Publication


Featured research published by Winfried E. Kühnhauser.


engineering of computer-based systems | 2009

Software Architectural Design Meets Security Engineering

Stephan Bode; Anja Fischer; Winfried E. Kühnhauser; Matthias Riebisch

Security requirements strongly influence the architectural design of complex IT systems in a similar way as other non-functional requirements. Both security engineering as well as software engineering provide methods to deal with such requirements. However, there is still a critical gap concerning the integration of the methods of these separate fields. In this paper we close this gap with respect to security requirements by proposing a method that combines software engineering approaches with state-of-the-art security engineering principles. This method establishes an explicit alignment between the non-functional goal, the principles in the field of security engineering, and the implementation of a security architecture. The method aims at designing a system's security architecture based on a small, precisely defined, and application-specific trusted computing base. We illustrate this method by means of a case study which describes distributed enterprise resource planning systems using web services to implement business processes across company boundaries.


Operating Systems Review | 2004

Root Kits: an operating systems viewpoint

Winfried E. Kühnhauser

Root Kits are tool boxes containing a collection of highly skilled tools for attacking computer systems. Their algorithms and databases contain professional knowledge about methods and mechanisms for completely automated attacks both over a network as well as from within a system. Root kits attack by maneuvering a system into executing a script with supervisor privileges. Once having gained full control, such scripts begin to install several software packages, including backdoors for easy future access, deception packages and modified versions of administration utilities that conceal system modifications and refuse to counterattack any future infiltration. The security threat imposed by root kits is quite serious. A root kit attack is swift, fully automatic, and has long-lasting effects. An attack has a high success probability, and it requires only a very small amount of knowledge. Last but not least, root kits are easily available on the Internet. This paper is a survey of the works of root kits from an operating systems point of view.

Keywords: error exploitation, error proliferation, privilege proliferation, kernel abstractions, trusted computing base, reference monitor, security domains, mandatory and discretionary access control, secure booting, secure program execution


symposium on reliable distributed systems | 1995

A paradigm for user-defined security policies

Winfried E. Kühnhauser

One of today's major challenges in computer security is the ever-increasing multitude of individual, application-specific security requirements. As a positive consequence, a wide variety of security policies has been developed, each policy reflecting the specific needs of individual applications. As a negative consequence, the integration of the multitude of policies into today's system platforms made the limitations of traditional architectural foundations of secure computer systems quite obvious. Many of the traditional architectural foundations originally aimed at supporting only a single access control policy within a single trusted system environment. This paper discusses a new paradigm to support user-defined security policies in a distributed multi-policy system. The paradigm preserves the successful properties of the traditional architectural foundations while additionally providing strong concepts for user-defined security policies. Among these concepts are policy separation, encapsulation, persistency, cooperation, and reusability. We illustrate the application of our approach in a DCE environment.


network and system security | 2011

Model-based safety analysis of SELinux security policies

Peter Amthor; Winfried E. Kühnhauser; Anja Pölck

Since security has become an essential asset in numerous application areas, the integration of security policies has become a major issue in the design of security architectures, and many commodity operating systems have been furnished with abstractions to support policy protection and enforcement.


Operating Systems Review | 1999

Embedding security policies into a distributed computing environment

Udo Halfmann; Winfried E. Kühnhauser

This paper discusses the implementation of security policies in multipolicy systems. Multipolicy systems are systems supporting a multitude of security policies, each policy governing the applications within its own and precisely defined security domain. The paper argues that within multipolicy systems, traditional approaches for implementing security policies such as security kernels are both too weak and too strong. In order to support this thesis, we will discuss architectural issues of the implementation of policy separation, policy persistency, total mediation and putting off-the-shelf applications under the control of security policies. Whenever our statements are illustrated by examples, these examples are taken from a case study we implemented for the OSF Distributed Computing Environment.


