Upload
others
View
8
Download
0
Embed Size (px)
Citation preview
Information Flow Security for Asynchronous,Distributed, and Mobile Applications
Felipe LUNA DEL AGUILA
OASIS ProjectINRIA Sophia Antipolis
CNRS - I3S - Universite Nice–Sophia Antipolis
Agenda
• Introduction
PhD Defense - jump to start 1
Agenda
• Introduction
• Context (informal and formal perspectives)
PhD Defense - jump to start 1
Agenda
• Introduction
• Context (informal and formal perspectives)
– ProActive
PhD Defense - jump to start 1
Agenda
• Introduction
• Context (informal and formal perspectives)
– ProActive– ASP calculus and communication reduction rules
PhD Defense - jump to start 1
Agenda
• Introduction
• Context (informal and formal perspectives)
– ProActive– ASP calculus and communication reduction rules
• Objectives
PhD Defense - jump to start 1
Agenda
• Introduction
• Context (informal and formal perspectives)
– ProActive– ASP calculus and communication reduction rules
• Objectives
• Related Security Mechanisms
PhD Defense - jump to start 1
Agenda
• Introduction
• Context (informal and formal perspectives)
– ProActive– ASP calculus and communication reduction rules
• Objectives
• Related Security Mechanisms
• The ASP Security Model
PhD Defense - jump to start 1
Agenda
• Introduction
• Context (informal and formal perspectives)
– ProActive– ASP calculus and communication reduction rules
• Objectives
• Related Security Mechanisms
• The ASP Security Model
• Implementation of the Security Model
PhD Defense - jump to start 1
Agenda
• Introduction
• Context (informal and formal perspectives)
– ProActive– ASP calculus and communication reduction rules
• Objectives
• Related Security Mechanisms
• The ASP Security Model
• Implementation of the Security Model
• Conclusion
PhD Defense - jump to start 1
Introduction
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Recent paradigms
PhD Defense - jump to start 2
Introduction
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Recent paradigms
SystemsDistributed
PhD Defense - jump to start 2
Introduction
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Recent paradigms
SystemsDistributed
ProgrammingObject-oriented
PhD Defense - jump to start 2
Introduction
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Recent paradigms
SystemsDistributed
ProgrammingObject-oriented
Service-orientedComputing
PhD Defense - jump to start 2
Introduction
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Recent paradigms
SystemsDistributed
ProgrammingObject-oriented
Service-orientedComputing
Security
PhD Defense - jump to start 2
Introduction
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Recent paradigms
SystemsDistributed
ProgrammingObject-oriented
Service-orientedComputing
Security
Security focused specifically on Information Flow
PhD Defense - jump to start 2
Context
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
ProActive main characteristics
• Middleware library for distributed applications
PhD Defense - jump to start 3
Context
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
ProActive main characteristics
• Middleware library for distributed applications
• 100% Java
PhD Defense - jump to start 3
Context
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
ProActive main characteristics
• Middleware library for distributed applications
• 100% Java
• Existence of passive and active objects
PhD Defense - jump to start 3
Context
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
ProActive main characteristics
• Middleware library for distributed applications
• 100% Java
• Existence of passive and active objects
• Asynchronous communications between active objects
PhD Defense - jump to start 3
Context
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
ProActive main characteristics
• Middleware library for distributed applications
• 100% Java
• Existence of passive and active objects
• Asynchronous communications between active objects
– Principle of wait-by-necessity and futures:1. future reference
PhD Defense - jump to start 3
Context
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
ProActive main characteristics
• Middleware library for distributed applications
• 100% Java
• Existence of passive and active objects
• Asynchronous communications between active objects
– Principle of wait-by-necessity and futures:1. future reference
(ex.: http://www.anysite.com/anypage.html)
PhD Defense - jump to start 3
Context
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
ProActive main characteristics
• Middleware library for distributed applications
• 100% Java
• Existence of passive and active objects
• Asynchronous communications between active objects
– Principle of wait-by-necessity and futures:1. future reference
(ex.: http://www.anysite.com/anypage.html)
2. future value
PhD Defense - jump to start 3
Context
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
ProActive main characteristics
• Middleware library for distributed applications
• 100% Java
• Existence of passive and active objects
• Asynchronous communications between active objects
– Principle of wait-by-necessity and futures:1. future reference
(ex.: http://www.anysite.com/anypage.html)
2. future value
(ex.: HTML error: 404 Not Authorized)
PhD Defense - jump to start 3
ASP semantics and ProActive
• The ASP language entities:
– activity α
α
PhD Defense - jump to start 4
ASP semantics and ProActive
• The ASP language entities:
– activity α, active object a
αActive object
PhD Defense - jump to start 4
ASP semantics and ProActive
• The ASP language entities:
– activity α, active object a, passive objects
