Loading in 2 Seconds...

From Chinese Wall Security Policy Models to Granular Computing

Loading in 2 Seconds...

- 126 Views
- Uploaded on

Download Presentation
## From Chinese Wall Security Policy Models to Granular Computing

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

From Chinese Wall Security Policy Models to Granular Computing

Tsau Young (T.Y.) Lin

tylin@cs.sjsu.edu dr.tylin@sbcglobal.net

Computer Science Department, San Jose State University, San Jose, CA 95192,

and

Berkeley Initiative in Soft Computing, UC-Berkeley, Berkeley, CA 94720

From Chinese Wall Security Policy. . .

- The goal of this talk is to illustrate how granular computing can be used to solved a long outstanding problem in computer security.

Overview - Granular computing

Historical Notes

1. Zadeh (1979) Fuzzy sets and granularity

2. Pawlak, Tony Lee (1982):Partition Theory(RS)

3. Lin 1988/9: Neighborhood Systems(NS) and Chinese

Wall (a set of binary relations. A non-reflexive. . .)

4. Stefanowski 1989 (Fuzzified partition)

5. Qing Liu &Lin 1990 (Neighborhood system)

Overview-Granular computing

Historical Notes

6. Lin (1992):Topological and Fuzzy Rough Sets

7. Lin & Liu: Operator View of RS and NS (1993)

8. Lin & Hadjimichael : Non-classificatory hierarchy (1996)

OverviewProblem Solving Paradigm

Divide and Conquer

1. Divide: Partition (= Equivalence Relation)

2. Conquer: Quotient sets (Bo ZHANG, Knowledge Level Processing)

3. Could this be generalized?

Overview-Example

Partition: disjoint granules(Equivalence Class)

[0]4 = {. . . , 0, 4, 8, . . .}={4n},

[1]4 = {. . . , 1, 5, 9, . . .} ={4n+1},

[2]4 = {. . . , 2, 6, 10, . . .} ={4n+2},

[3]4 = {. . . , 3, 7, 11, . . .} ={4n+3}.

Quotient set = Z/4 (Z/m)

Overview-New Challenge?

Granulation: overlapping granules

B0 = {. . . , 0, 4, 8, 12,. . . 5,9, }

B1 = {. . . , 1, 5, 9, . . .}

B2 = {. . . , 2, 6, 10, . . ., 7,}

B3 = {. . . , 3, 7, 11, . . ., 6, }.

Quotient ?

Overview-Granular Computing - NewParadigm ?

Classical paradigm is unavailable for general granulation

Research Direction: New Paradigm ?

Overview- Granular Computing a New Problem Solving Paradigm

Divide and Conquer (incremental development)

1. Divide: Granulation (binary relation)

Topological Partition

2. Conquer: Topological Quotient Set

Application - New Paradigm ?

Report:

Applying an incremental progress

in granulation to

Classical problem in computer security

Overview - Trojan Horses

Grader G is a conscientious student but lacking computer skills.

So a classmate C sets up a tool box that includes, e.g., editor, spread sheet, …;

Overview - Trojan Horses

C embeds a “copy program”

into G’s tool; it sends

a copy of G’s file to C

(university system normally allows students to exchange information)

Overview - Trojan Horses

- As the Grader is not aware of such

Trojan Horses, he cannot stop them;

- The system has to stop them!

Can it?

Overview - Trojan Horses

Can it?

In general, NO

With constraints, YES

Chinese (Great) Wall Security Policy.

Overview - Trojan Horses

Direct Information flow(DIF); CIF, a sequence of DIF’s, leaks the information legally !!!

Grader

DIF

Trojan horse(DIF)

Professor

CIF

Student

Overview

- End of Overview

Details

Background

Background

In UK, a financial service company may consulted by competing companies. Therefore it is vital to have a lawfully enforceable security policy.

3

Background

- Brewer and Nash (BN) proposed Chinese Wall Security Policy Model (CWSP) 1989 for this purpose

Background

- The idea of CWSP was, and still is, fascinating;
- Unfortunately, BN made a technical error.

Outline

- BN’s Vision

BN: Intuitive Wall Model

- Built a set of impenetrable Chinese Walls among company datasets so that
- No corporate data that are in conflict can be stored in the same side of the Walls
- 5

Policy: Simple CWSP (SCWSP)

"Simple Security", BN asserted that

"people (agents) are only allowed

access to information which is not

held to conflict with any other

information that they (agents)

already possess."

Could Policy Enforce the Goal?

- “YES” BN’s intent; technical flaw
- Yes, but it relates an outstanding difficult problem in Computer Security

First analysis

Simple CWSP(SCWSP):

No single agent can read data X and Y

that are in CONFLICT

Is SCWSP adequate?

