We consider the use of aspect-oriented techniques as a flexible way to deal with security policies in distributed systems. Recent work suggests to use aspects for analysing the future behaviour of programs and to make access control decisions based on this; this gives the flavour of dealing with information flow rather than mere access control. We show in this paper that it is beneficial to augment this approach with history-based components as is the traditional approach in reference monitor-based approaches to mandatory access control. Our developments are performed in an aspect-oriented coordination language aiming to describe the Bell-LaPadula policy as elegantly as possible. Furthermore, the resulting language has the capability of combining both history- and future-sensitive policies, providing even more flexibility and power.
Distributed Systems are designed to manage large amounts of information, so they must be secured [9] to provide confidentiality for the information managed by them. The emerging Aspect-Orientation [1] field has been targeted to some security approaches [8]. Recently, a framework named AspectKB [7] has been proposed, with which is possible to model process calculi-like distributed systems and to capture security properties in a realistic way, attaching security policies to each location and then combining the relevant security policies when an interaction between locations takes place.
The way of expressing security policies in the AspectKB framework refers to the traditional nondistributed information-flow [11] style of assuring security, which statically analyses the possible behaviours of the system in order to avoid any potential misuse in the future. In AspectKB, this is exploited by making access control decisions dynamically, yet not considering any state of the locations but possibly some potential future behaviour.
In this paper, we shall consider a multilevel access control policy [6], the Bell-LaPadula model [2], and show some complications when trying to capture such a policy in a distributed framework in general, and in particular in a framework whose security policies focus on looking to the future, since such multilevel policies are better suited for past analysis of how the system reached its current state.
We then propose an extension to the AspectKB framework, allowing to express also policies that look to the past. We do this by adding the notion of a localised state to the locations modelled in the extended framework and allowing the security policies to access those states to make their decisions. With this, multilevel policies as the Bell-LaPadula policy can be easily captured, and we show how.
Since the original AspectKB framework was already intended to combine different security policies, with the extension done in this paper both policies that look to the past and policies that look to the future can be expressed and even combined. This not only benefits when trying to capture specific policies (such as the Bell-LaPadula one), but it also allows us to model every policy in its original way, providing more flexibility to the resulting extended framework. Moreover, we shall argue that for some situations, expressing a policy in its original way could more precisely capture what is intended, and this insight would mean that our extended framework is more powerful as well. We shall start discussing this latter issue in the remainder of this Section (Subsection 1.1). In Section 2 we present a review of the Bell-LaPadula policy in its original formulation, and then we assess the challenges of adapting it to a distributed setting. Section 3 gives a brief review of the Logic used for dealing with the combination of policies. In Section 4 we present our extended framework, and show how to precisely capture the Bell-LaPadula policy. We also discuss why the resulting framework is more flexible than the existing one. In Section 5 we conclude.
The framework we shall be dealing with throughout this paper is the formal language AspectKB. In that framework, which follows a process algebraic approach, the processes are modelled as actions taking place in specific locations, and interacting with other locations modelled as well. Furthermore, security policies can also be modelled, following an aspect-oriented manner. The policies can express their intentions by analysing the continuation (namely the process after the current action) of the involved processes, so that it is possible to know in advance what a process might do in the future. This reflects an information-flow style of providing security.
However, this information-flow style is not as adequate as it was for sequential programs. Indeed, since the only process that can be statically analysed is the one that continues after the current action, all the possible outcomes that may occur due to other processes could not be predicted. This means that, when deciding whether to allow the interaction to happen or not, it is necessary to look to the future of just one process, and this can lead to two possible ways of obtaining imprecise decisions, either over-approximation or under-approximation.
For understanding what over-approximation is, let us assume we pessimistically expect that a particular action done by a process could, because of other processes we do not know about, lead to an insecure state. In this situation we may disallow the process to execute that action, but in some cases there might be no other process performing anything that would lead to an insecure state.
For understanding what under-approximation is, let us assume we optimistically expect that a particular action done by a process will not lead to an insecure state because the very same process will not perform another related action that leads to such a state. In th
This content is AI-processed based on open access ArXiv data.
