From Chinese Wall Security Policy Models to Granular Computing - PowerPoint PPT Presentation

1 / 72
About This Presentation
Title:

From Chinese Wall Security Policy Models to Granular Computing

Description:

Chinese (Great) Wall Security Policy. 18. Overview - Trojan Horses ... This is a malicious Trojan Horse problem. 40. Need ACWSP Theorem ... – PowerPoint PPT presentation

Number of Views:864
Avg rating:3.0/5.0
Slides: 73
Provided by: Ty53
Category:

less

Transcript and Presenter's Notes

Title: From Chinese Wall Security Policy Models to Granular Computing


1
From Chinese Wall Security Policy Models to
Granular Computing
  • Tsau Young (T.Y.) Lin
  • tylin_at_cs.sjsu.edu dr.tylin_at_sbcglobal.net
  • Computer Science Department, San Jose State
    University, San Jose, CA 95192,
  • and
  • Berkeley Initiative in Soft Computing,
    UC-Berkeley, Berkeley, CA 94720

2
From Chinese Wall Security Policy. . .
  • The goal of this talk is to illustrate how
    granular computing can be used to solved a long
    outstanding problem in computer security.

3
Outline
  • 1. Overview(Main Ideas)
  • 2. Detail Theory
  • Background
  • Brewer and Nash Vision
  • Formal Theory
  • 2

4
Overview
  • New Methodology Granular Computing
  • Classical ProblemTrojan Horses

5
Overview - Granular computing
  • Historical Notes
  • 1. Zadeh (1979) Fuzzy sets and granularity
  • 2. Pawlak, Tony Lee (1982)Partition Theory(RS)
  • 3. Lin 1988/9 Neighborhood Systems(NS) and
    Chinese
  • Wall (a set of binary relations. A
    non-reflexive. . .)
  • 4. Stefanowski 1989 (Fuzzified partition)
  • 5. Qing Liu Lin 1990 (Neighborhood system)

6
Overview-Granular computing
  • Historical Notes
  • 6. Lin (1992)Topological and Fuzzy Rough Sets
  • 7. Lin Liu Operator View of RS and NS (1993)
  • 8. Lin Hadjimichael Non-classificatory
    hierarchy (1996)

7
Overview Problem Solving Paradigm
  • Divide and Conquer
  • 1. Divide Partition ( Equivalence Relation)
  • 2. Conquer Quotient sets (Bo ZHANG, Knowledge
    Level Processing)
  • 3. Could this be generalized?

8
Overview-Example
  • Partition disjoint granules(Equivalence Class)
  • 04 . . . , 0, 4, 8, . . .4n,
  • 14 . . . , 1, 5, 9, . . . 4n1,
  • 24 . . . , 2, 6, 10, . . . 4n2,
  • 34 . . . , 3, 7, 11, . . . 4n3.
  • Quotient set Z/4 (Z/m)

9
Overview-New Challenge?
  • Granulation overlapping granules
  • B0 . . . , 0, 4, 8, 12,. . . 5, 9,
  • B1 . . . , 1, 5, 9, . . .
  • B2 . . . , 2, 6, 10, . . ., 7,
  • B3 . . . , 3, 7, 11, . . ., 6, .
  • Quotient ?

10
Overview- Granular Computing - New Paradigm ?
  • Classical paradigm is unavailable for general
    granulation
  • Research Direction New Paradigm ?

11
Overview- Granular Computing a New Problem
Solving Paradigm
  • Divide and Conquer (incremental development)
  • 1. Divide Granulation (binary relation)
  • Topological Partition
  • 2. Conquer Topological Quotient Set

12
Application - New Paradigm ?
  • Report
  • Applying an incremental progress
  • in granulation to
  • Classical problem in computer security

13
Overview - Trojan Horses
  • Classical Problem
  • Trojan Horses, e.g.virus propagation

14
Overview - Trojan Horses
  • Grader G is a conscientious student but lacking
    computer skills.
  • So a classmate C sets up a tool box that
    includes, e.g., editor, spread sheet,

15
Overview - Trojan Horses
  • C embeds a copy program
  • into Gs tool it sends
  • a copy of Gs file to C
  • (university system normally allows students to
    exchange information)

16
Overview - Trojan Horses
  • As the Grader is not aware of such
  • Trojan Horses, he cannot stop them
  • The system has to stop them!
  • Can it?