αActive object
PhD Defense - jump to start 4
ASP semantics and ProActive
• The ASP language entities:
– activity α, active object a, passive objects, activity β
αActive object
β
PhD Defense - jump to start 4
ASP semantics and ProActive
• The ASP language entities:
– activity α, active object a, passive objects, activity β, active object reference AO(α)
αActive object
β
PhD Defense - jump to start 4
ASP semantics and ProActive
• The ASP language entities:
– activity α, active object a, passive objects, activity β, active object reference AO(α), future
fα→βi and request queue (with pending, current, and completed requests)
αActive object
β
references tofuture values
currentrequest
pendingrequests
Futurevalue
PhD Defense - jump to start 4
ASP semantics and ProActive
• The ASP language entities:
– activity α, active object a, passive objects, activity β, active object reference AO(α), future
fα→βi and request queue (with pending, current, and completed requests), future references
fut(fα→βi )
αActive object
β
references tofuture values
currentrequest
pendingrequests
Futurevalue
f2
current term
Requestparameter
foo
f
f3
PhD Defense - jump to start 4
ASP semantics and ProActive
• The ASP language entities:
– activity α, active object a, passive objects, activity β, active object reference AO(α), future
fα→βi and request queue (with pending, current, and completed requests), future references
fut(fα→βi ), and store σ
αActive object
β
references tofuture values
currentrequest
pendingrequests
Futurevalue
f2
current term
Requestparameter
foo
f
f3
σβ
PhD Defense - jump to start 4
ASP semantics and ProActive
• The ASP language entities:
– activity α, active object a, passive objects, activity β, active object reference AO(α), future
fα→βi and request queue (with pending, current, and completed requests), future references
fut(fα→βi ), and store σ
αActive object
β
references tofuture values
currentrequest
pendingrequests
Futurevalue
f2
current term
Requestparameter
foo
f
f3
σβ
• Parallel configurations are then of the form: P,Q ::= α [a; σ; ι; F ; R; f ] ‖ β [· · · ] ‖ · · ·
PhD Defense - jump to start 4
ASP parallel reduction rules
PhD Defense - jump to start 5
ASP parallel reduction rules
(a, σ) →S (a′, σ′) →S does not clone a future
α[a; σ; ι; F ; R; f ] ‖ P −→ α[a′; σ′; ι; F ; R; f ] ‖ P(local)
γ fresh activity ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ σγ = copy(ι′′, σ)
α[R[Active(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→ α[R[ι′]; σ′; ι; F ; R; f ] ‖ γ[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P(newact)
σα(ι) = AO(β) ι′′ 6∈ dom(σβ) fα→βi new future ιf 6∈ dom(σα)
σ′β = Copy&Merge(σα, ι′ ; σβ, ι′′) σ′α = {ιf 7→ fut(fα→βi )} :: σα
α[R[ι.mj(ι′)]; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→
α[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σ′β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P
(request)
R = R′ :: [mj; ιr; f ′] :: R′′ mj ∈ M ∀m ∈ M, m /∈ R′
α[R[Serve(M)]; σ; ι; F ; R; f ] ‖ P −→ α[ι.mj(ιr) ⇑ f,R[[]]; σ; ι; F ; R′ :: R′′; f ′] ‖ P(serve)
ι′ 6∈ dom(σ) F ′ = F :: {f 7→ ι′} σ′ = Copy&Merge(σ, ι ; σ, ι′)
α[ι ⇑ f ′, a; σ; ι; F ; R; f ] ‖ P −→ α[a; σ′; ι; F ′; R; f ′] ‖ P(endservice)
σα(ι) = fut(fγ→βi ) Fβ(f
γ→βi ) = ιf σ′α = Copy&Merge(σβ, ιf ; σα, ι)
α[aα; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→α[aα; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P
(reply)
PhD Defense - jump to start 5
ASP parallel reduction rules
(a, σ) →S (a′, σ′) →S does not clone a future
α[a; σ; ι; F ; R; f ] ‖ P −→ α[a′; σ′; ι; F ; R; f ] ‖ P(local)
γ fresh activity ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ σγ = copy(ι′′, σ)
α[R[Active(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→ α[R[ι′]; σ′; ι; F ; R; f ] ‖ γ[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P(newact)
σα(ι) = AO(β) ι′′ 6∈ dom(σβ) fα→βi new future ιf 6∈ dom(σα)
σ′β = Copy&Merge(σα, ι′ ; σβ, ι′′) σ′α = {ιf 7→ fut(fα→βi )} :: σα
α[R[ι.mj(ι′)]; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→
α[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σ′β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P
(request)
R = R′ :: [mj; ιr; f ′] :: R′′ mj ∈ M ∀m ∈ M, m /∈ R′
α[R[Serve(M)]; σ; ι; F ; R; f ] ‖ P −→ α[ι.mj(ιr) ⇑ f,R[[]]; σ; ι; F ; R′ :: R′′; f ′] ‖ P(serve)
ι′ 6∈ dom(σ) F ′ = F :: {f 7→ ι′} σ′ = Copy&Merge(σ, ι ; σ, ι′)
α[ι ⇑ f ′, a; σ; ι; F ; R; f ] ‖ P −→ α[a; σ′; ι; F ′; R; f ′] ‖ P(endservice)
σα(ι) = fut(fγ→βi ) Fβ(f
γ→βi ) = ιf σ′α = Copy&Merge(σβ, ιf ; σα, ι)
α[aα; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→α[aα; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P
(reply)
PhD Defense - jump to start 5
Reduction rules: 1) New Activity
γ fresh activity ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ
α[R[Active(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→α[R[ι′]; σ′; ι; F ; R; f ] ‖ γ[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P
α γσ γσ
PhD Defense - jump to start 6
Reduction rules: 1) New Activity
γ fresh activity copy(ι′′,σ) = σγ ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ
α[R[Active(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→α[R[ι′]; σ′; ι; F ; R; f ] ‖ γ[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P
α γσ γσ
Object toactivate
i”
PhD Defense - jump to start 6
Reduction rules: 1) New Activity
γ fresh activity copy(ι′′,σ) = σγ
i”.m ()j
α γσγσ
Active object
PhD Defense - jump to start 7
Reduction rules: 1) New Activity
γ fresh activity copy(ι′′,σ) = σγ ι′ 6∈ dom(σ) σ′= {ι′ 7→ AO(γ)} :: σ
α[R[Active(ι′′, mj)];σ; ι; F ; R; f ] ‖ P −→α[R[ι′];σ′; ι; F ; R; f ] ‖ γ[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P
