TRANSCRIPT
Presenter: Li Yang
School of Computer Science
Florida International University
Security Specification and Enforcement in Mediation Systems
Li Yang@FIU/SCS, Mediation Security System, April 8, 2005
Outline
Motivation
Background
Related Work
Our Work: Security Specification; Security Enforcement
Future Work
Motivation
Pressing need for data integration: data are scattered in multiple data sources, and the data sources are heterogeneous.
Security is an important problem: protect digital properties; prevent unauthorized users from obtaining unauthorized data and resources (e.g., Vladimir Levin, more than $10M stolen from Citibank, 1994).
Motivation
[Figure: security architecture diagram with the elements attackers/intruders/malfeasors, security features or services, requirements and policies, security mechanisms, user, and information and data sources.]
Motivation
Security is important in the context of data integration: it is the necessary condition to share data.
Security challenges for data integration: autonomy of the source security policy; globally sensitive data; interconnected and interacting sources.
Background
Mediation systems
Security specification and enforcement: hospital system example
Elements of security architecture
Mediation Systems
Mediation systems architecture [figure: a Client sends queries to a Global_Mediator built from Mediator_Composers, which reach Source 1, Source 2 and Source 3 through Mediator_Connector 1 to Mediator_Connector n].
Contributions: IEEE ISPAN04, Three-layered mediator architecture based on DHT; ACM MUM04, A mediation framework for multimedia delivery.
Goal: integrated query processing
Mediated/global schema
Source schemas
Mapping between global and source schemas
Mediation Systems
[Figure: a global view of a medical record (record: id, case, address, diagnosis, test, prescription, medicine, treatment) and two local views, Local View 1 (patient: id, case, xray, prescription, medicine, treatment) and Local View 2 (record: id, case, disease, test, address), with numbered mapping links between the global and local elements.]
Offline preparation: generate the global view; semantic mapping between the global view and the source views.
Online query: 1. Query against the global schema type; 2. Decompose the query into sub-queries; 3. Process the sub-queries; 4. Return the result.
Security specification and enforcement: hospital system example
Data: diagnosis, treatment
Roles: doctor, nurse
Security policies: doctors can read the diagnosis and the treatment; nurses are not allowed to read the diagnosis, but nurses are allowed to read the treatment.
Access control rules: <doctor, diagnosis, +read>, <doctor, treatment, +read>, <nurse, diagnosis, -read>, <nurse, treatment, +read>
Query: a doctor tries to read the treatment object: <doctor, treatment, read>
Security enforcement: the matched rule <doctor, treatment, +read> is retrieved; the evaluation result is "granted".
Elements of Security Architecture
Three building blocks in the security architecture: Data, Query, Access Control Rules (ACR).
• Data contain the relevant information; they come from heterogeneous data sources; XML is the exchange model.
• Query: the information that users want; a query session represents the user; XPath or XQuery.
• Access Control Rules (ACR) describe the access control policy; R = {subj, obj, op, c, sign, level} & constraints.
Related Work
Access control specification: a fine-grained access control system [Damiani02]; a flexible authorization framework [Jajodia01]; context constraints in access control [Neumann03].
Access control enforcement: view-based [Damiani02]; pre-processing (QFilter [Luo04]).
Little work has been done on security specification and enforcement for mediation systems.
View-based Access Control [Damiani02]
The ACR is stored together with D (spatially), and/or the ACR and D are processed first (temporally).
The query is safe without any further care.
Each subject/role sees only the data that is safe for that subject/role.
[Figure: offline, View Computing applies the ACR to the data source view to produce the nurse view, receptionist view and doctor view; online, the user query runs against the matching view and returns the answer.]
The Pre-Processing Approach
The ACR and Q are processed first, while D is stored elsewhere.
The QFilter approach [Luo04]: the user's query is rewritten such that any parts violating access control rules are pruned.
[Figure: the user query enters QFilter together with the ACR; the resulting secure query runs against the data source view and returns the answer.]
Our Work -- Problem Statement
Security specification and enforcement for mediation systems
Challenges in mediation security: context awareness; multiple policy specification; semantic heterogeneity.
Our Work -- Solution
Generic security policy modeling strategy: object granularity; subject hierarchy; authorization specification at different points; context awareness; semantic heterogeneity.
Effective security enforcement mechanism: handle the constraints; lower the cost.
Security Specification
Data system: (SH, OH, Sign, OP, C, Rel)
SH is the partially ordered set of subjects
OH is the partially ordered set of objects
Sign denotes authorized or denied
OP is the set of operations
C is the session
Rel is the set of relationships
Security Specification
Relationships include:
Attributes of each component, e.g., environmental attributes, the subject's name, the object's sensitivity level, the employment period
Between subjects, e.g., supervise(s1, s2)
Between permissions, e.g., exclusive(op1, op2)
Between objects, e.g., typeof(o1, o2), exclusive(o1, o2)
Between a subject and an object, e.g., ownership(s, o)
Between a subject and the subject of an object, e.g., the subject is the parent of the owner of an object: parent(s, o)
Security Specification
Authorization request <subj, op, obj, cxt>: subj is the subject, obj is the object, op is the operation, cxt is the context.
Authorization (<subj>, <obj>, <signOp>, <level>), example: (s, o, +op, global)
Constrained authorization (<subj>, <obj>, <signOp>, <level>) with constraints, example: (s, o, +op, global) with constraint workTime()
Authorization constraints
Context-based (environmental, relationship). Example: the parent of a patient can read his medical record in the hospital.
Rule: cando(s, record, +read); constraint: parent(s, record) & inHospital(sessionID)
Subject-based. Example: if subject s1 is the manager of subject s2, and s2 can read object o1, then subject s1 can read object o1 too.
Rule: cando(s1, o1, +read); constraint: cando(s2, o1, +read) & manager(s1, s2)
Object-based. Example: if subject s is authorized to read o1, and o2 is exclusive with o1, then subject s is not allowed to read o2.
Rule: cando(s, o2, -read); constraint: cando(s, o1, +read) & exclusiveObj(o1, o2)
Authorization constraints
Operation-based. Example: no user can both issue and endorse the same check.
Rule: cando(s, check, -endorse); constraint: cando(s, check, issue) & exclusive(issue, endorse)
History-based. Example: a user cannot read o2 after having read o1.
Rule: cando(s, o2, -read); constraint: inHistory(s, o1, read)
Authorization constraints
Contributions: IFIP05, Flexible authorization constraints specification and enforcement in mediation systems; IRI04, A role-based access control model for information mediation.
Information flow. Example: a subject s who has read object o1 with a higher sensitivity level cannot write to an object o2 with a lower sensitivity level.
Rule: cando(s, o2, -write); constraint: cando(s, o1, read) & highLevel(o1, o2)
Semantic mapping constraints. Example: the security policy is pushed from the global level down to the source levels along the semantic mapping path.
Rule: cando(s, o2, op, source); constraint: cando(s, o1, op, global) & mapping(o1, o2)
Security Enforcement
Allow authorized access, deny unauthorized access.
Propose a security enforcement mechanism for mediation systems: support constrained authorization; evaluate queries while observing the security policies.
Constrained Security Enforcement
Solution from OASIS [Bacon02] with context factors: think about whether it is a good one.
[Figure: View Computing applies the ACR to the data source view once per role (doctor, nurse, receptionist) and once per context-specific role (doctor at work, attending doctor, nurse at work, receptionist at work); the user query runs against the resulting views.]
Role explosion! Bad maintenance!
Hybrid Solution to Security Enforcement
View-based: role explosion results in bad maintenance.
Pre-processing appears to be the best choice, but it is not practical and cannot protect the schema; no constraints handling.

Approach       | Preparation | Processing  | Maintenance
View-based     | Medium      | Good        | Medium
Pre-processing | Good        | Medium/Good | Good
Our approach   |             |             |
Security Enforcement Architecture
Offline view computation is combined with a runtime query filter.
[Figure: 1. the user issues a query against the role-based maximal view; 2. the Access Control module, backed by the authorization repository, produces the secured query; 3. the mediation system returns the answer.]
Query against the role-based maximal view; the access control module filters the query; the mediation system executes the secured query and returns the result to the user.
Offline View Computation
[Figure: View Computing applies the ACR to the mediated view; the context-specific roles (doctor at work, attending doctor, nurse at work, receptionist at work) collapse into one view per role: the doctor maximal view, the nurse maximal view and the receptionist maximal view.]
In order to reduce the maintenance cost, we keep the minimum number of views.
The maximal view is the union of the role's views under the different contexts.
Run Time Access Control
1. The query is received by the access control module
2. The policy locator retrieves the relevant security policies
3. Dynamic attribute managers check the policy constraints
4. Resolve conflicts or make the decision
5. The query is pruned to become a secure query
6. Forward the secure query
[Figure: components Access Control, Policy Locator, Decision Combinator, Constraint Service, Dynamic Attribute Manager 1 to N, and Authorization Repository, with steps 1 (query) through 6 (secured query) flowing between them.]
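An added Python illustration of the hybrid strategy on the two slides above (offline maximal views, run-time pruning); it is not code from the talk or its Java implementation, and the roles, contexts and XPath-like paths are constructed for illustration.

```python
# Added example, not part of the talk: hybrid enforcement in miniature.
# Offline: one maximal view per role = union of that role's views over all
# contexts. Run time: a query is confined to the maximal view first (so the
# schema outside it stays hidden) and then pruned to what the context allows.

# Constructed per-context views: role -> context -> set of readable paths.
CONTEXT_VIEWS = {
    "doctor": {
        "at work":   {"/record/id", "/record/diagnosis", "/record/treatment"},
        "attending": {"/record/id", "/record/diagnosis", "/record/treatment",
                      "/record/prescription"},
    },
    "nurse": {
        "at work":   {"/record/id", "/record/treatment"},
    },
    "receptionist": {
        "at work":   {"/record/id", "/record/address"},
    },
}

def maximal_views(context_views):
    """Offline view computation: one view per role, the union over contexts."""
    return {role: set().union(*views.values()) for role, views in context_views.items()}

def secure_query(role, context, paths, context_views=CONTEXT_VIEWS):
    """Run-time access control for a query given as a list of paths.
    Returns (secured paths, {rejected path: reason}). A path outside the
    role's maximal view is rejected without looking at the context; a path
    inside it is kept only if the current context's view allows it."""
    maximal = maximal_views(context_views).get(role, set())
    allowed_now = context_views.get(role, {}).get(context, set())
    secured, rejected = [], {}
    for p in paths:
        if p not in maximal:
            rejected[p] = "outside maximal view"      # schema stays hidden
        elif p not in allowed_now:
            rejected[p] = "not allowed in context " + context
        else:
            secured.append(p)
    return secured, rejected
```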
Li Yang@FIU/SCS Mediation Security System April, 8 2005 32
Motivating Examples
Access control rules:
1. cando(s, test, +read, global); constraint: parent(s, test) & time() & location()
2. cando(s, test, -read, source1); constraint: parent(s, test)
3. cando(s, xray, +read, source2); constraint: cando(s, test, +read, global) & mapping(test, xray)
Query: a user tries to read his kid's test: <s, test, read>
Data: [figure: the global object test maps to test in source 1 and to xray in source 2]
Enforcement: Source 1: rule 1 and rule 2 (denied); Source 2: rule 1 and rule 3 (allowed)
Contributions: ACM SAC'05, Security specification and enforcement in heterogeneous databases
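The motivating example worked through as an added Python example (not the speaker's own code or the talk's Java implementation): the three rules above, the decision per source, and the effect of the context. The predicate names, the session dictionary, the subject name "alice" and the fact tuples are assumptions of this example.

```python
# Added example (not the speaker's own code): a small Python evaluator for the
# constrained cando rules of the motivating example. Predicate names, the
# session dict and the fact tuples are constructed here; the three rules and
# the per-source outcome are taken from the slide.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                   # head cando(S, obj, sign+op, level) + constraints
    obj: str
    op: str
    sign: str                 # '+' = authorized, '-' = denied
    level: str                # 'global' or a source name
    constraints: tuple = ()   # (predicate, args...); 'S' stands for the subject

RULES = (
    # 1. cando(s, test, +read, global) with parent(s, test) & time() & location()
    Rule("test", "read", "+", "global",
         (("parent", "S", "test"), ("time",), ("location",))),
    # 2. cando(s, test, -read, source1) with parent(s, test)
    Rule("test", "read", "-", "source1", (("parent", "S", "test"),)),
    # 3. cando(s, xray, +read, source2) with cando(s, test, +read, global) & mapping(test, xray)
    Rule("xray", "read", "+", "source2",
         (("cando", "S", "test", "+read", "global"), ("mapping", "test", "xray"))),
)
# Constructed facts: a relationship predicate and the semantic mapping.
FACTS = {("parent", "alice", "test"), ("mapping", "test", "xray")}

def holds(constraint, subj, session, rules, facts):
    """Evaluate one constraint; a cando constraint recurses into the rule base."""
    pred, *args = constraint
    args = [subj if a == "S" else a for a in args]
    if pred == "cando":                       # cando(S, obj, signop, level)
        sign, op = args[2][0], args[2][1:]
        return derives(subj, args[1], sign, op, args[3], session, rules, facts)
    if pred in ("time", "location"):          # environmental predicates from the session
        return session.get(pred, False)
    return (pred, *args) in facts             # relationship predicates

def derives(subj, obj, sign, op, level, session, rules, facts):
    """True if some rule for (obj, sign op, level) has all its constraints satisfied."""
    return any(all(holds(c, subj, session, rules, facts) for c in r.constraints)
               for r in rules if (r.obj, r.sign, r.op, r.level) == (obj, sign, op, level))

def decide(subj, obj, op, source, session, rules=RULES, facts=FACTS):
    """Decision for request <subj, obj, op> pushed down to one source: a denial
    at the source level wins; otherwise a grant at the source (on the mapped
    object) or at the global level allows the request; else closed-world deny."""
    local = {f[2] for f in facts if f[0] == "mapping" and f[1] == obj} | {obj}
    if any(derives(subj, o, "-", op, source, session, rules, facts) for o in local):
        return "denied"
    granted = (any(derives(subj, o, "+", op, source, session, rules, facts) for o in local)
               or derives(subj, obj, "+", op, "global", session, rules, facts))
    return "allowed" if granted else "denied"
```

With the session inside working hours and inside the hospital, source 1 is denied by rule 2 and source 2 is allowed through rule 3; outside the hospital rule 1 fails, so rule 3 no longer fires and source 2 is denied as well.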
Implementation
Java in the Eclipse environment; semantically heterogeneous XML sources; the JDOM package for XML processing; semantic mapping information stored in tables; security policies stored in relational databases.
Contributions & Conclusion
Flexible and extensible security policy modeling: context-aware; policy specification at different points; semantic heterogeneity.
Hybrid enforcement strategy: extensibility (constraints); less maintenance effort; reusability (views).
Future Work
An extended authorization model: incorporating post-event processing [Kudo00]; post events include auditing and digital signature verification.
An aspect-driven approach for security policy composition: software systems evolve over time; a composition method for structuring security policies; an aspect-driven framework for realizing security control policies for mediation systems.
Preliminary results: SEKE04, Enhancing mediation security by aspect-oriented approach; ICECCS05, Secure software architecture design by aspect orientation.
Future Work: High-Confidence System (NSF CREST)
A formal framework for modeling, specifying and verifying system properties:
Define the behavior models of components by Petri nets
Specify properties of components by temporal logic, e.g., liveness
Model and verify the architecture of mediation systems
Preliminary results: ASTC04, Modeling and verification of real-time mediation systems; ACM SAC05, Mediation framework modeling and verification; ICECCS05, Modeling and verifying mediation framework.
Acknowledgement
Dr. Raimund K. Ege, Dr. Huiqun Yu, Dr. Peter Clarke, Dr. S. Masoud Sadjadi
SSA Group in the School of Computer Science at Florida International University
Software Engineering Project Group: Adam, Fayaz Amirali; Raskin, Olga; Smith, Nikel Noima
NSF HRD 0317692 CREST Grant
Main References
[Bacon02] J. Bacon, K. Moody, and W. Yao. A model of OASIS role-based access control and its support for active security. ACM Transactions on Information and System Security, 5(4): 492-540, 2002.
[Damiani02] E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati. A fine-grained access control system for XML documents. ACM Transactions on Information and System Security, 5(2): 169-202, 2002.
[Jajodia01] S. Jajodia, P. Samarati, M. L. Sapino, and V. S. Subrahmanian. Flexible support for multiple access control policies. ACM Transactions on Database Systems, 26(2): 214-260, 2001.
[Kudo00] M. Kudo and S. Hada. XML document security based on provisional authorization. Proceedings of the 7th ACM Conference on Computer and Communications Security, pp. 87-96, Athens, Greece, 2000.
[Luo04] B. Luo, D. Lee, W.-C. Lee, and P. Liu. QFilter: fine-grained run-time XML access control via NFA-based query rewriting. Proceedings of the ACM Conference on Information and Knowledge Management (CIKM), 2004.
[Neumann03] G. Neumann and M. Strembeck. An approach to engineer and enforce context constraints in an RBAC environment. Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (SACMAT), Como, Italy, June 2003.
Selected Publications
Li Yang. Dynamic integration strategy for mediation framework. (under review)
Li Yang. Flexible authorization constraints specification and enforcement in mediation systems. (under review)
Li Yang, Raimund K. Ege, and Huiqun Yu. Modeling and verifying mediation framework. The 10th IEEE International Conference on the Engineering of Complex Computer Systems (ICECCS'05), Shanghai, China (accepted).
Li Yang, Raimund K. Ege, and Huiqun Yu. Security specification and enforcement in heterogeneous databases. The 20th Annual ACM Symposium on Applied Computing (SAC'05), Computer Security Track, Santa Fe, New Mexico, March 2005 (in press).
Li Yang, Raimund K. Ege, and Huiqun Yu. Mediation framework modeling and verification (abstract). The 20th Annual ACM Symposium on Applied Computing (SAC'05), Software Engineering Track, Santa Fe, New Mexico, March 2005 (in press).
Li Yang, Raimund K. Ege, Onyeka Ezenwoye, and Qasem Kharma. A role-based access control model for information mediation. The 2004 IEEE International Conference on Information Reuse and Integration, pages 277-282, Las Vegas, NV, 2004.
Li Yang, Raimund K. Ege, and Huiqun Yu. Enhancing mediation security by aspect-oriented approach. Software Engineering and Knowledge Engineering (SEKE), Banff, Alberta, Canada, June 2004.
Raimund K. Ege, Li Yang, Qasem Kharma, and Xudong Ni. Three-layered mediator architecture based on DHT. International Symposium on Parallel Architectures, Algorithms, and Networks (I-SPAN), IEEE Computer Society Press, Hong Kong, May 2004.
Li Yang and Raimund K. Ege. Modeling and verification of real-time mediation systems. Advanced Simulation Technologies Conference (ASTC), pages 61-68, Arlington, Virginia, April 2004.
Thank you!
Questions or Comments
www.cs.fiu.edu/~lyang03/Li