A Security Model/Enforcement Framework with Assurance for a Distributed Environment

C. Phillips, S. Demurjian, and T.C. Ting
Computer Science & Engineering Department
The University of Connecticut
Storrs, Connecticut 06269-3155
[email protected]
{steve,ting}@engr.uconn.edu
http://www.engr.uconn.edu/~steve
(860) 486 - 4818

CSE333 (PowerPoint presentation)

Page 1: A Security Model/Enforcement Framework with Assurance for a Distributed Environment


Page 2: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Motivation

[Figure: Legacy, COTS, GOTS and Database artifacts connected over a network to Java, GOTS, Legacy, Database and COTS clients]

Premise: Artifacts - a set of DB, Legacy, COTS and GOTS systems, each with an API
Premise: Users - new and existing, who utilize the artifact APIs
Distributed Application (DA) = Artifacts + Users

Can we control user access to artifact APIs (methods) by:
  Role (who)
  Classification (MAC)
  Time (when)
  Data (what)

Page 3: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Motivation: API Access Based on Role/Classification

Can we control access based on Role?

[Figure: Legacy API with methods L1, L2, L3 and COTS API with methods C1, C2, C3, C4, C5. Java client User A in Role X is authorized to C1, C2, C3, C5, L1, L2; Java client User B in Role Y is authorized to C1, C4, L2, L3]

Can we control access based on Classification? (high T > S > C > U low)

[Figure: methods classified as Legacy T: L1, C: L2, U: L3 and COTS T: C1, S: C2, S: C3, T: C4, C: C5. User A in Role X is authorized Secret (S); User B in Role Y is authorized Confidential (C)]

Page 4: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Motivation: API Access Based on Time/Value

Can we control access based on Time?

[Figure: User A in Role X is authorized to C1 during time interval (TI) a, C4 during TI b, L1 during TI c; User B in Role Y is authorized to C2 during TI d, L1 during TI e]

Can we control access based on Data Values?

[Figure: Legacy methods L1 (f), L2 (g), L3 (h); COTS methods C1 (a), C2 (b), C3 (c), C4 (d), C5 (e). User A in Role X is authorized to X.C1 (a < 30), X.C4 (d > 40), X.L1 (f = 10); User B in Role Y is authorized to Y.C2 (0 < b < 99), Y.L1 (f = 100)]

Page 5: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Overview of Remainder of Talk

Problem Statement
Research Goals and Objectives
Relevance/Importance of Research
Distributed Environment Assumptions
Unified Security Model for RBAC/MAC
Security Enforcement Framework
Security Assurance: Design Time and Run Time Checks
Role Delegation Extensions and Capabilities
Analysis vs. SSE-CMM and Evaluation vs. DCP
Concluding Remarks

Page 6: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Problem Statement - Research Foci

[Figure: research foci]
  Unified RBAC/MAC Security Model
  Security Policy Definition
  RBAC/MAC Enforcement Framework
  Security Administrative and Management Tools
  Design Time Security Assurance
  Run Time Security Assurance
  Analyses of RBAC/MAC Model/Framework Against SSE-CMM
  Evaluation of RBAC/MAC Model Using DCP

Page 7: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Research Goals and Objectives

Security Model that Unifies RBAC/MAC with Constraints Based on Method Signature (How), Time (When), and Security Clearances and Classifications
Security Policy and Enforcement Assurance
  Design Time (During Security Policy Definition) Security Assurance
  Run Time (Executing Application) Security Enforcement
RBAC/MAC Model for a Distributed Setting
  Leverage Middleware Capabilities
  Flexible, Portable, Platform Independent Security with Minimal/Controlled Impact

Page 8: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Research Goals and Objectives

Method-Level Approach
  Constraints using: Role, MAC, Time, and Data
  Customized Access to APIs of Artifacts
  Contrast with Object Level Approach
Assessment: Security Model/Enforcement
  Analysis Versus CMU's Systems Security Engineering Capability Maturity Model (SSE-CMM)
  Evaluation of Utility of Approach for Supporting the Dynamic Coalition Problem
Prototype
  Administrative and Management Tools - Assurance
  Security Resources/Middleware - Enforcement

Page 9: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Relevance/Importance of Research

Shrinking Military More Reliant on the Civilian Sector for Operational Support and Internet Usage
  Legacy Software Systems
  COTS and GOTS
  Shared Databases
Flexible Security Policy Realization and Enforcement in Support of Coalition Warfare
  Classified and Non-Classified Information
  Rapid Deployment and Easy to Use
  Platform Independence
Growing Need for Multi-level Security Solutions
  Currently Government Systems Avoid MAC
  Difficult to Realize and Manage

Page 10: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Distributed Environment Assumptions

Assume Presence of Middleware (JINI, CORBA):
  Provides Bridge Between Software Artifacts
  Allows Software Artifacts to Register/Publish their APIs for use by Clients/Other Resources
Lookup Service: Middleware that Provides the Means for Software Artifacts (Resources) and Clients to Interact
A Resource is a Software Artifact Accessible via an API (e.g., C++, Java, etc.) Consisting of Services
A Service is a Logical Grouping of Public Methods that are Registered with the Lookup Service
A Method has a Signature Consisting of a Possibly Null Return Type and Zero or More Parameters

Page 11: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Global Command and Control System (GCCS) Resource/Service/Methods

GCCS Resource with Two Services

Joint Service with Methods (a.k.a.):
  Weather (Token); METOC
  VideoTeleconference (Token, fromOrg, toOrg); TLCF
  JointOperationsPlanning (Token, CrisisNum); JOPES
  CrisisPicture (Token, CrisisNum, Grid1, Grid2); COP
  TransportationFlow (Token); JFAST
  LogisticsPlanningTool (Token, CrisisNum); LOGSAFE
  DefenseMessageSystem (Token); DMS
  NATOMessageSystem (Token); CRONOS

Component Service with Methods (a.k.a.):
  ArmyBattleCommandSys (Token, CrisisNum); ABCS
  AirForceBattleManagementSys (Token, CrisisNum); TBMCS
  MarineCombatOpnsSys (Token, CrisisNum); TCO
  NavyCommandSystem (Token, CrisisNum); JMCIS

Page 12: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Security Enforcement Framework: Software Architecture

[Figure: Wrapped Resources for Legacy, Database and COTS applications and a General Resource register with the Lookup Service; Java, Legacy, Database and COTS clients and a Software Agent find them through the Lookup Service. The Unified Security Resource (USR) provides Security Registration Services, Security Policy Services and Security Authorization Services, which are used by the Security Policy Client (SPC), the Security Authorization Client (SAC), the Security Delegation Client (SDC) and Security Analysis and Tracking (SAT)]

Page 13: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Security Enforcement Framework

Unified Security Resource Services to:
  Manage URs and Privileges
  Authorize URs to Users
  Identify Users and Track Security Behavior
Associated Administrative/Management Tools
  Security Policy Client to Grant/Revoke Privileges (TCs, methods, SCs) and set CLS/CLR
  Security Authorization Client to Assign CLRs and Authorize URs to End Users
  Security Analysis Tool (SAT) to Track all Client Activity (Logons/Method Invocations)

Page 14: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Lifetimes Concept

Definition 1: A lifetime, LT, is a discrete time interval [LT.st, LT.et] with LT.et > LT.st. LT.st (start time) and LT.et (end time) are tuples (day, month, year, hour, minute, second).
$X \subseteq Y$ means $X.LT.st \ge Y.LT.st$ and $X.LT.et \le Y.LT.et$; $X \supseteq Y$ is equivalent to $Y \subseteq X$.
$LT = [ct, \infty]$ means current time (ct) onward.

The intersection of two lifetimes X and Y: let $ST = \max\{X.st, Y.st\}$ and $ET = \min\{X.et, Y.et\}$. Then
$$X \cap Y = \begin{cases} \emptyset & \text{if } ST > ET \quad (1.1) \\ [ST, ET] & \text{if } ST \le ET \quad (1.2) \end{cases}$$
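The lifetime operations of Definition 1 in Python, as an added example that is not code from the deck or its prototype: construction with the six-field timestamps, containment, intersection per (1.1)/(1.2) with [ct, ∞] encoded as an open end, and the window that results when every lifetime governing an invocation is intersected. The sample values reuse user, role and time-constraint lifetimes from the deck's later examples; the dt() helper and the None-as-infinity encoding are this example's own choices.

```python
from datetime import datetime
from typing import Iterable, Optional, Tuple

# A lifetime LT = [st, et] (Definition 1); et = None encodes the open end of [ct, ∞].
Lifetime = Tuple[datetime, Optional[datetime]]


def dt(day: int, month: int, year: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    """Build a timestamp from the (day, month, year, hour, minute, second) tuple of Definition 1."""
    return datetime(year, month, day, hour, minute, second)


def lifetime(st: datetime, et: Optional[datetime] = None) -> Lifetime:
    """Construct a lifetime, enforcing LT.et > LT.st; omit et for [ct, ∞]."""
    if et is not None and et <= st:
        raise ValueError("lifetime end must be after its start")
    return (st, et)


def _le(a: Optional[datetime], b: Optional[datetime]) -> bool:
    """a <= b on end times, where None stands for +infinity."""
    if b is None:
        return True
    if a is None:
        return False
    return a <= b


def contains(outer: Lifetime, inner: Lifetime) -> bool:
    """inner ⊆ outer: inner.st >= outer.st and inner.et <= outer.et."""
    return outer[0] <= inner[0] and _le(inner[1], outer[1])


def intersect(x: Lifetime, y: Lifetime) -> Optional[Lifetime]:
    """X ∩ Y as in (1.1)/(1.2): ST = max{X.st, Y.st}, ET = min{X.et, Y.et};
    the result is empty (None) when ST > ET."""
    st = max(x[0], y[0])
    ends = [e for e in (x[1], y[1]) if e is not None]
    et = min(ends) if ends else None
    if et is not None and et < st:
        return None
    return (st, et)


def effective_window(lifetimes: Iterable[Lifetime]) -> Optional[Lifetime]:
    """Intersect every lifetime that governs an action (user LT, role LT, method LT,
    time constraint); the action can only happen inside the result."""
    window: Optional[Lifetime] = None
    for lt in lifetimes:
        window = lt if window is None else intersect(window, lt)
        if window is None:
            return None
    return window


def active_at(lt: Lifetime, t: datetime) -> bool:
    """Is the instant t inside the lifetime (the run-time "when" check)?"""
    return lt[0] <= t and _le(t, lt[1])


if __name__ == "__main__":
    do_good = lifetime(dt(1, 12, 2000), dt(1, 6, 2001))       # user LT from the deck's examples
    jplanner_cr1 = lifetime(dt(1, 12, 2000), dt(1, 6, 2001))  # role LT
    abcs_tc = lifetime(dt(10, 12, 2000), dt(16, 2, 2001))     # TC on ArmyBattleCommandSys
    print(effective_window([do_good, jplanner_cr1, abcs_tc]))  # the window in which DoGood may invoke it
```

The run-time check a practitioner wants is the last function: a method invocation is permitted only if the current time lies in the intersection of every applicable lifetime, and an empty intersection at design time means the authorization can never be exercised and should be rejected when it is defined.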

Page 15: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Concept of Containment of Lifetimes

[Figure: containment of lifetimes]

Page 16: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Usage of Lifetimes

Lifetimes are Important Concepts since they Delineate "When" an Action or Usage Can Occur
For Example:
  "When" is a User Role Authorized to invoke a Method?
  "When" is a User Authorized to a User Role?
  "When" Does a Resource Make its Services Available in the Distributed Environment?
Overall - LTs Control the Time Constrained Behavior for Security

Page 17: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Examples of Lifetimes

[Figure: examples of lifetimes]

Page 18: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Related Work: Lifetimes

Leasing [Wald99]
Temporal Constraints [Bert96, Bert01, Ahn00]
DBMS Constraints [Bark01, Nota95]
User Constraints [Sand98, Zurk96]
Similarities and Differences:
  Extend the Leasing Concept from Resources, Services, and Methods to the LTs of URs/Users
  Temporal Constraints used on Objects and Work Flow are applied to Resources, URs, and Users, which Allows for Less Code Modification and Dynamic Changes
  LTs in Conjunction with Method Time Constraints Improve Granularity and Provide Increased Flexibility for Security Policy

Page 19: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: MAC Concept

Definition 2: Relevant MAC Concepts are:
  A sensitivity level, SLEVEL, SLEVEL = {U, C, S, T}: unclassified (U) - no impact; confidential (C) - causes some damage; secret (S) - causes serious damage; top secret (T) - causes exceptionally grave damage
  SLEVELs form a hierarchy: U < C < S < T
  Clearance (CLR) is the SLEVEL given to users
  Classification (CLS) is the SLEVEL given to entities (roles, objects, methods, etc.)
Note: We Utilize 4 Levels of Sensitivity; the Approach Will Work for n Levels

Page 20: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Distributed Application

Definition 3: A Distributed Application, DAPPL, is Composed of a Set of Software/System Resources (e.g., a Legacy, COTS, DB, etc.), Each Composed of a Set of Services, Which in Turn Are Each Composed of a Set of Methods, Namely:
$$R = \{R_i \mid 1 \le i \le m\}$$
$$S_i = \{S_{ij} \mid 1 \le j \le n_i\}$$
$$M_{ij} = \{M_{ijk} \mid 1 \le k \le q_{ij}\}$$
$R_i.S_{ij}.M_{ijk}$ Uniquely Identifies Each Method

Page 21: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Methods

Every Method of a Service of a Resource Must be Registered from a Security Perspective
Registration of Signature and Security Information
  Lifetime of Method (When Available for Use)
  Classification of Method (Level of Use)
Definition 4: Every method $R_i.S_{ij}.M_{ijk}$ is registered as:
$$M_{ijk} = [M_{ijk}^{Name}, M_{ijk}^{LT}, M_{ijk}^{CLS}, M_{ijk}^{Params}]$$
  Default CLS is U
  Default LT = [ct, ∞]
  The Resource, by Registering, Sets CLS and LT

Page 22: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Services

Definition 5: Every service is registered as:
$$S_{ij} = [S_{ij}^{Name}, S_{ij}^{LT}, S_{ij}^{CLS}]$$
where
$$S_{ij}.LT.st = \min\{M_{ijk}.LT.st \mid k = 1 \ldots q_{ij}\}$$
$$S_{ij}.LT.et = \max\{M_{ijk}.LT.et \mid k = 1 \ldots q_{ij}\}$$
$$S_{ij}.CLS = \min\{M_{ijk}.CLS \mid 1 \le k \le q_{ij}\}$$
Note that LT and CLS are Inferred from the LT and CLS of the Methods that Comprise the Service

Page 23: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Resource

Definition 6: Every resource is registered as:
$$R_i = [R_i^{Name}, R_i^{LT}, R_i^{CLS}]$$
where
$$R_i.LT.st = \min\{S_{ij}.LT.st \mid j = 1 \ldots n_i\}$$
$$R_i.LT.et = \max\{S_{ij}.LT.et \mid j = 1 \ldots n_i\}$$
$$R_i.CLS = \min\{S_{ij}.CLS \mid 1 \le j \le n_i\}$$
Note that LT and CLS are Inferred from the LT and CLS of the Services that Comprise the Resource

Page 24: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Clearances/Classifications Example

(C) GCCS Resource: C = min{Service CLSs}
  (S) Joint Service with Methods (a.k.a.): S = min{Method CLSs}
    (S) Weather (Token); METOC
    (S) VideoTeleconference (Token, fromOrg, toOrg); TLCF
    (S) JointOperationsPlanning (Token, CrisisNum); JOPES
    (S) CrisisPicture (Token, CrisisNum, Grid1, Grid2); COP
    (S) TransportationFlow (Token); JFAST
    (S) LogisticsPlanningTool (Token, CrisisNum); LOGSAFE
    (S) DefenseMessageSystem (Token); DMS
    (T) NATOMessageSystem (Token); CRONOS
  (C) Component Service with Methods (a.k.a.): C = min{Method CLSs}
    (S) ArmyBattleCommandSys (Token, CrisisNum); ABCS
    (S) AirForceBattleManagementSys (Token, CrisisNum); TBMCS
    (S) MarineCombatOpnsSys (Token, CrisisNum); TCO
    (C) NavyCommandSystem (Token, CrisisNum); JMCIS

Note: The Access Classification Precedes Each Entry.
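The inference rules of Definitions 5 and 6 applied to this GCCS example, as an added example that is not code from the deck or its prototype. It computes a service's and a resource's CLS and LT from their methods, lets the minimum rule the deck uses be swapped for the maximum rule of conventional labelling, and shows why the minimum rule obliges the MAC check to stay at the method level. The method classifications are the ones listed above; the method lifetimes, the OPEN/CRISIS1 names and the helper names are constructed for this example.

```python
from datetime import date
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Sensitivity levels of Definition 2, ordered U < C < S < T.
SLEVELS = ("U", "C", "S", "T")
RANK = {lvl: i for i, lvl in enumerate(SLEVELS)}

LT = Tuple[date, Optional[date]]   # [st, et]; et = None is the open end of [ct, ∞]
Reg = Tuple[str, LT]               # (CLS, LT) as registered for a method, service or resource


def dominates(a: str, b: str) -> bool:
    """MAC domination: a dominates b when a is at least as sensitive as b."""
    return RANK[a] >= RANK[b]


def min_level(levels: Iterable[str]) -> str:
    return min(levels, key=RANK.__getitem__)


def max_level(levels: Iterable[str]) -> str:
    return max(levels, key=RANK.__getitem__)


def infer_lt(parts: Iterable[LT]) -> LT:
    """Definitions 5/6: start = min of the starts, end = max of the ends (an open end wins)."""
    parts = list(parts)
    st = min(p[0] for p in parts)
    ends = [p[1] for p in parts]
    et = None if any(e is None for e in ends) else max(ends)
    return (st, et)


def infer_service(methods: Dict[str, Reg], rule: Callable[[Iterable[str]], str] = min_level) -> Reg:
    """Service CLS and LT inferred from its methods (Definition 5). The deck takes the
    minimum CLS; pass rule=max_level for the conventional high-water-mark labelling."""
    return (rule(cls for cls, _ in methods.values()), infer_lt(lt for _, lt in methods.values()))


def infer_resource(services: Dict[str, Dict[str, Reg]],
                   rule: Callable[[Iterable[str]], str] = min_level) -> Reg:
    """Resource CLS and LT inferred from its services (Definition 6)."""
    inferred = [infer_service(m, rule) for m in services.values()]
    return (rule(cls for cls, _ in inferred), infer_lt(lt for _, lt in inferred))


def methods_dominated_by(clr: str, methods: Dict[str, Reg]) -> List[str]:
    """The methods a user with clearance clr passes the per-method MAC check for."""
    return [name for name, (cls, _) in methods.items() if dominates(clr, cls)]


# Classifications from the GCCS example; the lifetimes are constructed for this example,
# since the deck gives none for the GCCS methods.
OPEN: LT = (date(2000, 12, 1), None)
CRISIS1: LT = (date(2000, 12, 10), date(2001, 2, 16))
JOINT: Dict[str, Reg] = {
    "Weather": ("S", OPEN),
    "VideoTeleconference": ("S", OPEN),
    "JointOperationsPlanning": ("S", CRISIS1),
    "CrisisPicture": ("S", CRISIS1),
    "TransportationFlow": ("S", OPEN),
    "LogisticsPlanningTool": ("S", CRISIS1),
    "DefenseMessageSystem": ("S", OPEN),
    "NATOMessageSystem": ("T", OPEN),
}
COMPONENT: Dict[str, Reg] = {
    "ArmyBattleCommandSys": ("S", CRISIS1),
    "AirForceBattleManagementSys": ("S", (date(2000, 12, 1), date(2001, 3, 1))),
    "MarineCombatOpnsSys": ("S", (date(2000, 12, 1), date(2001, 3, 1))),
    "NavyCommandSystem": ("C", (date(2000, 12, 1), date(2001, 3, 1))),
}
GCCS = {"Joint": JOINT, "Component": COMPONENT}
```

With the minimum rule a Confidential clearance dominates the Component service's label (C) although three of its four methods are Secret; that is only safe because, as the deck states for run time, the clearance is checked against the method's own CLS at every invocation. A framework that short-circuited on the service or resource label would expose the Secret methods.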

Page 25: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Related Work: Clearances/Classifications

Lattice Based Access Control [Sand93]
MAC and RBAC [Nyan95, Osbo97, Osbo00]
DAC with Roles [Sand98]
Orange Book [DoD96]
MAC with Objects [Thur89]
Similarities and Differences:
  Our Approach is Opposite in that we Take the Minimum where the Standard Approach would Take the Maximum
  Our Security Approach is at the Method Level
  Our Approach is Dynamic in That CLRs and CLSs Can Be Changed During Runtime
  MAC Check at Invocation Eliminates the Need for Object Access or Change

Page 26: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: User Roles and UR List

Definition 7: A user role, UR, representing a set of responsibilities for an application, is defined as:
$$UR = [UR^{Name}, UR^{LT}, UR^{CLS}]$$
Notes: LT and CLS are Set by the Security Officer; Defaults are [ct, ∞] and U Respectively
Examples: Commander / Joint Planner - Crisis 1
  [CDR_CR1, UR_LT, T]
  [JPlannerCR1, [01dec00, 01jun01], S]
Definition 8: A user-role list, URL, is the set of r unique roles that have been defined for DAPPL.

Page 27: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Users and User List

Definition 9: A user, U, who will be accessing the DAPPL via a client application, is defined as:
$$U = [U^{UserId}, U^{LT}, U^{CLR}]$$
Notes: LT and CLR are Set by the Security Officer; Defaults are [ct, ∞] and U Respectively
Example Users:
  General DoBest: [DoBest, 1 year, T]
  Colonel DoGood: [DoGood, 6 mo., S]
Definition 10: A user list, UL, is the set of u users that have been defined for DAPPL.

Page 28: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Examples: Users, User-Roles, and URA

Users, $U = [U^{UserId}, U^{LT}, U^{CLR}]$:
  (T) General DoBest: [DoBest, [ct, ∞], T]
  (T) Colonel DoGood: [DoGood, [01dec00, 01jun01], T]
  (S) Major DoRight: [DoRight, [01dec00, 01jan01], S]
  (T) Major CanDoRight: [CanDoRight, [01jan01, 01feb01], T]

User-Roles, $UR = [UR^{Name}, UR^{LT}, UR^{CLS}]$:
  [CDR_CR1, [01dec00, ∞], T]
  [JPlannerCR1, [01dec00, 01jun01], S]
  [JPlannerCR2, [01jul01, 01sep01], C]
  [ArmyLogCR1, [10dec00, 01mar01], S]
  [ArmyLogCR2, [01jul01, 01aug01], C]

User Role Authorizations, $URA = [UR, M, TC, SC]$:
  [JPlannerCR1, CrisisPicture, [ct, ∞], true]
  [JPlannerCR1, ArmyBattleCommandSys, [10dec00, 16feb01], true]
  [ArmyLogCR1, CrisisPicture, [10dec00, 16feb01], Grid1 < NA20 AND Grid2 < NC40]
  [ArmyLogCR1, LogPlanningTool, [10dec00, 16feb01], CrisisNum = CR1]

Page 29: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Related Work: RBAC

Benefits of RBAC: Flexible, Ease of Use, Policy Realization [Bert97, Demu95, Ferr92, Nyan93, Sand96, Ting87]
Main Approaches:
  UConn - [Demu94…01, Hu94, Ting87]
  GMU - RBAC96 - [Ahn99…, Osbo96…, Sand96...]
  NIST - [Bark97, Ferr99…, Gavr98, Jeag97…]
Similarities and Differences:
  Our Approach Does Not Rely on a Role Hierarchy
  Administrative Duties are Separated for Ease of Use and Least Privilege
  Our Approach Can Realize Multiple Policies Simultaneously on Multiple Federated Resources

Page 30: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Signature Constraint

Definition 11: A Signature Constraint, SC, is a Boolean Expression Defined on the Signature of Method $M_{ijk}$ of Service $S_{ij}$ of Resource $R_i$ that Limits the Allowable Values of the Parameters. The Boolean Expression is:
  (return-type constraint) and (parameters constraint), where either/both could be null
  The Parameters Constraint uses AND, OR, NOT
Example: CrisisPicture (Token, CrisisNum, Grid1, Grid2);
  SC: Grid1 < NA20 and Grid2 < NC40
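A parser and evaluator for the parameters constraint of Definition 11, as an added example that is not code from the deck or its prototype. It accepts comparisons joined by AND, OR and NOT (including chains such as 0 < b < 99 from the motivation slides), binds names to the actual parameter values at run time, and rejects any other syntax, so an SC stored in the policy can never be turned into arbitrary code the way a naive eval() of the expression would allow. It also provides the design-time check that an SC refers only to parameters the method's registered signature declares. Grid references are written as string literals and compared lexicographically; that ordering, and the helper names, are assumptions of this example.

```python
import ast
import operator
import re
from typing import Any, Callable, Dict, Iterable, Set

# Comparison operators a signature constraint may use; everything else is rejected.
_CMP: Dict[type, Callable[[Any, Any], bool]] = {
    ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
    ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne,
}


class ConstraintError(ValueError):
    """Raised for syntax the SC grammar does not allow or for an unknown parameter name."""


def _normalise(sc: str) -> str:
    # The deck writes the connectives as AND, OR, NOT; map them to Python's keywords.
    return re.sub(r"\b(AND|OR|NOT)\b", lambda m: m.group(1).lower(), sc)


def _eval(node: ast.AST, params: Dict[str, Any]) -> Any:
    if isinstance(node, ast.Expression):
        return _eval(node.body, params)
    if isinstance(node, ast.BoolOp):
        results = (_eval(v, params) for v in node.values)
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, params)
    if isinstance(node, ast.Compare):  # also handles chains such as 0 < b < 99
        left = _eval(node.left, params)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _CMP:
                raise ConstraintError(f"operator {type(op).__name__} not allowed")
            right = _eval(comparator, params)
            if not _CMP[type(op)](left, right):
                return False
            left = right
        return True
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in params:
            raise ConstraintError(f"unknown parameter {node.id}")
        return params[node.id]
    # Calls, attribute access, subscripts, lambdas, arithmetic: not part of an SC.
    raise ConstraintError(f"syntax not allowed in a signature constraint: {type(node).__name__}")


def sc_parameters(sc: str) -> Set[str]:
    """Names an SC references; used by the design-time check against the method signature."""
    tree = ast.parse(_normalise(sc), mode="eval")
    return {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}


def undeclared_parameters(sc: str, signature: Iterable[str]) -> Set[str]:
    """Parameters the SC uses that the registered signature does not declare (empty set = OK)."""
    return sc_parameters(sc) - set(signature) if sc.strip() else set()


def evaluate_sc(sc: str, params: Dict[str, Any]) -> bool:
    """Run-time CheckSC: an empty SC is true (Definition 14); otherwise evaluate it over the
    actual parameter values. A malformed SC raises SyntaxError from ast.parse."""
    if not sc.strip():
        return True
    tree = ast.parse(_normalise(sc), mode="eval")
    return bool(_eval(tree, params))
```

Running undeclared_parameters() when an SC is granted (Grant_SC) catches a constraint that would fail at every invocation because it names a parameter the method does not have; evaluate_sc() is the run-time side, called with the ParamValueList of the invocation.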

Page 31: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Time Constraint

Definition 12: A time constraint, TC, is a lifetime that represents when a method can be assigned to a user role (or invoked by a user) or when a user is allowed to play a role. A TC has the default of [ct, ∞]. TC is utilized at design and run time together with:
  user role and method LTs, constraining when the method can be assigned
  user role, method, and user LTs, constraining when the method can be invoked
  user role and user LTs, constraining when the user can be authorized to the role
Example: ArmyBattleCommandSys (Token, CrisisNum); TC = [10dec00, 16feb01]

Page 32: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Related Work: Signature and Time Constraints

Temporal Constraints [Ahn00, Bert96, Bert01]
User Constraints [Sand98, Zurk96]
Similarities and Differences:
  Temporal Constraints used on Objects for Work Flow are applied to Methods as Time Constraints to Create an Operational Time Window for Valid Invocations
  Time Constraints are Role Dependent, so the Same Method in a Different Role Can Have a Different Time Constraint
  Lifetimes in Conjunction with Separate Method Time Constraints Improve Granularity and Provide Increased Flexibility for Security Policy
  Use of Flexible, Run-Time Signature Constraints is Unique for Role Based Access Control, but Similar to Other Programming Parameter/Argument Techniques

Page 33: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Mandatory Access Control Constraint

Definition 13: A mandatory access control constraint, MACC, is the domination of the SLEVEL of one entity over another entity:
  CLS of Role Dominates (≥) CLS of Resource, Service, or Method
  CLR of User Dominates (≥) CLS of Role
Example MACC checks:
  Design Time: CLS of Role vs. CLS of Resource, Service, or Method; CLR of User vs. CLS of Role
  Run Time: CLR of User vs. CLS of Resource, Service, or Method

Page 34: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: User Role Authorizations

Definition 14: A user-role authorization, URA, signifies a UR authorized to invoke a method under an optional TC and/or SC, and is defined as:
$$URA = [UR, M, TC, SC]$$
where
  UR is as given in Definition 7
  M is as given in Definition 4
  TC is as given in Definition 12 and is an LT that represents when the method is available to UR for invocation, with default [ct, ∞]
  SC is empty (true) or as given in Definition 11 and represents the parameter values for which the invocation can occur

Page 35: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: User Role Authorizations

Definition 15a: The UR authorization matrix, URAM, is an $r \times q$ matrix indexed by roles and methods:
$$URAM(UR_i, M_j) = \begin{cases} 1 & \text{if } UR_i \text{ is authorized to invoke } M_j \\ 0 & \text{otherwise} \end{cases}$$
Notes:
  Initially, URAM contains all 0 entries
  When $URAM(UR_i, M_j) = 1$ for some $URA = [UR_i, M_j, TC, SC]$, the authorization is a Valid URA (VURA)
  At Design Time, the UR CLS must dominate the M CLS and there must be Overlap of LT/TC

Page 36: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Example Users, User Roles, and URAs

[Figure: example users, user roles, and URAs]

Page 37: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Remaining Definitions

Definition 15b: A valid user-role authorization list, $VURAL = \{VURA_i \mid 1 \le i \le v\}$ where $v \le r \cdot q$, is the set of all VURAs with URAM(UR, M) = 1.
Definition 16: A user authorization, UA, is a user authorized to play a role:
$$UA = [U, UR, TC]$$
where
  U is as given in Definition 9
  UR is as given in Definition 7
  TC is as given in Definition 12 and represents the LT of the authorization

Page 38: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Remaining Definitions

Definition 17a: The user authorization matrix, UAM, is indexed by roles and users:
$$UAM(UR_i, U_j) = \begin{cases} 1 & \text{if } U_j \text{ is authorized to } UR_i \\ 0 & \text{otherwise} \end{cases}$$
Notes:
  Initially, UAM contains all 0 entries
  When $UAM(UR_i, U_j) = 1$ for some $UA = [U_j, UR_i, TC]$, the authorization is a Valid UA (VUA)
  At Design Time, a U's CLR must dominate a Role's CLS, with overlap of TC and LT

Page 39: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Example UAM and URAM Matrices

User Authorization Matrix (UAM): 1 = authorized, 0 = not

  User \ User-Role      ArmyLogCR1  ArmyLogCR2  JPlannerCR1  JPlannerCR2  CDR_CR1
  DoBest                     0           0           0            0          1
  DoGood                     0           0           1            1          0
  DoRight                    1           0           0            0          0
  CanDoRight                 0           1           0            0          0

User-Role Authorization Matrix (URAM): 1 = UR authorized to invoke Method, 0 = otherwise

  Method \ User-Role    ArmyLogCR1  ArmyLogCR2  JPlannerCR1  JPlannerCR2  CDR_CR1
  ArmyBattleCommandSys       1           1           1            1          1
  CrisisPicture              1           1           1            1          1
  MarineCombatOpnsSys        0           0           1            1          1
  LogPlanningTool            1           1           0            0          1
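The design-time validity checks behind the URAM and UAM entries (Definitions 15a and 17a) together with the run-time privilege check that the USR performs at invocation, as an added example that is not code from the deck or its prototype. Users, roles and URAs are taken from the examples on the preceding pages (DoBest, DoGood, DoRight; CDR_CR1, JPlannerCR1, JPlannerCR2, ArmyLogCR1), and method classifications from the GCCS example. The method lifetimes (left at the [ct, ∞] default), the "current time" of 20dec00, the client IP address, and the SCs written as Python callables rather than parsed expressions are assumptions of this example.

```python
from datetime import date
from typing import Callable, Dict, NamedTuple, Optional, Tuple

RANK = {"U": 0, "C": 1, "S": 2, "T": 3}   # U < C < S < T (Definition 2)
LT = Tuple[date, Optional[date]]          # [st, et]; et = None is the open end of [ct, ∞]
CT = date(2000, 12, 20)                   # constructed "current time" used for the [ct, ∞] defaults


def dominates(a: str, b: str) -> bool:
    return RANK[a] >= RANK[b]


def overlap(x: LT, y: LT) -> bool:
    """Do two lifetimes intersect (min of the ends >= max of the starts, Definition 1)?"""
    ends = [e for e in (x[1], y[1]) if e is not None]
    return not ends or min(ends) >= max(x[0], y[0])


def within(lt: LT, t: date) -> bool:
    return lt[0] <= t and (lt[1] is None or t <= lt[1])


User = NamedTuple("User", [("uid", str), ("lt", LT), ("clr", str)])                      # Definition 9
Role = NamedTuple("Role", [("name", str), ("lt", LT), ("cls", str)])                     # Definition 7
Method = NamedTuple("Method", [("name", str), ("lt", LT), ("cls", str)])                 # Definition 4
URA = NamedTuple("URA", [("ur", str), ("m", str), ("tc", LT), ("sc", Callable[[dict], bool])])  # Definition 14
UA = NamedTuple("UA", [("u", str), ("ur", str), ("tc", LT)])                             # Definition 16
Token = NamedTuple("Token", [("u", str), ("ur", str), ("ip", str), ("created", date)])   # Definition 18

USERS: Dict[str, User] = {u.uid: u for u in (
    User("DoBest", (CT, None), "T"),
    User("DoGood", (date(2000, 12, 1), date(2001, 6, 1)), "T"),
    User("DoRight", (date(2000, 12, 1), date(2001, 1, 1)), "S"),
)}
ROLES: Dict[str, Role] = {r.name: r for r in (
    Role("CDR_CR1", (date(2000, 12, 1), None), "T"),
    Role("JPlannerCR1", (date(2000, 12, 1), date(2001, 6, 1)), "S"),
    Role("JPlannerCR2", (date(2001, 7, 1), date(2001, 9, 1)), "C"),
    Role("ArmyLogCR1", (date(2000, 12, 10), date(2001, 3, 1)), "S"),
)}
# CLS from the GCCS example; the method lifetimes take the [ct, ∞] default (constructed).
METHODS: Dict[str, Method] = {m.name: m for m in (
    Method("CrisisPicture", (CT, None), "S"),
    Method("ArmyBattleCommandSys", (CT, None), "S"),
    Method("LogPlanningTool", (CT, None), "S"),
)}
CR1: LT = (date(2000, 12, 10), date(2001, 2, 16))
URAS = [
    URA("JPlannerCR1", "CrisisPicture", (CT, None), lambda p: True),
    URA("JPlannerCR1", "ArmyBattleCommandSys", CR1, lambda p: True),
    URA("ArmyLogCR1", "CrisisPicture", CR1, lambda p: p["Grid1"] < "NA20" and p["Grid2"] < "NC40"),
    URA("ArmyLogCR1", "LogPlanningTool", CR1, lambda p: p["CrisisNum"] == "CR1"),
]
UAS = [UA("DoBest", "CDR_CR1", (CT, None)), UA("DoGood", "JPlannerCR1", (CT, None)),
       UA("DoRight", "ArmyLogCR1", (CT, None))]


def valid_ura(a: URA) -> bool:
    """Definition 15a: the role's CLS dominates the method's CLS, and role LT, method LT and TC overlap."""
    ur, m = ROLES[a.ur], METHODS[a.m]
    return dominates(ur.cls, m.cls) and overlap(ur.lt, m.lt) and overlap(ur.lt, a.tc)


def valid_ua(a: UA) -> bool:
    """Definition 17a: the user's CLR dominates the role's CLS, and user LT, role LT and TC overlap."""
    u, ur = USERS[a.u], ROLES[a.ur]
    return dominates(u.clr, ur.cls) and overlap(u.lt, ur.lt) and overlap(u.lt, a.tc)


# The 1 entries of URAM and UAM (Definitions 15b and 17b): only authorizations that pass the design-time checks.
VURAL: Dict[Tuple[str, str], URA] = {(a.ur, a.m): a for a in URAS if valid_ura(a)}
VUAL: Dict[Tuple[str, str], UA] = {(a.u, a.ur): a for a in UAS if valid_ua(a)}


def check_privileges(token: Token, method: str, params: dict, now: date) -> Tuple[bool, str]:
    """Run-time check: the user/role and role/method authorizations exist, every lifetime
    covers `now`, the user's CLR dominates the method's CLS, and the SC holds on the actual
    parameters. The token's IP address and creation time identify the client (Definition 18)
    and are not re-validated here."""
    ua = VUAL.get((token.u, token.ur))
    if ua is None:
        return False, "user not authorized to role"
    ura = VURAL.get((token.ur, method))
    if ura is None:
        return False, "role not authorized to method"
    u, ur, m = USERS[token.u], ROLES[token.ur], METHODS[method]
    for label, lt in (("user LT", u.lt), ("role LT", ur.lt), ("method LT", m.lt),
                      ("UA TC", ua.tc), ("URA TC", ura.tc)):
        if not within(lt, now):
            return False, f"{label} does not cover {now}"
    if not dominates(u.clr, m.cls):
        return False, "user CLR does not dominate method CLS"
    try:
        if not ura.sc(params):
            return False, "signature constraint failed"
    except KeyError as missing:
        return False, f"missing parameter {missing}"
    return True, "ok"
```

Two properties worth noting: the design-time checks reject an authorization whose lifetimes can never overlap (DoRight, whose lifetime ends 01jan01, can never play JPlannerCR2, which starts 01jul01), and the run-time check re-evaluates every lifetime against the clock of each invocation, so an authorization that was valid when granted stops working the moment the user's, the role's or the constraint's lifetime expires, without any revocation having to run.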

Page 40: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Unified Security Model Definitions: Remaining Definitions

Definition 17b: A valid user authorization list, $VUAL = \{VUA_i \mid 1 \le i \le w\}$ where $w \le u \cdot r$, is the set of all VUAs with UAM(UR, U) = 1.
Definition 18: A client, C, is an authorized user U, uniquely identified via a client token:
  C = [U, UR, IP-Address, Client-Creation-Time]
where the Creation Time is the Clock at Creation

Page 41: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Security Enforcement Framework: Software Architecture

[Figure: Wrapped Resources for Legacy, Database and COTS applications and a General Resource register with the Lookup Service; Java, Legacy, Database and COTS clients and a Software Agent find them through the Lookup Service. The Unified Security Resource (USR) provides Security Registration Services, Security Policy Services and Security Authorization Services, used by the Security Policy Client (SPC), the Security Authorization Client (SAC) and Security Analysis and Tracking (SAT); a Global Clock Resource (GCR) supplies the common time]

Page 42: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Security Enforcement Framework

Unified Security Resource Services to:
  Manage URs and Privileges
  Authorize URs to Users
  Identify Users and Track Security Behavior
Associated Administrative/Management Tools
  Security Policy Client to Grant/Revoke Privileges (TCs, methods, SCs) and set CLS/CLR
  Security Authorization Client to Assign CLRs and Authorize URs to End Users
  Security Analysis Tool (SAT) to Track all Client Activity (Logons/Method Invocations)

Page 43: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Security Enforcement Framework: Security Prototype (JINI and CORBA)

[Figure: a JINI Lookup Service and a CORBA Lookup Service; the USR offering all services; a Common Resource (Global Clock); a Patient DB Resource (PDB) and a University DB Resource (UDB); Java GUI PDB and UDB clients; the Security Policy Client and the Security Authorization Client]

Page 44: A Security Model/Enforcement Framework with Assurance for a Distributed Environment

Security Enforcement Framework: USR Services

Security Policy Services
  Register Service
  Query Privileges Service
  User Role Service
  Constraint Service
  Grant-Revoke Service
    Grant_Resource(UR_Id, R_Id);
    Grant_Service(UR_Id, R_Id, S_Id);
    Grant_Method(UR_Id, R_Id, S_Id, M_Id);
    Grant_SC(UR_Id, R_Id, S_Id, M_Id, SC);
    Grant_TC(UR_Id, R_Id, S_Id, M_Id, TC);
    Revoke_Resource(UR_Id, R_Id);
    Revoke_Service(UR_Id, R_Id, S_Id);
    Revoke_Method(UR_Id, R_Id, S_Id, M_Id);
    Revoke_SC(UR_Id, R_Id, S_Id, M_Id, SC);
    Revoke_TC(UR_Id, R_Id, S_Id, M_Id, TC);
Security Authorization Services
  Authorize Role Service
  Client Profile Service
Security Registration Services
  Register Client Service
Security Tracking and Analysis Services

Page 45: Security Enforcement Framework: Security Policy Services

Register Service:
    Register_Resource(R_Id);
    Register_Service(R_Id, S_Id);
    Register_Method(R_Id, S_Id, M_Id);
    Register_Signature(R_Id, S_Id, M_Id, Signat);
    UnRegister_Resource(R_Id);
    UnRegister_Service(R_Id, S_Id);
    UnRegister_Method(R_Id, S_Id, M_Id);
    Unregister_Token(Token);

Query Privileges Service:
    Query_AvailResource();
    Query_AvailMethod(R_Id);
    Query_Method(Token, R_Id, S_Id, M_Id);
    Check_Privileges(Token, R_Id, S_Id, M_Id, ParamValueList);

User Role Service:
    Create_New_Role(UR_Name, UR_Disc, UR_Id);
    Delete_Role(UR_Id);

Page 46: Security Enforcement Framework: Security Policy Services

Constraint Service:
    DefineTC(R_Id, S_Id, M_Id, SC);
    DefineSC(R_Id, S_Id, M_Id, SC);
    CheckTC(Token, R_Id, S_Id, M_ID);
    CheckSC(Token, R_Id, S_Id, M_ID, ParamValueList);

Grant-Revoke Service:
    Grant_Resource(UR_Id, R_Id);
    Grant_Service(UR_Id, R_Id, S_Id);
    Grant_Method(UR_Id, R_Id, S_Id, M_Id);
    Grant_SC(UR_Id, R_Id, S_Id, M_Id, SC);
    Grant_TC(UR_Id, R_Id, S_Id, M_Id, TC);
    Revoke_Resource(UR_Id, R_Id);
    Revoke_Service(UR_Id, R_Id, S_Id);
    Revoke_Method(UR_Id, R_Id, S_Id, M_Id);
    Revoke_SC(UR_Id, R_Id, S_Id, M_Id, SC);
    Revoke_TC(UR_Id, R_Id, S_Id, M_Id, TC);

Page 47: Security Authorization and Registration Services

SECURITY REGISTRATION SERVICES

Register Client Service:
    Create_Token(User_Id, UR_Id, Token);
    Register_Client(User_Id, IP_Addr, UR_Id);
    UnRegister_Client(User_Id, IP_Addr, UR_Id);
    IsClient_Registered(Token);
    Find_Client(User_Id, IP_Addr);

Security Tracking and Analysis Services:
    Tracking Service: Logfile(Log String)
    Analysis Service: Analyze(Java Class File)

SECURITY AUTHORIZATION SERVICES

Authorize Role Service:
    Grant_Role(UR_Id, User_Id);
    Revoke_Role(UR_Id, User_Id);

Client Profile Service:
    Verify_UR(User_Id, UR_Id);
    Erase_Client(User_Id);
    Find_Client(User_Id);
    Find_All_Clients();

Page 48: Security Enforcement Framework: Client, Resource, Service Invocations

[Figure: sequence diagram. Participants: GCCS Client, Lookup Service, GCCS Resource, and the USR's Security Registration Services, Security Authorization Services and Security Policy Services. Numbered messages:]
  1. Register_Client(DoRight, 100.150.200.250, ArmyLogCR1)
  2. Verify_UR(DoRight, ArmyLogCR1)
  3. Client OK?
  4. Return Result, Create_Token(DoRight, ArmyLogCR1, Token)
  5. Discover/Lookup(GCCS, Joint, CrisisPicture) Returns Proxy to Client
  6. CrisisPicture(Token, CR1, NA20, NC40)
  7. IsClient_Registered(Token)
  8. Return Result of IsClient_Registered(…)
  9. Check_Privileges(Token, GCCS, Joint, CrisisPicture, [NA20, NC40])
  10. Return Result of Check_Privileges(…)
  11. Return Result, CrisisPicture(…)
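The service signatures of slides 44 to 47 and the eleven-step invocation of slide 48, replayed as one in-memory reference monitor. This is an added example, not the deck's Java/JINI/CORBA prototype: dicts stand in for the USR's stores, tokens are random hex strings, the role description and the Signature Constraint (a predicate over the actual parameter values) are constructed, and lifetimes/time constraints are left to the assurance rules later in the deck.

```python
"""USR reference monitor for the slide-48 invocation sequence (added example)."""
import secrets
from typing import Callable, Dict, List, Optional, Set, Tuple

# A Signature Constraint is modelled as a predicate over the actual parameter values.
SC = Callable[[List[str]], bool]


class USR:
    """In-memory Unified Security Resource: policy, authorization and registration services."""

    def __init__(self) -> None:
        self.methods: Set[Tuple[str, str, str]] = set()          # registered (R_Id, S_Id, M_Id)
        self.roles: Dict[str, str] = {}                          # UR_Id -> description
        self.granted: Dict[str, Set[Tuple[str, str, str]]] = {}  # UR_Id -> {(R_Id, S_Id, M_Id)}
        self.scs: Dict[Tuple[str, str, str, str], SC] = {}       # (UR_Id, R_Id, S_Id, M_Id) -> SC
        self.uam: Dict[Tuple[str, str], int] = {}                # (User_Id, UR_Id) -> 1 if authorized
        self.clients: Dict[str, Tuple[str, str, str]] = {}       # Token -> (User_Id, IP_Addr, UR_Id)

    # Security Policy Services (slides 45-46)
    def register_method(self, r_id: str, s_id: str, m_id: str) -> None:
        self.methods.add((r_id, s_id, m_id))

    def create_new_role(self, ur_name: str, ur_disc: str, ur_id: str) -> None:
        self.roles[ur_id] = f"{ur_name}: {ur_disc}"

    def grant_method(self, ur_id: str, r_id: str, s_id: str, m_id: str) -> None:
        if (r_id, s_id, m_id) not in self.methods or ur_id not in self.roles:
            raise KeyError("method or role not registered")
        self.granted.setdefault(ur_id, set()).add((r_id, s_id, m_id))

    def grant_sc(self, ur_id: str, r_id: str, s_id: str, m_id: str, sc: SC) -> None:
        self.scs[(ur_id, r_id, s_id, m_id)] = sc

    def revoke_method(self, ur_id: str, r_id: str, s_id: str, m_id: str) -> None:
        self.granted.get(ur_id, set()).discard((r_id, s_id, m_id))
        self.scs.pop((ur_id, r_id, s_id, m_id), None)

    def check_privileges(self, token: str, r_id: str, s_id: str, m_id: str,
                         param_values: List[str]) -> bool:
        """Step 9: the token's UR must hold the method and the call must satisfy any SC on it."""
        client = self.clients.get(token)
        if client is None:
            return False
        ur_id = client[2]
        if (r_id, s_id, m_id) not in self.granted.get(ur_id, set()):
            return False
        sc = self.scs.get((ur_id, r_id, s_id, m_id))
        return sc is None or sc(param_values)

    # Security Authorization Services (slide 47)
    def grant_role(self, ur_id: str, user_id: str) -> None:
        self.uam[(user_id, ur_id)] = 1

    def verify_ur(self, user_id: str, ur_id: str) -> bool:
        return self.uam.get((user_id, ur_id)) == 1

    # Security Registration Services (slide 47)
    def register_client(self, user_id: str, ip_addr: str, ur_id: str) -> Optional[str]:
        """Steps 1-4: Verify_UR, then Create_Token; None when the client is not OK."""
        if not self.verify_ur(user_id, ur_id):
            return None
        token = secrets.token_hex(16)
        self.clients[token] = (user_id, ip_addr, ur_id)
        return token

    def is_client_registered(self, token: str) -> bool:
        return token in self.clients


class GCCSResource:
    """Stand-in for the GCCS resource: each method call consults the USR before doing work (steps 7-10)."""

    def __init__(self, usr: USR) -> None:
        self.usr = usr

    def crisis_picture(self, token: str, crisis_num: str, grid1: str, grid2: str) -> str:
        if not self.usr.is_client_registered(token):
            return "denied: client not registered"
        if not self.usr.check_privileges(token, "GCCS", "Joint", "CrisisPicture", [grid1, grid2]):
            return "denied: insufficient privileges"
        return f"picture for {crisis_num} in {grid1}-{grid2}"


def run_slide_48_scenario() -> Dict[str, str]:
    """Builds the policy (constructed data), then replays the slide-48 calls plus three misuse cases."""
    usr = USR()
    usr.register_method("GCCS", "Joint", "CrisisPicture")
    usr.create_new_role("Army Logistics CR1", "constructed description", "ArmyLogCR1")
    usr.grant_method("ArmyLogCR1", "GCCS", "Joint", "CrisisPicture")
    usr.grant_sc("ArmyLogCR1", "GCCS", "Joint", "CrisisPicture", lambda p: p[0] == "NA20")  # constructed SC
    usr.grant_role("ArmyLogCR1", "DoRight")                                 # Security Authorization Client
    gccs = GCCSResource(usr)
    token = usr.register_client("DoRight", "100.150.200.250", "ArmyLogCR1")  # steps 1-4
    assert token is not None
    results = {
        "slide_48": gccs.crisis_picture(token, "CR1", "NA20", "NC40"),          # steps 6-11
        "forged_token": gccs.crisis_picture(secrets.token_hex(16), "CR1", "NA20", "NC40"),
        "sc_violation": gccs.crisis_picture(token, "CR1", "NB20", "NC40"),
    }
    usr.revoke_method("ArmyLogCR1", "GCCS", "Joint", "CrisisPicture")
    results["after_revoke"] = gccs.crisis_picture(token, "CR1", "NA20", "NC40")
    return results
```

The resource never consults the UAM itself: a registered token is the only thing it sees, and the token only exists because Verify_UR succeeded at registration time, which is why Check_Privileges resolves the UR through the token rather than trusting a role name supplied by the client.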

Page 49: Security Prototype: Global Clock Server/Client Logon

Page 50: The Security Policy Client

Manages Privileges for Roles and Resources
  For Roles:
    - Define/Delete Roles including LTs and CLSs
    - Grant/Revoke Privileges in Terms of Methods:
        Grant Methods to Roles
        Limit Grant based on Time Constraint
        Limit Grant based on Signature Constraint
  For Resources:
    - Register Resource, its Services, their Methods
    - Establish LTs and CLSs
    - Resources can Also Register themselves Programmatically via the USR Services

Page 51: Security Policy Client: Registering a Resource

Page 52: Security Policy Client: Registering a Service

Page 53: Security Policy Client: Registering Methods for Resource

Page 54: Security Policy Client: Registering Methods for Resource

Page 55: Security Policy Client: Adding Methods to Service

Page 56: Security Policy Client: Adding Methods to Service

Page 57: Security Policy Client: Confirmation of Registered Methods

Page 58: Security Policy Client: Tracking Defined Resources

Page 59: Security Policy Client: Creating User Role

Page 60: Security Policy Client: Creating User Role

Page 61: Security Policy Client: Granting Resource to UR

Page 62: Security Policy Client: Granting Service to UR

Page 63: Security Policy Client: Granting Method to UR

Page 64: Security Policy Client: Confirmation of Method to Role

Page 65: Security Policy Client: Reviewing Access of Resources to Roles

Page 66: Security Policy Client: Defining a Signature Constraint

Page 67: Security Policy Client: Defining a Signature Constraint

Page 68: The Security Authorization Client

Intended for Authorization Capabilities
Main Objectives:
  - Define New User with CLR and LT
  - Authorize URs to End Users
  - Define Clients

Authorization of Roles to Users Must Satisfy:
  - User.CLR Dominates Role.CLS
  - Overlap of LTs w.r.t. Current Time

Page 69: Security Authorization Client: Creating a User

Page 70: Security Authorization Client: Granting Roles to User

Page 71: Security Prototype: Tracking Logins and Actions

Page 72: Security Prototype: Tracking Methods of Resources

Page 73: Security Assurance

Security Assurance Represents a Confidence Level of the Security Capabilities to Ensure Sensitive Information is Protected From Access and Misuse

Assurance is Needed at:
  - Design Time (DT): as the Security Policy is Defined Using our Security Model
  - Run Time (RT): via Enforcement as Users/Clients Access Resources in a Secure Manner

Security Assurance is Enumerated and Defined to:
  - Ensure Policy Consistency (A & M Tools)
  - Check Conditions as Users Access Resources

Page 74: Assurance Guarantees

  - Available Time: Maximum Amount of Time Derived from the Intersections of LTs and TCs
  - Simple Security Property: A Subject Can Read at the Same or Lower Level (Read Down/No Read Up)
  - Simple Integrity Property: A Subject Can Write to the Same or Lower Level
  - Safety: No Bad Things Can Happen During Execution
  - Liveness: All Good Things Can Happen

Page 75: Available Time

Available Time Represents "When" a Construct is Available for Usage
Comparison of Lifetimes Including:
  - Role
  - Method
  - Current Time
Sets a Limit on When an Action can Occur

Page 76: The Compare Function for Two LTs

Page 77: Time-Based Guarantees

Page 78: Time-Based Guarantees

Page 79: Lemma 1 Conceptually

Page 80: Time-Based Guarantees

Page 81: Lemma 2 Conceptually

Page 82: Time-Based Guarantees

Page 83: Lemma 3 Conceptually

Page 84: MAC-Based Guarantees

Verify the Behavior of Method Invocation
Differentiate Between Method Types:
  - Read-Only Method: Does not Change the State of an Object; Satisfies Simple Security (Read up/No Read Down)
  - Read-Write Method: May Change the State of an Object; Satisfies Simple Security (Read up/No Read Down) and Simple Integrity (Write Down/No Write Up)
Assume: Values are Not Returned Through Method Parameters (only Value Parameters)

Page 85: MAC-Based Guarantees

Page 86: MAC-Based Guarantees

Page 87: MAC-Based Guarantees

Page 88: MAC-Based Guarantees

Page 89: MAC-Based Guarantees

Page 90: Safety and Liveness Guarantees

Safety: Nothing bad happens during execution
Liveness: All good things can happen during execution
GOAL: Maximize Safety and Liveness
  - Disconnecting from a network increases Safety, but decreases Liveness
  - Allowing unlimited access increases Liveness, but decreases Safety

Page 91: Security Assurance Rules

A Security Assurance Rule Must hold True for the Security Policy:
  - DT: Privilege Definition/Modification
  - RT: As Users Perform Actions

Categories of Checks are:
  - MACC Domination
  - Lifetime
  - Time Constraint
  - Signature Constraint
  - Authorization and Authentication

Page 92: Security Assurance - Design Time, Rule I: Authorizing Method to UR

Create a VURA and, if the Creation is Successful, then the entry of URAM = 1.
For Authorization to Occur:
  - CLS of A must Dominate CLS of M
  - LTs of A, M, and TC must Overlap (reset as TC), and the reset TC has an end time after ct

Page 93: Security Assurance - Design Time, Rule I Conceptually

LTs and TCs must be Contrasted
[Figure: timeline of A.LT, M.LT and TC relative to ct]

Page 94: Security Assurance - Design Time, Rule II: Authorizing UR to User

Create a VUA and, if the Creation is Successful, the Entries of UAM and UDAM are set to 1.
For Authorization to Occur:
  - CLR of X must Dominate CLS of A
  - LTs of A, X, and TC must Overlap (reset as TC), and the reset TC has an end time after ct

Page 95: Security Assurance - Design Time, Rule II Conceptually

LTs and TCs Again Constrained
[Figure: timeline of A.LT, X.LT and TC relative to ct]

Page 96: Security Assurance - Runtime, Rule III: Authorizing UR to User

Runtime Authorization (of user to role).
For Authorization to Occur at Runtime:
  - Rule II must be rechecked (since privileges can dynamically change).
  - The Recheck involves the Overlap of the LTs of X, A, and TC with Respect to the Current Time.

Page 97: Security Assurance - Runtime, Rule III Conceptually

What is the Time Issue in This Case?
  - Must Compare Against Rule II
  - Must Also Look at TC vs. ct: TC.et After ct, TC.st Before ct
[Figure: timeline of TC relative to ct]
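Rules I to III (slides 92 to 97), the Available Time intersection of slide 75 and the CLR/CLS domination of slide 68, carried through as one worked example in Python. This is an added example, not the deck's prototype code; it assumes inclusive [st, et] date intervals, the classification order U < C < S < T (the slides only show the level letters), and a constructed LT/CLS for the CrisisPicture method and constructed TCs, while the roles and the user come from the deck's running example.

```python
"""Design-time and runtime assurance rules I-III over LTs, TCs and MAC levels (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

LEVEL = {"U": 0, "C": 1, "S": 2, "T": 3}   # assumed order of classification levels
Lifetime = Tuple[date, date]              # [st, et], both inclusive (assumption)


def dominates(a: str, b: str) -> bool:
    """MACC domination: level a is at or above level b."""
    return LEVEL[a] >= LEVEL[b]


def available_time(*lts: Lifetime) -> Optional[Lifetime]:
    """Slide 75: the intersection of all given LTs/TCs, or None when they do not all overlap."""
    st = max(lt[0] for lt in lts)
    et = min(lt[1] for lt in lts)
    return (st, et) if st <= et else None


@dataclass
class Role:           # A: [name, LT, CLS]
    name: str
    lt: Lifetime
    cls: str


@dataclass
class Method:         # M: [name, LT, CLS]
    name: str
    lt: Lifetime
    cls: str


@dataclass
class User:           # X: [name, LT, CLR]
    name: str
    lt: Lifetime
    clr: str


def rule_i(a: Role, m: Method, tc: Lifetime, ct: date) -> Optional[Lifetime]:
    """Rule I (design time): authorize M to A. Returns the reset TC, or None when refused."""
    if not dominates(a.cls, m.cls):                 # CLS of A must dominate CLS of M
        return None
    reset_tc = available_time(a.lt, m.lt, tc)       # LTs of A, M and TC must overlap
    if reset_tc is None or reset_tc[1] <= ct:       # reset TC must end after ct
        return None
    return reset_tc


def rule_ii(x: User, a: Role, tc: Lifetime, ct: date) -> Optional[Lifetime]:
    """Rule II (design time): authorize A to X. Returns the reset TC, or None when refused."""
    if not dominates(x.clr, a.cls):                 # CLR of X must dominate CLS of A
        return None
    reset_tc = available_time(a.lt, x.lt, tc)       # LTs of A, X and TC must overlap
    if reset_tc is None or reset_tc[1] <= ct:
        return None
    return reset_tc


def rule_iii(x: User, a: Role, tc: Lifetime, ct: date) -> bool:
    """Rule III (runtime): recheck Rule II at the current time and require TC.st <= ct <= TC.et
    on the reset TC, so that ct also lies inside X.LT and A.LT."""
    reset_tc = rule_ii(x, a, tc, ct)
    return reset_tc is not None and reset_tc[0] <= ct <= reset_tc[1]


# Roles and user from the deck's example; the method's LT/CLS and the TC are constructed.
CDR_CR1 = Role("CDR_CR1", (date(2000, 12, 1), date(2001, 12, 1)), "T")
JPLANNER_CR2 = Role("JPlannerCR2", (date(2001, 7, 1), date(2001, 9, 1)), "C")
CRISIS_PICTURE = Method("CrisisPicture", (date(2000, 12, 1), date(2001, 12, 1)), "S")
DO_GOOD = User("DoGood", (date(2000, 12, 1), date(2001, 6, 1)), "T")
TC_H1 = (date(2000, 12, 1), date(2001, 3, 1))

if __name__ == "__main__":
    ct = date(2000, 12, 15)
    print("Rule I  :", rule_i(CDR_CR1, CRISIS_PICTURE, TC_H1, ct))
    print("Rule I  :", rule_i(JPLANNER_CR2, CRISIS_PICTURE, TC_H1, ct))     # C does not dominate S
    print("Rule II :", rule_ii(DO_GOOD, CDR_CR1, TC_H1, ct))
    print("Rule III:", rule_iii(DO_GOOD, CDR_CR1, TC_H1, date(2001, 7, 1)))  # DoGood's LT has ended
```

Rule III reuses Rule II rather than re-implementing it, so a policy change made through the Security Policy Client between design time and invocation is picked up on the next runtime check, which is the point slide 96 makes about privileges changing dynamically.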

Page 98: Security Assurance - Runtime, Rule IV: Invoking a Method

N (Name), P (Params), APV (Actual Param Values)
SCOracle is a Constraint Checker that Compares the Parameter Values of M's Invocation against SC:
  - returns true if M.parametervalues satisfy SC
  - returns false otherwise

Page 99: Security Assurance - Runtime, Rule IV Conceptually

Same issues as Rule III (Rule I and TC vs. ct)
Additionally, There is a Constraint Checker:
  Defn: CrisisPicture(Token, CrisisNum, Grid1, Grid2);
  SC:   Grid1 < NA20 and Grid2 < NC40
  Call: CrisisPicture(123, 111, NA18, NC45);
Compare the Call Against the SC to Determine if it Can Invoke
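The SCOracle of slide 98 applied to the definition, SC and call of slide 99, as an added example in Python (not the deck's checker). It assumes an SC is a conjunction of "Param op Value" clauses and that a grid reference such as NA20 orders by (letters, number), so NA18 < NA20 while NC45 is not < NC40; it fails closed on a wrong arity, an unknown parameter name or a type mismatch instead of raising at invocation time.

```python
"""SCOracle: evaluate a Signature Constraint against actual parameter values (added example)."""
import re
from typing import Callable, Dict, List, Tuple, Union

Value = Union[Tuple[str, int], int, str]
Clause = Tuple[str, str, Value]

OPS: Dict[str, Callable[[Value, Value], bool]] = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_value(text: str) -> Value:
    """'NA20' -> ('NA', 20); '123' -> 123; anything else stays a string (assumed encoding)."""
    grid = re.fullmatch(r"([A-Z]+)(\d+)", text)
    if grid:
        return (grid.group(1), int(grid.group(2)))
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    return text


def parse_sc(sc: str) -> List[Clause]:
    """'Grid1 < NA20 and Grid2 < NC40' -> [('Grid1', '<', ('NA', 20)), ('Grid2', '<', ('NC', 40))]."""
    clauses: List[Clause] = []
    for part in re.split(r"\s+and\s+", sc.strip()):
        m = re.fullmatch(r"(\w+)\s*(<=|>=|!=|<|>|=)\s*(\w+)", part)
        if m is None:
            raise ValueError(f"malformed SC clause: {part!r}")
        clauses.append((m.group(1), m.group(2), parse_value(m.group(3))))
    return clauses


def sc_oracle(params: List[str], sc: str, apv: List[str]) -> bool:
    """Binds APV to P by position and evaluates every clause of SC; any failure yields False."""
    if len(params) != len(apv):                      # arity mismatch: refuse
        return False
    bound: Dict[str, Value] = {name: parse_value(v) for name, v in zip(params, apv)}
    for name, op, rhs in parse_sc(sc):
        lhs = bound.get(name)
        if lhs is None or type(lhs) is not type(rhs):  # unknown parameter or grid-vs-number: refuse
            return False
        if not OPS[op](lhs, rhs):
            return False
    return True


# Slide 99's definition, SC and call
P = ["Token", "CrisisNum", "Grid1", "Grid2"]
SC = "Grid1 < NA20 and Grid2 < NC40"
CALL = ["123", "111", "NA18", "NC45"]

if __name__ == "__main__":
    print(sc_oracle(P, SC, CALL))                            # False: NC45 is not < NC40
    print(sc_oracle(P, SC, ["123", "111", "NA18", "NC35"]))  # True
```

Because the SC is parsed once into typed clauses, the oracle compares values, never strings supplied by the client against a pattern, which keeps the check deterministic for any APV the client sends.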

Page 100: Safety and Liveness Theorems

Page 101: Safety and Liveness Theorems

Page 102: Safety and Liveness Theorems

Page 103: Safety and Liveness Theorems

Page 104: Related Work: Security Assurance

  - Motivation and Need within DoD [C4I99, DARP00, DoD88, Tete99]
  - Abstract Study of Assurance [Alfo01, Garv98, McCu91, Maco01]
  - Role Administration Participates in Assurance:
      Separation of Duty [Ahn99, Both01, Garv98, Glig98, Nyan93, Osob00, Simo97]
      Mutual Exclusion [Bert97, Kand01, Khun97]
      Role Hierarchies [Demu95, Ferr97, Hu95, Jans98, Moff99, Sand96, Spoo89]
      Administration Mechanisms [Awis97, Murl01, Nyan94, Sand99]

Page 105: What is Role Delegation?

Role Delegation is a User-to-User Relationship that Allows One User to Transfer Responsibility for a Particular Role to Another Individual

Two Major Types of Delegation:
  - Administratively-directed Delegation has an Administrative Infrastructure Outside the Direct Control of a User Mediating Delegation
  - User-directed Delegation has a User (Playing a Role) Determining If and When to Delegate a Role to Another User

In Both, Security Administrators Still Oversee Who Can Do What When w.r.t. Delegation

Work of M. Liebrand (Rensselaer at Hartford)

Page 106: Why is Role Delegation Important?

Many Different Scenarios Under Which Privileges May Want to be Passed to Other Individuals:
  - Large organizations often require delegation to meet demands on individuals in specific roles for certain periods of time
  - True in Many Different Sectors: Financial Services, Engineering, Academic Setting

Key Issues:
  - Who Controls Delegation to Whom?
  - How are Delegation Requirements Enforced?

Page 107: What Can be Delegated?

  - Authority to Do the Task Carries the Least Responsibility Necessary to Execute the Task, but Does Mean the Delegated User Can Execute the Delegated Task or Role.
  - Responsibility to Do a Task Implies Accountability and a Vested Interest that a Task or Role Can Be Executed Properly.
  - Duty to Perform a Task Implies that the Delegated User is Obligated to Execute the Given Task.

Our Focus: Delegate Authority Only

Page 108: Our Focus for Delegation

Extensions to the Unified Security Model:
  - Identify Roles that are Delegatable
  - Distinguish: Original and Delegated Users
  - Delegation Authority and Delegated Role

Detailed Example to Illustrate Concepts
Analysis of Role Delegation Capabilities
Investigation of SPC, SAC, and SDC in Support of Delegation
Security Assurance for Delegation

Page 109: Role Delegation Extensions

Definition 19: A delegatable UR, DUR, is a UR that is eligible for delegation.

Definition 20: The delegatable UR vector, DURV, is defined for all r as:

$$\mathrm{DURV}(UR_i) = \begin{cases} 1 & \text{if } UR_i \text{ is a DUR} \\ 0 & \text{if } UR_i \text{ is not a DUR} \end{cases}$$

Delegatable URs (from Slide 33):
  [CDR_CR1, [01dec00, 01dec01], T]
  [JPlannerCR1, [01dec00, 01jun01], S]
  [JPlannerCR2, [01jul01, 01sep01], C]
DURV(A) = 1 for A = CDR_CR1, JPlannerCR1 and JPlannerCR2
DURV(A) = 0 for A = ArmyLogCR1 and ArmyLogCR2

Page 110: Role Delegation Extensions

Definition 21: An original user, OU ∈ UL, is authorized to the UR such that there exists a VUA for the OU/UR, i.e., UAM(UR, OU) = 1
  - OU: Authorized to the UR via the Regular Process
  - Implies Not Eligible for Delegation

Definition 22: A delegated user, DU ∈ UL, is a user eligible to be delegated a UR by an OU or a DU (there is not a VUA, i.e., UAM(UR, DU) ≠ 1).
  - A DU of a UR cannot be an OU for the same UR

Page 111: Examples of OUs and DUs

User Role     OUs          DUs
ArmyLogCR1    DoRight      DoBest, DoGood, CanDoRight
ArmyLogCR2    CanDoRight   DoBest, DoGood, DoRight
JPlannerCR1   DoGood       DoBest, DoRight, CanDoRight
JPlannerCR2   DoGood       DoBest, DoRight, CanDoRight
CDR_CR1       DoBest       DoGood, DoRight, CanDoRight

Page 112: Role Delegation Extensions

Definition 23: User delegation/authorization matrix, UDAM:
  - Represents who is a DU, OU, or Neither
  - UDAM Entries are: Initially All Set to False; Set to 1 Whenever a User is an OU; Set to 2 Whenever a User is a DU
  - Recall Rule II Set UDAM = 1

$$\mathrm{UDAM}(UR_i, U_j) = \begin{cases} 0 & \text{if } U_j \text{ is not authorized to } UR_i \\ 1 & \text{if } U_j \text{ is an OU of } UR_i \\ 2 & \text{if } U_j \text{ is a DU of } UR_i \end{cases}$$

Page 113: Delegation and Pass-on Delegation Authorities

When Establishing Privileges (by the Security Officer) there must be the Ability to Define:
  - Delegation Authority (DA)
      Recall: the Security Officer can Delegate a Role to a User
      DA Means that the Security Officer Can Delegate the Authority to Delegate to another User
      The Role Can be Delegated by one User to Another; However, Delegation Authority Cannot
  - Pass-on Delegation Authority (PODA)
      PODA Augments DA to Allow the Delegation Authority to Also be Delegated as Part of the Delegation of a Role to a User

Page 114: Role Delegation Extensions

Definition 24: Delegation authority, DA, is given to the OU to allow delegation of a DUR.

Definition 25: Pass-on delegation authority, PODA, allows an OU (DU) to pass on DA for a DUR to another user (OU or DU).

Definition 26: Delegation authority matrix, DAM:
  - 0: DU has Neither DA Nor PODA
  - 1: DU has Just DA
  - 2: DU has Both DA and PODA

$$\mathrm{DAM}(UR_i, U_j) = \begin{cases} 0 & \text{if } U_j \text{ has neither DA nor PODA for } UR_i \\ 1 & \text{if } U_j \text{ has only DA for } UR_i \\ 2 & \text{if } U_j \text{ has DA and PODA for } UR_i \end{cases}$$

Page 115: Example of DA and PODA

  - JPlanner1: DoGood has DA
  - JPlanner2: DoGood has DA
  - CDR_CR1: DoBest has both DA and PODA
  - All Other Entries have Neither DA Nor PODA

Delegation Authority Matrix (DAM): 2 = has DA and PODA, 1 = has DA, 0 = neither

User \ User-Role   ArmyLogCR1  ArmyLogCR2  JPlannerCR1  JPlannerCR2  CDR_CR1
DoBest             0           0           0            0            2
DoGood             0           0           1            1            0
DoRight            0           0           0            0            0
CanDoRight         0           0           0            0            0

Page 116: Recall UAM and URAM Matrices

User Authorization Matrix (UAM): 1 = authorized, 0 = not

User \ User-Role   ArmyLogCR1  ArmyLogCR2  JPlannerCR1  JPlannerCR2  CDR_CR1
DoBest             0           0           0            0            1
DoGood             0           0           1            1            0
DoRight            1           0           0            0            0
CanDoRight         0           1           0            0            0

User-Role Authorization Matrix (URAM): 1 = UR authorized to invoke Method, 0 = otherwise

Method \ User-Role     ArmyLogCR1  ArmyLogCR2  JPlannerCR1  JPlannerCR2  CDR_CR1
ArmyBattleCommandSys   1           1           1            1            1
CrisisPicture          1           1           1            1            1
MarineCombatOpnsSys    0           0           1            1            1
LogPlanningTool        1           1           0            0            1

Page 117: Augment with DAM and UDAM Matrices

Delegation Authority Matrix (DAM): 2 = has DA and PODA, 1 = has DA, 0 = neither

User \ User-Role   ArmyLogCR1  ArmyLogCR2  JPlannerCR1  JPlannerCR2  CDR_CR1
DoBest             0           0           0            0            2
DoGood             0           0           1            1            0
DoRight            0           0           0            0            0
CanDoRight         0           0           0            0            0

User Delegation/Authorization Matrix (UDAM): 2 = U is a DU, 1 = U is an OU, and 0 = not authorized

User \ User-Role   ArmyLogCR1  ArmyLogCR2  JPlannerCR1  JPlannerCR2  CDR_CR1
DoBest             0           0           0            0            1
DoGood             0           0           1            1            0
DoRight            1           0           0            0            0
CanDoRight         0           1           0            0            0

Page 118: Example - Role Delegation

General DoBest Delegates his Role to Colonel DoGood with DA, where DoBest, CDR_CR1, and DoGood are defined as:
  OU:   [DoBest, [ct, ], T]
  UR:   [CDR_CR1, [01dec00, 01dec01], T]
  UA:   [DoBest, CDR_CR1, [01dec00, 01dec01]]
  DA:   Yes
  PODA: Yes

After Delegation:
  DU: [DoGood, [01dec00, 01jun01], T]
  UA: [DoGood, CDR_CR1, [01dec00, 01jun01]]

Page 119: Example - Role Delegation

Now, Colonel DoGood wishes to re-delegate CDR_CR1 to Major CanDoRight, which can be defined as:
  DU:   [DoGood, [01dec00, 01jun01], T]
  UR:   [CDR_CR1, [01dec00, 01dec01], T]
  UA:   [DoGood, CDR_CR1, [01dec00, 01jun01]]
  DA:   Yes
  PODA: No

After Delegation:
  DU: [CanDoRight, [01jan01, 01feb01], T]
  UA: [CanDoRight, CDR_CR1, [01dec00, 01jun01]]

Page 120: Related Work: Role Delegation

  - Role Administration [Awis97]
  - Delegation with RBAC [Bark00, Na00]
  - Delegation Principals [Zhang01]

Similarities and Differences:
  - In Our Approach, the OU Maintains Control of Delegation; a DU Cannot Give Delegation Authority
  - Our Approach is Dynamic, in that Delegations have LTs Changeable During Runtime
  - Our Delegation Incorporates MACC
  - We extend Zhang's Definitions to Include Delegation Authority, Revocation Authority, Delegated Role, and Delegatable Role

Page 121: Enforcement Framework and Role Delegation Revocation Rules

User-to-User Delegation Authority Rule: A User (OU or DU) Who is a Current Member of a Delegatable Role (DUR) Can Delegate that User Role to Any User that Meets the Prerequisite Conditions of the Role:
  - The DU Receiving the Role is Not a Member of the Role;
  - The OU or DU is Identified As Having Delegation Authority for the Role;
  - The DU Meets the Mandatory Access Control Constraints (MACC).

Page 122: Enforcement Framework and Role Delegation Revocation Rules

Delegation Revocation Authorization Rule: An Original User Can Revoke Any Delegated User From a User Role in Which the OU Executed the Delegation.
  - This is a Stricter Interpretation than [Zhan01], Which Allows Any OU of a Role Revocation Authority Over a DU in the Delegation Path.
  - In Addition, a Security Administrator Can Revoke Any Delegation.

Cascading Revocation Rule: Whenever an OU or DU in the delegation path is revoked, all DUs in the path are revoked.

Analysis of Role Delegation

Analysis of role delegation against a set of common criteria:
- Monotonicity
- Permanence
- Totality
- Administration
- Levels of Delegation
- Multiple Delegation
- Agreements
- Cascading Revocation
- Grant-dependency Revocation

We define and discuss each in turn.

Analysis of Role Delegation: Monotonicity

Definition: monotonicity refers to the state of control the OU possesses after role delegation.
- Monotonic delegation: the OU maintains control of the delegated role
- Non-monotonic delegation: the OU passes control of the role to the DU
- Our approach uses monotonic delegation, since for assurance it is critical that the OU retain a level of control with respect to the delegation

Analysis of Role Delegation: Permanence

Definition: permanence refers to delegation in terms of time duration.
- Permanent delegation: the DU permanently replaces the OU
- Temporary delegation: a time limit is associated with each delegated role
- Our approach uses temporary delegation, since temporal constraints (LTs/TCs) are an important part of our unified security model

Analysis of Role Delegation: Totality

Definition: totality refers to how completely the permissions assigned to the role are delegated.
- Partial delegation: a subset of the role's permissions is delegated
- Total delegation: all of the role's permissions are delegated
- Our approach uses total delegation, since we believe partial delegation defeats the purpose of URs and of assigning methods to a UR under TCs/SCs
- Partial delegation is still achievable by defining special roles that are delegatable

Analysis of Role Delegation: Administration

Definition: administration refers to how delegation is administered.
- User-directed: the user controls all aspects of delegation
- Administrator-directed (third-party, agent-directed): control rests with the Security Officer
- Our approach combines both: the Security Officer establishes DA/PODA and the user determines to whom the delegation occurs

Analysis of Role Delegation: Levels of Delegation

Definition: levels of delegation refers to the ability of a DU to further delegate a role (PODA) and the number of vertical levels to which the delegated role can be re-delegated.
- Boolean control: roles can be re-delegated until a delegating user says no
- Integer control: roles can be re-delegated until a fixed number of re-delegations has occurred
- Our approach uses a modified Boolean control via DA/PODA: if PODA is not given, delegation stops; the prototype has a limit of either 2 or 3 levels

Analysis of Role Delegation: Multiple Delegations

Definition: multiple delegations refers to the number of delegated users (DUs) to whom a delegatable user role (DUR) can be delegated (horizontally) at any given time.
- Our approach allows unlimited delegations, since we want to maintain the user's flexibility
- A limit on the number of DUs for a role is subjective; subjective limits are seldom enforced because there is no hard basis for them

Analysis of Role Delegation: Agreements

Definition: agreements refer to the delegation protocol between the OU and the DU.
- Bilateral agreements: the DU must accept the delegated role
- Unilateral agreements: the OU delegates the UR permissions and the DUs are not required to accept, or even acknowledge, the delegation
- Our approach uses unilateral agreements

Analysis of Role Delegation: Cascading Revocation

Definition: cascading revocation refers to the indirect revocation of all DUs when the OU revokes the delegation, or when administration revokes the OU's delegated role.
- Non-cascading revocation could be useful when, for example, a middle-manager user is fired without replacement and subordinates need to execute the vacated roles
- Our approach uses cascading revocation and handles the non-cascading case via the security administrative tools (changing privileges)

Analysis of Role Delegation: Grant-Dependency Revocation

Definition: grant-dependency revocation refers to who has the authority to revoke a DU.
- Grant-dependent revocation: only the OU who delegated the role can revoke it
- Grant-independent revocation: any original member of the DUR can revoke a delegated role
- Our approach uses a limited form of grant-independent revocation: only the user who performed the delegation (the OU) and the Security Administrator can revoke a delegated DUR

Role Delegation Process: Security Management Tools

- Examine the process of delegation, using the military application
- Explore the Security Policy Client, the Security Authorization Client, and the Security Delegation Client
  - The SDC is a new administrative tool used by both the Security Officer and the end user
- Focus on each tool's role in delegation administration
- Screen bitmaps are ordered to illustrate the process

Security Management Tools: Screen Captures

Screen captures, ordered to illustrate the delegation process (images not reproduced in this text):

Security Policy Client
- Registration of Resources
- Creation of Administration Role

Security Authorization Client
- Granting of Role(s) to User(s)

Security Policy Client
- Cdr. Crisis 1 Role / Conflicting Role List
- Granting of Resource(s) to Role(s)
- Granting of Service(s) to Role(s)
- Granting of Method(s) to Role(s)
- Query Privileges

Security Authorization Client
- Create a User (two screens)
- Granting a Role
- Granting a Role with DA/PODA (two screens)
- Query Privileges
- Query Privileges: Results

The Security Delegation Client
- Log on to the Security Delegation Client
- Attempt to Perform a Delegation (two screens)
- Query a User's Role
- Revocation of Delegation (two screens)
- Denying Log in if UR not Available
- Denying Delegation if MAC Violated
- Denying Delegation if TC Violated
- Denying Delegation if no Delegatable Roles
- Pass on Delegation Restriction

Security Delegation Client: Example

Dobest delegates a role to Dogood with delegation authority but without pass-on delegation authority (PODA). When Dogood in turn delegates this role to Doright, he cannot pass delegation authority on with it.

Security Delegation Client: Delegation Matrix within SDC

Delegation matrix for ArmyLogCR1 (T/S/C in parentheses after the user is the user's clearance; ArmyLogCR1 is classified C):

  Dobest (T): ArmyLogCR1 (C)
  Chip (T): ArmyLogCR1 (C)
  Dogood (S): ArmyLogCR1 (C)
  Doright (C): ArmyLogCR1 (C)

When the original user revokes this role, the corresponding delegation path in the matrix is revoked within the SDC.

Security Delegation Client: Example

- Dobest delegates a role to Dogood
- Dogood delegates this role to other users

Security Delegation Client: Example

- Dobest revokes the role delegated to Dogood
- The roles delegated by Dogood are erased at the same time (cascading revocation)

Design Time Security Assurance for Delegation

Design time checks (policy realization):
- MACC domination: CLR dominates CLS
- Role delegation: DU not already a role member
- User-to-user delegation authority: must check the User Delegation Authority Matrix; DU meets the MACC requirements
- Lifetime consistency: the DU's LT must lie within the OU's LT
- Modified Boolean delegation: the OU can delegate and pass on delegation authority; a DU cannot pass on delegation authority

These are checks in the SPC, SAC, and SDC.

Run Time Security Assurance for Delegation

Executed while running the distributed application:
- MACC domination
- Role delegation
- User-to-user delegation authority
- Lifetime consistency
- Modified Boolean delegation
- Additional checks:
  - Delegation Revocation Authorization Rule: an OU/DU can revoke any delegation it initiated
  - Cascading Revocation Rule: whenever an OU is revoked, the OU's delegations are revoked, including passed-on delegations

These are checks by the enforcement framework as supported with the USR.

Security Assurance - Design Time, Rule V: Assigning Delegation Authority

- UDAM(A, X) = 1 implies UAM(A, X) = 1 by Rule II.
- Rule V establishes DA for user X to role A in the case where X is an OU.

Theorem V

Security Assurance - Design Time, Rule VI: DA and PODA

- A user must have DA in order to have PODA, i.e., a user cannot have PODA without DA.
- UDAM(A, X) = 1 implies UAM(A, X) = 1 by Rule II.
- Rule VI establishes DA and PODA, respectively, for user X to role A in the case where X is an OU.

Security Assurance - Design Time, Rule VII: Delegation of UR

- The delegation sets UAM and UDAM for the DU and the delegated role (DR).
- If X satisfies Rule V or VI for role A and delegates A to Y, then Y is a DU of A and is authorized to A, hence UAM(A, Y) = 1.

Security Assurance - Design Time, Rule VIII: Delegation of DA/PODA

- Passing on of DA or DA/PODA from a user (either OU or DU) to another DU.
- Rule VIII establishes DA or DA/PODA, respectively, for user Y, a DU of role A, and assumes Rule VII is satisfied.
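The following is an added example, not code from the UConn prototype or from the authors. It puts the User-to-User Delegation Authority Rule, the Delegation Revocation Authorization Rule and Cascading Revocation Rule, the design-time/run-time checks (MACC domination, lifetime consistency, modified Boolean DA/PODA control), and the UAM/UDAM matrix view of Rules V-VIII into one small Python engine, then walks the Dobest -> Dogood -> Doright scenario from the SDC slides. Everything not stated on the slides is assumed and labelled: the linear clearance lattice U < C < S < T, the users Lowuser and Chip as delegation targets, the non-delegatable role CDR_CR1 classified S, all dates, and the reading of "modified Boolean control" as "only a PODA holder may hand DA on, and a DU never receives PODA".

```python
"""Toy engine for the deck's role-delegation rules (added example, not the UConn prototype's
code). Assumed/constructed: MAC lattice U < C < S < T; users Dobest (T), Chip (T), Dogood (S),
Doright (C) and role ArmyLogCR1 (C) from the SDC matrix slide; Lowuser (U), CDR_CR1 (S); dates."""
from dataclasses import dataclass
from datetime import date

LEVELS = {"U": 0, "C": 1, "S": 2, "T": 3}   # assumed clearance/classification lattice


def dominates(clr, cls):  # MACC domination: user clearance (CLR) >= role classification (CLS)
    return LEVELS[clr] >= LEVELS[cls]


@dataclass
class Membership:
    start: date                        # lifetime (LT) of the user-role assignment
    end: date
    da: bool = False                   # delegation authority
    poda: bool = False                 # pass-on delegation authority
    delegated_by: "str | None" = None  # None => original user (OU)


class DelegationEngine:
    def __init__(self, roles, clearances):
        self.roles = roles            # role -> (classification, delegatable?)
        self.clearance = clearances   # user -> clearance
        self.members = {}             # user -> {role: Membership}

    def grant(self, user, role, start, end, da=False, poda=False):
        """SAC: the security administrator grants a role to an OU (Rules V and VI)."""
        if poda and not da:
            raise ValueError("Rule VI: PODA requires DA")
        if not dominates(self.clearance[user], self.roles[role][0]):
            raise ValueError("MACC: clearance does not dominate classification")
        self.members.setdefault(user, {})[role] = Membership(start, end, da, poda)

    def delegate(self, delegator, du, role, start, end, pass_da=False):
        """SDC: User-to-User Delegation Authority Rule + design-time checks; None = allowed."""
        src = self.members.get(delegator, {}).get(role)
        cls, delegatable = self.roles[role]
        if src is None:
            return "delegator is not a current member of the role"
        if not delegatable:
            return "role is not delegatable"
        if not src.da:
            return "delegator does not hold delegation authority"
        if role in self.members.get(du, {}):
            return "DU is already a member of the role"
        if not dominates(self.clearance[du], cls):
            return "MAC violated"
        if not (src.start <= start and end <= src.end):
            return "TC violated: DU lifetime must lie within the delegator's lifetime"
        # Modified Boolean control (assumed reading): only a PODA holder may hand DA on,
        # and a DU never receives PODA, so re-delegation stops one level below the DU.
        if pass_da and not src.poda:
            return "pass on delegation restriction"
        self.members.setdefault(du, {})[role] = Membership(
            start, end, da=pass_da, poda=False, delegated_by=delegator)

    def revoke(self, revoker, du, role, security_admin=False):
        """Delegation Revocation Authorization Rule, then cascading revocation; None = done."""
        m = self.members.get(du, {}).get(role)
        if m is None or m.delegated_by is None:
            return "not a delegated membership"
        if not security_admin and m.delegated_by != revoker:
            return "only the delegating user or a security administrator may revoke"
        stack = [du]
        while stack:  # Cascading Revocation Rule: every DU further down the path goes too
            u = stack.pop()
            del self.members[u][role]
            stack += [o for o, rs in self.members.items()
                      if role in rs and rs[role].delegated_by == u]

    def uam(self, role, user):   # User Authorization Matrix entry (Rule VII)
        return int(role in self.members.get(user, {}))

    def udam(self, role, user):  # User Delegation Authority Matrix entry (Rules V, VI, VIII)
        m = self.members.get(user, {}).get(role)
        return int(m is not None and m.da)

    def delegation_matrix(self, role):
        """[(user, clearance, delegated_by)] for a role, as the SDC matrix slide lists it."""
        return [(u, self.clearance[u], rs[role].delegated_by)
                for u, rs in self.members.items() if role in rs]


def demo():
    """Dobest -> Dogood -> Doright scenario from the SDC slides, plus the denial cases."""
    eng = DelegationEngine(
        roles={"ArmyLogCR1": ("C", True), "CDR_CR1": ("S", False)},
        clearances={"Dobest": "T", "Chip": "T", "Dogood": "S", "Doright": "C", "Lowuser": "U"})
    lt = (date(2001, 1, 1), date(2001, 2, 1))
    eng.grant("Dobest", "ArmyLogCR1", date(2000, 12, 1), date(2001, 6, 1), da=True, poda=True)
    eng.grant("Chip", "CDR_CR1", date(2000, 12, 1), date(2001, 6, 1), da=True)
    denials = {"not_delegatable": eng.delegate("Chip", "Dogood", "CDR_CR1", *lt),
               "mac": eng.delegate("Dobest", "Lowuser", "ArmyLogCR1", *lt),
               "tc": eng.delegate("Dobest", "Dogood", "ArmyLogCR1", lt[0], date(2001, 12, 1))}
    ok = [eng.delegate("Dobest", "Dogood", "ArmyLogCR1", lt[0], date(2001, 3, 1), pass_da=True)]
    denials["poda_by_du"] = eng.delegate("Dogood", "Doright", "ArmyLogCR1", *lt, pass_da=True)
    ok.append(eng.delegate("Dogood", "Doright", "ArmyLogCR1", *lt))
    denials["no_da"] = eng.delegate("Doright", "Chip", "ArmyLogCR1", *lt)
    denials["wrong_revoker"] = eng.revoke("Chip", "Dogood", "ArmyLogCR1")
    before = eng.delegation_matrix("ArmyLogCR1")
    ok.append(eng.revoke("Dobest", "Dogood", "ArmyLogCR1"))   # cascades to Doright
    return {"ok": ok, "denials": denials, "before": before,
            "after": eng.delegation_matrix("ArmyLogCR1"), "engine": eng}
```

Run `demo()`: the three "ok" operations return None, each denial carries the message the SDC screens express ("MAC violated", "TC violated", "pass on delegation restriction", no delegatable role, no DA), `before` shows the path Dobest -> Dogood -> Doright, and after Dobest revokes Dogood the matrix holds only Dobest, which is the cascading behaviour of the slides. Because a DU is stored with `poda=False`, `udam` can be 1 only where `uam` is 1, which is the Rule V/VI invariant UDAM(A, X) = 1 implies UAM(A, X) = 1.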

Theorems VI, VII, and VIII

Assessment of RBAC/MAC Model/Framework

Intent: assess the capabilities of the RBAC/MAC model and security framework.

Analysis vs. SSE-CMM
- SSE-CMM: a standard security engineering model
- Compare/contrast the model/framework (including assurance) against the SSE-CMM
- Use the SSE-CMM as a benchmark to evaluate the degree to which we meet the ISO requirements

Evaluation vs. Dynamic Coalitions (DCs)
- Represent the security features/requirements of DCs via the RBAC/MAC model
- Can the RBAC/MAC model represent DCs? Which features are good? Which need to be added?

Analysis vs. SSE-CMM: What is SSE-CMM?

An ISO standard model for capturing the essential characteristics of an organization's security engineering process.

The model is a standard for security engineering practices covering:
- Life cycle management of all activities
- Management, organizational, and engineering activities
- Concurrent interactions (software, hardware, humans, organizations)
- Certification, accreditation, and evaluation

Analysis vs. SSE-CMM: Why was SSE-CMM Developed?

Objective: advance security engineering as a defined, mature, and measurable discipline.

Project goal: develop a mechanism to enable
- selection of appropriately qualified security engineering providers;
- focused investments in security engineering practices;
- capability-based assurance.

Analysis vs. SSE-CMM: SSE-CMM Engineering Process Areas

- Administer Security Controls
- Assess Impact
- Assess Security Risk
- Assess Threat
- Assess Vulnerability
- Build Assurance Argument
- Coordinate Security
- Monitor Security Posture
- Provide Security Input
- Specify Security Needs
- Verify and Validate Security

Analysis vs. SSE-CMM: SSE-CMM Model Architecture

[Figure (dated 10/24/96): SSE-CMM model architecture. Domain -> Process Areas -> Base Practices, with the Process Areas grouped into Organization, Project, and Security Engineering.]

- Compare and contrast the RBAC/MAC model and framework with the standard
- SSE-CMM: 11 Process Areas / 61 Base Practices, for example
  - PA01: Administer Security Controls
    - Base Practice 01: Establish Responsibilities and Accountability for Security Controls
    - Base Practice 02: Manage the Configuration of Security System Controls
- Work in progress

Evaluation vs. DCP: What is DCP?

[Figure: a Dynamic Coalition (U.S.A., U.N., NATO, NGO/PVO) drawing on U.S. Global C2 systems (GCCS, Joint Command System, Battle Management System; Army, Navy, Air Force, Marine Corps) and Army C2 systems (ABCS, Army Battle Command System: GCCS-A, MCS, ASAS, CSSCS, FADD, AFATDS, Combat Operations System, Other).]

Dynamic Coalition Problem (DCP): the inherent security, resource, and/or information-sharing risks that occur as a result of the coalition being formed quickly.

Evaluation vs. DCP: Suitability of Our Approach for DCP

Detailed evaluation of DCP with respect to the security model:
- Utility of multiple roles for users
- Relevance of data value constraints and time limitations on users
- Examination of API-level control of resources
- Importance of multi-level secure capabilities
- Security assurance at design/run times

Extrapolating from GCCS to DCP:
- Evolve from GCCS to DCP
- What are the issues and problems to solve?

Status: work in progress at this time.

Summary: Research Innovations

- Unification of Mandatory Access Control (MAC) and Role-Based Access Control (RBAC) features
  - Realization of MAC: Bell and LaPadula model
  - Highly flexible RBAC capabilities
- Security policy realization: change policy on the fly
- Broad use of constraints for fine-grained security: user constraints and role constraints, time constraints and signature constraints
- Security assurance at design and run times: DT checks as the security policy is defined, RT checks for invocation/delegation

Summary: Additional Contributions

- A working prototype that can administer multiple security policies against multiple resources in a distributed environment supporting JINI/CORBA
- A well-defined security model that supports security policy definition via administrative and management tools with security assurance:
  - Security Policy Client (SPC)
  - Security Authorization Client (SAC)
  - Security Analysis Tool (SAT)
  - Security Delegation Client (SDC)

Summary: Remaining Research

Security model that unifies RBAC/MAC:
- Finer-grained MAC: classification levels on a method's signature
- Investigate time-constrained classification
- User constraints
- Role deconfliction

Security policy and enforcement assurance:
- Detailing all design and run time checks
- Defining security assurance for fine-grained MAC and user constraints

Completion of analysis/evaluation:
- Model/framework vs. the SSE-CMM
- Evaluation of utility in support of DCP

Summary: Publications to Date

Initial Security Model
- S. Demurjian, T. C. Ting, P. Barr, C. Phillips, "Role-Based Security in a Distributed Resource Environment", Proc. of 14th IFIP WG 11.3 Working Conf. on Database Security, August 2000.
- S. Demurjian, T. C. Ting, C. Phillips, et al., "A User Role-Based Security Model for a Distributed Environment", in Research Advances in Database and Information Systems Security, J. Therrien (ed.), Kluwer, 2001.

Enhanced Security Model
- C. Phillips, S. Demurjian, T. C. Ting, "Security Engineering for Roles and Resources in a Distributed Environment", Proc. of the 3rd Annual Information Systems Security Engineering Conf., March 2002.

Summary: Publications to Date

Relevance of Work for DCP
- C. Phillips, T. C. Ting, S. Demurjian, "Information Sharing in Dynamic Coalitions", Proc. of the 7th ACM SACMAT 2002, June 2002.

MAC Model Extensions and Security Assurance
- C. Phillips, S. Demurjian, T. C. Ting, "Towards Information Assurance for Dynamic Coalitions", Proc. of the 3rd IEEE Info. Assurance Workshop, June 2002.
- C. Phillips, S. Demurjian, T. C. Ting, "Security Assurance for an RBAC/MAC Security Model and Enforcement Framework", CSE Technical Report.

Role Delegation Extensions with Assurance
- M. Liebrand, H. Ellis, C. Phillips, S. Demurjian, and T. C. Ting, "Role Delegation for a Distributed, Unified RBAC/MAC", Proc. 16th IFIP WG 11.3 Conf. on Data and Application Security, July 2002.