i”.m ()j
α γσγσ
Active object
AO( )γ
’
i’
PhD Defense - jump to start 7
Reduction rules: 2) Request
σα(ι) =AO(β)
fα→βi new future ιf 6∈ dom(σα) {ιf 7→ fut(fα→β
i )} :: σα = σ′α
α[R[ι.mj(ι′)]; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→
α[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σ′
β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P
σβ
i.m ( i’ )j
βα σα
βAO( )i
Active object
PhD Defense - jump to start 8
Reduction rules: 2) Request
σα(ι) =AO(β) ι′′ 6∈ dom(σβ) Copy&Merge(σα, ι′ ; σβ, ι′′) = σ′β
fα→βi new future ιf 6∈ dom(σα) {ιf 7→ fut(fα→β
i )} :: σα = σ′α
α[R[ι.mj(ι′)]; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→
α[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σ′
β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P
σβ
i.m ( i’ )j
βα σα
βAO( )i
Active object
i’
Requestparameter
PhD Defense - jump to start 8
Reduction rules: 2) Request
σα(ι) =AO(β) ι′′ 6∈ dom(σβ) Copy&Merge(σα, ι′ ; σβ, ι′′) = σ′β
i.m ( i’ )j
βα σα
βAO( )i
Active objectβσ ’
Requestparameter
i”
PhD Defense - jump to start 9
Reduction rules: 2) Request
σα(ι) =AO(β) ι′′ 6∈ dom(σβ) Copy&Merge(σα, ι′ ; σβ, ι′′) = σ′β
fα→βi new future
i.m ( i’ )j
βα σα
βAO( )i
Active objectβσ ’
Requestparameter
i”
f α βi
PhD Defense - jump to start 9
Reduction rules: 2) Request
σα(ι) =AO(β) ι′′ 6∈ dom(σβ) Copy&Merge(σα, ι′ ; σβ, ι′′) = σ′β
fα→βi new future ιf 6∈ dom(σα) {ιf 7→ fut(fα→β
i )} :: σα = σ′α
i.m ( i’ )j
βα σα
βAO( )i
Active objectβσ ’
Requestparameter
i”
f α βi
α β
i f
ifut ( f )
’
PhD Defense - jump to start 9
Reduction rules: 2) Request
σα(ι) =AO(β) ι′′ 6∈ dom(σβ) Copy&Merge(σα, ι′ ; σβ, ι′′) = σ′β
fα→βi new future ιf 6∈ dom(σα) {ιf 7→ fut(fα→β
i )} :: σα = σ′α
α[R[ι.mj(ι′)];σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→
α[R[ιf ];σ′α; ια; Fα; Rα; fα] ‖ β[aβ; σ′
β; ιβ; Fβ; Rβ :: [mj;ι′′;fα→β
i ]; fβ] ‖ P
i.m ( i’ )j
βα σα
βAO( )i
Active objectβσ ’
Requestparameter
i”
f α βi
α β
i f
ifut ( f )
’
PhD Defense - jump to start 9
Reduction rules: 3) Reply
σα(ι) =fut(fγ→βi ) Fβ(f
γ→βi ) = ιf = σ′
α
α[aα; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→α[aα; σ′
α; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P
βα σα
ifut ( f )
i
βγ
βσ
futurevalue
fi
PhD Defense - jump to start 10
Reduction rules: 3) Reply
σα(ι) =fut(fγ→βi ) Fβ(f
γ→βi ) = ιf Copy&Merge(σβ, ιf ; σα, ι) = σ′
α
α[aα; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→α[aα; σ′
α; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P
βα σα
ifut ( f )
i
βγ
βσ
futurevalue
fi
PhD Defense - jump to start 10
Reduction rules: 3) Reply
σα(ι) =fut(fγ→βi ) Fβ(f
γ→βi ) = ιf Copy&Merge(σβ, ιf ; σα, ι) = σ′
α
α[aα; σα; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→α[aα; σ′
α; ια; Fα; Rα; fα] ‖ β[aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P
βα σα βσ
i
’
futurevalue
PhD Defense - jump to start 11
Objectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Main objective: Information Flow Control
PhD Defense - jump to start 12
Objectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Main objective: Information Flow Control
1. To guarantee data confidentiality
Confidentiality in MLS: follows the basic principle of no writedown, no read up
PhD Defense - jump to start 12
Objectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Main objective: Information Flow Control
1. To guarantee data confidentiality
Confidentiality in MLS: follows the basic principle of no writedown, no read up
2. Define a security policy to apply to asynchronous,distributed, and mobile applications
PhD Defense - jump to start 12
Objectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Main objective: Information Flow Control
1. To guarantee data confidentiality
Confidentiality in MLS: follows the basic principle of no writedown, no read up
2. Define a security policy to apply to asynchronous,distributed, and mobile applications
Main issue: Presence of asymmetric patterns of communications(result of the future and wait-by necessity concepts)
PhD Defense - jump to start 12
Objectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Main objective: Information Flow Control
1. To guarantee data confidentiality
Confidentiality in MLS: follows the basic principle of no writedown, no read up
2. Define a security policy to apply to asynchronous,distributed, and mobile applications
Main issue: Presence of asymmetric patterns of communications(result of the future and wait-by necessity concepts)
3. Provide a formal security model
PhD Defense - jump to start 12
Objectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Main objective: Information Flow Control
1. To guarantee data confidentiality
Confidentiality in MLS: follows the basic principle of no writedown, no read up
2. Define a security policy to apply to asynchronous,distributed, and mobile applications
Main issue: Presence of asymmetric patterns of communications(result of the future and wait-by necessity concepts)
3. Provide a formal security model which is verifiable
mathematically
PhD Defense - jump to start 12
Objectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Main objective: Information Flow Control
1. To guarantee data confidentiality
Confidentiality in MLS: follows the basic principle of no writedown, no read up
2. Define a security policy to apply to asynchronous,distributed, and mobile applications
Main issue: Presence of asymmetric patterns of communications(result of the future and wait-by necessity concepts)
3. Provide a formal security model which is verifiable
mathematically
4. Propose an architecture for the implementation of the
