Trust and Security for Next Generation Grids, Grid Security Requirements Philippe Massonet et al CETIC OGF-25-Presentation Catania, 02-06/03/2009

Trust and Security for Next Generation Grids, Plan Secure virtual organisations: need for security policies Secure virtual organisations: need for security policies Multi level policy enforcement points VO and computational level policies for secure virtual organisations Introduction to usage control Introduction to the GridTrust framework Introduction security requirements engineering Introduction security requirements engineering Requirements engineering Security requirements Security policies Proposed Methodology for Grid security requirements Proposed Methodology for Grid security requirements Modeliing of security requirements, VO meta model Reuse of security patterns Library of Patterns Generation of XACML and Polpa security policies Tool support Tool support VO editor Security pattern library and reuse process Policy generation support Open source version

Trust and Security for Next Generation Grids, Trust in Dynamic Virtual Organisations Since VOs are based on sharing information and knowledge, there must be a high amount of trust among the partners. Especially since each partner contribute with their core competencies Threats: Bad service (contract not respected) Attacks – loss of information Attacks – disruption of service Vulnerability to attacks (low level of security at one of the partners) … How do you maintain Trust and Security properties in dynamic VO? Need for Trust and security mechanisms Services 3 Dynamic 6 Collaboration

Trust and Security for Next Generation Grids, Secure VO Lifecycle Management VO = set of users that pool resources in order to achieve common goals - Rules governing the sharing of the resources VO = set of users that pool resources in order to achieve common goals - Rules governing the sharing of the resources Trust and security policies are derived following the goals of the VO and rules for sharing resources Trust and security policies are derived following the goals of the VO and rules for sharing resources discovery of potential trustworthy partners establishment of security policies, following governing rules monitoring Enforcing policies Maintenance of reputation membership and policy adaptation termination of trust relationships maintenance of reputation

Trust and Security for Next Generation Grids, Security at Different Levels in Grid VO VO Service Service Computational Computational GRID Service Middleware Layer GRID Application Layer GRID Foundation Middleware Layer Network Operating System NGG Architecture

Trust and Security for Next Generation Grids, Trust and Security Issues in Service based Grids Res. Service Provider (SP) Service Requestor (SR) VO Service Request Shared resources Infrastructure Provider (IP) Service Instance Can I trust the SR and SP? Is SP using my resources with malicious intent? Is the selected IP secure?

Trust and Security for Next Generation Grids, General Architecture PPM Service SRB Service VBE Service TRS Service Globus Service Providers C-UCON Service VO Manager Enforcer VO

Trust and Security for Next Generation Grids, From Access Control to Usage Control Before usage Pre decision Ongoing usage After usage Ongoing update Post update Mutability of attributes Ongoing decision Continuity of decision Time Pre update Usage Decision still valid ? Can you revoke access ?

Trust and Security for Next Generation Grids, Usage Control Services Monitor the actions executed on behalf of the grid users and enforce a UCON security policy Monitor the actions executed on behalf of the grid users and enforce a UCON security policy Computational level (C-UCON) The policy consists of a highly detailed description of the correct behaviour of the application being executed Only the applications whose behaviour is consistent with the security policy are executed on the computational resource VO level (Enforcer) Policy evaluation point that support UCON policies The usage control service will be integrated into the Globus middleware The usage control service will be integrated into the Globus middleware GRID Service Middleware Layer GRID Foundation Middleware Layer WP3/WP4

Trust and Security for Next Generation Grids, Secure Resource Broker Service Integrate access control with resource/service scheduling Integrate access control with resource/service scheduling Both resource owners and VO define their resource access and usage policies Both resource owners and VO define their resource access and usage policies The resource broker schedules a user request only within the set of resources whose policies match the user credentials (and vice-versa) Scalability and efficiency Scalability and efficiency It will be integrated into the Globus middleware It will be integrated into the Globus middleware GRID Service Middleware Layer GRID Foundation Middleware Layer WP3/WP4

