Service Automata

We propose a novel framework for reliably enforcing security in distributed systems. Service automata monitor the execution of a distributed program and enforce countermeasures before a violation of a security policy can occur. A key novelty of our proposal is that security is enforced in a decentralized though coordinated fashion. This provides the basis for reliably enforcing global security requirements without introducing unnecessary latencies or communication overhead. The novel contributions of this article include the concept of service automata and a generic formalization of service automata in CSP. We also illustrate how the generic model can be tailored to given security requirements by instantiating its parameters in a stepwise and modular manner.
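As an added illustration (not the paper's CSP model, and not code from its authors), the sketch below shows the enforcement pattern the abstract describes: one monitor per node intercepts security-relevant events before they execute, decides purely local policies on its own, and consults a peer monitor only when a global policy (here, separation of duty between approving and paying an invoice) depends on facts that another node holds. The `Event` shape, the two policies, the in-process peer registry and the sample trace are all assumptions constructed for this example.

```python
"""Illustrative decentralized enforcement in the style of service automata.

One monitor ("service automaton") per node. A local policy (an invoice is
paid at most once on this node) is decided without any communication; the
global separation-of-duty policy (approver != payer) needs the approval
record held by another node, so the monitor queries that peer before it
lets the event through. Countermeasure: the offending event is suppressed.
Everything here (event shape, policies, registry) is an assumption made for
this example, not the paper's formal model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    node: str    # node on which the event is about to happen
    user: str
    action: str  # "approve" or "pay"
    item: str    # e.g. an invoice id


class ServiceAutomaton:
    def __init__(self, node: str, registry: Dict[str, "ServiceAutomaton"]):
        self.node = node
        self.registry = registry          # stands in for the coordination channel
        self.registry[node] = self
        self.accepted: List[Event] = []   # events this node has let through
        self.remote_queries = 0           # how often we had to ask a peer

    # Coordination interface: what other automata may ask this one.
    def who_did(self, action: str, item: str) -> Optional[str]:
        for ev in self.accepted:
            if ev.action == action and ev.item == item:
                return ev.user
        return None

    # Local policy: decided from local state only, no communication.
    def _local_violation(self, ev: Event) -> Optional[str]:
        if ev.action == "pay" and self.who_did("pay", ev.item) is not None:
            return f"{ev.item} already paid on {self.node}"
        return None

    # Global policy: needs the approval record, which may live on a peer.
    def _global_violation(self, ev: Event) -> Optional[str]:
        if ev.action != "pay":
            return None
        for peer in self.registry.values():
            if peer is not self:
                self.remote_queries += 1   # a real deployment would send a message here
            if peer.who_did("approve", ev.item) == ev.user:
                return f"{ev.user} approved {ev.item} on {peer.node}"
        return None

    def enforce(self, ev: Event) -> Tuple[str, Optional[str]]:
        """Decide before the event executes: ('permit', None) or ('suppress', reason).

        The cheap local check runs first so that a locally decidable
        violation never costs a round trip to a peer.
        """
        reason = self._local_violation(ev) or self._global_violation(ev)
        if reason is not None:
            return ("suppress", reason)
        self.accepted.append(ev)
        return ("permit", None)


def run_trace(events: List[Event]) -> Tuple[List[Tuple[str, Optional[str]]],
                                            Dict[str, ServiceAutomaton]]:
    """Create one automaton per node named in the trace and enforce it in order."""
    registry: Dict[str, ServiceAutomaton] = {}
    for node in {ev.node for ev in events}:
        ServiceAutomaton(node, registry)
    decisions = [registry[ev.node].enforce(ev) for ev in events]
    return decisions, registry


# Constructed sample trace: approvals happen on one node, payments on another.
SAMPLE_TRACE = [
    Event("approval", "alice", "approve", "inv-1"),  # permitted, purely local
    Event("finance", "alice", "pay", "inv-1"),       # suppressed: alice approved it
    Event("finance", "bob", "pay", "inv-1"),         # permitted after one peer query
    Event("finance", "bob", "pay", "inv-1"),         # suppressed locally: already paid
]

if __name__ == "__main__":
    decisions, automata = run_trace(SAMPLE_TRACE)
    for ev, (decision, why) in zip(SAMPLE_TRACE, decisions):
        print(f"{ev.node:9} {ev.user:6} {ev.action:8} {ev.item}: {decision}"
              + (f" ({why})" if why else ""))
    print("remote queries from finance:", automata["finance"].remote_queries)
```

Running the sample trace shows the two points the abstract makes: the approval and the duplicate payment are decided without any peer query, and only the payments that actually depend on remote state cost a coordination step.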
