Post on 21-Dec-2015
Formalizing an Adaptive Security Infrastructure in Mobadtl
Laura Semini & Carlo Montangero
dip. Informatica, Pisa
Outline
Mobadtl instance ASI
Mobadtl formalization refinement ASI formalization
Characteristics of Mobadtl
Approach to model distributed systems
Focus on architectural aspects
Adequate abstraction for overlay computing
Accommodating mobility
Temporal logic refinement as a methodology
Mechanic support to verification
The ingredients of Mobadtl
Locations: neighbourhoods, the places where computational entities live; flat topology; security and routing policies
Agents: move from neighbourhood to neighbourhood; communicate via asynchronous message passing
Authorities: guardians monitoring agents' activities and enacting routing and security policies; no a priori choice about routing and security, freedom is given to designers
Profiles: a means to refer to an entity by specifying the constraints the entity must satisfy, e.g. flightResService, name(X)
A first-order multi-modal logic to: name components and state their properties; relate properties of different components of a system; describe properties of the evolution of systems, with regard to an asynchronous setting
The formalism: ΔDSTL(x)
Two layers: location (DSL) and time (DSTL)
Formalizing the model: an example
out(M,P) represents the intention of an agent to send a message M to a receiver that satisfies profile P.
S(out(M,P) /\ guardedby(G)) LEADS_TO G(msgReq(M,S,P,i))
Any message sent is first processed by the sender’s guardian
Figure: out(M,P) at the sender S; msgReq(M,S,P,i) at its guardian G
Location layer: DSL
Modalities to locate properties in the state of a component
m(p /\ q), m p, n r, m s, m t, but not m(s /\ t)
Figure: component m with states {p, q}, {s} and {t}; component n with state r
Location layer – semantics
Semantic domain: PowerSet, DS = 2^S
(ds, ds') ∈ R_m iff ds' is a singleton in S_m ∩ ds
ds ⊨ m F iff ∃ ds'. (ds, ds') ∈ R_m and ds' ⊨ F
Figure: the states of m (p, q) and of n (r) inside a distributed state ds
The future is to be understood as the partial order of states defined by intra-component transitions and inter-component communications.
Temporal layer: DSTL
UNITY-like operators: simplicity, they cannot be nested, plus past operators
F1 LEADS_TO F2, F2 BECAUSE F1, INIT F, STABLE F
Events: ΔDSTL(x)
Explicit event operator ΔF: simple events ΔA; composed events Δ(A /\ B); conditioned events ΔA /\ B
Rules and theorems
Conf: from STABLE F and STABLE F' (conclusion not recoverable from the slide)
LCC: from F LEADS_TO G and F LEADS_TO G' (conclusion not recoverable from the slide)
LPD: from F LEADS_TO G and F' LEADS_TO G, infer (F \/ F') LEADS_TO G
LTR: from F LEADS_TO F' and F' LEADS_TO F'', infer F LEADS_TO F''
Outline
1. Depict a few, simple and clearly related concepts: an informal model
2. Choose a proper formalism
3. Formalize the model to get the description of a generic system
4. Instantiate the model to get the description of a particular system
5. Refine the model formalization
ASI Components in Mobadtl
Detector (guardian): senses, collects, and distributes information about the security environment
Analyzer (agent): processes Detector data, and occasionally proposes actions to bring about a new state
Responder (guardian): executes the actions as directed by the Analyzer
Figure: one Analyzer agent; each generic neighbourhood has a Detector & Responder guardian, generic agents and a log
The threshold property
Agents can question the trustworthiness of a guardian. Once the number of warnings reaches a given threshold, we want to consider the guardian no longer trustworthy (e.g. for routing messages).
Figure: two generic agents and the Analyzer, with threshold(2)
Figure: the agents issue out(demote(X,D),{sec_w}) and out(demote(X,D'),{sec_w}); their Detectors record in(demote(X,D),S) and in(demote(X,D'),S')
Figure: the Analyzer propagates ~trusted(X) to the Responders
The threshold property
a threshold(2) /\ ag trusted(G) /\ C1 /\ C2
  where C1 = out(demote(X,D),{sec_w}) and C2 = out(demote(X,D'),{sec_w})
LEADS_TO
G ~trusted(X) \/ some communication exception because of unreachability
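As an added, executable illustration of the threshold property (not from the slides or from MaRK): a small Python model in which generic agents send demote warnings through their guardian G to an Analyzer behind another guardian, and G, as Responder, drops trust in X once the distinct warnings reach threshold(2), or a communication exception is raised when the Analyzer's guardian is unreachable. The class names, the message tuples and the reachable flag are assumptions.

```python
from collections import defaultdict

class Unreachable(Exception):
    """The communication exception in the property's second disjunct."""

class Agent:
    def __init__(self, name, profile=frozenset()):
        self.name, self.profile, self.inbox = name, profile, []

class Analyzer(Agent):
    """ASI Analyzer: satisfies profile {sec_w}; counts distinct warnings per guardian."""
    def __init__(self, threshold):
        super().__init__("analyzer", frozenset({"sec_w"}))
        self.threshold, self.warnings = threshold, defaultdict(set)

    def process(self):
        """Return the guardians X reported with at least `threshold` distinct reasons."""
        for kind, x, reason in self.inbox:
            if kind == "demote":
                self.warnings[x].add(reason)  # demote(X,D) and demote(X,D') count separately
        self.inbox.clear()
        return {x for x, ds in self.warnings.items() if len(ds) >= self.threshold}

class Guardian:
    """Neighbourhood guardian: routes out(M,P) as msgReq and, as Responder, holds trust."""
    def __init__(self, name, reachable=True):
        self.name, self.reachable, self.trusted, self.log = name, reachable, set(), []

    def route(self, msg, sender, profile, receivers):
        # S(out(M,P)) LEADS_TO G(msgReq(M,S,P,i)): every send is logged by the guardian
        self.log.append(("msgReq", msg, sender.name, profile, len(self.log)))
        for agent, guardian in receivers:  # (receiver, its guardian) pairs (assumed shape)
            if not guardian.reachable:
                raise Unreachable(f"{agent.name} behind unreachable {guardian.name}")
            if profile <= agent.profile:  # receiver must satisfy the profile
                agent.inbox.append(msg)

def threshold_scenario(reasons, threshold=2, analyzer_reachable=True):
    """Agents in G's neighbourhood warn about guardian X; True iff G stops trusting X."""
    g, analyzer = Guardian("G"), Analyzer(threshold)
    g.trusted.add("X")
    analyzer_guardian = Guardian("AG", reachable=analyzer_reachable)
    for i, reason in enumerate(reasons):  # constructed warnings demote(X, reason)
        g.route(("demote", "X", reason), Agent(f"ag{i}"), frozenset({"sec_w"}),
                [(analyzer, analyzer_guardian)])
    for x in analyzer.process():
        g.trusted.discard(x)  # Responder executes the Analyzer's decision: ~trusted(X)
    return "X" not in g.trusted
```

A repeated warning with the same reason D does not reach the threshold, which is why the property names two distinct reasons D and D'.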
Conclusions
ASI components: Mobadtl concepts play a central role: guardians for detection and response, profiles for adaptation
ASI formalization: how should the semantics of a dynamic security policy be specified? Unify the temporal and spatial reasoning aspects; take into account the global/local (or distributed/centralized, or hierarchical) nature of all components of an ASI
Proofs with MaRK (Mobadtl Reasoning Kit)
A support tool: MaRK
MaRK = Mobadtl Reasoning Kit: a tool to support the designer while proving properties of Mobadtl systems
The goal: to make the proof task as automatic as possible
MaRK is based on the theorem prover Isabelle (Paulson & Nipkow), specialized for ΔDSTL(x) and extended to deal with Mobadtl systems
A support tool: MaRK
Why theorem proving: the need to deal with infinite state spaces; learning from the proof process itself; a user-defined logic, close to the user's knowledge; third-party checkable proofs
Against: not so automatic, often too interactive, insight into the internals of provers needed
But: tactics, libraries of proofs, and tailoring to a particular domain make theorem provers more usable