Title: Formal Semantics for Programmable Access Control PART A
1Formal Semantics for Programmable Access Control
(PART A)
2Presentation Outline
- System Security (brief definition)
- MOOSE project
- Meta Object Model (MOM) components and
functionality - MOM Authorization Model
- Denotational Semantics for
- MOM Authorization Model
- Results and Conclusions
3System Security
- Protection afforded to an automated information
system in order to attain the applicable
objectives of preserving the integrity,
availability and confidentiality of information
system resources - NIST Handbook
National Institute of Standards and Technology
4System Security
- How can system security be achieved?
- Authorization
- Authentication
- Auditing
- Secure communication
-
5Heterogeneous Distributed Systems
- You know you have one when the crash of a
computer youve never heard of stops you from
getting any work done - (CPTS 564 Notes Very Interesting Definition)
Any examples?
6Global Enforcement of Confidentiality and
Authorization for Heterogeneous Distributed
Systems
- Difficult to achieve
- because.
- Software components on distributed systems are
typically heterogeneous (different languages and
systems) - Authorization policies are fixed to specific
systems - No flexibility to encompass other models
7Global Enforcement of Confidentiality and
Authorization for Heterogeneous Distributed
Systems
- What has been done so far?
CORBA
Common Object Request Broker Architecture
OLE/COM
Object Linking and Embedding/Common Object Model
8Global Enforcement of Confidentiality and
Authorization for Heterogeneous Distributed
Systems, Cont.
- Secure interoperability is prevented due to
semantic diversity and complexity at the policy
and model level
Is there a solution?
9Programmable Security
- Common architecture that embeds programmable
security constructs at a fundamental level
Introduce new syntax for security policy
expressions
Primitive security mechanisms tied to syntax
within a common model for object systems
10Formal Methods are NEEDED!!!!
Mathematical techniques for specifying and
verifying system properties
ROC formalism for concurrently executing objects
Distributed system verification
HOL logic for reasoning and verification
11MOOSE Architecture(Meta Object Operating System
Environment)
12MOOSE Architecture
- Supports an architecture for the development,
execution, and verification of secure
heterogeneous distributed systems - Meta Object Model core distributed object model
within MOOSE that supports primitive object
functionality
13Meta Object Model (MOM)
- Primitive distributed object model
- Classes and inheritance through meta objects and
delegation - Supports core object functionality (method
invocation, asynchronous message passing,
delegation, aggregation) - Provides a common substrate for secure
interoperability between heterogeneous object
systems
14MOM Components
15Message Handler(MOM Components)
- Main Function constrain the set of messages
that objects receive from their environment
Receipt of a message from message handler
Accept it as a local request (thats not
authorization!!)
Delegate it to adjacent domain
16Object Registry(MOM Components)
Main Function bookkeeping information
associated with each object component
Local identifier of the object component
Miscellaneous information
Component type
17Object Registry An example(MOM Components)
How can the object registry be used?
Component Type Misc o1 MOM-Object o2
MOM-Object
Object Registry for root
Incoming message contains an invocation request
for a method responsible for creating object
named o2. Deny or accept?
18Meta Data Repository(MOM Components)
Main Function contains templates needed to
define meta object instances
Object o2 can create instances containing
subobjects X and Y and methods M1 and M2.
Initial Authorization State of o3
Suppose o3 is a new instance of o2.How can the
meta data table for o2 be used? And why?
19Methods(MOM Components)
Method Interface
Accepts method Invocation Manages synchronization
constraints on methods
Method Arbiter
Establishes communication channels between the
method body and its environment
Method Body
Performs the actual work only communicates with
the arbiter
20Methods An example(MOM Components)
msg
Method interface m1
Method arbiter m1
Method body m1
21Object Access Control List(MOM Components)
Main Function defines the local authorization
state for the MOM objects
KEY or LOCK or recursive
lt Component, Privilege, Token gt
ticket
22Object Access Control List(MOM Components)
Method_1 has a Lock privilege associated with
ticket a.
23MOM Authorization Scheme
- Object Access Control Lists (OACLs)
- Message Filters
- Messages and Tickets
24Ticket-Based Scheme
25Message Filtering
26Original Authorization Model Semantics
- Captured by five rules
- Mostly focused on adding/removing privileges
- Ignores hierarchical structure of objects
(assumes direct access between objects)
Object B
Object A
Universal Object Domain
Object C
27Refined Authorization Model Semantics
- Object hierarchy
- IS
- important
- An object can intervene and deny access
A
B
C
28Refined Authorization Model Semantics
- Object hierarchy taken into account
- Message delegation (authorization of message at
each passing object in the hierarchy) - HOW?
29Authorization During Delegation
30Refined Authorization Model
- PARENT predicate
- ADJ predicate
- ANCESTOR predicate
- DESCENDANT predicate
- LOCK predicate
- KEY predicate
- GRANT.p predicate
- REVOKE.p predicate
- MATCH predicate
- ACCESS predicate
- ADD command
- REMOVE command