Model-based Security Engineering with UML by olliegoblue28

VIEWS: 6 PAGES: 11

									                                                                                 A Need for Security
   Model-based Security
                                                                                 Society and economies rely on computer
   Engineering with UML                                                           networks for communication, finance,
                                                                                  energy distribution, transportation...
                     Jan Jürjens
      Competence Center for IT Security                                          Attacks threaten economical and physical
       Software & Systems Engineering                                              integrity of people and organizations.
            TU Munich, Germany                                                   Interconnected systems can be attacked
                                                                                   anonymously and from a safe distance.
                 juerjens@in.tum.de                                              Networked computers need to be secure.
              http://www.jurjens.de/jan
                                                                                         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   2




Problems                                                                         Causes I
Many flaws found in designs of security-critical                                 •  Designing secure systems correctly is
 systems, sometimes years after publication                                         difficult.
 or use.                                                                            Even experts may fail:
Spectacular Example (1997):                                                        – Needham-Schroeder protocol (1978)
NSA hacker team breaks into U.S.                                                   – attacks found 1981 (Denning, Sacco),
 Department of Defense computers and the                                               1995 (Lowe)
 U.S.electric power grid system. Simulates                                       • Designers often lack background in security.
 power outages and 911 emergency
                                                                                 • Security as an afterthought.
 telephone overloads in Washington, D.C..

         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   3           Jan Jürjens, TU Munich: Model-based Security Engineering with UML   4




Causes II                                                                        Causes III
„Blind“ use of mechanisms:                                                       „Penetrate-and-patch“ (aka „banana
• Security often compromised                                                       strategy):
  by circumventing (rather than
  breaking) them.                                                                • insecure
• Assumptions on system context, physical                                        • disruptive
  environment.                                                                      loose customer trust.
„Those who think that their problem can be solved
  by simply applying cryptography don`t understand
                                                                                 Goal: reduce number of
  cryptography and don`t understand their problem“                                 flaws arising this way.
  (R. Needham).
         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   5           Jan Jürjens, TU Munich: Model-based Security Engineering with UML   6




                                                                                                                                                                 1
Formal Methods                                                                     How used in Security Engineering ?
Lots of very successful research using logic-based                                 Saltzer, Schröder (1975): Security Design Principles.
  methods to analyze systems for security flaws. Often                             Gasser (1988): Formal techniques, not integrated with
  based on specialized, „academic“ notations and                                     system development.
  concerned with crypto protocols or information flow:                             Abrams, Jajodia, Podell (1995): Collection of unlinked
LaPadula, Bell 73; Goguen, Meseguer 82; Millen,                                      approaches.
  Clark, Freedman 87; Burrows, Abadi, Needham 89;                                  Abadi, Needham; Anderson, Needham (1996): Design
  Kemmerer 89; Gong, Needham, Yahalom 90;                                            rules for security protocols.
  Meadows 91; McLean 94; Focardi, Gorrieri 94;                                     Anderson (2001): Use formal techniques for protocols.
  Syverson, van Oorschot 94; Roscoe, Woodcock,                                     Viega, McGraw (2002): How to avoid buffer-overflows.
  Wulf 94; Lowe 96; Schneider 96; Abadi, Gordon 97;                                Seemingly no encompassing, integrated
  Mitchell, Mitchell, Stern 97; Paulson 98, …                                       formally based approach.
          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   7              Jan Jürjens, TU Munich: Model-based Security Engineering with UML   8




Some Open Problems                                                                 Towards Use in Practice
Secure systems out of (in)secure mechanisms.                                       Increase security with bounded
Security as pervasive property: vs. dependability,                                   investment in time, costs
  program analysis, formal methods, software                                         (crucial for industry). Idea:
  engineering, programming languages, compilers,
  computer architectures, operating systems, reactive                              • Extract models from artefacts arising in industrial
  systems, …, …                                                                      development and use of security-critical systems
Problem: no integration / coherence.                                                 (UML models, source code, configuration data).
How to put all this stuff together in a water-tight                                • Tool-supported theoretically sound efficient
  way within security engineering approach ?                                         automated security analysis.
Necessary for security (attacks on boundaries                                         Model-based Security Engineering
  between views / aspects / levels …).
          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   9              Jan Jürjens, TU Munich: Model-based Security Engineering with UML   10




Model-based Security Engineering                                                   Why UML ?
Combined strategy:
• Analyze models automatically     Requirements
                                                                                   Seemingly de-facto standard in industrial
  against security requirements. Analyze                                            modeling. Large number of developers
• Generate code (or tests) from                                                     trained in UML.
  models automatically.                 Models
• Generate models from code to Codegen.
                                                                                   Relatively precisely defined (given the
                                               Modelgen./
  get changes (or analyze        Testgen.      Reverse E.                           user community).
  legacy systems).                                                                 Many tools in development (also for code-
Goal: model-based = source-               Code
                                         Code
  based.                                                                            generation, testing, reverse engineering,
Idea notation-independent. Here: use UML.                                           simulation, transformation).

