Mathieu Jaume
University of Paris
Publication
Featured research published by Mathieu Jaume.
foundations and practice of security | 2011
Tony Bourdier; Horatiu Cirstea; Mathieu Jaume; Hélène Kirchner
We propose a formal framework for the specification and validation of security policies. To model a secured system, the evolution of security information in the system is described by transitions triggered by authorization requests and the policy is given by a set of rules describing the way the corresponding decisions are taken. Policy rules are constrained rewrite rules whose constraints are first-order formulas on finite domains, which provides enhanced expressive power compared to classical security policy specification approaches like the ones using Datalog, for example. Our specifications have an operational semantics based on transition and rewriting systems and are thus executable. This framework also provides a common formalism to define, compare and compose security systems and policies. We define transformations over secured systems in order to perform validation of classical security properties.
information assurance and security | 2008
Lionel Habib; Mathieu Jaume; Charles Morisset
In this paper we address the problem of comparing access control models. Indeed, many access control models can be found in the literature and in order to choose one model for a particular context, some tools helping such a choice are needed. We develop here a complete example allowing to compare (in a formal way) the Bell and LaPadula (BLP) model and the role-based (RBAC) model. In order to achieve this goal, we first express these models in a uniform way, then we introduce concepts (mostly based on simulations) allowing to compare access control models.
international conference on information technology coding and computing | 2005
Mathieu Jaume; Charles Morisset
Access control software must be based on a security policy model. Flaws in them may come from a lack of precision or some incoherences in the policy model or from inconsistencies between the model and the code. In this paper, we first present a formalisation of access control models based on the work on an algebra of security models by J. McLean (1988). Then, we describe the implementation of this framework and show how it can be used to obtain a particular security model: the Bell and La Padula security model. Last, as an example, we show how such a program can be integrated for secure databases. All our development is done within the Focal (Rioboo et al., 2004) programming environment which provides a language with object-oriented features allowing to write formal specifications, proofs and programs at the same level.
international conference on information systems security | 2011
Mathieu Jaume; Valérie Viet Triem Tong; Ludovic Mé
In this paper, we introduce a formal property characterizing access control policies for which the interpretations of access control as mechanism over objects and as mechanism over information contained into objects are similar. This leads us to define both a flow based interpretation of access control policies and the information flows generated during the executions of a system implementing an access control mechanism. When these two interpretations are not equivalent, we propose to add a mechanism dedicated to illegal information flow detection to the mechanism of access control over objects. Such a mechanism is parameterized by the access control policy and is proved sound and complete. Finally, we briefly describe two real implementations, at two levels of granularity, of our illegal flow detection mechanism: one for the Linux operating system and one for the Java Virtual Machine. We show that the whole approach is effective in detecting real life computer attacks.
international conference on information systems security | 2013
Mathieu Jaume; Radoniaina Andriatsimandefitra; Valérie Viet Triem Tong; Ludovic Mé
Several points of view exist about security policies among which two main approaches can be distinguished: policies can be defined by some properties over states of a system or by some properties over executions of a system. While enforcing a policy specified by some properties over states is rather easy, designing enforcement mechanisms to ensure security properties over executions is more complex. However, enforcing a property over states is sometimes sufficient to ensure a property over executions. In this paper, we investigate these two approaches in order to provide a formal framework that permits to make the bridge between the definition of secure states and security properties over sequences of secure states corresponding to executions. Along the lines of this paper, we illustrate our definitions by considering access control policies defined as properties over states and flow properties over executions of a system.
international conference on software engineering | 2017
Laurent Georget; Mathieu Jaume; Guillaume Piolle; Frédéric Tronel; Valérie Viet Triem Tong
Information flow control can be used at the Operating System level to enforce restrictions on the diffusion of security-sensitive data. In Linux, information flow trackers are often implemented as Linux Security Modules. They can fail to monitor some indirect flows when flows occur concurrently and affect the same containers of information. Furthermore, they are not able to monitor the flows due to file mappings in memory and shared memory between processes. We first present two attacks to evade state-of-the-art LSM-based trackers. We then describe an approach, formally proved with Coq [12], to perform information flow tracking able to cope with concurrency and in-memory flows. We demonstrate its implementability and usefulness in Rfblare, a race condition-free version of the flow tracking done by KBlare [4].
information assurance and security | 2006
Mathieu Jaume; Charles Morisset
information assurance and security | 2009
Lionel Habib; Mathieu Jaume; Charles Morisset
Proceedings of the LICS-Affiliated Workshop on Foundations of Computer Security and Automated Reasoning for Security Protocol Analysis | 2006
Mathieu Jaume; Charles Morisset
C&ESAR 2008 - Computer & Electronics Security Applications Rendez-vous | 2008
Philippe Ayrault; Matthieu Carlier; David Delahaye; Catherine Dubois; Damien Doligez; Lionel Habib; Thérèse Hardin; Mathieu Jaume; Charles Morisset; François Pessaux; Renaud Rioboo; Pierre Weis