Paper Report: Specification and Verification of Security Requirements in a Programming Model for Decentralized CSCW Systems
TANVIR AHMED and ANAND R. TRIPATHI, University of Minnesota
Student: Yu-Cheng Hsiao
Advisor: Dr. Gwan-Hwan Hwang
National Taiwan Normal University, Internet Computing Laboratory
Abstract • Role-based model for programming distributed CSCW systems • Supports specification of dynamic security and coordination requirements. • Model-checking methodology for verifying the security properties • Ensures correctness and consistency of a design specification. • Ensures that sensitive security requirements cannot be violated when policy enforcement functions are distributed among the participants.
1 - Introduction – CSCW • Computer-Supported Cooperative Work • Support cooperative activities involving a group of users performing tasks related to some shared objectives. • Examples of such systems include online conferencing, collaborative design and development, and workflow environments.
1 - Introduction – Security and Coordination Requirements • Security and coordination requirements in CSCW systems tend to be dynamic and context-based, depending on the execution state of the collaborative tasks and the history of participants' actions. (Figure: example coordination relationships, from "Synthesizing Coordination Requirements for Heterogeneous Autonomous Agents")
1 - Introduction – Security and Coordination Requirements • Coordination requirements are often interwoven with access-control concerns. • Such requirements have been addressed in workflow systems by synchronizing authorization and access-control mechanisms with task-flow events. • Specification and enforcement of dynamic security and coordination requirements in role-based models is an important problem. • Role-based access-control (RBAC) models have been found to be naturally useful in CSCW systems because of their intrinsic ability to model organizational structures.
1 - Introduction – Security Policies • A security policy is a definition of what it means to be secure for a system, organization or other entity. • For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. • For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs, and access to data by people. • Because the security policy is a high-level definition of secure behavior, it is meaningless to claim an entity is "secure" without knowing what "secure" means. It is also foolish to make any significant effort to address security without tracing the effort to a security policy. (from Wikipedia)
1 - Introduction – Security Policies • Security policies express administrative-level security requirements. • A distributed CSCW system may require decentralized management, as no single organization, site, or participant may be trusted to act as a "reference monitor" for the management and enforcement of all of the policies of the system. • The CSCW system designer may therefore designate some participants as untrusted for some of the policy enforcement functions.
1 - Introduction - Verification Methodology • Ensure that in decentralized management of a CSCW system the assignment of ownership privileges for an entity to an untrusted participant does not result in violation of any sensitive security requirements. • Determine safe assignments of ownership privileges in a design to satisfy the given set of security requirements.
1 - Introduction - Primary Contributions • Development of a role-based model together with a programming framework for specification of coordination and security requirements in distributed CSCW systems. • Development of a verification methodology based on finite-state model checking to ensure that a design expressed in this model satisfies a given set of requirements for coordination and security. The verification methodology is used to ensure the following kinds of properties in a design: • User interactions follow coordination and task-flow requirements; • Roles do not have conflicting or inconsistent constraints; • Confidential information cannot flow to unauthorized users; • No access rights can be leaked to unauthorized users; • Authorized information can be accessed; • Any dynamic constraints on accessing objects can be satisfied.
2 - Goals and Related Work • Develop a programming framework for constructing secure distributed CSCW systems from their high-level specifications. • A role-based model that is used by the designer of a CSCW system for specifying its architectural design for integrating application-level components and users, and specifying the policies for role-based user participation, coordination, and security. • A middleware system automatically constructs the distributed runtime system for a given design.
2 - Goals and Related Work • Roles are defined in the context of an application rather than in the global context of an organization. • Application-scoped constructs of this kind in related work include team, domain, and role template.
3 - Security Requirements in Role-Based Distributed CSCW Systems • Role Admission and Revocation Constraints • Role-Based Coordination Requirements • Dynamic Access-Control Policies • Meta-Level Security Policies • Information Flow and Access Leakage
3.1 - Role Admission and Revocation Constraints • Role admission constraints specify the conditions that must be satisfied for a user to be admitted to the role. • These constraints can be based on: • the user's current or past membership in some "prerequisite" roles (for allowing admission) or in "conflicting" roles (for denying admission), • the history of past actions by the user, • and role membership cardinality. • Because the role admission condition may no longer hold after a user has been admitted into the role, a role-revocation condition is needed to verify the continued validity of a participant's membership in a role.
3.2 - Role-Based Coordination Requirements • Interrole coordination: coordination between participants in different roles within an activity • Intrarole coordination: multiple members in a role need to coordinate among themselves • Intrarole coordination can be based on independent, cooperative, or ad hoc modes for role task execution by the members.
3.3 - Dynamic Access-Control Policies • Security requirements in CSCW systems tend to be dynamic in nature. • Such requirements depend on the execution history of the collaborative tasks • They may also depend on temporal conditions
3.4 - Meta-Level Security Policies • Secure management of a CSCW activity requires correct enforcement of the associated policies. • Specification of such meta policies assigning administrative privileges to a role for managing specific entities in an activity needs to be supported. • Such policies may also be dynamic, requiring change in the assignment of administrative privileges depending on the execution state of the activity.
3.5 - Information Flow and Access Leakage • Prevent information flow and access leakage to unauthorized users. • Confidentiality requirements express such information-flow constraints. • With decentralized policy enforcement and dynamic policies for admitting users into roles, it is important to ensure that any assignment of administrative privileges preserves the integrity of access authorization and information confidentiality.
4 - A Role Based Model for CSCW Systems • Activity: Abstraction of a collaboration or workflow task involving a set of users in various roles. • Users perform collaborative tasks involving some shared objects/resources. • In an activity, users are represented by their roles and within an activity roles are assigned privileges to perform certain tasks. • Operation: Role-specific tasks. • An operation typically involves invocation of a method on an object defined within the activity or creation of a new activity.
Central elements of the role-based specification model for programming distributed CSCW systems • Activity Template • Roles • Role Operations • Events • Shared Objects • Nested Activities • Meta Roles: Creator and Owner
4.1 - Activity Template • An activity template defines a pattern for a CSCW activity. • An activity is created and started by instantiating its template using a distributed middleware system. • Any number of instances of a template can be dynamically and independently created.
4.1 - Activity Template An activity represents a namespace, defining and encapsulating the following elements: • A fixed set of roles. • A fixed set of operations associated with each role. • A set of object types that are created and accessed through the role operations. • A fixed set of child activity templates that can be instantiated through the execution of role operations. Each nested activity instance defines an independent and separate namespace. • A dynamic set of events that are generated during the life cycle of the activity, representing the execution history of the role operations.
4.1 - Activity Template • An activity has a fixed number of roles within its scope; the set of operations associated with a role is also fixed. • The creation of a new nested child activity results in the creation of a new set of roles that are visible only in the scope of that child activity. • Events in the model are used for enforcing dynamic security requirements and coordination constraints.
4.2 - Roles • A role can be viewed as a protection domain with a set of privileges represented by its operations, which perform actions on the objects in the activity's namespace. • A role definition involves specification of three aspects: • Meta-level policies in regard to admission of users to the role • Role operations • Conditions under which a role operation can be executed
4.3 - Role Operations • A role operation may have a precondition and an action. • An operation's precondition must be true to execute its action. • The preconditions are expressed using predicates involving events within the activity's namespace. • They can also include predicates related to role memberships in the activity. • An operation's action can be one of the following: • an object method invocation • creation of a new object • creation of a new nested activity.
4.4 - Events • Events and event counters are used in operation preconditions and role constraints for specifying coordination and dynamic security policies. • Events correspond to execution of role operations and creation/termination of child activities. • Related to each role operation and activity, there are two types of events: start and finish. • These events are implicitly generated by the runtime system. • An event-based predicate is expressed using logical expressions involving event counts and event attributes.
4.5 - Shared Objects • Shared objects are represented in the model by their types and method signatures. • For an object, access-control policies are derived from the various roles' operations involving that object. • These are used by the object servers to control access to their objects.
4.6 - Nested Activities • An activity can create child activities to perform certain subtasks. • A child activity must be defined within the scope of its parent activity. • Each child activity defines its own namespace. • The nesting of activities results in creation of a hierarchically structured namespace. • A nested activity may need to have access to the objects in the scope of its parent activity. • For this, objects in the parent activity's namespace can be passed as reference parameters to a child activity. • A nested activity definition includes a list of the parameter types.
4.7 - Meta Roles: Creator and Owner • In the specification model, associated with every entity (activity, role, and object) there are two system-defined meta roles called owner and creator. • These roles are used by the underlying middleware system for administrative purposes. • The user who instantiates an activity or creates an object is the one and only member of the creator role for that entity. • This role membership is implicit and immutable. • This role has no permissions associated with it. • It is therefore called a pseudo role.
4.7 - Meta Roles: Creator and Owner • An owner role represents meta-level administrative privileges. • An activity specification can specify only one of the roles as the owner role of an entity. • This results in assignment of entity-specific ownership privileges to the role. • In the implementation model, there is no concrete representation of the owner roles.
5 - A Specification Model For Decentralized CSCW Systems • An activity is specified in XML and instantiated by the middleware to generate the runtime environment for the target system. • Before a system is realized from its XML specification, its security properties are verified using model checking.
Three main concepts of the specification model • Hierarchical structuring of activities • Scope rules for objects and roles • Assignment of role members and passing of objects as parameters to nested activities
Fig 1 - Role member assignment and object passing in hierarchical structuring of activities
5.2 - Activity Template Specification • Notation used in the XML schema: • [ ] optional terms • { } zero or more terms • | choice • Boldface: tags in the XML schema
5.3 - Condition Specification Three kinds of conditions in the specification model: • Role membership-related • Event history-based • Temporal (the function time returns the current time)
5.3.1 - Role Membership Functions • member(thisUser, roleId) : boolean • members(roleId) : List<RoleMember> • Count operator: # • Ex: the number of members in a role: #(members(roleId))
Fig 5 - Syntax for condition definition: time-and role membership-based predicates
5.3.2 - Event-Based Predicates • Events for role operations and activities: start and finish • Event list: (EventName); count of events: #(EventName) • Index into the list: EventName[i] • Each event has two predefined attributes: invoker and time • Ex: opId.start(invoker=thisUser) selects the start events of opId whose invoker is the current user
Fig 6 - Syntax for condition definition: event-based predicates
5.4 - Role Specification • Role Admission on Activity Creation • Role Admission Constraints • Role Validation Condition • Operation Specification • Role Activation Constraints
5.5 - Meta-Policy Specification • The rules for owner assignment for an entity – activity, role, and object – are as follows: • Static Ownership Assignment • Default Ownership Assignment • Dynamic Ownership Assignment
Fig 11 - Owner assignments in the nested course activity template specification
6 - Design Verification Goals in Model Checking • A collaboration designer may specify the different aspects of the coordination and security requirements as properties to be verified during the design process. • Verification goals: • Ensure the design specification is not inconsistent • Ensure the security and coordination requirements are satisfied by the specified design
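The following is an added example and is not the paper's XML specification, its middleware, or its model checker. It is a small Python model of the concepts from Sections 3.1, 4.4, 5.3 and 5.4 (role admission and validation conditions, implicit start/finish events, event counters and invoker attributes, operation preconditions) together with a bounded exhaustive state exploration in the spirit of Section 6. The activity (an author/reviewer review task), the users and the two properties are constructed for illustration; the design deliberately checks the conflicting-role rule only at admission in one variant so that the checker produces a counterexample trace, and the reviewer validation condition in the other variant so that the same property holds.

```python
from collections import deque


class Activity:
    """Mini-runtime for one activity instance (constructed, not the paper's
    middleware): role memberships, admission/validation conditions, role
    operations with event-based preconditions, and the implicit event history."""

    def __init__(self, roles, ops):
        self.roles = roles   # roleId -> {"admit": pred, "validate": pred}
        self.ops = ops       # opId -> (roleId, precondition pred)
        self.events = ()     # ((eventName, invoker), ...), oldest first
        self.members = {r: frozenset() for r in roles}

    # Condition functions of Section 5.3: role membership and event history.
    def member(self, user, role):           # member(thisUser, roleId)
        return user in self.members[role]

    def count(self, event, invoker=None):   # #(eventName) or #(eventName(invoker=u))
        return sum(1 for e, inv in self.events
                   if e == event and (invoker is None or inv == invoker))

    def _log(self, event, user):
        self.events += ((event, user),)

    def admit(self, user, role):
        """Role admission: only if the role's admission constraint holds now."""
        if self.member(user, role) or not self.roles[role]["admit"](self, user):
            return False
        self.members[role] |= {user}
        self._log(f"{role}.admit", user)
        return True

    def invoke(self, user, op):
        """Membership, the role validation condition and the precondition are
        re-checked at invocation time; a failed validation revokes the
        membership (Section 3.1) instead of executing the action."""
        role, pre = self.ops[op]
        if not self.member(user, role):
            return False
        if not self.roles[role]["validate"](self, user):
            self.members[role] -= {user}
            self._log(f"{role}.revoke", user)
            return False
        if not pre(self, user):
            return False
        self._log(f"{op}.start", user)      # start/finish events are implicit
        self._log(f"{op}.finish", user)
        return True

    def copy(self):
        c = Activity(self.roles, self.ops)
        c.events, c.members = self.events, dict(self.members)
        return c


def review_activity(revalidate):
    """Constructed design: authors submit, reviewers review, nobody may review
    once admitted as author. revalidate=False checks the conflicting role only
    at admission; True also makes it the reviewer's validation condition."""
    no_conflict = lambda a, u: not a.member(u, "author")
    roles = {
        "author": {"admit": lambda a, u: True, "validate": lambda a, u: True},
        "reviewer": {"admit": no_conflict,
                     "validate": no_conflict if revalidate else (lambda a, u: True)},
    }
    ops = {
        "submit": ("author", lambda a, u: a.count("submit.finish") == 0),
        "review": ("reviewer", lambda a, u: a.count("submit.finish") >= 1
                   and a.count("review.finish", u) == 0),
    }
    return Activity(roles, ops)


def separation_violated(act):
    """Bad state: a user finished a review after being admitted as author."""
    authors = set()
    for e, u in act.events:
        if e == "author.admit":
            authors.add(u)
        if e == "review.finish" and u in authors:
            return True
    return False


def coordination_violated(act):
    """Bad state: a review finished before any submission finished."""
    submitted = False
    for e, _ in act.events:
        if e == "submit.finish":
            submitted = True
        if e == "review.finish" and not submitted:
            return True
    return False


def model_check(make_activity, users, bad, max_events=6):
    """Bounded breadth-first exploration of every interleaving of admissions
    and invocations by `users`: returns the shortest trace reaching a `bad`
    state, or None if none exists within the event bound."""
    init = make_activity()
    seen, queue = {init.events}, deque([init])
    while queue:
        s = queue.popleft()
        if bad(s):
            return s.events
        if len(s.events) >= max_events:
            continue
        moves = ([("admit", u, r) for u in users for r in s.roles]
                 + [("invoke", u, op) for u in users for op in s.ops])
        for kind, u, target in moves:
            n = s.copy()
            if kind == "admit":
                n.admit(u, target)
            else:
                n.invoke(u, target)
            if n.events != s.events and n.events not in seen:   # a new state
                seen.add(n.events)
                queue.append(n)
    return None


if __name__ == "__main__":
    users = ["alice", "bob"]
    print("admission-only :", model_check(lambda: review_activity(False), users, separation_violated))
    print("with validation:", model_check(lambda: review_activity(True), users, separation_violated))
```

Run stand-alone, the first check prints the counterexample trace in which one user is admitted as reviewer, then as author (the admission constraint on reviewer is never re-evaluated), submits, and reviews the submission; the second prints None, because the validation condition revokes the reviewer membership at the next invocation. The state is identified by its event trace, which is what makes the exploration finite under an event bound, mirroring the finite-state abstraction the paper's model checking relies on.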