Issues in the Verification of Systems

  1. Issues in the Verification of Systems
     Tao Song, Jim Alves-Foss, Karl Levitt
     Computer Security Lab, Computer Science Department, University of California, Davis
     UCDavis SecLab MURI October 2002

  2. Index
     • Background of verification
     • Security of systems
     • Verification of systems

  3. Background of verification
     • What is verification?
       • Existing artifact
       • Formalization
       • Mathematical proof

  4. Background of verification
     • Usage of verification
       • Hardware verification, e.g. ACL2 <-> AMD K5 chipset
       • Protocol verification, e.g. SMV <-> security protocol
       • System verification, e.g. ACL <-> Kit

  5. Background of verification
     • Why verification?
       • Complexity of today's systems
       • Increasing error costs
       • Commonality in reasoning frameworks

  6. Background of verification
     • Formal methods in verification
       • Theorem provers, e.g. HOL, PVS, Coq and ACL2
       • Model checkers, e.g. COSPAN, SPIN, Mocha and SMV

  7. Security of systems
     • Basic concepts of security
       • Security policy and mechanism
       • Specifications, e.g. the specification of the program finger
       • Assumptions

  8. Security of systems
     Example: specification of the program ftpd

       SPEC in.ftpd (<?, ?, in.ftpd, ?, OPS1>)
       SE: <prog>
       <prog>    -> <validop> *;
       <validop> -> (OPEN_RD, WorldReadable($F.mode))
                  | (OPEN_RD, CreatedByProc($P.pid, &$F))
                  | (OPEN_RD, $F.ouid == $S.uid)
                  | (OPEN_WR, CreatedByProc($P.pid, &$F))
                  | (OPEN_WR, $F.path == "/var/log/wtmp")
                  | (CHMOD, CreatedByProc($P.pid, &$F))
                  | (CHOWN, CreatedByProc($P.pid, &$F))
                  | (EXEC, $path == "/bin/tar" || $path == "/bin/compress"
                        || $path == "/bin/ls" || $path == "/bin/gzip")
                  | ……
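As an added example (not from the deck), a Python monitor that encodes the <validop> alternatives of the in.ftpd SPEC above as predicates and checks a constructed audit trail against them; the audit record layout and the Event field names are assumptions, loosely modelled on the $P, $S and $F variables of the specification.

```python
from dataclasses import dataclass
import stat

# EXEC alternative of <validop>: the only programs in.ftpd may execute
EXEC_OK = {"/bin/tar", "/bin/compress", "/bin/ls", "/bin/gzip"}

@dataclass
class Event:
    op: str        # OPEN_RD, OPEN_WR, CHMOD, CHOWN or EXEC
    pid: int       # $P.pid
    uid: int       # $S.uid, the subject's user id
    path: str      # $F.path ($path for EXEC)
    mode: int      # $F.mode
    ouid: int      # $F.ouid, the file owner
    creator: int   # pid that created the file (-1 if unknown), for CreatedByProc

def world_readable(mode): return bool(mode & stat.S_IROTH)
def created_by_proc(e): return e.creator == e.pid
# One (operation, predicate) pair per <validop> alternative of the SPEC
VALIDOPS = [
    ("OPEN_RD", lambda e: world_readable(e.mode)),
    ("OPEN_RD", created_by_proc),
    ("OPEN_RD", lambda e: e.ouid == e.uid),
    ("OPEN_WR", created_by_proc),
    ("OPEN_WR", lambda e: e.path == "/var/log/wtmp"),
    ("CHMOD", created_by_proc),
    ("CHOWN", created_by_proc),
    ("EXEC", lambda e: e.path in EXEC_OK),
]
def parse(line):
    """Audit record layout (constructed): op pid uid path mode ouid creator."""
    op, pid, uid, path, mode, ouid, creator = line.split()
    return Event(op, int(pid), int(uid), path, int(mode, 8), int(ouid), int(creator))

def is_valid(e):
    return any(op == e.op and pred(e) for op, pred in VALIDOPS)

def monitor(trail):
    """Return the events that no <validop> alternative permits (each one is an alarm)."""
    return [e for e in map(parse, trail) if not is_valid(e)]

# Constructed audit trail for a single in.ftpd process (pid 4242, running as uid 65534)
TRAIL = [
    "OPEN_RD 4242 65534 /etc/motd 0644 0 -1",              # world-readable
    "OPEN_WR 4242 65534 /var/log/wtmp 0664 0 -1",          # path named in the SPEC
    "OPEN_WR 4242 65534 /tmp/upload.dat 0600 65534 4242",  # created by this process
    "EXEC 4242 65534 /bin/ls 0755 0 -1",                   # listed program
    "OPEN_RD 4242 65534 /etc/shadow 0600 0 -1",            # matches no alternative
    "EXEC 4242 65534 /bin/sh 0755 0 -1",                   # not in the EXEC list
]
```

Running `monitor(TRAIL)` reports the last two records, which is exactly the deviation from the specification that the monitoring approach on the following slides is meant to catch.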

  9. Security of systems
     • Hierarchical model of a system (diagram, top to bottom):
       Security Policy
       System Programs and Network Protocols
       Specifications for Programs and Protocols
       Valid Operations of Specifications
       System Calls

  10. Security of systems
     • Important issues of systems
       • Access control: the access triple (uid, pid, fid)
       • Setuid programs, e.g. passwd, ftpd, sendmail, etc.
       • System calls; important system calls: open, chown, execve, symlink, chmod, fork, etc.

  11. Security of systems
     • Hard issues in building a security model of a system
       • Define the security policy
       • Describe the behaviors of the system
       • Classify the objects of the system
       • Prove security

  12. System verification
     • An idea of system verification
       • Use specifications to monitor systems
       • Formalize the behaviors of systems according to the specifications
       • Formalize the security policy and the assumptions
       • Formally prove security

  13. System verification
     • Approach of the system
       • Use specifications to monitor the behavior of privileged programs
       • Use ACL2 to formalize and prove security features of systems

  14. System verification
     • Specification model (diagram): specification levels, from the top, System-wide Top Level, System Services, Host Programs and Network Protocols, and Applications; property classes covered: Access, Data Integrity, Operational Integrity, Temporal/Interaction, and Resource Usage

  15. System verification
     • Specification for ARP (Address Resolution Protocol) (state diagram): states i, reply_wait and cached, with transitions labelled ARP Request (i -> reply_wait), ARP Response (reply_wait -> cached) and ARP cache timeout (cached -> i); alarms for Bogus ARP Response, Unsolicited ARP Response and Malformed Request
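As an added example (not the authors' specification), the ARP state machine of slide 15 as a per-IP monitor in Python that raises the three alarms named on the slide; the conditions behind Bogus ARP Response and Malformed Request, the event encoding, and the event stream are assumptions.

```python
import re

IP_RE = re.compile(r"(\d{1,3}\.){3}\d{1,3}")
MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")
BAD_MACS = {"ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"}

class ArpMonitor:
    """Per-IP state machine: i -> reply_wait (ARP Request) -> cached (ARP Response) -> i
    (cache timeout). An IP absent from self.state is in state i."""
    def __init__(self):
        self.state = {}
        self.alarms = []

    def request(self, target_ip):
        # Malformed Request (assumed meaning): target protocol address is not a dotted quad
        if not IP_RE.fullmatch(target_ip):
            self.alarms.append(("Malformed Request", target_ip))
        elif self.state.get(target_ip) != "cached":
            self.state[target_ip] = "reply_wait"

    def response(self, sender_ip, sender_mac):
        if self.state.get(sender_ip) != "reply_wait":
            # Unsolicited ARP Response: no outstanding request for this IP
            self.alarms.append(("Unsolicited ARP Response", f"{sender_ip} is-at {sender_mac}"))
        elif sender_mac in BAD_MACS or not MAC_RE.fullmatch(sender_mac):
            # Bogus ARP Response (assumed meaning): answers our request with an unusable address
            self.alarms.append(("Bogus ARP Response", f"{sender_ip} is-at {sender_mac}"))
        else:
            self.state[sender_ip] = "cached"

    def timeout(self, ip):
        # ARP cache timeout: the entry returns to state i
        self.state.pop(ip, None)

def run(events):
    """Feed (kind, *args) events to a fresh monitor and return it."""
    m = ArpMonitor()
    for kind, *args in events:
        getattr(m, kind)(*args)
    return m

# Constructed event stream as the monitor would see it on one host
EVENTS = [
    ("request", "10.0.0.5"),
    ("response", "10.0.0.5", "52:54:00:12:34:56"),  # answers the request: cached
    ("response", "10.0.0.9", "52:54:00:ab:cd:ef"),  # nobody asked for 10.0.0.9
    ("request", "10.0.0.7"),
    ("response", "10.0.0.7", "ff:ff:ff:ff:ff:ff"),  # broadcast address in a reply
    ("request", "10.0.0"),                           # truncated target address
    ("timeout", "10.0.0.5"),
]
```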

  16. Other protocol specifications
     • Domain Name System (DNS)
     • Network File System (NFS)
     • Dynamic Host Configuration Protocol (DHCP)
     • TCP
     • FTP
     • RIP routing protocol
     • OSPF routing protocol

  17. System verification
     • Requirements of verification
       • Formal statements of the security policy
       • Formal statements of the specifications of privileged programs and protocols
       • Formal statements of the assumptions

  18. System verification
     • Formal statement of the security policy

       (defun policy (pid fid)
         (and (policy_read pid fid)
              (policy_write pid fid)
              (policy_create pid fid)
              (policy_exec pid fid)
              ……))

  19. System verification
     • Formal statement of the security policy

       (defun policy_read (pid fid)
         (or (IsRoot pid)            ; the user id of the process is root
             (Readable pid fid)      ; the file is readable
             (WorldReadable fid)
             ……))

  20. System verification
     • Formal statements of specifications

       (defun spec (pid fid)
         (and (spec_standard pid fid)   ; standard specification of programs
              (spec_passwd pid fid)     ; specification of the program passwd
              ……
              (spec_ARP)                ; specification of the ARP protocol
              ……))

  21. System verification
     • Formal statements of specifications

       (defun spec_chage (pid fid)
         (and (WorldReadable fid)
              (WriteInPath fid "/var/spool/at/.SEQ")
              (CreatedByProc chmod pid fid)
              ……))

  22. System verification
     • Formal statements of assumptions

       (defun assumption (pid)
         (and (assum_sys_1)
              (assum_sys_2)
              ……
              (assum_verify_1)
              (assum_verify_2)
              ……))

  23. System verification
     • An example of an assumption

       (defun assum_sys_n (pid)
         (implies (equal (setuid pid) 0)   ; (setuid pid): the setuid attribute of the process
                  t))

  24. System verification
     • Prototype of the verification theorem

       (defthm verify
         (implies (and (assumption pid) (spec pid fid))
                  (policy pid fid)))
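As an added example for slides 18 to 24 (Python rather than ACL2, and not the authors' code), the proof obligation (implies (and assumption spec) policy) is discharged by exhaustive enumeration over a small finite state space: policy_read follows slide 19, while the State fields, the standard specification and the assumptions are assumed simplifications.

```python
from itertools import product
from typing import NamedTuple

class State(NamedTuple):
    """One (process, file) situation; each field abstracts one of the ACL2 predicates."""
    uid: int                 # user id of the process (0 = root)
    ouid: int                # owner of the file
    world_readable: bool     # WorldReadable(fid)
    created_by_proc: bool    # CreatedByProc(pid, fid)
    readable: bool           # Readable(pid, fid): the kernel grants the process read access

def is_root(s): return s.uid == 0

def policy_read(s):
    # policy_read from slide 19: root, or the file is readable, or world-readable
    return is_root(s) or s.readable or s.world_readable

def spec_standard(s):
    # Assumed standard specification, after the OPEN_RD alternatives of in.ftpd: a non-root
    # process only reads files that are world-readable, that it created, or that it owns
    return is_root(s) or s.world_readable or s.created_by_proc or s.ouid == s.uid

def assumption(s):
    # Assumed system assumptions: a process can read a file it created or owns
    return (not s.created_by_proc or s.readable) and (s.ouid != s.uid or s.readable)

def verify(assume=assumption):
    """Bounded check of (implies (and assumption spec) policy): enumerate every State over
    small domains and return the counterexamples (assumption and spec hold, policy fails)."""
    domains = ([0, 1000], [0, 1000], [False, True], [False, True], [False, True])
    return [s for s in map(State._make, product(*domains))
            if assume(s) and spec_standard(s) and not policy_read(s)]

def verify_without_assumptions():
    """The same check with the assumptions dropped: the spec alone no longer implies policy."""
    return verify(assume=lambda s: True)
```

With the assumptions in place `verify()` finds no counterexample; without them the three states where a non-root process reads a file it created or owns but the kernel denies access violate the policy, which is the kind of assumption analysis listed as ongoing work on the next slide.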

  25. System verification
     • Ongoing work
       • Build a security model of a system
       • Classify the subjects, objects and operations
       • Define security states and state transitions
       • Extend the model to cover network protocols
       • Automatic verification
       • Analyze the assumptions underlying the security of a system
       • Refine the formal statements of specifications

  26. Thank you