Owned Policies for Information Security Hubie Chen Stephen Chong Cornell University.

Owned Policies
Information often has owners.
Owners may want the system to enforce a policy that restricts use of the info ⇒ owned policy.

Owned Policies: Examples
Information flow: owners are principals; policies are sets of readers (restrict flow of info); example: Decentralized Label Model [ML98].
Access control: owners are principals; policies are access control lists (restrict access to info); example: ORAC [MMN90].
Software components: owners are software producers; policies are software licenses (restrict software composition); example: GNU Public License.

A Framework for Owned Policies
This work: a general framework for owned policies that allows
  reasoning about owned policies even with only partial knowledge of the security policy structure;
  inference of owned policies.
Results apply to all instantiations of the framework.
Generalizes, and is inspired by, the decentralized label model [Myers+Liskov '98].

Owned Policy Model
Set O is a finite set of owners (typically principals; can represent groups and roles).
An owner hierarchy ≥_o is a pre-order on O: if o1 ≥_o o2 then o1 can act on behalf of o2.
Set P is a finite set of policies.
A policy hierarchy ≥_p is a pre-order on P: if p1 ≥_p p2 then p1 is at least as restrictive as p2.
A hierarchy H is a pair (≥_o, ≥_p).

Owned Policy Model (continued)
An owned policy is a pair o:p. Owner o wants policy p, or a more restrictive policy (w.r.t. ≥_p), enforced.
A label L is a set of owned policies: L = {o1:p1, …, on:pn}.
Labels can be associated with data.

Example
(Figures: an owner hierarchy ≥_o over Alice, Bob and Charlie, and a policy hierarchy ≥_p ordered TopSecret ≥_p Classified ≥_p Unclassified.)
Consider the label {Alice: Classified, Charlie: TopSecret}.
Alice specifies that at least policy Classified should be enforced.
Bob does not specify any policy.
Charlie specifies that at least policy TopSecret should be enforced.

Semantics
The semantics of a label L are relative to a hierarchy H = (≥_o, ≥_p).
The semantics are a set of permissions. Permission (o, p) means o allows the data to be used according to p.
Semantics X(H, L): (o, p) ∈ X(H, L) if all owners who can act for o allow the data to be used according to p.
X(H, L) = {(o, p) | ∀ oi:pi ∈ L. oi ≥_o o ⇒ p ≥_p pi}
This captures the intuition that
  i. oi:pi means oi wants pi or something more restrictive enforced;
  ii. if o' can act for o, then o must "agree with" o'.

Semantics Example
Label L = {Alice: Classified, Charlie: TopSecret}
With hierarchy H1: X(H1, L) = {(Alice, Classified), (Alice, TopSecret), (Charlie, TopSecret), (Bob, TopSecret)}
With hierarchy H2: X(H2, L) = {(Alice, Classified), (Alice, TopSecret), (Charlie, TopSecret), (Bob, Unclassified), (Bob, Classified), (Bob, TopSecret)}
(Figures: the owner and policy hierarchies of H1 and H2, over Alice, Bob, Charlie and TopSecret, Classified, Unclassified.)

Using Labels
int{Alice: Classified} x := …;
int{Bob: TopSecret} y := …;
int{ ????????? } z := x + y;
Question: What should the label for z be?
z should be at least as restrictive as {Alice: Classified}, and at least as restrictive as {Bob: TopSecret}
⇒ z should be at least {Alice: Classified} "join" {Bob: TopSecret}.

Structure of Labels
For a hierarchy H, we can define an ordering on labels.
L1 ⊑_H L2 means "L2 is at least as restrictive as L1 in H".
Formally: L1 ⊑_H L2 if (o, p) ∈ X(H, L2) ⇒ (o, p) ∈ X(H, L1).
For any hierarchy H, ⊑_H forms a lattice, with very few restrictions on H, O or P!
This lattice structure is useful when info is combined (e.g., composition, computation).
Joins arise when many labeled inputs produce an output: the label of the output should be at least as restrictive as the labels of the inputs.

Partial Knowledge of Hierarchies
Good news: for any H, ⊑_H forms a lattice.
Bad news: we don't know everything about H! The runtime hierarchy is often unknown at compile time.
E.g., only managers are allowed to see the info ⇒ Alice can see the info only if Alice is a manager. But Alice may be promoted or fired between runs of the system!
The framework permits reasoning with only partial knowledge of the runtime hierarchy.

Universal Join
int{Alice: Classified} x := …;
int{Bob: TopSecret} y := …;
int{Alice: Classified; Bob: TopSecret} z := x + y;
Thm: For any hierarchy H and all labels L1 and L2, L1 ⊔_H L2 = L1 ∪ L2.
Set union ∪ is a universal join operation.

Runtime Hierarchy
Example runtime test of the security hierarchy:
int{Bob: TopSecret} x := …;
int{Charlie: TopSecret} y := …;
if (Charlie actsfor Bob) {
    y := x;    // Executes if Charlie ≥_o Bob; the assignment needs {Bob: TopSecret} ⊑_H {Charlie: TopSecret}
} else {
    y := 0;
}
Charlie ≥_o Bob ⇒ {Bob: TopSecret} ⊑_H {Charlie: TopSecret}
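Added example in Python (not code from the slides or their authors): it implements X(H, L) and ⊑_H from the Semantics and Structure of Labels slides, checks the universal-join theorem on the Using Labels example, and checks the runtime-hierarchy implication above. The acts-for relations in H1 and H2 and the policy ordering are constructed assumptions chosen to reproduce the Semantics Example.

```python
from itertools import product

# Constructed example: owners O, policies P, and a policy pre-order >=_p
# with TopSecret above Classified above Unclassified (an assumption).
OWNERS = {"Alice", "Bob", "Charlie"}
POLICIES = {"Unclassified", "Classified", "TopSecret"}

def preorder(elems, pairs):
    """Reflexive-transitive closure of pairs (a, b) meaning a >= b: a pre-order on elems."""
    rel = {(a, a) for a in elems} | set(pairs)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(rel), repeat=2):
            if b == c and (a, d) not in rel:
                rel.add((a, d))
                changed = True
    return rel

POLICY_GEQ = preorder(POLICIES, [("TopSecret", "Classified"), ("Classified", "Unclassified")])

def semantics(acts_for, label):
    """X(H, L) = {(o, p) | for all oi:pi in L, oi >=_o o implies p >=_p pi}."""
    return {(o, p) for o in OWNERS for p in POLICIES
            if all((p, pi) in POLICY_GEQ for oi, pi in label if (oi, o) in acts_for)}

def leq(acts_for, l1, l2):
    """l1 ⊑_H l2 ("l2 at least as restrictive as l1"): X(H, l2) ⊆ X(H, l1)."""
    return semantics(acts_for, l2) <= semantics(acts_for, l1)

def union_is_join(acts_for, l1, l2):
    """Check the universal-join claim for one H: l1 ∪ l2 is an upper bound of both,
    and its permissions are exactly X(H, l1) ∩ X(H, l2), so no looser label is an upper bound."""
    u = l1 | l2
    return (leq(acts_for, l1, u) and leq(acts_for, l2, u)
            and semantics(acts_for, u) == semantics(acts_for, l1) & semantics(acts_for, l2))

# Labels are sets of owned policies (owner, policy); L is the slides' example label.
L = {("Alice", "Classified"), ("Charlie", "TopSecret")}
H1 = preorder(OWNERS, [("Charlie", "Bob")])  # constructed: Charlie acts for Bob
H2 = preorder(OWNERS, [])                    # constructed: nobody acts for anyone else

if __name__ == "__main__":
    for name, h in (("H1", H1), ("H2", H2)):
        print(name, sorted(semantics(h, L)))
    print("{Bob:TopSecret} ⊑_H1 {Charlie:TopSecret}:",
          leq(H1, {("Bob", "TopSecret")}, {("Charlie", "TopSecret")}))
```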

Label Inference
Program analysis generally requires explicit security labels.
This puts a burden on the programmer to provide them, and clutters program code.
Automatic inference of labels can reduce the need for explicit labels.

Label Inference Constraints
Infer labels by generating and solving a set of constraints.
Constraints need to deal with the unknown run-time hierarchy:
  for all possible hierarchies H: a ⊑_H b
  where a, b are each a constant label or a variable.
But they also need to deal with partial knowledge:
  for all possible hierarchies H more specific than H': a ⊑_H b
  where H' is a hierarchy representing partial knowledge.

Label Inference
Determining if a set of constraints has a solution is poly-time tractable.
Finding the most-restrictive solution is poly-time tractable.
The existence of the universal join ∪ is crucial to these results.
Set union ∪ has the property: for all hierarchies H, L1 ⊔_H L2 = L1 ∪ L2.

Dynamic Owners, Policies, Labels
Can reason about dynamic owners and dynamic policies: this is just a lack of knowledge of the runtime hierarchy.
Future work: incorporation of dynamic labels…

Conclusions
General framework for owned policies.
General results, applicable to any instantiation.
Lots of structure in labels, with few restrictions on owners or policies.
Tractability results for inference.