Trust and Security for Next Generation Grids, Trust and Reputation Service Collect, distribute and aggregate feedbacks about entities' behaviour in a particular context in order to produce a rating about the entities Collect, distribute and aggregate feedbacks about entities' behaviour in a particular context in order to produce a rating about the entities Entities could be either users, resources/ services, service providers or VOs The reputation service is based on ideas of utility computing The reputation service is based on ideas of utility computing Can be used in both centralised and distributed settings Can be used in both centralised and distributed settings The reputation service will be also integrated into the Globus middleware The reputation service will be also integrated into the Globus middleware GRID Service Middleware Layer WP2/WP4

Trust and Security for Next Generation Grids, VBE: Virtual Breeding Environment Service It manages the Virtual Breeding Environment composed of users and service providers (user, service provider registration, certificate management, etc.) It manages the Virtual Breeding Environment composed of users and service providers (user, service provider registration, certificate management, etc.)

Trust and Security for Next Generation Grids, PPM: Profile and Policy Management Service The policy and profile management service is a database service that keeps information about security policies of all the entities of the system. The policy and profile management service is a database service that keeps information about security policies of all the entities of the system. Support several types of query Support several types of query Service ID, Type, Name, attribute (OS, Memory, CPU type, Library, Certificate)

Trust and Security for Next Generation Grids, VO Library To be used by the VO Manager to use and interface with GridTrust services To be used by the VO Manager to use and interface with GridTrust services Offers a full set of functionalities to manage VO life cycle (Creation, Termination,…) Offers a full set of functionalities to manage VO life cycle (Creation, Termination,…) Manage access at communication and authentication level from applications to GridTrust Services. Manage access at communication and authentication level from applications to GridTrust Services. Hides complexity of certificates management between users and GridTrust CA Hides complexity of certificates management between users and GridTrust CA

Trust and Security for Next Generation Grids, GridTrust Framework - Components service providers users PKI GridTrust Services TRS VBE SRB PPM C-UCON ENFORCER VO Library

Trust and Security for Next Generation Grids, Secure VO Lifecycle: Formation VBE Manager PKI TRS PPM SRB C-UCON VO VO Manager

Trust and Security for Next Generation Grids, Secure VO Lifecycle: VO Operation Application VO ENFORCER Virtual Breeding Environment TRS Policy: Service 1 ; Service 2 VO user Service1 Service3 Service2 Denied Service 1 Done Service 2

Trust and Security for Next Generation Grids, What is RE about? goals WHY? WHAT? operationalization requirements,assumptions domainknowledge

Trust and Security for Next Generation Grids, What is RE about? goals WHY? WHAT? WHO? operationalization responsibilityassignment requirements,assumptions domainknowledge

Trust and Security for Next Generation Grids, WHAT are goals ? objectives to be achieved by system objectives to be achieved by system statements of intent system": software + environment current system, system-to-be

Trust and Security for Next Generation Grids, WHAT are goals ? different types of concern different types of concern functional goals non-functional goals security, safety, accuracy, performance, cost usability, adaptability,...

Trust and Security for Next Generation Grids, Modeling goals: types & taxonomies goals functional satisfaction information security non-functional accuracy confidentiality... performance integrity usability time space... Functional vs. non-functional goals

Trust and Security for Next Generation Grids, Modeling goals: types & taxonomies Soft vs. hard goals soft goals: achievement cannot be established in clear-cut sense soft goals: achievement cannot be established in clear-cut sense goal satisficing, qualitative reasoning goal satisficing, qualitative reasoning (hard) goals: achievement can be verified (hard) goals: achievement can be verified goal satisfaction, formal reasoning goal satisfaction, formal reasoning

