Usage Automata Massimo Bartoletti Dipartimento di Matematica e Informatica Università degli Studi di Cagliari

UsageAutomata · Security Automata (Fred B. Schneider. Enforceable Security Policies, 2000) • Security automata are a class of Büchi automata that exactly characterizes safety


Page 1

Usage Automata

Massimo Bartoletti

Dipartimento di Matematica e Informatica, Università degli Studi di Cagliari

Page 2

Usage control

• Running programs and services requires using computational resources
• Must be done according to a given usage policy
• History-based security:
  – histories = sequences of security-relevant events
  – usage policy = predicate on sets of histories
• We are interested in usage policies that can be enforced by execution monitoring
• This coincides with the class of safety properties
  – deciding rejection of a history must be done in isolation of other possible histories, and only depends on the past
  – any rejected history must be rejected in a finite period

Page 3

Security Automata
(Fred B. Schneider. Enforceable Security Policies, 2000)

• Security automata are a class of Büchi automata that exactly characterizes safety properties.
• A security automaton is defined by:
  – a countable set I of input symbols,
  – a countable set Q of states,
  – a countable set Q0 ⊆ Q of initial states,
  – a transition function δ : (Q × I) → 2^Q
• Using infinite sets for states and symbols is needed when the policy has to control actions on targets ranging over infinite domains
  – ex: ∀x,y do not allow write(x) after read("/home/", y)

Page 4

The problem

• Security Automata are not good for writing policies over infinite domains (requires infinite paper…)
• Schneider uses Dijkstra's Guarded Commands to write example policies over infinite domains
• The relation between GC and SA is not clear:
  – are GC more expressive than SA?
  – do (general) GC allow for execution monitoring?
  – how far are GC statically amenable?
• I would like to have a formalism that allows for:
  – (finitely) expressing usage policies over ∞ domains
  – execution monitoring (but not Turing-equivalent)
  – static reasoning (a program always respects a policy)

Page 5

A usage automaton

[figure: a usage automaton diagram; not recoverable from the text]

x, y are universally quantified variables

Page 6

Another usage automaton

[figure: Chinese Wall usage automaton; only the guarded edge label below survives in the text]

read(z,y) when z != x

Chinese Wall: reading an object z is denied after having read an object x in the same conflict of interest class y

read(oil1, Oil) read(bank1, Bank) read(oil2, Oil) violates the policy

Page 7

Usage automata

• A usage automaton is defined by:
  – a finite set of labels α(ρ1,…,ρk), ρ ∈ Res ∪ Var
  – a finite set of states Q (with a start state q0 ∈ Q)
  – a finite set of (offending) states F ⊆ Q
  – a finite set of labelled transitions of the form:

    q --α(ρ1,…,ρk) : g--> q'

• A guard g expresses a (equality / inequality) relation between variables and resources.

    g ::= true | ρ = ρ' | not g | g and g

Page 8

Expressible policies

• Usage automata can express a (strict) subset of the policies expressible through security automata
• Main limitation: guards
  – can only check equality / inequality between resources
  – compromise between expressive vs. analysable
• Although limited, they can express interesting policies:
  – Access control: a resource can be accessed if the access right was granted and not later revoked
  – Isolation: can only read/write the files you have created
  – SecBB: set of policies for a Secure Bulletin Board
  – Find more at: jalapa.sourceforge.net

Page 9

• Semantics can be given by mapping a usage automaton φ into a security automaton
• We prefer to map φ into a finite set of FSA
  – a history η respects φ iff η is accepted by all the FSA obtained from all the possible instantiations of the variables of φ into actual resources
  – nice specification, but may produce an infinite set of automata with finite states (and infinite edges)

[figure: the usage automaton edge q1 --α(y) : y ≠ x--> q2 and its instantiations α(r_i), α(r_{i-1}), α(r_{i+1}), … over Res = { r0, r1, r2, … }]

Page 10

• To obtain a finite set of FSA, make the mapping dependent on the η we are checking
• Instantiate φ on:
  – all the resources contained in η, and
  – all the resources mentioned in φ, and
  – a finite set of "unborn" resources #1 … #k (k is the number of variables of φ)
• This is sound w.r.t. "instantiate on all the resources in the universe"
• But, is this suitable for execution monitoring?


Page 11

Execution monitoring

• To decide if η respects φ, we have to inspect the whole η (and compute |res(η)|^k instantiations)
• But η = execution history: will grow unbounded
• Semantics unsuitable for execution monitoring!
• Solution: instead of instantiation, "abstract" execution of usage automata
  – configurations: S = { (σ1,Q1), … , (σn,Qn) } where σ : Var → Res

[figure: S1 --η[0]--> S2 --η[1]--> … --η[i]--> Si+1, one configuration per consumed event]

Page 12

Execution monitoring

• History accepted as long as the states Q1,…,Qn of the current configuration Si are disjoint from the offending states
• Coherent w.r.t. the semantics of usage automata
• Consumes one event at each step (keeping the full history is no longer required)
• Still, configurations may grow large! Ways to keep them small:
  – typed variables and resources
  – use wildcards *, - in usage automata
  – lazy instantiation of new σ
  – garbage collection of disposed resources
  – factorization of states

Page 13

Some expressiveness issues

• Polyadic α(r1,…,rn) vs. monadic α(r) events
  – polyadic can be encoded into monadic
• Different choices for relational operators:
  – negated arguments: α(¬x), α(x,¬y)
  – wildcards: α(*,y), α(x,-)
  – guards: α(z) when z ≠ x
  – expressive power not comparable
• Arity of usage automata vs. expressive power
  – the expressive power increases as the number of variables increases

Page 14

Deflating Lemma

• Let φ be a usage automaton with k variables
• If η violates φ, you can "collapse" the resources of η to k resources and still obtain a violation
• Consider e.g. the policy Diff(k): "a program cannot use more than k distinct resources".
• Diff(k) can be expressed by a UA with k+1 vars:

[figure: chain of transitions q1 --α(x1) : x1 ≠ x0--> … --α(xk) : xk ≠ xk-1 ∧ … ∧ x1 ≠ x0--> qk+1]

• By the deflating lemma, Diff(k) is not expressible with k' < k+1 variables
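Added example (not the slides' own code, nor the jalapa tool's): a usage automaton with variables and equality/inequality guards as defined on page 7, the instantiation semantics of page 10 (instantiate φ on res(η) ∪ res(φ) ∪ {#1..#k} and run every FSA over the whole history), and the configuration-based execution monitor of pages 11-12 with lazy instantiation of σ. It is exercised on the read/write policy of page 3, the Chinese Wall automaton of page 6 (with the violating history given there) and the Diff(k) automaton of this page. Assumptions made here: variables are strings starting with `?`, resources are other strings, `#i` names the unborn resources, an event that matches no edge leaving a state self-loops on it, the action of Diff(k) is called `use`, the first edge q0 --α(x0)--> q1 that the figure does not show, and all Python names (`UsageAutomaton`, `Monitor`, `diff`, …) are mine.

```python
from itertools import product

# Added illustration, not the slides' or the jalapa tool's code.  Encoding assumed here:
# variables are strings starting with '?', resources are other strings (never starting with
# '#', reserved for the "unborn" resources #1..#k); an event is (action, tuple_of_resources);
# a guard is a list of atoms (rho, rho', equal) read as a conjunction; an event matching no
# edge leaving a state self-loops on it; a history is rejected at the first step in which
# some instantiation reaches an offending state.

def is_var(rho):
    return rho.startswith("?")

class UsageAutomaton:
    """Edges are (q, action, params, guard, q'); params mix variables and resources."""

    def __init__(self, q0, offending, edges):
        self.q0, self.offending, self.edges = q0, frozenset(offending), edges
        atoms = [p for e in edges for p in e[2]] + [r for e in edges for g in e[3] for r in g[:2]]
        self.vars = sorted({a for a in atoms if is_var(a)})
        self.res = {a for a in atoms if not is_var(a)}            # resources mentioned in phi
        self.unborn = [f"#{i}" for i in range(1, len(self.vars) + 1)]

    def advance(self, sigma, states, event):
        """One step of the FSA obtained by instantiating phi with the total map sigma."""
        val = lambda rho: sigma[rho] if is_var(rho) else rho
        action, args = event
        nxt = set()
        for q in states:
            targets = {dst for src, act, params, guard, dst in self.edges
                       if src == q and act == action and len(params) == len(args)
                       and all(val(p) == a for p, a in zip(params, args))
                       and all((val(a) == val(b)) == eq for a, b, eq in guard)}
            nxt |= targets or {q}                                 # no matching edge: self-loop
        return frozenset(nxt)

    def first_violation_by_instantiation(self, history):
        """Page 10: instantiate phi on res(eta) ∪ res(phi) ∪ {#1..#k}, run every FSA over
        the whole history; index of the first event at which one reaches F, or None."""
        universe = sorted({r for _, args in history for r in args} | self.res) + self.unborn
        first = None
        for values in product(universe, repeat=len(self.vars)):
            sigma, states = dict(zip(self.vars, values)), frozenset([self.q0])
            for i, ev in enumerate(history):
                states = self.advance(sigma, states, ev)
                if states & self.offending:
                    first = i if first is None else min(first, i)
                    break
        return first

class Monitor:
    """Abstract execution of pages 11-12: S = {(sigma, Q)}.  A variable not yet tied to a
    resource of the history maps to an unborn #i; when a resource first appears, each
    configuration holding an unborn slot is copied with that slot filled (lazy instantiation
    of sigma) and the original is kept for the resources still to come."""

    def __init__(self, ua):
        self.ua, self.seen = ua, set(ua.res)
        domain = sorted(ua.res) + ua.unborn
        self.configs = {(tuple(zip(ua.vars, vals)), frozenset([ua.q0]))
                        for vals in product(domain, repeat=len(ua.vars))}

    def _spawn(self, r):
        for sigma, states in list(self.configs):
            for ph in {v for _, v in sigma if v.startswith("#")}:
                self.configs.add((tuple((x, r if v == ph else v) for x, v in sigma), states))

    def step(self, event):
        """Consume one event; True iff the history so far still respects phi."""
        for r in event[1]:
            if r not in self.seen:
                self.seen.add(r)
                self._spawn(r)
        self.configs = {(sigma, self.ua.advance(dict(sigma), states, event))
                        for sigma, states in self.configs}
        return all(not (states & self.ua.offending) for _, states in self.configs)

def first_violation_by_monitor(ua, history):
    """Feed events one at a time (no stored history); index of the first rejected one, or None."""
    m = Monitor(ua)
    for i, ev in enumerate(history):
        if not m.step(ev):
            return i
    return None

# Page 3's policy: no write(x) after read("/home/", y).  "/home/" is a resource of phi.
NO_WRITE_AFTER_HOME_READ = UsageAutomaton("q0", {"q2"}, [
    ("q0", "read", ("/home/", "?y"), [], "q1"),
    ("q1", "write", ("?x",), [], "q2")])

# Page 6's Chinese Wall: read(x, y), then read(z, y) with z != x, is a violation.
CHINESE_WALL = UsageAutomaton("q0", {"q2"}, [
    ("q0", "read", ("?x", "?y"), [], "q1"),
    ("q1", "read", ("?z", "?y"), [("?z", "?x", False)], "q2")])

def diff(k):
    """Diff(k) of page 14 as read here: k+1 variables x0..xk, edge i from q_i to q_(i+1)
    guarded by x_i != x_j for all j < i, offending state q_(k+1); action name 'use' assumed."""
    edges = [(f"q{i}", "use", (f"?x{i}",), [(f"?x{i}", f"?x{j}", False) for j in range(i)],
              f"q{i + 1}") for i in range(k + 1)]
    return UsageAutomaton("q0", {f"q{k + 1}"}, edges)
```

On the constructed history read(oil1, Oil) read(bank1, Bank) read(oil2, Oil), both `first_violation_by_monitor(CHINESE_WALL, …)` and `CHINESE_WALL.first_violation_by_instantiation(…)` report the third event (index 2), while the two-event prefix and read(oil1, Oil) read(oil1, Oil) are accepted; `diff(2)` rejects use(a) use(b) use(c) at the third event and accepts use(a) use(b) use(a). The agreement between the two functions is the "coherent w.r.t. semantics" claim of page 12: an unbound variable behaves exactly like an unborn resource until that resource is first seen, so binding it at that moment loses nothing. The price is visible in `Monitor.configs`, which is bounded by (|res(η)| + |res(φ)| + k)^k entries; that growth is why page 12 lists typing, wildcards and garbage collection as remedies.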

Page 15

Dynamic vs. static enforcement

• Run-time enforcement may be inefficient
• Alternative: static enforcement
  – only run programs that are guaranteed to obey the policies on demand, for each possible execution
  – then, you can safely turn off the run-time monitor
• Static approximation of programs: usages
  – a sort of behavioural types
  – inferred through type & effect systems, CFA, …
  – independent from the actual calculus/language used for writing programs

Page 16

    U,V ::= ε | h | α(r1,…,rk) | U ⋅ V | U + V | µh.U | νn.U | φ[U]

    νn.U : restriction        φ[U] : local policy

Page 17

Model checking usage automata
(joint work with P. Degano, G.L. Ferrari, R. Zunino)

• We want to reuse standard, efficient techniques for model checking Basic Process Algebras w.r.t. Finite State Automata:

    [[ BPA(U) ]] ∩ [[ FSA(φ) ]] = ∅

• Problem: validity is non-regular!

    µh. νn. ( new(n) ⋅ α(n) + h ⋅ h + φ[h] )

  – unbounded balanced parentheses φ[..φ[..φ[..]..]..]
  – infinite number of freshly generated resources
  – BPAs have no restriction νn

Page 18

Model checking usage automata

• Model checking recovered in two steps:
  – usages are transformed to remove the redundant nestings φ[⋅⋅φ[⋅⋅]⋅⋅]
  – usages are "Skolemized" to remove the restrictions νn. For φ with arity k, it suffices to use k+1 witnesses.
• A correct and complete model checking technique for deciding the validity of usages
  – all the approximations are done while constructing U
• The computational complexity is PTIME in the size of U (but EXPTIME in the arity of φ)

Page 19

Securing Java with usage automata
(joint work with G. Costa and R. Zunino)

[figure: not recoverable from the text]

Page 20

Securing Java with usage automata
(joint work with G. Costa and R. Zunino)

[figure: not recoverable from the text]

Page 21

Conclusions

• A new formalism for specifying usage policies
• An execution monitor coherent with the semantics
• An efficient verification algorithm for deciding when a usage respects the policies on demand
• A tool for model checking usage automata
• Applied to define a new security model for Java
• Unexplored issues:
  – existential quantification (for delegation policies)
  – tracking calls and returns (for checking return values)