Modelling mobility aspects of security policies
Pieter Hartel, Pascal van Eck, Sandro Etalle, Roel Wieringa
University of Twente
Objectives
• Explain the problem that mobility may invalidate (or confuse) good security policies
• Show that the solution requires the integration of physical and logical security policies
• Illustrate this using case studies
• Model the essence of the solutions using SPIN
WP 2.6 kick off, March 11 2004, Marseille
Three world model: social world, digital world, physical world
• Digital security provides passwords to stop unauthorised persons from accessing digital resources (IT Dept).
• Physical security uses barriers to stop unauthorised persons from gaining access to physical resources (Security Dept).
• Coordination of physical and digital security via integrated specification of security policies (one Dept).
Ping (mobile code)
• Bob pings the Whitehouse
• The Whitehouse responds
• Bob moves, or more interestingly, only ping moves to another machine
• Moving ping has violated a security policy on mobility

Before the move:
  $ ping www.whitehouse.gov
  Reply from 194.109.217.178: time=110ms
  Reply from 194.109.217.178: time=1072ms
  Reply from 194.109.217.178: time=90ms

After ping moves to another machine:
  $ ping www.whitehouse.gov
  Usage: ping [-t] [-a] [-n count] …
Data base (mobile computers)
• Bob submits his tax return anywhere
• Alice receives Bob’s tax return at the IRS
• Alice discusses Bob’s tax return with her boss in the park
• Eve spies on Alice
• Alice has violated the security policy on mobility
Smart card (mobile smart card)
• Alice collects her smart card from the bank
• Bob offers a ‘special deal’ if she pays with plastic…
• Can Bob be trusted?
• Get a new security policy at the bank for ‘special deals’
Modelling
• System: objects from the 3 worlds
• Policy: (un)acceptable behaviour
• Principle: guidance & formula
• Verification: (system ║ policy) ╞ principle
• SPIN: communicating processes with a trace declaration

Policy: rule out behaviour that has been deemed unacceptable. Examples:
• Restrict access control
• Restrict information flow
• Maintain availability

Principle: identify & highlight security objectives. Examples:
• Follow least privilege
• Compartmentalise
• Be reluctant to trust
Ping: system and policy
• System: Ping (Test), Ping (Production), Host
• Policy: Host accepts “standard” ping only
• Principle of “least privilege”, as a trace:
  Any system call except Socket(anywhere) *
  Socket(Test)
  Any system call except Socket(anywhere) *
• Unexpected?
System: two concurrent processes

  /* enumeration type: the two environments and the five system calls */
  mtype = { Test_Env, Production_Env, Exit, Printf, Recvfrom, Sendto, Socket } ;

  /* global state: the environment the ping currently runs in */
  byte env = Test_Env ;

  /* mobility: non-deterministic choice of environment */
  active proctype mobility() {
    do
    :: env = Test_Env
    :: env = Production_Env
    od
  }

  /* rendezvous channel carrying (system call, environment) */
  chan c = [0] of { mtype, mtype } ;

  /* system: issues any system call, tagged with the current environment */
  active proctype system() {
    do
    :: c!Exit(env)
    :: c!Printf(env)
    :: c!Recvfrom(env)
    :: c!Sendto(env)
    :: c!Socket(env)
    od
  }
Policy & principle

  /* principle (least privilege) as a trace declaration:
     any call except Socket, then one Socket(Test_Env), then any call except Socket */
  trace {
    do
    :: c?Exit(_)
    :: c?Printf(_)
    :: c?Recvfrom(_)
    :: c?Sendto(_)
    :: c?Socket(Test_Env) -> break
    od ;
    do
    :: c?Exit(_)
    :: c?Printf(_)
    :: c?Recvfrom(_)
    :: c?Sendto(_)
    od
  }

  /* policy: the call sequences the host accepts from a "standard" ping */
  active proctype policy() {
    do
    :: c?Printf(_) ; c?Exit(_)
    :: c?Socket(_) ; c?Printf(_) ;
       do
       :: c?Sendto(_) ; c?Recvfrom(_)
       :: break
       od
    od
  }

Based on work by Mycroft et al.
Counter example
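The check the slides run in SPIN, (system ║ policy) ╞ principle, re-done here as an added Python example so the counter example can be reproduced without SPIN. This is not the authors' code: the system, policy and principle are transcribed from the Promela above into small tables, and a breadth-first search over the product state (environment, policy state, principle phase) returns the shortest event sequence that the trace declaration does not accept. The automaton state names and the tightened STRICT_POLICY are assumptions of this example, added to show that a stricter host policy alone does not help once the ping can move.

```python
"""Explicit-state check of (system || policy) |= principle for the mobile-ping
model. Added example; the model data is transcribed from the Promela on the
slides, the state names below are this example's own."""
from collections import deque

TEST_ENV, PRODUCTION_ENV = "Test_Env", "Production_Env"
CALLS = ("Exit", "Printf", "Recvfrom", "Sendto", "Socket")

# The slides' 'policy' proctype as an automaton: state -> {call: next state}.
#   do :: Printf ; Exit
#      :: Socket ; Printf ; do :: Sendto ; Recvfrom :: break od
#   od
# 'break' is silent, so the inner-loop state also offers the outer choices.
PING_POLICY = {
    "outer": {"Printf": "after_printf", "Socket": "after_socket"},
    "after_printf": {"Exit": "outer"},
    "after_socket": {"Printf": "inner"},
    "inner": {"Sendto": "after_sendto", "Printf": "after_printf",
              "Socket": "after_socket"},
    "after_sendto": {"Recvfrom": "inner"},
}

# Assumed tightened policy (not from the slides): one Socket per ping,
# and the ping terminates after Printf ; Exit.
STRICT_POLICY = {
    "outer": {"Printf": "after_printf", "Socket": "after_socket"},
    "after_printf": {"Exit": "done"},
    "after_socket": {"Printf": "inner"},
    "inner": {"Sendto": "after_sendto", "Printf": "after_printf"},
    "after_sendto": {"Recvfrom": "inner"},
    "done": {},
}


def principle(phase, call, env):
    """The slides' trace declaration (least privilege): any call except Socket,
    then exactly one Socket(Test_Env), then any call except Socket.
    Returns the next monitor phase, or None when the observed channel
    operation has no matching step, i.e. a trace violation."""
    if call != "Socket":
        return phase
    if phase == "socket_allowed" and env == TEST_ENV:
        return "socket_used"
    return None


def find_violation(policy, mobility=True):
    """Breadth-first search over (env, policy state, principle phase).
    Returns the shortest violating event sequence, or None if none exists.
    Events are ("move", new_env) for the mobility process and
    (call, env) for a rendezvous on channel c."""
    start = (TEST_ENV, "outer", "socket_allowed")
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (env, pstate, phase), path = queue.popleft()
        successors = []
        if mobility:  # the mobility process may move the ping at any time
            other = PRODUCTION_ENV if env == TEST_ENV else TEST_ENV
            successors.append(((other, pstate, phase), ("move", other)))
        for call in CALLS:
            # c is a rendezvous channel: the system's send only fires when
            # the policy process is ready to receive that call
            if call not in policy[pstate]:
                continue
            event = (call, env)
            next_phase = principle(phase, call, env)
            if next_phase is None:
                return path + [event]
            successors.append(((env, policy[pstate][call], next_phase), event))
        for state, event in successors:
            if state not in seen:
                seen.add(state)
                queue.append((state, path + [event]))
    return None


if __name__ == "__main__":
    for name, pol in (("slides' policy", PING_POLICY), ("strict policy", STRICT_POLICY)):
        for mob in (True, False):
            print(f"{name}, mobility={mob}: {find_violation(pol, mob)}")
```

With the slides' policy the search finds a violation even without mobility (the policy lets a ping open a second socket after `break`), and with mobility the shortest counter example is a move to Production_Env followed by Socket(Production_Env). The assumed strict policy removes the first kind of violation but not the second, which is the point of the slides: the host's policy cannot be fixed without a policy on where the code may run. Other case studies from the deck can be checked the same way by replacing the policy table and the principle function.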
Data base: system and policy
• System: presentation layer 1 (office), presentation layer 2 (park), business logic layer, database layer, DB1, DB2
• Policy: location determines data base
  Connect(here)
  Request(here)
  Reply(here)
  Request(here)
  Reply(here)
  ...
  Disconnect(here)
• Principle: “Compartmentalise”
• Not checked by standard policy
Smart card: system and policy
• System: payment applet, loyalty applet, management applet; locations: mall, shop, bank, vending machine, POS terminal, ATM, counter
• Policy: location determines applet
  Payment(vending)
  Loyalty(vending)
• Principle: “Be reluctant to trust”
• Not checked by standard policy
Conclusions and future work
• We can analyse policies, showing that none of the models satisfy our principles
• Trace declarations are limited; more tool support is needed
• Models should be more systematic, and hierarchical
• How can we enforce policies?