SPECOM’2004: 9th Conference Speech and Computer St. Petersburg, Russia September 20-22, 2004
ISCA Archive
http://www.isca-speech.org/archive
The Event Calculus Implementation Using ILOG JRules for Security Policy Verification Igor Kotenko (1), Artem Tishkov (2), Maria Tishkova (2) (1) St. Petersburg Institute for Informatics and Automation, 39, 14th line, St. Petersburg, Russia
[email protected] (2 St. Petersburg Institute for Informatics and Automation, 39, 14th line, St. Petersburg, Russia
[email protected] Abstract In this paper an overview of the project Policy-based Security Tools and Framework (POSITIF) is presented. The project funded by Sixth Framework Programme, and SPIIRAS participates in most of stages. In the scientific part of this document an approach for secured system modelling and security policy verification is proposed. Using ILOG JRules we implemented a domainindependent axiomatics of Event Calculus that can be used in POSITIF framework for security policy and system architecture consistency checking.
1. POSITIF objectives The main goal of POSITIF is to develop a framework and tools for policy-based protection of networked systems and applications. A multi-level security policy language (SPL) has to be used to describe the desired security policy (SDL) (high-level requirements and/or detailed controls) while a system description language will be used to describe the target system (interconnection topology, functional and security capabilities). A security checker intends for evaluating if the desired policy can be implemented on the target system and measuring the achieved security level. Then configurations for the security elements have to be automatically generated and deployed through the network. A security monitor uses the security policy for proactive intrusion detection (an intrusion is anything that does not comply with the policy) in addition to standard reactive intrusion detection (check against attack patterns). The framework has ti be usable by any producer of a specific security block or tool because open standardbased languages, interfaces and protocols will be used for policy and system description, configuration instructions and deployment, threat monitoring (e.g. XML, SNMP, IPSP, SAML, IDXP, IDMEF). The framework will be complemented by a suite of security tools (both industrial-grade and open-source) that match the specification and will thus be directly usable within the framework. They will include high-speed (up to 10 Gbps) firewall, VPN and IDS that target the current challenges (wired/wireless protocols, IPv4/IPv6 networks, encrypted protocols, protocols on nonstandard ports, XML-based application protocols, multimedia content) and a lightweight security module (for workstations and mobile devices) to protect them
against network attacks, make them part of the security system and permit secure download of new configurations. To get user requirements and to develop different tests, the project includes three test beds: a metropolitan research environment, a geographic government network and a wired/wireless phone and ISP operator. Project details: Project Acronym: POSITIF Project Reference: 002314 Start Date: 2004-02-01 Duration: 36 months Project Cost: 3.93 million euro Contract Type: Specific Targeted Research Project End Date: 2007-01-31 Project Status: Execution Project Funding: 2.55 million euro
2. Participants The consortium is made up of a balanced mixture of research institutions, industrial companies and end-user representatives. There are five purely research institutions, with different specialities within the security field. There are five commercial companies: four of them will perform applied research and develop industrialgrade security products and services, while the fifth one (Vodafone) will mainly provide user requirements and run a test bed. The end users are represented by the three entities that cover different sectors (research, government, telecommunication operator). Below we describe main participants. POLITO (Italy) is the project coordinator. It is a large technical Italian university with a security group well known both at national and international level. It took part to several EC-funded projects in the security field and is running the EuroPKI non-profit public-key security infrastructure. Within POSITIF, this group will mainly focus on the framework definition (policy and system languages and their transformations). BearingPoint Infonova (Austria) is a large Austrian solution and service provider, part of the BearingPoint group (formerly KPMG Consulting). Within POSITIF, BearingPoint will lead the integration and test work of all the framework s components.
