A Formal Specification of the MIDP 2.0 Security Model (slides)

  1. A Formal Specification of the MIDP 2.0 Security Model
     Santiago Zanella Béguelin (1), Gustavo Betarte (2), Carlos Luna (2)
     (1) Everest Project, INRIA Sophia Antipolis, INRIA–Microsoft Research Joint Laboratory
     (2) InCo, Universidad de la República, Uruguay
     Workshop on Formal Aspects in Security and Trust, 2006
     (Sections: Motivation, Specification, Verification, Refinement)
     Zanella Béguelin, Betarte, Luna: A Formal Specification of the MIDP 2.0 Security Model

  2. Outline
     1. Motivation
     2. Specification
     3. Verification
     4. Refinement

  3. What is a Mobile Device? Defining characteristics:
     - portable
     - scarce resources (compared with other platforms)
     - communicating (network-connected)
     - stores personal information
     - subscribed to pay-per-use services

  4. Some Examples
     - Cell phones
     - Personal Digital Assistants

  5. The Problem. What a secure mobile device should enforce:
     - Data confidentiality and integrity
     - Cost control
     - Availability
     ...even in the presence of malicious applications

  7. The Problem: a possible scenario. If the device supports loading of executable code after issuance...
     [Figure: scenario animated over slides 7 to 12, involving two parties labelled A and B]

  13. First Solution: removing the cause. Either:
     - Don't allow users to download code, but they love to do so (and it's a big market opportunity); or
     - Don't allow downloaded code to access sensitive APIs, but many useful applications must do so (e.g. synchronization, news push).
     Roughly, MIDP 1.0 used this last solution (a sandbox model).

  14. Second Solution: establish a security policy.
     A security policy is a mapping from a set of properties that characterize code to a set of access permissions granted to that code.

  16. Layered J2ME - MIDP architecture
     [Figure: layered stack, top to bottom: MIDP Applications / OEM-specific Applications / Native Applications; OEM-specific APIs; MIDP; CLDC; Java Virtual Machine; Native Operating System; Hardware]
     - Users may only download MIDP applications
     - MIDP applications access resources through a restricted interface

  17. MIDP Security Model
     - In MIDP 1.0, a sandbox-like model
     - In MIDP 2.0, a model based on protection domains
     Protection Domain:
     - an abstraction of the context of execution of a piece of code
     - restricts access to sensitive functions
     In MIDP 2.0, each application belongs to a suite and each suite is bound to a unique Protection Domain.

  19. Protection Domains in Practice
     [Figure: the policy maps code carrying signatures under keys K_A and K_B to protection domains]

  21. MIDP 2.0 Security Model
     Protected function → Permission
     A Protection Domain determines:
     - a set of permissions granted unconditionally
     - a set of permissions that could be granted with explicit user authorization, together with a mode that specifies its validity:
       blanket: until the removal of the suite
       session: for the current session
       oneshot: for a single use
     oneshot ≤_m session ≤_m blanket. The specified mode is an upper bound.

  23. Permissions Acquired by a Suite
     A suite declares at installation time the permissions it requires.
     Acquired = Requested ∩ (Unconditionally granted ∪ Granted by user authorization)
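The acquisition rule on this slide together with the mode ordering and upper bound of slide 21, as a constructed Python model added here (not the paper's Coq specification; ProtectionDomain, Suite, install, use and end_session are assumed names, and tagging unconditional grants as "unconditional" is a modelling choice):

```python
"""Constructed model of the MIDP 2.0 permission rules on slides 21-23.
Not the paper's Coq development: every name here is an assumption."""
from dataclasses import dataclass, field

# Validity modes ordered oneshot <=_m session <=_m blanket (slide 21).
MODE_RANK = {"oneshot": 0, "session": 1, "blanket": 2}


def mode_le(a, b):
    """a <=_m b in the mode ordering."""
    return MODE_RANK[a] <= MODE_RANK[b]


@dataclass
class ProtectionDomain:
    unconditional: frozenset  # permissions granted without asking the user
    user: dict                # permission -> maximum mode the user may grant


@dataclass
class Suite:
    domain: ProtectionDomain
    requested: frozenset      # permissions declared at installation time
    acquired: dict = field(default_factory=dict)  # permission -> mode tag


def install(suite, user_choices):
    """Acquired = Requested ∩ (Unconditional ∪ Granted by user authorization).

    user_choices maps a permission to the mode the user authorised. A choice
    above the domain's bound (slide 21: the mode is an upper bound), or for a
    permission the domain never offers, is rejected: nothing is acquired.
    """
    suite.acquired = {}
    for p in suite.requested:
        if p in suite.domain.unconditional:
            suite.acquired[p] = "unconditional"  # modelling tag, not a MIDP mode
        elif p in suite.domain.user and p in user_choices \
                and mode_le(user_choices[p], suite.domain.user[p]):
            suite.acquired[p] = user_choices[p]
    return set(suite.acquired)


def use(suite, permission):
    """Protected function -> permission check; a oneshot grant is consumed by its use."""
    mode = suite.acquired.get(permission)
    if mode is None:
        return False
    if mode == "oneshot":
        del suite.acquired[permission]
    return True


def end_session(suite):
    """Session-mode grants lapse when the current session ends."""
    suite.acquired = {p: m for p, m in suite.acquired.items() if m != "session"}
```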

  25. New Problems. Issues:
     - Does the security model enforce the security policy?
     - Do implementations conform to the model?
     - How do other operations interfere with the model?
     - What exactly is the security model?

  26. Outline
     1. Motivation
     2. Specification
     3. Verification
     4. Refinement

  27. Remarks
     - Formalized in the Calculus of Inductive Constructions
     - Developed with the Coq proof assistant
     - Abstract higher-order specification

  28. The Calculus of Inductive Constructions (CIC)
     CIC is an extension of the simply-typed lambda calculus with:
     - Polymorphic types [(λx. x) : A → A]
     - Higher-order types [A → A : ∗ : □]
     - Dependent types [(λa : A. f a) : (∀a : A. B a)]
     Implemented in Coq: type checker + proof assistant
     - Can encode higher-order predicate logic
     - Inductive definitions
     - Curry-Howard isomorphism: types ↔ propositions, terms ↔ proofs