Formal Simple CWSP

SCWSP says that a system is secure, if

“(X, Y) CIR X NDIF Y “

“(X, Y) CIR X DIF Y “

(need to know may apply)

CIR=Conflict of Interests Binary Relation

More Analysis

SCWSP requires no single agent can read X and Y,

- but do not exclude the possibility a sequence of agents may read them

Is it secure?

Aggressive CWSP (ACWSP)

The Intuitive Wall Model implicitly requires: No sequence of agents can read X and Y:

A0 reads X=X0and X1,

A1 reads X1and X1,

. . .

An reads Xn=Y

Formal Model

When an agent, who has read both X and Y, considers a decision for Y,

- information in X may be used

consciously or unconsciously.

Formal Model (DIF)

So the fair assumptions are:

if the same agent can read X and Y

- X has direct information flowed into Y, in notation, X DIF Y
- also Y DIF X . . .

Formal Simple CWSP

SCWSP says that a system is secure, if

“(X, Y) CIR X NDIF Y “

“(X, Y) CIR X DIF Y “

CIR=Conflict of Interests Binary Relation

CompositeInformation flow

CompositeInformation flow(CIF) is

a sequence of DIFs , denoted by

such that

X=X0X1 . . . Xn=Y

And we write X CIF Y

NCIF: No CIF

Formal Aggressive CWSP

Aggressive CWSP says that a system is secure, if

“(X, Y) CIR X NCIF Y “

“(X, Y) CIR X CIF Y “

Need ACWSP Theorem

- Theorem If CIR is anti-reflexive, symmetric and anti-transitive, then
- Simple CWSP Aggressive CWSP

Solution

- BN’s solution
- GrC Solution

BN-Theory(failed)

BN assumed:

- Corporate data are decomposed into

Conflict of Interest Classes

(CIR-classes)

(implies CIR is an equivalence relation)

Some Mathematics

Partition Equivalence relation

- X Y (Equivalence Relation)

if and only if

- both belong to the same class/granule

Equivalence Relation

Generalized Identity

- X X (Reflexive)
- X Y implies Y X (Symmetric)
- X Y, Y Z implies X Z (Transitive)

Is CIR Reflexive?

- Is CIR self conflicting?
- US (conflict) US ?
- NO

Overlapping CIR-classes

- CIR is not an equivalence relation, so CIR classes do overlap

US, UK,

Iraq, . . .

USSR

Summary on Simple CWSP

- “X and Y has no conflict then they can be read by same agent “
- “(X, Y) CIR X NDIF Y”
- B(X) ={Y | X NDIF Y }

={Y | (X, Y ) CIR }

- 6

Granule (“Access Lists”)

B(X) is a set of objects that information of X canNOT be flow into.

- Granule / Neighborhood
- “Access Denied Lists”

DAC and GrC

The association

B: O 2O ; X B(X)

- DAC (Discretionary Access Control Model)
- Basic (binary) Granulation/Neighborhood System

Derived Equivalence Relation

The inverse images of B is a partition (an equivalence relation)

C ={Cp | Cp =B –1 (Bp) p V}

This is the heart of this talk

The set C of the center sets of CIR

The set C of center sets Cp is a partition

US, UK, . . .

Iraq, . . .

German, . . .

Derived Equivalence Relation

- Cp is called the center set of Bp
- A member of Cpis called a center.

Derived Equivalence Relation

- The center set Cp consists of all the points that have the same granule
- Center set Cp = {q | Bq= Bp}

Aggressive CWSP Theorem

- Theorem. If CIR is anti-reflexive, symmetric, anti-transitive, then

C=IJAR(=complement of CIR).

Aggressive CWSP

- CIR (with three conditions) only allows information sharing within one IJAR-class
- An IJAR-class is an equivalence class; so there is no danger the information will spill to outside.

ACWSP

- Theorem If CIR is anti-reflexive, symmetric and anti-transitive, then
- Simple CWSP Strong CWSP

Conclusions

1. Classical Problem Solving Paradigm requires partitioning (equivalence relation) may be too strong

2. Classical idea is extended to granulation (binary relation)

Conclusions

3. A small success in apply new paradigm to computer security

4. CWSP is one of the the bigger problem, managing the Information Flow Model in DAC; this was considered impossible in the past.

Conclusions

5. BN’s requirements implies IJAR is an equivalence class. However, if we impose “need to know” constraint, then IJAR is not an equivalence class. Under such constraints, we have weaker form of CWSP theorem

AppendixAggressive CWSP Theorem

- If CIR is anti-transitive non-empty and if (u, v) CIR implies that w V (at least one of (u, w) or (w, v) belongs to CIR ). Let (x, y) and (y, z) be in IJAR, we need to show that (x, z) be in IJAR. Assume contrarily, it is in CIR, by anti-transitive, one and only one of (x, y) or (y, z) be in CIR, that is the contradiction.

Download Presentation

Connecting to Server..