Modeling and Analysis of Security for Human Centric Systems Florian Kammüller Middlesex University London & TU Berlin Assessment of ICT Security Risks in Socio-Technical Systems’16, 16. November 2016
Formal Models for Insider Threat Analysis • Initial Idea: • Model infrastructure, actors, policies • Invalidate global policy by complete exploration of state space ⇒ Modelchecking � State explosion problem • Interactive theorem proving in Isabelle [7] • Higher Order Logic: expressive • Proof of security/violations • Simulate “Modelchecking” [13] 2
Modeling Human Behaviour for Sociological Explanation • Max Weber’s sociological explanation model • 3-step logic of explanation (Hempel and Oppenheimer [1]) social collective situation explanandum (d) (a) (c) actor action (b) ⇒ Macro-Micro-Macro transition ( a ) Macro-Micro: taxonomy of insider as datatypes in HOL based on psychological results, [12] e.g. datatype psy_states = happy | revenge | stressed ( b ) Micro-Micro: Infrastructure with actors and locations for action theory ( c ) Micro-Macro: Analysis of insider attacks: invalidation of global policies 3
Applications of Isabelle Insider Framework • Logical Modeling of Insider Threats (Isabelle Insider Framework) [3] • Attack Tree Analysis for Insider Threats on the IoT using Isabelle. [16] • Airplane Safety and Security against Insider Threats. [17] • Formal Analysis of Insider Threats for Auctions. [15] 4
Current Projects for Practical Application CHIST-ERA (EU) project SUCCESS: SecUre aCCESSibility for the internet of things (IoT) • Formal design of T2 privacy-critical IoT CARER scenarios Nurse/Doctor Mobile/ Bracelet Patient • Risk visualisation by Patient Hospital Take biomarker Patient Access attack trees control ATTACKER Data registration Doctor <mitigates> Measurement T1 • Certified implementation Data Theft Nurse <threatens> <impersonates> for IoT component Corrupt Data Attacker Steal Patient architectures Data S1 S2 Get Password • IoT Pilot scenario: sensor based monitoring Access Phone Crack PIN for dementia patients 5
Conclusion and Pitch • Engineering secure IoT systems • Health care: cost efficiency vs privacy • What question do we need to answer • stakeholders: patient, nurse, doctor • Privacy vs positive discrimination 6
References I [1] Frank Stajano and Ross Anderson. The Cocaine Auction Protocol: On The Power Of Anonymous Broadcast. In A. Pfitzmann, ed. Proceedings of Information Hiding Workshop 1999. LNCS Springer, 1999. [2] M. B. Caminati, M. Kerber, C. Lange, and C. Rowat. Sound auction specification and implementation. 16th ACM Conference on Economics and Computation, EC’15 . ACM, 2015. [3] F. Kammüller and C. W. Probst, Modeling and verification of insider threats using logical analysis, IEEE Systems Journal , 2016. [Online]. Available: http: //dx.doi.org/10.1109/JSYST.2015.2453215 [4] F. Kammüller. Verification of DNSsec Delegation Signatures. 21st International IEEE Conference on Telecommunication . IEEE, 2014. [5] F. Kammüller and S. Preibusch. Privacy Analysis of a Hidden Friendship Protocol. Data Privacy Management DPM’13, ESORICS. Vol. 8247, LNCS, Springer, 2013. 7
References II [6] F. Kammüller. A Semi-Lattice Model for Multi-Lateral Security. Data Privacy Management DPM’12, ESORICS. p. 118–132, Vol. 7731, LNCS Security and Cryptology, Springer, 2013. [7] T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL – A Proof Assistant for Higher-Order Logic , 2283 LNCS. Springer-Verlag, 2002. [8] J. Boender, F. Kammüller, R. Nagarajan. Formalization of quantum protocols using Coq. 12th International Workshop on Quantum Physics and Logic . EPTCS 195, 2015. http://dx.doi. org/10.4204/EPTCS.195 [9] F. Kammüller and C. W. Probst, Invalidating policies using structural information, in WRIT’13, SPW . IEEE, 2013. [10] D. M. Cappelli, A. P . Moore, and R. F. Trzeciak, The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud), 1st ed., ser. SEI Series in Software Engineering. Addison-Wesley Professional, Feb. 2012. [Online]. Available: http://www.amazon.com/exec/obidos/redirect?tag=citeulike07- 20&path=ASIN/0321812573 [11] F. Kammüller. Formalizing Non-Interference for A Small Bytecode-Language in Coq. Formal Aspects of Computing : 20 (3):259–275. Springer, 2008. 8
References III [12] Jason R. C. Nurse and Oliver Buckley and Philip A. Legg and Michael Goldsmith and Sadie Creese and Gordon R. T. Wright and Monica Whitty, Understanding Insider Threat: A Framework for Characterising Attacks, IEEE Security and Privacy Workshops (SPW), WRIT , 2014. [13] F. Kammüller. Refactoring Preserves Security. Data Privacy Management, DPM’16, 11th Int. Workshop ESORICS’16, LNCS, Springer, 2016. [14] F. Kammüller. Isabelle Modelchecking for Insider Threats. Data Privacy Management, DPM’16, 11th Int. Workshop, ESORICS’16. LNCS, Springer, 2016. [15] F. Kammüller, M. Kerber, C. W. Probst. Towards Formal Analysis of Insider Threats for Auctions. 8th ACM CCS International Workshop on Managing Insider Security Threats, MIST’16. ACM, 2016. [16] F. Kammüller, J. R. C. Nurse, and C. W. Probst. Attack Tree Analysis for Insider Threats on the IoT using Isabelle. 4th International Conference on Human Aspects of Security, Privacy and Trust, HCII-HAS 2016 . Vol. 9750, LNCS, Springer 2016. [17] F. Kammüller and M. Kerber. Investigating Airplane Safety and Security against Insider Threats Using Logical Modeling. IEEE Security and Privacy Workshops, SPW, WRIT’16 . 2016. 9
Recommend
More recommend
