Cyber-security Horizon Scan

Date post: 24-Feb-2016
Page 1: Cyber-security Horizon Scan

CEA | 10 APRIL 2012

CYBER-SECURITY HORIZON SCAN

Security of e-Government | Florent Kirchner

FEBRUARY 2013

Page 2: Cyber-security Horizon Scan

Why do you trust (your) software?

Page 3: Cyber-security Horizon Scan

DEFENSE IN DEPTH – SAFETY

Level 1: prevention of abnormal operation

Level 2: control of abnormal operation

Level 3: control of accidents

Level 4: prevention of accident progression

Level 5: consequence mitigation

Butterfly

Page 4: Cyber-security Horizon Scan

DEFENSE IN DEPTH – SECURITY

Attacker

Network firewall

Network translation

Workstation firewall

Application integrity

Kernel controls

Hypervisor separation

Hardware watchdog

Critical cyber-systems require thorough security guarantees

COTS are seeing heavy use

Page 5: Cyber-security Horizon Scan

CYBER LEAP YEAR

5 INNOVATION CATEGORIES:

Digital Provenance: basing trust decisions on verified assertions

Moving-target Defense: attacks only work once if at all

Hardware-enabled trust: knowing when you’ve been had

Health-inspired Network Defense: from forensics to real-time diagnostics

Cyber Economics: crime doesn’t pay

Propose changes to the cybersecurity landscape

MANY COMPONENT TYPES:

Compilers: new security languages

COTS: new API-level security controls

Network: novel privacy protocols

Platforms: innovative behavior verification

Models: different model-based security

Page 6: Cyber-security Horizon Scan

CYBER LEAP YEAR

?

Page 7: Cyber-security Horizon Scan

FORMAL METHODS

Guaranteed software properties

Based on mathematical reasoning

Properties are formalized using unequivocal logical sentences

Software systems are represented by sets of rules transforming the system state satisfying certain properties

On a given perimeter

Formal methods are used to prove that some software properties hold…

… or to provide insight on why other properties do not.

Page 8: Cyber-security Horizon Scan

FORMAL METHODS – CODE, COTS & APIS

!

int abs(int x)
{
  int r;
  if (x >= 0) r = x; else r = -x;
  return r;
}

/*@ requires -1000 <= x <= 1000;
    ensures \result >= 0; */
int abs(int x)
{
  int r;
  if (x >= 0) r = x; else r = -x;
  return r;
}
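An added example (not part of the original slides) that turns the contract above into something executable: it checks the postcondition and the absence of overflow for every input inside the stated perimeter, and shows why INT_MIN falls outside what the contract covers. Exhaustive testing stands in here for the mathematical proof, which is only feasible because the perimeter is small; the names abs_slide, pre_holds, negation_overflows and perimeter_violations are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* The slide's function, renamed to avoid clashing with the C library's abs(). */
int abs_slide(int x)
{
    int r;
    if (x >= 0) r = x; else r = -x;
    return r;
}

/* Bounds copied from the slide's "requires" clause. */
enum { PRE_LO = -1000, PRE_HI = 1000 };

/* requires -1000 <= x <= 1000 */
int pre_holds(int x) { return PRE_LO <= x && x <= PRE_HI; }

/* Would "-x" leave the int range? Evaluated in long long so the check
 * itself cannot overflow (assumes long long is wider than int). */
int negation_overflows(int x)
{
    long long r = -(long long)x;
    return r > INT_MAX || r < INT_MIN;
}

/* Count inputs inside the perimeter for which either the negation would
 * overflow or "ensures \result >= 0" fails. A proof establishes that this
 * count is 0 without running anything; here every value is simply tried. */
int perimeter_violations(void)
{
    int bad = 0;
    for (int x = PRE_LO; x <= PRE_HI; x++)
        if (negation_overflows(x) || abs_slide(x) < 0)
            bad++;
    return bad;
}

int main(void)
{
    printf("violations on [%d, %d]: %d\n", PRE_LO, PRE_HI, perimeter_violations());
    /* abs_slide(INT_MIN) is never called: the negation is undefined behaviour. */
    printf("INT_MIN inside perimeter: %d, negation overflows: %d\n",
           pre_holds(INT_MIN), negation_overflows(INT_MIN));
    return 0;
}
```

The guarantee holds only on the given perimeter: a caller that cannot establish the precondition gets no assurance from the postcondition.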

Page 9: Cyber-security Horizon Scan

FORMAL METHODS – MODELS

!

% Conflict during interval [B,T]
conflict_2D?(s,v) : bool =
  EXISTS (t: Lookahead): sqv(s+t*v) < sq(D)

% 2-D Conflict Detection (cd2d)
cd2d?(s,v) : bool =
  horizontal_los?(s+B*v) OR omega_vv(s)(v) < 0

% THEOREM: cd2d is correct and complete
cd2d : THEOREM
  conflict_2D?(s,v) IFF cd2d?(s,v)

Page 10: Cyber-security Horizon Scan

FORMAL METHODS – PROTOCOLS

!

input_clause(intruder_knows_session_key_as_seen_by_B, conjecture,
  [ --knows (crypt (s (nonceb (Kab, A, B)), Kab)), --knows (Kab) ]).

*** Derived: intruder_knows_session_key_as_seen_by_B ***

1. A -> S : A,B
2. S -> A : {KPb, B}KSs
3. A -> B : {Na, A}KPb
4. B -> S : B,A
5. S -> B : {KPa, A}KSs
6. B -> A : {Na, Nb}KPa
7. A -> B : {Nb}KPb

Page 11: Cyber-security Horizon Scan

PROCESS- VS. PRODUCT-BASED

Formal methods provide additional means to build trust

Process-based assurance

Based on testing, V&V tools designed in the 1980s

Familiar, but expensive to scale up for software-intensive systems

Inapplicable to COTS software components

Product-based assurance

Using formal techniques spawned in the 1980s to provide strong guarantees regarding:

- Compliance with software safety standards

- Absence of software security vulnerabilities

Disruptive, but can help meet mandatory requirements at reduced costs

The first wave of next-generation verification tools is reaching maturity in terms of cost effectiveness and industrial readiness

Page 12: Cyber-security Horizon Scan

THE FORMAL METHODS LEAP

But…

Far out research questions

Difficult to transfer industrially

Scattered contributors worldwide

Insufficiently adopted by the public

Little support from standardization bodies

This leap requires a significant amount of investment across a wide range of domains. However, it cannot rely solely on the will of a few committed individuals.

Yet…

DARPA-funded disruptive CSFV program: use games to lower the cost of formal verifications

Strong successes from forward-looking industrials

Page 13: Cyber-security Horizon Scan

It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.

The [NIST-developed] Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.

[Recommend the] feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.

Page 14: Cyber-security Horizon Scan

WHITE HOUSE EXECUTIVE ORDER – 2013

Sec. 7(b) The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

Page 15: Cyber-security Horizon Scan

Recommendation: open & ambitious cyber-security policies
