Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.

Published byBrendon Gladen Modified over 9 years ago

Similar presentations

Presentation on theme: "Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009."— Presentation transcript:

1 Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009

2 Context and Contribution 2  Context  Building secure distributed systems Needed expertise in systems and security Needed expertise in cryptography  Difficulty of dynamic reconfiguration without breaking the security properties of the system  Necessity of high level tools  Programming abstractions  Automatic code generation  Verification of the generated code

3 Context and Contribution 3  Contribution  High-level model : CIF (Component Information Flow)‏ System architecture description : component-based model Security annotations  Transformation tools : Verification of the security properties System code generation  Models and languages  Component-based model : Fractal  Security-typed programming language : JIF  Architecture Description Language : ADL (XML-based)‏

4 Outline  CIF Specification  System representation  System security : Inter and Intra component  CIF Transformation  CIF ADL  ADL Generation  Code Generation  Case study : The battleship game  Conclusion and Future Work 4

5 Outline  CIF Specification  System representation  System security : Inter and Intra component  CIF Transformation  CIF ADL  ADL Generation  Code Generation  Case study : The battleship game  Conclusion and Future Work 5

6  System : assembly of components explicitly bound, with ports used to send and receive data  Each component is configurable : attribution of labels to :  The attributes  The ports 6 CIF Specification System Representation {L3} {L1} {L3'}

7 Labels  Use of Labels : pair of :  Confidentiality policies  Integrity policies  All the policies must be obeyed  Relation at most as restrictive as ( ⊑ )‏  Construction of a security lattice  As data flows through the system, its labels only become more restrictive ! 7 less restrictive more restrictive

8 CIF Specification System Security  In CIF, needed security policies must be guaranteed at two levels  Intra-component  Inter-component  Inter-component  Ports annotation  Intra-component  Secure component code 8

9 CIF Specification Inter-component Security  Associating a label to a port :  impose a security restriction to the request or response  A binding is permitted iff L(client) ⊑ L(server)‏  Example : Confidentiality :Integrity : C1 : I want the message to keep the conf. at least CC1 : I guarantee that the integrity level is I C2 : I consider that the message received has C2 : I want the message to have at least the label C' the integrity I' 9 P' {C'; I'} C2 P {C; I} C1

10 CIF Specification Intra-component Security 10  Annotation of ports and attributes of a component  Verification of component code  Preservation of confidentiality and integrity of annotated elements  Non-interferent data flow  Non-interference :  "The low level users should not be able to deduce anything about high level user’s activity" Foccardi et al.  "Low-security behavior of the program is not affected by any high-security data.” Goguen & Messeguer 1982

11 Outline  CIF Specification  System representation  System security : Inter and Intra component  CIF Transformation  CIF ADL  ADL Generation  Code Generation  Case study : The battleship game  Conclusion and Future Work 11

12 12 CIF Transformation Implementation of the CIF Spec. P2 {C2; I2} C2 P1 {C1; I1} C1 P2 C2 P1 C1 cryptsign verify decrypt C'1 C'2 TC1 TC2

13  ADL : Architecture Description Language  XML-based  Functional part Architecture of the system : components & bindings Location of the component code  Security part Security labels of attributes & ports <port name="start" role="server" signature="src.security.StartItf" label=""/> <port name="send" role="client" signature="src.security.SendItf" label="L"/> 13 C1 start{} send{L} CIF ADL Architecture Description

14 14 CIF Transformation ADL Generation P2 {C2; I2} C2 P1 {C1; I1} C1 P2 C2 P1 C1 cryptsign verify decrypt  ADL Transform : removing the annotations  Implementation :  Confidentiality : asymmetric encryption  Integrity : signature  Assumptions :  Keys distributed safely  Communication channels untrusted  Generation of cryptographic components :  Creation of crypt, sign, verify and decrypt components  Creation of top components containing The main component (server or client)‏ The security components (crypt & sign or verify & decrypt)‏  Connecting the top components with low level bindings

15 15 CIF Transformation Code Generation C1 C'1  Guarantee the non-interference property for one component  Depending on the component code  Implemented in a security-typed language (exp : JIF)‏ Type checking  Implemented in an imperative language Propagation of the attributes' and methods' labels  Propagation of the label  Check the use of component parameters and port messages  Check the information flow : non-interferent?  Controller Called when secret information leaks Decides whether to declassify the information or to throw an exception  If the label is propagated without exceptions, component non- interferent!

