

• Number of slides: 23

Slide 1: Stale-Safe Security Properties for Secure Information Sharing
Ram Krishnan (GMU), Jianwei Niu (UT San Antonio), Ravi Sandhu (UT San Antonio), William Winsborough (UT San Antonio)

Slide 2: Presentation Outline
• Concept
– Stale-Safety
– Group-Based Secure Information Sharing (g-SIS)
• Staleness in g-SIS
• Formal Specification using Linear Temporal Logic
– Weak Stale-Safe Security Property
– Strong Stale-Safe Security Property
• Modeling g-SIS
• Verification of g-SIS Stale-Safety using Model Checking

Slide 3: Concept of Stale-Safety
(figure: attribute updates flow from the AIP to the ADP and on to the AEP)
AIP: Authorization Information Point
ADP: Authorization Decision Point
AEP: Authorization Enforcement Point

Slide 4: Group-Based Secure Information Sharing (g-SIS)
• Share sensitive information within a group
• Allows offline access
• Assumes a Trusted Reference Monitor (TRM)
– Resides on the group subject's access machine
– Enforces group policy
– Synchronizes attributes periodically with the server
• Objects available via super-distribution

Slide 5: g-SIS Attributes
Subject attributes: Join-TS, Leave-TS. Object attributes: Add-TS, Remove-TS.
(table, reconstructed from the slide)
Current group subject: Join-TS = time of join, Leave-TS = NULL
Past group subject: Join-TS = time of join, Leave-TS = time of leave
Current group object: Add-TS = time of add, Remove-TS = NULL
Past group object: Add-TS = time of add, Remove-TS = time of remove
Join moves a subject from "never in the group" to "current group subject"; Leave moves it to "past group subject". Add and Remove do the same for objects.
Authz(s, o, r) ≡ Add-TS(o) > Join-TS(s) & Leave-TS(s) = NULL & Remove-TS(o) = NULL

Slide 6: g-SIS Architecture
(figure; labels recoverable from it:)
CC: Control Center; GA: Group Administrator; TRM: Trusted Reference Monitor on each group subject's machine
Subject attributes: {id, Join-TS, Leave-TS, ORL, gKey}; Object attributes: {id, Add-TS}
ORL: Object Revocation List; gKey: Group Key
Refresh Time (RT): the TRM contacts the CC to update attributes
Steps shown: 1. Refresh Request (TRM to CC); 3.1 Leave Subject (s) / 3.2 Set Leave-TS(s); 4.1 Remove Object (o) / 4.2 Add o to ORL; 5.1 Read Objects / 5.2 Update Attributes (step 2 is not recoverable from the extracted text)

Slide 7: Staleness in g-SIS
RT: Refresh Time
Timeline: Add(o1), Join(s), RT0, RT1, RT2, Add(o2), RT3, Leave(s), Request(s, o2, r), RT4, Request(s, o1, r)
Request(s, o2, r): was authorized at the most recent RT (RT3)
Request(s, o1, r): was never authorized (o1 was added before s joined)
Authz(s, o, r) ≡ Add-TS(o) > Join-TS(s) & Leave-TS(s) = NULL & o NotIn ORL

Slide 8: FORMALIZATION OF STALE-SAFETY

Slide 9: Linear Temporal Logic
• Precise, concise expression of state-sequence properties
– Uses temporal operators and logical connectives
– Enables automated verification of properties
• Future operators
– p (always): formula p holds in the current and all future states
• Past operators
– p S q (p Since q): q held sometime in the past and p has held from that state up to the current one
– p (previous): p held in the previous state

Slide 10: Stale-Safe Security Properties
• Weak Stale-Safety
– Allows a (safe) authorization decision to be made without contacting the CC
– Achieved by requiring that the authorization was TRUE at the most recent refresh time
• Strong Stale-Safety
– Requires up-to-date authorization information from the CC after a request is received
– If the CC is not available, no decision can be made
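The two informal definitions above can be written with the LTL operators introduced on slide 9. The formulas below are my own rendering of those definitions, added here; they are not the slides' formulas (which did not survive extraction). □ stands for the future operator described on slide 9 ("p holds in the current and all future states"), S is Since, and ● is the previous-state operator; perform, request, RT and Authz are propositions that hold, respectively, in the state where the TRM performs the request, where a request arrives, where a refresh with the CC takes place, and where Authz(s, o, r) is true on the CC's attributes.

```latex
\text{Weak stale-safety:}\quad
\Box\big(\mathit{perform} \rightarrow (\neg \mathit{RT}\ \mathcal{S}\ (\mathit{RT} \wedge \mathit{Authz}))\big)

\text{Strong stale-safety:}\quad
\Box\big(\mathit{perform} \rightarrow (\neg \mathit{RT}\ \mathcal{S}\ (\mathit{RT} \wedge \mathit{Authz} \wedge \bullet(\neg \mathit{RT}\ \mathcal{S}\ \mathit{request})))\big)
```

The weak formula says that every perform is preceded by a refresh at which Authz held, with no further refresh since, i.e. authorization was true at the most recent RT. The strong formula adds that this refresh is the first one after the request arrived, so the decision rests on attributes fetched after the request. On the slide 7 timeline the weak property admits performing Request(s, o2, r) from the RT3 attributes even though s has since left; the strong property does not, because no refresh has followed that request.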

Slide 11: Properties
(figure: two event traces over Join, Add, Request, RT, Authz and Perform, one marked "Stale-unsafe decision"; the formulas for Weak Stale-Safety and Strong Stale-Safety are not recoverable from the extracted text)

Slide 12: MODELING TRUSTED REFERENCE MONITOR (TRM)

Slide 13: Stale-Unsafe TRM
(state machine figure; states: idle, authorized, refreshing)
Transition notation: e[c] / a, where e: event, c: condition, a: action
Transition labels: Request [Authz & !timeout]; Request [timeout] /refreshReq; [Authz & !timeout] /Perform; [!Authz] /Reject; [timeout] /refreshReq; [Authz] /refresh
Authz ≡ Add-TS > Join-TS & Leave-TS = NULL & o NotIn ORL

Slide 14: Stale-Safe TRM
(state machine figure; states: idle, authorized, refreshing)
Transition notation: e[c] / a, where e: event, c: condition, a: action
Transition labels: Request [timeout | stale] /refreshRequest; Request [Authz & !timeout & !stale]; [Authz & !timeout] /Perform; [!Authz & !timeout] /Reject; [timeout] /refreshReq; [Authz.E] /Reject; [Authz] /refresh
Authz ≡ Add-TS > Join-TS & Leave-TS = NULL & Remove-TS = NULL
stale ≡ Add-TS >= Refresh-TS
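As an added illustration (my code, not the slides' SMV models or anything from the authors), the Python below simulates the decision rules of the stale-unsafe TRM (slide 13) and the stale-safe TRM (slide 14) over two constructed event traces: the slide 7 timeline, and a trace in which the subject leaves before an object is added. The ControlCenter class, the Snapshot and Obj types, the integer timestamps and the fixed-age timeout are my assumptions; Authz is evaluated in the ORL form used on slides 7 and 13.

```python
"""Stale-unsafe vs stale-safe TRM decisions over constructed g-SIS traces.

Added example (not the slides' SMV models). Timestamps are integers; the
ControlCenter stands in for the CC and hands the TRM a Snapshot of the
subject's attributes at each refresh time (RT).
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Snapshot:
    """Subject attributes as cached by the TRM at its last refresh."""
    join_ts: int
    leave_ts: Optional[int]   # NULL (None) while the subject is a current member
    orl: frozenset            # Object Revocation List as known at refresh_ts
    refresh_ts: int           # the RT at which this snapshot was fetched


@dataclass(frozen=True)
class Obj:
    """Object attributes travel with the super-distributed object."""
    oid: str
    add_ts: int


class ControlCenter:
    """Authoritative attribute store (hypothetical stand-in for the CC)."""

    def __init__(self) -> None:
        self.join: Dict[str, int] = {}
        self.leave: Dict[str, int] = {}
        self.orl: set = set()

    def snapshot(self, sid: str, rt: int) -> Snapshot:
        """What the TRM learns when it refreshes at time rt."""
        return Snapshot(self.join[sid], self.leave.get(sid), frozenset(self.orl), rt)

    def authz_now(self, sid: str, o: Obj) -> bool:
        """Ground truth: Authz(s, o, r) on the CC's current attributes."""
        return o.add_ts > self.join[sid] and sid not in self.leave and o.oid not in self.orl


def authz(s: Snapshot, o: Obj) -> bool:
    """Authz as on slides 7/13: Add-TS > Join-TS & Leave-TS = NULL & o NotIn ORL."""
    return o.add_ts > s.join_ts and s.leave_ts is None and o.oid not in s.orl


def stale_unsafe_decide(s: Snapshot, o: Obj, now: int, timeout: int = 100) -> str:
    """Slide 13: decide from cached attributes unless they have timed out."""
    if now - s.refresh_ts > timeout:
        return "refreshReq"
    return "Perform" if authz(s, o) else "Reject"


def stale_safe_decide(s: Snapshot, o: Obj, now: int, timeout: int = 100) -> str:
    """Slide 14: also refuse to decide locally when the object is newer than the
    cached attributes (stale: Add-TS >= Refresh-TS), since the cache then
    cannot show that Authz held at the most recent RT."""
    stale = o.add_ts >= s.refresh_ts
    if now - s.refresh_ts > timeout or stale:
        return "refreshReq"
    return "Perform" if authz(s, o) else "Reject"


def trace_slide7() -> Dict[str, str]:
    """Slide 7 timeline: Add(o1)@1, Join(s)@2, RT0-RT2, Add(o2)@6, RT3@7,
    Leave(s)@8, Request(s,o2)@9, RT4@10, Request(s,o1)@11."""
    cc = ControlCenter()
    o1, o2 = Obj("o1", 1), Obj("o2", 6)
    cc.join["s"] = 2
    rt3 = cc.snapshot("s", rt=7)        # s still a member, o2 already added
    cc.leave["s"] = 8
    rt4 = cc.snapshot("s", rt=10)
    return {
        # o2 was authorized at RT3, so a local Perform at 9 is weak stale-safe
        "o2_unsafe": stale_unsafe_decide(rt3, o2, now=9),
        "o2_safe": stale_safe_decide(rt3, o2, now=9),
        # o1 was added before s joined: never authorized
        "o1_safe": stale_safe_decide(rt4, o1, now=11),
    }


def trace_left_before_add() -> Dict[str, object]:
    """Join(s)@2, RT@3, Leave(s)@4, Add(o3)@5, Request(s,o3)@6 before the next RT.
    Authz never held for (s, o3) at any RT, so a local Perform is stale-unsafe."""
    cc = ControlCenter()
    cc.join["s"] = 2
    cached = cc.snapshot("s", rt=3)     # Leave-TS still NULL in the cache
    cc.leave["s"] = 4
    o3 = Obj("o3", 5)
    return {
        "cc_truth": cc.authz_now("s", o3),
        "unsafe": stale_unsafe_decide(cached, o3, now=6),     # performs on stale data
        "safe": stale_safe_decide(cached, o3, now=6),         # stale -> refresh first
        "safe_after_refresh": stale_safe_decide(cc.snapshot("s", rt=6), o3, now=6),
    }


if __name__ == "__main__":
    print(trace_slide7())
    print(trace_left_before_add())
```

The second trace is the case the stale condition exists for: the cached attributes still say Leave-TS = NULL, and the object's Add-TS satisfies Authz, so the slide 13 TRM performs an access that the CC would deny. The slide 14 TRM sees Add-TS(o3) >= Refresh-TS, declines to decide offline, and rejects once it has refreshed. In the slide 7 trace both TRMs perform Request(s, o2, r) from the RT3 attributes, which weak stale-safety permits because Authz was true at that refresh.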

Slide 15: Stale-Safety Verification
• Model checkers
– Cadence: http://www.kenmcmil.com/
– NuSMV: http://nusmv.irst.itc.it/
• Language: Symbolic Model Verifier (SMV)
• Verification of Weak Stale-Safety
– Unsafe TRM
– Safe TRM

Slide 16: Stale-Unsafe TRM (figure: SMV model, not recoverable from the extracted text)

Slide 17: Stale-Safe TRM (figure: SMV model, not recoverable from the extracted text)

Slide 18: Conclusions
• Staleness is inherent to distributed systems
– Impossible to eliminate time-delayed attributes
– Possible to limit the impact of time-delayed attributes
• Weak Stale-Safe Property
– Characterizes safe decisions using time-delayed attributes
• Strong Stale-Safe Property
– Characterizes a decision that can be made only with up-to-date attributes (infeasible in many applications such as g-SIS)
• Formal specification using LTL allows automated verification using model checking

Slide 19: Questions/Comments. Thanks!

Slide 20: Backup

Slide 21: Formalization of Authz
(figure: Case (a): Join, Add, Authz.CC compared with Join, Add, RT, Authz.TRM; Case (b): Join, RT, Add, Authz.TRM)

Slide 22: Stale-Safe Systems
• Strong Stale-Safety
– Safe for confidentiality and integrity systems
– Main trade-off is usability/practicality
• E.g. not applicable for g-SIS
• Weak Stale-Safety
– Risky for integrity systems
• Maliciously updated objects may be consumed by others before modifications can be undone
• E.g. malicious code injected by unauthorized subjects may be executed on a critical system by another subject

Slide 23: Temporal Operators (figure: operator table, not recoverable from the extracted text)