EFFICIENT ALGORITHMIC SAFETY ANALYSIS OF HRU SECURITY MODELS

Anja Fischer, Winfried Kühnhauser

Abstract

In order to achieve a high degree of security, IT systems with sophisticated security requirements increasingly apply security models for specifying, analyzing and implementing their security policies. While this approach achieves considerable improvements in effectiveness and correctness of a system’s security properties, model specification, analysis and implementation are yet quite complex and expensive. This paper focuses on the efficient algorithmic safety analysis of HRU security models. We present the theory and practical application of a method that decomposes a model into smaller and autonomous sub-models that are more efficient to analyze. A recombination of the results then allows to infer safety properties of the original model. A security model for a real-world enterprise resource planning system demonstrates the approach.

References

  1. Ammann, P. E. and Sandhu, R. S. (1991). Safety Analysis for the Extended Schematic Protection Model. In Proc. IEEE Symposium on Security and Privacy. IEEE Press.
  2. Bell, D. E. and LaPadula, L. J. (1973). Secure Computer Systems: Mathematical Foundations (Vol.I). Technical Report AD 770 768, MITRE.
  3. Brewer, D. F. and Nash, M. J. (1989). The Chinese Wall Security Policy. In Proc. IEEE Symposium on Security and Privacy. IEEE Press.
  4. Bryce, C., Kühnhauser, W. E., Amouroux, R., and Lopéz, M. (1997). CWASAR: A European Infrastructure for Secure Electronic Commerce. Journal of Computer Security, IOS Press.
  5. Common3.1 (2009). Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3.
  6. Crampton, J. and Khambhammettu, H. (2008). Delegation in Role-based Access Control. Int. Journal of Information Security.
  7. Denning, D. E. (1976). A Lattice Model of Secure Information Flow. Communications of the ACM.
  8. Efstathopoulos, P. and Kohler, E. (2008). Manageable FineGrained Information Flow. In Proc. 2008 EuroSys Conference. ACM SIGOPS.
  9. Goguen, J. and Meseguer, J. (1982). Security Policies and Security Models. In Proc. IEEE Symposium on Security and Privacy. IEEE.
  10. Halfmann, U. and Kühnhauser, W. E. (1999). Embedding Security Policies Into a Distributed Computing Environment. Operating Systems Review.
  11. Harrison, M. A. and Ruzzo, W. L. (1978). Monotonic Protection Systems. In DeMillo, R., Dobkin, D., Jones, A., and Lipton, R., editors, Foundations of Secure Computation. Academic Press.
  12. Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. (1975). On Protection in Operating Systems. Operating Systems Review, 5th Symposium on Operating Systems Principles.
  13. Harrison, M. A., Ruzzo, W. L., and Ullman, J. D. (1976). Protection in Operating Systems. Communications of the ACM.
  14. Kleiner, E. and Newcomb, T. (2006). Using CSP to Decide Safety Problems for Access Control Policies. Technical Report RR-06-04, Oxford University Computing Laboratory.
  15. Kleiner, E. and Newcomb, T. (2007). On the Decidability of the Safety Problem for Access Control Policies. Electronic Notes in Theoretical Computer Science (ENTCS).
  16. Krohn, K. and Rhodes, J. (1965). Algebraic Theory of Machines. I. Prime Decomposition Theorem for Finite Semigroups and Machines. Transactions of the American Mathematical Society.
  17. Li, N., Mitchell, J. C., and Winsborough, W. H. (2005). Beyond Proof-of-compliance: Security Analysis in Trust Management. JACM.
  18. Lipton, R. and Snyder, L. (1978). On Synchronization and Security. In DeMillo, R., Dobkin, D., Jones, A., and Lipton, R., editors, Foundations of Secure Computation. Academic Press.
  19. Loscocco, P. A. and Smalley, S. D. (2001). Integrating Flexible Support for Security Policies into the Linux Operating System. In Cole, C., editor, Proc. 2001 USENIX Ann. Techn. Conference.
  20. Pittelli, P. A. (1988). The Bell-LaPadula Computer Security Model Represented as a Special Case of the HarrisonRuzzo-Ullman Model. In Proc. National Computer Security Conference. NBS/NCSC.
  21. Sandhu, R. S. (1992). The Typed Access Matrix Model. In Proc. IEEE Symposium on Security and Privacy. IEEE.
  22. Sandhu, R. S., Coyne, E. J., Feinstein, H. L., and Youman, C. E. (1996). Role-Based Access Control Models. IEEE Computer.
  23. SAP AG (2009). SAP History. http://www.sap.com/.
  24. Vimercati, S. D. C. d., Samarati, P., and Jajodia, S. (2005). Policies, Models, and Languages for Access Control. In 4th Int. Workshop on Databases in Networkes Information Systems, Volume 3433/2005 of LNCS. Springer.
Download


Paper Citation


in Harvard Style

Fischer A. and Kühnhauser W. (2010). EFFICIENT ALGORITHMIC SAFETY ANALYSIS OF HRU SECURITY MODELS . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010) ISBN 978-989-8425-18-8, pages 49-58. DOI: 10.5220/0002986600490058


in Bibtex Style

@conference{secrypt10,
author={Anja Fischer and Winfried Kühnhauser},
title={EFFICIENT ALGORITHMIC SAFETY ANALYSIS OF HRU SECURITY MODELS},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)},
year={2010},
pages={49-58},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002986600490058},
isbn={978-989-8425-18-8},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010)
TI - EFFICIENT ALGORITHMIC SAFETY ANALYSIS OF HRU SECURITY MODELS
SN - 978-989-8425-18-8
AU - Fischer A.
AU - Kühnhauser W.
PY - 2010
SP - 49
EP - 58
DO - 10.5220/0002986600490058