Results 1 - 10 of 21
The Flask Security Architecture: System Support for Diverse Security Policies
- in Proceedings of The Eighth USENIX Security Symposium
, 1999
Abstract - Cited by 114 (8 self)
Operating systems must be flexible in their support for security policies, providing sufficient mechanisms for supporting the wide variety of real-world security policies. Such flexibility requires controlling the propagation of access rights, enforcing fine-grained access rights and supporting the revocation of previously granted access rights. Previous systems are lacking in at least one of these areas. In this paper we present an operating system security architecture that solves these problems. Control over propagation is provided by ensuring that the security policy is consulted for every security decision. This control is achieved without significant performance degradation through the use of a security decision caching mechanism that ensures a consistent view of policy decisions. Both fine-grained access rights and revocation support are provided by mechanisms that are directly integrated into the service-providing components of the system. The architecture is described through its prototype implementation in the Flask microkernel-based operating system, and the policy flexibility of the prototype is evaluated. We present initial evidence that the architecture's impact on both performance and code complexity is modest. Moreover, our architecture is applicable to many other types of operating systems and environments.
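The three mechanisms the abstract names (policy consulted for every decision, a decision cache that stays consistent with the policy, and revocation built into the service-providing component) fit in a short model. The following is an added illustration, not code from the Flask prototype: a security server holds the policy and a sequence number that changes on every policy load, an object manager caches the server's answers in an access vector cache and discards entries whose sequence number is stale, and a file server re-checks the cached decision on every read of an already open handle so a revocation takes effect on the next operation. The names (SecurityServer, AccessVectorCache, FileServer, load_policy), the bit layout of the access vector and the scenario data are assumptions of this example.

```python
"""Flask-style separation of policy from enforcement, with a decision cache.

Added illustration, not code from the Flask prototype.  Class names, the
policy sequence-number scheme and the scenario are assumptions.
"""

READ, WRITE, EXEC = 1, 2, 4            # permission bits of an access vector


class SecurityServer:
    """Policy decision point.  The sequence number changes on every policy
    load so object managers can tell stale decisions from fresh ones."""

    def __init__(self, rules):
        # rules: {(source_sid, target_sid, object_class): allowed permission bits}
        self.rules = dict(rules)
        self.seqno = 1

    def compute_av(self, ssid, tsid, tclass):
        """Return (access vector, sequence number the vector is valid for)."""
        return self.rules.get((ssid, tsid, tclass), 0), self.seqno

    def load_policy(self, rules):
        self.rules = dict(rules)
        self.seqno += 1                # every cached decision is now stale


class AccessVectorCache:
    """Decision cache held by an object manager.  Every enforcement point asks
    it; an entry is reused only if the policy has not changed since it was
    computed, which keeps the cached view consistent with the server."""

    def __init__(self, server):
        self.server = server
        self.entries = {}              # (ssid, tsid, tclass) -> (av, seqno)
        self.hits = 0
        self.misses = 0

    def has_perm(self, ssid, tsid, tclass, perm):
        key = (ssid, tsid, tclass)
        entry = self.entries.get(key)
        if entry is None or entry[1] != self.server.seqno:
            self.misses += 1
            entry = self.server.compute_av(ssid, tsid, tclass)
            self.entries[key] = entry
        else:
            self.hits += 1
        return entry[0] & perm == perm


class FileServer:
    """Object manager.  Revocation is integrated into the service: a handle
    carries the subject's SID and the check is repeated on every read, so a
    policy change bites on the next operation, not only at open() time."""

    def __init__(self, avc):
        self.avc = avc
        self.files = {}                # name -> (file_sid, content)
        self.handles = {}              # handle -> (name, ssid)
        self.next_handle = 3

    def create(self, name, file_sid, content):
        self.files[name] = (file_sid, content)

    def open(self, ssid, name):
        file_sid, _ = self.files[name]
        if not self.avc.has_perm(ssid, file_sid, "file", READ):
            raise PermissionError("%s: open %s denied" % (ssid, name))
        h = self.next_handle
        self.next_handle += 1
        self.handles[h] = (name, ssid)
        return h

    def read(self, handle):
        name, ssid = self.handles[handle]
        file_sid, content = self.files[name]
        if not self.avc.has_perm(ssid, file_sid, "file", READ):
            raise PermissionError("%s: read %s denied (revoked)" % (ssid, name))
        return content


def scenario():
    """Constructed walk-through: grant, open, read, revoke by policy reload,
    read again.  Returns (first read, revoked?, cache hits, cache misses)."""
    server = SecurityServer({("user_t", "secret_t", "file"): READ})
    avc = AccessVectorCache(server)
    fs = FileServer(avc)
    fs.create("plan.txt", "secret_t", "attack at dawn")

    h = fs.open("user_t", "plan.txt")          # miss: decision fetched and cached
    first = fs.read(h)                         # hit: same policy sequence number

    server.load_policy({})                     # revoke everything
    try:
        fs.read(h)
        revoked = False
    except PermissionError:
        revoked = True                         # stale entry dropped, re-queried
    return first, revoked, avc.hits, avc.misses


if __name__ == "__main__":
    print(scenario())     # ('attack at dawn', True, 1, 2)
```

The point to take from the scenario is the second read: the handle was opened legitimately, but because the file server asks the cache on every operation and the cache refuses to reuse an entry computed under an older policy, the reload is enough to revoke access without the file server knowing what changed.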
The Typed Access Matrix Model
- Proc. IEEE Symposium on Research in Security and Privacy
, 1992
Abstract - Cited by 105 (24 self)
The access matrix model as formalized by Harrison, Ruzzo, and Ullman (HRU) has broad expressive power. Unfortunately, HRU has weak safety properties (i.e., the determination of whether or not a given subject can ever acquire access to a given object). Most security policies of practical interest fall into the undecidable cases of HRU. This is true even for monotonic policies (i.e., where access rights can be deleted only if the deletion is itself reversible). In this paper we define the typed access matrix (TAM) model by introducing strong typing into HRU (i.e., each subject or object is created to be of a particular type which thereafter does not change). We prove that monotonic TAM (MTAM) has strong safety properties similar to Sandhu's Schematic Protection Model. Safety in MTAM's decidable case is, however, NP-hard. We develop a model called ternary MTAM which has polynomial safety for its decidable case, and which nevertheless retains the full expressive power of MTAM. There is compelling evidence that the decidable safety cases of ternary MTAM are quite adequate for modeling practical monotonic security policies.
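To make the safety question concrete, here is an added example (not code from the TAM paper): a small monotonic typed access matrix whose commands have typed parameters and only enter rights or create typed entities, and a breadth-first search that asks whether a given subject can ever obtain a given right on a given object. The types (employee, contractor, doc, public), the commands (grant_read, grant_public, create_doc) and the initial matrix are constructed for this illustration.

```python
"""Bounded safety search over a monotonic typed access matrix (MTAM).

Added example, not code from the TAM paper.  Types, commands and the
scenario are constructed for this illustration.
"""
from collections import deque
from itertools import product


class State:
    """Access matrix as a set of (subject, object, right) triples plus a type
    for every entity.  A type is fixed at creation and never changes, which
    is what distinguishes TAM from plain HRU."""

    def __init__(self, types, rights):
        self.types = dict(types)
        self.rights = frozenset(rights)

    def key(self):
        return (tuple(sorted(self.types.items())), self.rights)

    def has(self, s, o, r):
        return (s, o, r) in self.rights

    def enter(self, s, o, r):
        return State(self.types, self.rights | {(s, o, r)})

    def create(self, name, typ):
        assert name not in self.types, "a type is assigned once, at creation"
        return State({**self.types, name: typ}, self.rights)

    def of_type(self, typ):
        return sorted(n for n, t in self.types.items() if t == typ)


# Monotonic commands: a typed parameter list, a guard on the matrix, and a
# body that only enters rights or creates typed entities.
def grant_read(st, owner, grantee, doc):
    if st.has(owner, doc, "own"):
        return st.enter(grantee, doc, "read")


def grant_public(st, owner, grantee, pub):
    if st.has(owner, pub, "own"):
        return st.enter(grantee, pub, "read")


def create_doc(st, owner):
    name = "doc%d" % len(st.types)          # fresh name: the type map only grows
    return st.create(name, "doc").enter(owner, name, "own")


COMMANDS = [
    ("grant_read", ("employee", "employee", "doc"), grant_read),
    ("grant_public", ("employee", "contractor", "public"), grant_public),
    ("create_doc", ("employee",), create_doc),
]


def safety(initial, subject, obj, right, commands=COMMANDS, max_created=1):
    """Breadth-first search for a command sequence that gives `subject` the
    `right` on `obj`.  Returns the sequence, or None if none exists within
    the creation bound (creation is what makes the general question
    undecidable, so the bound is what makes this search terminate)."""
    bound = len(initial.types) + max_created
    parent = {initial.key(): None}
    queue = deque([initial])
    while queue:
        st = queue.popleft()
        for name, ptypes, fn in commands:
            # typed parameters: only entities of the declared type are tried
            for params in product(*(st.of_type(t) for t in ptypes)):
                nxt = fn(st, *params)
                if nxt is None or len(nxt.types) > bound or nxt.key() in parent:
                    continue
                parent[nxt.key()] = (st.key(), (name, params))
                if nxt.has(subject, obj, right):
                    return _path(parent, nxt.key())
                queue.append(nxt)
    return None


def _path(parent, key):
    steps = []
    while parent[key] is not None:
        key, step = parent[key]
        steps.append(step)
    return steps[::-1]


def scenario():
    """Constructed matrix: two employees, one contractor, a doc and a public file."""
    init = State(
        {"alice": "employee", "bob": "employee", "mallory": "contractor",
         "secret": "doc", "memo": "public"},
        {("alice", "secret", "own"), ("alice", "memo", "own")},
    )
    return {
        "bob_reads_secret": safety(init, "bob", "secret", "read"),
        "mallory_reads_memo": safety(init, "mallory", "memo", "read"),
        "mallory_reads_secret": safety(init, "mallory", "secret", "read"),
    }


if __name__ == "__main__":
    for question, answer in scenario().items():
        print(question, "->", answer)
```

The bound is the caveat: in general a None result only says that no leak was found within max_created creations, not that the policy is safe. Here a stronger statement holds for the reason the abstract gives: no command body enters any right for a contractor-typed subject on a doc-typed object, and types never change, so no reachable state, bounded or not, gives mallory read on secret. That argument from the typing of the commands, rather than from exhaustive search, is what TAM's typing buys.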
Providing Flexibility in Information Flow Control for Object-Oriented Systems
- In Proc. IEEE Symposium on Security and Privacy
, 1997
Abstract - Cited by 35 (0 self)
This paper presents an approach to control information flow in object-oriented systems that takes into account, besides authorizations on objects, also how the information has been obtained and/or transmitted. These aspects are considered by allowing exceptions to the restrictions stated by the authorizations. Exceptions are specified by means of waivers associated with methods. Two kinds of waivers are supported: invoke-waivers, specifying exceptions applicable during a method's execution, and reply-waivers, specifying exceptions applicable to the information returned by a method. Information flowing from one object into another object is subject to the different waivers of the methods enforcing the transmission. We formally characterize information transmission and flow in a transaction taking into consideration different interaction modes among objects. We then define security specifications, meaning authorizations and waivers, and characterize safe information flows. We formally de...
Privacy apis: Access control techniques to analyze and verify legal privacy policies
- In CSFW ’06
, 2006
Abstract - Cited by 25 (3 self)
There is a growing interest in establishing rules to regulate the privacy of citizens in the treatment of sensitive personal data such as medical and financial records. Such rules must be respected by software used in these sectors. The regulatory statements are somewhat informal and must be interpreted carefully in the software interface to private data. This paper describes techniques to formalize regulatory privacy rules and how to exploit this formalization to analyze the rules automatically. Our formalism, which we call privacy APIs, is an extension of access control matrix operations to include (1) operations for notification and logging and (2) constructs that ease the mapping between legal and formal language. We validate the expressive power of privacy APIs by encoding the 2000 and 2003 HIPAA consent rules in our system. This formalization is then encoded into Promela and we validate the usefulness of the formalism by using the SPIN model checker to verify properties that distinguish the two versions of HIPAA.
Secure Information Sharing Enabled by Trusted Computing and PEI Models
, 2006
Abstract - Cited by 23 (5 self)
The central goal of secure information sharing is to "share but protect", where the motivation to "protect" is to safeguard the sensitive content from unauthorized disclosure (in contrast to protecting the content to avoid loss of revenue as in retail Digital Rights Management). This elusive goal has been a major driver for information security for over three decades. Recently, the need for secure information sharing has dramatically increased with the explosion of the Internet and the convergence of outsourcing, offshoring and B2B collaboration in the commercial arena and the real-world demonstration of the tragic consequences of lack of information sharing in the national security arena. As technology has made the "share" aspect ever easier, so has it increased the difficulty of enforcing the "protect" aspect. The central contribution of this paper is to show that the emergence of industrial strength Trusted Computing
Exception-Based Information Flow Control in Object-Oriented Systems
- IEEE Transactions on Knowledge and Data Engineering
, 1998
Abstract - Cited by 18 (3 self)
This paper appeared under the title "Providing Flexibility in Information Flow Control for Object-Oriented Systems" in the Proc. of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, May 1997.
Originator control in usage control
- In Proc. 3rd IEEE International Workshop on Policies for Distributed Systems and Networks
Abstract - Cited by 18 (3 self)
Originator Control is an access control policy that requires recipients to obtain the originator's approval before redisseminating a disseminated digital object. Originator control policies are one of the generic and key concerns of usage control. Usage control is an emerging concept which encompasses traditional access control and digital rights management solutions. However, current commercial Digital Rights Management (DRM) solutions lack enforcement of access control policies such as role-based access control (RBAC), mandatory access control (MAC), discretionary access control (DAC) and originator control, because their control of access to digital objects is mainly based on payment. In this paper, we attempt to combine originator control policies and usage control. We then show how this can extend traditional originator control solutions to enforce access control policies even outside of a local control environment, where a central control authority is not available. License and ticket concepts are proposed and used for originator control in usage control. We also define seven different solution approaches to deal with various dissemination situations. In addition, we discuss some published DRM solutions and relate these to our solution approaches.
A conceptual framework for group-centric secure information sharing
- Proc. of 4th ACM Symposium on Information, Computer and Comm. Security
, 2009
Abstract - Cited by 8 (7 self)
In this paper, we propose a conceptual framework for developing a family of models for Group-Centric information sharing. The traditional approach to information sharing, characterized as Dissemination-Centric in this paper, focuses on attaching attributes and policies to an object (sometimes called "sticky policies") as it is disseminated from producers to consumers in a system. In contrast, Group-Centric sharing envisions bringing the subjects and objects together in a group to facilitate sharing. The metaphor is that of a secure meeting room where participants and information come together to "share" information for some common purpose. Another metaphor is that of the subscription model where, depending on policy, joining users may or may not be authorized to access past content. We argue that in such contexts, and in accordance with different application use cases, authorizations are influenced by the temporal ordering of subject and object group membership and by the precise nature of membership operations. For instance, some subjects may only get future information added to the group while others may also be able to access previously added information. We develop a lattice of models based on variations of these basic membership operations, and discuss usage scenarios to illustrate practical applications of this lattice. Two principles guide Group-Centric models. First, "share but differentiate", which promotes sharing while differentiating user authorizations depending on the temporal aspect of membership. Next, "groups within groups", which advocates relationships (such as a hierarchy) between multiple groups. In this paper, we confine our attention to read accesses in a single group.
Foundations for group-centric secure information sharing models
- In Proc. of the ACM Symp. on Access Control Models and Tech
, 2009
Abstract - Cited by 6 (5 self)
We develop the foundations for a theory of Group-Centric Secure Information Sharing (g-SIS), characterize a specific family of models in this arena and identify several directions in which this theory can be extended. The traditional approach to information sharing, characterized as Dissemination-Centric, focuses on attaching attributes and policies to an object as it is disseminated from producers to consumers in a system. In contrast, Group-Centric sharing envisions bringing the users and objects together in a group to facilitate sharing. The metaphors "secure meeting room" and "subscription service" characterize the Group-Centric approach, where participants and information come together to share for some common purpose. Our focus in this paper is on the semantics of group operations: Join and Leave for users and Add and Remove for objects, each of which can have several variations called types. We use Linear Temporal Logic to first characterize the core properties of a group in terms of these operations. We then characterize additional properties for specific types of these operations. Finally, we specify the authorization behavior for read access in a single group for a family of g-SIS models and show that these models satisfy the above-mentioned properties using the NuSMV model checker.
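The two g-SIS abstracts above (the conceptual framework and the foundations paper) both turn on the same idea: read authorization in a group depends on the temporal order of Join/Leave and Add/Remove events and on which variant ("type") of each operation was used. The following is an added example, not code from either paper: it replays a trace of group events, keeps the set of (user, object) pairs currently authorized to read, and then brute-forces every short trace over one user and one object to check two always-properties, which is the flavour of the LTL-plus-NuSMV check the foundations paper describes, done by enumeration instead of a model checker. The strict/liberal variants of the four operations are one reading of the operation types the abstracts mention, and all class, function and user/object names are this example's own.

```python
"""Group-Centric sharing replayed as a trace of membership events.

Added example, not code from the g-SIS papers.  The strict/liberal variants
of join, leave, add and remove are one reading of the operation "types" the
abstracts mention; names and scenario data are this example's own.
"""
from itertools import product

STRICT, LIBERAL = "strict", "liberal"


class Group:
    """Tracks current members, current objects (with their add type) and the
    set of (user, object) pairs authorized to read right now."""

    def __init__(self):
        self.members = set()
        self.objects = {}            # object -> type it was added with
        self.auth = set()

    def join(self, user, kind):
        self.members.add(user)
        if kind == LIBERAL:          # liberal join: also read earlier objects,
            self.auth |= {(user, o) for o, t in self.objects.items()
                          if t == LIBERAL}   # unless they were added strictly
        # strict join: only objects added from now on

    def leave(self, user, kind):
        self.members.discard(user)
        if kind == STRICT:           # strict leave: lose everything
            self.auth = {(u, o) for u, o in self.auth if u != user}
        # liberal leave: keep current reads, receive nothing new

    def add(self, obj, kind):
        self.objects[obj] = kind
        self.auth |= {(u, obj) for u in self.members}

    def remove(self, obj, kind):
        self.objects.pop(obj, None)
        if kind == STRICT:           # strict remove: nobody keeps it
            self.auth = {(u, o) for u, o in self.auth if o != obj}
        # liberal remove: current readers keep it, nobody new gains it

    def apply(self, event):
        op, name, kind = event
        getattr(self, op)(name, kind)


def replay(trace):
    g = Group()
    for ev in trace:
        g.apply(ev)
    return g


def violations(trace):
    """Two 'always' properties checked on every prefix: a pair is authorized
    only after both a join and an add, and never after a strict leave or
    strict remove that no later join or add has undone."""
    g, joined, added, gone, removed, bad = Group(), set(), set(), set(), set(), []
    for i, (op, name, kind) in enumerate(trace):
        g.apply((op, name, kind))
        if op == "join":
            joined.add(name); gone.discard(name)
        elif op == "add":
            added.add(name); removed.discard(name)
        elif kind == STRICT:
            (gone if op == "leave" else removed).add(name)
        for u, o in g.auth:
            if u not in joined or o not in added:
                bad.append((i, "read before join/add", u, o))
            if u in gone or o in removed:
                bad.append((i, "read after strict leave/remove", u, o))
    return bad


def explore(max_len, users=("alice",), objects=("doc",)):
    """Enumerate every trace up to max_len events; return (count, violations)."""
    alphabet = [(op, u, k) for op in ("join", "leave") for u in users for k in (STRICT, LIBERAL)]
    alphabet += [(op, o, k) for op in ("add", "remove") for o in objects for k in (STRICT, LIBERAL)]
    checked, bad = 0, []
    for n in range(1, max_len + 1):
        for trace in product(alphabet, repeat=n):
            checked += 1
            bad += violations(trace)
    return checked, bad


def scenario():
    """Constructed trace showing how join order and join type decide access."""
    g = replay([
        ("join", "alice", STRICT),
        ("add", "doc1", LIBERAL),
        ("join", "bob", LIBERAL),       # sees doc1 although it predates him
        ("join", "carol", STRICT),      # only future objects
        ("add", "doc2", STRICT),
        ("leave", "alice", LIBERAL),    # keeps doc1 and doc2, gets nothing new
        ("add", "doc3", LIBERAL),
        ("remove", "doc2", STRICT),     # withdrawn from everyone
    ])
    return {u: sorted(o for x, o in g.auth if x == u) for u in ("alice", "bob", "carol")}


if __name__ == "__main__":
    print(scenario())   # {'alice': ['doc1'], 'bob': ['doc1', 'doc3'], 'carol': ['doc3']}
    print(explore(3))   # (584, [])
```

The scenario is the "share but differentiate" principle in miniature: bob and carol are both members when doc3 is added and both read it, but only bob's liberal join reaches back to doc1, and alice's liberal leave freezes what she had rather than cutting it off. The enumeration in explore() is the part to extend when adding a new operation type: any variant that lets a pair survive a strict leave or appear before a join shows up as a violation.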
Towards a multi-dimensional characterization of dissemination control
- In Proc. 5th IEEE International Workshop on Policies for Distributed Systems and Networks
, 2004
Abstract - Cited by 4 (2 self)
Dissemination control (DCON) is emerging as one of the most important and challenging goals for information security. DCON is concerned with controlling information and digital objects even after they have been delivered to a legitimate recipient. The need for DCON arises in many different domains, ranging from the dissemination of digital music and movies, eBooks, business proprietary and sensitive electronic documents, to the propagation of mailing lists in relation to direct marketing. Our goal in this short paper is to present some of the multidimensional technical issues that need to be modeled and understood so as to provide a comprehensive set of DCON capabilities. It represents a first but necessary step in our ongoing work in formulating a family of DCON models.