Presentation is loading. Please wait.

Presentation is loading. Please wait.

Logical Method for Reasoning about Access Control and Data Flow Control Models Luigi Logrippo Laboratoire de recherche en sécurité informatique Université.

Published byHarold Dawson Modified over 9 years ago

Similar presentations

Presentation on theme: "Logical Method for Reasoning about Access Control and Data Flow Control Models Luigi Logrippo Laboratoire de recherche en sécurité informatique Université."— Presentation transcript:

1 Logical Method for Reasoning about Access Control and Data Flow Control Models Luigi Logrippo Laboratoire de recherche en sécurité informatique Université du Québec en Outaouais Gatineau, Québec, Canada Paper presentation at 7 th International Symposium on Foundations and Practice of Security Montréal, November 2014

2 Security invariants Many security properties can be expressed as invariant properties of systems – E.g. information of certain types remains within certain boundaries However invariants are rarely mentioned and security models are usually defined in terms of operations which induce transformations

3 Invariant concept In Mathematics a property is invariant for certain transformations if it remains true when these transformations are applied – Concept developed in Computer Science by Floyd, Hoare, Dijkstra, many others

4 Classical Example: Bell La Padula Usually described in terms of transformations such as: Subjects cannot read information from higher security levels nor write information to lower ones While its invariant property could be expressed as: Information belonging to a security level can be known only to subjects of that level or higher We show that this property remains invariant if the read and write transformations satisfy the conditions specified just above

5 Isn’t it the same thing? Invariants make explicit system properties that may not be obvious by looking at the transformations These are two different views that must agree – The one using programming terminology read, write could be thought of as the implementation – While the one using the concept of ‘knowledge’ could be thought of as the specification It must be possible to prove that the implementation corresponds to the specification and vice-versa

6 Access control and flow control Read, write are access control concepts – Direct relationship between a subject and an object Knowledge is a flow control concept – Where protected values can end up

7 Confidentiality and Integrity invariants Confidentiality: information can only be known by authorized subjects Integrity: information can only be placed on authorized objects [Sandhu 1993]

8 How does information move? In access control systems, information can be written by subjects on objects It can be read from objects by subjects – We do not consider here covert channels

9 Basic Concepts Access Control: – CanRead (S,O) : subject S can read from object O – CanWrite (S,O) : subject S can write on object O Abbreviated CR, CW Flow control: – CanKnow (S,x) : subject S can know variable x – CanStore (O,x) : object O can contain variable x Abbreviated CK, CS x x S O S O S O

10 Flow control inference rules 1) Unconditional relationships are expressed in the form: CK(S,x) or CS(O,x) 2) Inference rule for CK:  O (CS(O,x)  CR(S,O)) ⇒ CK(S,x) 3) Inference rule for CS:  S (CK(S,x)  CW(S,O)) ⇒ CS(O,x) Closure property: All CS or CK relationships must be true either unconditionally or by one of the two inference rules.

11 Derivation Example – Given: CW(S1,O1), CR(O1,S2), CW(S2,O3) etc. (access control rules) – Given: CK (S1,x): (unconditional relationship) – Infer: CS (O1,x) Since CK (S1,x)  CW(S1,O1) – Infer: CK (S2,x) Since CS (O1,x)  CR (S2,O1) – Infer: CS (O2,x) Since CK (S2,x)  CW (S2,O2) – … – Infer: CK(S4,x) xx Unconditional: CK (S 1, x) Inferrred: CK (S4,x)... S1S1 S4S4 O1O1 S2S2

12 Formalizing confidentiality and integrity invariants Confidentiality invariants express who can know what, so they can be expressed in terms of CK predicate Integrity invariants express where information can end up so they can be expressed in terms of CS predicate

13 In terms of sets CKS(x): (a set) the data that subject x can know CSS(y): (a set) the data that object y can store Information transfer is irreversible, i.e. once a data item has been included in CKS or CSS it cannot be removed

14 Labels Data variables, Subjects and Objects are labeled to indicate their security status – x: TopSecret – y: BankAmerica – S: {BankAmerica, RoyalBank}

15 Example: Static Chinese Wall Invariant view There are ‘compatible’ and ‘incompatible’ information domains – E.g. two banks have incompatible information that must be kept separate Invariants: – Confidentiality: Subjects are allowed to know only compatible information – Integrity: Objects are allowed to store only compatible information

16 Example: Static Chinese Wall Transformation view Allowed transformations are: – Subjects can only read from objects with compatible information – Subjects can only write on objects with compatible information

17 Formalizing Static ChWall Security domains: – Bank1, Bank2, Oil – Compatibility relationship ∼ Bank1 ∼ Oil, Bank2 ∼ Oil but not Bank1 ∼ Bank2 Allowed labels are sets of security domains that contain only mutually compatible domains – {}, {Bank1}, {Bank2}, {Oil}, {Bank1, Oil}, {Bank2, Oil}

18 Allowed transformations for ChWall (Access Control rules) CR(S: , O:  ’) ↔  ’ ⊆  – a subject can read from an object iff the object can contain only data variables that the subject can know CW(S: , O:  ’) ↔  ⊆  ’ – a subject can write on an object iff the subject can know only data variables that the object can store In other words, incompatible information is not allowed to cross the ChWall

19 CR, CW relationships Oil Alice Bob Bank1 Bank2 Arrows show direction of allowed information transfer Information cannot flow between Bank1 and Bank2