BULL (France) is one of the few European IT manufacturer and will participate trough its TrustWay security division. It develops custom solutions, based on special purpose crypto hardware and appliances. Within the project, it will lead the work related to the development of the advanced high-performance security components. MDG (Italy) represents a typical complex government organization. It is the Italian Ministry of Justice and will offer its internal network as a test case for modeling of a complex information system and will run a test bed to test the framework and assess the project results. PRESECURE (Germany) is a German SME that offers high-end consulting services about security management, intrusion detection and prevention. Within POSITIF, PRESECURE will lead the development activity of the proactive security monitor and will contribute its experience in the definition of several other activities. PWR (Poland), the Wroclaw University of Technology, is large Polish technical university and represents a typical research environment as it manages a metropolitan Gigabit network (soon to be updated to 10 Gbps) that interconnects several academic, public and private entities: university campuses, industrial research sites, public administration offices and health services. It will mainly provide a test bed for the typical research environment (high-speed, low trust in the users, highly mixed data sensitivity levels) but will also perform some developments related to open-source security tools and will lead the dissemination workpackage. SIC (Austria) is a research foundation created by the IAIK institute of the Technical University of Graz (quite famous due to its work on Java security and electronic documents and signatures). As such it draws on the experience of the IAIK researchers and will contribute to the definition and development of the applicationlevel security features into the policy system, the security monitor and the content filters. Our Institute, SPIIRAS (Russia) is the St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences. It will participate in POSITIF through its Intelligent Systems Laboratory that in the last several years has been awarded research contracts from the US Air Force research department, via its EOARD (European Office of Aerospace Research and Development) branch. The research performed under contract with EOARD is concerned with innovative mathematical methods for network intrusion detection and simulation of network attacks. In POSITIF SPIIRAS will develop mathematical models for system, policy and threats, as well as mathematical techniques for automated reasoning and intrusion detection. UMU (Spain) is the University of Murcia, a large Spanish university with a research group particularly active in the sectors of PKI and network security (especially IPv6 networks, where the group is partner of various IPv6 projects). Within POSITIF, this group will
lead the policy and system description tasks and will contribute to the development of the related tools. VODAFONE (Italian branch) is a well-know European voice and data telecom operator. It will take part to the project via the Italian branch ot its R&D division and will mainly run a test-bed to model and manage the security of a mixed wireless/wired environment with different end-user devices (notebooks, PDAs, cellular phones). The wireless part will initially support GSM, GPRS and WiFi, while later in the project it will support UMTS too.
3. Current efforts of SPIIRAS team The main current efforts of SPIIRAS are analysis of internal project format and translations in POSITIF, analysis of tools for development of SPL and SDL translators, including implementations of standards and XML parsing, analysis of RuleML for SPL, SDL and internal format definition, analysis of possibilities for using ILOG JRules, the Event Calculus implementation using ILOG JRules for verification of security policy and system architecture, analysis of methods and tools for verification of policy consistency and applicability, including model checking, analysis of using Attack Simulator tool for evaluation of security level and vulnerability assessment. In this paper we describe Event Calculus implementation using ILOG JRules intended for verification of security policy and system architecture. The Event Calculus (EC) is a logical formalism to reason about events. Operating with events coming at arbitrary time and describing event-dependent properties of the world, Event Calculus provides a suitable mechanism to model and study security systems. EC formalism for automated deduction systems allows us to make automated verification in POSITIF Security Checker. Consistency checks should be made for low-level security rules, defined by a user or refined from high-level rules, and probably for high-level rules if they could be translated to strict formalism (formal representation) themselves. Consistency checks also should be made after applying security policy rules to system description. The result of this application, secured system description (SSD) can be formalized and studied using Event Calculus. ILOG JRules is a java-based business rules management system providing a flexible inference engine together with API, and a number of tools with graphical user interface. The SSD translator to Event Calculus together with ILOG JRules can be considered as an automated security policy verifier.
4. Event Calculus The Event Calculus was introduced by Kowalski and Sergot [1]as a logic program framework for reasoning about events and their effects. The basic idea is a formalization of the principle of inertia: `normally, nothing changes'. The reasoning is based upon the supposition that all changes must be due to a cause -- spontaneous changes do not occur. Properties of the world can change only at
particular time points when events (occurrences of actions) are happening. A fluent (time-varying property of the world) holds at a timepoint if it has been initiated by an event at some earlier timepoint, and not terminated by another event in the meantime. Similarly, a fluent is not held at a timepoint if it has been previously terminated and not initiated in the meantime. These principles are realized by domain independent axiomatics. Domain dependent axioms should be provided to describe which actions initiate and terminate which fluents under various circumstances, and to state when actions occur. Concerning to the POSITIF framework the domain dependent axioms should be extracted from SSD as a number of restrictions and possibly completed with rules describing system behaviour.
4.1 Language Formally EC uses multi-sorted first-order language. Additionally to standard domain of individual objects, EC defines the following sorts: fluents: time-varying properties of the world; actions: their instances (events) change state of fluents terminate or initiate fluents; time: real or integer numbers, in our applications starting from 0. The following predicates define fluents' states, their initiation and termination, and events happening: HoldsAt(f,t) is true iff fluent f holds at timepoint t. Happens(a,t) is true iff action a happens at timepoint t. Initiates(a,f,t) expresses that fluent f holds after timepoint t (but not at t) if action a happens at t. Terminates(a,f,t) expresses that fluent f does not hold after time point t (but not at t) if action a happens at t. InitiallyTrue(f) and InitiallyFalse(f) define whether f holds or not at timepoint 0.
