Policy Management & Enforcement

Upload: baby-maddock

Post on 30-Mar-2015


Overview

S3MS Deployment Center
  Already demoed at M18

Off-device Inlining demo
  Already demoed at M18

DEMO 1: On-device Matching
DEMO 2: On-device Inlining


S3MS Deployment Center

Main changes between M18 and M24
  Support for metadata generation
  Creation of new representation compilers
  Greatly updated inliner and PDP generator
  Extended multi-runtime support
    .NET CF 2.0, full .NET 2.0, Mono, …
  Stability and UI improvements


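[Figure: S3MS Deployment Center class diagram. Classes: ComplianceEngine (+Process()), ComplianceModule (+Process()), SignatureComplianceModule (+Process()), InlineComplianceModule (+Process()), ContractComplianceModule (+Process()), ContractPolicyMatcher (+IsMatch()). Association ends labelled -ComplianceModules and -Matcher, with multiplicities 1, 1..*, * and 1.]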


Policy Management


Metadata


Off-device inlining


DEMO 1 and DEMO 2

Demo 1: On-device matching
Demo 2: On-device inlining
Uses the Omnys case study
Shown on video
  Live demo available on demand!


DEMO 1: On-device matching

In this demo, we use semantic matching
  Hash-based, identical and remote matching are also implemented

The semantic matching algorithm is developed by UNITN
  This demo shows the integration of the matcher into our application deployer
  The algorithm will be detailed by UNITN in a following presentation

The demo device is set up to support matching only
  No inlining


DEMO 1: On-device matching

Policy

  SCOPE SESSION
  SECURITY STATE
  BEFORE WebRequest.Create(string url)
  PERFORM
    url.StartsWith("http") -> { skip; }

  SCOPE SESSION
  SECURITY STATE
    CONST int maxMessage = 5;
    int messageSent = 0 RANGE 0 .. 5;
  BEFORE SmsMessage.Send()
  PERFORM
    messageSent < maxMessage -> { skip; }
  AFTER SmsMessage.Send()
  PERFORM
    true -> { messageSent = messageSent + 1; }

Contract

  SCOPE SESSION
  SECURITY STATE
  BEFORE WebRequest.Create(string url)
  PERFORM
    url.StartsWith("http") -> { skip; }
    url.StartsWith("ftp") -> { skip; }

  SCOPE SESSION
  SECURITY STATE
    CONST int maxMessage = 5;
    int messageSent = 0 RANGE 0 .. 5;
  BEFORE SmsMessage.Send()
  PERFORM
    messageSent < maxMessage -> { skip; }
  AFTER SmsMessage.Send()
  PERFORM
    true -> { messageSent = messageSent + 1; }


DEMO 1: On-device matching

Policy

  SCOPE SESSION
  SECURITY STATE
    CONST int maxKbRecieve = 1024;
  BEFORE BeginReceive(byte[] buffer, int offset, int size, SocketFlags socketFlags, AsyncCallback callback, Object state)
  PERFORM
    size < maxKbRecieve -> { skip; }

  SCOPE SESSION
  SECURITY STATE
    CONST int maxMessage = 7;
    int messageSent = 0 RANGE 0 .. 7;
  BEFORE SmsMessage.Send()
  PERFORM
    messageSent < maxMessage -> { skip; }
  AFTER SmsMessage.Send()
  PERFORM
    true -> { messageSent = messageSent + 1; }

Contract

  SCOPE SESSION
  SECURITY STATE
    CONST int maxKbRecieve = 512;
  BEFORE BeginReceive(byte[] buffer, int offset, int size, SocketFlags socketFlags, AsyncCallback callback, Object state)
  PERFORM
    size < maxKbRecieve -> { skip; }

  SCOPE SESSION
  SECURITY STATE
    CONST int maxMessage = 5;
    int messageSent = 0 RANGE 0 .. 5;
  BEFORE SmsMessage.Send()
  PERFORM
    messageSent < maxMessage -> { skip; }
  AFTER SmsMessage.Send()
  PERFORM
    true -> { messageSent = messageSent + 1; }
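
Added example (not from the slides, and not UNITN's semantic matching algorithm): a simplified matcher that models the two policy/contract pairs above as state machines and searches for the shortest event trace the contract allows but the policy forbids. The names make_spec, find_violation and the sample event alphabet are assumptions made for illustration; the check only covers the constructed sample values.

```python
from collections import deque

def make_spec(url_prefixes=None, max_recv=None, max_message=None):
    """Return step(sent, event) -> next state, or None if the spec forbids it."""
    def step(sent, event):
        name, arg = event
        if name == "WebRequest.Create" and url_prefixes is not None:
            return sent if arg.startswith(url_prefixes) else None
        if name == "BeginReceive" and max_recv is not None:
            return sent if arg < max_recv else None
        if name == "SmsMessage.Send" and max_message is not None:
            # BEFORE guard messageSent < maxMessage, then AFTER update (+1)
            return sent + 1 if sent < max_message else None
        return sent  # no rule for this event: unconstrained
    return step

# Constructed sample events, with boundary values for the numeric guards.
ALPHABET = [
    ("WebRequest.Create", "http://a.example/"),
    ("WebRequest.Create", "ftp://a.example/f"),
    ("BeginReceive", 511), ("BeginReceive", 512),
    ("BeginReceive", 1023), ("BeginReceive", 1024),
    ("SmsMessage.Send", None),
]

def find_violation(contract, policy):
    """Shortest trace the contract allows but the policy forbids, else None."""
    start = (0, 0)  # messageSent in the contract and in the policy
    seen, queue = {start}, deque([(start, [])])
    while queue:
        (c, p), trace = queue.popleft()
        for event in ALPHABET:
            c2 = contract(c, event)
            if c2 is None:
                continue  # the application promises never to do this
            p2 = policy(p, event)
            if p2 is None:
                return trace + [event]  # promised behaviour exceeds the policy
            if (c2, p2) not in seen:
                seen.add((c2, p2))
                queue.append(((c2, p2), trace + [event]))
    return None

# First pair: the contract also allows ftp URLs, the policy only http.
POLICY_1 = make_spec(url_prefixes=("http",), max_message=5)
CONTRACT_1 = make_spec(url_prefixes=("http", "ftp"), max_message=5)
# Second pair: the contract is stricter than the policy on both rules.
POLICY_2 = make_spec(max_recv=1024, max_message=7)
CONTRACT_2 = make_spec(max_recv=512, max_message=5)
```

Under this model the first pair fails to match on the ftp request, while the second pair matches because every behaviour the contract allows stays within the policy.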


DEMO 2: On-device inlining

Inlining can be used for legacy applications
  Without a contract/proof/signature/…

In this demo, we want to limit the access to the contacts
