  1. Mike Burmester, Computer Science, Florida State University. Joint work with Prasanta Das and Martin Edwards (MITRE Corporation) and Alec Yasinsac (University of South Alabama). 06/07/09
  2. <ul><li>Motivation </li></ul><ul><li>The Problem </li></ul><ul><li>Our Goal & Model Requirements </li></ul><ul><li>Proposed Solution </li></ul><ul><li>Trust Management Model Formulation </li></ul><ul><li>Rollback Access </li></ul><ul><li>The Way Ahead </li></ul><ul><li>Extensions </li></ul>
  3. <ul><li>A stabilization and humanitarian relief scenario </li></ul><ul><li>A coalition of militaries, government agencies and NGOs is involved in a stabilization and humanitarian relief effort in Orange Land, a sub-Saharan nation in the midst of inter-tribal conflict and a three-year drought. </li></ul><ul><li>The Orange Land government is generally pro-West, but two factions have ties to terrorist organizations through their rhetoric and tribal affiliations. </li></ul>
  4. <ul><li>Operational environment </li></ul><ul><ul><li>A tactical wide area network is established to support the coordination and cooperation of the operations. </li></ul></ul><ul><ul><li>Each national military and governmental agency, as well as each NGO, is on the network, with common access based on attributes associated with the group. </li></ul></ul><ul><ul><li>The military consistently posts information on insurgent locations and dangerous areas (e.g., improvised explosive device locations) so that the non-military groups can use it for safety and planning. </li></ul></ul><ul><ul><li>The military provides timelines for general operations that will go force-on-force with insurgents, to ensure the non-military efforts are not caught up in these operations, which could result in civilian casualties. </li></ul></ul>
  5. <ul><li>Trust environment </li></ul><ul><ul><li>Key to the level of information sharing is the trust established between the organizations: information is made available to each group, but the groups do not share it among themselves. </li></ul></ul><ul><ul><li>Each organization has its own “information compartment”, which prevents cross-talk but allows for coordinated approaches to resolving issues. </li></ul></ul><ul><ul><li>This trust relationship has allowed the military to successfully eliminate a number of insurgent strongholds and to clearly map the IEDs (improvised explosive devices) planted. </li></ul></ul>
  6. <ul><li>A trust problem </li></ul><ul><ul><li>It has become apparent to the military that information posted about upcoming efforts is being leaked to insurgents. </li></ul></ul><ul><ul><li>Operations find the military arriving within minutes of the insurgents departing, often to discover a number of IEDs and other traps already in place. </li></ul></ul><ul><ul><li>The military is considering removing non-military organizations from the network, but sees this as possibly leading to unnecessary endangerment of humanitarian efforts. </li></ul></ul><ul><li>Other possible coalition scenarios </li></ul><ul><ul><li>High-seas piracy: coalitions of navies to check piracy off the African coast </li></ul></ul>
  7. <ul><li>Trust in a Variable Threat Environment </li></ul><ul><ul><li>Current trust management systems are not designed to deal with variable threat environments, in which access to network resources must be restricted or suspended in response to an elevated threat level. </li></ul></ul><ul><li>Ad Hoc Networking Collaboration </li></ul><ul><ul><li>Modeling such requirements for ad hoc networking collaboration can be particularly challenging. </li></ul></ul>
  8. <ul><li>Maintenance of Privacy and Data Integrity </li></ul><ul><ul><li>Modeling variable threat scenarios in trust management systems can be particularly challenging when privacy and integrity have to be supported. </li></ul></ul><ul><li>No Dynamic Authorization of Access </li></ul><ul><ul><li>What is needed is a flexible and dynamic access control model that takes into account the prevailing threats at the access point. </li></ul></ul>
  9. <ul><li>Wide Applicability </li></ul><ul><ul><li>Support coalition information capability among: </li></ul></ul><ul><ul><ul><li>Multinational military, NGOs, the intelligence community </li></ul></ul></ul><ul><ul><ul><li>As well as DHS, Federal, State, Local & Tribal interactions </li></ul></ul></ul><ul><li>Current Trust Relationship Gaps </li></ul><ul><ul><li>Static: trusted or untrusted </li></ul></ul><ul><ul><li>Variable threat environments require flexible access and authority for mission accomplishment. </li></ul></ul>
  10. <ul><li>Flexible Approach to Security Policies </li></ul><ul><ul><li>Responding to temporal and/or locational threats </li></ul></ul><ul><li>Functionality is Restricted by Threat Levels </li></ul><ul><ul><li>Access to network resources is restricted while the threat level at the access point is elevated. </li></ul></ul><ul><ul><li>A dynamic trust model is used to broker network resources between domains with varying threat levels. </li></ul></ul><ul><ul><li>Rollback-Access is used to maintain continuity of service by restoring suspended services and records when the threat subsides. </li></ul></ul>
  11. <ul><li>Network resources that have to be protected are assigned threshold threat values. </li></ul><ul><li>Access to a protected resource is subject to: </li></ul><ul><ul><li>Traditional discretionary and mandatory access requirements (Bell-LaPadula). </li></ul></ul><ul><ul><li>The prevailing threat level at the access point not exceeding the resource’s threshold threat value. </li></ul></ul><ul><li>If the threat level is raised above the threshold while a protected resource is being accessed: </li></ul><ul><ul><li>Access to protected resources is suspended, while access to non-protected resources continues. </li></ul></ul><ul><ul><li>Access is restricted only in those domains for which the threat level is raised. </li></ul></ul><ul><ul><li>For all other domains there is no restriction, so distributed tasks can proceed normally. </li></ul></ul>
  12. <ul><li>Rollback-Access: supporting continuity of service </li></ul><ul><ul><li>Service is restored when the threat level subsides. </li></ul></ul><ul><ul><li>All suspended records become available. </li></ul></ul><ul><ul><li>Records processed in other domains, external to the raised-threat-level domain, become available. </li></ul></ul>
  14. <ul><li>The threat levels of the Homeland Security Advisory System, totally ordered by the authorization relation (auth) from highest to lowest: Red, Orange, Yellow, Blue, Green. </li></ul>
  15. <ul><li>Define: = Information Compartment for threat level </li></ul><ul><ul><li>Implies if then RA is triggered and invoked </li></ul></ul><ul><li>Four-mode characterization of RA </li></ul><ul><ul><li>i: Suspension; ii: Transitory; iii: Segregation; iv: Rollback of an authorization to a lower threat level </li></ul></ul><ul><li>Execution of an action is suspended when </li></ul><ul><ul><li>If then the record in suspended state is stored in </li></ul></ul><ul><ul><li>If the threat level is later lowered to , the TM system rolls back (restores) the records of suspended execution for the access action in </li></ul></ul>
  16. <ul><li>Initially for all </li></ul><ul><ul><li>Rollback of is raised to </li></ul></ul><ul><ul><ul><li>Put in a record of suspended access actions </li></ul></ul></ul><ul><ul><ul><li>Invoke the functionality </li></ul></ul></ul><ul><ul><ul><li>Every object produced during the threat level is assigned the threat level </li></ul></ul></ul>
  17. <ul><ul><li>Rollback of is lowered to </li></ul></ul><ul><ul><ul><li>All records in where that are authorized by get restored, labeled as objects with , and removed from </li></ul></ul></ul><ul><ul><ul><li>Invoke functionality </li></ul></ul></ul><ul><ul><ul><li>Every object produced during threat level is assigned the threat level </li></ul></ul></ul>
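As an added worked example (not the authors' prototype or code), the following Python models the rules of slides 11 to 17 in one place: a totally ordered set of threat levels, a threshold threat value per protected resource, Bell-LaPadula plus discretionary checks, suspension (rather than denial) of an access action when the prevailing threat at the access point exceeds the threshold, labelling of objects produced under a given level, per-domain scope of the restriction, and rollback of the suspended records when the level is lowered to one that authorizes them. The class names, the numeric clearance levels, the resource thresholds and the coalition sample data are assumptions made for illustration.

```python
# Toy rollback-access trust manager: an added example, not the authors' prototype.
# Class names, the numeric clearance levels and the sample data are assumptions.
from collections import namedtuple
from dataclasses import dataclass
from enum import IntEnum


class Threat(IntEnum):          # Homeland Security Advisory System, low to high
    GREEN = 0
    BLUE = 1
    YELLOW = 2
    ORANGE = 3
    RED = 4


@dataclass(frozen=True)
class Resource:
    name: str
    classification: int         # BLP level: 0 unclassified, 1 confidential, 2 secret
    threshold: Threat           # access stays open only while domain threat <= this
    readers: frozenset          # discretionary ACL (subject names)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: int
    domain: str                 # domain of the access point


Record = namedtuple("Record", "subject resource suspended_at")  # suspended action, kept for rollback


class TrustManager:
    def __init__(self, resources, subjects):
        self.resources = {r.name: r for r in resources}
        self.subjects = {s.name: s for s in subjects}
        self.threat = {}        # domain -> prevailing threat level (default GREEN)
        self.active = {}        # domain -> set of (subject, resource) in progress
        self.suspended = {}     # domain -> list of Record
        self.labels = {}        # object name -> threat level it was produced under

    def level(self, domain):
        return self.threat.get(domain, Threat.GREEN)

    def request(self, subject, resource):
        """'denied' (MAC/DAC fails), 'suspended' (threat too high) or 'granted'."""
        s, r = self.subjects[subject], self.resources[resource]
        if s.clearance < r.classification or s.name not in r.readers:
            return "denied"     # BLP no-read-up, then the discretionary ACL
        lvl = self.level(s.domain)
        if lvl > r.threshold:   # threat at the access point exceeds the threshold
            self.suspended.setdefault(s.domain, []).append(Record(s.name, r.name, lvl))
            return "suspended"
        self.active.setdefault(s.domain, set()).add((s.name, r.name))
        return "granted"

    def produce(self, domain, obj):
        self.labels[obj] = self.level(domain)   # label with the prevailing level

    def raise_threat(self, domain, new):
        """Raise one domain's level; suspend its open accesses whose threshold is now exceeded."""
        self.threat[domain] = new
        still_open = set()
        for subj, res in self.active.get(domain, set()):
            if new > self.resources[res].threshold:
                self.suspended.setdefault(domain, []).append(Record(subj, res, new))
            else:
                still_open.add((subj, res))   # non-protected at this level: continues
        self.active[domain] = still_open      # other domains are untouched
        return sorted(rec.resource for rec in self.suspended.get(domain, []))

    def lower_threat(self, domain, new):
        """Rollback-access: restore every suspended record the new level authorizes."""
        self.threat[domain] = new
        restored, kept = [], []
        for rec in self.suspended.get(domain, []):
            if new <= self.resources[rec.resource].threshold:
                restored.append(rec)
                self.active.setdefault(domain, set()).add((rec.subject, rec.resource))
            else:
                kept.append(rec)              # still above threshold: stays suspended
        self.suspended[domain] = kept
        return restored


def run_scenario():
    """Constructed coalition data (sample values, not from the paper)."""
    everyone = frozenset({"ngo_liaison", "mil_planner"})
    tm = TrustManager(
        [Resource("ied_map", 0, Threat.RED, everyone),          # effectively never suspended
         Resource("ops_timeline", 1, Threat.YELLOW, everyone),  # protected resource
         Resource("targeting", 2, Threat.GREEN, frozenset({"mil_planner"}))],
        [Subject("ngo_liaison", 1, "ngo"), Subject("mil_planner", 2, "military")])
    out = {}
    out["ngo_targeting"] = tm.request("ngo_liaison", "targeting")         # denied: no read up
    out["ngo_timeline"] = tm.request("ngo_liaison", "ops_timeline")       # granted at GREEN
    out["ngo_iedmap"] = tm.request("ngo_liaison", "ied_map")              # granted
    out["suspended_on_raise"] = tm.raise_threat("ngo", Threat.ORANGE)     # ['ops_timeline']
    out["mil_timeline"] = tm.request("mil_planner", "ops_timeline")       # other domain: granted
    out["ngo_timeline_again"] = tm.request("ngo_liaison", "ops_timeline") # suspended, recorded
    tm.produce("ngo", "sitrep-7")
    out["sitrep_label"] = tm.labels["sitrep-7"]                           # Threat.ORANGE
    out["restored"] = [(r.subject, r.resource) for r in tm.lower_threat("ngo", Threat.YELLOW)]
    out["ngo_open_after"] = sorted(res for _, res in tm.active["ngo"])    # both resources open
    return tm, out
```

The point to notice is the difference between "denied" and "suspended": a failed Bell-LaPadula or ACL check is final, whereas a threat-level failure only parks the action in the domain's record so that lowering the level later restores it without the requester having to resubmit. The restriction is scoped to the domain whose level was raised, so the military planner's access in the other domain proceeds normally while the NGO domain is at Orange. Relabelling of restored records with the new level, and the "Transitory" and "Segregation" modes of slide 15, are not modelled here.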
  19. <ul><li>Build a Working Prototype </li></ul><ul><li>Test Against Scenarios </li></ul><ul><ul><li>DoD focus: multinational peacekeeping and humanitarian aid in a destabilized area </li></ul></ul><ul><ul><li>DHS focus: interagency counterterrorism information sharing across the full spectrum </li></ul></ul><ul><li>Validation Metrics </li></ul><ul><ul><li>Behavioral consistency </li></ul></ul><ul><ul><li>Integration aspects </li></ul></ul><ul><ul><li>Scalability </li></ul></ul>
  20. <ul><li>The model discussed is asymmetric. </li></ul><ul><li>It is resource-centric, not user-centric. </li></ul><ul><li>Principals with the same clearance requesting access to the same resource are treated equally. </li></ul><ul><ul><li>Some of these principals may be contributing to the elevated threat level. </li></ul></ul><ul><li>The system should monitor the behavior of principals, and access should be conditioned on good behavior. </li></ul>
  21. <ul><li>Wide Applicability Across Federal & Civil Sectors </li></ul><ul><li>Model Based on Bell-LaPadula Foundations </li></ul><ul><li>Dynamic Trust Based on Threat Levels & Locality </li></ul><ul><li>Concept is Provable and Buildable; Validation Important </li></ul><ul><li>Bibliography: Mike Burmester, Prasanta Das, Martin Edwards and Alec Yasinsac. “Multi-Domain trust management in variable threat environments using rollback-access”. MILCOM 2008, San Diego, November 17-19, 2008. </li></ul>
  22. <ul><li>Mike Burmester, Breno de Medeiros and Alec Yasinsac. Community-centric vanilla-rollback access, or: How I stopped worrying and learned to love my computer. Proc. 13th Int. Security Protocols Workshop, Cambridge, LNCS 4631, Springer, pp. 228-237, 2007. </li></ul><ul><li>Mike Burmester, Breno de Medeiros and Rossana Motta. Provably Secure Grouping-proofs for RFID Tags. CARDIS 2008. </li></ul><ul><li>Mike Burmester and Breno de Medeiros. The Security of EPCGen2 Compliant RFID Protocols. ACNS 2008. </li></ul><ul><li>Mike Burmester, Breno de Medeiros and Rossana Motta. Robust Anonymous RFID Authentication with Constant Key Lookup. ACM ASIACCS 2008. </li></ul><ul><li>Mike Burmester and Breno de Medeiros. Towards provable security for route discovery protocols in mobile ad hoc networks. 2008. </li></ul><ul><li>Mike Burmester and Breno de Medeiros. Persistent Security for RFID. Conference on RFID Security, RFIDSec07, 2007. </li></ul><ul><li>Mike Burmester and Breno de Medeiros. RFID Security, Countermeasures and Challenges. 5th RFID Academic Convocation, The RFID Journal Conference, 2007. </li></ul><ul><li>Tri van Le, Mike Burmester and Breno de Medeiros. Universally Composable and Forward Secure RFID Authentication and Key Exchange. ACM ASIACCS 2007. </li></ul><ul><li>Mike Burmester, Tri van Le and Breno de Medeiros. Provably Secure Ubiquitous Systems: Universally Composable RFID Authentication Protocols. SecureComm 2006. </li></ul><ul><li>Mike Burmester, Tri van Le and Breno de Medeiros. Towards provable security for ubiquitous applications. ACISP 2006. </li></ul>