Information Flow Security for Asynchronous, Distributed ... · Information Flow Security for...

Information Flow Security for Asynchronous,Distributed, and Mobile Applications

Felipe LUNA DEL AGUILA

OASIS ProjectINRIA Sophia Antipolis

CNRS - I3S - Universite Nice–Sophia Antipolis

Agenda

• Introduction

PhD Defense - jump to start 1

Agenda

• Introduction

• Context (informal and formal perspectives)

PhD Defense - jump to start 1

Agenda

• Introduction

• Context (informal and formal perspectives)

– ProActive

PhD Defense - jump to start 1

Agenda

• Introduction

• Context (informal and formal perspectives)

– ProActive– ASP calculus and communication reduction rules

PhD Defense - jump to start 1

Agenda

• Introduction

• Context (informal and formal perspectives)

– ProActive– ASP calculus and communication reduction rules

• Objectives

PhD Defense - jump to start 1

Agenda

• Introduction

• Context (informal and formal perspectives)

– ProActive– ASP calculus and communication reduction rules

• Objectives

• Related Security Mechanisms

PhD Defense - jump to start 1

Agenda

• Introduction

• Context (informal and formal perspectives)

– ProActive– ASP calculus and communication reduction rules

• Objectives

• Related Security Mechanisms

• The ASP Security Model

PhD Defense - jump to start 1

Agenda

• Introduction

• Context (informal and formal perspectives)

– ProActive– ASP calculus and communication reduction rules

• Objectives

• Related Security Mechanisms

• The ASP Security Model

• Implementation of the Security Model

PhD Defense - jump to start 1

Agenda

• Introduction

• Context (informal and formal perspectives)

– ProActive– ASP calculus and communication reduction rules

• Objectives

• Related Security Mechanisms

• The ASP Security Model

• Implementation of the Security Model

• Conclusion

PhD Defense - jump to start 1

Introduction

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Recent paradigms

PhD Defense - jump to start 2

Introduction

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Recent paradigms

SystemsDistributed

PhD Defense - jump to start 2

Introduction

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Recent paradigms

SystemsDistributed

ProgrammingObject-oriented

PhD Defense - jump to start 2

Introduction

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Recent paradigms

SystemsDistributed

ProgrammingObject-oriented

Service-orientedComputing

PhD Defense - jump to start 2

Introduction

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Recent paradigms

SystemsDistributed

ProgrammingObject-oriented

Service-orientedComputing

Security

PhD Defense - jump to start 2

Introduction

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Recent paradigms

SystemsDistributed

ProgrammingObject-oriented

Service-orientedComputing

Security

Security focused specifically on Information Flow

PhD Defense - jump to start 2

Context

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

ProActive main characteristics

• Middleware library for distributed applications

PhD Defense - jump to start 3

Context

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

ProActive main characteristics

• Middleware library for distributed applications

• 100% Java

PhD Defense - jump to start 3

Context

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

ProActive main characteristics

• Middleware library for distributed applications

• 100% Java

• Existence of passive and active objects

PhD Defense - jump to start 3

Context

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

ProActive main characteristics

• Middleware library for distributed applications

• 100% Java

• Existence of passive and active objects

• Asynchronous communications between active objects

PhD Defense - jump to start 3

Context

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

ProActive main characteristics

• Middleware library for distributed applications

• 100% Java

• Existence of passive and active objects

• Asynchronous communications between active objects

– Principle of wait-by-necessity and futures:1. future reference

PhD Defense - jump to start 3

Context

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

ProActive main characteristics

• Middleware library for distributed applications

• 100% Java

• Existence of passive and active objects

• Asynchronous communications between active objects

– Principle of wait-by-necessity and futures:1. future reference

(ex.: http://www.anysite.com/anypage.html)

PhD Defense - jump to start 3

Context

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

ProActive main characteristics

• Middleware library for distributed applications

• 100% Java

• Existence of passive and active objects

• Asynchronous communications between active objects

– Principle of wait-by-necessity and futures:1. future reference

(ex.: http://www.anysite.com/anypage.html)

2. future value

PhD Defense - jump to start 3

Context

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

ProActive main characteristics

• Middleware library for distributed applications

• 100% Java

• Existence of passive and active objects

• Asynchronous communications between active objects

– Principle of wait-by-necessity and futures:1. future reference

(ex.: http://www.anysite.com/anypage.html)

2. future value

(ex.: HTML error: 404 Not Authorized)

PhD Defense - jump to start 3

ASP semantics and ProActive

• The ASP language entities:

– activity α

α

PhD Defense - jump to start 4

ASP semantics and ProActive

• The ASP language entities:

– activity α, active object a

αActive object

PhD Defense - jump to start 4

ASP semantics and ProActive

• The ASP language entities:

– activity α, active object a, passive objects

αActive object

PhD Defense - jump to start 4

ASP semantics and ProActive

• The ASP language entities:

– activity α, active object a, passive objects, activity β

αActive object

β

PhD Defense - jump to start 4

ASP semantics and ProActive

• The ASP language entities:

– activity α, active object a, passive objects, activity β, active object reference AO(α)

αActive object

β

PhD Defense - jump to start 4

ASP semantics and ProActive

• The ASP language entities:

– activity α, active object a, passive objects, activity β, active object reference AO(α), future

fα→βi and request queue (with pending, current, and completed requests)

αActive object

β

references tofuture values

currentrequest

pendingrequests

Futurevalue

PhD Defense - jump to start 4

ASP semantics and ProActive

• The ASP language entities:

