Presentation is loading. Please wait.

Presentation is loading. Please wait.

Beyond Proof-of-compliance: Security Analysis in Trust Management

Published byКоста Стојковић Modified over 5 years ago

Similar presentations

Presentation on theme: "Beyond Proof-of-compliance: Security Analysis in Trust Management"— Presentation transcript:

1 Beyond Proof-of-compliance: Security Analysis in Trust Management
Author: Ninghui Li John C.Mitchell William H. Winsborough Published: Proceedings of 2003 IEEE Symposium on Security and Privacy Presenter: Dongyi Li

2 Trust Management A form of distributed access control that allows one principal to delegate some access decisions to other principals.

3 Simple Inclusion Complete trust delegation
Alice.authenticatedCash  CityBank.authenticatedCash {Cash authenticated by Alice} ⊒ {Cash authenticated by CityBank}

4 Simple Inclusion Complete trust delegation
Texas.Driver  China.Driver

5 Intersection Inclusion Partial trust delegation
Walmart.qualifiedAlcoholCustomer  (SSA.Adult)∩(CityBank.Accountnumber)

6 Linking Inclusion Linking trust delegation
Alice.friend  Alice.husband.friend.wife

7 Linking Inclusion TexasTransportation.ticketfree
UTsystem.University.student

8 Threshold Group trust delegation
In this paper, we cannot represent this kind of delegation by RT language.

9 Threshold Group trust delegation

10 Delegation Simple Inclusion Intersection Inclusion Linking Inclusion
Threshold

11 Simple Member without any delegation
UTSA.student  Bob

12 Simple Member without any delegation.
Rachael.trustworthy  Joey Rachael.trustworthy  Monica

13 Trust Management Simple Member Delegation Simple Inclusion
Intersection Inclusion Linking Inclusion Threshold

14 Delegation Advantages
Greatly enhances flexibility and scalability in distributed systems.

15 Glossary Principal: This paper uses A,B,C,D,E,F,X,Y and Z some time with subscript, to denote principals. I use real names such as Alice and Carrie in my presentation. Role Name: A word over some given standard alphabet, this paper use r, u and w, sometime with subscripts, to denote role names, I use some more comprehensive word.

16 Glossary Role: Takes the form of a principal followed by a role name, separated by a dot; For example: Rachael.friends. Rachael.friends means Rachael has the authority to designate the members of Rachael.friends.

17 Glossary Policy, Policy Statement: Describes memberships and delegations, P; State, State of the TM: The union of all policies of all principals, p; p ↦ p': the state p is changed to p'. p ⊢Q: Given a state p and a Query Q, the relation means that Q is true in p, or Q is allowed in p.

18 Problem in Delegation Delegation reduces the control that a principal has over the resources it owns.

19 Alice.guest Bob

20 Alice.guest Bob.date Bob.date Charlie

21 However… How could you bring her to my party!

22 Alice.guest Bob Alice.guest Bob.date Bob.date Charlie So, Alice.guest  Charlie Alice.guest = {Bob,Charlie}

23 P ↦ P’ {Alice.guest  Bob} ↦ {Alice.guest  Bob;
Alice.guest  Bob.date; Bob.date  Charlie} {Bob} ↦ {Bob,Charlie}

24 Problem origin Problem happens when we add or delete some policies, such as we add Alice.guest  Bob. date; Bob. date Charlie Things may be more and more out of control if Bob delegate more to others.

25 Security Analysis Bob has to be invited.
Charlie should not be invited.

26 Security Analysis Existential Simple Safety, Existential Membership:
Liveness, Existential Boundedness Universal Simple Availability, Universal Membership Bounded Safety, Universal Boundedness Mutual Exclusion, Universal Containment, Universal

27 Existential Membership Simple Safety
Does there exist a state in which a specific principal has access to a given resource? Is Alice.guest  Charlie possible? p ↦ p' ↦ p'' ↦ p''' ↦ p'''' ↦ p''''' ↦ p'''''' … TM is safe when the answer is no.

28 Existential Boundedness Liveness
Is it possible that a set of all principals that have access to a given resource bounded by a given set of principals. Is {Bob} ⊒ Alice.guest possible? p ↦ p' ↦ p'' ↦ p''' ↦ p'''' ↦ p''''' ↦ p'''''' … Alice.invited Alice.guest∩Alice.dislike Is { } ⊒ Alice.invited possible?