Trust and Security for Next Generation Grids, Modeling goals: types & taxonomies Types of behavior prescribed Achieve goals: generate behaviors Achieve goals: generate behaviors C T e.g. Achieve [DataTransferredSecurily] Maintain / Avoid goals: restrict behaviors Maintain / Avoid goals: restrict behaviors C T, C ¬ T e.g. Avoid [DataReadWithoutAuthorization] Maintain [ConfidentialDataEncrypted] Optimize goals: compare behaviors Optimize goals: compare behaviors

Trust and Security for Next Generation Grids, Modeling goals: goal attributes capture intrinsic goal features capture intrinsic goal features name DataAccessibleToAuthorizedUsers Definition data must only be accessible to users who have been authorized priority mandatory, very high, high, …, low...

Trust and Security for Next Generation Grids, Main Objectives of Trust and Security Policy Engineering Help analysts/users express security requirements for their Grid applications Help analysts/users express security requirements for their Grid applications Based on library of verified security requirement patterns Help users/analysts derive high-level trust and security policies Help users/analysts derive high-level trust and security policies In UCON/Polpa In XACML In event-B Help users/analysts refine policies into operational policies that can be deployed Help users/analysts refine policies into operational policies that can be deployed

Trust and Security for Next Generation Grids, Refinement of Trust and Security Goals into Requirements and Policies Trust and Security Patterns Usage Control Patterns Abstract Policies Refinement

Trust and Security for Next Generation Grids, Library of Patterns From Business Requirements to abstract policies From Business Requirements to abstract policies Covering Different property classes: Confidentiality, Integrity, Availability, Delegation but also others such as Usage limitation, Accounting, … Ex: confidentiality and authorizations dynamic chineese wall Patterns Expressed in terms of VO meta-model Patterns Expressed in terms of VO meta-model Goals, Goal refinements, Services, Service compositions, Subjects, Objects

Trust and Security for Next Generation Grids, Main Objectives of Library Help users express security requirements for their Grid applications Help users express security requirements for their Grid applications Confidentiality, Authorization, Privacy, Availability, Usage limitation, Delegation but also others such as Integrity, Usage limitation, Accounting, … Help users express self-organisation and self-protection (not done yet) Help users express self-organisation and self-protection (not done yet) Covering the GridTrust Services Covering the GridTrust Services Computational UCON, Service UCON, Secure Broker, Reputation Patterns Expressed in terms of VO meta-model Patterns Expressed in terms of VO meta-model Goals, Goal refinements, Services, Service compositions, Subjects, Objects Library is embedded in requirements/policy tool Library is embedded in requirements/policy tool

Trust and Security for Next Generation Grids, Patterns for Trust and Security Authorization Confidentiality Privacy Confidentiality of the content of a communication Confidentiality of communication occurrence Confidentiality of identity of sender and receiver Integrity Availability Trust Delegation ChineseWall ( )

Trust and Security for Next Generation Grids, Usage Control Patterns Object/Subject Mutable Attribute Update Pre-update Ongoing-update Post-update Authorization Pre-authorization Ongoing-authorization Post-authorization Conditions Pre-condition Ongoing-condition Obligations Pre-obligation Ongoing-obligation Actions

Trust and Security for Next Generation Grids, Example: Managing Conflicts of Interest in Virtual Organisations Conflict of Interest Collaborates on Allocated to Owned By

Trust and Security for Next Generation Grids, Example: The Chinese Wall Based on the notion of conflict of interest class Based on the notion of conflict of interest class Need a history Need a history Client 1 Resource 1Resource 2 Client 2 Resource 3Resource 4 Conflict of interest class access

