Deriving Enforcement Mechanisms from H. Janicke, et.al. Policies - PowerPoint PPT Presentation

Deriving Enforcement Mechanisms from Policies Deriving Enforcement Mechanisms from H. Janicke, et.al. Policies Motivation ITL Policy Rules Helge Janicke, Antonio Cau, Fran¸ cois Siewe, Enforcement Hussein Zedan Summary Software Technology Research Laboratory De Montfort University Policy 2007, 14th June 2007, in Bologna, Italy

Motivation Deriving Policies describe protection requirements in an abstract, Enforcement Mechanisms often denotational form. from Policies H. Janicke, In security critical applications an unambiguous and et.al. concise semantics of policies is required. Motivation Abstract policies must be translated (interpreted) and ITL enforced. Policy Rules Enforcement Summary How to ensure that enforcement mechanisms are correct ? Can we accurately define what correct means? What optimisation of the enforcement is possible? Is the approach constructive and can it be automated?

Interval Temporal Logic Syntax Expressions Deriving Enforcement Mechanisms e ::= µ | a | A | g ( e 1 , . . . , e n ) | � v | fin v from Policies H. Janicke, Formulae et.al. p ( e 1 , . . . , e n ) | ¬ f | f 1 ∧ f 2 | ∀ v q f | skip | f 1 ; f 2 | f ∗ f ::= Motivation ITL Policy Rules µ is an integer value, Enforcement a is a static variable (doesn’t change within an interval), Summary A is a state variable (can change within an interval), v is a static or state variable, g is a function symbol and p is a predicate symbol

Interval Temporal Logic Syntax Expressions Deriving Enforcement Mechanisms e ::= µ | a | A | g ( e 1 , . . . , e n ) | � v | fin v from Policies H. Janicke, Formulae et.al. p ( e 1 , . . . , e n ) | ¬ f | f 1 ∧ f 2 | ∀ v q f | skip | f 1 ; f 2 | f ∗ f ::= Motivation ITL Policy Rules µ is an integer value, Enforcement a is a static variable (doesn’t change within an interval), Summary A is a state variable (can change within an interval), v is a static or state variable, g is a function symbol and p is a predicate symbol

Interval Temporal Logic Informal Semantics Skip (Unit Interval) State Formula Deriving w skip Enforcement Mechanisms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . from Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ✉ ✉ . . ✉ . . . . . . . . . . . . H. Janicke, ✉ . ✉ w et.al. Chop (Sequence) Motivation ITL g f Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Summary ✉ ✉ . . . ✉ ✉ ✉ . . . ✉ Chopstar (Iteration) f f f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ✉ ✉ . ✉ . ✉ ✉ . ✉

Policy Rule Deriving Enforcement Policy Rule Mechanisms from Policies H. Janicke, Expresses individual protection requirements in the form: et.al. Motivation premise → consequence ITL Policy Rules Enforcement Premise describes the behaviour (as an ITL formula) Summary that leads to the consequence. “Subject S did in the past read object O ” Consequence distinguishes the type of the rule. “then S is authorised to read objects from the same dataset”

Semantics of Rules Deriving Enforcement Definition (Always Followed By) Mechanisms from Policies H. Janicke, The operator always-followed-by , is defined as: et.al. i (( ♦ f ) ⊃ fin w ) Motivation f �→ w = � � ITL Policy Rules where f stands for any ITL formula, and w is a state formula. Enforcement Summary f �→ w f f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ✉ ✉ ✉ . ✉ . ✉ ✉ w w

Enforcement Enforcement Property Deriving A policy defines access control decisions autho ( s , o , a ) in each Enforcement Mechanisms state of the interval. from Policies H. Janicke, We define the execution of requests such that: et.al. Motivation done(s,o,a) is true iff the action was successful. ITL failed(s,o,a) is true iff the action failed. Policy Rules Enforcement Definition (Correct Enforcement — Access Control) Summary We say a policy is correctly enforced iff: E autho � = keep ( � done ( s , o , a ) ⊃ autho ( s , o , a ))

Enforcement Reference Monitor Deriving Rules define history-based access control. Their enforcement Enforcement Mechanisms must: from Policies H. Janicke, Determine the history that is required for policy decisions. et.al. Maintain this history. Motivation Optimise enforcement efficiency and decide timely. ITL Subject RM Object Policy Rules Enforcement 1 Summary 2 3b 3a 4 5 6 7

Enforcement A Single Request enf post exec succeed Deriving Enforcement Mechanisms from Policies σ j σ k σ l σ i ′ C autho H. Janicke, ¬ m ¬ m et.al. enf pre Motivation ITL fail σ i σ j σ i ′ Policy Rules Enforcement m ¬ m m Summary σ j σ i ′ ¬ C autho Requests are defined at fine level of temporal granularity. Policy enforcement takes place in enf pre and enf post and is reflected in the condition C autho .

Enforcement Mapping between Policies and Enforcement RMS Deriving Enforcement M M Mechanisms from Policies H. Janicke, et.al. σ 0 σ 1 σ 2 σ 3 σ 4 σ 5 σ 6 Motivation m ¬ m ¬ m ¬ m m ¬ m m ITL Policy Rules Enforcement Summary σ ′ σ ′ σ ′ 0 1 2 P ∧ E autho We use temporal projection to map between the more coarse policy reference interval and the fine grained RM specification.

Enforcement A Simple Rule Deriving Subject s is authorised to perform a on o if s was not acting Enforcement Mechanisms in the role admin in the state before. from Policies H. Janicke, et.al. 1 : ¬ in ( s , admin ) �→ autho ( s , o , a ) Motivation ITL We stepwise refine the temporal operators. It is clear that only Policy Rules the current and the last value of the role assignments are Enforcement required. This allows to refine the pre-update as. Summary enf pre � = ∀ s ∈ S q H in , s , admin [1] , H in , s , admin [0] ← H in , s , admin [0] , in ( s , admin ) where H is a list of history variables for the observed subscript.

Enforcement A Simple Rule Deriving The (parallel) temporal assignment can be refined into the Enforcement Mechanisms following sequence: from Policies H. Janicke, et.al. enf pre � = for s in S : { H in , s , admin [1] := H in , s , admin [0]; Motivation ITL H in , s , admin [0] := in ( s , admin ) Policy Rules } Enforcement Summary As the relevant history is now available, we can express the actual access decision in terms of these variables. C autho � = T ≥ 1 ∧ ¬ H in , s , admin [1]