Modeling and Analysis of Security for Human Centric Systems Florian - - PowerPoint PPT Presentation

SLIDE 1

Modeling and Analysis of Security for Human Centric Systems

Florian Kammüller

Middlesex University London & TU Berlin

Assessment of ICT Security Risks in Socio-Technical Systems’16, 16. November 2016

SLIDE 2

Formal Models for Insider Threat Analysis

  • Initial Idea:
      • Model infrastructure, actors, policies
      • Invalidate global policy by complete exploration of state space

⇒ Modelchecking State explosion problem

  • Interactive theorem proving in Isabelle [7]
  • Higher Order Logic: expressive
  • Proof of security/violations
  • Simulate “Modelchecking” [13]

SLIDE 3

Modeling Human Behaviour for Sociological Explanation

  • Max Weber’s sociological explanation model
  • 3-step logic of explanation (Hempel and Oppenheim [1])

[Figure: diagram relating “collective explanandum”, “social situation”, “actor” and “action” through the transitions (a), (b), (c), (d)]

⇒ Macro-Micro-Macro transition

(a) Macro-Micro: taxonomy of insider as datatypes in HOL based on psychological results [12], e.g.

datatype psy_states = happy | revenge | stressed

(b) Micro-Micro: Infrastructure with actors and locations for action theory

(c) Micro-Macro: Analysis of insider attacks: invalidation of global policies
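
The idea from slides 2 and 3, as an added Python example (not code from the talk or from the Isabelle Insider framework): a small infrastructure with locations, one actor and local policies is explored exhaustively, and the global policy is invalidated by returning a violating trace. All location, item and function names are hypothetical, and the rule that only an actor in state `revenge` takes a credential that is not theirs is an assumption made for illustration.

```python
from collections import deque

# Constructed sample model (hypothetical names, not from the talk).
EDGES = {"ward": ["office"], "office": ["ward", "records"], "records": ["office"]}
ITEMS = {"office": "doctor_badge"}  # credential left lying at a location
# Local policies: credential needed to enter a location (None = open to all).
ENTER_REQUIRES = {"ward": None, "office": None, "records": "doctor_badge"}
PSY_STATES = ("happy", "revenge", "stressed")  # the slide's psy_states datatype


def steps(state, psy):
    """Yield (action, next_state) pairs that the local policies allow."""
    loc, held = state
    for nxt in EDGES[loc]:
        need = ENTER_REQUIRES[nxt]
        if need is None or need in held:
            yield f"move {loc}->{nxt}", (nxt, held)
    item = ITEMS.get(loc)
    # Assumption: only an actor in state 'revenge' takes a foreign credential.
    if item and item not in held and psy == "revenge":
        yield f"get {item}", (loc, held | {item})


def global_policy(state):
    """Global policy: the nurse is never inside the records room."""
    return state[0] != "records"


def invalidate(psy, start=("ward", frozenset())):
    """Breadth-first search over all reachable states.

    Returns the shortest action trace that violates the global policy,
    or None if the policy holds in every reachable state.
    """
    seen, queue = {start}, deque([(start, [])])
    while queue:
        state, trace = queue.popleft()
        if not global_policy(state):
            return trace
        for action, nxt in steps(state, psy):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [action]))
    return None


if __name__ == "__main__":
    for psy in PSY_STATES:
        print(psy, invalidate(psy))
```

Every local policy is respected along the returned trace, yet the global policy fails; the number of states grows with every added actor, item and location, which is the state explosion problem named on slide 2.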

SLIDE 4

Applications of Isabelle Insider Framework

  • Logical Modeling of Insider Threats (Isabelle Insider Framework) [3]
  • Attack Tree Analysis for Insider Threats on the IoT using Isabelle. [16]
  • Airplane Safety and Security against Insider Threats. [17]
  • Formal Analysis of Insider Threats for Auctions. [15]

SLIDE 5

Current Projects for Practical Application

CHIST-ERA (EU) project SUCCESS: SecUre aCCESSibility for the internet of things (IoT)

[Figure: diagram of the health-care IoT scenario. Labels: Carer, Patient, Mobile/Bracelet, Nurse/Doctor, Hospital, Attacker; Take biomarker, Data registration, Measurement; Data Theft, Corrupt Data; relations <threatens>, <impersonates>, <mitigates>; Access control; T1, T2, S1, S2]

[Figure: attack tree labels: Steal Patient Data, Get Password, Access Phone, Crack PIN]

  • Formal design of privacy-critical IoT scenarios
  • Risk visualisation by attack trees
  • Certified implementation for IoT component architectures
  • IoT Pilot scenario: sensor based monitoring for dementia patients

SLIDE 6

Conclusion and Pitch

  • Engineering secure IoT systems
  • Health care: cost efficiency vs privacy
  • What question do we need to answer
  • stakeholders: patient, nurse, doctor
  • Privacy vs positive discrimination

SLIDE 7

References I

[1] Frank Stajano and Ross Anderson. The Cocaine Auction Protocol: On The Power Of Anonymous Broadcast. In A. Pfitzmann, ed. Proceedings of Information Hiding Workshop 1999. LNCS Springer, 1999.

[2] M. B. Caminati, M. Kerber, C. Lange, and C. Rowat. Sound auction specification and implementation. 16th ACM Conference on Economics and Computation, EC’15. ACM, 2015.

[3] F. Kammüller and C. W. Probst, Modeling and verification of insider threats using logical analysis, IEEE Systems Journal, 2016. [Online]. Available: http://dx.doi.org/10.1109/JSYST.2015.2453215

[4] F. Kammüller. Verification of DNSsec Delegation Signatures. 21st International IEEE Conference on Telecommunication. IEEE, 2014.

[5] F. Kammüller and S. Preibusch. Privacy Analysis of a Hidden Friendship Protocol. Data Privacy Management DPM’13, ESORICS. Vol. 8247, LNCS, Springer, 2013.

SLIDE 8

References II

[6] F. Kammüller. A Semi-Lattice Model for Multi-Lateral Security. Data Privacy Management DPM’12, ESORICS. p. 118–132, Vol. 7731, LNCS Security and Cryptology, Springer, 2013.

[7] T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL – A Proof Assistant for Higher-Order Logic, 2283 LNCS. Springer-Verlag, 2002.

[8] J. Boender, F. Kammüller, R. Nagarajan. Formalization of quantum protocols using Coq. 12th International Workshop on Quantum Physics and Logic. EPTCS 195, 2015. http://dx.doi.org/10.4204/EPTCS.195

[9] F. Kammüller and C. W. Probst, Invalidating policies using structural information, in WRIT’13, SPW. IEEE, 2013.

[10] D. M. Cappelli, A. P. Moore, and R. F. Trzeciak, The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), 1st ed., ser. SEI Series in Software Engineering. Addison-Wesley Professional, Feb. 2012. [Online]. Available: http://www.amazon.com/exec/obidos/redirect?tag=citeulike07-20&path=ASIN/0321812573

[11] F. Kammüller. Formalizing Non-Interference for A Small Bytecode-Language in Coq. Formal Aspects of Computing: 20(3):259–275. Springer, 2008.

SLIDE 9

References III

[12] Jason R. C. Nurse and Oliver Buckley and Philip A. Legg and Michael Goldsmith and Sadie Creese and Gordon R. T. Wright and Monica Whitty, Understanding Insider Threat: A Framework for Characterising Attacks, IEEE Security and Privacy Workshops (SPW), WRIT, 2014.

[13] F. Kammüller. Refactoring Preserves Security. Data Privacy Management, DPM’16, 11th Int. Workshop ESORICS’16, LNCS, Springer, 2016.

[14] F. Kammüller. Isabelle Modelchecking for Insider Threats. Data Privacy Management, DPM’16, 11th Int. Workshop, ESORICS’16. LNCS, Springer, 2016.

[15] F. Kammüller, M. Kerber, C. W. Probst. Towards Formal Analysis of Insider Threats for Auctions. 8th ACM CCS International Workshop on Managing Insider Security Threats, MIST’16. ACM, 2016.

[16] F. Kammüller, J. R. C. Nurse, and C. W. Probst. Attack Tree Analysis for Insider Threats on the IoT using Isabelle. 4th International Conference on Human Aspects of Security, Privacy and Trust, HCII-HAS 2016. Vol. 9750, LNCS, Springer 2016.

[17] F. Kammüller and M. Kerber. Investigating Airplane Safety and Security against Insider Threats Using Logical Modeling. IEEE Security and Privacy Workshops, SPW, WRIT’16. 2016.