29 Universal Membership Simple Availability
In every state, does a specific principal have access to a given resource. Is Alice.guest  Bob necessary? p ↦ p' ↦ p'' ↦ p''' ↦ p'''' ↦ p''''' ↦ p'''''' …

30 Universal Boundedness Bounded Safety
In every state, is the set of all principals that have access to a given resource bounded by a given set of principals. Is {Bob} ⊒ Alice.guest necessary? p ↦ p' ↦ p'' ↦ p''' ↦ p'''' ↦ p''''' ↦ p'''''' …

31 Universal Mutual Exclusion
In every state, are two given properties mutually exclusive. p ↦ p' ↦ p'' ↦ p''' ↦ p'''' ↦ p''''' ↦ p'''''' …

32 Universal Inclusion Containment
In every state, does every principal that has one property also have another property. Is {Alice’s guest} ⊒ {Bob’s date} necessary? Alice.guest Bob.date p ↦ p' ↦ p'' ↦ p''' ↦ p'''' ↦ p''''' ↦ p'''''' …

33 HRU Model Harrison-Ruzzo-Ullman Model Access Matrix
‘The safety problem for protection systems under this model is to determine in a given situation whether a subject can acquire a particular right to an object.’ Simple Safety is undecidable

34 Restrictions ‘…to our knowledge, no prior work investigates security analysis for trust management systems in the sense of verifying security properties that consider state changes in which restrictions are placed on allowed changes. ’

35 ‘ Some of previous studies only considering queries in a fixed state’
‘Some consider universal analysis where no restriction is placed on how the state may grow’

36 Restrictions Growth-restricted: no policy defining these roles can be added Shrink-restricted: policy defining these roles cannot be removed. p ↦R p' ↦R p'' ↦R p''' ↦R p'''' ↦R p''''' …

37 Trusted Principals We call those who make the agreement on some restrictions and would like to report their changes on policies as Trusted Principals. So what security questions can we answer even if we cannot monitor those who are un-trusted and can add or delete policies arbitrarily.

38 Lower Bound Imagine …

39 Lower Bound The only policies remaining are in the R-restricted set.
Universal Membership, we are able to know who will always be in the member list. Existential Boundedness, if the answer is ‘no’ in the case of Lower Bound, then the answer is ‘no’ forever.

40 Upper Bound Suppose …

41 Upper Bound G-unbounded: Definite: g-unrestricted roles (un-trusted)
Possible: g-restricted roles (trusted) Alice.guest  Bob.date; Bob.date Charlie

42 Upper Bound Existential Membership
Is it possible that the authorization leaked to some ‘bad guy’? Universal Boundedness Can we always constrain the authorization to a certain group?

43 How to compute upper Bound
We can consider one principal that does not occur in p to determine whether a role is g-unbounded. To decide whether A.r is g-unbounded Step 1: we add E to principal(p) Step 2: check whether there exists a reachable state p' such that A.r E

44 Security Analysis Existential Simple Safety, Existential Membership:
Liveness, Existential Boundedness Universal Simple Availability, Universal Membership Bounded Safety, Universal Boundedness Mutual Exclusion, Universal Containment, Universal

45 Future Work Containment Analysis
Making restrictions according to current policy state.

46 Thank you!

Download ppt "Beyond Proof-of-compliance: Security Analysis in Trust Management"

Similar presentations

ROWLBAC – Representing Role Based Access Control in OWL

ROWLBAC – Representing Role Based Access Control in OWL
The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.

The Role of Trust Management in Distributed Systems Authors Matt Blaze, John Feigenbaum, John Ioannidis, Angelos D. Keromytis Presented By Akshay Gupte.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Rule based Trust management using RT - second lecture Sandro Etalle thanks to Ninghui Li - Purdue William H. Winsborough – University of Texas S. Antonio.

Rule based Trust management using RT - second lecture Sandro Etalle thanks to Ninghui Li - Purdue William H. Winsborough – University of Texas S. Antonio.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
8.2 Discretionary Access Control Models Weiling Li.

8.2 Discretionary Access Control Models Weiling Li.
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
1 8. Safe Query Languages Safe program – its semantics can be at least partially computed on any valid database input. Safety is tied to program verification,

1 8. Safe Query Languages Safe program – its semantics can be at least partially computed on any valid database input. Safety is tied to program verification,
Chapter 7  Computer Security 1 Overview  Important components of computer security: o User authentication – determine the identity of an individual accessing.

Chapter 7  Computer Security 1 Overview  Important components of computer security: o User authentication – determine the identity of an individual accessing.
Trust Management II Anupam Datta Fall 2007-08 18739A: Foundations of Security and Privacy.

Trust Management II Anupam Datta Fall A: Foundations of Security and Privacy.
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
Verifiable Security Goals

Verifiable Security Goals
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
An Introduction to Decentralized Trust Management Sandro Etalle University of Twente thanks to William H. Winsborough – University of Texas S. Antonio.

An Introduction to Decentralized Trust Management Sandro Etalle University of Twente thanks to William H. Winsborough – University of Texas S. Antonio.
Copyright © Cengage Learning. All rights reserved.

Copyright © Cengage Learning. All rights reserved.
Chapter 7 Indexing Objectives: To get familiar with: Indexing

Chapter 7 Indexing Objectives: To get familiar with: Indexing
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

Similar presentations

Ads by Google