Download Mason Template 1: Title Slide

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
Document related concepts
no text concepts found
Transcript 
The Secure Information Sharing
Problem and Solution Approaches
Ravi Sandhu
Executive Director and Endowed Chair
Institute for Cyber Security
University of Texas at San Antonio
www.profsandhu.com
© Ravi Sandhu
www.profsandhu.com
Three Themes
Work in Progress
Secure Information
Sharing (IS)
“Share but Protect”
“Mother of all Security Problems”
Policy-EnforcementImplementation Layers (PEI)
&
Usage Control Models (UCON)
2
Trusted
Computing (TC)
© Ravi Sandhu
www.profsandhu.com
What is Trusted Computing (TC)?
Basic premise
• Software alone cannot provide an adequate foundation for trust
Old style Trusted Computing (1970 – 1990’s)
• Multics system
• Capability-based computers
How best to leverage
this technology?
– Intel 432 vis a vis Intel 8086
• Trust with security kernel based on military-style security labels
– Orange Book: eliminate trust from applications
What’s new (2000’s)
• Hardware and cryptography-based root of trust
– Trust within a platform
– Trust across platforms
Massive paradigm shift
• Rely on trust in applications
– No Trojan Horses or
– Mitigate Trojan Horses and bugs by legal and reputational recourse
3
Prevent information leakage by binding
information to Trusted Viewers on the client
© Ravi Sandhu
www.profsandhu.com
What is Information Sharing?
The mother of all security problems
• Share but protect
Requires controls on the client
• Server-side controls do not scale to high assurance
Bigger than (but includes)
• Retail DRM (Digital Rights Management)
• Enterprise DRM
4
© Ravi Sandhu
www.profsandhu.com
What is Information Sharing?
Strength of Enforcement
Content type and value
Weak
Strong
Sensitive and proprietary
Password-protected documents
Software-based client controls
for documents
Hardware based trusted viewers,
displays and inputs
Revenue driven
IEEE, ACM digital libraries protected by
server access controls
DRM-enabled media players
such as for digital music and
eBooks
Dongle-based copy protection,
hardware based trusted viewers,
displays and inputs
Sensitive and revenue
Analyst and business reports protected by
server access controls
Software-based client controls
for documents
Hardware based trusted viewers,
displays and inputs
Roshan Thomas and Ravi Sandhu, “Towards a
Multi-Dimensional Characterization of
Dissemination Control.” POLICY04.
5
Medium
© Ravi Sandhu
www.profsandhu.com
Functionality
Simple
Strength of enforcement
Complex
Legally enforceable
versus system enforced
rights.
Dissemination chains
and flexibility.
Object types supported.
With current stateFlexible,
of knowledge
multi-step, and multi-point.
the informationSupport
sharing
space
Simple, read-only and singlefor complex, multi-version
version
objects.
isobjects.
too complex to
characterize
Support for object
sensitivity/confidentiality.
in a comprehensive
manner
Limited to one-step
disseminations.
Weak/Medium
Strong
Reliance on legal
enforcement;
Limited system enforced
controls.
Strong system- enforceable
rights, revocable rights.
Mostly legal enforcement;
System enforceable controls.
Reliance on legally
enforceable rights.
System supported and
enforceable rights and
sanitization on multiple
versions.
Persistence and
modifiability of rights
and licenses.
Immutable, persistent and viral
on all disseminated copies.
Not viral and modifiable by recipient.
Reliance on legally
enforceable rights.
System enforceable.
Online versus offline
access and persistent
client-side copies
No offline access and no clientside copies.
Allows offline access to client-side
copies.
Few unprotected copies are
tolerated.
No unprotected copies are
tolerated.
Usage controls
Control of basic dissemination.
Flexible, rule-based usage controls on
instances.
Some usage abuse allowed.
No potential for usage abuse.
Preservation of
attribution.
Recipient has legal obligation to
give attribution to disseminator.