– activity α, active object a, passive objects, activity β, active object reference AO(α), future

fα→βi and request queue (with pending, current, and completed requests), future references

fut(fα→βi )

αActive object

β

references tofuture values

currentrequest

pendingrequests

Futurevalue

f2

current term

Requestparameter

foo

f

f3

PhD Defense - jump to start 4

ASP semantics and ProActive

• The ASP language entities:

– activity α, active object a, passive objects, activity β, active object reference AO(α), future

fα→βi and request queue (with pending, current, and completed requests), future references

fut(fα→βi ), and store σ

αActive object

β

references tofuture values

currentrequest

pendingrequests

Futurevalue

f2

current term

Requestparameter

foo

f

f3

σβ

PhD Defense - jump to start 4

ASP semantics and ProActive

• The ASP language entities:

– activity α, active object a, passive objects, activity β, active object reference AO(α), future

fα→βi and request queue (with pending, current, and completed requests), future references

fut(fα→βi ), and store σ

αActive object

β

references tofuture values

currentrequest

pendingrequests

Futurevalue

f2

current term

Requestparameter

foo

f

f3

σβ

• Parallel configurations are then of the form: P,Q ::= α [a; σ; ι; F ; R; f ] ‖ β [· · · ] ‖ · · ·

PhD Defense - jump to start 4

ASP parallel reduction rules

PhD Defense - jump to start 5

ASP parallel reduction rules

(a, σ) →S (a′, σ′) →S does not clone a future

α[a; σ; ι; F ; R; f ] ‖ P −→ α[a′; σ′; ι; F ; R; f ] ‖ P(local)

γ fresh activity ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ σγ = copy(ι′′, σ)

α[R[Active(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→ α[R[ι′]; σ′; ι; F ; R; f ] ‖ γ[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P(newact)

σα(ι) = AO(β) ι′′ 6∈ dom(σβ) fα→βi new future ιf 6∈ dom(σα)

σ′β = Copy&Merge(σα, ι′ ; σβ, ι′′) σ′α = {ιf 7→ fut(fα→βi )} :: σα

α[R[ι.mj(ι′)]; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→

α[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σ′β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P

(request)

R = R′ :: [mj; ιr; f ′] :: R′′ mj ∈ M ∀m ∈ M, m /∈ R′

α[R[Serve(M)]; σ; ι; F ; R; f ] ‖ P −→ α[ι.mj(ιr) ⇑ f,R[[]]; σ; ι; F ; R′ :: R′′; f ′] ‖ P(serve)

ι′ 6∈ dom(σ) F ′ = F :: {f 7→ ι′} σ′ = Copy&Merge(σ, ι ; σ, ι′)

α[ι ⇑ f ′, a; σ; ι; F ; R; f ] ‖ P −→ α[a; σ′; ι; F ′; R; f ′] ‖ P(endservice)

σα(ι) = fut(fγ→βi ) Fβ(f

γ→βi ) = ιf σ′α = Copy&Merge(σβ, ιf ; σα, ι)

α[aα; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→α[aα; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P

(reply)

PhD Defense - jump to start 5

ASP parallel reduction rules

(a, σ) →S (a′, σ′) →S does not clone a future

α[a; σ; ι; F ; R; f ] ‖ P −→ α[a′; σ′; ι; F ; R; f ] ‖ P(local)

γ fresh activity ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ σγ = copy(ι′′, σ)

α[R[Active(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→ α[R[ι′]; σ′; ι; F ; R; f ] ‖ γ[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P(newact)

σα(ι) = AO(β) ι′′ 6∈ dom(σβ) fα→βi new future ιf 6∈ dom(σα)

σ′β = Copy&Merge(σα, ι′ ; σβ, ι′′) σ′α = {ιf 7→ fut(fα→βi )} :: σα

α[R[ι.mj(ι′)]; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→

α[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σ′β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P

(request)

R = R′ :: [mj; ιr; f ′] :: R′′ mj ∈ M ∀m ∈ M, m /∈ R′

α[R[Serve(M)]; σ; ι; F ; R; f ] ‖ P −→ α[ι.mj(ιr) ⇑ f,R[[]]; σ; ι; F ; R′ :: R′′; f ′] ‖ P(serve)

ι′ 6∈ dom(σ) F ′ = F :: {f 7→ ι′} σ′ = Copy&Merge(σ, ι ; σ, ι′)

α[ι ⇑ f ′, a; σ; ι; F ; R; f ] ‖ P −→ α[a; σ′; ι; F ′; R; f ′] ‖ P(endservice)

σα(ι) = fut(fγ→βi ) Fβ(f

γ→βi ) = ιf σ′α = Copy&Merge(σβ, ιf ; σα, ι)

α[aα; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→α[aα; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P

(reply)

PhD Defense - jump to start 5

Reduction rules: 1) New Activity

γ fresh activity ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ

α[R[Active(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→α[R[ι′]; σ′; ι; F ; R; f ] ‖ γ[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P

α γσ γσ

PhD Defense - jump to start 6

Reduction rules: 1) New Activity

γ fresh activity copy(ι′′,σ) = σγ ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ

α[R[Active(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→α[R[ι′]; σ′; ι; F ; R; f ] ‖ γ[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P

α γσ γσ

Object toactivate

i”