          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   11             Jan Jürjens, TU Munich: Model-based Security Engineering with UML   12




                                                                                                                                                                      2
UMLsec: Goals                                                                    UMLsec: How
Extension for secure systems development.                                        Recurring security requirements, adversary
• evaluate UML specifications for weaknesses                                       scenarios, concepts offered as stereotypes
  in design                                                                        with tags on component-level.
• encapsulate established rules of prudent                                       Use associated constraints to verify
  secure engineering as checklist                                                  specifications using automated theorem
• make available to developers not specialized
                                                                                   provers and indicate possible weaknesses.
  in secure systems
• consider security requirements from early                                      Ensures that UML specification provides
  design phases, in system context                                                 desired level of security requirements.
• make certification cost-effective                                              Link to code via round-trip engineering etc.
        Jan Jürjens, TU Munich: Model-based Security Engineering with UML   13            Jan Jürjens, TU Munich: Model-based Security Engineering with UML   14




                                                                                 This tutorial
                                                                                 Background knowledge on using UML for
Example:                                                                           model-based security engineering.
Biometric                                                                        • UMLsec extension
authentication                                                                   • Tools.
system in                                                                        • Industrial applications (biometry, security
industrial                                                                         protocols, electronic purses, …).
development.                                                                     • Attacks against them.
Secure ?                                                                         Research-oriented (not user-oriented).

        Jan Jürjens, TU Munich: Model-based Security Engineering with UML   15            Jan Jürjens, TU Munich: Model-based Security Engineering with UML   16




Requirements on UML extension for security I                                     Requirements on UML extension for security II

Provide basic security requirements such                                         Provide security primitives (e.g.
  as secrecy, integrity, authenticity.                                             (a)symmetric encryption).
Allow considering different threat scenarios                                     Allow considering underlying physical security.
  depending on adversary strengths.                                              Allow addressing security management
Allow including important security concepts                                        (e.g. secure workflow).
  (e.g. tamper-resistant hardware).
                                                                                 Also: Include domain-specific security
Allow incorporating security mechanisms                                            knowledge (Java, smart cards, CORBA, ...).
  (e.g. access control).
        Jan Jürjens, TU Munich: Model-based Security Engineering with UML   17            Jan Jürjens, TU Munich: Model-based Security Engineering with UML   18




                                                                                                                                                                   3
Requirements with use case diagrams                                                                     fair exchange
           Sales application
                                   «fair exchange»
                                                                                                     Ensures generic fair exchange condition.
                         buys goods
                                                  sells goods                                        Constraint: after a {start} state in activity
                                                                                                      diagram is reached, eventually reach
           Customer                                                   Business
                                                                                                      {stop} state.
Capture security requirements
 in use case diagrams.                                                                               (Cannot be ensured for systems that an
Constraint: need to appear in                                                                          attacker can stop completely.)
 corresponding activity diagram.
             Jan Jürjens, TU Munich: Model-based Security Engineering with UML                  19               Jan Jürjens, TU Munich: Model-based Security Engineering with UML          20




Example                 fair exchange                                                                  Internet             ,        encrypted , …
                                                     Purchase               «fair exchange»
Customer buys a good                                 {start={Pay}} {stop={Reclaim,Pick up}}          Kinds of communication links resp. system
                                                     Customer                        Business
 from a business.                                                                                     nodes.
Fair exchange means:                                              Request good                       For adversary type A, stereotype s, have set
                                                                                                      ThreatsA (s) {delete, read, insert, access}
                                                                                                                                 




 after payment,                                                       Pay

 customer is                                                                                          of actions that adversaries are capable of.
                                                                    Wait until
 eventually either                                                 delivery due
                                                                                      Deliver        Default attacker:   Stereotype Threats default ()
 delivered good or                                   undelivered         delivered                                                        Internet                 {delete, read, insert}
                                                                                                                                          encrypted                {delete}
 able to reclaim                                       Reclaim
                                                                         Pick up
                                                                                                                                          LAN                      ¡




 payment.                                                                                                                                 smart card               ¡