System-enabled preservation and traceback of the attribution chain back to
original disseminator.
Revocation
Simple explicit revocations.
Support for derived and
value-added objects.
Not supported.
Integrity protection for
disseminated objects.
Out of band or non-crypto based
validation.
Audit
Payment
Attribution
can only
be
Look for
sweet
spots
thatAttribution is system enforced.
legally enforced.
are of practical interest
Complex policy-based revocation.
No timeliness guarantees.
to take immediate
and where
progress (andGuaranteed
effect.
killer products)
can be made
Supported.
Reliance on legally
System enforceable rights for
enforceable rights.
derived and valued-added
objects.
Cryptographic schemes for integrity
validation.
Off-line validation.
High-assurance cryptographic
validation.
Audit support for basic
dissemination operations.
Additional support for the audit of
instance usage.
Offline audit analysis.
Real-time audit analysis and
alerts.
Simple payment schemes (if
any).
Multiple pricing models and payment
schemes including resale.
Tolerance of some revenue
loss.
No revenue loss; Objective is
to maximize revenue.
Roshan Thomas and Ravi Sandhu, “Towards a Multi-Dimensional Characterization of Dissemination Control.” POLICY04.
Classic Approaches to Information Sharing
Discretionary Access Control (DAC), Lampson 1971
• Fundamentally broken
• Controls access to the original but not to copies (or extracts)
Mandatory Access Control (MAC), Bell-LaPadula 1971
• Solves the problem for coarse-grained sharing
– Thorny issues of covert channels, inference, aggregation remain but can be
confronted
• Does not scale to fine-grained sharing
– Super-exponential explosion of security labels is impractical
– Fallback to DAC for fine-grained control (as per the Orange Book) is pointless
Originator Control (ORCON), Graubart 1989
• Propagated access control lists: let copying happen but propagate ACLs to
copies (or extracts)
Not very successful
7
© Ravi Sandhu
www.profsandhu.com
Modern Approach to Information Sharing
Prevent leakage by binding information to Trusted Viewers on
the client
• Use a mix of cryptographic and access control techniques
Cryptography and Trusted Computing primitives enable
encapsulation of content in a Trusted Viewer
• Trusted Viewer cannot see plaintext unless it has the correct keys
Access control enables fine-grained control and flexible policy
enforcement by the Trusted Viewer
• Trusted Viewer will not display plaintext (even though it can) unless
policy requirements are met
• Enables policy flexibility and policy-mechanism separation
Without use of hardware-rooted
Trusted Computing assurance of
client-side controls is very weak
8
© Ravi Sandhu
www.profsandhu.com
PEI Models Framework
Security and system goals
(requirements/objectives)
Policy models
Horizontal
view
Enforcement models
Looks at
Individual
layer
Implementation models
Vertical
View
Looks
Across
Layers
9
Target platform, e.g., Trusted
Computing technology
© Ravi Sandhu
www.profsandhu.com
Scoping Information Sharing Problem:
Objective Layer
Scoping the Problem
•
•
•
•
Read-only (versus read-write)
Document-level controls (versus query-level control)
Superdistribution (encrypt once, access wherever authorized)
Support for off-line access without advance set-up (with usage limits)
Scoping the Solution
• Two-phase enforcement
Limits instant and preemptive revocation
– Enroll TPM (Trusted Platform Module) and LaGrande equipped client
computer into a Group
– Within the Group impose additional policy-based controls
Required to support
super-distribution
Supports fine-grained
controls and policy flexibility
10
© Ravi Sandhu
www.profsandhu.com
PEI Models Framework
Security and system goals
(requirements/objectives)
Policy models
Horizontal
view
Enforcement models
Looks at
Individual
layer
Implementation models
Vertical
View
Looks
Across
Layers
11
Target platform, e.g., Trusted
Computing technology
© Ravi Sandhu
www.profsandhu.com
Various states of a member in a group
enroll
Initial state:
Never been a
member
Currently a
member
Past member
State III
State II
State I
enroll
12
disenroll
© Ravi Sandhu
www.profsandhu.com
Access policies for State I
1.
