Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days...
-
Upload
brendon-gladen -
Category
Documents
-
view
219 -
download
2
Transcript of Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days...
Building Secure Distributed Systems
The CIF model : Component Information Flow
Lilia SfaxiDCS Days -
26/03/2009
Context and Contribution2
Context Building secure distributed systems
Needed expertise in systems and security Needed expertise in cryptography
Difficulty of dynamic reconfiguration without breaking the security properties of the system
Necessity of high level tools Programming abstractions Automatic code generation Verification of the generated code
Context and Contribution3
Contribution High-level model : CIF (Component Information
Flow) System architecture description : component-based
model Security annotations
Transformation tools : Verification of the security properties System code generation
Models and languages Component-based model : Fractal Security-typed programming language : JIF Architecture Description Language : ADL (XML-
based)
Outline
CIF Specification System representation System security : Inter and Intra component
CIF Transformation CIF ADL ADL Generation Code Generation
Case study : The battleship game Conclusion and Future Work
4
Outline
CIF Specification System representation System security : Inter and Intra component
CIF Transformation CIF ADL ADL Generation Code Generation
Case study : The battleship game Conclusion and Future Work
5
System : assembly of components explicitly bound, with ports used to send and receive data
Each component is configurable : attribution of labels to : The attributes The ports
6
CIF Specification System Representation
{L3}
{L1}
{L3'}
Labels
Use of Labels : pair of : Confidentiality policies Integrity policies
All the policies must be obeyed Relation at most as restrictive as (⊑)
Construction of a security lattice
As data flows through the system, its labels only become more restrictive !
7
less restrictive
more restrictive
CIF Specification System Security
In CIF, needed security policies must be guaranteed at two levels Intra-component Inter-component
Inter-component Ports annotation
Intra-component Secure component code
8
CIF SpecificationInter-component Security
Associating a label to a port : impose a security restriction to the request
or response A binding is permitted iff L(client) ⊑ L(server) Example :
Confidentiality : Integrity : C1 : I want the message to keep the conf. at least C C1 : I guarantee that the
integrity level is I
C2 : I consider that the message received has C2 : I want the message to have at least
the label C' the integrity I'
9
P' {C'; I'}
C2P {C; I}
C1
CIF SpecificationIntra-component Security
10
Annotation of ports and attributes of a component
Verification of component code Preservation of confidentiality and integrity
of annotated elements Non-interferent data flow
Non-interference : "The low level users should not be able to deduce
anything about high level user’s activity" Foccardi et al.
"Low-security behavior of the program is not affected by any high-security data.” Goguen & Messeguer 1982
Outline
CIF Specification System representation System security : Inter and Intra component
CIF Transformation CIF ADL ADL Generation Code Generation
Case study : The battleship game Conclusion and Future Work
11
12
CIF TransformationImplementation of the CIF Spec.
P2 {C2; I2}
C2P1 {C1; I1}
C1
P2
C2P1
C1 crypt sign verify decrypt
C'1 C'2
TC1 TC2
ADL : Architecture Description Language XML-based Functional part
Architecture of the system : components & bindings Location of the component code
Security part Security labels of attributes & ports
<definition name="C1"><port name="start" role="server"
signature="src.security.StartItf" label=""/>
<port name="send" role="client" signature="src.security.SendItf" label="L"/>
<content class="src.security.C1Impl"/></definition>
13
C1start{} send{L}
CIF ADLArchitecture Description
14
CIF TransformationADL Generation
P2 {C2; I2}
C2P1 {C1; I1}
C1
P2
C2
P1
C1 crypt sign verify decrypt
ADL Transform : removing the annotations Implementation :
Confidentiality : asymmetric encryption Integrity : signature
Assumptions : Keys distributed safely Communication channels untrusted
Generation of cryptographic components : Creation of crypt, sign, verify and decrypt components Creation of top components containing
The main component (server or client) The security components (crypt & sign or verify & decrypt)
Connecting the top components with low level bindings
15
CIF TransformationCode Generation
C1
C'1
Guarantee the non-interference property for one component
Depending on the component code Implemented in a security-typed language (exp : JIF)
Type checking Implemented in an imperative language
Propagation of the attributes' and methods' labels Propagation of the label
Check the use of component parameters and port messages Check the information flow : non-interferent? Controller
Called when secret information leaks Decides whether to declassify the information or to throw an
exception If the label is propagated without exceptions, component
non-interferent!
