An Integrated Model for Access Control and Information Flow Requirements
Current information systems are increasingly complex and require more interactions between different components and users. Ensuring system security therefore cannot be limited to an access control model; it is also essential to deal with the information flows in a system. Thus, an important function of a security policy is to enforce access to the different system elements and to supervise information flows at the same time. Several works have attempted to join models of access control and information flow together. Unfortunately, beyond the fact that the reference model they use is BLP, which is quite rigid, these works propose non-integrated models that merely juxtapose access control and information flow controls, or rely on a misuse of a mapping between the MLS and RBAC models. In this paper, we propose to formalize the DTE model in order to use it as a solution for flexible information flow control. We then integrate it into a single access control model expressive enough to handle both access and flow control security rules. The expressivity of the OrBAC model makes this integration possible and quite natural.
- Conference Article
- 10.2991/ameii-15.2015.195
- Jan 1, 2015
Fine-grained information flow tracking within the virtual machine is the basis for realizing transparent, program-level control on a cloud platform. When information flow control governs access to sensitive information in a process, the transfer of authority raises the process's security level so that it can no longer read or write non-sensitive data; such coarse-grained information flow control is difficult to reconcile with diverse practical demands. This paper proposes an extended DIFC (Distributed Information Flow Control) model. The model avoids the defect whereby a cloud platform virtual machine component that has read higher-level security-sensitive data then sends or modifies non-sensitive data through the transfer of authority, and it effectively overcomes the coarse granularity of existing information flow control methods and their inability to meet practical demands. The model guarantees the tracking and control of fine-grained information flows within virtual machine applications without affecting the operation of the original cloud service.
- Conference Article
- 10.1109/icws.2016.21
- Jun 1, 2016
Due to multi-tenancy, access control is a very important component in SaaS (Software as a Service), especially for controlling cross-tenant accesses. Due to the potential information flow among multiple tenants, information flow control should also be carefully addressed. Existing models for SaaS access control have some limitations, especially in information flow control. In this paper, we define a new SaaS-AIFC model to provide comprehensive and improved access and information flow control in SaaS. SaaS-AIFC incorporates two advanced features. First, SaaS-AIFC integrates the advanced role mapping technique to govern the cross-tenant accesses. Role mapping is very flexible and can be very efficient for SaaS with a large number of tenants. We integrate role mapping in SaaS by developing a detailed process for mapping establishment and retrieval during validation. Second, we propose a new IFC model in SaaS-AIFC, which tracks the dependency of data objects and uses the dependency information to achieve flexible information flow control. An architecture design for realizing the SaaS-AIFC model is also proposed.
- Research Article
- 10.1109/tsc.2015.2432795
- Nov 1, 2016
- IEEE Transactions on Services Computing
In multi-domain service-based systems, services from different domains are composed together to accomplish critical tasks. In these systems, data flows from one domain to another through the composed services, so security and trustworthiness are major concerns. Many access control models have been developed for service-based systems. Many data provenance schemes have also been proposed in recent years to support data quality assessment and enhancement, data reproduction, etc. However, none of the existing mechanisms consider both access control and data provenance in an integrated model. In this paper, we propose an integrated role-based access control and data provenance model to secure cross-domain interactions. We develop a role-based data provenance scheme which tracks the roles of the originators/contributors of a data object and uses this information to help evaluate data trustworthiness. We also make use of the data provenance information and the derived data quality attributes to assist with cross-domain access and information flow control. This integrated model mutually enhances data provenance and access control, providing better security and trustworthiness for many multi-domain service-based applications.
