Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fault Tree Representation of Security Requirements0.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Fault Tree Representation of Security Requirements0."— Presentation transcript:

1 Fault Tree Representation of Security Requirements0

2 One Picture is Worth a Thousand Words Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano UMBC meetingOctober 1-2, 2003 Joint work with Cathy Meadows Baltimore, MD Couple Dozen Connectives Work in progress

3 Fault Tree Representation of Security Requirements2 How this work came about Analysis of GDOI group protocol  Requirements expressed in NPATRL  Novel group properties  Medium size specifications –Dozen operators  Lots of fine-tuning  Difficult to read and share specs.  Informal use of fault trees  Intuitive visualization medium  Became favored language  Formal relation with NPATRL

4 Fault Tree Representation of Security Requirements3 Security Requirements Describe what a protocol should do  Verified by  Model checking  Mathematical proof  Pattern-matching (in some cases)  Expressed  Informally  Semi-formally  Formal language  Adequate for toy protocols BUT, do not scale to real protocols

5 Fault Tree Representation of Security Requirements4 Example: Kerberos 5 [CSFW’02]  Semi-formal  But very precise  Bulky and unintuitive  Requires several readings to grasp

6 Fault Tree Representation of Security Requirements5 Example: GDOI [CCS’01]  Formal  NPATRL protocol spec. language  Ok for a computer  Bulky and unintuitive for humans  About 20 operators

7 Fault Tree Representation of Security Requirements6 Example: Authentication  Informal  Made precise as CSP expressions  Simple, but …  … many very similar definitions [Lowe, CSFW’97]

8 Fault Tree Representation of Security Requirements7 The Problem  Desired properties are difficult to  Phrase & get right  Explain & understand  Modify & keep right  Examples  Endless back and forth on GDOI  Are specs. right now?  K5 properties read over and over

9 Fault Tree Representation of Security Requirements8 Dealing with Textual Complexity  HCI response: graphical presentation  Our approach: Dependence Trees  Re-interpretation of fault trees  2D representation of NPATRL  Intuitive for medium size specs.

10 Fault Tree Representation of Security Requirements9 Example: Kerberos 5  Excises the gist of the theorem  Highlights dependencies  Fairly intuitive  … in a minute …

11 Fault Tree Representation of Security Requirements10 Example: GDOI  Isomorphic to NPATRL specifications  Much more intuitive  … in a minute …

12 Fault Tree Representation of Security Requirements11 Example: Authentication  Formalize definitions  Easy to compare …  … and remember …

13 Fault Tree Representation of Security Requirements12 Rest of this Talk  Logic for protocol specs  NPATRL Logic  NRL Protocol Analyzer fragment  Model checking  Precedence trees  Fault trees  NPATRL semantics  Analysis of an example  Future Work

14 Fault Tree Representation of Security Requirements13 NPATRL  Formal language for protocol requirements  Simple temporal logic  Designed for NRL Protocol Analyzer  Simplify input of protocol specs  Sequences of events that should not occur  Applies beyond NPA  Used for many protocols  SET, GDOI, …

15 Fault Tree Representation of Security Requirements14 NPATRL Logic  Events initiator_accept_key( A, (B,S), (K AB,n A ), N)  Classical connectives: , , , …  “Previously”: # ( ) initiator_accept_key(A, (B,S), (K AB,n A ), N)  # server_sent_key(S, (A,B), (K AB ), _) name actuator other agents terms round

16 Fault Tree Representation of Security Requirements15 NPA Fragment NPA uses a small fragment of NPATRL R ::= a  F F ::= E |  E | F 1  F 2 | F 1  F 2 E ::= # a | # (a  F)  Efficient model checking

17 Fault Tree Representation of Security Requirements16 Fault Trees  Safety analysis of system design  Root is a failure situation  Extended to behavior descriptions  Inner nodes are conditions enabling fault  Events  Combinators (logical gates)  Example  A passenger needs a ticket and a photo ID to board a plane, but should not carry a weapon canBoard hasTicket carriesWeapon hasID

18 Fault Tree Representation of Security Requirements17 Precedence Trees  Fault tree representation of NPATRL NPA  Isomorphism R ::= a  F F ::= E |  E | F 1  F 2 | F 1  F 2 E ::= # a | # (a  F) a F R ::= a F E ::= a F1F1 F ::= E E F2F2 F1F1 F2F2

19 Fault Tree Representation of Security Requirements18 “Recency Freshness” in GDOI member_accept_key(M,G,(K GM,K old ),N)  # gcks_loseparwisekey(G,(),(M,K GM ),_)   ( # ( member_requestkey(M,G,(),N)  # gcks_createkey(G,(),K new,K old ),_))) if a member accepts a key from the controller in a protocol run, no newer key should have been distributed prior to the mem- ber's request

