FAKULTAT¨ FUR¨ INFORMATIK DER TECHNISCHEN UNIVERSITAT¨ MUNCHEN¨ Dissertation in Informatik Cross-layer Data-centric Usage Control Enrico Lovat ii FAKULTAT¨ FUR¨ INFORMATIK DER TECHNISCHEN UNIVERSITAT¨ MUNCHEN¨ Lehrstuhl XXII - Software Engineering Cross-layer Data-centric Usage Control Enrico Lovat Vollstandiger¨ Abdruck der von der Fakultat¨ fur¨ Informatik der Technischen Universitat¨ Munchen¨ zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften (Dr. rer. nat.) genehmigten Dissertation. Vorsitzender: Univ.-Prof. Dr. Helmut Seidl Prufer¨ der Dissertation: 1. Univ.-Prof. Dr. Alexander Pretschner 2. Prof. Dr. Frank Piessens, Katholieke Universiteit Leuven, Belgium Die Dissertation wurde am 13.05.2015 bei der Technischen Universitat¨ Munchen¨ eingereicht und durch die Fakultat¨ fur¨ Informatik am 16.06.2015 angenommen. Acknowledgments First and foremost, I shall thank my supervisor, Prof. Dr. Alexander Pretschner. Without your guidance, your example and our loud discussions, probably no part of this work would have ever been completed. Your sharpness and conciseness, especially in scientific writing, the ethic and the passion you put in teaching, the intellectual honesty of admitting when you are wrong and the strength of your arguments when you are not, are only some of the aspects of your leadership that I admire and plan to emulate in the future. My second thanks goes to my second supervisor, Prof. Dr. Frank Piessens. Thanks for providing me extremely valuable feedback; I am grateful for the opportunity of benefiting from your clever advices and my main regret is not having exploited it more often. Thanks to the German Research Foundation (DFG), which supported this work through the Priority Program 1496 “Reliably Secure Software Systems RS3”, grants PR-1266/1-2-3. I would like to thank some of my fellow colleagues and my co-authors for their direct contributions to this work. In particular, thank you Florian, Johan, Martin, Prachi and To- bias for positively engaging in those stimulating never-ending discussions; together with conferences and paper reviews, those represent my idea of scientific research. Thanks to Alexander, Christoph, Cornelius and Sebastian for their picky reviews on the first drafts of this dissertation; you definitely improved its quality. Thanks to all the Bachelor and Master students who did their thesis under my supervi- sion and whose results, mentioned in this work, confirmed the feasibility of the theoretical models I have been working on. I would like to express my gratitude also to some individuals who contributed, at vari- ous stages of my life, to my choice of becoming a computer scientist: thanks Santa Claus, for bringing me my first PC when I was nine; thanks Nico, for making me fall in love with programming before I was legally allowed to drive a scooter; thanks A., for laughing at me in front of my parents, during a vocational guidance event, when I said that I would like to attend a technical high school and become a computer scientist; thanks Prof. Minio, for teaching me how to think instead of how to write code; and thank you K. for making sure that a Master degree was not enough. Without these people’s intervention, I would probably be a carpenter, a bartender or an underpaid code monkey. Most likely a bartender. Last but not least, I want to thank my family for the unconditional support I received over these years: Thanks to my parents, who made me the man I am today with their education and their hard-working example, I did not forget that. Thanks to my wife, for giving up her life to blindly follow me in this adventure; I appreciate all the sacrifices you did to let me pursue this goal and, without your support, this work would have never been possible. And finally, thanks to my beautiful daughter: You are the reason why I arrive late in the morning and I leave early in the evening, taking precious time from my work. You are also the reason why the moment I arrive home marks only half of my working day. And yet, you are the reason why nevertheless I am looking forward to come home every night. Thank you for rearranging my priorities. v vi Abstract Usage control is concerned with what happens to data after access has been granted. In the literature, usage control models have been defined on the grounds of events that, somehow, are related to data. Within the system, data (e.g. “a picture”) may exist in form of different representations, possibly located at different layers of abstraction (e.g. a file, a set of pixels in a window, a Java object, a memory region, etc...). In order to protect data, one must observe and control the usage of all its different representations. This research proposes a usage control model and a language that capture the distinc- tion between data and