engineering topology aware adaptive security: preventing requirements violations at runtime
TRANSCRIPT
![Page 1: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/1.jpg)
Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime
Christos Tsigkanos1, Liliana Pasquale2, Claudio Menghi1, Carlo Ghezzi1, Bashar Nuseibeh2,3
1 Politecnico di Milano, 2 Lero, 3 The Open University
![Page 2: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/2.jpg)
Motivation
Engineering adaptive security systems that continue to protect critical assets in the face of changes in their operational environment.
[Figure: MAPE loop (Monitoring, Analysis, Planning, Execution) around the System, its Environment (Topology), Security Controls and Security Requirements]
![Page 3: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/3.jpg)
Topology
Structure of space; location of objects and agents
• Proximity
• Reachability
![Page 9: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/9.jpg)
Physical Topology
Structure of space; location of objects and agents
• Proximity
• Reachability
Containment: into physical areas.
Placement: of physical objects and agents.
Proximity: colocation in the same physical area.
Reachability: accessibility of a physical agent/object to physical areas/objects.
![Page 14: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/14.jpg)
Topology Helps Identify Relevant Security Concerns

| Security Concern | Topological Concept |
| --- | --- |
| Assets | Agent, Object |
| Threat | Agent |
| Attack | Topology structure and relationships |
| Vulnerability | Characteristic of an object or area |
| Security Control | Location of assets and vulnerabilities |

Example control: forbid access to O6.
![Page 15: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/15.jpg)
… But Topology Changes
Topology changes caused by the movements of agents and assets may enable different attacks and render the currently enabled security controls ineffective.
![Page 16: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/16.jpg)
Topology Changes Examples (1/2)
Topology change: Bob enters office O6
Potential threat: Eve can access O6 and eavesdrop on the safe's key code
![Page 18: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/18.jpg)
Topology Changes Examples (2/2)
Topology change: a valuable server is placed in office O2
Potential threat: Mallory can tamper with the server
![Page 20: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/20.jpg)
Topology Aware Adaptive Security
How to engineer the activities of the MAPE loop to reconfigure security controls at runtime when the topology changes
![Page 21: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/21.jpg)
Engineering Topology Aware Adaptive Security
![Page 22: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/22.jpg)
Modeling the Topology of the Environment
Ambient Calculus
For example: A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]
• Locations, agents and assets are specific kinds of ambients
• Agents can move spontaneously, depending on their current location
… how do we use it?
![Page 23: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/23.jpg)
Monitoring
![Page 24: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/24.jpg)
Monitoring
The topology model is updated after changes in the environment are detected.
For example, if Eve moves to room O6:
A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]
A2[ Bob | O5 | O6[ Eve | Safe ] | O7 ]
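The ambient-calculus model introduced two slides up and the monitoring update shown here, as an added example that is not part of the original talk or the authors' prototype. Ambients are nested named boxes, `|` is parallel composition (commutative, so sibling order carries no meaning), and an agent's move is the calculus' `in n` (enter a sibling ambient) and `out n` (leave the enclosing ambient) capabilities. The parser, the move routines and the `colocated` proximity check are this example's own; the term string is the slide's.

```python
"""Topology as ambient-calculus terms, with the monitoring update.

Added example (not the authors' implementation). Ambient names are assumed
unique, which is how the slides use them (A2, O5, O6, O7, Eve, Bob, Safe).
"""
import re
from dataclasses import dataclass, field

TOKEN = re.compile(r"[A-Za-z0-9_]+|\[|\]|\|")


@dataclass
class Ambient:
    name: str
    children: list = field(default_factory=list)

    def __str__(self) -> str:
        if not self.children:
            return self.name
        return f"{self.name}[ {' | '.join(str(c) for c in self.children)} ]"


def parse(text: str) -> Ambient:
    """Parse e.g. 'A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]' into an Ambient tree."""
    tokens = TOKEN.findall(text)
    pos = 0

    def ambient() -> Ambient:
        nonlocal pos
        node = Ambient(tokens[pos])
        pos += 1
        if pos < len(tokens) and tokens[pos] == "[":
            pos += 1
            while tokens[pos] != "]":
                node.children.append(ambient())
                if tokens[pos] == "|":
                    pos += 1
            pos += 1  # consume ']'
        return node

    root = ambient()
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return root


def locate(root: Ambient, name: str):
    """Return (parent, node) for the ambient called `name`; parent is None for the root."""
    stack = [(None, root)]
    while stack:
        parent, node = stack.pop()
        if node.name == name:
            return parent, node
        stack.extend((node, c) for c in node.children)
    raise KeyError(name)


def colocated(root: Ambient, a: str, b: str) -> bool:
    """Proximity: a and b sit directly inside the same area."""
    return locate(root, a)[0] is locate(root, b)[0]


def enter(root: Ambient, agent: str, target: str) -> None:
    """`in target`: the agent enters a sibling ambient (only enabled for siblings)."""
    parent, node = locate(root, agent)
    tparent, tnode = locate(root, target)
    if parent is None or parent is not tparent:
        raise ValueError(f"{agent} and {target} are not siblings; `in` is not enabled")
    parent.children.remove(node)
    tnode.children.insert(0, node)   # position is cosmetic: `|` is commutative


def leave(root: Ambient, agent: str) -> None:
    """`out parent`: the agent steps out into the enclosing ambient."""
    parent, node = locate(root, agent)
    grand = locate(root, parent.name)[0] if parent is not None else None
    if grand is None:
        raise ValueError(f"{agent} cannot leave: no enclosing ambient")
    parent.children.remove(node)
    grand.children.insert(0, node)


def observe_move(root: Ambient, agent: str, room: str) -> Ambient:
    """Monitoring step: bring the model in line with a detected move by
    applying `out` until the room is a sibling of the agent, then `in`."""
    while True:
        parent = locate(root, agent)[0]
        target_parent, target = locate(root, room)
        if parent is target:
            return root                  # model now agrees with the observation
        if parent is target_parent:
            enter(root, agent, room)
        else:
            leave(root, agent)           # raises if the agent is already top-level


if __name__ == "__main__":
    model = parse("A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]")
    print(model)
    observe_move(model, "Eve", "O6")     # a sensor reports Eve in O6
    print(model)                         # A2[ Bob | O5 | O6[ Eve | Safe ] | O7 ]
    print("Eve next to the safe:", colocated(model, "Eve", "Safe"))
```

After the update the proximity predicate flips: Eve and the Safe are now colocated in O6, which is exactly the relationship the threat analysis on the next slides reasons about.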
![Page 25: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/25.jpg)
Threat Analysis
![Page 26: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/26.jpg)
Threat Analysis
Identify violations of security requirements that can take place in future evolutions of the topology model.
1. Generation of future topological configurations
2. Identification of security requirements violations
![Page 27: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/27.jpg)
Generation of Future Topological Configurations
![Page 31: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/31.jpg)
Specifying Requirements
Computation Tree Logic (CTL)
• Branching-time logic
• Semantics in terms of states and paths
For example: Bob is never in room O6 together with another agent
![Page 32: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/32.jpg)
Identification of Requirements Violations
Security Requirement:
![Page 33: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/33.jpg)
Planning
![Page 34: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/34.jpg)
Planning
Select security controls that prevent security requirements violations
Remove future paths of execution that should not be reached
– Progressively prune the labelled transition system (LTS) until no violating states remain
– Ensure the other requirements remain satisfied
![Page 35: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/35.jpg)
Planning
[Figure: LTS with the transitions to be pruned marked X]
![Page 36: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/36.jpg)
Planning
Functional Requirement:
![Page 39: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/39.jpg)
Execution
![Page 40: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/40.jpg)
Execution
Revoke from agents the permission to access specific areas, depending on the pruned LTS transitions
In our example …
Pruned LTS Transition: <Eve in O6>
Security Control: Revoke from Eve access to O6
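The threat analysis (generate future configurations, then find requirement violations), the planning step (prune the LTS until no violating state is reachable while the other requirements still hold) and the execution step above, carried through on the running example as an added illustration; this is not the authors' prototype. It assumes a floor plan (area A2 containing offices O5, O6, O7, with an agent free to step back out of an office), a flat agent-to-room state instead of full ambient-calculus terms, a greedy one-permission-at-a-time pruning strategy, and a functional requirement "Bob can reach O6" that the slide leaves unstated. The CTL rendering of the requirement used here is AG not(Bob in O6 and another agent in O6).

```python
"""Threat analysis, planning and execution over the topology's LTS.

Added example (not the authors' prototype). Assumed floor plan: area A2
contains offices O5, O6, O7 (the safe is in O6). An agent in A2 may enter any
office it holds a permission for and may always step back out into A2;
the permissions are the security controls being planned.
Security requirement (CTL): AG not(Bob in O6 and another agent in O6).
Functional requirement (assumed, unstated on the slide): EF(Bob in O6).
"""
from collections import deque

AREA = "A2"
OFFICES = ("O5", "O6", "O7")


def moves(state, permissions):
    """Enabled transitions from `state`, as ((agent, destination), next_state)."""
    for agent, room in sorted(state):
        if room == AREA:
            dests = [o for o in OFFICES if o in permissions.get(agent, ())]
        else:
            dests = [AREA]                       # leaving an office is always possible
        for dest in dests:
            yield (agent, dest), frozenset((a, dest if a == agent else r) for a, r in state)


def explore(initial, permissions):
    """Step 1: generate the future topological configurations reachable from
    `initial`. Returns (states, edges); an edge is (source, (agent, dest), target)."""
    states, edges, queue = {initial}, [], deque([initial])
    while queue:
        src = queue.popleft()
        for label, dst in moves(src, permissions):
            edges.append((src, label, dst))
            if dst not in states:
                states.add(dst)
                queue.append(dst)
    return states, edges


def violates(state):
    """Step 2: the state predicate under AG not(...): Bob shares O6 with someone."""
    inside = {a for a, r in state if r == "O6"}
    return "Bob" in inside and len(inside) > 1


def functional_ok(states):
    """EF(Bob in O6): some reachable configuration has Bob at the safe."""
    return any(("Bob", "O6") in s for s in states)


def plan(initial, permissions):
    """Planning: revoke one permission at a time (pruning every transition with
    that label) until no violating state is reachable, rejecting prunings that
    break the functional requirement. Returns (new permissions, pruned labels)."""
    perms = {a: set(p) for a, p in permissions.items()}
    pruned = []
    while True:
        states, edges = explore(initial, perms)
        bad = {s for s in states if violates(s)}
        if not bad:
            return perms, pruned
        # Candidate prohibitions: labels of transitions that enter a violating state.
        candidates = sorted({lbl for _, lbl, dst in edges if dst in bad and lbl[1] != AREA})
        for agent, room in candidates:
            trial = {a: set(p) for a, p in perms.items()}
            trial.setdefault(agent, set()).discard(room)
            t_states, _ = explore(initial, trial)
            if sum(violates(s) for s in t_states) < len(bad) and functional_ok(t_states):
                perms, pruned = trial, pruned + [(agent, room)]
                break
        else:
            raise RuntimeError("no single prohibition removes the violation")


def execute(pruned):
    """Execution: map each pruned <agent in room> transition to a concrete control."""
    return [f"Revoke from {agent} access to {room}" for agent, room in pruned]


if __name__ == "__main__":
    initial = frozenset({("Bob", AREA), ("Eve", AREA)})   # constructed starting configuration
    permissions = {"Bob": set(OFFICES), "Eve": set(OFFICES)}
    states, edges = explore(initial, permissions)
    print(f"{len(states)} configurations, {len(edges)} transitions,",
          f"{sum(violates(s) for s in states)} violating")
    new_perms, pruned = plan(initial, permissions)
    print("pruned transitions:", pruned)        # [('Eve', 'O6')]
    for control in execute(pruned):
        print("security control:", control)     # Revoke from Eve access to O6
```

The functional requirement is what steers the planner: revoking Bob's access to O6 would also remove the violating state, but it is rejected because Bob could then never reach the safe, so the planner falls through to revoking Eve's access, which is the control the slide arrives at.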
![Page 41: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/41.jpg)
Evaluation
Applicability
Expressiveness
Prototype Realisation
– Analysis
• Ambient Calculus model checking
• Domain-specific heuristics
– Planning
• Security controls selection: Permission; Prohibition; X Obligation; X Dispensation
![Page 42: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/42.jpg)
Conclusion & Future Work
Conclusion
A systematic approach to engineer adaptive security systems
– Formal representation of the physical topology
– Identification of security requirements violations by model checking
– Selection of security controls that prevent violations of security requirements
Future Work
• Investigate applicability to Cyber-Physical Systems
• Further evaluate the approach with practitioners
![Page 43: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime](https://reader030.vdocuments.mx/reader030/viewer/2022032616/55a8a03b1a28abed588b46ab/html5/thumbnails/43.jpg)
Questions?