Advanced security policy enforcement for tomorrow's reconfigurable systems
Principal Investigator: Michael Reiter
Funding Agency: Office of Naval Research
Agency Number: N00014-10-1-0155
Abstract
A critical shortcoming of today's computing systems is the inability to enforce security policies efficiently and effectively in the face of system reconfigurations and changing missions. We propose to build a software infrastructure for security policy enforcement that offers unprecedented flexibility to adapt to such changes, and that simultaneously integrates a wide array of security mechanisms, such as sandboxes and intrusion-detection systems, into a single framework. The basis of this framework will be a formal logic in which proofs of compliance can be automatically generated and checked, using credentials expressing trust relationships (as is typical in authorization logics) and asserted properties of other enforcement mechanisms (which is not).
The key innovations of our enforcement infrastructure will be the following: (1) a general architecture that permits the specification and use of different enforcement components and can be used across different applications and system layers (e.g., web applications, databases, file systems); (2) mechanisms for adapting and reacting to the reconfiguration of the system it protects; and (3) tools that will leverage features of our infrastructure to improve administrators' ability to audit the system and specify desired security policies correctly and conveniently.
1. A general architecture. We plan to develop an enforcement architecture that extends the reach of rigorous, formal approaches to demonstrating security policy compliance via two advances. First, we will extend previous approaches to allow proofs of access to reason about non-logical enforcement mechanisms. Second, we will allow policy to be enforced not just by the resource monitor guarding a resource, but flexibly, at different mediation points in the system. In addition to maximizing reconfigurability, this flexibility will permit enforcement overheads to be distributed among different components of the system, making it possible to effectively protect even resource-scarce and highly burdened components.
2. Mechanisms for supporting reconfiguration of the enforcement infrastructure. Reconfiguration of a system may require that the policy enforcement mechanisms adapt so as to be able to continue to enforce existing policies or to start to enforce new ones. We propose to develop an efficient migration framework to migrate enforcement objects (sandboxes, resource monitor state, etc.) to new locations as needed and to coordinate the mediation of requests by these components even when these requests come from distributed sources. We will also develop approaches to centrally provision the enforcement of certain policies by assigning them to enforcement locations in a way that will respect the resource constraints and anticipated processing loads at those locations, and adaptive schemes by which enforcement obligations can be moved to seek out better positions for them incrementally.
3. Management tools. A critical part of any security infrastructure is the tools that let administrators manage it, as without correct management no infrastructure will be secure. We propose to help administrators manage their systems in two ways. First, we propose to develop techniques to mine the proofs accompanying access requests to predict how implemented security policies need to change to reflect the intentions of policy makers. Second, we propose to develop a user interface for proof-carrying systems to enable administrators to more effectively audit the policy that they or others have configured, and to examine how that policy is enabling or preventing accesses attempted by users of the system.
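As an added illustration of the framework's central idea (the formal logic of the abstract and of item 1, in which a proof of compliance is generated automatically from credentials expressing trust relationships and from properties asserted by a non-logical enforcement mechanism, and is then checked independently of how it was found), the following Python sketch is not code from the project or its authors. It assumes a toy logic with three rules: a signed credential is accepted as-is; an owner's delegation of a resource lets the delegate's grants count as the owner's; and an "enforce" step accepts a sandbox's asserted confinement of a user only when the resource owner has declared trust in that sandbox. The principals (alice, bob, carol, sandbox1), the resource path and the HMAC keys standing in for signatures are all constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed demo keys: stand-ins for principals' signing keys (hypothetical; a
# deployment would use public-key signatures rather than shared HMAC secrets).
KEYS = {"alice": b"key-alice", "bob": b"key-bob", "sandbox1": b"key-sandbox1"}


@dataclass(frozen=True)
class Says:
    """'principal says fact': the basic judgement of the authorization logic."""
    principal: str
    fact: tuple  # e.g. ("may", "carol", "read", "/secret")


@dataclass(frozen=True)
class Credential:
    stmt: Says
    sig: bytes


@dataclass(frozen=True)
class Proof:
    rule: str          # "cred", "delegate" or "enforce"
    conclusion: Says
    premises: tuple    # sub-proofs; for "cred", exactly one Credential


def _msg(stmt: Says) -> bytes:
    return repr((stmt.principal, stmt.fact)).encode()


def sign(principal: str, fact: tuple) -> Credential:
    stmt = Says(principal, fact)
    return Credential(stmt, hmac.new(KEYS[principal], _msg(stmt), hashlib.sha256).digest())


def verify(cred: Credential) -> bool:
    key = KEYS.get(cred.stmt.principal)
    if key is None:
        return False
    return hmac.compare_digest(hmac.new(key, _msg(cred.stmt), hashlib.sha256).digest(), cred.sig)


def prove(goal: Says, creds: list, seen=frozenset()) -> Optional[Proof]:
    """Backward-chaining proof search over the credential bag; None if no proof exists."""
    if goal in seen:                 # guards against cyclic delegation
        return None
    seen = seen | {goal}
    for c in creds:                  # rule "cred": the goal is stated directly
        if c.stmt == goal:
            return Proof("cred", goal, (c,))
    A, f = goal.principal, goal.fact
    if f[0] == "may":                # rule "delegate": A says delegate(B, R), B says may(U, op, R)
        R = f[3]
        for c in creds:
            if c.stmt.principal == A and c.stmt.fact[0] == "delegate" and c.stmt.fact[2] == R:
                sub = prove(Says(c.stmt.fact[1], f), creds, seen)
                if sub:
                    return Proof("delegate", goal, (Proof("cred", c.stmt, (c,)), sub))
    if f[0] == "ok":                 # rule "enforce": may + trusted monitor's confinement assertion
        _, U, op, R = f
        for t in creds:
            if t.stmt.principal == A and t.stmt.fact[0] == "trusts":
                for m in creds:
                    if m.stmt == Says(t.stmt.fact[1], ("confined", U, R)):
                        sub = prove(Says(A, ("may", U, op, R)), creds, seen)
                        if sub:
                            return Proof("enforce", goal,
                                         (sub, Proof("cred", t.stmt, (t,)), Proof("cred", m.stmt, (m,))))
    return None


def check(p: Proof) -> bool:
    """Independent checker: every leaf is a verified credential, every step fits a rule."""
    if p.rule == "cred":
        if len(p.premises) != 1:
            return False
        c = p.premises[0]
        return isinstance(c, Credential) and c.stmt == p.conclusion and verify(c)
    if not all(isinstance(q, Proof) and check(q) for q in p.premises):
        return False
    A, f = p.conclusion.principal, p.conclusion.fact
    if p.rule == "delegate" and f[0] == "may" and len(p.premises) == 2:
        d, sub = p.premises[0].conclusion, p.premises[1].conclusion
        return d == Says(A, ("delegate", sub.principal, f[3])) and sub.fact == f
    if p.rule == "enforce" and f[0] == "ok" and len(p.premises) == 3:
        _, U, op, R = f
        may, t, m = (q.conclusion for q in p.premises)
        return (may == Says(A, ("may", U, op, R))
                and t == Says(A, ("trusts", m.principal))
                and m.fact == ("confined", U, R))
    return False


def demo():
    """Constructed scenario: returns (proof found and checks, fails without sandbox, tampered rejected)."""
    creds = [
        sign("alice", ("delegate", "bob", "/secret")),       # alice delegates /secret to bob
        sign("bob", ("may", "carol", "read", "/secret")),    # bob grants carol read access
        sign("alice", ("trusts", "sandbox1")),               # alice accepts sandbox1's assertions
        sign("sandbox1", ("confined", "carol", "/secret")),  # sandbox1 asserts carol is confined
    ]
    goal = Says("alice", ("ok", "carol", "read", "/secret"))
    proof = prove(goal, creds)
    without_sandbox = prove(goal, creds[:3])
    forged = Proof("cred", creds[1].stmt, (Credential(creds[1].stmt, b"\x00" * 32),))
    return proof is not None and check(proof), without_sandbox is None, check(forged)


if __name__ == "__main__":
    print(demo())
```

The point of separating `prove` from `check` is the one the abstract relies on: the prover may be arbitrarily clever or untrusted (it could run on the requester's side, or at whichever mediation point has spare capacity), while the resource monitor only needs the small, auditable `check`, which re-verifies every credential and every inference step. The sandbox's assertion is just another signed statement, but it only contributes to a proof through a rule that also demands the owner's explicit trust in that mechanism.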