


Detecting Cognitive Causes of Confidentiality Leaks

Rimvydas Rukšėnas, Paul Curzon

(Queen Mary, University of London)

Ann Blandford

(University College London)

FMIS 2006, Macau



The topic

  • Ensuring (by formal modelling and verification) secure information flow from the user to a secure device / application.




The context

  • Security of software systems (technical aspects):

    • the implementation of a system does not leak confidential information.

  • User-centred security (social dimensions):

    • work practices;

    • the relationships between system users;

    • security threats exploiting social engineering techniques.




Our focus

  • Potential leaks of information caused by the combination of human cognition and interface designs.




Outline

  • Formal user model.

  • An example.

  • Conclusion.




Formal user modelling

  • Even behaving rationally, humans systematically make errors when performing tasks with interactive systems.

  • The erroneous actions are unintentional. They emerge from a combination of specific design decisions and human cognition.

  • A formal model of cognitively plausible behaviour is helpful in detecting such design flaws.




Abstract cognitive principles

  • Non-determinism: any cognitively plausible action might be taken.

  • Distinction between mental and physical actions.

  • User goals: preconceived knowledge of the task and task dependent sub-goals.

  • Reactive behaviour: people respond to interface prompts, if these seem relevant to their task.

  • Goal based task completion: users tend to finish interactions once their goal has been achieved.

  • No-option based termination.



Generic user model in SAL

  UserModel {goals,acts,…} =
    TRANSITION
      ([]i: Goal_Commit: … )
      [] ([]i: React_Commit: … )
      [] ([]i: Goal_Transition: … )
      [] ([]i: React_Transition: … )
      [] Exit: …
      [] Abort: …
      [] Idle: …

  Goal_Transition:
    gcommit[i] = committed
      Transition(i,goals);
      gcommit'[i] = done;
      gcommitted' = FALSE




An example: authentication interface




Authentication procedure as a FSM




The structure of specifications



User goals (knowledge)

  • Enter user name.

  • Enter password.

  seen[InputName]

  value'[InputName] = in.name



Reactive behaviour

  • Enter user name.

  • Enter password.

  • Press Enter button.

  • Acknowledge a message.

  seen[InputName] mem.failed

  mem.entered[InputName]

  value'[InputName] = in.name




User perception & interpretation

  • By label:

    (i,j): label[i] = NameLabel  label[j] = PassLabel  InputName = i InputPass = j

  • By habit:

    (i,j): precedes(i,j) InputName = i InputPass = j

  • Random:

    (label[i] = label[j] ((i,j): precedes(i,j))) 

    InputName  InputPass




Correctness properties

  • Usability: System F(LoginMsg)

  • Security: System [] Tester G(SecurityBreach)

    • Tester module:

      [](j:Inbox): level[j] = Low  value[j] = env.password

      SecurityBreach' = TRUE




Confidentiality leakage

  • precedes(InputName,InputPass)




Secure design

  • precedes(InputName,InputPass)

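The leak-finding argument of the interpretation, correctness-property, leakage and secure-design slides, as an added illustration that is not the authors' SAL model: every cognitively plausible assignment of the name and password boxes is explored, and the Tester predicate fires when the password lands in a Low box. The reading of the three interpretation rules, the two-box layouts and the confidentiality levels are assumptions made here.

```python
from itertools import permutations

NAME_LABEL, PASS_LABEL = "NameLabel", "PassLabel"
LOW, HIGH = "Low", "High"


def precedes(i, j):
    """Box i sits before box j on screen: the ordering the 'habit' rule uses."""
    return i < j


def plausible_interpretations(layout):
    """Every (InputName, InputPass) pair a cognitively plausible user may adopt.

    Assumed reading of the slide's three rules: by label, by habit (an earlier
    box is the name box), and random (any distinct pair) when labels give no cue.
    The union models the non-determinism of the SAL user model.
    """
    idx = range(len(layout))
    labels = [lab for lab, _ in layout]
    by_label = {(i, j) for i in idx for j in idx
                if labels[i] == NAME_LABEL and labels[j] == PASS_LABEL}
    by_habit = {(i, j) for i in idx for j in idx if precedes(i, j)}
    if not by_label:
        by_label = set(permutations(idx, 2))  # random interpretation
    return by_label | by_habit


def leaks_password(layout, password="constructed-secret"):
    """Tester module: True if some plausible run puts the password in a Low box."""
    for input_name, input_pass in plausible_interpretations(layout):
        value = [None] * len(layout)
        value[input_name] = "alice"   # user goal: enter user name
        value[input_pass] = password  # user goal: enter password
        if any(level == LOW and value[j] == password
               for j, (_, level) in enumerate(layout)):
            return True               # SecurityBreach' = TRUE
    return False


# Constructed layouts: (label, confidentiality level) in on-screen order.
LEAKY_LAYOUT = [(PASS_LABEL, HIGH), (NAME_LABEL, LOW)]    # password box first
SECURE_LAYOUT = [(NAME_LABEL, LOW), (PASS_LABEL, HIGH)]   # name box first
UNLABELLED_LAYOUT = [(None, LOW), (None, HIGH)]

if __name__ == "__main__":
    for name, layout in [("leaky", LEAKY_LAYOUT), ("secure", SECURE_LAYOUT),
                         ("unlabelled", UNLABELLED_LAYOUT)]:
        print(name, "leaks" if leaks_password(layout) else "safe")
```

The leaky layout is the case where habit and labels disagree, so one plausible run types the password into the Low-level name box; in the secure layout both rules pick the same boxes and no run breaches.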



Conclusions

  • We investigated the formal modelling of cognitive aspects of confidentiality leaks.

  • We extended our approach, based on usability verification, to address some aspects of information-flow security.

  • We presented a simple example where the layout of input fields can result in security breaches: www.dcs.qmul.ac.uk/~rimvydas/usermodel/fmis06.zip




Future work

  • Other (more complex) security properties.

  • Generic user interpretation model.

  • Scaling-up.
