Stale-safe security properties for group-based secure information sharing, 2008
Cited by 10 (6 self)
Attribute staleness arises due to the physical distribution of authorization information, decision and enforcement points. This is a fundamental problem in virtually any secure distributed system in which the management and representation of authorization state are not globally synchronized. This problem is so intrinsic that it is inevitable that access decisions will be based on attribute values that are stale. While it may not be practical to eliminate staleness, we can limit unsafe access decisions made based on stale subject and object attributes. In this paper, we propose and formally specify four stale-safe security properties of varying strength which limit such incorrect access decisions. We use Linear Temporal Logic (LTL) to formalize these properties, making them suitable to be verified, for example, using model checking. We show how these properties can be applied in the specific context of group-based Secure Information Sharing (g-SIS) as defined in this paper. We specify the authorization decision/enforcement points of the g-SIS system as a Finite State Machine (FSM) and show how this FSM can be modified so as to satisfy one of the stale-safe properties.
Security
Cited by 9 (1 self)
Secure Information Sharing (SIS) or “share but protect” is a challenging and elusive problem both because of its broad scope and complexity, ranging right from conception (objective and policy) to culmination (implementation). In this paper, we consider how to solve SIS challenges with three main and conflicting objectives: scalability, usability and high assurance. In the context of SIS, high assurance requires strong controls on the client. It is widely accepted that such controls cannot be entirely software-based. In this regard, we consider solutions based on commercially emerging hardware-rooted Trusted Computing Technology. For SIS, we argue super-distribution (“protect once and access wherever authorized”) and off-line access are necessary to achieve scalability and usability. We limit super-distribution to occur within a group of Trusted Platform Module [1] or TPM-enabled machines. For simplicity, we assume all content that is distributed to be read-only. Drilling down,
Apply Model Checking to Security Analysis in Trust Management
Cited by 2 (1 self)
Trust management is a form of access control that uses delegation to achieve scalability beyond a single organization or federation. However, delegation can be difficult to control. A resource owner that delegates some authority is naturally concerned not only about who has access today, but also who will have access after others make changes to the global policy state. They need tools to help answer such questions. This problem has been studied in the case of a trust management language called RT, where, for simple questions concerning specific individuals, polynomial time algorithms are known. However, more useful questions, like “Could anyone who is not an employee ever get access?”, are in general intractable. This paper concerns our efforts to build practical tools that answer such questions in many cases nevertheless by using a lightweight approach that leverages a mature model checking tool called SMV. Model checking is an automated technique that checks if desired properties hold in the model. Our experience, reported here, suggests that in our problem domain, such a tool may often be able to identify delegations that are unsafe with respect to security questions like the one mentioned above. We explain our translation from an RT policy and containment query to an SMV model and specification, as well as demonstrate the feasibility of our approach with a case study.
IN A TRUST MANAGEMENT ENVIRONMENT
“Our deepest fear is not that we are inadequate. Our deepest fear is that we are powerful beyond measure. It is our light, not our darkness that most frightens us. And as we let our own light shine, we unconsciously give other people permission to do the same. As we are liberated from our own fear, our presence automatically liberates others.” ~ Marianne Williamson

This dissertation is dedicated to my family, especially...

to my wife, Maria, who has showered me with love and encouragement, and has conferred patience in countless ways. Thank you for being my emotional anchor through not only the vagaries of graduate school, but life itself.

to my daughter, Stephanie, whose own persistence and curiosity reminds me that the little steps taken with a fresh perspective each day eventually lead to our successes.

to my daughter, Ashley, whose boundless passion and love remind me that family is to be eternally cherished.

to Mom and Dad, who have been my role models for hard work and personal sacrifice, and who instilled in me the inspiration to set high goals and the confidence to achieve them.

to my sisters, Kari and Jennifer: your bold persistence and tenacity to succeed, despite all of the challenges the world throws at you, is an inspiration to me.

to my brother-in-law, Marlon: your selfless attitude and willingness to help others encourages me to see the best in everyone.

to my mother-in-law, Rayka, for all of your support and encouragement, particularly to your daughter and grandchildren while I have been immersed in this work.

to my sisters-in-law, Svetla and Sneja, for all of your encouragement and witty advice on how to get through the past four years.

