model based security engineering models vs code
play

Model-based Security Engineering: Models vs. Code Jan Jrjens - PowerPoint PPT Presentation

Dec 07, 2022 •277 likes •639 views

Model-based Security Engineering: Models vs. Code Jan Jrjens Department of Computing The Open University, GB http://www.umlsec.org Challenge: Security Security is holistic property: Attackers often circumvent (not: break) mechanisms.

  1. Model-based Security Engineering: Models vs. Code Jan Jürjens Department of Computing The Open University, GB http://www.umlsec.org

  2. Challenge: Security Security is holistic property: • Attackers often circumvent (not: break) mechanisms. • Transform (in)secure components to secure systems ? „Those who think that their problem can be solved by simply applying cryptography don`t understand cryptography and don`t understand their problem“ (B. Lampson / R. Needham). Jan Jürjens, Open University: Model-based Security Engineering 2

  3. Model-based Security Engineering Idea: Extract models Requirements from artefacts in Weave Analyze development and in against use of software. (UML) Models Verify. Gener. Code-/ Reverse Configurations Testgen. Engin. Configure Source Code  Tool-supported, theoretically sound, efficient automated security design & analysis. Jan Jürjens, Open University: Model-based Security Engineering 3

  4. Secure System Lifecycle Security External Static Penetration requirements review analysis testing (tools) Risk-based Abuse Risk Security Risk Security tests cases analysis breaks analysis Requirements Design Test Code Test Field and use cases plans results feedback Model-based Security Engineering [McGraw 2003] Design: Encapsulate prudent security engineering rules. Analysis: Formally based, automated, efficient tools. Note: emphasis on high-level requirements. Jan Jürjens, Open University: Model-based Security Engineering 4

  5. Model-based Security with UMLsec Extension of the Unified Modeling Language (UML) for secure systems development. • evaluate UML models for security • encapsulate established rules of prudent secure engineering • make available to developers not specialized in secure systems • consider security requirements from early design phases, in system context • can use in certification Jan Jürjens, Open University: Model-based Security Engineering 5

  6. UMLsec Insert recurring security requirements, adversary scenarios, security mecha- nisms as predefined markers. Use associated logical constraints to verify specifications using model checkers and ATPs based on formal semantics. Ensures that UML specification enforces the relevant security requirements wrt Dolev-Yao type adversaries. [FASE01,UML02,FOSAD05,ICSE05] Jan Jürjens, Open University: Model-based Security Engineering 6

  7. Example: Crypto-based Distributed System A B Adversary m(x) m(x) [arg b,1,1 = x] return({z} k ) return({y::x} z ) Attacker may … • control system parts, Adversary k -1 , y, x • know data in advance, {z} k, z knowledge: • intercept messages, (cf. [Dolev, Yao 1982]) • delete messages, • inject messages. Jan Jürjens, Open University: Model-based Security Engineering 7

  8. Security Analysis in First-order Logic Approximate adversary knowledge set from above: Predicate knows(E) meaning that adversary may get to know E during the execution of the system. E.g. secrecy requirement: For any secret s , check whether can derive knows(s) from model-generated formulas using automatic theorem prover. [ICSE05] Jan Jürjens, Open University: Model-based Security Engineering 8

  9. Cryptographic Expressions I Exp : quotient of term algebra generated from sets Data , Keys , Var of symbols using • _::_ (concatenation), head(_) , tail(_) • (_) -1 (inverse keys) • { _ }_ (encryption) • Dec_( ) (decryption) • Sign_( ) (signing) • Ext_( ) (extracting from signature) under equations … Jan Jürjens, Open University: Model-based Security Engineering 9

  10. Cryptographic Expressions II ∀∀ E,K. Dec K -1 ({E} K )=E ∀∀ E,K. Ext K (Sign K -1 (E))=E ∀∀ E 1 ,E 2 . head(E 1 ::E 2 )=E 1 ∀∀ E 1 ,E 2 . tail(E 1 ::E 2 )=E 2 • Associativity for :: . Write E 1 ::E 2 ::E 3 for E 1 ::(E 2 ::E 3 ) and fst(E 1 ::E 2 ) for head(E 1 ::E 2 ) etc. Can include further crypto-specific primitives and laws (XOR, …). Jan Jürjens, Open University: Model-based Security Engineering 10

  11. Example: Translation to Logic knows ( N ) ∧ knows ( K C ) ∧ knows ( Sign K C -1 (C::K C ) ) ∧ ∀ init 1 ,init 2 ,init 3 . [ knows ( init 1 ) ∧ knows ( init 2 ) ∧ knows ( init 3 ) ∧ snd ( Ext init 2 (init 3 ) ) = init 2 ) knows ( {Sign K S -1 (…)} … ) ∧ [ knows ( Sign… )] ∧ ∀ resp 1 ,resp 2 . [ … ) ... ] ] Jan Jürjens, Open University: Model-based Security Engineering 11

