Modeling insecurity: policy engineering for survivability

SSRS '03 Pub Date : 2003-10-31 DOI:10.1145/1036921.1036931

P. Naldurg, R. Campbell

{"title":"Modeling insecurity: policy engineering for survivability","authors":"P. Naldurg, R. Campbell","doi":"10.1145/1036921.1036931","DOIUrl":null,"url":null,"abstract":"We present an access-control policy specification and verification process that is well-suited to model survivability of information resources under threat of compromise. Our process differs from the traditional policy engineering methodology in many ways. First, we contend that traditional safety-property modeling cannot provide any guarantees when the policy enforcement mechanisms are compromised. Therefore, we extend traditional access control specifications by modeling insecure states and transitions explicitly, to describe possible system behavior after compromise.\n Next, we observe that it may not always possible to recover from an insecure state, and both compromise and recovery impact the availability of information. Based on these observations, we refine traditional information security properties as liveness assertions and explicitly add recovery actions to our specifications, to guarantee resources are available to legitimate users infinitely often, in spite of malicious attacks or inadvertent compromise. We explain our process using an example behavioral specification and show how we can define different measures of availability and verify them using standard model-checking techniques within this framework.","PeriodicalId":414343,"journal":{"name":"SSRS '03","volume":"52 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2003-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"SSRS '03","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1036921.1036931","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

We present an access-control policy specification and verification process that is well-suited to model survivability of information resources under threat of compromise. Our process differs from the traditional policy engineering methodology in many ways. First, we contend that traditional safety-property modeling cannot provide any guarantees when the policy enforcement mechanisms are compromised. Therefore, we extend traditional access control specifications by modeling insecure states and transitions explicitly, to describe possible system behavior after compromise. Next, we observe that it may not always possible to recover from an insecure state, and both compromise and recovery impact the availability of information. Based on these observations, we refine traditional information security properties as liveness assertions and explicitly add recovery actions to our specifications, to guarantee resources are available to legitimate users infinitely often, in spite of malicious attacks or inadvertent compromise. We explain our process using an example behavioral specification and show how we can define different measures of availability and verify them using standard model-checking techniques within this framework.

查看原文本刊更多论文

不安全性建模:可生存性的策略工程

我们提出了一个访问控制策略规范和验证过程，它非常适合于对信息资源在入侵威胁下的生存能力进行建模。我们的过程在许多方面与传统的政策工程方法不同。首先，我们认为当策略执行机制受到损害时，传统的安全属性建模不能提供任何保证。因此，我们通过显式地建模不安全状态和转换来扩展传统的访问控制规范，以描述入侵后可能的系统行为。接下来，我们观察到，从不安全状态恢复可能并不总是可能的，并且折衷和恢复都会影响信息的可用性。基于这些观察，我们将传统的信息安全属性细化为活动性断言，并显式地将恢复操作添加到规范中，以保证合法用户可以无限频繁地使用资源，而不受恶意攻击或无意损害的影响。我们使用一个示例行为规范来解释我们的过程，并展示我们如何定义可用性的不同度量，并在此框架内使用标准模型检查技术来验证它们。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

SSRS '03

自引率

0.00%

发文量