Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.

Presentation transcript:


Context and Contribution

Context:
- Building secure distributed systems requires expertise in systems and security, and expertise in cryptography
- Dynamic reconfiguration is hard to do without breaking the security properties of the system
- Hence the need for high-level tools:
  - programming abstractions
  - automatic code generation
  - verification of the generated code

Context and Contribution

Contribution:
- A high-level model, CIF (Component Information Flow):
  - system architecture description in a component-based model
  - security annotations
- Transformation tools:
  - verification of the security properties
  - generation of the system code
- Models and languages used:
  - component-based model: Fractal
  - security-typed programming language: JIF
  - architecture description language: ADL (XML-based)

Outline
- CIF Specification
  - System representation
  - System security: inter- and intra-component
- CIF Transformation
  - CIF ADL
  - ADL generation
  - Code generation
- Case study: the battleship game
- Conclusion and future work


CIF Specification: System Representation
- A system is an assembly of explicitly bound components, with ports used to send and receive data
- Each component is configurable: labels are attributed to
  - its attributes
  - its ports
[Figure: two bound components whose ports and attributes carry labels such as {L1}, {L3} and {L3'}]

Labels
- A label is a pair of
  - confidentiality policies
  - integrity policies
- All the policies of a label must be obeyed
- Labels are ordered by the relation "at most as restrictive as" (⊑), which builds a security lattice
  [Figure: the lattice, from less restrictive at the bottom to more restrictive at the top]
- As data flows through the system, its label can only become more restrictive (unless it is explicitly declassified)

CIF Specification: System Security
- In CIF, the required security policies must be guaranteed at two levels:
  - inter-component: by annotating the ports
  - intra-component: by securing the component code

CIF Specification: Inter-component Security
- Associating a label with a port imposes a security restriction on the request or response that crosses it
- A binding is permitted iff L(client) ⊑ L(server)
- Example: client port P {C; I} of component C1 bound to server port P' {C'; I'} of component C2
  - Confidentiality: C1 says "I want the message to keep at least the confidentiality C"; C2 says "I consider that the received message has the confidentiality C'"
  - Integrity: C1 says "I guarantee that the integrity level is I"; C2 says "I want the message to have at least the integrity I'"
  - The binding is accepted only if {C; I} ⊑ {C'; I'}: C2 may not expose the message to more readers than C1 allows, and C1 must guarantee at least the integrity C2 demands
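As an added example (my code, not part of the CIF tooling or the paper), the following Python implements the ordering ⊑ and the join on labels described in the Labels slide, and the binding rule L(client) ⊑ L(server) of this slide, using the JIF-style syntax {owner->readers; owner<-writers} that the case study uses. It assumes a simplified decentralized label model with no acts-for hierarchy: policies are compared owner by owner, and {} is public data with no integrity guarantee. The port labels and bindings it checks are constructed for the battleship case, not taken from the paper.

```python
"""Label ordering, join and binding check for CIF-style port labels.

Assumed semantics (simplified decentralized label model, no acts-for hierarchy):
  o->R  confidentiality policy: owner o lets the principals in R (and o) read
  o<-W  integrity policy: owner o trusts the principals in W (and o) to have written
  {}    public data with no integrity guarantee
"""
from typing import Dict, FrozenSet, List, Tuple

Policies = Dict[str, FrozenSet[str]]  # owner -> principals (the owner is always included)


def parse_label(text: str) -> Tuple[Policies, Policies]:
    """Parse '{P1->C;P1<-C}' into (confidentiality, integrity) policy tables."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError(f"bad label syntax: {text!r}")
    conf: Policies = {}
    integ: Policies = {}
    for pol in body[1:-1].split(";"):
        pol = pol.strip()
        if not pol:
            continue
        if "->" in pol:
            owner, rest = pol.split("->", 1)
            table = conf
        elif "<-" in pol:
            owner, rest = pol.split("<-", 1)
            table = integ
        else:
            raise ValueError(f"bad policy: {pol!r}")
        owner = owner.strip()
        if owner in table:
            raise ValueError(f"duplicate owner {owner} in {text!r}")
        table[owner] = frozenset({p.strip() for p in rest.split(",") if p.strip()} | {owner})
    return conf, integ


def format_label(conf: Policies, integ: Policies) -> str:
    parts = [f"{o}->{','.join(sorted(r - {o}))}" for o, r in sorted(conf.items())]
    parts += [f"{o}<-{','.join(sorted(w - {o}))}" for o, w in sorted(integ.items())]
    return "{" + ";".join(parts) + "}"


def conf_le(c1: Policies, c2: Policies) -> bool:
    """c1 at most as restrictive as c2: every reader restriction of c1 is kept (or tightened) by c2."""
    return all(o in c2 and c2[o] <= readers for o, readers in c1.items())


def integ_le(i1: Policies, i2: Policies) -> bool:
    """Integrity is contravariant: i1 is at most as restrictive as i2 when every guarantee
    i2 demands is backed by a guarantee of i1 from the same owner with no more writers."""
    return all(o in i1 and i1[o] <= writers for o, writers in i2.items())


def label_le(l1: str, l2: str) -> bool:
    """The relation ⊑ of the Labels slide: l1 is at most as restrictive as l2."""
    c1, i1 = parse_label(l1)
    c2, i2 = parse_label(l2)
    return conf_le(c1, c2) and integ_le(i1, i2)


def join(l1: str, l2: str) -> str:
    """Least upper bound: the label of a value computed from inputs labelled l1 and l2."""
    c1, i1 = parse_label(l1)
    c2, i2 = parse_label(l2)
    conf: Policies = {}
    for o in set(c1) | set(c2):  # every owner's restriction applies; shared owners intersect readers
        conf[o] = c1[o] & c2[o] if o in c1 and o in c2 else (c1[o] if o in c1 else c2[o])
    # A guarantee survives only if both inputs carried it, and the writers of both may have influenced it
    integ: Policies = {o: i1[o] | i2[o] for o in set(i1) & set(i2)}
    return format_label(conf, integ)


def check_bindings(ports: Dict[str, str], bindings: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Apply the rule 'a binding is permitted iff L(client) ⊑ L(server)' to every binding."""
    return [(c, s, label_le(ports[c], ports[s])) for c, s in bindings]


# Constructed port labels for the battleship case (P1, P2: players, C: coordinator).
PORTS = {
    "Player1.send":        "{P1->C;P1<-P1}",    # P1's moves: only C may read them, P1 wrote them
    "Coordinator.recv1":   "{P1->C;P1<-P1,C}",  # C stores them; C may also have written
    "Coordinator.publish": "{P1->C,P2}",        # a result C relays to both players
    "Player2.listen":      "{}",                # a public, untrusted port
}
BINDINGS = [
    ("Player1.send", "Coordinator.recv1"),      # allowed
    ("Player1.send", "Coordinator.publish"),    # refused: the server would let P2 read
    ("Coordinator.publish", "Player2.listen"),  # refused: the server drops P1's restriction
    ("Player2.listen", "Coordinator.recv1"),    # refused: the client guarantees no integrity
]


def binding_report() -> List[Tuple[str, str, bool]]:
    return check_bindings(PORTS, BINDINGS)


if __name__ == "__main__":
    for client, server, ok in binding_report():
        print(f"{client} -> {server}: {'permitted' if ok else 'refused'}")
```

The two refused confidentiality cases are the ones the slide's C2 sentence rules out (the server side exposing the message to more readers than the client allows); the last case shows the dual rule for integrity, where a public port can guarantee nothing and therefore cannot feed a port that demands a guarantee.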

CIF Specification: Intra-component Security
- The ports and attributes of a component are annotated
- The component code is verified to
  - preserve the confidentiality and integrity of the annotated elements
  - have non-interferent data flow
- Non-interference:
  - "The low level users should not be able to deduce anything about high level users' activity" (Focardi et al.)
  - "Low-security behavior of the program is not affected by any high-security data." (Goguen & Meseguer, 1982)


CIF Transformation: Implementation of the CIF Specification
[Figure: the annotated components C1 (port P1 {C1; I1}) and C2 (port P2 {C2; I2}) are transformed into top components TC1 and TC2; each wraps the verified component (C'1, C'2) together with generated crypt and sign (sender side) or verify and decrypt (receiver side) components, and the unlabelled ports P1 and P2 are bound between the top components]

CIF ADL: Architecture Description
- ADL: Architecture Description Language, XML-based
- Functional part:
  - architecture of the system: components and bindings
  - location of the component code
- Security part:
  - security labels of attributes and ports
- Example: component C1 with a server port start carrying the empty label {} and a client port send labelled {L}

```xml
<port name="start" role="server" signature="src.security.StartItf" label=""/>
<port name="send"  role="client" signature="src.security.SendItf"  label="L"/>
```

CIF Transformation: ADL Generation
[Figure: the transformation from labelled ports P1 {C1; I1} and P2 {C2; I2} to top components containing crypt/sign and verify/decrypt components]
- ADL transformation: remove the annotations
- Implementation:
  - confidentiality: asymmetric encryption
  - integrity: signature
- Assumptions:
  - keys are distributed safely
  - communication channels are untrusted
- Generation of cryptographic components:
  - creation of crypt, sign, verify and decrypt components
  - creation of top components containing the main component (server or client) and the security components (crypt and sign, or verify and decrypt)
  - connection of the top components with low-level bindings

CIF Transformation: Code Generation
[Figure: component C1 is transformed into the verified component C'1]
- Goal: guarantee the non-interference property for one component
- The method depends on the component code:
  - implemented in a security-typed language (e.g. JIF): type checking
  - implemented in an imperative language: propagation of the labels of the attributes and methods
- Label propagation:
  - check the use of the component parameters and of the port messages
  - check the information flow: is it non-interferent?
  - a controller is called whenever secret information would leak; it decides whether to declassify the information or to throw an exception
- If the labels propagate without any exception, the component is non-interferent
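As an added example (my code, not JIF's type checker or the CIF generator), the following Python shows the shape of the label propagation this slide describes: labels flow through assignments and through the program counter of conditionals, a fresh local takes the label of what it receives, and every flow that would reach a sink readable by too many principals is handed to a controller that either declassifies it or causes an exception. It assumes a simplified label model in which a label is the set of principals allowed to read a value (fewer readers is more restrictive, join is intersection); the tiny program and its variables are constructed after the player component of the case study.

```python
"""Label propagation with implicit-flow tracking and a declassification controller,
in the shape of the Code Generation slide (not JIF's actual type checker).

Assumed label model (mine): a label is the set of principals allowed to read a
value; fewer readers is more restrictive, join is intersection, and l1 ⊑ l2 holds
when l2's readers are a subset of l1's. A program is a list of statements over
named variables and ports.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple, Union

Label = FrozenSet[str]
PRINCIPALS: Label = frozenset({"P1", "P2", "C"})  # players and coordinator of the case study
PUBLIC: Label = PRINCIPALS                         # readable by everyone


@dataclass
class Assign:
    target: str
    sources: Tuple[str, ...]  # variables the right-hand side reads


@dataclass
class Send:
    port: str
    sources: Tuple[str, ...]  # variables whose values leave through the port


@dataclass
class If:
    cond: Tuple[str, ...]     # variables the condition reads
    then: List["Stmt"]
    otherwise: List["Stmt"] = field(default_factory=list)


Stmt = Union[Assign, Send, If]
Controller = Callable[[str, Label, Label], bool]  # (sink, data label, sink label) -> declassify?


class LeakError(Exception):
    """Raised when information would flow to a sink that too many principals can read."""


def check(program: List[Stmt], var_labels: Dict[str, Label], port_labels: Dict[str, Label],
          controller: Optional[Controller] = None) -> Dict[str, Label]:
    """Propagate labels through the program; return the variable labels or raise LeakError."""
    env = dict(var_labels)

    def label_of(sources: Tuple[str, ...], pc: Label) -> Label:
        lab = pc                     # the pc label carries implicit flows from enclosing conditions
        for v in sources:
            lab = lab & env[v]       # join = intersection of reader sets
        return lab

    def flow(sink: str, data: Label, sink_label: Label) -> None:
        if sink_label <= data:       # data ⊑ sink: every reader of the sink may read the data
            return
        if controller is not None and controller(sink, data, sink_label):
            return                   # explicit declassification decided by the controller
        raise LeakError(f"{sink}: data readable by {sorted(data)} would reach {sorted(sink_label)}")

    def run(stmts: List[Stmt], pc: Label) -> None:
        for s in stmts:
            if isinstance(s, Assign):
                lab = label_of(s.sources, pc)
                if s.target not in env:
                    env[s.target] = lab   # fresh local: its label is inferred by propagation
                else:
                    flow(f"assign {s.target}", lab, env[s.target])
            elif isinstance(s, Send):
                flow(f"send {s.port}", label_of(s.sources, pc), port_labels[s.port])
            elif isinstance(s, If):
                branch_pc = label_of(s.cond, pc)  # both branches run under the condition's label
                run(s.then, branch_pc)
                run(s.otherwise, branch_pc)

    run(program, PUBLIC)
    return env


def leaks(program, var_labels, port_labels, controller=None) -> bool:
    """True if the checker rejects the program."""
    try:
        check(program, var_labels, port_labels, controller)
        return False
    except LeakError:
        return True


def audit_controller(allowed: FrozenSet[str]) -> Tuple[Controller, List[Tuple[str, bool]]]:
    """A controller that declassifies only at the listed sinks and records every decision."""
    decisions: List[Tuple[str, bool]] = []

    def controller(sink: str, data: Label, sink_label: Label) -> bool:
        decisions.append((sink, sink in allowed))
        return sink in allowed
    return controller, decisions


# Constructed player component: the board is secret to P1 and the coordinator C.
VARS = {"board": frozenset({"P1", "C"}), "shot": PUBLIC, "hits": PUBLIC}
PORTS = {"answer": frozenset({"P1", "C"}), "broadcast": PUBLIC}
PROGRAM_OK = [Assign("hit", ("board", "shot")), Send("answer", ("hit",))]
PROGRAM_DIRECT_LEAK = [Assign("hit", ("board", "shot")), Send("broadcast", ("hit",))]
PROGRAM_IMPLICIT_LEAK = [Assign("hit", ("board", "shot")),
                         If(("hit",), then=[Assign("hits", ("hits",))])]  # hits++ under a secret pc

if __name__ == "__main__":
    print(check(PROGRAM_OK, VARS, PORTS))
    print("direct leak:", leaks(PROGRAM_DIRECT_LEAK, VARS, PORTS))
    print("implicit leak:", leaks(PROGRAM_IMPLICIT_LEAK, VARS, PORTS))
```

The third program is the case that a label check on assignments alone misses: nothing secret is copied into hits, but the public counter changes only when the secret hit is true, so the program counter label must be joined into every flow inside the branch.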


Case Study: The Battleship Game
- 1 coordinator and at least 2 players
- Each player has a secret board with a fixed number of ships
- Each player tries to guess the coordinates of the opponent's ships: the winner is the first player who finds the n ships of the opponent
- The coordinator keeps a copy of the players' boards and controls the message exchange

Case Study: The Battleship Game, Inter-component Security
[Figure: message flow from a player to the coordinator through the generated components]
- Player side: m → crypt → Ɛ(m, pub(coord)) → sign → S(Ɛ(m, pub(coord)))
- Untrusted channel: S(Ɛ(m, pub(coord)))
- Coordinator side: verify → Ɛ(m, pub(coord)) → decrypt → m
- Because the signature covers only the ciphertext, verify must check it with the public key of the principal that the port's integrity label names as writer (here the player); a signature that is merely valid under some key says nothing about who produced the message

Case Study: The Battleship Game, Intra-component Security

The Player component before annotation (plain Java):

```java
public class Player {
    private Board board;

    public void setBoard(Board board) {
        this.board = board;
    }

    public void init(int nbShips) {
        // The board must cover 1 + 2 + ... + nbShips squares
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) {
            numCovered += j;
        }
        final Ship[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null;) {
            try {
                Ship newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count) {
                    // Trim the ship so that the board is not over-covered
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                }
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            } catch (ArrayIndexOutOfBoundsException ignored) {
                break; // strategy exhausted: stop rather than loop forever
            } catch (IllegalArgumentException ignored) {
            }
        }
        setBoard(myBoard);
    }
}
```


Case Study: The Battleship Game, Intra-component Security

The same component after label propagation. Starting from the annotated attribute board, the label {P1->C;P1<-C} (owner P1 lets the coordinator C read, and trusts C as writer) propagates to the setBoard parameter, then to the local myBoard, to newPiece, and finally to the element type of myCunningStrategy, so everything that ends up in the board carries the board's policy:

```java
public class Player {
    private Board{P1->C;P1<-C} board;

    public void setBoard(Board{P1->C;P1<-C} board) {
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) {
            numCovered += j;
        }
        final Ship{P1->C;P1<-C}[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board{P1->C;P1<-C} myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null;) {
            try {
                Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count) {
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                }
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            } catch (ArrayIndexOutOfBoundsException ignored) {
                break; // strategy exhausted: stop rather than loop forever
            } catch (IllegalArgumentException ignored) {
            }
        }
        setBoard(myBoard);
    }
}
```


Conclusion
- CIF:
  - a component-based model
  - builds distributed systems that are secure by construction
  - the user specifies the security requirements at a high level of abstraction, by associating labels with the attributes and ports of the components
- Tools automate the security implementation:
  - inside a component: generation of JIF code
  - between components: insertion of cryptographic components

Future Work
- Key distribution
- Secure deployment
- Safe reconfiguration
- Privacy

Thank you for your attention Lilia Sfaxi DCS Days - 26/03/2009