Figure 6. Memory for evaluating a policy decision, 1-5,000 rules/services/labels. (x-axis: number of labels (red) / applicable rules (blue); y-axis: memory consumption (MB))
of the control flow are negligible. An automated formal
verification of LUCON policies against message routes
informs users upfront about possible policy violations and
thus supports policy authors in writing correct rules. Proofs
created by the formal verification support system audits, as
they assert that message routes will not violate security and
privacy requirements.
Our prototype shows that compiling policies and message routes into the same logic representation is suitable for both runtime enforcement and static verification, without converting back and forth between different representations and without the semantic gaps such conversions introduce.
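The following is an added illustration of that idea, not LUCON's own code or policy language: message routes (edges between services), label propagation and deny rules are kept in one relational representation, and the same facts serve both the runtime decision (may this message take this hop?) and the static check (can any path from an entry point ever carry a forbidden label into a sink?). All service names, labels and rules are constructed for the example.

```python
"""Added example (not part of the original paper): one set of facts,
two evaluation modes. Services, labels and rules are constructed."""
from collections import deque

# Constructed message route: directed edges between processing services.
ROUTE = {
    "ingest": ["anonymize", "raw-export"],
    "anonymize": ["analytics"],
    "raw-export": ["partner-api"],
    "analytics": ["partner-api", "archive"],
    "partner-api": [],
    "archive": [],
}

# Constructed label effects: labels a service attaches to or strips from
# a message it processes (ingest marks data as personal, anonymize clears it).
ADDS = {"ingest": {"personal"}, "analytics": {"derived"}}
REMOVES = {"anonymize": {"personal"}}

# Constructed policy: (label, sink service) pairs that must never occur.
DENY = {("personal", "partner-api"), ("personal", "archive")}


def propagate(labels, service):
    """Labels a message carries after `service` has processed it."""
    return (set(labels) | ADDS.get(service, set())) - REMOVES.get(service, set())


def decide(labels, src, dst):
    """Runtime decision for one hop: a message carrying `labels` leaves
    `src` towards `dst`. Returns (allowed, reason)."""
    if dst not in ROUTE.get(src, []):
        return False, "no such hop"
    for label in sorted(propagate(labels, src)):
        if (label, dst) in DENY:
            return False, f"label {label!r} must not reach {dst!r}"
    return True, "allow"


def verify(entry, initial_labels=frozenset()):
    """Static verification over the same facts: breadth-first enumeration
    of every (service, label set) state reachable from `entry`.
    Returns a list of (path, label, sink) witnesses; [] means the route
    cannot violate the policy for any message entering at `entry`."""
    violations = []
    queue = deque([([entry], frozenset(initial_labels))])
    seen = set()
    while queue:
        path, labels = queue.popleft()
        out = frozenset(propagate(labels, path[-1]))
        for nxt in ROUTE.get(path[-1], []):
            for label in sorted(out):
                if (label, nxt) in DENY:
                    violations.append((path + [nxt], label, nxt))
            state = (nxt, out)          # cycle guard on (service, labels)
            if state not in seen:
                seen.add(state)
                queue.append((path + [nxt], out))
    return violations


if __name__ == "__main__":
    print(decide({"personal"}, "raw-export", "partner-api"))
    for witness in verify("ingest"):
        print("violation:", " -> ".join(witness[0]), "carries", witness[1])
```

The runtime path only inspects the single hop a message is about to take, while the static path exhausts the reachable state space once and reports a concrete witness path for each violation; both read the same `ROUTE`, `ADDS`/`REMOVES` and `DENY` facts, which is the property the paragraph above describes.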
A major question was whether a Prolog-based evaluation engine can keep up with the demands of real-life systems with considerably high message throughput. Although the performance impact of our prototype is noticeable, the measured delays of 12-15 ms per policy decision are still in the range of typical network latency and suggest that, with appropriate optimizations, the policy framework will easily be able to handle real-world use cases.
ACKNOWLEDGEMENT
This work has been funded by the Federal Ministry for Economic Affairs and Energy (BMWi) in the project CARBITS (01MD16004B).