security model
PhD Defense - jump to start 12
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
– Discretionary Access Controls (DAC)
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
– Discretionary Access Controls (DAC)
• Formal methods
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
– Discretionary Access Controls (DAC)
• Formal methods
– Non-interference
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
– Discretionary Access Controls (DAC)
• Formal methods
– Non-interference
– π-calculus, Asynchronous-π, and Spi calculus
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
– Discretionary Access Controls (DAC)
• Formal methods
– Non-interference
– π-calculus, Asynchronous-π, and Spi calculus
– Ambients, and Mobile Ambients
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
– Discretionary Access Controls (DAC)
• Formal methods
– Non-interference
– π-calculus, Asynchronous-π, and Spi calculus
– Ambients, and Mobile Ambients
– Seals, Boxed Ambients, and Secure Safe Ambients
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
– Discretionary Access Controls (DAC)
• Formal methods
– Non-interference
– π-calculus, Asynchronous-π, and Spi calculus
– Ambients, and Mobile Ambients
– Seals, Boxed Ambients, and Secure Safe Ambients
• Informal approaches
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
– Discretionary Access Controls (DAC)
• Formal methods
– Non-interference
– π-calculus, Asynchronous-π, and Spi calculus
– Ambients, and Mobile Ambients
– Seals, Boxed Ambients, and Secure Safe Ambients
• Informal approaches
– Exceptions (in the security policy)
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
– Discretionary Access Controls (DAC)
• Formal methods
– Non-interference
– π-calculus, Asynchronous-π, and Spi calculus
– Ambients, and Mobile Ambients
– Seals, Boxed Ambients, and Secure Safe Ambients
• Informal approaches
– Exceptions (in the security policy), labels
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
– Discretionary Access Controls (DAC)
• Formal methods
– Non-interference
– π-calculus, Asynchronous-π, and Spi calculus
– Ambients, and Mobile Ambients
– Seals, Boxed Ambients, and Secure Safe Ambients
• Informal approaches
– Exceptions (in the security policy), labels, tickets
PhD Defense - jump to start 13
Related Security Mechanisms
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Models
– Mandatory Access Controls (MAC)
– Discretionary Access Controls (DAC)
• Formal methods
– Non-interference
– π-calculus, Asynchronous-π, and Spi calculus
– Ambients, and Mobile Ambients
– Seals, Boxed Ambients, and Secure Safe Ambients
• Informal approaches
– Exceptions (in the security policy), labels, tickets,
certificates . . .
PhD Defense - jump to start 13
The ASP Security Model
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Syntax and semantics of the security framework
PhD Defense - jump to start 14
The ASP Security Model
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Syntax and semantics of the security framework
• S set of activities acting as subjects, where
α, β, γ, ... ∈ S
PhD Defense - jump to start 14
The ASP Security Model
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Syntax and semantics of the security framework
• S set of activities acting as subjects, where
α, β, γ, ... ∈ S
• D set of data objects sent as arguments in REQUEST
actions: Rqα→β(d)
PhD Defense - jump to start 14
The ASP Security Model
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Syntax and semantics of the security framework
• S set of activities acting as subjects, where
α, β, γ, ... ∈ S
• D set of data objects sent as arguments in REQUEST
actions: Rqα→β(d)
• R is the set of objects associated to futures, and
returned in REPLY actions: Rpβ→α(r)
PhD Defense - jump to start 14
The ASP Security Model (cntd.)Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• L finite set of security levels λ, partially ordered by
the relation ≤, where ∀i ∈ S ∪ D, λi ∈ L
PhD Defense - jump to start 15
The ASP Security Model (cntd.)Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• L finite set of security levels λ, partially ordered by
the relation ≤, where ∀i ∈ S ∪ D, λi ∈ L
processingdata
ms
mt
(task)
targetsubject
r λβ
αλα βλ
aλα
λα
b
( )dλin
dλin
β
λβ
βλ
tx=b.m
PhD Defense - jump to start 15
The ASP Security Model (cntd.)Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• L finite set of security levels λ, partially ordered by
the relation ≤, where ∀i ∈ S ∪ D, λi ∈ L
processingdata
ms
mt
(task)
targetsubject
r λβ
αλα βλ
aλα
λα
b
( )dλin
dλin
β
λβ
βλ
tx=b.m
• Transmissions of d and r are restricted by the security
rules
PhD Defense - jump to start 15
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Actions
• A set of actions, where a ∈ A
PhD Defense - jump to start 16
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Actions
• A set of actions, where a ∈ A
• ASP actions are now rewritten to include security
properties:
PhD Defense - jump to start 16
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Actions
• A set of actions, where a ∈ A
• ASP actions are now rewritten to include security
properties:
Nw(γ, λγ) is a modified NEWACT
PhD Defense - jump to start 16
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Actions
• A set of actions, where a ∈ A
• ASP actions are now rewritten to include security
properties:
Nw(γ, λγ) is a modified NEWACT
Rqα→β(d, λin) is a modified REQUEST
PhD Defense - jump to start 16
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Actions
• A set of actions, where a ∈ A
• ASP actions are now rewritten to include security
