
Overview: Model Checking and Security Patterns

Overview: Model Checking and Security Patterns. Maha B Abbey, PhD Candidate. Model Checking. Automatic technique for verifying finite state concurrent systems. Exhaustive search of the system state space to determine whether some specification holds.


Presentation Transcript


  1. Overview: Model Checking and Security Patterns
     Maha B Abbey, PhD Candidate

  2. Model Checking
     • Automatic technique for verifying finite state concurrent systems
     • Exhaustive search of the system state space to determine whether some specification holds
     • Refers to the process of ensuring that certain desired properties of a system hold under the stated conditions and during the required states of operation
     • Provides a fault detection mechanism that examines the robustness of the application and finds inconsistencies and problems in early stages of development
     • Verification of a system against its requirements makes it possible to automatically verify requirements expressed in notations such as MSCs or sequence diagrams
     • When designing safety-critical or complex systems, a model checker makes it possible to test specific properties of the design

  3. Model Checking Process
     • Modeling – formal design
       • Convert a design into a formalism accepted by a model checking tool. Modeling a design may require abstraction to eliminate irrelevant or unimportant details
     • Specification – temporal logic (properties to specify)
       • Before verification, it is necessary to state the properties that the design must satisfy. Temporal logic is commonly used, since it can assert how the behavior of the system evolves over time.
       • Issue: completeness – it is hard, even impossible, to determine whether a given specification covers all the properties that a system should satisfy.
     • Verification – ideally automatic
       • Still requires a manual step: analyzing the verification results. Error traces are often generated and used by the designer to track down where the error occurred.

  4. Model Checking – some methods and tools
     • SDL/SDT
       • Systems are modeled in terms of concurrently executing state machines that communicate via messages (signals)
       • The graphical notation is used mainly for specification capture; the textual notation is used as a machine-parsable source of specification knowledge by simulation and analysis tools
     • Promela/Spin
       • Used for the formal verification of distributed software systems with respect to temporal logic formulas such as LTL. It can operate as a simulator, following one possible execution path through the system and presenting the resulting execution trace
       • The tool supports a high-level language for system descriptions, called PROMELA (PROcess MEta LAnguage), which supports dynamic creation of models of concurrent systems
     • CPN Tool
       • Colored Petri Nets: Petri nets with the addition of color to model data, time to model durations, and hierarchy to structure large models
       • The tool allows syntax checking and code generation. Full and partial state spaces can be generated and analyzed

  5. Security Patterns
     • A pattern is a packaged solution to a recurrent problem.
     • Analysis and design patterns are well established as a convenient and reusable way to build high-quality object-oriented software
       • Analysis patterns can be used to build conceptual models in a simpler and faster way
       • Architectural patterns can make software architectures more extensible or use resources more efficiently
       • Design patterns can be used to make software more flexible and reusable
     • All security countermeasures can be classified into five groups: Identification and Authentication, Access Control and Authorization, Logging, Cryptography, and Intrusion Detection.
     • Security patterns describe mechanisms that fall into these categories (or combinations thereof) to stop or mitigate attacks, as well as the abstract models that guide the design of these mechanisms

  6. Can Model Checking be applied to Security Patterns?
     • Some notations used for patterns are
       • UML
       • Tropos
         • agent-oriented development methodology based on knowledge-level concepts (such as actor, goal, and the dependency between actors) with a particular focus on requirements analysis
       • SQUARE (Security QUAlity Requirements Engineering)
         • provides a means for eliciting, categorizing, and prioritizing security requirements for information technology systems and applications
     • Focus on UML
       • How to verify a UML model?
       • Model checking needs a finite-state-machine type of notation
       • The goal is to go from UML to a finite state diagram

  7. UML and Model Checking
     • Many methodologies (translations) exist
       • UML/SDL
       • UML/Promela
       • UML/CPN
     • What should be used as input to the model checker?
     • UML includes
       • structural diagrams: Class, Object, Component, Deployment
       • behavioral diagrams: Use case, Sequence, Collaboration, State, Activity
     • State and sequence diagrams are the two most representative notations for describing the dynamic behavior of a system
     • Analyze properties of state diagrams (state charts)
       • Verifying state charts against desirable sequence diagrams
       • Verifying state charts against non-desirable sequence diagrams
     • Verification with state and sequence diagrams has to be carried out automatically and efficiently

  8. Model Checking and Security Patterns – Related work (1)
     • Model checking techniques to analyze the consistency of security pattern compositions
       • Formally specify the behavioral aspect of the security patterns, as well as the properties of each security pattern
       • A model checker is used to perform the analysis and check whether the characteristics of each security pattern still hold after they are composed
       • Analysis results show that the approach is able to find design errors that may lead to security holes and flaws
     • Using Security Patterns to Model and Analyze Security Requirements
       • Use of UML to represent structural and behavioral information
       • Verification of requirements properties is enabled by adding formal constraints to the patterns
       • Use the security patterns to construct a basic foundation for the system and refine the UML high-level structural and behavioral models of the system
       • Generate a Promela model of the system from the UML diagrams
       • Specify properties for the system by instantiating the specification patterns from the Constraints field of the security patterns
       • Use the model checker SPIN to determine whether the properties are satisfied
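The three-step process of slide 3 (model, specify a property, verify exhaustively and read the error trace) and the composition check of slide 8 (does a pattern's property still hold once it is composed with another?) as an added, runnable illustration; this is a constructed example and not code or a model from any of the cited papers. The checker is a minimal explicit-state breadth-first search, and the model (an Authenticator composed with a Reference Monitor, the state tuple and the `clear_token_on_logout` switch) is invented for the example.

```python
# Added example: explicit-state model checker (BFS over the reachable state space).
from collections import deque

def model_check(initial, transitions, invariant):
    """transitions: (name, step) pairs; step(state) gives the successor or None
    if disabled. Returns (True, None) or (False, trace_of_transition_names)."""
    parent = {initial: None}          # state -> (predecessor, transition name)
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        if not invariant(state):      # violation: rebuild the error trace
            trace = []
            while parent[state] is not None:
                state, name = parent[state]
                trace.append(name)
            return False, trace[::-1]
        for name, step in transitions:
            nxt = step(state)
            if nxt is not None and nxt not in parent:
                parent[nxt] = (state, name)
                queue.append(nxt)
    return True, None
# Constructed model: an Authenticator (login issues a session token, logout ends
# the session) composed with a Reference Monitor (grants a pending request when
# the token is valid). State = (authenticated, token_valid, request_pending, accessing).
def login(s):
    a, t, p, x = s
    return None if a else (True, True, p, x)
def logout(s, clear_token):
    a, t, p, x = s
    if not a or x:                    # no session, or access still in progress
        return None
    return (False, t and not clear_token, p, x)
def request(s):
    a, t, p, x = s
    return None if p or x else (a, t, True, x)
def grant(s):
    a, t, p, x = s
    return (a, t, False, True) if p and t else None
def release(s):
    a, t, p, x = s
    return (a, t, p, False) if x else None
def no_unauthenticated_access(s):     # the Constraints-field property to verify
    a, _, _, x = s
    return a or not x
def check_composition(clear_token_on_logout):
    steps = [("login", login), ("logout", lambda s: logout(s, clear_token_on_logout)),
             ("request", request), ("grant", grant), ("release", release)]
    return model_check((False, False, False, False), steps, no_unauthenticated_access)
```

With `clear_token_on_logout=False` the composition leaves the Authenticator's token valid after logout, and the checker returns the trace login, logout, request, grant, which is exactly the kind of composition flaw slide 8 describes; with `True` every reachable state satisfies the property.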

  9. Model Checking and Security Patterns – Related work (2)
     • UMLsec
       • allows one to express security-related information within the diagrams of a UML system specification
       • UML profile using the standard UML extension mechanisms: stereotypes, tagged values and constraints. Stereotypes are used together with tags to formulate security requirements and assumptions on the system environment, and constraints give criteria used to determine whether the requirements are met by the system design

  10. Model Checking and Security Patterns – Related work (3)
     • UMLsec
       • evaluate UML specifications for vulnerabilities in design
       • encapsulate established rules of prudent security engineering
       • make them available to developers not specialized in security
       • consider security from early design phases, in system context
       • make verification cost-effective
     • UML extension mechanisms (stereotype, tagged value, constraint, profile)
     • UMLsec: general ideas
       • Activity diagram: secure control flow, coordination
       • Class diagram: exchange of data preserves security levels
       • Sequence diagram: security-critical interaction
       • State chart diagram: security preserved within object
       • Deployment diagram: physical security requirements
       • Package: holistic view on security
     • UML verification framework supporting the construction of automated requirements analysis tools for UML diagrams. The framework is connected to industrial CASE tools using XMI and gives convenient access to this data and to the human user.
     • A plug-in that utilizes the model checker Spin to verify security properties of UMLsec models

  11. Some References
     • "Model Checking", Edmund M. Clarke Jr., Orna Grumberg, Doron A. Peled, The MIT Press, ISBN 0262032708
     • "Model Checking Security Pattern Compositions", Jing Dong, Tu Peng, Yajing Zhao, Seventh International Conference on Quality Software (QSIC 2007), 0-7695-3035-4/07, 2007 IEEE
     • "From security patterns to implementation using petri nets", Viktor Horvath, Till Dörges, ICSE 2008
     • "Early Safety Analysis: from Use Cases to Component-based Software Development", Yunja Choi, JOT 2002
     • "Security Patterns", Ed Fernandez, EFSSI 2006
     • "Using Security Patterns to Model and Analyze Security Requirements", Betty H.C. Cheng, Sascha Konrad, Laura A. Campbell, Ronald Wassermann, IEEE Workshop on Requirements for High Assurance Systems 2003
     • "Using Security Patterns to Model and Analyze Security Requirements", Betty H.C. Cheng, Sascha Konrad, Laura A. Campbell, and Ronald Wassermann, CDA-9700732, CCR-9901017, RHAS03
     • Promela/Spin, http://spinroot.com
     • SDL/SDT, http://www.sdl-forum.org/
     • CPN Tool, http://wiki.daimi.au.dk/cpntools/cpntools.wiki
     • UMLsec, http://www4.in.tum.de/~umlsec/

  12. Possible directions and additional research
     • Constraint definitions are an important element of model checking – how can OCL be used in a process of security pattern verification using model checking techniques?
     • Model checking security patterns for web services
       • Use existing patterns developed by the Security research group
       • Use the UMLsec integrated approach to security verification
     • Conceptual models and design models
       • Can properties on a conceptual model be propagated to the design model?
       • Having proved that the security model is correct, can the design model be proved correct as well?
       • Design models are usually more detailed than conceptual models. Can security-related semantics be guaranteed never to change while going from one to the other?

  13. Feedback
