Context-based security policies - Semantic Scholar

Context-Based Security Policies: A New Modeling Approach

Patrick Brézillon (1) and Ghita Kouadri Mostéfaoui (2)

(1) LIP6, Université Paris 6, France, [email protected]
(2) Software Engineering Group, University of Fribourg, Switzerland, [email protected]

Abstract

The great enthusiasm that accompanies the wide adoption of handheld devices and remote services is very often dampened by the number and frequency of security problems encountered by users and service providers. The ubiquitous (pervasive) nature of such applications has brought new security vulnerabilities, so security in pervasive computing is still a hot topic. Context-based security is an emerging approach for modeling adaptive security solutions based on the situation in which the system is used. Our contribution presents a new model for specifying context-based security policies. The approach is based on contextual graphs and relies on a set of contextual information collected from the system's and the user's environments.

1. Introduction

Recent advances in hardware miniaturization and wireless communications have allowed the emergence of various applications in different domains, thanks to the new capabilities provided to such applications: invisibility [1] [2], mobility of users and services, heterogeneity of users' devices and services, and adaptability. Security policies in these types of environments generally follow a static approach, in which security requirements do not change over time. For example, the ways users are authenticated and the protocols used to encrypt messages are fixed. Additionally, the surrounding situation is rarely taken into account, and security requirements mainly depend on the user's identity (or role). Adaptive security (security that adapts to the situation of use) is therefore a requisite for providing fine-grained access control and for blocking dangerous manipulations. The situation that surrounds both the requested service's environment and the user's environment is formally called context. Context-awareness has been used for some time in the design of more adaptive systems, but in the domain of security it is rather new. In this paper, we propose a new approach called "context-based security" that aims at designing adaptive security solutions, and we present the use of contextual graphs [12][13] in determining the most appropriate security level for a pervasive application.

The remainder of the paper is organized as follows: Section 2 presents our view of the concept of context-based security. Section 3 gives a brief overview of previous work on context-based security. Section 4 describes our approach, including a brief presentation of contextual graphs, and presents a case study: fine-grained access control in a health care distributed system. Section 5 concludes the paper.

2. What is context-based security?

As its name suggests, context-based security is all about considering "context" explicitly in the specification of security solutions (access control models, cryptographic protocols, etc.). Context-based security emerged recently as a new approach to cope with the new types of security problems introduced by the high mobility of pervasive systems and the heterogeneity of the devices used in these environments [3]. Figure 1 illustrates the idea behind context-based security. The pervasive environment is initially controlled by a specific configuration of the security policy in an initial context. This context changes continually in response to triggers (dynamic changes in the environment). The security policy must then adapt itself to the new context in order to close the breaches that the new context may open. By a security policy, we mean a specification that expresses clearly and concisely which practices are authorized and which are denied for each type of user in each situation. Formally, such a situation is what we call a security context.

Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops (PERCOMW'04) 0-7695-2106-1/04 $20.00 © 2004 IEEE. Authorized licensed use limited to: Univ of Calif Irvine. Downloaded on September 1, 2009 at 15:16 from IEEE Xplore. Restrictions apply.

Figure 1. Context-based security: the big picture

2.1. Security context

Kouadri and Brézillon [4] define a security context as a set of information collected from the user's environment and the application environment that is relevant to the security infrastructure of both the user and the application. A security context is a situation, described by a set of information, that requires a specific security decision to be taken, such as adapting the cryptographic protocol used in the communication, requiring a stronger authentication method, or automatically denying access to a service when intrusion detection is triggered. In order to build a security context, and depending on the application domain, many types of contextual information may be used, such as: the user's identity, his/her interaction history with the service, his/her location, his/her preferences, the type of requested service, the time/date of the request, the sensitivity of the exchanged information, and the set of cryptographic protocols supported by the user's application and by the service, along with contextual information deduced by computation, such as the state of the network (for instance, whether it is able to handle more user/service interactions, estimated from the remaining network resources (CPU, bandwidth, etc.) and the number of already connected users). In [4], we identify three types of contextual information:

- Simple: the collected information is used in its original format. For example, it can represent the value of a parameter.
- Interpreted: the collected data cannot be used as is but needs to be converted into a more meaningful format. For example, the contextual entry "Sunday" needs to be converted into "Weekday" or "Weekend".
- Composite: a set of simple and/or interpreted entries collected as a whole.

If contextual elements are numerous, in the approach proposed by contextual graphs [11][12][13] they are acquired incrementally, when needed.

2.2. Context-based security policies

Security policies are unavoidable when specifying security requirements, for small systems as well as for systems that are more complicated in terms of the services they provide. The role of a security policy is to recognize valuable system assets and to clarify security responsibilities. Thus, a policy imposes a set of requirements on the security infrastructure and defines which kinds of mechanisms need to be implemented. Context-based security policies [5] aim at considering context explicitly as a guide to deduce which mechanisms to enforce in each situation (security context). There is a range of different formulations for security policies. They range from mathematically oriented models to informal models expressed in natural language. The main issues with these models are readability and usability. Existing policies are generally hard to understand except by experts of the domain, and thus hard to maintain. The explicit consideration of context worsens these two issues, since extra information (context) needs to be taken into account. In Section 3 below, we summarize the main works that consider context in security and present our motivation for using contextual graphs as a modeling tool. The proposed solution is intended to specify context-based security policies that are easy to read, to use and to maintain.


3. Related work and motivation

Considering context in security is a recent research direction. Most of the efforts are directed towards securing context-aware applications. In [6], Covington et al. explore new access control models and security policies to secure both information and resources in an intelligent home environment. Their framework makes use of environment roles [7]. In the same direction, Masone designed and implemented RDL (Role Definition Language), a simple programming language to describe roles in terms of context information [8]. There have also been similar initiatives in [9] and [10]. Interestingly, we observed that all previous work on combining security and context-aware computing follows the same pattern: contextual information is used to enrich the access control model in order to secure context-aware applications, with a focus on specific applications. The second main observation is that security decisions follow an old-fashioned rule-based formalism that does not take system and network dynamics into account. In [4], the authors propose a generic model for managing authorizations in a distributed environment. Their model offers a clear separation between the context handling process, the formalism that models the context-based policy, and the system to protect. In practice, this is equivalent to three main modules: the context bucket, the context engine, and the distributed system to protect. This design choice allows security administrators to update the logic that secures the system with minimal effort. In this work, we extend the latter framework by using contextual graphs as a modeling tool that fits into the context engine (cf. [4]).

4. Contextual graphs for modeling context-based security policies

Even if the rule-based representation is often adopted as an intuitive solution, as in [6] and [8], it suffers from three main limitations. The first is the difficulty of maintaining such formalisms when the system to secure is complex. The second is the difficulty of identifying all the needed contextual information from the rule-based formalism, which complicates the context management task. The third is that it does not provide a convenient way to understand the strategy the policy follows, which makes the security management task cumbersome for security administrators. Decision trees are another way to structure the rules. However, the fine-grained nature of context leads to a combinatorial explosion of the trees' size [11]. In order to get round these limitations, we explore a new approach known as "contextual graphs". This formalism helps in specifying context-based security policies and is used as a management tool that eases security administration for complex environments with many heterogeneous services and devices. Contextual graphs are inspired by decision trees, with two main differences. First, they have no decision nodes, only "chance" nodes, where a contextual element is analyzed to select the corresponding path. Second, there are no probabilities. Contextual graphs were initially developed for an application for incident solving on a subway line [11] [12]. A contextual graph (CxG for short) allows a context-based representation of a given problem solving for operational processes by taking the working environment into account. In our case, they allow us to treat security requirements as a problem-solving process that allows only safe actions to be taken by the user for as long as he interacts with the environment. Schematically, a contextual graph is an acyclic directed graph with a unique input, a unique output, and a serial-parallel organization of nodes connected by oriented arcs. A node can be an action, a contextual node, or a recombination node (see Figure 2).

4.1 A case study: fine-grained access control in a health care distributed system

As an example, we use contextual graphs to model the context-based security policy that manages access to health care records in a hospital. Records are stored in a database. The hospital hosts a distributed environment that allows the records to be accessed from remote terminals. In our case, the input corresponds to the user entering the environment. The output corresponds to the user leaving the environment, with no security incident on either the environment or the user for as long as the user is connected. Figure 2 illustrates the context-based security policy (CxG) that manages our distributed application. For the sake of clarity, only a small part of the contextual graph is represented in the figure.

A member of the hospital staff wishing to access a patient's health care record first enters the distributed system by authenticating herself as a member of the staff. Then, depending on the role of the user (C1), additional contextual information determines the decision to authorize access to the record. For example, if the user is the treating physician (C2.1), an additional password authentication is required when the physician is connected from a terminal inside the hospital (C4.1). This additional step is not required if the physician requests the record from the emergency room (C4.0). If the physician requests access to the record from a terminal outside the hospital, an additional operation is performed in order to encrypt the communication between the two parties, because of the high sensitivity of the information contained in health care records. As one can observe, for a nurse only two cases are possible, in contrast to a doctor (treating physician or not). A nurse can access the patient's record if the request is performed from an emergency room or from a terminal inside the hospital. Requests made from outside the hospital are not authorized. Unauthorized paths are not shown on the contextual graph: only safe paths are specified, so that a secure action can be performed. This is commonly known as a closed security policy: "what is not explicitly permitted is denied". According to the user's role, the time, and the domain from which the request is made, the contextual graph represents the decisions to undertake in the current context. These decisions are security actions, which include authentication methods (code authentication, username/password, etc.), notifications, and message encryption. A description of each action is given in the figure caption (Figure 2).

Figure 2. Contextual graphs-based security policy

4.2 Elements of the security policy (CxG)

A detailed definition of each element of contextual graphs as a generic formalism is presented in [11]. In this paper, we describe each element according to our use, namely specifying the context-based access control policy.

a) Security actions

A security action is an executable method that aims at enforcing the policy at a given point of the CxG. In our example (Figure 2), encrypt communication (A4) and log user's activity (A3) are security actions.

b) Contextual nodes and recombination nodes

A contextual element is represented by two types of node, namely a contextual node and a recombination node. A contextual node corresponds to the explicit instantiation of the contextual element. For example, a contextual element could correspond to the role of the requesting user: doctor, treating physician or nurse. A contextual node is represented by C(n, m), where m is the number of exclusive branches corresponding to known practices. The associated recombination node Rn corresponds to the abandonment of the instantiation of the contextual element once the action on the branch has been accomplished (for example R2). The different alternatives then converge towards the same sequence of actions to execute afterwards.
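A minimal evaluator for the policy of Figure 2, as described in Sections 4.1 and 4.2, written here as an added illustration rather than the paper's own Java tool: contextual nodes select a branch on the instantiated value, recombination nodes rejoin the branches, actions are collected along the path, and a value with no branch is denied, which is the closed policy. The labels C1, C2.1, C4.0, C4.1, A3 and A4 come from the paper; the "staff_authentication" and "password_authentication" action names, the placement of A3 after the recombination, and the terminal-to-domain mapping are assumptions.

```python
# Added illustration (not the paper's Java tool): evaluator for the CxG of Figure 2.
END = None  # unique output of the graph: the user leaves with no incident

def action(name, nxt=END):
    return ("action", name, nxt)          # security action node (Section 4.2 a)

def ctx(element, branches):
    # Contextual node C(n, m): m exclusive branches keyed by the element's value.
    return ("ctx", element, branches)

def recomb(nxt=END):
    return ("recomb", nxt)                # Rn: the element is abandoned, paths rejoin

# Common tail after recombination: log the user's activity (A3). The text names
# A3 but not its position; placing it after the recombination is an assumption.
R1 = recomb(action("log_activity (A3)"))

# Treating physician (C2.1): the domain of the request decides the extra step.
physician = ctx("domain", {
    "emergency_room": R1,                                      # C4.0: nothing extra
    "inside_hospital": action("password_authentication", R1),  # C4.1
    "outside_hospital": action("encrypt_communication (A4)", R1),
})

# Nurse: only the emergency room and inside-hospital terminals are safe paths.
# "outside_hospital" is simply absent, which the closed policy turns into denial.
nurse = ctx("domain", {"emergency_room": R1, "inside_hospital": R1})

# Entry: staff authentication, then the role (C1) selects the branch. Roles the
# text does not describe (e.g. a non-treating doctor) are left out here.
POLICY = action("staff_authentication",
                ctx("role", {"treating_physician": physician, "nurse": nurse}))

# Interpreted context (Section 2.1): a raw terminal id is converted into the domain
# the policy reasons about. Constructed mapping; unknown terminals count as outside.
TERMINALS = {"ER-07": "emergency_room", "WARD-3": "inside_hospital"}

def interpret(raw):
    return {"role": raw["role"],
            "domain": TERMINALS.get(raw["terminal"], "outside_hospital")}

def evaluate(node, context):
    """Walk the CxG from input to output; return (authorized, actions in order)."""
    actions = []
    while node is not END:
        kind = node[0]
        if kind == "action":
            actions.append(node[1]); node = node[2]
        elif kind == "recomb":
            node = node[1]
        else:  # contextual node: instantiate the element and pick the branch
            value = context.get(node[1])
            if value not in node[2]:
                return False, actions    # no safe path for this context: denied
            node = node[2][value]
    return True, actions

def decide(raw_request):
    return evaluate(POLICY, interpret(raw_request))
```

Adding a new practice, as Section 5 describes, is a matter of inserting one contextual node with its recombination node and an action into this structure; no existing path has to be rewritten.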

5. Conclusion

Even if context has been used for some time in the specification of policies, it is rarely considered explicitly. As a consequence, very few works benefit from the theories and tools already developed in the context-aware computing area for modeling the needed contextual information. Contextual graphs provide a convenient way of specifying security requirements in pervasive environments, and can be used as a security management tool that eases the task of understanding and modifying the security policy. Contextual graphs support incremental knowledge acquisition: the security administrator may easily add or modify secure paths based on newly detected breaches. Thus, the security policy has the capacity to evolve by accommodation and assimilation of practices. The acquisition of a new practice corresponds to the addition to the contextual graph of the minimum number of elements (generally one contextual node - recombination node pair and an action). We are currently developing a tool that allows contextual graph-based policies to be built and modified graphically. The resulting application is implemented in Java. It offers a set of default actions, such as logging the user's activity, and supports the incremental acquisition of practices (i.e., secure paths on the graph).

6. References

[1] M. Weiser, "The Computer for the 21st Century", Scientific American, September 1991.
[2] M. Satyanarayanan, "Pervasive Computing: Vision and Challenges", IEEE Communications, 2001.
[3] G. Kouadri Mostéfaoui, "Security in Pervasive Environments, What's Next?", in Proceedings of the 2003 International Conference on Security and Management (SAM'03), Las Vegas, Nevada, USA, June 2003, pp. 93-96.
[4] G. Kouadri Mostéfaoui and P. Brézillon, "A Generic Framework for Context-Based Distributed Authorizations", in Proc. 4th International and Interdisciplinary Conference on Modeling and Using Context (Context'03), LNAI 2680, Springer Verlag, Stanford, CA, June 2003, pp. 204-217.
[5] G. Kouadri Mostéfaoui and J. Pasquier, "Deterministic Context-Based Security Policies: An Object-Oriented Approach", in Proceedings of the ACIS 4th International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD'03), Lübeck, Germany, October 2003, pp. 160-165.
[6] M.J. Covington, P. Fogla, Z. Zhan, M. Ahamad, "A Context-Aware Security Architecture for Emerging Applications", in Proceedings of the Annual Computer Security Applications Conference (ACSAC), Las Vegas, Nevada, USA, December 2002.
[7] M.J. Covington, W. Long, S. Srinivasan, D. Dey, M. Ahamad, A. Abowd, "Securing Context-Aware Applications Using Environment Roles", in Proceedings of the 6th ACM Symposium on Access Control Models and Technologies (SACMAT'01), Chantilly, Virginia, USA, May 2001.
[8] C. Masone, "Role Definition Language (RDL): A Language to Describe Context-Aware Roles", Dartmouth College, Computer Science, Hanover, NH, TR2002-426, May 2002.
[9] N. Shankar, D. Balfanz, "Enabling Secure Ad-hoc Communication Using Context-Aware Security Services", extended abstract, in Proceedings of the UBICOMP 2002 Workshop on Security in Ubiquitous Computing.
[10] P. Osbakk, N. Ryan, "Context Privacy, CC/PP, and P3P", in Proceedings of the UBICOMP 2002 Workshop on Security in Ubiquitous Computing.
[11] L. Pasquier, "Modélisation de Raisonnements Tenus en Contexte. Application à la Gestion d'Incidents sur une Ligne de Métro", Ph.D. thesis, University of Paris 6, 2002.
[12] P. Brézillon, L. Pasquier, and J-Ch. Pomerol, "Reasoning with Contextual Graphs", European Journal of Operational Research 136(2), pp. 290-298, 2000.
[13] P. Brézillon, "Modeling and Using Context: Past, Present and Future", research report, LIP6, University Paris 6, France.