properties:
Nw(γ, λγ) is a modified NEWACT
Rqα→β(d, λin) is a modified REQUEST
Rpβ→α(r) is an unchanged REPLY
PhD Defense - jump to start 16
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Actions
• A set of actions, where a ∈ A
• ASP actions are now rewritten to include security
properties:
Nw(γ, λγ) is a modified NEWACT
Rqα→β(d, λin) is a modified REQUEST
Rpβ→α(r) is an unchanged REPLY
• In general,
a = {Nw(γ, λγ), Rqα→β(d, λin), Rpβ→α(r)}
PhD Defense - jump to start 16
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Additional entities
• M matrix of explicit (discretionary) rights
PhD Defense - jump to start 17
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Additional entities
• M matrix of explicit (discretionary) rights
M = S × S → P(A)
PhD Defense - jump to start 17
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Additional entities
• M matrix of explicit (discretionary) rights
M = S × S → P(A)P(A) set of actions whose assignation of a security
level is explicitly allowed
PhD Defense - jump to start 17
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Additional entities
• M matrix of explicit (discretionary) rights
M = S × S → P(A)P(A) set of actions whose assignation of a security
level is explicitly allowed
In general, p ∈ P(A) if and only if
p = {Nw(γ, λγ), Rqα→β(d, λin)}
PhD Defense - jump to start 17
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Additional entities
• M matrix of explicit (discretionary) rights
M = S × S → P(A)P(A) set of actions whose assignation of a security
level is explicitly allowed
In general, p ∈ P(A) if and only if
p = {Nw(γ, λγ), Rqα→β(d, λin)}
• T set of authorized (access) transmissions
PhD Defense - jump to start 17
The ASP Security Model (cntd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Additional entities
• M matrix of explicit (discretionary) rights
M = S × S → P(A)P(A) set of actions whose assignation of a security
level is explicitly allowed
In general, p ∈ P(A) if and only if
p = {Nw(γ, λγ), Rqα→β(d, λin)}
• T set of authorized (access) transmissions
T = S × S ×A
PhD Defense - jump to start 17
Application of the security framework
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
PhD Defense - jump to start 18
Application of the security framework
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
1.- Base statements:
• Creation (and migration) of new activities are secure
• Emission of requests, with modifiable security levels in the datasent, are secure
• Emission of replies are secure
PhD Defense - jump to start 18
Application of the security framework
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
1.- Base statements:
• Creation (and migration) of new activities are secure
• Emission of requests, with modifiable security levels in the datasent, are secure
• Emission of replies are secure
2.- Support concepts:
• Elementary flows of information
• Flow-paths
PhD Defense - jump to start 18
Application of the security framework
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
1.- Base statements:
• Creation (and migration) of new activities are secure
• Emission of requests, with modifiable security levels in the datasent, are secure
• Emission of replies are secure
2.- Support concepts:
• Elementary flows of information
• Flow-paths
3.- Results:
Confidentiality, from end-to-end in a flow-path, is guaranteed
PhD Defense - jump to start 18
Secure Activity Creation
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
PhD Defense - jump to start 19
Secure Activity Creation
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, γ ∈ S
PhD Defense - jump to start 19
Secure Activity Creation
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, γ ∈ S: (α, γ, Nw(γ, λγ)) ∈ T ⇐⇒
A new activity action is considered secure iff:
PhD Defense - jump to start 19
Secure Activity Creation
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, γ ∈ S: (α, γ, Nw(γ, λγ)) ∈ T ⇐⇒(λα ≤ λγ)
A new activity action is considered secure iff:
1. The new activity has a higher security level compared
to its creator
PhD Defense - jump to start 19
Secure Activity Creation
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, γ ∈ S: (α, γ, Nw(γ, λγ)) ∈ T ⇐⇒(λα ≤ λγ) ∨Nw(γ, λγ) ∈M(α, γ)
A new activity action is considered secure iff:
1. The new activity has a higher security level compared
to its creator
2. or, in case the new activity has a lower security (i.e. a
downgrade), the creation action must be explicitly
allowed
PhD Defense - jump to start 19
Secure Activity Creation
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, γ ∈ S: (α, γ, Nw(γ, λγ)) ∈ T ⇐⇒(λα ≤ λγ) ∨Nw(γ, λγ) ∈M(α, γ)
A new activity action is considered secure iff:
1. The new activity has a higher security level compared
to its creator
2. or, in case the new activity has a lower security (i.e. a
downgrade), the creation action must be explicitly
allowed
Special case: Migration of an existing activity
PhD Defense - jump to start 19
Secure Request Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
PhD Defense - jump to start 20
Secure Request Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, β ∈ S
PhD Defense - jump to start 20
Secure Request Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, β ∈ S: (α, β, Rqα→β(d, λin)) ∈ T ⇐⇒
A request transmission action is considered secure iff:
PhD Defense - jump to start 20
Secure Request Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, β ∈ S: (α, β, Rqα→β(d, λin)) ∈ T ⇐⇒(λin ≤ λβ)∧
A request transmission action is considered secure iff:
1. Data is ”released” to an authorized target, AND
