A Policy Management Framework for Self-Protection of Pervasive Systems

Ruan He, Marc Lacoste
Orange Labs, Security and Trusted Transactions Dept.
{ruan.he,marc.lacoste}@orange-ftgroup.com

Jean Leneutre
Telecom ParisTech, Network, Mobility and Security Dept.
jean.leneutre@telecom-paristech.com

Abstract—Although highly promising for meeting the challenges of pervasive network security, self-managed protection has received little attention in this setting. This paper adopts a policy-based management approach to the problem and presents a policy-driven security framework called ASPF. The authorization policies enforced on a device are adapted according to the security context, at both the network and device levels. ASPF describes how an autonomic security manager may control OS-level authorization mechanisms supporting multiple classes of policies. Evaluation of an ASPF implementation shows that the design is applicable to effective and yet flexible self-protection of pervasive systems.

I. INTRODUCTION

Advances in pervasive networking are rapidly taking us to the final frontier in security, revealing a whole new landscape of threats. In open and dynamic environments, malicious nodes may enter a network undetected, and malware may install itself on a device unnoticed. When roaming between heterogeneous networks, each with its own protection requirements, a device may also exploit conflicts between security policies to gain unauthorized privileges. In an embedded setting with limited and often unstable computing and networking resources, denial-of-service attacks are somewhat easier to mount, and few lightweight countermeasures are available. Finally, these decentralized, large-scale systems make end-to-end security supervision difficult and manual administration impossible, with the risk that the security policies of some sub-systems are not kept up to date.
These threats can only be mitigated with security mechanisms that are highly adaptable to operating conditions and security requirements (e.g., supporting multiple security policies), that impose limited overhead, and above all, that are self-managed [1].

To realize context-aware autonomic adaptations, the policy-driven paradigm has demonstrated its power and generality [2]: system functions are governed by a set of policies and, as the context changes, new policies may be selected to activate the system functions best adapted to the new environment. Unfortunately, this approach has rarely been applied to the self-protection of pervasive systems.

In this paper, we validate the viability of this solution by presenting a policy-driven security management framework called ASPF (Autonomic Security Policy Framework), which describes the design of an autonomic security manager for pervasive systems. ASPF builds on an earlier OS security architecture called VSK (Virtual Security Kernel) [3], [4], which specifies the managed security mechanisms. VSK implements kernel-level, policy-neutral authorization and supports dynamic policy reconfiguration, but does not describe any control strategy. ASPF selects the most appropriate authorization policy to enforce on the device to match the estimated risk level of the current environment. Two levels of adaptation are possible: policies are tuned (or generated) according to the security context of the network and of the device. Policies are specified in an XACML extension following the attribute-based model of authorization [5], which provides a fairly generic way to describe permissions in open systems. An authorization architecture is also defined to refine the ASPF policy adaptation model; it was implemented on top of the VSK authorization mechanisms. Performance, resilience, and security evaluation results show that the combined ASPF and VSK frameworks achieve effective and yet flexible self-protection.
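As an added illustration of the policy-driven adaptation described above (this is not code from the paper, nor from the ASPF or VSK implementations), the following Python sketch selects one of several pre-defined attribute-based authorization policies from a risk level estimated by combining network-level and device-level context, and then evaluates a request against the selected policy. The risk heuristic, the three policies, the attribute names (role, type, authenticated, integrity_ok), the closed-world default and the deny-overrides combining rule are all assumptions made for this example; the paper's policies are written in an XACML extension, whereas this sketch uses plain rule objects, and it only covers policy selection, not policy generation.

```python
"""Context-driven selection of attribute-based authorization policies.

Added illustration, not ASPF or VSK code: the risk heuristic, the three
policies and the attribute vocabulary are assumptions made for this
example. Policies are plain rule tuples rather than XACML documents.
"""
from dataclasses import dataclass

# Ordered risk levels; policy selection keys on the worst level reported
# by either context source (network or device).
RISK_LEVELS = ("low", "medium", "high")


@dataclass(frozen=True)
class Rule:
    effect: str      # "permit" or "deny"
    subject: dict    # subject attributes that must all match
    resource: dict   # resource attributes that must all match
    action: str


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple
    default: str = "deny"   # closed-world: no matching rule means deny

    def evaluate(self, subject, resource, action):
        """Deny-overrides combining: any matching deny wins over permits."""
        decision = None
        for rule in self.rules:
            if rule.action != action:
                continue
            if not _attrs_match(rule.subject, subject):
                continue
            if not _attrs_match(rule.resource, resource):
                continue
            if rule.effect == "deny":
                return "deny"
            decision = "permit"
        return decision or self.default


def _attrs_match(required, actual):
    """True when every required attribute is present with the same value."""
    return all(actual.get(k) == v for k, v in required.items())


def estimate_risk(network_ctx, device_ctx):
    """Derive a risk level from the two adaptation levels (assumed heuristic):
    an unauthenticated network or a failed device integrity check is high
    risk, an authenticated public network is medium, anything else is low."""
    if not network_ctx.get("authenticated"):
        net_risk = "high"
    elif network_ctx.get("type") == "public":
        net_risk = "medium"
    else:
        net_risk = "low"
    dev_risk = "low" if device_ctx.get("integrity_ok") else "high"
    return max(net_risk, dev_risk, key=RISK_LEVELS.index)


# One policy per risk level: privileges shrink as the estimated risk grows.
CONTACTS = {"type": "contacts"}
POLICIES = {
    "low": Policy("low-risk", (
        Rule("permit", {"role": "user"}, CONTACTS, "read"),
        Rule("permit", {"role": "user"}, CONTACTS, "write"),
        Rule("permit", {"role": "guest"}, CONTACTS, "read"),
        Rule("permit", {"role": "admin"}, CONTACTS, "read"),
        Rule("permit", {"role": "admin"}, CONTACTS, "write"),
    )),
    "medium": Policy("medium-risk", (
        Rule("permit", {"role": "user"}, CONTACTS, "read"),
        Rule("deny", {"role": "guest"}, CONTACTS, "read"),   # explicit deny
        Rule("permit", {"role": "admin"}, CONTACTS, "read"),
        Rule("permit", {"role": "admin"}, CONTACTS, "write"),
    )),
    "high": Policy("high-risk", (
        Rule("permit", {"role": "admin"}, CONTACTS, "read"),
    )),
}


def select_policy(network_ctx, device_ctx):
    """Pick the policy matching the estimated risk of the current context."""
    return POLICIES[estimate_risk(network_ctx, device_ctx)]


def authorize(network_ctx, device_ctx, subject, resource, action):
    """Return (policy name, decision) for a request under the given context."""
    policy = select_policy(network_ctx, device_ctx)
    return policy.name, policy.evaluate(subject, resource, action)


if __name__ == "__main__":
    home = {"type": "home", "authenticated": True}        # constructed context
    hotspot = {"type": "public", "authenticated": False}  # constructed context
    user = {"role": "user"}
    for net in (home, hotspot):
        print(net["type"], authorize(net, {"integrity_ok": True}, user, CONTACTS, "write"))
```

The same write request from the same user is permitted while the device sits on the trusted home network and denied once it roams to an unauthenticated hotspot or fails its integrity check, without any change to the request itself: only the active policy changes. The closed-world default and the deny-overrides combining rule are what keep a request from slipping through when two policies disagree, which is the kind of policy conflict the introduction warns a roaming device could otherwise exploit.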
The rest of this paper is organized as follows. After reviewing related work (Section II), we provide some background on our self-protection architecture (Section III). We then present the ASPF adaptation and policy models (Sections IV and V) and the authorization architecture (Section VI). Finally, we present an ASPF implementation over the VSK mechanisms (Section VII) and some evaluation results (Section VIII).

II. RELATED WORK

Self-protection has so far been explored very little. Although it is quite an early idea [1], it has been discussed mostly at the level of principles, with few frameworks available, mainly for enterprise information systems [6], [7]. To orchestrate the components needed for autonomic security management, a policy-driven design [2], [7] seemed promising, since the approach has been applied successfully to other self-* properties: several generic policy management frameworks [8]–[10] have been proposed to automate device and network reconfigurations in response to context changes. Unfortunately, these frameworks hardly consider security. Notable exceptions are [10], for large organizations, and [11], for pervasive systems, which supports authorization and obligation policies. With those frameworks, however, it remains unclear how to specify and federate authorization policies described in different security models in order to overcome the heterogeneity of network security policies.