Distributed Security Policies for Service-Oriented Architectures over Tactical Networks

transcript

Roberto Rigolin F. Lopes1 and Stephen D. Wolthusen1,2

1. Norwegian Information Security Laboratory, Gjøvik, Norway2. School of Mathematics and Information Security, University of London, UK

{roberto.lopes, stephen.wolthusen}@hig.no

Introduction• Using rich semantics to state security policies

– Combining cross-layer and multi-domain security• Layers: NATO Information Assurance (IA) Layer• Domains: Protection, Detection, Response, Attack, Diligence

and Planning• Restrictions: nodes’ specialization and connectivity

C3 Taxonomy

Communication Services

Core Enterprise Services

COI Services

User-Facing Capabilities

TSIDetection

Protection

Response

Diligence

Security

(x) Planning

SatCom

Dismounted

Mobile

Cross-layers Multi-domain Restrictions

Policy ≡ (cross-layer U multi-domain) ∩ restrictions

Introduction• Example of services

– Tactical Ground Report System

Node C

Node A

Soldier localizationAdversary localization

Vehicle localizationLive camera

Aerial photos

Node B

J. Evans, B. Ewy, M. Swink, S. Pennington, D. Siquieros, and S. Earp, “TIGR: the tactical ground reporting system,” IEEE Communications Magazine, vol. 51, no. 10, pp. 42–49, October 2013.

Observe

OrientDecide

Observe, Orient, Decide and Act

Observe and Act

Example of Service-Oriented Architecture

Packet Handler

Message Handler

Service Mediator

Controller

Policy management

Security handling

Example of Service-Oriented Architecture

SOA PlatformController

Service Mediator

Message Handler

Packet Handler

Operating System

Cryptography

Tactical Platform Guard

Tactical Support Guard

Policy Manager

Privilege Management Policy Manager

Policy Enforcement Point

Policy Decision Point

Policy Administration Point

DetectionDiligenceProtectionPlanningResponseQoS

TSI Node

c<a,b,c>

Structured Security Policies• Security Domains

• Planning, Detection, Protection, Diligence, Response and Attack• NATO Information Assurance

• Communication, Core, Application and Inter-domain

• Rule structure• Conditions implying in Actions• OODA-loop

C3 Taxonomy

Communication Services

Core Enterprise Services

COI Services

User-Facing Capabilities

TSIDetection

Protection

Response

Diligence

Security

(x) PlanningObserve

OrientDecide

The nodes:

Node A

UHF WLAN

Node C

VHFUHFWLAN SatCom

Node B

<Relay>

SatComVHF

HQ Node D

SatComVHF UHFWLAN

Structured Security Policies– Nodes (N), Policies (P) and Security Domains (S)

Node A

UHF WLAN

Node C

VHFUHFWLAN SatCom

Node B

<Relay>

SatComVHF

HQ Node D

SatComVHF UHFWLAN

N1:P1(N1:S1)

N2:P2(N2:S2), N2:P’1(N1:R1)

Ni:Pi(Ni:Si),…, Ni:P’i-1(Ni-1:Ri-1)

Resources and # domains

Structured Security Policies– Nodes (N), Policies (P) and Security Domains (S)

SecurityCore

Planning Detection Diligence Response

is is is is

Protection

Node A Node B Node C

1 2 3 4 5

2 3 43 4 2 3 41 5

OWL DL OWL DLOWL MicroRDFS

OWL DLOWL MicroRDFS

OWL DLOWL Micro

OWL DL

Using rich semantics…

Rich Semantics for Policies - Web Services

MessageSecBinding

TokenProtection

SecurityBinding

SecurityToken

SymmetricBinding AsymmetricBinding

SecurityHeaderLayout

TransportBinding

AlgorithmSuite

Timestamp

hashas

hasSignatureTokenhasEncryptionTokenhasProtectionToken

hasInitiatorTokenhasRecipientSignatureTokenhasRecipientTokenhasInitiatorEncryptionTokenhasInitiatorSignatureToken

SignatureProtectionhas

isWeakerThanisStrongerThanisEquivalentTo

isMoreGeneralThanisMoreSpecificThanhasTechDiffWith

hasTechDiffWith

isMoreGeneralThanisMoreSpecificThanhasTechDiffWithisWeakerThanisStrongerThanisEuivalentTo

QoS requirements

Information sensitivity

Conditions:

Network status

Security Policies• Attribute-based

• Rich semantics

Allow access to resource <Service> with attribute <Sensitivity> if <Service> match BlueForceTracking and action is read

