Security for Cloud Environment through Information Flow Properties Formalization with a First-Order Temporal Logic

The main factor slowing down Cloud activity is the lack of reliable security. The on-demand security concept aims at delivering and enforcing the client's security requirements. In this paper, we present an approach, Information Flow Past Linear Time Logic (IF-PLTL), to specify how a system can support a large range of security properties. We show how to control information flows from lower-level system events. We give complete details of the IF-PLTL syntax and semantics. Furthermore, this logic makes it possible to formalize a large set of security policies. Our approach is exemplified with the Chinese Wall commercial-related policy. Finally, we discuss the extension of IF-PLTL with dynamic relabeling to encompass more realistic situations through the dynamic domains isolation policy.