Straight-forward. User
has no access to any group
documents.
enroll
Initial state:
Never been a
member
Currently a
member
Past member
State III
State II
State I
enroll
13
disenroll
© Ravi Sandhu
www.profsandhu.com
Access policies for State II
1.
2.
3.
4.
Access to current documents only (or)
Access to current documents and past
documents
Access can be further restricted with rate
and/or usage limits
Access can be further restricted on basis of
individual user credentials
Initial state:
Never been a
member
enroll
Currently a
member
Past member
State III
State II
State I
enroll
14
disenroll
© Ravi Sandhu
www.profsandhu.com
Access policies for State III
1.
2.
3.
4.
5.
Past member loses access to all documents (or)
can access any document created during his membership (or)
can access documents he accessed during membership (or)
can access all documents created before he left the group (this
includes the ones created before his join time)
all subject to possible additional rate, usage and user credential
restrictions
enroll
Initial state:
Never been a
member
Currently a
member
Past member
State III
State II
State I
enroll
15
disenroll
© Ravi Sandhu
www.profsandhu.com
Access policies for State II.re-enroll
1.
2.
3.
4.
No rejoin of past members is allowed, rejoin with new ID (or)
Past members rejoin the group just like any other user who
has never been a member
The same access policies defined during his prior
membership should again be enforced (or)
access policies could vary between membership cycles
enroll
Initial state:
Never been a
member
Currently a
member
Past member
State III
State II
State I
enroll
16
disenroll
© Ravi Sandhu
www.profsandhu.com
Use-case 1
Access policies: II.1, III.1, II.re-enroll.1
•
Intel’s ViiV: A typical scenario in libraries, book-stores, cafes, etc.
a.
b.
c.
•
17
A master system could be ViiV enabled which subscribes to various
kinds of channels from its content providers
Many devices can in-turn subscribe to this master device and receive
content and thus form a group
When a device leaves the group, it loses access to all the downloaded
content. “Leaving the group” could be determined by various
mechanisms depending on context and available technology (location,
network connectivity, etc.).
Many universities and corporations allow access to their content as
long as one is within their network. Once the user leaves the
network, the user loses access to the content.
© Ravi Sandhu
www.profsandhu.com
Use-case 2
Access policies: II.1, III.2, II.re-enroll.1:
• Project out-sourcing:
– A financial organization could recruit a software-consulting firm to
provide software solutions. This forms a temporary group.
– The incoming members (from the software firm) cannot access any past
documents. These could be design documents that were created in
collaboration with a different external organization.
– When they finish the project and leave the group, they can continue to
have access to the documents exchanged during their membership for
future reference and to add to their profile. This is dependant on financial
institution’s policy.
18
© Ravi Sandhu
www.profsandhu.com
Use-case 3
Access policies: II.2, III.1, II.re-enroll.1:
•
•
•
19
An employee in a company can access all the current documents. When he
employee quits, he should lose access to all documents.
DoD projects / contracts have a multi tiered structure. A member of a
contracting company may be authorized to access certain set of documents
only for the duration of the project – once the project is over, the
contractor’s right to use the document is automatically voided.
In a supply chain situation, there are lots of partners and suppliers who will
send quotes for a given proposal. They need to have access to the proposal
and related content. But once the quote/response is submitted, their
membership context for that particular or group of proposals ceases and
they shouldn’t have access to any of the older content that they had access
to.
© Ravi Sandhu
www.profsandhu.com
Use-case 4
Access policies: II.2, III.2, II.re-enroll.1:
•
Collaborative product development:
–
–
–
–
20
In the case of several automobile models, there are product twins –
models from the same company that resemble each other, except for the
division's brand name and price tag.
