Security policies for distributed systems

TL;DR

This paper explores how to enforce intransitive security policies in distributed systems through local verification, message filtering, and process separation, demonstrated via a smart grid case study using CTL model checking.

Contribution

It introduces a method for enforcing global security policies through local checks and message filters in distributed systems, ensuring security in partitioned environments.

Findings

Local verification of filter functions suffices for global security

Security policies can be enforced via process separation and message path restrictions

CTL model checking can verify local security conditions in a smart grid case study

Abstract

A security policy specifies a security property as the maximal information flow. A distributed system composed of interacting processes implicitly defines an intransitive security policy by repudiating direct information flow between processes that do not exchange messages directly. We show that implicitly defined security policies in distributed systems are enforced, provided that processes run in separation, and possible process communication on a technical platform is restricted to specified message paths of the system. Furthermore, we propose to further restrict the allowable information flow by adding filter functions for controlling which messages may be transmitted between processes, and we prove that locally checking filter functions is sufficient for ensuring global security policies. Altogether, global intransitive security policies are established by means of local verification conditions for the (trusted) processes of the distributed system. Moreover, security policies may be implemented securely on distributed integration platforms which ensure partitioning. We illustrate our results with a smart grid case study, where we use CTL model checking for discharging local verification conditions for each process under consideration.