Presenter: Li Yang School of Computer Science Florida International University Security Specification and Enforcement in Mediation Systems


Page 1

Presenter: Li Yang

School of Computer Science

Florida International University

Security Specification and Enforcement in Mediation Systems

Page 2

Li Yang@FIU/SCS Mediation Security System April, 8 2005 2

Outline

• Motivation
• Background
• Related Work
• Our Work
  – Security Specification
  – Security Enforcement
• Future Work

Page 3

Motivation

• Pressing need for data integration
  – Data are scattered in multiple data sources
  – Data sources are heterogeneous
• Security is an important problem
  – Protect digital properties
  – Prevent unauthorized users from obtaining unauthorized data and resources
  – e.g. Vladimir Levin, more than $10M stolen from Citibank, 1994

Page 4

Motivation

[Figure: Security Architecture. Elements shown: Attackers/Intruders/Malfeasors; Security Features or Services; Requirements & Policies; Security Mechanisms; User; Information and Data Sources]

Page 5

Motivation

• Security is important in the context of data integration
  – It is the necessary condition for sharing data
• Security challenges for data integration
  – Autonomy of the source security policy
  – Global sensitive data
  – Interconnected and interacting sources


Page 7

Background

• Mediation systems
• Security specification and enforcement – hospital system example
• Elements of security architecture

Page 8

Mediation Systems

Mediation systems architecture

Contributions:
• IEEE ISPAN04: Three-layered Mediator Architecture based on DHT
• ACMMUM04: A Mediation Framework for Multimedia Delivery

[Figure: mediation architecture with a Client, a Global_Mediator, three Mediator_Composers, Mediator_Connector 1, Mediator_Connector 2, ..., Mediator_Connector n, and Source 1, Source 2, Source 3]

Goal: integrated query processing
• Mediated/global schema
• Source schemas
• Mapping between global and source schemas

Page 9

Mediation Systems

[Figure: Global view – a record element with id, case, address, diagnosis, test, prescription, medicine and treatment – mapped to Local View 1 and Local View 2 (one a record element with id, case, disease, test and address; the other a patient element with id, case, xray, prescription, medicine and treatment)]

Offline Preparation
• Generate the global view
• Semantic mapping between the global view and the source views

Online query:
1. Query against the global schema
2. Decompose the query into sub-queries
3. Process the sub-queries
4. Return the result

Page 10

Security specification and enforcement – hospital system example

Data: diagnosis, treatment
Roles: doctor, nurse

Security policies
• Doctors can read the diagnosis and the treatment.
• Nurses are not allowed to read the diagnosis; nurses are allowed to read the treatment.

Access Control Rules:
<doctor, diagnosis, +read>, <doctor, treatment, +read>
<nurse, diagnosis, -read>, <nurse, treatment, +read>

Query: A doctor tries to read the treatment object: <doctor, treatment, read>

Security enforcement
• The matched rule is retrieved: <doctor, treatment, +read>
• The evaluation result is "granted"
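The enforcement step on this slide, worked through as an added example (not code from the original presentation): the four rules as <subject, object, sign op> tuples, retrieval of the rules matching a request, and the grant/deny decision. The `staff` role above `doctor` and `nurse`, the extra rule on `address`, denials taking precedence over a positive match, and the closed-policy default (deny when no rule matches) are assumptions of this example; the role hierarchy anticipates the partially ordered subject set of the Data System on page 19.

```python
from collections import namedtuple

# One access control rule in the slide's <subject, object, sign op> form
Rule = namedtuple("Rule", "subject obj sign op")
# One authorization request <subject, object, op>
Request = namedtuple("Request", "subject obj op")

# Subject hierarchy (assumed for this example): a rule granted to "staff"
# applies to every role below it, as in a partially ordered subject set.
SUBJECT_PARENTS = {"doctor": "staff", "nurse": "staff"}

# The four rules from the slide plus one assumed rule placed on the hierarchy
ACR = [
    Rule("doctor", "diagnosis", "+", "read"),
    Rule("doctor", "treatment", "+", "read"),
    Rule("nurse", "diagnosis", "-", "read"),
    Rule("nurse", "treatment", "+", "read"),
    Rule("staff", "address", "+", "read"),  # assumed, not on the slide
]


def ancestors(subject):
    """The subject itself followed by every role above it in the hierarchy."""
    chain = [subject]
    while chain[-1] in SUBJECT_PARENTS:
        chain.append(SUBJECT_PARENTS[chain[-1]])
    return chain


def matching_rules(acr, request):
    """Retrieve the rules whose object and operation equal the request's and
    whose subject is the requesting role or one of its ancestors."""
    subjects = set(ancestors(request.subject))
    return [r for r in acr
            if r.subject in subjects and r.obj == request.obj and r.op == request.op]


def evaluate(acr, request):
    """Security enforcement: an explicit negative rule denies even when a
    positive rule also matches (denials take precedence, assumed); otherwise a
    positive rule grants; a request matching no rule at all is denied (closed
    policy, assumed). Returns "granted" or "denied"."""
    matched = matching_rules(acr, request)
    if any(r.sign == "-" for r in matched):
        return "denied"
    if any(r.sign == "+" for r in matched):
        return "granted"
    return "denied"


if __name__ == "__main__":
    # The slide's query: a doctor tries to read the treatment object
    print(evaluate(ACR, Request("doctor", "treatment", "read")))  # granted
    print(evaluate(ACR, Request("nurse", "diagnosis", "read")))   # denied
```

The closed-policy default matters in practice: a role the policy never mentions (a receptionist here) or an operation with no rule (a doctor writing the treatment) must fall to "denied" rather than to "no decision".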

Page 11

Elements of Security Architecture

Three building blocks in the security architecture: Data, Query, Access Control Rules (ACR)

Data
• Data contain the relevant information
• From heterogeneous data sources
• XML is the exchange model

Query
• Query: the information that users want
• The query session represents the user
• XPath or XQuery

ACR
• Access Control Rules (ACR)
• ACR describe the access control policy
• R = {subj, obj, op, c, sign, level} & constraints


Page 13

Related Work

Access Control Specification
• A fine-grained access control [Damiani02]
• A flexible authorization framework [Jajodia01]
• Context constraints in access control [Neumann03]

Access Control Enforcement
• View-based [Damiani02]
• Pre-processing (QFilter [Luo04])

Little work has been done on security specification and enforcement for mediation systems.

Page 14

View-based Access Control [Damiani02]

View-based access control
• ACR are stored together with D (spatially), and/or
• ACR and D are processed first (temporally)
• The query is safe without any further care
• Each subject/role sees only the data that are safe for that subject/role

[Figure: offline, View Computing takes the data source view and the ACR and produces a doctor view, a nurse view and a receptionist view; online, the user query runs against the view and returns the answer]

Page 15

The Pre-Processing Approach

Pre-processing approach
• ACR and Q are processed first, while D is stored elsewhere

The QFilter approach [Luo04]
• The user's query is rewritten so that any parts violating the access control rules are pruned

[Figure: the user query passes through QFilter, which consults the ACR and emits a secure query against the data source view; the answer is returned to the user]


Page 17

Our Work -- Problem Statement

Security specification and enforcement for mediation systems

Challenges in mediation security
• Context-aware
• Multiple policy specification
• Semantic heterogeneity

Page 18

Our Work -- Solution

Generic security policy modeling strategy
• Object granularity
• Subject hierarchy
• Authorization specification at different points
• Context-aware
• Semantic heterogeneity

Effective security enforcement mechanism
• Handle the constraints
• Lower the cost

Page 19

Security Specification

Data System: (SH, OH, Sign, OP, C, Rel)
• SH is the partially ordered set of subjects
• OH is the partially ordered set of objects
• Sign denotes authorized or denied
• OP is the set of operations
• C is the session
• Rel is the set of relationships

Page 20

Security Specification

Relationships include:
• Attributes of each component, e.g. environmental attributes, the subject's name, the object's sensitivity level, the employment period
• Between subjects, e.g. supervise(s1, s2)
• Between permissions, e.g. exclusive(op1, op2)
• Between objects, e.g. typeof(o1, o2), exclusive(o1, o2)
• Between a subject and an object, e.g. ownership(s, o)
• Between a subject and the subject of an object, e.g. the subject is the parent of the owner of an object: parent(s, o)

Page 21

Security Specification

Authorization request <subj, op, obj, cxt>
• subj is the subject, obj is the object, op is the operation, cxt is the context

Authorization (<subj>, <obj>, <signOp>, <level>)
• Example: (s, o, +op, global)

Constrained Authorization (<subj>, <obj>, <signOp>, <level>) if Constraints
• Example: (s, o, +op, global) if workTime()

Page 22

Authorization constraints

Context-based (Environmental, Relationship)
• Example: The parent of a patient can read the patient's medical record while in the hospital.
  cando(s, record, +read) if parent(s, record) & inHospital(sessionID)

Subject-based
• Example: If subject s1 is the manager of subject s2, and s2 can read object o1, then subject s1 can read object o1 too.
  cando(s1, o1, +read) if cando(s2, o1, +read) & manager(s1, s2)

Object-based
• Example: If subject s is authorized to read o1, and o2 is exclusive with o1, then subject s is not allowed to read o2.
  cando(s, o2, -read) if cando(s, o1, +read) & exclusiveObj(o1, o2)

Page 23

Authorization constraints

Operation-based
• Example: No user can both issue and endorse the same check.
  cando(s, check, -endorse) if cando(s, check, issue) & exclusive(issue, endorse)

History-based
• Example: A user cannot read o1 after reading o2.
  cando(s, o2, -read) if inHistory(s, o1, read)

Page 24

Authorization constraints

Contributions:
• IFIP05: Flexible Authorization Constraints Specification and Enforcement in Mediation Systems
• IRI04: A Role-Based Access Control Model for Information Mediation

Information flow
• Example: A subject s who has read an object o1 with a higher sensitivity level cannot write to an object o2 with a lower sensitivity level.
  cando(s, o2, -write) if cando(s, o1, read) & highLevel(o1, o2)

Semantic mapping constraints
• Example: The security policy is pushed from the global level down to the source levels along the semantic mapping path.
  cando(s, o2, op, source) if cando(s, o1, op, global) & mapping(o1, o2)


Page 26

Security Enforcement

• Allow authorized access, deny unauthorized access
• Propose a security enforcement mechanism for mediation systems
  – Support constrained authorization
  – Evaluate queries while observing the security policies

Page 27

Constrained Security Enforcement

Solution from OASIS [Bacon02] with context factors: think about whether it is good.

[Figure: View Computing over the data source view and the ACR produces one view per contextual role for the user query: doctor, nurse, receptionist, doctor at work, attending doctor, nurse at work, receptionist at work. Role explosion! Bad maintenance!]

Page 28

Hybrid Solution to Security Enforcement

• View-based: role explosion results in bad maintenance
• Pre-processing appears to be the best choice, but it is not practical, cannot protect the schema, and has no constraint handling

Approaches        Preparation   Processing    Maintenance
View-based        Medium        Good          Medium
Pre-processing    Good          Medium/Good   Good
Our approach

Page 29

Security Enforcement Architecture

Offline view computation combined with a runtime query filter

[Figure: the user issues (1) a query against the role-based maximal view; the Access Control module, backed by the Authorization repository, emits (2) the secured query to the Mediation Systems, which return (3) the answer]

• Query against the role-based maximal view
• The access control module filters the query
• The mediation systems execute the secured query and return the result to the user

Page 30

Offline View Computation

[Figure: View Computing over the mediated view and the ACR; the contextual roles doctor, nurse, receptionist, doctor at work, attending doctor, nurse at work and receptionist at work collapse into a doctor maximal view, a nurse maximal view and a receptionist maximal view]

In order to reduce the maintenance cost, we keep the minimum number of views.

The maximal view is the union of the role's views under the different contexts.

Page 31

Run Time Access Control

1. Query is received by access control module

2. Policy locator retrieves relevant security policies

3. Dynamic attribute managers check the policy constraints

4. Resolve conflict or make decision

5. The query is pruned to become secure query

6. Forward secure query

[Figure: the Access Control module is composed of a Policy Locator, a Decision Combinator, a Constraint Service and Dynamic Attribute Managers 1 to N, backed by the Authorization Repository; (1) the query enters, steps 2 to 5 run inside the module, and (6) the secured query leaves]
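The hybrid enforcement of pages 29 to 31, as an added example that is not code from the original presentation: one maximal view per role is computed offline as the union of that role's context-specific views, and at run time the query is checked against the maximal view (paths outside it are invisible to the role) and then pruned to the paths whose context actually holds in the session. The XPath-like path strings, the context names, the session attributes and the `active_contexts` stand-in for the dynamic attribute managers are constructed for this example.

```python
# Per-role, per-context views over the mediated schema, as XPath-like paths.
# Constructed for this example; the context "any" needs no dynamic attribute.
ROLE_VIEWS = {
    "doctor": {
        "any": {"/record/id", "/record/treatment"},
        "at_work": {"/record/diagnosis", "/record/test"},
        "attending": {"/record/prescription"},
    },
    "nurse": {
        "any": {"/record/id", "/record/treatment"},
        "at_work": {"/record/prescription"},
    },
    "receptionist": {
        "any": {"/record/id"},
        "at_work": {"/record/address"},
    },
}


def maximal_view(role):
    """Offline view computation: the union of the role's views under every
    context, so one view per role is kept instead of one per (role, context)."""
    return set().union(*ROLE_VIEWS[role].values())


def active_contexts(session):
    """Stand-in for the dynamic attribute managers (assumed): the contexts
    that hold for this query session."""
    contexts = {"any"}
    if session.get("work_time"):
        contexts.add("at_work")
    if session.get("attending") and session["attending"] == session.get("patient"):
        contexts.add("attending")
    return contexts


def filter_query(role, session, query_paths):
    """Run-time access control over a query against the role's maximal view:
    paths outside the maximal view are rejected (schema protection), paths
    whose context does not hold in this session are pruned, and the rest form
    the secured query. Query order is preserved in every group."""
    maximal = maximal_view(role)
    contexts = active_contexts(session)
    allowed = set().union(
        *(paths for ctx, paths in ROLE_VIEWS[role].items() if ctx in contexts))
    result = {"secured": [], "outside_view": [], "context_pruned": []}
    for path in query_paths:
        if path not in maximal:
            result["outside_view"].append(path)
        elif path not in allowed:
            result["context_pruned"].append(path)
        else:
            result["secured"].append(path)
    return result


if __name__ == "__main__":
    session = {"work_time": True, "patient": "p1", "attending": "p2"}
    query = ["/record/id", "/record/diagnosis", "/record/prescription", "/record/address"]
    print(filter_query("doctor", session, query))
```

Keeping the two pruned groups apart is useful for auditing: a path outside the maximal view means the role asked for something it should never see, while a context-pruned path is a legitimate request made at the wrong time or for the wrong patient.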

Page 32

Motivating Examples

Access Control Rules:
1. cando(s, test, +read, global) if parent(s, test) & time() & location()
2. cando(s, test, -read, source1) if parent(s, test)
3. cando(s, xray, +read, source2) if cando(s, test, +read, global) & mapping(test, xray)

Query: A user tries to read his kid's test. <s, test, read>

Data: [Figure: the global object test is mapped to test in source 1 and to xray in source 2]

Enforcement:
• Source 1: rule 1 and rule 2 (denied)
• Source 2: rule 1 and rule 3 (allowed)

Contributions: ACM SAC’05 Security specification and enforcement in heterogeneous databases
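The constrained cando rules of pages 22 to 24 and the three rules of this motivating example, evaluated by an added example that is not the original system's code: a small forward-chaining evaluator derives every cando fact a rule set implies from a fact base, and a decision function reads the result per level. The facts parent, time, location and mapping are constructed, variables are written with a leading `?`, and the closed-policy default together with denials taking precedence at a level are assumptions of this example rather than statements from the slides.

```python
def is_var(term):
    """Variables in rule atoms are strings starting with '?'."""
    return isinstance(term, str) and term.startswith("?")


def unify(pattern, fact, binding):
    """Extend `binding` so that `pattern` matches `fact`, or return None."""
    if len(pattern) != len(fact):
        return None
    extended = dict(binding)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in extended and extended[p] != f:
                return None
            extended[p] = f
        elif p != f:
            return None
    return extended


def match_body(body, facts, binding=None):
    """Yield every binding under which all body atoms are known facts."""
    binding = binding or {}
    if not body:
        yield binding
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        b = unify(first, fact, binding)
        if b is not None:
            yield from match_body(rest, facts, b)


def substitute(atom, binding):
    return tuple(binding.get(t, t) if is_var(t) else t for t in atom)


def derive(facts, rules):
    """Forward-chain to a fixpoint: the closure of `facts` under `rules`.
    Each rule is (head, body); the head is added for every binding of the body."""
    facts = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            for b in list(match_body(body, facts)):  # list(): facts is mutated below
                new = substitute(head, b)
                if new not in facts:
                    facts.add(new)
                    changed = True
    return facts


# The three rules of the slide; time() and location() are nullary context facts
RULES = [
    (("cando", "?s", "test", "+read", "global"),
     [("parent", "?s", "test"), ("time",), ("location",)]),
    (("cando", "?s", "test", "-read", "source1"),
     [("parent", "?s", "test")]),
    (("cando", "?s", "xray", "+read", "source2"),
     [("cando", "?s", "test", "+read", "global"), ("mapping", "test", "xray")]),
]


def decide(facts, subj, obj, op, level):
    """Decision at one level: a negative cando denies (denials take precedence,
    assumed); otherwise an explicit positive cando allows; nothing derived
    means no access (closed policy, assumed)."""
    if ("cando", subj, obj, "-" + op, level) in facts:
        return "denied"
    if ("cando", subj, obj, "+" + op, level) in facts:
        return "allowed"
    return "denied"


def enforce(subj, context_facts):
    """Evaluate the slide's query <subj, test, read> at the global level, at
    source 1 (where the object is test) and at source 2 (where the semantic
    mapping turns it into xray). The mapping fact is constructed."""
    base = {("mapping", "test", "xray")} | set(context_facts)
    closure = derive(base, RULES)
    return {
        "global": decide(closure, subj, "test", "read", "global"),
        "source1": decide(closure, subj, "test", "read", "source1"),
        "source2": decide(closure, subj, "xray", "read", "source2"),
    }


if __name__ == "__main__":
    print(enforce("alice", {("parent", "alice", "test"), ("time",), ("location",)}))
```

With both context predicates true the result matches the slide (source 1 denied by rule 2, source 2 allowed through rule 3); drop location() and rule 1 no longer fires, so the global grant and, transitively, the source 2 grant disappear while the source 1 denial stays.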

Page 33

Implementation

• Java in the Eclipse environment
• Semantically heterogeneous XML sources
• The JDOM package for XML processing
• Semantic mapping information in tables
• Security policies in relational databases

Pages 34–36

Implementation

Page 37

Contributions & Conclusion

Flexible and extensible security policy modeling
• Context-aware
• Policy specification at different points
• Semantic heterogeneity

Hybrid Enforcement Strategy
• Extensibility (constraints)
• Less maintenance effort
• Reusability (views)


Page 39

Future Work

An extended authorization model
• Incorporating post-event processing [Kudo00]
• Post events include auditing and digital signature verification

An aspect-driven approach for security policy composition
• Software systems evolve over time
• A composition method for structuring security policies
• An aspect-driven framework for realizing security control policies for mediation systems

Preliminary results:
• SEKE04: Enhancing mediation security by aspect-oriented approach
• ICECCS05: Secure software architecture design by aspect orientation

Page 40

Future Work: High-Confidence System (NSF CREST)

A formal framework for modeling, specifying and verifying system properties
• Define the behavior models of components by Petri nets
• Specify properties of components by temporal logic, e.g. liveness
• Model and verify the architecture of mediation systems

Preliminary results:
• ASTC04: Modeling and verification of real-time mediation systems
• ACM SAC05: Mediation framework modeling and verification
• ICECCS05: Modeling and verifying mediation framework

Page 41

Acknowledgement

• Dr. Raimund K. Ege
• Dr. Huiqun Yu
• Dr. Peter Clarke
• Dr. S. Masoud Sadjadi
• SSA Group in the School of Computer Science at Florida International University
• Software Engineering Project Group: Adam, Fayaz Amirali; Raskin, Olga; Smith, Nikel Noima
• NSF HRD 0317692 CREST Grant

Page 42

Main References

[Bacon02] J. Bacon, K. Moody and W. Yao. A model of OASIS role-based access control and its support for active security. ACM Transactions on Information and System Security, 5(4): 492-540, 2002.

[Damiani02] E. Damiani, S. De Capitani di Vimercati, S. Paraboschi and P. Samarati. A fine-grained access control system for XML documents. ACM Transactions on Information and System Security, 5(2): 169-202, 2002.

[Jajodia01] S. Jajodia, P. Samarati, M. L. Sapino and V. S. Subrahmanian. Flexible support for multiple access control policies. ACM Transactions on Database Systems, 26(2): 214-260, 2001.

[Kudo00] M. Kudo and S. Hada. XML document security based on provisional authorization. Proceedings of the 7th ACM Conference on Computer and Communications Security, pp. 87-96, Athens, Greece, 2000.

[Luo04] B. Luo, D. Lee, W.-C. Lee and P. Liu. QFilter: fine-grained run-time XML access control via NFA-based query rewriting. Proceedings of the ACM Conference on Information and Knowledge Management (CIKM), 2004.

[Neumann03] G. Neumann and M. Strembeck. An approach to engineer and enforce context constraints in an RBAC environment. Proceedings of the 8th ACM Symposium on Access Control Models and Technologies (SACMAT), Como, Italy, June 2003.

Page 43

Selected Publications

• Li Yang. Dynamic integration strategy for mediation framework (under review).
• Li Yang. Flexible authorization constraints specification and enforcement in mediation systems (under review).
• Li Yang, Raimund K. Ege and Huiqun Yu. Modeling and verifying mediation framework. The 10th IEEE International Conference on the Engineering of Complex Computer Systems (ICECCS'05), Shanghai, China (accepted).
• Li Yang, Raimund K. Ege and Huiqun Yu. Security specification and enforcement in heterogeneous databases. The 20th Annual ACM Symposium on Applied Computing (SAC'05), Computer Security Track, Santa Fe, New Mexico, March 2005 (in press).
• Li Yang, Raimund K. Ege and Huiqun Yu. Mediation framework modeling and verification (Abstract). The 20th Annual ACM Symposium on Applied Computing (SAC'05), Software Engineering Track, Santa Fe, New Mexico, March 2005 (in press).
• Li Yang, Raimund K. Ege, Onyeka Ezenwoye and Qasem Kharma. A role-based access control model for information mediation. The 2004 IEEE International Conference on Information Reuse and Integration, pages 277-282, Las Vegas, NV, 2004.
• Li Yang, Raimund K. Ege and Huiqun Yu. Enhancing mediation security by aspect-oriented approach. Software Engineering and Knowledge Engineering (SEKE), Banff, Alberta, Canada, June 2004.
• Raimund K. Ege, Li Yang, Qasem Kharma and Xudong Ni. Three-layered mediator architecture based on DHT. International Symposium on Parallel Architectures, Algorithms, and Networks (I-SPAN), IEEE Computer Society Press, Hong Kong, May 2004.
• Li Yang and Raimund K. Ege. Modeling and verification of real-time mediation systems. Advanced Simulation Technologies Conference (ASTC), pages 61-68, Arlington, Virginia, April 2004.

Page 44

Thank you!

Questions or Comments

www.cs.fiu.edu/~lyang03/Li