Pushing the Security Boundaries of Ubiquitous Computing

Document Sample
Pushing the Security Boundaries of Ubiquitous Computing Powered By Docstoc
					         Pushing the Security Boundaries of
         Ubiquitous Computing

                   ACSF 2006

                       13th July 2006

David Llewellyn-Jones, Madjid Merabti, Qi Shi, Bob Askwith

       School of Computing and Mathematical Statistics
              Liverpool John Moores University
                   James Parsons Building
            Byrom Street, Liverpool, L3 3AF, UK

 {D.Llewellyn-Jones, M.Merabti, Q.Shi, R.Askwith}@ljmu.ac.uk

• Perimeter Security
   – Ubiquitous Computing
   – Dynamic Boundaries
• Component Composition Analysis
   – Implementation Framework
   – Dynamic Boundary Analysis
• Encrypting External Links
   – Resolving Failures
• Complexity and Timing
• Conclusions and further work
                   Perimeter Security

• Computer security currently relies heavily on perimeter
   – Firewalls
       – Block certain types of incoming and outgoing traffic
   – Intrusion Detection Systems
       – Analyse data entering or leaving a network
       – Detects Denial of Service attacks
   – 97% of organisations responding to the 2005 CSI Computer Crime and
     Security Survey used a firewall

• Policies enforced within network boundaries
                   Ubiquitous Computing Perimeters

• In Ubiquitous Computing environments, the perimeter
  becomes blurred
   – Wireless ad hoc networks
   – Dynamic devices and services moving in and out of networks

• No centralised control, possibly no ownership of devices

• How can the perimeter model of policy enforcement be
  adapted to cope?
                    Alternatives to Perimeter Security

• Security on every device
   – May not be appropriate on low power
   – Often not necessary
• Distributed security
   – A good solution
   – Can be difficult to design and deploy
     such solutions
• Dynamic boundaries
   – Need a process for establishing where the boundaries lie
   – Must dynamically update security
               Dynamic Boundaries

• As devices join and leave, we need a way to dynamically re-
  establish the boundary through remote analysis
                    Component Composition

• In systems without clear boundaries, component
  composition may be a way to ensure security
   – Analyse interaction between devices
   – Ensure that interactions do not affect security
• For example
   – Buffer overrun checking based on interaction between pairs of nodes
   – Access control by following data flow through components
   – Composable Assurance
      – Certain properties can be assured in a complete system if they can be
         shown to hold at the boundaries
      – Shi and Zhang ―An Effective Model for Composition of Secure Systems,‖
         Journal of Systems and Software, 43(3) 1998
                    Application of Component
• Composition properties combine
   – Properties of individual components
   – The interaction between components (the component topology)
• We can therefore use component composition results in two
   – Boundary analysis is a composition property
   – Dynamic boundary analysis can allow further properties to be applied to
• Boundary analysis as a simple composition property
   – Nodes identified with the property of being internal
   – Analyse the topology to establish the boundary based
      – internal – internal links
      – internal – external links
• Having analysed the boundary, can consider other
  security properties
                   Analysis Implementation

• Use the MATTS composition tool
   – Allows composition of systems based on
      – Simulated components
      – Interacting agents
      – Networked Appliance service architecture
• Analyse composition structure using a script
• Presently uses a combination of
   – Certification
   – Formal analysis
   – Topology analysis

• Undertaken in two phases
   – Instrumentation
       – Establish the dependencies between
       – Relates to the movement of data
   – Composition analysis
       – Establish properties of the composed
         system based on the dependencies
       – May require properties of individual
         components to be established to
         complete the composition analysis
                    Composition Analysis

• Analyse a system based on its dependencies
   – Undertaken whenever the dependencies change
   – Result determines whether the security property is satisfied or not
   – Combined with specific security property, establishes whether a particular
     composed system is safe

• How is this undertaken? Analysis is directed by a script
   – Simple XML language script
   – Each script designed for a particular property
                   Composition Script

• What does the script actually do?
   – Script describes a set of satisfying topologies
   – Applied to the composition structure to determine whether the topology
     satisfies it or not
• For example
   – Binary trees
   – Structures without cycles/loops
   – Can depend on the properties of individual components
• Script engine maintains two positions
   – Current position in script
   – Current position in dependency digraph
• We require the dependency digraph to do this
Boundary Analysis Script

                        Set up script

                     Negotiate structure

                      External link and
                       not encrypted?
                    Encrypting External Links

• The script traverses the component structure
• For links from internal to internal nodes
   – No checks are performed
   – The traversal continues along the next link from the internal node
• For links from internal to external nodes
   – The properties of the link are tested
   – If the link is not encrypted, the script fails
   – The traversal continues along the next link from the internal node
• Links from internal nodes are followed, but not those from
  external nodes
• All links that are not internal must be encrypted
• The analysis must be performed each time the
  topology changes
                     Resolving Failures

• The script is used to identify failures of the security policy
• It can also be used to resolve the failures
   – At failure, the problematic link can be identified

   – Generate new encryption service via software factory
   – Place within network between the offending components

• Node traversal

• Encryption checking

• Combined

• The algorithm is dominated by the depth first
  traversal of the nodes
Simulation Timings
                  Conclusions and Future Work

• Perimeter model is currently very successful
• Future changes may make it less applicable
• Dynamic boundary analysis may provide an interim
   – Achieved through component composition analysis
   – Used to enforce component composition results

• Aim to apply the technique to a Networked Appliance
• Create specific security enforcement cases