Presentation is loading. Please wait.

Presentation is loading. Please wait.

May 7, 20031 Specification and Construction of Secure Distributed Collaboration Systems Anand Tripathi Department of Computer Science University of Minnesota,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "May 7, 20031 Specification and Construction of Secure Distributed Collaboration Systems Anand Tripathi Department of Computer Science University of Minnesota,"— Presentation transcript:

1 May 7, 20031 Specification and Construction of Secure Distributed Collaboration Systems Anand Tripathi Department of Computer Science University of Minnesota, Minneapolis http://www.cs.umn.edu/Ajanta This work was supported by NSF grant ITR 0082215 and EIA 9818338

2 May 7, 20032 Team Members Tanvir Ahmed (Ph.D. candidate) Richa Kumar (currently with Microsoft)

3 May 7, 20033 Outline Introduction –Research Goals: Requirements in Secure Collaboration A Model for Coordination and Security Specifications Middleware Execution Model and Design Issues –Policy based construction of runtime environment Verification of security properties using finite state model checking Future Directions

4 May 7, 20034 Introduction

5 May 7, 20035 Research Goals Rapid construction of secure distributed CSCW (Computer Supported Cooperative Work) systems from their high level specifications Collaboration groups may be formed ad hoc. Virtual organizations spanning different independent enterprises. Peer-to-peer management of collaboration activities –No single entity trusted by all to manage all aspects of a collaboration

6 May 7, 20036 CSCW Systems Multiple users cooperate using shared artifacts towards some common objectives. Groupware Systems Real-time synchronous interactions Tightly coupled Unstructured and ad-hoc coordination Concurrency issues Minimal security Whiteboard systems, Conferencing tools Workflow Systems Asynchronous, loosely coupled interactions Structured interactions based on existing business models Persistence of shared objects Security: important concern Client-server model with securely managed servers Office / Health-care systems

7 May 7, 20037 A Virtual Organization Enterprise A Enterprise C Enterprise B Enterprise D Activities Coordination / synchronization Security Requirements

8 May 7, 20038 Dynamic and Ad Hoc Collaborations Peer-to-peer management of collaboration activities. Different participants perform functions for managing various aspects of a collaboration environment. –Decentralized management Need for a distributed trust model for assigning management functions to the participants.

9 May 7, 20039 Research Approach 1.A specification model for CSCW systems. Security and Coordination Requirements 2.Derivation of policy modules from the specifications. 3.A policy-driven middleware for secure distributed collaboration. Specification of a Collaboration Environment Derivation of Policy Modules from Specification Policy Driven Distributed Middleware Components and Services Runtime Environment

10 May 7, 200310 Policy-Based Approach Decouples coordination and security aspects of a collaboration from the implementation of its functionality. –Collaborative systems may evolve with changes in administrative policies and user experience. –Integration of new objects, devices, or tools may be needed. –Collaboration environments may span multiple administrative domains. Different policies can be easily plugged in.

11 May 7, 200311 Role-Based Model for CSCW ExamPaper Examiner Grader Student GradeSheet AnswerBook users roles objects Course Examination: Example of a CSCW Activity

12 May 7, 200312 Research Approach Collaboration Systems Specification Analysis and Verification Tools Consistency of coordination constraints Coordination Dependency Analysis Security conflicts in assigning management functions to users Derivation of Policy Templates Object Access Control Policies Event Subscription/Notification Policies Role Management Policies Middleware Components and Functions Generic managers for roles and objects Creation of collaboration-specific policy objects at runtime Integration of policy objects with generic managers & application objects

13 May 7, 200313 A Role-Based Model for CSCW A role defines a set of operations Role operations represent a participant’s tasks and privileges to perform actions on shared objects –A role represents a protection domain Access rights are associated with a role Role operations need satisfy coordination constraints. Current RBAC (Role Based Access Control) models do not adequately support the dynamic and context sensitive requirements of CSCW systems.

