Specification and Verification of an Attribute-Based Usage Control Approach for Open and Dynamic Computing Environments
Total Page:16
File Type:pdf, Size:1020Kb
Specification and Verification of an Attribute-based Usage Control Approach for Open and Dynamic Computing Environments Christos Grompanopoulos Department of Applied Informatics University of Macedonia This dissertation is submitted for the degree of Doctor of Philosophy 2014 i This Dissertation Advisory Committee (DAC) consists of the following members (listed alphabetically): • Professor Athanasios Manitsaris (Dept. of Applied Informatics, University of Macedonia, Greece.) • Assistant Professor Christos Georgiadis (Dept. of Applied Informatics, University of Macedonia, Greece.) • Associate Professor Ioannis Mavridis (PhD Supervisor) (Dept. of Applied Informatics, University of Macedonia, Greece.) This Dissertation Defence Committee (DDC) consists of the following members (listed alphabetically): • TODO I would like to dedicate this dissertation to my family, for their love, endless support and encouragement. Acknowlegements First and foremost, I would like to express my sincere appreciation and gratitude to my supervisor, Associate Professor Ioannis Mavridis. His guidance and support all these years and during the completion of this dissertation have been invaluable. Even in difficult times, a meeting with him always reinvigorated my enthusiasm and raised my spirits. I am also extremely grateful to the members of my dissertation committee, Professor Athanasios Manitsaris and Assistant Professor Christos Georgiadis, for their time and dedi- cation in reviewing my work and for their advice throughout my dissertation. I would also like to thank my colleague and friend Antonios Gouglidis at the Department of Applied Informatics of the University of Macedonia, for sharing his thoughts and feelings during the completion of this laborious but very rewarding journey. Finally, I would also like to take this opportunity and express my profound gratitude to my parents and all of my family for their continuous support and encouragement. Abstract Computing systems are always evolving in order to keep pace with the requirements that are posed by new computing environments. The widespread of networking technologies transformed the standalone computer model into the client-server computer model. Social trends as frequent traveling and social networking, led to the creation of small-sized com- puting devices that are equipped with sensors to recognize their surrounding environment and adapt accordingly their operations. Therefore, novel computing modes are emerged, as ubiquitous computing and the Internet of Things. The aforementioned type of systems set new requirements in several areas, including also the area of security. Security is an area of great importance in all computing systems. From a computer security, and particularly from an access control point of view the evolution of computing systems induces the creation of Open and Dynamic Computing Environments (ODCE). They are characterized as open since there are no boundaries between the legitimate and illegal users of a system. And dynamic since the configuration of these systems is constantly changing. Despite theim- portance of access control in ODCE there are a few proposals that addressed their analysis and identification of new requirements. Therefore, also existing access control modes are not able to fully support these requirements. In this dissertation, we analyze existing access and usage control approaches to identify a number of unique characteristics posed by ODCE. Secondly, we formally define an attribute based usage control model for ODCE that is designed based on the identified requirements. Last but not least, we check the proposed model for its correctness, i.e., the adherence of v the model to its initially defined specifications. Specifically, we provide information on the RBAC, ABAC and UCON models, which are mostly applicable in the examined case of ODCE. The presented work on the specifi- cation of models renders the aforementioned information valuable regarding the modeling of access or usage control systems since it can help in the identification of required specifi- cations of access/usage control models for ODCE, and further, it examines state-of-the-art models and verification techniques to check the correctness of the designed or produced models in respect to their initial specifications. In turn, we highlight through representative usage scenarios the additional requirements that are introduced when attempting to utilize the UCON family of models in modern computing environments. To meet the require- ments posed by ODCE, the proposed UseCON model incorporates a number of significant features compared with existing access/usage control models. Firstly, UseCON’s extended expressiveness over the existing usage control models is the result of utilizing information originating from either a single or a set of both direct and indirect entities in the creation of the usage allowance decision. Secondly, UseCON inherently supports the utilization of historical