A Policy Management Framework for Self-Protection of Pervasive Systems Ruan He Marc Lacoste Orange Labs Security and Trusted Transactions Dept. {ruan.he,marc.lacoste}@orange-ftgroup.com
Abstract—Although highly promising to meet the challenges of pervasive network security, self-managed protection has been little addressed in this setting. This paper adopts a policy-based management approach to the problem, and presents a policydriven security framework called ASPF. Enforced authorization policies in a device are adapted according to the security context, both at the network and device levels. ASPF describes how an autonomic security manager may control OS-level authorization mechanisms supporting multiple classes of policies. Evaluation of an ASPF implementation shows that the design is applicable for effective and yet flexible self-protection of pervasive systems.
I. I NTRODUCTION Advances in pervasive networking are rapidly taking us to the final frontier in security, revealing a whole new landscape of threats. In open and dynamic environments, malicious nodes may enter a network undetected, and various malwares may invisibly install themselves on a device. When roaming between heterogeneous networks, each with its own protection requirements, a device may also take advantage of security policy conflicts to gain unauthorized privileges. In an embedded setting including limited and often unstable computing and networking resources, denial of service attacks are somewhat easier, with little lightweight security countermeasures. Finally, these decentralized, large-scale systems make end-toend security supervision difficult, and administration by hand impossible, with the risk of some sub-system security policies not being up-to-date. These threats may only be mitigated with security mechanisms highly adaptable to conditions and security requirements (e.g., supporting multiple security policies), with limited overhead, and above all, self-managed [1]. To realize context-aware autonomic adaptations, the policydriven paradigm has successfully demonstrated its power and generality [2]: system functionalities are governed by a set of policies and, as the context changes, new policies may be selected to activate in the system functions better adapted to its new environment. Unfortunately, this approach was little applied to self-protection of pervasive systems. In this paper, we validate the viability of this solution by presenting a policy-driven security management framework called ASPF (Autonomic Security Policy Framework) which describes the design of an autonomic security manager for pervasive systems. ASPF builds on an earlier OS security
Jean Leneutre Telecom ParisTech Network, Mobility and Security Dept.
[email protected]
architecture called VSK (Virtual Security Kernel) [3], [4] that specifies the managed security mechanisms. VSK implements kernel-level policy-neutral authorization, and supports dynamic policy reconfiguration, but without describing any control strategy. ASPF enables to select the most appropriate authorization policy to enforce in the device to match the estimated risk level for the current environment. Two levels of adaptations are possible, policies being tuned (or generated) according to the security context of the network and of the device. Policies are specified in an XACML extension according to the attribute-based model of authorization [5], which provides a fairly generic manner to describe permissions in open systems. An authorization architecture is also defined to refine the ASPF policy adaptation model, and was implemented above the VSK authorization mechanisms. Performance, resilience, and security evaluation results show that the combined ASPF and VSK frameworks enable to achieve effective and yet flexible self-protection. The rest of this paper is organized as follows. After reviewing related work (Section II), we provide some background on our self-protection architecture (Section III). We then present the ASPF adaptation and policy models (Sections IV and V) and authorization architecture (Section VI). We finally present an ASPF implementation over the VSK mechanisms (Section VII), and some evaluation results (Section VIII). II. R ELATED W ORK Self-protection has so far been explored very little. While quite an early idea [1], it was discussed at the level of principles with few frameworks available, mainly for enterprise information systems [6], [7]. To orchestrate the components needed for autonomic security management, a policy-driven design [2], [7] seemed promising, since the approach was successfully applied to other self-* properties: indeed, several generic policy management frameworks [8]–[10] have been proposed to automate device and network reconfigurations to respond to context changes. Unfortunately, these frameworks hardly considered security. Notable exceptions are [10] for large organizations and [11] for pervasive systems which supports authorization and obligation policies. But with those frameworks, it remains unclear how to specify and federate authorization policies described in different security models to overcome heterogeneity of network security policies.