  12. Analysis Check whether can derive knows(s) e.g. using e-Setheo. Surprise: Yes !  Protocol does not preserve secrecy of s . Why ? Use Prolog- based attack generator. Jan Jürjens, Open University: Model-based Security Engineering 12

  13. Man-in-the-Middle Attack Jan Jürjens, Open University: Model-based Security Engineering 13

  14. The Fix e-Setheo: Proof that knows(s) not derivable. Note completeness of FOL (but also undecidability). Jan Jürjens, Open University: Model-based Security Engineering 14

  15. Security Analysis: Model or Code ? Model: + earlier (less expensive to fix flaws) + more abstract  more efficient - more abstract  may miss attacks - programmers may introduce security flaws - even code generators, if not formally verified Code: + „the real thing“ (which is executed)  Do both ! Surprise: Essentially no existing work (eg for crypto prots) ! Jan Jürjens, Open University: Model-based Security Engineering 15

  16. Code Analysis vs. Model Analysis Options: • generate code from models  currently not available in general • generate models from code  next slides • create models and code manually and verify code against models  later in this talk Jan Jürjens, Open University: Model-based Security Engineering 16

  17. Models from Code Generate control flow graph (e.g. aicall (Absint)). Transform to state machine: trans(state,inpattern,condition,action,nextstate) where action can be outpattern or localvar:=value. [ASE05,ASE06] Jan Jürjens, Open University: Model-based Security Engineering 17

  18. Real Life Challenges … Jan Jürjens, Open University: Model-based Security Engineering 18

  19. Experiences Can generate behavioral models from code (e.g. CFGs). Problem: too concrete  understanding + automated verification hard (even with annotations). Constructing abstract specifications from practical software is manually intensive. Jan Jürjens, Open University: Model-based Security Engineering 19

  20. Code Analysis vs. Model Analysis Options: • generate code from models  currently not possible in general • generate models from code  challenging • create models and code manually and verify code against models  next slides Jan Jürjens, Open University: Model-based Security Engineering 20

  21. Verify Code against Models Assumption: Have textual specification. Then: • construct interface spec from textual spec • analyze interface spec for security • verify that software satisfies interface spec Jan Jürjens, Open University: Model-based Security Engineering 21

  22. [with David Model vs. Implementation Kirscheneder ] „meaning“ „meaning“ compare meaning! Defined during Backtrace model creation assignments Sent and received data Elements of connections Find Has Implement Implement -ation Equal? -ation .java Abstract model Jan Jürjens, Open University: Model-based Security Engineering 22

  23. r Example: Interface spec of SSL p q g I) Identify program points: value ( r ), receive ( p ), guard ( g ), send ( q ) II) Check guards enforced Jan Jürjens, Open University: Model-based Security Engineering 23

  24. Implementation of SSL: Identify Values Jan Jürjens, Open University: Model-based Security Engineering 24

  25. public void write(OutputStream out) throws IOException { ... out.write(randomBytes); … } 2nd parameter of Random constructor Identify: randomBytes called by ClientHello.write() (in message ClientHello) public void write(OutputStream out) 2nd parameter of ClientHello constructor throws IOException { ... random.write(out); ... } ClientHello(… , Random random, ) via Handshake.write() { ... this.random = random; ... } initialized in SSLSocket.doClientHandshake() ClientHello clientHello = new ClientHello(..., clientRandom ,...); initialization of the used Random object Random clientRandom = new Random(..., session.random.generateSeed(28) ); „meaning“ class SecureRandom (specified in: FIPS 140-2,RFC 1750) of package java.security Function: generateSeed Jan Jürjens, Open University: Model-based Security Engineering 25

  26. Automate this Sending Messages using patterns ProtocolVersion.write() Random.write() traverse CFG Handshake.write() call of OutputStream. write() ClientHello.write() SSLSocket.doClientHandshake() Jan Jürjens, Open University: Model-based Security Engineering 26

  27. p Checking Guards Guard g enforced by code? q g a) Generate runtime check for g at q from diagram: simple + effective, but performance penalty. b) Testing against checks (symbolic crypto for inequalities). [ICFEM02] c) Automated formal local verification: conditionals between p and q logically imply g (using ATP for FOL). [ASE06] Jan Jürjens, Open University: Model-based Security Engineering 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Model-based Security Security: ganzheitliche Engineering Eigenschaft: Jan Jrjens

Model-based Security Security: ganzheitliche Engineering Eigenschaft: Jan Jrjens

2 Herausforderung: Security Model-based Security Security: ganzheitliche Engineering Eigenschaft: Jan Jrjens Sicherheits-Mechanismen umgehen statt brechen. Sichere Systems aus Computing Department unsicheren Komponenten ? The

