Formalizing an Adaptive Security Infrastructure in Mob adtl Laura Semini & Carlo Montangero dip. Informatica, Pisa Outline Mob adtl instance ASI Mob adtl formalization refinement ASI formalization

Characteristics of Mob adtl Approach to model distributed systems Focus on architectural aspects Adequate abstraction for overlay computing Accommodating mobility Temporal logic  refinement as a methodology Mechanic support to verification model logic

Mob adtl model: an intuition neighborhood Agent movement message being delivered guardian agent

The ingredients of Mob adtl Locations:  Neighbourhoods, places where computational entities live  Flat topology  Security and routing policies Agents:  Move from neighbourhood to neighbourhood  Communicate via asynchronous message passing Authorities:  Guardians monitoring agents’ activities enacting routing and security policies  No a priori choice about routing and security, freedom is given to designers Profiles:  A means to refer an entity specifying the constraints the entity must satisfy es: flightResService, name(X)

A first-order multi-modal logic to  Name components and state their properties  Relate properties of different components of a system  Describe properties of the evolution of systems  With regard to an asynchronous setting The formalism: ΔDSTL(x) Location Time

Formalizing the model: an example out(M,P) represents the will of an agent of sending a messagge M to a receiver that satisfies profile P. S (  out(M,P)  guardedby(G)) LEADS_TO G msgReq(M,S,P,i) Any message sent is first processed by the sender’s guardian out(M,P) msgReq(M,S,P,i) S G

Location layer: DSL Modalities to locate properties in the state of a component  m (p  q )  m p  n r  m s  m t (  m (s  t) !!!!) n m p, q r s t

Location layer – semantics DS =2 S Semantic domain: PowerSet (ds, ds’)  R m iff ds’ is a singleton in S m  ds ds╞ m F iff  ds’.(ds, ds’)  R m and ds’╞ F q r p n m states of m

Location layer Modalities to locate properties in the state of a component  m (p  q )  m p  n r  m s  m t (  m (s  t)) n m p, q r st

Future to be intended as the partial order of states defined by  Intra-components transitions  Inter-component communications Temporal layer: DSTL q m n o p r

q No global clock,no global knowlwdge m n o p r Valid: n q  o r  o r Non valid: n q  o r

UNITY like operators  Simplicity  Cannot be nested  + past operators F1 LEADS_TO F2 F2 BECAUSE F1 INIT F STABLE F

Events: ΔDSTL(x) Explicit event operator, ΔF  Simple events, ΔA  Composed events, Δ(A  B)  Conditioned events, ΔA  B

Rules and theorems

Outline 1. Depict a few, simple and clearly related concepts: an informal model 2. Choose a proper formalism 3. Formalize the model to get the description of a generic system 4. Instantiate the model to get the description of a particular system 5. Refine the model formalization

ASI Components in Mob adtl Detectorguardian Analyzeragent Responderguardian senses, collects, and distributes information about the security environment processes Detector data, and occasionally proposes actions to bring about a new state executes the actions as directed by the Analyzer

generic neighborhoods Analyzer ASI Components in Mob adtl Detector & Responder Detector & Responder generic agents Detector & Responder log

The threshold property agents can question the trustworthiness of a guardian. once the number of warnings reaches a given threshold, we want to consider the guardian no longer trustworthy (e.g. to route the messages).

threshold(2) generic agent Analyzer The threshold property out(demote(X,D),{sec_w}) out(demote(X,D’),{sec_w}) Detector in(demote(X,D),S) Detector in(demote(X,D’),S’)

threshold(2) Analyzer The threshold property in(demote(X,D),S) in(demote(X,D’),S’)

The threshold property Analyzer Responder out(demote(X,D),{adapt})

The threshold property ~ trusted (X) Analyzer Responders Responder Responders

The threshold property a threshold(2) /\ ag trusted(G) /\ C1  C2 C1  out(demote(X,D),{sec_w}) /\ C2  out(demote(X,D’),{sec_w}) LEADS_TO G ~ trusted (X) \/ some communication exc because of unreachablility

Conclusions ASI components: Mob adtl concepts play a central role  guardian  detection ane response  profile  adaptation ASI formalization: how should the semantics of a dynamic security policy be specified?  unify the temporal-spatial reasoning aspects  take into account the global-local (or distributed-centralized or hierarchical) nature of all components of an ASI Proof with MaRK (Mob adtl Reasoning Kit)

A support tool: MaRK MaRK = Mob adtl Reasoning Kit: a tool to support the designer while proving properties of Mob adtl systems The goal: to make the proof task as automatic as possible MaRK is based on the theorem prover Isabelle (Paulson & Nipkow)  Specialized for ΔDSTL(x)  Extended to deal with Mob adtl systems

A support tool: MaRK Why theorem proving  Need to deal with infinite states  Learning from the proof process itself  User defined logic, close to user’s knowledge  Third party checkable proofs Against:  not so automatic, often to interactive, insights on internals of provers needed But:  tactics, libraries of proofs, tailoring to a particular domain make theorem provers more usable