johnson]
Information Flow Control • When information flow is built on lattices information can only flow between components of the lattice in the direction the lattice permits. • Flow properties of the lattice model include: • Transitivity: A->B and B->C implies A->C • Aggregation: A->C and B->C implies A U B ->C • Separability: A U B ->C implies A->C and B->C • Some applications require information flow which violates properties of the lattice.[1998 Chow and Johnson]
Exceptions to Lattice Model [1998 Chow and Johnson]
Example of a Complex Access Control Policy Computer Automated Bank Loan Application • Only clerk(S1) can prepare loan application (write permissions for object O). • One of two bank officers, the manager (S2) or accountant (S3) (but not both) must approve the application (append permissions). • Approved loan is the appended with electronic check signed by both bank manager (S2) and cashier (S4) .
Graphical Representation [1998 Chow and Johnson]
Security Issues • Only subjects with write permissions can alter electronic document. • Must be able to authenticate digital signatures. • Enforce a transitivity exception to write access: clerk cannot alter document once it has been approved. • Enforce sequence order of writes: application, approval, then check. • Enforce aggregation exception: either manager or accountant approves loan, not both (and therefore once approved by one it cannot be disapproved by another). • Check must be signed by both manager and cashier (separation exception). [1998 Chow and Johnson]
Challenge: Simple Model for Implementing Complex Policy • First two issues (write permissions and digital signatures) are solved. • As of book publishing – solution doesn’t exist for the others. • First Possibility - Maintain Finite State Machines for each object. Unfortunately, not simple or efficient. • Second Possibility: Boolean representation of access rules. • ACEw(O) = A+ B XOR C + B AND D • Achieves simplicity and efficiency, but lacks state information for proper rule enforcement. [1998 Chow and Johnson]
Storing State Information • Storing State Information on Server • File must be updated with each access. • Storing State Information on Client: • Eliminates need to update file with every access. • But, may affect clients ability to access other objects. • And, difficult to propagate state information to other clients. • Author’s Conclusion: Use Server.
Part 2 Current Research
Current Research • A Software Architecture for Automatic Security Policy Enforcement in Distributed Systems [2007 Hamdi, Bouhoula, Mosbah] • Authors propose: • Policy Specification Tool • Enforcement and Verification Engine • Automatically Generated Enforcement Mechanisms
Policy Programming Language • PPL is used to define the policies and rules that apply to an object or group of objects and the actions that should be taken when a constraint is matched. • Uses Backus–Naur Form (BNF) Syntax
Proposed System Architecture [2007 Hamdi, Bouhoula, and Mosbah]
Policy Enforcement • Portability - PPL is compiled into monitors and configurations for a specific system platform. • PPL compilation allows for the detection of policy conflicts. • All security checks and state management operations occur at entry and exit of policy enforcement point.
Part 3 Future Directions
Automated Security Testing? Security Policies can be very complex— Can a program/system be developed to either prove or disprove (find security holes) in a set of rules or policies of a given system.
References • Randy Chow and Theodore Johnson, Distributed Operating Systems & Algorithms, Addison Wesley Longman, Inc., Reading, MA, 1997. • H. Hamdi, A. Bouhoula, M. Mosbah, “A Software Architecture for Automatic Security Policy Enforcement in Distributed Systems”, SecureWare 2007, The International Conference on Emerging Security Information Systems and Technologies, October 14-20, 2007, pages 187-192.