16 Outline  CIF Specification  System representation  System security : Inter and Intra component  CIF Transformation  CIF ADL  ADL Generation  Code Generation  Case study : The battleship game  Conclusion and Future Work 16

17 17 Case Study The Battleship Game  1 coordinator and 2 players (at least)‏  Each player has a secret board with a fixed number of ships  Each player tries to guess the opponent's ships coordinates : the winner is the first player who finds the n ships of the opponent  The coordinator keeps a copy of the players' boards & controls the message exchange

18 18 Case Study The Battleship Game : Inter-component security cryptsign verify decrypt m m Ɛ (m,pub(coord)) ‏ S( Ɛ (m,pub(coord))) ‏ Ɛ (m,pub(coord)) ‏ m

19 19 Case Study The Battleship Game : Intra-component security public class Player { private Board board; public void setBoard(Board board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }

20 20 Case Study The Battleship Game : Intra-component security public class Player { private Board {P1->C;P1<-C} board; public void setBoard(Board board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }

21 21 Case Study The Battleship Game : Intra-component security public class Player { private Board{P1->C;P1<-C} board; public void setBoard(Board{P1->C;P1<-C} board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }

22 22 Case Study The Battleship Game : Intra-component security public class Player { private Board {P1->C;P1<-C} board; public void setBoard(Board{P1->C;P1<-C} board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board{P1->C;P1<-C} myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }

23 23 Case Study The Battleship Game : Intra-component security public class Player { private Board {P1->C;P1<-C} board; public void setBoard(Board{P1->C;P1<-C} board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board{P1->C;P1<-C} myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }

24 24 Case Study The Battleship Game : Intra-component security public class Player { private Board {P1->C;P1<-C} board; public void setBoard(Board{P1->C;P1<-C} board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship{P1->C;P1<-C}[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board{P1->C;P1<-C} myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }

25 Outline  CIF Specification  System representation  System security : Inter and Intra component  CIF Transformation  CIF ADL  ADL Generation  Code Generation  Case study : The battleship game  Conclusion and Future Work 25

26 26 Conclusion  CIF  Component-based model  Builds distributed systems secure by construction  User specifies security requirements  At a high level of abstraction  Association of labels to attributes and ports of the component  Tools to automate security implementation  Inside a component : Generation of JIF code  Between components Insertion of cryptographic components

27 27 Future Work  Key distribution  Secure deployment  Safe reconfiguration  Privacy

28 Thank you for your attention Lilia Sfaxi DCS Days - 26/03/2009

Download ppt "Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009."

Similar presentations

Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,

Elton Mathias and Jean Michael Legait 1 Elton Mathias, Jean Michael Legait, Denis Caromel, et al. OASIS Team INRIA -- CNRS - I3S -- Univ. of Nice Sophia-Antipolis,
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
Architecture Representation

Architecture Representation
26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire1 Security Architecture for GRID Applications Séminaire Croisé Sécurité Informatique Ubiquitaire.

26 Mai 2004 Séminaire Croisé : Sécurité Informatique Ubiquitaire1 Security Architecture for GRID Applications Séminaire Croisé Sécurité Informatique Ubiquitaire.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Secure Socket Layer.

Secure Socket Layer.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Component Interaction in Distributed Systems Nat Pryce Imperial College

Component Interaction in Distributed Systems Nat Pryce Imperial College
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.

1 Enforcing Confidentiality in Low-level Programs Andrew Myers Cornell University.
Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.

Polyglot: An Extensible Compiler Framework for Java Nathaniel Nystrom, Michael R. Clarkson, and Andrew C. Myers Presentation by Aaron Kimball & Ben Lerner.
Information Security of Embedded Systems 3.2.2010: Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Security Management.

Security Management.
Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.

Automatic Implementation of provable cryptography for confidentiality and integrity Presented by Tamara Rezk – INDES project - INRIA Joint work with: Cédric.

Similar presentations

Ads by Google