In such instances, there could be either a loose collaboration (e.g.
shared design team, parts ordering/manufacturing but different
factories) or a tight collaboration (e.g. joint manufacturing of two
different models).
In either case, the members from different parties join hands and share
documents actively.
They will need access to both old documents and current documents.
Even after the collaboration period, they will need access to the old
documents for further refinement and production.
© Ravi Sandhu
www.profsandhu.com
Various states of an object (document) in a
group
add
Initial state:
Never been a
group doc
Currently a
group doc
Past group
doc
State I
State II
State III
add
21
remove
© Ravi Sandhu
www.profsandhu.com
Access policies for State I
1.
Straight-forward. No
access to group
members.
add
Initial state:
Never been a
group doc
Currently a
group doc
Past group
doc
State I
State II
State III
add
22
remove
© Ravi Sandhu
www.profsandhu.com
Access policies for State II
1.
2.
Access allowed only to
current group members
Access allowed to current
and past group members
add
Initial state:
Never been a
group doc
Currently a
group doc
Past group
doc
State I
State II
State III
add
23
remove
© Ravi Sandhu
www.profsandhu.com
Access policies for State III
1.
2.
3.
No one can access
Any one can access
Past members can
access
add
Initial state:
Never been a
group doc
Currently a
group doc
Past group
doc
State I
State II
State III
add
24
remove
© Ravi Sandhu
www.profsandhu.com
Access policies for State II.re-add
1.
2.
3.
4.
Cannot be re-added.
When a document is re-added, it
will be treated as a new document
that is added into the group.
Only current members can access.
Past members and current
members can access
Initial state:
Never been a
group doc
Currently a
group doc
Past group
doc
State I
State II
State III
add
25
add
remove
© Ravi Sandhu
www.profsandhu.com
Policy Models
Idealized policy:
• Instant revocation
• Pre-emptive revocation
Enforcement models will specify degree of
approximation (among other details)
26
© Ravi Sandhu
www.profsandhu.com
Policy Models
Group membership control
• Group-admins enroll and dis-enroll members
• Group-admins add/remove documents.
For concreteness we assume specific group-level policies
• Members cannot access documents created prior to joining
• Past-members can access documents created during (most recent)
membership
• Past documents cannot be accessed by anybody
• Documents cannot be re-added
The PEI models have specific points where such policies are enforced and
remain robust to changes in policy details
27
© Ravi Sandhu
www.profsandhu.com
Usage Control: The UCON Model
• unified model integrating
• authorization
• obligation
• conditions
• and incorporating
• continuity of decisions
• mutability of attributes
Rights
(R)
Subjects
(S)
Objects
(O)
Usage
Decisions
Subject Attributes (SA)
Authoriz
ations
(A)
Continuity of
Decisions
28
pre-decision
ongoing-decision
before-usage
ongoing-Usage
pre-update
ongoing-update
Mutability of
Attributes
Object Attributes (OA)
Obliga
tions
(B)
Condi
tions
(C)
after-usage
post-update
© Ravi Sandhu
www.profsandhu.com
UCON Policy Model
Operations that we need to model:
• Document read by a member.
