Formalizing an Adaptive Security Infrastructure in Mobadtl

1
Formalizing an Adaptive Security Infrastructure
in Mobadtl

• Laura Semini Carlo Montangero
• dip. Informatica, Pisa
• Outline

Mobadtl instance ASI
Mobadtl formalization refinement ASI formalization
2
Characteristics of Mobadtl

• Approach to model distributed systems
• Focus on architectural aspects
• Adequate abstraction for overlay computing
• Accommodating mobility
• Temporal logic ? refinement as a methodology
• Mechanic support to verification

model
logic
3
Mobadtl model an intuition
neighborhood Agent movement message being
delivered guardian agent
4
The ingredients of Mobadtl

• Locations
• Neighbourhoods, places where computational
  entities live
• Flat topology
• Security and routing policies
• Agents
• Move from neighbourhood to neighbourhood
• Communicate via asynchronous message passing
• Authorities
• Guardians monitoring agents activities enacting
  routing and security policies
• No a priori choice about routing and security,
  freedom is given to designers
• Profiles
• A means to refer an entity specifying the
  constraints the entity must satisfy
• es flightResService, name(X)

5
The formalism ?DSTL(x)

• A first-order multi-modal logic to
• Name components and state their properties
• Relate properties of different components of a
  system
• Describe properties of the evolution of systems
• With regard to an asynchronous setting

Location
Time
6
Formalizing the model an example

• out(M,P) represents the will of an agent of
  sending a messagge M to a receiver that
  satisfies profile P.
• S (?out(M,P)?guardedby(G)) LEADS_TO G
  msgReq(M,S,P,i)
• Any message sent is first processed by the
  senders guardian

G
S
7
Location layer DSL

• Modalities to locate properties in the state of a
  component
• m(p?q)
• m p ? n r
• m s ? m t ( ? m(s? t) !!!!)

r
n
m
p, q
s
t
8
Location layer semantics
DS 2S
Semantic domain PowerSet
states of m
(ds, ds) ? Rm iff ds is a singleton in
Sm ? ds
ds mF iff ? ds.(ds, ds) ? Rm and ds F
9
Location layer

• Modalities to locate properties in the state of a
  component
• m(p?q)
• m p ? n r
• m s ? m t ( ? m(s? t))

r
n
m
p, q
s
t
10
Temporal layer DSTL

• Future to be intended as the partial order of
  states defined by
• Intra-components transitions
• Inter-component communications

q
n
p
m
r
o
11
No global clock,no global knowlwdge
Valid nq ? or ? or
q
n
p
m
r
o
Non valid nq ? or
12
UNITY like operators

• Simplicity
• Cannot be nested
• past operators
• F1 LEADS_TO F2 F2 BECAUSE F1
• INIT F STABLE F

13
Events ?DSTL(x)

• Explicit event operator, ?F
• Simple events, ?A
• Composed events, ?(A?B)
• Conditioned events, ?A ? B

14
Rules and theorems
15
Outline

• Depict a few, simple and clearly related
  concepts an informal model
• Choose a proper formalism
• Formalize the model to get the description of a
  generic system
• Instantiate the model to get the description of
  a particular system
• Refine the model formalization

16
ASI Components in Mobadtl
senses, collects, and distributes information
about the security environment

• Detector guardian
• Analyzer agent
• Responder guardian

processes Detector data, and occasionally
proposes actions to bring about a new state
executes the actions as directed by the Analyzer
17
ASI Components in Mobadtl
Analyzer
Detector Responder
Detector Responder
log
Detector Responder
generic neighborhoods
generic agents
18
The threshold property
agents can question the trustworthiness of a
guardian. once the number of warnings reaches a
given threshold, we want to consider the guardian
no longer trustworthy (e.g. to route the
messages).
19
The threshold property
out(demote(X,D),sec_w)
out(demote(X,D),sec_w)
20
The threshold property
Analyzer
threshold(2)
in(demote(X,D),S)
in(demote(X,D),S)
21
The threshold property
Responder
out(demote(X,D),adapt)
Analyzer
22
The threshold property
trusted (X)
trusted (X)
Responder
trusted (X)
trusted (X)
trusted (X)
Responders
trusted (X)
trusted (X)
Analyzer
23
The threshold property

• a threshold(2) /\ ag trusted(G) /\ C1 ? C2
• C1 ? out(demote(X,D),sec_w) /\
• C2 ? out(demote(X,D),sec_w)
• LEADS_TO
• G trusted (X) \/
• some communication exc because of unreachablility

24
Conclusions

• ASI components Mobadtl concepts play a central
  role
• guardian ? detection ane response
• profile ? adaptation
• ASI formalization how should the semantics of a
  dynamic security policy be specified?
• unify the temporal-spatial reasoning aspects
• take into account the global-local (or
  distributed-centralized or hierarchical) nature
  of all components of an ASI
• Proof with MaRK (Mobadtl Reasoning Kit)

25
A support tool MaRK

• MaRK Mobadtl Reasoning Kit a tool to support
  the designer while proving properties of Mobadtl
  systems
• The goal to make the proof task as automatic as
  possible
• MaRK is based on the theorem prover Isabelle
  (Paulson Nipkow)
• Specialized for ?DSTL(x)
• Extended to deal with Mobadtl systems

26
A support tool MaRK

• Why theorem proving
• Need to deal with infinite states
• Learning from the proof process itself
• User defined logic, close to users knowledge
• Third party checkable proofs
• Against
• not so automatic, often to interactive, insights
  on internals of provers needed
• But
• tactics, libraries of proofs, tailoring to a
  particular domain make theorem provers more
  usable