MessageSecBinding

TokenProtection

SecurityBinding

SecurityToken

SymmetricBinding AsymmetricBinding

SecurityHeaderLayout

TransportBinding

AlgorithmSuitehashas

hasSignatureTokenhasEncryptionTokenhasProtectionToken

hasInitiatorTokenhasRecipientSignatureTokenhasRecipientTokenhasInitiatorEncryptionTokenhasInitiatorSignatureTokenhas

SignatureProtectionhas

isMoreGeneralThanisMoreSpecificThanhasTechDiffWith

isMoreGeneralThanisMoreSpecificThanhasTechDiffWithisWeakerThanisStrongerThanisEuivalentTo

2.1 2.2

Allow or Deny

Stronger, Equal or Weaker

Distributed Security Policies – Security Core• (1) Multi-Domain, (2) Cross-layer and (3) Rules

SecurityCore

Action

Condition

TSI Common

Planning

Diligence

usesProtection

NewCondition

3 NewAction

NewDomain

Capability

Inter-domainCommunication Core

Domain

NewCapability <NATO’s C3 Taxonomy>

Application

Attack

Detection

Response

owl:thingowl:intersectionOFowl:unionOfowl:equivalentClass

owl:thingowl:intersectionOFowl:unionOfowl:equivalentClassowl:equivalentPropertyowl:inverseOfowl:functionalPropertyowl:inverseFunctionalPropertyowl:symmetricPropertyowl:transitivePropertyowl:hasValueowl:disjointWithowl:sameAsowl:differentFromowl:distinctMembersowl:someValuesFromowl:allValuesFromowl:cardinalityowl:minCardinalityowl:maxCardinality

OWL-lite20 axioms

OWL-DL25 axioms

Structured Security Policies - Performance

AllowDeny

Validate

Is valid? YesNo

Distributed Security Policies

Preparation Mission

SecurityCore<OWL DL>

Node C

Detection<OWL lite>

Diligence<OWL lite>

Protection<OWL lite>

Diligence<RDFS>

Protection<RDFS>

Node B

Node A

Version Alpha

Version Bravo

Version Charlie

• Pre-distribution of policy statements– The system can keep versions of the policies

Planning

Detection

Protection

Diligence

Response

Attack

Communication

Application

Inter-domain

ActionCondition

NewCondition

Cross-layer

Multi-domain

• Examples of policies:

Distributed Security Policies• Multi-domain• Cross-layer

Packet Handler

Message Handler

Service Mediator

ActionCondition

Distributed Security Policies• Scenario: three types of nodes moving

Multi-hop network

Pi(P’i-1)Pi+1(P’i-1, (P’i))

Nodes’ type

Service request

Union of security domains

HQ Node D

SatComVHF UHFWLAN

Distributed Security Policies• Connectivity Graph and Security Domains

UHF, VHF, SatCom

Observe, Act Orient, Act Decide

1 Detection2 Protection3 Attack4 Diligence5 Response6 Planning

Ni-1 Ni Ni+1

Security domains

{1,2,3} {1,2,3,4,5} {1,2,3,4,5,6}

UHF, WLAN UHF, VHF,

SatCom

UHF, WLAN

Observe, Act Orient, Decide, Act -Observe, Orient, Act Orient, Decide, Act -

Distributed Security Policies• Security domains and the OODA-loop

– This mapping is done during the preparation

Observe

OrientDecide

DetectionProtection

Attack

Diligence

Response

Planning

Attack

Diligence

Planning

Response Response

Preparation<standard SOA>

Mission<distributed SOA>

1 2Dynamic

Pre-load keys and policies

Distributed Security Policies – OODA-loop

Handheld

Laptop

<Mobile>HQ Laptop

In short

decreases

Specialization

General SpecializedLow

Node B

Node C

Node A

DetectionDiligencePlanningProtectionResponse

DetectionDiligenceProtectionResponse

DetectionDiligence

Protection

# policy domains increase

Server(s)Battalion

Sensor network(s)

increases

# classes, instances and axioms

<OWL-DL>

<OWL-Lite>

<RDFS>

Conclusion• OWL-DL might be suitable for security policies in

tactical networks; – Nodes’ type demands careful design and deployment – But the language is flexible and distributed by design

• Critical points on policy design and deployment: – Policy structure and distribution over tactical networks

• The policy distribution uses the security domains and the mission context in an attempt to connect Cyber and Kinetic domains. – Security policies can adapt to the mission’s profile

• The nodes rely on the network connectivity to complement its security capabilities

Distributed Security Policies for Service-Oriented Architectures over Tactical Networks

Roberto Rigolin F. Lopes1 and Stephen D. Wolthusen1,2

1. Norwegian Information Security Laboratory, Gjøvik, Norway2. School of Mathematics and Information Security, University of London, UK

{roberto.lopes, stephen.wolthusen}@hig.no

Distributed Security Policies for Service-Oriented Architectures over Tactical Networks

Science