Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days...

transcript

Building Secure Distributed Systems

The CIF model : Component Information Flow

Lilia SfaxiDCS Days -

26/03/2009

Context and Contribution2

Context Building secure distributed systems

Needed expertise in systems and security Needed expertise in cryptography

Difficulty of dynamic reconfiguration without breaking the security properties of the system

Necessity of high level tools Programming abstractions Automatic code generation Verification of the generated code

Context and Contribution3

Contribution High-level model : CIF (Component Information

Flow) System architecture description : component-based

model Security annotations

Transformation tools : Verification of the security properties System code generation

Models and languages Component-based model : Fractal Security-typed programming language : JIF Architecture Description Language : ADL (XML-

based)

Outline

CIF Specification System representation System security : Inter and Intra component

CIF Transformation CIF ADL ADL Generation Code Generation

Case study : The battleship game Conclusion and Future Work

Outline

System : assembly of components explicitly bound, with ports used to send and receive data

Each component is configurable : attribution of labels to : The attributes The ports

CIF Specification System Representation

Labels

Use of Labels : pair of : Confidentiality policies Integrity policies

All the policies must be obeyed Relation at most as restrictive as (⊑)

Construction of a security lattice

As data flows through the system, its labels only become more restrictive !

less restrictive

more restrictive

CIF Specification System Security

In CIF, needed security policies must be guaranteed at two levels Intra-component Inter-component

Inter-component Ports annotation

Intra-component Secure component code

CIF SpecificationInter-component Security

Associating a label to a port : impose a security restriction to the request

or response A binding is permitted iff L(client) ⊑ L(server) Example :

Confidentiality : Integrity : C1 : I want the message to keep the conf. at least C C1 : I guarantee that the

integrity level is I

C2 : I consider that the message received has C2 : I want the message to have at least

the label C' the integrity I'

P' {C'; I'}

C2P {C; I}

CIF SpecificationIntra-component Security

Annotation of ports and attributes of a component

Verification of component code Preservation of confidentiality and integrity

of annotated elements Non-interferent data flow

Non-interference : "The low level users should not be able to deduce

anything about high level user’s activity" Foccardi et al.

"Low-security behavior of the program is not affected by any high-security data.” Goguen & Messeguer 1982

Outline

CIF TransformationImplementation of the CIF Spec.

P2 {C2; I2}

C2P1 {C1; I1}

C1 crypt sign verify decrypt

C'1 C'2

TC1 TC2

ADL : Architecture Description Language XML-based Functional part

Architecture of the system : components & bindings Location of the component code

Security part Security labels of attributes & ports

<definition name="C1"><port name="start" role="server"

signature="src.security.StartItf" label=""/>

C1start{} send{L}

CIF ADLArchitecture Description

CIF TransformationADL Generation

P2 {C2; I2}

C2P1 {C1; I1}

C1 crypt sign verify decrypt

ADL Transform : removing the annotations Implementation :

Confidentiality : asymmetric encryption Integrity : signature

Assumptions : Keys distributed safely Communication channels untrusted

Generation of cryptographic components : Creation of crypt, sign, verify and decrypt components Creation of top components containing

The main component (server or client) The security components (crypt & sign or verify & decrypt)

Connecting the top components with low level bindings

CIF TransformationCode Generation

Guarantee the non-interference property for one component

Depending on the component code Implemented in a security-typed language (exp : JIF)

Type checking Implemented in an imperative language

Propagation of the attributes' and methods' labels Propagation of the label

Check the use of component parameters and port messages Check the information flow : non-interferent? Controller

Called when secret information leaks Decides whether to declassify the information or to throw an

exception If the label is propagated without exceptions, component

non-interferent!

Outline

Case StudyThe Battleship Game

1 coordinator and 2 players (at least) Each player has a secret board with a fixed number of ships Each player tries to guess the opponent's ships coordinates :

the winner is the first player who finds the n ships of the opponent

The coordinator keeps a copy of the players' boards & controls the message exchange

Case StudyThe Battleship Game : Inter-component security

cryptsign

verify decrypt

Ɛ(m,pub(coord))S(Ɛ(m,pub(coord)))

Ɛ(m,pub(coord))

Case StudyThe Battleship Game : Intra-component security

public class Player {private Board board;public void setBoard(Board board) {

this.board = board;}public void init(int nbShips) {

int numCovered = 0;for (int j = 1; j < nbShips+1 ; j++){

numCovered += j;}final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true),

new Ship(new Coordinate(1, 3), 2, false), };Board myBoard = new Board();int i = 0;for (int count = numCovered; count > 0 && myBoard != null;) {

try {Ship newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {

newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal);}myBoard.addShip(newPiece);count -= (newPiece == null ? 0 : newPiece.length);

} catch (ArrayIndexOutOfBoundsException ignored) {} catch (IllegalArgumentException ignored) {}

}setBoard (myBoard);

public class Player {private Board {P1->C;P1<-C} board;public void setBoard(Board board) {

public class Player {private Board{P1->C;P1<-C} board;public void setBoard(Board{P1->C;P1<-C} board) {

public class Player {private Board {P1->C;P1<-C} board;public void setBoard(Board{P1->C;P1<-C} board) {

new Ship(new Coordinate(1, 3), 2, false), };Board{P1->C;P1<-C} myBoard = new Board();int i = 0;for (int count = numCovered; count > 0 && myBoard != null;) {

try {Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {

numCovered += j;}final Ship{P1->C;P1<-C}[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true),

try {Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {

Outline

Conclusion

CIF Component-based model Builds distributed systems secure by construction

User specifies security requirements At a high level of abstraction Association of labels to attributes and ports of the

component Tools to automate security implementation

Inside a component : Generation of JIF code

Between components Insertion of cryptographic components

Future Work

Key distribution Secure deployment Safe reconfiguration Privacy

Thank you for your attention

Lilia SfaxiDCS Days -

26/03/2009

Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days...

Documents