             Jan Jürjens, TU Munich: Model-based Security Engineering with UML                  21               Jan Jürjens, TU Munich: Model-based Security Engineering with UML          22




   secure links                                                                                      Example                        secure links
Ensures that physical layer meets security                                                                          «secure links»
                                                                                                      Remote access
 requirements on communication.
Constraint: for each dependency d with stereotype
                                                                                                       client machine                     «secrecy»         server machine
 s { secrecy , integrity } between
    ¢




                                                                                                               get_password
 components on nodes n m, have a              £




                                                                                                               client apps                «call»                       web server
                                                                                                                                                                       access control
 communication link l between                                                                                     browser
                                                                                                                                          «Internet»
 n and m with stereotype t such that
• if s =     secrecy : have read                          ¤       Threats A (t).
• if s =     integrity : have insert                          ¤     ThreatsA (t).                    Given default adversary type, is                             secure links
                                                                                                      provided ?
             Jan Jürjens, TU Munich: Model-based Security Engineering with UML                  23               Jan Jürjens, TU Munich: Model-based Security Engineering with UML          24




                                                                                                                                                                                                 4
Example                       secure links                                                         secure dependency
                   «secure links»                                                               Ensure that call and send




                            ?
 Remote access
                                                                                                 dependencies between components respect
                                                                                                 security requirements on communicated data
  client machine                         «secrecy»         server machine
          get_password                                                                           given by tags {secrecy}, {integrity}.
              client apps                «call»                       web server                Constraint: for call or send dependency
                browser                                               access control
                                         «Internet»                                               from C to D (and similarly for {integrity}):
                                                                                                • Msg in D is {secrecy} in C if and only if also in D.
                                                                                                • If msg in D is {secrecy} in C, dependency
Given default adversary type, is                                 secure links
                                                                                                  stereotyped secrecy .
 provided ?
                Jan Jürjens, TU Munich: Model-based Security Engineering with UML          25                 Jan Jürjens, TU Munich: Model-based Security Engineering with UML          26




Example                       secure dependency                                                 Example                     secure dependency




                                                                                                                          ?
                  «secure dependency»                                                                            «secure dependency»
Key generation                                                                                  Key generation

 newkey(): Key                       «interface»                                                 newkey(): Key                     «interface»
                               Random number                                                                                 Random number
                                                            Key generator «critical»                                                                      Key generator «critical»
 Random generator              random(): Real               {secrecy={newkey(),random()}         Random generator            random(): Real               {secrecy={newkey(),random()}
 seed: Real                                                                                      seed: Real
 random(): Real                                 «call»       newkey(): Key                       random(): Real                               «call»       newkey(): Key



  secure dependency                            provided ?                                         secure dependency                          provided ?

                Jan Jürjens, TU Munich: Model-based Security Engineering with UML          27                 Jan Jürjens, TU Munich: Model-based Security Engineering with UML          28




   no down–flow                                                                                 Example                     no down-flow
Enforce secure information flow.
Constraint:
Value of any data specified in {secrecy}
 may influence only the values of data
 also specified in {secrecy}.
Formalize by referring to formal
 behavioural semantics.                                                                           no down–flow                   provided ?

                Jan Jürjens, TU Munich: Model-based Security Engineering with UML          29                 Jan Jürjens, TU Munich: Model-based Security Engineering with UML          30




                                                                                                                                                                                              5
Example                 no down-flow                                                   data security




                      ?
                                                                                   Security requirements of data marked
                                                                                      critical enforced against threat
                                                                                    scenario from deployment diagram.
                                                                                   Constraints:
                                                                                   Secrecy of {secrecy} data preserved.
                                                                                   Integrity of {integrity} data preserved.
  no down–flow               provided ?

          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   31             Jan Jürjens, TU Munich: Model-based Security Engineering with UML   32




Example                 data security                                              Example                 data security




Variant of TLS
 (INFOCOM`99).                                                                     Variant of TLS
 data security                                                                       (INFOCOM`99).
 against default                                                                   Violates {secrecy}
 adversary                                                                           of s
 provided ?                                                                          against default
                                                                                     adversary.

