Amélioration de la sécurité des grands réseaux par une infrastructure de méta-politique

Abstract : This paper presents a novel approach where distributed nodes participating to a common infrastructure can modify in a distributed way a Mandatory Access Control policy without any central component. This approach has been designed with the security of large shared networks in mind, such as securing distributed stations connected to the Internet. The local modification enables a node first to adapt its configuration to the application that has to be deployed on that node, and second to react to specific attacks that are detected locally. Moreover, a local approach provides a better fault tolerance since the policy update does not rely on a central component. The general idea is to have a common shared policy including protection rules plus modification rules. A modification rule enables a node first to modify existing protection rules and second to add new types, roles and users in the system in order to define new rules. A modify rule provides also the ability to suppress types, roles and users from the protection rules. So, our approach is to have a meta-control supporting distributed evolutions of local protection rules. This approach is developed as a joint research project with INRIA and FT R&D, called ACI SATIN, where verification techniques will be proposed to verify that the distributed modifications cannot violate the required security properties.