Introduction to WOLFASI: Workshop on Logical Foundations of an Adaptive Security Infrastructure (slide transcript)
Introduction to WOLFASI: Workshop on Logical Foundations of an Adaptive Security Infrastructure
Leo Marcus
The Aerospace Corporation
Los Angeles
July 13, 2004
Goals of Talk
• Introduce Adaptive Security Infrastructure
• Discuss assurance and formalization
• State some tentative definitions and theorems
Need for Adaptive Security
• Static security architectures cannot cope with a rapidly changing security environment, including:
– physical parameters
– threats
– attacks
– policies
– mission goals
• Systems are designed for extended, many-decade lifetimes
– Future threats cannot be predicted and handled by current built-in, non-flexible mechanisms
Goal for Logical Foundations of an ASI
• Understand how such a system works!
Need for Assurance
• Systems are being specified, designed, and built without a good method for architecting system-wide adaptive security mechanisms, and without a good method for gaining confidence that the mechanisms to be employed will deliver what, and only what, is needed.
• Without assurance, the cure may be worse than the disease.
Need for Formalization of Adaptive Security
• Assurance that proposed adaptive security mechanisms will perform as hoped (specified)
• Currently: a rather haphazard collection of devices, poorly specified, with some testing
• Near future: rigorous specification and analysis
• Distant future: formal specification and proof
• To begin: formalize significant aspects of a proposed real system
Possibility of Proof
• How can we prove anything about such a complicated system, when we can barely prove the most rudimentary security properties of the most rudimentary devices?
• Answer: hierarchy!
– Assuming the building blocks (protocols, algorithms, devices, interfaces) work as advertised, how do they function together?
• Define the problems that components must solve
Adaptive Security Infrastructure (ASI)
• Unified approach conceptually composed of
– Sensor,
– Analysis, and
– Response capabilities
• To coordinate
– Detection of security-relevant input
– Security policy
– User input
– Analysis
– Response
Adaptive Security Infrastructure (diagram, built up progressively over slides 9 through 12)
Diagram components: Environmental Sensors, Virus Defs, Threat Warnings, IDS outputs, User, Detector, Analyzer and Policy Engine, Responder, (Rest of the) System
Potential Responses I. Defensive: intended effect internal
• allocation of resources (e.g. power; turning devices on or off)
• routing (including or excluding nodes)
• access rights
• crypto algorithms, keys, protocols
• sensor networks
• auditing
• authentication
• intrusion detection system settings (altering the false positive/negative ratio)
• patches
• device or data destruction
• installation of new hardware or software
Potential Responses II. Offensive: intended effect external
• Electronic
– bombs, etc.
• Physical
– bombs, etc.
State of the Art
• Much work on detailed aspects of specific components
– Intrusion detection
– Sensor networks
– Architectures
– Security policies
• Much less work on unifying principles
Principles for Formalization
• Mathematical logical framework
• Abstract from realistic scenarios
• Not directly concerned with
– Usability
– Current technology
• Long-term goal: uniform semantics to allow rigorous specifications and verifications of
– Architectures
– Properties
– Capabilities
• Should yield coherent and interesting research directions for component areas
Basic Assumptions
• ASI exists in a temporal and spatial world
• Policy, detection, analysis, and response all have temporal and spatial aspects that must be first-class citizens in the formalism
• Otherwise, significant and interesting real issues will not be modeled
• Need common semantics connecting policy, detection, analysis, response
Research Issues
• 1. How should the semantics of a dynamic security policy be specified?
• 2. How should we take into account the global-local nature of all components of an ASI?
• 3. How should we specify the "security-relevant resources" available so that at any time the analyzer can choose an appropriate response?
• 4. How should we unify the temporal-spatial reasoning aspects?
• 5. What are the decidability or complexity issues in such a system?
• 6. What is the role of "approximate security"?
Research Issues: Spatial
• Hierarchical architecture
• Central (local) and distributed (global) detection, analysis, and response coordination
• Smooth transition between hierarchies
• Testability of policy satisfaction
• Enforceability of response
Research Issues: Temporal
• Duration of response
• Synchronization
• Relative speeds of changing environment, detection, analysis, communication, response
• Incorporation of time in policy
• Acknowledgments, success reports
Three examples
• Dynamic security policy
– Specification language
– Analysis
– Testing for adherence or consistency
• Pervasive hierarchy assumption
– All aspects of ASI are hierarchical
• Response specification
– As a dynamically changing resource/scheduling problem
– Language and semantics (effect, efficiency, etc.)
Goals for Specification of Adaptive Security Policy
• Facilitate analysis:
– Test/prove adherence or consistency
– Provide an umbrella guide for deciding if future events, actions, or responses are to be permitted or tolerated
• Automate reasoning about policy change within the context of a larger policy or policy hierarchy
The Pervasive Hierarchy Assumption
• Arbitrary architectural structures (patterns of connectivity, e.g. networks) can exist within the system and within the ASI
• These structures may be dynamically changing
• Any aspect of specification, detection, analysis, or response can be considered in a version relativized to any structure
Defining Local Policy
Let H be a hierarchy description, A an ASI specification (not an individual instantiation), and P a policy.
1. P is local with respect to H in A if the satisfaction of P in A depends only on the satisfaction of some other ("test") policy in all subsystems satisfying H.
2. Play with quantifiers:
   1. For all instantiations of A there is a test policy for P such that…
   2. There is a test policy for P such that for all instantiations of A…
   3. …in some subsystems satisfying H
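As an added formalization that is not on the slide, the definition and its three quantifier variants can be written out in first-order notation. The symbols are my assumptions: $\mathrm{Inst}(A)$ is the set of systems instantiating the ASI specification $A$, $\mathrm{Sub}_H(X)$ is the set of subsystems of $X$ that satisfy the hierarchy description $H$, $X \models Q$ reads "$X$ satisfies policy $Q$", and the slide's "depends only on" is read as a biconditional.

$$\text{(2.1)}\qquad \forall X \in \mathrm{Inst}(A)\ \ \exists T\ :\ \big(X \models P \iff \forall Y \in \mathrm{Sub}_H(X):\ Y \models T\big)$$

$$\text{(2.2)}\qquad \exists T\ \ \forall X \in \mathrm{Inst}(A)\ :\ \big(X \models P \iff \forall Y \in \mathrm{Sub}_H(X):\ Y \models T\big)$$

$$\text{(2.3)}\qquad \exists T\ \ \forall X \in \mathrm{Inst}(A)\ :\ \big(X \models P \iff \exists Y \in \mathrm{Sub}_H(X):\ Y \models T\big)$$

Variant (2.2) implies (2.1) but not conversely: in (2.1) the test policy $T$ may be tailored to each instantiation, whereas (2.2) demands one uniform $T$ that works for every instantiation of $A$, which is the stronger (and, for automated checking, more useful) notion of locality. Variant (2.3) replaces "all subsystems" by "some subsystem" and yields a weaker, existential form of locality.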
Specification, Derivation, and Verification of Response
• A response is a distributed program/algorithm to be run concurrently with ongoing ASI operation
• Specify and evaluate responsive resources
– Including communication channels, if needed
– Current strength and location
• Plan appropriate action in time and space
• Coordinate response with analysis
– Temporary and local fixes while a long-term global solution is researched
Other Topics
• Approximate security
– Specify achievable security goals
• Statistical properties
• Game-theoretic view
– Between environment and ASI
– Restrict the environment and design the ASI so the adversary does not have a winning strategy
Future Theorem
• For any system S implementing the specification S
• For any ASI A implementing the specification A
• For any dynamic security policy P of type P
• For any environment E satisfying conditions E
• S+A satisfies P in E
Problem
• Given E, P, and S, find A, as in the previous slide
• As E gets more "realistic", P has to get weaker in order for there to be any hope of finding an appropriate A.
• This weakening can be
– Temporal (allow for a longer lapse)
– More approximate (allow for less secure)
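The following is an added toy model, not code from the talk or from The Aerospace Corporation, that ties together four ideas from the slides: the detect/analyze/respond loop of the ASI (slide 8), a policy checked locally on each subsystem of a hierarchy and aggregated globally (slides 23 and 24), responses chosen as a resource-constrained scheduling step (slides 13 and 25), and the two policy weakenings on this last slide, a longer lapse and a higher severity threshold. Every name, the hierarchy, the events and the response catalog are constructed for the example; the "policy" here is deliberately simple (serious events must be handled within a time lapse) so that the effect of each weakening is visible.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterator, List, Set, Tuple


@dataclass
class Event:
    """A detector report. The sample events below are constructed, not from the slides."""
    t: float       # time at which it was observed
    node: str      # subsystem that observed it
    kind: str      # e.g. "ids_alert", "threat_warning"
    severity: int  # 1 (informational) .. 5 (critical)


@dataclass
class Node:
    """One level of a hierarchy H: a subsystem with its own events and child subsystems."""
    name: str
    children: List["Node"] = field(default_factory=list)
    events: List[Event] = field(default_factory=list)

    def subtree(self) -> Iterator["Node"]:
        yield self
        for child in self.children:
            yield from child.subtree()


@dataclass
class Policy:
    """Dynamic policy: every event of severity >= threshold must be handled within `lapse` time units."""
    threshold: int
    lapse: float


Handled = Set[Tuple[float, str]]   # (event time, node) pairs that have already been responded to


def violations(node: Node, policy: Policy, now: float, handled: Handled) -> List[Event]:
    """The 'test' policy relativized to one subsystem: unhandled serious events older than the lapse."""
    return [e for e in node.events
            if e.severity >= policy.threshold
            and (e.t, e.node) not in handled
            and now - e.t > policy.lapse]


def satisfies(root: Node, policy: Policy, now: float, handled: Handled) -> bool:
    """Global satisfaction is defined as the test policy holding in every subsystem of the hierarchy."""
    return all(not violations(n, policy, now, handled) for n in root.subtree())


@dataclass
class Response:
    """A defensive response: a name, a resource cost, and the events it applies to."""
    name: str
    cost: int
    applies: Callable[[Event], bool]


def plan_responses(root: Node, policy: Policy, now: float, handled: Handled,
                   budget: int, catalog: List[Response]) -> Tuple[List[Tuple[str, str]], int]:
    """Analyzer/policy-engine step: take the oldest violation first and choose the cheapest
    applicable response that fits the remaining budget. Returns (plan, budget left)."""
    pending = sorted((e for n in root.subtree() for e in violations(n, policy, now, handled)),
                     key=lambda e: e.t)
    plan: List[Tuple[str, str]] = []
    for e in pending:
        options = sorted((r for r in catalog if r.applies(e)), key=lambda r: r.cost)
        if options and options[0].cost <= budget:
            budget -= options[0].cost
            plan.append((e.node, options[0].name))
            handled.add((e.t, e.node))   # acknowledgment: this violation is now handled
    return plan, budget


def build_scenario() -> Tuple[Node, List[Response]]:
    """Constructed hierarchy: an enterprise root with two subnets, plus a two-entry response catalog."""
    subnet_a = Node("subnet-A", events=[Event(0.0, "subnet-A", "ids_alert", 5)])
    subnet_b = Node("subnet-B", events=[Event(8.0, "subnet-B", "threat_warning", 4),
                                        Event(9.0, "subnet-B", "ids_alert", 2)])
    root = Node("enterprise", children=[subnet_a, subnet_b])
    catalog = [Response("tighten-ids", 1, lambda e: e.kind == "ids_alert"),
               Response("isolate-node", 3, lambda e: e.severity >= 4)]
    return root, catalog


def run_engine() -> Tuple[bool, List[Tuple[str, str]], int, bool]:
    """One detect-analyze-respond cycle at time 10 under the strict policy (threshold 4, lapse 5)."""
    root, catalog = build_scenario()
    policy = Policy(threshold=4, lapse=5.0)
    handled: Handled = set()
    before = satisfies(root, policy, 10.0, handled)   # the 10-unit-old critical alert violates
    plan, left = plan_responses(root, policy, 10.0, handled, budget=2, catalog=catalog)
    after = satisfies(root, policy, 10.0, handled)    # once handled, the policy holds again
    return before, plan, left, after


def weakening_demo() -> Tuple[bool, bool, bool]:
    """The two weakenings from the 'Problem' slide, checked at time 14 with subnet-A's alert
    already handled: the strict policy fails on the 6-unit-old warning, while a longer lapse
    (temporal weakening) or a higher threshold (approximate weakening) passes."""
    root, _ = build_scenario()
    handled: Handled = {(0.0, "subnet-A")}
    strict = satisfies(root, Policy(threshold=4, lapse=5.0), 14.0, handled)
    temporal = satisfies(root, Policy(threshold=4, lapse=10.0), 14.0, handled)
    approximate = satisfies(root, Policy(threshold=5, lapse=5.0), 14.0, handled)
    return strict, temporal, approximate


if __name__ == "__main__":
    print(run_engine())        # (False, [('subnet-A', 'tighten-ids')], 1, True)
    print(weakening_demo())    # (False, True, True)
```

The point of the toy is the shape of the problem rather than any particular policy: `violations` is the test policy of the "Defining Local Policy" slide evaluated on a single subsystem, `satisfies` is its "for all subsystems satisfying H" aggregation, and `plan_responses` is the analyzer choosing a response from a catalog of finite resources under a time ordering. Changing `lapse` or `threshold` is exactly the weakening the last slide describes, and the test shows that either one is enough to turn the same environment from a violation into a satisfied policy.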