Giorgini P., EuroPKI 2004. Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures. Paolo Giorgini, Department of Information and Communication Technology, University of Trento.

Presentation transcript:

Giorgini P., EuroPKI. Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures
Paolo Giorgini, Department of Information and Communication Technology, University of Trento (Italy)
Joint work with Fabio Massacci, John Mylopoulos, and Nicola Zannone

Summary
Motivation
Our approach
–Security-aware Tropos
–Case study
–Formalization
–Axioms
–Properties
–Trust Management Implementation
Conclusion and future work

Trust Management and PKIs
Trust Management and PKIs are hot topics in security research:
–sophisticated policy languages, algorithms, and systems for managing security credentials
Solutions based on public-key cryptography and credentials have been shown to be well suited to satisfying the security requirements of distributed systems
However, there is a big gap between these solutions and the requirements of the entire system

Security and Requirements
No methodologies exist for linking security policy to the mainstream requirements analysis process
The usual approach to including security in a system is to identify security requirements after system design
Security mechanisms then have to be fitted into a pre-existing design:
–the design may not be able to accommodate them
–security requirements can conflict with the functional requirements of the system

Our goal
There are proposals improving on security engineering or on architectures for trust management, but nobody has proposed a methodology that considers both approaches together
We want to introduce a trust management system into the requirements engineering framework
–avoid designing an entire system and then retrofitting a PKI on top of it, when it is already too late to make it fit snugly

Our proposal
A process that integrates trust, security and system engineering, using the same concepts and notations used for requirements specification
–Three-step approach:
1. Functional requirements modeling
2. Trust requirements modeling
3. PKI/trust management implementation
We use Tropos, an agent-oriented methodology, for requirements modeling and analysis

Tropos Methodology
Tropos is an agent-oriented software development methodology, tailored to describe both the organization and the system itself
Tropos uses the concepts of
–Actor: an intentional entity; a role, a position, or an agent (human or software)
–Goal (softgoal): a strategic interest of an actor
–Task: a particular course of action that can be executed in order to satisfy a goal
–Resource: a physical or informational entity (without intentionality)
–Social dependency (between two actors): one actor depends on another to accomplish a goal, execute a task, or deliver a resource

Security-Aware Tropos
Tropos was not designed with security in mind
We introduce four new relationships:
–Trust, among two agents and a service
–Delegation, among two agents and a service
–Ownership, between an agent and a service
–Offer, between an agent and a service
And we refine the methodology by
–defining functional dependencies of services among actors
–designing a trust model among actors
–identifying who owns services and who is able to fulfill them

An illustrative Case Study
A health care information system, in which:
–Patient: depends on the hospital for receiving appropriate health care. Further, patients will refuse to share their data if they do not trust the system or do not have sufficient control over the use of their data;
–Hospital: provides medical treatment and depends on the patients for having their personal information;
–Clinician: a physician of the hospital who provides medical health advice and, whenever needed, provides accurate medical treatment;
–Health Care Authority (HCA): controls and guarantees the fair allocation of resources and a good quality of the delivered services;
–Medical Information System (MIS): according to the current privacy legislation, can share the patients' medical data if and only if consent is obtained.

The Functional Requirements Model
[diagram] Legend: D: Dependency, A: Aim, S: Service

The Trust Requirements Model
[diagram] Legend: O: Ownership, T: Trust

The Trust Management Implementation
[diagram] Two forms of delegation: P: Permission (delegation for use), G: delegation for Grant

Formalization (1)
Predicates for the functional requirements model:
–offers(a,s)
–aims(a,s)
–has(a,s)
–depends(a,b,s1,s2)
Predicates for the trust requirements model:
–owns(a,s)
–trust(a,b,s1,s2,n), where n is the trust depth
Predicates for the trust management implementation:
–fulfills(a,s)
–delGrant(idC,a,b,s1,s2,n), where idC is the certificate identifier and n the delegation depth
–permission(idC,a,b,s1,s2)

Formalization (2)
One way to see depth is as the number of re-delegations: depth 1 means that no re-delegation is allowed; depth N means that N-1 further steps are allowed

Axioms using Datalog
[figure: the Datalog axioms]

Properties
[figure: the properties]
We use the DLV system for automatic verification of security requirements

Negative Authorization (1)
We use a closed world policy: the lack of an authorization is interpreted as a negative authorization
This approach has a major problem: the lack of a given authorization for a given actor does not prevent this actor from receiving that authorization later on
We propose an explicit negative authorization, namely an explicit denial for an actor to access a service
Negative authorizations are stronger than positive authorizations
Two predicates:
–delDenial(idC,a,b,s,n)
–prohibition(idC,a,b,s)
and, analogously to the positive case, the chain predicates:
–delDChain(A,B,S)
–prohibitionChain(A,C,S)

Negative Authorization (2)
[figure: axioms and properties for negative authorization]
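The delegation-depth semantics of Formalization (2) and the "negative is stronger than positive" rule of the two Negative Authorization slides can be checked mechanically in the way the DLV verification does. The following Python is an added example, not the authors' Datalog axioms or the ST-Tool: it forward-chains the delGrant/delDenial certificates to a fixpoint under one reading of the slides (depth 1 = no re-delegation, depth N = N-1 further grant steps, a prohibition overrides any permission), drops the certificate id and the purpose argument s2 to keep the facts short, and then checks the property that whoever fulfills a service must hold a valid positive authorization and no valid denial. The facts about Pat, Hosp, MIS, Cli, HCA, Nurse, Ins and Res are constructed for the case study.

```python
"""Depth-bounded delegation chains with explicit denial, as a forward-chaining checker.

Added example, not the authors' Datalog axioms: the rules below are one reading
of the slides' depth semantics (depth 1 = no re-delegation, depth N = N-1 further
grant steps) and of "negative authorizations are stronger than positive ones".
Certificate ids and the purpose argument s2 of the slides' predicates are dropped.
"""
from typing import Dict, Set, Tuple

INF = float("inf")
Pair = Tuple[str, str]                 # (actor, service)
Cert = Tuple[str, str, str, int]       # (issuer, receiver, service, depth): delGrant / delDenial
Stmt = Tuple[str, str, str]            # (issuer, receiver, service): permission / prohibition


def derive(owns: Set[Pair], del_grant: Set[Cert], permission: Set[Stmt],
           del_denial: Set[Cert], prohibition: Set[Stmt]):
    """Chain to a fixpoint and return (grant_depth, can_use, denied):
    grant_depth maps (actor, service) to the deepest valid grant authority held,
    can_use holds pairs with a valid positive authorization, denied the negative ones."""
    grant_depth: Dict[Pair, float] = {}
    denial_depth: Dict[Pair, float] = {}

    def held(table: Dict[Pair, float], actor: str, service: str) -> float:
        # The owner is the root of every chain and is never depth-limited.
        return INF if (actor, service) in owns else table.get((actor, service), 0)

    def propagate(certs: Set[Cert], table: Dict[Pair, float]) -> bool:
        changed = False
        for issuer, receiver, service, n in certs:
            # A certificate is valid only if the issuer holds authority strictly deeper
            # than the depth it hands out, so a depth-1 holder cannot re-delegate.
            if n >= 1 and held(table, issuer, service) > n and table.get((receiver, service), 0) < n:
                table[(receiver, service)] = n
                changed = True
        return changed

    # '|' (not 'or') so both chains advance in every round until neither changes.
    while propagate(del_grant, grant_depth) | propagate(del_denial, denial_depth):
        pass

    can_use = set(owns) | {(b, s) for a, b, s in permission if held(grant_depth, a, s) >= 1}
    denied = {(b, s) for a, b, s in prohibition if held(denial_depth, a, s) >= 1}
    return grant_depth, can_use, denied


def violations(fulfills: Set[Pair], can_use: Set[Pair], denied: Set[Pair]) -> Set[Pair]:
    """Property: whoever fulfills a service must be authorized and not explicitly denied."""
    return {p for p in fulfills if p not in can_use or p in denied}


# Constructed facts for the health-care case study (actor names follow the slides).
OWNS = {("Pat", "Rec")}
DEL_GRANT = {
    ("Pat", "Hosp", "Rec", 2),   # patient lets the hospital grant access, one more hop allowed
    ("Hosp", "MIS", "Rec", 1),   # hospital passes grant authority to the MIS, no re-delegation
    ("MIS", "Cli", "Rec", 1),    # invalid: the MIS holds depth 1 and cannot re-delegate
}
PERMISSION = {
    ("MIS", "Cli", "Rec"),       # valid: the MIS holds grant authority
    ("Cli", "Nurse", "Rec"),     # invalid: the clinician holds only a use permission
    ("Hosp", "Ins", "Rec"),      # positive, but overridden by the owner's prohibition below
    ("MIS", "Res", "Rec"),       # positive, but overridden by the HCA's prohibition below
}
DEL_DENIAL = {("Pat", "HCA", "Rec", 1)}            # patient lets the HCA issue denials
PROHIBITION = {("Pat", "Ins", "Rec"), ("HCA", "Res", "Rec")}
FULFILLS = {("Cli", "Rec"), ("Nurse", "Rec"), ("Ins", "Rec"), ("Res", "Rec")}


def check():
    grant_depth, can_use, denied = derive(OWNS, DEL_GRANT, PERMISSION, DEL_DENIAL, PROHIBITION)
    return grant_depth, can_use, denied, violations(FULFILLS, can_use, denied)


if __name__ == "__main__":
    grant_depth, can_use, denied, bad = check()
    print("grant depth held:", grant_depth)
    print("authorized:", sorted(can_use), "denied:", sorted(denied))
    print("fulfills without authorization:", sorted(bad))
```

Running it reports the clinician as properly authorized, the nurse as a violation because a use permission carries no grant authority, and the insurer and researcher as violations because an explicit prohibition wins over their positive permissions; the invalid re-delegation by the MIS is silently ignored, which is the closed-world behaviour the slides describe.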

Trust Management Implementation
We use the RT framework (by Li et al.), which provides a policy language, semantics, a deduction engine, and pragmatic features
RT includes a declarative, logic-based semantic foundation based on Datalog, support for vocabulary agreement, strongly-typed credentials and policies, and flexible delegation structures
In RT, an entity is a uniquely identified individual or process
An entity can issue credentials and make requests
RT uses the notion of role to represent attributes
–Entity.Role

Roles in the RT framework
Only the entity A has the authority to define A.R, and A does so by issuing role-definition credentials
An entity A can define A.R to contain A.R1, another role defined by A
–A.R ← A.R1 means that A defines that R1 dominates R
A credential A.R ← B.R is a delegation from A to B of authority over R. This can be used to decentralize user-role assignment.
A credential of the form A.R ← B.R1 can be used to define role mapping across multiple organizations
The credential A.R ← A.R1.R2 states that A.R contains any B.R2 if A.R1 contains B

Moving to the RT framework
permission(ID,A,B,S1,S2)
–A.S1 ← B.S2
delGrant(ID,A,B,S1,S2,N)
–A.S1 ← B.r.S2, where B allows actors in the role B.r to use the service S1

Example 1
A patient allows his clinician to read his personal/medical data to provide accurate medical treatment.
permission(id,Pat,Cli,Rec,MedTre) :- isClinicianOf(Pat,Cli) ^ owns(Pat,Rec)
In RT:
Pat.recordAc(read,?F:Pat.record) ← Pat.clinician.provide(?E:medTre)
Given Pat.record ← Rec and Pat.clinician ← Cli, one can conclude that
Pat.recordAc(read,Rec) ← Cli.provide(?E:medTre)

Example 2
The Medical Information System allows the clinician to write on his patient records to upgrade them.
permission(id,MIS,Cli,Rec,upgrade(Rec)) :- isClinicianOf(Pat,Cli) ^ owns(Pat,Rec)
In RT:
MIS.recordAc(write,?F:Pat.record) ← Pat.clinician.upgrade(?F:Pat.record)
Given Pat.record ← Rec and Pat.clinician ← Cli, one can conclude that
MIS.recordAc(write,Rec) ← Cli.upgrade(Rec)
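The "one can conclude" step of Examples 1 and 2 is the linked-role rule from the Roles slide (A.R ← A.R1.R2 contains B.R2 whenever A.R1 contains B). The Python below is an added example, neither the RT deduction engine of Li et al. nor the authors' code: it computes role membership for the three credential forms on the slides to a fixpoint, and rewrites each linked credential into the simple containments it implies, which reproduces the derived credentials of both examples. Roles are plain strings with the parametric variables ?F and ?E already instantiated (so names contain no dots); the credentials Cli.provide(medTre) ← Cli and Cli.upgrade(Rec) ← Cli, by which the clinician asserts the activity, are assumptions added so that a concrete member appears in the access role. The evaluator accepts a linking role owned by an entity other than the issuer, as Example 2 uses.

```python
"""Role membership for RT-style credentials, computed to a fixpoint.

Added example; it is neither the RT deduction engine of Li et al. nor the
authors' code. It handles the three credential forms quoted on the slides
(simple member A.R <- B, simple containment A.R <- B.R1, linked containment
A.R <- E.R1.R2). Roles are strings such as "Pat.recordAc(read,Rec)" with the
parametric variables of the slides' examples already instantiated, so role
names contain no dots.
"""
from typing import Dict, List, Set, Tuple

Credential = Tuple[str, str]   # (head role "A.R", body: "B", "B.R1" or "E.R1.R2")


def members(credentials: List[Credential]) -> Dict[str, Set[str]]:
    """Return the member set of every role mentioned, derived to a fixpoint."""
    mem: Dict[str, Set[str]] = {}

    def role(name: str) -> Set[str]:
        return mem.setdefault(name, set())

    changed = True
    while changed:
        changed = False
        for head, body in credentials:
            parts = body.split(".")
            if len(parts) == 1:                       # A.R <- B: B is a member
                new = {body}
            elif len(parts) == 2:                     # A.R <- B.R1: all of B.R1's members
                new = set(role(body))
            elif len(parts) == 3:                     # A.R <- E.R1.R2: for each B in E.R1, all of B.R2
                entity, r1, r2 = parts
                new = set()
                for b in list(role(f"{entity}.{r1}")):
                    new |= role(f"{b}.{r2}")
            else:
                raise ValueError(f"unsupported credential body: {body}")
            if not new <= role(head):
                mem[head] |= new
                changed = True
    return mem


def expand_linked(credentials: List[Credential], mem: Dict[str, Set[str]]) -> Set[Credential]:
    """Rewrite each linked credential into the simple containments A.R <- B.R2 it
    implies for the current members B of the linking role (the slides' 'one can conclude')."""
    out: Set[Credential] = set()
    for head, body in credentials:
        parts = body.split(".")
        if len(parts) == 3:
            entity, r1, r2 = parts
            for b in mem.get(f"{entity}.{r1}", set()):
                out.add((head, f"{b}.{r2}"))
    return out


# Example 1 from the slides, with ?F := Rec and ?E := medTre instantiated.
EXAMPLE_1: List[Credential] = [
    ("Pat.recordAc(read,Rec)", "Pat.clinician.provide(medTre)"),  # the patient's permission
    ("Pat.record", "Rec"),
    ("Pat.clinician", "Cli"),
    ("Cli.provide(medTre)", "Cli"),   # assumed: Cli asserts she is providing medical treatment
]

# Example 2 from the slides, same instantiation.
EXAMPLE_2: List[Credential] = [
    ("MIS.recordAc(write,Rec)", "Pat.clinician.upgrade(Rec)"),
    ("Pat.record", "Rec"),
    ("Pat.clinician", "Cli"),
    ("Cli.upgrade(Rec)", "Cli"),      # assumed: Cli asserts she is upgrading the record
]


def who_can(credentials: List[Credential], head: str) -> Set[str]:
    """Entities that end up in the access role `head` under the given credentials."""
    return members(credentials).get(head, set())


if __name__ == "__main__":
    for name, creds, head in (("Example 1", EXAMPLE_1, "Pat.recordAc(read,Rec)"),
                              ("Example 2", EXAMPLE_2, "MIS.recordAc(write,Rec)")):
        m = members(creds)
        print(name, "derived:", sorted(expand_linked(creds, m)), "members of", head, m[head])
```

Dropping the clinician's own provide/upgrade credential leaves the access role empty, which is the point of linking: the patient's credential names a role (Pat.clinician) rather than an entity, so whoever Pat later appoints as clinician gains read access without the patient re-issuing anything, and nobody outside that role does.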

Conclusion and future work
We have introduced a process that integrates security and requirements engineering
–A clear separation of trust and delegation relationships
Our framework supports the automatic verification of security requirements
We have defined the trust management implementation of our framework in the RT framework
Future work:
–incorporating roles explicitly
–adding time features
–integration with the Formal Tropos tool