Security Function Interactions

1
Security Function Interactions

• Pierre Bieber
• Security architecture validation.
• Composition of security functions.
• Secure LAN access control functions.

2
Security Architecture

• Multiple and heterogeneous security functions
• SMAC protocol
• Access Control Switch (ACS), Central Security
  Server (CSS), Security Sub-Network (SSN)
• Internal/external host isolation

3
ITSEC Security Function Validation

• Assurance-correctness
• Model formally security functions
• FOX firewall (Thomson Communications)
• ITSEC level E4
• B specification of packet filters, authentication
  protocol, ...
• Security properties as invariants

4
ITSEC Security Function Interaction Validation

• Assurance-effectiveness
• Suitability analysis,
• Binding analysis,
• Vulnerability assessment.
• Properties enforced by interacting security
  functions
• Consistency compose security functions
• Suitability and circumvention compose untrusted
  function with security functions

5
Composition Framework

• Fiadeiro and Maibaum (COMMUNITY), Wiels and
  Michel (Moka).
• Consistent composition of properties
• Consistency constraint Spec1 and Spec2 should be
  refinements of SharedSpec.
• ComposedSpec is a minimal refinement of both
  Spec1 and Spec2.
• Refinement preservation of invariants

6
Modular description of SMAC

7
ACS Specification

• Attributes
• in boolean // the host is using the medium
• ok boolean // the host is authorised to use
  the medium
• Initialisation
• init in,ok0,0
• Actions
• use in1 if ok
• release in0
• granted ok1
• forbidden in,ok0,0 if !in
• Properties
• in gt ok // If the host is using the medium then
  it is authorised to use it

8
CSS Specification

• Attributes
• ok_I boolean, // Internal hosts are authorised
  to use the medium
• ok_E boolean, // External hosts are authorised
  to use the medium
• Initialisation
• init ok_I,ok_E0,0
• Actions
• grant_Iok_I,ok_E1,0
• grant_Eok_I,ok_E0,1
• Properties
• ! (ok_I ok_E) //Internal and External hosts are
  never authorised simultaneously

9
Composition first step

• Connections
• Relate vocabulary (attribute and action names) of
  shared specification with vocabulary of
  specifications to be composed.
• OneACS dialogue between an internal ACS and
  CSS through SSN

10
Composition second step

• Composed specification
• Composed properties conjunction of the images
  of the properties.
• Consistency
• OneACS (ACS.in gt ok) ! (ok CSS.ok_E)
• TwoACS !(ACS1.in ACS2.in)

11
Circumvention Analysis

• Compose OneACS with OneHost
• untrusted attributes and actions are connected
• Consistent composition constraint is too weak
• untrusted actions (use, release) interfere with
  ok and CSS.ok_E.

12
Secure Composition Constraint

• Untrusted actions should not Interfere with
  security attributes
• Secure composition constraint Secure causal
  dependency
• action forbidden should not depend on the value
  of ACS.in

13
Conclusion

• Security Architecture Validation
• Model security function interactions
• Secure and consistent composition constraints
• refinement weak non-interference
• secure composition constraint applied for
  untrusted/trusted interactions
• Future work
• Relation with Assurance-effectiveness evaluation
  current practices
• Use models to generate intrusion tests
• Apply the Modular Spec test-case generation
  method (M. Doche, FMICS)