Title: Believing the Integrity of a System
1Believing the Integrity of a System
- Simon Foley
- Department of Computer Science
- University College Cork
- Ireland
ARSPA 2004 Workshop on Automated Reasoning for
Security Protocol Analysis
2UCC Security ResearchDistributed Systems
- Distributed security architectures.
Mulcahy,Quillinan - Trust Management. Quillinan,zhou
- Secure Middleware interoperation.
Quillinan,Mulcahy - Secure Virtual Organizations. Zhou
- Supporting enterprise security given many users,
components, complex procedures, - but, how does one know whether security has been
configured properly?
3UCC Security ResearchSecurity Analysis
- Security modeling/analysis
- access-control, non-interference,
- authentication, non-repudiation,
- non-functional properties.
- Properties difficult to model/analyze.
- Focus on mechanism validation, does not scale
well to enterprise should consider users,
procedures, etc. - May encourage de-clarification compute not your
immature gallinaceans prior to them being
produced.
4Security Research at UCCConfiguration Analysis
- Formal methods lite shallow and pragmatic
analysis methods for systems. - Analyze how a system is configured rather than
analyzing its underlying mechanisms and
protocols. - Secure Interoperation with Bistarelli,OSullivan
. - Secure Services Configuration with
Aziz,Herbert,Swart. - Integrity constraints Bistarelli.
- Encourage clarification dont count your
chickens before theyre hatched!
5Outline of Talk
- Introduction
- Ad-hoc Approaches to Integrity
- Formalizing Integrity
- Towards a Logic of Integrity
- Conclusions
6Conventional Integrity Models
7Integrity Mechanisms
- Access Controls
- Well Formed Transactions
- Separation of Duties
- Cryptographic MACs
- Batch Totals
-
8ExampleBank Account Management
Well formed transaction
Access Control
Separation of duty
Does this system have integrity?
9Integrity Models/Criteria
- Biba Model, US-DOD Yellow Book, RBAC, Clark
Wilson US-Model, GOA Yellow Book, - Operational/access control oriented models that
define how to achieve integrity but not what it
is. - Ad-hoc criteria providing for best practice.
- No guarantee that a user of the system cannot use
some unexpected but authorized circuitous route
to bypass integrity controls.
10Integrity of the Enterprise
validate
update
trans
dep
Customer
atm
Infrastructure
withdraw
System
Enterprise
- To properly define integrity it is necessary to
model system and infrastructure - Even if the system is functionally correct the
infrastructure is likely to fail SW,HW, users!
11Sample Procedure
PURCHASE ORDER PAYMENTS (FIN-P202) GUILFORD
COUNTY SCHOOLS 1.0 SCOPE 1.1 The process for
making payments to vendors for purchases
initiated by purchase orders. 2.0
RESPONSIBILITY 2.1 Accounts Payable
Technician 3.0 APPROVAL AUTHORITY 4.0
DEFINITIONS 5.0 PROCEDURE 5.1 Upon receipt
of the Vendors Invoice AP Technician attaches
the yellow copy of the purchase order and the
green receiving copy. 5.2 AP Technician checks
for errors, makes any corrections, applies audit
stamp and initials on invoice. 5.3 Batches of
invoices are keyed into the AS400 after each
batch an edit report is run and checked and any
errors are corrected. 5.4 Batch totals are given
to APPA for check printing, APPA submits checks,
print registers and submits to accounting
transactions are then closed out for posting. 5.5
AP Technicians receive checks from Data
Processing check copies are attached to invoices
and forwarded to accounting for auditing. 5.6
Accounting audits copies and notifies AP of
problems AP makes any necessary changes. 5.7
Accounting returns check copies to AP Technician
for filing and distributes checks to vendors. 6.0
ASSOCIATED DOCUMENTS 7.0 RECORD RETENTION
TABLE 8.0 REVISION HISTORY
12What is System Integrity?
- External consistency correct correspondence
between the data object and the real world.
ClarkWilson - Integrity dependability with respect to absence
of improper alteration IFIP WG10.4 - Dependability property of a computer system such
that reliance can be justifiably placed on the
service it delivers IFIP WG10.4.
13Formalizing IntegrityDependability as Refinement
- Define the service that system provides.
- Refine this to a system implementation that
provides this service and is robust to failures
in its infrastructure. - systeminfrastructure is as dependable as
service at its interface.