314 views • 6 slides
Security model for hybrid token-based networking models By Rudy Borgstede Contents

Security model for hybrid token-based networking models By Rudy Borgstede Contents

Security model for hybrid token-based networking models By Rudy Borgstede Contents Project Background Complex Resource Provisioning and Token-Based Networking Token Validation Service, the Java Aaauthreach project

504 views • 21 slides
Widget security model based on MIDP and Web Application based on a security model with TLS/SSL

Widget security model based on MIDP and Web Application based on a security model with TLS/SSL

Widget security model based on MIDP and Web Application based on a security model with TLS/SSL and XMLDsig Claes Nilsson Technology Area Group Leader Web Browsing Marcus Liwell Technology Area Group Leader Security and DRM Rev 1

576 views • 12 slides
Basic Concepts Overview First Principle Models Most of science and engineering is based on

Basic Concepts Overview First Principle Models Most of science and engineering is based on

Basic Concepts Overview First Principle Models Most of science and engineering is based on first-principle models First-principle vs. data-driven models Starts with a model Technology-centered vs. problem-centered courses

330 views • 5 slides
1 What is a good model? Models of models of models Intuitively: A model is good if

1 What is a good model? Models of models of models Intuitively: A model is good if

What is modeling? Chair of Softw are Engineering Building an abstraction of reality Software Engineering Abstractions from things, people, and processes Spring Semester 2008 Relationships between these abstractions Abstractions are

389 views • 16 slides
Building Agent-Based Models of Seaport Container Terminals Jos e M Vidal and Nathan Huynh

Building Agent-Based Models of Seaport Container Terminals Jos e M Vidal and Nathan Huynh

Building Agent-Based Models of Seaport Container Terminals Jos e M Vidal and Nathan Huynh Department of Computer Science and Engineering Department of Civil Engineering University of South Carolina 11 May 2010 Model Model Each crane c

409 views • 18 slides
Model-driven approaches to Why models? large-scale e-business The anatomy of models From models

Model-driven approaches to Why models? large-scale e-business The anatomy of models From models

Agenda Model-driven approaches to Why models? large-scale e-business The anatomy of models From models to code system development Standards and maturity Steve Cook IBM Distinguished Engineer Visiting Professor, UKC The architecture is

213 views • 10 slides
Semantics-based reverse engineering of data models from programs Komondoor V Raghavan IBM India

Semantics-based reverse engineering of data models from programs Komondoor V Raghavan IBM India

Semantics-based reverse engineering of data models from programs Komondoor V Raghavan IBM India Research Lab (with G. Ramalingam, J. Field, et al) 1 / 51 Understanding legacy software Common scenario huge existing legacy code base

652 views • 46 slides
General Indicator Modeling for Decision Support based on 3D city and landscape models using Model

General Indicator Modeling for Decision Support based on 3D city and landscape models using Model

Lehrstuhl fr Geoinformatik Technische Universitt Mnchen General Indicator Modeling for Decision Support based on 3D city and landscape models using Model Driven Engineering Mostafa Elfouly, Thomas H. Kolbe Chair of Geoinformatics

782 views • 26 slides
SWIRL++ :Evaluating Performance Models System Overview to Guide Code Transformation in Model

SWIRL++ :Evaluating Performance Models System Overview to Guide Code Transformation in Model

SWIRL++ T. Rusira et al LCPC19 Convolution SWIRL++ :Evaluating Performance Models System Overview to Guide Code Transformation in Model Guided Optimization Convolutional Neural Networks Code Variants Memory Cost Space Pruning

409 views • 29 slides
Security models part 2 Bj orn Victor Fall 2007 Doris Denning model Denning model Chinese

Security models part 2 Bj orn Victor Fall 2007 Doris Denning model Denning model Chinese

Security models part 2 Bj orn Victor Fall 2007 Doris Denning model Denning model Chinese Wall Clark-Wilson Principles BLP: covert channels possible -property too strong Improvement: analyse actual (and indirect) information flow.

676 views • 45 slides
From Conceptual Models From Conceptual Models to Simulation Models to Simulation Models Model

From Conceptual Models From Conceptual Models to Simulation Models to Simulation Models Model

From Conceptual Models From Conceptual Models to Simulation Models to Simulation Models Model Driven Development of Agent- -Based Based Simulations Simulations Model Driven Development of Agent Takashi Iba* Yoshiaki Matsuzawa** Nozomu

235 views • 11 slides
Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code

Security and the .NET Framework Code Access Security Enforces security policy on code Regardless of user running the code Regardless of whether the code is in the same application with other code Other code can be more, less, or

695 views • 21 slides
Supervisory Control Synthesis the Focus in Model-Based Systems Engineering Jos Baeten and

Supervisory Control Synthesis the Focus in Model-Based Systems Engineering Jos Baeten and

