Publication


Featured research published by Simon N. Foley.


IEEE Symposium on Security and Privacy | 1989

A model for secure information flow

Simon N. Foley

A model that characterizes systems that restrict information flow is proposed. The model, called the confinement model, provides greater flexibility in the binding of entities to their security classes than the current static case. A consequence of the nature of security class binding in the confinement model is its ability to enforce nontransitive information-flow policies. A framework of information-flow policies is defined which forms a distributive lattice under operations for policy ordering and combination. It is shown that a state-based MAC (mandatory access) version of the confinement model is the same as a traditional Bell and LaPadula MAC model, except that the confinement model includes a special rule on dynamic class change.


Computer and Communications Security | 1997

The specification and implementation of “commercial” security requirements including dynamic segregation of duties

Simon N. Foley

A framework for the specification of security policies is proposed. It can be used to formally specify confidentiality and integrity policies; the latter can be given in terms of Clark-Wilson style access triples. The framework extends the Clark-Wilson model in that it can be used to specify dynamic segregation of duty. For application systems where security is critical, a multilevel security based approach is defined. Security policies for less critical applications can be implemented using standard Unix based systems. Both implementation strategies are based on the standard protection mechanisms that are provided by the respective systems.


IEEE Symposium on Security and Privacy | 1996

A security model of dynamic labelling providing a tiered approach to verification

Simon N. Foley; Li Gong; Xiaolei Qian

In the proposed mandatory access control model, arbitrary label-changing policies can be expressed. The relatively simple model can capture a wide variety of security policies, including high-water marks, downgrading, separation of duties, and Chinese Walls. The model forms the basis for a tiered approach to the formal development of secure systems, whereby security verification can be spread across what makes up the reference monitor and the security requirement specification. The advantage of this approach is that once a trusted computing base (TCB) is in place, reconfiguring it for different security requirements requires verification of just the new requirements. We illustrate the approach with a number of examples, including one policy that permits high-level subjects to make relabelling requests on low-level objects; the policy is multilevel secure.


Integrated Network Management | 2009

Challenges for federated, autonomic network management in the Future Internet

Brendan Jennings; Rob Brennan; William Donnelly; Simon N. Foley; Dave Lewis; Declan O'Sullivan; John Strassner; Sven van der Meer

Regardless of which networking protocols or technologies form the core of the Future Internet, it is clear that the environment as a whole will need to support a very broad range of business and user interaction modes. In today's Internet we observe the growing trend for services to be both provided and consumed by loosely coupled value networks of consumers, providers and combined consumer/providers. In this paper we argue that this trend has major implications for network management in the Future Internet. In particular, we discuss six research challenges that we believe need to be addressed by the network management community if the potential for the Future Internet to flexibly support value networks is to be realized.


Journal of Computer Security | 1992

Aggregation and Separation as Noninterference Properties

Simon N. Foley

This paper proposes a notation that can be used to describe information flow policies that may have transitivity, aggregation and separation (of duty) exceptions. Operators for comparing, composing and abstracting these policies are described. These allow complex policies to be built from simpler policies. A formal semantics is given based on the notion of noninterference for deterministic systems. An unwinding of this definition is developed that can be used for any policy that does not contain a separation exception.


Quality of Protection | 2006

Multilevel Security and Quality of Protection

Simon N. Foley; Stefano Bistarelli; Barry O’Sullivan; John Herbert; Garret Swart

Constraining how information may flow within a system is at the heart of many protection mechanisms and many security policies have direct interpretations in terms of information flow and multilevel security style controls. However, while conceptually simple, multilevel security controls have been difficult to achieve in practice. In this paper we explore how the traditional assurance measures that are used in the network multilevel security model can be re-interpreted and generalised to provide the basis of a framework for reasoning about the quality of protection provided by a secure system configuration.


Financial Cryptography | 2003

Using Trust Management to Support Transferable Hash-Based Micropayments

Simon N. Foley

A hash-chain based micropayment scheme is cast within a trust management framework. Cryptographic delegation credentials are used to manage the transfer of micropayment contracts between public keys. Micropayments can be efficiently generated and determining whether a contract and/or micropayment should be trusted (accepted) can be described in terms of a trust management compliance check. A consequence is that it becomes possible to consider authorisation based, in part, on monetary concerns. The KeyNote trust management system is used to illustrate the approach.


International Workshop on Security | 2005

Authorisation subterfuge by delegation in decentralised networks

Simon N. Foley; Hongbin Zhou

This talk is about work by myself and Hongbin Zhou, who’s a PhD student in Cork (except he’s here today). One of the problems that we’re interested in is just simple authorisation, whether or not somebody is allowed to perform some action, get access to some resource. In the good old days we had the traditional view of system administrators who had control over everything, and they had, or at least liked to think that they had, a very clear picture of what the resources were for, and who should have access to the resources, and so on. As a consequence they tend to exercise very tight control, they don’t like giving away authorisation to resources, and it’s usually a battle for somebody to get additional access to any resource. Administrators in these closed systems exercise their principle of “no privilege”, nobody’s allowed to do anything. As a consequence, the opportunity to subvert an administrator is very small, so you really have to work hard to get anywhere within one of these closed systems.


International Parallel and Distributed Processing Symposium | 2004

A framework for heterogeneous middleware security

Simon N. Foley; Thomas B. Quillinan; Maeve O'Connor; Barry P. Mulcahy; John P. Morrison

Summary form only given. With the advent of Web services, achieving seamless interoperability between heterogeneous middleware technologies has become increasingly important. While much work investigating functional interoperability between different middleware architectures has been reported, little practical work has been done on providing a unified and/or interoperable view of security between the different approaches. We describe how Secure WebCom - a distributed metacomputing system - provides interoperability support between the COM+/.NET, CORBA and Enterprise Java Beans middleware security architectures. Secure WebCom uses the KeyNote trust management system to help coordinate the trust relationships between the different middleware systems and their associated security policies. Middleware authorisation policies can be encoded in terms of KeyNote cryptographic certificates, and vice-versa. This provides a unified view of security across heterogeneous middleware systems and also provides the basis for decentralised support of middleware security policies.


Journal of Computer Security | 2011

Management of security policy configuration using a Semantic Threat Graph approach

Simon N. Foley; William M. Fitzgerald

Managing the configuration of heterogeneous enterprise security mechanisms is a complex task. The effectiveness of a configuration may be constrained by poor understanding and/or management of the overall security policy requirements, which may, in turn, unnecessarily expose the enterprise to known threats. This paper proposes a threat management based approach, whereby knowledge about the effectiveness of mitigating countermeasures is used to guide the autonomic configuration of security mechanisms. This knowledge is modeled in terms of Semantic Threat Graphs, a variation of the traditional Threat/Attack Tree, extended in order to relate semantic information about security configuration with threats, vulnerabilities and countermeasures. An ontology-based approach to representing and reasoning over this knowledge is taken. A case study based on Network Access Controls demonstrates how threats can be analysed and how automated configuration recommendations can be made based on catalogues of countermeasures. These countermeasures are drawn from best-practice standards, including NIST, IETF and PCI-DSS recommendations for firewall configuration.

Collaboration


Top Co-Authors

Hongbin Zhou

University College Cork

John Herbert

University College Cork