20 Fault Tree Representation of Security Requirements19 “Sequential Freshness” in GDOI member_accept_key(M,G,(K GM,K old ),_)  # gcks_loseparwisekey(G,(),(M,K GM ),_)   ( # (member_acceptkey(M,G,(K GM,K new ),_)  #( gcks_createkey(G,(),K new,K ’ ),_)  # gcks_createkey(G,(),K old,K ’’ ),_)))) if a member accepts a key from the group controller in a proto- col run, then it should not have previously accepted a later key

21 Fault Tree Representation of Security Requirements20 Conclusions  Explored tree representation of protocol reqs.  Promising initial results  Complex requirements now intuitive  Precedence trees  Draw from fault trees research  Specialized to NPATRL and NPA  NPATRL semantics  Better understanding of NPATRL  Papers  “A Fault-Tree Representation of NPATRL Security Requirements”, with Cathy Meadows  WITS’03  TCS (long version, submitted)

22 Fault Tree Representation of Security Requirements21 Future Work – Theory  What properties can be expressed?  All of safety?  Liveness?  Graphical equivalence of requirements?  Expressive power  Recursive trees?  More complex quantifier patterns?  Graphical gist of theorems  Useful classes?  Proofs?

23 Fault Tree Representation of Security Requirements22 Future Work – Practice  Gain further experience  Can they be used for other requirements?  Scaling up  When are trees so big they are non-intuitive?  Existing requirements?  Modularity  Interaction with fault tree community  Broader applications of dependence trees?  Tools we can use?  NPATRL dependence trees

Download ppt "Fault Tree Representation of Security Requirements0."

Similar presentations

Tree Regular Model Checking P. Abdulla, B. Jonsson, P. Mahata and J. d’Orso Uppsala University.

Tree Regular Model Checking P. Abdulla, B. Jonsson, P. Mahata and J. d’Orso Uppsala University.
Signals and Systems March 25, 2013. Summary thus far: software engineering Focused on abstraction and modularity in software engineering. Topics: procedures,

Signals and Systems March 25, Summary thus far: software engineering Focused on abstraction and modularity in software engineering. Topics: procedures,
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
LIFE CYCLE MODELS FORMAL TRANSFORMATION

LIFE CYCLE MODELS FORMAL TRANSFORMATION
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)

CLF: A Concurrent Logical Framework David Walker Princeton (with I. Cervesato, F. Pfenning, K. Watkins)
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Introduction to System Analysis and Design

Introduction to System Analysis and Design
A Concurrent Logical Framework (Joint work with Frank Pfenning, David Walker, and Kevin Watkins) Iliano Cervesato ITT Industries,

A Concurrent Logical Framework (Joint work with Frank Pfenning, David Walker, and Kevin Watkins) Iliano Cervesato ITT Industries,
Equivalence, DFA, NDFA Sequential Machine Theory Prof. K. J. Hintz Department of Electrical and Computer Engineering Lecture 2 Updated and modified by.

Equivalence, DFA, NDFA Sequential Machine Theory Prof. K. J. Hintz Department of Electrical and Computer Engineering Lecture 2 Updated and modified by.
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato ITT Industries, NRL Washington,

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato ITT Industries, NRL Washington,
Algorithms and Problem Solving-1 Algorithms and Problem Solving.

Algorithms and Problem Solving-1 Algorithms and Problem Solving.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Algorithms and Problem Solving. Learn about problem solving skills Explore the algorithmic approach for problem solving Learn about algorithm development.

Algorithms and Problem Solving. Learn about problem solving skills Explore the algorithmic approach for problem solving Learn about algorithm development.
December 7, 2001DIMI, Universita’ di Udine, Italy Graduate Course on Computer Security Lecture 9: Automated Verification Iliano Cervesato

December 7, 2001DIMI, Universita’ di Udine, Italy Graduate Course on Computer Security Lecture 9: Automated Verification Iliano Cervesato
More Enforceable Security Policies Lujo Bauer, Jay Ligatti and David Walker Princeton University (graciously presented by Iliano Cervesato)

More Enforceable Security Policies Lujo Bauer, Jay Ligatti and David Walker Princeton University (graciously presented by Iliano Cervesato)
A FAULT-TREE REPRESENTATION OF NPATRL SECURITY REQUIREMENTS Iliano Cervesato, ITT Catherine Meadows Code 5543 Center for High Assurance Computer Systems.

A FAULT-TREE REPRESENTATION OF NPATRL SECURITY REQUIREMENTS Iliano Cervesato, ITT Catherine Meadows Code 5543 Center for High Assurance Computer Systems.
Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.

Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.
Kendall & KendallCopyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall 9 Kendall & Kendall Systems Analysis and Design, 9e Process Specifications.

Kendall & KendallCopyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall 9 Kendall & Kendall Systems Analysis and Design, 9e Process Specifications.
CSC 402, Fall 20001 Requirements Analysis for Special Properties Systems Engineering (def?) –why? increasing complexity –ICBM’s (then TMI, Therac, Challenger...)

CSC 402, Fall Requirements Analysis for Special Properties Systems Engineering (def?) –why? increasing complexity –ICBM’s (then TMI, Therac, Challenger...)

Similar presentations

Ads by Google