Trust and Security for Next Generation Grids, Chinese Wall Goal Ref. Pattern Avoid Conflict Of Interest Chinese Wall Autorized Cases Access Autorized Whithin Other Conflict Set Access Autorized Whithin Same Company Access PolicyPreAuth: hasAccessed(u,r) differentConflictSet (r,r) PolicyPreAuth: hasAccessed(u,r) sameOrganisation(r,r) Post-condition: hasAccessed(u,r) ( r : Resource; u : User, r : Resource) hasAccessed(u,r) sameOrganisation(r,r) (hasAccessed(u,r) ( r : Resource; u : User, r : Resource) hasAccessed(u,r) differentConflictSet (r,r) (hasAccessed(u,r) ( u : User; r,r : Resource) hasAccessed(u,r) sameOrganisation(r,r) differentConflictSet (r,r) ( u:User; r,r :Resource) hasAccessed(u,r) hasAccessed(u,r) (sameOrganisation(r,r) differentConflictSet(r,r))

Trust and Security for Next Generation Grids, Chinese Wall Requirements Pattern The pattern has been checked using alloy tool The pattern has been checked using alloy tool It is complete and consistent It is complete and consistent Increase the confidence in this pattern Increase the confidence in this pattern

Trust and Security for Next Generation Grids, own differentConflictSet Specialisation/instatiation of the pattern OrganisationResource Service User Acces s PolicyPreAuth: hasAccessed(u,r) differentConflictSet (r,r) PolicyPreAuth: hasAccessed(u,r) sameOrganisation(r,r) PolicyPreAuth: hasAccessed(pe,dci) NotInCompetition (dci,dci) PolicyPreAuth: hasAccessed(pe,dci) aboutSameProject(dci,dci) NotInCompetition Publisher Employee ClientCompany DigitalContentInfo Publishing Domain

Final Chinese Wall Security Policy in Polpa gvar[1]:=0. gvar[2]:=0. ([eq(gvar[2],0),eq(x1,/home/paolo/SetA/*),eq(x2,READ)].open(x1,x2,x3).lvar[1]:= x3.gvar[1]:= 1. i([eq(x1,lvar[1])].read(x1,x2,x3)). [eq(x1,lvar[1])].close(x1,x2))Par ([eq(gvar[1],0),eq(x1,/home/paolo/SetB/*),eq(x1,READ)].open(x1,x2,x3).lvar[1]:= x3.gvar[2]:=1. i([eq(x1,lvar[1])].read(x1,x2,x3)). [eq(x1,lvar[1])].close(x1,x2)) Usage Control Policy Language History of System Calls

Trust and Security for Next Generation Grids, Reuse Methodology Security patterns Trust patterns Usage control Patterns SpecialiseInstantiate Problem Specification Subject Taxonomy Resource Taxonomy

Trust and Security for Next Generation Grids, Policy Engineering: From Security and Trust Requirements to Policies Target Policy languages Selected Target Policy languages Selected UCON/Polpa (powerful usage control policy language) XACML (OASIS standard) Event-B (formal policy refinement) Two derivation approaches investigated Two derivation approaches investigated Pattern instantiation Instantiate pattern (not general translation) composition of patterns is open issue Full (or partial) translation Sometimes difficult because of underlying semantics

Trust and Security for Next Generation Grids, UCON/Polpa: Pattern Instantiation Approach Example: PreA0 UCON Model (Pre-Auth without update) Requirement pattern permitaccess(s, o, r) (tryaccess(s, o, r) (p1 pi)) UCON/Polpa policy pattern tryaccess(s, o, r). pA(s, o, r). permitaccess(s, o, r). endaccess(s, o, r) Instantiated requirement permitaccess(editor, content, write) (tryaccess(editor, content, write) currentState=edition ) Instantiated by analyst Instantiated UCON/Polpa tryaccess(editor, content, write). [eq(currentState, edition)]. permitaccess(editor, content, write). endaccess(editor, content, writer) Instantiated by substitution (s=editor), … Satifies Library