• Adding/removing a member to/from the group
• Adding/removing a document to/from the group
Member attributes
• Member: boolean
• TS-join: join time
• TS-leave: leave time
Document attributes
• D-Member: boolean
• D-TS-join: join time
• D-TS-leave: leave time
29
© Ravi Sandhu
www.profsandhu.com
Policy model: member enroll/dis-enroll
enroll
member
TS-join
TS-leave
null
null
null
enroll
True
time of join
null
dis-enroll
enroll
enroll, dis-enroll: authorized to Group-Admins
Initial state:
Never been a
member
False
time of join
time of leave
Currently a
member
Past member
State III
State II
State I
enroll
30
disenroll
UCON elements:
Pre-Authorization, attribute predicates, attribute mutability
© Ravi Sandhu
www.profsandhu.com
Policy model: document add/remove
add
D-member
D-TS-join
D-TS-leave
null
null
null
True
time of join
null
add
False
time of join
time of leave
remove
add, remove : authorized to Group-Admins
add
Initial state:
Never been a
group doc
Currently a
group doc
Past group
doc
State I
State II
State III
add
31
remove
UCON elements:
Pre-Authorization, attribute predicates, attribute mutability
© Ravi Sandhu
www.profsandhu.com
Policy model: document read (S,O,read)
Pre-authorization check
• member(S) ≠ null AND D-member(O) ≠ null AND
TS-join(S) ≠ null AND D-TS-join(O) ≠ null AND
– TS-leave(S) = null AND TS-join(S) ≤ D-TS-join(O) OR
– TS-leave(S) ≠ null AND
TS-join(S) ≤ D-TS-join(O) ≤ TS-leave(O)
Ongoing-authorization check: terminate if
• D-TS-leave(O) ≠ null
Details depend on details
of group-level policy
UCON elements:
Pre-Authorization, attribute predicates, attribute mutability
Ongoing-authorization
32
© Ravi Sandhu
www.profsandhu.com
PEI Models Framework
Security and system goals
(requirements/objectives)
Policy models
Horizontal
view
Enforcement models
Looks at
Individual
layer
Implementation models
Vertical
View
Looks
Across
Layers
33
Target platform, e.g., Trusted
Computing technology
© Ravi Sandhu
www.profsandhu.com
Enforcement Models
Design Principle
• Do not inject new policy
• Focus on trade-offs for instant and pre-emptive revocation versus off-line
access
Faithful Enforcement w/o Off-line Access (Faithful Model):
• We need continuous online touch (at start of every access and during access)
• Continuous on-line touch can only be approximated
Usage-limited Off-line Access (Approximate Model):
• We need online touch periodically after some duration (at start of every access
and during access)
– Duration between online touches can be based on time, but time is not practical for
TPM-based TC
– Duration between online touches can be based on usage count, which is practical
for TPM-based TC
34
© Ravi Sandhu
www.profsandhu.com
Enforcement Architecture
Control Center
(CC)
4
2
7
3
5
1
Joining Member
Group-Admin
6
Member
Two sets of attributes
• Authoritative: as known to the CC
• Local: as known on a member’s computer
• Member enroll and dis-enroll (steps 1-2, 5)
• Document add and remove (step 6, 7)
• Read policy enforcement (step 3)
• Attribute update (step 4)
D-Member
Faithful Model: steps 3 and 4 are coupled
Approximate Model: steps 3 and 4 are de-coupled
35
© Ravi Sandhu
www.profsandhu.com
UCON Enforcement Models
Member attributes
• Member-a, Member-l: boolean
• TS-join-a, TS-join-l: join time
• TS-leave-a, TS-leave-l: leave time
Document attributes
• D-Member-a, D-Member-l: boolean
• D-TS-join-a, D-TS-join-l: join time
• D-TS-leave-a, D-TS-leave-l: leave time
Additional Member attributes for Approximate model:
• refresh_count: decremented on every access
• refresh_count_reset: refresh_count is reset to this value when it hits 0
36
© Ravi Sandhu
www.profsandhu.com
Faithful model highlights
• enroll a member: two steps
• Step 1: Group-admin issues enrollment token to Joining Member
• Step 2: Joining Member presents token to CC and receives group membership
credential
– Group key (symmetric key)
– Local attribute values
• dis-enroll a member
• Updates authoritative attributes at CC
• Takes effect on local attributes at next update
• add a document