14 May 7, 200314 Security and Coordination Requirements in Collaboration Systems

15 May 7, 200315 Requirements for Collaboration Specification Coordination requirements –participants in the same role (intra-role) –participants in different roles (inter-role) Security requirements –Role admission Authentication and authorization of users –“Separation-of-Duties” –Dynamic access control policies Requires a unified model for coordination and security Enforcement of security policies –Who can be trusted to enforce a given policy?

16 May 7, 200316 Intra-Role Coordination Models Independent participation –Participants in a role work independently –Each participant has his/her own workspace –No coordination among the role participants Cooperative participation –Coordinate among themselves A role task can be performed by only one person –Participants in the “nurse-on-duty” role administer daily medication only once to a patient. –Joint participation All participants must perform the role operation together –Three banker managers open a bank vault jointly. –Unrestricted participation Users sharing a whiteboard in a meeting

17 May 7, 200317 Role Admission Constraints Specifies conditions that need to be satisfied when a user requests to join a role. For example: –A list of users who are allowed to join –List of users to be disallowed to gain membership –A user's current or prior membership in some other roles –Role membership cardinality –Events that must happen before a user could be admitted in a role

18 May 7, 200318 Separation-of-Duties Static separation-of-duty –A user can never join two security sensitive roles. Dynamic separation-of-duty –A user cannot join two security sensitive roles concurrently. User-user conflicts User-role conflicts Operational separation-of-duty –In a business process, two sensitive operations should never be performed by the same user. –Object-based separation-of-duties A user in a role cannot perform two sensitive operations on the same object.

19 May 7, 200319 Dynamic Access Control Policies A role operation may be allowed to be executed only after the occurrence of certain events. Role activation or invalidation conditions need to be checked and enforced at runtime. History-based separation-of-duties concerns. Access policies for an object may change: –Creation/termination of activities –Completion of some collaboration phase

20 May 7, 200320 Privacy Hide identities of participants’ in one role from other –E.g., Graders do not know the identity of the candidate Presence of a participant may be made visible only through a role or a pseudonym in a role

21 May 7, 200321 Hierarchical Activity Organization New nested activities may be created with existing or new roles An activity is instantiated multiple times, possibly concurrently, with different sets of users and objects Requirement: Certain roles/objects in the parent activity may be needed to be bound to the roles/objects in a new activity.

22 May 7, 200322 A Model for Specifying Collaboration Systems

23 May 7, 200323 Collaboration Activity Activity Definition –It defines a naming scope for objects and roles. –A large-scale collaboration may involve many activities, which may be nested hierarchically. Activity Template –Defines a reusable pattern for collaboration.

24 May 7, 200324 Activity Template Specification 1.Role Specification –Role Admission Constraints Role operations for users to: join, leave, admit, remove –Role Activation Constraints Conditions that must be true for a user to invoke any of the role operations –Role Operations: an operation definition has two parts Precondition and Action 2.Object Specification –Method Signature –Access Control 3.Nested Activity Templates

25 May 7, 200325 Activity Creation Role Assignment –Static Assignment (Role Reflection) : All users from a role in the parent activity are assigned to a role in the new activity (specified in activity definition). –Dynamic Assignment: Users are assigned to roles in the new activity at the time of activity creation. Objects in the parent activity may be needed to be passed to nested activities. –Access control policies for such objects may need to be updated.

26 May 7, 200326 Activity ExamSession ExamPaperAnswerBook Activity ExamSession ExamPaperAnswerBook Example: Course Activity ExamPaper Activity ExamSession ExamPaperAnswerBook Role CheckerRole Candidate Role Assistant Role Examinee Role Examiner Role Grader AnswerBook GradeSheet Role Instructor Role Student Activity Examination Activity Course Role assignment Role reflection Object parameters

27 May 7, 200327 Activity, Role, Object Management Meta Roles –Creator role: user initiating an activity instance. Creator may not always be trusted for managing the activity. –Owner role is trusted to manage the activity instance. The owner role has “vested interest” in managing the entity.