Computers & Security | 2014

WorSE: A Workbench for Model-based Security Engineering

Peter Amthor; Winfried E. Kühnhauser; Anja Pölck

IT systems with sophisticated security requirements increasingly apply problem-specific security policies for specifying, analyzing, and implementing security properties. Due to their key role for defining and enforcing strategic security concepts, security policies are extremely critical, and quality assets such as policy correctness or policy consistency are essential objectives in policy engineering. This paper argues for a tool-supported policy engineering approach to increase the efficiency and quality of security policy making. The paper's general topic is WorSE, a policy engineering workbench encompassing the automation of engineering steps, pre-built model patterns, integrated plausibility checks, and model analysis tools; the paper especially focuses on tools supporting model engineering and model analysis, and describes their theoretical foundations and practical application.


symposium on access control models and technologies | 2013

Heuristic safety analysis of access control models

Peter Amthor; Winfried E. Kühnhauser; Anja Pölck

Model-based security engineering uses formal security models for specifying and analyzing access control systems. Tool-based model analysis encounters a fundamental difficulty here: on the one hand, real-world access control systems generally are quite large and complex and require models that have high expressive power. On the other hand, analysis of such models is often pestered by computational complexity or even non-decidability, making it difficult to devise algorithms for automated analysis tools. One approach to this problem is to limit the expressive power of the modeling calculus, resulting in restrictions to the spectrum of application scenarios that can be modeled. In this paper we propose a different approach: a heuristic-based method for analyzing the safety properties of access control models with full expressive power. Aiming at generality, the paper focuses on the lineage of HRU-style, automaton-based access control models that are fundamental for modeling the dynamic behavior of contemporary role-based or attribute-based access control systems. The paper motivates a heuristics-based approach to model analysis, describes in detail a heuristic model safety analysis algorithm, and discusses its computational complexity. The algorithm is the core of a security model analysis tool within the context of a security policy engineering workbench; a formal description of major components of its heuristic-based symbolic model execution engine is given, and its capacity to analyze complex real-world access control systems is evaluated.


international conference on information systems security | 2011

Towards access control model engineering

Winfried E. Kühnhauser; Anja Pölck

Formal security models have significantly improved the understanding of access control systems. They have influenced the way access control policies are specified and analyzed, and they provide a sound foundation for a policy's implementation. While their merits are many, designing security models is not an easy task, and their use in commercial systems is still far from everyday practice. This paper argues that model engineering principles and tools supporting these principles are important steps towards model-based security engineering. It proposes a model engineering approach based on the idea that access control models share a common, model-independent core that, by core specialization and core extension, can be tailored to a broad scope of domain-specific access control models.


Computers & Security | 1999

Refereed paper: Policy Groups

Winfried E. Kühnhauser

This paper contributes to the current discussion on multipolicy systems: systems that support a multitude of independent security domains in which an individual security policy is enforced on the applications. In multipolicy systems, the interoperability between different security domains constitutes a major problem. While security policies are capable of controlling the applications within their domains, interactions between security domains create security loop-holes and cause conflicts between the involved security policies. This paper introduces policy groups as an approach to secure domain interactions. A policy group combines a set of security policies with a set of policies that control inter-domain actions. It composes a multipolicy system's security policies into a single structure and provides a single point of reference for the discussion of a system's security properties. In order to provide a precise foundation for this discussion, the paper introduces a formal model of policy groups based on Harrison, Ruzzo and Ullman's access control calculus. The paper concludes with statements about the decidability of the safety problem for policy groups.


Journal of Computer Security | 1997

CWASAR: a European infrastructure for secure electronic commerce

Ciarán Bryce; Winfried E. Kühnhauser; Rémy Amouroux; Mauricio Lopez; Harry Rudnik

This short paper introduces the Cwasar project. The goal of Cwasar is to design and implement a low cost European infrastructure for a secure electronic market place. The project was preceded by a market analysis in Germany, Spain and France, of the basic user requirements for a European oriented system. From the results of this analysis, we have defined the main functional and architectural components of Cwasar. The description of these components is the subject of this paper. In particular, we focus on the features specifically designed to cater for the varying security requirements of end users, as well as the problems posed by the differing legal positions held by individual EU states on the use of security techniques. The Cwasar project is sponsored by the European Union.

Collaboration

Top co-authors of Winfried E. Kühnhauser:

Hermann Härtig (Dresden University of Technology)
Peter Amthor (Technische Universität Ilmenau)
Anja Fischer (Technische Universität Ilmenau)
Gregor Gärtner (Technische Universität Ilmenau)
Stephan Bode (Technische Universität Ilmenau)
Udo Halfmann (Center for Information Technology)