ABSTRACT
We present an access-control policy specification and verification process that is well-suited to model survivability of information resources under threat of compromise. Our process differs from the traditional policy engineering methodology in many ways. First, we contend that traditional safety-property modeling cannot provide any guarantees when the policy enforcement mechanisms are compromised. Therefore, we extend traditional access control specifications by modeling insecure states and transitions explicitly, to describe possible system behavior after compromise.
Next, we observe that it may not always be possible to recover from an insecure state, and that both compromise and recovery impact the availability of information. Based on these observations, we refine traditional information security properties as liveness assertions and explicitly add recovery actions to our specifications, to guarantee that resources are available to legitimate users infinitely often, in spite of malicious attacks or inadvertent compromise. We explain our process using an example behavioral specification and show how we can define different measures of availability and verify them using standard model-checking techniques within this framework.
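The following is an added example, not code or a model from the paper itself. It builds a small, hypothetical access-control model in which insecure states (the enforcement mechanism is compromised) and a recovery action are explicit, and then model-checks the liveness property "the resource is available infinitely often" (GF available) by exhaustive state exploration: the property fails exactly when some reachable cycle consists only of unavailable states, so the checker looks for such a cycle and reports a lasso counterexample. A second, bounded measure of availability (the worst-case number of consecutive unavailable steps) is computed over the same model. The modes, the assumed bound on detection latency, and the function names are all assumptions made for this illustration.

```python
"""Added example (not from the paper): explicit-state check of the liveness
property "the resource is available infinitely often" over a small
access-control model that includes insecure states and recovery actions."""
from typing import Callable, Dict, List, Optional, Set, Tuple

State = Tuple[str, int]   # (mode, remaining detection latency)
Succ = Callable[[State], Set[State]]


def is_available(s: State) -> bool:
    """A legitimate user gets the resource only while enforcement is intact."""
    return s[0] == "secure"


def model(with_recovery: bool, max_latency: int = 2) -> Tuple[State, Succ]:
    """Hypothetical survivability model (constructed for this example).
    Modes: 'secure' (policy enforced), 'compromised' (attacker controls the
    enforcement mechanism), 'recovering' (trusted recovery in progress).
    The integer is an assumed bound on how many steps intrusion detection
    may take before the recovery action fires."""
    init: State = ("secure", max_latency)

    def succ(s: State) -> Set[State]:
        mode, budget = s
        if mode == "secure":
            return {("secure", max_latency),          # normal service
                    ("compromised", max_latency)}     # attack succeeds
        if mode == "compromised":
            if not with_recovery:
                return {("compromised", budget)}      # no recovery: stuck forever
            if budget > 0:
                return {("compromised", budget - 1)}  # attacker persists, clock ticks
            return {("recovering", max_latency)}      # detection bound hit: recover
        return {("secure", max_latency)}              # recovery restores enforcement
    return init, succ


def reachable(init: State, succ: Succ) -> Set[State]:
    seen, todo = {init}, [init]
    while todo:
        for t in succ(todo.pop()):
            if t not in seen:
                seen.add(t); todo.append(t)
    return seen


def shortest_path(init: State, succ: Succ, target: State) -> List[State]:
    """BFS prefix from the initial state to a reachable `target` (for counterexamples)."""
    parent: Dict[State, Optional[State]] = {init: None}
    queue = [init]
    while queue:
        s = queue.pop(0)
        if s == target:
            break
        for t in sorted(succ(s)):
            if t not in parent:
                parent[t] = s; queue.append(t)
    path: List[State] = []
    cur: Optional[State] = target
    while cur is not None:
        path.append(cur); cur = parent[cur]
    return path[::-1]


def check_available_infinitely_often(init: State, succ: Succ, avail=is_available
                                     ) -> Optional[Tuple[List[State], List[State]]]:
    """Model-check GF avail. Its negation FG not-avail holds iff some reachable
    cycle lies entirely inside the unavailable states, so search for a cycle in
    the unavailable sub-graph. Returns None (property holds) or a lasso
    counterexample (prefix, cycle) with cycle[0] == cycle[-1]."""
    bad = {s for s in reachable(init, succ) if not avail(s)}
    color: Dict[State, int] = {}       # 0 unvisited, 1 on DFS stack, 2 finished
    stack: List[State] = []

    def dfs(s: State) -> Optional[List[State]]:
        color[s] = 1; stack.append(s)
        for t in sorted(succ(s)):
            if t not in bad:
                continue
            if color.get(t, 0) == 0:
                cyc = dfs(t)
                if cyc is not None:
                    return cyc
            elif color[t] == 1:        # back edge closes an all-unavailable cycle
                return stack[stack.index(t):] + [t]
        stack.pop(); color[s] = 2
        return None

    for s in sorted(bad):
        if color.get(s, 0) == 0:
            cyc = dfs(s)
            if cyc is not None:
                return shortest_path(init, succ, cyc[0]), cyc
    return None


def worst_unavailability_window(init: State, succ: Succ, avail=is_available) -> Optional[int]:
    """A stronger, bounded measure: the longest run of consecutive unavailable
    states on any execution; None when unbounded (the liveness check fails)."""
    if check_available_infinitely_often(init, succ, avail) is not None:
        return None
    bad = {s for s in reachable(init, succ) if not avail(s)}
    memo: Dict[State, int] = {}

    def longest(s: State) -> int:      # unavailable sub-graph is acyclic here
        if s not in memo:
            memo[s] = 1 + max((longest(t) for t in succ(s) if t in bad), default=0)
        return memo[s]
    return max((longest(s) for s in bad), default=0)


if __name__ == "__main__":
    for recovery in (False, True):
        init, succ = model(with_recovery=recovery)
        print("recovery" if recovery else "no recovery",
              "| counterexample:", check_available_infinitely_often(init, succ),
              "| worst window:", worst_unavailability_window(init, succ))
```

Without the recovery action the compromised state has a self-loop, so the checker returns the lasso secure → compromised, (compromised)ω and the unavailability window is unbounded; with recovery and the assumed detection bound the liveness property holds and the worst-case window is finite. The bounded detection latency is what makes recovery a guarantee rather than a possibility: drop it, and a fairness assumption on the recovery transition would be needed instead.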
Index Terms
- Modeling insecurity: policy engineering for survivability