1 From Chinese Wall Security Policy Models to Granular Computing Tsau Young (T.Y.) Lin Computer Science Department,


1 1 From Chinese Wall Security Policy Models to Granular Computing Tsau Young (T.Y.) Lin tylin@cs.sjsu.edu dr.tylin@sbcglobal.net Computer Science Department, San Jose State University, San Jose, CA 95192, and Berkeley Initiative in Soft Computing, UC-Berkeley, Berkeley, CA 94720

2 2 From Chinese Wall Security Policy... The goal of this talk is to illustrate how granular computing can be used to solve a long-outstanding problem in computer security.

3 3 Outline 1. Overview (Main Ideas) 2. Detail Theory: Background, Brewer and Nash Vision, Formal Theory

4 4 Overview New Methodology: Granular Computing Classical Problem: Trojan Horses

5 5 Overview - Granular computing Historical Notes 1. Zadeh (1979): Fuzzy sets and granularity 2. Pawlak, Tony Lee (1982): Partition Theory (RS) 3. Lin 1988/9: Neighborhood Systems (NS) and Chinese Wall (a set of binary relations. A non-reflexive...) 4. Stefanowski 1989 (Fuzzified partition) 5. Qing Liu & Lin 1990 (Neighborhood system)

6 6 Overview - Granular computing Historical Notes 6. Lin (1992): Topological and Fuzzy Rough Sets 7. Lin & Liu: Operator View of RS and NS (1993) 8. Lin & Hadjimichael: Non-classificatory hierarchy (1996)

7 7 Overview Problem Solving Paradigm Divide and Conquer 1. Divide : Partition (= Equivalence Relation) 2. Conquer : Quotient sets (Bo ZHANG, Knowledge Level Processing) 3. Could this be generalized?

8 8 Overview - Example Partition: disjoint granules (Equivalence Class) $[0]_4 = \{\ldots, 0, 4, 8, \ldots\} = \{4n\}$, $[1]_4 = \{\ldots, 1, 5, 9, \ldots\} = \{4n+1\}$, $[2]_4 = \{\ldots, 2, 6, 10, \ldots\} = \{4n+2\}$, $[3]_4 = \{\ldots, 3, 7, 11, \ldots\} = \{4n+3\}$. Quotient set = $Z/4$ ($Z/m$)

9 9 Overview - New Challenge? Granulation: overlapping granules $B_0 = \{\ldots, 0, 4, 8, 12, \ldots, 5, 9\}$, $B_1 = \{\ldots, 1, 5, 9, \ldots\}$, $B_2 = \{\ldots, 2, 6, 10, \ldots, 7\}$, $B_3 = \{\ldots, 3, 7, 11, \ldots, 6\}$. Quotient?

10 10 Overview- Granular Computing - New Paradigm ? Classical paradigm is unavailable for general granulation Research Direction: New Paradigm ?

11 11 Overview- Granular Computing a New Problem Solving Paradigm Divide and Conquer (incremental development) 1. Divide : Granulation (binary relation) Topological Partition 2. Conquer : Topological Quotient Set

12 12 Application - New Paradigm ? Report: Applying an incremental progress in granulation to Classical problem in computer security

13 13 Overview - Trojan Horses Classical Problem Trojan Horses, e.g. virus propagation

14 14 Overview - Trojan Horses Grader G is a conscientious student but lacking computer skills. So a classmate C sets up a tool box that includes, e.g., editor, spread sheet, …;

15 15 Overview - Trojan Horses C embeds a “copy program” into G’s tool; it sends a copy of G’s file to C (university system normally allows students to exchange information)

16 16 Overview - Trojan Horses As the Grader is not aware of such Trojan Horses, he cannot stop them; The system has to stop them! Can it?

17 17 Overview - Trojan Horses Can it? In general, NO With constraints, YES Chinese (Great) Wall Security Policy.

18 18 Overview - Trojan Horses Direct information flow (DIF); CIF, a sequence of DIFs, leaks the information legally! [Figure labels: Professor, Grader, Student; CIF; DIF; Trojan horse (DIF)]

19 19 Overview End of Overview

20 20 Details Background

21 21 Background In the UK, a financial service company may be consulted by competing companies. Therefore it is vital to have a lawfully enforceable security policy.

22 22 Background Brewer and Nash (BN) proposed Chinese Wall Security Policy Model (CWSP) 1989 for this purpose

23 23 Background The idea of CWSP was, and still is, fascinating; Unfortunately, BN made a technical error.

24 24 Outline BN’s Vision

25 25 BN: Intuitive Wall Model Build a set of impenetrable Chinese Walls among company datasets so that no corporate data that are in conflict can be stored on the same side of the Walls

26 26 Policy: Simple CWSP (SCWSP) "Simple Security", BN asserted that "people (agents) are only allowed access to information which is not held to conflict with any other information that they (agents) already possess."

27 27 Could Policy Enforce the Goal? “YES” was BN’s intent, but there was a technical flaw. Yes, but it relates to an outstanding difficult problem in Computer Security

28 28 First analysis Simple CWSP(SCWSP): No single agent can read data X and Y that are in CONFLICT Is SCWSP adequate?

29 29 Formal Simple CWSP SCWSP says that a system is secure, if “(X, Y)  CIR  X NDIF Y “ “(X, Y)  CIR  X DIF Y “ (need to know may apply) CIR=Conflict of Interests Binary Relation

30 30 More Analysis SCWSP requires that no single agent can read X and Y, but does not exclude the possibility that a sequence of agents may read them. Is it secure?

31 31 Aggressive CWSP (ACWSP) The Intuitive Wall Model implicitly requires: No sequence of agents can read X and Y: $A_0$ reads $X = X_0$ and $X_1$, $A_1$ reads $X_1$ and $X_1$, ..., $A_n$ reads $X_n = Y$

32 32 Can SCWSP enforce ACWSP? Related to a Classical Problem Trojan Horses

33 33 Current States 1.BN-Theory (Rough Computing)-failed 2.Granular Computing Method

34 34 Formal Model When an agent, who has read both X and Y, considers a decision for Y, information in X may be used consciously or unconsciously.

35 35 Formal Model (DIF) So the fair assumptions are: if the same agent can read X and Y, then X has a direct information flow into Y, in notation X DIF Y; also Y DIF X...

36 36 Formal Simple CWSP SCWSP says that a system is secure, if “(X, Y)  CIR  X NDIF Y “ “(X, Y)  CIR  X DIF Y “ CIR=Conflict of Interests Binary Relation

37 37 Composite Information flow Composite Information flow(CIF) is a sequence of DIFs, denoted by  such that X=X 0  X 1 ...  X n =Y And we write X CIF Y NCIF: No CIF

38 38 Formal Aggressive CWSP Aggressive CWSP says that a system is secure, if “(X, Y)  CIR  X NCIF Y “ “(X, Y)  CIR  X CIF Y “

39 39 The Problem Simple CWSP  ? Aggressive CWSP This is a malicious Trojan Horse problem

40 40 Need ACWSP Theorem Theorem If CIR is anti-reflexive, symmetric and anti-transitive, then Simple CWSP  Aggressive CWSP

41 41 Solution BN’s solution GrC Solution

42 42 BN-Theory(failed) BN assumed: Corporate data are decomposed into Conflict of Interest Classes (CIR-classes) (implies CIR is an equivalence relation)

43 43 BN-Theory BN assumption: CIR-classes. Class A: f, g, h; Class B: i, j, k; Class C: l, m, n

44 44 BN-Theory Can they be partitioned? C US, Russia UK? France, German

45 45 BN-theory Is CIR Equivalence Relation? NO (will prove)

46 46 Some Mathematics A partition  Equivalence Relation. Class A: f, g, h; Class B: i, j, k; Class C: l, m, n

47 47 Some Mathematics Partition  Equivalence relation X  Y (Equivalence Relation) if and only if both belong to the same class/granule

48 48 Equivalence Relation Generalized Identity X  X (Reflexive) X  Y implies Y  X (Symmetric) X  Y, Y  Z implies X  Z (Transitive)

49 49 Is CIR Symmetric? US  (conflict) USSR implies USSR  (conflict) US ? YES

50 50 Is CIR Transitive? US  (conflict) Russia Russia  (conflict) UK UK  ? US NO

51 51 Is CIR Reflexive? Is CIR self conflicting? US  (conflict) US ? NO

52 52 Is CIR Equivalence Relation? NO

53 53 Overlapping CIR-classes CIR is not an equivalence relation, so CIR classes do overlap US, UK, Iraq,... USSR

54 54 BN-Theory BN-Theory failed, but BN’s intention is valid

55 55 New Theory Formalize BN’s intuition: O: the set of objects(company datasets) X, Y,... are objects

56 56 Summary on Simple CWSP “If X and Y have no conflict, then they can be read by the same agent”  “(X, Y)  CIR  X NDIF Y” B(X) = {Y | X NDIF Y} = {Y | (X, Y)  CIR}

57 57 Granule (“Access Lists”) B(X) is the set of objects that information of X can NOT flow into. Granule / Neighborhood: “Access Denied Lists”

58 58 DAC and GrC The association B: O  2 O ;  X  B(X) DAC (Discretionary Access Control Model) Basic (binary) Granulation/Neighborhood System

59 59 Derived Equivalence Relation The inverse images of B is a partition (an equivalence relation) C ={C p | C p =B –1 (B p ) p  V} This is the heart of this talk

60 60 The set C of the center sets of CIR The set C of center sets $C_p$ is a partition Iraq,...US, UK,... German,...

61 61 C and CIR classes IJAR=C p CIR-class C p -classes

62 62 C and CIR classes CIR-class C p -classes

63 63 C and CIR classes CIR: Anti-reflexive, symmetric, anti-transitive CIR-class C p -classes

64 64 Derived Equivalence Relation $C_p$ is called the center set of $B_p$. A member of $C_p$ is called a center.

65 65 Derived Equivalence Relation The center set $C_p$ consists of all the points that have the same granule. Center set $C_p = \{q \mid B_q = B_p\}$

66 66 Aggressive CWSP Theorem Theorem. If CIR is anti-reflexive, symmetric, anti-transitive, then C=IJAR(=complement of CIR).

67 67 Aggressive CWSP CIR (with three conditions) only allows information sharing within one IJAR-class An IJAR-class is an equivalence class; so there is no danger the information will spill to outside.

68 68 ACWSP Theorem If CIR is anti-reflexive, symmetric and anti-transitive, then Simple CWSP  Strong CWSP

69 69 Conclusions 1. The Classical Problem Solving Paradigm requires partitioning (equivalence relation), which may be too strong 2. The classical idea is extended to granulation (binary relation)

70 70 Conclusions 3. A small success in applying the new paradigm to computer security 4. CWSP is one of the bigger problems, managing the Information Flow Model in DAC; this was considered impossible in the past.

71 71 Conclusions 5. BN’s requirements imply IJAR is an equivalence class. However, if we impose a “need to know” constraint, then IJAR is not an equivalence class. Under such constraints, we have a weaker form of the CWSP theorem

72 72 Appendix Aggressive CWSP Theorem If CIR is anti-transitive non-empty and if (u, v)  CIR implies that  w  V (at least one of (u, w) or (w, v) belongs to CIR ). Let (x, y) and (y, z) be in IJAR, we need to show that (x, z) be in IJAR. Assume contrarily, it is in CIR, by anti-transitive, one and only one of (x, y) or (y, z) be in CIR, that is the contradiction.
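The ACWSP theorem can be checked mechanically on small relations. The following is an added example, not part of the original slides: it tests the three conditions on CIR, builds the center sets $C_p$ from the granules B(X), and lists conflicting pairs that a composite flow still connects. The function names, the sample relations (including the object "Neutral"), taking DIF as the full complement of CIR, and reading the appendix's anti-transitive condition as holding for every w are assumptions.

```python
from itertools import product

def sym(pairs):
    """Symmetric closure, so each conflict is listed once below."""
    return set(pairs) | {(b, a) for a, b in pairs}

def properties(objs, cir):
    """(anti-reflexive, symmetric, anti-transitive) for a CIR relation."""
    anti_reflexive = all((x, x) not in cir for x in objs)
    symmetric = all((y, x) in cir for x, y in cir)
    # Assumed reading of the appendix: (u, v) in CIR implies that for
    # every w, at least one of (u, w) or (w, v) is in CIR.
    anti_transitive = all((u, w) in cir or (w, v) in cir
                          for u, v in cir for w in objs)
    return anti_reflexive, symmetric, anti_transitive

def center_sets(objs, cir):
    """Group objects by identical granule B(X) = {Y | (X, Y) in CIR}."""
    groups = {}
    for x in objs:
        b_x = frozenset(y for y in objs if (x, y) in cir)
        groups.setdefault(b_x, set()).add(x)
    return {frozenset(g) for g in groups.values()}

def cif(objs, cir):
    """CIF = transitive closure of DIF, taking DIF = complement of CIR."""
    reach = {p for p in product(objs, repeat=2) if p not in cir}
    for k, i, j in product(objs, repeat=3):  # Warshall, k outermost
        if (i, k) in reach and (k, j) in reach:
            reach.add((i, j))
    return reach

def acwsp_violations(objs, cir):
    """Conflicting pairs that a chain of agents still connects."""
    return sorted(cir & cif(objs, cir))

# Constructed sample 1: CIR satisfies all three conditions.
WALLED = ["US", "UK", "Russia", "Iraq"]
WALLED_CIR = sym({("US", "Russia"), ("UK", "Russia"), ("US", "Iraq"),
                  ("UK", "Iraq"), ("Russia", "Iraq")})
# Constructed sample 2: "Neutral" conflicts with nobody, so CIR is not
# anti-transitive and US -> Neutral -> Russia is a legal CIF.
LEAKY = ["US", "Russia", "Neutral"]
LEAKY_CIR = sym({("US", "Russia")})

if __name__ == "__main__":
    for objs, cir in ((WALLED, WALLED_CIR), (LEAKY, LEAKY_CIR)):
        print(properties(objs, cir), center_sets(objs, cir),
              acwsp_violations(objs, cir))
```

In the first sample the center sets coincide with the IJAR classes and no conflicting pair is reachable; in the second, Simple CWSP holds for every single agent while the chain through the non-conflicting object connects the conflicting pair.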

