Modelling mobility aspects of security policies
Transcript of the slides "Modelling mobility aspects of security policies"
Pieter Hartel, Pascal van Eck, Sandro Etalle, Roel Wieringa
University of Twente
WP 2.6 kick off, March 11 2004, Marseille
Objectives
Explain the problem that mobility may invalidate (or confuse) good security policies
Show that the solution requires the integration of physical and logical security policies
Illustrate this using case studies
Model the essence of the solutions using SPIN
Three world model
(figure: Social world, Physical world, Digital world)
Physical security uses barriers to stop unauthorised persons from gaining access to physical resources. (Security Dept)
Digital security provides passwords to stop unauthorised persons from accessing digital resources. (IT Dept)
Coordination of physical and digital security via integrated specification of security policies. (One Dept)
Mobile code
Ping
Bob pings Whitehouse
Whitehouse responds
Bob moves, or more interestingly… only ping moves to another machine
Moving ping has violated a security policy on mobility

  $ ping www.whitehouse.gov
  Reply from 194.109.217.178: time=110ms
  Reply from 194.109.217.178: time=1072ms
  Reply from 194.109.217.178: time=90ms

  $ ping www.whitehouse.gov
  Usage: ping [-t] [-a] [-n count] …
Mobile computers
Data base
Bob submits his tax return anywhere
Alice receives Bob’s tax return at the IRS
Alice discusses Bob’s tax return with her boss in the park
Eve spies on Alice
Alice has violated the security policy on mobility
Mobile smart card
Smart card
Alice collects smart card from the bank
Bob offers ‘special deal’ if she pays with plastic…
Can Bob be trusted?
Get new security policy at the bank for ‘special deals’
Modelling
System: objects from the 3 worlds
Policy: (un)acceptable behaviour
Principle: guidance & formula
Verification: (system ‖ policy) ⊨ principle
SPIN: communicating processes with a trace declaration
Policy: rule out behaviour that has been deemed unacceptable. Examples:
• Restrict access control
• Restrict information flow
• Maintain availability
Principle: identify & highlight security objectives. Examples:
• Follow least privilege
• Compartmentalise
• Be reluctant to trust
Host accepts “standard” ping only
Principle of the “least privilege”
Policy (automaton): [any system call except Socket(anywhere)]* Socket(Test) [any system call except Socket(anywhere)]*
System: Ping(Test), Ping(Production) → Ping Host
Unexpected?
System

  mtype = { Test_Env, Production_Env, Exit, Printf, Recvfrom, Sendto, Socket } ;  /* enumeration type */
  chan c = [0] of { mtype, mtype } ;                                              /* channel (rendezvous) */
  byte env = Test_Env ;                                                           /* global state */

  active proctype system() {            /* first of two concurrent processes */
    do                                  /* non deterministic choice */
    :: c!Exit(env)
    :: c!Printf(env)
    :: c!Recvfrom(env)
    :: c!Sendto(env)
    :: c!Socket(env)
    od
  }

  active proctype mobility() {          /* second of two concurrent processes */
    do                                  /* non deterministic choice */
    :: env = Test_Env
    :: env = Production_Env
    od
  }
Policy & Principle

  active proctype policy() {            /* policy: the accepted ping behaviour */
    do
    :: c?Printf(_) ; c?Exit(_)
    :: c?Socket(_) ; c?Printf(_) ;
       do
       :: c?Sendto(_) ; c?Recvfrom(_)
       :: break
       od
    od
  }

  trace {                               /* principle: Socket once, and only in Test_Env */
    do
    :: c?Exit(_)
    :: c?Printf(_)
    :: c?Recvfrom(_)
    :: c?Sendto(_)
    :: c?Socket(Test_Env) -> break
    od ;
    do
    :: c?Exit(_)
    :: c?Printf(_)
    :: c?Recvfrom(_)
    :: c?Sendto(_)
    od
  }

Based on work by Mycroft et al.
Counter example
(message sequence chart between the System, Policy and Mobility processes)
1!Socket,Test_Env
1!Printf,Production_Env
1!Socket,Test_Env
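Added example, not from the slides and not SPIN output: a Python re-implementation of the check (system ‖ policy) ⊨ principle for the ping model, with the policy() proctype and the trace declaration encoded as automata and mobility() modelled as a possible change of env between any two calls. check_trace confirms that the counter example above is accepted by the policy but violates the principle; find_violation does a breadth-first search of the product, so it returns the shortest violation (a single Socket in Production_Env) rather than the three-step run SPIN reported.

```python
# Added example: explicit-state check of system || policy against the
# principle from the slides' trace declaration. Not SPIN; same model.
from collections import deque

TEST, PROD = "Test_Env", "Production_Env"

# Policy automaton from proctype policy(): state -> {call: next state}.
# State 3 is the inner do-loop; its unguarded "break" means the options
# of state 0 are also enabled there (the epsilon move is folded in).
POLICY = {
    0: {"Printf": 1, "Socket": 2},
    1: {"Exit": 0},
    2: {"Printf": 3},
    3: {"Sendto": 4, "Printf": 1, "Socket": 2},
    4: {"Recvfrom": 3},
}

def principle_step(state, call, env):
    """Trace declaration as an automaton; None means a trace violation."""
    if call != "Socket":
        return state          # Exit/Printf/Sendto/Recvfrom: env is don't-care
    if state == 0 and env == TEST:
        return 1              # the first Socket must happen in Test_Env
    return None               # Socket elsewhere, or any second Socket

def check_trace(trace):
    """Return (accepted_by_policy, satisfies_principle) for a (call, env) list."""
    p, t, policy_ok = 0, 0, True
    for call, env in trace:
        if policy_ok and call in POLICY[p]:
            p = POLICY[p][call]
        else:
            policy_ok = False
        if t is not None:
            t = principle_step(t, call, env)
    return policy_ok, t is not None

def find_violation():
    """BFS over (policy state, principle state, env); mobility() may flip env
    before any call. Returns the shortest violating trace, or None."""
    start = (0, 0, TEST)
    seen, queue = {start}, deque([(start, [])])
    while queue:
        (p, t, env), path = queue.popleft()
        for new_env in (env, PROD if env == TEST else TEST):   # mobility()
            for call, p2 in POLICY[p].items():                 # system() sends
                step = path + [(call, new_env)]
                t2 = principle_step(t, call, new_env)
                if t2 is None:
                    return step
                nxt = (p2, t2, new_env)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, step))
    return None
```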
Principle “Compartmentalise”
System (figure): Presentation layer 1 (office) and Presentation layer 2 (park) → Business logic layer → Database layer (DB1, DB2)
Policy: Connect(here) Request(here) Reply(here) Request(here) Reply(here) ... Disconnect(here)
Location determines data base: not checked by standard policy
Principle “Be reluctant to trust”
System (figure): locations mall, counter, bank, ATM, POS terminal, shop, vending machine; applets Management applet, Loyalty applet, Payment applet
Policy: Payment(vending) Loyalty(vending)
Location determines applet: not checked by standard policy
Conclusions and future work
We can analyse policies, showing that none of the models satisfy our principles
Trace declarations limited, more tool support needed
Models should be more systematic, and hierarchical
How can we enforce policies?