Security Support for Intention Driven Elastic Cloud Computing

Security Support for Intention Driven Elastic Cloud Computing Y. Karam, T. Baker, A. Taleb-Bendiab School of Computing and Mathematical Sciences, Liverpool John Moores University, Byrom Street, Liverpool, L3 3AF, UK [email protected], [email protected], [email protected]

Abstract- Cloud computing had enabled many companies to drive efficient and better utilization of computational resources, this by ensuring better empowerment of objectives and user policies over these resources. Various security aspects such as privacy, accountability, authentication, auditing, role-based access control and others, depict several desired policies that need to be available in cloud-based applications for two main reasons: (i) to promote secured cloud usability (ii) and to protect users information/application. This paper presents Secured Objective-Driven programming model created automatically at runtime by PAA Cloud Engine along with the XACML security annotation representation. The later provides a secured separated abstraction layer for the cloud users sits on top of the programming model. Keywords-component; Elastic Clouds, Intention Modeling, PAA, XACML, Automated Planing

I.

INTRODUCTION

The mass and complexity of the existing and upcoming specifications in the web service security area like WSSecurity, SAML (Security Assertion Markup Language), WS-Trust, WS-Policy or the Liberty Alliance’s stack proposal make software developers often neglect the web service security part at first. This is why, as yet, the existing web services in most cases have little or no identity management features. Hence web service invocations are simply “trusted” by default [1]. Complication increases when composing several web services which provide functionality from different underlying applications [2, 3]. To benefit from the advantages of SOA (Service Oriented Architecture), the composition of two or more web services is implemented using the Business Process Execution Language [4, 5]. All these specifications and their implementation frameworks specify their own policy languages, enforcement technique, and data formats. It is evident that a common standardized method for access control and policy enforcement it absolutely needed to build interoperable distributed systems: first of all, because the administration of different systems may require the usage of various access control methods, and second because cooperation between different security domains (e.g,

emerging policies from two different interacting companies) would otherwise become a nightmare [6]. XACML [7] (eXtensible Access Control Markup Language) is the standard proposed by OASIS (the Organization for the Advancement of Structured Information Standards) to simplify these problems. XACML was designed to replace existing access control mechanisms. It makes possible a simple, flexible way to express and enforce access control policies in a variety of environments, using a single language. It has a number of advantages over other access control policy technologies [8]. For instance, security administrators can describe an access-control policy once, without having to rewrite it several times in different application-specific languages. On the other hand, application developers don’t have to invent their own policy language and write code to support it because they can reuse existing standardized code. This paper provides a design-time access control for objective driven programming model through usage of PAA (Provisioning-Assurance-Auditing) and CA-SPA (Concept Aided-Situation Prediction Action) in dynamic cloud based application development environment Neptune [9, 10], in such context we present support for dynamic constraint programming model paradigm, in which specifications of computational problem can be described through propositional logic, predicates, and fluents. With such approach, the entities in a problem are represented as a homogeneous collection of finite constraints over variables, and then the problem is solved using constraint satisfaction methods. Our main objective in this paper is to provide runtime object access control using interoperable standard XACML authorization and policy enforcement language. We prove this by using runtime dispatching calls control aided by policy driven process model design via provisioning, assurance and verification model PAA [10]. This support maintains qualitative specifications of distributed cloud based application design. II.

PROBLEM STATEMENT

In order to secure dynamic aggregation and transformation of authorities between dispatched entities in realtime and to support highly responsive cloud based invocation, the adherence to automatic leveraging of levels of self-management between acting entities is decisive. To