PhD Defense - jump to start 20
Secure Request Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, β ∈ S: (α, β, Rqα→β(d, λin)) ∈ T ⇐⇒(λin ≤ λβ)∧(λα ≤ λin)
A request transmission action is considered secure iff:
1. Data is ”released” to an authorized target, AND
2. Either:
• The data has a higher level than the sender
PhD Defense - jump to start 20
Secure Request Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, β ∈ S: (α, β, Rqα→β(d, λin)) ∈ T ⇐⇒(λin ≤ λβ)∧(λα ≤ λin)
∨ ((λα > λin) ∧Rqα→β(d, λin) ∈M(α, β))
A request transmission action is considered secure iff:
1. Data is ”released” to an authorized target, AND
2. Either:
• The data has a higher level than the sender
• If data has a lower level than the sender (i.e. a
downgrade), the action must be explicitly allowed
PhD Defense - jump to start 20
Secure Request Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, β ∈ S: (α, β, Rqα→β(d, λin)) ∈ T ⇐⇒(λin ≤ λβ)∧(λα ≤ λin)
∨ ((λα > λin) ∧Rqα→β(d, λin) ∈M(α, β))∨ ∃γ, δ, fi, d = fut(fγ→δ
i )
A request transmission action is considered secure iff:
1. Data is ”released” to an authorized target, AND
2. Either:
• The data has a higher level than the sender
• If data has a lower level than the sender (i.e. a
downgrade), the action must be explicitly allowed
• The data is a future reference
PhD Defense - jump to start 20
Secure Reply Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
PhD Defense - jump to start 21
Secure Reply Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, β ∈ S
PhD Defense - jump to start 21
Secure Reply Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, β ∈ S: (α, β, Rpβ→α(r)) ∈ T ⇐⇒
A reply transmission action is considered secure iff:
PhD Defense - jump to start 21
Secure Reply Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, β ∈ S: (α, β, Rpβ→α(r)) ∈ T ⇐⇒(λβ ≤ λα)
A reply transmission action is considered secure iff:
1. The data contained in the reply r (hence of level λβ)
can be released to the corresponding receiving subject
(with λα)
PhD Defense - jump to start 21
Secure Reply Transmission
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
∀α, β ∈ S: (α, β, Rpβ→α(r)) ∈ T ⇐⇒(λβ ≤ λα) ∨ (∃γ, δ, fi, r = fut(fγ→δ
i ))
A reply transmission action is considered secure iff:
1. The data contained in the reply r (hence of level λβ)
can be released to the corresponding receiving subject
(with λα)
2. or, if the data in the reply is only a reference to a
future
PhD Defense - jump to start 21
Secure ASP reduction rules
PhD Defense - jump to start 22
Secure ASP reduction rules
γ fresh activity ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ
σγ = copy(ι′′, σ) (α, γ, Nw(γ, λγ)) ∈ T
αλ[R[Activeλa(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→αλ[R[ι′]; σ′; ι; F ; R; f ] ‖ γλa[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P
(SecNEWACT)
σα(ι) = AO(β) ι′′ 6∈ dom(σβ) fα→βi new future
ιf 6∈ dom(σα) σ′β = Copy&Merge(σα, ι′ ; σβ, ι′′)
σ′α = {ιf 7→ fut(fα→βi )} :: σα (α, β, Rqα→β(σα(ι′), λin)) ∈ T
αλα[R[ι.mj(ι′λin)]; σα; ια; Fα; Rα; fα] ‖ β
λβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→αλα[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β
λβ [aβ; σ′β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P
(SecREQUEST)
σα(ι) = fut(fγ→βi ) Fβ(f
γ→βi ) = ιf
σ′α = Copy&Merge(σβ, ιf ; σα, ι) (β, α, Rpβ→α(σβ(ιf))) ∈ T
αλα[aα; σα; ια; Fα; Rα; fα] ‖ βλβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→
αλα[aα; σ′α; ια; Fα; Rα; fα] ‖ βλβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P
(SecREPLY)
PhD Defense - jump to start 22
Secure ASP reduction rules
γ fresh activity ι′ 6∈ dom(σ) σ′ = {ι′ 7→ AO(γ)} :: σ
σγ = copy(ι′′, σ) (α, γ, Nw(γ, λγ)) ∈ T
αλ[R[Activeλa(ι′′, mj)]; σ; ι; F ; R; f ] ‖ P −→αλ[R[ι′]; σ′; ι; F ; R; f ] ‖ γλa[ι′′.mj(); σγ; ι′′; ∅; ∅; ∅] ‖ P
(SecNEWACT)
σα(ι) = AO(β) ι′′ 6∈ dom(σβ) fα→βi new future
ιf 6∈ dom(σα) σ′β = Copy&Merge(σα, ι′ ; σβ, ι′′)
σ′α = {ιf 7→ fut(fα→βi )} :: σα (α, β, Rqα→β(σα(ι′), λin)) ∈ T
αλα[R[ι.mj(ι′λin)]; σα; ια; Fα; Rα; fα] ‖ β
λβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→αλα[R[ιf ]; σ′α; ια; Fα; Rα; fα] ‖ β
λβ [aβ; σ′β; ιβ; Fβ; Rβ :: [mj; ι′′; fα→βi ]; fβ] ‖ P
(SecREQUEST)
σα(ι) = fut(fγ→βi ) Fβ(f
γ→βi ) = ιf
σ′α = Copy&Merge(σβ, ιf ; σα, ι) (β, α, Rpβ→α(σβ(ιf))) ∈ T
αλα[aα; σα; ια; Fα; Rα; fα] ‖ βλβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P −→
αλα[aα; σ′α; ια; Fα; Rα; fα] ‖ βλβ [aβ; σβ; ιβ; Fβ; Rβ; fβ] ‖ P
(SecREPLY)
Parallel configurations are now of the form:
P, Q ::= αλα[a;σ; ι;F ;R; f ] ‖ βλβ[· · · ] ‖ · · ·
PhD Defense - jump to start 22
The Secure Information Flow
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
PhD Defense - jump to start 23
The Secure Information Flow
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• The concept elementary flow of information is based
on the ”release” or transmission of information from
an activity
PhD Defense - jump to start 23
The Secure Information Flow
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• The concept elementary flow of information is based
on the ”release” or transmission of information from
an activity
• Hence, it is derived the secure information flownotion:
(α, β, Rqα→β(σ(ι′), λin)) ∈ T
Secϕ∅(α, β)
(β, α, Rpβ→α(σα(ιf))) ∈ T
Secϕ∅(β, α)
(α, γ, Nw(γ, λγ)) ∈ T
Secϕ∅(α, γ)
PhD Defense - jump to start 23
The Secure Information Flow
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• The concept elementary flow of information is based
on the ”release” or transmission of information from
an activity
• Hence, it is derived the secure information flownotion:
(α, β, Rqα→β(σ(ι′), λin)) ∈ T
Secϕ∅(α, β)
(β, α, Rpβ→α(σα(ιf))) ∈ T
