Formal Semantics for Programmable Access Control (PART A)
by Ioanna Dionysiou

Outline
  System Security (brief definition)
  MOOSE project
  Meta Object Model (MOM) components and functionality
  MOM Authorization Model
  Denotational Semantics for MOM Authorization Model
  Results and Conclusions

System Security (brief definition)
“Protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources”
  - National Institute of Standards and Technology
“You know you have one when the crash of a computer you’ve never heard of stops you from getting any work done”
  - CPTS 564 Notes (very interesting definition)
MOOSE project
Software components in distributed systems are typically heterogeneous (different languages and systems)
Authorization policies are fixed to specific systems
No flexibility to encompass other models

Global Enforcement of Confidentiality and Authorization for Heterogeneous Distributed Systems
  Common Object Request Broker Architecture (CORBA)
  Object Linking and Embedding / Common Object Model (OLE/COM)

Global Enforcement of Confidentiality and Authorization for Heterogeneous Distributed Systems, Cont.
Secure interoperability is prevented by semantic diversity and complexity at the policy and model level
Is there a solution?
Introduce new syntax for security policy expressions
Common architecture that embeds programmable security constructs at a fundamental level
Primitive security mechanisms tied to syntax within a common model for object systems
Mathematical techniques for specifying and verifying system properties:
  ROC - formalism for concurrently executing objects
  Distributed system verification
  HOL - logic for reasoning and verification
Message Handler
Component   Type    Misc.
Msghan1     Msg_H   . . .
Objreg1     OR      . . .

Object Access Control List
Component            Privilege   Key (ticket)
Method_Interface_1   Key         a
Method_Interface_1   Lock        a
Method_Interface_1   All         q
Method_Interface_2   Key         q
Method_1             Lock        a
Method_2             Key         b
Message Handler
Main function: constrain the set of messages that objects receive from their environment
On receipt of a message from a message handler, either:
  Accept it as a local request (that’s not authorization!!)
  Delegate it to an adjacent domain

Object Registry
Main function: bookkeeping information associated with each object component
  Local identifier of the object component
How can the object registry be used?
Object Registry for root
Component   Type   Misc
Incoming message contains an invocation request for a method responsible for creating an object named o2. Deny or accept?

Meta Data Table
Main function: contains the templates needed to define meta object instances
Object o2 can create instances containing subobjects X and Y and methods M1 and M2.

Initial Authorization State of o3
Suppose o3 is a new instance of o2. How can the meta data table for o2 be used? And why?
Arbiter
Accepts method invocations
Manages synchronization constraints on methods
Establishes communication channels between the method body and its environment
Method Body
Performs the actual work - only communicates with the arbiter

Object Access Control List
Main function: defines the local authorization state for the MOM objects
Privilege is KEY or LOCK or recursive
Entry: < Component, Privilege, Token >
Component   Privilege   Ticket
Method_1    Lock        a
Method_2    Key         b
Method_1 has a Lock privilege associated with ticket a.

Message Filtering
Invoke Method_1 using ticket a
Check OACL if Method_2 holds ticket a
No entry found: the message is filtered
Object hierarchy
An object can intervene and deny access

Refined Authorization Model Semantics
Can A access C?
Can A access D?
Can A access m?
Invoke method m in D
PARENT predicate
REMOVE command

Refined Authorization Model
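As an added example (not code from the slides or from the MOOSE project), the following Python models the OACL entries and the Key/Lock message filtering of the Method_1/Method_2 slide, and then the object-hierarchy check with a PARENT predicate and a REMOVE command from the last slides. Everything beyond the slide's own triples is an assumption: that a Lock on a target is opened by a Key (or All) entry of the caller carrying the same token, that a missing Lock means deny, that an invocation must pass the filter of every object on the path from the root down to the target so that any of them can intervene, the shape of REMOVE, and the constructed objects root, A, C, D, method m and tokens t1..t3.

```python
from typing import Dict, List, Optional, Set, Tuple

# One OACL entry: <Component, Privilege, Token>, the triple shown on the slide.
Entry = Tuple[str, str, str]


class OACL:
    """Object Access Control List: the local authorization state of one MOM object."""

    def __init__(self, entries: Optional[List[Entry]] = None) -> None:
        self.entries: List[Entry] = list(entries or [])

    def holds(self, component: str, privilege: str, token: str) -> bool:
        """True when the exact <component, privilege, token> entry is present."""
        return (component, privilege, token) in self.entries

    def keys_of(self, component: str) -> Set[str]:
        """Tokens that `component` can present as keys (assumption: Key and All both count)."""
        return {tok for comp, priv, tok in self.entries
                if comp == component and priv in ("Key", "All")}

    def remove(self, entry: Entry) -> bool:
        """REMOVE command, assumed form: delete one entry; False if it was absent."""
        if entry in self.entries:
            self.entries.remove(entry)
            return True
        return False


def filter_message(oacl: OACL, target: str, ticket: str, caller_keys: Set[str]) -> str:
    """Message filtering at a single object.

    Reading of the slide example: Method_1 carries <Method_1, Lock, a>; when
    Method_2 invokes Method_1 using ticket a, the OACL is checked for a matching
    key held by Method_2. No entry found, so the message is dropped.
    """
    if not oacl.holds(target, "Lock", ticket):
        return "deny: target has no Lock for ticket"  # default deny (assumption)
    if ticket not in caller_keys:
        return "deny: no entry found"
    return "accept"


def slide_example() -> Tuple[str, str]:
    """The two-row OACL from the slide, then the same OACL once the caller holds key a."""
    oacl = OACL([("Method_1", "Lock", "a"), ("Method_2", "Key", "b")])
    first = filter_message(oacl, "Method_1", "a", oacl.keys_of("Method_2"))
    oacl.entries.append(("Method_2", "Key", "a"))  # constructed: give the caller key a
    second = filter_message(oacl, "Method_1", "a", oacl.keys_of("Method_2"))
    return first, second


class Hierarchy:
    """Object hierarchy: every object has an OACL and at most one parent."""

    def __init__(self) -> None:
        self.parent: Dict[str, Optional[str]] = {}
        self.oacl: Dict[str, OACL] = {}

    def add(self, name: str, parent: Optional[str], oacl: OACL) -> None:
        self.parent[name] = parent
        self.oacl[name] = oacl

    def is_parent(self, p: str, c: str) -> bool:
        """PARENT(p, c): p is the immediate parent of c."""
        return c in self.parent and self.parent[c] == p

    def path_from_root(self, obj: str) -> List[str]:
        path: List[str] = []
        cur: Optional[str] = obj
        while cur is not None:
            path.append(cur)
            cur = self.parent[cur]
        path.reverse()
        return path

    def can_access(self, caller_obj: str, caller: str,
                   target_obj: str, component: str) -> Tuple[bool, str]:
        """Assumed refinement: walking root -> ... -> target_obj, each object on the
        path filters the next thing entered (the child object, finally `component`),
        so any object on the path can intervene and deny."""
        keys = self.oacl[caller_obj].keys_of(caller)
        path = self.path_from_root(target_obj)
        for guard, entered in zip(path, path[1:] + [component]):
            ok = any(filter_message(self.oacl[guard], entered, t, keys) == "accept"
                     for t in keys)
            if not ok:
                return False, f"{guard} denies {caller} -> {entered}"
        return True, f"{caller} may access {component} in {target_obj}"


def build_example() -> Hierarchy:
    """Constructed hierarchy: root contains A and C, C contains D, D holds method m."""
    h = Hierarchy()
    h.add("root", None, OACL([("C", "Lock", "t1")]))
    h.add("A", "root", OACL([("A", "Key", "t1"), ("A", "Key", "t2")]))
    h.add("C", "root", OACL([("D", "Lock", "t2")]))
    h.add("D", "C", OACL([("m", "Lock", "t3")]))
    return h


if __name__ == "__main__":
    print(slide_example())
    h = build_example()
    for obj, comp in (("root", "C"), ("C", "D"), ("D", "m")):
        print(h.can_access("A", "A", obj, comp))
    h.oacl["A"].remove(("A", "Key", "t2"))  # REMOVE: A loses key t2
    print(h.can_access("A", "A", "C", "D"))
```

With these assumptions A can reach C and D but not m, because D's filter finds no key for t3 and intervenes; after REMOVE takes key t2 away from A, C intervenes and A can no longer reach D either.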