promote dynamic segregation of authorities and responsibilities between functioning entities, the focus on evaluation and assurance for delivered provisioning of computational results against some constrained set of rules prior process of invoking these computations is highly recommended. Risk impact arises by multiple concurrent transactions take place in socially networked system agencies. Such system agencies encountered bad inception of intentions simultaneously influencing the enterprise. The undertaking of such risk will result in consecutive implicit and explicit costly tasks when distributed cloud applications start embarking value to its market consumers. Some definition of risk: “Failure to deliver results due to distrust caused through unsuccessful deputy of confidence between actors in social chain of responsibly” Exchanges of semantics computationally between actors requires a common format and is interpreted by (has the same meaning for) the sender and receiver (semantic interoperability) is still a major concern. Dynamic function calls are bound during run-time, which involves additional steps of searching for computational resolutions during run-time. On the other hand, no run-time search is required for statically bound functions. As applications are becoming larger and more complicated, the need for flexibility is increasing rapidly. Most users have to periodically upgrade their software, and this could become a very tedious task if static polymorphism is applied. This is because any change in requirements requires a major modification in the code. In the case of dynamic binding, the function calls are resolved at run-time, thereby giving the user the flexibility to alter the call without having to modify the code. Role instances can be attached to and removed from base instances at runtime thus accounting for properties that an object exhibits only in specific situations. For example consider a person who is not born as an employee but may be hired at some point during his/her life, and may also quit the job at some later point without invalidating the person that is. Furthermore, roles (classes/objects) are nested in a team (class/object). Teams define a border where data flows automatically translate role instances to base instances and vice versa: A base instance entering a team is lifted to an appropriate role instance (created on-demand and cached for later reuse). Data flows passing a role instance from a team to the outside apply lowering to actually pass the base instance to the sink of the data flow. These translations avoid a typical dilemma of role based languages: should roles be considered as sub-types of their base or perhaps even super-types? Either direction of sub-typing is desirable because one may want to provide role instance where a base instance is expected or vice versa. Object Teams

avoids this dilemma by providing substitutability without sub-typing. By means of lowering a role can be substituted where a base is expected, and using lifting a base can be used as a substitute for an expected role. III.

PROPOSED SOLUTION

To overcome the above shortcomings, we propose a more pragmatic weaving model PAA. It provides a triple way of enhancement to acknowledge object identities by validating and verifying dispatching of calls. The provisioning model is an implicit xml based model used prior to late binding of services in which high level abstract request calls from “intention model” will be serialized based on event driven from composition factoring service. This serialization of late binding will be tested for purposeful assurance against asserted XACML rules and policies. After successful fulfilment of goal requirements against these rules and policies, a confirmation message is sent to process execution engine for the test approved set of transactions against assurance regulations, at the meantime a conflicted transactions which are not capable to fulfil composition of goal requirements, their authorization will be re-planned using alternative strategies so that tactically more alternative resolutions can be made through proposing several provisioning models which proximate fulfilment of goals and their requirements. Figure (1) Knowledge about request

Situation: Unauthorized User

Action to be evaluated Optimistic determinism for calling delegate object

Action Semantics: Attempt Authorization

Predicted State: User Authorized OR User Denied Unauthorized

Pessimistic determinism for token owner object

Figure (1)

XACML provide greater degrees of expressibility— and, as a result, increased complexity While approaches such as role-based access control (RBAC) provide a degree of abstraction, therefore increasing manageability and accessibility, supports multiple subjects per access request, indicating various entities that may be involved in making the request. For example, there is usually a human user who initiates the request, at least indirectly. There are usually one or more applications or code bases that generate the actual low-level request on behalf of the user. To further aid the assurance of the intention model, the Assurance Checker of PAA focuses on the intention processe’s/task’s Validation & Verification (V&V) at this stage, for example: making sure each requirement/process

is uniquely named to overcome the overlap among processes and requirements, and ensuring, for example, a valid shipping date. It also deals with the Authentication (verifying the identity of an entity) and Authorisation (whether a requesting entity will be allowed access to an object) aspects in the application. CA-SPA [9] is used in PAA to specify policies for controlling access to system concerns and ascertain the authorisation with two main authentications. Mechanisms are used to get the authentication credential, the username/password pair which is used when the user wants to access the intention, Provision model and/or the auditing model for modifying them, and the digital signature. During authorisation process, the requesting entity is granted access to a resource by mapping some local policy, e.g., access lists to the entity’s identity or profile, and is bound by a limited expiry time, e.g., logging in to the PAA WikiEditor to amend the Provision model without amending any results in time out and needs to log in again to resume the work. Figure (2) shows the CA-SPA policy in PAA assurance checker representation.

