Quantitative Assessment of Access Control in Complex Distributed Systems
Funded through the U.S. National Security Agency SoS Lablet
Researchers: David M. Nicol and William H. Sanders
Modern networked systems are large and heterogeneous, and employ a variety of access control mechanisms that are the first line of defense against cyber-attack. These mechanisms include, but are not limited to:
- router-based dedicated firewalls, such as the Cisco PIX series;
- host-based firewalls, which could be based in software (such as iptables in Linux, or in-built firewalls in the operating system) or hardware (such as specialized NICs);
- operating-system-based mechanisms, such as discretionary access control in Linux or Windows, or more sophisticated mechanisms, such as the mandatory access control in NSA's SELinux and similar functionality provided for Windows by the Cisco Security Agent; and
- middleware-based mechanisms, such as the Java Security Manager, that provide for specification and enforcement of fine-granularity access control policies for Java programs.
This project addresses the problem of estimating the degree to which the actual security posture given by the configurations of these diverse mechanisms complies with machine-checkable global policy, when (1) the system is too large to admit exhaustive analysis, and (2) we consider the possibility of intruders creating connections through compromised hosts set up as stepping stones. The foundational science we are developing applies the statistical method of importance sampling to two problems under these assumptions: statistically estimating metrics that quantify a system's compliance with global policy, and finding the hosts that, if compromised, would have the largest negative impact on accessibility compliance. The results of our research will quickly be included in an existing tool we've developed that exhaustively validates compliance. This will transition the technology into practice; furthermore, the insights we gain will have application in other security domains where the challenge is to estimate the number of rare but disastrous states in combinatorially huge state spaces.
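The following sketch illustrates the general idea of importance sampling for this kind of rare-event compliance estimate. It is an added example, not the project's tool or algorithm; the topology, the policy, the independent per-host compromise probability and all names are constructed assumptions. The network is kept small so that the sampled estimate can be compared with exhaustive enumeration.

```python
import itertools
import random

# Constructed sample topology (not from the page): an edge u -> v means the
# combined firewall/host rules allow u to open a connection to v.
ALLOWED = {
    "inet": {"web", "mail", "vpn"},
    "web": {"app"},
    "mail": {"app"},
    "vpn": {"jump"},
    "app": {"db"},
    "jump": {"db"},
    "db": set(),
}
HOSTS = ["web", "mail", "vpn", "app", "jump"]  # hosts that may be compromised
P_COMPROMISE = 0.01        # assumed, independent per-host compromise probability
SRC, DST = "inet", "db"    # assumed global policy: SRC must never reach DST

def violates(compromised):
    """True if SRC can reach DST relaying only through compromised hosts."""
    frontier, seen = [SRC], {SRC}
    while frontier:
        u = frontier.pop()
        for v in ALLOWED[u]:
            if v == DST:
                return True
            if v in compromised and v not in seen:
                seen.add(v)
                frontier.append(v)
    return False

def state_weight(k, p, q):
    """Probability of one state with k compromised hosts, or (q given) its likelihood ratio."""
    n = len(HOSTS)
    return (p / q) ** k * ((1 - p) / (1 - q)) ** (n - k)

def exact_probability(p=P_COMPROMISE):
    """Exhaustive baseline: enumerate all 2^n compromise sets (infeasible at scale)."""
    total = 0.0
    for bits in itertools.product([0, 1], repeat=len(HOSTS)):
        chosen = {h for h, b in zip(HOSTS, bits) if b}
        if violates(chosen):
            total += state_weight(len(chosen), p, 1.0) * (1 - 1.0) ** 0 if False else \
                     p ** len(chosen) * (1 - p) ** (len(HOSTS) - len(chosen))
    return total

def importance_sample(n, p=P_COMPROMISE, q=0.5, seed=1):
    """Sample compromises at inflated rate q, then reweight each hit back to p."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(n):
        chosen = {h for h in HOSTS if rng.random() < q}
        if violates(chosen):
            total += state_weight(len(chosen), p, q)
    return total / n
```

Plain Monte Carlo at the true rate would see a violation in roughly 3 of every 10,000 samples here; sampling at `q=0.5` hits one in about half the samples and lets the likelihood ratio correct the bias.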