- Research Article
- 10.1016/j.jss.2021.111138
- Nov 10, 2021
- Journal of Systems and Software
The security of software-intensive systems is frequently attacked. High fines or loss of reputation are potential consequences of failing to maintain confidentiality, which is an important security objective. Detecting confidentiality issues in early software designs enables cost-efficient fixes. A Data Flow Diagram (DFD) is a modeling notation that focuses on the essential, functional aspects of such early software designs. Existing confidentiality analyses on DFDs support either information flow control or access control, which are the most common confidentiality mechanisms. Combining both mechanisms can be beneficial, but existing DFD analyses do not support this. This lack of expressiveness requires designers to switch modeling languages to consider both mechanisms, which can lead to inconsistencies. In this article, we present an extended DFD syntax that supports modeling both information flow and access control in the same language. This improves expressiveness compared to related work and avoids inconsistencies. We define the semantics of extended DFDs by clauses in first-order logic. A logic program made of these clauses enables the automated detection of confidentiality violations by querying it. We evaluate the expressiveness of the syntax in a case study: we attempt to model nine information flow cases and six access control cases, and successfully model fourteen of these fifteen cases, which indicates good expressiveness. We evaluate the reusability of models when switching confidentiality mechanisms by comparing the cases that share the same system design, which are three pairs of cases, and show improved reusability compared to the state of the art. We evaluated the accuracy of the confidentiality analyses by executing them for the fourteen cases that we could model and observed good accuracy.
- Conference Article
- 10.1109/compsac.2015.195
- Jul 1, 2015
Cloud now provides a wide range of services hosted by different providers from different domains. These services can be composed together dynamically to realize important tasks. In a composite service, information may flow from one service to subsequent services from different domains. Such information flow, if not properly controlled, may cause undesired leakage of critical data. Existing works on access control for web services do not consider the information flow problem in composite services, and existing information flow control (IFC) techniques are not flexible and cannot work with domain-specific information flow control policies. In this paper, we define the WS-AIFC infrastructure for enforcing access and information flow control. The major goal of WS-AIFC is to provide a new IFC mechanism that allows each domain to define its own IFC policies while WS-AIFC remains capable of preventing undesired information leakage (IFC policy violations) among benign, semi-honest service domains. The main idea in WS-AIFC is to derive and record a dependency list for each data object. Upon receiving an access request to a critical data object, the system not only validates the conventional access control policy for the access, but also extracts the data and the corresponding domains in the dependency list and consults these domains to validate their IFC policies for the indirect access. In summary, WS-AIFC empowers individual domains to control how their information flows and achieves enhanced security for service-based systems.
- Conference Article
- 10.1109/sp.1981.10004
- Apr 1, 1981
Past work concerning operating system protection has focused on two notions: access control and information flow. Access control or protection-matrix based protection systems control the ways in which users may manipulate objects. Information flow or security-class based systems control the flow of information between users. Although it has been noted that both notions are essential to real protection systems, no previous work has compared the two notions or developed a protection model that integrates them. This paper compares and contrasts access control and information flow and supports the assertion that both notions are essential to real protection systems. It is argued that the military classification model of information flow poorly models reality, and a new information flow model based on the controlled sharing of secrets is introduced. A protection model that integrates access control and information flow is then developed and formally defined, and some example applications of this model are described.
- Book Chapter
- 10.1016/b978-0-12-415815-3.00023-6
- Jan 1, 2012
- Handbook on Securing Cyber-Physical Critical Infrastructure
Chapter 23 - Policies, Access Control, and Formal Methods
- Book Chapter
- 10.1007/978-3-540-25952-7_4
- Jan 1, 2004
In this paper, we describe the active network security model from the perspective of access control and information flow models. We present an access control policy for active networks called the family tree policy. The family tree policy can correctly represent active networks, which cannot be correctly modeled by the BLP and Chinese wall models. At the same time, we further study the information flow security properties of active networks and present novel methods for studying information flow based on inheriting classes. The properties of information flow are described in terms of the flow inside an inheriting class and the flow among different inheriting classes. For the flow inside an inheriting class, the classic information flow model can be used. For the flow among inheriting classes, we present a novel method based on the concepts of timestamp and flow.
