Consiglio Nazionale delle Ricerche - Pisa | IIT, Istituto per l'Informatica e la Telematica
Reasoning about Secure Interoperation using Soft Constraints

Stefano Bistarelli
Dipartimento di Scienze, Università di Pescara, Italy; IIT, CNR, Pisa, Italy

Simon Foley, Barry O'Sullivan
Department of Computer Science, University College Cork, Ireland

Speaker: Stefano Bistarelli
Thanks to my co-authors…

Barry O'Sullivan, University College Cork, Ireland; Cork Constraint Computation Centre; constraints
Simon Foley, University College Cork, Ireland; security, policy, formal methods
Motivations

[Figure: an Admin System and a Sales System]
Basic Security Modeling

[Figure: a Subject does an Operation on an Object; the Security Mechanism mediates the operation and enforces the Security Policy]

Subjects: processes, …
Objects: memory, files, …
Security policy defines rules that govern access to objects by subjects.
Security mechanism ensures security policy is upheld.
Secure Composition of Systems

The systems are individually secure. Is it safe to allow file sharing between the Personnel and Sales systems?

Clare is not authorized to access Bob's files, but Clare may access Bob's files via the Sales system. The connections need to be reconfigured to close this circuitous access route [COLOPS2003, SAC2004, IAAI2004]. Need to reconfigure system access configurations!

[Figure: Admin System and Sales System joined by a connection; Alice is allowed access to Bob's files; Clare is allowed access to Alice's files]
Secure Interoperation

Computation foundations [Gong & Qian, 1994]: analyzing the security of interoperating, individually secure systems can be done in polynomial time.

Given a non-secure network configuration, re-configuring the connections in an optimal way (to minimize the impact on interoperability) is NP.
Talk Outline: describe how constraints provide a natural approach to modelling and solving the secure interoperation problem

- Basic Security Modelling
- Secure Composition of Systems
- Secure Interoperation
- What are Soft Constraints?
- Semiring Framework
- Using constraints for: Access Configuration, Access Reconfiguration, Access Interoperation, Dealing with Transitivity
- Future Work
Crisp toward soft constraints

A crisp constraint problem P:
variables V = {x1, x2, x3, x4};
domains D: {red, blue, yellow}, {blue, yellow}, {red, blue}, {yellow};
constraints C = {pairwise-different}.

[Figure: constraint graph over x1, x2, x3, x4; the two operations on constraints are combination and projection]
Crisp toward soft constraints

Same variables and domains, C = {pairwise-different}, but each tuple now carries a cost (5$, 3$, 2$, 15$, 15$ in the figure): combination is (+) and projection is (min); the combined costs shown in the figure are 15$, 13$, 13$.

[Figure: weighted constraint graph over x1, x2, x3, x4]

C-semiring <A, +, ×, 0, 1> instances:
Weighted: <ℝ+, min, +, +∞, 0>
Fuzzy: <[0,1], max, min, 0, 1>
Probabilistic: <[0,1], max, ×, 0, 1>
Classical: <{false, true}, ∨, ∧, false, true>
The Semiring Framework

A c-semiring is a tuple <A, +, ×, 0, 1> such that:
- A is the set of all consistency values and 0, 1 ∈ A; 0 is the lowest consistency value and 1 is the highest consistency value;
- +, the additive operator, is a closed, commutative, associative and idempotent operation such that 1 is its absorbing element and 0 is its unit element;
- ×, the multiplicative operator, is a closed and associative operation such that 0 is its absorbing element, 1 is its unit element and × distributes over +.

Stefano Bistarelli, Ugo Montanari, and Francesca Rossi, Semiring-based Constraint Solving and Optimization, Journal of the ACM, 44(2):201–236, Mar 1997.
Semiring-based Constraints

Given a semiring <A, +, ×, 0, 1> and an ordered set of variables V over a finite domain D, a constraint c is a function which maps an assignment of the variables in the support of c, supp(c), to an element of A.

Notation: cη represents the constraint function c evaluated under instantiation η, returning a semiring value.

Given two constraints c1 and c2, their combination is defined as (c1 ⊗ c2)η = c1η × c2η. The operation ⊗C represents the combination of a set of constraints C.

Ordering: a ≤ b iff a + b = b; c1 ⊑ c2 iff ∀η, c1η ≤ c2η.

Stefano Bistarelli, Ugo Montanari and Francesca Rossi, Soft Concurrent Constraint Programming, Proceedings of ESOP-2002, LNCS, April 2002.
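As an added example (not from the slides and not the authors' own code), the following Python implements the c-semiring framework of the last two slides: the four semiring instances, constraints as functions of an instantiation η, combination (⊗ through ×), projection (through +) and the a ≤ b iff a + b = b order, applied to the four-variable pairwise-different problem of the "crisp toward soft" slides. The assignment of domains to variables, the constraint-graph edges and the unary costs are constructed assumptions; the slides do not state them.

```python
import itertools
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, Sequence, Tuple

Assignment = Dict[str, Any]   # an instantiation η of (some of) the variables


@dataclass(frozen=True)
class CSemiring:
    """A c-semiring <A, +, ×, 0, 1>."""
    plus: Callable[[Any, Any], Any]   # additive operator: chooses the better value
    times: Callable[[Any, Any], Any]  # multiplicative operator: combines values
    zero: Any                         # lowest consistency value (unit of +, absorbing for ×)
    one: Any                          # highest consistency value (unit of ×, absorbing for +)

    def leq(self, a: Any, b: Any) -> bool:
        """a ≤ b iff a + b = b."""
        return self.plus(a, b) == b


# The four instances listed on the slides.
WEIGHTED = CSemiring(min, lambda a, b: a + b, float("inf"), 0)                 # <ℝ+, min, +, +∞, 0>
FUZZY = CSemiring(max, min, 0.0, 1.0)                                           # <[0,1], max, min, 0, 1>
PROBABILISTIC = CSemiring(max, lambda a, b: a * b, 0.0, 1.0)                    # <[0,1], max, ×, 0, 1>
CLASSICAL = CSemiring(lambda a, b: a or b, lambda a, b: a and b, False, True)   # <{F,T}, ∨, ∧, F, T>


@dataclass(frozen=True)
class Constraint:
    """Maps an assignment of the variables in its support to a semiring value (cη)."""
    support: Tuple[str, ...]
    fn: Callable[[Assignment], Any]

    def __call__(self, eta: Assignment) -> Any:
        return self.fn(eta)


def combine(sr: CSemiring, c1: Constraint, c2: Constraint) -> Constraint:
    """(c1 ⊗ c2)η = c1η × c2η; the support is the union of both supports."""
    supp = tuple(dict.fromkeys(c1.support + c2.support))
    return Constraint(supp, lambda eta: sr.times(c1(eta), c2(eta)))


def combine_all(sr: CSemiring, constraints: Iterable[Constraint]) -> Constraint:
    """⊗C over a set of constraints, starting from the empty constraint with value 1."""
    acc = Constraint((), lambda eta: sr.one)
    for c in constraints:
        acc = combine(sr, acc, c)
    return acc


def project(sr: CSemiring, c: Constraint, domains: Dict[str, Sequence[Any]],
            keep: Sequence[str]) -> Constraint:
    """Project c onto `keep`: apply + over all completions of the eliminated variables.
    Projecting onto () yields the best consistency level of the whole problem."""
    others = [v for v in c.support if v not in keep]

    def fn(eta: Assignment) -> Any:
        best = sr.zero
        for vals in itertools.product(*(domains[v] for v in others)):
            best = sr.plus(best, c({**eta, **dict(zip(others, vals))}))
        return best

    return Constraint(tuple(keep), fn)


# Constructed instance of the slides' problem: the variable-to-domain mapping, the
# constraint graph and the unary costs below are assumptions, not taken from the slides.
DOMAINS = {"x1": ["red", "blue", "yellow"], "x2": ["blue", "yellow"],
           "x3": ["red", "blue"], "x4": ["yellow"]}
EDGES = [("x1", "x2"), ("x2", "x3"), ("x1", "x3"), ("x3", "x4")]


def different(sr: CSemiring, x: str, y: str, violation: Any) -> Constraint:
    """pairwise-different: value 1 when x ≠ y, otherwise `violation` (a cost, or False)."""
    return Constraint((x, y), lambda eta: sr.one if eta[x] != eta[y] else violation)


def preference(x: str, costs: Dict[Any, Any]) -> Constraint:
    """Unary soft constraint giving the cost of each value of x."""
    return Constraint((x,), lambda eta: costs[eta[x]])


def crisp_problem() -> Constraint:
    return combine_all(CLASSICAL, [different(CLASSICAL, x, y, False) for x, y in EDGES])


def weighted_problem() -> Constraint:
    cs = [different(WEIGHTED, x, y, 15) for x, y in EDGES]
    cs += [preference("x1", {"red": 5, "blue": 3, "yellow": 2}),
           preference("x2", {"blue": 1, "yellow": 4})]
    return combine_all(WEIGHTED, cs)


def best_level(sr: CSemiring, problem: Constraint) -> Any:
    return project(sr, problem, DOMAINS, ())({})


def cost_by_x1() -> Dict[str, Any]:
    """Projection of the weighted problem onto x1: the cheapest completion for each colour."""
    p = project(WEIGHTED, weighted_problem(), DOMAINS, ("x1",))
    return {v: p({"x1": v}) for v in DOMAINS["x1"]}
```

Under the classical semiring `best_level` answers whether a proper colouring exists; under the weighted semiring the same projection returns the cheapest total cost, and projecting onto x1 alone shows how far each colour of x1 is from that optimum. Swapping the semiring changes nothing in `combine` and `project`, which is the point of the framework.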
Access Configuration

A collection of constraints between entities (subjects, objects) specifying access permissions, represented as a semiring:
S = <PERM, +, ×, ⊥, ⊤>
Srw = <2^{r,w}, ∪, ∩, ∅, {r,w}>
Sbool = <{F, T}, ∨, ∧, F, T>

[Figure: a --{w}--> b, i.e. C_{S,O}(a, b) = {w} in Srw; in Sbool, either C_{S,O}(a, b) = F or C_{S,O}(a, b) = T]
Access Configuration: Example

Sbool = <{F, T}, ∨, ∧, F, T>; C_{S,O}(b, a) = F, C_{S,O}(c, b) = F, and C_{S,O}(x, y) = T for the other pairs.

[Figure: entities a, b, c with the access constraints above]
Access Reconfiguration

An existing configuration CS may be safely re-configured to CS' when CS' ⊑ CS.

[Figure: lattice of configurations from C_⊥ up to C_⊤; the secure reconfigurations CS' of CS are those with CS' ⊑ CS]
Access Reconfiguration: Example

[Figure: a sequence of configurations over entities a, b, c whose edges carry permissions r, w and rw]
Access Interoperation

The combined configuration has to be a secure reconfiguration of both systems, S1 and S3.
[Figure: CS1 over entities a, b, c and CS3 over entities a, c, d, and their combination]
Access Transitivity

[Figure: CS1 over entities a, b, c and CS3 over entities a, c, d; the combination CS1 ⊗ CS3 with the accesses that become reachable transitively]
Access Transitivity vs non-transitivity

[Figure: CS1 over entities a, b, c and CS3 over entities a, c, d; the combination CS1 ⊗ CS3 with and without transitive access]
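As an added example (not part of the talk and not the authors' code), the Python below works through the access configuration, reconfiguration, interoperation and transitivity slides on the Clare/Alice/Bob scenario from the motivation. Configurations are total constraints over ordered (subject, object) pairs in Srw, interoperation combines them with ∩, reconfiguration is the CS' ⊑ CS test, and the circuitous-route check derives a flow constraint in Sbool and closes it transitively. The flow rule (information may flow from o to s when s may read o, and from s to o when s may write o), the entity names and the Admin/Sales configurations are constructed assumptions; the exhaustive repair search only illustrates the NP optimal-reconfiguration problem and is not the authors' algorithm.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Entity = str
Perm = FrozenSet[str]                 # an element of 2^{r,w}
Pair = Tuple[Entity, Entity]          # (subject, object)
Config = Dict[Pair, Perm]             # C_{S,O}(subject, object) in Srw
Flow = Tuple[Entity, Entity]          # (source, destination) of information

# Srw = <2^{r,w}, ∪, ∩, ∅, {r,w}>: ∪ picks the more permissive value, ∩ combines values.
RW: Perm = frozenset({"r", "w"})
NO: Perm = frozenset()


def config(entities: List[Entity], grants: Dict[Pair, Set[str]]) -> Config:
    """Total configuration over all ordered pairs of distinct entities; unlisted pairs get ∅."""
    cfg: Config = {(s, o): NO for s in entities for o in entities if s != o}
    for pair, p in grants.items():
        cfg[pair] = frozenset(p)
    return cfg


def leq_rw(a: Perm, b: Perm) -> bool:
    """a ≤ b in Srw iff a + b = b, i.e. a grants no more than b."""
    return (a | b) == b


def entails_rw(c1: Config, c2: Config) -> bool:
    """c1 ⊑ c2 iff c1 ≤ c2 on every pair constrained by c2 (the secure-reconfiguration test)."""
    return all(leq_rw(c1.get(pair, NO), p) for pair, p in c2.items())


def interoperate(*configs: Config) -> Config:
    """⊗ of configurations: a pair constrained by several systems gets the ∩ of their values."""
    out: Config = {}
    for cfg in configs:
        for pair, p in cfg.items():
            out[pair] = (out[pair] & p) if pair in out else p
    return out


def allowed_flows(cfg: Config) -> Set[Flow]:
    """Sbool constraint on information flow (assumed rule): data may flow from o to s when
    s may read o, and from s to o when s may write o."""
    reads = {(o, s) for (s, o), p in cfg.items() if "r" in p}
    writes = {(s, o) for (s, o), p in cfg.items() if "w" in p}
    return reads | writes


def effective_flows(cfg: Config) -> Set[Flow]:
    """Transitive closure of the allowed flows: every direct or circuitous route."""
    flows = set(allowed_flows(cfg))
    changed = True
    while changed:
        changed = False
        for a, b in list(flows):
            for b2, c in list(flows):
                if b == b2 and a != c and (a, c) not in flows:
                    flows.add((a, c))
                    changed = True
    return flows


def violations(combined: Config, policy: Config) -> List[Flow]:
    """Effective flows between entities of `policy` that `policy` itself does not allow;
    in Sbool this is where eff ≤ pol (eff ∨ pol = pol) fails."""
    scope = {e for pair in policy for e in pair}
    allowed = allowed_flows(policy)
    return sorted(f for f in effective_flows(combined)
                  if f[0] in scope and f[1] in scope and f not in allowed)


def is_secure_reconfiguration(candidate: Config, *policies: Config) -> bool:
    """candidate ⊑ every policy in Srw, and its transitive flows stay within each policy."""
    return all(entails_rw(candidate, p) and not violations(candidate, p) for p in policies)


def minimal_repair(policies: List[Config]) -> Optional[Tuple[Config, List[Pair]]]:
    """Drop the fewest grants from the combined configuration so that it becomes a secure
    reconfiguration of every policy. Exhaustive search, so it only scales to small
    configurations (the slides note that optimal reconfiguration is NP)."""
    combined = interoperate(*policies)
    grants = sorted(pair for pair, p in combined.items() if p)
    for k in range(len(grants) + 1):
        for dropped in combinations(grants, k):
            candidate = {pair: (NO if pair in dropped else p) for pair, p in combined.items()}
            if is_secure_reconfiguration(candidate, *policies):
                return candidate, list(dropped)
    return None


# Constructed scenario modelled on the slides: Admin lets Alice read Bob's files and gives
# Clare no access to Bob or Alice; Sales lets Alice write and Clare read a shared folder,
# and lets Clare read Alice's files. Each system is secure on its own.
ADMIN = config(["alice", "bob", "clare"], {("alice", "bob"): {"r"}})
SALES = config(["alice", "clare", "share"],
               {("alice", "share"): {"w"}, ("clare", "share"): {"r"}, ("clare", "alice"): {"r"}})
```

`violations(interoperate(ADMIN, SALES), ADMIN)` reports the route bob → alice → share → clare (and alice → clare) that Admin forbids although neither system allows it directly, and `minimal_repair([ADMIN, SALES])` finds that removing a single grant, Alice's write access to the shared folder, restores security while leaving every other access in place; dropping Alice's read access to Bob would not do, because Alice's files would still flow to Clare.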
Where to from here?

Real world implementation: currently seeking funding to work with a company based in New Hampshire, USA.
Conclusion

We described how constraints provide a natural approach to modelling and solving the secure interoperation problem: access configuration, access reconfiguration, access interoperation, and transitivity between entities. All are naturally represented with constraint operations.
Questions? Thank you for your attention.

You have been listening to:
"Reasoning about Secure Interoperation using Soft Constraints"
Stefano Bistarelli, Simon Foley and Barry O'Sullivan
Proceedings of FAST 2004, pp. 183–196