@ MODULARITY: AOSD’13, FUKUOKA, JAPAN

Model-Driven Adaptive Delegation

Phu H. Nguyen, Gregory Nain, Jacques Klein, Tejeddine Mouelhi, and Yves Le Traon | March 28, 2013

SnT – Interdisciplinary Centre for Security, Reliability and Trust

University of Luxembourg

www.securityandtrust.lu

Outline

Background & Motivation
- Access Control & Delegation
- A Motivating Example
- Concretizing Security Policy

Model-Driven Adaptive Delegation
- How to specify security policies separately from business logic
- How to (dynamically) enforce security policies in the system
- Adaptation process

Evaluation

Conclusion & Future Work

Outline Background Approach Modeling Composing Adaptation Evaluation Conclusion

Phu H. Nguyen, Gregory Nain, Jacques Klein, Tejeddine Mouelhi, and Yves Le Traon –Model-Driven Adaptive Delegation March 28, 2013 2/29


Background

Access Control (AC)
- Administering access to resources by enforcing an AC policy.
- An AC policy (stored in an XACML file or a database) consists of a set of AC rules.
- AC models: Mandatory AC (MAC), Discretionary AC (DAC), Role Based AC (RBAC), Organization Based AC (OrBAC), etc.
- For example, with the OrBAC model a rule has the form Permission/Prohibition(Org, Role, Activity, View, Context):
  Permission(Library, Administrator, ModifyAccount, BorrowerAccount, WorkingDays)
  Prohibition(Library, Student, ModifyAccount, PersonnelAccount, Default)


A Motivating Example

Library Management System
- Books can be borrowed and returned on working days. When the library is closed, users cannot borrow books. When a book is already borrowed, a user can make a reservation for this book.
- User accounts are managed by an administrator (who creates, modifies and removes accounts for new users). A secretary can order books and add them to the LMS when they are delivered.
- The director of the library has the same accesses as the secretary and can also consult the accounts of the employees. The administrator and the secretary can consult all user accounts. All users can consult the list of books in the library.
- Three types of users: public users who can borrow 5 books for 3 weeks, students who can borrow 10 books for 3 weeks, and teachers who can borrow 10 books for 2 months.


An Example of AC policy

AC policy
- Entities: roles, activities, views and contexts.
- Policy: combinations of the entities with a status (permission/deny).


The PDP-PEP framework

Traditional architecture for managing access control [Morin2010]:
- Policy Decision Point (PDP) contains the policy.
- Policy Enforcement Points (PEPs) enforce the policy.


Limitations of the PDP-PEP framework

Problems with hard-coded access control mechanisms [Morin2010]:
- Implicit vs. explicit enforcement: the enforcement mechanism stays hidden in the code instead of being made explicit.
- Lack of support for (advanced) delegation features: how to specify and enforce delegation policies?


Delegation

- Delegation plays a key role in the administration mechanism [Ben-Ghorbel-Talbi2010].
- “Normal” users are themselves allowed to grant some authorizations by delegation.
- Delegation of rights allows a user (the delegator) to delegate his/her access rights to another user (the delegatee).
- Delegation of obligations (not yet considered in this paper).
- Some advanced delegation features: temporary delegation, transfer delegation, multiple delegation, multi-step delegation, etc.
- E.g., transfer (non-monotonic) delegation: the grantor loses the delegated permission for the duration of the delegation.


Some Delegation Situations

Simple delegation situations
- A secretary delegates her/his role to a librarian.
- The director delegates her/his permission of consulting personnel accounts to a secretary during her/his absence.


Some Delegation Situations (cont.)

More complex delegation situations
- A secretary transfers her/his role to a librarian.
- A secretary is allowed to delegate his/her role to a librarian only, and to one librarian at a given time.
- The director can delegate, on behalf of a secretary, the secretary’s role to a librarian (e.g. during the secretary’s absence).
- If a librarian empowered in the role secretary by delegation is no longer able to perform this task, then he/she can/cannot delegate, again, this role to another librarian.
- Users can always revoke their own delegations.
- The director can revoke users from their delegated roles.
- The role administrator is not delegable.
- And so on.


Concretizing Security Policy

Delegation rules impacting AC rules
- Context-aware AC rules & delegation rules.
- Deriving AC rules according to delegation rules.

Figure: the access control policy and the delegation policy each conform to (cft) their metamodel (access control metamodel, delegation metamodel). Context information impacts both the access control and delegation models; depending on both the context and the delegation rules, the appropriate access control rules are selected, i.e. the access control model is adapted according to the delegation specifications, which yields the active security policy.
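The derivation sketched in this figure, together with the delegation situations of the previous slides (transfer vs. grant, temporary delegation, revocation, the non-delegable administrator role), as an added worked example; this is illustrative code written for this page, not the authors' metamodels or Kermeta/ATL transformations. Context-aware OrBAC-style rules and delegation entries are combined into an active policy that has no context and no delegation left in it. The working-day context rule, the user names, the conflict-resolution choice (prohibitions win) and the rule that only a delegator or a director may revoke are all assumptions made here.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

Right = Tuple[str, str]  # (activity, view); the organisation "Library" is implicit

class AcRule(NamedTuple):  # context-aware OrBAC-style rule, as on the Background slide
    status: str            # "Permission" or "Prohibition"
    role: str
    activity: str
    view: str
    context: str           # named context, e.g. "WorkingDays" or "Default"

@dataclass
class Delegation:  # delegation of a whole role (role=...) or of a single right (right=...)
    delegator: str
    delegatee: str
    role: Optional[str] = None
    right: Optional[Right] = None
    transfer: bool = False    # transfer (non-monotonic): the delegator loses it meanwhile
    start: date = date.min    # temporary delegation: validity interval, inclusive
    end: date = date.max

def active_contexts(day: date) -> Set[str]:  # context information (constructed rule)
    return {"Default", "WorkingDays"} if day.weekday() < 5 else {"Default"}

NON_DELEGABLE_ROLES = {"Administrator"}  # "the role administrator is not delegable"

@dataclass
class SecurityPolicy:
    ac_rules: List[AcRule]
    user_roles: Dict[str, Set[str]]  # base role assignment
    delegations: List[Delegation] = field(default_factory=list)

    def delegate(self, d: Delegation) -> None:  # admit a delegation only if the rules allow it
        base = self.user_roles.get(d.delegator, set())
        held = {(r.activity, r.view) for r in self.ac_rules if r.status == "Permission" and r.role in base}
        if d.role in NON_DELEGABLE_ROLES or (d.role and d.role not in base) or (d.right and d.right not in held):
            raise ValueError(f"{d.delegator} may not delegate {d.role or d.right}")
        self.delegations.append(d)

    def revoke(self, by: str, d: Delegation) -> None:  # own delegations always; the director any
        if by != d.delegator and "Director" not in self.user_roles.get(by, set()):
            raise PermissionError(f"{by} may not revoke this delegation")
        self.delegations.remove(d)

    def effective_roles(self, user: str, day: date) -> Set[str]:  # base + received - transferred away
        roles = set(self.user_roles.get(user, set()))
        for d in (d for d in self.delegations if d.role and d.start <= day <= d.end):
            if d.delegatee == user:
                roles.add(d.role)
            if d.transfer and d.delegator == user:
                roles.discard(d.role)
        return roles

    def active_policy(self, day: date) -> Dict[str, Set[Right]]:  # user -> permitted rights on that day
        ctx = active_contexts(day)
        active: Dict[str, Set[Right]] = {}
        for user in self.user_roles:
            roles = self.effective_roles(user, day)
            hit = [r for r in self.ac_rules if r.role in roles and r.context in ctx]
            # prohibitions win over permissions (an assumed conflict-resolution strategy)
            active[user] = ({(r.activity, r.view) for r in hit if r.status == "Permission"}
                            - {(r.activity, r.view) for r in hit if r.status == "Prohibition"})
        for d in (d for d in self.delegations if d.right and d.start <= day <= d.end):
            active.setdefault(d.delegatee, set()).add(d.right)  # right-level delegations apply directly
            if d.transfer:
                active[d.delegator].discard(d.right)
        return active

# Constructed LMS sample: the rules follow the motivating example; the user names are invented.
LMS_RULES = [
    AcRule("Prohibition", "Student", "ModifyAccount", "PersonnelAccount", "Default"),
    AcRule("Permission", "Student", "BorrowBook", "Book", "WorkingDays"),
    AcRule("Permission", "Secretary", "OrderBook", "Book", "WorkingDays"),
    AcRule("Permission", "Director", "ConsultAccount", "PersonnelAccount", "Default"),
    AcRule("Permission", "Librarian", "ConsultList", "Book", "Default"),
]
LMS_USERS = {"alice": {"Administrator"}, "bob": {"Secretary"}, "carol": {"Librarian"}, "dave": {"Director"}, "eve": {"Student"}}

def lms_scenario() -> Dict[str, object]:  # play the delegation situations from the slides
    p = SecurityPolicy(LMS_RULES, LMS_USERS)
    absence = dict(start=date(2013, 3, 25), end=date(2013, 3, 29))
    transfer = Delegation("bob", "carol", role="Secretary", transfer=True, **absence)
    p.delegate(transfer)  # a secretary transfers her role to a librarian for a week
    p.delegate(Delegation("dave", "bob", right=("ConsultAccount", "PersonnelAccount"), **absence))
    out: Dict[str, object] = {
        "thursday": p.active_policy(date(2013, 3, 28)),  # inside the delegation period
        "saturday": p.active_policy(date(2013, 3, 30)),  # library closed, delegations expired
    }
    try:
        p.delegate(Delegation("alice", "bob", role="Administrator"))
        out["admin_delegable"] = True
    except ValueError:
        out["admin_delegable"] = False
    p.revoke("bob", transfer)  # users can always revoke their own delegations
    out["thursday_after_revoke"] = p.active_policy(date(2013, 3, 28))
    return out
```

On the Thursday inside the period, carol holds both her own Librarian rights and the transferred Secretary right, bob has lost OrderBook but has received ConsultAccount on PersonnelAccount from the director, and dave keeps that right because his delegation is a grant, not a transfer. On the Saturday every WorkingDays rule drops out and both delegations have expired; after bob's revocation the transfer is undone immediately while the director's grant still stands.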


Model-Driven Adaptive Security

A Model-Driven Framework
- Separation of concerns: AC / delegation / business logic.
- Dynamic adaptation & evolution of secure systems.

Figure: framework overview across the three modeling levels M2 (metamodels), M1 (models) and M0 (running system). At M2: access control metamodel, delegation metamodel and architecture metamodel. At M1: the access policy and the delegation policy, each conforming to (cft) its metamodel, are turned by model transformation into the active security policy; this is composed (model composition) with the base model, which conforms to the architecture metamodel, to produce the security-enforced architecture model, which carries validation and test steps. At M0: self adaptation deploys the security-enforced model on the adaptive execution platform; the running system consists of proxy components and business logic components. Labels "change/evolution" and "evolution" mark where the policies and the base model can evolve.


Overview - Modeling Security Concerns

(Figure: the framework overview diagram from the Model-Driven Adaptive Security slide, repeated.)

Modeling Security Concerns

A DSL/metamodel for specifying security concerns
- RBAC-based AC rules.
- Advanced delegation rules.


Overview - Modeling Security Concerns

(Figure: the framework overview diagram from the Model-Driven Adaptive Security slide, repeated.)

Modeling Security Concerns (cont.)

A DSL/metamodel for specifying active security rules
- Derived from the base security rules.
- No context, no delegation here.


Overview - Modeling Business Logic

(Figure: the framework overview diagram from the Model-Driven Adaptive Security slide, repeated.)

Modeling Business Logic (BL)

Component-based architecture
- A Component-Based Architecture metamodel [Morin2010].


Mapping Resources of Policy Model to BL Resource Components

Mappings
- action → method().


Overview - Target Architecture Model

(Figure: the framework overview diagram from the Model-Driven Adaptive Security slide, repeated.)

Target Component-Based Architecture

Security Enforcement
- 3-layer architecture reflecting access control & delegation rules.


Overview - Adaptation Process

(Figure: the framework overview diagram from the Model-Driven Adaptive Security slide, repeated.)

Dynamic Adaptation

Enforcing Security Policies at runtime
- Based on an adaptive execution platform [morin09a].

Figure: at M1, the security-enforced architecture model and the current architecture model (both conforming to the architecture metamodel) are fed to a model comparison, which produces a model diff conforming to the model diff metamodel. Code+script generation turns the diff into a script of platform-specific reconfiguration commands, which the adaptive execution platform applies to the running system at M0 (proxy components and business logic components); a validation step is attached to the security-enforced model.
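The compare-diff-script chain in this figure, together with the action → method() mapping and the proxy components of the target architecture from the earlier slides, as an added illustration; this is not the authors' framework code. It builds a security-enforced architecture model (one proxy per user and business-logic component, exposing only the permitted methods) from an active policy, diffs it against the currently running model, and emits reconfiguration commands. The component and method names, the three command names (addComponent, removeComponent, updateComponent), the sample policies and the apply_script stand-in for the adaptive execution platform are all constructed for this example.

```python
from typing import Dict, List, Set, Tuple

Right = Tuple[str, str]                      # (activity, view) from the active security policy
ArchModel = Dict[str, Set[str]]              # proxy component name -> BL methods it exposes
Command = Tuple[str, str, Tuple[str, ...]]   # (operation, component, sorted methods)

# Constructed mappings from policy-model resources/actions to BL components/methods (action -> method()).
VIEW_TO_COMPONENT = {"Book": "BookService", "PersonnelAccount": "AccountService",
                     "BorrowerAccount": "AccountService"}
ACTION_TO_METHOD = {"OrderBook": "orderBook()", "ConsultList": "listBooks()",
                    "ConsultAccount": "consultAccount()", "ModifyAccount": "modifyAccount()"}

def security_enforced_model(active: Dict[str, Set[Right]]) -> ArchModel:
    """Target architecture model: one proxy per (user, component) exposing only permitted methods."""
    model: ArchModel = {}
    for user, rights in active.items():
        for activity, view in rights:
            proxy = f"{user}:{VIEW_TO_COMPONENT[view]}Proxy"
            model.setdefault(proxy, set()).add(ACTION_TO_METHOD[activity])
    return model

def validate(model: ArchModel, active: Dict[str, Set[Right]]) -> bool:
    """Validation step: no proxy may expose a method its user is not permitted to call."""
    allowed = {(user, ACTION_TO_METHOD[a], VIEW_TO_COMPONENT[v])
               for user, rights in active.items() for a, v in rights}
    for proxy, methods in model.items():
        user, component = proxy.split(":")
        component = component[:-len("Proxy")]
        if any((user, m, component) not in allowed for m in methods):
            return False
    return True

def model_diff(current: ArchModel, target: ArchModel) -> List[Command]:
    """Model comparison: the diff expressed as reconfiguration commands (constructed operation names)."""
    script: List[Command] = []
    for proxy in sorted(set(current) - set(target)):
        script.append(("removeComponent", proxy, ()))
    for proxy in sorted(set(target) - set(current)):
        script.append(("addComponent", proxy, tuple(sorted(target[proxy]))))
    for proxy in sorted(set(current) & set(target)):
        if current[proxy] != target[proxy]:
            script.append(("updateComponent", proxy, tuple(sorted(target[proxy]))))
    return script

def apply_script(running: ArchModel, script: List[Command]) -> ArchModel:
    """Stand-in for the adaptive execution platform: applies the commands to the running system."""
    system = {name: set(methods) for name, methods in running.items()}
    for op, proxy, methods in script:
        if op == "removeComponent":
            del system[proxy]
        else:  # addComponent / updateComponent replace the proxy's exposed methods
            system[proxy] = set(methods)
    return system

def adaptation_scenario() -> Tuple[List[Command], bool]:
    """Constructed: the active policy changes when a role transfer is revoked and a grant expires."""
    before = {"bob": set(), "carol": {("ConsultList", "Book"), ("OrderBook", "Book")},
              "dave": {("ConsultAccount", "PersonnelAccount")}}
    after = {"bob": {("OrderBook", "Book")}, "carol": {("ConsultList", "Book")}, "dave": set()}
    current = security_enforced_model(before)   # what is running now
    target = security_enforced_model(after)     # security-enforced model for the new policy
    script = model_diff(current, target)
    converged = apply_script(current, script) == target and validate(target, after)
    return script, converged
```

The script lists removals first, then additions, then updates, so a proxy that must disappear never survives a step in which a user regains a right elsewhere; the validation check is what catches a hand-edited or stale architecture model that exposes a method the active policy no longer permits.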


Case Studies

Library Management System - LMS
- As described before.

Virtual Meeting System - VMS
- Offers simplified web conference services.
- There are three resources (Meeting, Personnel Account, User Account) and six roles (Administrator, Webmaster, Owner, Moderator, Attendee, and Non-attendee).

Auction Sale Management System - ASMS
- Allows its users to buy and sell products online.
- There are five resources (Sale, Bid, Comment, Personnel Account, User Account) and five roles (Administrator, Moderator, Seller, Senior Buyer, and Junior Buyer).


Case Studies (cont.)

Overview of the 3 systems
- Size of each system.
- Number of security rules.

Table: Size of each system in terms of source code.

System   # Classes   # Methods   # LOC
LMS      62          335         3204
VMS      134         581         6077
ASMS     122         797         10703

Table: Security rules defined for each system.

System   # AC rules   # Delegations   Total
LMS      23           4               27
VMS      36           8               44
ASMS     89           8               97


Case Studies (cont.)

Evaluation
- Our metamodels are applicable to different systems without any modification or adaptation.
- The adaptation process: Kermeta 1.4.1 (http://www.kermeta.org/) vs. ATL 3.2.1 (http://www.eclipse.org/atl/).

Table: Performance of weaving security policies using Kermeta and ATL.

System   # Rules   Kermeta 1.4.1   ATL 3.2.1
LMS      27        4s              0.048s
VMS      44        7s              0.055s
ASMS     97        18s             0.140s


Conclusion

Problem
- The need for supporting advanced delegation features and for solving hidden mechanisms in security policy enforcement.

Proposed Solution
- A model-driven adaptive framework supporting separation of concerns between delegation, AC and business logic.

Future work
- Testing delegation policy via mutation analysis [Nguyen2013].
- Usage Control [Sandhu2003] and delegation of obligations.
- Target an optimized models@runtime framework, e.g. Kevoree (http://www.kevoree.org/).


References

[Ben-Ghorbel-Talbi2010] Meriam Ben-Ghorbel-Talbi, Frederic Cuppens, Nora Cuppens-Boulahia, and Adel Bouhoula. A delegation model for extended RBAC. International Journal of Information Security, 9(3):209–236, June 2010.

[Morin2010] Brice Morin, Tejeddine Mouelhi, Franck Fleurey, Yves Le Traon, Olivier Barais, and Jean-Marc Jézéquel. Security-driven model-based dynamic adaptation. In Proceedings of the IEEE/ACM International Conference on Automated Software Engineering, ASE ’10, pages 205–214, New York, NY, USA, 2010. ACM.

[Nguyen2013] Phu H. Nguyen, Mike Papadakis, and Iram Rubab. Testing delegation policy via mutation analysis. In Mutation Workshop, ICST, 2013.

[Sandhu2003] Ravi Sandhu and Jaehong Park. Usage control: A vision for next generation access control. In V. Gorodetsky et al. (Eds.): MMM-ACNS 2003, LNCS 2776, pages 17–31, 2003.

[morin09a] Brice Morin, Olivier Barais, Grégoire Nain, and Jean-Marc Jézéquel. Taming Dynamically Adaptive Systems with Models and Aspects. In ICSE’09: 31st International Conference on Software Engineering, Vancouver, Canada, May 2009.


Thanks to the Fonds National de la Recherche (FNR), Luxembourg for supporting this project!

Slides based on LaTeX-Beamer template by Erik ([email protected])

The End! Q&A

Final Remarks
- Thank you for your attention!
- More information? Interested? => our paper is available!

Contact Info
- Phu H. Nguyen, University of Luxembourg
- Email: [email protected], Twitter: @nguyenhongphu