- Research Article
- 10.15514/ispras-2017-29(3)-1
- Jan 1, 2017
- Proceedings of the Institute for System Programming of the RAS
In connection with the implementation by the Federal Service for Technical and Export Control of Russia of its Information Security Requirements for Operating Systems, this work analyzes ways of fulfilling the requirements of the functional component ADV_SPM.1 (Formal Security Policy Model), including defining the language, depth and detail of the presentation of the access control and information flow policy. Among other things, proposals are given on the composition of the main elements of the model and on the use of tools for its verification. The practical applicability of the proposed approaches is considered using the example of the description and verification of the mandatory entity-role security model for logical access control and information flows, which is the basis of the access control mechanism in the special-purpose operating system Astra Linux Special Edition.
- Book Chapter
- 10.4018/978-1-7998-0417-8.ch011
- Jan 1, 2020
With the advancement of web services technology, security has become an increasingly important issue. Various security standards have been developed to secure web services at the transport and message level, but the application level has received less attention. Security solutions at the application level focus on access control, which alone cannot ensure the confidentiality and integrity of information. The solution proposed in this paper consists of a hybrid model that combines access control (AC) and information flow control (IFC). The AC mechanism uses the concepts of roles and attributes to control user access to web services' methods. The IFC mechanism uses labels to control how roles access the system's objects and verifies the information flows between them to ensure information confidentiality and integrity. This manuscript describes the model, demonstrates the safety of the IFC model, and presents the modeling and implementation of the model together with a case study.
- Research Article
- 10.4018/ijitwe.2016010103
- Jan 1, 2016
- International Journal of Information Technology and Web Engineering
With the advancement of web services technology, security has become an increasingly important issue. Various security standards have been developed to secure web services at the transport and message level, but the application level has received less attention. Security solutions at the application level focus on access control, which alone cannot ensure the confidentiality and integrity of information. The solution proposed in this paper consists of a hybrid model that combines access control (AC) and information flow control (IFC). The AC mechanism uses the concepts of roles and attributes to control user access to web services' methods. The IFC mechanism uses labels to control how roles access the system's objects and verifies the information flows between them to ensure information confidentiality and integrity. This manuscript describes the model, demonstrates the safety of the IFC model, and presents the modeling and implementation of the model together with a case study.
- Book Chapter
- 10.1007/978-3-319-17040-4_13
- Jan 1, 2015
Some logic definitions applicable to a variety of access control and data flow control models are proposed. A formalization of the concepts of confidentiality and integrity is provided on the basis of the predicates CanKnow and CanStore. The application of these concepts is demonstrated for simplified versions of the following models: Coalitions, Multi-Level Systems, Role-Based Access Control, High Water Mark, and Chinese Wall. Formal definitions and proofs of invariant properties of these models in terms of our concepts are given. It then becomes apparent that these models have many possible variations and combinations, of which only a few have been studied. These concepts can be useful for developing proofs about access control models, automatically or manually, for developing new models, and for teaching access control and data flow control concepts.
- Research Article
- 10.1007/s10207-015-0275-z
- Feb 11, 2015
- International Journal of Information Security
Access control is an important part of security in software such as business applications, since it determines the access of users to objects and operations and the constraints on this access. Business and access control models are expressed using different representations. In addition, access control rules are generally not defined explicitly from access control models. Even though the business model and the access control model are two separate modeling abstractions, they are interconnected, as access control is part of any business model. Therefore, the first goal is to add access control models to business models using the same fundamental building blocks. The second goal is to use these models to define general access control rules explicitly, so that the connection between the models and their realizations is also present. This paper describes a new common representation for business models and classes of access control models based on the Resource-Event-Agent (REA) modeling approach to business models. In addition, the connection between models and the rules they represent is clearly defined. We present a uniform approach to business and access control models. First, access control primitives are mapped onto REA-based access control patterns. Then, REA-based access control patterns are combined to define access control models. Based on these models, general access control rules are expressed in Extended Backus-Naur Form.
- Research Article
- 10.1145/2491522.2491523
- Jul 1, 2013
- ACM Transactions on Programming Languages and Systems
Dedicated to the memory of John C. Reynolds (1935-2013). We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic.
- Conference Article
- 10.1109/sp.2011.12
- May 1, 2011
We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic. The system, theorems and examples have all been formalized in Coq.