Security Policies as Membranes in Systems for Global Computing (talk)

(1)

Why What How Conclusion

Security Policies as Membranes

in Systems for Global Computing

Vladimiro Sassone University of Sussex, UK

GC 2004: MyThS/MIKADO/DART Meeting

Venice 15.06.04

(2)

1 Why

2 What

3 How

Barring actions Counting actions Sequencing actions Controlling coalitions

(3)

Why

Most calculi/languages for GC rely oncode mobilityto model interprocesses interactions;

This leads tosecurity concerns(malicious agents can compromise ‘good’ sites through viruses, spammings, denial-of-service attacks, ...);

Thus, code mobility usually equipped withsecurity checks:

1 _{static checks: make the run-time as efficient as possible, but} it may be not adequate in practice;

(4)

Why

Most calculi/languages for GC rely oncode mobilityto model interprocesses interactions;

This leads tosecurity concerns(malicious agents can compromise ‘good’ sites through viruses, spammings, denial-of-service attacks, ...);

Thus, code mobility usually equipped withsecurity checks:

1 _{static checks: make the run-time as efficient as possible, but} it may be not adequate in practice;

(5)

Simple

Systemsare (plain) collections of sites;

Sitesare places for computations, divided in at least two layers:

a computing body

amembrane, to carry on security related issues

membranesregulate the interactions between the computing body and the environment around the site

differently fromBoudol’s andStefani’s: our membranes arenot fully-fledged computing entities. They only implement

(6)

The Objectives

Run an initial investigation intowhat kindof security policies can be implemented through membranes, andhow.

This is related to, and aims at generalizing for the specific application

the security types developed forDπandKLAIM;

the session types byHonda et al;

(7)

What

1 aformal frameworkto formalize processes running in a GC system, whose activities arelocal computationsandmigrations;

2 membranesto implement advanced checks on incoming agents (including notions oftrustandproof-carrying code);

(8)

A Calculus for Migrations

A minimal calculus (Turing not an issue here)

BasicActions a,b,c, ...∈_Act

Localities l,h,k, ...∈_Loc

Agents P,Q,R ::= nil a.P

go_Tl.P P|Q

!P

Systems N ::= 0

l[[M|iP]]

N1kN2

where

l[[M|iP]]is a site with addressl, membraneMand hosting processP;

(9)

A Calculus for Migrations

A minimal calculus (Turing not an issue here)

BasicActions a,b,c, ...∈_Act

Localities l,h,k, ...∈_Loc

Agents P,Q,R ::= nil a.P

go_Tl.P P|Q

!P

Systems N ::= 0

l[[M|iP]]

N1kN2

where

l[[M|iP]]is a site with addressl, membraneMand hosting processP;

(10)

Dynamic Semantics – local

Local behaviours:

l[[M|ia.P|Q]]−→l[[M|iP|Q]]

(11)

Dynamic Semantics – migration

Migration:

k[[M|igo_Tl.P|Q]] k l[[M0|iR]] −→ k[[M|iQ]] k l[[M0|iP|R]]

This reduction may happen only ifP complies with M0_.

But checking whole processes at migration can be very expensive!

(12)

Dynamic Semantics – migration

Migration:

k[[M|igo_Tl.P|Q]] k l[[M0|iR]] −→ k[[M|iQ]] k l[[M0|iP|R]]

This reduction may happen only ifP complies with M0_.

But checking whole processes at migration can be very expensive!

(13)

The matter with certification

When can we consider PCCs?

They areeasy to verify(they are usually very small, if compared to the process they refer to),but

they can bedangerous(if they don’t certify properly the process behaviour)

A compromise:

we can safely consider PCCs of agents coming fromtrusted

(14)

The matter with certification

When can we consider PCCs?

They areeasy to verify(they are usually very small, if compared to the process they refer to),but

they can bedangerous(if they don’t certify properly the process behaviour)

A compromise:

we can safely consider PCCs of agents coming fromtrusted

(15)

Trust

Each site store the trust it has on other sites, as part of itsmembrane.

Thus, a membrane is a couple(Mt,Mp), where

Mt :Loc → {good,bad,unknown};

(16)

The Migration Rule – revised

k[[M|igo_Tl.P|Q]] k l[[M0_|i_R_]]

−→ k[[M|iQ]] k l[[M0_|i_P_|_R_]] _if_M0_`k T P

whereM0_`k T P is

ifM_t0(k) =goodthen(T enforcesM_p0 )else `P:M_p0

and

predicate enforces is a partial order on policies;

(17)

Why What How Conclusion Barring actions Counting actions Sequencing actions Controlling coalitions

Policies as Constraints on Legal Actions

a site only provides some methods (i.e. only some actions can be executed while running in it)

a policyT is a subset of_Act ∪_Loc where

a process can only execute locally actions inT

a process can only migrate on sites inT

T enforcesT0 _{is simply defined as}_T _⊆_T0_;

judgment`is simple. The key rules are

`P:T

`a.P:T a∈T

`P:T0

`go_T0l.P:T

(18)

Policies as Constraints on Legal Actions

`P:T

`a.P:T a∈T

`P:T0

`go_T0l.P:T

(19)

Policies as Constraints on Legal Actions

`P:T

`a.P:T a∈T

`P:T0

`go_T0l.P:T

(20)

Policies as Constraints on Legal Actions (ctd)

a systemNiswell-formed, written`N:ok, if “good” nodes only hosts “good” agents. Formally:

`P:Mp

`l[[M|iP]] :ok l good `l[[M|iP]] :ok l not good

(21)

Policies as Constraints on Legal Actions (ctd)

a systemNiswell-formed, written`N:ok, if “good” nodes only hosts “good” agents. Formally:

`P:Mp

`l[[M|iP]] :ok l good `l[[M|iP]] :ok l not good

(22)

Counting Legal Actions

sometimes, legal actions can be performed only a certain number of times. E.g.:

a fair mail server allows its clients to send mails,but:

it should block spamming activities of malicious clients;thus:

it could allow sending at mostKmails for each login of each client.