4.2 Axiomatics The axioms EC1 EC7 represents EC axiomatics used in most applications. An overview of possible EC axiomatizations can be found in [2]. The auxiliary predicate Clipped(t_1,f,t_2) expresses if fluent f was terminated during time interval [t1,t2). Similarly, the auxiliary predicate Declipped(t1,f,t2) expresses if fluent f was initiated during time interval [t1,t2): EC1. Clipped (t1,f,t2)
Happens(a,t1) & t1 t < t2 & Initiates(f,t2)
Fluents which have been initiated by event continue to hold until an event which terminates them. Similarly, fluents which have been terminated by an event continue not to hold until an event which initiates them:
EC4. ¬HoldsAt(f, t2) ¬Declipped(t1,f,t2)
EC5. HoldsAt (f, t) EC6. ¬HoldsAt (f,t)
InitiallyTrue(f) & ¬Clipped(0,f,t) InitiallyFalse(f) & ¬Declipped(0,f,t)
EC7. InitiallyTrue(f) | InitiallyFalse(f)
5. ILOG JRules and EC implementation In this section we describe briefly ILOG JRules [3] concepts and present EC domain-independent axiomatics realization.
5.1 JRules Engine concepts ILOG JRules program execution consists in firing rules from a ruleset implemented by a developer. Condition part of a rule is a pattern used to search matching objects in working memory. Action part of a rule changes the state of working memory by adding, removing and modifying objects. After firing a rule the list of fireable rules called agenda is updated. The program is executed until agenda is empty. The basic notions we mentioned are objects, patterns, working memory, actions, and agenda. JRules objects are ordinary Java objects. They can be represented by instances of Java classes or by instances of XML schemas. In XML the JRules object's attributes are represented by elements. In Java they are represented by public fields of java classes. A pattern is a coded expression capable of designating one or more objects of a given kind. A typical pattern definition is: ( [; == ]).
==
JRules working memory is where JRules stores all the objects with which it is currently working. Objects can be asserted, updated and removed by initiating rules and by action parts rulesets, implemented by a developer. Actions are operations that may change the working memory. A rule may add an object to or remove an object from the working memory (assert and retract actions), modify an object (update action), or execute a method on one of the objects. Actions appear in action parts of rules or when JRules program is initiating. Agenda is where JRules stores the rules whose patterns are matched at the moment. Any rule that enters the agenda is said to be instantiated.
Happens(a,t1) & t1 t < t2 & Terminates (f,t_2)
EC2. Declipped (t_1,f,t_2)
EC3. HoldsAt (f, t2) ¬Clipped (t1,f,t2)
The four axioms above capture the behaviour of fluents once initiated or terminated by an action. But we need also to describe fluents' behaviour before the occurrence of any actions which affect them. Following a general principle of persistence: fluents change their truth values only via the occurrence of initiating and terminating actions:
Happens(a, t1) & Initiates(a,f,t1) & t1 < t2 & Happens(a, t1) & Terminates(a,f,t1) & t1 < t2 &
5.2 Implementation of Java classes for EC Events, fluents, an example of EC domain-independent predicates, and time points implemented as java classes are presented in the following listing: package eclang; public class ECClipped { public String fluent = null; public int time1 = 0; public int time2 = 0;
} package eclang; public class ECError } package eclang; public class ECEvent { public String name = public int time = 0; } package eclang; public class ECFluent { public String name = } package eclang; public class ECTimePoint public int time = 0; }
{
null;
null;
{
The classes for EC predicates have attributes corresponding to their parameters. The ECTimePoint class models time flow, the class ECEvent implements action instances, and the class ECError is defined to place error flag into working memory when some situation of inconsistency or incompleteness occurs (for example if for a fluent f non of InitiallyTrue(f) or InitiallyFalse(f) defined for a modelled system.
5.3 JRules repository implementation for EC A central place where data is kept and maintained is a JRules repository. A repository for event calculus domainindependent axiomatics contains one project and several packages with rules for the axioms. An example of a rule implementation presented in the next subsection.
5.4 Implementation of EC axioms Let P be EC predicate, * is the list of parameter values. For our Implementation P(*) is true if corresponding java object exists in the working memory. The rules presented below place necessary java objects to the working memory. An instance of ECHoldsAt class has an attribute isTrue which represents a truth value for any given time point. The following listing presents the implementation of EC1 axiom in ILOG Rule Language (IRL). when { ECTimePoint(?t1: time); ECTimePoint(?t2: time; time > ?t1); ECHappens(?e: eventName; ?t: time; time > ?t1 ; time
