Department of Theoretical and Applied Science University of Insubria Barbara Carminati, Elena Ferrari, Michele Guglielmi Policies for Composed Emergencies in Support of Disaster Management European Office of Aerospace Research & Development

Policies for Composed Emergencies in Support of Disaster Management

Page 1: Policies for Composed Emergencies in Support of Disaster Management

Department of Theoretical and Applied Science, University of Insubria

Barbara Carminati, Elena Ferrari, Michele Guglielmi

Policies for Composed Emergencies in Support of Disaster Management

European Office of Aerospace Research & Development

Page 2: Policies for Composed Emergencies in Support of Disaster Management

Emergency Management

Information Sharing

Hurricane Katrina, 9/11 Attack, Fukushima

Page 3: Policies for Composed Emergencies in Support of Disaster Management

Traditional vs Emergency Access Control

Traditional access control models are regulated by a proper set of pre-defined access control policies.

An Emergency access control model should (during an emergency) bypass the regular access control policies and grant users access to resources not normally authorized.

Downgrading of information security

Temporary, Controlled, Timely

B. Carminati, E. Ferrari, and M. Guglielmi, Secure information sharing on support of emergency management. In Proceedings of the Third IEEE International Conference on Information Privacy, Security, Risk and Trust (PASSAT).

Page 4: Policies for Composed Emergencies in Support of Disaster Management

Emergency Access Control Model

Emergency Detection

Temporary access control policies

Emergency Obligations

Complex Event Processing (CEP)

Emergency Policy

Page 5: Policies for Composed Emergencies in Support of Disaster Management

Access Control Model

Emergency Descriptions (init, end, timeout, priority)

Temporary Access Control Policies (sbj, obj, priv, obl)

Emergency Policy (emg, tacp, obl)

Explosion {
  init: PS1 p1  PS1 = σ(pressure > 100)(PipeSensors);
  end: PS2 p2  PS2 = σ(pressure ≤ 100)(PipeSensors);
  timeout: ∞;
  priority: high;
}

SteamFilesPol {
  sbj: EPA Agents
  obj: SteamFiles
  priv: read
  obl: null
}

ExplosionPol {
  emg: Explosion
  tacp: SteamFilesPol
  obl: FacilityEvacuation
}

Page 6: Policies for Composed Emergencies in Support of Disaster Management

Composed Emergency

There exist critical scenarios that cannot be handled by emergency policies:

combination of different emergency situations that may give rise to a new and more critical emergency, requiring a response plan different from those plans already in place for the atomic emergencies

Sometimes it is necessary to override the tacps and obligations that have been activated as response plans of sub-emergencies with the tacps/obligations of the composed emergency

Composed Emergencies, Composed Emergency Policies, Overriding Strategies

Page 7: Policies for Composed Emergencies in Support of Disaster Management

Reference Scenario

MapsFilesPol { sbj: FireFighters obj: MapsFiles priv: read }

obl: 1. FireFightersCall 2. PoliceCall

ChemicalFilesPol { sbj: EPA Agents obj: ChemicalFiles priv: read }

obl: Facility Evacuation

SteamFilesPol { sbj: EPA Agents obj: SteamFiles priv: read }

obl: Warn EPA

Fire Alarm, Explosion, Toxic Material Loss

Industrial Company Facility Scenario

Page 8: Policies for Composed Emergencies in Support of Disaster Management

Reference Scenario

FireAlarm, Explosion, ToxicMaterialLoss

Ecological Disaster

AllFilesPol { sbj: DHS Agents obj: AllFiles priv: read }

obl: Warn DHS

Page 9: Policies for Composed Emergencies in Support of Disaster Management

Composed Emergency

A composed emergency ce is a pair (combination, pr), where pr ∈ {high, low} indicates the priority of the composed emergency, whereas combination: Pattern

multiple occurrence
a sequence
a negation

EcologicalDisaster = (Pattern, high)

Pattern = FireAlarm, Explosion[FireAlarm, 1h], ToxicMaterialLoss[Explosion, 3h]

Page 10: Policies for Composed Emergencies in Support of Disaster Management

Emergency Policy

An emergency policy is a tuple: (emg, tacps, obligations, overriding) where:

emg: is an atomic or composed emergency
tacps: is a set of pairs (tacp, exception)
obligations: is a set of pairs (obl, exception)
overriding: consists of (tacpOver, oblOver), whose values in {maintain, delete, block} denote the overriding strategies for tacps/obligations, respectively.

exception ∈{true,false} denotes the exception value.

Page 11: Policies for Composed Emergencies in Support of Disaster Management

Emergency Policy

FireAlarm
-tacps = (FacilityMapsFilesPol, true)
-obligations = (FireFightersCall, true), (PoliceCall, false)
-priority = low

Explosion
-tacps = (SteamFilesPol, true)
-obligations = (FacilityEvacuation, true)
-priority = high

ToxicMaterialLoss
-tacps = (ChemicalFilesPol, true)
-obligations = (warnEPA, true)
-priority = high

EcologicalDisasterEP
-emg = EcologicalDisaster
-tacps = (AllFilesPol, true)
-obligations = (warnDHS, true)
-overriding = (delete, delete)

deleted / maintained

Page 12: Policies for Composed Emergencies in Support of Disaster Management

Composed Emergency

The introduction of policies for composed emergencies brings new issues:

when a composed emergency is triggered, its sub-emergencies have been already instantiated and their tacps and obligations have been already activated

the time needed to instantiate the new emergency could be large since for each of the already inserted tacps/obligations it should be determined whether it has to be maintained, deleted or blocked

Emergency Composition Tree

Page 13: Policies for Composed Emergencies in Support of Disaster Management

ECT Node

An Emergency Composition Tree node has the following attributes:

tacps
obligations
priority ∈ {high, low}

tacpOver ∈ {maintain, delete, block}
oblOver ∈ {maintain, delete, block}

tacpToDelete
oblToDelete
tacpToBlock
oblToBlock

Page 14: Policies for Composed Emergencies in Support of Disaster Management

ECT Example

EcologicalDisaster
-tacps = (AllFilesPol, true)
-obligations = (warnDHS, true)
-priority = high
-tacpOver = delete
-oblOver = delete
-tacpToDelete = { }
-oblToDelete = { PoliceCall }

FireAlarm
-tacps = (FacilityMapsFilesPol, true)
-obligations = (FireFightersCall, true), (PoliceCall, false)
-priority = low

Explosion
-tacps = (SteamFilesPol, true)
-obligations = (FacilityEvacuation, true)
-priority = high

WaterContamination
-tacps = (WaterFilesPol, false)
-obligations = (WaterMaintenanceCall, false)
-priority = low

AirContamination
-tacps = (GasFilesPol, false)
-obligations = (GasMaintenanceCall, false)
-priority = high

ToxicMaterialLoss
-tacps = (ChemicalFilesPol, true)
-obligations = (warnEPA, true)
-priority = high
-tacpOver = delete
-oblOver = block
-tacpToDelete = { WaterFilesPol }
-oblToBlock = { WaterMaintenanceCall }

Page 15: Policies for Composed Emergencies in Support of Disaster Management

ECT Enforcement

For a policy associated with a composed emergency, the enforcement consists of the following steps:

retrieval of the ECT node related to the emergency

reading of the tacps and obligations attributes

enforcement of the retrieved tacps/obligations

reading of the overriding lists

execution of the overriding operations

Page 16: Policies for Composed Emergencies in Support of Disaster Management

ECT Enforcement Example

EcologicalDisaster
-tacps = (AllFilesPol, true)
-obligations = (warnDHS, true)
-priority = high
-tacpOver = delete
-oblOver = delete
-tacpToDelete = { }
-oblToDelete = { PoliceCall }

FireAlarm
-tacps = (FacilityMapsFilesPol, true)
-obligations = (FireFightersCall, true), (PoliceCall, false)
-priority = low

Explosion
-tacps = (SteamFilesPol, true)
-obligations = (FacilityEvacuation, true)
-priority = high

WaterContamination
-tacps = (WaterFilesPol, false)
-obligations = (WaterMaintenanceCall, false)
-priority = low

AirContamination
-tacps = (GasFilesPol, false)
-obligations = (GasMaintenanceCall, false)
-priority = high

ToxicMaterialLoss
-tacps = (ChemicalFilesPol, true)
-obligations = (warnEPA, true)
-priority = high
-tacpOver = delete
-oblOver = block
-tacpToDelete = { WaterFilesPol }
-oblToBlock = { WaterMaintenanceCall }

Page 17: Policies for Composed Emergencies in Support of Disaster Management

Indexing Data Structure

The same emergency could be part of one or more composed emergencies, therefore to avoid storage of redundant information we make use of an indexing data structure.

The position is encoded as index[emg] = (tj, lm, cn) where
tj denotes an ECT
lm and cn denote the position of the node related to emg in tj (i.e., its level lm and relative position cn in the level, from left to right).

Page 18: Policies for Composed Emergencies in Support of Disaster Management

Indexing Data Structure

Suppose we have the following ECTs:

nce1
  nce2  nce3

nce4
  nce5  nce6  nce2

index[ce1] = (nce1,0,0)
index[ce2] = (nce1,1,0), (nce4,1,2)
index[ce3] = (nce1,1,1)

index[ce4] = (nce4,0,0)
index[ce5] = (nce4,1,0)
index[ce6] = (nce4,1,1)
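
The enforcement steps and the index lookup described above, as an added example that is not the authors' code: it loads the tree from the ECT Example slide, resolves each emergency through index[emg] and applies the node's overriding lists. The tree key "ED", the snake_case attribute names, treating delete as removal and block as suspension, and enforcing leaf nodes with the same routine are assumptions.

```python
# Added illustration, not the authors' prototype. Attributes follow the ECT node slide;
# the tree key "ED" and delete/block semantics (remove vs. suspend) are assumptions.
from dataclasses import dataclass, field

@dataclass
class ECTNode:
    tacps: list          # pairs (tacp, exception)
    obligations: list    # pairs (obl, exception)
    priority: str
    tacp_to_delete: set = field(default_factory=set)
    obl_to_delete: set = field(default_factory=set)
    tacp_to_block: set = field(default_factory=set)
    obl_to_block: set = field(default_factory=set)

# One ECT stored level by level, nodes left to right (built from the ECT Example slide).
ECTS = {"ED": [
    [ECTNode([("AllFilesPol", True)], [("warnDHS", True)], "high", obl_to_delete={"PoliceCall"})],
    [ECTNode([("FacilityMapsFilesPol", True)], [("FireFightersCall", True), ("PoliceCall", False)], "low"),
     ECTNode([("SteamFilesPol", True)], [("FacilityEvacuation", True)], "high"),
     ECTNode([("ChemicalFilesPol", True)], [("warnEPA", True)], "high",
             tacp_to_delete={"WaterFilesPol"}, obl_to_block={"WaterMaintenanceCall"})],
    [ECTNode([("WaterFilesPol", False)], [("WaterMaintenanceCall", False)], "low"),
     ECTNode([("GasFilesPol", False)], [("GasMaintenanceCall", False)], "high")],
]}
INDEX = {"EcologicalDisaster": ("ED", 0, 0), "FireAlarm": ("ED", 1, 0),
         "Explosion": ("ED", 1, 1), "ToxicMaterialLoss": ("ED", 1, 2),
         "WaterContamination": ("ED", 2, 0), "AirContamination": ("ED", 2, 1)}  # (tree, level, pos)

def enforce(emg, state):
    tree, level, pos = INDEX[emg]                 # 1. retrieve the ECT node
    node = ECTS[tree][level][pos]
    for kind, entries, to_delete, to_block in (
            ("tacps", node.tacps, node.tacp_to_delete, node.tacp_to_block),
            ("obligations", node.obligations, node.obl_to_delete, node.obl_to_block)):
        active = state[kind]
        for name, _exception in entries:          # 2-3. read and enforce
            active[name] = "active"
        for name in to_delete:                    # 4-5. read lists, run overrides
            active.pop(name, None)
        for name in to_block & set(active):
            active[name] = "blocked"
    return state

def run_scenario():
    state = {"tacps": {}, "obligations": {}}
    for emg in ("FireAlarm", "Explosion", "WaterContamination", "AirContamination",
                "ToxicMaterialLoss", "EcologicalDisaster"):
        enforce(emg, state)
    return state
```

After the full sequence, WaterFilesPol and PoliceCall are no longer in force and WaterMaintenanceCall is suspended, while every other tacp and obligation stays active.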

Page 19: Policies for Composed Emergencies in Support of Disaster Management

ECT Generation

In order to generate all ECTs associated with composed emergencies, we have defined an algorithm:

It receives as input the policy base containing policies for composed emergencies and returns the set of created ECTs and the associated indexing structure.

O(m × max(n) × (max(nt) + max(no)))

m = the number of composed emergencies
max(n) = the maximum number of sub-emergencies involved at any level in a composed emergency
max(nt) = the maximum number of tacps associated with policies of all sub-emergencies
max(no) = the maximum number of obligations associated with policies of all sub-emergencies

Page 20: Policies for Composed Emergencies in Support of Disaster Management

Enforcement Analysis

Thanks to ECTs and the indexing data structure, composed emergency enforcement is efficient:

retrieval of the ECT node related to the emergency: O(l × c)

reading of the tacps and obligations attributes: O(nt + no)

enforcement of the retrieved tacps/obligations: O(nt + no)

reading of the overriding lists: O(max(nl))

execution of the overriding operations: O(max(nl))

O(l × c + nt + no + max(nl))

Page 21: Policies for Composed Emergencies in Support of Disaster Management

Prototype

Web Application

EmergencyManager

StreamBaseServer

Web Server

EmergencyHandler

User

php

Access Control Repository

Extend the prototype with the support for composed emergencies

Page 22: Policies for Composed Emergencies in Support of Disaster Management

Conclusions

Composed Emergency & Emergency Policies

A suitable data structure for an efficient enforcement

Future Work

Investigate more complex combination patterns.

Incremental maintenance strategies of the ECT data structure

Complement our system with new cloud computing techniques