14Bank Service Requirements
- Service Interface dep,with
- Acct(0) dep gAcct(1)
- Acct(i) dep gAcct(i1)
- with gAcct(i-1)
15Bank Implementation
Enterprise
- Sys(0) trans g Sys(1)
- Sys(i) (trans g Sys(i1)) (with g
Sys(i-1)) - Clerk dep g trans g Clerk
- Clerk (dep g Clerk) (trans g Clerk)
16Bank Dependability
- If clerk follows procedures then (Sys(0)Clerk)
is as dependably safe as Acct(0) at the interface
dep,with. - (Sys(0)Clerk)_at_dep,with refines Acct(0)
- If clerk does not follow procedures then
- (Sys(0)Clerk)_at_dep,with refines Acct(0)
- Model threats within infrastructure.
17ExampleSeparation of Duty
validate
update
trans
dep
Customer
log
audit
atm
withdraw
System
- If one clerk follows procedures then
- (Sys(0)Clerk1Clerk2)_at_dep,with refines
Acct(0)
18External Consistency
- External consistency correct correspondence
between the data object and the real world.
ClarkWilson - No observable difference (at interface I) between
system with reliable infrastructure and the
system with unreliable infrastructure. - systeminfrastructure I systeminfrastructure
19ExampleMACs for Integrity
- cheque deposits protected by MACs
- Dishonest clerk cannot forge new transactions
- System can determine freshness of transaction
- External consistency at dep,with
- (sys(0)clerk)_at_dep,with(sys(0)clerk)_at_dep,wi
th
20Threat AnalysisBehavior Paradigm
- Integrity Analysis study effects of normal
versus abnormal infrastructure behavior. - Authentication Protocol Analysis study effects
that a generic attacker can have on protocol
behavior. - Abnormal infrastructure as a collection of
different attackers. - Will approach scale to large configurations?
21DeclarificationBank Configuration Analysis
- freedom from guile or fraud constitutes the most
excellent principle of procedure. - honesty is the best policy.
22Threat AnalysisLogic Based Paradigm
- Simplify analysis by making only the needed
distinctions and no more. - Authentication protocol analysis behavior of
adversary is implicit in deduction rules. - Integrity analysis infrastructure behavior
implicit in deduction rules.
23Towards a Logic of Integrity
- Principals users, components,
- Formulae
- P believes X
- P said X
- consistent(X)
- Propositional logic operators
- and, or, g
- K-Axiom
- P believes (XgY), P believes X
- P believes Y
24Integrity Analysis
- Principals
- Customer, ATM, Clerk,
- Assumptions about principals
- Cust believes consistent(dep),
- Idealization of enterprise operation
- ATM said consistent(acct)
- Goals
- Cust believes consistent(acct)
25Bank ATM AnalysisCustomer Assumptions
- If satisfied, ATM updates account
- Cust believes
- (ATM believes consistent(dep)
- g (consistent(acct))
- ATM is honest
- Cust believes (ATM said X g ATM believes X)
- ATM only says things than can be believed
- Cust believes
- ATM believes ((Cust believes X) g X)
- Deposit is correct
- Cust believes consistent(dep)
26Bank ATM Analysis Operation and a Goal
- ATM operates properly on deposit
- Cust believes
- (ATM said Cust said consistent(dep))
- Verifiable Goal
- Cust believes consistent(acct)
27Bank ATM AnalysisSeparation of Duty
- Clerk validates deposit.
- Cust believes
- Clerk said Cust said consistent(dep)
- One of ATM and Clerk honest
- Cust believes
- (ATM said X g ATM believes X) or
- (Clerk said X g Clerk believes X)
- Error reconciliation is honest
- Cust believes
- (ATM believes consistent(dep) or
- clerk believes consistent(dep))
- g consistent(dep)
28Conclusions
- Existing integrity approaches ad-hoc.
- Scalability of behavior approach
- Logic approach has disadvantages.
- Variant of Simple Logic, with freshness,
cryptographic channels, etc. - Analysis tool based on Theory Generation.
- Configuration synthesis.
- Cleave gramineous matter for fodder during the
period that the orb is refulgent. - Make hay while the sun shines
- Advert funded PhD position available, starting
October 2004.
29Conclusions
- Cleave gramineous matter for fodder during the
period that the orb is refulgent. - Make hay while the sun shines
- Advert funded PhD position available, starting
October 2004.
30(No Transcript)