Policies aremultisetscontaining elements fromAct ∪Loc;

T enforcesT0 _{is multisets inclusion;}

`adapts straightforwardly from the case of sets:

`P :T

`a.P:T∪ {a}

`P:T0

`go_T0l.P:T∪ {l}

(23)

Counting Legal Actions

sometimes, legal actions can be performed only a certain number of times. E.g.:

a fair mail server allows its clients to send mails,but:

it should block spamming activities of malicious clients;thus:

it could allow sending at mostKmails for each login of each client.

Policies aremultisetscontaining elements fromAct ∪Loc;

T enforcesT0 _{is multisets inclusion;}

`adapts straightforwardly from the case of sets:

`P :T

`a.P:T∪ {a}

`P:T0

`go_T0l.P:T∪ {l}

(24)

Counting Legal Actions (ctd)

This setting enforces athread-wiseproperty. Indeed,

if two different agentsPandQindividually send at mostK mails,

when they both run in the mail server, the agentP|Qcan send more thanK mails (actually, it can send2K mails)

Thus, the well-formedness predicate for good sites is changed as

∀i.(Pi a thread and `Pi :Mp) `l[[M|iP1|. . .|Pn]] :ok

l good

(25)

Sequencing Legal Actions

sometimes, legal actions can be performed only in a certain order. E.g.

before exploiting the functionalities of a mail server, you must have logged in,and

before loggin out, you must have saved the status of the transaction.

This can be easily formalized by(deterministic) finite automata

usr.pwd.(list+send+retr+del+reset)∗.quit

Policies are DFAs;

T enforcesT0 _{is inclusion of DFAs’s languages;}

(26)

Sequencing Legal Actions

sometimes, legal actions can be performed only in a certain order. E.g.

before exploiting the functionalities of a mail server, you must have logged in,and

before loggin out, you must have saved the status of the transaction.

This can be easily formalized by(deterministic) finite automata

usr.pwd.(list+send+retr+del+reset)∗.quit

Policies are DFAs;

T enforcesT0 _{is inclusion of DFAs’s languages;}

(27)

Sequencing Legal Actions (ctd)

As well-known, inclusion of regular languages can be calculated easily, once given the associated DFAs

What about predicate`P:T?

we expect that calculating it is harder than verifying PCCs (i.e. verifying predicate enforces)

But, how harder? Is it decidable?

(28)

Sequencing Legal Actions (ctd2)

an agent can be easily associated to aconcurrent regular expression: regular exprs withshuffle⊗andshuffle closure _.

e.g., agent !(a.b | c.go_Tl.P) can be represented as

((a·b)⊗(c·l))

we are only interested in thelocal behaviourof the agent.

we can derive the language associated to this CRE and check whether it is contained in the language accepted by the policy;

CREs can be represented as Petri nets. Inclusion of a Petri net in a DFA isdecidable, even ifsuper-exponential;

(29)

Sequencing Legal Actions (ctd2)

an agent can be easily associated to aconcurrent regular expression: regular exprs withshuffle⊗andshuffle closure _.

e.g., agent !(a.b | c.go_Tl.P) can be represented as

((a·b)⊗(c·l))

we are only interested in thelocal behaviourof the agent.

we can derive the language associated to this CRE and check whether it is contained in the language accepted by the policy;

CREs can be represented as Petri nets. Inclusion of a Petri net in a DFA isdecidable, even ifsuper-exponential;

(30)

Controlling Coalitions at a Site

policies as multisets and as DFAs can only express thread-oriented properties;

Dealing with the overall behaviour of a site; Two options: When agentPwant to migrate onl, containing agentR

1 _{freeze and retrieve the current content of the site, viz.}_R_;

check whetherP|Rrespects the policy of the site;

reactivateRand, according to the result of the checking

phase, activateP.

2 _{let membranes evolving at run-time: they are decreased}

with the privileges granted toP.

(31)

Controlling Coalitions at a Site

phase, activateP.

(32)

Controlling Coalitions at a Site

phase, activateP.

(33)

Controlling Coalitions at a Site

phase, activateP.

(34)

Controlling Coalitions at a Site (ctd)

A new migration rule:

k[[M|igo_Tl.P|Q]] k l[[M0_|i_R_]]

−→ k[[M|iQ]] k l[[M00_|i_P_|_R_]] _if_M0_`k

T PM00

whereM0_`k

T P M00:

verifies whetherPrespectsM0

p(by examining its PCCT or its

code, according to the trust level in its origin,k);

ifPrespectsM0

p, it decreaseMp0 with the privileges granted toP.

This returnsM00

(35)

Controlling Coalitions at a Site (ctd2)

Well-formed systems are now defined w.r.t. a functionΘassociating each good site to a initial policy.

Θ`l[[M|iP]] :ok

l good

(pol(P)tMp)enforcesΘ(l)

where

pol(P)returns the minimal policy satisfied byP;

tmerges together two policies.

(36)

Conclusions

a formal framework to reason on the role of membranes as security policies

several variations expressing finer and finer policies

to be done:

a richer calculus (including communications, restrictions, ...) more complex policies (not expressible with DFAs)

...

the paper is available at