Three main elements seem to be missing: (1) descriptions of self-governance strategies; (2) specifications of security policies; and (3) flexible enough authorization mechanisms. A promising approach for (1) is based on Domain-Specific Languages (DSLs) [12], but does not yet address security. For (2) and (3), one main challenge to overcome is the great diversity of access control models [13] proposed to describe policies. Policy-neutral access control (PNAC) languages [14] allow supporting several models, but lack real enforcement mechanisms. At the other end, several PNAC frameworks have been proposed [15], [16] but without any generic enough specification languages. An interesting mid-term [17] combines a highly expressive security model (ABAC) [5], a PNAC language (XACML) and a corresponding authorization architecture. However, self-management of policies is not described. Further work is therefore needed. III. S ELF -P ROTECTION A RCHITECTURE
VSK implements the managed OS-level security mechanisms in a node. It consists of a Virtual Kernel (VK) and of an Access Control Engine (ACE). The VK allows to reconfigure the execution space by providing run-time management capabilities over components and their bindings. It also efficiently controls access to execution space resources, playing the role of an enforcement point for ACE decisions. Otherwise, the VK remains hidden in the background to minimize interactions with the execution space for performance optimization. The ACE is a flexible decision engine allowing run-time selection of multiple authorization policies described in different security models. Its design is compliant with the ABAC vision of access control [5]: security attributes and permissions are separately managed (by an Attribute Manager for subjectattribute mappings, and by a Rule Manager for attributepermissions assignments), and may be dynamically updated. We now present ASPF, a policy management framework which realizes an autonomic security manager above the VSK. The general idea is to adapt system security functionalities to the environment by context-aware change (tuning and/or generation) of authorization policies, such as adapting the policy strength to the ambiant risk level. In the next sections, we describe the ASPF adaptation model, policy model (which describes how to represent the managed authorization policies) and resulting extended authorization architecture. IV. A DAPTATION M ODEL This model formalizes the security policy selection and generation process according to the evolution of context.
Fig. 1.
A 3-Level Architecture for Self-Protection.
We now provide some background on the solution we explored for self-protection of pervasive networks [3], [4]. We consider a system to be organized into a flat number of clusters, each containing a set of nodes. Each cluster is managed by a cluster authority, which controls the cluster structure – nodes may join or leave the cluster dynamically – and enforces a cluster-level security policy, applicable to all nodes in the cluster. Nodes have various resource limitations, ranging from sensors to laptops, and enforce different nodelevel security policies. We now focus on a single cluster, but the approach can be generalized to any number of clusters. For self-protection, we consider a distributed security architecture divided into 3 abstract layers (see Figure 1). For each node, an execution space provides a run-time environment for application- or system-level resources, represented and manipulated as components. Node security management is performed in the VSK layer which controls the execution space, both for application-specific customizations and to enforce authorizations to access resources. Finally, a distributed autonomic management plane supervises the VSK security strategy in each node and performs the necessary adaptations at network and node levels using several feedback loops. This paper provides an answer on how to design that layer using the ASPF framework.
A. A Double Control Loop ASPF regulates security at two levels, using separate feedback loops for self-protection of the network and of the device: 1) Global policy adaptation: This control loop operates at the cluster level to mitigate threats against a whole subnetwork. A cluster manager monitors the environment and agregates security-relevant events to reach a high-level representation of the cluster security context. When the context changes, e.g., an intrusion is detected, a new cluster security policy may be generated. Each node in the cluster then interprets that policy according to its specificities (CPU, memory, battery, etc.), resulting in a new node security policy to be loaded in the authorization sub-system for enforcement. 2) Local policy adaptation: A simpler loop also operates at the node level to defeat attacks against a single node. Based on information on the node security context, this loop tunes security attributes of principals, such as assigning to a subject a different role to reduce his privileges in a hostile environment, without modifying the rest of the node security policy. B. Cluster Model A model of cluster-level adaptations is shown in Figure 2a. A ClusterController class represents the intelligence governing the behavior of nodes in the cluster. The ClusterContext class captures the security context of the cluster, as returned by a dedicated context management infrastructure or intrusion
(a)
(b)
Fig. 2.