PhD Defense - jump to start 6

Reduction rules: 1) New Activity

γ fresh activity copy(ι′′,σ) = σγ

i”.m ()j

α γσγσ

Active object

PhD Defense - jump to start 7

Reduction rules: 1) New Activity

γ fresh activity copy(ι′′,σ) = σγ ι′ 6∈ dom(σ) σ′= {ι′ 7→ AO(γ)} :: σ

α[R[Active(ι′′, mj)];σ; ι; F ; R; f ] ‖ P −→α[R[ι′];σ′; ι; F ; R; f ] ‖ γ[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P

i”.m ()j

α γσγσ

Active object

AO( )γ

’

i’

PhD Defense - jump to start 7

Reduction rules: 2) Request

σα(ι) =AO(β)

fα→βi new future ιf 6∈ dom(σα) {ιf 7→ fut(fα→β

i )} :: σα = σ′α

α[R[ι.mj(ι′)]; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→

α[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σ′

β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P

σβ

i.m ( i’ )j

βα σα

βAO( )i

Active object

PhD Defense - jump to start 8

Reduction rules: 2) Request

σα(ι) =AO(β) ι′′ 6∈ dom(σβ) Copy&Merge(σα, ι′ ; σβ, ι′′) = σ′β

fα→βi new future ιf 6∈ dom(σα) {ιf 7→ fut(fα→β

i )} :: σα = σ′α

α[R[ι.mj(ι′)]; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→

α[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σ′

β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P

σβ

i.m ( i’ )j

βα σα

βAO( )i

Active object

i’

Requestparameter

PhD Defense - jump to start 8

Reduction rules: 2) Request

σα(ι) =AO(β) ι′′ 6∈ dom(σβ) Copy&Merge(σα, ι′ ; σβ, ι′′) = σ′β

i.m ( i’ )j

βα σα

βAO( )i

Active objectβσ ’

Requestparameter

i”

PhD Defense - jump to start 9

Reduction rules: 2) Request

σα(ι) =AO(β) ι′′ 6∈ dom(σβ) Copy&Merge(σα, ι′ ; σβ, ι′′) = σ′β

fα→βi new future

i.m ( i’ )j

βα σα

βAO( )i

Active objectβσ ’

Requestparameter

i”

f α βi

PhD Defense - jump to start 9

Reduction rules: 2) Request

σα(ι) =AO(β) ι′′ 6∈ dom(σβ) Copy&Merge(σα, ι′ ; σβ, ι′′) = σ′β

fα→βi new future ιf 6∈ dom(σα) {ιf 7→ fut(fα→β

i )} :: σα = σ′α

i.m ( i’ )j

βα σα

βAO( )i

Active objectβσ ’

Requestparameter

i”

f α βi

α β

i f

ifut ( f )

’

PhD Defense - jump to start 9

Reduction rules: 2) Request

σα(ι) =AO(β) ι′′ 6∈ dom(σβ) Copy&Merge(σα, ι′ ; σβ, ι′′) = σ′β

fα→βi new future ιf 6∈ dom(σα) {ιf 7→ fut(fα→β

i )} :: σα = σ′α

α[R[ι.mj(ι′)];σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→

α[R[ιf ];σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σ′

β; ιβ; Fβ; Rβ :: [mj;ι′′;fα→β

i ]; fβ] ‖ P

i.m ( i’ )j

βα σα

βAO( )i

Active objectβσ ’

Requestparameter

i”

f α βi

α β

i f

ifut ( f )

’

PhD Defense - jump to start 9

Reduction rules: 3) Reply

σα(ι) =fut(fγ→βi ) Fβ(f

γ→βi ) = ιf = σ′

α

α[aα; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→α[aα; σ′

α; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P

βα σα

ifut ( f )

i

βγ

βσ

futurevalue

fi

PhD Defense - jump to start 10

Reduction rules: 3) Reply

σα(ι) =fut(fγ→βi ) Fβ(f

γ→βi ) = ιf Copy&Merge(σβ, ιf ; σα, ι) = σ′

α

α[aα; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→α[aα; σ′

α; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P

βα σα

ifut ( f )

i

βγ

βσ

futurevalue

fi

PhD Defense - jump to start 10

Reduction rules: 3) Reply

σα(ι) =fut(fγ→βi ) Fβ(f

γ→βi ) = ιf Copy&Merge(σβ, ιf ; σα, ι) = σ′

α

α[aα; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→α[aα; σ′

α; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P

βα σα βσ

i

’

futurevalue

PhD Defense - jump to start 11

Objectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Main objective: Information Flow Control

PhD Defense - jump to start 12

Objectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Main objective: Information Flow Control

1. To guarantee data confidentiality

Confidentiality in MLS: follows the basic principle of no writedown, no read up

PhD Defense - jump to start 12

Objectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Main objective: Information Flow Control

1. To guarantee data confidentiality

Confidentiality in MLS: follows the basic principle of no writedown, no read up

2. Define a security policy to apply to asynchronous,distributed, and mobile applications

PhD Defense - jump to start 12

Objectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Main objective: Information Flow Control

1. To guarantee data confidentiality

Confidentiality in MLS: follows the basic principle of no writedown, no read up

2. Define a security policy to apply to asynchronous,distributed, and mobile applications

Main issue: Presence of asymmetric patterns of communications(result of the future and wait-by necessity concepts)

PhD Defense - jump to start 12

Objectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Main objective: Information Flow Control

1. To guarantee data confidentiality

Confidentiality in MLS: follows the basic principle of no writedown, no read up

2. Define a security policy to apply to asynchronous,distributed, and mobile applications

Main issue: Presence of asymmetric patterns of communications(result of the future and wait-by necessity concepts)

3. Provide a formal security model

PhD Defense - jump to start 12

Objectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Main objective: Information Flow Control

