Formal Semantics for Programmable Access Control PART A

1
Formal Semantics for Programmable Access Control
(PART A)
  by Ioanna Dionysiou

2
Presentation Outline
  • System Security (brief definition)
  • MOOSE project
  • Meta Object Model (MOM) components and
    functionality
  • MOM Authorization Model
  • Denotational Semantics for MOM Authorization Model
  • Results and Conclusions


3
System Security
  • Protection afforded to an automated information
    system in order to attain the applicable
    objectives of preserving the integrity,
    availability and confidentiality of information
    system resources
  • NIST Handbook

National Institute of Standards and Technology
4
System Security
  • How can system security be achieved?
  • Authorization
  • Authentication
  • Auditing
  • Secure communication

5
Heterogeneous Distributed Systems
  • You know you have one when the crash of a
    computer you've never heard of stops you from
    getting any work done
  • (CPTS 564 Notes, a very interesting definition)

Any examples?
6
Global Enforcement of Confidentiality and
Authorization for Heterogeneous Distributed
Systems
  • Difficult to achieve, because:
  • Software components on distributed systems are
    typically heterogeneous (different languages and
    systems)
  • Authorization policies are fixed to specific
    systems
  • No flexibility to encompass other models

7
Global Enforcement of Confidentiality and
Authorization for Heterogeneous Distributed
Systems
  • What has been done so far?

CORBA
Common Object Request Broker Architecture
OLE/COM
Object Linking and Embedding/Common Object Model
8
Global Enforcement of Confidentiality and
Authorization for Heterogeneous Distributed
Systems, Cont.
  • Secure interoperability is prevented due to
    semantic diversity and complexity at the policy
    and model level

Is there a solution?
9
Programmable Security
  • Common architecture that embeds programmable
    security constructs at a fundamental level

Introduce new syntax for security policy
expressions
Primitive security mechanisms tied to syntax
within a common model for object systems
10
Formal Methods are NEEDED!!!!
Mathematical techniques for specifying and
verifying system properties
ROC formalism for concurrently executing objects
Distributed system verification
HOL logic for reasoning and verification
11
MOOSE Architecture (Meta Object Operating System
Environment)
12
MOOSE Architecture
  • Supports an architecture for the development,
    execution, and verification of secure
    heterogeneous distributed systems
  • Meta Object Model: core distributed object model
    within MOOSE that supports primitive object
    functionality

13
Meta Object Model (MOM)
  • Primitive distributed object model
  • Classes and inheritance through meta objects and
    delegation
  • Supports core object functionality (method
    invocation, asynchronous message passing,
    delegation, aggregation)
  • Provides a common substrate for secure
    interoperability between heterogeneous object
    systems

14
MOM Components
15
Message Handler (MOM Components)
  • Main function: constrain the set of messages
    that objects receive from their environment

On receipt of a message, the message handler can:
  • Accept it as a local request (that's not
    authorization!!)
  • Delegate it to an adjacent domain
16
Object Registry (MOM Components)
Main function: bookkeeping information
associated with each object component
  • Local identifier of the object component
  • Miscellaneous information
  • Component type
17
Object Registry, an example (MOM Components)
How can the object registry be used?

Object Registry for root:
  Component   Type         Misc
  o1          MOM-Object
  o2          MOM-Object

Incoming message contains an invocation request
for a method responsible for creating object
named o2. Deny or accept?
18
Meta Data Repository (MOM Components)
Main function: contains templates needed to
define meta object instances
Object o2 can create instances containing
subobjects X and Y and methods M1 and M2.
Initial Authorization State of o3
Suppose o3 is a new instance of o2. How can the
meta data table for o2 be used? And why?
19
Methods (MOM Components)
Method Interface
  • Accepts method invocations
  • Manages synchronization constraints on methods
Method Arbiter
  • Establishes communication channels between the
    method body and its environment
Method Body
  • Performs the actual work; only communicates with
    the arbiter
20
Methods, an example (MOM Components)
(Figure: msg -> Method interface m1 -> Method arbiter m1 -> Method body m1)
21
Object Access Control List (MOM Components)
Main function: defines the local authorization
state for the MOM objects
OACL entry: <Component, Privilege, Token>
  • Privilege: KEY or LOCK or recursive
  • Token: a ticket
22
Object Access Control List (MOM Components)
Method_1 has a Lock privilege associated with
ticket a.
23
MOM Authorization Scheme
  • Object Access Control Lists (OACLs)
  • Message Filters
  • Messages and Tickets

24
Ticket-Based Scheme
25
Message Filtering
26
Original Authorization Model Semantics
  • Captured by five rules
  • Mostly focused on adding/removing privileges
  • Ignores hierarchical structure of objects
    (assumes direct access between objects)

(Figure: Objects A, B and C with direct access to one
another inside the Universal Object Domain)
27
Refined Authorization Model Semantics
  • Object hierarchy
    IS important
  • An object can intervene and deny access

(Figure: objects A, B and C arranged in a hierarchy)
28
Refined Authorization Model Semantics
  • Object hierarchy taken into account
  • Message delegation (authorization of message at
    each passing object in the hierarchy)
  • HOW?

29
Authorization During Delegation
30
Refined Authorization Model
  • PARENT predicate
  • ADJ predicate
  • ANCESTOR predicate
  • DESCENDANT predicate
  • LOCK predicate
  • KEY predicate
  • GRANT.p predicate
  • REVOKE.p predicate
  • MATCH predicate
  • ACCESS predicate
  • ADD command
  • REMOVE command
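As an added example, not code from the deck or the MOOSE project, the following Python model ties the ticket-based OACL scheme of slides 21 and 22 to the refined, hierarchy-aware semantics of slides 27 to 30. Its reading of the model is an assumption: a message carries a ticket, the sender must hold a KEY entry for that ticket, the target must hold a LOCK entry on the invoked method that the ticket opens (MATCH), every object the message is delegated through runs the same filter and can intervene by holding its own LOCK on that method, and ADD/REMOVE are plain insert/delete on an OACL. The "recursive" privilege and the GRANT.p/REVOKE.p predicates are not modelled. The names MomObject, Message, delegation_path, build_demo and the objects root, A, B and C are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

KEY, LOCK = "KEY", "LOCK"

@dataclass(frozen=True)
class Entry:
    """One OACL entry <Component, Privilege, Token>; Token is the ticket name."""
    component: str
    privilege: str  # KEY or LOCK (the deck's "recursive" privilege is not modelled)
    token: str

@dataclass(eq=False)  # eq=False: objects compare by identity
class MomObject:
    name: str
    parent: Optional["MomObject"] = None
    oacl: Set[Entry] = field(default_factory=set)

    # ADD / REMOVE commands: the only way the local authorization state changes
    def add(self, component: str, privilege: str, token: str) -> None:
        self.oacl.add(Entry(component, privilege, token))

    def remove(self, component: str, privilege: str, token: str) -> None:
        self.oacl.discard(Entry(component, privilege, token))

@dataclass(frozen=True)
class Message:
    sender: str
    target: str
    component: str  # method invoked on the target
    ticket: str     # ticket presented by the sender

# Hierarchy predicates (hypothetical encodings of PARENT / ADJ / ANCESTOR / DESCENDANT)
def PARENT(a: MomObject, b: MomObject) -> bool:
    return b.parent is a

def ANCESTOR(a: MomObject, b: MomObject) -> bool:
    p = b.parent
    while p is not None and p is not a:
        p = p.parent
    return p is a

def DESCENDANT(a: MomObject, b: MomObject) -> bool:
    return ANCESTOR(b, a)

def ADJ(a: MomObject, b: MomObject) -> bool:
    return PARENT(a, b) or PARENT(b, a)

# KEY / LOCK predicates over one object's OACL
def KEY_P(o: MomObject, component: str, ticket: str) -> bool:
    return Entry(component, KEY, ticket) in o.oacl

def LOCK_P(o: MomObject, component: str, ticket: str) -> bool:
    return Entry(component, LOCK, ticket) in o.oacl

def delegation_path(src: MomObject, dst: MomObject) -> List[MomObject]:
    """Objects a message passes through: up to the lowest common ancestor, then down."""
    def chain(o: Optional[MomObject]) -> List[MomObject]:
        out: List[MomObject] = []
        while o is not None:
            out.append(o)
            o = o.parent
        return out
    up, down = chain(src), chain(dst)
    lca = next(o for o in up if any(o is d for d in down))
    return up[: up.index(lca) + 1] + list(reversed(down[: down.index(lca)]))

def MATCH(o: MomObject, msg: Message, is_target: bool) -> bool:
    """Message filter at one object (assumed semantics). The target must hold a LOCK on
    the invoked component that the ticket opens. A passing object intervenes only if it
    holds its own LOCK on that component which the ticket does not open."""
    locks = {e.token for e in o.oacl if e.component == msg.component and e.privilege == LOCK}
    return msg.ticket in locks if is_target else (not locks or msg.ticket in locks)

def ACCESS(objects: Dict[str, MomObject], msg: Message) -> Tuple[bool, str]:
    """ACCESS holds iff the sender holds a KEY for the ticket it presents and MATCH
    holds at every object the message is delegated through, target included."""
    src, dst = objects[msg.sender], objects[msg.target]
    if not KEY_P(src, msg.component, msg.ticket):
        return False, f"{src.name} holds no KEY ticket {msg.ticket} for {msg.component}"
    path = delegation_path(src, dst)
    for o in (path[1:] or path):  # a self-invocation still checks the target lock
        if not MATCH(o, msg, is_target=o is dst):
            return False, f"denied at {o.name}"
    return True, "granted via " + "->".join(o.name for o in path)

def build_demo() -> Dict[str, MomObject]:
    """Constructed hierarchy: root over A and C; B under A. Method m1 on B is locked
    by ticket a (as on slide 22); C holds KEY tickets a and x for m1."""
    root = MomObject("root")
    a, c = MomObject("A", parent=root), MomObject("C", parent=root)
    b = MomObject("B", parent=a)
    b.add("m1", LOCK, "a")
    c.add("m1", KEY, "a")
    c.add("m1", KEY, "x")
    return {o.name: o for o in (root, a, b, c)}

if __name__ == "__main__":
    objs = build_demo()
    print(ACCESS(objs, Message("C", "B", "m1", "a")))  # granted via C->root->A->B
    print(ACCESS(objs, Message("C", "B", "m1", "x")))  # denied at B
    objs["A"].add("m1", LOCK, "b")                      # ancestor A intervenes on its subtree
    print(ACCESS(objs, Message("C", "B", "m1", "a")))  # denied at A
```

The difference between the two semantics on the slides shows up in ACCESS: the original, flat model would check MATCH only at the target, whereas here the filter also runs at root and A on the delegation path, so an ancestor that adds a LOCK entry for m1 can deny a message that the target alone would have accepted.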