ASPF Adaptation Model: (a) Cluster-Level; (b) Node-Level.
detection system through agregation of low-level inputs from different sources (system/network monitoring probes, sensors in the environment...). This class can linked with a more detailed context model describing the dimensions of context (e.g., location information) which may influence an authorization decision. The PolicySet class represents a number of predefined network security policies applicable to the cluster, which may be described in security models of different strengths. A Cluster-Level Policy Combining Algorithm (CLPCA) defines the network-level security governance strategy, i.e., how to select the most adequate cluster security policy based on the ClusterContext. It may also specify how to generate new policies to cope with unknown situations. The PolicySet may then be extended with this new knowledge. By applying the CLPCA, the ClusterController obtains a cluster policy fitting the current cluster security context, policy which then must be applied to the cluster nodes. In our first prototype, the PolicySet contains policies described in DTE, MLS, and RBAC security models, and the cluster context is reduced to a simple security level. The CLPCA is a policy selection algorithm mapping the security level to the policies, e.g., use a DTE (resp. MLS) policy in a friendly (resp. hostile) environment. In the most general case, the CLPCA may be specified using a security-oriented DSL. C. Node Model Two types of adaptations are performed at the node level as shown in Figure 2b. Global adaptations translate the cluster policy into a node-specific policy. Local adaptations tune that policy according to the node context. The corresponding management intelligence are captured respectively by the NodeController and NodeAdapter classes. As a cluster might contain many nodes, a large part of the cluster policy rules might not be relevant for each node and could be filtered. In the case of a communications security policy, required cryptographic algorithms might not be compatible with the node limited resources (e.g., computing
power). Cluster policies must thus be adapted to the specifics of each node. These constraints are described in a node profile that lists the node capabilities (CPU, memory, storage...) and gives indications on subjects and objects directly impacting that node, in order to optimize resources and extract only the meaningful part of the cluster policy information. To perform global adaptations, the NodeController uses the cluster policy, node profile, and a Node-Level Policy Combining Algorithm (NLPCA) to generate a node-specific security policy, which is then loaded in the node authorization subsystem to validate further access requests to node resources. For local adaptations, The NodeAdapter tunes values of some security attributes in the authorization sub-system according to the evolution of the node environment, captured by the NodeContext class. For instance, when a node is attacked, the security level of a highly sensitive resource could be increased from Confidential to Top Secret to truly minimize the number of principals authorized to access the resource. V. P OLICY M ODEL Different types of authorization policies may be enforced in clusters and nodes. The ASPF policy model, shown in Figure 3, is built around the two following guiding principles: • Attribute-based authorization is more suitable for open environments than traditional identity-based access control. Pervasive devices may not be known by their exact names but by a dynamic set of attributes. • Policy-neutrality is mandatory to account for heterogenerous security domains by supporting several classes of authorization policies. The ABMAC (Attribute-Based Multi-Policy Access Control) model [17] satisfies both requirements, and was thus chosen as basis to describe authorization policies. In this model, distinguishing features of system elements (subjects, objects, environment...) are described by attributes on which access decisions are based. Security attributes include principal identities, group membership, roles, security clearances, labels, or any other authorization information. Attributes are clearly
Fig. 3.
The ASPF Policy Model.
separated from access control rules, enabling independent modifications, e.g., activate/deactivate a role depending on location without reloading a full security policy. An ASPF policy consists of an attribute map and of a set of rules. The map links system elements to their attributes. Elements may be subjects, objects, actions, or context data. Examples of corresponding attributes include security domains, resource types, read/write operations, or location/time information. A rule contains a target, described by several attributes and an effect (allow/deny). A sample DTE policy is shown below, granting write authorizations to private resources for subjects in a trusted domain. Trusted Private write grant ...
