
Analysis and Detection of Access Violations in Componentised Systems

David Llewellyn-Jones, Madjid Merabti, Qi Shi, Bob Askwith. Advances in Computer Security and Forensics, 13th July 2007.


Presentation Transcript


1. Analysis and Detection of Access Violations in Componentised Systems
David Llewellyn-Jones, Madjid Merabti, Qi Shi, Bob Askwith
Advances in Computer Security and Forensics, 13th July 2007
Network & Information Security Technology Laboratory, School of Computing and Mathematical Sciences, Liverpool John Moores University, Byrom Street, Liverpool L3 3AF, UK
Email: {D.Llewellyn-Jones, M.Merabti, Q.Shi, R.Askwith}@ljmu.ac.uk
Web: http://www.cms.livjm.ac.uk/NISTL

2. Contents
• Introduction
• Access control
• Ubiquitous computing
• Network elevation of privileges
• Composition access control check
• Process
• Implementation
• Experiments and results
• Conclusion

3. Access Control
• In theory: a user can access data only if their access level satisfies the access requirements of the data
• In practice: a user can only access data via a program, so the program's access level sits between the user's access level and the data's access requirement
(Diagram: user [access level] → data [access requirement], versus user [access level] → program [access level] → data [access requirement].)

4. Distributed Access Control
• Taos: local access control
• Centralised access control: DSS DACS, DSI, CORBASec
• Atomic: enforced between pairs of components
• An alternative approach: consider the wider composition structure

5. Ubiquitous Computing
• Networking is wireless and pervasive
• Devices are mobile and plentiful
• Data flows unimpeded
• Easy access to data from anywhere
• Access control remains important

6. Network Elevation of Privileges
(Diagram: on System A, Alice's program reads Alice's file and sends its contents across the network; on System B, SU's program receives them and writes them to a file that Bob has access to, which Bob's program then reads.)
• Data sent across a network may be vulnerable
• Inconsistent access requirements: each system individually satisfies its own access requirements
• Combined, incorrect access may occur

7. Solution Overview
• Analyse possible data flow through a network, based on topology and component properties
• Analysis takes place when the topology changes
• Access control requirements are checked; composition is only allowed if the requirements are met
• Need to know: connections (data flow) between components, and data flow within each component

8. Formalisation
• Each component is defined by four data structures:
• u_R, u_W ∈ U: effective user ID for read and for write
• d_R, d_W ∈ D: access requirements of the files read and written by the component
• Access mappings f_R, f_W : U × D → {0, 1} determine whether read or write access should be granted
• Example: read access control lists

9. Connections Between Components
(Figure: a data-flow graph of five components, numbered 1 to 5, walked in traversal order.)
• Follow data flow through components, for example by a simple depth-first traversal
• Match data access requirements with component access levels
• Maintain d_R, d_W of the data accessed and compare them with u_R, u_W for each component using f_R, f_W
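The following is an added example of the check described in slides 6, 8 and 9; it is not the paper's code or the MATTS tool. It assumes a concrete instance of the abstract sets: U is a set of effective user IDs (strings), D is a set of access control lists (frozensets of user IDs, following the slide-8 example of read ACLs), and f_R, f_W grant access iff the user is on the ACL. The three components alice_prog, su_prog and bob_prog, their ACLs and the connections between them are constructed to reproduce the slide-6 scenario. The atomic, per-system check passes for every component, while the depth-first composition check carries the requirement of Alice's file along the data flow and reports it when the data reaches Bob's program.

```python
"""Composition access-control check over a data-flow graph of components.

Added example (not the paper's MATTS code). Assumptions: U is a set of user
IDs (strings), D is a set of access control lists (frozensets of user IDs),
and f_R, f_W grant access iff the user appears on the ACL.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

User = str
Req = FrozenSet[User]          # one element of D: an ACL


def f_R(u: User, d: Req) -> int:
    """Access mapping f_R : U x D -> {0,1}: may user u read data requiring d?"""
    return int(u in d)


def f_W(u: User, d: Req) -> int:
    """Access mapping f_W : U x D -> {0,1}: may user u write data requiring d?"""
    return int(u in d)


@dataclass
class Component:
    name: str
    u_R: User                                   # effective user ID for reads
    u_W: User                                   # effective user ID for writes
    d_R: Set[Req] = field(default_factory=set)  # requirements of files read
    d_W: Set[Req] = field(default_factory=set)  # requirements of files written


@dataclass
class Composition:
    components: Dict[str, Component]
    edges: Dict[str, List[str]]   # connections: data flows from key to each value


def local_check(comp: Composition) -> List[str]:
    """Atomic check as enforced by a single system: each component against the
    files it reads or writes directly, ignoring where the data came from."""
    violations: List[str] = []
    for c in comp.components.values():
        for d in sorted(c.d_R, key=sorted):
            if not f_R(c.u_R, d):
                violations.append(f"{c.name}: {c.u_R} may not read {sorted(d)}")
        for d in sorted(c.d_W, key=sorted):
            if not f_W(c.u_W, d):
                violations.append(f"{c.name}: {c.u_W} may not write {sorted(d)}")
    return violations


def composition_check(comp: Composition) -> List[str]:
    """Slide-9 traversal: depth-first walk of the connections, carrying the
    requirements of every file read upstream and re-checking f_R at each
    component the data reaches. Local write violations are reported too."""
    violations: List[str] = []

    def report(msg: str) -> None:
        if msg not in violations:        # the same path may be reached twice
            violations.append(msg)

    def visit(name: str, carried: FrozenSet[Req], path: List[str]) -> None:
        c = comp.components[name]
        carried = carried | c.d_R        # add data this component reads itself
        path = path + [name]
        for d in sorted(carried, key=sorted):
            if not f_R(c.u_R, d):
                report(f"{c.name} ({c.u_R}) receives data requiring "
                       f"{sorted(d)} via {' -> '.join(path)}")
        for d in sorted(c.d_W, key=sorted):
            if not f_W(c.u_W, d):
                report(f"{c.name}: {c.u_W} may not write {sorted(d)}")
        for nxt in comp.edges.get(name, []):
            if nxt not in path:          # cycle guard; carried only ever grows
                visit(nxt, carried, path)

    for src in comp.components:          # any component may be a data source
        visit(src, frozenset(), [])
    return violations


# Constructed instance of the slide-6 scenario (ACLs are assumptions).
ALICE_FILE = frozenset({"alice", "root"})   # Alice's file: Alice and the superuser
BOB_FILE = frozenset({"bob", "root"})       # file with access by Bob

EXAMPLE = Composition(
    components={
        "alice_prog": Component("alice_prog", "alice", "alice", d_R={ALICE_FILE}),
        "su_prog": Component("su_prog", "root", "root", d_W={BOB_FILE}),
        "bob_prog": Component("bob_prog", "bob", "bob", d_R={BOB_FILE}),
    },
    edges={
        "alice_prog": ["su_prog"],   # System A sends to System B over the network
        "su_prog": ["bob_prog"],     # via the file that Bob's program reads
    },
)

if __name__ == "__main__":
    print("local:", local_check(EXAMPLE))
    for v in composition_check(EXAMPLE):
        print("composition:", v)
```

The carried set only grows along a path, so skipping components already on the current path loses nothing while guarding against cycles in the topology; a production implementation would additionally memoise the carried set per component so that a component reached by several paths is only re-checked when a new requirement arrives.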

10. Component Slicing
• Data flow within each component
• Use slicing to follow the data
• Applied using pre- and post-conditions

11. Structure Projection
(Figure: the five-component graph of slide 9 after projection; component 3 appears at two points, one per projected connection pair.)
• Follow data flow through components, taking internal data flow into account
• Use slicing to determine this
• Project the structure: project connections onto points, and join points if pairs of connections coincide
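The following is an added example of structure projection as described on this slide; it is not the paper's code or the MATTS tool, and it uses one reading of the slide: each component is split into points, one per (input port, output port) pair along which slicing found that data flows inside the component, and connections are then projected onto those points. The internal flow relation FLOWS is assumed as the result slicing would give; the port names and the five-component graph (with component 3 carrying two independent internal flows) are constructed for illustration. Comparing the walk on the projected graph with the walk on the raw component graph shows why projection matters: without it, data from component 1 appears to reach component 5 through component 3, although inside 3 it can only reach component 4.

```python
"""Structure projection: split components into points by internal data flow.

Added example, not from the paper or the MATTS tool. FLOWS is an assumed
slicing result; ports and the five-component graph are constructed.
"""
from typing import Dict, List, Set, Tuple

Point = Tuple[str, str, str]            # (component, in_port, out_port)
Connection = Tuple[str, str, str, str]  # (src, src_out_port, dst, dst_in_port)

# Assumed slicing result: for each component, which input port reaches which
# output port. "" marks a missing port (pure source or pure sink).
FLOWS: Dict[str, Set[Tuple[str, str]]] = {
    "1": {("", "out")},
    "2": {("", "out")},
    "3": {("a", "x"), ("b", "y")},   # a only reaches x, b only reaches y
    "4": {("in", "")},
    "5": {("in", "")},
}

# Constructed connections between components (the slide-9 topology).
CONNECTIONS: List[Connection] = [
    ("1", "out", "3", "a"),
    ("2", "out", "3", "b"),
    ("3", "x", "4", "in"),
    ("3", "y", "5", "in"),
]


def project(flows: Dict[str, Set[Tuple[str, str]]],
            connections: List[Connection]) -> Dict[Point, Set[Point]]:
    """Project connections onto points: p = (c, i, o) is joined to
    q = (c2, i2, o2) iff some connection carries c's port o into c2's port i2."""
    points = {(c, i, o) for c, pairs in flows.items() for i, o in pairs}
    graph: Dict[Point, Set[Point]] = {p: set() for p in points}
    for src, out_port, dst, in_port in connections:
        for p in points:
            if p[0] == src and p[2] == out_port:
                for q in points:
                    if q[0] == dst and q[1] == in_port:
                        graph[p].add(q)
    return graph


def _reach(neighbours, start):
    """Generic iterative depth-first reachability."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(neighbours(node))
    return seen


def components_reached(graph: Dict[Point, Set[Point]], start: Point) -> Set[str]:
    """Components that data entering at `start` can reach on the projected graph."""
    return {p[0] for p in _reach(lambda p: graph.get(p, set()), start)}


def components_reached_unprojected(connections: List[Connection],
                                   start: str) -> Set[str]:
    """The same walk on the raw component graph, ignoring internal data flow."""
    succ: Dict[str, Set[str]] = {}
    for src, _out, dst, _in in connections:
        succ.setdefault(src, set()).add(dst)
    return _reach(lambda c: succ.get(c, set()), start)


if __name__ == "__main__":
    g = project(FLOWS, CONNECTIONS)
    print("without projection:", sorted(components_reached_unprojected(CONNECTIONS, "1")))
    print("with projection:   ", sorted(components_reached(g, ("1", "", "out"))))
```

Run on the projected graph, the slide-9 traversal would carry the requirements of component 1's data only to components 3 and 4, so an access violation involving component 5 is reported only if data really reaches it.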

12. Current Implementation
• Uses the MATTS component analysis tool, based on agent components
• Performs automatic slicing and topology check
• Connections currently must be input manually

13. Future Implementation
• To exist as a service in the network
• Properties determined using instrumentation
• Recheck whenever the topology changes
• Failure means the composition would be refused
• Success means the access control requirements are guaranteed to be fulfilled
• Properties cached to reduce overhead

14. Timing Results
(Chart: analysis time against length of the chain of components, measured on a 600 MHz Intel XScale 80321 processor; two series: analysed as a single application, and analysed using composition analysis.)

15. Conclusion
• Provides a useful distributed access control checking technique
• Implementation suggests a practical solution
• Intend to implement in a Networked Appliance setting
• Highlights how composition analysis can reduce the impact of state explosion
