Annotation of Fractal - PowerPoint PPT Presentation

1
Building Secure Distributed Systems: The CIF model (Component Information Flow)
Lilia Sfaxi
DCS Days - 26/03/2009
2
Context and Contribution
  • Context
  • Building secure distributed systems
  • Needed expertise in systems and security
  • Needed expertise in cryptography
  • Difficulty of dynamic reconfiguration without
    breaking the security properties of the system
  • Necessity of high level tools
  • Programming abstractions
  • Automatic code generation
  • Verification of the generated code

3
Context and Contribution
  • Contribution
  • High-level model: CIF (Component Information
    Flow)
  • System architecture description: component-based
    model
  • Security annotations
  • Transformation tools
  • Verification of the security properties
  • System code generation
  • Models and languages
  • Component-based model: Fractal
  • Security-typed programming language: JIF
  • Architecture Description Language: ADL
    (XML-based)

4
Outline
  • CIF Specification
  • System representation
  • System security: inter- and intra-component
  • CIF Transformation
  • CIF ADL
  • ADL Generation
  • Code Generation
  • Case study: The battleship game
  • Conclusion and Future Work

6
CIF Specification: System Representation
  • System: assembly of components explicitly bound,
    with ports used to send and receive data
  • Each component is configurable: attribution of
    labels to
      • The attributes
      • The ports

7
Labels
  • Use of labels: pair of
      • Confidentiality policies
      • Integrity policies
  • All the policies must be obeyed
  • Relation: at most as restrictive as (⊑)
  • Construction of a security lattice
  • As data flows through the system, its labels only
    become more restrictive!

[Figure: security lattice, ordered from less restrictive to more restrictive]
8
CIF Specification: System Security
  • In CIF, needed security policies must be
    guaranteed at two levels
      • Intra-component
      • Inter-component
  • Inter-component
      • Ports annotation
  • Intra-component
      • Secure component code
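
An added example, not part of the original slides: a small model of the label ordering and of the inter-component check on port bindings. It assumes a simplified decentralized-label encoding (one reader set and one writer set per owner); the port names and the sample bindings are hypothetical and constructed for illustration.

```python
from typing import NamedTuple

class Label(NamedTuple):
    conf: dict   # owner -> readers the owner allows (confidentiality policies)
    integ: dict  # owner -> writers the owner trusts (integrity policies)

def flows_to(a, b):
    """True when a is at most as restrictive as b, so data may flow from a to b."""
    # Confidentiality: b keeps every owner of a and never adds readers.
    conf_ok = all(o in b.conf and (b.conf[o] | {o}) <= (a.conf[o] | {o})
                  for o in a.conf)
    # Integrity: b may only claim trust that a already provides.
    integ_ok = all(o in a.integ and (a.integ[o] | {o}) <= (b.integ[o] | {o})
                   for o in b.integ)
    return conf_ok and integ_ok

def join(a, b):
    """Least restrictive label that both a and b may flow to."""
    conf = {}
    for o in a.conf.keys() | b.conf.keys():
        sets = [frozenset(l.conf[o]) for l in (a, b) if o in l.conf]
        conf[o] = frozenset.intersection(*sets)
    integ = {o: frozenset(a.integ[o]) | frozenset(b.integ[o])
             for o in a.integ.keys() & b.integ.keys()}
    return Label(conf, integ)

def check_bindings(ports, bindings):
    """Return the (source, destination) bindings that would leak or taint data."""
    return [(s, d) for s, d in bindings if not flows_to(ports[s], ports[d])]

# Constructed sample: P1 is a player, C the coordinator; port names are hypothetical.
BOARD = Label({"P1": {"C"}}, {"P1": {"C"}})  # P1->C (readers) and P1<-C (writers)
PUBLIC = Label({}, {})                        # readable by all, trusted by no one
PORTS = {
    "player1.board_out": BOARD, "coord.board_in": BOARD,
    "player2.guess_in": PUBLIC, "player2.guess_out": PUBLIC,
}
BINDINGS = [
    ("player1.board_out", "coord.board_in"),     # same label: allowed
    ("player1.board_out", "player2.guess_in"),   # secret board to public port
    ("player2.guess_out", "coord.board_in"),     # untrusted data to trusted port
]

if __name__ == "__main__":
    for src, dst in check_bindings(PORTS, BINDINGS):
        print("rejected binding:", src, "->", dst)
```

The second binding fails on confidentiality and the third on integrity, which is why a label carries both kinds of policy.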

10
CIF Specification: Intra-component Security
  • Annotation of ports and attributes of a component
  • Verification of component code
      • Preservation of confidentiality and integrity of
        annotated elements
      • Non-interferent data flow
  • Non-interference
      • "The low level users should not be able to deduce
        anything about high level users activity"
        (Focardi et al.)
      • "Low-security behavior of the program is not
        affected by any high-security data." (Goguen and
        Meseguer, 1982)

17
Case Study: The Battleship Game
  • 1 coordinator and 2 players (at least)
  • Each player has a secret board with a fixed
    number of ships
  • Each player tries to guess the opponent's ships'
    coordinates; the winner is the first player who
    finds the n ships of the opponent
  • The coordinator keeps a copy of the players'
    boards and controls the message exchange

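18
Case Study: The Battleship Game (Inter-component security)
[Figure: on the sending side, message m passes through a crypt component, which encrypts it with pub(coord), and then a sign component; on the receiving side, the signed message passes through verify and then decrypt, which recovers m]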
19
Case Study: The Battleship Game (Intra-component security)
public class Player {
    private Board board;

    public void setBoard(Board board) {
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) numCovered += j;
        final Ship[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null; ) {
            try {
                Ship newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count)
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            }
            catch (ArrayIndexOutOfBoundsException ignored) {}
            catch (IllegalArgumentException ignored) {}
        }
        setBoard(myBoard);
    }
}
20
Case Study: The Battleship Game (Intra-component security)
public class Player {
    private Board{P1->C;P1<-C} board;

    public void setBoard(Board board) {
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) numCovered += j;
        final Ship[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null; ) {
            try {
                Ship newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count)
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            }
            catch (ArrayIndexOutOfBoundsException ignored) {}
            catch (IllegalArgumentException ignored) {}
        }
        setBoard(myBoard);
    }
}
21
Case Study: The Battleship Game (Intra-component security)
public class Player {
    private Board{P1->C;P1<-C} board;

    public void setBoard(Board{P1->C;P1<-C} board) {
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) numCovered += j;
        final Ship[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null; ) {
            try {
                Ship newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count)
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            }
            catch (ArrayIndexOutOfBoundsException ignored) {}
            catch (IllegalArgumentException ignored) {}
        }
        setBoard(myBoard);
    }
}
22
Case Study: The Battleship Game (Intra-component security)
public class Player {
    private Board{P1->C;P1<-C} board;

    public void setBoard(Board{P1->C;P1<-C} board) {
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) numCovered += j;
        final Ship[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board{P1->C;P1<-C} myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null; ) {
            try {
                Ship newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count)
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            }
            catch (ArrayIndexOutOfBoundsException ignored) {}
            catch (IllegalArgumentException ignored) {}
        }
        setBoard(myBoard);
    }
}
23
Case Study: The Battleship Game (Intra-component security)
public class Player {
    private Board{P1->C;P1<-C} board;

    public void setBoard(Board{P1->C;P1<-C} board) {
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) numCovered += j;
        final Ship[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board{P1->C;P1<-C} myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null; ) {
            try {
                Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count)
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            }
            catch (ArrayIndexOutOfBoundsException ignored) {}
            catch (IllegalArgumentException ignored) {}
        }
        setBoard(myBoard);
    }
}
24
Case Study: The Battleship Game (Intra-component security)
public class Player {
    private Board{P1->C;P1<-C} board;

    public void setBoard(Board{P1->C;P1<-C} board) {
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) numCovered += j;
        final Ship{P1->C;P1<-C}[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board{P1->C;P1<-C} myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null; ) {
            try {
                Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count)
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            }
            catch (ArrayIndexOutOfBoundsException ignored) {}
            catch (IllegalArgumentException ignored) {}
        }
        setBoard(myBoard);
    }
}
26
Conclusion
  • CIF
      • Component-based model
      • Builds distributed systems secure by construction
  • User specifies security requirements
      • At a high level of abstraction
      • Association of labels to attributes and ports of
        the component
  • Tools to automate security implementation
      • Inside a component
          • Generation of JIF code
      • Between components
          • Insertion of cryptographic components

27
Future Work
  • Key distribution
  • Secure deployment
  • Safe reconfiguration
  • Privacy

28
Thank you for your attention
Lilia Sfaxi
DCS Days - 26/03/2009