The result is a quite expressive model, while still remaining policy-neutral: as for XACML, specific security models may be supported by refining the model through profiles. For instance, DTE, MLS, and RBAC policies are simply specified by defining the right types of attributes (domains, types, labels, roles...). Similarly, context-aware or history-based policies may be defined by adding specific ContextAttribute subclasses or a HistoryAttribute class respectively. VI. AUTHORIZATION A RCHITECTURE The ASPF authorization architecture implements the adaptation model by extending the XACML authorization framework with autonomic features (see Figure 4). XACML defines 4 main components for policy enforcement (PEP), decisionmaking (PDP), administration (PAP), and attribute management (PIP) [18]. In a VSK setting, the PEP is the Virtual Kernel (VK), the PDP is the Access Control Engine (ACE), the PIP is the Attribute Manager, and the authorization policy is stored in the Rule Manager. Access requests to resources of the execution space are forwarded to the ACE and transformed
to an ABAC-compliant request. Attributes are fetched from the Attribute Manager, and the request is validated against the authorization policy. The decision is then enforced by reconfiguring the execution space to establish access to the resource. ASPF may be seen as an enhanced PDP. Pure decisionmaking is extended with self-management capabilities to autonomically generate or tune the security policies contained in the VSK ACE based on policy sets written by a cluster network administrator (PAP). Figure 4 shows how ASPF realizes the two autonomic adaptation scenarios described previously: generating node-specific authorization policies according to cluster context and node profile information; and tuning node security attributes depending on the node context. VII. I MPLEMENTATION A first ASPF prototype implementation was realized including a set of devices running a kernel composed of VSK and of a node-side ASPF component (implemented using the THINK [19] component-based OS framework), and a cluster authority server (implemented in Java). DTE, MLS and RBAC security policies are currently supported, with 10 subjects (threads) and 60 objects (system calls) to model a typical embedded OS environment, and 3 security levels for the cluster security context. The NLPCA filters the cluster policy according to active subjects or objects described in the node profile. The resulting attribute mappings and rules are then loaded inside the VSK via a dedicated reconfiguration interface ReconfVSK allowing to change dynamically security attributes and policy rules. VIII. E VALUATION The self-protection capabilities of the infrastructure (ASPF+VSK) were evaluated in terms of overall response time and resiliency to attacks. A qualitative assessment of the security of the framework is also given. All measurements were performed on a 2.7GHz DELL OptiPlex 740 desktop PC with Linux/Ubuntu 9.04 and 1GB of RAM, on which are run the cluster authority server and node simulations. A. End-to-End Response Time We measure the overall latency to complete a full selfprotection loop for adaptations at the cluster and node levels. Evaluation results for each step of the loop are shown in Figures 5a and 5b for different types of security policies. In the first benchmark, detection of an attack on a cluster of 100 nodes in a steady state is simulated by direct update of the cluster security context. In practice, this step would be performed by an Intrusion Detection System (IDS) such as Snort, with 1ms as typical order of magnitude for attack detection and countermeasure initiation. The next steps are generation of a node-specific policy (given times are averaged on the number of nodes), invoking the node VSK to load the policy, kernel reconfiguration with the new policy, and return to the steady state. The overall latency averaged over different security models is 33.92ms.
Fig. 4.
The ASPF Authorization Architecture.
(a)
(b)
Fig. 5.
Self-Protection Latencies: (a) Cluster-Level; (b) Node-Level.
