Among the research topics of the Security Group we focus on here on enforcement mechanisms that are practical in the sense that they tolerate the fact that humans make mistakes in good faith.

If we look at the way humans organizations manage security we appreciate their flexibility: a policy officer unsatisfied by our thorn driving licence will explicitly ask for another document of his liking, a project officer will not launch a major review of an EU project if a single deliverable is sent with a week delay. She might do it after a continued violation of deadlines. The current formal models for enforcement and authentication don't distinguish between small and big infringements.

The starting point is that a server should be able to compute and communicate to a client the credential that are missing to obtain a service and that it should be possible for either the server or the client to disclose such missing credentials in a piecewise fashion (a generalization of the trust negotiation by Winslett, Yu, Winsborough and others. We have actually theoretically specified by using abduction and fully implemented as web-services using PKI and PMI for credentials. It also worked well: logic only takes a fraction over the time taken by the cryptographic verification of the credentials. You can check the TAAS paper for the details and have a look at the architecture.

Yet, this is not enough because, once access has been granted, security monitors suffer from the same lack of flexibility and do not capture the real working of human organizations. Most papers (Schneider with Erlingsson, Hamlen and Morriset, Ligatti with Bauer and Walker) described in some theorems the good traces potentially enforceable with this or that enforcement mechanism (safety properties, renewal properties, etc.). In collaboration with some researchers from the San Raffaele hospital in Milano (who were interested in the practical aspect of enforcement) we showed that safety and renewal properties are not what you want. They key observation is that most real-life tasks are a repetitions of sub-tasks. We called them iterative properties and you can see the difference between classical security properties such as safety and renewal in the figure on the side. As an example consider a drug dispensation process (a process running hundreds of times and lasting for tens of steps in the hospital IT system ). Safety says that as soon as one single process is wrong you halt the system. Renewal says that until the first mistake is corrected the system will start to silently gobble all other actions. Hardly appealing behaviors for any practical purposes…

Yet many of their proponents have actually implemented systems that enforced those properties. There is a catch here that many people overlook. What distinguishes an enforcement mechanism is not what happens when traces are good, because nothing should happen! The interesting part is how precisely bad traces (that don't satisfy the policy P) are converted into good ones (that do satisfy the policy P). The picture on the sides shows a classification of edit automata which enforce a renewal property P from Bauer, Ligatti and Walker. Implemented systems, being by definition implemented, will actually take care of correcting bad traces that are not in P, in some way. But this part is simply not reflected in the current theories which sits on the bottom of the pile.

Currently we are planning to devise a general mechanism based on the idea of MAP-REDUCE that can lead to a programmable model of a whole range information flow policies (essentially generalizing Secure Multi Execution to a property of your choice).

Within the main stream project we covered a number of themes.

• Effective enforcement of information flow properties based on MAP-REDUCE (ongoing)
• Run-time enforcement that can tolerate errors
• Autonomic authorizations with interactive credential disclosure

The following is a list a people that has been involved in the project at some point in time.

• Natalia Bielova
• Olga Gadyatskaya
• Hristo Koshutanski
• Fabio Massacci - the project leader. Contact Fabio via email name.surname@unitn.it
• Minh Ngo

This activity was supported by a number of projects

• NESSOS
• TENACE
• MASTER

• Bielova N., Devriese D.,Massacci F., Piessens F.: Reactive non-interference for a browser model. Proc. of NSS’11. p 97-104. IEEE 2011. PDFFull version as Technical Report at K.U.Leuven

• Bielova N., Massacci F.: Computer-Aided Generation of Enforcement Mechanisms for Error-Tolerant Policies. Proc. of POLICY’11. p. 89-96. IEEE 2011. PDF
• Bielova N., Massacci F.: Do you really mean what you actually enforced? - Edited automata revisited. . International Journal of Information Security 10(4):239-254 (2011) PDF
• Bielova N., Massacci F.: Iterative Enforcement by Suppression: Towards Practical Enforcement Theories. Journal of Computer Security 2011. PDF
• Bielova N., Massacci F.: Predictability of Enforcement. In Proc. of ESSoS’10. Springer p 73-86.PDF
• Bielova N., Massacci F., Micheletti A.: Towards Practical Enforcement Theories. Proc. of NordSec’09 p. 239-254, Springer 2009. PDF

• Koshutanski H., Massacci F.: Interactive access control for autonomic systems: From theory to implementation. ACM Transactions on Autonomous and Autonomic Systems 3(3): 2008. PDF
• Kohutanski, H., Massacci F.: A Negotiation Scheme for Access Rights Establishment in Autonomic Communication. Journal of Network and Systems Management 15(1):117-136 2007. PDF

• F. Massacci. Why Schneider, Hamlen, Bauer, Ligatti, and Walker (not to mention Pretschner) are all looking in the wrong place. Dagstuhl Seminar on Usage Control. October 2010. Slides in PPTX

• The web system for Autonomic Interactive Authorization is available as open source (http://www.interactiveaccess.org).