Outline
CIF Specification System representation System security : Inter and Intra component
CIF Transformation CIF ADL ADL Generation Code Generation
Case study : The battleship game Conclusion and Future Work
16
17
Case StudyThe Battleship Game
1 coordinator and 2 players (at least) Each player has a secret board with a fixed number of ships Each player tries to guess the opponent's ships coordinates :
the winner is the first player who finds the n ships of the opponent
The coordinator keeps a copy of the players' boards & controls the message exchange
18
Case StudyThe Battleship Game : Inter-component security
cryptsign
verify decrypt
mm
Ɛ(m,pub(coord))S(Ɛ(m,pub(coord)))
Ɛ(m,pub(coord))
m
19
Case StudyThe Battleship Game : Intra-component security
public class Player {private Board board;public void setBoard(Board board) {
this.board = board;}public void init(int nbShips) {
int numCovered = 0;for (int j = 1; j < nbShips+1 ; j++){
numCovered += j;}final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true),
new Ship(new Coordinate(1, 3), 2, false), };Board myBoard = new Board();int i = 0;for (int count = numCovered; count > 0 && myBoard != null;) {
try {Ship newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {
newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal);}myBoard.addShip(newPiece);count -= (newPiece == null ? 0 : newPiece.length);
} catch (ArrayIndexOutOfBoundsException ignored) {} catch (IllegalArgumentException ignored) {}
}setBoard (myBoard);
}}
20
Case StudyThe Battleship Game : Intra-component security
public class Player {private Board {P1->C;P1<-C} board;public void setBoard(Board board) {
this.board = board;}public void init(int nbShips) {
int numCovered = 0;for (int j = 1; j < nbShips+1 ; j++){
numCovered += j;}final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true),
new Ship(new Coordinate(1, 3), 2, false), };Board myBoard = new Board();int i = 0;for (int count = numCovered; count > 0 && myBoard != null;) {
try {Ship newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {
newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal);}myBoard.addShip(newPiece);count -= (newPiece == null ? 0 : newPiece.length);
} catch (ArrayIndexOutOfBoundsException ignored) {} catch (IllegalArgumentException ignored) {}
}setBoard (myBoard);
}}
21
Case StudyThe Battleship Game : Intra-component security
public class Player {private Board{P1->C;P1<-C} board;public void setBoard(Board{P1->C;P1<-C} board) {
this.board = board;}public void init(int nbShips) {
int numCovered = 0;for (int j = 1; j < nbShips+1 ; j++){
numCovered += j;}final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true),
new Ship(new Coordinate(1, 3), 2, false), };Board myBoard = new Board();int i = 0;for (int count = numCovered; count > 0 && myBoard != null;) {
try {Ship newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {
newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal);}myBoard.addShip(newPiece);count -= (newPiece == null ? 0 : newPiece.length);
} catch (ArrayIndexOutOfBoundsException ignored) {} catch (IllegalArgumentException ignored) {}
}setBoard (myBoard);
}}
22
Case StudyThe Battleship Game : Intra-component security
public class Player {private Board {P1->C;P1<-C} board;public void setBoard(Board{P1->C;P1<-C} board) {
this.board = board;}public void init(int nbShips) {
int numCovered = 0;for (int j = 1; j < nbShips+1 ; j++){
numCovered += j;}final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true),
new Ship(new Coordinate(1, 3), 2, false), };Board{P1->C;P1<-C} myBoard = new Board();int i = 0;for (int count = numCovered; count > 0 && myBoard != null;) {
try {Ship newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {
newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal);}myBoard.addShip(newPiece);count -= (newPiece == null ? 0 : newPiece.length);
} catch (ArrayIndexOutOfBoundsException ignored) {} catch (IllegalArgumentException ignored) {}
}setBoard (myBoard);
}}
23
Case StudyThe Battleship Game : Intra-component security
public class Player {private Board {P1->C;P1<-C} board;public void setBoard(Board{P1->C;P1<-C} board) {
this.board = board;}public void init(int nbShips) {
int numCovered = 0;for (int j = 1; j < nbShips+1 ; j++){
numCovered += j;}final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true),
new Ship(new Coordinate(1, 3), 2, false), };Board{P1->C;P1<-C} myBoard = new Board();int i = 0;for (int count = numCovered; count > 0 && myBoard != null;) {
try {Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {
newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal);}myBoard.addShip(newPiece);count -= (newPiece == null ? 0 : newPiece.length);
} catch (ArrayIndexOutOfBoundsException ignored) {} catch (IllegalArgumentException ignored) {}
}setBoard (myBoard);
}}
24
Case StudyThe Battleship Game : Intra-component security
public class Player {private Board {P1->C;P1<-C} board;public void setBoard(Board{P1->C;P1<-C} board) {
this.board = board;}public void init(int nbShips) {
int numCovered = 0;for (int j = 1; j < nbShips+1 ; j++){
numCovered += j;}final Ship{P1->C;P1<-C}[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true),
new Ship(new Coordinate(1, 3), 2, false), };Board{P1->C;P1<-C} myBoard = new Board();int i = 0;for (int count = numCovered; count > 0 && myBoard != null;) {
try {Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {
newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal);}myBoard.addShip(newPiece);count -= (newPiece == null ? 0 : newPiece.length);
} catch (ArrayIndexOutOfBoundsException ignored) {} catch (IllegalArgumentException ignored) {}
}setBoard (myBoard);
}}
Outline
CIF Specification System representation System security : Inter and Intra component
CIF Transformation CIF ADL ADL Generation Code Generation
Case study : The battleship game Conclusion and Future Work
25
26
Conclusion
CIF Component-based model Builds distributed systems secure by construction
User specifies security requirements At a high level of abstraction Association of labels to attributes and ports of the
component Tools to automate security implementation
Inside a component : Generation of JIF code
Between components Insertion of cryptographic components
27
Future Work
Key distribution Secure deployment Safe reconfiguration Privacy
Thank you for your attention
Lilia SfaxiDCS Days -
26/03/2009