In the second benchmark, attacks are detected by a node context handler. The next steps include invoking the VSK, tuning security attributes to adapt to the new security context, and returning to a steady state. The measured overall latency for this adaptation loop is 1.15ms. Overall, the adaptation response times seem reasonable, since the time between two policy reconfigurations is typically from a few seconds to one minute, for instance when switching between wireless networks in different locations. As expected, node-level adaptations are much lighter than cluster-level reconfigurations. This is in part due to the ABAC approach: the same authorization rules may be applied, only attributes values being tuned. For highly dynamic environments, this design makes self-protection more flexible, allowing to follow small variations of the context, without regenerating a full policy. B. Resilience To measure the effectiveness of self-protection using ASPF, we use the methodology for benchmarking self-* capabilities of autonomic systems proposed in [20] based on injection of disturbances (see Figure 6a). The idea, coming from dependability benchmarks, is to introduce in the System Under Test (SUT) disturbances in the form of attacks or faults, and to
measure the impact on the performance workload. This type of benchmark, already used to assess self-healing abilities, measures how well the SUT adapts to the injected changes in terms of speed of recovery, impact on performance, etc. In our case, the SUT is the set VSK+ASPF on which is applied a workload to validate access requests from the execution space. We measure the impact on throughput (number of requests per second validated by the VSK, averaged over a sliding sampling time window τ ) of updating security policies to respond to injected attacks. An attack from a malicious node is simulated by directly changing the cluster security context at the beginning of an injection slot, and waiting from the SUT to come back to a steady state. The results are shown in Figure 6b for τ = 1ms and τ = 0.16ms, which is about the latency value for an end-to-end reconfiguration. The decrease in throughput due to security adaptations depends on the sampling slot value: 89% for τ = 0.16ms (worst case), but only 15% for τ = 1ms (standard situation). These results show that the system is able to protect itself effectively with a reasonable performance cost. The recovery time is almost immediate for τ = 0.16ms, and about 2ms for τ = 1ms. Thus, the system is able to complete successfully its reconfiguration in times which are largely acceptable. These metrics tend to show that ASPF provides self-protection with minimal impact on system resources. C. Security Evaluation Evaluating the quality of the autonomic response is harder: does the system remain secure after a security reconfiguration? To avoid rogue third parties to directly update node authorization policies inside the VSK, a single reconfiguration interface (ReconfVSK) is introduced as unique entry point to control the VSK. This interface remains internal to a node, to avoid policy update requests coming from the network aiming to lower node security settings. ASPF behaves as a distributed security management plane which guarantees complete mediation over this interface: all authorization policy modifications may only be issued by NodeAdapter, NodeController, and ClusterController components along a trusted path. The link
(a)
R EFERENCES
(b)
Fig. 6. Benchmarking Self-Protection Capabilities: (a) Principle; (b) Results.
between node-side and cluster-side ASPF components is also assumed to be a secure, authenticated channel to avoid manin-the-middle attacks or rogue cluster authorities. Finally, an MMU-like hardware mechanism in the node prevents circumventing the NodeAdapter component. These features qualify ASPF as a strongly protected management plane over VSK authorization mechanisms. IX. C ONCLUSION This paper presented ASPF, a policy-based security management framework illustrating the design of an autonomic security manager to control OS-level authorization mechanisms in a pervasive device. ASPF implements several self-protection loops, authorization policies being adapted according to security context variations both at the network and device levels. Policies are described with an attribute-based extension to XACML to support policies specified in multiple authorization models. Performance, resilience, and security evaluations show that, together with VSK, ASPF provides strong and yet flexible security while still achieving good performance, making it applicable to make pervasive systems self-protected. Future work will focus on the definition of the security policy adaptation strategy. We are currently investigating the approach followed in [12], [21], where autonomic management policies are specified using domain-specific languages (DSLs). The next step is thus the design of a DSL for self-protection. Current ASPF adaptation strategies (policycombining algorithms) are purely action-based. However, higher-level strategies using objective or utility function policies are also desirable [22]. By enabling the specification of governance strategies with richer types of policies, the DSL approach should allow describing self-managed security at different levels of granularity which can be refined (e.g., with notions of policy continuum [23]), and thus evolve towards greater autonomic maturity in the corresponding systems.
