UCDavis SecLab

1
Issues in the Verification of Systems

• Tao Song, Jim Alves-Foss, Karl Levitt
• Computer Security Lab
• Computer Science Department
• University of California, Davis

2
Index

• Background of verification
• Security of systems
• Verification of systems

3
Background of verification

• What is verification?
• Existing artifact
• Formalization
• Mathematical proof

4
Background of verification

• Usage of verification
• Hardware verification
• e.g. ACL2 lt-gt AMD K5 chipset
• Protocol verification
• e.g. SMV lt-gt Security protocol
• System verification
• e.g. ACL lt-gt Kit

5
Background of verification

• Why verification?
• Complexity of today's systems
• Increasing error costs
• Commonality in reasoning frameworks.

6
Background of verification

• Formal methods in verification
• Theorem Prover
• e.g. HOL, PVS, Coq, and ACL2 etc
• Model Checking
• e.g. COSPAN, SPIN, Mocha and SMV etc

7
Security of systems

• Basic Concepts of security
• Security policy and mechanism
• Specifications
• e.g. specification of program finger
• Assumptions

8
Security of systems

• Example Specification of the program ftpd
• SPEC in.ftpd (lt?, ?, in.ftpd, ?, OPS1gt)
• SE ltproggt
• ltproggt -gt ltvalidopgt
• ltvalidopgt
• -gt (OPEN_RD, WorldReadable(F.mode))
• (OPEN_RD, CreatedByProc(P.pid, F))
• (OPEN_RD, F.ouid S.uid)
• (OPEN_WR, CreatedByProc(P.pid, F))
• (OPEN_WR, F.path "/var/log/wtmp")
• (CHMOD, CreatedByProc(P.pid, F))
• (CHOWN, CreatedByProc(P.pid, F))
• (EXEC, path "/bin/tar" path
  "/bin/compress"
• path "/bin/ls" path "/bin/gzip")

9
Security of systems
Hierarchical model of system
Security Policy
System
Programs and Network Protocols
Specifications for Programs and Protocols
Valid Operations of Specifications
System Calls
10
Security of systems

• Important issues of systems
• Access control
• Access triple (uid, pid, fid)
• Setuid programs
• e.g. Passwd, ftpd, sendmail, etc.
• System calls
• Important system calls open, chown, execve,
  symlink, chmod, fork, etc.

11
Security of systems

• Hard issues in building model of security of
  systems
• Define the security policy
• Describe behaviors of systems
• Classify objects of systems
• Prove security

12
System verification

• An idea of the system verification
• Use specification to monitor systems
• Formalize behaviors of systems according to
  specifications
• Formalize security policy and assumptions
• Formal proof of security

13
System verification

• Approach of the system
• Using specification to monitor the behavior of
  privileged programs
• Using ACL2 to formalize and prove security
  features of systems

14
System verification

• Specification model

System-wide Top Level
System Services
Host Programs and Network Protocols
Applications
15
System verification

• Specification for ARP (Address Resolution
  Protocol)

ARP Request
i
reply_wait
cached
ARP Request
ARP Response
ARP cache timeout
16
Other Protocol Specifications

• Domain Name System (DNS)
• Network File System (NFS)
• Distributed Host Configuration Protocol (DHCP)
• TCP
• FTP
• RIP routing protocol
• OSPF routing protocol

17
System verification

• Requirement of verification
• Formal statements of security policy
• Formal statements of specifications of privileged
  programs and protocols
• Formal statements of assumptions

18
System verification

• Formal statements of security policy
• (defun policy()
• ( and policy_read(pid, fid)
• policy_write(pid,fid)
• policy_create(pid,fid)
• policy_exec(pid, fid)
• )
• )

19
System verification

• Formal statements of security policy
• (defun policy_read( pid, fid)
• ( or IsRoot(pid) userid of process is
  root
• Readable(pid, fid) the file is
  readable
• WorldReadable(fid)
• )
• )

20
System verification

• Formal statements of specifications
• (defun spec()
• ( and spec_standard(pid, fid)
• standard specification of
  programs
• spec_passwd(pid, fid)
• specification of the program
  passwd
• spec_ARP()
• specification of the ARP protocol
• ) )

21
System verification

• Formal statements of specifications
• (defun spec_chage(pid, fid)
• ( and WorldReadable(fid)
• WriteInPath(fid,
  /var/spool/at/.SEQ)
• CreatedByProc(chmod,pid,fid)
• )
• )

22
System verification

• Formal statements of assumptions
• (defun assumption()
• ( and assum_sys_1()
• assum_sys_2()
• assum_verify_1()
• assum_verify_2()
• ))

23
System verification

• An example of assumptions
• (defun assum_sys_n( pid )
• ( imply ( pid.setuid 0)
• true
• )
• )

24
System verification

• Prototype of verification
• (defthm verify()
• ( imply ( and assumption()
• spec())
• policy()
• )
• )

25
System verification

• Ongoing work
• Build security model of a system
• Classify the subjects, objects and operations
• Define security states and state transitions
• Extend the model to cover network protocol
• Automatic verification
• Analysis the assumption of the security of a
  system
• Refine formal statements of specifications

26
Thank you