Figure 2

A. Policy Enforcement using PAA Rules should be clearly defined over application model entities and authority is to be carried by capabilities. All entities come to live with no default authority, and capabilities can only be acquired in the following ways: - When creating an entity, the creating entity can provide part of its authority to the created entity or automatically gets only initial capability to the created entity. - By introduction: an entity can initiate an exchange of capabilities with another entity, by exerting a permission of a capability that designates the other entity

PAA ensures that no authority can be acquired in any other way, whether via globally or dynamically scoped variables, or via memory probing and forging, this means that the Neptune language has to be purely lexically scoped and completely memory safe. PAA model encompasses a full structured code verification and evaluation through assurance. Listing (1). define pre-alicercvr as PAA; //PEP provisioning{ request.role is not null; request.target is not null; request.requested-action is not null; response.Decision is null; response.Status is null; response.Obligation is null; } Listing 1

B. Policy Evaluation Reification and introspection supports verification of security properties at runtime, we propose to add the necessary logic constraints using PAA constructs. The challenges faced are to instigate the ability of the program to inspect itself in order to verify security properties. In general, introspection can break the encapsulation provided by lexical scoping. To avoid breaking encapsulation the Neptune language and with PAA support allows a user-defined entity to invite third parties (auditors) to inspect an abstract syntax tree representation of itself, such verification of byte code is a cumbersome and error-prone task. Neptune should be restricted to load code from easily verifiable abstract syntax tree (AST) representations of metadata layer and full language statements instead of byte code. Listing (2). //PDP evaluation Assurance{ request.role is valid; request.target is valid; request.requested-action is valid; } Audit{ } Listing 2

C. Situated XACML Concepts with CA-SPA The provisioning requirements show the specific user requirements and the individual services and components the user wants to use in the application at runtime. However, the provision requirements can either be added manually by the user or extracted automatically by the provision generator at runtime during the application execution. The Assurance requirements describe properties that are fundamental for the characterization of a service. We rely on a set of non-functional properties such as validity, availability, service type…etc. In order to provide a suitable language that can be understood by business stakeholders and consumers, this requirement has been

extended to include Concept Aided-Situation Prediction Action (CA-SPA) policy as shown in listing (3), which can be used to add new prediction and action at runtime according to the current situation; more information about CA-SPA can be found in [9]. // define situation Read-Test { if (Concept ["Concepts\alicercvr") { return true; } else returun concept alicercvr as PAA } {if (role ["Subject\Subject-id" && if (target ["Resource\Resource-id"] && if (requested-action ["Action\Action-id"] } define action test-alicercvr using Read-Test { Services=Test_NBLO(me, requestID); ReRoute(s); } //decisions could be also deny, interminate, //notapplicable define prediction alice-permission-to-read to s{ if (Decision ["PDP\Decision".value="Permit" ) && // statuses can be ok, missing-attribute, syntax//error, processing-error ["PDP\Status".value="ok" { then true;}} Listing 3

D.

Dynamic Assurance through Automated Planning Automated planning is one of promissing areas of artificial intelligence used in problem solving and problem optimization using intelligent serach algorithms. planning. Planning is a complex problem which has been investigated extensively by AI research. [11] characterize the problem of planning as follows : “Planning can be interpreted as a kind of problem solving, where an agent uses its beliefs about available actions and their consequences, in order to identify a solution over an abstract set of possible plans”. This approach is efficiently used also in solving non-deterministic formal model checking problems. A satisfiability (SAT) problem is finding the values (in {1, 0}) of literals such that a proposition using these literals is true. An example is the formula : (¬a c) (¬b ¬a) (a b) Solution of the example is: a = 1, b = 0, c = 1, a type of problem is a decision problem, where values must be chosen to satisfy goal between TRUE and FALSE states.

∨ ∧ ∨ ∧ ∨

We used fuzzy logic heuristic solver to choose between XCML response message decsisions which are “Permit”, “Deny”, “Interminate” and “Notapplicable”. Problem modeling used to design initial state of objects and their ultimate favorable goals as in Listing (4). ;;;-----------------------; AUTHORIZING SCRIPT FOR SECURITY ;;;-----------------------(DEFINE (PROBLEM AUTHORIZE-READ) (:DOMAIN SECURITY) (:OBJECTS ALICE BOB CAROL) (:INIT (IS-ADMIN ALICE) (IS-VP BOB)(IS-CFO CAROL) (WANT-PERMISSION) (WANT-AUTHORITY) (= (LAST-REQUESTER) "BOB") (= (LAST-DECISION) "PERMIT")) (:GOAL (REQUESTER-AUTHORIZED)) Listing 4