17
Overview - Trojan Horses
  • Can it?
  • In general, NO
  • With constraints, YES
  • Chinese (Great) Wall Security Policy.

18
Overview - Trojan Horses
  • Direct Information flow(DIF) CIF, a sequence of
    DIFs, leaks the information legally !!!

Grader
DIF
Trojan horse(DIF)
Professor
Student
CIF
19
Overview
  • End of Overview

20
Details
  • Background

21
Background
  • In UK, a financial service company may consulted
    by competing companies. Therefore it is vital
    to have a lawfully enforceable security policy.
  • 3

22
Background
  • Brewer and Nash (BN) proposed Chinese Wall
    Security Policy Model (CWSP) 1989 for this
    purpose

23
Background
  • The idea of CWSP was, and still is, fascinating
  • Unfortunately, BN made a technical error.

24
Outline
  • BNs Vision

25
BN Intuitive Wall Model
  • Built a set of impenetrable Chinese Walls among
    company datasets so that
  • No corporate data that are in conflict can be
    stored in the same side of the Walls
  • 5

26
Policy Simple CWSP (SCWSP)
  • "Simple Security", BN asserted that
  • "people (agents) are only allowed
  • access to information which is not
  • held to conflict with any other
  • information that they (agents)
  • already possess."

27
Could Policy Enforce the Goal?
  • YES BNs intent technical flaw
  • Yes, but it relates an outstanding difficult
    problem in Computer Security

28
First analysis
  • Simple CWSP(SCWSP)
  • No single agent can read data X and Y
  • that are in CONFLICT
  • Is SCWSP adequate?

29
Formal Simple CWSP
  • SCWSP says that a system is secure, if
  • (X, Y) ? CIR ? X NDIF Y
  • (X, Y) ? CIR ? X DIF Y
  • (need to know may apply)
  • CIRConflict of Interests Binary Relation

30
More Analysis
  • SCWSP requires no single agent can read X and Y,
  • but do not exclude the possibility a sequence of
    agents may read them
  • Is it secure?

31
Aggressive CWSP (ACWSP)
  • The Intuitive Wall Model implicitly requires No
    sequence of agents can read X and Y
  • A0 reads XX0 and X1,
  • A1 reads X1 and X1,
  • . . .
  • An reads XnY

32
Can SCWSP enforce ACWSP?
  • Related to a Classical Problem
  • Trojan Horses

33
Current States
  • 1.BN-Theory (Rough Computing)-failed
  • 2.Granular Computing Method

34
Formal Model
  • When an agent, who has read both X and Y,
    considers a decision for Y,
  • information in X may be used
  • consciously or unconsciously.

35
Formal Model (DIF)
  • So the fair assumptions are
  • if the same agent can read X and Y
  • X has direct information flowed into Y, in
    notation, X DIF Y
  • also Y DIF X . . .

36
Formal Simple CWSP
  • SCWSP says that a system is secure, if
  • (X, Y) ? CIR ? X NDIF Y
  • (X, Y) ? CIR ? X DIF Y
  • CIRConflict of Interests Binary Relation

37
Composite Information flow
  • Composite Information flow(CIF) is
  • a sequence of DIFs , denoted by ?
  • such that
  • XX0 ?X1 ? . . . ? XnY
  • And we write X CIF Y
  • NCIF No CIF

38
Formal Aggressive CWSP
  • Aggressive CWSP says that a system is secure, if
  • (X, Y) ? CIR ? X NCIF Y
  • (X, Y) ? CIR ? X CIF Y

39
The Problem
  • Simple CWSP ? ? Aggressive CWSP
  • This is a malicious Trojan Horse problem

40
Need ACWSP Theorem
  • Theorem If CIR is anti-reflexive, symmetric and
    anti-transitive, then
  • Simple CWSP ? Aggressive CWSP

41
Solution
  • BNs solution
  • GrC Solution

42
BN-Theory(failed)
  • BN assumed
  • Corporate data are decomposed into
  • Conflict of Interest Classes
  • (CIR-classes)
  • (implies CIR is an equivalence relation)

43
BN-Theory
  • BN assumption CIR-classes

Class B
i, j, k

f, g, h
Class C
Class A
l, m, n
44
BN-Theory
  • Can they be partitioned?