Supervisory Control Synthesis the Focus in Model-Based Systems Engineering Jos Baeten and Asia van de Mortel-Fronczak Systems Engineering Group Department of Mechanical Engineering November 23, 2011 What is a model? 2 A model is an

705 views • 43 slides
Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina

Weird machines: a model for code-reuse attacks Sergey Bratus Rebecca Shapiro Anna Shubina Dartmouth T rust Lab Outline Code re-use: unexpected computation, programming models Containing computation: Coarse intent-based ABI-level

487 views • 27 slides
Managing Security Investment Part III Tyler Moore Computer Science & Engineering Department,

Managing Security Investment Part III Tyler Moore Computer Science & Engineering Department,

Notes Managing Security Investment Part III Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX September 25, 2012 Gordon-Loeb model Baseline models Notes Outline Gordon-Loeb model 1 Breach probability function

406 views • 8 slides
Multicast monitoring and visualization tools A. Binczewski R. Krzywania R. apacz Multicast

Multicast monitoring and visualization tools A. Binczewski R. Krzywania R. apacz Multicast

Multicast monitoring and visualization tools A. Binczewski R. Krzywania R. apacz Multicast technology now - briefly Bright aspects: Well-known technology Reduces network traffic and conserves the bandwidth IPv4 and IPv6

657 views • 26 slides
TOOL CHOICE MATTERS Kavaler, Trockman, Vasilescu, Filkov SOFTWARE DEVELOPMENT KEEPS CHANGING

TOOL CHOICE MATTERS Kavaler, Trockman, Vasilescu, Filkov SOFTWARE DEVELOPMENT KEEPS CHANGING

TOOL CHOICE MATTERS Kavaler, Trockman, Vasilescu, Filkov SOFTWARE DEVELOPMENT KEEPS CHANGING Waterfall OOP Alexa, Good Morning. flexible o ff the shelf - sets thermostat to 69F modular - turn on lights - play

699 views • 23 slides
An Open Source MSDL/C-BML Interface to VR-Forces Dr. Mark Pullen Mohammad Ababneh Lisa Nicklas

An Open Source MSDL/C-BML Interface to VR-Forces Dr. Mark Pullen Mohammad Ababneh Lisa Nicklas

An Open Source MSDL/C-BML Interface to VR-Forces Dr. Mark Pullen Mohammad Ababneh Lisa Nicklas Michael Connor Alexandre Barreto GMU C4I Center Open Source MSDL/C-BML Interface to VR-Forces 2012

679 views • 30 slides
Introduction to the R Statistical Computing Environment Getting Started with R John Fox McMaster

Introduction to the R Statistical Computing Environment Getting Started with R John Fox McMaster

Introduction to the R Statistical Computing Environment Getting Started with R John Fox McMaster University ICPSR 2017 John Fox (McMaster University) Getting Started with R ICPSR 2017 1 / 6 Lecture Outline To be covered as time permits:

442 views • 3 slides
Towards Automated Computationally Faithful Specify protocol participants as processes following

Towards Automated Computationally Faithful Specify protocol participants as processes following

2 Security Analysis a la Dolev-Yao Towards Automated Computationally Faithful Specify protocol participants as processes following Dolev, Yao 1982: In addition to Verification of Cryptoprotocols expected participants, model attacker who: Jan

146 views • 4 slides
Java In the Database Rick Hillegas Apache Derby August 28, 2006 General Overview Derby

Java In the Database Rick Hillegas Apache Derby August 28, 2006 General Overview Derby

Java In the Database Rick Hillegas Apache Derby August 28, 2006 General Overview Derby Overview User Code in the Database SQL Support Demo Overview Demo SQL Derby Overview Lightweight, 0-admin, pure Java database

300 views • 27 slides
Using iPad for Teaching: My Experiences and Best Practices Chen-Wei Wang EECS, Lassonde, York

Using iPad for Teaching: My Experiences and Best Practices Chen-Wei Wang EECS, Lassonde, York

Using iPad for Teaching: My Experiences and Best Practices Chen-Wei Wang EECS, Lassonde, York August 28, 2020 Pre-Tutorial Exercise You considered a Java example in 3 slides: Q1. How would you teach this example? Hint. Will you restrict your

376 views • 10 slides
ObfusMem: A Low-Overhead Access Obfuscation fo for Trusted Memories Amro Awad 1 , Yipeng Wang 2 ,

ObfusMem: A Low-Overhead Access Obfuscation fo for Trusted Memories Amro Awad 1 , Yipeng Wang 2 ,

ObfusMem: A Low-Overhead Access Obfuscation fo for Trusted Memories Amro Awad 1 , Yipeng Wang 2 , Deborah Shands 3 , Yan Solihin 2 1 Sandia National Laboratories 2 North Carolina State University 3 National Science Foundation ISCA 2017 Presented

811 views • 24 slides

More recommend