[Squeak-e] Re: [cap-talk] automatic policy embodiment and enforcement

Fred Spiessens fsp at info.ucl.ac.be
Thu Aug 12 05:14:27 CEST 2004 

[Message by Fred, reposted to e-lang, users at mozart, and squeak-e by MarkM. 
I wanted to be sure y'all saw this. --MarkM]

Toby,

Three weeks ago Mark Miller, Jonathan Shapiro, Peter Van Roy and myself 
submitted a paper for POPL05, that is to be regarded as a first step in the 
direction you're pointing to. It does not yet deal with _automatic_ mapping 
of policy specifications towards relied-upon abstractions of behavior, but 
it contains a proposal for a formalism to express in which way relied-upon 
("trusted") entities reduce their authority-providing behavior when 
interacting with other entities, and to consequently examine the resulting 
boundaries in authority propagation. We called it "Authority Reduction 
Systems" in the paper, and we derived its mechanisms and features from an 
analytical comparison between H.R.U. Protection Systems and Take-Grant Systems.

I consider your remark as (one of) the next step(s) to be done now:
1) build  tools that proof the "safety properties" of an arbitrary 
configuration that contains some entities of which (part of) their behavior 
restrictions are known or relied upon.
2) build tools that propose the injection of reliable entities at strategic 
places in a configuration, to assure a given set of "safety requirements"  
for a given class of configurations.

I hope we will  then also be able to translate arbitrary security paradigms  
into such "classes of initial configurations", with a minimal set of  
initial conditions, and reliable entities put at strategic places to enforce 
the policy. ( I'm not sure I make myself clear, I suggest you read the paper 
for more details)

I've just started working towards such a tool, using techniques from 
constraint programming which are relatively new to me (all help is very 
welcome!).  I think it is possible to build a tool that can find the minimum 
number of reliable entities to be injected, the minimum set of restrictions 
each of them should respect, and the best places amongst the other agents to 
install them, as to guarantee the requirements of an arbitrary security policy.

You can find our paper "Authority Reduction in Protection Systems" on the 
MILOS project site:
http://renoir.info.ucl.ac.be/twiki/bin/view/INGI/MILOSProject
(last entry under the topic "Capability Theory")

All comments on the paper are very welcome on this mailing list.
I hope it will point you in the right direction.


cheers,

Fred.
-------------------
Fred Spiessens
UCL Louvain-la-Neuve Belgium
http://www.info.ucl.ac.be/people/fsp/fred.html
------------- you're invited to: -------------------------
the Second International Mozart/Oz Conference
(MOZ 2004)
Charleroi, Belgium, Oct. 7-8, 2004
http://www.cetic.be/moz2004
-------------------------------------------------------------


On Aug 11, 2004, at 3:22 AM, Toby Murray wrote:

>In my reading of literature regarding capability systems and implementations I'm yet to find any work that deals with the automatic mapping of an abstract policy specification (in whatever appropriate paradigm) to rules regarding capability propagation between entities, and trusted abstractions built over the base system. While it has recnetly been explicitly recognised in the literature (at least from my understanding) that trusted abstractions enforce security as well (and therefore are an embodiment of the policy) -- with the decisions regarding distribution of capabilities between entities being the other embodiment of policy --  it appears that we'll have to be able to build these abstractions and generate propagation rules automatically that can be enforced by trusted code, if capability systems are to become practical.
>Perhaps capability systems make this problem harder because they allow almost arbitrary security paradigms (in which any policy must be framed) to be mapped onto the base system. (eg. we can do RBAC or Bell-LaPadula if we want to build the right abstractions and come up with the right rules etc.) We have seen very small examples here and there (eg. indirection for temporal revocation, and the example used by Shapiro et. al to show that the *-property can be enforced), but all of these must be crafted by a human who "knows" that the abstraction and associated rules actuall embody and enforce the abstract policy.
>Has any work been done in this area and if so could someone point me in the right direction?
>
>Thanks,
>Toby
>
>-- 
>Toby Murray
>Software Engineer
>Advanced Computer Capabilities Unit
>Information Networks Division
>DSTO, Australia
>
>IMPORTANT: This e-mail remains the property of the Australian Defence
>Organisation and is subject to the jurisdiction of section 70 of the
>Crimes Act 1914. If you have received this e-mail in error, you are
>requested to contact the sender and delete the e-mail.
>
>_______________________________________________
>cap-talk mailing list
>cap-talk at mail.eros-os.org
>http://www.eros-os.org/mailman/listinfo/cap-talk

_______________________________________________
cap-talk mailing list
cap-talk at mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/cap-talk

More information about the Squeak-e mailing list