information of usages through the automatic management of use entities. We further elaborate on the enhanced expressiveness in UseCON. A number of examples are given to demonstrate the enhanced capabilities of the UseCON model. The simplification of the policy administration process and the support of enhanced policy rules regarding their expressiveness, are included in the advantages of the proposed model. Furthermore, we provide a safety analysis of UseCON’s formal TLA+ specification to prove the correctness of the UseCON model. The verification of consistency, safety and liveness properties for the core model and its internal operations for correctness was done by providing a formal specification of the UseCON model in TLA+, and using the TLC model checker. Lastly, we provide information on the declaration of models in TCL and elaborate on some perfor- mance metrics and in the internal procedures of the TCL model checker. Contents Contents vi List of Figures ix List of Tablesx 1 Introduction1 1.1 Motivation . .2 1.2 Objectives . .4 1.3 Research areas . .5 1.3.1 Requirement analysis . .6 1.3.2 Specifications modeling . .6 1.3.3 Formal verification . .7 1.4 Structure of the dissertation . .7 2 Background9 2.1 Introduction . .9 2.2 Open and Dynamic Computing Environments . 10 2.3 Access control models . 11 2.3.1 Role based access control (RBAC) . 13 2.3.2 Attribute based access control (ABAC) . 16 2.3.3 Usage control (UCON) . 17 2.4 Specification and verification of systems . 21 2.4.1 Specification fundamentals . 21 2.4.2 Verification techniques . 22 2.4.3 Model checking . 24 2.5 Specification and verification in TLA+ . 26 2.6 Related work on the specification and verification of UCON . 29 Contents vii 2.7 Chapter summary . 32 3 Requirements analysis 33 3.1 Introduction . 33 3.2 Access control requirements . 35 3.3 A critique on existing access control solutions . 38 3.3.1 Security characteristics of entities . 38 3.3.2 Contextual information . 40 3.3.3 Historical information of usages . 41 3.4 Chapter summary . 45 4 The proposed model 47 4.1 Introduction . 47 4.2 A brief description . 47 4.3 Specification of UseCON in TLA+ . 50 4.3.1 Basic elements . 51 4.3.2 Transition systems . 58 4.4 Example of a policy specification . 64 4.5 Chapter summary . 70 5 Evaluation 72 5.1 Introduction . 72 5.2 Model characteristics . 72 5.2.1 Abstraction of actions . 73 5.2.2 Utilization of usage information . 77 5.3 Model properties . 80 5.3.1 Use management . 80 5.3.2 An example policy . 83 5.4 Chapter summary . 85 6 Formal verification 86 6.1 Introduction . 86 6.2 Model checking with TLC . 87 6.2.1 Use management . 88 6.2.2 An example policy . 90 6.3 Discussion . 93 Contents viii 6.4 Chapter summary . 97 7 Conclusions 98 7.1 Summary of the contributions . 98 7.2 Future work . 100 7.3 Closing remarks . 101 Appendix A TLA+ source code 102 Appendix B Publications 122 References 125 List of Figures 2.1 The core RBAC model (Ferraiolo et al., 2003). 13 2.2 Basic ABAC scenario (Hu et al., 2014). ................... 18 2.3 Components of the UCON model (Park and Sandhu, 2004). 19 2.4 Family of UCON sub-models. 20 2.5 Transition system . 23 2.6 The model checking process (Baier and Katoen, 2008)........... 25 4.1 Accomplishment status of a single usage . 49 4.2 UseCON usage control system . 50 4.3 Use attributes updates during the exercise of a usage in UseCON . 57 4.4 Transition system of a single usage pre-authorization UseCON model . 59 4.5 Transition system of a single usage ongoing authorization UseCON model . 59 4.6 Transition system of a multiple usage pre-authorization UseCON model . 63 4.7 Transition system of a multiple usage ongoing authorization UseCON model 65 4.8 Examples of usage-revoking strategies . 68 5.1 Sequence of messages for action negotiation . 75 5.2 Violation of safety properties . 82 6.1 Model declaration in TLC . 91 6.2 Deadlock violation results in TLC . 94 6.3 Verification results in TLC . 95 List of Tables 2.1 Comparison of related works . 32 3.1 Utilization of decision criteria in UCON . 44 3.2 An analysis of challenging issues of UCON in ODCE . 46 5.1 Safety and liveness properties in UseCON . 83 6.1 Verification results for UseCON models . 96 Chapter 1 Introduction Technological innovations are constantly transforming the architecture of computer sys- tems. For example, the widespread of networking technologies transformed the standalone computer model into the client-server computer model. Moreover, social trends like fre- quent traveling and social networking, led to the creation of small-sized computing devices (e.g., PDA’s) that are equipped with sensors to recognize their surrounding environment and adapt accordingly their operations. Consequently, novel computing modes are emerged, as ubiquitous computing (Weiser, 1994, 1999), or the Internet of Things (Atzori et al., 2010), Cloud (Foster et al., 2008) and Grid computing environments (Foster et al., 2001). From a computer security, and particularly from an access control point of view, the evolution of computing systems induces the creation of Open and Dynamic Computing Environments (ODCE) (Kagal et al., 2006).