Thierry Sans
École nationale supérieure des télécommunications de Bretagne
Publication
Featured research published by Thierry Sans.
formal aspects in security and trust | 2004
Frédéric Cuppens; Nora Cuppens-Boulahia; Thierry Sans; Alexandre Miège
Current firewall configuration languages have no well founded semantics. Each firewall implements its own algorithm that parses specific proprietary languages. The main consequence is that network access control policies are difficult to manage and most firewalls are actually wrongly configured. In this paper, we present an access control language based on XML syntax whose semantics is interpreted in the access control model Or-BAC (Organization Based Access Control). We show how to use this language to specify high-level network access control policies and then to automatically derive concrete access control rules to configure specific firewalls through a translation process. Our approach provides clear semantics to network security policy specification, makes management of such policy easier for the administrator and guarantees portability between firewalls.
ieee computer security foundations symposium | 2005
Frédéric Cuppens; Nora Cuppens-Boulahia; Thierry Sans
Modelling security policies requires means to specify permissions and prohibitions. However, this is generally not sufficient to express security properties such as availability, and obligations must also be considered. By contrast to permissions and prohibitions, obligations are often associated with deadlines to specify bounded time availability requirements. In this case, a violation only occurs if the obliged action is not performed before the deadline. On the other hand, when specifying high level security policies, it is convenient to consider abstract non atomic actions. Since most access control mechanisms only deal with atomic actions such as read or write, these non atomic actions must be decomposed into more basic ones. In this paper, we define a formal security model called Nomad to express privileges on non atomic actions. This model combines deontic and temporal logics. In Nomad, we model conditional privileges and obligations with deadlines. We also formally analyze how privileges on non atomic actions can be decomposed into more basic privileges on elementary actions.
Annales Des Télécommunications | 2006
Frédéric Cuppens; Fabien Autrel; Yacine Bouzida; Joaquín García; Sylvain Gombault; Thierry Sans
Since current computer infrastructures are increasingly vulnerable to malicious activities, intrusion detection is necessary but unfortunately not sufficient. We need to design effective response techniques to circumvent intrusions when they are detected. Our approach is based on a library that implements different types of counter-measures. The idea is to design a decision support tool to help the administrator to choose, in this library, the appropriate counter-measure when a given intrusion occurs. For this purpose, we formally define the notion of anti-correlation which is used to determine the counter-measures that are effective to stop the intrusion. Finally, we present a platform of intrusion detection that implements the response mechanisms presented in this paper.
formal methods in security engineering | 2007
Julien Brunel; Frédéric Cuppens; Nora Cuppens; Thierry Sans; Jean-Paul Bodeveix
A security policy of an information system is a set of security requirements that correspond to permissions, prohibitions and obligations to execute some actions when some contextual conditions are satisfied. Traditional approaches consider that the information system enforces its associated security policy if and only if actions executed in this system are permitted by the policy (if the policy is closed) or not prohibited (if the policy is open) and all obligatory actions are actually executed in the system (no violation of obligations). In this paper, we investigate a more sophisticated approach in which an information system specification is compliant with its security policy even though some security requirements may be violated. Our proposal is to consider that this is acceptable when the security policy specifies additional requirements that apply in case of violation of other security requirements. In this case, we formally define conditions to be satisfied by an information system to comply with its security policy. We then present a proof-based approach to check if these conditions are enforced.
ieee computer security foundations symposium | 2004
Frédéric Cuppens; Sylvain Gombault; Thierry Sans
Since current computer infrastructures are increasingly vulnerable to malicious activities, intrusion detection is necessary but unfortunately not sufficient. We need to design effective response techniques to circumvent intrusions when they are detected. Our approach is based on a library that implements different types of counter-measures. The idea is to design a decision support tool to help the administrator to choose, in this library, the appropriate counter-measure when a given intrusion occurs. For this purpose, we formally define the notion of anti-correlation which is used to determine the counter-measures that are effective to stop the intrusion. Finally, we present a platform of intrusion detection, called DIAMS, that implements the response mechanisms presented in this paper.