1. To guarantee data confidentiality

Confidentiality in MLS: follows the basic principle of no writedown, no read up

2. Define a security policy to apply to asynchronous,distributed, and mobile applications

Main issue: Presence of asymmetric patterns of communications(result of the future and wait-by necessity concepts)

3. Provide a formal security model which is verifiable

mathematically

PhD Defense - jump to start 12

Objectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Main objective: Information Flow Control

1. To guarantee data confidentiality

Confidentiality in MLS: follows the basic principle of no writedown, no read up

2. Define a security policy to apply to asynchronous,distributed, and mobile applications

Main issue: Presence of asymmetric patterns of communications(result of the future and wait-by necessity concepts)

3. Provide a formal security model which is verifiable

mathematically

4. Propose an architecture for the implementation of the

security model

PhD Defense - jump to start 12

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

– Discretionary Access Controls (DAC)

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

– Discretionary Access Controls (DAC)

• Formal methods

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

– Discretionary Access Controls (DAC)

• Formal methods

– Non-interference

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

– Discretionary Access Controls (DAC)

• Formal methods

– Non-interference

– π-calculus, Asynchronous-π, and Spi calculus

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

– Discretionary Access Controls (DAC)

• Formal methods

– Non-interference

– π-calculus, Asynchronous-π, and Spi calculus

– Ambients, and Mobile Ambients

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

– Discretionary Access Controls (DAC)

• Formal methods

– Non-interference

– π-calculus, Asynchronous-π, and Spi calculus

– Ambients, and Mobile Ambients

– Seals, Boxed Ambients, and Secure Safe Ambients

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

– Discretionary Access Controls (DAC)

• Formal methods

– Non-interference

– π-calculus, Asynchronous-π, and Spi calculus

– Ambients, and Mobile Ambients

– Seals, Boxed Ambients, and Secure Safe Ambients

• Informal approaches

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

– Discretionary Access Controls (DAC)

• Formal methods

– Non-interference

– π-calculus, Asynchronous-π, and Spi calculus

– Ambients, and Mobile Ambients

– Seals, Boxed Ambients, and Secure Safe Ambients

• Informal approaches

– Exceptions (in the security policy)

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

– Discretionary Access Controls (DAC)

• Formal methods

– Non-interference

– π-calculus, Asynchronous-π, and Spi calculus

– Ambients, and Mobile Ambients

– Seals, Boxed Ambients, and Secure Safe Ambients

• Informal approaches

– Exceptions (in the security policy), labels

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

– Discretionary Access Controls (DAC)

• Formal methods

– Non-interference

– π-calculus, Asynchronous-π, and Spi calculus

– Ambients, and Mobile Ambients

– Seals, Boxed Ambients, and Secure Safe Ambients

• Informal approaches

– Exceptions (in the security policy), labels, tickets

PhD Defense - jump to start 13

Related Security Mechanisms

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Models

– Mandatory Access Controls (MAC)

– Discretionary Access Controls (DAC)

• Formal methods

– Non-interference

– π-calculus, Asynchronous-π, and Spi calculus

– Ambients, and Mobile Ambients

– Seals, Boxed Ambients, and Secure Safe Ambients

• Informal approaches

– Exceptions (in the security policy), labels, tickets,

certificates . . .

PhD Defense - jump to start 13

The ASP Security Model

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Syntax and semantics of the security framework

PhD Defense - jump to start 14

The ASP Security Model

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Syntax and semantics of the security framework

• S set of activities acting as subjects, where

α, β, γ, ... ∈ S

PhD Defense - jump to start 14

The ASP Security Model

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Syntax and semantics of the security framework

• S set of activities acting as subjects, where

α, β, γ, ... ∈ S

• D set of data objects sent as arguments in REQUEST

actions: Rqα→β(d)

PhD Defense - jump to start 14

The ASP Security Model

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Syntax and semantics of the security framework

• S set of activities acting as subjects, where

α, β, γ, ... ∈ S

• D set of data objects sent as arguments in REQUEST

actions: Rqα→β(d)

• R is the set of objects associated to futures, and

returned in REPLY actions: Rpβ→α(r)

PhD Defense - jump to start 14

The ASP Security Model (cntd.)Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• L finite set of security levels λ, partially ordered by

the relation ≤, where ∀i ∈ S ∪ D, λi ∈ L

PhD Defense - jump to start 15

The ASP Security Model (cntd.)Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• L finite set of security levels λ, partially ordered by

the relation ≤, where ∀i ∈ S ∪ D, λi ∈ L

processingdata

ms

mt

(task)

targetsubject

r λβ

αλα βλ

aλα

λα

b

( )dλin

dλin

β

λβ

βλ

tx=b.m

PhD Defense - jump to start 15

The ASP Security Model (cntd.)Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• L finite set of security levels λ, partially ordered by

the relation ≤, where ∀i ∈ S ∪ D, λi ∈ L

processingdata

ms

mt

(task)

targetsubject

r λβ

αλα βλ

aλα

λα

b

( )dλin

dλin

β

λβ

βλ

tx=b.m

• Transmissions of d and r are restricted by the security

rules

PhD Defense - jump to start 15

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Actions

• A set of actions, where a ∈ A

PhD Defense - jump to start 16

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Actions

• A set of actions, where a ∈ A

• ASP actions are now rewritten to include security

properties:

PhD Defense - jump to start 16

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Actions

• A set of actions, where a ∈ A

• ASP actions are now rewritten to include security

properties:

Nw(γ, λγ) is a modified NEWACT

PhD Defense - jump to start 16

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Actions

• A set of actions, where a ∈ A

• ASP actions are now rewritten to include security

properties:

