1
From Chinese Wall Security Policy Models to Granular Computing
Tsau Young (T.Y.) Lin
[email protected] [email protected]
Computer Science Department, San Jose State University, San Jose, CA 95192,
and
Berkeley Initiative in Soft Computing, UC-Berkeley, Berkeley, CA 94720
2
From Chinese Wall Security Policy. . .
The goal of this talk is to illustrate how granular computing can be used to solve a long-outstanding problem in computer security.
3
Outline
1. Overview (Main Ideas)
2. Detailed Theory
Background
Brewer and Nash Vision
Formal Theory
4
Overview
New Methodology: Granular Computing
Classical Problem: Trojan Horses
5
Overview - Granular computing
Historical Notes
1. Zadeh (1979) Fuzzy sets and granularity
2. Pawlak, Tony Lee (1982): Partition Theory (RS)
3. Lin 1988/9: Neighborhood Systems (NS) and Chinese Wall (a set of binary relations; a non-reflexive . . .)
4. Stefanowski 1989 (Fuzzified partition)
5. Qing Liu & Lin 1990 (Neighborhood system)
6
Overview-Granular computing
Historical Notes
6. Lin (1992): Topological and Fuzzy Rough Sets
7. Lin & Liu: Operator View of RS and NS (1993)
8. Lin & Hadjimichael: Non-classificatory hierarchy (1996)
7
Overview
Problem Solving Paradigm
Divide and Conquer
1. Divide: Partition (= Equivalence Relation)
2. Conquer: Quotient sets (Bo ZHANG, Knowledge Level Processing)
3. Could this be generalized?
8
Overview-Example
Partition: disjoint granules (Equivalence Classes)
$[0]_4 = \{\dots, 0, 4, 8, \dots\} = \{4n\}$,
$[1]_4 = \{\dots, 1, 5, 9, \dots\} = \{4n+1\}$,
$[2]_4 = \{\dots, 2, 6, 10, \dots\} = \{4n+2\}$,
$[3]_4 = \{\dots, 3, 7, 11, \dots\} = \{4n+3\}$.
Quotient set $= \mathbb{Z}/4$ (in general $\mathbb{Z}/m$)
9
Overview-New Challenge?
Granulation: overlapping granules
$B_0 = \{\dots, 0, 4, 8, 12, \dots, 5, 9\}$
$B_1 = \{\dots, 1, 5, 9, \dots\}$
$B_2 = \{\dots, 2, 6, 10, \dots, 7\}$
$B_3 = \{\dots, 3, 7, 11, \dots, 6\}$.
Quotient set?
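The following Python code is an added example, not part of the slides: it builds granules from an arbitrary binary relation on a constructed finite window of the integers (0..15 standing in for Z), which generalizes the two slides above. The equivalence relation x = y (mod 4) yields the disjoint classes [0]_4 .. [3]_4 and a well-defined quotient set, while the overlapping granulation B0..B3 of this slide fails the partition test, so no quotient set exists. The helper names (neighborhoods, is_partition, quotient_set) and the window are assumptions of the example.

```python
from typing import Callable, Dict, FrozenSet, Hashable, Iterable, Optional, Set

Granules = Dict[Hashable, FrozenSet]

def neighborhoods(universe: Iterable[Hashable],
                  related: Callable[[Hashable, Hashable], bool]) -> Granules:
    """B(x) = {y in U | x R y}: the granule (neighborhood) of x under the binary relation R."""
    u = list(universe)
    return {x: frozenset(y for y in u if related(x, y)) for x in u}

def is_partition(universe: Iterable[Hashable], granules: Granules) -> bool:
    """True iff the distinct granules are non-empty, pairwise disjoint and cover U."""
    blocks = set(granules.values())
    if any(not b for b in blocks):
        return False
    covered: Set[Hashable] = set()
    for b in blocks:
        if covered & b:          # overlaps an earlier block: not a partition
            return False
        covered |= b
    return covered == set(universe)

def quotient_set(universe: Iterable[Hashable], granules: Granules) -> Optional[Set[FrozenSet]]:
    """U/R, the set of classes, when the granules partition U; None otherwise."""
    universe = list(universe)
    if not is_partition(universe, granules):
        return None
    return set(granules.values())

# Constructed finite window standing in for the integers Z on the slide.
Z_WINDOW = range(16)

# Divide by an equivalence relation: x ~ y iff x = y (mod 4) gives [0]_4 .. [3]_4.
MOD4 = neighborhoods(Z_WINDOW, lambda x, y: x % 4 == y % 4)

# The overlapping granulation from the slide (B0 also holds 5 and 9, B2 holds 7,
# B3 holds 6), written as a binary relation: x R y iff y lies in the listed
# granule for x's residue class.
_OVERLAP = {
    0: {0, 4, 8, 12, 5, 9},
    1: {1, 5, 9, 13},
    2: {2, 6, 10, 14, 7},
    3: {3, 7, 11, 15, 6},
}
OVERLAP = neighborhoods(Z_WINDOW, lambda x, y: y in _OVERLAP[x % 4])

def demo() -> dict:
    """Partition test and quotient set for the equivalence relation and the overlapping granulation."""
    return {
        "mod4_is_partition": is_partition(Z_WINDOW, MOD4),
        "mod4_classes": len(quotient_set(Z_WINDOW, MOD4)),
        "overlap_is_partition": is_partition(Z_WINDOW, OVERLAP),
        "overlap_quotient": quotient_set(Z_WINDOW, OVERLAP),
    }

if __name__ == "__main__":
    print(demo())
```

Running the block reports four classes for the mod-4 relation and no quotient set for the overlapping granulation, which is exactly why the classical divide-and-conquer step is unavailable for general granulation.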
10
Overview - Granular Computing: a New Paradigm?
The classical paradigm is unavailable for general granulation.
Research Direction: New Paradigm?
11
Overview - Granular Computing: a New Problem Solving Paradigm
Divide and Conquer (incremental development)
1. Divide: Granulation (binary relation)
Topological Partition
2. Conquer: Topological Quotient Set
12
Application - New Paradigm ?
Report:
Applying incremental progress in granulation to a classical problem in computer security
13
Overview - Trojan Horses
Classical Problem
Trojan Horses, e.g. virus propagation
14
Overview - Trojan Horses
Grader G is a conscientious student but lacks computer skills.
So a classmate C sets up a toolbox that includes, e.g., an editor, a spreadsheet, …;
15
Overview - Trojan Horses
C embeds a “copy program” into G’s tool; it sends a copy of G’s file to C
(the university system normally allows students to exchange information).
16
Overview - Trojan Horses
As the Grader is not aware of such Trojan Horses, he cannot stop them;
the system has to stop them!
Can it?
17
Overview - Trojan Horses
Can it?
In general, NO.
With constraints, YES: the Chinese (Great) Wall Security Policy.
18
Overview - Trojan Horses
Direct Information Flow (DIF); CIF, a sequence of DIFs, leaks the information legally!!!
[Diagram: Professor, Grader and Student linked by DIFs, the Trojan horse being one of the DIFs; the chain of DIFs forms the CIF across the three.]
19
Overview
End of Overview
20
Details
Background
21
Background
In the UK, a financial services company may be consulted by competing companies. Therefore it is vital to have a lawfully enforceable security policy.
22
Background
Brewer and Nash (BN) proposed the Chinese Wall Security Policy Model (CWSP) in 1989 for this purpose.
23
Background
The idea of CWSP was, and still is, fascinating;
Unfortunately, BN made a technical error.
24
Outline
BN’s Vision
25
BN: Intuitive Wall Model
Build a set of impenetrable Chinese Walls among company datasets so that
no corporate data that are in conflict can be stored on the same side of the Walls.
26
Policy: Simple CWSP (SCWSP)
"Simple Security": BN asserted that
"people (agents) are only allowed access to information which is not held to conflict with any other information that they (agents) already possess."
27
Could Policy Enforce the Goal?
“YES” was BN’s intent, but there is a technical flaw.
Yes, but it relates to an outstanding, difficult problem in Computer Security.
28
First analysis
Simple CWSP (SCWSP):
No single agent can read data X and Y
that are in CONFLICT
Is SCWSP adequate?
29
Formal Simple CWSP
SCWSP says that a system is secure, if
“(X, Y) in CIR implies X NDIF Y”
“(X, Y) not in CIR implies X DIF Y” (need to know may apply)
CIR = Conflict of Interests Binary Relation
30
More Analysis
SCWSP requires that no single agent can read X and Y,
but it does not exclude the possibility that a sequence of agents may read them.
Is it secure?
31
Aggressive CWSP (ACWSP)
The Intuitive Wall Model implicitly requires: no sequence of agents can read X and Y:
A0 reads X = X0 and X1,
A1 reads X1 and X2,
. . . An reads Xn = Y
32
Can SCWSP enforce ACWSP?
Related to a Classical Problem
Trojan Horses
33
Current States
1. BN-Theory (Rough Computing) - failed
2. Granular Computing Method
34
Formal Model
When an agent who has read both X and Y considers a decision for Y,
information in X may be used consciously or unconsciously.
35
Formal Model (DIF)
So the fair assumptions are:
if the same agent can read X and Y,
then X has direct information flow into Y, in notation X DIF Y,
and also Y DIF X . . .
36
Formal Simple CWSP
SCWSP says that a system is secure, if
“(X, Y) in CIR implies X NDIF Y”
“(X, Y) not in CIR implies X DIF Y”
CIR = Conflict of Interests Binary Relation
37
Composite Information flow
Composite Information Flow (CIF) is a sequence of DIFs such that
X = X0 DIF X1 DIF . . . DIF Xn = Y,
and we write X CIF Y.
NCIF: no CIF
38
Formal Aggressive CWSP
Aggressive CWSP says that a system is secure, if
“(X, Y) in CIR implies X NCIF Y”
“(X, Y) not in CIR implies X CIF Y”
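To make the gap between the two policies concrete, here is an added Python example, not from the slides or from Brewer and Nash: a reference monitor that enforces SCWSP on every read (an agent may not read an object in conflict with anything it already holds), plus an audit that derives DIF edges from the agents' read sets (the slides' assumption that X DIF Y and Y DIF X whenever one agent has read both) and computes CIF as the transitive closure of DIF. The dataset names OilA, OilB and BankA, the agent names, and all class and function names are constructed for the example.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Obj = str
Pair = FrozenSet[str]   # an unordered conflicting pair {X, Y}

def conflicts(cir: Set[Pair], x: Obj, y: Obj) -> bool:
    """(x, y) in CIR. CIR is stored as unordered pairs, so it is symmetric and anti-reflexive by construction."""
    return x != y and frozenset((x, y)) in cir

class SimpleCwspMonitor:
    """Grants a read only if the object conflicts with nothing the agent already holds (SCWSP)."""
    def __init__(self, cir: Set[Pair]):
        self.cir = cir
        self.holdings: Dict[str, Set[Obj]] = {}
        self.log: List[Tuple[str, Obj, bool]] = []

    def read(self, agent: str, obj: Obj) -> bool:
        held = self.holdings.setdefault(agent, set())
        allowed = not any(conflicts(self.cir, obj, h) for h in held)
        if allowed:
            held.add(obj)
        self.log.append((agent, obj, allowed))
        return allowed

    def dif_edges(self) -> Set[Tuple[Obj, Obj]]:
        """X DIF Y and Y DIF X whenever the same agent has read both (the slides' fair assumption)."""
        edges: Set[Tuple[Obj, Obj]] = set()
        for held in self.holdings.values():
            for x, y in combinations(sorted(held), 2):
                edges.add((x, y))
                edges.add((y, x))
        return edges

    def cif_reachable(self, src: Obj) -> Set[Obj]:
        """Objects Y with src CIF Y: the transitive closure of DIF starting at src."""
        edges = self.dif_edges()
        seen: Set[Obj] = set()
        stack = [src]
        while stack:
            x = stack.pop()
            for a, b in edges:
                if a == x and b not in seen:
                    seen.add(b)
                    stack.append(b)
        return seen

    def aggressive_violations(self) -> Set[Pair]:
        """Conflicting pairs (X, Y) with X CIF Y: every single read obeyed SCWSP, yet data leaked."""
        bad: Set[Pair] = set()
        for pair in self.cir:
            x, y = tuple(pair)
            if y in self.cif_reachable(x):
                bad.add(pair)
        return bad

def run_scenario() -> dict:
    """Constructed datasets: two oil companies in conflict, one bank in conflict with neither."""
    cir = {frozenset(("OilA", "OilB"))}
    m = SimpleCwspMonitor(cir)
    # One agent reading both conflicting datasets: the second read is denied by SCWSP.
    direct = m.read("A0", "OilA") and m.read("A0", "OilB")
    # A sequence of agents, as on the slide: A1 reads X0 = OilA and X1 = BankA,
    # A2 reads X1 = BankA and X2 = OilB. Every read is allowed by SCWSP.
    chain = (m.read("A1", "OilA") and m.read("A1", "BankA")
             and m.read("A2", "BankA") and m.read("A2", "OilB"))
    return {
        "single_agent_denied": not direct,
        "chain_all_allowed": chain,
        "oilA_cif_reaches_oilB": "OilB" in m.cif_reachable("OilA"),
        "aggressive_violations": m.aggressive_violations(),
    }

if __name__ == "__main__":
    print(run_scenario())
```

The audit flags the pair {OilA, OilB} even though the monitor denied no read in the chain. Note that this CIR is not anti-transitive in the sense of the theorem later in the talk: (OilA, OilB) is in CIR, yet BankA conflicts with neither, which is precisely the gap a chain of agents exploits.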
39
The Problem
Does Simple CWSP imply Aggressive CWSP?
This is a malicious Trojan Horse problem.
40
Need ACWSP Theorem
Theorem. If CIR is anti-reflexive, symmetric and anti-transitive, then
Simple CWSP implies Aggressive CWSP.
41
Solution
BN’s solution
GrC Solution
42
BN-Theory(failed)
BN assumed:
Corporate data are decomposed into Conflict of Interest Classes (CIR-classes)
(this implies that CIR is an equivalence relation)
43
BN-Theory: BN assumption: CIR-classes
[Diagram of BN's assumed CIR-classes: Class A = {f, g, h}, Class B = {i, j, k}, Class C = {l, m, n}]
44
BN-Theory: Can they be partitioned?
[Diagram: US, Russia; UK?; France, Germany]
45
BN-theory
Is CIR Equivalence Relation?
NO (will prove)
46
Some Mathematics
A partition corresponds to an Equivalence Relation
[Diagram: Class A = {f, g, h}, Class B = {i, j, k}, Class C = {l, m, n}]
47
Some Mathematics
Partition corresponds to Equivalence Relation:
X is equivalent to Y (Equivalence Relation)
if and only if
both belong to the same class/granule
48
Equivalence Relation: Generalized Identity
X is related to X (Reflexive)
X related to Y implies Y related to X (Symmetric)
X related to Y and Y related to Z implies X related to Z (Transitive)
49
Is CIR Symmetric?
US (conflict) USSR
implies
USSR (conflict) US ?
YES
50
Is CIR Transitive?
US (conflict) Russia
Russia (conflict) UK
UK ? US
NO
51
Is CIR Reflexive?
Is CIR self conflicting?
US (conflict) US ?
NO
52
Is CIR Equivalence Relation?
NO
53
Overlapping CIR-classes
• CIR is not an equivalence relation, so CIR-classes do overlap
[Diagram: overlapping CIR-classes containing US, UK, Iraq, . . . and USSR]
54
BN-Theory
BN-Theory Failed, but
BN’s intention is valid
55
New Theory
Formalize BN’s intuition:
O: the set of objects (company datasets)
X, Y, . . . are objects
56
Summary on Simple CWSP
“If X and Y have no conflict, then they can be read by the same agent”
“(X, Y) in CIR implies X NDIF Y”
B(X) = {Y | X NDIF Y} = {Y | (X, Y) in CIR}
57
Granule (“Access Lists”)
B(X) is the set of objects that information of X canNOT flow into.
Granule / Neighborhood = “Access Denied List”
58
DAC and GrC
The association
$B : O \to 2^{O};\quad X \mapsto B(X)$
DAC (Discretionary Access Control Model) corresponds to a Basic (binary) Granulation / Neighborhood System
59
Derived Equivalence Relation
The inverse images of B form a partition (an equivalence relation):
$C = \{\, C_p \mid C_p = B^{-1}(B_p),\ p \in V \,\}$
This is the heart of this talk.
60
The set C of the center sets of CIR
The set C of center sets $C_p$ is a partition
[Diagram: center sets such as {Iraq, . . .}, {US, UK, . . .}, {Germany, . . .}]
61
C and CIR classes: IJAR = $C_p$
[Diagram comparing the CIR-classes with the $C_p$-classes]
62
C and CIR classes
[Diagram comparing the CIR-classes with the $C_p$-classes]
63
C and CIR classes: CIR anti-reflexive, symmetric, anti-transitive
[Diagram comparing the CIR-classes with the $C_p$-classes under the three conditions]
64
Derived Equivalence Relation
$C_p$ is called the center set of $B_p$.
A member of $C_p$ is called a center.
65
Derived Equivalence Relation
The center set $C_p$ consists of all the points that have the same granule:
$C_p = \{\, q \mid B_q = B_p \,\}$
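As an added Python example, not from the slides, the code below computes the access-denied granules B(X) = {Y | (X, Y) in CIR}, the center sets C_p = {q | B_q = B_p} as the inverse images of B, and checks the three conditions on CIR used by the Aggressive CWSP theorem (anti-reflexive, symmetric, anti-transitive in the sense of the appendix); it then compares the center sets with the IJAR-classes, IJAR being the complement of CIR. The dataset labels and both relations are constructed: one relation has every pair across the blocs {US, UK}, {USSR}, {Iraq} in conflict, the other is a "need to know"-style relaxation. All function names are assumptions of the example.

```python
from typing import Dict, FrozenSet, Hashable, Iterable, Set, Tuple

Rel = Set[Tuple[Hashable, Hashable]]

def symmetric_closure(pairs: Iterable[Tuple[Hashable, Hashable]]) -> Rel:
    """Store each conflict in both directions so CIR is symmetric by construction."""
    pairs = list(pairs)
    return {(a, b) for a, b in pairs} | {(b, a) for a, b in pairs}

def denied_lists(objs: Iterable[Hashable], cir: Rel) -> Dict[Hashable, FrozenSet]:
    """B(X) = {Y | (X, Y) in CIR}: the granule of X, read as an access-denied list."""
    objs = list(objs)
    return {x: frozenset(y for y in objs if (x, y) in cir) for x in objs}

def center_sets(granules: Dict[Hashable, FrozenSet]) -> Set[FrozenSet]:
    """C_p = {q | B_q = B_p}: the inverse images of the map B, which always partition the objects."""
    by_granule: Dict[FrozenSet, Set[Hashable]] = {}
    for p, bp in granules.items():
        by_granule.setdefault(bp, set()).add(p)
    return {frozenset(s) for s in by_granule.values()}

def ijar_classes(objs: Iterable[Hashable], cir: Rel) -> Set[FrozenSet]:
    """IJAR is the complement of CIR; the IJAR-class of p is {q | (p, q) not in CIR}."""
    objs = list(objs)
    return {frozenset(q for q in objs if (p, q) not in cir) for p in objs}

def is_partition(objs: Iterable[Hashable], blocks: Set[FrozenSet]) -> bool:
    """Non-empty blocks that are pairwise disjoint and cover the object set."""
    universe = set(objs)
    return (all(blocks)
            and sum(len(b) for b in blocks) == len(universe)
            and set().union(*blocks) == universe)

def is_anti_reflexive(objs: Iterable[Hashable], cir: Rel) -> bool:
    return all((x, x) not in cir for x in objs)

def is_symmetric(cir: Rel) -> bool:
    return all((b, a) in cir for a, b in cir)

def is_anti_transitive(objs: Iterable[Hashable], cir: Rel) -> bool:
    """(u, v) in CIR implies that every w conflicts with u or with v (the appendix's condition)."""
    objs = list(objs)
    return all((u, w) in cir or (w, v) in cir for (u, v) in cir for w in objs)

def analyse(objs: Iterable[Hashable], cir: Rel) -> Dict[str, bool]:
    """The three theorem conditions plus the partition and IJAR comparisons for the center sets."""
    objs = list(objs)
    c = center_sets(denied_lists(objs, cir))
    return {
        "anti_reflexive": is_anti_reflexive(objs, cir),
        "symmetric": is_symmetric(cir),
        "anti_transitive": is_anti_transitive(objs, cir),
        "center_sets_partition": is_partition(objs, c),
        "center_sets_equal_ijar": c == ijar_classes(objs, cir),
    }

# Constructed dataset labels in the spirit of the slides.
OBJS = ("US", "UK", "USSR", "Iraq")
# CIR_BLOCS: every pair of datasets in different blocs {US, UK}, {USSR}, {Iraq} is in conflict.
CIR_BLOCS = symmetric_closure([("US", "USSR"), ("US", "Iraq"), ("UK", "USSR"),
                               ("UK", "Iraq"), ("USSR", "Iraq")])
# CIR_NTK: a constructed "need to know"-style relaxation in which UK is not in
# conflict with Iraq and USSR is not in conflict with Iraq.
CIR_NTK = symmetric_closure([("US", "USSR"), ("US", "Iraq"), ("UK", "USSR")])

if __name__ == "__main__":
    for name, cir in (("CIR_BLOCS", CIR_BLOCS), ("CIR_NTK", CIR_NTK)):
        print(name, analyse(OBJS, cir))
```

For CIR_BLOCS all three conditions hold and the center sets {US, UK}, {USSR}, {Iraq} coincide with the IJAR-classes. For CIR_NTK anti-transitivity fails ((US, Iraq) is in CIR, but UK conflicts with neither), the center sets are still a partition, as the inverse images of any map must be, but they no longer equal the IJAR-classes, which overlap.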
66
Aggressive CWSP Theorem
Theorem. If CIR is anti-reflexive, symmetric and anti-transitive, then
C = IJAR (= complement of CIR).
67
Aggressive CWSP
CIR (with the three conditions) only allows information sharing within one IJAR-class.
An IJAR-class is an equivalence class, so there is no danger that the information will spill outside.
68
ACWSP
Theorem. If CIR is anti-reflexive, symmetric and anti-transitive, then
Simple CWSP implies Strong CWSP.
69
Conclusions
1. The classical problem solving paradigm requires partitioning (an equivalence relation), which may be too strong.
2. Classical idea is extended to granulation (binary relation)
70
Conclusions
3. A small success in applying the new paradigm to computer security.
4. CWSP is one of the bigger problems: managing the Information Flow Model in DAC; this was considered impossible in the past.
71
Conclusions
5. BN’s requirements imply that IJAR is an equivalence class. However, if we impose a “need to know” constraint, then IJAR is not an equivalence class. Under such constraints, we have a weaker form of the CWSP theorem.
72
Appendix: Aggressive CWSP Theorem
Suppose CIR is anti-transitive and non-empty, where anti-transitive means that (u, v) in CIR implies that, for every w in V, at least one of (u, w) or (w, v) belongs to CIR. Let (x, y) and (y, z) be in IJAR; we need to show that (x, z) is in IJAR. Assume to the contrary that it is in CIR; then by anti-transitivity one and only one of (x, y) or (y, z) is in CIR, which is the contradiction.