          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   33             Jan Jürjens, TU Munich: Model-based Security Engineering with UML   34




   guarded access                                                                  Example                 guarded access
Ensures that in Java, guarded classes
 only accessed through {guard} classes.
Constraints:
• References of                   guarded                    objects
  remain secret.
• Each guarded                          class has {guard}
                                                                                   Provides guarded access :
  class.                                                                            Access to MicSi protected by MicGd.
          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   35             Jan Jürjens, TU Munich: Model-based Security Engineering with UML   36




                                                                                                                                                                      6
Does UMLsec meet requirements?                                                    UMLsec as Integrating Formal Framework
Security requirements:                       secrecy ,…                           Have formalizations of major security
Threat scenarios: Use Threatsadv(ster).                                             requirements in one integrated notation.
Security concepts: For example                                smart card .        Want to relate / combine requirements; get
                                                                                    modularity / composability, hierarchical
Security mechanisms: E.g.                            guarded access .               decomposition, refinement, … :
Security primitives: Encryption built in.                                         For example:
Physical security: Given in deployment diagrams.                                  • If system satisfies secure links and
Security management: Use activity diagrams.                                         subsystems satisfy data security then
                                                                                    system satisfies data security .
Technology specific: Java, CORBA security.
         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   37            Jan Jürjens, TU Munich: Model-based Security Engineering with UML   38




Summary Lecture 1                                                                 Security Analysis
Defined UMLsec extension.                                                         Specify system parts as processes following
Goal: express security requirements within an                                       Dolev, Yao 1982: In addition to expected
  industrially used specification notation in a                                     participants, model attacker who:
  way which allows automated verification.                                        • may participate in some protocol runs,
Aims:
                                                                                  • knows some data in advance,
• model-based security engineering, integrated
  with source-code, configuration data                                            • may intercept messages on the public
                                                                                    network,
• formal framework to relate different security
  aspects.                                                                        • injects messages that it can produce into the
Coming up in Lecture 2: formal security analysis                                    public network.
         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   39            Jan Jürjens, TU Munich: Model-based Security Engineering with UML   40




Security Analysis                                                                 Security Analysis II
Model classes of adversaries.                                                     Keys are symbols, crypto-algorithms are
                                                                                   abstract operations.
May attack different parts of the system
 according to threat scenarios.                                                   • Can only decrypt with right keys.
Example: insider attacker may intercept
                                                                                  • Can only compose with available
 communication links in LAN.
                                                                                    messages.
To evaluate security of specification,
 verify against adversary model.                                                  • Cannot perform statistical attacks.

         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   41            Jan Jürjens, TU Munich: Model-based Security Engineering with UML   42




                                                                                                                                                                    7
Cryptographic Expressions                                                           Cryptographic Expressions
Exp: quotient of term algebra generated from                                        • ∀E,K.DecK-1({E}K)=E
 sets Data, Keys, Var of symbols using                                              • ∀E,K.ExtK(SignK-1(E))=E
•   _::_ (concatenation), head(_), tail(_),                                         • ∀E1,E2.head(E1::E2)=E1
•   (_)-1 (inverse keys)                                                            • ∀E1,E2.tail(E1::E2)=E2
•   { _ }_ (encryption)                                                             • Associativity for ::.
•   Dec_( ) (decryption)                                                            Write E1::E2::E3 for E1::(E2::E3) and
•   Sign_( ) (signing)                                                                fst(E1::E2) for head(E1::E2) etc.
•   Ext_( ) (extracting from signature)                                             Can include further crypto-specific primitives
under equations …                                                                     and laws (XOR, …).
           Jan Jürjens, TU Munich: Model-based Security Engineering with UML   43              Jan Jürjens, TU Munich: Model-based Security Engineering with UML             44




Adversary Model                                                                     Adversary: Simulation

                                                                                          A                        Adversary                                  B
     A                                          B
                       adversary




                                                                                                   m(x)                                     m(x)
                                                                                                                                                                   [argb,1,1 = x]

                                                                                                                                     return({z}k)
                                    * memorize message                                         return({y::x}z)
        memory                      * delete message
         logic                      * insert message
                                                                                     Adversary                    k-1, y, x
                                    * compose own message
                                                                                     knowledge:
                                    * use cryptographic primitives                                                {z}k, z
           Jan Jürjens, TU Munich: Model-based Security Engineering with UML   45              Jan Jürjens, TU Munich: Model-based Security Engineering with UML             46




Abstract adversary                                                                  Encryption vs. Secrecy
Specify set      of initial knowledge of an
 adversary of type A. Let          be the                                                     {m}K::K                                                {m}K
 Exp-subalgebra generated by          and
                                                                                      A                        B                       A                               B
 the expressions received after n+1st
 iteration of the protocol.
                                                                                    Against eavesdropper:
Definition (Dolev, Yao 1982).
                                                                                    • Secrecy of m, K not preserved.
 S keeps secrecy of M against attackers
                                                                                    • Secrecy of m, K preserved.
 of type A if there is no n with M ∈     .
           Jan Jürjens, TU Munich: Model-based Security Engineering with UML   47              Jan Jürjens, TU Munich: Model-based Security Engineering with UML             48




                                                                                                                                                                                    8
Hybrid Crypto vs. Secrecy                                                          Security analysis in first-order logic
                                {K} PubB                                           Idea: approximate set of possible data
                A                                           B                        values flowing through system from
                                  {m } K
                                                                                     above.
                                                                                   Predicate knows(E) meaning that the
• Secrecy of m not preserved against an                                              adversary may get to know E during
  attacker who can delete and insert                                                 the execution of the protocol.
  messages.                                                                        For any secret s, check whether can
• Secrecy of m preserved against an attacker                                         derive knows(s) using automated
  who can eavesdrop, but not alter the link.                                         theorem prover.
          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   49            Jan Jürjens, TU Munich: Model-based Security Engineering with UML   50




First-order logic: basic rules                                                     Given Sequence Diagram …
For initial adversary knowledge (K0): Define
  knows(E) for any E initially known to the
  adversary (protocol-specific, e.g. KA , KA-1).
Define above equations.
For evolving knowledge (Kn) define
∀ E1,E2.(knows(E1)∧ knows(E2)                        




     knows(E1::E2) ∧ knows({E1}E2) ∧
     knows(DecE2(E1)) ∧ knows(SignE2 (E1)) ∧
     knows(ExtE2 (E1)))
∀ E.(knows(E)       




     knows(head(E)) ∧ knows(tail(E)))
          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   51            Jan Jürjens, TU Munich: Model-based Security Engineering with UML   52




… and Physical Layer Model …                                                       … Translate to 1st Order Logic
                                                                                   Connection (or statechart transition)
                                                                                   TR1=(in(msg_in),cond(msg_in),out(msg_out))
                                                                                   followed by TR2 gives predicate PRED(TR1)=
                                                                                         msg_in. [knows(msg_in) cond(msg_in)
                                                                                                    knows(msg_out)
                                                                                                      PRED(TR2)]
Deployment diagram.                                                                (Assume: order enforced (!).)
                                                                                   Can include senders, receivers in messages.
Derived adversary model: read, delete,
                                                                                   Abstraction: find all attacks, may have false
 insert data.                                                                        positives.
          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   53            Jan Jürjens, TU Munich: Model-based Security Engineering with UML   54




                                                                                                                                                                     9
Example: Translation to Logic                                                     Execute in System Context




knows(N) knows(KC) knows(SignKC-1(C::KC))
     init1,init2,init3.[knows(init1) knows(init2)
      knows(init3) snd(Extinit2(init3)) = init2
          knows({SignKS-1(…)}…) […] [… ...]…]                                     Activity diagram.
         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   55          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   56




Formulate Data Security Requirements                                              Example: Proposed Variant of TLS (SSL)

                                                                                  Apostolopoulos,
                                                                                   Peris, Saha;
                                                                                   IEEE Infocom
                                                                                   1999.
                                                                                  Goal: send secret
                                                                                   protected by
                                                                                   session key
Class diagram.                                                                     using fewer
Gives conjecture: knows(s) derivable ?                                             server resources.
         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   57          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   58




TLS Variant in TPTP notation I                                                    TLS Variant in TPTP notation II




         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   59          Jan Jürjens, TU Munich: Model-based Security Engineering with UML   60




                                                                                                                                                                  10
Surprise …                                                                        … which means:
                                                                                  Can derive knows(s ) (!).
                                                                                  That is: Protocol does not preserve
                                                                                   secrecy of s against adversaries.
                                                                                     Completely insecure wrt stated goals.
                                                                                  But why ?
                                                                                  Could look at proof tree.
                                                                                  Or: use prolog-based attack generator.
         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   61            Jan Jürjens, TU Munich: Model-based Security Engineering with UML   62




Man-in-the-Middle Attack                                                          The fix




                     ?
         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   63
                                                                                                       ?
                                                                                  e-Setheo: knows(s) not derivable. Thus secure.
                                                                                           Jan Jürjens, TU Munich: Model-based Security Engineering with UML   64




Summary Lecture 2
Automated formal security analysis for security
 requirements included in UMLsec models as
 stereotypes.
Running example: TLS variant with security
 flaw.
Exercise: find flaw, propose correction .
Coming up tomorrow: Electronic purses,
 biometric authentication systems (including
 more flaws). General results and reasoning
 techniques.

         Jan Jürjens, TU Munich: Model-based Security Engineering with UML   65




                                                                                                                                                                    11

								
To top