Nw(γ, λγ) is a modified NEWACT

Rqα→β(d, λin) is a modified REQUEST

PhD Defense - jump to start 16

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Actions

• A set of actions, where a ∈ A

• ASP actions are now rewritten to include security

properties:

Nw(γ, λγ) is a modified NEWACT

Rqα→β(d, λin) is a modified REQUEST

Rpβ→α(r) is an unchanged REPLY

PhD Defense - jump to start 16

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Actions

• A set of actions, where a ∈ A

• ASP actions are now rewritten to include security

properties:

Nw(γ, λγ) is a modified NEWACT

Rqα→β(d, λin) is a modified REQUEST

Rpβ→α(r) is an unchanged REPLY

• In general,

a = {Nw(γ, λγ), Rqα→β(d, λin), Rpβ→α(r)}

PhD Defense - jump to start 16

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Additional entities

• M matrix of explicit (discretionary) rights

PhD Defense - jump to start 17

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Additional entities

• M matrix of explicit (discretionary) rights

M = S × S → P(A)

PhD Defense - jump to start 17

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Additional entities

• M matrix of explicit (discretionary) rights

M = S × S → P(A)P(A) set of actions whose assignation of a security

level is explicitly allowed

PhD Defense - jump to start 17

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Additional entities

• M matrix of explicit (discretionary) rights

M = S × S → P(A)P(A) set of actions whose assignation of a security

level is explicitly allowed

In general, p ∈ P(A) if and only if

p = {Nw(γ, λγ), Rqα→β(d, λin)}

PhD Defense - jump to start 17

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Additional entities

• M matrix of explicit (discretionary) rights

M = S × S → P(A)P(A) set of actions whose assignation of a security

level is explicitly allowed

In general, p ∈ P(A) if and only if

p = {Nw(γ, λγ), Rqα→β(d, λin)}

• T set of authorized (access) transmissions

PhD Defense - jump to start 17

The ASP Security Model (cntd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Additional entities

• M matrix of explicit (discretionary) rights

M = S × S → P(A)P(A) set of actions whose assignation of a security

level is explicitly allowed

In general, p ∈ P(A) if and only if

p = {Nw(γ, λγ), Rqα→β(d, λin)}

• T set of authorized (access) transmissions

T = S × S ×A

PhD Defense - jump to start 17

Application of the security framework

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

PhD Defense - jump to start 18

Application of the security framework

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

1.- Base statements:

• Creation (and migration) of new activities are secure

• Emission of requests, with modifiable security levels in the datasent, are secure

• Emission of replies are secure

PhD Defense - jump to start 18

Application of the security framework

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

1.- Base statements:

• Creation (and migration) of new activities are secure

• Emission of requests, with modifiable security levels in the datasent, are secure

• Emission of replies are secure

2.- Support concepts:

• Elementary flows of information

• Flow-paths

PhD Defense - jump to start 18

Application of the security framework

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

1.- Base statements:

• Creation (and migration) of new activities are secure

• Emission of requests, with modifiable security levels in the datasent, are secure

• Emission of replies are secure

2.- Support concepts:

• Elementary flows of information

• Flow-paths

3.- Results:

Confidentiality, from end-to-end in a flow-path, is guaranteed

PhD Defense - jump to start 18

Secure Activity Creation

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

PhD Defense - jump to start 19

Secure Activity Creation

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, γ ∈ S

PhD Defense - jump to start 19

Secure Activity Creation

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, γ ∈ S: (α, γ, Nw(γ, λγ)) ∈ T ⇐⇒

A new activity action is considered secure iff:

PhD Defense - jump to start 19

Secure Activity Creation

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, γ ∈ S: (α, γ, Nw(γ, λγ)) ∈ T ⇐⇒(λα ≤ λγ)

A new activity action is considered secure iff:

1. The new activity has a higher security level compared

to its creator

PhD Defense - jump to start 19

Secure Activity Creation

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, γ ∈ S: (α, γ, Nw(γ, λγ)) ∈ T ⇐⇒(λα ≤ λγ) ∨Nw(γ, λγ) ∈M(α, γ)

A new activity action is considered secure iff:

1. The new activity has a higher security level compared

to its creator

2. or, in case the new activity has a lower security (i.e. a

downgrade), the creation action must be explicitly

allowed

PhD Defense - jump to start 19

Secure Activity Creation

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, γ ∈ S: (α, γ, Nw(γ, λγ)) ∈ T ⇐⇒(λα ≤ λγ) ∨Nw(γ, λγ) ∈M(α, γ)

A new activity action is considered secure iff:

1. The new activity has a higher security level compared

to its creator

2. or, in case the new activity has a lower security (i.e. a

downgrade), the creation action must be explicitly

allowed

Special case: Migration of an existing activity

PhD Defense - jump to start 19

Secure Request Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

PhD Defense - jump to start 20

Secure Request Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, β ∈ S

PhD Defense - jump to start 20

Secure Request Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, β ∈ S: (α, β, Rqα→β(d, λin)) ∈ T ⇐⇒

A request transmission action is considered secure iff:

PhD Defense - jump to start 20

Secure Request Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, β ∈ S: (α, β, Rqα→β(d, λin)) ∈ T ⇐⇒(λin ≤ λβ)∧

A request transmission action is considered secure iff:

1. Data is ”released” to an authorized target, AND

PhD Defense - jump to start 20

Secure Request Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, β ∈ S: (α, β, Rqα→β(d, λin)) ∈ T ⇐⇒(λin ≤ λβ)∧(λα ≤ λin)

