@ MODULARITY: AOSD’13, FUKUOKA, JAPAN
Model-Driven Adaptive Delegation
Phu H. Nguyen, Gregory Nain, Jacques Klein, Tejeddine Mouelhi, and Yves Le Traon | March 28, 2013
SnT – Interdisciplinary Centre for Security, Reliability and Trust
University of Luxembourg
www.securityandtrust.lu
Outline
Background & Motivation
  Access Control & Delegation
  A Motivating Example
  Concretizing Security Policy
Model-Driven Adaptive Delegation
  How to specify security policies separately from business logic
  How to (dynamically) enforce security policies into the system
  Adaptation process
Evaluation
Conclusion & Future Work
Outline Background Approach Modeling Composing Adaptation Evaluation Conclusion
Phu H. Nguyen, Gregory Nain, Jacques Klein, Tejeddine Mouelhi, and Yves Le Traon –Model-Driven Adaptive Delegation March 28, 2013 2/29
Background
Access Control (AC)
  Administering access to resources by enforcing an AC policy.
  An AC policy (stored in an XACML file or a database) consists of a set of AC rules.
  Mandatory AC (MAC), Discretionary AC (DAC), Role-Based AC (RBAC), Organization-Based AC (OrBAC), etc.
  For example, with the OrBAC model: Permission/Prohibition(Org, Role, Activity, View, Context)
    Permission(Library, Administrator, ModifyAccount, BorrowerAccount, WorkingDays)
    Prohibition(Library, Student, ModifyAccount, PersonnelAccount, Default)
A Motivating Example
Library Management System
  Books can be borrowed and returned on working days. When the library is closed, users cannot borrow books. When a book is already borrowed, a user can make a reservation for this book.
  User accounts are managed by an administrator (who creates, modifies and removes accounts for new users). A secretary can order books and add them to the LMS when they are delivered.
  The director of the library has the same access rights as the secretary and can also consult the accounts of the employees. The administrator and the secretary can consult all user accounts. All users can consult the list of books in the library.
  Three types of users: public users who can borrow 5 books for 3 weeks, students who can borrow 10 books for 3 weeks, and teachers who can borrow 10 books for 2 months.
An Example of AC Policy
AC policy
  Entities: roles, activities, views and contexts.
  Policy: combinations of the entities with a status (permission/deny).
The PDP-PEP Framework
Traditional architecture for managing access control [Morin2010]:
  Policy Decision Point (PDP) contains the policy.
  Policy Enforcement Points (PEPs) enforce the policy.
Limitations of the PDP-PEP Framework
Problems with hard-coded access control mechanisms [Morin2010]:
  Implicit vs. explicit access control.
  The lack of support for (advanced) delegation features: how to specify and enforce delegation policies?
Delegation
  Delegation plays a key role in the administration mechanism [Ben-Ghorbel-Talbi2010].
  "Normal" users are themselves allowed to grant some authorizations by delegation.
  Delegation of rights allows a user (the delegator) to delegate his/her access rights to another user (the delegatee).
  Delegation of obligations (not yet considered in this paper).
  Some advanced delegation features: temporary delegation, transfer delegation, multiple delegation, multi-step delegation, etc.
  E.g., transfer (non-monotonic) delegation: the grantor loses this permission for the duration of the delegation.
Some Delegation Situations
Simple delegation situations
  A secretary delegates her/his role to a librarian.
  The director delegates her/his permission of consulting personnel accounts to a secretary during her/his absence.
Some Delegation Situations (cont.)
More complex delegation situations
  A secretary transfers her/his role to a librarian.
  A secretary is allowed to delegate his/her role to a librarian only, and to one librarian at a given time.
  The director can delegate, on behalf of a secretary, the secretary's role to a librarian (e.g. during the secretary's absence).
  If a librarian empowered in the role secretary by delegation is no longer able to perform this task, then he/she can/cannot delegate, again, this role to another librarian.
  Users can always revoke their own delegations.
  The director can revoke users from their delegated roles.
  The role administrator is not delegable.
  And so on.
Concretizing Security Policy
Delegation rules impacting AC rules
  Context-aware AC rules & delegation rules.
  Deriving AC rules according to delegation rules.
[Figure: the access control policy conforms to (cft) the access control metamodel and the delegation policy conforms to the delegation metamodel; context information impacts both the access control and delegation models; depending on both the context and the delegation rules, the appropriate access control rules are selected, and the access control model is adapted according to the delegation specifications to produce the active security policy.]
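Added example (not the authors' Kermeta/ATL transformation): a small Python derivation of the active security policy from OrBAC-style base AC rules, delegation rules and the current context, covering the transfer delegation from the Delegation slide and the secretary-to-librarian-only, one-at-a-time and non-delegable-administrator constraints from the complex delegation situations. The rule encoding, user names and context values are assumptions modelled on the LMS example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AcRule:            # OrBAC-style: status(role, activity, view, context)
    role: str
    activity: str
    view: str
    context: str = "Default"  # "Default" matches every runtime context
    permit: bool = True       # False = prohibition

@dataclass(frozen=True)
class Delegation:        # role-level delegation of the delegator's role to the delegatee
    delegator: str
    delegatee: str
    role: str
    transfer: bool = False    # transfer (non-monotonic): delegator loses the role
    only_in: str = "*"        # context in which it is active; "*" = any context

# Constraints from the 'More complex delegation situations' slide (assumed encoding)
NON_DELEGABLE = {"Administrator"}
ALLOWED_TARGET = {"Secretary": "Librarian"}   # a Secretary may delegate only to a Librarian
MAX_CONCURRENT = {"Secretary": 1}             # ...and only to one at a given time

def derive_active_roles(user_roles, delegations, context):
    """user->roles in force in `context`; invalid delegations raise instead of being dropped."""
    active = {u: set(r) for u, r in user_roles.items()}
    count = {}
    for d in delegations:
        if d.role in NON_DELEGABLE:
            raise ValueError(f"role {d.role} is not delegable")
        if d.role not in user_roles.get(d.delegator, set()):
            raise ValueError(f"{d.delegator} does not hold role {d.role}")
        need = ALLOWED_TARGET.get(d.role)
        if need and need not in user_roles.get(d.delegatee, set()):
            raise ValueError(f"{d.role} may only be delegated to a {need}")
        if d.only_in not in ("*", context):
            continue                              # inactive in this context
        key = (d.delegator, d.role)
        count[key] = count.get(key, 0) + 1
        if count[key] > MAX_CONCURRENT.get(d.role, len(delegations)):
            raise ValueError(f"{d.delegator} has already delegated {d.role}")
        active.setdefault(d.delegatee, set()).add(d.role)
        if d.transfer:
            active[d.delegator].discard(d.role)
    return active

def decide(rules, active_roles, user, activity, view, context):
    """PDP decision over the active policy: prohibition wins, else permission, else deny."""
    roles = active_roles.get(user, set())
    hits = [r for r in rules if r.role in roles and r.activity == activity
            and r.view == view and r.context in ("Default", context)]
    return bool(hits) and all(r.permit for r in hits)

# Constructed LMS sample (rules follow the Background slide's wording)
RULES = [AcRule("Administrator", "ModifyAccount", "BorrowerAccount", "WorkingDays"),
         AcRule("Student", "ModifyAccount", "PersonnelAccount", permit=False),
         AcRule("Secretary", "Order", "Book"),
         AcRule("Director", "Consult", "PersonnelAccount")]
USERS = {"alice": {"Director"}, "bob": {"Secretary"}, "carol": {"Librarian"},
         "dave": {"Librarian"}, "erin": {"Student"}}
DELEGATIONS = [Delegation("bob", "carol", "Secretary", transfer=True),
               Delegation("alice", "bob", "Director", only_in="DirectorAbsent")]

def demo(context="WorkingDays"):
    active = derive_active_roles(USERS, DELEGATIONS, context)
    return {"carol_orders": decide(RULES, active, "carol", "Order", "Book", context),
            "bob_orders": decide(RULES, active, "bob", "Order", "Book", context),
            "bob_consults": decide(RULES, active, "bob", "Consult", "PersonnelAccount", context)}
```

Because the transfer is non-monotonic, bob can no longer order books once carol holds the secretary role, and the director's delegation only takes effect in the DirectorAbsent context.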
Model-Driven Adaptive Security
A Model-Driven Framework
  Separation of concerns: AC / Delegation / Business Logic.
  Dynamic adaptation & evolution of secure systems.
[Overview figure: at M2 the access control metamodel, delegation metamodel and architecture metamodel; at M1 the access policy and delegation policy are turned by model transformation into the active security policy, which is composed (model composition) with the base model into a security-enforced architecture model; at M0 the running system, consisting of proxy components and business logic components on the adaptive execution platform; the levels are linked by conforms-to (cft) relations and by validation, test, self-adaptation and change/evolution loops.]
Overview - Modeling Security Concerns
Modeling Security Concerns
A DSL/metamodel for specifying security concerns
  RBAC-based AC rules.
  Advanced delegation rules.
Modeling Security Concerns (cont.)
A DSL/metamodel for specifying active security rules
  Derived from the base security rules.
  No context, no delegation here.
Overview - Modeling Business Logic
Modeling Business Logic (BL)
Component-based architecture
  A component-based architecture metamodel [Morin2010].
Mapping Resources of the Policy Model to BL Resource Components
Mappings
  action → method().
Overview - Target Architecture Model
Target Component-Based Architecture
Security enforcement
  3-layer architecture reflecting access control & delegation rules.
Overview - Adaptation Process
Dynamic Adaptation
Enforcing security policies at runtime
  Based on an adaptive execution platform [morin09a].
[Figure: the security-enforced architecture model and the current architecture model (both conforming to the architecture metamodel) go through model comparison; the resulting model diff (conforming to a model diff metamodel) feeds code and script generation, producing a script of platform-specific reconfiguration commands that the adaptive execution platform applies to the running system (proxy components and business logic components); the figure also shows a validation step and the M2/M1/M0 levels.]
Case Studies
Library Management System (LMS)
  As described before.
Virtual Meeting System (VMS)
  Offers simplified web conference services.
  There are three resources (Meeting, Personnel Account, User Account) and six roles (Administrator, Webmaster, Owner, Moderator, Attendee, and Non-attendee).
Auction Sale Management System (ASMS)
  Allows its users to buy and sell products online.
  There are five resources (Sale, Bid, Comment, Personnel Account, User Account) and five roles (Administrator, Moderator, Seller, Senior Buyer, and Junior Buyer).
Case Studies (cont.)
Overview of the 3 systems
  Size of each system.
  Number of security rules.

Table: Size of each system in terms of source code.
  System   # Classes   # Methods   # LOC
  LMS      62          335         3204
  VMS      134         581         6077
  ASMS     122         797         10703

Table: Security rules defined for each system.
  System   # AC rules   # Delegations   Total
  LMS      23           4               27
  VMS      36           8               44
  ASMS     89           8               97
Case Studies (cont.)
Evaluation
  Our metamodels are applicable to different systems without any modification or adaptation.
  The adaptation process: Kermeta 1.4.1 (http://www.kermeta.org/) vs. ATL 3.2.1 (http://www.eclipse.org/atl/).

Table: Performance of weaving security policies using Kermeta and ATL.
  System   # Rules   Kermeta 1.4.1   ATL 3.2.1
  LMS      27        4s              0.048s
  VMS      44        7s              0.055s
  ASMS     97        18s             0.140s
Conclusion
Problem
  The need for supporting advanced delegation features and solving hidden mechanisms in security policy enforcement.
Proposed Solution
  A model-driven adaptive framework supporting separation of concerns between delegation, AC and business logic.
Future work
  Testing delegation policy via mutation analysis [Nguyen2013].
  Usage control [Sandhu2003] and delegation of obligations.
  Target an optimized models@runtime framework, e.g. Kevoree (http://www.kevoree.org/).
References
[Ben-Ghorbel-Talbi2010] Meriam Ben-Ghorbel-Talbi, Frederic Cuppens, Nora Cuppens-Boulahia, and Adel Bouhoula. A delegation model for extended RBAC. International Journal of Information Security, 9(3):209–236, June 2010.
[Morin2010] Brice Morin, Tejeddine Mouelhi, Franck Fleurey, Yves Le Traon, Olivier Barais, and Jean-Marc Jézéquel. Security-driven model-based dynamic adaptation. In Proceedings of the IEEE/ACM International Conference on Automated Software Engineering, ASE '10, pages 205–214, New York, NY, USA, 2010. ACM.
[Nguyen2013] Phu H. Nguyen, Mike Papadakis, and Iram Rubab. Testing delegation policy via mutation analysis. In Mutation Workshop, ICST, 2013.
[Sandhu2003] Ravi Sandhu and Jaehong Park. Usage control: A vision for next generation access control. In V. Gorodetsky et al. (Eds.): MMM-ACNS 2003, LNCS 2776, 1:17–31, 2003.
[morin09a] Taming Dynamically Adaptive Systems with Models and Aspects. In ICSE'09: 31st International Conference on Software Engineering, Vancouver, Canada, May 2009.
Thanks to the Fonds National de la Recherche (FNR), Luxembourg for supporting this project!
Slides based on LaTeX-Beamer template by Erik ([email protected])
The End! Q&A
Final Remarks
  Thank you for your attention!
  More information? Interested? => our paper is available!
Contact Info
  Phu H. Nguyen, University of Luxembourg
  Email: [email protected], Twitter: @nguyenhongphu