20 Formal Invariant Properties for ChWall  set of allowed labels Confidentiality: – x:D ∈ CKS(S:  ) ↔ D ∈  E.g. x:Bank1 cannot be known by S:{Bank2,Oil} – Invariant could be violated only for subjects containing both Bank1 and Bank2 in their labels: not allowed Integrity: – x:D ∈ CSS(O:  ) ↔ D ∈  E.g. x:Bank1 cannot be stored in O:{Bank2,Oil} – Similar reason

21 Proving ChWall invariants So it is easy to prove that, given the set of allowed transformations, the invariant properties for CWall hold – E.g. that x:Bank1 will never end up in O:{…Bank2…} – Since O:{Bank1,…Bank2…} labels cannot exist

22 Proof technique Our proofs are based on the following simple induction principle: – Suppose that a property P is true for some set – And suppose that there are rules for adding elements to the set, which check whether P will still be true after the addition – Then obviously P will remain true in the set So P is invariant with respect to adding information to a set of acquired information

23 Dynamic systems So far, labels were fixed – Our ChWall is a simplification so far In dynamic systems, labels change as the system progresses – E.g. in real ChWall, Labels of subjects change as they read new objects – They can now know new information Labels of objects change as more things are stored in them – They can now store new information

24 Dynamic ChWall Standard ChWall is dynamic: – At the beginning, any subject can read from or write to any object – These operations alter the labels and the sets CKS and CSS, thus changing the compatibility relationships between subjects and objects and the CR or CW conditions – But labels with incompatible information are still not allowed

25 Example Initial state: – Alice:{}; Bob:{}; Bank1:{Bank1}; Bank2{Bank2}; Oil{Oil} Alice Reads from Bank1, now Alice: {Bank1} 25 Oil Alice Bob Bank1 Bank2 {Bank1} {Oil} {} Wall {Bank1} {Bank2}

26 Example Initial state: – Alice:{}; Bob:{}; Bank1:{Bank1}; Bank2{Bank2}; Oil{Oil} Alice Reads from Bank1, now Alice: {Bank1} Bob Reads from Bank2, now Bob: {Bank2} Alice Reads from Oil, now Alice:{Bank1,Oil } 26 Oil Alice Bob Bank1 Bank2 {Bank1,Oil } {Oil} {Bank2} Wall {Bank1} {Bank2}

27 Example Initial state: – Alice:{}; Bob:{}; Bank1:{Bank1}; Bank2{Bank2}; Oil{Oil} Alice Reads from Bank1, now Alice: {Bank1} Bob Reads from Bank2, now Bob: {Bank2} Alice Reads from Oil, now Alice:{Bank1,Oil } Bob writes on Oil, now Oil: {Oil,Bank2} ¬(Bank1 ∼ Bank2) so labels containing both are not allowed future attempts of Alice to read from or write to Oil are blocked 27 Oil Alice Bob Bank1 Bank2 {Bank1,Oil } {Oil,Bank2} {Bank2} CW {Bank1} {Bank2}

28 The construction We introduce Read and Write operations If executed when CR or CW are false they cause state changes New states are characterized by new label assignments, reflecting the new CK and CW relationships However Read and Write operations that lead to disallowed labels are not possible So at some point all allowed labels will be used and the system becomes stabilized Go to ‘static ChWall’ case

29 Summary of results 1 We have introduced a new method for reasoning about properties of access control systems – Formalizing intuitive concepts We have shown its applicability to a number of classical access control models: – Bell-La Padula, Biba, Lattice-Based, RBAC, High-Water Mark, Chinese Wall – These models were very simplified but there is no real obstacle to extending the reasoning to the full models

30 Summary of results 2 No new properties have been proven, but several known properties have been proven with this single method – Conventional presentations use different methods for each model

31 Developments: New access control methods Our reasoning method allows to decompose the classical methods into elementary constituents This leads to the discovery of new elementary access control methods, that can be combined in many different ways They can be studied with our technique

32 Future work Better assess and develop the usefulness of the technique with respect to – more realistically described access control models of various kinds – automatic theorem proving – model combinations  a new life for MAC models?

Download ppt "Logical Method for Reasoning about Access Control and Data Flow Control Models Luigi Logrippo Laboratoire de recherche en sécurité informatique Université."

Similar presentations

Artificial Intelligence

Artificial Intelligence
In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
Introduction to Proofs

Introduction to Proofs
Techniques for Proving the Completeness of a Proof System Hongseok Yang Seoul National University Cristiano Calcagno Imperial College.

Techniques for Proving the Completeness of a Proof System Hongseok Yang Seoul National University Cristiano Calcagno Imperial College.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Copyright © Cengage Learning. All rights reserved.

Copyright © Cengage Learning. All rights reserved.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais.

Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais.
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.

Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Introduction to Computability Theory

Introduction to Computability Theory
CS 536 Spring 20011 Global Optimizations Lecture 23.

CS 536 Spring Global Optimizations Lecture 23.
CS5371 Theory of Computation

CS5371 Theory of Computation
Verifiable Security Goals

Verifiable Security Goals
4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)

4/25/08Prof. Hilfinger CS164 Lecture 371 Global Optimization Lecture 37 (From notes by R. Bodik & G. Necula)
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
4/17/2017 Section 3.6 Program Correctness ch3.6.

4/17/2017 Section 3.6 Program Correctness ch3.6.
CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 16 / 2008 Instructor: Michael Eckmann.

Similar presentations

Ads by Google