Believing the Integrity of a System
Simon Foley, Department of Computer Science, University College Cork, Ireland
ARSPA 2004 Workshop on Automated Reasoning for Security Protocol Analysis
UCC Security Research: Distributed Systems
- Distributed security architectures. [Mulcahy, Quillinan]
- Trust management. [Quillinan, Zhou]
- Secure middleware interoperation. [Quillinan, Mulcahy]
- Secure virtual organizations. [Zhou]
Supporting enterprise security given many users, components, complex procedures, … but how does one know whether security has been configured properly?
UCC Security Research: Security Analysis
- Security modeling/analysis:
  - access control, non-interference, …
  - authentication, non-repudiation, …
  - non-functional properties.
- Properties are difficult to model/analyze.
- Focus on mechanism validation does not scale well to the enterprise; should consider users, procedures, etc.
- May encourage de-clarification: compute not your immature gallinaceans prior to them being produced.
Security Research at UCC: Configuration Analysis
- Formal methods `lite': shallow and pragmatic analysis methods for systems.
- Analyze how a system is configured rather than analyzing its underlying mechanisms and protocols.
  - Secure interoperation [with Bistarelli, O'Sullivan].
  - Secure services configuration [with Aziz, Herbert, Swart].
  - Integrity [constraints: Bistarelli].
- Encourage clarification: don't count your chickens before they're hatched!
Outline of Talk
- Introduction
- Ad-hoc approaches to integrity
- Formalizing integrity
- Towards a logic of integrity
- Conclusions
Conventional Integrity Models
[Diagram: a Principal performs an Operation on a Resource via a Reference Monitor, which enforces the Security Policy.]
- Prevention of unauthorized modification of information.
- The application system may also contribute to integrity.
Integrity Mechanisms
- Access controls
- Well-formed transactions
- Separation of duties
- Cryptographic MACs
- Batch totals
- …
Example: Bank Account Management
[Diagram: Customer makes a dep (deposit), which a clerk validates as a trans (well-formed transaction) that updates the Account; separation of duty guards against a dishonest clerk; withdraw goes through the atm; access control on the Account guards against a dishonest programmer; all of this forms the System.]
Does this system have integrity?
Integrity Models/Criteria
- Biba Model, US-DOD Yellow Book, RBAC, Clark Wilson US-Model, GOA Yellow Book, …
- Operational/access-control oriented models that define how to achieve integrity but not what it is.
- Ad-hoc criteria providing for `best practice'.
- No guarantee that a user of the system cannot use some unexpected but authorized circuitous route to bypass integrity controls.
Integrity of the Enterprise
[Diagram: Customer; dep → validate → trans → update → Account; withdraw via atm; the System sits within an Infrastructure, and both within the Enterprise.]
- To properly define integrity it is necessary to model the system and its infrastructure.
- Even if the system is functionally correct, the infrastructure is likely to fail: SW, HW, users!
Sample Procedure: PURCHASE ORDER PAYMENTS (FIN-P 202), GUILFORD COUNTY SCHOOLS
1.0 SCOPE:
  1.1 The process for making payments to vendors for purchases initiated by purchase orders.
2.0 RESPONSIBILITY:
  2.1 Accounts Payable Technician
3.0 APPROVAL AUTHORITY: […]
4.0 DEFINITIONS: […]
5.0 PROCEDURE:
  5.1 Upon receipt of the Vendor's Invoice, the AP Technician attaches the yellow copy of the purchase order and the green receiving copy.
  5.2 The AP Technician checks for errors, makes any corrections, applies the audit stamp and initials the invoice.
  5.3 Batches of invoices are keyed into the AS 400; after each batch an edit report is run and checked, and any errors are corrected.
  5.4 Batch totals are given to APPA for check printing; APPA submits checks, prints registers and submits them to accounting; transactions are then closed out for posting.
  5.5 AP Technicians receive checks from Data Processing; check copies are attached to invoices and forwarded to accounting for auditing.
  5.6 Accounting audits the copies and notifies AP of problems; AP makes any necessary changes.
  5.7 Accounting returns check copies to the AP Technician for filing and distributes checks to vendors.
6.0 ASSOCIATED DOCUMENTS: […]
7.0 RECORD RETENTION TABLE: […]
8.0 REVISION HISTORY: […]
What is System Integrity?
- External consistency: "[…] correct correspondence between the data object and the real world." [Clark, Wilson]
- Integrity: dependability with respect to absence of improper alteration. [IFIP WG 10.4]
- Dependability: property of a computer system such that reliance can be justifiably placed on the service it delivers. [IFIP WG 10.4]
Formalizing Integrity: Dependability as Refinement
- Define the service that the system provides.
- Refine this to a system implementation that provides this service and is robust to failures in its infrastructure.
- system || infrastructure is as dependable as service at its interface.
Bank Service Requirements
[Diagram: Customer interacts with Acct through the events dep and with.]
Service interface = {dep, with}
  Acct(0) = dep → Acct(1)
  Acct(i) = (dep → Acct(i+1)) [] (with → Acct(i-1))
Bank Implementation
[Diagram: Customer; dep → validate (Clerk) → trans → update → Account; with via atm; System within Enterprise.]
  Sys(0) = trans → Sys(1)
  Sys(i) = (trans → Sys(i+1)) [] (with → Sys(i-1))
Clerk who follows procedures:
  Clerk = dep → trans → Clerk
Clerk who does not follow procedures:
  Clerk = (dep → Clerk) [] (trans → Clerk)
Bank Dependability
- If the clerk follows procedures then (Sys(0) || Clerk) is as dependably safe as Acct(0) at the interface {dep, with}:
  - (Sys(0) || Clerk)@{dep, with} refines Acct(0)
- If the clerk does not follow procedures then:
  - model threats within the infrastructure.
Example: Separation of Duty
[Diagram: Customer; dep → validate → trans → update → Account, with a log and an audit step; withdraw via atm; System.]
- If one clerk follows procedures then (Sys(0) || Clerk1 || Clerk2)@{dep, with} refines Acct(0).
External Consistency
- External consistency: "[…] correct correspondence between the data object and the real world." [Clark, Wilson]
- No observable difference (at interface I) between the system with reliable infrastructure and the system with unreliable infrastructure:
  (system || reliable infrastructure) =I (system || unreliable infrastructure)
Example: MACs for Integrity
[Diagram: Customer; dep → validate (Clerk) → trans → update → Account; withdraw via atm; System within Enterprise.]
- Cheque deposits protected by MACs:
  - a dishonest clerk cannot forge new transactions;
  - the system can determine the freshness of a transaction.
- External consistency at {dep, with}:
  (Sys(0) || honest Clerk)@{dep, with} = (Sys(0) || dishonest Clerk)@{dep, with}
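The refinement claim of the "Bank Dependability" slide and the external-consistency claim of the "MACs for Integrity" slide can both be checked mechanically for a bank this small. The Python below is an added illustration written for these notes, not code from the talk: it encodes Acct, Sys and the two clerks as transition functions, computes the visible traces at {dep, with} up to a bound (trans is hidden), and then checks (a) whether (Sys(0) || Clerk)@{dep, with} trace-refines Acct(0) for each clerk and (b) whether the honest and dishonest clerks are indistinguishable at the interface. The MAC-protected system `sys_mac`, the trace bound, and all function names are this example's assumptions; the slides describe the MAC case only informally (no forged and no stale transactions are accepted).

```python
from collections import deque

INTERFACE = frozenset({"dep", "with"})

# Service specification from the slides: Acct(i) = dep -> Acct(i+1) [] with -> Acct(i-1)
def acct(i):
    moves = {("dep", i + 1)}
    if i > 0:
        moves.add(("with", i - 1))
    return moves

# System from the slides: Sys(i) = trans -> Sys(i+1) [] with -> Sys(i-1); Sys never sees dep
def sys_(i):
    moves = {("trans", i + 1)}
    if i > 0:
        moves.add(("with", i - 1))
    return moves

# CONSTRUCTED variant for the MAC slide: the system also observes each MAC-protected
# deposit and accepts a trans only when it matches a deposit not yet posted, so a
# clerk can neither forge a transaction nor replay one.  State = (balance, pending).
def sys_mac(state):
    bal, pending = state
    moves = {("dep", (bal, pending + 1))}
    if pending > 0:
        moves.add(("trans", (bal + 1, pending - 1)))
    if bal > 0:
        moves.add(("with", (bal - 1, pending)))
    return moves

# Clerk who follows procedures: Clerk = dep -> trans -> Clerk (states 0 and 1)
def honest_clerk(s):
    return {("dep", 1)} if s == 0 else {("trans", 0)}

# Clerk who does not: Clerk = (dep -> Clerk) [] (trans -> Clerk)
def dishonest_clerk(s):
    return {("dep", 0), ("trans", 0)}

def parallel(p, q, shared):
    """Alphabetised parallel composition: events in `shared` need both sides,
    every other event interleaves."""
    def step(state):
        ps, qs = state
        moves = set()
        for e, p2 in p(ps):
            if e in shared:
                moves |= {(e, (p2, q2)) for f, q2 in q(qs) if f == e}
            else:
                moves.add((e, (p2, qs)))
        moves |= {(e, (ps, q2)) for e, q2 in q(qs) if e not in shared}
        return moves
    return step

def traces(step, start, interface, bound):
    """Visible traces at `interface` (other events hidden), with at most `bound`
    visible and `bound` hidden events: a finite approximation of P@interface."""
    seen, found = set(), set()
    queue = deque([(start, (), 0)])
    while queue:
        state, tr, hidden = queue.popleft()
        if (state, tr) in seen:          # BFS: first visit used the fewest hidden steps
            continue
        seen.add((state, tr))
        found.add(tr)
        for e, nxt in step(state):
            if e in interface and len(tr) < bound:
                queue.append((nxt, tr + (e,), hidden))
            elif e not in interface and hidden < bound:
                queue.append((nxt, tr, hidden + 1))
    return found

def refines(impl, impl0, spec, spec0, interface=INTERFACE, bound=4):
    """Bounded trace refinement: the shortest visible trace of impl that spec
    cannot perform, or None when impl refines spec up to the bound."""
    bad = traces(impl, impl0, interface, bound) - traces(spec, spec0, interface, bound)
    return min(bad, key=lambda t: (len(t), t)) if bad else None

def externally_consistent(sys_step, sys0, shared, interface=INTERFACE, bound=4):
    """External consistency: same visible traces whether the clerk is honest or not."""
    honest = traces(parallel(sys_step, honest_clerk, shared), (sys0, 0), interface, bound)
    crooked = traces(parallel(sys_step, dishonest_clerk, shared), (sys0, 0), interface, bound)
    return honest == crooked

def bank_check(clerk):
    """(Sys(0) || Clerk)@{dep, with} refines Acct(0)?  Sys and Clerk synchronise on trans."""
    return refines(parallel(sys_, clerk, {"trans"}), (0, 0), acct, 0)

if __name__ == "__main__":
    print("honest clerk counterexample:", bank_check(honest_clerk))        # None
    print("dishonest clerk counterexample:", bank_check(dishonest_clerk))  # ('with',)
    print("plain system externally consistent:", externally_consistent(sys_, 0, {"trans"}))
    print("MAC system externally consistent:", externally_consistent(sys_mac, (0, 0), {"dep", "trans"}))
```

With the plain system the dishonest clerk yields the visible trace `('with',)`, a withdrawal with no deposit, which Acct(0) cannot perform, so refinement fails and the two clerks are distinguishable at the interface. With the MAC-checking system the dishonest clerk's unmatched `trans` is simply not accepted, the visible trace sets coincide, and the composition refines Acct(0) for either clerk.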
Threat Analysis: Behavior Paradigm
- Integrity analysis: study the effects of normal versus abnormal infrastructure behavior.
- Authentication protocol analysis: study the effects that a generic attacker can have on protocol behavior.
- Abnormal infrastructure as a collection of different attackers.
- Will the approach scale to large configurations?
Declarification: Bank Configuration Analysis
- Freedom from guile or fraud constitutes the most excellent principle of procedure.
- Honesty is the best policy.
Threat Analysis: Logic-Based Paradigm
- Simplify analysis by making only the needed distinctions and no more.
- Authentication protocol analysis: the behavior of the adversary is implicit in the deduction rules.
- Integrity analysis: infrastructure behavior is implicit in the deduction rules.
Towards a Logic of Integrity
- Principals: users, components, …
- Formulae:
  - P believes X
  - P said X
  - consistent(X)
- Propositional logic operators: and, or, →
- K-Axiom:
  P believes (X → Y), P believes X
  ----------------------------------
  P believes Y
Integrity Analysis
- Principals: Customer, ATM, Clerk, …
- Assumptions about principals: Cust believes consistent(dep), …
- Idealization of enterprise operation: ATM said consistent(acct)
- Goals: Cust believes consistent(acct)
Bank ATM Analysis: Customer Assumptions
- ATM is honest:
  Cust believes (ATM said X → ATM believes X)
- If satisfied, ATM updates the account:
  Cust believes (ATM believes consistent(dep) → consistent(acct))
- ATM only says things that can be believed:
  Cust believes ATM believes ((Cust believes X) → X)
- Deposit is correct:
  Cust believes consistent(dep)
Bank ATM Analysis: Operation and a Goal
- ATM operates properly on deposit:
  Cust believes (ATM said Cust said consistent(dep))
- Verifiable goal:
  Cust believes consistent(acct)
Bank ATM Analysis: Separation of Duty
- Clerk validates the deposit:
  Cust believes Clerk said Cust said consistent(dep)
- One of ATM and Clerk is honest:
  Cust believes (ATM said X → ATM believes X) or (Clerk said X → Clerk believes X)
- Error reconciliation is honest:
  Cust believes ((ATM believes consistent(dep) or Clerk believes consistent(dep)) → consistent(dep))
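The logic sketched on the "Towards a Logic of Integrity" slide and the two ATM analyses can be mechanised with a small forward chainer. The Python below is an added example for these notes, not the talk's own tool: it stores "Cust believes ATM believes φ" as the prefix ("Cust", "ATM") with body φ so the K-axiom applies at any nesting depth, encodes the two schematic assumptions (honesty: "Q said X → Q believes X"; "(R believes X) → X") as marker facts with their own rules, and handles the separation-of-duty disjunction by case analysis. One extra assumption, marked CONSTRUCTED in the code, is needed to close the derivation: the slides give no step from "Cust said X" to "Cust believes X" inside the ATM's beliefs, so the example assumes the ATM treats the customer as honest. All names are this example's.

```python
# A formula is a nested tuple; a fact is (prefix, body) where prefix is the chain of
# principals whose beliefs enclose body.
def believes(p, x): return ("believes", p, x)
def said(p, x): return ("said", p, x)
def imp(x, y): return ("imp", x, y)
def or_(x, y): return ("or", x, y)
def consistent(d): return ("consistent", d)
# Encodings (this example's, not the talk's) of the two schematic assumptions:
def honest(p): return ("honest", p)      # p said X -> p believes X, for every X
def believed(p): return ("believed", p)  # (p believes X) -> X, for every X

def norm(prefix, body):
    """Fold leading belief operators into the prefix."""
    while body[0] == "believes":
        prefix, body = prefix + (body[1],), body[2]
    return prefix, body

def holds(facts, prefix, body):
    """Does `body` hold under `prefix`?  A disjunction holds if either side does."""
    prefix, body = norm(prefix, body)
    if body[0] == "or":
        return holds(facts, prefix, body[1]) or holds(facts, prefix, body[2])
    return (prefix, body) in facts

def closure(facts):
    """Apply the deduction rules until no new belief appears."""
    facts = {norm(p, b) for p, b in facts}
    while True:
        new = set()
        for prefix, body in facts:
            # K-axiom: P believes (X -> Y), P believes X  |-  P believes Y
            if body[0] == "imp" and holds(facts, prefix, body[1]):
                new.add(norm(prefix, body[2]))
            # honesty: P believes Q said X, P believes Q honest  |-  P believes Q believes X
            if body[0] == "said" and (prefix, honest(body[1])) in facts:
                new.add(norm(prefix, believes(body[1], body[2])))
            # believed: P believes ((R believes X) -> X), P believes R believes X  |-  P believes X
            if body[0] == "believed":
                new |= {(prefix, b2) for p2, b2 in facts if p2 == prefix + (body[1],)}
        new -= facts
        if not new:
            return facts
        facts |= new

def prove(facts, goal, split=frozenset()):
    """Forward chaining plus case analysis on each disjunctive belief."""
    facts = closure(facts)
    if holds(facts, (), goal):
        return True
    for prefix, body in facts:
        if body[0] == "or" and (prefix, body) not in split:
            cases = split | {(prefix, body)}
            return all(prove(facts | {(prefix, d)}, goal, cases) for d in body[1:])
    return False

C, A, K = "Cust", "ATM", "Clerk"
DEP, ACCT = consistent("dep"), consistent("acct")

def atm_assumptions():
    """Customer assumptions and operation from the 'Bank ATM Analysis' slides."""
    return {
        ((C,), honest(A)),                     # ATM is honest
        ((C,), imp(believes(A, DEP), ACCT)),   # if satisfied, ATM updates the account
        ((C, A), believed(C)),                 # ATM believes (Cust believes X) -> X
        ((C,), DEP),                           # deposit is correct
        ((C,), said(A, said(C, DEP))),         # ATM operates properly on deposit
        ((C, A), honest(C)),                   # CONSTRUCTED: ATM takes the customer as honest
    }

def sod_assumptions():
    """Separation-of-duty slide: ATM and Clerk both relay the deposit, one of them honest."""
    return {
        ((C,), said(A, said(C, DEP))),
        ((C,), said(K, said(C, DEP))),                               # clerk validates the deposit
        ((C,), or_(honest(A), honest(K))),                           # one of ATM and Clerk honest
        ((C,), imp(or_(believes(A, DEP), believes(K, DEP)), DEP)),   # error reconciliation honest
        ((C, A), believed(C)), ((C, K), believed(C)),
        ((C, A), honest(C)), ((C, K), honest(C)),                    # CONSTRUCTED, as above
    }

if __name__ == "__main__":
    print("ATM goal provable:", prove(atm_assumptions(), believes(C, ACCT)))  # True
    print("SoD goal provable:", prove(sod_assumptions(), believes(C, DEP)))   # True
```

Dropping the honesty assumption for the ATM leaves the goal unprovable, and dropping the "one of ATM and Clerk honest" disjunction does the same for the separation-of-duty case, which is the kind of distinction the logic-based paradigm is meant to expose without modelling infrastructure behaviour explicitly.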
Conclusions
- Existing integrity approaches are ad-hoc.
- Scalability of the behavior approach.
- Logic approach has disadvantages.
- Variant of Simple Logic, with freshness, cryptographic channels, etc.
- Analysis tool based on Theory Generation.
- Configuration synthesis.
Conclusions
- Cleave gramineous matter for fodder during the period that the orb is refulgent.
- Make hay while the sun shines.
- Advert: funded Ph.D position available, starting October 2004.