[1] D. Chess, C. Palmer, and S. White, “Security in an Autonomic Computing Environment,” IBM Systems Journal, vol. 42, no. 1, pp. 107–118, 2003. [2] J. Strassner, Policy-Based Network Management: Solutions for the Next Generation. Morgan Kaufman, 2003. [3] R. He and M. Lacoste, “Applying Component-Based Design to SelfProtection of Ubiquitous Systems,” in 3rd ACM workshop on Software Engineering for Pervasive Services (SEPS), 2008. [4] R. He, M. Lacoste, and J. Leneutre, “An OS Architecture for Device Self-Protection,” in International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS), 2009. [5] E. Damiani, S. Di Vimercati, and P. Samarati, “New Paradigms for Access Control in Open Environments,” in International Symposium on Signal Processing and Information, 2005. [6] B. Claudel, N. De Palma, R. Lachaize, and D. Hagimont, “SelfProtection for Distributed Component-Based Applications,” in International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS), 2007. [7] J. Agosta et al., “Towards Autonomic Enterprise Security: SelfDefending Platforms, Distributed Detection, and Adaptive Feedback,” Intel Technology Journal, vol. 10, no. 4, 2006. [8] D. Agrawal, K.-W. Lee, and J. Lobo, “Policy-Based Management of Networked Computing Systems,” IEEE Communications Magazine, vol. 43, no. 10, pp. 69–75, 2005. [9] J. Strassner, N. Agoulmine, and E. Lehtihet, “FOCALE: A Novel Autonomic Networking Architecture,” in Latin American Autonomic Computing Symposium (LAACS), 2006. [10] N. Damianou, N. Dulay, E. Lupu, and M. Sloman, “The Ponder Policy Specification Language,” in International Workshop on Policies for Distributed Systems and Networks (POLICY), 2001. [11] K. Twidle, N. Dulay, E. Lupu, and M. Sloman, “Ponder2: A Policy System for Autonomous Pervasive Environments,” in International Conference on Autonomic and Autonomous Systems (ICAS), 2009. [12] L. Broto, D. Hagimont, P. Stolf, N. De Palma, and S. Temate, “Autonomic Management Policy Specification in Tune,” in Symposium on Applied Computing (SAC), 2008. [13] NIST, “A Survey of Access Control Models,” in NIST Privilege (Access) Management Workshop, 2009, available at: http://csrc.nist.gov/news events/privilege-management-workshop/. [14] S. De Capitani di Vimercati, S. Foresti, P. Samarati, and S. Jajodia, “Access Control Policies and Languages,” International Journal of Computational Science and Engineering, vol. 3, no. 2, pp. 94–102, 2007. [15] P. Loscocco and S. Smalley, “Integrating Flexible Support for Security Policies into the Linux Operating System,” in USENIX Annual Technical Conference, 2001. [16] M. Lacoste, T. Jarboui, and R. He, “A Component-Based Policy-Neutral Architecture for Kernel-Level Access Control,” Annals of Telecommunications, vol. 64, no. 1-2, pp. 121–146, 2009. [17] B. Lang, I. Foster, F. Siebenlist, R. Ananthakrishnan, and T. Freeman, “A Flexible Attribute-Based Access Control Method for Grid Computing,” Journal of Grid Computing, vol. 7, no. 2, pp. 169–180, 2009. [18] OASIS, “eXtensible Access Control Markup Language (XACML),” http://www.oasis-open.org/. [19] M. Anne et al., “Think: View-Based Support of Non-Functional Properties in Embedded Systems,” in International Conference on Embedded Software and Systems (ICESS), 2009. [20] A. Brown and C. Redlin, “Measuring the Effectiveness of Self-Healing Autonomic Systems,” in International Conference on Autonomic Computing (ICAC), 2005. [21] P.-A. Muller, F. Fleurey, and J.-M. J´ez´equel, “Weaving Executability in Object-Oriented Meta Languages,” in International Conference on Model Driven Engineering Languages and Systems (MODELS), 2005. [22] J. Kephart and W. Walsh, “An Artificial Intelligence Perspective on Autonomic Computing Policies,” in IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY), 2004. [23] J. Strassner, J. de Souza, D. Raymer, S. Samudrala, S. Davy, and K. Barrett, “The Design of a New Policy Model to Support OntologyDriven Reasoning for Autonomic Networking,” in Latin American Network Operations and Management Symposium (LANOMS), 2007.