A constraint framework for the qualitative analysis of dependability goals: Integrity
Stefano Bistarelli
Consiglio Nazionale delle Ricerche, Istituto di Informatica e Telematica - Pisa
Università degli Studi “G. D’Annunzio”, Dipartimento di Scienze - Pescara
Joint work with Simon Foley, University College Cork, Ireland
A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli
The Idea
• A system/application behaviour can be defined as a set of rules
– Each rule is a constraint
– A system/application behaviour is a Constraint Satisfaction Problem (CSP)
– Properties of the CSP give security properties of the system
• Confidentiality [Bella-Bistarelli@PADL2001]
• Authentication [Bella-Bistarelli@CISPW2002]
• Today's example:
– Integrity (ext. [Bistarelli-Foley@Policy2003])
(Integrity) Policy
• How do we know whether a security (integrity) policy is correctly configured?
• A policy configuration may allow an unexpected compromise via a circuitous authorization route.
• Goal: analyze policy configurations.
– … let’s start with an example …
Is this system Secure?
• Enterprise receives shipments and generates associated payments
• Does this system have integrity?
Is this system Secure?
• One dishonest clerk
• Two colluding and dishonest clerks
• Unreliable system/software
• …
What is Integrity?
• Conventional models [Biba, Clark-Wilson, Yellow Book, RBAC]:
– are modelled in terms of the system,
– define “best practice” for integrity, and
– define integrity in terms of the specific mechanisms to use, but do not propose a denotational definition of integrity
• They define how to (possibly) achieve integrity, but not what it is!
… Integrity?? …
• Define the situations when
– modification of information is authorised
– and enforced by the security mechanism of the system.
• “dependability w.r.t. absence of improper alterations”
What is integrity?
• To properly define integrity it is necessary to model both the system and the infrastructure [Foley98]
– Even if the system is functionally correct, the infrastructure is likely to fail: SW, HW, users!
System Requirements
• First consider the requirement!
– Only later consider how to implement it!
• Enterprise receives shipments and generates associated payments
The idea: A constraint based approach
• Model the components of the system and infrastructure relevant to integrity
– In an abstract and declarative way
– Constraints to model the relationships between system and infrastructure
– Soft constraints to perform a quantitative/qualitative analysis of the policy (probability/optimization reasoning)
System Requirements
• Enterprise receives shipments and generates associated payments
• Integrity requirement analysis (black box):
$\mathit{Probity} \equiv \mathit{pay} \le \mathit{ship}$
The constraint variables pay and ship are invariants on the number of payments and the number of shipments made to date.
Implementation and Refinement. Honest Clerks
$\mathit{Clerk} \equiv \mathit{inv} \le \mathit{ship}$
$\mathit{Appl} \equiv \mathit{pay} \le \mathit{inv}$
$\mathit{Imp}_1 \equiv \mathit{Appl} \otimes \mathit{Clerk}$
Implementation and Refinement. Dishonest Clerks
$\mathit{Clerk} \equiv \mathit{inv} \le \mathit{ship} \;\vee\; \mathit{ship} \le \mathit{inv}$
$\mathit{Appl} \equiv \mathit{pay} \le \mathit{inv}$
$\mathit{Imp}_2 \equiv \mathit{Appl} \otimes \mathit{Clerk}$
The system is not resilient to the faults.
Implementation and Refinement. Separation of Duties
$\mathit{Clerk}_1 \equiv \mathit{con} \le \mathit{ship}$
$\mathit{Clerk}_2 \equiv \mathit{inv} \le \mathit{ship}$
$\mathit{Appl} \equiv \mathit{pay} \le \min(\mathit{inv}, \mathit{con})$
$\mathit{Imp}_3 \equiv \mathit{Appl} \otimes \mathit{Clerk}_1 \otimes \mathit{Clerk}_2$
Integrity and Robustness
System is resilient to some faults
Integrity and Robustness
But not to all faults!!!
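The refinement checks of slides 12 to 16, as an added worked example that is not part of the original slides: each component is a crisp constraint over the counters pay, inv, con and ship, an implementation is the combination of its components, and it has integrity iff every solution of the implementation also satisfies Probity. The bound N = 3 and the "dishonest" variants of Clerk1/Clerk2 (the clerk's guarantee simply disappears) are constructed assumptions.

```python
from itertools import product

N = 3                                   # constructed bound on every counter
VARS = ("pay", "inv", "con", "ship")    # payments, invoices, confirmations, shipments to date

def probity(s):             # requirement: never pay for more than was shipped
    return s["pay"] <= s["ship"]

def appl(s):                # application pays only against invoices (Imp1, Imp2)
    return s["pay"] <= s["inv"]

def clerk_honest(s):        # honest clerk invoices only what was shipped
    return s["inv"] <= s["ship"]

def clerk_dishonest(s):     # dishonest clerk: inv <= ship or ship <= inv, i.e. no guarantee at all
    return s["inv"] <= s["ship"] or s["ship"] <= s["inv"]

def clerk1(s, honest=True): # confirmation clerk (a fault removes the guarantee; constructed)
    return s["con"] <= s["ship"] if honest else True

def clerk2(s, honest=True): # invoicing clerk
    return s["inv"] <= s["ship"] if honest else True

def appl_sod(s):            # separation of duties: pay only what both clerks vouch for
    return s["pay"] <= min(s["inv"], s["con"])

def solutions(constraints):
    """Every assignment over VARS that satisfies the combination of the constraints."""
    return [s for s in (dict(zip(VARS, t)) for t in product(range(N + 1), repeat=len(VARS)))
            if all(c(s) for c in constraints)]

def refines(impl, requirement):
    """impl refines requirement iff no solution of impl violates the requirement."""
    return all(requirement(s) for s in solutions(impl))

def violation(impl, requirement):
    """A witness assignment (or None) showing where the implementation breaks integrity."""
    return next((s for s in solutions(impl) if not requirement(s)), None)

IMP1 = [appl, clerk_honest]                       # slide 12: honest clerk
IMP2 = [appl, clerk_dishonest]                    # slide 13: dishonest clerk
IMP3 = [appl_sod, clerk1, clerk2]                 # slide 14: separation of duties
IMP3_ONE_FAULT = [appl_sod, lambda s: clerk1(s, honest=False), clerk2]
IMP3_COLLUSION = [appl_sod, lambda s: clerk1(s, honest=False), lambda s: clerk2(s, honest=False)]

if __name__ == "__main__":
    for name, imp in [("Imp1", IMP1), ("Imp2", IMP2), ("Imp3", IMP3),
                      ("Imp3, one dishonest clerk", IMP3_ONE_FAULT), ("Imp3, colluding clerks", IMP3_COLLUSION)]:
        print(f"{name}: integrity {'holds' if refines(imp, probity) else 'fails'} {violation(imp, probity) or ''}")
```

The witness returned for Imp2 and for the colluding clerks is the "circuitous route" of slide 3: an invoice (and confirmation) raised with no shipment behind it.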
External Consistency and Dependability
• Integrity is really just (local) refinement
– Any implementation needs to provide a consistent “view” at the interface to the supplier.
– Then check if the implementation is resilient to failures within the infrastructure.
– Check if the interactions between supplier and system implementation are consistent with the original requirement.
Soft Constraints
• To perform a qualitative/quantitative analysis of the system.
• If an implementation satisfying the requirements cannot be found, look for the “best” one (w.r.t. a measure).
• Example:
– Suppose payments are made as multiples of 100 and outstanding bills are settled at the end of the month:
• $\mathit{Probity}(\mathit{pay}, \mathit{ship}) \equiv \mathit{pay} \le \mathit{ship}$ [constraint]
• $\mathit{Probity}(a, b) = b - a$ [measure]
• Minimize the measure $b - a$
Soft Constraints
• Probabilistic reasoning:
– Add a probability to the events
– Minimize/maximize the probability of specific actions
• Example:
– Probability of the shipnote event
– Possible implementation
Conclusions
• Constraints are suitable to represent system properties (integrity) in a declarative way
• Softness can be added to perform a better quantitative/qualitative analysis
• The model makes no distinction whether the policy (integrity or other!) is violated deliberately or inadvertently
• The danger of each violation is represented as a level
Strict rules: Crisp Constraints
[Figure: a graph-colouring CSP $P = \langle V, D, C\rangle$ with variables $x_1, x_2, x_3, x_4$, domains {red,blue,yellow}, {blue,yellow}, {red,blue} and {yellow}, and the constraint C = {pairwise-different}; the diagram shows the combination of the constraints and the projection over $x_1, x_2, x_3, x_4$.]
Flexible rules: Soft Constraints
[Figure: the same colouring problem with a cost attached to the tuples of each constraint (5$, 3$, 2$); combination is (+) and projection is (min): the combined constraint over $x_1, x_2, x_3, x_4$ assigns 15$ or 13$ to the complete assignments, and the projection keeps the best level, 13$.]
C-semiring $\langle A, +, \times, \mathbf{0}, \mathbf{1}\rangle$, instances:
Weighted: $\langle \mathbb{R}^+, \min, +, +\infty, 0\rangle$
Fuzzy: $\langle [0,1], \max, \min, 0, 1\rangle$
Probabilistic: $\langle [0,1], \max, \times, 0, 1\rangle$
Classical: $\langle \{\mathit{false}, \mathit{true}\}, \vee, \wedge, \mathit{false}, \mathit{true}\rangle$
Semiring-based CSPs: a glimpse of theory
C-semiring $\langle A, +, \times, \mathbf{0}, \mathbf{1}\rangle$:
combination: $c = c_1 \otimes c_2 = \langle \mathit{def}, \mathit{con}\rangle$ with $\mathit{con} = \mathit{con}_1 \cup \mathit{con}_2$ and $\mathit{def}(t) = \mathit{def}_1(t \downarrow^{\mathit{con}}_{\mathit{con}_1}) \times \mathit{def}_2(t \downarrow^{\mathit{con}}_{\mathit{con}_2})$
projection: $c \Downarrow_I = \langle \mathit{def}', I \cap \mathit{con}\rangle$ with $\mathit{def}'(t') = \sum_{\{t \mid t \downarrow^{\mathit{con}}_{I \cap \mathit{con}} = t'\}} \mathit{def}(t)$
$\mathit{Sol}(\langle C, a\rangle) = (\bigotimes C) \Downarrow_a$
$a \le_S b$ ($b$ is better than $a$) iff $a + b = b$
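An added example (not from the slides) implementing the combination, projection and Sol operations of this last slide for an arbitrary c-semiring, then applying the weighted and classical instances of the previous slides to the soft Probity measure of slide 18 (pay ≤ ship as a hard constraint, ship − pay as the level to minimize). The domains, the invoice and shipment counts and the hard Appl constraint are constructed assumptions.

```python
from itertools import product

class CSemiring:
    """<A, +, x, 0, 1>: '+' picks the better level (projection), 'x' combines levels."""
    def __init__(self, plus, times, zero, one):
        self.plus, self.times, self.zero, self.one = plus, times, zero, one

INF = float("inf")
WEIGHTED = CSemiring(min, lambda a, b: a + b, INF, 0)                          # <R+, min, +, +inf, 0>
CLASSICAL = CSemiring(lambda a, b: a or b, lambda a, b: a and b, False, True)  # <{F,T}, or, and, F, T>

class SoftConstraint:
    """<def, con>: con lists the variables, deff maps their values to a level in A."""
    def __init__(self, con, deff):
        self.con, self.deff = tuple(con), deff
    def level(self, assignment):
        return self.deff(*(assignment[v] for v in self.con))

def combine(S, c1, c2):
    """c1 (x) c2: con = con1 U con2, def(t) = def1(t on con1) x def2(t on con2)."""
    con = tuple(dict.fromkeys(c1.con + c2.con))
    def deff(*vals):
        a = dict(zip(con, vals))
        return S.times(c1.level(a), c2.level(a))
    return SoftConstraint(con, deff)

def project(S, c, keep, domains):
    """c projected on keep: '+' over every extension of the eliminated variables."""
    kept = tuple(v for v in c.con if v in keep)
    gone = tuple(v for v in c.con if v not in keep)
    def deff(*vals):
        acc = S.zero
        for t in product(*(domains[v] for v in gone)):
            acc = S.plus(acc, c.level({**dict(zip(kept, vals)), **dict(zip(gone, t))}))
        return acc
    return SoftConstraint(kept, deff)

def solve(S, constraints, domains, keep=()):
    """Sol(<C, a>) = ((x) C) projected on keep; with keep=() its single level is the best reachable."""
    c = constraints[0]
    for other in constraints[1:]:
        c = combine(S, c, other)
    return project(S, c, keep, domains)

# Constructed instance of slide 18: payments in multiples of 100, invoice and shipment counts
# known; Probity is hard (the semiring 0, i.e. +inf, when pay > ship) and measured by ship - pay.
DOMAINS = {"pay": [0, 100, 200, 300], "inv": [150], "ship": [250]}
PROBITY = SoftConstraint(("pay", "ship"), lambda pay, ship: ship - pay if pay <= ship else INF)
APPL = SoftConstraint(("pay", "inv"), lambda pay, inv: 0 if pay <= inv else INF)   # pay <= inv, hard
def best_outstanding():      # weighted semiring: the smallest amount still owed (150, paying 100)
    return solve(WEIGHTED, [PROBITY, APPL], DOMAINS).level({})
def satisfiable():           # same problem in the classical semiring: does any honest payment exist?
    crisp = [SoftConstraint(c.con, lambda *v, c=c: c.level(dict(zip(c.con, v))) != INF) for c in (PROBITY, APPL)]
    return solve(CLASSICAL, crisp, DOMAINS).level({})
```

Projecting on ("pay",) instead of () gives the level of each payment amount on its own, which is how the "best" implementation of slide 18 is read off when no assignment reaches level 0.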