Writing specifications for problem domain which contain predicates, possible actions and logic functions to be used to constrain achievement of actor’s goals, a domain theory must formally define the causal laws of the operations, i.e. it must allow to axiomatize relevant aspects such as the preconditions of operations and their effects to the world. Usually, domain theories follow some state-transition model, i.e. they introduce a notion of state (or situation), which is a snapshot that describes the world at a certain point in time and they relate actions to transitions between such states. Most approaches define a state extensionally as a set of ground atomic formulas (atoms), where atoms that may change their value over time are called fluents and those that do not change are called state invariants [12]. STRIP type domain definition in listing (5) contains the domain predicates and operators. It may also contain types, constants, static facts and many other things, but, again, these are not supported by the majority of planners [13]. ) ;;;-----------------------; AUTHORIZING PROBLEM DOMAIN SCRIPT FOR SECURITY ;FOR TEST_NBLO ;;;-----------------------(DEFINE (DOMAIN SECURITY) (:REQUIREMENTS :STRIPS :FLUENTS :NEGATIVEPRECONDITIONS) (:PREDICATES (IS-REQUESTER ?PERSON) (IS-REQUESTEE ?PERSON) (WANT-AUTHORITY) (WANT-PERMISSION) (REQUESTER-AUTHORIZED)) (:FUNCTIONS (LAST-REQUESTER) (LAST-DECISION) (PERMIT-TOKEN)) (:ACTION CHECK-IF-TOKEN-RECEIVED :PARAMETERS () :PRECONDITION (AND

(NOT (WANT-AUTHORITY)) (NOT (WANT-PERMISSION)) (AND (LAST-REQUESTER) (LAST-DECISION))) :EFFECT (AND (REQUESTER-AUTHORIZED) (ASSIGN (PERMIT-TOKEN) (LASTREQUESTER)))) (:ACTION REQUEST-READ-PERMIT :PARAMETERS () :PRECONDITION (AND (NOT (WANT-AUTHORITY)) (NOT (WANT-PERMISSION))) :EFFECT (AND (WANT-AUTHORITY) (WANT-PERMISSION))) (:ACTION MAKE-READ-AUTHORIZATION-TOKEN :PARAMETERS () :PRECONDITION (WANT-AUTHORITY) :EFFECT (AND (NOT (WANT-AUTHORITY)) (ASSIGN (LAST-REQUESTER) "BOB"))) (:ACTION MAKE-READ-DENY-TOKEN :PARAMETERS () :PRECONDITION (WANT-PERMISSION) :EFFECT (AND (NOT (WANT-PERMISSION)) (ASSIGN (LAST-DECISION) "INTERMINATE"))) ) Listing (5)

IV.

CASE STUDY

By looking into conventional human distributed computation scenario, Alice, the CEO of Evernet Computing, needs a new version of the budget including R&D numbers from the VP of Engineering, Bob. Alice calls Bob: "Could you get me those numbers?”. The intention model of Alice request in listing (6) shows conceptual abstraction of actor’s desires organized in a sequence of result driven actions.

Valid Decision1 EndPoint1 Listing (6)

Bob jots Alice's request on his to-do list. "Sure thing, Alice, I promise I'll get them for you after I solve this engineering problem." Bob has handed Alice a promise or obligation for the answer. He has not handed her the answer. But neither Bob nor Alice sits on their hands, blocked, waiting for the resolution. Rather, Bob continues to work his current problem. And Alice goes to Carol, the CFO: "Carol, when Bob gets those numbers, plug 'em into the spreadsheet and give me the new budget, okay?" Carol: "No problem." Carol writes Alice's request on her own to-do list, but does not put it either first or last in the list. Rather, she puts it in the conditional part of the list, to be done when the condition is met--in this case, when Bob fulfills his promise. Conceptually, Alice has handed to Carol a copy of Bob's promise for numbers, and Carol has handed to Alice a promise for a new integrated spreadsheet. Carol ambles down the hall for a contract negotiation; Alice goes back to preparing for the IPO.

