European Symposium on Research in Computer Security

Computer Security -- ESORICS 2015, pp. 481-499

A Theory of Gray Security Policies

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9327)

Abstract

This paper generalizes traditional models of security policies, from specifications of whether programs are secure, to specifications of how secure programs are. This is a generalization from qualitative, black-and-white policies to quantitative, gray policies. Included are generalizations from traditional definitions of safety and liveness policies to definitions of gray-safety and gray-liveness policies. These generalizations preserve key properties of safety and liveness, including that the intersection of safety and liveness is a unique allow-all policy and that every policy can be written as the conjunction of a single safety and a single liveness policy. It is argued that the generalization provides several benefits, including that it serves as a unifying framework for disparate approaches to security metrics, and that it separates—in a practically useful way—specifications of how secure systems are from specifications of how secure users require their systems to be.


Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

Department of Computer Science and Engineering, University of South Florida, Tampa, USA