28 May 7, 200328 Activity, Role, Object Management Activity ownership: –Activity template can specify a role in the outer scope as the owner. –If not specified, the owner of the parent activity is the owner. Role ownership –Activity template can specify the owner. –If not specified, the owner of its activity is the owner. Object ownership –Role creating an object is its owner.

29 May 7, 200329 Role Related Specification Functions Psuedo-variables: thisUser, thisRole, … Membership functions: Boolean function member( UserID, RoleName ) member ( thisUser, Instructor ) member ( Tom, thisRole ) List of current members in a role is given by: members( RoleName ) Number of members in a list: # (members( RoleName ))

30 May 7, 200330 Event Specification Three types of events related to each role operation and object method execution: –“request”, “start”, “finish” (Model by Roberts and Verjus, IFIP 1977) –Example: ExamSession.Checker.Grade.finish Event Counters: #(eventName): number of times the event has occurred Derived events: –Filtering an event list based some predicate –Example: opName.start(invoker=John)

31 May 7, 200331 ExamSession Activity An instance of this activity is created by a student in the Examinee role. Only the student creating this activity should be able to join the Candidate role. Only a member of the Grader role in the Examination activity can join the Checker role. This activity must be managed at a Grader’s node, and not at its creator’s node (i.e. student’s node). ActivityTemplate ExamSession ExamPaperAnswerBook Role CheckerRole Candidate

32 May 7, 200332 ExamSession Specification (1) ACTIVITY ExamSession (OWNER Grader, OBJECTS (ExamPaper exam, AnswerBook ans), ASSIGNED_ROLES Candidate) { TERMINATION_CONDITION # (Checker.Grade.finish) > 0 ROLE Checker { ADMISSION_CONSTRAINTS #members(thisRole) < 1 & member(thisUser, parentActivity.Grader) OPERATION Grade { PRECONDITION # (Candidate.Submit.finish) = 1 ACTION ans.setGrade(data) } } ROLE Candidate { … } }

33 May 7, 200333 ExamSession Specification (2) ROLE Candidate { ADMISSION CONSTRAINTS member(thisUser, parentActivity.Examinee) & member(thisActivity.Creator, thisUser) & members(thisRole) < 1 ACTIVATION CONSTRAINTS date > DATE(Mar, 22, 2002, 8:00) & date < DATE(Mar, 22, 2002, 11:00) OPERATION StartExam { PRECONDITION #(StartExam.start) = 0 ACTION { ans = new AnswerBook( ); exam.readPaper( ) } OPERATION Write { PRECONDITION #(StartExam.finish) = 1 ACTION ans.writeAnswer(data) OPERATION Submit { PRECONDITION #(Write.finish) > 0 ACTION ChangeOwner (ans, Checker) } }

34 May 7, 200334 Middleware Framework

35 May 7, 200335 Middleware Design Issues 1.Decentralized management of roles/objects: –All user nodes may not be equally trusted –A single node may not be trusted by all users –How to select a node where an entity should be managed? 2.Consistency issues in distributed enforcement of coordination preconditions. 3.Security issues in event based coordination –Only the events from authorized entities must be used –Policies for authorized event subscription/notification 4. Dynamic access control policies depend on the collaboration state –Policies for access control of shared objects may change with time as new activities are created

36 May 7, 200336 Middleware Components and Services Role Definitions Generic Role Mangers Policy Modules Activity Definitions Generic Activity Mangers Policy Modules Object Definitions Generic Object Mangers Policy Modules Middleware Components Collaboration Specification with Application Level Objects Middleware Services Name ServicePublic Key ServiceActivity Management

37 May 7, 200337 User Interaction Model User Coordination Interface (UCI) Role Manager Object Manager User Authentication by role manager Role membership certificates Invocation of role operations by user Authentication of role manager by the object manager Invocation of object operations on behalf of the user Object Cache

