Fault Tree Representation of Security Requirements
Post on 21-Dec-2015
Fault Tree Representation of Security Requirements 1
One Picture is Worth a Thousand Words
Iliano Cervesato [email protected]
ITT Industries, Inc. @ NRL, Washington, DC
http://theory.stanford.edu/~iliano
UMBC meeting October 1-2, 2003
Joint work with Cathy Meadows
Baltimore, MD
Couple Dozen Connectives
Work in progress
How this work came about
Analysis of GDOI group protocol
Requirements expressed in NPATRL
Novel group properties
Medium size specifications
– Dozen operators
Lots of fine-tuning
Difficult to read and share specs.
Informal use of fault trees
Intuitive visualization medium
Became favored language
Formal relation with NPATRL
Security Requirements
Describe what a protocol should do
Verified by: model checking, mathematical proof, pattern-matching (in some cases)
Expressed: informally, semi-formally, in a formal language
Adequate for toy protocols
BUT, do not scale to real protocols
Example: Kerberos 5 [CSFW’02]
Semi-formal, but very precise
Bulky and unintuitive; requires several readings to grasp
Example: GDOI [CCS’01]
Formal: NPATRL protocol spec. language
OK for a computer; bulky and unintuitive for humans
About 20 operators
Example: Authentication
Informal, made precise as CSP expressions
Simple, but … many very similar definitions
[Lowe, CSFW’97]
The Problem
Desired properties are difficult to:
Phrase & get right
Explain & understand
Modify & keep right
Examples:
Endless back and forth on GDOI. Are specs. right now?
K5 properties read over and over
Dealing with Textual Complexity
HCI response: graphical presentation
Our approach: Dependence Trees
Re-interpretation of fault trees
2D representation of NPATRL
Intuitive for medium size specs.
Example: Kerberos 5
Excises the gist of the theorem
Highlights dependencies
Fairly intuitive … in a minute …
Example: GDOI
Isomorphic to NPATRL specifications
Much more intuitive
… in a minute …
Example: Authentication
Formalize definitions Easy to compare …
… and remember …
Rest of this Talk
Logic for protocol specs
NPATRL Logic
NRL Protocol Analyzer fragment
Model checking
Precedence trees
Fault trees
NPATRL semantics
Analysis of an example
Future Work
NPATRL
Formal language for protocol requirements
Simple temporal logic
Designed for NRL Protocol Analyzer
Simplify input of protocol specs
Sequences of events that should not occur
Applies beyond NPA
Used for many protocols: SET, GDOI, …
NPATRL Logic
Events: initiator_accept_key(A, (B,S), (KAB,nA), N)
Classical connectives: , , , …
“Previously”: # ( )
initiator_accept_key(A, (B,S), (KAB,nA), N)
# server_sent_key(S, (A,B), (KAB), _)
(Event structure, left to right: name, actuator, other agents, terms, round)
NPA Fragment
NPA uses a small fragment of NPATRL
R ::= a F
F ::= E | E | F1 F2 | F1 F2
E ::= #a | #(a F)
Efficient model checking
Fault Trees
Safety analysis of system design
Root is a failure situation
Extended to behavior descriptions
Inner nodes are conditions enabling fault
Events
Combinators (logical gates)
Example: A passenger needs a ticket and a photo ID to board a plane, but should not carry a weapon
(Tree: canBoard at the root, with hasTicket, hasID and carriesWeapon as leaves)
Precedence Trees
Fault tree representation of NPATRL
NPA Isomorphism
R ::= a F
F ::= E | E | F1 F2 | F1 F2
E ::= #a | #(a F)
(Diagram: each production R, E and F drawn as a tree, with root a, a or E and children F, F1, F2)
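As an added example (not code from the talk, the paper, or the NPA tool), a small checker for requirements in the NPA fragment of NPATRL run over constructed event traces, covering both the NPATRL Logic example and the boarding fault tree of the Fault Trees slide. It assumes the fragment's connectives are negation, conjunction, disjunction and implication (the glyphs did not survive in the transcript), reads "#" as "previously", encodes formulas as nested tuples, and treats capitalised strings as variables and "_" as a wildcard.

```python
# Added example, not from the talk or the NPA tool: checking NPA-fragment
# NPATRL requirements against a constructed event trace.
# R = (a, F): whenever event a occurs, F must hold on the prefix before it.
# F ::= ("prev", a) | ("prev", a, F) | ("not", F) | ("and", F1, F2) | ("or", F1, F2)
# Assumed encoding: capitalised strings are variables, "_" is a wildcard.

def match(pat, val, env):
    # Unify pattern against a concrete value; return the extended env or None.
    if pat == "_":
        return env
    if isinstance(pat, str) and pat[:1].isupper():                # variable
        return dict(env, **{pat: val}) if env.get(pat, val) == val else None
    if isinstance(pat, tuple) and isinstance(val, tuple) and len(pat) == len(val):
        for p, v in zip(pat, val):
            env = match(p, v, env)
            if env is None:
                return None
        return env
    return env if pat == val else None

def holds(f, prefix, env):
    # Evaluate f over the events that precede the triggering event.
    kind = f[0]
    if kind == "prev":                                 # #a or #(a and F)
        for j, ev in enumerate(prefix):
            env2 = match(f[1], ev, env)
            if env2 is not None and (len(f) == 2 or holds(f[2], prefix[:j], env2)):
                return True
        return False
    if kind == "not":
        return not holds(f[1], prefix, env)
    if kind == "and":
        return holds(f[1], prefix, env) and holds(f[2], prefix, env)
    return holds(f[1], prefix, env) or holds(f[2], prefix, env)   # "or"

def violations(req, trace):
    # Positions and events where the trigger fired but its condition failed.
    trigger, cond = req
    return [(i, ev) for i, ev in enumerate(trace)
            if (env := match(trigger, ev, {})) is not None and not holds(cond, trace[:i], env)]

# NPATRL Logic slide: a key accepted by A must previously have been sent by S.
KEY_REQ = (("initiator_accept_key", "A", ("B", "S"), ("KAB", "NA"), "N"),
           ("prev", ("server_sent_key", "S", ("A", "B"), ("KAB",), "_")))
# Fault Trees slide read as a requirement: ticket and ID, and no weapon, before boarding.
BOARD_REQ = (("canBoard", "P"), ("and", ("prev", ("hasTicket", "P")),
             ("and", ("prev", ("hasID", "P")), ("not", ("prev", ("carriesWeapon", "P"))))))
# Constructed traces: the second key acceptance and passenger q violate the requirements.
KEY_TRACE = [("server_sent_key", "s", ("a", "b"), ("kab",), "r1"),
             ("initiator_accept_key", "a", ("b", "s"), ("kab", "n1"), "r1"),
             ("initiator_accept_key", "a", ("b", "s"), ("kab2", "n2"), "r2")]
BOARD_TRACE = [("hasTicket", "p"), ("hasID", "p"), ("canBoard", "p"), ("carriesWeapon", "q"),
               ("hasTicket", "q"), ("hasID", "q"), ("canBoard", "q")]
```

Running `violations(KEY_REQ, KEY_TRACE)` flags only the acceptance of kab2, for which no matching server_sent_key precedes it; `violations(BOARD_REQ, BOARD_TRACE)` flags only q's boarding.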
Conclusions
Explored tree representation of protocol reqs.
Promising initial results
Complex requirements now intuitive
Precedence trees
Draw from fault trees research
Specialized to NPATRL and NPA
NPATRL semantics
Better understanding of NPATRL
Papers: “A Fault-Tree Representation of NPATRL Security Requirements”, with Cathy Meadows, WITS’03; TCS (long version, submitted)