
Page 1

CSIIR Workshop, March 14-15, 2005

Privilege and Policy Management for Cyber Infrastructures

Dennis Kafura

Markus Lorch

Support provided by: Commonwealth Security Information Center, Fermi National Accelerator Laboratory, IBM

Page 2

Organization

Grand Challenges
– Problems
– Requirements

PRIMA, a privilege-based approach
– Models
– Architecture/Mechanisms

Research challenges
– Policy
– Obligations
– Enforcement
– Usability

Relationship to I3P and Workshop Themes

Page 3

Grand Challenge Problems

Societal infrastructures

“Develop tools and principles that allow construction of large-scale systems for important societal applications that are highly trustworthy despite being attractive targets.”

Dynamic, pervasive computing environments

“For the dynamic, pervasive computing environments of the future, give computing end-users security they can understand and privacy they can control.”

From: CRA Workshop on “Grand Research Challenges in Information Security and Assurance,” November 2003.

Page 4

Cyber Infrastructure Requirements

Grand challenge: Societal infrastructures
– Attribute: large scale
  Requirements: distributed authority; distributed trust establishment
– Attribute: trustworthy
  Requirements: predictable; responsive to environment

Grand challenge: Dynamic, pervasive computing environments
– Attribute: understandable
  Requirements: familiar paradigm; unified principle
– Attribute: controllable
  Requirements: restricted rights assignment; differential confidence

Page 5

PRIMA Models

Page 6

PRIMA Properties

Grand challenge: Societal infrastructure
– Attribute: large scale
  Requirement: distributed authority
  PRIMA model property: PM: privilege creation and delegation
  Requirement: distributed trust establishment
  PRIMA model property: TM: user-centric trust; PM: direct privilege management
– Attribute: trustworthy
  Requirement: predictable
  PRIMA model property: AM/PM: dynamic policy
  Requirement: responsive to environment
  PRIMA model property: AM: adaptive policy

Grand challenge: Dynamic, pervasive computing environments
– Attribute: understandable
  Requirement: familiar paradigm
  PRIMA model property: PM: privilege concept
  Requirement: unified principle
  PRIMA model property: PM: privilege concept
– Attribute: controllable
  Requirement: restricted rights assignment
  PRIMA model property: PM: least privilege access
  Requirement: differential confidence
  PRIMA model property: TM: incremental trust; PM: selective control of privileges

Page 7

Privilege Structure

Privilege properties:
– Fully associated
– Directly applicable
– Time limited
– Externalized
– Secure
– Non-repudiation

Implementation:
– Container: X.509 Attribute Certificate
– Privilege: XACML rule construct

Page 8

Enforcement Concepts

Policy Enforcement Point (PEP) checks privileges for:
– Applicability (to resource and requestor)
– Validity (of time frame and signature)
– Authority (with respect to privilege management policy)

All permissible privileges constitute a dynamic policy for a request.

Policy Decision Point (PDP):
– Makes coarse decision
– Adds obligations for PEP

[Figure: request flow between Subjects, Enforcement Point, Policy Decision Point, Execution Environment and Requested Service]
1. service request (with privileges)
2. authorization request (with privileges)
3. evaluate request against dynamically created policy based on subject-provided privileges and applicable privilege management and access control policies
4. authorization response (with obligations)
5. provision execution environment, and start + monitor service
6. service response (from the requested service)
7. service response (to the subject)

Page 9

Dynamic Policy

Page 10

Obligations

Additional constraints attached to an authorization decision

If the PEP cannot fulfill an obligation, it disallows access

Obligations address the mismatch in level of detail between the request and the policies

Obligations help in maintaining system state
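The privilege structure of page 7, the PEP checks and PDP decision of page 8, and the obligation rule above can be walked through end to end. The following is an added example written for this transcript, not code from the PRIMA project: the privilege container is a dict with an HMAC tag standing in for the issuer's signature over an X.509 attribute certificate, and the privilege is an XACML-like rule expressed as a dict rather than XACML XML. The issuer keys, the privilege management policy, the site obligation table, the names alice, mallory and carol, and the fixed clock T0 are all constructed sample data.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data for this example (not from PRIMA). An HMAC tag
# stands in for the issuer's signature over an X.509 attribute certificate.
ISSUER_KEYS = {"alice": b"alice-signing-key", "mallory": b"mallory-signing-key"}

# Privilege management policy of the resource site: which issuer may grant
# which (resource, action). mallory holds a key but no authority here.
PRIV_MGMT_POLICY = {"alice": {("/data/climate", "read"), ("/data/climate", "write")}}

# Site access-control policy consulted by the PDP (page 8, step 3): writes
# to the dataset carry an obligation the PEP must fulfil before access.
SITE_OBLIGATIONS = {("/data/climate", "write"): [("set-quota", "100MB")]}

# Fixed clock so the example is reproducible.
T0 = datetime(2005, 3, 14, 12, tzinfo=timezone.utc)
LATER = T0 + timedelta(hours=48)


def _canonical(priv):
    """Stable serialisation of the privilege body; this is what the signature covers."""
    return json.dumps(priv, sort_keys=True).encode()


def issue(issuer, holder, resource, action, hours, now=T0):
    """Issuer creates a time-limited privilege: an XACML-like rule in a signed container."""
    priv = {
        "issuer": issuer,
        "holder": holder,                                   # fully associated with one subject
        "rule": {"resource": resource, "action": action, "effect": "Permit"},
        "not_before": now.isoformat(),                      # time limited
        "not_after": (now + timedelta(hours=hours)).isoformat(),
    }
    sig = hmac.new(ISSUER_KEYS[issuer], _canonical(priv), hashlib.sha256).hexdigest()
    return {"privilege": priv, "sig": sig}


def pep_check(container, requestor, resource, action, now=T0):
    """PEP checks from page 8: applicability, validity, authority. Returns (ok, reason)."""
    priv = container["privilege"]
    rule = priv["rule"]
    if priv["holder"] != requestor or rule["resource"] != resource or rule["action"] != action:
        return False, "not applicable"
    if not datetime.fromisoformat(priv["not_before"]) <= now <= datetime.fromisoformat(priv["not_after"]):
        return False, "outside validity period"
    key = ISSUER_KEYS.get(priv["issuer"])
    if key is None or not hmac.compare_digest(
            container["sig"], hmac.new(key, _canonical(priv), hashlib.sha256).hexdigest()):
        return False, "bad signature"
    if (rule["resource"], rule["action"]) not in PRIV_MGMT_POLICY.get(priv["issuer"], set()):
        return False, "issuer lacks authority"
    return True, "ok"


def pdp_decide(dynamic_policy, resource, action):
    """Coarse decision over the dynamic policy, plus obligations for the PEP."""
    permitted = any(r["effect"] == "Permit" and (r["resource"], r["action"]) == (resource, action)
                    for r in dynamic_policy)
    if not permitted:
        return "Deny", []
    return "Permit", list(SITE_OBLIGATIONS.get((resource, action), []))


def authorize(containers, requestor, resource, action, handlers, now=T0):
    """Full flow: PEP filters privileges into a dynamic policy, PDP decides, PEP fulfils obligations."""
    dynamic_policy = [c["privilege"]["rule"] for c in containers
                      if pep_check(c, requestor, resource, action, now)[0]]
    decision, obligations = pdp_decide(dynamic_policy, resource, action)
    if decision != "Permit":
        return "Deny", "no permissible privilege"
    # Obligations are mandatory: if the PEP cannot fulfil one, it disallows access.
    for name, arg in obligations:
        handler = handlers.get(name)
        if handler is None or not handler(arg):
            return "Deny", f"cannot fulfil obligation {name}"
    return "Permit", "ok"


if __name__ == "__main__":
    carol_read = issue("alice", "carol", "/data/climate", "read", hours=24)
    carol_write = issue("alice", "carol", "/data/climate", "write", hours=24)
    print(authorize([carol_read, carol_write], "carol", "/data/climate", "read", {}))
    print(authorize([carol_read, carol_write], "carol", "/data/climate", "write", {}))
    print(authorize([carol_read, carol_write], "carol", "/data/climate", "write",
                    {"set-quota": lambda size: True}))
```

The three PEP checks are deliberately separate and ordered: applicability is cheap and filters most privileges, the signature check ensures a holder cannot edit the rule inside a container they were given, and the authority check against the privilege management policy is what stops a valid signature from an unrecognised issuer. The write request shows the fail-closed obligation rule: the PDP permits, but a PEP with no handler for `set-quota` denies anyway.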

Page 11

Research Challenges: Policy

What can be adapted from software engineering research for policy:
– Testing
– Debugging
– Formal Analysis
– Requirements engineering

Policy extensions
– Threat/environment aware
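Three of the items above (testing, debugging, formal analysis) can be made concrete on a rule set in the subject/resource/action/effect shape of the XACML rule construct from page 7. The following is an added illustration, not PRIMA code: the rule set, the separation-of-duty pair (the insider-threat item on page 15) and the expected decisions are constructed sample data, and the deny-overrides combining algorithm is an assumption chosen for the example.

```python
from itertools import combinations

# Constructed sample rule set (not from PRIMA), in the subject/resource/
# action/effect shape of an XACML rule. r3 and r4 are a deliberate conflict.
RULES = [
    {"id": "r1", "subject": "carol", "resource": "/jobs/submit", "action": "execute", "effect": "Permit"},
    {"id": "r2", "subject": "carol", "resource": "/jobs/approve", "action": "execute", "effect": "Permit"},
    {"id": "r3", "subject": "dave", "resource": "/data/climate", "action": "write", "effect": "Permit"},
    {"id": "r4", "subject": "dave", "resource": "/data/climate", "action": "write", "effect": "Deny"},
    {"id": "r5", "subject": "erin", "resource": "/jobs/submit", "action": "execute", "effect": "Permit"},
]

# Separation-of-duty constraint: one subject must not be permitted both halves.
SOD_PAIRS = [("/jobs/submit", "/jobs/approve")]

# Expected decisions, written like unit tests for the policy.
POLICY_TESTS = [
    (("carol", "/jobs/submit", "execute"), "Permit"),
    (("dave", "/data/climate", "write"), "Deny"),
    (("erin", "/jobs/approve", "execute"), "NotApplicable"),
]


def _target(rule):
    return (rule["subject"], rule["resource"], rule["action"])


def decide(rules, subject, resource, action):
    """Deny-overrides combining (assumed): an applicable Deny wins, else Permit if any applicable Permit."""
    effects = {r["effect"] for r in rules if _target(r) == (subject, resource, action)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def find_conflicts(rules):
    """Debugging aid: rule pairs that Permit and Deny the same target."""
    return [(a["id"], b["id"]) for a, b in combinations(rules, 2)
            if _target(a) == _target(b) and a["effect"] != b["effect"]]


def find_sod_violations(rules, sod_pairs):
    """Static analysis: subjects whose Permit rules cover both halves of an SoD pair."""
    permitted = {}
    for r in rules:
        if r["effect"] == "Permit":
            permitted.setdefault(r["subject"], set()).add(r["resource"])
    return sorted((subj, pair) for subj, res in permitted.items()
                  for pair in sod_pairs if set(pair) <= res)


def run_policy_tests(rules, cases):
    """Policy testing: return the cases whose actual decision differs from the expected one."""
    failures = []
    for (subject, resource, action), expected in cases:
        actual = decide(rules, subject, resource, action)
        if actual != expected:
            failures.append(((subject, resource, action), expected, actual))
    return failures


if __name__ == "__main__":
    print("conflicts:", find_conflicts(RULES))
    print("SoD violations:", find_sod_violations(RULES, SOD_PAIRS))
    print("failed policy tests:", run_policy_tests(RULES, POLICY_TESTS))
```

The point of the SoD check is that the decision function alone never reveals the problem: every individual request from carol is correctly permitted, and only a whole-policy property check shows that she can both submit and approve. The conflict finder is the debugging counterpart: r3 and r4 make the outcome for dave depend entirely on the combining algorithm, which is the kind of latent ambiguity a policy author wants flagged before deployment.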

Page 12

Research Challenges: Obligations

Granularity mismatch
– Too many rights to be externalized
– Partially addressed by dynamic policy

With respect to the request
– Need to add restrictions finer-grained than the request

Page 13

Research Challenges: Enforcement

Evaluation of mechanisms
– Dynamic user accounts
– Virtual machine/sandboxing
– Service containers

Model
– Distributing privileges to dynamically provision an execution environment, vs.
– Pre-provisioning an execution environment and distributing a privilege for it

Page 14

Research Challenges: Usability

What are the right conceptual models?
– Privileges
– Roles
– Others? Several? Combinations?

How can users manage their rights?
– P3P
– Shibboleth release policies
– Least-privilege control

Page 15

Addressing I3P and Workshop Themes

I3P Agenda and Workshop Themes, with the PRIMA elements that address each:

Enterprise Security Management
– Policy definition and management

Trust among Distributed Autonomous Parties
– PRIMA trust model
– Least privilege access
– Fully decentralized mechanisms

Discovery/Analysis of Security Properties and Vulnerabilities
– Policy testing
– Policy analysis using formal methods

Secure System and Network Response and Recovery
– Threat-aware policies

Traceback, Identification, and Forensics
– Privilege validation (signing, non-repudiation)
– Obligations

Insider Threats
– Separation of duties through privilege restrictions

Life-cycle Threats
– Policy requirements engineering

Distributed Ad Hoc Trust/Multi-Level Trust
– Privilege management
– Secure execution environments