ACI_Dispo : Frédéric Cuppens, Ahmed Bouabdallah, Nora Cuppens-Boulahia. Working meeting of 10-05-2005

Posted on 19-Jan-2016


Page 1: ACI_Dispo :

ACI_Dispo :

Frédéric Cuppens, Ahmed Bouabdallah

Working meeting of 10-05-2005

Nora Cuppens-Boulahia

Page 2: ACI_Dispo :

[email protected]

Progress status and outlook

Completed: Nomad: Non-atomic actions and deadlines

Future enrichment planned

In progress: Modelling availability

TCP/IP protocol with SYN cookie techniques, with Nomad

Identification of the relevant aspects (in the AOP sense)

Expression of availability

Ad hoc networks

Page 3: ACI_Dispo :


Nomad

Provides means to specify a security policy

Conditional privileges

F(A|C) P(A|C) O(A|C)

Effective privileges

Expressed in a language of privileges with deadlines

Extends a logic of temporized actions with request (req, waiting)

start, doing, done, , , d and d

Provides means to specify non atomic privileges

Page 4: ACI_Dispo :


Axiomatics of the logic of temporized actions

The axioms of classical propositional logic

(A → B) → ( A → B)

(A → B) → ( A → B)

¬ ¬A ↔ A ¬ ¬A ↔ A A ↔ A A ↔ A

start() ↔ |||| done() start(; ) ↔ (start()

|||| done())

start( & ) ↔ (start() start ())

start( & ) ↔ |||| done( & )

if |||| ≥ |||| doing() ↔ (start() (doing()

¬done())) (doing() ¬done())

→ ¬start()

Page 5: ACI_Dispo :


Axiomatics of the logic of temporized actions with request

Axiomatics of logic of temporized actions

waiting() ↔(req() (waiting() ¬ start()))

Page 6: ACI_Dispo :


Obligations with deadlines

Violation of an obligation usually occurs after its deadline has elapsed

Obligation modality OdA = OdA

OA is an immediate obligation (d0)

Where d is defined 0A = 0A = A

d0 : d+1A = d A (d+1)A = dA (d+1)A

d0 : d1A = d A (d−1)A = d A (d−1)A

Page 7: ACI_Dispo :


Conditional privileges

Most privileges are only active in specific contexts: dyadic operators

O(A|C) (C OA) Od (A|C) (C OdA)

F(A|C) (C FA) Fd (A|C) (C FdA)

P(A|C) (C PA) Pd (A|C) (C PdA)

Constraints: F(A|C) ↔ O(¬A|C)

(P(A|C ) C ) → ¬ F(A|C )

Page 8: ACI_Dispo :


Effective privileges

Conditional privileges whose conditions are satisfied yield effective privileges

FeA = (F(A|C) C)

PeA = (P(A|C) C)

OedA = (Od (A|C) C) (Oe(d+1)A ¬A)

Oe0A = OeA

Page 9: ACI_Dispo :


Expression of security properties in Nomad

Access control requirement

Starting an action should be accepted

Closed policy : d , d (start() Pe(start())

Open policy : d , d (start() Fe(start())

Abiding by prohibitions requirement

Generalizing access control properties

d (A FeA)

And obviously the absence of conflicts

Page 10: ACI_Dispo :


Violation condition

Fulfillment modality

fulfill(A) OedA A

Violation modality

violation(A) OedA A

Security property associated with obligation fulfillment

d (violation (A))

Page 11: ACI_Dispo :


Simple Nomad examples

Availability requirement

O1D (start(open_account)|(exist_account req(open_account)))

User contract requirement

O1H(done(open_account)|start(open_account))

Repeated violation specification

repeated_violation (violation(start(change_pwd)) O2D violation(start(change_pwd)))
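The obligation-with-deadline modality, the fulfillment and violation modalities, and the simple examples on this page (account opening within a deadline, repeated violation of the password-change obligation) can be made concrete with a small trace checker. The Python below is an added illustration, not code from these slides or from the Nomad authors. It assumes discrete time ticks (read here as days), reads O^d(A|C) as "once C holds, A must occur within d ticks", reads fulfill(A) as "an effective obligation on A holds and A occurs" and violation(A) as "the deadline is reached and A does not occur", and reads repeated_violation as two violations of the same action within a constructed two-tick window. The atoms, deadlines, policy and trace are all constructed for the example.

```python
"""Deadline obligations, fulfillment and violation over a discrete-time trace.

Added illustration, not code from the ACI_Dispo slides or the Nomad authors.
Time is modelled as integer ticks; every atom name, deadline and the
two-tick repetition window below is a constructed assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obligation:
    """Conditional obligation with deadline, O^d(A|C):
    once C holds, action A must occur within d ticks."""
    action: str      # A
    condition: str   # C
    deadline: int    # d; d == 0 is an immediate obligation


@dataclass
class Effective:
    """An effective obligation Oe^d A: C was met and A is still due."""
    action: str
    remaining: int
    activated_at: int


def check_trace(obligations, trace):
    """Walk the trace tick by tick.

    trace[t] is the set of atoms (conditions and actions) true at tick t.
    Returns (fulfillments, violations), each a list of (action, tick):
      fulfill(A)   : an effective obligation on A holds and A occurs now
      violation(A) : the deadline has been reached and A does not occur
    """
    pending = []
    fulfillments, violations = [], []
    for t, atoms in enumerate(trace):
        # A conditional obligation becomes effective when its condition holds.
        for ob in obligations:
            if ob.condition in atoms:
                pending.append(Effective(ob.action, ob.deadline, t))
        carried = []
        for eff in pending:
            if eff.action in atoms:
                fulfillments.append((eff.action, t))
            elif eff.remaining == 0:
                violations.append((eff.action, t))
            else:
                # Oe^(d+1) A and not A now  =>  Oe^d A at the next tick
                carried.append(Effective(eff.action, eff.remaining - 1,
                                         eff.activated_at))
        pending = carried
    return fulfillments, violations


def repeated_violations(violations, action, window):
    """Pairs of violations of `action` whose second member lies within
    `window` ticks after the first (assumed reading of repeated_violation)."""
    ticks = sorted(t for a, t in violations if a == action)
    return [(t1, t2) for i, t1 in enumerate(ticks)
            for t2 in ticks[i + 1:] if 0 < t2 - t1 <= window]


# Constructed policy: open an account within 1 tick of a request,
# change an expired password within 1 tick of its expiry.
POLICY = [
    Obligation("start_open_account", "req_open_account", 1),
    Obligation("start_change_pwd", "pwd_expired", 1),
]

# Constructed trace, one set of atoms per tick (ticks 0 .. 5).
TRACE = [
    {"req_open_account"},
    {"start_open_account"},   # opened one tick after the request: fulfilled
    {"pwd_expired"},
    set(),                    # deadline reached, no password change: violation
    {"pwd_expired"},
    set(),                    # second violation two ticks later: repeated
]


def run_demo():
    """Evaluate the constructed policy against the constructed trace."""
    fulfilled, violated = check_trace(POLICY, TRACE)
    repeated = repeated_violations(violated, "start_change_pwd", 2)
    return fulfilled, violated, repeated


if __name__ == "__main__":
    f, v, r = run_demo()
    print("fulfilled:", f)
    print("violations:", v)
    print("repeated violations of start_change_pwd:", r)
```

An immediate obligation (d = 0) is handled by the same loop: if the condition and the action fall on the same tick the obligation is fulfilled, otherwise it is violated on that tick. The checker reports only violations, so any response to a repeated violation (such as the account blocking on the next page) is left to the policy that consumes these results.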

Page 12: ACI_Dispo :

Decomposition of actions and privileges

Page 13: ACI_Dispo :


Decomposition of non atomic privileges

Example

O(start(block_account ; notify_repeated_violation)| repeated_violation)

Decomposition of immediate obligations

Decomposition of non atomic permissions

Decomposition of non atomic prohibitions

Decomposition of obligations with deadlines

Page 14: ACI_Dispo :


Decomposition of immediate obligations

Theorem of decomposition

O(A B|C) O(A|C) O(B|C)

The semantics of temporized actions says

start(&) start() start() start(;) start() |||| start()

O(start(&)|C) O(start() |C) O(start() |C)

O(start(;)|C) O(start() |C) O(|||| start()|C)

Example of blocking an account:

O(start(block_account ) | repeated_violation)

O(||block_account|| start(notify_repeated_violation) | repeated_violation)

Page 15: ACI_Dispo :


Decomposition of non atomic permissions

Theorems of decomposition

P(A B|C) P(A|C) P(B|C)

P(A|C) O(B|C) P(A B|C)

From the semantics of temporized actions and the weaknesses of its direct application

P (start( ; )|C) P(start() |C) O(|||| start() | (C start()))

P (start( & )|C) P(start() |C) P(start() |C) O(start() |(C start())) O(start() |(C start()))

P (start(open_account ; change_pwd)|exist_account)

P(start(open_account) |exist_account) O(||open_account|| start(change_pwd) |(exist_account start(open_account)))