A request transmission action is considered secure iff:

1. Data is ”released” to an authorized target, AND

2. Either:

• The data has a higher level than the sender

PhD Defense - jump to start 20

Secure Request Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, β ∈ S: (α, β, Rqα→β(d, λin)) ∈ T ⇐⇒(λin ≤ λβ)∧(λα ≤ λin)

∨ ((λα > λin) ∧Rqα→β(d, λin) ∈M(α, β))

A request transmission action is considered secure iff:

1. Data is ”released” to an authorized target, AND

2. Either:

• The data has a higher level than the sender

• If data has a lower level than the sender (i.e. a

downgrade), the action must be explicitly allowed

PhD Defense - jump to start 20

Secure Request Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, β ∈ S: (α, β, Rqα→β(d, λin)) ∈ T ⇐⇒(λin ≤ λβ)∧(λα ≤ λin)

∨ ((λα > λin) ∧Rqα→β(d, λin) ∈M(α, β))∨ ∃γ, δ, fi, d = fut(fγ→δ

i )

A request transmission action is considered secure iff:

1. Data is ”released” to an authorized target, AND

2. Either:

• The data has a higher level than the sender

• If data has a lower level than the sender (i.e. a

downgrade), the action must be explicitly allowed

• The data is a future reference

PhD Defense - jump to start 20

Secure Reply Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

PhD Defense - jump to start 21

Secure Reply Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, β ∈ S

PhD Defense - jump to start 21

Secure Reply Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, β ∈ S: (α, β, Rpβ→α(r)) ∈ T ⇐⇒

A reply transmission action is considered secure iff:

PhD Defense - jump to start 21

Secure Reply Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, β ∈ S: (α, β, Rpβ→α(r)) ∈ T ⇐⇒(λβ ≤ λα)

A reply transmission action is considered secure iff:

1. The data contained in the reply r (hence of level λβ)

can be released to the corresponding receiving subject

(with λα)

PhD Defense - jump to start 21

Secure Reply Transmission

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

∀α, β ∈ S: (α, β, Rpβ→α(r)) ∈ T ⇐⇒(λβ ≤ λα) ∨ (∃γ, δ, fi, r = fut(fγ→δ

i ))

A reply transmission action is considered secure iff:

1. The data contained in the reply r (hence of level λβ)

can be released to the corresponding receiving subject

(with λα)

2. or, if the data in the reply is only a reference to a

future

PhD Defense - jump to start 21

Secure ASP reduction rules

PhD Defense - jump to start 22

Secure ASP reduction rules

γ fresh activity ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ

σγ = copy(ι′′, σ) (α, γ, Nw(γ, λγ)) ∈ T

αλ[R[Activeλa(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→αλ[R[ι′]; σ′; ι; F ; R; f ] ‖ γλa[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P

(SecNEWACT)

σα(ι) = AO(β) ι′′ 6∈ dom(σβ) fα→βi new future

ιf 6∈ dom(σα) σ′β = Copy&Merge(σα, ι′ ; σβ, ι′′)

σ′α = {ιf 7→ fut(fα→βi )} :: σα (α, β, Rqα→β(σα(ι′), λin)) ∈ T

αλα[R[ι.mj(ι′λin)]; σα; ια; Fα; Rα; fα] ‖ β

λβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→αλα[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β

λβ [aβ; σ′β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P

(SecREQUEST)

σα(ι) = fut(fγ→βi ) Fβ(f

γ→βi ) = ιf

σ′α = Copy&Merge(σβ, ιf ; σα, ι) (β, α, Rpβ→α(σβ(ιf))) ∈ T

αλα[aα; σα; ια; Fα; Rα; fα] ‖ βλβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→

αλα[aα; σ′α; ια; Fα; Rα; fα] ‖ βλβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P

(SecREPLY)

PhD Defense - jump to start 22

Secure ASP reduction rules

γ fresh activity ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ

σγ = copy(ι′′, σ) (α, γ, Nw(γ, λγ)) ∈ T

αλ[R[Activeλa(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→αλ[R[ι′]; σ′; ι; F ; R; f ] ‖ γλa[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P

(SecNEWACT)

σα(ι) = AO(β) ι′′ 6∈ dom(σβ) fα→βi new future

ιf 6∈ dom(σα) σ′β = Copy&Merge(σα, ι′ ; σβ, ι′′)

σ′α = {ιf 7→ fut(fα→βi )} :: σα (α, β, Rqα→β(σα(ι′), λin)) ∈ T

αλα[R[ι.mj(ι′λin)]; σα; ια; Fα; Rα; fα] ‖ β

λβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→αλα[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β

λβ [aβ; σ′β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P

(SecREQUEST)

σα(ι) = fut(fγ→βi ) Fβ(f

γ→βi ) = ιf

σ′α = Copy&Merge(σβ, ιf ; σα, ι) (β, α, Rpβ→α(σβ(ιf))) ∈ T

αλα[aα; σα; ια; Fα; Rα; fα] ‖ βλβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→

αλα[aα; σ′α; ια; Fα; Rα; fα] ‖ βλβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P

(SecREPLY)

Parallel configurations are now of the form:

P, Q ::= αλα[a;σ; ι;F ;R; f ] ‖ βλβ[· · · ] ‖ · · ·

PhD Defense - jump to start 22

The Secure Information Flow

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

PhD Defense - jump to start 23

The Secure Information Flow

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• The concept elementary flow of information is based

on the ”release” or transmission of information from

an activity

PhD Defense - jump to start 23

The Secure Information Flow

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• The concept elementary flow of information is based

on the ”release” or transmission of information from

an activity

• Hence, it is derived the secure information flownotion:

(α, β, Rqα→β(σ(ι′), λin)) ∈ T

Secϕ∅(α, β)

(β, α, Rpβ→α(σα(ιf))) ∈ T

Secϕ∅(β, α)

(α, γ, Nw(γ, λγ)) ∈ T

Secϕ∅(α, γ)

PhD Defense - jump to start 23

The Secure Information Flow

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• The concept elementary flow of information is based

on the ”release” or transmission of information from

an activity

• Hence, it is derived the secure information flownotion:

(α, β, Rqα→β(σ(ι′), λin)) ∈ T

Secϕ∅(α, β)

(β, α, Rpβ→α(σα(ιf))) ∈ T

Secϕ∅(β, α)

(α, γ, Nw(γ, λγ)) ∈ T

Secϕ∅(α, γ)

The syntax Secϕ∅(α, β) means there is a secure flow

(Secϕ), with no other intermediate activities (∅),happening between activities α and β

PhD Defense - jump to start 23

The Secure Path for Information Flow

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

PhD Defense - jump to start 24

The Secure Path for Information Flow

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• A flow of information is composed of several elementary flowshappening in a sequential order

PhD Defense - jump to start 24

The Secure Path for Information Flow

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• A flow of information is composed of several elementary flowshappening in a sequential order

• A flow-path (fp) is produced when intermediate activities arepresent in between the communication of two given activities(i.e. the end points)

PhD Defense - jump to start 24

The Secure Path for Information Flow

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• A flow of information is composed of several elementary flowshappening in a sequential order

• A flow-path (fp) is produced when intermediate activities arepresent in between the communication of two given activities(i.e. the end points)

• Formally, the secure path for information flow is:

Secϕfp1(α, γ) Secϕfp2(γ, β)

Secϕfp1.γ.fp2(α, β)

PhD Defense - jump to start 24

The Secure Path for Information Flow

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• A flow of information is composed of several elementary flowshappening in a sequential order

• A flow-path (fp) is produced when intermediate activities arepresent in between the communication of two given activities(i.e. the end points)

• Formally, the secure path for information flow is:

Secϕfp1(α, γ) Secϕfp2(γ, β)

Secϕfp1.γ.fp2(α, β)

• There is a secure information flow from end-to-end on any flowpath when:

Secϕγ1···γn(α, β) ⇐⇒Secϕ∅(α, γ1) ∧ Secϕ∅(γ1, γ2) ∧ · · · ∧ Secϕ∅(γn, β)

PhD Defense - jump to start 24

Service-Oriented Computing and futures

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Impossible future updates with symmetric patterns of

communications

β

Active Object Active Object Active Object

λδ < βλ γλ<

γ

AO( )δ

δ

γAO( )

PhD Defense - jump to start 25

Service-Oriented Computing and futures

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Impossible future updates with symmetric patterns of

communications

β

Active Object Active Object Active Object

λδ < βλ γλ<

γ

AO( )δ

δ

γAO( )

Reqγ

PhD Defense - jump to start 25

Service-Oriented Computing and futures

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Impossible future updates with symmetric patterns of

communications

β

Active Object Active Object Active Object

λδ < βλ γλ<

γ

AO( )δ

δ

γAO( )

Reqγ

f 2

PhD Defense - jump to start 25

Service-Oriented Computing and futures

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Impossible future updates with symmetric patterns of

communications

β

Active Object Active Object Active Object

λδ < βλ γλ<

γ

AO( )δ

δ

γAO( )

Reqγ

f 2

Reqδ

PhD Defense - jump to start 25

Service-Oriented Computing and futures

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Impossible future updates with symmetric patterns of

communications

β

Active Object Active Object Active Object

λδ < βλ γλ<

γ

AO( )δ

δ

γAO( )

Reqγ

f 2

Reqδ

2f’

PhD Defense - jump to start 25

Service-Oriented Computing and futures

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Impossible future updates with symmetric patterns of

communications

β

Active Object Active Object Active Object

λδ < βλ γλ<

γ

AO( )δ

δ

γAO( )

Reqγ

f 2

Reqδ

2f’

λλδ < γ

PhD Defense - jump to start 25

Service-Oriented Computing and futures

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Impossible future updates with symmetric patterns of

communications

β

Active Object Active Object Active Object

λδ < βλ γλ<

γ

AO( )δ

δ

γAO( )

Reqγ

f 2

Reqδ

2f’

λλδ < γ

<βλ γλ

PhD Defense - jump to start 25

Service-Oriented Computing and futures (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Future updates are possible in asymmetric patterns of

communications

β

Active Object Active Object Active Object

λδ < βλ γλ<2f’

γ

AO( )δ

δ

γAO( )

Reqγ

f 2

Reqδ

PhD Defense - jump to start 26

Service-Oriented Computing and futures (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Future updates are possible in asymmetric patterns of

communications

β

Active Object Active Object Active Object

λδ < βλ γλ<2f’

γ

AO( )δ

δ

γAO( )

Reqγ

f 2

Reqδ

future reference

PhD Defense - jump to start 26

Service-Oriented Computing and futures (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Future updates are possible in asymmetric patterns of

communications

β

Active Object Active Object Active Object

λδ < βλ γλ<2f’

γ

AO( )δ

δ

γAO( )

