C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity Joint work with Stefano Bistarelli C Consiglio Nazionale delle Ricerche Iit Istituto di Informatica e Telematica - Pisa Università degli Studi “G. D’Annunzio” Dipartimento di Scienze - Pescara Simon Foley University College Cork, Ireland

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 2 The Idea A System/Application behaviour can be defined as a set of rules –Each rule is a constraint –A system/application behaviour is a Constraint Satisfaction Problem (CSP) –Properties of the CSP give Security properties of the System Confidentiality Authentication Today example: –Integrity (ext.

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 3 (Integrity) Policy How do we know whether a security (integrity) policy is correctly configured? A policy configuration may allow an unexpected compromise via circuitous authorization route. Goal: Analyze policy configurations. –… let’s start with an example …

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 4 Is this system Secure? Enterprise receives shipments and generates associated payments Does this system have integrity?

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 5 Is this system Secure? One dishonest clerk Two colluding and dishonest clerks Unreliable system/software …

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 6 What is Integrity? Conventional Models [Biba,Clark-Wilson, Yellow Book,RBAC]: –Modelled in terms of the system, –Define “best practice” for integrity, and –define integrity in terms of specific mechanisms to use, but do not propose a denotational definition for integrity Define how to (possibly) achieve integrity, but not what it is!

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 7 … Integrity?? … Define the situations when –modification of information is authorised –and enforced by the security mechanism of the system. “dependability w.r.t. absence of improper alterations”

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 8 What is integrity? To properly define integrity it is Necessary to model System and Infrastructure [foley98] –Even if the system is functionally correct the infrastructure is likely to fail: SW,HW, users!

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 9 System Requirements First consider the requirement! –Only later consider how to implement it! Enterprise receives shipments and generates associated payments

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 10 The idea: A constraint based approach Model the components of the system and infrastructure relevant to integrity –In an abstract and declarative way –Constraints to model relationships between system and infrastructure –Soft constraints to perform a quantitative/qualitative analysis of the policy (probability/optimization reasoning)

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 11 System Requirements Enterprise receives shipments and generates associated payments Integrity requirement analysis Black Box Probity ´ pay · ship constraint variables pay and ship are invariants on the number of payments and the number of shipments made to date

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 12 Implementation and Refinement. Honest Clerks Clerk ´ inv · ship Appl ´ pay · inv Imp1 ´ Appl ­ Clerk

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 13 Implementation and Refinement. Dishonest Clerks Clerk ´ inv · ship Ç ship · inv Appl ´ pay · inv Imp2 ´ Appl ­ Clerk System is not resilient to the faults

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 14 Implementation and Refinement. Separation of Duties Clerk1 ´ con · ship Clerk2 ´ inv · ship Appl ´ pay · min(inv,con) Imp3 ´ Appl ­ Clerk1 ­ Clerk2

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 15 Integrity and Robustness System is resilient to some faults

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 16 Integrity and Robustness But not to all faults!!!

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 17 External Consistency and Dependability Integrity is really just (local) refinement –Any implementations need to provide a consistent “view” at the interface to the supplier. –Then check if implementation is resilient to failures within the infrastructure. –Check if interaction between supplier and system implementation are consistent with the original requirement.

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 18 Soft Constraints To perform a qualitative/quantitative analysis of the system. If an implementation satisfying the requirements cannot be found, look for the “best” one (w.r.t. a measure). Example: –Suppose payments are made as multiples of 100 and outstanding bills made at the end of the month: Probity(pay,ship) ´ pay · ship [constraint] Probity(a,b) = b-a [measure] Minimize the measure b-a

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 19 Soft Constraints Probabilistic reasoning: –Add a probability to the events –Minimize/maximize probability to have specific actions Example –Probability to the shipnote event –Possible implementation

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 20 Conclusions Constraints are suitable to represent in a declarative way system properties (Integrity) Softness can be added to perform a better quantitative/qualitative analysis The model makes no distinction if the policy (integrity or other!) is violated deliberately or indeliberately The danger of each violation is represented as a level

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 21

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity Joint research with Stefano Bistarelli C Consiglio Nazionale delle Ricerche Iit Istituto di Informatica e Telematica - Pisa Università degli Studi “G. D’Annunzio” Dipartimento di Scienze - Pescara Simon Foley University College Cork, Ireland

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 23 Strict rules: Crisp Constraints P={ x3x3 x4x4 x1x1 x2x2 V, {red,blue,yellow} {blue,yellow} {red,blue} {yellow} D, C={pairwise-different} C, PC, con, def, a} x1x1 x2x2 x3x3 x4x4 combination projection

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 24 Flexible rules: Soft Constraints x3x3 x4x4 x1x1 x2x2 {red,blue,yellow} {blue,yellow} {red,blue} {yellow} C={pairwise-different} 5$ 3$ 2$ 15$ 13$15$13$15$ x1x1 x2x2 x3x3 x4x4 Combination (+) Projection (min) 15$13$ C-semiring :

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 25 Flexible rules: Soft Constraints x3x3 x4x4 x1x1 x2x2 {red,blue,yellow} {blue,yellow} {red,blue} {yellow} C={pairwise-different} 5$ 3$ 2$ 15$ 13$15$13$15$ x1x1 x2x2 x3x3 x4x4 Combination (+) Projection (min) 15$13$ Probabilistic Fuzzy Classical Weighted C-semiring :

C Iit A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli 26 Semiring-based CSPs: a glimpse of theory C-semiring : combination: c=c 1  c 2 =, projection: c  I =, Sol( )=(  C)  a a  b (b is better than a) iff a+b=b