SECURITY POLICY ANALYSIS
Abstract
The notion of ‘depth’ has been used in statistics as a way to identify the center of the bivariate distribution given by a point set. We present a general framework for computing such statistical estimators that makes extensive use of modern graphics architectures. As a result, we derive improved algorithms for a number of depth measures such as location depth, simplicial depth, Oja depth, colored depth, and dynamic location depth. Our algorithms perform significantly better than currently known implementations, outperforming them by at least one order of magnitude and having a strictly better asymptotic growth rate.
Security Verification Techniques Applied to PatchLink COTS Software
Verification of the security of software artifacts is a challenging task. An integrated approach that combines verification techniques can increase the confidence in the security of software artifacts. Such an approach has been developed by the Jet
Research on Software Security Testing
Software security testing is an important means to ensure software security and trustiness. This paper first mainly discusses the definition and classification of software security testing, and investigates methods and tools of software security testing widely. Then it analyzes and concludes the advantages and disadvantages of various methods and the scope of application, and presents a taxonomy of security testing tools. Finally, the paper points out future focus and development directions of software security testing technology.

Keywords: security testing, security functional testing, security vulnerability testing, testing method, testing tool
Checking, Security Properties
Attribute staleness arises due to the physical distribution of authorization information, decision and enforcement points. This is a fundamental problem in virtually any secure distributed system in which the management and representation of authorization state are not globally synchronized. This problem is so intrinsic that it is inevitable an access decision will be made based on attribute values that are stale. While it may not be practical to eliminate staleness, we can limit unsafe access decisions made based on stale user and object attributes. In this article, we propose two properties and specify a few variations which limit such incorrect access decisions. We use temporal logic to formalize these properties which are suitable to be verified, for example, by using model checking. We present a case study of the uses of these properties in the specific context of an application called Group-Centric Secure Information Sharing (g-SIS). We specify the authorization information, decision and enforcement points of the g-SIS system for the case with only a single user, object, and group (the small enforcement model) in terms of State Machine (SM) and show how these SMs can be designed so as to satisfy the stale-safe security properties. Next, we formally verify that the small model satisfies these properties and enforces a g-SIS authorization policy using the NuSMV model checker. Finally, we show that by generalizing the
Theoretical Foundation for Model Checking Role Containment in RT
Trust management is a scalable and flexible form of access control that relies heavily on delegation techniques. While these techniques may be necessary in large or decentralized systems, stakeholders need an analysis methodology and automated tools for reasoning about who will have access to their resources today as well as in the future. When an access control policy fails to satisfy the policy author’s security objectives, tools should provide information that demonstrates how and why the failure occurred. Such information is useful in that it may assist policy authors in constructing policies that satisfy security objectives, which supports policy authoring and maintenance. This paper presents a collection of reduction, optimization, and verification techniques useful in determining whether security properties are satisfied by RT policies. We provide proofs of correctness as well as demonstrate the degree of effectiveness and efficiency the techniques provide through empirical evaluation. While the type of analysis problem we examine is generally intractable, we demonstrate that our reduction and optimization techniques may be able to reduce problem instances into a form that can be automatically verified.
Formal Verification of Security Properties in Trust Management Policy
Trust management is a scalable form of access control that relies heavily on delegation. Different parts of the policy are under the control of different principals in the system. While these two characteristics may be necessary in large or decentralized systems, they make it difficult to anticipate how policy changes made by others will affect whether one’s own security objectives are met and will continue to be met in the future. Automated analysis tools are needed for assessing this question. The article develops techniques that support the development of tools that nevertheless are able to solve many analysis problem instances. When an access control policy fails to satisfy desired security objectives, the tools provide information about how and why the failure occurs. Such information can assist policy authors in designing appropriate policies. The approach to performing the analyses is based on model checking. To assist in making the approach effective, a collection of reduction techniques is introduced. We prove the correctness of these reductions and empirically evaluate their effectiveness. While the class of analysis problem instances we examine is generally intractable, we find that our reduction techniques are often able to reduce some problem instances into a form that can be automatically verified.