France, German


C
US, Russia UK?
45
BN-theory
  • Is CIR Equivalence Relation?
  • NO (will prove)

46
Some Mathematics
  • A partition ? Equivalence Relation

Class B
i, j, k

f, g, h
Class C
Class A
l, m, n
47
Some Mathematics
  • Partition ? Equivalence relation
  • X ? Y (Equivalence Relation)
  • if and only if
  • both belong to the same class/granule

48
Equivalence Relation
  • Generalized Identity
  • X ? X (Reflexive)
  • X ? Y implies Y ? X (Symmetric)
  • X ? Y, Y ? Z implies X ? Z (Transitive)

49
Is CIR Symmetric?
  • US ? (conflict) USSR
  • implies
  • USSR ? (conflict) US ?
  • YES

50
Is CIR Transitive?
  • US ? (conflict) Russia
  • Russia ? (conflict) UK
  • UK ? ? US
  • NO

51
Is CIR Reflexive?
  • Is CIR self conflicting?
  • US ? (conflict) US ?
  • NO

52
Is CIR Equivalence Relation?
  • NO

53
Overlapping CIR-classes
  • CIR is not an equivalence relation, so CIR
    classes do overlap


US, UK,
Iraq, . . .
USSR
54
BN-Theory
  • BN-Theory Failed, but
  • BN intention is valid

55
New Theory
  • Formalize BNs intuition
  • O the set of objects(company datasets)
  • X, Y, . . . are objects

56
Summary on Simple CWSP
  • X and Y has no conflict then they can be read by
    same agent
  • ? (X, Y) ? CIR ? X NDIF Y
  • B(X) Y X NDIF Y
  • Y (X, Y ) ? CIR
  • 6

57
Granule (Access Lists)
  • B(X) is a set of objects that information of X
    canNOT be flow into.
  • Granule / Neighborhood
  • Access Denied Lists

58
DAC and GrC
  • The association
  • B O ? 2O ? X ?? B(X)
  • DAC (Discretionary Access Control Model)
  • Basic (binary) Granulation/Neighborhood System

59
Derived Equivalence Relation
  • The inverse images of B is a partition (an
    equivalence relation)
  • C Cp Cp B 1 (Bp) p ? V
  • This is the heart of this talk

60
The set C of the center sets of CIR
  • The set C of center sets Cp is a partition

Iraq, . . .
US, UK, . . .
German, . . .
61
C and CIR classes
  • IJARCp

Cp -classes
CIR-class
Cp -classes
62
C and CIR classes

Cp -classes
CIR-class
Cp -classes
63
C and CIR classes
  • CIR Anti-reflexive, symmetric, anti-transitive

Cp -classes
CIR-class
Cp -classes
64
Derived Equivalence Relation
  • Cp is called the center set of Bp
  • A member of Cp is called a center.

65
Derived Equivalence Relation
  • The center set Cp consists of all the points that
    have the same granule
  • Center set Cp q Bq Bp

66
Aggressive CWSP Theorem
  • Theorem. If CIR is anti-reflexive, symmetric,
    anti-transitive, then
  • CIJAR(complement of CIR).

67
Aggressive CWSP
  • CIR (with three conditions) only allows
    information sharing within one IJAR-class
  • An IJAR-class is an equivalence class so there
    is no danger the information will spill to
    outside.

68
ACWSP
  • Theorem If CIR is anti-reflexive, symmetric and
    anti-transitive, then
  • Simple CWSP ? Strong CWSP

69
Conclusions
  • 1. Classical Problem Solving Paradigm requires
    partitioning (equivalence relation) may be too
    strong
  • 2. Classical idea is extended to granulation
    (binary relation)

70
Conclusions
  • 3. A small success in apply new paradigm to
    computer security
  • 4. CWSP is one of the the bigger problem,
    managing the Information Flow Model in DAC this
    was considered impossible in the past.

71
Conclusions
  • 5. BNs requirements implies IJAR is an
    equivalence class. However, if we impose need to
    know constraint, then IJAR is not an equivalence
    class. Under such constraints, we have weaker
    form of CWSP theorem

72
AppendixAggressive CWSP Theorem
  • If CIR is anti-transitive non-empty and if (u, v)
    ? CIR implies that ? w ? V (at least one of (u,
    w) or (w, v) belongs to CIR ). Let (x, y) and (y,
    z) be in IJAR, we need to show that (x, z) be in
    IJAR. Assume contrarily, it is in CIR, by
    anti-transitive, one and only one of (x, y) or
    (y, z) be in CIR, that is the contradiction.
Write a Comment
User Comments (0)
About PowerShow.com