POLICY GROUP MEETING
November 24th, 1998
3085 ENG II
8:30-9:15 am
In attendance:
Premkumar Devanbu (PD), Michael Gertz (MG), Jim Hoagland (JH), Jeff
Rowe (JR), Dan Zerkle (DZ)
TOPICS:
PROPOSAL MEETING (DARPA 99-10)
Current State of the Proposal
Abstract Focus
Problems
Innovative Claims
Next Meeting
-
Current State of the Proposal
-
Michael has written a couple of pages. A 4-page technical approach/plan
is needed.
-
Abstract Focus
-
Policy language has powerful modeling capabilities
-
Leverage UML and modeling
-
Tight correlation between description language for system and policies
-
DZ has a half-implemented language that allows you to model directly the actions
provided by systems and services (e.g. sendmail).
-
The policies are written in terms of systems, services and actions, where each
action has preconditions and post-conditions.
-
The language models a user as a set of attributes (the abilities to carry out
actions). An arbitrary user can read only world-readable files. Users without
the root password can never become root; the model's safety measures prevent
root access otherwise.
-
You can search the state of the system and actions available.
-
Ruleset – each rule pairs an action with its preconditions. The post-condition
is that the ability to perform the action is added to the user's attribute set.
-
Traceability and Propagation
-
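To make the action/precondition/post-condition model concrete, here is an added toy implementation in Python. It is not DZ's language or any code from the proposal; the attribute names, the rules, the hypothetical services (sendmail, login, su, httpd) and the assumption that a newly installed web server's document root covers a staff directory are all constructed for this illustration. A user is an attribute set, each rule adds its post-condition attributes to a user who meets its preconditions, and a breadth-first search over the ruleset reports which attributes an arbitrary user can reach and the chain of actions that gets them there. Running the same policy check before and after adding the web server shows the new entry point the policy never mentioned, which is the traceability the group wants from the tool.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One action offered by a service. A user whose attribute set contains
    every attribute in `pre` can carry it out; the post-condition is that
    every attribute in `post` is added to that user's attribute set."""
    name: str
    service: str
    pre: frozenset
    post: frozenset


def rule(name, service, pre, post):
    return Rule(name, service, frozenset(pre), frozenset(post))


def derive(initial, rules):
    """Breadth-first search over the actions a user can chain together.

    Post-conditions only ever add attributes, so the state space is monotone:
    one growing attribute set stands in for the whole graph, and expanding it
    layer by layer gives each attribute its shortest derivation. Returns a
    trace {attribute: tuple of rule names that first produced it}."""
    have = set(initial)
    trace = {a: () for a in have}
    while True:
        frontier = [r for r in rules if r.pre <= have and not r.post <= have]
        if not frontier:
            return trace
        snapshot = frozenset(have)
        for r in frontier:
            # the chain that produced this rule's preconditions, then this rule
            parent = max((trace[p] for p in r.pre), key=len, default=())
            for a in r.post - snapshot:
                trace.setdefault(a, parent + (r.name,))
            have |= r.post  # post-condition: abilities added to the user


def check_policy(user_attrs, rules, forbidden):
    """Policy = attributes the user must never obtain. Returns (ok, violations);
    each violation maps a reachable forbidden attribute to the rule chain that
    obtains it, which ties a policy failure back to a concrete system change."""
    trace = derive(user_attrs, rules)
    violations = {a: trace[a] for a in forbidden if a in trace}
    return not violations, violations


# Constructed toy system: a host running sendmail and a login service.
# Attribute and rule names are this example's own convention.
BASE_RULES = [
    rule("sendmail:deliver", "sendmail", {"net:connect"}, {"mail:deliver"}),
    rule("login:shell", "login", {"password:user"}, {"shell"}),
    rule("read-world-readable", "fs", {"shell"}, {"file:/etc/motd"}),
    rule("read-internal-doc", "fs", {"shell", "group:staff"},
         {"file:/home/staff/plan.doc"}),
    rule("su:root", "su", {"shell", "password:root"}, {"root"}),
]

# The system change: a new web server whose document root (by assumption)
# includes the staff directory. The written policy itself does not change.
WEB_RULE = rule("httpd:get", "httpd", {"net:connect"},
                {"file:/home/staff/plan.doc"})

# Policy for the arbitrary (unauthenticated) network user.
ARBITRARY_USER = {"net:connect"}
FORBIDDEN = {"root", "file:/home/staff/plan.doc"}


if __name__ == "__main__":
    for label, rules in (("before", BASE_RULES),
                         ("after", BASE_RULES + [WEB_RULE])):
        ok, bad = check_policy(ARBITRARY_USER, rules, FORBIDDEN)
        print(f"{label} adding httpd: policy {'holds' if ok else 'VIOLATED'} {bad}")
    # A user who knows the root password reaches root, and the trace says how.
    print(derive({"net:connect", "password:user", "password:root"},
                 BASE_RULES)["root"])
```

Before the web server is added the arbitrary user can only deliver mail, so the policy holds; afterwards the check fails and the trace names the single action ("httpd:get") that exposes the internal document. The same search shows that a user holding the root password reaches root through login followed by su, while a staff user without it never does.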
Problems
-
Separation of system and policy.
-
Current modeling capability is weak.
-
Static and dynamic
-
Innovative Claims
-
Modeling tools and infrastructure including languages, compilers, etc.
-
Verification, traceability, propagation
-
Leverage UML tools for security policy modeling
-
Policy evolution more convenient – make policy implications of system changes
obvious
-
Tight coupling between system and policy
-
Example: a policy is enacted, changes are made to the system, something new
is added, the policy evolves, and there is a possibility that something is missed.
-
JR: Local policy restricts certain hosts. The service used the host name as
access control. Using the Sun port-mapper, the data portion of the packet
redirects to another port, so it is possible to circumvent the local policy and
have the restricted host gain access.
-
DZ: Explains an example in his modeling system (Graph search algorithm)
-
PD: A system that misclassifies certain types of files. A description of
a service specified by actions. Model services by hand.
-
PD: Building models from source code
-
MG: Map UML to security mechanisms
-
DZ: User gains ability to access systems
-
MG: Easy to map policy to security mechanism (is not separated)
-
JR: Scenarios
-
PD: Behavior of matter – class hierarchy – if inconsistent with ancestors,
then raise a flag (preconditions and post-conditions)
-
DZ: Example: Install a new web server that allows access to a new set of
files which may be internal documents. The policy doesn’t change, but there
is an alternative entry point. You need to be able to model web servers.
-
MG: Literature on how to analyze existing systems? Engineering approach
– system analysis
-
JR: SATAN applies
-
PD: Class framework
-
DZ: Has a class framework in his system. There are classes of services
– a set of variables must be true (Boolean expressions)
-
Check certain conditions
-
Abilities of arbitrary functions
-
Network Management – the science of knowing system protocols, the structure
of existing systems, etc.
-
MG: In a recent workshop on security, one of the main problems was that
they just don’t understand existing systems
-
Next Meeting
-
Michael and Prem will work on the abstract and confer on Friday. They will
send it to Karl.
-
Jeff and Dan will work on the proposal.
-
Meet next Tuesday (to be scheduled)