38 May 7, 200338 Policy Modules Role Management Policy Modules –Role admission, activation, and operation preconditions Role-based Access Control Policy Modules –Policies for creating objects and activities –Access control on object method invocation Event Subscription and Notification Policy Modules –Entities allowed to subscribe to certain types of events –Entities allowed to send specific types of events

39 May 7, 200339 Access Control Policy (ACP) Template.OBJECT(ExamPaper, $z) SUBJECT { ACTIVITY_TEMPLATE = $y.ExamSession, OBJECT = ACTIVITY(Course, $x). ACTIVITY(Examination, $y) OWNER = $x.Instructor ENTRY { SUBJECT = $y.Examiner PERMISSION = setPaper CONDITION = ( #( $y.Examiner.SetPaper.start) = 0 ) } ENTRY { ROLE = Candidate } PERMISSION = readPaper }

40 May 7, 200340 ACP for an ExamPaper Object OBJECT = Course.chemistry.Examination.midterm.ExamPaper.exam OWNER = Course.chemistry.Instructor ENTRY { SUBJECT =..Examination.midterm.Examiner PERMISSION = setPaper CONDITION = ( #(..Examination.midterm.Examiner.SetPaper.start) = 0 ) } ENTRY { SUBJECT {ACTIVITY_TEMPLATE =..Examination.midterm.ExamSession, ROLE = Candidate } PERMISSION = readPaper } $x = Course.chemistry, $y =..Examination.midterm, $z =..ExamPaper.exam

41 May 7, 200341 Verification of Security Properties

42 May 7, 200342 Objectives of Policy Verification User interactions follow coordination and task flow requirements. Roles do not have conflicting or inconsistent constraints. Confidential information cannot flow to unauthorized users. Authorized information can be accessed. Any temporal or conditional constraints on accessing objects can be satisfied. The safety property that no rights can be leaked to unauthorized users.

43 May 7, 200343 Verification of Global Properties 1.Reachability of Operations –Example: OPERATION Op1 PRECONDITION #(Op2.finish) = 1 OPERATION Op2 PRECONDITION #(Op1.finish) = 1 2.Task Flow –Requirements are expressed in path expression constructs: (Campbell and Habermann, 1974) sequence(;), selection( () ) with a count (:n) restrictor Example: Examination := Examiner.SetPaper; Examinee.ExamSession.start

44 May 7, 200344 Global Security Properties 3.Role Based Constraints –Example of inconsistent constraint: ROLE B VALIDATION CONSTRAINTS ! member(A) ROLE C ADMISSION CONSTRAINTS member(A) & member(B) 4.Confidentiality and Information Flow –Condition based constraints “A participant of the examinee role cannot access the content of the exam paper before start of his/her own exam session”. “Identity of a candidate should not be known to the grader until the grades are submitted”.

45 May 7, 200345 Global Security Properties 5.Integrity and Access Leakage –Due to owner assignments, participants of the owner roles get extended privileges. –Express integrity policies to check unintentional leakage of access rights. “A participant of the examinee role can only modify his/her answer book, and that is allowed only during his/her exam-session”. 6.Decentralized Management –Untrusted users in administrative roles may actively try to violate sensitive security requirements

46 May 7, 200346 Verification Methodology Verification is performed by modeling the system using SPIN. Problem: Search space explosion Solution: Aspect specific verification: –Ignore properties, which are not in concern when verifying a specific property or can be independently verified.

