SLIDE 1

Fault Tree Representation of Security Requirements

SLIDE 2

One Picture is Worth a Thousand Words ... Couple Dozen Connectives

Iliano Cervesato
iliano@itd.nrl.navy.mil
ITT Industries, Inc. @ NRL, Washington, DC
http://theory.stanford.edu/~iliano

Joint work with Cathy Meadows

UMBC meeting, October 1-2, 2003, Baltimore, MD

Work in progress

SLIDE 3

How this work came about

  • Analysis of the GDOI group protocol
    - Requirements expressed in NPATRL
      - Novel group properties
      - Medium size specifications: a dozen operators
      - Lots of fine-tuning
    - Difficult to read and share specs.
    - Informal use of fault trees
      - Intuitive visualization medium
      - Became the favored language
    - Formal relation with NPATRL

SLIDE 4

Security Requirements

Describe what a protocol should do

  • Verified by
    - Model checking
    - Mathematical proof
    - Pattern-matching (in some cases)
  • Expressed
    - Informally
    - Semi-formally
    - In a formal language
  • Adequate for toy protocols, BUT do not scale to real protocols

SLIDE 5

Example: Kerberos 5 [CSFW’02]

  • Semi-formal
    - But very precise
  • Bulky and unintuitive
    - Requires several readings to grasp

SLIDE 6

Example: GDOI [CCS’01]

  • Formal
    - NPATRL protocol spec. language
  • Ok for a computer
  • Bulky and unintuitive for humans
    - About 20 operators

SLIDE 7

Example: Authentication [Lowe, CSFW’97]

  • Informal
    - Made precise as CSP expressions
  • Simple, but ...
    - ... many very similar definitions

SLIDE 8

The Problem

  • Desired properties are difficult to
    - Phrase & get right
    - Explain & understand
    - Modify & keep right
  • Examples
    - Endless back and forth on GDOI
      - Are the specs. right now?
    - K5 properties read over and over

SLIDE 9

Dealing with Textual Complexity

  • HCI response: graphical presentation
  • Our approach: Dependence Trees
    - Re-interpretation of fault trees
    - 2D representation of NPATRL
    - Intuitive for medium size specs.

SLIDE 10

Example: Kerberos 5

  • Excises the gist of the theorem
  • Highlights dependencies
  • Fairly intuitive
    - ... in a minute ...

SLIDE 11

Example: GDOI

  • Isomorphic to the NPATRL specifications
  • Much more intuitive
    - ... in a minute ...

SLIDE 12

Example: Authentication

  • Formalize definitions
  • Easy to compare ...
    - ... and remember ...

SLIDE 13

Rest of this Talk

  • Logic for protocol specs
    - NPATRL logic
    - NRL Protocol Analyzer fragment
    - Model checking
  • Precedence trees
    - Fault trees
    - NPATRL semantics
  • Analysis of an example
  • Future Work

SLIDE 14

NPATRL

  • Formal language for protocol requirements
    - Simple temporal logic
  • Designed for the NRL Protocol Analyzer
    - Simplify input of protocol specs
      - Sequences of events that should not occur
    - Applies beyond NPA
  • Used for many protocols
    - SET, GDOI, ...

SLIDE 15

NPATRL Logic

  • Events

    initiator_accept_key(A, (B,S), (KAB,nA), N)

    initiator_accept_key is the event name; the four argument positions are, in order, the actuator (A), the other agents ((B,S)), the terms ((KAB,nA)) and the round (N).

  • Classical connectives: ∧, ∨, ¬, ...
  • “Previously”: #

    initiator_accept_key(A, (B,S), (KAB,nA), N) ⇒ # server_sent_key(S, (A,B), (KAB), _)

SLIDE 16

NPA Fragment

NPA uses a small fragment of NPATRL:

    R ::= a ⇒ F
    F ::= E | ¬E | F1 ∧ F2 | F1 ∨ F2
    E ::= # a | # (a ∧ F)

  • Efficient model checking

SLIDE 17

Fault Trees

  • Safety analysis of system design
    - Root is a failure situation
      - Extended to behavior descriptions
    - Inner nodes are conditions enabling the fault
      - Events
      - Combinators (logical gates)
  • Example
    - A passenger needs a ticket and a photo ID to board a plane, but should not carry a weapon

      canBoard
        AND
          hasTicket
          hasID
          NOT carriesWeapon

SLIDE 18

Precedence Trees

  • Fault tree representation of NPATRL_NPA (the NPA fragment)
    - Isomorphism: each production of the fragment is one tree shape

    R ::= a ⇒ F            root a, with the tree of F beneath it
    E ::= # a               leaf # a
        | # (a ∧ F)         node # a, with the tree of F beneath it
    F ::= E                 the tree of E
        | ¬E                ¬ gate over the tree of E
        | F1 ∧ F2           ∧ gate over the trees of F1 and F2
        | F1 ∨ F2           ∨ gate over the trees of F1 and F2

SLIDE 19

“Recency Freshness” in GDOI

    member_accept_key(M,G,(KGM,Kold),N) ⇒
        # gcks_loseparwisekey(G,(),(M,KGM),_)
      ∨ ¬(# (member_request_key(M,G,(),N) ∧ # gcks_createkey(G,(),(Knew,Kold),_)))

If a member accepts a key from the controller in a protocol run, no newer key should have been distributed prior to the member's request.

SLIDE 20

“Sequential Freshness” in GDOI

    member_accept_key(M,G,(KGM,Kold),_) ⇒
        # gcks_loseparwisekey(G,(),(M,KGM),_)
      ∨ ¬(# (member_accept_key(M,G,(KGM,Knew),_)
             ∧ # (gcks_createkey(G,(),(Knew,K’),_)
                  ∧ # gcks_createkey(G,(),(Kold,K’’),_))))

If a member accepts a key from the group controller in a protocol run, then it should not have previously accepted a later key.
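The following is an added worked example, not code from the talk, from the NRL Protocol Analyzer or from the GDOI specification: a small Python evaluator for the NPA fragment of NPATRL (slides 15, 16 and 18) run over event traces, together with a printer that lays a requirement out as its precedence tree, one node per grammar production. Event names and the (actuator, other agents, terms, round) argument positions follow the slides, including the spelling gcks_loseparwisekey; the class names, the reading of gcks_createkey's terms as (new key, key it supersedes), and the three traces are this example's own assumptions. A requirement a ⇒ F is checked at every trace position where the trigger a matches; # a looks for a matching earlier event, # (a ∧ F) additionally requires F to hold at that earlier position, and variable bindings made on the way flow into the rest of the formula, so Knew inside the negation is effectively universally quantified, as the prose reading of recency freshness demands.

```python
"""Trace semantics for the NPA fragment of NPATRL, plus a precedence-tree printer (added example)."""
from dataclasses import dataclass
from typing import Iterator, Optional, Union

# An event is name(actuator, other agents, terms, round).  In a requirement every term is a
# variable (requirements are implicitly universally quantified) and "_" is a don't-care;
# in a trace every term is a constant.
@dataclass(frozen=True)
class Ev:
    name: str
    args: tuple
@dataclass(frozen=True)
class Prev:                 # E ::= # a | # (a ∧ F)   (`then` is the F, if any)
    ev: Ev
    then: Optional["Formula"] = None
@dataclass(frozen=True)
class Not:                  # ¬E
    f: "Formula"
@dataclass(frozen=True)
class Gate:                 # F1 ∧ F2 | F1 ∨ F2
    op: str
    l: "Formula"
    r: "Formula"
Formula = Union[Prev, Not, Gate]
@dataclass(frozen=True)
class Req:                  # R ::= a ⇒ F
    trigger: Ev
    body: Formula

def match(pat, val, env: dict) -> Optional[dict]:
    """Match a requirement term against a trace term, extending the binding env."""
    if isinstance(pat, tuple):
        if not isinstance(val, tuple) or len(pat) != len(val):
            return None
        for p, v in zip(pat, val):
            env = match(p, v, env)
            if env is None:
                return None
        return env
    if pat == "_":
        return env
    if pat in env:
        return env if env[pat] == val else None
    return {**env, pat: val}
def match_ev(pat: Ev, ev: Ev, env: dict) -> Optional[dict]:
    return match(pat.args, ev.args, env) if pat.name == ev.name else None

def sat(f: Formula, trace: list, i: int, env: dict) -> Iterator[dict]:
    """Yield every binding under which f holds at position i of the trace."""
    if isinstance(f, Prev):             # some earlier event matches (and `then` held there)
        for j in range(i):
            env2 = match_ev(f.ev, trace[j], env)
            if env2 is not None:
                yield from ([env2] if f.then is None else sat(f.then, trace, j, env2))
    elif isinstance(f, Not):            # holds iff no binding satisfies the negated formula
        if next(sat(f.f, trace, i, env), None) is None:
            yield env
    elif f.op == "∧":                   # bindings made on the left flow into the right
        for env2 in sat(f.l, trace, i, env):
            yield from sat(f.r, trace, i, env2)
    else:                               # "∨"
        yield from sat(f.l, trace, i, env)
        yield from sat(f.r, trace, i, env)

def violations(req: Req, trace: list) -> list:
    """Positions of trigger events whose body fails; an empty list means the requirement holds."""
    return [i for i, ev in enumerate(trace)
            if (env := match_ev(req.trigger, ev, {})) is not None
            and next(sat(req.body, trace, i, env), None) is None]

def show_ev(e: Ev) -> str:
    return f"{e.name}{e.args}".replace("'", "")
def tree(node, depth: int = 0) -> str:
    """Precedence tree: one node per grammar production, children indented under it."""
    pad = "  " * depth
    if isinstance(node, Req):
        return pad + show_ev(node.trigger) + " ⇒\n" + tree(node.body, depth + 1)
    if isinstance(node, Prev):
        line = pad + "# " + show_ev(node.ev)
        return line if node.then is None else line + "\n" + tree(node.then, depth + 1)
    if isinstance(node, Not):
        return pad + "¬\n" + tree(node.f, depth + 1)
    return pad + node.op + "\n" + tree(node.l, depth + 1) + "\n" + tree(node.r, depth + 1)

# "Recency freshness" from the slide.  Reading gcks_createkey's terms as (new key, key it
# supersedes) is an assumption of this example.
RECENCY = Req(
    Ev("member_accept_key", ("M", "G", ("KGM", "Kold"), "N")),
    Gate("∨", Prev(Ev("gcks_loseparwisekey", ("G", (), ("M", "KGM"), "_"))),
         Not(Prev(Ev("member_request_key", ("M", "G", (), "N")),
                  Prev(Ev("gcks_createkey", ("G", (), ("Knew", "Kold"), "_")))))))

# Constructed traces, not from the slides.  STALE: the controller rolled k0 over to k1
# before m asked, yet m ends up accepting k0.  FRESH: the rollover comes after the request.
STALE = [Ev("gcks_createkey", ("g", (), ("k1", "k0"), "r1")),
         Ev("member_request_key", ("m", "g", (), "n1")),
         Ev("member_accept_key", ("m", "g", ("kgm", "k0"), "n1"))]
FRESH = [STALE[1], STALE[0], STALE[2]]
# STALE with m's pairwise key lost beforehand: the first disjunct excuses the acceptance.
COMPROMISED = [Ev("gcks_loseparwisekey", ("g", (), ("m", "kgm"), "r0"))] + STALE
```

tree(RECENCY) prints the requirement as its precedence tree (the trigger at the root, a ∨ gate, then the # and ¬ nodes), and violations(RECENCY, STALE) returns [2], the position of the stale acceptance, while FRESH and COMPROMISED return []. Sequential freshness is encoded the same way: its nested # (... ∧ # (...)) becomes a Prev whose `then` is a Gate.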

SLIDE 21

Conclusions

  • Explored tree representation of protocol reqs.
    - Promising initial results
    - Complex requirements now intuitive
  • Precedence trees
    - Draw from fault trees research
    - Specialized to NPATRL and NPA
    - NPATRL semantics
    - Better understanding of NPATRL
  • Papers
    - “A Fault-Tree Representation of NPATRL Security Requirements”, with Cathy Meadows
      - WITS’03
      - TCS (long version, submitted)

SLIDE 22

Future Work – Theory

  • What properties can be expressed?
    - All of safety?
    - Liveness?
  • Graphical equivalence of requirements?
  • Expressive power
    - Recursive trees?
    - More complex quantifier patterns?
  • Graphical gist of theorems
    - Useful classes?
    - Proofs?

SLIDE 23

Future Work – Practice

  • Gain further experience
    - Can they be used for other requirements?
  • Scaling up
    - When are trees so big that they are non-intuitive?
      - Existing requirements?
    - Modularity
  • Interaction with the fault tree community
    - Broader applications of dependence trees?
    - Tools we can use?
      - NPATRL <-> dependence trees