Trust and Security for Next Generation Grids, Event-B: Partial Translation Approach Semantic issue Between KAOS and Event-B Semantic issue Between KAOS and Event-B Requirements have progress properties (temporal logic) B is safety oriented, no notion of obligations (no notion of time) Approach Approach We have developed syntactic extension to Event-B to model the notion of obligation throughout the use of triggers The obligation imposed by a trigger is interpreted as a constraint on when other events can be permitted Our motivation is to link KAOS requirements with Event-B specifications Our motivation is to link KAOS requirements with Event-B specifications Triggered events as presented here are suitable for modelling the KAOS achieve pattern We are investigating the representation of other modalities as events, so that we can model other KAOS patterns such as maintain and cease Paper: Towards Modelling Obligations in Event- B, LNCS, Abstract State Machines, B and Z, First International Conference, ABZ 2008, London, UK, September 16-18, Proceedings

Trust and Security for Next Generation Grids, Current Status of Tool Support Requirements Policies Achievements Achievements VO requirements editor Goal meta-model VO meta-model Library of trust and security patterns Add / Reuse pattern Taxonomy In progress In progress From requirements to Policies

Trust and Security for Next Generation Grids, Goal and VO Metamodel : brief overview Two main parts Two main parts Goals and Requirements Objectives : Goals, Requirement, Expectation, Softgoal,… Their relations : refinement, operationalization, … Obstacles and threats VO VO, Organization, Resources, services, … Their relations : owns, aims, …

Trust and Security for Next Generation Grids, Goal-oriented VO meta-model Objective Obstacle Obstruction Threat Virtual Organisation Organisation ServiceWorkflow Resource User Aims Member Manage Provide/Use Uses Manage Refine Goal and Threat Meta-Model VO Meta- Model Policy Refine

Trust and Security for Next Generation Grids, Eclipse platform General Tool Architecture EMFT GMF EMFOCL… GEF GridTrust Plug-in Metamodel Goal Mapping Graphical definition Pattern library

Trust and Security for Next Generation Grids, Architecture motivation Based on eclipse Based on eclipse Easy to integrate with other tools Lot of reusable API Very popular in private companies Easy to integrate with other framework (g- eclipse) Based on an EMF metamodel Based on an EMF metamodel OCL for query Model transformation Standard framework

Trust and Security for Next Generation Grids, Translation Technology: Model based Transformation Translation technology selected Translation technology selected M2M/ATL (ATLAS Transformation Language) is a model transformation language: produce a set of target models from a set of source models Uses OCL to define transformation rules Why Why Supports (formal) model transformation (Model+assertions) Based on meta-model approach Can be integrated with Eclipse

Trust and Security for Next Generation Grids, M2M general picture Source metamodel conformsTo Target metamodel conformsTo Source modelTarget model Metametamodel (ECORE) conformsTo Source2Target

Trust and Security for Next Generation Grids, Tool Support for Polpa GridTrust Editor (Eclipse/GMF, EMF, GEF) Req MM Polpa MM Req2Polpa Temporal Logic Syntax Editor (Eclipse/TEF) Polpa Syntax Editor (Eclipse/TEF)

Trust and Security for Next Generation Grids, GridTrust Framework: Tools and Policy-based Services GRID Service Middleware Layer NGG Architecture GRID Application Layer GRID Foundation Middleware Layer Network Operating System Trust and Security Goals Self-* … Dynamic VO … Reputation Mgt service VO Mngt … Resources VO Members Services Computational usage control +TM Fine grained Continuous OGSA compliant Secure res. broker Usage Cont. service Secure VO Req Editor Usage Control Policies VO-level Policies VO Model and Refinement Tool 2. Local Policies 1. Global Policies

Trust and Security for Next Generation Grids, Conclusions Security Requiments Methodology Security Requiments Methodology From objectives to requirements via refinement From security requirements to security policies Pattern based translation XACML and Polpa (usage control policy language) Eclipse-based Tool Support Eclipse-based Tool Support Editor Generation of partial security policies Linked to the GridTrust framework Linked to the GridTrust framework Open source will be available on Source Forge: Open source will be available on Source Forge: