Towards an Engineering Discipline of Computational Security
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Towards an Engineering Discipline of Computational Security Ali Mili, Alex Vinokurov Lamia Labed Jilani College of Computer Science Institut Superieur de Gestion New Jersey Institute of Technology Bardo 2000 Tunisia Newark NJ 07102-1982 mili@cis.njit.edu Lamia.Labed@isg.rnu.tn Frederick T. Sheldon Rahma Ben Ayed U.S. DOE Oak Ridge National Lab ENIT, University of Tunis PO Box 2008, MS 6085, 1 Bethel Valley Rd Belvedere, 1002 Tunisia Oak Ridge TN 37831-6085 sheldonft@ornl.gov rahma.benayed@enit.rnu.tn September 13, 2006 Abstract 60 percent of a system’s faults and improve its reliability by only ... 3 percent.In a study of IBM software prod- George Boole ushered the era of modern logic by argu- ucts, Adams [1] finds that many faults in the system are ing that logical reasoning does not fall in the realm of only likely to cause failure after hundreds of thousands philosophy, as it was considered up to his time, but in of months of product usage. the realm of mathematics. As such, logical propositions We argue that the same may be true for security: vul- and logical arguments are modeled using algebraic struc- nerabilities in a system may have widely varying im- tures. Likewise, we submit that security attributes must pacts on system security. In fairness, the variance may be modeled as formal mathematical propositions that are be wider for reliability than for security, because in mali- subject to mathematical analysis. In this paper, we ap- cious security violations high impact vulnerabilities may proach this problem by attempting to model security at- be more attractive targets than lower impact vulnerabil- tributes in a refinement-like framework that has tradition- ities, but wide variances are still quite plausible. Wide ally been used to represent reliability and safety claims. variances, to the extent that they are borne out, have broad impacts on security management: Keywords In practice, security ought not be defined as the ab- sence of vulnerabilities, no more than reliability is Computable security attributes, survivability, integrity, defined by the absence of faults. dependability, reliability, safety, security, verification, testing, fault tolerance. In practice, security ought not be measured or quan- tified by the number of vulnerabilities, just as it is widely agreed (as highlighted by Adams’ [1] and 1 Modeling Security as a Depend- Mills’ [7] work) that faults per KLOC is an inap- ability Attribute propriate measure of reliability. Security cannot be improved by focusing on vulner- Even though logically, system reliability is driven ex- abilities, as we have no way to tell whether a given clusively by the existence and possible manifestation vulnerability has low (1) or high (50) impact on se- of faults, empirical observations regularly show a very curity. Rather, security should be managed by pur- weak correlation between faults and reliability. In [7], suing a policy that leads us to the highest impact Mills and Dyer discuss an example where they find a vulnerabilities first (a similar approach to usage pat- variance of 1 to 50 in the impact of faults on reliability; tern testing [4, 7, 9]). i.e. some faults cause system failure 50 times more often than others; while their experiment highlights a variance In light of these observations, we argue in favor of mod- of 1 to 50, we have no doubt that actual variance is in eling security in a way that reflects its visible, measur- fact unbounded. Also, they find that they can remove able, observable attributes, rather than its hypothesized
causes. To this effect, we introduce the outline of a Logic arguments from the ground up using the model-specific for System Security, which represents / captures security refinement ordering. properties in terms of its observable attributes. This logic is defined in terms of the following features: 2.1 Refinement Calculi A notation for security specification, which details Without significant loss of generality, we use homoge- how to capture security requirements of a system. neous relations (i.e. relations from some set to itself) to represent functional specifications and program func- A formula for security certification, which formu- lates the condition under which a system (repre- tions. Among constant relations on some space we consider the universal relation ( ), that we denote sented by its security abstraction) meets a given set by ; the identity relation ( ), that we denote of security requirements (represented by security by , and the empty relation ( ), that we denote by . specifications). We denote the relational product by mere concatenation, i.e. as the product of by , and we use the hat Note that in order to quantify reliability as the mean symbol ( ) to represent relational inversion. A relation time to failure, we must define what it means to fail, is said to be total if and only if ; and a relation which in turn requires that we define specification and is said to be deterministic if and only if . correctness. Likewise, defining and quantifying security We introduce the refinement ordering between rela- requires that we define the concepts of security specifi- tions (interpreted as specifications) as follows: refines cation and security certification. In this paper, we dis- if and only if "!# "!%$# '&( *) cuss broad premises that characterize our approach, and present tentative notations and formulas for the proposed We denote this property by ,+- or /.0 and we logic for system security. In section 2 we briefly review our results in using a antisymmetric and transitive). Intuitively, refines 1 if admit that this is a partial ordering (i.e. it is reflexive, refinement calculus to compose verification claims and and only if captures all the requirements information decompose verification goals in terms of reliability and of . Also, a program 2 is correct with respect to a safety. In section 3 we discuss a generalized representa- specification if and only if the program’s function re- tion of reliability, safety and security claims that stems fines . To further convey the meaning of the refinement from our refinement based model. In section 4 we dis- ordering, we note that refines if and only if any cuss formal definitions of some security attributes, and program that is correct with respect to is (a fortiori) explore how these definitions lend these attributes to be correct with respect to . integrated into our refinement-based model. Finally, we briefly summarize and assess our findings in section 6. In addition to its ordering properties, the refinement relation also has lattice-like properties [2]. Two specifi- cations and are said to be consistent if they can be 2 Background: Genesis of our Ap- refined simultaneously; in relational terms, this is written proach 3!# 4&5*!# 6 ) as: In this section we will briefly present the main contribu- The reason why consistency is important for the purpose tions of [6], then we discuss how and why we propose of lattice properties is that only consistent relations admit to extend this work, thereby laying the groundwork for a join (least upper bound). If and are consistent then our subsequent developments. For the sake of readabil- 78 they admit a join with respect to the refinement ordering, ity, we will keep the discussion of this section (and most which is denoted by and defined by of the paper, in fact) fairly non-technical, referring inter- ested readers to bibliographic sources for details; though 87 & 9:!# $ "!#%$# !8 ) The join captures all the requirements information in we may sometimes present mathematical formulas, to fix the reader’s ideas, we do not consider that understand- and all the requirements information in 1 (upper bound) ing the details of these formulas is required to follow our tional, the meet is not: any two relations and 1 have a and nothing more (least). Whereas the join is condi- discussions. Also, while the formulas we present refer to a relation-based refinement calculus, we submit that meet (greatest lower bound), which is denoted by ;1 most of our claims hold for most specification/ refine- and defined by: ;
The meet represents all the requirements information that represents it, and to use the same symbol ( ) to is captured simultaneously by and . represent the recovery routine and the relation that represents it. Because we do not know for each ex- ecution whether holds or not, we do not know 2.2 Composing Dependability Claims 2 + (if holds) or 2 + whether we can claim (if does not hold). Since we are assured 2 In this section we use the lattice-like structure of the re- finement ordering to discuss how to compose depend- that refines at least one of them at each execution, ability claims. Specifically, we consider a system that we know that it refines their meet. we have statically verified for some correctness crite- 2 + 2 + 0& From static analysis, we infer: . From (certifica- rion, that we have tested against some functional ora- , where . From 2 + & ; tion) testing, we infer: cle using some test data, and that we have made fault tolerant by appropriate assertions and recovery routines, fault tolerance, we infer: , where . the question we wish to ask is: How can we add up the From lattice theory, we infer: individual claims that each measure allows us? What claims do these measures, combined together, allow us 25+5 7 7 1 ) to make? How do we know whether the measures we have taken (testing, proving, fault tolerance) are comple- 2.3 Decomposing Dependability Goals menting each other, or whether they are testing the same A more interesting application of the lattice of refinement aspects over and over again? involves decomposing a complex dependability goal into To answer these questions, we have (in [6]) proposed 2 simpler sub-goals. Imagine that we must prove that some a common refinement based model, in which we cast all product refines a complex specification , and imag- three families of methods (static verification, testing, and ine that is structured as the join of several simpler fault tolerance); we have shown that all three methods sub-specifications, say , , ... ; we had shown in can be interpreted as establishing that the system being [2] that the join offers a natural mechanism to structure analyzed refines some specification, that depends on the complex specifications as aggregates of simpler specifi- method and the method’s parameters. Using the join op- 25+( 25+ cations. Lattice properties provide that in order to prove erator, we can then compose eclectic measures, stem- , it suffices to prove for all . ming from different methods, into a single claim. Specif- We consider the question: which method (among ically, we discuss below, briefly, how we interpret all static verification, testing, fault tolerance) is best adapted for each sub-specification . This question is discussed 2 three families of methods by means of refinement. We let be the program that we are interested in. in some detail and illustrated in [6]. We summarize it briefly here: 2 Static Verification. If we prove by static analysis that is correct with respect to some specification Static Verification. Ideal candidates for static verifi- , we represent this claim by: cation are relations that are reflexive and transitive. 2 + ) Indeed, static verification usually revolves around inductive arguments (of loops, recursive calls); the Testing. We assume that we have tested program 2 reflexivity of the specification makes the basis of in- on test data using oracle , and that all tests have duction trivial, and the transitivity of the specifica- been executed successfully (if not, we redefine ), tion makes the induction step trivial. What makes we claim that this allows us to write: static verification very difficult in general is the need 2 +9 to invent or guess invariant assertions and interme- diate assertions; when the specification at hand is where represents the (pre) restriction of reflexive and transitive, it can be used as a suffi- to . Details can be found in [6]. cient (i.e. sufficiently strong) assertion throughout the program. Verifying programs against reflexive Fault Tolerance. If we test some condition at transitive specifications is so straightforward, it can run-time, and whenever the condition does not hold actually be readily automated. we invoke a recovery routine , then we can claim Testing. Ideal specifications for testing are relations 2 + ; that: that can be coded reliably, as we do not want a faulty oracle to mislead the whole testing process. Be- where we take the liberty to use the same symbol cause testing is done off-line (in the sense: not dur- ( ) to represent the condition and the relation that ing the normal operation of the system), execution 3
efficiency is not a major consideration (by contrast 3 A Unified Representation with executable assertions), but reliability of the or- acle is. In this section we critique the model presented in the previous section, then propose a generalization that ad- Fault Tolerance. Ideal specifications for fault tol- dresses some of its shortcomings. erance are unary relations, i.e. relations that refer to the current state but not to past states (for exam- 3.1 The Need for Generalization ple, in a sorting program, checking that the current array is sorted is a unary property, while checking In order to motivate the need for generalizing the model that the current array is a permutation of the ini- presented in the previous section, we briefly discuss why tial array is a binary property). What makes fault it is inadequate, as it stands. tolerance techniques inefficient is the need for sav- Most dependability measures are best modeled as ing past states (memory overhead) and for checking probabilistic claims rather than firm logical claims. the correctness of current states with respect to past states (CPU overhead). With unary specifications, Most claims are contingent upon implicit condi- we are spared both of these overheads. tions. For example, testing is contingent upon the condition that the testing environment is a faithful In [6] we show an example of application where the over- simulation of the operating environment (or, more all verification effort of a program with respect to a com- precisely, that it is at least as harsh as the operat- pound specification is significantly smaller than the effort ing environment). Also, static verification is con- of applying any one of the methods. tingent upon the condition that the verification rules used in the static proof are borne out by the com- piler and the operating environment. Also, fault 2.4 Extensions of the Model tolerance is contingent upon the condition that the assertion-checking code and the recovery code are In this paper we extend out previous work in three or- free of faults. thogonal directions: 2 Many claims may lend themselves to more than one First, by replacing the logical claims of the origi- interpretation. For example, if we test against or- acle using test data , we can interpret this in one nal model with probabilistic claims, on the grounds that all methods, even formal methods, produce 2 of two ways: either that refines with proba- claims with associated degrees of (un)certainty, and bility 1.0 (subject to the hypothesis discussed above, 2 with associated implicit conditions, which probabil- that the testing environment subsumes the operating ity theory is equipped to capture and reason about. environment); or that refines (not restricted to this time), subject to the subsumption hypothesis, and to the hypothesis that is a faithful represen- Second, by expanding the model to include, not only reliability claims, but also claims dealing with tative 2 of the program’s domain (i.e. fails on if safety and security, on the grounds that these claims and only if it fails on the whole domain), with some are interdependent, and that from the user’s stand- probability less than 1.0. While the logic, refine- point it does not matter whether the failure of a sys- ment based, model discussed in section 2 represents tem is due to faulty design or to malicious activity. only the first interpretation, the probabilistic model can represent both. In addition, we will see how the proposed model allows us to keep both interpreta- Third, by integrating failure cost into the equation, tions, and makes use of them both (which is only on the grounds that a complex specification typi- fair, since they are both plausible interpretations). cally has many components, whose failures carry widely varying costs, that we must account for in a If we admit the premise that dependability claims differential manner. 2 are probabilistic, we must now consider failure costs. It is not enough to know that refines This paper does not produce results in the sense of so- with some probability , over some period of oper- 2 lutions that are analyzed, validated and deployed; rather, ational time; we must also know what costs we will incur in the case (probability ) that fails it offers motivated ideas and proposals, that serve as a launching pad for further research. to refine during that time. 4
While the refinement ordering proves to be adequate of this feature is to quantify this cost factor, and as- for representing reliability claims and safety claims, sociate it explicitly with the failure that has caused as we will discuss subsequently, it is not adequate it. for representing security claims. We wish to gener- Verification Cost. Verification costs complement alize the form that specifications can take, and con- the information provided by failure costs, by quan- sequently also generalize the concept of refinement tifying how much it costs to avoid failure, or reduce to capture security properties. the probability of failure. Together these two func- tions help manage risks and risk mitigation. 3.2 A Generalized Model To reflect this characterization, we represent dependabil- We submit the premise that dependability methods can ity claims as follows: be characterized by the following features: *20+ & 2 where 2 is the product, + is the property we claim about Property. This feature represents the property that it, is the specification against which we are making we want to establish about : In section 2 we were interested exclusively in refinement, but it is possi- ble to imagine other properties, such as performance the claim, is the assumption under which we are mak- (with respect to performance requirements), secu- ing the claim, and is the probability with which we are rity (with respect to security requirements), recov- making the claim. We further add two cost functions: erability preservation, etc. + Failure Cost: This function (which we denote by ) maps a property (say, ) and a reference (say, Reference. This feature represents the reference some specification ) into a cost value (quantified with respect to which we are claiming the prop- in financial terms, or in terms of human lives at risk, erty cited above. This can be a functional specifi- + etc). Hence cation (if the property is correctness, or recoverabil- ity preservation), an operational specification (if the 2 + property is a performance property), or a security represents the cost that we expect to incur whenever specification (if the property is a security property), a candidate system fails to satisfy property with etc. respect to . + Assumption. This is the condition assumed by Verification Cost: This function (which we denote the verification method; all verification methods are by ) maps a property (say, ), a reference (say, ), typically based on a set of (often) implicit assump- an assumption (say, ) and a method (say, ), to a tions, and are valid only to the extent that these as- cost value (expressed in Person Months). Hence sumptions hold. We propose to make these assump- tions explicit, so that we can reason about them. + 1 5 that 2 satisfies property + with respect to under represents the cost of applying method to prove Certainty. This feature represents the probability 2 with which we find that the property holds about the assumption . with respect to the reference, conditional upon 2 Although this model appears on the face of it to deal only 2 the Assumption. The same dependability measure (e.g. testing with respect to some oracle using with claims that pertain to the whole system , we can 2 some test data, proving a refinement property with in fact use it to represent verification steps taken on com- 2 2 respect to some specification, etc) can be interpreted ponents of [10]. We use an illustrative example: We let be the composition of two components, say and in more than one way, possibly with different prob- abilities. 2 , and we assume that we have used some method to establish the following claim: Failure Cost. Safety and security requirements are usually associated with costs, which quantify the *2 + & ) amount of loss that results from failing to meet We submit that this can be written as a property of 2 them. Safety costs may include loss or endanger- (rather than merely a property of 2 ) if we add an as- ment of human life, financial loss, endangerment of sumption about 2 . Hence, for example, we can infer a a mission, etc. Security costs may include disclo- claim of the form *25+* #2 + & sure of classified information, loss of availability, exposure of personal information, etc. The purpose 5
for some reference and some probability . We sub- on survivability, and readily acknowledge a loss of gen- mit that this model enables us to collect every piece of erality; other dimensions of security are under investi- information that we can derive from dependability mea- gation. Survivability is defined in [3] as the capability 2 sures, so that all the verification effort that is expended of a system to fulfill its mission in a timely manner, in on can be exploited (to support queries, as we will dis- the presence of attacks, failures, or accidents [8]. We cuss in section 5). discuss in turn how to represent security (survivability) requirements, and how to represent the claim that a sys- 3.3 Implications of the Model tem meets these security requirements. In the sequel we discuss in turn two aspects of security: survivability and The first implication of this probabilistic model is that integrity. The modeling of other aspects is under investi- verification claims are no longer additive, in the sense gation. that we discussed in section 2. While in the logic, refinement-based model we could sum up all our claims in a single refinement property, in the new probabilistic 4.1 Modeling Survivability model it is generally not possible to do so. Nor is it desir- 4.1.1 Specifying Survivability Requirements able, in fact, as the result would probably be so complex as to be of little use. What we advocate instead is to use We note that there are two aspects to survivability: the an inference system where all the collected claims can ability to deliver some services, and the ability to de- be stored, and subsequently used to answer queries about liver these services in a timely manner; to accommodate the dependability of the system. This will be illustrated these, we formula security requirements by means of two in section 5 through a simple example. relations, one for each aspect. Using a relational speci- The second implication of this model is that it allows fication model presented in [2] we propose to formulate functional requirements as follows: 2 us to introduce a measure of dependability that integrates cost information. When we say that a system has a An input space, that we denote with ; this set con- given MTTF, it is with respect to some implicit specifi- tains all possible inputs that may be submitted to the cation, say . It is also with respect to some implicit system, be they legitimate or illegitimate (part of an understanding of failure cost, i.e. how much we stand to attack/ intrusion). lose if our system fails to satisfy . If we consider that is an aggregate of several sub-specifications, say , , Using space , we define space , which repre- ... , it is conceivable that the components , , ... sents the set of sequences of elements of ; we re- have different failure costs associated with them; for fer to as the set of input histories of the specifica- example, failing to refine will cost significantly more tion. An element of represents an input history than failing to refine , but the MTTF does not reflect of the form ) ) ) ) ) ) ) ) ) this, as it considers both as failures to refine . We in- troduce the concept of Mean Failure Cost (MFC), which combines terms of the form 25+ + where represents the current input, represents the previous input, represents the input before where the term 2 +( represents the probability that, etc. that 2 fails to refine and + represents the cost An output space , which represents all possible that we incur when it does. outputs of the system in question. A relation from to that specifies for each in- 4 Modeling Security put history (which may include intrusion/ attack actions) which possible outputs may be considered In order to integrate security into the refinement model correct (or at least acceptable). Note that is not discussed above, and take advantage of its capability necessarily deterministic, hence there may be more in terms of composing claims and decomposing goals, than one output for a given input history. Note also we must formulate security properties in refinement-like that this relation may be different from relation terms. In [8] Nicol et al. discuss a number of dimen- which specifies the normal functional requirements sions of security, including: data confidentiality, data of the system: while represents the desired func- integrity, authentication, survivability, non-repudiation, tional properties that we expect from the system, etc. In the context of this paper, we focus our attention represents the minimal functional properties we 6
& must have even if we are under attack; hence while with respect to in the presence of an intrusion. Note it is possible to let , it is also possible (per- the conditional nature of this clause: we are not saying haps even typical) to let there be a wide gap between that has to satisfy at all times, as that is a reliability them. condition; nor are we saying that has to satisfy in the presence of an intrusion, as we do not know whether As for representing timeliness requirements, we propose it satisfies in the absence of an intrusion (surely we do the following model: not expect the intrusion to improve the behavior of the , and history space . The same input space system —all we hope for is that it does not degrade it). Rather we are saying that if satisfies in the absence A relation from to the set of positive real num- of an intrusion, then it satisfies it in the presence of an bers, which represents for each input history the intrusion. maximum response time we tolerate for this input The second clause articulates a similar argument, per- sequence, even in the presence of attacks. We de- taining to the response time: if the response time of note this relation by . was within the boundaries set by in the absence of an In the sequel, we discuss under what condition do we intrusion, then it remains within those bounds in the pres- ence of an intrusion. consider that a system satisfies the security require- ments specified by the pair . At the risk of overloading the refinement symbol ( ), + 2 we resolve to use it to represent the property that a sys- 4.1.2 Certifying Survivability Properties tem is secure (according to the definition above) with respect to a survivability specification . The form Given a survivability requirements specification of the of the specification, when it is explicit, resolves the am- form , we want to discuss under what condition biguity. Hence we write we consider that a program that takes inputs in and produces outputs in can be considered to satisfy these survivability requirements. Space limitations preclude us 25+0 from a detailed modeling of attacks/ intrusions, hence we will, for the purposes of this paper, use the following no- to mean that 2 is secure with respect to . tations: Given a legitimate input history , we denote by 4.1.3 Integrating Survivability an input history obtained from by inserting an arbitrary intrusion sequence (i.e. sequence of ac- The definition that we propose here is focused entirely tions that represent an intrusion into the system). on effects rather than causes, and gives meaning to the concept of survivability failure. Using this concept, we Given an input history (that may include intrusion can now quantify security by adding terms of the form the response time of 20+ + actions) we denote by on input history . Using these notations, we introduce the following defini- tion. to the mean failure cost, producing a function that quan- tifies the expected failure cost, without distinction on Definition 1 A system is said to be secure with respect whether the failure is due to a design fault (reliability, to specification if and only if safety) or a an intrusion (security). In [12] Stevens et 1. For all legitimate input history , al. present measures of security in terms of MTTD (D: 6 3 6 " ) vulnerability discovery) and MTTE (E: exploitation of discovered vulnerability). By contrast with our (re) def- inition, these definitions are focused on causes (rather 2. For all legitimate input history , than effect); in fairness, Stevens et al. propose them as 6 ) intruder models rather than security models. The dif- ference between our effect-based measure and Stevens’ cause-based measure is that a vulnerability may be dis- The first clause of this definition can be interpreted as covered without leading to an intrusion, and an intrusion follows: if system behaves correctly with respect to may be launched without leading to a security failure in in the absence of an intrusion, then it behaves correctly the sense of our definition. 7
4.2 Modeling Integrity section, we briefly discuss how to deploy claims repre- sented in this manner to support queries. We will first 4.2.1 Specifying Integrity discuss, in broad terms, some inference rules; then we A requirement for integrity refers, generally, to a sys- show a sample example of illustration. tem’s state, and stipulates limits within which the sys- tem state may vary as the system is running. The system 5.1 Inference Rules model that we take in this section represents the system by its state space (which we refer to as ), and oper- We envision a database in which we accumulate all the ations that interact with the outside world, possibly af- verification claims that we obtain, from various meth- fecting and being affected by the internal state space. We ods, applied to various components (though typically assume that the set of operations (which we refer to as ) the whole system), against various specifications (func- includes an initialization operation, which we call init. tional specifications, security specifications, etc), reflect- ing various properties (correctness, security, recoverabil- Given this model, we submit that an integrity require- ment is specified by providing a subset of . This ity preservation, etc). Queries are submitted to this subset characterizes all the internal states that we con- database and inference rules allow us to determine how sider to meet the integrity requirement. to answer the query in light of available claims. We clas- sify inference rules into a number of categories: 4.2.2 Certifying Integrity Probability Rules. This category includes all the We consider a system defined by a state space and a rules that stem from probability theory, including set of operations . And we consider an integrity speci- especially identities that pertain to conditional prob- fication defined by . ability. Refinement Rules. This category includes all the Definition 2 We say that system meets the integrity specification if and only if the following conditions rules that stem from the partial order structure of 9 are met: the refinement ordering. For example, if refines , then we know, by transitivity of the refinement 1. Operation init satisfies the following condition: ordering, that ) 2 +( 9 *25+ 9 ) 2. All other operations w in W satisfy the following condition: Lattice Rules. This category includes all the rules ) that stem from the lattice structure of the refinement ordering. For Example, if and are specifica- tions that admit a join, we have *20+*7 9 *20+ 2 +( ) This definition can be interpreted as follows: Accord- ing to Schneider et al [11], the condition of integrity is met if and only if integrity constraints are not violated in an undetected manner. If the condition were simply, are Conversion Rules. This category includes the rules not violated, then our definition would stipulate that init that reflect relationships between the various prop- maps the system state inside and subsequent opera- erties that we wish to claim (correctness, recover- tions ( ) keep it inductively in . Because Schneider et. ability preservation, security, etc). Examples of re- al. allow for violation of the condition, provided the vio- 2 lations that we capture by these rules include: the lations are detected, our definition merely specifies that if fact that if is correct with respect to , it is either the basis of induction or the induction step does not 2 recoverability-preserving with respect to ; the fact hold, an exception (which we represent by ) is that the security of is contingent upon the cor- raised. rectness of the components that enforce its security policies; etc. 5 Illustration: Dependability 5.2 A Tool Prototype Queries We have developed a very sketchy prototype of a tool that In the previous section we discussed how we can rep- stores claims and supports queries. In its current form, resent dependability claims in a unified model; in this the prototype includes only probability rules, hence has 8
2 very limited capability. Nevertheless, it allows us to dis- measures and wish to check whether they are suf- cuss our vision of its function and its operation. The first ficient to allow us to claim that refines with a screen of the prototype offers the following options: greater certainty than a threshold probability . Record a Reliability/ Safety Claim. Clicking on this To answer a query, the system composes a theorem that tab prepares the system for receiving details about has the query as goal clause, and uses recorded depend- a dependability claim (reliability, safety, etc) with ability claims and domain knowledge as hypotheses. The respect to a functional specification. Given that such theorem prover we have selected for this purpose is Otter claims have the general form: [5]. *25+ '& 5.3 A Sample Demo + the system prompts the user to fill in fields for the To illustrate the operation of the tool, we take a sim- property ( ), the reference ( ), the assumption ( ), ple example. We will present, in turn, the dependability and the probability ( ). claims that we submit to this system, then the domain Record a Security Claim. Clicking on this tab knowledge, and finally the query; this example is totally presents an entry screen that prompts the user for contrived and intends only to illustrate what we mean a security specification (two fields: a functional re- by composing diverse dependability claims. Also, even quirement and an operational requirement 4.1.1), a though the model that we envision has inference capabil- field for an assumption, and a field for a probabil- ities that are based on many types of rules (probabilis- ity. There is no need for a property field, since the tic identities, refinement rules, lattice identities, relations property is predetermined by the choice of tabs. between various refinement properties, etc), in this demo we only deploy probabilistic rules. Record Cost Information. As we recall, there are For the purposes of this example, we summarily in- two kinds of cost information that we want to troduce the following notations, pertaining to a fictitious record: failure cost, and verification cost. De- nuclear power plant: pending on the user’s selection, the system presents a spreadsheet with four columns (Property, Refer- Specifications. We consider a specification, which ence, Cost, Unit —for failure cost), or six columns we call SafeOp, which represents the requirement (Property, Reference, Method, Assumption, Cost, that the operation of the reactor is safe. We also Unit —for verification cost). This information (naively) assume that this requirement can be de- is stored in tabular form to subsequently answer composed into two sub-requirements, whose speci- queries on failure costs or verification costs. fications, CoreTemp and ExtRad, represent require- ments for safe core temperatures and safe external Record Domain Knowledge. Because dependabil- radiation levels. ity claims are formulated using domain-specific no- tations, a body of domain-specific knowledge is Assumptions. We assume (artificially) that the required to highlight relevant properties and rela- claims we make about refining specifications tionships, and to enable the inference mechanism CoreTemp and ExtRad are contingent upon a com- to process queries. This domain knowledge is bination of conditions that involve two predicates: recorded by selecting the appropriate tab on the sys- FireWall, which represents the property that the sys- tem. tem’s firewall is operating correctly; and ITDetec- tion, which represents the property that the system’s Queries. Clicking on the tab titled Submit Query Insider Threat Detection is working properly. prompts the user to select from a list of query for- Using these notations, we illustrate the deployment of the mat. The only format that is currently implemented tool by briefly presenting the security claims, the domain is titled Validity of a Claim, and its purpose is to knowledge, then the query that we submit to it. check the validity of a claim formulated as *25+ 2 Claims. Using the system’s GUI screens, we enter the following claims, where represents the reac- + for some property , reference (Specification) , tor’s control system: Assumption , and probability . Notice that we *20+ & ) ) *20+ 6 do not have equality, but inequality; this feature can be used if we have taken a number of dependability 9
& ) ) References 25+ 6 & ) ) [1] E.N. Adams. Optimizing preventive service of soft- 25+ & ) ) ware products. IBM Journal of Research and De- velopment, 28(1):2–14, 1984. *25+ & ) ) [2] N. Boudriga, F. Elloumi, and A. Mili. The lat- Domain Knowledge. We submit the following tice of specifications: Applications to a specifica- domain knowledge under the form of predicates, tion methodology. Formal Aspects of Computing, where indep(p,q) means that events and are in- 4:544–571, 1992. dependent; one could questions whether some of the [3] R.J. Ellison, D.A. Fisher, R.C. Linger, H.F. Lipson, claims of independence are well-founded, but we T. Longstaff, and N.R. Mead. Survivable network make these assumptions for the sake of simplicity. systems: An emerging discipline. Technical Report 6 ) CMU/SEI-97-TR-013, CMU Software Engineering *2 + 2 + ) Institute, november 1997. 2 + *25+ 2 + ) [4] R.C. Linger. Cleanroom process model. IEEE Soft- ware, 11(2):50–58, 1994. Query. We submit the query whether the following [5] William McCune. Otter 3.3 reference manual. claim *20+ 9 ) Technical Report Technical Memorandum No 263, Argonne National Laboratory, August 2003. is valid, where is the assumption that the proba- bility of FireWall is 0.90 and the probability of IT- [6] A. Mili, B. Cukic, T. Xia, and R. Ben Ayed. Com- Detection is 0.80. bining fault avoidance, fault removal and fault tol- erance: An integrated model. In Proceedings, 14th The system generates a theorem and submits it to Otter; IEEE International Conference on Automated Soft- then it analyzes the output file to determine if a proof was ware Engineering, pages 137–146, Cocoa Beach, produced. The claim is deemed to be valid. FL, October 1999. IEEE Computer Society. [7] H.D. Mills and M. Dyer et al. Cleanroom software 6 Conclusion engineering. IEEE Software, 4(5):19–25, 1987. In this paper we have considered past work that attempts [8] David M. Nicol, William H. Sanders, and Kishor S. to compose eclectic verification claims and decompose Trivedi. Model based evaluation: From dependabil- aggregate verification goals, and have attempted to ex- ity to security. IEEE Transactions on Dependable tend it. We have attempted to extend it by encompassing Computing, 1(1):48–65, 2004. more dimensions of dependability, acknowledging the [9] S.J. Prowell, C.J. Trammell, R.C. Linger, and J.H. probabilistic nature of claims and goals, integrating fail- Poore. Cleanroom Software Engineering: Technol- ure and verification costs, and highlighting relationships ogy and Process. SEI Series in Software Engineer- between diverse dimensions of dependability. Also, we ing. Addison Wesley, 1999. have defined two aspects of security, namely survivabil- ity and integrity, and explored how these definitions al- [10] YanSong Ren, Rick Buskens, and Oscar Gonzales. low us to integrate security concerns within the broader Dependable initialization of large scale distributed refinement based model of dependability. We envision to software. Technical report, AT& T Bell Labs, De- continue this work by modeling other aspects of security, cember 2004. and by exploring how a computational approach, based on observed security attributes (rather than hypothesized [11] F.B. Schneider, editor. Trust in Cyberspace. Na- causes) may lead in practice to better security manage- tional Academy Press, 1998. ment. A prototype that we have developed to illustrate [12] Fabrice Stevens, Tod Courtney, Sankalp Singh, Ad- our approach shows how we can store various depend- nan Agbaria, John F Meyer, William H Sanders, ability claims, stemming presumably from distinct vali- and Partha Pal. Model based validation of an intru- dation efforts, into a database, then query the database to sion tolerant information system. In Proceedings, see if the available claims warrant specific properties we SRDS, pages 184–194, 2004. are interested in. 10
You can also read