By engineering these requirements, SAT solver will output set of best optimum NBLO (Neptune Base Language Objects) functions to be decomposed as policy goal requirements to be processed by Neptune. The refectory of new optimized PAA model will result new strategies for annotating XACML policies. PAA also contain a full decision model to control the process flow inside intention model as shown in Listing 6, when Decision1 is ready, next action will be processed. V. Figure (3)

A sophisticated distributed computation has been completed so simply that no one realizes an advanced degree in computer science should have been required Figure (3). The scenario shows a transition of fulfillment of promises as obligations between actors, but still system questions if the transitioning of states had guaranteed the right efficient decision to perform fulfillment of action requirements. Another question is what might have occurred if system probed one or more obligations failure in due time. How will such risk be managed by the system at runtime, and how will successful provisioning of system computation resources be assured. New provisioning models in listing (7, 8) exhibit what risk undertaken from unsuccessful enforcement of individual intermediate access policy which will require administrative policy superimposed dynamically.

define pre-CarolRecv as PAA; //PEP provisioning{ request.role is VP; request.target is not null; request.requested-action is authorizetoken; response.Decision is Deny; //Goal to be fulfilled by piped obligation //if delegate has Admin RBAC role response.FulfillOn is PermitOverride; } Listing (7) – Pessimistic

Approach

define pre-CarolRecv as PAA; //PEP provisioning{ request.role is VP; request.target is not null; request.requested-action is authorizetoken; response.Decision is Permit; //Goal to be fulfilled by piped obligation //if delegate has Admin RBAC role response.FulfillOn is Permit-Override; } Listing (8)

– Optimistic Approach

CONCLUSIONS AND FUTURE WORK

This paper has argued for the design and use of an adaptable automated decision model with minimum administration of policy by human interaction for the optimization of access control driven dynamic provisioning of cloud-based–applications to achieve the cloud elasticity characteristics through the using of the PAA approach. This approach proved to present new mean to modify other aspects of system engineering and providing how to instigate requirements for these aspects like Accountability, Authority, which means it will be straightforward, quick and reliable to amend the cloudbased-applications at run time without the need for the recoding and republishing of the application. The presented approach is distinguished among existing working models through the exposability and expressability of different abstract models that can be easily sit on top of programming model. The approach uses AI automated planning algorithm to solve business computational problem through situation of access control objects. In future work, the introduced approach will examine new hypervisor model that can stimulate more advanced human decision making models like situated cognition or self-aware systems. Focusing on the realization and conceptualization of socially self-thinking cloud based application development through code fragments and their semantics. REFERENCES [1] [2]

[3] [4]

[5]

[6]

[7]

Emig C., Schandua H., Abeck S., "SOA-Aware Authorization Control," ICSEA'06, 2006p. 62 Emig, C., and Brandt, Frank, “Identity as a service-towards a service-oriented identity management architecture”, EUNICE'07, 2007, p. 1-8, Decker, Gero and Kopp, “Modeling Service Choreographies Using BPMN and BPEL4Chor”, CAiSE '08, p. 79-93, , 2008. Momm, C., Karlsruhe Gebhart, M “A Model-Driven Approach for Monitoring Business Performance in Web Service Compositions Internet and Web Applications and Services”, p 343-350, 2009. ICIW '09. Legner, Christine, Müller-Friedberg-Strasse; Loehe, Jan ; “Transforming Inter-Organizational Business Processes into Service-Oriented Architectures Method and Application in the Automotive Industry”, 2007 ITG-GI Conference, p 1-12 . Piervito G. Scaglioso and Cataldo Basile; "Modern Standard-based Access Control in Network Services: XACML in action", Modern Standard-based Access Control in Network Services: XACML in action. OASIS , “XACML 3.0 (eXtensible Access Control Markup Language)” specifications.

[8] Piervito G. Scaglioso, Cataldo Basile, Antonio Lioy, “ Modern Standard-based Access Control in Network Services XML in Action”, IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.12, December 2008. [9] Philip M., Taleb-Bendiab A., “CA-SPA: Balancing the Crosscutting Concerns of Governance and Autonomy in Trusted Software”, AINA’06, IEEE Computer Society, pp. 471–475, (2006). [10]Thar Baker, A. Taleb-Bendiab and Martin Randles (2009), "Auditable Intention-Oriented Web Applications using PAA

Auditing/Accounting Paradigm” (TAMoCo 2009), 16 - 17 September 2009, IOS Press. [11] Russel, S. and Norvig, P. (1995). Artificial Intelligence: A Modern Approach. Prentice-Hall Inc. [12] Joachim Peer, “Web Service Composition as AI Planning a Survey” March 22, 2005. [13] Pednault, E. 1989. “ADL: Exploring the middle ground between STRIPS and the situation calculus” In Proceedings of KR-89, 324332.