representations of data. In this framework, policies can constraint the usage of single representations (e.g., delete file1.jpg after thirty days) as well as all repre- sentations of the same data (e.g., if file2.jpg is a copy of file1.jpg, also delete file2.jpg), even at different layers of abstraction (e.g. if a process is rendering the content of file1.jpg in a window, close the window and kill the process). The core contribution of this work is the formalization and implementation of the first generic model that integrates usage control and cross-layer data flow tracking, and it is presented in the first part of this work. The second part addresses the problem of refining the precision of the framework by augmenting the data flow tracking component with additional information about the sys- tem. In particular, this dissertation analyzes three approaches that leverage, respectively, information about structure of data, amount of data and results from static information flow analysis. All the solution are formalized, implemented and evaluated, and represent the second major contribution of this work. vii viii Zusammenfassung Nutzungskontrolle beschaftigt¨ sich mit der Frage, was mit Daten nach deren initialer Freigabe passieren darf und soll. In der Literatur wurden Modelle der Nutzungskontrolle bisher stets auf Basis von Ereignissen definiert, die einen mehr oder weniger klaren Bezug zu den zu kontrollierenden Daten haben. Daten treten innerhalb eines Systems allerdings in verschiedenen Reprasentationen,¨ und potentiell auf verschiedenen Abstraktionsebenen (z.B. als Datei, als Menge von Pixeln in einem Fenster, als Java Objekt, oder als Region im Hauptspeicher), auf. Um die Nutzung eines Datums kontrollieren zu konnen,¨ mussen¨ daher alle Reprasentationen¨ des Datums uberwacht¨ und kontrolliert werden. In der vorliegenden Arbeit wird ein Modell und eine Spezifikationssprache fur¨ ein Kon- zept der Nutzungskontrolle vorgeschlagen, das explizit zwischen Daten und deren Re- pr¨asentationen unterscheidet. Mit diesem Konzept ist es moglich,¨ sowohl Policies bezuglich¨ einzelner Reprasentationen¨ (z.B. “losche¨ file1.jpg innerhalb von 30 Tagen”), als auch aller Reprasentationen¨ eines Datums (z.B. “falls file2.jpg eine Kopie von file1.jpg ist, losche¨ auch file2.jpg”) zu spezifizieren und diese auf verschiedenen Abstraktionsebenen durchzuset- zen (z.B. “falls ein Prozess den Inhalt von file1.jpg in einem Fenster anzeigt, dann schließe dieses Fenster und beende den entsprechenden Prozess”). Der erste Teil der Arbeit beschaftigt¨ sich mit dem Hauptbeitrag der selbigen, namlich¨ der Formalisierung und Implementierung des ersten generischen Modells, das abstrakti- onsubergreifende¨ Datenflussverfolgung in das Konzept der Nutzungskontrolle integriert. Der zweite Teil der Arbeit adressiert das Problem der Verfeinerung der Prazision¨ durch Adaption der Datenflussverfolgungskomponenten mit zusatzlichen¨ Informationen uber¨ das betrachtete System. Insbesondere diskutiert diese Arbeit drei Ansatze,¨ die die Prazision¨ des Konzepts durch Analyse der Struktur, Berucksichtigung¨ der Quantitat¨ von Daten, sowie durch die Integration von Ergebnissen aus statischer Informationsflussanaly- se verbessern. Die Formalisierung, Implementierung, und Evaluation dieser Ansatze¨ stellt den zweiten Hauptbeitrag dieser Arbeit dar. ix x Contents Acknowledgementsv Abstract vii Zusammenfassung ix Outline of the Thesis xv 1. Introduction1 1.1. Goal..........................................3 1.2. Research Description................................3 1.2.1. Problem...................................3 1.2.2. Thesis Statement..............................4 1.2.3. Solution Strategy..............................5 1.2.4. Contribution................................5 1.3. System Model and Assumptions.........................6 1.4. Running Scenario..................................7 1.5. Structure.......................................7 Part I - Representation-Independent Data Usage Control 11 2. Background: Usage Control 11 2.1. System Model.................................... 11 2.1.1. Events.................................... 11 2.1.2. Refinement................................. 12 2.1.3. Semantic Model of Events and System Runs.............. 12 2.2. Specification-Level Policies............................ 13 2.2.1. Propositions................................. 13 2.2.2. Conditions Outside Temporal and First Order Logic.......... 14 2.2.3. Formal Semantics of Events........................ 14 2.2.4. First Order Future Time Formulae.................... 15 2.3. Implementation-Level Policies.......................... 16 2.3.1. Past Time Conditions............................ 17 2.3.2. ECA Rules.................................. 18 2.3.3. Default Behavior.............................