Group-Centric Secure Information Sharing Models




Krishnan, Ram Narayan

Journal Title

Journal ISSN

Volume Title



In this dissertation, we introduce a novel approach for secure information sharing characterized as "Group-Centric". Traditional approaches to information sharing include "Dissemination-Centric" and "Query-Centric" sharing. "Dissemination-Centric" sharing focuses on attaching attributes and policies to an object as it is disseminated from producers to consumers in a system. In "Query-Centric" sharing, information seekers construct appropriate queries to obtain authorized information from the system. The primary focus of this mode of sharing has been on preventing inference of unauthorized information from authorized information obtained by querying a database. In contrast, Group-Centric sharing envisions bringing the users and objects together in a group to facilitate sharing for some purpose. The metaphors "secure meeting room" and "subscription service" characterize the Group-Centric approach where participants and information come together to share for some common purpose and authorizations depend upon relative membership period of users (participants) and objects (information). In this dissertation, we follow the Policy, Enforcement and Implementation (PEI) frame- work to develop respective models for Group-Centric Secure Information Sharing (g-SIS). The PEI framework facilitates security policy and design decisions to be made at three distinct yet related layers of secure systems design. At the policy layer, we develop the foundations for a theory of g-SIS by characterizing a set of core properties and specifying a family of models. We focus on semantics of group operations: Join and Leave for users and Add and Remove for objects, each of which can have several variations. We use Linear Temporal Logic (LTL) to characterize the core properties of a group in terms of these operations. We also characterize additional properties for specific types of these operations. We specify the authorization behavior for a family of g-SIS models and prove that these models satisfy the core g-SIS properties. At the enforcement layer, we specify an architecture for g-SIS based on super- distribution, micro-distribution and a hybrid object distribution model. As we will see, the hybrid model addresses the limitations of super-distribution and micro-distribution model. Further, we characterize and define the problem of "stale-safety" in g-SIS. In a distributed system such as g-SIS, "stale-safety" is concerned with enforcing safe authorization behavior given that authorization decisions will inevitably be made based on stale attribute information. Attribute staleness arises due to the physical distribution of authorization information, decision and enforcement points. While it may not be practical to eliminate staleness, we can limit unsafe access decisions made based on stale authorization information such as user and object attributes. We propose and formally specify stale-safe security properties of varying strength. Again, we use LTL to formalize these properties allowing them to be verified using automated techniques such as model checking. We model the authorization information, decision and enforcement points of the g-SIS system as finite state machines and verify using model checking that the model satisfies the stale-safe security properties. Finally, at the implementation layer, we discuss Trusted Computing Technology based protocols and models for g-SIS. A fundamental requirement for g-SIS is that protection needs to extend to clients. Trusted Computing Technology provides a hardware root of trust through the Trusted Platform Module (TPM). A Trusted Reference Monitor (TRM) on client platforms faithfully enforces group policies. We provide concrete TPM based protocols and outline an implementation model to realize the enforcement models discussed earlier. As a proof-of-concept, we implement a critical protocol, called the provisioning, protocol that is concerned with secure provisioning of group credentials on user's platform. At the end of the protocol, the group credentials will only be accessible to the TRM in the user's platform in a trustworthy platform state.



Information sharing, Access control models, Model checking, Security properties, Linear Temporal Logic, Policy specification