Reqγ

f 2

Reqδ

future reference

λλδ < β

PhD Defense - jump to start 26

Implementation of the Security Model

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Architecture of active objects

passiveobject

futurevalue

currentrequest

pendingrequests

references tofuture values

FutureProxy

BodyProxy

future

local JVM remote JVM

Request queue structure

A

Stub_BBody

B

PhD Defense - jump to start 27

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Security schema for active objects

ProActivemiddlewarelayer

Applicationlayer

A

Stub-B

B

Body

PhD Defense - jump to start 28

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Security schema for active objects

ProActivemiddlewarelayer

Applicationlayer

A

Stub-B

B

Body

security sublayer EF / DF AF AF EF / DF

PhD Defense - jump to start 28

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Security schema for active objects

ProActivemiddlewarelayer

Applicationlayer

A

Stub-B

B

Body

security sublayer EF / DF AF AF EF / DF

JVM Y

Java API Java APIlayerJava

JVM X

PhD Defense - jump to start 28

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Security schema for active objects

ProActivemiddlewarelayer

Applicationlayer

A

Stub-B

B

Body

security sublayer EF / DF AF AF EF / DF

JVM Y

Java API Java APIlayerJava

JVM X

request request

PhD Defense - jump to start 28

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Security schema for active objects

ProActivemiddlewarelayer

Applicationlayer

A

Stub-B

B

Body

security sublayer EF / DF AF AF EF / DF

JVM Y

Java API Java APIlayerJava

JVM X

request request

requestauthorized

PhD Defense - jump to start 28

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Security schema for active objects

ProActivemiddlewarelayer

Applicationlayer

A

Stub-B

B

Body

security sublayer EF / DF AF AF EF / DF

JVM Y

Java API Java APIlayerJava

JVM X

request request

requestauthorized

reply reply

PhD Defense - jump to start 28

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Security schema for active objects

ProActivemiddlewarelayer

Applicationlayer

A

Stub-B

B

Body

security sublayer EF / DF AF AF EF / DF

JVM Y

Java API Java APIlayerJava

JVM X

request request

requestauthorized

reply reply

authorizedreply

PhD Defense - jump to start 28

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Detailed Security sub-layer

PhD Defense - jump to start 29

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Detailed Security sub-layer

flow control SecurityManager

Java API

EF

or migrateTo)reply,request,turnActive,(newActive,

intercepted action

• EF = flow control mechanism as a Java Security Manager

PhD Defense - jump to start 29

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Detailed Security sub-layer

flow control SecurityManager

Java API

EF

or migrateTo)reply,request,turnActive,(newActive,

intercepted action

setup

DFPDP

ContextHandler

XACMLpolicy

file

• EF = flow control mechanism as a Java Security Manager

• DF = Context Handler + Policy Decision Point + XACML file

PhD Defense - jump to start 29

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Detailed Security sub-layer

flow control SecurityManager

Java API

EF

or migrateTo)reply,request,turnActive,(newActive,

intercepted action

setup

DFPDP

ContextHandler

XACMLpolicy

fileAF

PIP AOPIP

• EF = flow control mechanism as a Java Security Manager

• DF = Context Handler + Policy Decision Point + XACML file

• AF = Policy Information Point + active object PIP

PhD Defense - jump to start 29

Implementation of the Security Model (contd.)

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Detailed Security sub-layer

flow control SecurityManager

Java API

EF

or migrateTo)reply,request,turnActive,(newActive,

intercepted action

setup

DFPDP

ContextHandler

XACMLpolicy

fileAF

PIP AOPIP

• EF = flow control mechanism as a Java Security Manager

• DF = Context Handler + Policy Decision Point + XACML file

• AF = Policy Information Point + active object PIP

PhD Defense - jump to start 29

Conclusions

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

PhD Defense - jump to start 30

Conclusions

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Expresiveness:

– Assignation of specific security levels to request

parameters and created activities

PhD Defense - jump to start 30

Conclusions

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Expresiveness:

– Assignation of specific security levels to request

parameters and created activities

• Scalability:

– Dynamic checks performed only at activity creation,

and inter-activity communications

PhD Defense - jump to start 30

Conclusions

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• Expresiveness:

– Assignation of specific security levels to request

parameters and created activities

• Scalability:

– Dynamic checks performed only at activity creation,

and inter-activity communications

• Extendable:

– XACML features provide a finer control on the

discretionary access control

PhD Defense - jump to start 30

Perspectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

PhD Defense - jump to start 31

Perspectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• TCSEC/ITSEC/CC level A/EAL7 can be attained (i.e.

formal design and verification)

PhD Defense - jump to start 31

Perspectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• TCSEC/ITSEC/CC level A/EAL7 can be attained (i.e.

formal design and verification)

• Further study of covert channels in distributed systems

PhD Defense - jump to start 31

Perspectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• TCSEC/ITSEC/CC level A/EAL7 can be attained (i.e.

formal design and verification)

• Further study of covert channels in distributed systems

• Static type checking in Java can be complemented

with our model

PhD Defense - jump to start 31

Perspectives

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

• TCSEC/ITSEC/CC level A/EAL7 can be attained (i.e.

formal design and verification)

• Further study of covert channels in distributed systems

• Static type checking in Java can be complemented

with our model

• The security mechanism can be applied to the

Components paradigm

PhD Defense - jump to start 31

Q&A

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Questions ?

Thank you for your attention

PhD Defense - jump to start 32

Q&A

Agenda

• Introduction

• Context

• Objectives

• Mechanisms

• ASP SecurityModel

• Implementation

• Conclusions

Questions ?

Thank you for your attention

PhD Defense - jump to start 32