Page 1: Analysis and Detection of Access Violations in Componentised Systems

David Llewellyn-Jones, Madjid Merabti, Qi Shi, Bob Askwith
Advances in Computer Security and Forensics – 13th July 2007

Network & Information Security Technology Laboratory
School of Computing and Mathematical Sciences
Liverpool John Moores University
Byrom Street, Liverpool L3 3AF, UK
Email: {D.Llewellyn-Jones, M.Merabti, Q.Shi, R.Askwith}@ljmu.ac.uk
Web: http://www.cms.livjm.ac.uk/NISTL


Page 2: Contents

• Introduction
  – Access control
  – Ubiquitous computing
  – Network elevation of privileges
• Composition access control check
  – Process
  – Implementation
• Experiments and results
• Conclusion

Page 3: Access Control

• In theory
  – A user can access data only if their access level satisfies the access requirements of the data
• In practice
  – A user can only access data via a program

[Figure: in theory, User (access level) → Data (access requirement); in practice, User (access level) → Program (access level, access requirement) → Data (access requirement)]

Page 4: Distributed Access Control

• Taos, local access control
  – Centralised access control
• DSS DACS, DSI, CORBASec
  – Atomic
  – Enforced between pairs of components
• An alternative approach
  – Consider the wider composition structure

Page 5: Ubiquitous Computing

• Networking is wireless and pervasive
• Devices are mobile and plentiful
• Data flows unimpeded
  – Easy access to data from anywhere
  – Access control remains important

Page 6: Network Elevation of Privileges

• Data sent across a network may be vulnerable
  – Inconsistent access requirements
  – Each system individually satisfies its access requirements
  – Combined, incorrect access may occur

[Figure: two systems, System A and System B. Alice's file is read by Alice's program and sent to Bob's program, which writes to a file with access by Bob; a file read by SU's program is likewise sent to Bob's program and written out. Each individual read, write and send is permitted locally.]

Page 7: Solution Overview

• Analyse possible data flow through a network
  – Based on topology and component properties
  – Analysis takes place when the topology changes
  – Access control requirements are checked
  – Composition is only allowed if the requirements are met
• Need to know
  – Connections (data flow) between components
  – Data flow within each component

Page 8: Formalisation

• Each component is defined by four data structures
  – uR, uW ∈ U: effective user ID for read, write
  – dR, dW ∈ D: access requirements of the files read, written by the component
• Access mappings
  – fR, fW : U × D → {0, 1} determine whether read, write access should be granted
• Example: read access control lists
  dR = {Alice, Bob, Fred}, uR = Bob
  fR(uR, dR) = 1 if uR ∈ dR, 0 otherwise

Page 9: Connections Between Components

• Follow data flow through components
  – For example, a simple depth-first traversal
• Match data access requirements with component access levels
  – Maintain dR, dW of the data accessed, and compare them with uR, uW for each component using fR, fW

[Figure: example topology of five connected components, numbered 1–5, and the order in which the traversal visits them]

Page 10: Component Slicing

• Data flow within each component
  – Use slicing to follow the data
  – Applied using pre- and post-conditions

Page 11: Structure Projection

• Follow data flow through components
  – Take internal data flow into account
  – Use slicing to determine this
• Project the structure
  – Project connections onto points
  – Join points if pairs of connections coincide

[Figure: the five-component topology (1–5) and its projected structure]
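The check described on the Formalisation, Connections Between Components and Structure Projection slides, written out as an added example (this is not the authors' MATTS code): components carry uR, uW, dR, dW; fR and fW are ACL membership tests; a depth-first walk carries the ACL of the data read along each connection and compares it with the effective user of every component it reaches. The internal data flow that slicing would produce is assumed as a per-component set of (source, sink) pairs, and the component names and topology are constructed.

```python
from collections import namedtuple

# Access mappings fR, fW : U x D -> {0, 1}; D is modelled as a set of user IDs
# (an access control list), so both checks are ACL membership.
def fR(user, acl):
    return 1 if user in acl else 0
def fW(user, acl):
    return 1 if user in acl else 0

# A component carries uR/uW (effective user for read/write), dR/dW (ACL of the
# file it reads/writes, or None) and 'flow', the internal data flow slicing would
# yield, as (source, sink) pairs over {"file", "net"}. Assumed model, not MATTS.
Component = namedtuple("Component", "name uR uW dR dW flow")

def check_composition(components, connections):
    """Depth-first walk of the data flow; returns a list of violation strings."""
    comps = {c.name: c for c in components}
    succ = {}
    for src, dst in connections:
        succ.setdefault(src, []).append(dst)
    violations = []
    def visit(name, acl, origin, via, seen):
        c = comps[name]
        # data arriving over the network is effectively read by this component,
        # so its effective read user must satisfy the ACL carried with the data
        if via == "net" and not fR(c.uR, acl):
            violations.append(f"{c.name}: {c.uR} may not read data from {origin}")
        for src, sink in c.flow:
            if src != via:
                continue
            if sink == "file" and (c.dW is None or not fW(c.uW, c.dW)):
                violations.append(f"{c.name}: {c.uW} may not write its output file")
            if sink == "net":
                for nxt in succ.get(name, []):
                    if (name, nxt) not in seen:  # each connection once per path
                        visit(nxt, acl, origin, "net", seen | {(name, nxt)})
    for c in components:
        if c.dR is not None:  # local check, then follow the data that was read
            if not fR(c.uR, c.dR):
                violations.append(f"{c.name}: {c.uR} may not read its input file")
            visit(c.name, c.dR, f"{c.name}'s input file", "file", frozenset())
    return violations

# Constructed sample after the "network elevation of privileges" slide: Alice's
# program reads Alice's file and sends it to Bob's program on another system,
# which writes it to a file readable by Bob. Every step is permitted locally.
EXAMPLE_COMPONENTS = [
    Component("AliceProg", "Alice", "Alice", frozenset({"Alice"}), None, {("file", "net")}),
    Component("BobProg", "Bob", "Bob", None, frozenset({"Bob"}), {("net", "file")}),
]
EXAMPLE_CONNECTIONS = [("AliceProg", "BobProg")]
```

Running `check_composition(EXAMPLE_COMPONENTS, EXAMPLE_CONNECTIONS)` reports the single cross-system violation at Bob's program, while the same topology with Bob added to Alice's file ACL passes.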

Page 12: Current Implementation

• Use the MATTS component analysis tool
  – Based on agent components
  – Performs automatic slicing and topology check
  – Currently connections must be input manually

Page 13: Future Implementation

• To exist as a service in the network
  – Properties determined using instrumentation
• Recheck whenever the topology changes
  – Failure means the composition would be refused
  – Success means the access control requirements are guaranteed to be fulfilled
  – Properties cached to reduce overhead

Page 14: Timing Results

• Chain of components
  – Analysed as a single application
  – Analysed using composition analysis
• 600 MHz Intel X-Scale 80321 Processor

Page 15: Conclusion

• Provides a useful distributed access control checking technique
• Implementation suggests a practical solution
  – Intend to implement in a Networked Appliance setting
• Highlights how composition analysis can reduce the impact of state explosion