New Approaches in Software Security: Composition of Privileges
Dr. Michael Hoche, Martin Kortwinkel
EADS Deutschland GmbH
Michael.Hoche@eads.com, Martin.Kortwinkel@eads.com
SET Congress 2009, Zürich

Outline
  Problem Description
  Existing Solutions and Models
  Formalization / Abstraction
  Conceptual Solution
  Practical Application
  Conclusion
This talk consists of a gentle introduction to the security domain followed by a formal description of the proposed method. The advantages are illustrated by providing some application examples.
Problem Description
  Security is usually a built-in property of software.
  Application integration of heterogeneous access rights management is hard work.
  Usually each integrated component brings its own individual, full-featured and different access rights management.
  There is a strong need to unify them.
  We introduce a new, formally verifiable technique by looking at the well-known concept of authorization.
  We impose a new embedding in a quasi-ordering on rights as a natural result of a stronger notion of composition.

Problem Description: General Subject/Object Access Relation
  [Diagram: a net of objects and subjects linked by "has right" access relations, illustrating the complexity of implicit dependencies in a net of objects.]
Existing Solutions & Models, Part 1
  Discretionary Access Control (DAC): access control only by user identity and the user's rights on the resource
  Mandatory Access Control (MAC): DAC plus additional rules & properties (e.g. label, code word)
  Role Based Access Control (RBAC): fixed role/resource access rights
  Multi-Level Security Systems (MLS): access control by (vertical) access level (e.g. free, restricted, ...)
  Bell-LaPadula Model: MAC combined with security levels
  Biba Model / Low-Watermark Mandatory Access Control: MAC with policies
March 2009, Composition of Rights

Existing Solutions & Models, Part 2
  Policy based access control
  Multi-lateral Security Systems: MLS (vertical) plus code words (horizontal)
  Compartment Model / Lattice Model: combination of security level and categories by policy based access control for information flow
  Chinese Wall (Brewer-Nash Model): access control clusters (e.g. company); access is granted depending on recent accesses into the cluster
  Clark-Wilson Model: access by valid transactions (mainly used by host systems), defines enforcement rules and certification rules
  BMA Model (British Medical Association): combination of the Clark-Wilson Model and the Bell-LaPadula Model; decentralized model, access rights defined by the data owner
Formalization: Restriction on Transitions
  [Diagram: state transitions over objects in the Clark-Wilson Model, constrained by an invariant.]

Formalization: Complete Subject/Object Right Relation
  [Diagram: the MAC model as a complete relation between objects and subjects, each pair labelled with a right.]
Conclusion on Existing Models
  Models are specialized in solving specific problems.
  The complexity grows non-linearly with an increasing number of objects, subjects and access right definitions.
  All models are too simple for heterogeneous multi-lateral systems.
  No model realizes need-to-know access control sufficiently, especially not in multi-lateral systems.
  None of the models is very flexible when access rights have to be reorganized.

Concept: Composition of Privileges, Rules
  Ordering of the set of right definitions.
  Assigning rights to objects to perform an operation, which defines a mapping of objects to ordered rights (1st function).
  Assigning rights to subjects to perform an operation, which defines a mapping of subjects to ordered rights (2nd function).
  Validating the right of a subject to perform an operation by comparing the order of the results of the 1st function and the 2nd function.
Conceptual Solution: Subject/Object Right Relation
  [Diagram: objects and subjects each mapped to an element of the ordered set of rights, whose top element is 1 and bottom element is 0.]

Conceptual Solution: Rights Hierarchy & Ordering
  Objects are mapped into (Rights, ≤); a set of objects is aggregated with max.
  Subjects are mapped into (Rights, ≤); a set of subjects is aggregated with min.
  Permission granted when the aggregated subject right is at least the aggregated object right.
Conceptual Solution: Multilateral Subject/Object Right Management
  [Diagram: Component A and Component B, each with its own objects (a, b in A; b, c in B), subjects (y, z) and rights (0, 1, r1, r2, r3); object b and subjects y and z appear in both components.]

Conceptual Solution: Composition of Rights
  [Diagram: the product ordering of the two component orderings, as pairs (A-right, B-right): (1,1), (1,r3), (1,0), (r1,1), (r2,1), (r1,r3), (r2,r3), (r1,0), (r2,0), (0,1), (0,r3), (0,0).]
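The composed right ordering of the two components, worked through in code. This is an added example, not code from the slides or from EADS. The element names 0, r1, r2, r3 and 1 follow the slides; the cover relations used here (r1 and r2 both between 0 and 1 and incomparable to each other in Component A, a chain 0 < r3 < 1 in Component B) are an assumption that reproduces the twelve composed pairs. Object aggregation is the join (max) and subject aggregation the meet (min) of the product order, and access is granted when the aggregated subject right dominates the aggregated object right.

```python
"""Composition of two heterogeneous right orderings into a product lattice.

Added example (not from the slides). Component A rights {0, r1, r2, 1} and
component B rights {0, r3, 1} follow the composition slides; that r1 and r2
lie between 0 and 1 but are incomparable to each other is an assumption.
"""
from itertools import product


class Poset:
    """Finite partial order defined by its cover (Hasse diagram) edges."""

    def __init__(self, elements, covers):
        self.elements = list(elements)
        # Reflexive-transitive closure of the cover relation (Warshall).
        leq = {(x, x) for x in self.elements} | set(covers)
        for k in self.elements:
            for i in self.elements:
                for j in self.elements:
                    if (i, k) in leq and (k, j) in leq:
                        leq.add((i, j))
        self.leq = leq

    def le(self, a, b):
        return (a, b) in self.leq

    def join(self, a, b):
        """Least upper bound: the 'max' used for object aggregation."""
        upper = [x for x in self.elements if self.le(a, x) and self.le(b, x)]
        least = [x for x in upper if all(self.le(x, y) for y in upper)]
        if len(least) != 1:
            raise ValueError(f"no unique join for {a}, {b}: not a lattice")
        return least[0]

    def meet(self, a, b):
        """Greatest lower bound: the 'min' used for subject aggregation."""
        lower = [x for x in self.elements if self.le(x, a) and self.le(x, b)]
        greatest = [x for x in lower if all(self.le(y, x) for y in lower)]
        if len(greatest) != 1:
            raise ValueError(f"no unique meet for {a}, {b}: not a lattice")
        return greatest[0]


class ProductOrder:
    """Component-wise composition of several right orderings."""

    def __init__(self, *components):
        self.components = components
        self.elements = list(product(*(c.elements for c in components)))

    def le(self, v, w):
        return all(c.le(a, b) for c, a, b in zip(self.components, v, w))

    def join(self, v, w):
        return tuple(c.join(a, b) for c, a, b in zip(self.components, v, w))

    def meet(self, v, w):
        return tuple(c.meet(a, b) for c, a, b in zip(self.components, v, w))


# Component A: 0 < r1 < 1 and 0 < r2 < 1, r1 and r2 incomparable (assumed).
COMPONENT_A = Poset(["0", "r1", "r2", "1"],
                    [("0", "r1"), ("0", "r2"), ("r1", "1"), ("r2", "1")])
# Component B: a chain 0 < r3 < 1 (assumed).
COMPONENT_B = Poset(["0", "r3", "1"], [("0", "r3"), ("r3", "1")])
COMPOSED = ProductOrder(COMPONENT_A, COMPONENT_B)


def required_right(object_rights):
    """Hom_O over a set of objects: the join (max) of their composed rights."""
    acc = object_rights[0]
    for r in object_rights[1:]:
        acc = COMPOSED.join(acc, r)
    return acc


def granted_right(subject_rights):
    """Hom_S over a set of subjects: the meet (min) of their composed rights."""
    acc = subject_rights[0]
    for r in subject_rights[1:]:
        acc = COMPOSED.meet(acc, r)
    return acc


def access_allowed(subject_rights, object_rights):
    """Permission is granted when the aggregated subject right dominates
    the aggregated object right in the product order."""
    return COMPOSED.le(required_right(object_rights),
                       granted_right(subject_rights))


if __name__ == "__main__":
    print(len(COMPOSED.elements), "composed rights")  # 12, as on the slide
    print(access_allowed([("1", "r3")], [("r1", "0"), ("0", "r3")]))  # True
    print(access_allowed([("r1", "1")], [("r2", "0")]))  # False: r1, r2 incomparable
```

Neither component has to know the other's right names: the product order compares each coordinate with its own component's ordering, which is what lets the heterogeneous definitions stay unharmonized. The second call in the usage shows the need-to-know effect of incomparable rights: holding r1 in Component A grants nothing over an object that requires r2.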
Conceptual Solution: Composition of Credentials
  [Diagram: the composed right ordering from the previous slide with objects a, b, c and subjects y, z placed on their composed right pairs.]

Practical Application: Right Vectors
  Right vectors (labels) are sets of right definitions with specific semantics.
  Definition (what should define a right vector):
    Mapping of different aspects which define information access.
    Each aspect should be independent of the others.
    For each aspect there is an ordering of rights.
    Each aspect forms its own semantic context for information access.
  Example of a right vector:
    Level of security (free, restricted, confidential, secret, top secret)
    Geo-localization
    Time range
    Role
    Extendible
Right Vector Example: Confidentiality & Time Range
  Function: higher confidential
  Function: time interval within

Right Vector Example: Geo-localization
  Function: is completely contained in
  [Diagram: containment hierarchy of regions from "No Region" up to "World", with nodes Frauenfeld, Thurgau, Swiss, Paris, France, Corsica, Corsica & Mediterranean Sea, Mediterranean Sea, Atlantic Ocean, Sea, Congo, Africa, New York, America, Melbourne, Australia, Oceania, Antarctic, Arctic, Europe, Asia, World.]
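The right vector definition and the two right vector example slides above, as an added example that is not code from the slides or from EADS. Each aspect gets its own ordering function (higher confidential, time interval within, is completely contained in) and the vector compares component-wise. It assumes that a subject's credential carries, per aspect, the widest value the subject may use and that an object's label carries the value it requires; the region containment tree and the sample credential and label are constructed here and are not the slide's exact tree.

```python
"""Right vectors: one ordering function per aspect, combined component-wise.

Added example, not from the slides. The aspects and their ordering functions
follow the right-vector examples (higher confidential, time interval within,
is completely contained in); the region containment tree and the sample
credential and label are constructed for this example.
"""
from datetime import date

# Aspect 1: security level, ordered by "higher confidential".
LEVELS = ["free", "restricted", "confidential", "secret", "top secret"]


def level_within(obj_level, subj_level):
    """The object's level is dominated by the subject's clearance."""
    return LEVELS.index(obj_level) <= LEVELS.index(subj_level)


# Aspect 2: time range, ordered by "time interval within".
def interval_within(obj_range, subj_range):
    """The object's (start, end) lies inside the subject's (start, end)."""
    (o_start, o_end), (s_start, s_end) = obj_range, subj_range
    return s_start <= o_start and o_end <= s_end


# Aspect 3: geo-localization, ordered by "is completely contained in".
# Constructed containment tree (child -> parent); not the slide's exact tree.
REGION_PARENT = {
    "Frauenfeld": "Thurgau", "Thurgau": "Swiss", "Swiss": "Europe",
    "Paris": "France", "Corsica": "France", "France": "Europe",
    "Congo": "Africa", "New York": "America", "Melbourne": "Australia",
    "Mediterranean Sea": "Sea", "Atlantic Ocean": "Sea",
    "Europe": "World", "Asia": "World", "Africa": "World",
    "America": "World", "Australia": "World", "Sea": "World",
    "World": None,
}


def region_within(obj_region, subj_region):
    """Walk up from the object's region; contained iff we reach the subject's."""
    node = obj_region
    while node is not None:
        if node == subj_region:
            return True
        node = REGION_PARENT.get(node)  # unknown region: no parent, not contained
    return False


# The right vector: aspects are independent, each with its own ordering.
# Extending the vector (e.g. with a role aspect) means adding one entry here.
ASPECTS = {
    "level": level_within,
    "time": interval_within,
    "geo": region_within,
}


def check_access(subject_vector, object_vector):
    """Return (allowed, failed_aspects).

    Access is allowed only when the object's label is dominated by the
    subject's credential in every aspect; the failing aspects are returned
    so that a denial can be logged with its reason."""
    failed = [name for name, within in ASPECTS.items()
              if not within(object_vector[name], subject_vector[name])]
    return (not failed, failed)


# Constructed sample credential and label.
ANALYST = {"level": "secret",
           "time": (date(2009, 1, 1), date(2009, 12, 31)),
           "geo": "Europe"}
REPORT = {"level": "confidential",
          "time": (date(2009, 3, 1), date(2009, 3, 31)),
          "geo": "Frauenfeld"}


if __name__ == "__main__":
    print(check_access(ANALYST, REPORT))                        # (True, [])
    print(check_access(ANALYST, {**REPORT, "geo": "Congo"}))    # (False, ['geo'])
```

Because every aspect is decided by its own function, the same comparison loop serves a new aspect without touching the others, and a domain can keep its own semantics for an aspect as long as it supplies the ordering function.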
ESB Implementation
  For each object type (e.g. services, data within a specific DB) access right aspects can be defined which are shared within a domain.
  Result: definition of right vectors.
  For each element of the vector there is a function which calculates the ordering of the values and can add new elements.
  Heterogeneous domains can compose their right vectors.

Conclusion: Advantages of the Ordered Rights Method
  On-the-fly, dynamic evaluation of access rights at run time.
  Right definitions are always consistent.
  The semantics of interpretation is definable by the application (no domain-specific semantics).
  Can be used to decide access by context (need-to-know).
  Compatible with the integration of ontologies.
  Heterogeneous right definitions of foreign systems do not have to be harmonized; they are combinable.
  Works for aggregated sets of subjects and objects, too: Hom_S(s), Hom_O(o).
  The construction creates a partial or complete Boolean algebra or lattice which can be efficiently and compactly presented and implemented.
  The right ordering method can be embedded into each of the existing access right systems and models.
  Existing standards and components like SAML, LDAP and PEP can be used.