A Security Framework for Executables in a Ubiquitous Computing Environment

  • Published on
    13-Feb-2016

DESCRIPTION

A Security Framework for Executables in a Ubiquitous Computing Environment. Globecom 2004 1 st December 2004 Dr. David Llewellyn-Jones, Prof. Madjid Merabti, Dr. Qi Shi, Dr. Bob Askwith School of Computing and Mathematical Sciences Liverpool John Moores University - PowerPoint PPT Presentation

Transcript

  • A Security Framework for Executables in a Ubiquitous Computing Environment

    Globecom 2004

    1st December 2004

    Dr. David Llewellyn-Jones, Prof. Madjid Merabti, Dr. Qi Shi, Dr. Bob Askwith

    School of Computing and Mathematical Sciences
    Liverpool John Moores University
    James Parsons Building
    Byrom Street
    Liverpool L3 3AF

    {D.Llewellyn-Jones, M.Merabti, Q.Shi, R.Askwith}@livjm.ac.uk
    http://www.cms.livjm.ac.uk/PUCsec/

  • Ubiquitous computing security

    Ubiquitous computing properties
    Computers form an integral part of the environment
    Devices are networked
    Data flow is highly fluid
    Code is also likely to move between devices
    Security in such an environment is paramount

  • Focus on executables

    Current security paradigm relies on a safe area
    Perimeter model prevents incoming threats
    Only certain programs can be used
    Safe area is administered by trained professionals
    This model no longer applies in a Ubicomp environment
    There is no perimeter
    Users cannot be expected to have the same expertise as administrators
    Nonetheless, users will demand a safe environment
    Adoption of Ubicomp technology is dependent on overcoming these problems
    We focus on safe code execution as the bedrock of all other security requirements

  • Existing security solutions

    A number of solutions exist to facilitate safe code execution
    Sandboxing
    Certification
    Proof Carrying Code
    Direct Code Analysis
    Each has benefits and drawbacks
    To achieve a universal and automated solution a hybrid approach is required

  • Hybrid solution

    In this presentation we will present our prototype hybrid solution
    Our aim has been to produce an automated system
    Properties of code are tested against a security policy
    Code conforming to the policy can be executed without restriction
    Where possible, sandbox techniques can be used to force code conformance
    Otherwise the code is prevented from execution
    In order to achieve this, we aim to utilise all four of the described methods, in conjunction with component composition
    Component composition establishes the properties of a composed application based on the properties of the constituent components

  • Hybrid solution

    We propose a 3 stage solution
    Stage 1: Component analysis
    Stage 2: Component composition
    Stage 3: Dynamic sandboxed execution

    The implementation will be considered in detail

  • Stage 1: Component analysis

    The following techniques have been discussed
    Certification
    Proof Carrying Code
    Direct Code Analysis

  • Extended executables

    Encodes additional data with the executable
    Allows all of the techniques to be used in a transparent way
    Plain vanilla code must also be usable

    extended executable = code | header, block
    block = code | {block [, X-properties [, X-proof]]}K_X | block, X-properties, X-proof
    code = the vanilla executable code
    header = description of the structure of the data
    X-properties = description of the properties of the code established by actor X
    X-proof = PCC style property proof of the properties established by actor X
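An added illustration, not the authors' format or code, of how the grammar above lets actor-sealed property claims nest around the code while plain vanilla code still passes through untouched. The JSON/base64 encoding, the HMAC standing in for the {…}K_X seal, the header fields and all actor names and sample values are assumptions made for this example.

```python
import base64, hashlib, hmac, json
# Assumed encoding (not the paper's): a block is a base64 string (vanilla code), an unsealed dict
# {"block", "X-properties", "X-proof"}, or a sealed dict as produced by seal().
def seal(block, actor, key, properties=None, proof=None):
    """{block [, X-properties [, X-proof]]}K_X: an HMAC-SHA256 under K_X stands in for X's signature."""
    inner = {"block": block, "X-properties": properties, "X-proof": proof}
    payload = json.dumps(inner, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"sealed": base64.b64encode(payload).decode(), "actor": actor, "tag": tag}

def depth(block):
    """Nesting depth of the block structure; recorded in the header as the structure description."""
    if isinstance(block, str):
        return 0
    inner = json.loads(base64.b64decode(block["sealed"]))["block"] if "sealed" in block else block["block"]
    return 1 + depth(inner)

def extended_executable(code, block=None):
    """extended executable = code | header, block. Plain vanilla code gets neither header nor block."""
    b64 = base64.b64encode(code).decode()
    if block is None:
        return {"code": b64}
    return {"code": b64, "header": {"format": "ext-exe/1", "depth": depth(block)}, "block": block}

def trusted_properties(ext, keys):
    """Properties vouched for by actors whose seal verifies under keys[actor]; unsealed claims are ignored."""
    return _walk(ext["block"], keys) if "block" in ext else []

def _walk(block, keys):
    if isinstance(block, str):
        return []                       # reached the vanilla code
    if "sealed" in block:
        payload = base64.b64decode(block["sealed"])
        key = keys.get(block["actor"])
        expect = hmac.new(key, payload, hashlib.sha256).hexdigest() if key else ""
        if not key or not hmac.compare_digest(expect, block["tag"]):
            return []                   # unknown actor or forged seal: nothing inside is trusted
        inner = json.loads(payload)
        found = _walk(inner["block"], keys)
        if inner["X-properties"]:
            found.append((block["actor"], inner["X-properties"]))
        return found
    return _walk(block["block"], keys)  # unsealed block: skip its own claims, keep descending

# Constructed sample: the vendor seals the code with a property, then a test lab seals the vendor's block.
CODE = b"\x90\x90\xc3"
KEYS = {"vendor": b"vendor-key", "lab": b"lab-key"}
VENDOR = seal(base64.b64encode(CODE).decode(), "vendor", KEYS["vendor"], {"max_bytes_ch0": 64})
LAB = seal(VENDOR, "lab", KEYS["lab"], {"no_buffer_overrun": True}, proof="pcc-proof-placeholder")
EXT = extended_executable(CODE, LAB)
```

A receiver holding only the lab's key still recovers the lab's claim, while a block whose seal does not verify contributes nothing, so an unverifiable wrapper cannot smuggle properties in.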

  • Direct Code Analysis

    When plain code is received we require a method of establishing its properties
    We employ Direct Code Analysis for this task
    Based on the method developed by Floyd and Hoare
    Code is converted into logic based on pre and post conditions
    Reasoning establishes whether these conditions hold or not
    Combines the PCC process into a single task

  • DCA benefits and drawbacks

    Benefits
    Based on an a priori process
    Fully automated process
    Any property representable in propositional logic can be tested
    Drawbacks
    Resource intensive
    Exponential complexity
    Only properties representable in propositional logic can be tested

  • DCA experimental results

    Analysis of linear code is efficient
    Branching code is more complex
    Depends on branch direction
    Depends on internal loop length
    Success establishing buffer overruns
    Implemented as an automated process

    Sample program analysed:
        ;----------------------------------
        ; Initialise
        MOV *0 0
        ;----------------------------------
        ; Main loop
        ADD *0 *0 1
        ADD *2 *0 3
        ;----------------------------------
        ; End of program.
        End

    Post condition: (ind(M, 0) < 50)
    Test platform: 600MHz Intel XScale 80321 ARM compatible processor
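An added example, not the authors' DCA engine, of the Floyd-Hoare reasoning the slide describes, run over the sample program above: the post condition is pushed backwards through each assignment to obtain the weakest precondition, which is then evaluated. The instruction semantics assumed here (MOV *d n sets M[d] := n, ADD *d *s n sets M[d] := M[s] + n, and ind(M, 0) is the value of memory cell 0) are inferred from the slide; the code handles straight-line programs only.

```python
PROGRAM = """;----------------------------------
; Initialise
MOV *0 0
;----------------------------------
; Main loop
ADD *0 *0 1
ADD *2 *0 3
;----------------------------------
; End of program.
End
"""
POST = ("lt", ("mem", 0), ("const", 50))   # the slide's post condition ind(M, 0) < 50

def parse(program):
    """';' starts a comment, 'End' ends the program, '*n' names memory cell n."""
    insns = []
    for line in program.splitlines():
        line = line.split(";", 1)[0].strip()
        if line and line != "End":
            op, *args = line.split()
            insns.append((op, [int(a.lstrip("*")) for a in args]))
    return insns

def subst(expr, cell, repl):
    """expr with every M[cell] replaced by repl: the substitution of the Hoare assignment axiom."""
    if expr[0] == "mem":
        return repl if expr[1] == cell else expr
    if expr[0] == "const":
        return expr
    return (expr[0], subst(expr[1], cell, repl), subst(expr[2], cell, repl))

def wp(insns, post):
    """Weakest precondition of straight-line code: walk backwards from the post condition."""
    pred = post
    for op, cells in reversed(insns):
        if op == "MOV":      # MOV *d n     is  M[d] := n
            pred = subst(pred, cells[0], ("const", cells[1]))
        elif op == "ADD":    # ADD *d *s n  is  M[d] := M[s] + n
            pred = subst(pred, cells[0], ("add", ("mem", cells[1]), ("const", cells[2])))
    return pred

def holds(pred, initial):
    """Evaluate a predicate over an initial memory {cell: value}; unlisted cells raise KeyError."""
    if pred[0] in ("const", "mem"):
        return pred[1] if pred[0] == "const" else initial[pred[1]]
    a, b = holds(pred[1], initial), holds(pred[2], initial)
    return a + b if pred[0] == "add" else a < b

def check(program=PROGRAM, post=POST, initial=None):
    return holds(wp(parse(program), post), initial or {})
```

For the slide's program the MOV discharges every reference to the initial memory, so the precondition collapses to 0 + 1 < 50 and the post condition holds unconditionally; drop the MOV and the verdict depends on the initial value of cell 0.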

  • Stage 2: Component composition

    Having established the properties of individual components we must establish the properties of the composed application

  • Component composition

    Individual components make up the complete application
    Components may be composed across a network
    We know the properties of each component; must establish the properties of the composed application
    Non-trivial process
    Many theoretical results exist
    Aim to implement a practical solution
    Why not just analyse the entire application?

    Definition: An interface $E$ of a component is said to satisfy non-interference iff for any trace $t \in T_E$ there exists a trace $t' \in T_E$ such that $t'|_{HI_E} = \varepsilon$ and $t'|_{(LI_E \cup LO_E)} = t|_{(LI_E \cup LO_E)}$ (where $\varepsilon$ is the empty trace and $t|_S$ is the restriction of $t$ to the events in $S$).

  • Component composition

    Implementation
    Based on an extensible, scriptable technique
    Analyse the properties of individual components combined with the component topology
    Use PROLOG-like XML

    [Figure: example composition script; labels: "A sandbox method", "Defined to be any property", "A particular property"]

  • Component composition experimental results

    So far our engine has been found to be flexible enough to cope with all the theoretical composition results tested from the literature
    These include
    Hierarchical results such as Composable Assurance
    Restrictive results such as Non-Interference
    Practical buffer overrun results
    Analysis time depends on complexity of system being analysed
    In general, scripting ensures that the time required is negligible

  • Example: buffer overruns

    Simple component topology [figure]
    Component B suffers a buffer overrun vulnerability if more than 64 non-terminated bytes are sent on channel 0
    May establish A sends no more than 64 bytes
    Component composition indicates no buffer overrun vulnerability exists for the composed application
    May establish A potentially sends more than 64 bytes
    Component composition indicates a buffer overrun vulnerability exists under certain circumstances
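An added example, not the authors' composition engine, of deriving the composed application's buffer overrun property from the component properties and topology in this slide. The XML form, the property names ("max-bytes", "overrun-if-over") and the component names are assumptions for this example; the prototype's PROLOG-like XML is not shown on the slide.

```python
import xml.etree.ElementTree as ET

# Constructed topology in an assumed XML form: A sends to B on channel 0.
TOPOLOGY = """<application>
  <component name="A"><property type="max-bytes" channel="0" value="64"/></component>
  <component name="B"><property type="overrun-if-over" channel="0" value="64"/></component>
  <link from="A" to="B" channel="0"/>
</application>"""

def load(xml_text):
    """Component properties as (type, channel, value) triples plus the (from, to, channel) links."""
    root = ET.fromstring(xml_text)
    comps = {c.get("name"): [(p.get("type"), int(p.get("channel")), int(p.get("value")))
                             for p in c.findall("property")] for c in root.findall("component")}
    links = [(l.get("from"), l.get("to"), int(l.get("channel"))) for l in root.findall("link")]
    return comps, links

def bound(props, kind, channel):
    """Value of the first property of the given kind on the channel, or None if none was established."""
    return next((v for t, c, v in props if t == kind and c == channel), None)

def compose(xml_text):
    """Per link: is the receiver's overrun condition ruled out by what is known of the sender?"""
    comps, links = load(xml_text)
    verdicts = {}
    for src, dst, ch in links:
        limit = bound(comps[dst], "overrun-if-over", ch)
        if limit is None:
            verdicts[(src, dst, ch)] = "not applicable"   # receiver has no overrun property here
            continue
        sent = bound(comps[src], "max-bytes", ch)
        if sent is not None and sent <= limit:
            verdicts[(src, dst, ch)] = "safe"             # sender bounded below the limit: no overrun
        else:                                             # bound unknown or above the limit
            verdicts[(src, dst, ch)] = "vulnerable under certain circumstances"
    return verdicts

def application_safe(xml_text):
    """The composed application is free of buffer overrun vulnerabilities iff no link is vulnerable."""
    return all(v != "vulnerable under certain circumstances" for v in compose(xml_text).values())
```

With A's bound at 64 the composition discharges B's condition; raise A's bound above 64, or remove it, and the composed application is reported vulnerable under certain circumstances, as on the slide.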

  • Summary

    Have developed a framework for ensuring executable security appropriate for a Ubiquitous Computing environment
    Our framework utilises
    Sandboxing
    Certification
    Proof Carrying Code
    Direct Code Analysis
    Component composition
    Current prototype utilises
    Direct Code Analysis
    Component composition
    Fully automated framework

  • Future work

    Investigate dynamic sandboxing techniques
    Combine all of the methods into a fully automated framework
    Design using a simple agent-based component composition model
    Build sensible security policies around the system
    Introduce distributed analysis
