Describing Secure Interfaces with Interface Automata
Matias Lee, Pedro R. D’Argenio
FaMAF - UNC, CONICET
FESCA Workshop
Matias Lee, Pedro R. D’Argenio. Interface Structure for Security
Outline
1 Interfaces Structure for Security: Interface Automata and Interface Structure for Security; Composition; Bisimulation-based (Strong) Non-deterministic Non-interference
2 Deriving secure ISS: Checking BSNNI; Synthesizing Secure ISS; The algorithm - Example
3 Preserving BSNNI after Composition
4 Contribution and future works
Interface Automata (IA): We use Interface Automata [De Alfaro, Henzinger 2001, 2005] to represent interfaces. E.g.:
[Figure: the Transaction Service automaton, states s1 to s7, with transitions labelled newT?, acceptT?, startT!, endT?, startM?, endM? and logM!.]
IA has three different sorts of actions: input, output and hidden. As usual, inputs are suffixed by ? and outputs by !. We indicate hidden actions by suffixing ;.
Interface Structure for Security (ISS) extends IA to cope with security. Visible actions are separated into two classes:
public or low: can be observed/manipulated by any user;
private or high: only for users with appropriate clearance.
[Figure: the same Transaction Service automaton (states s1 to s7, actions newT?, acceptT?, startT!, endT?, startM?, endM?, logM!) as an ISS.]
High actions are underlined.
Why IA and ISS?
Component-Based Development and Design has become the main approach for software development. Example: web services.
We need a good interface description that allows us to analyze the interaction between components. In this way, we can predict whether the composed system can satisfy our requirements.
IA captures temporal aspects of the component interface. This framework requires that the communication is properly carried out by the interfaces.
ISS inherits the properties of IA and also allows us to study properties related to secure data flow.
Example: A distributed transaction processing system (DTPS):
a main server (Transaction Service) that provides a service;
a remote transaction process unit (Trans. Processing Unit);
a supervisor module (Supervisor).
[Figure: the three ISS of the DTPS. Transaction Service: states s1 to s7, actions newT?, acceptT?, startT!, endT?, startM?, endM?, logM!. Trans. Processing Unit: states t1 to t4, actions startT?, ok!, nOk!, endT!, logF!. Supervisor: states u1 to u5, actions mOn?, startM!, endM!, logM?, logF?.]
We are interested in studying how the components work together. Therefore, we need a concept of composition.
Composition
CSP-like parallel composition in IA:
the state space is the product of the sets of states of the components;
synchronization is through shared actions, i.e. both components should perform a transition with the same synchronizing label (one as input, the other as output);
transitions with non-shared actions are interleaved.
Besides, shared actions are hidden in the product.
[Figure: the product of the three ISS. States are triples such as s1 t1 u1 (initial), s1 t1 u2, s2 t1 u2, s3 t3 u2, s3 t4 u2, s4 t1 u3 and so on; the shared actions startT, startM, endM, endT, logM and logF appear hidden (suffixed ;), while mOn?, newT?, acceptT?, ok! and nOk! remain visible.]
Error, incompatible and compatible states
In state s3 t4 u2, the TP unit sends a message (logF!) to the Supervisor, which is not ready to receive it. We call this a miscommunication. The state s3 t4 u2 is an error state.
States s3 t3 u2 and s2 t1 u2 are incompatible states because they reach an error/incompatible state autonomously (i.e. using only output and/or hidden actions).
A state that is not incompatible is called compatible. For example, s1 t1 u2 is compatible.
If the initial state of the product is compatible, then the interfaces are compatible.
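To make the composition rules and the error/incompatible/compatible classification concrete, here is an added Python example (not the authors' code) that builds the IA product of two small components and then computes the error states and their autonomous backward closure. The two components, their state names (t0.., u0..) and the hidden action work are constructed for the example, loosely modelled on the slides' TP unit and Supervisor, not copied from the slides' automata.

```python
from itertools import product
# Added example (not the authors' code). An IA is a dict with states, init,
# input/output/hidden action sets and transitions (src, action, dst).
def enabled(ia, state, action):
    return {d for (s, a, d) in ia["trans"] if s == state and a == action}
def compose(A, B):
    """CSP-like product: shared actions synchronize (input with output) and become hidden."""
    shared = (A["in"] & B["out"]) | (A["out"] & B["in"])
    trans = set()
    for p, q in product(A["states"], B["states"]):
        for s, a, d in A["trans"]:
            if s == p and a in shared:          # synchronize with B on the shared action
                trans |= {((p, q), a, (d, d2)) for d2 in enabled(B, q, a)}
            elif s == p:                        # interleave A's own actions
                trans.add(((p, q), a, (d, q)))
        for s, b, d in B["trans"]:
            if s == q and b not in shared:      # interleave B's own actions
                trans.add(((p, q), b, (p, d)))
    return {"states": set(product(A["states"], B["states"])), "shared": shared,
            "init": (A["init"], B["init"]), "trans": trans,
            "in": (A["in"] | B["in"]) - shared, "out": (A["out"] | B["out"]) - shared,
            "hid": A["hid"] | B["hid"] | shared}
def error_states(A, B, P):
    """Miscommunication: one side can output a shared action the other cannot accept."""
    errs = set()
    for p, q in P["states"]:
        for X, Y, x, y in ((A, B, p, q), (B, A, q, p)):
            for s, a, _ in X["trans"]:
                if s == x and a in X["out"] & P["shared"] and not enabled(Y, y, a):
                    errs.add((p, q))
    return errs
def incompatible_states(A, B, P):
    """Backward closure of error states under autonomous (output/hidden) steps."""
    bad, autonomous = error_states(A, B, P), P["out"] | P["hid"]
    while True:
        new = {s for s, a, d in P["trans"] if a in autonomous and d in bad} - bad
        if not new:
            return bad
        bad |= new

# Constructed components, loosely modelled on the slides' TP unit and Supervisor.
UNIT = {"states": {"t0", "t1", "t2", "t3"}, "init": "t0", "in": {"startT"},
        "out": {"logF"}, "hid": {"work"},
        "trans": {("t0", "startT", "t1"), ("t1", "work", "t2"), ("t2", "logF", "t3")}}
SUPERVISOR = {"states": {"u0", "u1", "u2"}, "init": "u0", "in": {"mOn", "logF"},
              "out": set(), "hid": set(), "trans": {("u0", "mOn", "u1"), ("u1", "logF", "u2")}}
def analyse(A=UNIT, B=SUPERVISOR):
    P = compose(A, B)
    bad = incompatible_states(A, B, P)
    return P, error_states(A, B, P), bad, P["init"] not in bad
```

In the constructed pair, (t2, u0) is an error state (the unit can emit logF! while the supervisor has not yet been switched on), (t1, u0) is incompatible because the hidden step work leads there autonomously, and the initial state (t0, u0) stays compatible since only the input startT? leads out of it.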