Post on 29-Dec-2015
Analysis and Detection of Access Violations in Componentised Systems
David Llewellyn-Jones, Madjid Merabti, Qi Shi, Bob Askwith
Advances in Computer Security and Forensics – 13th July 2007
Network & Information Security Technology Laboratory
School of Computing and Mathematical Sciences
Liverpool John Moores University
Byrom Street, Liverpool L3 3AF, UK
Email: {D.Llewellyn-Jones, M.Merabti, Q.Shi, R.Askwith}@ljmu.ac.uk
Web: http://www.cms.livjm.ac.uk/NISTL
Contents
• Introduction
– Access control
– Ubiquitous computing
– Network elevation of privileges
• Composition access control check
– Process
– Implementation
• Experiments and results
• Conclusion
Access Control
• In theory
– A user can access data only if their access level satisfies the access requirements of the data
• In practice
– A user can only access data via a program
[Figure: two diagrams. In theory: User (access level) → Data (access requirement). In practice: User (access level) → Program (access level, access requirement) → Data (access requirement).]
Distributed Access Control
• Taos, local access control
– Centralised access control
• DSS DACS, DSI, CORBASec
– Atomic
– Enforced between pairs of components
• An alternative approach
– Consider the wider composition structure
Ubiquitous Computing
• Networking is wireless and pervasive
• Devices are mobile and plentiful
• Data flows unimpeded
– Easy access to data from anywhere
– Access control remains important
• Data sent across a network may be vulnerable
– Inconsistent access requirements
– Each system individually satisfies its access requirements
– Combined, incorrect access may occur
Network Elevation of Privileges
[Figure: System A contains Alice's file, Alice's program, a file with access by Bob, and Bob's program; System B contains SU's program, a file, and Bob's program. Arrows labelled read, write and send show the data flow between these elements, including data sent from one system to the other.]
Solution Overview
• Analyse possible data flow through a network
– Based on topology and component properties
– Analysis takes place when the topology changes
– Access control requirements are checked
– Composition only allowed if requirements are met
• Need to know
– Connections (data flow) between components
– Data flow within each component
Formalisation
• Each component is defined by 4 data structures
– uR, uW ∈ U: effective user ID for read, write
– dR, dW ∈ D: access requirements of the files read, written by the component
• Access mappings
– fR, fW : U × D → {0, 1}, determine whether read, write access should be granted
• Example: read access control lists
– dR = {Alice, Bob, Fred}, uR = Bob
– fR(uR, dR) = 1 if uR ∈ dR, 0 otherwise
Connections Between Components
• Follow data flow through components
– For example, simple depth first traversal
• Match data access requirements with component access levels
– Maintain dR, dW of the data accessed; compare with uR, uW for each component using fR, fW
[Figure: a network of five connected components, numbered 1 to 5, illustrating the traversal.]
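The following is an added example illustrating the Formalisation and Connections Between Components slides; it is not the MATTS tool or any code from the paper. Each component carries the four structures uR, uW, dR, dW, where D is modelled as access control lists (sets of permitted users) so that fR and fW reduce to membership tests. A depth-first traversal follows connections, accumulates the ACLs of every file read upstream, and checks each component's effective user against them. The component names, the two-component scenario mirroring the elevation-of-privileges slide, and the assumption that data entering a component reaches all its outputs (i.e. no slicing) are constructed for this example.

```python
"""Composition access-control check over component data flow (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

User = str
Acl = FrozenSet[User]   # an element of D: the set of users an ACL grants access to


@dataclass(frozen=True)
class Component:
    name: str
    u_read: User               # uR: effective user ID the component reads as
    u_write: Optional[User]    # uW: effective user ID it writes as (None: writes nothing)
    d_read: Optional[Acl]      # dR: ACL of the file it reads (None: reads no file)
    d_write: Optional[Acl]     # dW: ACL of the file it writes (None: writes no file)


def f_read(u: User, d: Acl) -> int:
    """fR from the slide's ACL example: 1 if uR is in dR, 0 otherwise."""
    return 1 if u in d else 0


def f_write(u: User, d: Acl) -> int:
    """fW, modelled the same way as fR for ACL-style access requirements."""
    return 1 if u in d else 0


Violation = Tuple[str, str, Tuple[str, ...]]   # (component, "read"/"write", ACL)


def check_composition(components: Dict[str, Component],
                      connections: List[Tuple[str, str]]) -> List[Violation]:
    """Depth-first traversal of the data flow; returns every access violation found.

    Assumption (constructed): data entering a component flows to all of its
    outgoing connections, i.e. the slicing step of the paper is not modelled.
    """
    succ: Dict[str, List[str]] = {}
    has_pred = set()
    for src, dst in connections:
        succ.setdefault(src, []).append(dst)
        has_pred.add(dst)
    violations = set()

    def visit(name: str, carried: FrozenSet[Acl], path: FrozenSet[str]) -> None:
        c = components[name]
        if c.d_read is not None:
            carried = carried | {c.d_read}      # this component's own read joins the flow
        for acl in carried:                      # compare uR with every dR carried so far
            if not f_read(c.u_read, acl):
                violations.add((name, "read", tuple(sorted(acl))))
        if c.d_write is not None and (c.u_write is None or not f_write(c.u_write, c.d_write)):
            violations.add((name, "write", tuple(sorted(c.d_write))))
        for nxt in succ.get(name, []):
            if nxt not in path:                  # guard against cycles in the topology
                visit(nxt, carried, path | {nxt})

    roots = [n for n in components if n not in has_pred] or list(components)
    for root in roots:
        visit(root, frozenset(), frozenset({root}))
    return sorted(violations)


ALICE, BOB = "Alice", "Bob"

# Constructed scenario after the elevation-of-privileges slide: Alice's program reads
# Alice's file and sends it to Bob's program on another system, which writes it to a
# file Bob can access. Each step is locally allowed, but the composition is not.
ELEVATION_SCENARIO = {
    "alice_prog": Component("alice_prog", ALICE, None, frozenset({ALICE}), None),
    "bob_prog": Component("bob_prog", BOB, BOB, None, frozenset({BOB})),
}
ELEVATION_CONNECTIONS = [("alice_prog", "bob_prog")]

# Constructed safe composition: the same data only ever reaches Alice's own viewer.
SAFE_SCENARIO = {
    "alice_prog": Component("alice_prog", ALICE, None, frozenset({ALICE}), None),
    "alice_viewer": Component("alice_viewer", ALICE, ALICE, None, frozenset({ALICE})),
}
SAFE_CONNECTIONS = [("alice_prog", "alice_viewer")]

if __name__ == "__main__":
    print("elevation:", check_composition(ELEVATION_SCENARIO, ELEVATION_CONNECTIONS))
    print("safe:", check_composition(SAFE_SCENARIO, SAFE_CONNECTIONS))
```

Run stand-alone, the elevation scenario reports that bob_prog reads data whose ACL is {Alice} under effective user Bob, which is exactly the check each system performs correctly on its own but misses once data crosses the network; the safe scenario reports nothing, so the composition would be allowed.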
Component Slicing
• Data flow within each component
– Use slicing to follow data
– Applied using pre- and post-conditions
Structure Projection
• Follow data flow through components
– Take internal data flow into account
– Use slicing to determine this
• Project the structure
– Project connections onto points
– Join points if pairs of connections coincide
[Figure: the five-component network from the previous slide, projected onto points with coinciding pairs of connections joined.]
Current Implementation
• Use the MATTS component analysis tool
– Based on agent components
– Performs automatic slicing and topology check
– Currently connections must be input manually
Future Implementation
• To exist as a service in the network
– Properties determined using instrumentation
• Recheck whenever the topology changes
– Failure means the composition would be refused
– Success means access control requirements are guaranteed to be fulfilled
– Properties cached to reduce overhead
Timing Results
• Chain of components
– Analysed as a single application
– Analysed using composition analysis
• 600 MHz Intel X-Scale 80321 Processor
Conclusion
• Provides a useful distributed access control checking technique
• Implementation suggests a practical solution
– Intend to implement in a Networked Appliance setting
• Highlights how composition analysis can reduce the impact of state explosion