C Consiglio Nazionale delle Ricerche - Pisa Iit Istituto per lInformatica e la Telematica Reasoning...

C Consiglio Nazionale delle Ricerche - PisaIit Istituto per l’Informatica e la Telematica

Reasoning about Secure Interoperation using Soft Constraints

Stefano BistarelliDipartimento di Scienze,

Università di Pescara, Italy;

IIT, CNR, Pisa, Italy

Simon Foley, Barry O’Sullivan

Department of Computer ScienceUniversity College Cork

Ireland

Speaker: Stefano BistarelliSpeaker: Stefano Bistarelli


Thanks to my co-authors….

Barry O’Sullivan University College

Cork, Ireland Cork Constraint

Computation Centre Constraints

Simon Foley University College

Cork, Ireland Security, Policy,

Formal Methods


Motivations

AdminSystem

Sales System


Basic Security Modeling

SubjectDo

OperationSecurity

MechanismObject

SecurityPolicy

Subject: processes, … Objects: memory, files, …

Security policy defines rules that govern access to objects by subjects.

Security mechanism ensures security policy is upheld.


Secure Composition of Systems

Systems are individually secure.Is it safe to allow file sharing between Personnel and Sales systems?

Clare not authorized to access Bob’s files, but, Clare may access Bob’s files via Sales system. Need to reconfigure connections to close this

circuitous access route [COLOPS2003,SAC2004,IAAI2004].

Need to reconfigure system access configurations!

AdminSystem

Sales System

Alice allowedaccess Bob’s files

Clare allowedaccess Alice’s files

connection


Secure Interoperation

Computation Foundations [Gong&Qian, 1994] Analyzing the security of interoperating and

individually secure systems can be done in polynomial time.

Given a non-secure network configuration, then re-configuring the connections in an optimal way (to minimize the impact on interoperability) is NP.

C Consiglio Nazionale delle Ricerche - PisaIit Istituto per l’Informatica e la TelematicaTalk Outline:

describe how constraints provide a natural approach to modelling and solving the secure interoperation problem Basic Security

Modelling Secure Composition of

systems Secure Interoperation

What are Soft Constraints?

Semiring Framework

Using constraints for Access Configuration Access Reconfiguration Access Interoperation Dealing with Transitivity

Future Work


Crisp toward soft constraints

P={

x3

x4

x1

x2 V,

{red,blue,yellow}

{blue,yellow}

{red,blue}{yellow}

D,

C={pairwise-different}

C, PC, con, def, a}

x1 x2 x3 x4

combination

projection


Crisp toward soft constraints

x3

x4

x1

x2

{red,blue,yellow}

{blue,yellow}

{red,blue}{yellow}

C={pairwise-different} 5$

3$

2$

15$15$x1 x2 x3 x4

Combination (+)

Projection (min)

15$

13$

13$

<+,min,+,+,0>

<[0,1],max,min,0,1>

<[0,1],max,,0,1>

<{false,true},,,false,true>

Probabilistic

Fuzzy

Classical

Weighted

C-semiring <A,+,,0,1>:


The Semiring Framework

A c-semiring is a tuple <A,+,×,0,1> such that:A is the set of all consistency values and 0, 1A. 0 is the lowest consistency value and 1 is the highest consistency value;+, the additive operator, is a closed, commutative, associative and idempotent operation such that 1 is its absorbing element and 0 is its unit element;×, the multiplicative operator, is a closed and associative operation such that 0 is its absorbing element, 1 is its unit element and × distributes over +.

Stefano Bistarelli, Ugo Montanari, and Francesca Rossi, Semiring-based Constraint Solving and OptimizationJournal of the ACM, 44(2):201–236, Mar 1997.

Stefano Bistarelli, Ugo Montanari, and Francesca Rossi, Semiring-based Constraint Solving and OptimizationJournal of the ACM, 44(2):201–236, Mar 1997.


