Believing the Integrity of a System
Simon Foley, Department of Computer Science, University College Cork, Ireland
ARSPA 2004 Workshop on Automated Reasoning for Security Protocol Analysis
UCC Security Research: Distributed Systems
Distributed security architectures [Mulcahy, Quillinan]
Trust Management [Quillinan, Zhou]
Secure Middleware interoperation [Quillinan, Mulcahy]
Secure Virtual Organizations [Zhou]
Supporting enterprise security given many users, components, complex procedures, …
but, how does one know whether security has been configured properly?
UCC Security Research: Security Analysis
Security modeling/analysis: access control, non-interference, …; authentication, non-repudiation, …; non-functional properties.
Properties difficult to model/analyze. Focus on mechanism validation; does not scale well to the enterprise, which should also consider users, procedures, etc.
May encourage de-clarification: compute not your immature gallinaceans prior to them being produced.
Security Research at UCC: Configuration Analysis
Formal methods ‘lite’: shallow and pragmatic analysis methods for systems.
Analyze how a system is configured rather than analyzing its underlying mechanisms and protocols.
Secure Interoperation [with Bistarelli, O’Sullivan]. Secure Services Configuration [with Aziz, Herbert, Swart]. Integrity [constraints: Bistarelli].
Encourage clarification: don’t count your chickens before they’re hatched!
Outline of Talk
Introduction
Ad-hoc Approaches to Integrity
Formalizing Integrity
Towards a Logic of Integrity
Conclusions
Conventional Integrity Models
[Diagram: a Principal performs an operation on a Resource via a Reference Monitor, governed by the Security Policy]
Prevention of unauthorized modification of information.
Application System may also contribute to integrity
Integrity Mechanisms
Access Controls
Well Formed Transactions
Separation of Duties
Cryptographic MACs
Batch Totals
…
Example: Bank Account Management
[Diagram: Customer uses the atm (dep, withdraw) and the clerk (trans); the System performs validate and update on the Account]
Does this system have integrity?
[Diagram annotations: access control; well formed transaction; dishonest clerk; dishonest programmer; separation of duty]
Integrity Models/Criteria
Biba Model, US-DOD Yellow Book, RBAC, Clark Wilson US-Model, GOA Yellow Book, …
Operational/access control oriented models that define how to achieve integrity but not what it is.
Ad-hoc criteria providing for ‘best practice’. No guarantee that a user of the system cannot use some unexpected but authorized circuitous route to bypass integrity controls.
Integrity of the Enterprise
To properly define integrity it is necessary to model system and infrastructure
Even if the system is functionally correct the infrastructure is likely to fail: SW, HW, users!
[Diagram: Enterprise = System (validate, update on Account; atm; dep, withdraw, trans) + Infrastructure, with the Customer at the boundary]
Sample Procedure:
PURCHASE ORDER PAYMENTS (FIN-P202), GUILFORD COUNTY SCHOOLS
1.0 SCOPE
1.1 The process for making payments to vendors for purchases initiated by purchase orders.
2.0 RESPONSIBILITY
2.1 Accounts Payable Technician
3.0 APPROVAL AUTHORITY: […]
4.0 DEFINITIONS: […]
5.0 PROCEDURE
5.1 Upon receipt of the Vendor’s Invoice, AP Technician attaches the yellow copy of the purchase order and the green receiving copy.
5.2 AP Technician checks for errors, makes any corrections, applies audit stamp and initials on invoice.
5.3 Batches of invoices are keyed into the AS400; after each batch an edit report is run and checked and any errors are corrected.
5.4 Batch totals are given to APPA for check printing; APPA submits checks, prints registers and submits to accounting; transactions are then closed out for posting.
5.5 AP Technicians receive checks from Data Processing; check copies are attached to invoices and forwarded to accounting for auditing.
5.6 Accounting audits copies and notifies AP of problems; AP makes any necessary changes.
5.7 Accounting returns check copies to AP Technician for filing and distributes checks to vendors.
6.0 ASSOCIATED DOCUMENTS: […]
7.0 RECORD RETENTION TABLE: […]
8.0 REVISION HISTORY: […]
What is System Integrity?
External consistency: “[…] correct correspondence between the data object and the real world.” [Clark Wilson]
Integrity: dependability with respect to absence of improper alteration [IFIP WG10.4]
Dependability: property of a computer system such that reliance can be justifiably placed on the service it delivers [IFIP WG10.4].
Formalizing Integrity: Dependability as Refinement
Define the service that the system provides.
Refine this to a system implementation that provides this service and is robust to failures in its infrastructure.
system || infrastructure is as dependable as the service at its interface.
Bank Service Requirements
Service Interface = {dep, with}
Acct(0) = dep → Acct(1)
Acct(i) = (dep → Acct(i+1)) [] (with → Acct(i-1))
[Diagram: Customer interacts with Acct through dep and with]
Bank Implementation
Sys(0) = trans → Sys(1)
Sys(i) = (trans → Sys(i+1)) [] (with → Sys(i-1))
Clerk = dep → trans → Clerk   (clerk follows procedures)
Clerk = (dep → Clerk) [] (trans → Clerk)   (clerk does not follow procedures)
[Diagram: Enterprise = System (atm; validate, update on Account) in parallel with Clerk; Customer uses dep and with; the Clerk issues trans]
If the clerk follows procedures then (Sys(0)||Clerk) is as dependably safe as Acct(0) at the interface {dep,with}: (Sys(0)||Clerk)@{dep,with} refines Acct(0).
If the clerk does not follow procedures then (Sys(0)||Clerk)@{dep,with} does not refine Acct(0).
Model threats within infrastructure.
Bank Dependability
Example: Separation of Duty
If one clerk follows procedures then (Sys(0)||Clerk1||Clerk2)@{dep,with} refines Acct(0).
[Diagram: Customer, Account, atm, dep, withdraw, trans, System; the System also performs audit, update, validate and writes a log]
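The three refinement claims above (an honest clerk refines Acct(0), a dishonest clerk does not, and one honest clerk of two suffices) can be checked mechanically. The following Python is an added example, not code from the talk: it codes Acct, Sys and the two Clerk processes as finite successor functions and runs a bounded trace-refinement check at the interface {dep, with}. Two modelling assumptions are mine: clerks synchronise with each other and with Sys on trans, and exploration stops after 12 events.

```python
"""Bounded trace refinement of the bank implementation (Sys || Clerk) against the Acct service.
Processes are successor functions state -> {(event, next_state)}; `trans` is internal."""
from collections import deque

INTERFACE = {"dep", "with"}

def acct(i):            # Acct(0) = dep -> Acct(1); Acct(i) = (dep -> Acct(i+1)) [] (with -> Acct(i-1))
    return {("dep", i + 1)} | ({("with", i - 1)} if i > 0 else set())
def sys_(i):            # Sys(0) = trans -> Sys(1); Sys(i) = (trans -> Sys(i+1)) [] (with -> Sys(i-1))
    return {("trans", i + 1)} | ({("with", i - 1)} if i > 0 else set())
def honest_clerk(s):    # Clerk = dep -> trans -> Clerk  (s=0 awaiting deposit, s=1 deposit taken)
    return {("dep", 1)} if s == 0 else {("trans", 0)}
def dishonest_clerk(s): # Clerk = (dep -> Clerk) [] (trans -> Clerk): may post trans with no deposit
    return {("dep", 0), ("trans", 0)}

def parallel(p, q, sync):
    """P || Q: events in `sync` need both sides, all others interleave; state is a pair."""
    def step(state):
        ps, qs = state
        out = {(e, (ps, qs2)) for e, qs2 in q(qs) if e not in sync}
        for e, ps2 in p(ps):
            if e in sync:
                out |= {(e, (ps2, qs2)) for f, qs2 in q(qs) if f == e}
            else:
                out.add((e, (ps2, qs)))
        return out
    return step

def refines(impl, impl0, spec, spec0, interface, max_steps):
    """Interface trace after which impl offers an event the (deterministic) spec refuses, or None."""
    seen, queue = {(impl0, spec0)}, deque([(impl0, spec0, (), 0)])
    while queue:
        ist, sst, trace, n = queue.popleft()
        for e, ist2 in (impl(ist) if n < max_steps else ()):
            sst2, trace2 = sst, trace                    # hidden event: spec state unchanged
            if e in interface:
                allowed = [s for f, s in spec(sst) if f == e]
                if not allowed:
                    return trace + (e,)                  # impl does what the service never does
                sst2, trace2 = allowed[0], trace + (e,)
            if (ist2, sst2) not in seen:
                seen.add((ist2, sst2))
                queue.append((ist2, sst2, trace2, n + 1))
    return None

def bank_check(clerk_procs, max_steps=12):
    """(Sys(0) || clerks) @ {dep, with} against Acct(0). Assumption: clerks sync with each other and Sys on trans."""
    clerks, cstate = clerk_procs[0], 0
    for c in clerk_procs[1:]:
        clerks, cstate = parallel(clerks, c, {"trans"}), (cstate, 0)
    return refines(parallel(sys_, clerks, {"trans"}), (0, cstate), acct, 0, INTERFACE, max_steps)
```

bank_check([honest_clerk]) and bank_check([honest_clerk, dishonest_clerk]) return None (refinement holds within the bound); bank_check([dishonest_clerk]) returns the counterexample ('with',), a withdrawal the service never offered because the clerk posted a trans without a deposit.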
External Consistency
External consistency: “[…] correct correspondence between the data object and the real world.” [Clark Wilson]
No observable difference (at interface I) between the system with reliable infrastructure and the system with unreliable infrastructure.
system || reliable infrastructure =I system || unreliable infrastructure
Example: MACs for Integrity
Cheque deposits protected by MACs.
Dishonest clerk cannot forge new transactions.
System can determine freshness of transaction.
External consistency at {dep,with}: (sys(0)||honest clerk)@{dep,with} = (sys(0)||dishonest clerk)@{dep,with}
[Diagram: Enterprise = System (atm; validate, update on Account; dep, withdraw, trans) in parallel with Clerk; Customer at the boundary]
Threat Analysis: Behavior Paradigm
Integrity Analysis: study effects of normal versus abnormal infrastructure behavior.
Authentication Protocol Analysis: study effects that a generic attacker can have on protocol behavior.
Abnormal infrastructure as a collection of different attackers.
Will the approach scale to large configurations?
Declarification: Bank Configuration Analysis
Freedom from guile or fraud constitutes the most excellent principle of procedure.
Honesty is the best policy.
Threat Analysis: Logic Based Paradigm
Simplify analysis by making only the needed distinctions and no more.
Authentication protocol analysis: behavior of the adversary is implicit in the deduction rules.
Integrity analysis: infrastructure behavior is implicit in the deduction rules.
Principals: users, components, …
Formulae: P believes X; P said X; consistent(X)
Propositional logic operators: and, or, →
K-Axiom: from P believes (X → Y) and P believes X, infer P believes Y
Towards a Logic of Integrity
Integrity Analysis
Principals: Customer, ATM, Clerk, …
Assumptions about principals: Cust believes consistent(dep), …
Idealization of enterprise operation: ATM said consistent(acct)
Goals: Cust believes consistent(acct)
Bank ATM Analysis: Customer Assumptions
If satisfied, ATM updates account: Cust believes (ATM believes consistent(dep) → consistent(acct))
ATM is honest: Cust believes (ATM said X → ATM believes X)
ATM only says things that can be believed: Cust believes ATM believes ((Cust believes X) → X)
Deposit is correct: Cust believes consistent(dep)
Bank ATM Analysis: Operation and a Goal
ATM operates properly on deposit: Cust believes (ATM said Cust said consistent(dep))
Verifiable Goal: Cust believes consistent(acct)
Bank ATM Analysis: Separation of Duty
Clerk validates deposit: Cust believes Clerk said Cust said consistent(dep)
One of ATM and Clerk honest: Cust believes ((ATM said X → ATM believes X) or (Clerk said X → Clerk believes X))
Error reconciliation is honest: Cust believes ((ATM believes consistent(dep) or Clerk believes consistent(dep)) → consistent(dep))
Conclusions
Existing integrity approaches are ad-hoc.
Scalability of the behavior approach.
Logic approach has disadvantages.
Variant of Simple Logic, with freshness, cryptographic channels, etc.
Analysis tool based on Theory Generation.
Configuration synthesis.
Cleave gramineous matter for fodder during the period that the orb is refulgent.
Make hay while the sun shines!
Advert: funded PhD position available, starting October 2004.