Abstract
We investigate security enforcement mechanisms that run in parallel with a system; the aim is to check and modify the run-time behaviour of a possible attacker in order to guarantee that the system satisfies some security policies. We focus on a CSP-like quantitative process-algebra to model such processes. Weights on actions are modelled with semirings, which represent a parametric structure where to cast different metrics. The basic tools are represented by a quantitative logic and a model checking function. First, the behaviour of the system is removed from the parallel computation with respect to some security property to be satisfied. Secondly, what remains is refined in two formulas with respect to the given operator executed by a controller. The result describes what a controller has to do to prevent a given attack.
The author is supported by MIUR PRIN 2010XSEMLC “Security Horizons”.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Freytag, Gustav. Die Technik des Dramas. Hirzel, 1872.
- 2.
The interested reader can find the formal semantics of GPA processes defined in [9].
- 3.
We can think of further operators between formulas, e.g., \(\{=, \ge , \approx _\epsilon \}\).
- 4.
First described by Stephen Karpman, M.D., in his 1968 article “Fairy Tales and Script Drama Analysis”.
References
Andersen, H.R.: Partial model checking. In: LICS 1995, p. 398. IEEE Computer Society (1995)
Bartoletti, M., Degano, P., Ferrari, G.L., Zunino, R.: Model checking usage policies. Math. Struct. Comput. Sci. 25(3), 710–763 (2015)
Klaedtke, F., Zălinescu, E., Jugé, V., Basin, D.: Enforceable security policies revisited. In: Degano, P., Guttman, J.D. (eds.) Principles of Security and Trust. LNCS, vol. 7215, pp. 309–328. Springer, Heidelberg (2012)
Bauer, L., Ligatti, J., Walker, D.: Edit automata: enforcement mechanisms for run-time security policies. Int. J. Inf. Secur. 4(1–2), 2–16 (2005)
Bielova, N., Massacci, F.: Predictability of enforcement. In: Erlingsson, Ú., Zannone, N., Wieringa, R. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 73–86. Springer, Heidelberg (2011)
Bistarelli, S., Montanari, U., Rossi, F.: Semiring-based constraint satisfaction and optimization. J. ACM 44(2), 201–236 (1997)
Bodei, C., Curti, M., Degano, P., Priami, C.: A quantitative study of two attacks. Electr. Notes Theor. Comput. Sci. 121, 65–85 (2005)
McQueen, M., Boyer, W.: Ideal based cyber security technical metrics for control systems. In: Hämmerli, B.M., Lopez, J. (eds.) CRITIS 2007. LNCS, vol. 5141, pp. 246–260. Springer, Heidelberg (2008)
Buchholz, P., Kemper, P.: Quantifying the dynamic behavior of process algebras. In: Gilmore, S., de Luca, L. (eds.) PROBMIV 2001, PAPM-PROBMIV 2001, and PAPM 2001. LNCS, vol. 2165, p. 184. Springer, Heidelberg (2001)
Caravagna, G., Costa, G., Pardini, G.: Lazy security controllers. In: Samarati, P., Petrocchi, M., Jøsang, A. (eds.) STM 2012. LNCS, vol. 7783, pp. 33–48. Springer, Heidelberg (2013)
Cheng, P.C., Rohatgi, P., Keser, C., Karger, P.A., Wagner, G.M., Reninger, A.S.: Fuzzy multi-level security: an experiment on quantified risk-adaptive access control. In: Proceedings of the 2007 IEEE S&P, pp. 222–230. IEEE Computer Society (2007)
Ciancia, V., Martinelli, F., Ilaria, M., Morisset, C.: Quantitative evaluation of enforcement strategies (position paper). In: Danger, J.-L., Debbabi, M., Marion, J.-Y., Garcia-Alfaro, J., Heywood, N.Z. (eds.) FPS 2013. LNCS, vol. 8352, pp. 178–186. Springer, Heidelberg (2014)
