Secure Computing With The Actor Paradigm


Bhavani Thuraisingham
The MITRE Corporation
202 Burlington Road
Bedford, Massachusetts 01730

Abstract

This paper describes the actor model of concurrent computation and discusses some of the issues in securing such a model.

1 Introduction

Various computing paradigms (or models of computation) have been proposed for concurrent computing systems. Notable among these are (1) the sequential process paradigm, (2) the functional paradigm, and (3) the actor paradigm. In the sequential process paradigm, a sequence of transformations is performed on states, which are mappings from locations to values. The transformations may depend on certain inputs and may produce certain outputs which may depend on the inputs (see for example [HOAR78]). In the functional paradigm, a function is a computational element which acts on data without the use of a store. Functional models are derivatives of the lambda calculus based languages such as Lisp. Concurrency is exploited by evaluating arguments of a function in parallel and is being used in data flow architectures (see for example [WENG75]). In the actor paradigm, actors are computational agents which receive communication from other actors and respond to the communication in a specified manner. That is, these computational agents communicate asynchronously with each other by exchanging messages which are called tasks (see for example [AGHA86]). The actor model is a more powerful model of computation than the other two, as the sequential model and the functional model can be defined in terms of the actor model. It is envisaged that the next generation computing systems will be those based on massively parallel architectures, and the actor model of computation appears to be an appropriate one for such systems.

While much of the previous work on secure computer systems has focussed on nonconcurrent computing systems (see, for example, [GASS88]), recently some work on the security aspects of the sequential process paradigm has been reported (see for example [FOUN90]). However, if the next generation computing systems are to be made secure, then the security issues of the models proposed for massively parallel architectures need to be examined. Since the actor model of concurrent computation is becoming popular for such systems, we feel that it is useful to start with the actor model. Therefore, in this paper we discuss some of the issues in securing the actor model.*

The organization of this paper is as follows. In section 2, we provide an overview of the actor model as given in [AGHA86]. In section 3, our proposed model for secure computation will be discussed. Some of the complexities involved in proving that an actor system is secure will be noted in section 4. Since the actor model can be regarded as a variation of object-oriented computation, some of the related work in securing object-oriented systems will be given in section 5. The paper will be concluded in section 6.

* We are not proposing the actor model to be the ideal one for concurrent computing systems. Our objective is to investigate only the security issues for the actor model.

© 1993 ACM 0-89791-635-2 $1.50. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission.

2 Actor Model of Concurrent Computation

Although the actor model has roots in the programming language Simula [DAHL70], it was not until the work of Hewitt and Baker in 1977 [HEWI77] that research began actively on such a model for parallel architectures. Much of the concepts and ideas that we know today of the actor model have resulted from Agha's thesis on this subject. The discussion on actors given in this section has been obtained from [AGHA86].

An actor system consists of a collection of actors, which are the computational agents. As stated in [AGHA86], computation in an actor system is carried out in response to communications sent to the system. Communications are contained in "tasks." Tasks consist of three components: a tag (which identifies the task), a target address (which is the mail address of an actor to which the communication is sent) and a communication. A communication could contain data values, expressions, and even commands. When a communication is received by an actor, new tasks and actors are created. When an actor is no longer active, it is removed from the system. Similarly, when the processing of a task is completed, it is also removed from the system. The key issue in the actor model is to exploit concurrency, but at the same time encourage cooperative computing. As a result, the actor model is being proposed not only for systems such as operating systems, distributed systems, and parallel processing systems, but also for cooperative and collaborative computing applications.

An actor accepts a communication when it processes the task containing the communication. The tasks sent to an actor are mailed in a queue. An actor is specified as a pair containing a mail address and a behavior. The behavior is a function of the communication accepted by the actor. When an actor accepts a communication, in addition to creating new actors and tasks, it must also compute a replacement behavior. Certain actors within an actor system communicate with the outside world. These actors are called the recipients. The outside world could even be another actor system.

We will describe the essential points with an example taken from [AGHA86]. The example is illustrated in figure 1.† When an actor machine X_n accepts the nth communication in a mail queue, it will create a new actor machine X_{n+1}, which will carry out the replacement behavior of the actor. The new actor machine will point to the cell in the mail queue in which the (n+1)st communication is placed. That is, when X_n processes the nth communication, it will determine the replacement behavior for the (n+1)th communication. In other words, while X_n continues to process the nth communication, X_{n+1} could start processing the (n+1)th communication. The two actor machines X_n and X_{n+1} will not affect each other's behavior. Each of the actor machines may create its own tasks and actors as defined by its respective behavior. Before X_n creates X_{n+1}, X_n may have already created some actors and tasks. Furthermore, X_n may still be in the process of creating more tasks and actors even as X_{n+1} is doing the same. Once X_n completes processing the nth communication, it will no longer process any additional communications. While processing the (n+1)th communication, X_{n+1} could create a new actor X_{n+2} and a replacement behavior for X_{n+2} so that X_{n+2} can process the (n+2)th communication received at the same mail address.

† Permission to reproduce figure 1 will be requested from the author of [AGHA86] and MIT Press.

Figure 1: An abstract representation of transition

3 Towards a Multilevel Secure Actor System

We are concerned with developing a model for concurrent computation in a multilevel environment with actors as the underlying computation agents. The first question that must be answered is: what are the entities of classification? That is, should they be actors, tasks, behaviors, or communications? The next question is: how should computation proceed in such a model so that there is no information flow from a higher level to a lower level? In this section we propose a model for secure computation based on the actor paradigm.

The entities of classification in the proposed model are the actors themselves, among others (such as tasks, behaviors, communications, and mail addresses). That is, whenever an actor is created, it is assigned a security level. An actor is a pair consisting of a mail address and a behavior. That is, an actor is created by another actor by first creating a mail address and then assigning a behavior to the address. The security level of an actor is also specified by the creator. An actor whose security level is L may create actors at a level which dominates L. If an actor A1 at level L1 creates an actor A2 at level L2 where L2 dominates L1, then the address of A2 is visible to A1. This means that any actor at level L (L1 ≤ L ≤ L2) may send communications to A2. A2 will not be able to send any communications to the actors at level L* (L* < L2).

We define a multilevel secure actor system (MLS/AS) to be a system of actors in which each actor is assigned a security level and the actors in the system send tasks in such a way that there is no information flow from a higher level to a lower level. Similarly, a multilevel actor model is an actor model for a multilevel environment.

Consider the example discussed in section 2. Suppose an actor X_n at level L processes the nth communication in its mail queue. This communication must have been sent by an actor at level L or below. X_n may create new actors at a level which dominates L, it may create additional tasks, and it also creates an actor X_{n+1} and specifies a replacement behavior for X_{n+1}. X_{n+1} will process the (n+1)th communication received. The question is: should X_n and X_{n+1} be at the same level, or could the level of X_{n+1} dominate the level of X_n? Since X_n and X_{n+1} share the same mail address, whenever an actor sends a communication to this mail address it is reasonable to assume that the security level of the actor is the same as the first actor to be assigned to such an address. Therefore, in our proposed model, X_n and X_{n+1} are at the same level L. The essential points are illustrated in figure 2.

Next we formalize the notions discussed in the previous paragraphs. In particular, we define tasks, actors, and behaviors for a multilevel environment. Suppose an actor A at level L creates a task t. Then t is a triple (i, m, k) where i is a tag, m is a mail address to which the task is being sent (i.e., the target address), and k is a communication. The task t has a security level, and it is equal to L. That is, we assume that any information that is created by an actor at level L must be classified at level L also. In our model, tags, mail addresses, and communications also have security levels. The security levels of k and i are also L. However, if the creation of the task t resulted from some other task (possibly sent by a lower level actor) received by A, then information about that task may be embedded into it. The security level of the mail address m is dominated by L. This is because an actor can create actors at a higher level. Since m is visible to A, m may have been created by a lower level actor, in which case m is assigned the level of its creator. That is, an actor at level L can have a mail address at a lower level.

The set of all possible tasks T is defined by

$T = I \times M \times K$ (1)

where I is the set of all possible tags, M is the set of all possible mail addresses, and K is the set of all possible communications. The set of all possible actors is given by

$ACT = M \times B$ (2)

where M is the set of all possible mail addresses and B is the set of all possible behaviors. Each actor A in ACT is a pair which consists of a mail address and a behavior. The security level L of A must dominate the levels of its address and behavior. This is because the actor who creates A assigns a behavior to the mail address created for A.

Let b be the behavior of an actor A at mail address m, which processes a task with tag t and communication k. The behavior is a function which is defined as follows:

$b(k, m, t) = (T^*, ACT^*, A^*)$ (3)

where $T^* = \{p_1, p_2, \ldots, p_n\}$ is the set of tasks created, $ACT^* = \{A_1, A_2, \ldots, A_m\}$ is the set of actors created, and A* is an actor which shares the same mail address as A. The following conditions hold:

(i) The tag t of the task processed is a prefix of all tags of the tasks created. That is: [formula illegible in the transcription]. Furthermore, the level of $p_i$ is the same as that of A.

(ii) The tag t of the task processed is a prefix of all mail addresses of the actors created. That is:

$\forall i\,(1 \le i \le m,\ \exists b_i \in B,\ \exists t_i \in I\ (A_i = (t.t_i, b_i)))$ (5)

Furthermore, the level of $A_i$ must dominate the level of A.

Figure 2: An abstract representation of transition in a multilevel secure actor system

(iii) Let I* be the set of tags of newly created tasks and M* be the set of mail addresses of newly created actors. Then no element of $I^* \cup M^*$ is the prefix of any other element of the same set.

(iv) There is always a replacement behavior b'. That is:

$\exists b' \in B\ (A^* = (m, b'))$ (6)

Furthermore, the levels of A and A* are the same.

4 A Note on Configurations and Transitions

At any instant, an actor system is defined by its configuration. A configuration of such an actor system is described by the actors and tasks it contains. To define configurations, we first define a local states function. A local states function F is a function whose domain is M* and whose range is B, where M* is a finite set of mail addresses and B is the set of all possible behaviors. That is, a local states function defines the actors of the system by assigning behaviors to mail addresses. A configuration is a pair (F, T*) where F is the local states function and T* is a finite subset of the tasks T such that (i) no task in T* has a tag which is a prefix of either another tag of a task or of a mail address in the domain of F, and (ii) no mail address in the domain of F is the prefix of either another mail address in the domain of F or of a tag of a task in T*. These restrictions are necessary to ensure that for a given configuration there exist transitions with unprocessed tasks. This way, an actor system can evolve.

The evolution of an actor system is defined by the initial configuration and transitions between the configurations. One initial configuration consists of a set of actors and tasks that are created initially. The transitions in an actor system are quite different from those of a sequential, possibly nondeterministic model. While in a nondeterministic sequential process a unique transition does occur, as stated in [AGHA86], in concurrent systems such as actors many transition paths with different viewpoints may be consistent representations of the actual evolution.

Because of the complexities involved in the actor system, could the usual techniques that have been used to prove that a system is secure be applied to such systems? Usually it is shown that the initial state of the system is secure and that state transitions maintain the security properties. As stated earlier, the transitions in a concurrent system are not straightforward, and therefore the traditional approach to proving that a system is secure may not be sufficient. Research needs to be carried out in order to determine ways of proving the security of concurrent processing systems.

5 Related Work

Although security issues for concurrent computational models such as actors are yet to be investigated, the work that has been done so far on object-oriented database system security is somewhat related. Much of the work on object-oriented database system security (see, for example, [KEEF88, THUR89a, MILL89, THUR90]) assumes a passive model of objects. That is, the objects contain data values, and subjects, which are the active entities such as processes, send messages to objects to execute certain methods and retrieve or update the values. The earliest work on an active model of objects was proposed in [THUR89b]. This model incorporated security into the active model proposed in [ROZE89]. A more detailed investigation of security for such a model was described in [JAJO90]. However, concurrent execution and cooperation were not a consideration in these active models.

The main difference between the active models proposed in the object-oriented database security work and the actor model proposed here is that the objective of the actor model is to exploit concurrent computations as well as ensure cooperation. The active object-oriented models do not create new objects. It is assumed that the objects already exist and messages are sent in order to retrieve and update values. The messages are intercepted by a trusted filter. In the actor model, new actors are created when communication is received in order to exploit concurrent problem solving.

6 Conclusion

In this position paper, we first described the essential points of the actor model of concurrent computation. As stated earlier, the actor model is particularly useful for concurrent and cooperative problem solving applications. Next we proposed a secure model for concurrent computation which is based on the actor paradigm.

Much remains to be done before an MLS/AS can be developed. First of all, we did not consider all of the constructs of the actor model in our discussions. That is, only a very small subset of the constructs were considered. In order to develop a useful MLS/AS, the security issues for the complete actor model must be investigated. Also, our approach is one way of securing the actor model. Different alternatives need to be explored before one can be selected. Even with the model that we have proposed here, we need to prove that there is no information flow from a higher level to a lower level. As stated in section 4, the issues involved may be quite different from those for sequential processes.

Since the actor model is being proposed for a variety of systems including massively parallel architectures and cooperative computing applications, we envisage that an MLS/AS could be used for multilevel parallel processing and cooperative computing applications. We also envisage that the actor model could be used for implementing role-based security policies. The work described in this paper is just the first step towards developing an MLS/AS.

Acknowledgements

I thank Jonathan Millen and Arnon Rosenthal for their comments on this paper.

References

[AGHA86] Agha, G., 1986, ACTORS: A Model of Concurrent Computation in Distributed Systems, M.I.T. Press, Cambridge, MA.

[DAHL70] Dahl, O. et al., 1970, Simula Common Base Language, Technical Report S-22, Norwegian Computing Center.

[FOUN90] Proceedings of the Third Computer Security Foundations Workshop, June 1990.

[GASS88] Gasser, M., 1988, Building Secure Systems, Van Nostrand, New York.

[HEWI77] Hewitt, C. and H. Baker, 1977, "Laws for Communicating Parallel Processes," IFIP Conference Proceedings.

[HOAR78] Hoare, A., 1978, "Communicating Sequential Processes," Communications of the ACM, Vol. 21, no. 8.

[JAJO90] Jajodia, S., and B. Kogan, 1990, "Integrating an Object-Oriented Data Model with Multilevel Security," Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA.

[KEEF88] Keefe, T., W. T. Tsai, and B. M. Thuraisingham, October 1988, "A Security Policy for Object-Oriented DBMS," Proceedings of the 11th NCSC Conference.

[MILL89] Millen, J. and T. Lunt, 1989, "Security for Knowledge Base Management Systems," Technical Report, MTR 686, The MITRE Corporation, Bedford, MA.

[ROZE89] Rozenshtein, D. and N. Minsky, 1989, "A Law-Governed Object-Oriented System," Journal of Object-Oriented Programming, Vol. 2, no. 2, March/April.

[THUR89a] Thuraisingham, B. M., October 1989, "Mandatory Security in Object-Oriented Database Management Systems," Proceedings of the ACM Conference on Object-Oriented Programming Systems, Languages and Applications (OOPSLA), New Orleans, LA.

[THUR89b] Thuraisingham, B. M., and F. Chase, 1989, "An Object-Oriented Approach to Developing Secure Software Systems," CIPHER (IEEE).

[THUR90] Thuraisingham, B. M., March/April 1990, "Security in Object-Oriented Database Systems," Journal of Object-Oriented Programming, Vol. 2, no. 6.

[WENG75] Weng, K., 1975, Stream-Oriented Computation in Data Flow Schemas, TM 68, MIT Laboratory for Computer Science.
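The dominance and prefix rules of sections 3 and 4, worked through in an added Python simulation that is not part of the original paper. The three-level lattice, the actor names and the behaviors are constructed for the illustration; the checks follow the paper's rules: a creator may only spawn actors at dominating levels, a task carries its sender's level and may only be mailed to an address whose actor dominates that level, created tags and addresses extend the processed task's tag, the replacement actor keeps the address and level, and the resulting configuration must be prefix-free.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

LEVELS = {"U": 0, "S": 1, "TS": 2}           # constructed linear lattice U < S < TS
def dominates(a: str, b: str) -> bool:
    return LEVELS[a] >= LEVELS[b]
@dataclass(frozen=True)
class Task:                                   # t = (i, m, k), classified at level L
    tag: str
    target: str
    comm: str
    level: str
@dataclass
class Actor:                                  # A = (m, b) together with its level
    addr: str
    level: str
    behavior: Callable                        # b(k, m, t) -> (T*, ACT*, replacement b')
def prefix_free(names: List[str]) -> bool:   # condition (iii) and the section 4 restriction
    return not any(x != y and y.startswith(x) for x in names for y in names)

class MLSActorSystem:
    def __init__(self) -> None:
        self.F: Dict[str, Actor] = {}         # local states function: address -> actor
        self.T: List[Task] = []               # unprocessed tasks T*
    def create(self, creator: Optional[Actor], addr: str, level: str, beh: Callable) -> Actor:
        # an actor at level L may only create actors at levels dominating L
        if creator is not None and not dominates(level, creator.level):
            raise PermissionError(f"{addr}@{level} would be below creator {creator.addr}")
        self.F[addr] = Actor(addr, level, beh)
        return self.F[addr]
    def send(self, sender: Actor, tag: str, target: str, comm: str) -> Task:
        # a task carries its sender's level; the target actor must dominate it (no write-down)
        if not dominates(self.F[target].level, sender.level):
            raise PermissionError(f"{sender.addr}@{sender.level} -> {target} is a write-down")
        task = Task(tag, target, comm, sender.level)
        self.T.append(task)
        return task
    def step(self) -> None:                   # one transition, enforcing (i), (ii) and (iv)
        t = self.T.pop(0)
        a = self.F[t.target]
        new_tasks, new_actors, replacement = a.behavior(self, a, t)
        for suffix, level, beh in new_actors:              # (ii) addresses extend t's tag
            self.create(a, f"{t.tag}.{suffix}", level, beh)
        for suffix, target, comm in new_tasks:             # (i) tags extend t's tag
            self.send(a, f"{t.tag}.{suffix}", target, comm)
        self.F[a.addr] = Actor(a.addr, a.level, replacement)   # (iv) A*: same address, same level
        if not prefix_free([x.tag for x in self.T] + list(self.F)):
            raise RuntimeError("configuration violates the prefix restriction")

def demo() -> Tuple[List[str], str]:
    # constructed run: an S dispatcher spawns a TS worker; the worker's reply to a U logger is refused
    system = MLSActorSystem()
    def logger(sys_, me, t):                  # U-level sink: creates nothing, keeps its behavior
        return [], [], logger
    def ts_worker(sys_, me, t):               # TS actor that tries to mail the U logger
        return [("reply", "log", "done")], [], ts_worker
    def dispatcher(sys_, me, t):              # S actor: spawn a TS worker and hand it the job
        return [("job", f"{t.tag}.worker", t.comm)], [("worker", "TS", ts_worker)], dispatcher
    system.create(None, "log", "U", logger)
    disp = system.create(None, "disp", "S", dispatcher)
    system.send(disp, "1", "disp", "compute")  # initial task; an actor may mail its own address
    system.step()                              # "1": creates 1.worker (TS) and task 1.job
    created = sorted(system.F)
    try:
        system.step()                          # 1.job: worker attempts a TS -> U reply
        outcome = "allowed"
    except PermissionError:
        outcome = "refused"
    return created, outcome
```

Running `demo()` returns `(["1.worker", "disp", "log"], "refused")`: the S-level dispatcher's spawn and task pass every check, while the TS worker's attempt to mail the U-level address is the write-down the model forbids.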