information security conference | 2007
Thierry Sans; Frédéric Cuppens; Nora Cuppens-Boulahia
Digital Rights Management frameworks (DRM) aim at protecting and controlling information contents widely distributed on client devices. Using a license, the content owner specifies which rights can be rendered to end-users. Basically, only the content owner must be able to define this license, but some DRM models go further. In a superdistribution scenario, the content owner does not directly manage end-user’s rights but rather delegates this task to a third-party called a distributor. Nevertheless, this distribution cannot be done without any control. In existing approaches, the content owner restricts the license issued by the distributors. In this paper, we provide a new approach, called the Onion Policy Administration approach (OPA). Rather than restricting licenses issued by the different distributors, OPA aims at controlling which rights are finally rendered to end-users. The main idea of OPA is to have a traceability of the content distribution. The content must keep track of all third-parties it crossed in the distribution chain. In this case, everyone can distribute the content and define a new license without any restriction. In these licenses, the content owner and distributors specify end-user’s rights. Using the content traceability, the DRM controller can gather all licenses involved in the distribution chain and evaluate them. In order to be rendered, a right must be allowed by both the content owner and all distributors involved in the distribution chain.
international conference on information systems security | 2005
Frédéric Cuppens; Nora Cuppens-Boulahia; Thierry Sans
Since XML tends to become the main format to exchange data over the Internet, it is necessary to define a security model to control the access to the content of these documents. Several such models have already been suggested, but we claim that none of them is sufficiently expressive to properly express some basic security requirements, especially those related to entity relationships protection. To cope with these limitations, we suggest to structure the access control policy using the new concept of block. This is used to hide relationships between nodes selected in different blocks. It provides means to specify confidentiality restriction associated with some relationships. An access control model, called XML-BB (XML Block Based Access Control), that includes this concept of block is presented and a formal semantics for this model is defined.
information security conference | 2006
Thierry Sans; Frédéric Cuppens; Nora Cuppens-Boulahia
Avoiding unauthorized access in an information system usually means enforcing access control mechanisms. Traditional access control only aims at deciding if an access can be granted or not. Dynamic access control goes further as it aims at controlling also if an ongoing access is still authorized while it is running. Rights Expression Languages, such as MPEG-REL, take into account dynamic aspects of access control policy. However, existing access control architectures are not adequate to enforce such dynamic access control. In this paper, we first explain what dynamic access control involves and why existing architectures are not appropriate. We then provide a flexible and distributed architecture where different components interact to enforce dynamic access control. Using temporal logic of actions, we specify the different interactions between components in the architecture and specify more precisely the component in charge of giving the decision. Finally, we discuss technical and security issues about how the architecture can be implemented to enable Digital Rights Management (DRM) applications.
ASIAN'06 Proceedings of the 11th Asian computing science conference on Advances in computer science: secure software and related issues | 2006
Thierry Sans; Frédéric Cuppens; Nora Cuppens-Boulahia
Digital Rights Management frameworks (DRM) aim at protecting and controlling information contents widely distributed on client devices. Using a license, the content provider can decide which rights can be rendered and who are the authorized end-users (as identity holders) allowed to exercise those rights. Most of the time, it is hard to add a new feature to the client application; it is even impossible when the new feature is not considered trustworthy by the corporation distributing the rendering application. In the same way, the rendering application identifies the end-user with a dedicated identity and it is impossible to take into account an identity provided by an external corporation. In this paper, we aim at providing a federated approach called FORM where a content provider can decide to trust external rendering rights and external identities. We even go further introducing identity providers, actions providers as we consider content providers. Thus, all kinds of providers can define licenses specifying what can be done with the object they provide. FORM defines a new license model and a new license interpretation mechanism taking into account all licenses issued by a federation of object providers.
international conference on knowledge-based and intelligent information and engineering systems | 2007
Frédéric Cuppens; Nora Cuppens-Boulahia; Thierry Sans
Since XML became the core meta language for many data formats, we need a fine-grained access control model for XML to protect sensitive information carried by XML elements or by relationships between these elements. Several models have already been suggested, but we claim that none of them is sufficiently expressive to properly express some basic security requirements, especially those related to entity relationships protection. To cope with these limitations, we suggest to structure the access control policy using the new concept of block. This is used to hide relationships between nodes selected in different blocks. It provides means to specify confidentiality restriction associated with some relationships. An access control model, called XML-BB (XML Block Based Access Control), that includes this concept of block is presented and the implementation of this model is described.