Secϕ∅(β, α)
(α, γ, Nw(γ, λγ)) ∈ T
Secϕ∅(α, γ)
The syntax Secϕ∅(α, β) means there is a secure flow
(Secϕ), with no other intermediate activities (∅),happening between activities α and β
PhD Defense - jump to start 23
The Secure Path for Information Flow
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
PhD Defense - jump to start 24
The Secure Path for Information Flow
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• A flow of information is composed of several elementary flowshappening in a sequential order
PhD Defense - jump to start 24
The Secure Path for Information Flow
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• A flow of information is composed of several elementary flowshappening in a sequential order
• A flow-path (fp) is produced when intermediate activities arepresent in between the communication of two given activities(i.e. the end points)
PhD Defense - jump to start 24
The Secure Path for Information Flow
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• A flow of information is composed of several elementary flowshappening in a sequential order
• A flow-path (fp) is produced when intermediate activities arepresent in between the communication of two given activities(i.e. the end points)
• Formally, the secure path for information flow is:
Secϕfp1(α, γ) Secϕfp2(γ, β)
Secϕfp1.γ.fp2(α, β)
PhD Defense - jump to start 24
The Secure Path for Information Flow
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• A flow of information is composed of several elementary flowshappening in a sequential order
• A flow-path (fp) is produced when intermediate activities arepresent in between the communication of two given activities(i.e. the end points)
• Formally, the secure path for information flow is:
Secϕfp1(α, γ) Secϕfp2(γ, β)
Secϕfp1.γ.fp2(α, β)
• There is a secure information flow from end-to-end on any flowpath when:
Secϕγ1···γn(α, β) ⇐⇒Secϕ∅(α, γ1) ∧ Secϕ∅(γ1, γ2) ∧ · · · ∧ Secϕ∅(γn, β)
PhD Defense - jump to start 24
Service-Oriented Computing and futures
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Impossible future updates with symmetric patterns of
communications
β
Active Object Active Object Active Object
λδ < βλ γλ<
γ
AO( )δ
δ
γAO( )
PhD Defense - jump to start 25
Service-Oriented Computing and futures
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Impossible future updates with symmetric patterns of
communications
β
Active Object Active Object Active Object
λδ < βλ γλ<
γ
AO( )δ
δ
γAO( )
Reqγ
PhD Defense - jump to start 25
Service-Oriented Computing and futures
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Impossible future updates with symmetric patterns of
communications
β
Active Object Active Object Active Object
λδ < βλ γλ<
γ
AO( )δ
δ
γAO( )
Reqγ
f 2
PhD Defense - jump to start 25
Service-Oriented Computing and futures
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Impossible future updates with symmetric patterns of
communications
β
Active Object Active Object Active Object
λδ < βλ γλ<
γ
AO( )δ
δ
γAO( )
Reqγ
f 2
Reqδ
PhD Defense - jump to start 25
Service-Oriented Computing and futures
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Impossible future updates with symmetric patterns of
communications
β
Active Object Active Object Active Object
λδ < βλ γλ<
γ
AO( )δ
δ
γAO( )
Reqγ
f 2
Reqδ
2f’
PhD Defense - jump to start 25
Service-Oriented Computing and futures
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Impossible future updates with symmetric patterns of
communications
β
Active Object Active Object Active Object
λδ < βλ γλ<
γ
AO( )δ
δ
γAO( )
Reqγ
f 2
Reqδ
2f’
λλδ < γ
PhD Defense - jump to start 25
Service-Oriented Computing and futures
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Impossible future updates with symmetric patterns of
communications
β
Active Object Active Object Active Object
λδ < βλ γλ<
γ
AO( )δ
δ
γAO( )
Reqγ
f 2
Reqδ
2f’
λλδ < γ
<βλ γλ
PhD Defense - jump to start 25
Service-Oriented Computing and futures (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Future updates are possible in asymmetric patterns of
communications
β
Active Object Active Object Active Object
λδ < βλ γλ<2f’
γ
AO( )δ
δ
γAO( )
Reqγ
f 2
Reqδ
PhD Defense - jump to start 26
Service-Oriented Computing and futures (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Future updates are possible in asymmetric patterns of
communications
β
Active Object Active Object Active Object
λδ < βλ γλ<2f’
γ
AO( )δ
δ
γAO( )
Reqγ
f 2
Reqδ
future reference
PhD Defense - jump to start 26
Service-Oriented Computing and futures (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Future updates are possible in asymmetric patterns of
communications
β
Active Object Active Object Active Object
λδ < βλ γλ<2f’
γ
AO( )δ
δ
γAO( )
Reqγ
f 2
Reqδ
future reference
λλδ < β
PhD Defense - jump to start 26
Implementation of the Security Model
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Architecture of active objects
passiveobject
futurevalue
currentrequest
pendingrequests
references tofuture values
FutureProxy
BodyProxy
future
local JVM remote JVM
Request queue structure
A
Stub_BBody
B
PhD Defense - jump to start 27
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Security schema for active objects
ProActivemiddlewarelayer
Applicationlayer
A
Stub-B
B
Body
PhD Defense - jump to start 28
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Security schema for active objects
ProActivemiddlewarelayer
Applicationlayer
A
Stub-B
B
Body
security sublayer EF / DF AF AF EF / DF
PhD Defense - jump to start 28
