ASPF: A Policy Administration Framework for
Self-Protection of Large-Scale Systems
Ruan He Marc Lacoste
Orange Labs
Security and Trusted Transactions Dept.
{ruan.he,marc.lacoste}@orange-ftgroup.com
Jean Leneutre
Telecom ParisTech
Network, Mobility and Security Dept.
jean.leneutre@telecom-paristech.com
Abstract—Despite its potential to tackle many security
challenges of large-scale systems such as pervasive networks,
self-managed protection has been little explored. This paper
addresses the problem from a policy management perspective
by presenting a policy-driven framework for self-protection
of pervasive systems called ASPF (Autonomic Security Policy
Framework). Enforced authorization policies in a device are
adapted according to the security context, both at the network
and device levels. ASPF describes how an autonomic security
manager may control OS-level authorization mechanisms supporting
multiple classes of policies. Evaluation of an ASPF
implementation shows that the framework enables effective
self-protection of pervasive systems. ASPF is also applicable
for autonomic security management of other types of large-scale
infrastructures such as cloud environments.
Keywords-Autonomic Computing, Self-Protection, Policy
Management, Authorization, Pervasive Networks.
I. INTRODUCTION
Advances in pervasive networking are rapidly taking us
to the final frontier in security, revealing a whole new
landscape of threats. In open and dynamic environments,
malicious nodes may enter a network undetected, and various
malware may invisibly install itself on a device.
When roaming between heterogeneous networks, each with
its own protection requirements, a device may also take
advantage of security policy conflicts to gain unauthorized
privileges. In embedded settings with limited and often
unstable computing and networking resources, denial of
service attacks are easier to mount, since few lightweight security
countermeasures are available. Finally, these decentralized, large-scale
systems make end-to-end security supervision difficult.
Administration by hand is clearly impossible, with the risk
that some sub-system security policies are not kept up to date.
These threats may only be mitigated with mechanisms highly
adaptable to execution conditions and security requirements
(e.g., supporting multiple authorization policies), with limited
overhead. Above all, protection mechanisms should
be self-managed [1], following the autonomic approach
to security introduced by IBM [2], which defines a self-
protecting system as a system that “can anticipate, detect,
identify and protect [itself] against threats.” [3].
To realize context-aware autonomic adaptations, the
policy-driven paradigm has successfully demonstrated its
flexibility and generality [4]: system functionalities are governed
by a set of policies. As the context changes, other
policies may be selected to activate within the system
functions better adapted to its new environment. Unfortunately,
this type of design has seen little application to self-protection of
pervasive systems.
In this paper, we validate the viability of this approach by
presenting a policy-driven security management framework
called ASPF (Autonomic Security Policy Framework). ASPF
describes the design of an autonomic security manager for
pervasive systems. The framework is built on an earlier
implemented OS security architecture called Virtual Security
Kernel (VSK) [5]–[7] that specifies the managed security
mechanisms. VSK implements kernel-level policy-neutral
authorization, and supports dynamic policy reconfiguration,
but without describing any control strategy of adaptation.
The original features of this framework are the following:
• ASPF enables the selection of the most appropriate
authorization policy to be enforced in the device in
order to match the estimated risk level of the current
environment. Two levels of adaptation are possible,
policies being tuned (or generated) according to the
security context of the network and of the device.
• Policies are specified in an XACML extension for the
attribute-based model of access control [8], which provides
a fairly generic manner to describe permissions
in open systems.
• An authorization architecture is also defined to refine
the ASPF models, and is implemented above the VSK
authorization mechanisms.
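The following is an added illustration of the control loop sketched above (example code written for this summary, not the ASPF or VSK implementation): a policy-neutral enforcement point that enforces whichever policy is loaded, and an autonomic manager that selects the policy class matching a risk level estimated from the network-level and device-level security context. The three policy classes, the attribute names (`clearance`, `level`, `owner`, `role`, `local`), the context fields (`trust`, `integrity_failed`, `anomalies`) and the 0..2 risk scale are constructed for the illustration and are not the paper's.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# ABAC rule: a predicate over subject, resource, action and environment attributes.
Rule = Callable[[dict, dict, str, dict], bool]

@dataclass
class Policy:
    name: str
    rules: List[Rule]  # deny by default: a request is permitted only if some rule matches

    def decide(self, subject: dict, resource: dict, action: str, env: dict) -> bool:
        return any(rule(subject, resource, action, env) for rule in self.rules)

# Three policy classes of increasing restrictiveness, indexed by risk level (constructed).
POLICIES: Dict[int, Policy] = {
    0: Policy("open", [                      # low risk: anyone reads, owners write
        lambda s, r, a, e: a == "read",
        lambda s, r, a, e: a == "write" and s["id"] == r["owner"],
    ]),
    1: Policy("restricted", [                # medium risk: clearance must cover the resource level
        lambda s, r, a, e: s["clearance"] >= r["level"]
        and (a == "read" or s["id"] == r["owner"]),
    ]),
    2: Policy("lockdown", [                  # high risk: local admin, read-only
        lambda s, r, a, e: a == "read" and s["role"] == "admin" and e["local"],
    ]),
}

def estimate_risk(network_ctx: dict, device_ctx: dict) -> int:
    """Risk level 0..2: the worse of the network-level and device-level indicators."""
    net = {"trusted": 0, "public": 1, "unknown": 2}[network_ctx["trust"]]
    dev = 2 if device_ctx.get("integrity_failed") else int(device_ctx.get("anomalies", 0) > 0)
    return max(net, dev)

class PolicyNeutralKernel:
    """Stand-in for a policy-neutral authorization kernel: enforces whatever policy is loaded."""
    def __init__(self, policy: Policy):
        self.policy = policy

    def authorize(self, subject: dict, resource: dict, action: str, env: dict) -> bool:
        return self.policy.decide(subject, resource, action, env)

class AutonomicSecurityManager:
    """Adaptation strategy: re-select the enforced policy whenever the context changes."""
    def __init__(self, kernel: PolicyNeutralKernel):
        self.kernel = kernel

    def adapt(self, network_ctx: dict, device_ctx: dict) -> str:
        self.kernel.policy = POLICIES[estimate_risk(network_ctx, device_ctx)]
        return self.kernel.policy.name
```

Note that the same request from the same subject is permitted under the "open" policy and denied once a failed integrity check moves the device to "lockdown", without any change to the enforcement code itself.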
Performance, resilience, and security evaluation results
show that the combined ASPF and VSK frameworks make it
possible to achieve effective self-protection (Section IX-B evaluates
the autonomic maturity level achieved with ASPF regarding
security mechanisms). Moreover, ASPF is generic enough to
be applied to other types of large-scale infrastructures such
as cloud computing environments by defining the proper
framework refinement.
International Journal on Advances in Security, vol 3 no 3 & 4, year 2010, http://www.iariajournals.org/security/
2010, © Copyright by authors, Published under agreement with IARIA - www.iaria.org