Semiring-based Constraints

Given a semiring <A,+,×, 0, 1> , an ordered set of variables V over a finite domain D, a constraint is a function which maps an assignment of the variables in the support of c, supp(c) to an element of A.

Notation c represents the constraint function c evaluated under instantiation , returning a semiring value.Given two constraints c1 and c2, their combination is defined as (c1c2) = c1×c2 .

The operation C represents the combination of a set of constraints C.a· b iff a+b=bc1 v c2 iff 8 c1 · c2

Stefano Bistarelli, Ugo Montanari and Francesca Rossi, Soft Concurrent Constraint Programming,Proceedings of ESOP-2002, LNCS, April 2002.

Stefano Bistarelli, Ugo Montanari and Francesca Rossi, Soft Concurrent Constraint Programming,Proceedings of ESOP-2002, LNCS, April 2002.

C Consiglio Nazionale delle Ricerche - PisaIit Istituto per l’Informatica e la TelematicaTalk Outline:

describe how constraints provide a natural approach to modelling and solving the secure interoperation problem Basic Security

Modelling Secure Composition of

systems Secure Interoperation

What are Soft Constraints?

Semiring Framework

Using constraints for Access Configuration Access Reconfiguration Access Interoperation Dealing with Transitivity

Future Work


Access Configuration

A collection of constraints between entities (subjects, objects) specifying access permissions Represented as a semiring

S=<PERM,+,£,?,>> Srw=<2{r,w},[,Å,;,{r,w}> Sbool=<{F,T},Ç,Æ,F,T>

a b{w}

CS,O(a,b)={w}


Access Configuration

A collection of constraints between entities (subjects, objects) specifying access permissions Represented as a semiring

S=<PERM,+,£,?,>> Srw=<2{r,w},[,Å,;,{r,w}> Sbool=<{F,T},Ç,Æ,F,T>

a b F

CS,O(a,b)=F

a b T

CS,O(a,b)=T


Access Configuration: Example

Sbool=<{F,T},Ç,Æ,F,T> CS,O(b,a)=F CS,O(c,b)=F CS,O(x,y)=T

c

ba


Access ReconfigurationExisting configuration CS may be safely re-configured to CS’ when CS’v CS

C>

CS

C?

vSecure reconfigurations

CS’


Access Reconfiguration: Example

c

ba

c

ba

c

ba

rrwrw

rw

c

ba

wr

rw


Access Interoperation

Has to be a secure reconfiguration of both the sistems S1 and S3

CS1 CS3

c

ba a

c d


Access InteroperationCS1 CS3

c

ba a

c d


Access InteroperationCS1 CS3

c

ba a

c d

CS1 CS3

c

baa

c d

c

ba a

c d


Access TransitivityCS1

c

ba

CS3

a

c d


Access TransitivityCS1 CS3CS1 CS3

c

ba a

c d


Access TransitivityCS1 CS3

a

c d

CS1 CS3

c

ba

c

ba a

c d

c

baa

c d


Access Transitivity vs non-transitivity

CS1

c

ba

CS3a

c d

CS1 CS3

CS1

c

ba

c

ba

c

ba


Where to from here?

Real world implementation: Currently seeking funding

to work with a company based in New Hampshire, USA.


Conclusion

We described how constraints provide a natural approach to modelling and solving the secure interoperation problemAccess ConfigurationAccess ReconfigurationAccess Interoperation Transitivity entities

All naturally represented with constraint operations


Questions?

Thank you for your attention

You have been listening to:

“Reasoning about Secure Interoperation using Soft Constraints”

Stefano Bistarelli, Simon Foley and Barry O’Sullivan

Proceedings of FAST2004, pag. 183-196

C Consiglio Nazionale delle Ricerche - Pisa Iit Istituto per lInformatica e la Telematica Reasoning...

Documents

Transcript of C Consiglio Nazionale delle Ricerche - Pisa Iit Istituto per lInformatica e la Telematica Reasoning...