Read-abortion (RA) based synchronization protocols to prevent illegal information flow


Journal of Computer and System Sciences, Elsevier (www.elsevier.com/locate/jcss)

Shigenari Nakamura*, Dilawaer Duolikun, Makoto Takizawa
Hosei University, Tokyo, Japan

Article history: Received 1 July 2014; received in revised form 14 December 2014; accepted 14 December 2014; available online xxxx.

Keywords: Role-based access control (RBAC) model; Information flow control; Read-abortion role-based synchronization (RA-RBS) protocol; Read-abortion object-based synchronization (RA-OBS) protocol

Abstract

In information systems, data in an object may illegally flow into another object through manipulations of the objects. First, we define a legal information flow relation r_i ⇒ r_j among roles r_i and r_j. It means that, if a subject granted the role r_i manipulates objects before another subject granted the role r_j, no illegal information flow occurs. We discuss safe systems, where no illegal information flow occurs even if operations from different subjects are performed in any order. Then, we discuss a read-abortion role-based synchronization (RA-RBS) protocol and a read-abortion object-based synchronization (RA-OBS) protocol to prevent illegal information flow in unsafe systems. Here, a transaction is aborted if it reads an object and illegal information flow might occur. We evaluate the RA-RBS and RA-OBS protocols in terms of the number of transactions aborted.

© 2014 Published by Elsevier Inc.

* Corresponding author. E-mail addresses: [email protected] (S. Nakamura), [email protected] (D. Duolikun), [email protected] (M. Takizawa).
http://dx.doi.org/10.1016/j.jcss.2014.12.020 0022-0000/© 2014 Published by Elsevier Inc.

1. Introduction

Information systems are required to be secure in the presence of malicious accesses to resource objects. There are two types of entities in information systems: subjects, like users and programs, and objects, like databases and files. In secure systems, only an authorized subject s is allowed to manipulate an object o in an authorized operation op. In the basic access control (BAC) model [1–3], an access right (or permission) ⟨o, op⟩ is granted to a subject s. A subject s is allowed to manipulate an object o in an operation op only if the access right ⟨o, op⟩ is granted to the subject s; otherwise, the subject s cannot manipulate the object o in the operation op. In the role-based access control (RBAC) model [4–8], a role is defined to be a set of access rights. A subject s is granted a role r in the RBAC model, while each access right is granted to the subject s individually in the BAC model. In real enterprises, an individual person plays some role, like a president or a designer, and the role of each individual determines how and what information the individual can manipulate in the enterprise. In the RBAC model, a role indicates what a subject playing the role can do on objects in the enterprise.

Suppose a subject s_i is granted a pair of access rights ⟨f, rd⟩ and ⟨g, wr⟩, where f and g are file objects and rd and wr stand for read and write operations, respectively. Suppose another subject s_j is granted an access right ⟨g, rd⟩. The subject s_i reads data d in the file f and writes the data d into the file g. The subject s_j is not allowed to read the file f. However, the subject s_j can obtain the data d by reading it from the file g. That is, information in the file f flows into the subject s_j via the subject s_i and the file g. This is an illegal information flow from the file f into the subject s_j [9,10]. In this paper, we discuss how to prevent illegal information flow in the RBAC model.

First, we define a legal information flow relation (r_i ⇒ r_j) from a role r_i to a role r_j in a role set R. This means that no illegal information flow occurs if any subject granted the role r_j manipulates objects after a subject granted the role r_i manipulates objects. Next, we discuss safe systems, where no illegal information flow occurs in whatever order subjects manipulate objects. In unsafe systems, illegal information flow might occur depending on the execution order of operations issued by subjects, so transactions have to be synchronized so that no illegal information flow occurs. Then, we discuss a read-abortion role-based synchronization (RA-RBS) protocol to synchronize operations issued by different subjects so that no illegal information flow occurs in unsafe systems. Transactions issued by subjects lock objects in role-based modes on writing the objects. If the set V of lock modes on an object o legally flows into the set P of roles of a transaction T (V ⇒ P), the transaction T can read the object o; otherwise, the transaction T aborts. We also discuss a read-abortion object-based synchronization (RA-OBS) protocol. Here, each object keeps a record of the objects from which data may have flowed into it, while only the roles of transactions are considered in the RA-RBS protocol.

In Section 2, we overview the BAC model and the RBAC model. In Section 3, we discuss legal information flow relations in the RBAC model. In Section 4, we discuss safe role-based systems, where no illegal information flow occurs. In Section 5, we discuss the RA-RBS and RA-OBS protocols to prevent illegal information flow in unsafe systems. In Section 6, we evaluate the RA-RBS and RA-OBS protocols in terms of the number of transactions aborted.

2. Access control models

An information system is composed of entities, which are basic components like users, databases, and programs. There are two types of entities, subjects and objects. A subject s is an entity which issues operation requests to objects; users and programs are examples of subjects. An object o is an entity which receives an operation request op from a subject and performs the operation op; databases and files are examples of objects.
Let S and O be the sets of subjects and objects in a system, respectively, and let OP be the set of operations on objects in the system. An access rule is a tuple ⟨s, o, op⟩ where s ∈ S, o ∈ O, and op ∈ OP, i.e. ⟨s, o, op⟩ ∈ S × O × OP. An access rule ⟨s, o, op⟩ means that a subject s is allowed to manipulate an object o in an operation op. A pair ⟨o, op⟩ of an object o and an operation op is referred to as an access right or permission. An authorizer grants an access right ⟨o, op⟩ to a subject s. A subject s can manipulate an object o in an operation op only if the subject s is granted the access right ⟨o, op⟩; otherwise, the subject s cannot manipulate the object o. Let A be the set of access rights in a system, i.e. A ⊆ O × OP. In this paper, we assume each object supports two types of operations, read (rd) and write (wr), i.e. OP = {rd, wr}. There are two types of access control policies, mandatory and discretionary ones [11]. In the mandatory policy, only an authorizer grants access rights to subjects. On the other hand, in the discretionary policies [11], a subject granted an access right is allowed to grant the access right to other subjects.

A role r is a collection of access rights, i.e. r ∈ 2^A. In the role-based access control (RBAC) model [5,8,7], a subject is granted a role r. Each person plays a role r in a society, e.g. a president in a company or a professor in a university. A role r shows what a subject who plays the role r can do on information in a society.

In the lattice-based access control (LBAC) model [12], each entity e is assigned a security class sc. Let SC be the set of security classes in a system. For a pair of security classes sc_i and sc_j in the set SC, an information flow relation sc_i → sc_j is defined if information in an entity e_i of the security class sc_i can flow to an entity e_j of the security class sc_j. The security class set SC is partially ordered by the information flow relation →. The least upper bound (lub) sc_i ∪ sc_j of security classes sc_i and sc_j is a security class sc_k such that sc_i → sc_k and sc_j → sc_k and there is no security class sc_h such that sc_i → sc_h → sc_k and sc_j → sc_h → sc_k. The greatest lower bound (glb) sc_i ∩ sc_j is a security class sc_k such that sc_k → sc_i and sc_k → sc_j and there is no security class sc_h such that sc_k → sc_h → sc_i and sc_k → sc_h → sc_j. The security classes partially ordered by the information flow relation → are specified in a lattice ⟨SC, →, ∪, ∩⟩.

In the papers [13,14], the role-based locking (RBL) protocols are discussed to prevent illegal information flow from occurring when transactions read and write objects according to the RBAC model. A scheduler of transactions is discussed in [15], where transactions issued by subjects with roles are ordered so that illegal information flow does not occur.

3. Legal information flow

We discuss an information flow relation among roles on the basis of read-write relations on objects. Let R be the set of roles in a system. Let In(r_i) be the set of objects which are allowed to be read by a subject granted a role r_i in the role set R, i.e. In(r_i) = {o | ⟨o, rd⟩ ∈ r_i} ⊆ O. Let Out(r_i) be the set of objects which are allowed to be written in a role r_i, i.e. Out(r_i) = {o | ⟨o, wr⟩ ∈ r_i} ⊆ O. A pair of different roles r_i and r_j are equivalent (r_i ≡ r_j) iff (if and only if) In(r_i) = In(r_j) and Out(r_i) = Out(r_j). That is, a pair of equivalent roles r_i and r_j are composed of the same access rights.

Example 1. Let us consider a system which includes four file objects f, g, h, and e. Suppose a role r1 is composed of the access rights ⟨f, rd⟩ and ⟨g, wr⟩, another role r2 is {⟨g, rd⟩, ⟨h, wr⟩}, and the other role r3 is {⟨f, rd⟩, ⟨g, rd⟩, ⟨h, rd⟩, ⟨e, wr⟩}. Here, In(r1) = {f} and Out(r1) = {g} for the role r1, In(r2) = {g} and Out(r2) = {h} for the role r2, and In(r3) = {f, g, h} and Out(r3) = {e} for the role r3.
Suppose three subjects s1, s2, and s3 are granted the roles r1, r2, and r3, respectively. The subjects s2 and s3 are allowed to read the file object g written by the subject s1. The subject s3 is allowed to read the file object h written by the subject s2. First, the subject s1 reads the file object f and then writes the file object g. Next, suppose the subjects s2 and s3 read the file object g and write the file objects h and e, respectively. If the subject s2 manipulates the file object g after the subject s1 manipulates the file object f, the subject s2 can obtain some data in the file object f by reading the file object g which the subject s1 writes. However, the subject s2 is not allowed to read the file object f. Here, the information in the file object f illegally flows into the subject s2, as shown in Fig. 1. Suppose the subject s3 manipulates the file objects g and h in the same way as the subject s2. Here, since the subject s3 is allowed to read the file object f, the subject s3 can read information in the file object f without illegal information flow from the file object f to the subject s3.

Fig. 1. Illegal information flow.

Definition 1. A role r_i flows to a role r_j (r_i → r_j) iff (if and only if) Out(r_i) ∩ In(r_j) ≠ ∅.

Suppose a pair of subjects s_i and s_j are granted roles r_i and r_j, respectively. If r_i → r_j, the subject s_j is allowed to read an object which the subject s_i writes. Hence, the subject s_i may bring data into the subject s_j. A role r_i is compatible with a role r_j (r_i | r_j) iff the role r_i does not flow to the role r_j, i.e. r_i ↛ r_j. There is no information flow relation from the role r_i to the role r_j if r_i | r_j. A pair of roles r_i and r_j are compatible with one another (r_i || r_j) iff r_i | r_j and r_j | r_i.

In Example 1, the role r1 flows to the role r3 (r1 → r3) since Out(r1) (= {g}) ∩ In(r3) (= {f, g, h}) ≠ ∅. The subject s3 granted the role r3 is allowed to read the file object f which the subject s1 granted the role r1 reads. Hence, even if the subject s3 reads the object g after the subject s1 writes the object g, no illegal information flow occurs. The role r1 flows to the role r2 (r1 → r2) since Out(r1) (= {g}) ∩ In(r2) (= {g}) ≠ ∅. Here, if the subject s1 granted the role r1 writes the file object g before the subject s2 reads the file object g, the subject s2 might read data of the file object f in the file object g. That is, illegal information flow via the file object g might occur, as presented above. Similarly, r2 → r3.

We first define the legal information flow relation (⇒):

Definition 2. A role r_i legally flows to a role r_j (r_i ⇒ r_j) iff one of the following conditions holds:
1. In(r_i) ≠ ∅, r_i → r_j, and In(r_i) ⊆ In(r_j).
2. For some role r_k, r_i ⇒ r_k and r_k ⇒ r_j.

The legal flow relation ⇒ on roles is transitive but not symmetric. Suppose a pair of subjects s_i and s_j are granted roles r_i and r_j, respectively. If the role r_i flows to the role r_j (r_i → r_j), i.e. Out(r_i) ∩ In(r_j) ≠ ∅, objects written by the subject s_i might be read by the subject s_j. Otherwise, no information from the subject s_i flows into the subject s_j. The condition In(r_i) ⊆ In(r_j) means that every read access right ⟨o, rd⟩ in the role r_i is also in the role r_j. Hence, if a transaction T_i is granted the role r_i and another transaction T_j is granted the role r_j, the transaction T_j is granted a read access right on every object which the transaction T_i can write. Hence, if the transaction T_j is performed after the transaction T_i, no illegal information flow occurs.

In Example 1, the role r1 legally flows into the role r3 (r1 ⇒ r3) since r1 flows to r3 (r1 → r3) and In(r1) (= {f}) ⊆ In(r3) (= {f, g, h}). r2 ⇒ r3 since r2 → r3 and In(r2) (= {g}) ⊆ In(r3) (= {f, g, h}). On the other hand, r1 ⇏ r2, r2 ⇏ r1, r3 ⇏ r1, and r3 ⇏ r2. Thus, the information flow relation ⇒ is not symmetric.

Definition 3. A pair of roles r_i and r_j are legally equivalent with one another (r_i ⇔ r_j) iff r_i ⇒ r_j and r_j ⇒ r_i.

It is noted that In(r_i) = In(r_j) if r_i ⇔ r_j.

Example 2. Fig. 2 shows three roles r1, r2, and r3. Here, r1 = {⟨f, rd⟩, ⟨g, wr⟩}, r2 = {⟨f, rd⟩, ⟨g, rd⟩, ⟨h, wr⟩}, and r3 = {⟨f, rd⟩, ⟨g, rd⟩, ⟨h, rd⟩, ⟨e, wr⟩}. In(r1) = {f} and Out(r1) = {g} for the role r1, In(r2) = {f, g} and Out(r2) = {h} for the role r2, and In(r3) = {f, g, h} and Out(r3) = {e} for the role r3. Here, r1 ⇒ r2 since In(r1) ⊆ In(r2) and Out(r1) ∩ In(r2) ≠ ∅. Similarly, r2 ⇒ r3. In addition, r1 ⇒ r3. Thus, r1 → r2 → r3 but r3 ⇏ r1.

Fig. 2. Legal information flow.

In Example 1, the role r1 flows to the role r2 (r1 → r2) since Out(r1) ∩ In(r2) ≠ ∅, but r1 ⇏ r2. As presented in Example 1, illegal information flow occurs if the subject s2 granted the role r2 reads the object g after the subject s1 granted the role r1 writes the object g.

Definition 4. A role r_i illegally flows to a role r_j (r_i ⇢ r_j) iff r_i → r_j but r_i ⇏ r_j.

In Example 1, the role r1 illegally flows to the role r2 (r1 ⇢ r2). The illegal flow relation ⇢ is not transitive, differently from the transitive legal flow relation ⇒: even if r1 ⇢ r2 and r2 ⇢ r3, r1 ⇒ r3 may hold. The following property holds on roles:

Theorem 1. Let s_i and s_j be a pair of subjects granted roles r_i and r_j, respectively. Assume the role r_i does not illegally flow to the role r_j (¬(r_i ⇢ r_j)), i.e. r_i ⇒ r_j or r_i | r_j. No illegal information flow occurs if the subject s_j manipulates objects after the subject s_i manipulates objects.

Proof. 1. First, suppose r_i ⇒ r_j. The subject s_j might read an object o_j which the subject s_i writes. According to Definition 2, the subject s_j is granted an access right ⟨o_i, rd⟩ if the subject s_i is granted an access right ⟨o_i, wr⟩. That is, the subject s_j is allowed to read every object which the subject s_i writes. 2. Secondly, suppose the role r_i is compatible with the role r_j (r_i | r_j). The subject s_j does not read any object which the subject s_i writes. Therefore, no illegal information flow occurs. □

The least upper bound (lub) r_i ∪ r_j of a pair of roles r_i and r_j is a role r_k such that r_i ⇒ r_k and r_j ⇒ r_k and there is no role r_h such that r_i ⇒ r_h ⇒ r_k and r_j ⇒ r_h ⇒ r_k. The greatest lower bound (glb) r_i ∩ r_j is a role r_k such that r_k ⇒ r_i and r_k ⇒ r_j and there is no role r_h such that r_k ⇒ r_h ⇒ r_i and r_k ⇒ r_h ⇒ r_j. For a subset R_i of the role set R, the least upper bound (lub) ∪R_i is ∪_{r_i ∈ R_i} r_i. The greatest lower bound (glb) ∩R_i of a role subset R_i is similarly defined as ∩_{r_i ∈ R_i} r_i. A role r_i is maximal in a role subset R_i iff there is no role r in R_i such that r_i ⇒ r and r ⇏ r_i. A role r_i is minimal in a role subset R_i iff there is no role r in R_i such that r ⇒ r_i and r_i ⇏ r. Here, max(R_i) and min(R_i) are the subsets of maximal and minimal roles in a role subset R_i, respectively.

Let us consider a set R of roles which includes a role r4 = {⟨g, rd⟩, ⟨e, wr⟩} in addition to the three roles r1, r2, and r3 shown in Fig. 1. r1 ⇒ r3 and r2 ⇒ r3, but r1 ⇢ r2 as presented. r1 → r4 but r1 ⇏ r4. r2 || r4 and r3 || r4. Here, max(R) = {r3, r4} and min(R) = {r1, r2, r4}.

We define a legal information flow relation (⇒) among collections of roles as follows:

Definition 5. Let R_i and R_j be subsets of the roles in the role set R (R_i, R_j ⊆ R).
1. R_i legally flows into R_j (R_i ⇒ R_j) iff for every role r_i in R_i and every role r_j in R_j, r_i ⇒ r_j or r_i | r_j.
2. R_i illegally flows to R_j (R_i ⇢ R_j) iff R_i ⇏ R_j.

It is noted that R_i ⇒ R_j iff max(R_i) ⇒ min(R_j). R_i ⇏ R_j means that for some pair of roles r_i in R_i and r_j in R_j, r_i ⇢ r_j.

Fig. 3. Legal information flow relation R1 ⇒ R2.

Example 3. Let R1 and R2 be a pair of role sets {r1, r2, r3} and {r4, r5}, respectively. Suppose r1 ⇒ r2 in the role set R1. In addition, suppose the role r3 and each of the roles r1 and r2 are compatible with each other (r1 || r3 and r2 || r3) in the role set R1. Suppose r4 ⇒ r5 in the role set R2. Here, max(R1) = {r2, r3} and min(R2) = {r4}. Suppose r2 ⇒ r4 and r3 is compatible with the roles r4 and r5 (r3 | r4, r3 | r5). Here, max(R1) ⇒ min(R2), as shown in Fig. 3. Hence, the subset R1 of the roles legally flows into the subset R2 of the roles (R1 ⇒ R2).

4. Safe systems

Let R be the set of roles in a system. We discuss a safe system, where no illegal information flow occurs in whatever order operations issued by subjects are performed.

Definition 6. A role set R is safe iff one of the following conditions holds for every pair of roles r_i and r_j in R:
1. r_i ⇔ r_j.
2. r_i ⇒ r_j and r_j | r_i.
3. r_i || r_j.

The least upper bound ∪R of a role set R is a role r where In(r) is a subset (⊆ O) of the objects to be read, i.e. ∪_{r' ∈ R} In(r'). The greatest lower bound ∩R is a role r where In(r) is a subset of the objects to be read, i.e. ∩_{r' ∈ R} In(r').

In Example 2, r1 ⇒ r2, r2 ⇒ r3, and r1 ⇒ r3 among the roles r1, r2, and r3. In addition, r3 | r1, r3 | r2, and r2 | r1. Hence, the role set {r1, r2, r3} is safe. Suppose there are three subjects s1, s2, and s3 who are granted the roles r1, r2, and r3, respectively. If the subjects s1, s2, and s3 manipulate objects in this sequence, no illegal information flow occurs since r1 ⇒ r2, r1 ⇒ r3, and r2 ⇒ r3. Next, suppose the subject s3 first manipulates objects and then the subjects s1 and s2 manipulate objects. Here, since r3 | r2, r3 | r1, and r2 | r1, no illegal information flow occurs. Thus, no illegal information flow occurs even if the subjects s1, s2, and s3 manipulate objects in any order. However, the role set {r1, r2, r3} shown in Fig. 1 is not safe because r1 → r2 but r1 ⇏ r2. Here, if a subject s1 granted the role r1 manipulates objects before a subject s2 granted the role r2, illegal information flow may occur.

Suppose a role set R is safe. Here, no illegal information flow occurs even if subjects manipulate objects in any order. From Definitions 2, 3, and 6, for every pair of roles r_i and r_j in a safe role set, if r_i → r_j then r_i ⇒ r_j. If r_i | r_j, a subject s_j granted the role r_j does not read any object written by a subject s_i granted the role r_i, i.e. no illegal information flow occurs.

5. Synchronization protocols

Next, we consider an unsafe system, where a role set R is not safe. Here, whether or not illegal information flow occurs depends on the order in which subjects manipulate objects. We have to synchronize transactions so that no illegal information flow occurs.

5.1. PM protocol

A subject s_i is granted a subset s_i.R (⊆ R) of the roles in the role set R.
A subject s_i issues a transaction T_i to manipulate objects. A transaction is an atomic sequence of read and write operations on objects [16]. Here, a transaction T_i is associated with a subset T_i.P (⊆ s_i.R) of the roles granted to the subject s_i. The role subset T_i.P is referred to as the purpose [15,17] of the transaction T_i issued by the subject s_i. A transaction T_i is allowed to issue an operation op on an object o only if the access right ⟨o, op⟩ belongs to a role in T_i.P.

In the papers [13,14], the purpose marking (PM) protocol is discussed to prevent illegal information flow in the RBAC model. A transaction T_i manipulates a variable T_i.V, which is initially the purpose T_i.P. Here, transactions lock objects in role-based modes as follows:
1. First, suppose a transaction T_i would like to write an object o. The object o is locked in a mode T_i.V. Here, o.P shows the lock modes held on the object o. The roles T_i.V are added to the variable o.P of the object o. The transaction T_i writes the object o.
2. Next, suppose a transaction T_i would like to read an object o. Suppose the object o is locked, i.e. o.P ≠ ∅. If o.P illegally flows to T_i.P (o.P ⇢ T_i.P), the transaction T_i is aborted. Otherwise, i.e. o.P ⇒ T_i.P, the transaction T_i reads the object o. The roles o.P are added to the variable T_i.V of the transaction T_i.
3. If a transaction T_i is aborted as presented in step 2, the role-based locks held by the transaction T_i are released.

A transaction T_i is said to illegally read an object o iff the transaction T_i reads the object o where o.P ⇢ T_i.P. If a transaction T_i issues an illegal read operation on an object o, the transaction T_i aborts. In the PM protocol, transactions can manipulate objects without illegal information flow occurring. However, the role-based lock modes on each object increase monotonically, since locks obtained by transactions are not released even if the transactions commit. In addition, it is not easy to release the role-based locks on objects which are held by each transaction to be aborted.

5.2. Read-abortion role-based synchronization (RA-RBS) protocol

In order to reduce the storage overhead of keeping a record of the role-based lock modes on each object o, only the maximal subset max(o.P) and the minimal subset min(o.P) of roles are stored, in the variables o.MX and o.MN, respectively. Each time a transaction adds a role mode r to an object o, the maximal subset of the role r and o.MX and the minimal subset of the role r and o.MN are stored in the variables o.MX (= max(o.MX ∪ {r})) and o.MN (= min(o.MN ∪ {r})) of the object o, respectively.

There are two types of write operations on an object o, full and partial. In a full write operation, the whole state of the object o is fully overwritten. No data brought from another object by another transaction remains in the object o. Here, every lock mode held on the object o is released, i.e. o.MX = o.MN = ∅, when a transaction T_i fully writes the object o. Then, the object o is locked as follows:
[Full write]
1. o.MX = T_i.MX.
2. o.MN = T_i.MN.
In this approach, each time an object o is written by a transaction, the lock modes held by the other transactions are released and then the object o is locked in the new lock modes T_i.MX and T_i.MN. In a partial write operation, only some part of an object o is overwritten. For example, only the age attribute of a person object is changed. Here, the other attributes of the object o, like name and address, are not changed, and they might come from other objects. The lock modes on the object o are changed as follows:
[Partial write]
1. o.MX = max(o.MX ∪ T_i.MX).
2. o.MN = min(o.MN ∪ T_i.MN).

As presented in the PM protocol, lock modes are distributed to objects through transactions. Even if the locks held on an object o are released by fully writing the object o, the lock modes, i.e. roles, have already been distributed to other objects, and it is difficult to find on which objects the lock modes are held in the system. We take a time-based approach to releasing role-based locks. We postulate that the security level of each object decreases over time. Each transaction T_i is given a TTL (time to live) T_i.T when the transaction T_i starts. When the transaction T_i locks an object o, the time-stamped purpose T_i.P is added to the variable o.P. The TTL variable o.T in an object o decreases as time passes. If the TTL variable o.T gets to 0, the lock modes on the object o are released, i.e. o.MX = o.MN = ∅.

Each transaction T_i manipulates the following variables:
1. T_i.T = TTL of the transaction T_i.
2. T_i.MX = the subset of maximal roles in the purpose T_i.P, i.e. max(T_i.P).
3. T_i.MN = the subset of minimal roles in the purpose T_i.P, i.e. min(T_i.P).
Each object o has the following variables:
1. o.T = TTL of the object o.
2. o.MX = the maximal roles in the set of role locks held on the object o.
3. o.MN = the minimal roles in the set of role locks held on the object o.

Fig. 4. RA-RBS protocol.

We present a read-abortion role-based synchronization (RA-RBS) protocol to prevent illegal information flow in an unsafe system.
[RA-RBS protocol]
1. A transaction T_i issues a write operation to an object o.
(a) If wr is a full write, o.MX = T_i.MX, o.MN = T_i.MN, and o.T = T_i.T.
(b) If wr is a partial write, o.MX = max(o.MX ∪ T_i.MX), o.MN = min(o.MN ∪ T_i.MN), and o.T = max(o.T, T_i.T).
(c) Then, the transaction T_i writes the object o.
2. A transaction T_i issues a read operation to an object o.
(a) If o.MX ⇒ T_i.MN (Definitions 2, 5), T_i.MN = min(o.MN ∪ T_i.MN) and the transaction T_i reads the object o.
(b) Otherwise, the transaction T_i is aborted (Definition 4).
3. In each object o, the TTL o.T decreases over time. If the TTL o.T gets to 0, every lock mode on the object o is released, i.e. o.MX = o.MN = ∅.

Suppose there are a pair of transactions T1 and T2 as shown in Fig. 4. Here, the purpose T1.P is R1 = {r1, r2, r3} and T2.P is R2 = {r4, r5}. The role sets R1 and R2 are those shown in Fig. 3. Suppose there are three objects o1, o2, and o3, where o_i.MX = o_i.MN = ∅ for i = 1, 2, 3. First, the transaction T1 reads the object o1, since o1.MX ⇒ T1.MN. Then, the transaction T1 fully writes the object o2: o2.MX = {r2, r3} and o2.MN = {r1, r3}, as presented in Example 3. Next, the transaction T2 reads the object o2, since o2.MX ⇒ T2.MN. Here, T2.MN is changed to {r1, r3}. Finally, the transaction T2 partially writes the object o3. Hence, o3.MX = {r5} and o3.MN = {r1, r3}, as presented in Example 3.

5.3. Read-abortion object-based synchronization (RA-OBS) protocol

In the RA-RBS protocol, it is checked whether illegal information flow occurs in terms of roles. In reality, each transaction T_i manipulates only some, not necessarily all, of the objects in the purpose T_i.P.
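The role relations of Sections 3 and 4 and the RA-RBS rules of Section 5.2, as an added Python example that is not the paper's code: it checks Examples 1 and 2 and replays the Fig. 4 trace, then shows a read that aborts. The access rights behind Example 3 and Fig. 4 are constructed here, since the paper states only the relations among those roles, and the TTL bookkeeping is left out.

```python
# Added example, not code from the paper: the role relations of Definitions 1-6
# and the RA-RBS read/write rules of Section 5.2 (TTL expiry omitted), run on
# Examples 1-3 and the Fig. 4 trace.  Roles are frozensets of (object, operation).
from itertools import product

RD, WR, fs = "rd", "wr", frozenset

def In(r):                      # objects a role may read
    return {o for o, op in r if op == RD}
def Out(r):                     # objects a role may write
    return {o for o, op in r if op == WR}
def flows(ri, rj):              # Definition 1: r_i -> r_j
    return bool(Out(ri) & In(rj))

def legally_flows(ri, rj, R):   # Definition 2: r_i => r_j, closed transitively over R
    def direct(a, b):
        return bool(In(a)) and flows(a, b) and In(a) <= In(b)
    seen, todo = set(), [ri]
    while todo:
        a = todo.pop()
        for b in R:
            if b not in seen and direct(a, b):
                if b == rj:
                    return True
                seen.add(b)
                todo.append(b)
    return False

def illegally_flows(ri, rj, R): # Definition 4: r_i -> r_j but not r_i => r_j
    return flows(ri, rj) and not legally_flows(ri, rj, R)

def is_safe(R):                 # Definition 6: no illegal flow within any ordered pair
    return not any(illegally_flows(a, b, R) for a, b in product(R, repeat=2) if a != b)

def maximal(Ri, R):             # max(R_i): no role of R_i lies strictly above r
    return {r for r in Ri if not any(legally_flows(r, s, R) and not legally_flows(s, r, R)
                                     for s in Ri if s != r)}

def minimal(Ri, R):             # min(R_i): no role of R_i lies strictly below r
    return {r for r in Ri if not any(legally_flows(s, r, R) and not legally_flows(r, s, R)
                                     for s in Ri if s != r)}

def set_legally_flows(Ri, Rj, R):   # Definition 5: every pair is => or has no flow
    return all(legally_flows(a, b, R) or not flows(a, b) for a in Ri for b in Rj)

def names(roles, table):        # map a set of roles back to their names
    return {n for n, r in table.items() if r in roles}

# Example 1 (Fig. 1) plus r4 of Section 3: unsafe, since r1 -> r2 but not r1 => r2.
EX1 = {"r1": fs({("f", RD), ("g", WR)}), "r2": fs({("g", RD), ("h", WR)}),
       "r3": fs({("f", RD), ("g", RD), ("h", RD), ("e", WR)}), "r4": fs({("g", RD), ("e", WR)})}
# Example 2 (Fig. 2): safe, r1 => r2 => r3.
EX2 = {"r1": fs({("f", RD), ("g", WR)}), "r2": fs({("f", RD), ("g", RD), ("h", WR)}),
       "r3": fs({("f", RD), ("g", RD), ("h", RD), ("e", WR)})}
# Constructed access rights realising Example 3 (the paper gives only the relations):
# R1 = {r1, r2, r3}, R2 = {r4, r5}, r1 => r2 => r4 => r5, r3 compatible with the rest.
EX3 = {"r1": fs({("a", RD), ("b", WR)}), "r2": fs({("a", RD), ("b", RD), ("c", WR)}),
       "r3": fs({("x", RD), ("y", WR)}),
       "r4": fs({("a", RD), ("b", RD), ("c", RD), ("d", WR)}),
       "r5": fs({("a", RD), ("b", RD), ("c", RD), ("d", RD), ("e", WR)})}

# RA-RBS protocol (Section 5.2); the o.T / T_i.T TTL bookkeeping is not modelled.
class Obj:
    def __init__(self):
        self.MX, self.MN = set(), set()
class Txn:
    def __init__(self, P, R):
        self.MX, self.MN, self.aborted = maximal(P, R), minimal(P, R), False

def rbs_write(T, o, R, full):
    if full:                    # full write releases the old lock modes first
        o.MX, o.MN = set(T.MX), set(T.MN)
    else:                       # partial write merges them
        o.MX, o.MN = maximal(o.MX | T.MX, R), minimal(o.MN | T.MN, R)

def rbs_read(T, o, R):
    if set_legally_flows(o.MX, T.MN, R):    # o.MX => T.MN: read allowed
        T.MN = minimal(o.MN | T.MN, R)
        return True
    T.aborted = True                        # o.MX illegally flows to T.MN
    return False

def fig4_trace():
    R = set(EX3.values())
    T1 = Txn({EX3[n] for n in ("r1", "r2", "r3")}, R)   # purpose R1
    T2 = Txn({EX3[n] for n in ("r4", "r5")}, R)         # purpose R2
    o1, o2, o3 = Obj(), Obj(), Obj()
    ok1 = rbs_read(T1, o1, R)               # o1 unlocked: allowed
    rbs_write(T1, o2, R, full=True)
    ok2 = rbs_read(T2, o2, R)               # {r2, r3} => {r4}: allowed
    rbs_write(T2, o3, R, full=False)
    return (ok1, ok2, names(o2.MX, EX3), names(o2.MN, EX3),
            names(T2.MN, EX3), names(o3.MX, EX3), names(o3.MN, EX3))

def abort_case():               # Example 1 roles: purpose {r2} reads what {r1} fully wrote
    R = set(EX1.values())
    Tw, Tr, o = Txn({EX1["r1"]}, R), Txn({EX1["r2"]}, R), Obj()
    rbs_write(Tw, o, R, full=True)
    return rbs_read(Tr, o, R), Tr.aborted   # r1 -> r2 but not r1 => r2: aborted
```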
In order to reduce the number of objects to be locked, we discuss a read-abortion object-based synchronization (RA-OBS) protocol, where only the objects which each transaction really manipulates are locked. A variable T.O, initially ∅, is manipulated for a transaction T. The variable T.O denotes the set of objects whose data may flow to the transaction T. For each object o, a variable o.O is manipulated, which is initially ∅. The variable o.O indicates the set of objects whose data may flow to the object o.
[RA-OBS protocol]
1. A transaction T issues a write operation to an object o.
(a) If wr is a full write operation, o.O = T.O.
(b) If wr is a partial write operation, o.O = o.O ∪ T.O.
(c) The transaction T writes the object o.
2. A transaction T issues a read operation to an object o.
(a) If o.O ⊆ In(T.P), T.O = T.O ∪ o.O ∪ {o} and then the transaction T reads the object o (Definition 2).
(b) Otherwise, the transaction T is aborted (Definition 4).

Fig. 5. RA-OBS protocol.

In the RA-OBS protocol, the condition "o.O ⊆ In(T.P)" means that the transaction T is granted a read access right ⟨o', rd⟩ on every object o' in the variable o.O. In Fig. 5, there are a pair of transactions T1 and T2 which manipulate objects o1, o2, and o3, where o1.O = o2.O = ∅ and o3.O = {o4}. The purposes T1.P and T2.P are the same as in Fig. 3. Suppose the role r1 includes the access rights ⟨o1, rd⟩ and ⟨o2, wr⟩ and the role r2 includes the access rights ⟨o1, rd⟩, ⟨o2, rd⟩, and ⟨o2, wr⟩. Since In(T1.P) includes the object o1, the transaction T1 reads the object o1. Here, T1.O = {o1}. Then, the transaction T1 fully writes the object o2. Here, the variable o2.O is changed to {o1}. Suppose the role r4 includes the access rights ⟨o1, rd⟩, ⟨o2, rd⟩, and ⟨o3, wr⟩. Since {o1, o2} ⊆ In(T2.P), the transaction T2 reads the object o2 and T2.O = {o1, o2}. The transaction T2 partially writes the object o3, where o3.O = {o4}. The variable o3.O is changed to o3.O ∪ T2.O = {o1, o2, o4}. o3.O means that data in the objects o1, o2, and o4 may flow into the object o3.

In the RA-OBS protocol, if an object o is fully written by a transaction T, data previously brought from the object o is considered to be obsolete. Here, the information on the object o recorded in another object o' (o ∈ o'.O) is removed. The following procedure is performed:
1. For every object o' (≠ o), o'.O = o'.O − {o} if o ∈ o'.O.
2. For every transaction T' (≠ T) which does not read the object o, T'.O = T'.O − {o}.

5.4. Implementations

The variables o.P and o.O of an object o and the variables T.V and T.O of a transaction T are implemented in terms of bitmaps. The bitmaps o.P and T.V of roles are composed of rn bits for the number rn of roles r1, ..., r_rn in a system. The bitmaps o.O and T.O of objects are composed of n bits for the number n of objects o1, ..., o_n. Let x.R and x.O denote the bitmaps of roles and objects in an entity x, i.e. an object or a transaction, respectively. Here, x.B_i shows the ith bit in a bitmap x.B. In the object bitmap x.O, if an object o_i is included in the variable x.O, the ith bit x.O_i is 1, otherwise 0. For example, suppose there are six objects (n = 6) in a system; the variable o3.O = {o1, o2, o4} of an object o3 is represented by the bitmap 110100. In the role bitmap x.R, the ith bit x.R_i is 1 if a role r_i is included in the variable x.R. For example, suppose there are four roles (rn = 4) in a system; the variable T1.V = {r2, r3} of a transaction T1 is shown by the bitmap 0110. The union x.B ∪ y.B of bitmaps x.B and y.B is realized by taking the disjunction of the bitmaps x.B and y.B. If an object o_i is fully written, the ith bit x.O_i of every entity x in the system is changed to 0, as presented in the RA-OBS protocol. The length of an object bitmap x.O is O(n) for the number n of objects o1, ..., o_n. The length of a role bitmap x.R is O(rn) for the number rn of roles r1, ..., r_rn.

6. Evaluation

We evaluate the RA-RBS and RA-OBS protocols compared with a non-synchronization based (NBS) protocol on an object set O and a role set R. The NBS protocol means a protocol where no information flow control is implemented: each transaction just reads and writes objects. On the other hand, in the RA-RBS and RA-OBS protocols, if a transaction T reads an object o locked in modes which might illegally flow into T, the transaction T is aborted. In the RA-RBS and RA-OBS protocols, locks on objects held by a transaction are not released even if the transaction commits. Hence, on reading objects, transactions may be aborted in the RA-RBS and RA-OBS protocols, while no transaction is aborted in the NBS protocol. On the other hand, illegal information flow may occur in the NBS protocol, while no illegal information flow occurs in the RA-RBS and RA-OBS protocols. We evaluate the RA-RBS and RA-OBS protocols in terms of the number of transactions aborted.

Fig. 6. Illegal read operations ratio in the NBS protocol (n = 50).

In the evaluation, there are n objects, O = {o1, ..., on}. Each object o_i supports read (rd) and write (wr) operations. First, rn (≥ 1) roles r1, ..., r_rn are defined by randomly selecting access rights on the n objects o1, ..., on in the object set O; R = {r1, ..., r_rn}. Here, mran (≤ 2n) is the maximum number of access rights included in each role r_i. Each role r_i is composed of an_i (≤ mran) access rights, where the number an_i is randomly selected from 1, ..., mran. Then, an_i access rights are randomly selected from the 2n access rights ⟨o1, rd⟩, ⟨o1, wr⟩, ..., ⟨on, rd⟩, ⟨on, wr⟩ so that no access right is duplicated within a role. There are tn (≥ 1) transactions T1, ..., T_tn. Each transaction T_k is a sequence of read and write operations on the objects in the object set O. Here, mtan (≥ 1) is the maximum number of operations in each transaction T_k. Each transaction T_k is composed of tan_k (≤ mtan) operations, where the number tan_k is randomly selected from 1, ..., mtan. Each transaction T_k is granted one role p_k randomly selected from the role set R. Each operation op on an object o_i is randomly selected from the role p_k, i.e. ⟨o_i, op⟩ ∈ p_k, so that a transaction may contain duplicate operations. The operation type op is randomly selected from read (rd) and write (wr) so that 50% of the operations are reads. For each write operation, the full or partial write type is randomly selected, so that full writes and partial writes are each 25% of the operations. The sequence T of the transactions T1, ..., T_tn is serially performed on the object set O with the role set R in the RA-RBS protocol, the RA-OBS protocol, and the NBS protocol.
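The RA-OBS bookkeeping above, its bitmap representation from the Implementations section, and the evaluation setup just described, as an added example that is not part of the paper: the helpers `bit`, `bitmap`, `to_set` and `to_bits`, the classes `Transaction` and `RAOBS`, `fig5_trace` (which replays the Fig. 5 scenario) and `perform`/`evaluate` (which generate random roles and transactions and perform them serially under RA-OBS and, with enforcement switched off, under the NBS baseline) are all this example's own names. It implements only the RA-OBS protocol, not RA-RBS; write access rights are assumed to be granted by the transaction's role and are not re-checked; the approximate 50/50 read/write split and the fixed random seed are this example's assumptions.

```python
# Added example, not from the paper: RA-OBS over object bitmaps, the Fig. 5
# trace, and a Section 6-style random evaluation. All names are this example's own.
import random

def bit(i):         # bit of object o_i (1-based) in a bitmap such as o.O or T.O
    return 1 << (i - 1)
def bitmap(objs):   # set of object indices -> bitmap
    return sum(bit(i) for i in set(objs))
def to_set(m):      # bitmap -> set of object indices
    return {i for i in range(1, m.bit_length() + 1) if m & bit(i)}
def to_bits(m, n):  # the paper's string form, o_1 leftmost: {o1, o2, o4}, n = 6 -> '110100'
    return "".join("1" if m & bit(i) else "0" for i in range(1, n + 1))

class Transaction:
    def __init__(self, readable):
        self.in_p = bitmap(readable)   # In(T.P): objects T is granted to read
        self.O = 0                     # T.O: objects whose data T may carry
        self.read_set = 0              # objects T has actually read

class RAOBS:
    """RA-OBS bookkeeping; enforce=False is the NBS baseline: illegal reads are counted, never aborted."""
    def __init__(self, n, enforce=True):
        self.enforce = enforce
        self.O = {i: 0 for i in range(1, n + 1)}  # o_i.O as a bitmap
        self.txs = []                             # every transaction begun so far
        self.illegal_reads = 0
    def begin(self, readable):
        t = Transaction(readable)
        self.txs.append(t)
        return t
    def read(self, t, i):
        """T reads o_i: legal iff {o_i} ∪ o_i.O ⊆ In(T.P). Returns False when T is aborted."""
        flow = bit(i) | self.O[i]
        if flow & ~t.in_p:             # some source of o_i lies outside In(T.P)
            self.illegal_reads += 1
            if self.enforce:
                return False
        t.O |= flow
        t.read_set |= bit(i)
        return True
    def full_write(self, t, i):
        """o_i.O := T.O; data taken earlier from o_i is obsolete, so o_i is dropped from
        every other object and from every other transaction that never read o_i."""
        self.O[i] = t.O & ~bit(i)
        for j in self.O:
            if j != i:
                self.O[j] &= ~bit(i)
        for u in self.txs:
            if u is not t and not u.read_set & bit(i):
                u.O &= ~bit(i)
    def partial_write(self, t, i):     # o_i.O := o_i.O ∪ T.O; old data in o_i stays relevant
        self.O[i] |= t.O

def fig5_trace():
    """Fig. 5: o3.O = {o4}; T1 reads o1 and fully writes o2; T2 reads o2 and partially writes o3."""
    s = RAOBS(n=4)
    s.O[3] = bitmap({4})
    t1, t2 = s.begin(readable={1}), s.begin(readable={1, 2})
    ok = s.read(t1, 1)
    s.full_write(t1, 2)
    ok = ok and s.read(t2, 2)
    s.partial_write(t2, 3)
    return {"T1.O": to_set(t1.O), "o2.O": to_set(s.O[2]), "T2.O": to_set(t2.O),
            "o3.O": to_set(s.O[3]), "aborted": not ok}

def perform(specs, n, enforce):
    """Serially perform (readable, ops) transactions; an abort skips the rest of that transaction."""
    s, aborts, reads = RAOBS(n, enforce), 0, 0
    for readable, ops in specs:
        t = s.begin(readable)
        for op, i in ops:
            if op == "rd":
                reads += 1
                if not s.read(t, i):
                    aborts += 1
                    break
            elif op == "fw":
                s.full_write(t, i)
            else:
                s.partial_write(t, i)
    return aborts, s.illegal_reads, reads

def evaluate(n=50, rn=20, mran=20, tn=100, mtan=50, seed=7):
    """Random roles and transactions as in Section 6 (constructed; the 50/50 read/write split is approximate)."""
    rng = random.Random(seed)
    rights = [(i, op) for i in range(1, n + 1) for op in ("rd", "wr")]
    roles = [rng.sample(rights, rng.randint(1, mran)) for _ in range(rn)]  # an_i distinct rights each
    specs = []
    for _ in range(tn):
        role = rng.choice(roles)                   # the one role p_k granted to T_k
        rd = [i for i, op in role if op == "rd"]
        wr = [i for i, op in role if op == "wr"]
        ops = []
        for _ in range(rng.randint(1, mtan)):      # tan_k operations, all taken from p_k
            if rd and (not wr or rng.random() < 0.5):
                ops.append(("rd", rng.choice(rd)))
            else:                                  # a write is full or partial with equal probability
                ops.append((rng.choice(["fw", "pw"]), rng.choice(wr)))
        specs.append((rd, ops))
    oabort, ra_illegal, ra_reads = perform(specs, n, True)
    _, nif, nbs_reads = perform(specs, n, False)
    return {"oabort": oabort, "ra_illegal": ra_illegal, "ra_reads": ra_reads,
            "nif": nif, "nbs_reads": nbs_reads}
```

`evaluate()` returns the counts of one run of one randomly generated role set and transaction sequence (oabort and the number nif of illegal reads under NBS), not the averages over the repeated runs described in the paper; the read check is the set inclusion {o} ∪ o.O ⊆ In(T.P) computed as a single mask test on the bitmaps, and the full-write clean-up is the two-step procedure above applied to every other object bitmap and to every transaction that has not read the object.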
In the NBS protocol, a read operation may imply illegal information flow, as discussed above. The number nif of read operations which imply illegal information flow is measured. In the RA-RBS and RA-OBS protocols, each time a transaction T_k issues a read operation, it is checked whether illegal information flow might occur, as discussed in this paper; if so, the transaction T_k is aborted. Thus, no illegal information flow occurs, but some transactions may be aborted, in the RA-RBS and RA-OBS protocols. The more transactions are performed, the more transactions are aborted. The numbers rabort and oabort of transactions aborted in the RA-RBS and RA-OBS protocols, respectively, are measured. In the evaluation, we consider twenty roles (rn = 20) on fifty objects (n = 50). First, a role set R = {r1, ..., r20} is randomly generated on the objects o1, ..., o50, O = {o1, ..., o50}, with mran = 20. Then, a sequence T of tn transactions T1, ..., T_tn is randomly created on the object set O with the role set R, where 10 ≤ mtan ≤ 200. The sequence T is serially performed on the object set O in the RA-RBS, RA-OBS, and NBS protocols. A role set R and a transaction sequence T are created by randomly selecting a pair of an object and an operation on the object set O three hundred times for each mran. For a given role set R and each of the RA-RBS, RA-OBS, and NBS protocols, the transaction sequence T is performed five hundred times. Then, the average values of rabort, oabort, and nif are calculated for the RA-RBS, RA-OBS, and NBS protocols, respectively. Fig. 6 shows the illegal read ratio, i.e. the ratio of the number nif of illegal read operations to the total number of read operations issued by the transactions in the NBS protocol.
The more transactions tn are performed, the more illegal read operations are issued. For example, if twenty transactions are performed (tn = 20), about 30% of the read operations are illegal; if one hundred transactions are performed (tn = 100), about 55% are illegal. Fig. 7 shows the ratios rabort/tn and oabort/tn of the numbers of transactions aborted to the total number tn of transactions in the RA-RBS and RA-OBS protocols. As shown in Fig. 7, about 16% to 22% of the transactions are aborted in the RA-RBS and RA-OBS protocols for tn ≥ 150, and the abort ratios rabort/tn and oabort/tn grow as O(log tn). The abort ratio oabort/tn of the RA-OBS protocol is about 5% smaller than rabort/tn of the RA-RBS protocol, since in the RA-OBS protocol only the objects which transactions actually read and write are considered and, in addition, each time an object o is fully written, the record of o in the variable o'.O of every other object o' is removed.

Fig. 7. Ratios of transactions aborted in the RA-RBS and RA-OBS protocols (n = 50).

7. Concluding remarks

In this paper, we discussed protocols for synchronizing transactions to prevent illegal information flow based on the role-based access control (RBAC) model. We first defined the legal information flow relation r_i ⇒ r_j among a pair of roles r_i and r_j: if a subject granted the role r_j manipulates objects after a subject granted the role r_i does, no illegal information flow occurs. Then, we defined safe systems, where no illegal information flow occurs even if the transactions issued by subjects are performed in any order. In unsafe systems, transactions have to be synchronized so that no illegal information flow occurs. We proposed a pair of synchronization protocols, the read-abortion role-based synchronization (RA-RBS) protocol and the read-abortion object-based synchronization (RA-OBS) protocol, to prevent illegal information flow in unsafe systems. In the RA-RBS protocol, the storage overhead for recording lock modes is reduced, and lock modes on objects are released after some time passes. In the RA-OBS protocol, the set of objects whose data may flow into each object is recorded, and locks on objects are released once the objects are fully written by transactions. We evaluated the RA-RBS and RA-OBS protocols in terms of the number of transactions aborted. In the evaluation, more than half of the read operations are shown to be illegal without information flow control. We showed that no illegal information flow occurs, but about 10% to 20% of the transactions are aborted, in the RA-RBS and RA-OBS protocols. We are now discussing synchronization protocols to reduce the number of transactions to be aborted and to reduce the electric power consumption [18] of computers.

References

[1] E.B. Fernandez, R.C. Summers, C. Wood, Database Security and Integrity, Addison-Wesley, 1980.
[2] S.L. Osborn, Mandatory access control and role-based access control revisited, in: Proc. of the 2nd ACM Workshop on Role-Based Access Control, 1997, pp. 31–40.
[3] K.-D. Fischer-Hellmann, Information Flow Based Security Control Beyond RBAC, Springer Vieweg, 2012.
[4] A.A. Elliott, G.S. Knight, Role explosion: acknowledging the problem, in: Proc. of the 2010 International Conference on Software Engineering Research and Practice, 2010, pp. 349–355.
[5] D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role-Based Access Controls, Artech, 2003.
[6] D.F. Ferraiolo, D.R. Kuhn, R. Sandhu, RBAC standard rationale: comments on a critique of the ANSI standard on role based access control, IEEE Secur. Priv. 5 (6) (2007) 51–53.
[7] S. Osborn, R.S. Sandhu, Q. Munawer, Configuring role-based access control to enforce mandatory and discretionary access control policies, ACM Trans. Inf. Syst. Secur. 3 (2) (2000) 85–106.
[8] R.S. Sandhu, Role-based access control models, IEEE Comput. 29 (2) (1996) 28–47.
[9] D.E.R. Denning, Cryptography and Data Security, Addison-Wesley, 1982.
[10] S. Nakamura, D. Duolikun, A. Aikebaier, T. Enokido, M. Takizawa, Role-based information flow control models, in: Proc. of the 28th IEEE International Conference on Advanced Information Networking and Applications (AINA-2014), 2014, pp. 1140–1147.
[11] C.J. Date, An Introduction to Database Systems, 8th edition, Addison-Wesley, 2003.
[12] R.S. Sandhu, Lattice-based access control models, IEEE Comput. 26 (11) (1993) 9–19.
[13] T. Enokido, M. Takizawa, A purpose-based synchronization protocol for secure information flow control, Int. J. Comput. Syst. Sci. Eng. 25 (2) (2010) 25–32.
[14] T. Enokido, M. Takizawa, Purpose-based information flow control for cyber engineering, IEEE Trans. Ind. Electron. 58 (6) (2011) 2216–2225.

[15] T. Enokido, M. Takizawa, A legal information flow (LIF) scheduler based on role-based access control model, Int. J. Comput. Stand. Interfaces 31 (5) (2009) 906–912.
[16] J. Gray, A. Reuter, Transaction Processing: Concepts and Techniques, Morgan Kaufmann, 1993.
[17] M. Yasuda, T. Tachikawa, M. Takizawa, A purpose-oriented access control model for information flow management, in: Proc. of the 14th IFIP International Information Security Conference (IFIP/SEC'98), 1998, pp. 230–239.
[18] D. Duolikun, A. Aikebaier, T. Enokido, M. Takizawa, Energy-aware passive replication of processes, Int. J. Mob. Multimed. 9 (1–2) (2004) 53–65.