Degano, P., Mezzetti, G., Ferrari, G.-L.: On quantitative security policies. In: Malyshkin, V. (ed.) PaCT 2011. LNCS, vol. 6873, pp. 23–39. Springer, Heidelberg (2011)
Drábik, P., Martinelli, F., Morisset, C.: Cost-aware runtime enforcement of security policies. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds.) STM 2012. LNCS, vol. 7783, pp. 1–16. Springer, Heidelberg (2013)
Drábik, P., Martinelli, F., Morisset, C.: A quantitative approach for inexact enforcement of security policies. In: Freiling, F.C., Gollmann, D. (eds.) ISC 2012. LNCS, vol. 7483, pp. 306–321. Springer, Heidelberg (2012)
Easwaran, A., Kannan, S., Lee, I.: Optimal control of software ensuring safety and functionality. Tech. Rep. MS-CIS-05-20, University of Pennsylvania (2005)
Gay, R., Mantel, H., Sprick, B.: Service automata. In: Barthe, G., Datta, A., Etalle, S. (eds.) FAST 2011. LNCS, vol. 7140, pp. 148–163. Springer, Heidelberg (2012)
Khoury, R., Tawbi, N.: Which security policies are enforceable by runtime monitors? a survey. Computer Science Review 6(1), 27–45 (2012)
Köpf, B., Malacaria, P., Palamidessi, C.: Quantitative security analysis (Dagstuhl seminar 12481). Dagstuhl Reports 2(11), 135–154 (2013)
Larsen, K.G., Xinxin, L.: Compositionality through an operational semantics of contexts. J. Logic Comput. 1(6), 761–795 (1991)
Lluch-Lafuente, A., Montanari, U.: Quantitative mu-calculus and CTL defined over constraint semirings. TCS 346(1), 135–160 (2005)
Martinelli, F.: Analysis of security protocols as open systems. TCS 290(1), 1057–1106 (2003)
Martinelli, F., Matteucci, I.: Through modeling to synthesis of security automata. ENTCS 179, 31–46 (2007)
Martinelli, F., Matteucci, I., Morisset, C.: From qualitative to quantitative enforcement of security policy. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 22–35. Springer, Heidelberg (2012)
Martinelli, F., Matteucci, I., Santini, F.: Quantitative security on distributed systems. In: EPTCS (ed.) Proceedings of the 13th International Workshop on Quantitative Aspects of Programming Languages and Systems (QAPL 2015) (2015) (accepted for publication)
Martinelli, F., Matteucci, I.: Partial model checking, process algebra operators and satisfiability procedures for (automatically) enforcing security properties. Tech. rep, IIT-CNR (2005)
Martinelli, F., Morisset, C.: Quantitative access control with partially-observable markov decision processes. In: Proceedings of CODASPY 2012, pp. 169–180. ACM (2012)
Molloy, I., Dickens, L., Morisset, C., Cheng, P.C., Lobo, J., Russo, A.: Risk-based security decisions under uncertainty. In: Proceedings of the second ACM Conference on Data and Application Security and Privacy, CODASPY 2012, pp. 157–168. ACM (2012)
Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)
Zhang, L., Brodsky, A., Jajodia, S.: Toward Information Sharing: Benefit And Risk Access Control (BARAC). In: Proceedings of POLICY 2006, pp. 45–53 (2006)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Martinelli, F., Matteucci, I., Santini, F. (2015). There are Two Sides to Every Question. In: Bodei, C., Ferrari, G., Priami, C. (eds) Programming Languages with Applications to Biology and Security. Lecture Notes in Computer Science(), vol 9465. Springer, Cham. https://doi.org/10.1007/978-3-319-25527-9_20
Download citation
DOI: https://doi.org/10.1007/978-3-319-25527-9_20
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25526-2
Online ISBN: 978-3-319-25527-9
eBook Packages: Computer ScienceComputer Science (R0)