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Security schema for active objects
ProActivemiddlewarelayer
Applicationlayer
A
Stub-B
B
Body
security sublayer EF / DF AF AF EF / DF
JVM Y
Java API Java APIlayerJava
JVM X
PhD Defense - jump to start 28
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Security schema for active objects
ProActivemiddlewarelayer
Applicationlayer
A
Stub-B
B
Body
security sublayer EF / DF AF AF EF / DF
JVM Y
Java API Java APIlayerJava
JVM X
request request
PhD Defense - jump to start 28
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Security schema for active objects
ProActivemiddlewarelayer
Applicationlayer
A
Stub-B
B
Body
security sublayer EF / DF AF AF EF / DF
JVM Y
Java API Java APIlayerJava
JVM X
request request
requestauthorized
PhD Defense - jump to start 28
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Security schema for active objects
ProActivemiddlewarelayer
Applicationlayer
A
Stub-B
B
Body
security sublayer EF / DF AF AF EF / DF
JVM Y
Java API Java APIlayerJava
JVM X
request request
requestauthorized
reply reply
PhD Defense - jump to start 28
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Security schema for active objects
ProActivemiddlewarelayer
Applicationlayer
A
Stub-B
B
Body
security sublayer EF / DF AF AF EF / DF
JVM Y
Java API Java APIlayerJava
JVM X
request request
requestauthorized
reply reply
authorizedreply
PhD Defense - jump to start 28
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Detailed Security sub-layer
PhD Defense - jump to start 29
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Detailed Security sub-layer
flow control SecurityManager
Java API
EF
or migrateTo)reply,request,turnActive,(newActive,
intercepted action
• EF = flow control mechanism as a Java Security Manager
PhD Defense - jump to start 29
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Detailed Security sub-layer
flow control SecurityManager
Java API
EF
or migrateTo)reply,request,turnActive,(newActive,
intercepted action
setup
DFPDP
ContextHandler
XACMLpolicy
file
• EF = flow control mechanism as a Java Security Manager
• DF = Context Handler + Policy Decision Point + XACML file
PhD Defense - jump to start 29
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Detailed Security sub-layer
flow control SecurityManager
Java API
EF
or migrateTo)reply,request,turnActive,(newActive,
intercepted action
setup
DFPDP
ContextHandler
XACMLpolicy
fileAF
PIP AOPIP
• EF = flow control mechanism as a Java Security Manager
• DF = Context Handler + Policy Decision Point + XACML file
• AF = Policy Information Point + active object PIP
PhD Defense - jump to start 29
Implementation of the Security Model (contd.)
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Detailed Security sub-layer
flow control SecurityManager
Java API
EF
or migrateTo)reply,request,turnActive,(newActive,
intercepted action
setup
DFPDP
ContextHandler
XACMLpolicy
fileAF
PIP AOPIP
• EF = flow control mechanism as a Java Security Manager
• DF = Context Handler + Policy Decision Point + XACML file
• AF = Policy Information Point + active object PIP
PhD Defense - jump to start 29
Conclusions
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
PhD Defense - jump to start 30
Conclusions
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Expresiveness:
– Assignation of specific security levels to request
parameters and created activities
PhD Defense - jump to start 30
Conclusions
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Expresiveness:
– Assignation of specific security levels to request
parameters and created activities
• Scalability:
– Dynamic checks performed only at activity creation,
and inter-activity communications
PhD Defense - jump to start 30
Conclusions
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• Expresiveness:
– Assignation of specific security levels to request
parameters and created activities
• Scalability:
– Dynamic checks performed only at activity creation,
and inter-activity communications
• Extendable:
– XACML features provide a finer control on the
discretionary access control
PhD Defense - jump to start 30
Perspectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
PhD Defense - jump to start 31
Perspectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• TCSEC/ITSEC/CC level A/EAL7 can be attained (i.e.
formal design and verification)
PhD Defense - jump to start 31
Perspectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• TCSEC/ITSEC/CC level A/EAL7 can be attained (i.e.
formal design and verification)
• Further study of covert channels in distributed systems
PhD Defense - jump to start 31
Perspectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• TCSEC/ITSEC/CC level A/EAL7 can be attained (i.e.
formal design and verification)
• Further study of covert channels in distributed systems
• Static type checking in Java can be complemented
with our model
PhD Defense - jump to start 31
Perspectives
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
• TCSEC/ITSEC/CC level A/EAL7 can be attained (i.e.
formal design and verification)
• Further study of covert channels in distributed systems
• Static type checking in Java can be complemented
with our model
• The security mechanism can be applied to the
Components paradigm
PhD Defense - jump to start 31
Q&A
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Questions ?
Thank you for your attention
PhD Defense - jump to start 32
Q&A
Agenda
• Introduction
• Context
• Objectives
• Mechanisms
• ASP SecurityModel
• Implementation
• Conclusions
Questions ?
Thank you for your attention
PhD Defense - jump to start 32