A Security Model/Enforcement Framework with Assurance for a Distributed Environment. C. Phillips, S. Demurjian, and T.C. Ting Computer Science & Engineering Department The University of Connecticut Storrs, Connecticut 06269-3155. [email protected] {steve,ting}@engr.uconn.edu - PowerPoint PPT Presentation
DSEC--1
CSE333
Slide 1: A Security Model/Enforcement Framework with Assurance for a Distributed Environment
C. Phillips, S. Demurjian, and T.C. Ting
Computer Science & Engineering Department
The University of Connecticut, Storrs, Connecticut 06269-3155
[email protected], {steve,ting}@engr.uconn.edu
http://www.engr.uconn.edu/~steve
(860) 486 - 4818
Slide 2: Motivation
[Figure: artifacts (Legacy, COTS, GOTS, Database) connected over a NETWORK to Java, GOTS, Legacy, Database and COTS clients]
Premise: Artifacts - a set of DB, Legacy, COTS, GOTS, each with an API
Premise: Users - new and existing, who utilize artifact APIs
Distributed Application, DA = Artifacts + Users
Can we control user access to artifact APIs (methods) by:
- Role (who)
- Classification (MAC)
- Time (when)
- Data (what)
Slide 3: Motivation - API Access Based on Role/Classification
Can we control access based on Role?
[Figure: Legacy API L with methods L1, L2, L3; COTS API C with methods C1, C2, C3, C4, C5.
 Java client, User A, Role X: authorized C1, C2, C3, C5, L1, L2.
 Java client, User B, Role Y: authorized C1, C4, L2, L3.]
Can we control access based on Classification? (high T > S > C > U low)
[Figure: Legacy API methods classified T: L1, C: L2, U: L3; COTS API methods classified T: C1, S: C2, S: C3, T: C4, C: C5.
 Java client, User A, Role X: authorized Secret (S).
 Java client, User B, Role Y: authorized Confidential (C).]
Slide 4: Motivation - API Access Based on Time/Value
Can we control access based on Time?
[Figure: Legacy API methods L1, L2, L3; COTS API methods C1 to C5.
 Java client, User A, Role X: authorized C1 during time interval TI a, C4 during TI b, L1 during TI c.
 Java client, User B, Role Y: authorized C2 during TI d, L1 during TI e.]
Can we control access based on Data Values?
[Figure: Legacy API methods L1 (f), L2 (g), L3 (h); COTS API methods C1 (a), C2 (b), C3 (c), C4 (d), C5 (e).
 Java client, User A, Role X: authorized X.C1 (a < 30), X.C4 (d > 40), X.L1 (f = 10).
 Java client, User B, Role Y: authorized Y.C2 (0 < b < 99), Y.L1 (f = 100).]
Slide 5: Overview of Remainder of Talk
- Problem Statement
- Research Goals and Objectives
- Relevance/Importance of Research
- Distributed Environment Assumptions
- Unified Security Model for RBAC/MAC
- Security Enforcement Framework
- Security Assurance
  - Design Time and Run Time Checks
- Role Delegation Extensions and Capabilities
- Analysis vs. SSE-CMM and Evaluation vs. DCP
- Concluding Remarks
Slide 6: Problem Statement - Research Foci
[Figure: research foci arranged around the Unified RBAC/MAC Security Model]
- Unified RBAC/MAC Security Model
- Security Policy Definition
- RBAC/MAC Enforcement Framework
- Security Administrative and Management Tools
- Design Time Security Assurance
- Run Time Security Assurance
- Analyses of RBAC/MAC Model/Framework Against SSE-CMM
- Evaluation of RBAC/MAC Model Using DCP
Slide 7: Research Goals and Objectives
- Security Model that Unifies RBAC/MAC with Constraints Based on Method Signature (How), Time (When), and Security Clearances and Classifications
- Security Policy and Enforcement Assurance
  - Design Time (During Security Policy Definition): Security Assurance
  - Run Time (Executing Application): Security Enforcement
- RBAC/MAC Model for a Distributed Setting
  - Leverage Middleware Capabilities
  - Flexible, Portable, Platform Independent Security with Minimal/Controlled Impact
Slide 8: Research Goals and Objectives
- Method-Level Approach
  - Constraints using: Role, MAC, Time, and Data
  - Customized Access to APIs of Artifacts
  - Contrast with Object Level Approach
- Assessment: Security Model/Enforcement
  - Analysis Versus CMU's Security Engineering Capability Maturity Model (SSE-CMM)
  - Evaluation of Utility of Approach for Supporting Dynamic Coalition Problem
- Prototype
  - Administrative and Management Tools - Assurance
  - Security Resources/Middleware - Enforcement
Slide 9: Relevance/Importance of Research
- Shrinking Military More Reliant on the Civilian Sector for Operational Support and Internet Usage
  - Legacy Software Systems
  - COTS and GOTS
  - Shared Databases
- Flexible Security Policy Realization and Enforcement in Support of Coalition Warfare
  - Classified and Non-Classified Information
  - Rapid Deployment and Easy to Use
  - Platform Independence
- Growing Need for Multi-level Security Solutions
  - Currently Government Systems Avoid MAC
  - Difficult to Realize and Manage
Slide 10: Distributed Environment Assumptions
- Assume Presence of Middleware (JINI, CORBA):
  - Provides Bridge Between Software Artifacts
  - Allows Software Artifacts to Register/Publish their APIs for use by Clients/Other Resources
- Lookup Service: Middleware that Provides Means for Software Artifacts (Resources) and Clients to Interact
- A Resource is a Software Artifact Accessible via API (e.g., C++, Java, etc.) Consisting of Services
- A Service is a Logical Grouping of Public Methods that are Registered with the Lookup Service
- A Method has a Signature Consisting of a Possibly Null Return Type and Zero or More Parameters
Slide 11: Global Command and Control System (GCCS) Resource/Service/Methods
GCCS Resource with Two Services
- Joint Service with Methods (a.k.a. name after the semicolon):
  - Weather (Token); METOC
  - VideoTeleconference (Token, fromOrg, toOrg); TLCF
  - JointOperationsPlanning (Token, CrisisNum); JOPES
  - CrisisPicture (Token, CrisisNum, Grid1, Grid2); COP
  - TransportationFlow (Token); JFAST
  - LogisticsPlanningTool (Token, CrisisNum); LOGSAFE
  - DefenseMessageSystem (Token); DMS
  - NATOMessageSystem (Token); CRONOS
- Component Service with Methods:
  - ArmyBattleCommandSys (Token, CrisisNum); ABCS
  - AirForceBattleManagementSys (Token, CrisisNum); TBMCS
  - MarineCombatOpnsSys (Token, CrisisNum); TCO
  - NavyCommandSystem (Token, CrisisNum); JMCIS
Slide 12: Security Enforcement Framework - Software Architecture
[Figure: a Lookup Service in the middle. Wrapped Resources for a Legacy Application, a Database Application and a COTS Application plus a General Resource register with it; a Java Client, Legacy Client, Database Client, COTS Client and Software Agent discover resources through it. The Unified Security Resource (USR) provides Security Registration Services, Security Policy Services and Security Authorization Services, and is used by the Security Policy Client (SPC), Security Authorization Client (SAC), Security Delegation Client (SDC) and Security Analysis and Tracking (SAT).]
Slide 13: Security Enforcement Framework
- Unified Security Resource Services to:
  - Manage URs and Privileges
  - Authorize URs to Us
  - Identify Users and Track Security Behavior
- Associated Administrative/Management Tools
  - Security Policy Client to Grant/Revoke Privileges (TCs, methods, SCs) / set CLS/CLR
  - Security Authorization Client to Assign CLRs and Authorize URs to End Users
  - Security Analysis Tool (SAT) to Track all Client Activity (Logons/Method Invocations)
Slide 14: Unified Security Model Definitions - Lifetimes Concept
Definition 1: A lifetime, LT, is a discrete time interval [LT.st, LT.et] with LT.et > LT.st. LT.st (start time) and LT.et (end time) are tuples (day, month, year, hour, minute, second).
Containment: x is contained in y (x ⊆ y) means x.LT.st ≥ y.LT.st and x.LT.et ≤ y.LT.et; X ⊆ Y is equivalent to Y ⊇ X.
LT = [ct, ∞] means current time (ct) onward.
Intersection of two lifetimes X and Y: let ST = max{X.st, Y.st} and ET = min{X.et, Y.et}; then
  X ∩ Y = Ø          if ST > ET   (1.1)
  X ∩ Y = [ST, ET]   if ST ≤ ET   (1.2)
Slide 15: Concept of Containment of Lifetimes
[Figure: containment of one lifetime within another]
Slide 16: Usage of Lifetimes
- Lifetimes are Important Concepts since they Delineate "When" an Action or Usage Can Occur
- For Example:
  - "When" is a User Role Authorized to invoke a Method?
  - "When" is a User Authorized to a User Role?
  - "When" Does a Resource Make its Services Available in the Distributed Environment?
- Overall - LTs Control the Time Constrained Behavior for Security
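The lifetime operations of Definition 1 (the intersection of equations 1.1 and 1.2, containment, the open-ended default [ct, ∞]) and the "when" questions above, worked as an added example that is not part of the original slides or prototype. The Lifetime class, its method names and the sample lifetimes are mine; dates use the compact "01dec00" form the later example slides use.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Added example (not from the slides): Definition 1, lifetimes.
# A lifetime is [st, et] with et > st. et = None stands for the open
# end of the default lifetime [ct, infinity), "current time onward".


def slide_date(s: str) -> datetime:
    """Parse the slides' compact date form, e.g. '01dec00' -> 2000-12-01."""
    return datetime.strptime(s, "%d%b%y")


@dataclass(frozen=True)
class Lifetime:
    st: datetime
    et: Optional[datetime] = None  # None: no end time

    def __post_init__(self) -> None:
        if self.et is not None and self.et < self.st:
            raise ValueError("lifetime end precedes start")

    @classmethod
    def parse(cls, st: str, et: Optional[str] = None) -> "Lifetime":
        return cls(slide_date(st), slide_date(et) if et else None)

    def end(self) -> datetime:
        # datetime.max plays the role of infinity in comparisons
        return self.et if self.et is not None else datetime.max

    def intersect(self, other: "Lifetime") -> Optional["Lifetime"]:
        """Equations 1.1 and 1.2: ST = max of the starts, ET = min of the
        ends; the intersection is empty (None) when ST > ET, else [ST, ET]."""
        st = max(self.st, other.st)
        et = min(self.end(), other.end())
        if st > et:
            return None                                            # (1.1)
        return Lifetime(st, None if et == datetime.max else et)    # (1.2)

    def contains(self, other: "Lifetime") -> bool:
        """other is contained in self: other.st >= self.st and other.et <= self.et."""
        return other.st >= self.st and other.end() <= self.end()

    def covers(self, t: datetime) -> bool:
        """Does the instant t fall inside this lifetime? This is the run-time
        form of the 'when' questions: is the role, method or user usable now."""
        return self.st <= t <= self.end()


# Constructed sample lifetimes in the style of the example slides
ROLE_LT = Lifetime.parse("01dec00", "01jun01")    # a user-role lifetime
TC_LT = Lifetime.parse("10dec00", "16feb01")      # a method time constraint
LATER_LT = Lifetime.parse("01jul01", "01sep01")   # a role that starts later
OPEN_LT = Lifetime.parse("01dec00")               # [ct, infinity), the default

if __name__ == "__main__":
    print("role and TC overlap in:", ROLE_LT.intersect(TC_LT))
    print("role and later role overlap in:", ROLE_LT.intersect(LATER_LT))
    print("TC contained in role:", ROLE_LT.contains(TC_LT))
    print("open lifetime and later role overlap in:", OPEN_LT.intersect(LATER_LT))
```

The intersection is what the design-time checks later in the deck call "overlap of LT/TC": a method can be granted to a role only if the role's lifetime and the method's time constraint intersect, and the run-time check reduces to `covers` with the current time from the global clock.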
Slide 17: Examples of Lifetimes
[Figure: example lifetimes]
Slide 18: Related Work: Lifetimes
- Leasing [Wald99]
- Temporal Constraints [Bert96, Bert01, Ahn00]
- DBMS Constraints [Bark01, Nota95]
- User Constraints [Sand98, Zurk96]
- Similarities and Differences:
  - Extend Leasing Concept from Resources, Services, and Methods to LTs of URs/Users
  - Temporal Constraints used on Objects and Work Flow are applied to Resources, URs, and Users, Which Allows for Less Code Modification and Dynamic Changes
  - LTs in Conjunction with Method Time Constraints Improve Granularity and Provide Increased Flexibility for Security Policy
Slide 19: Unified Security Model Definitions - MAC Concept
Definition 2: Relevant MAC Concepts are:
- A sensitivity level, SLEVEL, SLEVEL = {U, C, S, T}: unclassified (U) - no impact; confidential (C) - causes some damage; secret (S) - causes serious damage; top secret (T) - causes exceptionally grave damage
- SLEVELs form a hierarchy: U < C < S < T
- Clearance (CLR) is the SLEVEL given to users
- Classification (CLS) is the SLEVEL given to entities (roles, objects, methods, etc.)
Note: We Utilize 4 Levels of Sensitivity; the Approach Will Work for n Levels
Slide 20: Unified Security Model Definitions - Distributed Application
Definition 3: A Distributed Application, DAPPL, is Composed of a Set of Software/System Resources (e.g., a Legacy, COTS, DB, etc.), Each Composed of a Set of Services, Which in Turn Are Each Composed of a Set of Methods, Namely:
  R = {R_i | 1 ≤ i ≤ m}
  S_i = {S_ij | 1 ≤ j ≤ n_i}
  M_ij = {M_ijk | 1 ≤ k ≤ q_ij}
R_i.S_ij.M_ijk Uniquely Identifies Each Method
Slide 21: Unified Security Model Definitions - Methods
- Every Method of a Service of a Resource Must be Registered from a Security Perspective
- Registration of Signature and Security Information
  - Lifetime of Method (When Available for Use)
  - Classification of Method (Level of Use)
Definition 4: Every method (identified as R_i.S_ij.M_ijk) is registered as:
  M_ijk = [M_ijk.Name, M_ijk.Params, M_ijk.CLS, M_ijk.LT]
- Default CLS is U
- Default LT = [ct, ∞]
- Resource by Registering Sets CLS and LT
Slide 22: Unified Security Model Definitions - Services
Definition 5: Every service is registered as:
  S_ij = [S_ij.Name, S_ij.LT, S_ij.CLS]
where
  S_ij.LT.st = min{M_ijk.LT.st | 1 ≤ k ≤ q_ij}
  S_ij.LT.et = max{M_ijk.LT.et | 1 ≤ k ≤ q_ij}
  S_ij.CLS = min{M_ijk.CLS | 1 ≤ k ≤ q_ij}
Note that LT and CLS are Inferred from the LT and CLS of the Methods that Comprise the Service
Slide 23: Unified Security Model Definitions - Resource
Definition 6: Every resource is registered as:
  R_i = [R_i.Name, R_i.LT, R_i.CLS]
where
  R_i.LT.st = min{S_ij.LT.st | 1 ≤ j ≤ n_i}
  R_i.LT.et = max{S_ij.LT.et | 1 ≤ j ≤ n_i}
  R_i.CLS = min{S_ij.CLS | 1 ≤ j ≤ n_i}
Note that LT and CLS are Inferred from the LT and CLS of the Services that Comprise the Resource
Slide 24: Clearances/Classifications - Example
(C) GCCS Resource, C = min{Service CLSs}
- (S) Joint Service with Methods (a.k.a. name after the semicolon), S = min{Method CLSs}:
  - (S) Weather (Token); METOC
  - (S) VideoTeleconference (Token, fromOrg, toOrg); TLCF
  - (S) JointOperationsPlanning (Token, CrisisNum); JOPES
  - (S) CrisisPicture (Token, CrisisNum, Grid1, Grid2); COP
  - (S) TransportationFlow (Token); JFAST
  - (S) LogisticsPlanningTool (Token, CrisisNum); LOGSAFE
  - (S) DefenseMessageSystem (Token); DMS
  - (T) NATOMessageSystem (Token); CRONOS
- (C) Component Service with Methods, C = min{Method CLSs}:
  - (S) ArmyBattleCommandSys (Token, CrisisNum); ABCS
  - (S) AirForceBattleManagementSys (Token, CrisisNum); TBMCS
  - (S) MarineCombatOpnsSys (Token, CrisisNum); TCO
  - (C) NavyCommandSystem (Token, CrisisNum); JMCIS
Note: Access Classification Precedes Each Entry.
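Definitions 4 to 6 applied to this slide's GCCS example, as an added illustration that is not part of the original slides or prototype: methods are registered with their own CLS and LT, and the service and resource values are inferred from them (minimum CLS, earliest start, latest end). The method names and classifications are the slide's; the class and helper names and the lifetime assigned to each method are mine, constructed so that the inferred lifetimes are visible.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Tuple

# Added example (not from the slides): Definitions 4-6, inferred service and
# resource LT/CLS, applied to the GCCS example of slide 24.

SLEVEL = {"U": 0, "C": 1, "S": 2, "T": 3}   # Definition 2: U < C < S < T
Interval = Tuple[datetime, datetime]        # a lifetime [st, et], Definition 1


def d(s: str) -> datetime:
    """Slide-style date '01dec00' -> 2000-12-01."""
    return datetime.strptime(s, "%d%b%y")


def min_level(levels: List[str]) -> str:
    """Lowest sensitivity level in the U < C < S < T hierarchy."""
    return min(levels, key=SLEVEL.__getitem__)


@dataclass
class Method:                  # Definition 4: M = [Name, Params, CLS, LT]
    name: str
    params: List[str]
    cls: str = "U"             # default CLS is U
    lt: Interval = (d("01dec00"), datetime.max)   # stands in for [ct, infinity)


@dataclass
class Service:                 # Definition 5: S = [Name, LT, CLS], LT and CLS inferred
    name: str
    methods: List[Method] = field(default_factory=list)

    @property
    def lt(self) -> Interval:  # earliest method start, latest method end
        return (min(m.lt[0] for m in self.methods), max(m.lt[1] for m in self.methods))

    @property
    def cls(self) -> str:      # minimum of the method classifications
        return min_level([m.cls for m in self.methods])


@dataclass
class Resource:                # Definition 6: R = [Name, LT, CLS], LT and CLS inferred
    name: str
    services: List[Service] = field(default_factory=list)

    @property
    def lt(self) -> Interval:
        return (min(s.lt[0] for s in self.services), max(s.lt[1] for s in self.services))

    @property
    def cls(self) -> str:
        return min_level([s.cls for s in self.services])


def build_gccs() -> Resource:
    """The GCCS resource of slide 24. Classifications are the slide's; the
    lifetimes are constructed for this example."""
    joint_lt = (d("01dec00"), d("01jun01"))
    joint = Service("Joint", [
        Method("Weather", ["Token"], "S", joint_lt),
        Method("VideoTeleconference", ["Token", "fromOrg", "toOrg"], "S", joint_lt),
        Method("JointOperationsPlanning", ["Token", "CrisisNum"], "S", joint_lt),
        Method("CrisisPicture", ["Token", "CrisisNum", "Grid1", "Grid2"], "S", joint_lt),
        Method("TransportationFlow", ["Token"], "S", joint_lt),
        Method("LogisticsPlanningTool", ["Token", "CrisisNum"], "S", joint_lt),
        Method("DefenseMessageSystem", ["Token"], "S", joint_lt),
        Method("NATOMessageSystem", ["Token"], "T", (d("01jan01"), d("01sep01"))),
    ])
    comp_lt = (d("10dec00"), d("01mar01"))
    component = Service("Component", [
        Method("ArmyBattleCommandSys", ["Token", "CrisisNum"], "S", comp_lt),
        Method("AirForceBattleManagementSys", ["Token", "CrisisNum"], "S", comp_lt),
        Method("MarineCombatOpnsSys", ["Token", "CrisisNum"], "S", comp_lt),
        Method("NavyCommandSystem", ["Token", "CrisisNum"], "C", (d("01jul01"), d("01aug01"))),
    ])
    return Resource("GCCS", [joint, component])


def classification_report(r: Resource) -> dict:
    """Map each entity name to its (inferred) CLS, as the slide prints them."""
    out = {r.name: r.cls}
    for s in r.services:
        out[s.name] = s.cls
        for m in s.methods:
            out[m.name] = m.cls
    return out


if __name__ == "__main__":
    gccs = build_gccs()
    for name, cls in classification_report(gccs).items():
        print(f"({cls}) {name}")
    print("GCCS lifetime:", gccs.lt)
```

Because the inferred value is the minimum, a single Confidential method (NavyCommandSystem) makes the Component service Confidential and, through it, the whole GCCS resource; the Top Secret NATOMessageSystem does not raise the Joint service above Secret. The next slide contrasts this with the standard lattice treatment, which would take the maximum.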
Slide 25: Related Work: Clearances/Classifications
- Lattice Based Access Control [Sand93]
- MAC and RBAC [Nyan95, Osbo97, Osbo00]
- DAC with Roles [Sand98]
- Orange Book [DoD96]
- MAC with Objects [Thur89]
- Similarities and Differences
  - Our Approach is the Opposite in that we Take the Minimum where the Standard would Take the Maximum
  - Our Security Approach is at the Method Level
  - Our Approach is Dynamic in That CLRs and CLSs Can Be Changed During Runtime
  - MAC Check at Invocation Eliminates Need for Object Access or Change
Slide 26: Unified Security Model Definitions - User Roles and UR List
Definition 7: A user role, UR, representing a set of responsibilities for an application, is defined as:
  UR = [UR.Name, UR.LT, UR.CLS]
Notes: LT and CLS are Set by the Security Officer; Defaults are [ct, ∞] and U Respectively
Examples: Commander / Joint Planner - Crisis 1
  [CDR_CR1, UR.LT, T]
  [JPlannerCR1, [01dec00, 01jun01], S]
Definition 8: A user-role list, URL, is the set of r unique roles that have been defined for DAPPL.
Slide 27: Unified Security Model Definitions - Users and User List
Definition 9: A user, U, who will be accessing the DAPPL via a client application, is defined as:
  U = [U.UserId, U.LT, U.CLR]
Notes: LT and CLR are Set by the Security Officer; Defaults are [ct, ∞] and U Respectively
Example Users:
  General DoBest: [DoBest, 1 year, T]
  Colonel DoGood: [DoGood, 6 mo., S]
Definition 10: A user list, UL, is the set of u users that have been defined for DAPPL.
Slide 28: Examples: Users, User-Roles, and URA
Users, U = [U.UserId, U.LT, U.CLR]:
  (T) General DoBest: [DoBest, [ct, ∞], T]
  (T) Colonel DoGood: [DoGood, [01dec00, 01jun01], T]
  (S) Major DoRight: [DoRight, [01dec00, 01jan01], S]
  (T) Major CanDoRight: [CanDoRight, [01jan01, 01feb01], T]
User-Roles, UR = [UR.Name, UR.LT, UR.CLS]:
  [CDR_CR1, [01dec00, ∞], T]
  [JPlannerCR1, [01dec00, 01jun01], S]
  [JPlannerCR2, [01jul01, 01sep01], C]
  [ArmyLogCR1, [10dec00, 01mar01], S]
  [ArmyLogCR2, [01jul01, 01aug01], C]
User Role Authorizations, URA = [UR, M, TC, SC]:
  [JPlannerCR1, CrisisPicture, [ct, ∞], true]
  [JPlannerCR1, ArmyBattleCommandSys, [10dec00, 16feb01], true]
  [ArmyLogCR1, CrisisPicture, [10dec00, 16feb01], Grid1 NA20 AND Grid2 NC40]
  [ArmyLogCR1, LogPlanningTool, [10dec00, 16feb01], CrisisNum = CR1]
Slide 29: Related Work: RBAC
- Benefits of RBAC: Flexible, Ease of Use, Policy Realization [Bert97, Demu95, Ferr92, Nyan93, Sand96, Ting87]
- Main Approaches
  - UConn - [Demu94…01, Hu94, Ting87]
  - GMU - RBAC96 - [Ahn99…, Osbo96…, Sand96…]
  - NIST - [Bark97, Ferr99…, Gavr98, Jeag97…]
- Similarities and Differences:
  - Our Approach Does Not Rely on a Role Hierarchy
  - Administrative Duties are Separated for Ease of Use and Least Privilege
  - Our Approach Can Realize Multiple Policies Simultaneously on Multiple Federated Resources
Slide 30: Unified Security Model Definitions - Signature Constraint
Definition 11: A Signature Constraint, SC, is a Boolean Expression Defined on the Signature of Method M_ijk of Service S_ij of Resource R_i that Limits the Allowable Values of the Parameters. The Boolean Expression is:
  (return-type constraint) AND (parameters constraint)
where either or both could be null; the Parameters Constraint uses AND, OR, NOT.
Example: CrisisPicture (Token, CrisisNum, Grid1, Grid2);
  SC: Grid1 < NA20 and Grid2 < NC40
Slide 31: Unified Security Model Definitions - Time Constraint
Definition 12: A time constraint, TC, is a lifetime that represents when a method can be assigned to a user role (or invoked by a user) or when a user is allowed to play a role. A TC has the default of [ct, ∞]. TC is utilized at design and run time together with:
- user role and method LTs, constraining when the method can be assigned
- user role, method, and user LTs, constraining when the method can be invoked
- user role and user LTs, constraining when the user can be authorized to the role
Example: ArmyBattleCommandSys (Token, CrisisNum); TC = [10dec00, 16feb01]
Slide 32: Related Work: Signature and Time Constraints
- Temporal Constraints [Ahn00, Bert96, Bert01]
- User Constraints [Sand98, Zurk96]
- Similarities and Differences:
  - Temporal Constraints used on Objects for Work Flow are applied to Methods as Time Constraints to Create an Operational Time Window for Valid Invocations
  - Time Constraints are Role Dependent, so the Same Method in a Different Role Can Have a Different Time Constraint
  - Lifetimes in Conjunction with Separate Method Time Constraints Improve Granularity and Provide Increased Flexibility for Security Policy
  - Use of Flexible, Run-Time Signature Constraints is Unique for Role Based Access Control, but Similar to Other Programming Parameter/Argument Techniques
Slide 33: Unified Security Model Definitions - Mandatory Access Control Constraint
Definition 13: A mandatory access control constraint, MACC, is the domination of the SLEVEL of one entity over another entity:
- CLS of Role Dominates CLS of Resource, Service, or Method
- CLR of User Dominates CLS of Role
Example MACC Checks:
- Design Time: CLS of Role vs. CLS of Resource, Service, or Method; CLR of User vs. CLS of Role
- Run Time: CLR of User vs. CLS of Resource, Service, or Method
Slide 34: Unified Security Model Definitions - User Role Authorizations
Definition 14: A user-role authorization, URA, signifies a UR authorized to invoke a method under optional TC and/or SC, and is defined as:
  URA = [UR, M, TC, SC]
where
- UR is as given in Definition 7
- M is as given in Definition 4
- TC is as given in Definition 12 and is an LT that represents when the method is available to the UR for invocation, with default [ct, ∞]
- SC is empty (true) or as given in Definition 11 and represents the values for which invocation can occur
Slide 35: Unified Security Model Definitions - User Role Authorizations
Definition 15a: The UR authorization matrix, URAM, is an r × q matrix indexed by roles and methods:
  URAM(UR_i, M_j) = 1 if UR_i is authorized to invoke M_j
                  = 0 otherwise
Notes:
- Initially, URAM contains all 0 entries
- When equal to 1 for some URA = [UR, M, TC, SC], the authorization is a Valid URA (VURA)
- At Design Time, UR CLS must dominate M CLS and there must be Overlap of LT/TC
Slide 36: Example Users, User Roles, and URAs
[Figure: example users, user roles, and URAs]
Slide 37: Unified Security Model Definitions - Remaining Definitions
Definition 15b: A valid user-role authorization list, VURAL = {VURA_i | 1 ≤ i ≤ v}, where v ≤ r × q, is the set of all VURAs with URAM(UR, M) = 1.
Definition 16: A user authorization, UA, is a user authorized to play a role:
  UA = [U, UR, TC]
where
- U is as given in Definition 9
- UR is as given in Definition 7
- TC is as given in Definition 12 and represents the LT of the authorization
Slide 38: Unified Security Model Definitions - Remaining Definitions
Definition 17a: The user authorization matrix, UAM, is indexed by roles and users:
  UAM(UR_i, U_j) = 1 if U_j is authorized to UR_i
                 = 0 otherwise
Notes:
- Initially, UAM contains all 0 entries
- When equal to 1 for some UA, the Authorization is a Valid UA (VUA)
- At Design Time, a U's CLR must dominate the Role's CLS with overlap of TC and LT
Slide 39: Example UAM and URAM Matrices
User Authorization Matrix (UAM): 1 = authorized, 0 = not

User \ User-Role      ArmyLogCR1  ArmyLogCR2  JPlannerCR1  JPlannerCR2  CDR_CR1
DoBest                    0           0            0            0          1
DoGood                    0           0            1            1          0
DoRight                   1           0            0            0          0
CanDoRight                0           1            0            0          0

User-Role Authorization Matrix (URAM): 1 = UR authorized to invoke Method, 0 = otherwise

Method \ User-Role    ArmyLogCR1  ArmyLogCR2  JPlannerCR1  JPlannerCR2  CDR_CR1
ArmyBattleCommandSys      1           1            1            1          1
CrisisPicture             1           1            1            1          1
MarineCombatOpnsSys       0           0            1            1          1
LogPlanningTool           1           1            0            0          1
Slide 40: Unified Security Model Definitions - Remaining Definitions
Definition 17b: A valid user authorization list, VUAL = {VUA_i | 1 ≤ i ≤ w}, where w ≤ u × r, is the set of all VUAs with UAM(UR, U) = 1.
Definition 18: A client, C, is an authorized user U, uniquely identified via a client token:
  C = [U, UR, IP-Address, Client-Creation-Time]
where Creation Time is the Clock at Creation
Slide 41: Security Enforcement Framework - Software Architecture
[Figure: the architecture of slide 12 with a Global Clock Resource (GCR) added. Wrapped Resources for a Legacy Application, a Database Application and a COTS Application plus a General Resource register with the Lookup Service; a Java Client, Legacy Client, Database Client, COTS Client and Software Agent discover resources through it. The Unified Security Resource (USR) provides Security Registration Services, Security Policy Services and Security Authorization Services, used by the Security Policy Client (SPC), Security Authorization Client (SAC) and Security Analysis and Tracking (SAT).]
Slide 42: Security Enforcement Framework (repeats slide 13)
Slide 43: Security Enforcement Framework - Security Prototype (JINI and CORBA)
[Figure: a JINI Lookup Service and a CORBA Lookup Service; the USR (All Services) and a Common Resource (Global Clock) registered with them; a Patient DB Resource (PDB) with a Java GUI PDB Client and a University DB Resource (UDB) with a Java GUI UDB Client; a Security Policy Client and a Security Authorization Client.]
Slide 44: Security Enforcement Framework - USR Services
Security Policy Services:
- Register Service
- Query Privileges Service
- User Role Service
- Constraint Service
- Grant-Revoke Service
  Grant_Resource(UR_Id, R_Id);
  Grant_Service(UR_Id, R_Id, S_Id);
  Grant_Method(UR_Id, R_Id, S_Id, M_Id);
  Grant_SC(UR_Id, R_Id, S_Id, M_Id, SC);
  Grant_TC(UR_Id, R_Id, S_Id, M_Id, TC);
  Revoke_Resource(UR_Id, R_Id);
  Revoke_Service(UR_Id, R_Id, S_Id);
  Revoke_Method(UR_Id, R_Id, S_Id, M_Id);
  Revoke_SC(UR_Id, R_Id, S_Id, M_Id, SC);
  Revoke_TC(UR_Id, R_Id, S_Id, M_Id, TC);
Security Authorization Services:
- Authorize Role Service
- Client Profile Service
Security Registration Services:
- Register Client Service
Security Tracking and Analysis Services
Slide 45: Security Enforcement Framework - Security Policy Services
Register Service:
  Register_Resource(R_Id);
  Register_Service(R_Id, S_Id);
  Register_Method(R_Id, S_Id, M_Id);
  Register_Signature(R_Id, S_Id, M_Id, Signat);
  UnRegister_Resource(R_Id);
  UnRegister_Service(R_Id, S_Id);
  UnRegister_Method(R_Id, S_Id, M_Id);
  Unregister_Token(Token);
Query Privileges Service:
  Query_AvailResource();
  Query_AvailMethod(R_Id);
  Query_Method(Token, R_Id, S_Id, M_Id);
  Check_Privileges(Token, R_Id, S_Id, M_Id, ParamValueList);
User Role Service:
  Create_New_Role(UR_Name, UR_Disc, UR_Id);
  Delete_Role(UR_Id);
Slide 46: Security Enforcement Framework - Security Policy Services
Constraint Service:
  DefineTC(R_Id, S_Id, M_Id, SC);
  DefineSC(R_Id, S_Id, M_Id, SC);
  CheckTC(Token, R_Id, S_Id, M_ID);
  CheckSC(Token, R_Id, S_Id, M_ID, ParamValueList);
Grant-Revoke Service:
  Grant_Resource(UR_Id, R_Id);
  Grant_Service(UR_Id, R_Id, S_Id);
  Grant_Method(UR_Id, R_Id, S_Id, M_Id);
  Grant_SC(UR_Id, R_Id, S_Id, M_Id, SC);
  Grant_TC(UR_Id, R_Id, S_Id, M_Id, TC);
  Revoke_Resource(UR_Id, R_Id);
  Revoke_Service(UR_Id, R_Id, S_Id);
  Revoke_Method(UR_Id, R_Id, S_Id, M_Id);
  Revoke_SC(UR_Id, R_Id, S_Id, M_Id, SC);
  Revoke_TC(UR_Id, R_Id, S_Id, M_Id, TC);
Slide 47: Security Authorization and Registration Services
SECURITY REGISTRATION SERVICES
Register Client Service:
  Create_Token(User_Id, UR_Id, Token);
  Register_Client(User_Id, IP_Addr, UR_Id);
  UnRegister_Client(User_Id, IP_Addr, UR_Id);
  IsClient_Registered(Token);
  Find_Client(User_Id, IP_Addr);
Security Tracking and Analysis Services:
  Tracking Service: Logfile(Log String)
  Analysis Service: Analyze(Java Class File)
SECURITY AUTHORIZATION SERVICES
Authorize Role Service:
  Grant_Role(UR_Id, User_Id);
  Revoke_Role(UR_Id, User_Id);
Client Profile Service:
  Verify_UR(User_Id, UR_Id);
  Erase_Client(User_Id);
  Find_Client(User_Id);
  Find_All_Clients();
Slide 48: Security Enforcement Framework - Client, Resource, Service Invocations
[Figure: message sequence between the GCCS Client, the USR (Security Registration Services, Security Authorization Services, Security Policy Services), the Lookup Service and the GCCS Resource]
1. Register_Client(DoRight, 100.150.200.250, ArmyLogCR1)
2. Verify_UR(DoRight, ArmyLogCR1)
3. Client OK?
4. Return Result, Create_Token(DoRight, ArmyLogCR1, Token)
5. Discover/Lookup(GCCS, Joint, CrisisPicture) Returns Proxy to Course Client
6. CrisisPicture(Token, CR1, NA20, NC40)
7. IsClient_Registered(Token)
8. Return Result of IsClient_Registered(…)
9. Check_Privileges(Token, GCCS, Joint, CrisisPicture, [NA20, NC40])
10. Return Result of Check_Privileges(…)
11. Return Result, CrisisPicture(…)
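The design-time validity rules (Definitions 13, 15a and 17a: the role's CLS must dominate the method's CLS, the user's CLR must dominate the role's CLS, and the lifetimes or TCs must overlap) together with the run-time path of this slide (Register_Client, then IsClient_Registered and Check_Privileges with the MACC, TC and SC checks) in one added example that is not part of the original slides or prototype. The users, roles and URAs are the values of slide 28 and the method classifications those of slide 24; the token format, the function names, the comparison of grid designators as strings and the choice of "<=" for the ArmyLogCR1 signature constraint (the operator on slide 28 did not survive extraction) are my assumptions.

```python
from datetime import datetime
from typing import Dict, Optional, Tuple

# Added example (not from the slides or the prototype): design-time URAM/UAM
# validity and the run-time Check_Privileges decision of slide 48.

SLEVEL = {"U": 0, "C": 1, "S": 2, "T": 3}           # Definition 2


def dominates(a: str, b: str) -> bool:                # Definition 13
    return SLEVEL[a] >= SLEVEL[b]


def d(s: str) -> datetime:                            # '01dec00' -> 2000-12-01
    return datetime.strptime(s, "%d%b%y")


INF = datetime.max                                    # open end of [ct, infinity)
Interval = Tuple[datetime, datetime]


def overlap(x: Interval, y: Interval) -> bool:        # Definition 1: non-empty intersection
    return max(x[0], y[0]) <= min(x[1], y[1])


def covers(x: Interval, t: datetime) -> bool:         # instant t lies within lifetime x
    return x[0] <= t <= x[1]


CT = d("01dec00")
# Users: id -> (LT, CLR); roles: name -> (LT, CLS). Values from slide 28.
USERS: Dict[str, Tuple[Interval, str]] = {
    "DoBest": ((CT, INF), "T"),
    "DoGood": ((d("01dec00"), d("01jun01")), "T"),
    "DoRight": ((d("01dec00"), d("01jan01")), "S"),
    "CanDoRight": ((d("01jan01"), d("01feb01")), "T"),
}
ROLES: Dict[str, Tuple[Interval, str]] = {
    "CDR_CR1": ((d("01dec00"), INF), "T"),
    "JPlannerCR1": ((d("01dec00"), d("01jun01")), "S"),
    "JPlannerCR2": ((d("01jul01"), d("01sep01")), "C"),
    "ArmyLogCR1": ((d("10dec00"), d("01mar01")), "S"),
    "ArmyLogCR2": ((d("01jul01"), d("01aug01")), "C"),
}
METHOD_CLS = {"CrisisPicture": "S", "ArmyBattleCommandSys": "S", "LogPlanningTool": "S"}  # slide 24
# URA = [UR, M, TC, SC]; SC is a predicate over the parameter values (None = true)
URAS = [
    ("JPlannerCR1", "CrisisPicture", (CT, INF), None),
    ("JPlannerCR1", "ArmyBattleCommandSys", (d("10dec00"), d("16feb01")), None),
    ("ArmyLogCR1", "CrisisPicture", (d("10dec00"), d("16feb01")),
     lambda p: p["Grid1"] <= "NA20" and p["Grid2"] <= "NC40"),   # '<=' on strings: assumed
    ("ArmyLogCR1", "LogPlanningTool", (d("10dec00"), d("16feb01")),
     lambda p: p["CrisisNum"] == "CR1"),
]


def valid_ura(ur: str, m: str, tc: Interval) -> bool:
    """Definition 15a design-time rule: UR.CLS dominates M.CLS and UR.LT overlaps TC."""
    lt, cls = ROLES[ur]
    return dominates(cls, METHOD_CLS[m]) and overlap(lt, tc)


def valid_ua(user: str, ur: str) -> bool:
    """Definition 17a design-time rule: U.CLR dominates UR.CLS and the lifetimes overlap."""
    ult, clr = USERS[user]
    rlt, cls = ROLES[ur]
    return dominates(clr, cls) and overlap(ult, rlt)


# Client tokens, Definition 18: token -> [U, UR, IP-Address, Client-Creation-Time]
CLIENTS: Dict[str, Tuple[str, str, str, datetime]] = {}


def register_client(user: str, ip: str, ur: str, now: datetime) -> Optional[str]:
    """Steps 1-4 of slide 48: Register_Client succeeds only for a valid UA whose
    user and role lifetimes both cover the current time; returns the token."""
    if not valid_ua(user, ur) or not covers(USERS[user][0], now) or not covers(ROLES[ur][0], now):
        return None
    token = f"{user}:{ur}:{ip}:{now.isoformat()}"    # constructed token format
    CLIENTS[token] = (user, ur, ip, now)
    return token


def check_privileges(token: str, m: str, params: Dict[str, str], now: datetime) -> str:
    """Steps 7-10 of slide 48: IsClient_Registered, then the run-time MACC,
    TC and SC checks. Returns 'ok' or the name of the first failed check."""
    if token not in CLIENTS:
        return "client not registered"
    user, ur, _ip, _created = CLIENTS[token]
    if not covers(USERS[user][0], now) or not covers(ROLES[ur][0], now):
        return "user or role lifetime expired"
    if not dominates(USERS[user][1], METHOD_CLS[m]):   # run-time MACC: CLR vs method CLS
        return "clearance does not dominate method classification"
    for a_ur, a_m, tc, sc in URAS:
        if a_ur == ur and a_m == m and covers(tc, now):
            return "ok" if sc is None or sc(params) else "signature constraint failed"
    return "no user-role authorization in force"


if __name__ == "__main__":
    tok = register_client("DoRight", "100.150.200.250", "ArmyLogCR1", d("20dec00"))
    args = {"CrisisNum": "CR1", "Grid1": "NA20", "Grid2": "NC40"}
    print(check_privileges(tok, "CrisisPicture", args, d("20dec00")))
```

The same request is refused once the clock passes the user's or role's lifetime, when the parameter values fall outside the signature constraint, or when the token was never issued; each refusal names the check that failed, which is what the Security Analysis Tool needs to log.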
Slide 49: Security Prototype - Global Clock Server/Client Logon [screenshot]
Slide 50: The Security Policy Client
- Manages Privileges for Roles and Resources
- For Roles:
  - Define/Delete Roles including LTs and CLSs
  - Grant/Revoke Privileges in Terms of Methods
  - Grant Methods to Roles
  - Limit Grant based on Time Constraint
  - Limit Grant based on Signature Constraint
- For Resources:
  - Register Resource, its Services, their Methods
  - Establish LTs and CLSs
  - Resources can Also Register themselves Programmatically via the USR Services
Slide 51: Security Policy Client - Registering a Resource [screenshot]
Slide 52: Security Policy Client - Registering a Service [screenshot]
Slide 53: Security Policy Client - Registering Methods for Resource [screenshot]
Slide 54: Security Policy Client - Registering Methods for Resource [screenshot]
Slide 55: Security Policy Client - Adding Methods to Service [screenshot]
Slide 56: Security Policy Client - Adding Methods to Service [screenshot]
Slide 57: Security Policy Client - Confirmation of Registered Methods [screenshot]
Slide 58: Security Policy Client - Tracking Defined Resources [screenshot]
Slide 59: Security Policy Client - Creating User Role [screenshot]
Slide 60: Security Policy Client - Creating User Role [screenshot]
Slide 61: Security Policy Client - Granting Resource to UR [screenshot]
Slide 62: Security Policy Client - Granting Service to UR [screenshot]
Slide 63: Security Policy Client - Granting Method to UR [screenshot]
Slide 64: Security Policy Client - Confirmation of Method to Role [screenshot]
Slide 65: Security Policy Client - Reviewing Access of Resources to Roles [screenshot]
Slide 66: Security Policy Client - Defining a Signature Constraint [screenshot]
Slide 67: Security Policy Client - Defining a Signature Constraint [screenshot]
The Security Authorization Client
Intended for Authorization Capabilities
Main Objectives:
- Define New User with CLR and LT
- Authorize URs to End Users
- Define Clients
Authorization of Roles to Users Must Satisfy:
- User.CLR Dominates Role.CLS
- Overlap of LTs w.r.t. Current Time
Security Authorization Client: Creating a User
Security Authorization Client: Granting Roles to User
Security Prototype: Tracking Logins and Actions
Security Prototype: Tracking Methods of Resources
Security Assurance
Security Assurance Represents a Confidence Level in the Security Capabilities to Ensure Sensitive Information is Protected From Unauthorized Access and Misuse
Assurance is Needed at:
- Design Time (DT): as the Security Policy is Defined Using our Security Model
- Run Time (RT): via Enforcement as Users/Clients Access Resources in a Secure Manner
Security Assurance is Enumerated and Defined to:
- Ensure Policy Consistency (A & M Tools)
- Check Conditions as Users Access Resources
Assurance Guarantees
Available Time: Maximum Amount of Time Derived from the Intersections of LTs and TCs
Simple Security Property: A Subject Can Read at the Same or Lower Level (Read Down/No Read Up)
Simple Integrity Property: A Subject Can Write to the Same or Lower Level
Safety: No Bad Things Can Happen During Execution
Liveness: All Good Things Can Happen
Available Time
Available Time Represents "When" a Construct is Available for Usage
Comparison of Lifetimes Including:
- Role
- Method
- Current Time
Sets a Limit on When an Action can Occur
The Compare Function for Two LTs (figure only)
Time-Based Guarantees (two slides; formal statements not extracted)
Lemma 1 Conceptually (figure only)
Time-Based Guarantees (formal statement not extracted)
Lemma 2 Conceptually (figure only)
Time-Based Guarantees (formal statement not extracted)
Lemma 3 Conceptually (figure only)
MAC-Based Guarantees
Verify the Behavior of Method Invocation
Differentiate Between Method Types:
- Read-Only Method: Does not Change the State of an Object; Satisfies Simple Security (Read up/No Read Down)
- Read-Write Method: May Change the State of an Object; Satisfies Simple Security (Read up/No Read Down) and Simple Integrity (Write Down/No Write Up)
Assume: Values are Not Returned Through Method Parameters (only Value Parameters)
MAC-Based Guarantees (five further slides; formal statements and figures not extracted)
Safety and Liveness Guarantees
Safety: Nothing bad happens during execution
Liveness: All good things can happen during execution
GOAL: Maximize Safety and Liveness
- Disconnecting from a network increases Safety, but decreases Liveness
- Allowing unlimited access increases Liveness, but decreases Safety
Security Assurance Rules
A Security Assurance Rule Must Hold True for the Security Policy:
- DT: Privilege Definition/Modification
- RT: As Users Perform Actions
Categories of Checks are:
- MACC Domination
- Lifetime
- Time Constraint
- Signature Constraint
- Authorization and Authentication
Security Assurance - Design Time
Rule I: Authorizing Method to UR
Create a VURA and, if the Creation is Successful, set the entry of URAM = 1.
For Authorization to Occur:
- CLS of A must Dominate CLS of M
- LTs of A, M, and TC must Overlap (reset as TC), and the reset TC has an end time after ct
Security Assurance - Design Time
Rule I Conceptually
LTs and TCs must be Contrasted
[Figure: timelines for A.LT, M.LT and TC laid against ct]
Security Assurance - Design Time
Rule II: Authorizing UR to User
Create a VUA and, if the Creation is Successful, set the Entries of UAM and UDAM to 1.
For Authorization to Occur:
- CLR of X must Dominate CLS of A
- LTs of A, X, and TC must Overlap (reset as TC), and the reset TC has an end time after ct
Security Assurance - Design Time
Rule II Conceptually
LTs and TCs Again Constrained
[Figure: timelines for A.LT, X.LT and TC laid against ct]
Security Assurance - Runtime
Rule III: Authorizing UR to User
Runtime Authorization (of user to role).
For Authorization to Occur at Runtime, Rule II must be rechecked (since privileges can dynamically change). The Recheck involves the Overlap of the LTs of X, A, and TC with Respect to the Current Time.
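Rules I to III and the Compare function for two LTs, as an added Python example that is not part of the slides: the roles, methods, users and dates are constructed sample data modelled on the deck's crisis roles, and the closed [start, end] date intervals and the T > S > C > U ordering are my assumptions.

```python
# Added example (not from the slides): the lifetime/time-constraint and
# classification checks behind Rules I, II and III.  Assumptions (mine, not
# stated on the slides): an LT or TC is a closed [start, end] date interval;
# levels are ordered T > S > C > U; the roles, methods, users and dates below
# are constructed sample data modelled on the deck's crisis roles.
from dataclasses import dataclass
from datetime import date

LEVEL_RANK = {"U": 0, "C": 1, "S": 2, "T": 3}   # the deck's MAC lattice


def dominates(high, low):
    """True when level `high` is the same as or above level `low`."""
    return LEVEL_RANK[high] >= LEVEL_RANK[low]


def compare_lifetimes(a, b):
    """The Compare function for two LTs: their intersection as a (start, end)
    tuple, or None when the intervals do not overlap."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return (start, end) if start <= end else None


def available_time(*intervals):
    """Available Time: the intersection of all LTs and TCs involved."""
    result = intervals[0]
    for iv in intervals[1:]:
        result = compare_lifetimes(result, iv)
        if result is None:
            return None
    return result


@dataclass(frozen=True)
class Role:            # user role A: [name, LT, CLS]
    name: str
    lt: tuple
    cls: str


@dataclass(frozen=True)
class Method:          # method M: [name, LT, CLS]
    name: str
    lt: tuple
    cls: str


@dataclass(frozen=True)
class User:            # user X: [name, LT, CLR]
    name: str
    lt: tuple
    clr: str


def rule_i(role, method, tc, ct):
    """Rule I (design time): authorize method M to role A.  CLS(A) must
    dominate CLS(M), and LT(A), LT(M) and TC must overlap; the overlap is the
    reset TC, which must end after ct.  Returns the reset TC or None."""
    if not dominates(role.cls, method.cls):
        return None
    reset_tc = available_time(role.lt, method.lt, tc)
    if reset_tc is None or reset_tc[1] <= ct:
        return None
    return reset_tc


def rule_ii(user, role, tc, ct):
    """Rule II (design time): authorize role A to user X.  CLR(X) must
    dominate CLS(A), and LT(X), LT(A) and TC must overlap into a reset TC
    that ends after ct.  Returns the reset TC or None."""
    if not dominates(user.clr, role.cls):
        return None
    reset_tc = available_time(user.lt, role.lt, tc)
    if reset_tc is None or reset_tc[1] <= ct:
        return None
    return reset_tc


def rule_iii(user, role, tc, ct):
    """Rule III (run time): re-run Rule II at the current time, because
    privileges may have changed, and also require TC.st <= ct <= TC.et."""
    reset_tc = rule_ii(user, role, tc, ct)
    return reset_tc is not None and reset_tc[0] <= ct <= reset_tc[1]


# Constructed sample data (the deck writes these dates as 01dec00, 01jun01, ...).
JPLANNER_CR1 = Role("JPlannerCR1", (date(2000, 12, 1), date(2001, 6, 1)), "S")
JPLANNER_CR2 = Role("JPlannerCR2", (date(2001, 7, 1), date(2001, 9, 1)), "C")
CRISIS_PICTURE = Method("CrisisPicture", (date(2000, 12, 1), date(2001, 12, 1)), "C")
DO_GOOD = User("DoGood", (date(2000, 12, 1), date(2001, 6, 1)), "T")
TC_Q1_2001 = (date(2001, 1, 1), date(2001, 3, 31))

if __name__ == "__main__":
    print(rule_i(JPLANNER_CR1, CRISIS_PICTURE, TC_Q1_2001, date(2001, 1, 15)))
    print(rule_iii(DO_GOOD, JPLANNER_CR1, TC_Q1_2001, date(2001, 2, 1)))
```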
Security Assurance - Runtime
Rule III Conceptually
What is the Time Issue in This Case?
- Must Compare Against Rule II
- Must Also Look at TC vs. ct: TC.et After ct, TC.st Before ct
[Figure: TC laid against ct]
Security Assurance - Runtime
Rule IV: Invoking a Method
N (Name), P (Params), APV (Actual Param Values)
SCOracle is a Constraint Checker that Compares the Parameter Values of M's Invocation against SC:
- returns true if M.parametervalues satisfy SC
- returns false otherwise.
Security Assurance - Runtime
Rule IV Conceptually
Same issues as Rule III (Rule I and TC vs. ct)
Additionally, There is a Constraint Checker:
Defn: CrisisPicture (Token, CrisisNum, Grid1, Grid2)
SC: Grid1 < NA20 and Grid2 < NC40
Call: CrisisPicture (123, 111, NA18, NC45)
Compare the Call Against SC to Determine if it Can be Invoked
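An SCOracle-style constraint checker for Rule IV applied to the CrisisPicture call above, as an added example that is not part of the slides or the prototype: the deck states the constraint but not how grid references are ordered, so the (letters, number) comparison is my assumption.

```python
# Added example (not from the slides): an SCOracle-style constraint checker
# for Rule IV.  Assumption (mine): a grid reference such as NA18 compares by
# its letter prefix first and then numerically by the trailing digits.
import operator
import re

GRID_RE = re.compile(r"^([A-Z]+)(\d+)$")


def grid_key(ref):
    """Split a grid reference into a comparable (letters, number) key."""
    m = GRID_RE.match(ref)
    if not m:
        raise ValueError(f"bad grid reference: {ref!r}")
    return m.group(1), int(m.group(2))


OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "=": operator.eq, "!=": operator.ne}


def parse_sc(sc):
    """Parse a signature constraint such as 'Grid1 < NA20 and Grid2 < NC40'
    into a list of (param, op, literal) clauses that must all hold."""
    clauses = []
    for term in re.split(r"\s+and\s+", sc.strip(), flags=re.IGNORECASE):
        m = re.match(r"^(\w+)\s*(<=|>=|!=|<|>|=)\s*(\w+)$", term.strip())
        if not m:
            raise ValueError(f"bad constraint clause: {term!r}")
        clauses.append(m.groups())
    return clauses


def to_value(v):
    """Map a value or literal to something comparable: int if numeric,
    a grid key if it looks like a grid reference, else the raw string."""
    if isinstance(v, int):
        return v
    if v.isdigit():
        return int(v)
    if GRID_RE.match(v):
        return grid_key(v)
    return v


def sc_oracle(params, apv, sc):
    """SCOracle: True iff the actual parameter values APV of an invocation
    satisfy the signature constraint SC.  `params` is P (declared parameter
    names) and `apv` holds the actual values in the same order."""
    bound = dict(zip(params, apv))
    for name, op, literal in parse_sc(sc):
        if name not in bound:
            return False   # the constraint names a parameter M does not have
        if not OPS[op](to_value(bound[name]), to_value(literal)):
            return False
    return True


# The deck's Rule IV example: CrisisPicture(Token, CrisisNum, Grid1, Grid2)
# under SC "Grid1 < NA20 and Grid2 < NC40".
CRISIS_PICTURE_PARAMS = ("Token", "CrisisNum", "Grid1", "Grid2")
CRISIS_PICTURE_SC = "Grid1 < NA20 and Grid2 < NC40"


def can_invoke_crisis_picture(token, crisis_num, grid1, grid2):
    """Rule IV's final check for the deck's call: the invocation proceeds
    only when SCOracle accepts the actual parameter values."""
    return sc_oracle(CRISIS_PICTURE_PARAMS, (token, crisis_num, grid1, grid2),
                     CRISIS_PICTURE_SC)


if __name__ == "__main__":
    # The slide's call CrisisPicture(123, 111, NA18, NC45): NC45 is not < NC40.
    print(can_invoke_crisis_picture(123, 111, "NA18", "NC45"))
```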
Safety and Liveness Theorems (four slides; formal statements not extracted)
Related Work: Security Assurance
Motivation and Need within DoD [C4I99, DARP00, DoD88, Tete99]
Abstract Study of Assurance [Alfo01, Garv98, McCu91, Maco01]
Role Administration Participates in Assurance:
- Separation of Duty [Ahn99, Both01, Garv98, Glig98, Nyan93, Osob00, Simo97]
- Mutual Exclusion [Bert97, Kand01, Khun97]
- Role Hierarchies [Demu95, Ferr97, Hu95, Jans98, Moff99, Sand96, Spoo89]
- Administration Mechanisms [Awis97, Murl01, Nyan94, Sand99]
What is Role Delegation?
Role Delegation is a User-to-User Relationship that Allows One User to Transfer Responsibility for a Particular Role to Another Individual
Two Major Types of Delegation:
- Administratively-directed Delegation: an Administrative Infrastructure Outside the Direct Control of a User Mediates the Delegation
- User-directed Delegation: a User (Playing a Role) Determines If and When to Delegate a Role to Another User
In Both, Security Administrators Still Oversee Who Can Do What When w.r.t. Delegation
Work of M. Liebrand (Rensselaer at Hartford)
Why is Role Delegation Important?
Many Different Scenarios Under Which Privileges May Need to be Passed to Other Individuals
- Large organizations often require delegation to meet demands on individuals in specific roles for certain periods of time
- True in Many Different Sectors: Financial Services, Engineering, Academic Setting
Key Issues:
- Who Controls Delegation to Whom?
- How are Delegation Requirements Enforced?
What Can be Delegated?
Authority to Do the Task Carries the Least Responsibility Necessary to Execute the Task, but Does Mean the Delegated User Can Execute the Delegated Task or Role.
Responsibility to Do a Task Implies Accountability and a Vested Interest that a Task or Role Can Be Executed Properly.
Duty to Perform a Task Implies that the Delegated User is Obligated to Execute the Given Task.
Our Focus: Delegate Authority Only
Our Focus for Delegation
Extensions to the Unified Security Model:
- Identify Roles that are Delegatable
- Distinguish: Original and Delegated Users
- Delegation Authority and Delegated Role
Detailed Example to Illustrate Concepts
Analysis of Role Delegation Capabilities
Investigation of SPC, SAC, and SDC in Support of Delegation
Security Assurance for Delegation
Role Delegation Extensions
Definition 19: A delegatable UR, DUR, is a UR that is eligible for delegation.
Definition 20: The delegatable UR vector, DURV, is defined for all r as:

$$ DURV(UR_i) = \begin{cases} 1 & \text{if } UR_i \text{ is a DUR} \\ 0 & \text{if } UR_i \text{ is not a DUR} \end{cases} $$

Delegatable URs (from Slide 33):
- [CDR_CR1, [01dec00, 01dec01], T]
- [JPlannerCR1, [01dec00, 01jun01], S]
- [JPlannerCR2, [01jul01, 01sep01], C]
DURV(A) = 1 for A = CDR_CR1, JPlannerCR1 and JPlannerCR2
DURV(A) = 0 for A = ArmyLogCR1 and ArmyLogCR2
Role Delegation Extensions
Definition 21: An original user, OU ∈ UL, is authorized to the UR such that there exists a VUA for the OU/UR, i.e., UAM(UR, OU) = 1.
- OU: Authorized to the UR via the Regular Process
- Implies Not Eligible for Delegation
Definition 22: A delegated user, DU ∈ UL, is a user eligible to be delegated a UR by an OU or a DU (there is not a VUA, i.e., UAM(UR, DU) ≠ 1).
- A DU of a UR cannot be an OU for the same UR
Examples of OUs and DUs

User-Role      OUs          DUs
ArmyLogCR1     DoRight      DoBest, DoGood, CanDoRight
ArmyLogCR2     CanDoRight   DoBest, DoGood, DoRight
JPlannerCR1    DoGood       DoBest, DoRight, CanDoRight
JPlannerCR2    DoGood       DoBest, DoRight, CanDoRight
CRC_CR1        CDR_CR1      DoGood, DoRight, CanDoRight
Role Delegation Extensions
Definition 23: User delegation/authorization matrix, UDAM:
Represents who is a DU, OU, or Neither
UDAM Entries are:
- Initially All Set to False
- Set to 1 Whenever a User is an OU
- Set to 2 Whenever a User is a DU
Recall Rule II Set UDAM = 1

$$ UDAM(UR_i, U_j) = \begin{cases} 0 & \text{if } U_j \text{ is not authorized to } UR_i \\ 1 & \text{if } U_j \text{ is an OU of } UR_i \\ 2 & \text{if } U_j \text{ is a DU of } UR_i \end{cases} $$
Delegation and Pass-on Delegation Authorities
When Establishing Privileges (by the Security Officer) there must be the Ability to Define:
- Delegation Authority (DA)
  - Recall: the Security Officer can Delegate a Role to a User
  - DA Means that the Security Officer Can Delegate the Authority to Delegate to another User
  - The Role Can be Delegated by one User to Another; However, the Delegation Authority Cannot
- Pass-on Delegation Authority (PODA)
  - PODA Augments DA to Allow the Delegation Authority to Also be Delegated as Part of the Delegation of a Role to a User
Role Delegation Extensions
Definition 24: Delegation authority, DA, is given to the OU to allow delegation of a DUR.
Definition 25: Pass-on delegation authority, PODA, allows an OU (DU) to pass on DA for a DUR to another user (OU or DU).
Definition 26: Delegation authority matrix, DAM:
- 0: DU has Neither DA Nor PODA
- 1: DU has Just DA
- 2: DU has Both DA and PODA

$$ DAM(UR_i, U_j) = \begin{cases} 0 & \text{if } U_j \text{ has neither DA nor PODA for } UR_i \\ 1 & \text{if } U_j \text{ has only DA for } UR_i \\ 2 & \text{if } U_j \text{ has DA and PODA for } UR_i \end{cases} $$
Example of DA and PODA
- JPlannerCR1: DoGood has DA
- JPlannerCR2: DoGood has DA
- CDR_CR1: DoBest has both DA and PODA
- All Other Entries have Neither DA Nor PODA

Delegation Authority Matrix (DAM): 2 = has DA and PODA, 1 = has DA, 0 = neither

User\User-Role   ArmyLogCR1   ArmyLogCR2   JPlannerCR1   JPlannerCR2   CDR_CR1
DoBest           0            0            0             0             2
DoGood           0            0            1             1             0
DoRight          0            0            0             0             0
CanDoRight       0            0            0             0             0
Recall UAM and URAM Matrices

User Authorization Matrix (UAM): 1 = authorized, 0 = not

User\User-Role   ArmyLogCR1   ArmyLogCR2   JPlannerCR1   JPlannerCR2   CDR_CR1
DoBest           0            0            0             0             1
DoGood           0            0            1             1             0
DoRight          1            0            0             0             0
CanDoRight       0            1            0             0             0

User-Role Authorization Matrix (URAM): 1 = UR authorized to invoke Method, 0 = otherwise

Method\User-Role       ArmyLogCR1   ArmyLogCR2   JPlannerCR1   JPlannerCR2   CDR_CR1
ArmyBattleCommandSys   1            1            1             1             1
CrisisPicture          1            1            1             1             1
MarineCombatOpnsSys    0            0            1             1             1
LogPlanningTool        1            1            0             0             1
Augment with DAM and UDA﻿M Matrices

Delegation Authority Matrix (DAM): 2 = has DA and PODA, 1 = has DA, 0 = neither

User\User-Role   ArmyLogCR1   ArmyLogCR2   JPlannerCR1   JPlannerCR2   CDR_CR1
DoBest           0            0            0             0             2
DoGood           0            0            1             1             0
DoRight          0            0            0             0             0
CanDoRight       0            0            0             0             0

User Delegation/Authorization Matrix (UDAM): 2 = U is a DU, 1 = U is an OU, 0 = not authorized

User\User-Role   ArmyLogCR1   ArmyLogCR2   JPlannerCR1   JPlannerCR2   CDR_CR1
DoBest           0            0            0             0             1
DoGood           0            0            1             1             0
DoRight          1            0            0             0             0
CanDoRight       0            1            0             0             0
Example - Role Delegation
General DoBest Delegates his Role to Colonel DoGood with DA, where DoBest, CDR_CR1, and DoGood are defined as:
OU: [DoBest, [ct, ], T]
UR: [CDR_CR1, [01dec00, 01dec01], T]
UA: [DoBest, CDR_CR1, [01dec00, 01dec01]]
DA: Yes
PODA: Yes
After Delegation:
DU: [DoGood, [01dec00, 01jun01], T]
UA: [DoGood, CDR_CR1, [01dec00, 01jun01]]
Example - Role Delegation
Now, Colonel DoGood wishes to re-delegate CDR_CR1 to Major CanDoRight, which can be defined as:
DU: [DoGood, [01dec00, 01jun01], T]
UR: [CDR_CR1, [01dec00, 01dec01], T]
UA: [DoGood, CDR_CR1, [01dec00, 01jun01]]
DA: Yes
PODA: No
After Delegation:
DU: [CanDoRight, [01jan01, 01feb01], T]
UA: [CanDoRight, CDR_CR1, [01dec00, 01jun01]]
Related Work: Role Delegation
Role Administration [Awis97]
Delegation with RBAC [Bark00, Na00]
Delegation Principals [Zhang01]
Similarities and Differences:
- In Our Approach, the OU Maintains Control of Delegation; a DU Cannot Give Delegation Authority
- Our Approach is Dynamic, in that Delegations have LTs Changeable During Runtime
- Our Delegation Incorporates MACC
- We extend Zhang's Definitions to Include Delegation Authority, Revocation Authority, Delegated Role, and Delegatable Role
Enforcement Framework and Role Delegation Revocation Rules
User-to-User Delegation Authority Rule: A User (OU or DU) Who is a Current Member of a Delegatable Role (DUR) Can Delegate that User Role to Any User that Meets the Prerequisite Conditions of the Role:
- The DU Receiving the Role is Not a Member of the Role;
- The OU or DU is Identified As Having Delegation Authority for the Role;
- The DU Meets the Mandatory Access Control Constraints (MACC).
Enforcement Framework and Role Delegation Revocation Rules
Delegation Revocation Authorization Rule: An Original User Can Revoke Any Delegated User From a User Role in Which the OU Executed the Delegation.
- This is a Stricter Interpretation than [Zhan01], Which Allows Any OU of a Role Revocation Authority Over a DU in the Delegation Path.
- In Addition, a Security Administrator Can Revoke Any Delegation.
Cascading Revocation Rule: Whenever an OU or DU in the delegation path is revoked, all DUs in the path are revoked.
Analysis of Role Delegation
Analysis of Role Delegation Against a Set of Common Criteria:
- Monotonicity
- Permanence
- Totality
- Administration
- Levels of Delegation
- Multiple Delegation
- Agreements
- Cascading Revocation
- Grant-dependency Revocation
We'll Define and Discuss Each
Analysis of Role Delegation: Monotonicity
Definition: Monotonicity Refers to the State of Control the OU Possesses After Role Delegation
- Monotonic Delegation Means That the OU Maintains Control of the Delegated Role
- Non-monotonic Means That the OU Passes Control of the Role to the DU
Our Approach Utilizes Monotonic Delegation, Since We Believe that for Assurance it is Critical to Exercise a Level of Control W.R.T. Delegation
Analysis of Role Delegation: Permanence
Definition: Permanence Refers to Delegation in Terms of Time Duration
- Permanent Delegation is When a DU Permanently Replaces the OU
- Temporary Delegation Has an Associated Time Limit With Each Role
Our Approach Utilizes Temporary Delegation, Since Temporal Constraints (LTs/TC) Are an Important Part of Our Unified Security Model
Analysis of Role Delegation: Totality
Definition: Totality Refers to How Completely the Permissions Assigned to the Role Are Delegated
- Partial Delegation Refers to the Delegation of a Subset of the Permissions of the Role
- Total Delegation Refers to the Situation where All of the Permissions of the Role Are Delegated
Our Approach Utilizes Total Delegation, Since we Believe Partial Delegation Defeats the Purpose of URs and the Assignment of Methods to a UR under TCs/SCs
Partial Delegation is Achievable by Defining Special Roles that are Delegatable
Analysis of Role Delegation: Administration
Definition: Administration Refers to how Delegation will be Administered
- User-Directed is when the User Controls all Aspects of Delegation
- Administrator-Directed (Third-party, Agent-directed) is when Control is with the Security Officer
Our Approach Utilizes a Combination of Both, Allowing the Security Officer to Establish DA/PODA and the User to Determine to "Whom" the Delegation will Occur
Analysis of Role Delegation: Levels of Delegation
Definition: Levels of Delegation Refers to the Ability of a DU to Further Delegate a Role (PODA) and the Number of Vertical Levels the Delegated Role Can Be Delegated
- Boolean Control: Roles Can Be Re-delegated Until a Delegating User Says No
- Integer Control: Roles can be Re-delegated until a Fixed Number of Re-delegations Occur
Our Approach Utilizes Modified Boolean Control via the DA/PODA:
- If PODA is not Given, Delegation Stops
- Prototype has a Limit of either 2 or 3 Levels
Analysis of Role Delegation: Multiple Delegations
Definition: Multiple Delegations Refers to the Number of Delegated Users (DU) (Horizontally) to Whom a Delegatable User Role (DUR) Can Be Delegated at Any Given Time
Our Approach Includes Unlimited Delegations in Our Security Model, Since We Want to Maintain the User's Flexibility
- A Limit on the Number of DUs to a Role is Subjective.
- Subjective Limits Are Not Often Enforced; There Are No Hard Bases for Them
Analysis of Role Delegation: Agreements
Definition: Agreements Refer to the Delegation Protocol of the OU to the DU
- Bilateral Agreements: the DU Needs to Accept the Delegated Role
- Unilateral Agreements: the OU Delegates the UR Permissions and the DUs Are Not Required to Accept or Even Acknowledge the Delegation
Our Approach Utilizes Unilateral Agreements
Analysis of Role Delegation: Cascading Revocation
Definition: Cascading Revocation Refers to the Indirect Revocation of All DUs When the OU Revokes Delegation or Administration Revokes the OU's Delegated Role
Non-cascading Revocation Could Be Useful in the Event a Middle-Manager User Is Fired Without Replacement and Subordinates Need to Execute the Vacated Roles
Our Approach Utilizes Cascading Revocation and will Handle the Non-Cascading Case via Security Administrative Tools (Changing Privileges)
Analysis of Role Delegation: Grant-Dependency Revocation
Definition: Grant-Dependency Revocation Refers to Who Has Authority to Revoke a DU
- Grant-Dependent Revocation Only Allows the OU to Revoke the Delegated Role
- Grant-Independent Revocation Allows Any Original Member of the DUR to Revoke a Delegated Role
Our Approach Utilizes a Limited Form of Grant-independent Revocation Where Only the DU and the Security Administrator Can Revoke a DUR
Role Delegation Process: Security Management Tools
Examine the Process of Delegation
Utilize the Military Application
Explore:
- Security Policy Client
- Security Authorization Client
- Security Delegation Client
  - SDC is a New Administrative Tool Utilized by Both the Security Officer and the End User
Focus on their role in Delegation Administration
Screen Bit Maps are Ordered to Illustrate a Process
Security Policy Client: Registration of Resources
Security Policy Client: Creation of Administration Role
Security Authorization Client: Granting of Role(s) to User(s)
Security Policy Client: Cdr. Crisis 1 Role/Conflicting Role List
Security Policy Client: Granting of Resource(s) to Role(s)
Security Policy Client: Granting of Service(s) to Role(s)
Security Policy Client: Granting of Method(s) to Role(s)
Security Policy Client: Query Privileges
Security Authorization Client: Create a User
Security Authorization Client: Create a User (continued)
Security Authorization Client: Granting a Role
Security Authorization Client: Granting a Role with DA/PODA
Security Authorization Client: Granting a Role with DA/PODA (continued)
Security Authorization Client: Query Privileges
Security Authorization Client: Query Privileges - Results
The Security Delegation Client
Security Delegation Client: Log on to the Security Delegation Client
Security Delegation Client: Attempt to Perform a Delegation
Security Delegation Client: Attempt to Perform a Delegation (continued)
Security Delegation Client: Query a User's Role
Security Delegation Client: Revocation of Delegation
Security Delegation Client: Revocation of Delegation (continued)
Security Delegation Client: Denying Log in if UR not Available
Security Delegation Client: Denying Delegation if MAC Violated
Security Delegation Client: Denying Delegation if TC Violated
Security Delegation Client: Denying Delegation if no Delegatable Roles
Security Delegation Client: Pass on Delegation Restriction
Security Delegation Client: Example
DoBest delegates a role to DoGood without pass-on delegation; when DoGood delegates this role to DoRight, he can't delegate it with pass-on delegation.
Security Delegation Client: Delegation Matrix within SDC
DoBest (T): ArmyLogCR1 (C)
Chip (T): ArmyLogCR1 (C)
DoGood (S): ArmyLogCR1 (C)
DoRight (C): ArmyLogCR1 (C)
When the Original user revokes this role, the role matrix is revoked within SDC
Security Delegation Client: Example
DoBest delegates a role to DoGood
DoGood delegates this role to other users
Security Delegation Client: Example
DoBest revokes the role delegated to DoGood
The roles delegated by DoGood are erased at the same time.
Design Time Security Assurance for Delegation
Design Time Checks: Policy Realization
- MACC Domination: CLR Dominates CLS
- Role Delegation: DU Not Already a Role Member
- User to User Delegation Authority: Must Check the User Delegation Authority Matrix; DU Meets MACC Requirements
- Lifetime Consistency: DU's LT Must be Within OU's LT
- Modified Boolean Delegation: OU can Delegate and Pass on Delegation Authority; DU cannot Pass On Delegation Authority
These are Checks in SPC, SAC, and SDC
Run Time Security Assurance for Delegation
Executed While Running the Distributed Application:
- MACC Domination
- Role Delegation
- User to User Delegation Authority
- Lifetime Consistency
- Modified Boolean Delegation
Additional checks:
- Delegation Revocation Authorization Rule: OU/DU Can Revoke Any Initiated Delegation
- Cascading Revocation Rule: Whenever an OU is Revoked, the OU's Delegations are Revoked, Including Passed On Delegations
These are Checks by the Enforcement Framework as supported with USR
Security Assurance - Design Time
Rule V: Assigning Delegation Authority
UDAM(A, X) = 1 implies that UAM(A, X) = 1 by Rule II.
Rule V establishes DA for user X to role A in the case where X is an OU.
Theorem V (formal statement not extracted)
Security Assurance - Design Time
Rule VI: DA and PODA
A User must have DA in order to have PODA, i.e., a User cannot have PODA without DA.
UDAM(A, X) = 1 implies that UAM(A, X) = 1 by Rule II.
Rule VI establishes, respectively, DA/PODA for user X to role A in the case where X is an OU.
Security Assurance - Design Time
Rule VII: Delegation of UR
The delegation sets UAM and UDAM for the DU and DR.
Y is a DU of A, and X satisfies Rule V or VI, for Y to be authorized to A; hence UAM(A, Y) = 1.
Security Assurance - Design Time
Rule VIII: Delegation of DA/PODA
Passing on of DA or DA/PODA from a user (either OU or DU) to another DU.
Rule VIII establishes, respectively, DA or DA/PODA for user Y, a DU of role A, and assumes Rule VII is satisfied.
Theorems VI, VII, and VIII
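The delegation rules from the preceding slides (UAM/UDAM, DA/PODA in Rules V to VIII, the modified boolean delegation rule and cascading revocation from the run-time checks) as an added Python model; this is illustration written for this page, not code from the deck or its enforcement framework. The class layout, method names and the reading that a DU receives DA but never PODA are assumptions of the example.

```python
# Added example (not from the slides): a small model of the deck's delegation rules,
# i.e. UAM/UDAM, DA/PODA, modified boolean delegation and cascading revocation.
from dataclasses import dataclass, field


@dataclass
class DelegationState:
    uam: dict = field(default_factory=dict)   # (role, user) -> 1 if user is authorized to role
    udam: dict = field(default_factory=dict)  # (role, user) -> 1 if authorized via delegation
    da: set = field(default_factory=set)      # (role, user) pairs holding delegation authority
    poda: set = field(default_factory=set)    # pairs that may pass DA on (OUs only)
    delegated_by: dict = field(default_factory=dict)  # (role, du) -> user who delegated

    def assign_ou(self, role, user, da=False, poda=False):
        """Security officer authorizes an OU (Rules II, V, VI): PODA requires DA."""
        if poda and not da:
            raise ValueError("Rule VI: a user cannot have PODA without DA")
        self.uam[(role, user)] = 1
        if da:
            self.da.add((role, user))
        if poda:
            self.poda.add((role, user))

    def delegate(self, role, src, dst, pass_da=False):
        """Rules VII/VIII: src delegates role to dst; only a PODA holder passes DA on."""
        if self.uam.get((role, src)) != 1 or (role, src) not in self.da:
            raise PermissionError("delegator must be authorized to the role and hold DA")
        if pass_da and (role, src) not in self.poda:
            raise PermissionError("modified boolean delegation: a DU cannot pass DA on")
        self.uam[(role, dst)] = 1
        self.udam[(role, dst)] = 1
        self.delegated_by[(role, dst)] = src
        if pass_da:
            self.da.add((role, dst))  # the DU receives DA but never PODA

    def revoke(self, role, user, by=None):
        """Revocation rule: 'by' (if given) must be the initiator; cascading rule: drop all of user's delegations."""
        if by is not None and self.delegated_by.get((role, user)) != by:
            raise PermissionError("only the user who initiated the delegation may revoke it")
        for (r, du), src in list(self.delegated_by.items()):
            if r == role and src == user:
                self.revoke(r, du)  # passed-on delegations go too
        for table in (self.uam, self.udam, self.delegated_by):
            table.pop((role, user), None)
        self.da.discard((role, user))
        self.poda.discard((role, user))

    def consistent(self):
        """Design-time invariants: UDAM(A, X) = 1 implies UAM(A, X) = 1; PODA implies DA."""
        return all(self.uam.get(k) == 1 for k, v in self.udam.items() if v == 1) and self.poda <= self.da
```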
Assessment of RBAC/MAC Model/Framework
Intent is to Assess the Capabilities of RBAC/MAC Model and Security Framework
Analysis vs. SSE-CMM
  SSE-CMM: Standard Security Model
  Compare/Contrast Model/Framework (including Assurance) Against SSE-CMM
  Use SSE-CMM as a Benchmark to Evaluate the Degree We Meet ISO Requirements
Evaluation vs. Dynamic Coalitions (DCs)
  Represent via the RBAC/MAC Model Security Features/Requirements of DCs
  Can RBAC/MAC Model Represent DCs? What Features are Good? Need to be Added?
Analysis vs. SSE-CMM
What is SSE-CMM?
An ISO Standard Model For Capturing the Essential Characteristics of an Organization’s Security Engineering Process
The Model is a Standard for Security Engineering Practices Covering:
  Life Cycle Management of All Activities
  Management, Organizational, and Engineering Activities
  Concurrent Interactions (Software, Hardware, Humans, Organizations)
  Certification, Accreditation, and Evaluation
Analysis vs. SSE-CMM
Why was SSE-CMM Developed?
Objective:
  Advance Security Engineering As a Defined, Mature, and Measurable Discipline
Project Goal:
  Develop a Mechanism to Enable:
    Selection of Appropriately Qualified Security Engineering Providers
    Focused Investments in Security Engineering Practices
    Capability-based Assurance
Analysis vs. SSE-CMM
SSE-CMM Engineering Process Areas
  Administer Security Controls
  Assess Impact
  Assess Security Risk
  Assess Threat
  Assess Vulnerability
  Build Assurance Argument
  Coordinate Security
  Monitor Security Posture
  Provide Security Input
  Specify Security Needs
  Verify and Validate Security
Analysis vs. SSE-CMM
SSE-CMM Model Architecture
[Figure (dated 10/24/96): SSE-CMM Model Architecture: a Domain is divided into Process Areas, each divided into Base Practices; Process Areas are grouped under Organization, Project, and Security Engineering]
Compare and Contrast RBAC/MAC Model and Framework w/Standard
SSE-CMM: 11 Process Areas/61 Base Practices
  PA01: Administer Security Controls
    Base Practice 01: Establish Responsibilities and Accountability for Security Controls
    Base Practice 02: Manage the Configuration of Security System Controls
Work in Progress
Evaluation vs. DCP
What is DCP?
[Figure: Dynamic Coalition diagram: U.S. Global C2 Systems (GCCS, Joint Command System) and Army C2 (ABCS / Army Battle Command System, GCCS-A, MCS, ASAS, CSSCS, AFATDS, FADD, Battle Management System, Combat Operations System, Other) across the Army, Navy, Air Force and Marine Corps, in a Dynamic Coalition with U.S.A, U.N., NATO and NGO/PVO participants]
Dynamic Coalition Problem (DCP): the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition being Formed Quickly
Evaluation vs. DCP
Suitability of Our Approach for DCP
Detailed Evaluation of DCP w.r.t. Security Model
  Utility of Multiple Roles for Users
  Relevance of Data Value Constraints and Time Limitations on Users
  Examination of API Level Control of Resources
  Importance of Multi-level Secure Capabilities
  Security Assurance at Design/Run Times
Extrapolating from GCCS to DCP
  Evolve from GCCS to DCP
  What are the Issues and Problems to Solve?
Status: Work in Progress at this Time
Summary: Research Innovations
Unification of Mandatory Access Control (MAC) and Role-based Access Control (RBAC) Features
  Realization of MAC: Bell and LaPadula Model
  Highly Flexible RBAC Capabilities
Security Policy Realization
  Change Policy on the Fly
Broad Use of Constraints: Fine-Grained Security
  User Constraints and Role Constraints
  Time Constraints and Signature Constraints
Security Assurance at Design and Run Times
  DT Checks as Security Policy is Defined
  RT Checks for Invocation/Delegation
Summary: Additional Contributions
Working Prototype that can Administer Multiple Security Policies Against Multiple Resources in a Distributed Environment Supporting JINI/CORBA
A Well Defined Security Model which Supports Security Policy Definition via Administrative and Management Tools with Security Assurance:
  Security Policy Client (SPC)
  Security Authorization Client (SAC)
  Security Analysis Tool (SAT)
  Security Delegation Client (SDC)
Summary: Remaining Research
Security Model that Unifies RBAC/MAC
  Finer Grained MAC
    Classification Levels on a Method’s Signature
    Investigate Time-Constrained Classification
  User Constraints
  Role Deconfliction
Security Policy and Enforcement Assurance
  Detailing all Design and Run Time Checks
  Defining Security Assurance for Fine Grained MAC and User Constraints
Completion of Analysis/Evaluation:
  Model/Framework vs. CMU Security Model
  Evaluation of Utility in Support of DCP
Summary: Publications to Date
Initial Security Model
  S. Demurjian, T. C. Ting, P. Barr, C. Phillips, “Role-Based Security in a Distributed Resource Environment”, Proc. of 14th IFIP WG 11.3 Working Conf. on Database Security, August 2000.
  S. Demurjian, T.C. Ting, C. Phillips, et al., “A User Role-Based Security Model for a Distributed Environment”, in Research Advances in Database and Information Systems Security, J. Therrien (ed.), Kluwer, 2001.
Enhanced Security Model
  C. Phillips, S. Demurjian, T.C. Ting, “Security Engineering for Roles and Resources in a Distributed Environment”, Proc. of the 3rd Annual Information Systems Security Engineering Conf., March 2002.
Summary: Publications to Date (continued)
Relevance of Work for DCP
  C. Phillips, T.C. Ting, S. Demurjian, “Information Sharing in Dynamic Coalitions”, Proc. of the 7th ACM SACMAT 2002, June 2002.
MAC Model Extensions and Security Assurance
  C. Phillips, S. Demurjian, T.C. Ting, “Towards Information Assurance for Dynamic Coalitions”, Proc. of the 3rd IEEE Info. Assurance Workshop, June 2002.
  C. Phillips, S. Demurjian, T.C. Ting, “Security Assurance for an RBAC/MAC Security Model and Enforcement Framework”, CSE Technical Report.
Role Delegation Extensions with Assurance
  M. Liebrand, H. Ellis, C. Phillips, S. Demurjian, and T.C. Ting, “Role Delegation for a Distributed, Unified RBAC/MAC”, Proc. 16th IFIP WG 11.3 Conf. on Data and Application Security, July 2002.