47 May 7, 200347 Verification Methodology Verification methodology follows a precedence among the properties it checks. Based on aspects of the global requirements developed four verification models: (1)Task Model (2)Role Model (3) Information Flow Model (4) Owner Assignment Model i. Role constraints ii. Entity access and creation iii. Precondition check

48 May 7, 200348 Related Work Other policy based approaches: –COCA: Prolog based coordination policies for interactive applications –DCWPL: Coordination language to deal group interaction issues and uses predefined roles and functions –CSDL (Cooperative Systems Design Language, ICDCS’94) Similarity with programming methodologies: Aspect-oriented programming, Generative programming,

49 May 7, 200349 Conclusions We have developed a role based specification model and a policy-driven middleware to manage the runtime execution environment of secure distributed collaboration systems. The middleware support –Distributed management of collaboration entities –Derivation and enforcement of security and coordination policies based on trust relationships among users and roles Verification of Security Properties using SPIN

50 May 7, 200350 Current and Future Work Experimentation with collaborative systems with different security and coordination policies. (Tanvir Ahmed and REU students Jordan Raney and Sara Holmdahl) Object caching and replication (John Eberhard) Verification of security properties (Tanvir Ahmed, Ivan Osipkov) Extend this system to support ubiquitous and pervasive computing environments.

51 May 7, 200351 Thank you.

Download ppt "May 7, 20031 Specification and Construction of Secure Distributed Collaboration Systems Anand Tripathi Department of Computer Science University of Minnesota,"

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
Outline  Introduction  Background  Distributed DBMS Architecture  Distributed Database Design  Semantic Data Control ➠ View Management ➠ Data Security.

Outline  Introduction  Background  Distributed DBMS Architecture  Distributed Database Design  Semantic Data Control ➠ View Management ➠ Data Security.
Unveiling ProjectWise V8 XM Edition. ProjectWise V8 XM Edition An integrated system of collaboration servers that enable your AEC project teams, your.

Unveiling ProjectWise V8 XM Edition. ProjectWise V8 XM Edition An integrated system of collaboration servers that enable your AEC project teams, your.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Policy Based Design of Secure Distributed Collaboration Systems Tanvir Ahmed Department of Computer Science University of Minnesota, Twin Cities.

Policy Based Design of Secure Distributed Collaboration Systems Tanvir Ahmed Department of Computer Science University of Minnesota, Twin Cities.
Specification and Verification of Security Requirements in a Programming Model for Decentralized CSCW Systems Paper Report: Specification and Verification.

Specification and Verification of Security Requirements in a Programming Model for Decentralized CSCW Systems Paper Report: Specification and Verification.
Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais.

Process Model for Access Control Wael Hassan University of Ottawa Luigi Logrippo, Université du Québec en Outaouais.
8.2 Discretionary Access Control Models Weiling Li.

8.2 Discretionary Access Control Models Weiling Li.
Model-Driven Design and Administration of Access Control in Enterprise Applications April 2005.

Model-Driven Design and Administration of Access Control in Enterprise Applications April 2005.
Oracle Beehive Vivek Pavle Orabyte LLC www.orabyte.com Orabyte.

Oracle Beehive Vivek Pavle Orabyte LLC Orabyte.
Bilkent University Department of Computer Engineering

Bilkent University Department of Computer Engineering
6.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

6.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
Protocols for Secure Interactions in Distributed Collaboration Systems Masters Plan B Presentation 26 th November 2002 Richa Kumar Advisor: Dr. Anand Tripathi.

Protocols for Secure Interactions in Distributed Collaboration Systems Masters Plan B Presentation 26 th November 2002 Richa Kumar Advisor: Dr. Anand Tripathi.
Using Architecture Frameworks

Using Architecture Frameworks
EEC-681/781 Distributed Computing Systems Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC-681/781 Distributed Computing Systems Lecture 3 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.

Distributed Collaborations Using Network Mobile Agents Anand Tripathi, Tanvir Ahmed, Vineet Kakani and Shremattie Jaman Department of computer science.
Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.

Role Based Access control By Ganesh Godavari. Outline of the talk Motivation Terms and Definitions Current Access Control Mechanism Role Based Access.
Dr. Kalpakis CMSC 461, Database Management Systems Introduction.

Dr. Kalpakis CMSC 461, Database Management Systems Introduction.

Similar presentations

Ads by Google