• Updates authoritative attributes at CC
• remove a document
• Updates authoritative attributes at CC
• Propagated to clients as DRLs (Document Revocation List)
37
© Ravi Sandhu
www.profsandhu.com
Faithful model highlights: (S,O,read)
•
Pre-Obligation
•
•
•
Pre-Condition
•
•
Local attributes of S and O continuously updated based on authoritative values from CC
Local DRL continuously updated from authoritative DRL at CC
Ongoing-Condition
•
•
Based on just updated local attributes of S and O and DRL
Ongoing-Obligation
•
•
•
Requires connectivity to enable updates
Pre-Authorization
•
•
Local attributes of S and O are updated based on authoritative values from CC
Local DRL updated from authoritative DRL at CC
Requires connectivity to enable updates
Ongoing-Authorization
•
Based on continuously updated local attributes of S and O and DRL
UCON elements:
Requires full power of UCON
38
© Ravi Sandhu
www.profsandhu.com
Approximate model highlights
• enroll a member: two steps
• Step 1: Group-admin issues enrollment token to Joining Member
• Step 2: Joining Member presents token to CC and receives group membership
credential
– Group key (symmetric key)
– Local attribute values
• dis-enroll a member
• Updates authoritative attributes at CC
• Takes effect on local attributes at next update
• add a document
• Updates authoritative attributes at CC
• remove a document
• Updates authoritative attributes at CC
• Propagated to clients as DRLs (Document Revocation List)
Different from Faithful model
39
© Ravi Sandhu
www.profsandhu.com
Approximate model highlights: (S,O,read)
• Pre-Obligation
• Local attributes of S and O are periodically updated based on authoritative
values from CC
• Pre-Condition
• Requires connectivity to enable updates when required
• Pre-Authorization
• Based on just updated local attributes of S and O
• Ongoing-Obligation
• Local attributes of S and O are continuously periodically updated based on
authoritative values from CC
• Ongoing-Condition
• Requires connectivity to enable updates when required
• Ongoing-Authorization
• Based on continuously periodically updated local attributes of S and O
UCON elements:
Requires full power of UCON
40
© Ravi Sandhu
www.profsandhu.com
PEI Models Framework
Security and system goals
(requirements/objectives)
Policy models
Horizontal
view
Enforcement models
Looks at
Individual
layer
• Out of scope for this talk
Implementation models
Vertical
View
Looks
Across
Layers
41
Target platform, e.g., Trusted
Computing technology
© Ravi Sandhu
www.profsandhu.com
Conclusion
Information sharing is an important security problem
and a potential growth area
Trusted computing is a good fit for solving some sweet
spots in this space
The PEI models framework is useful in closing the
policy-implementation gap
UCON is a useful framework for stating policy and
enforcement models
42
© Ravi Sandhu
www.profsandhu.com
Q&A
Work in Progress
Secure Information
Sharing (IS)
“Share but Protect”
“Mother of all Security Problems”
Policy-EnforcementImplementation Layers (PEI)
&
Usage Control Models (UCON)
43
Trusted
Computing (TC)
© Ravi Sandhu
www.profsandhu.com
Related documents
Exploring the Guenon Mystery: An Evolutionary Analysis
Exploring the Guenon Mystery: An Evolutionary Analysis
AFOSR-review-2007-UT.. - The University of Texas at Dallas
AFOSR-review-2007-UT.. - The University of Texas at Dallas
ravi shankar - Sulivan Sweetland
ravi shankar - Sulivan Sweetland
Question 1: Express each number as product of its prime factors
Question 1: Express each number as product of its prime factors
Junior Round 2 2013 File
Junior Round 2 2013 File
Older Adults Oral Health Issues
Older Adults Oral Health Issues
SNS College of Engineering THE PRESENT CONTINUOUS Tense
SNS College of Engineering THE PRESENT CONTINUOUS Tense
Nishkam Ravi - Graduate Computing Resources
Nishkam Ravi - Graduate Computing Resources
UNIT-1 Electric Circuit
UNIT-1 Electric Circuit
AP Course Information for Students: The following Advanced
AP Course Information for Students: The following Advanced