Posted on 21-Dec-2015


Formalizing an Adaptive Security Infrastructure in Mobadtl

Laura Semini & Carlo Montangero

dip. Informatica, Pisa

Outline

Mobadtl --(instance)--> ASI

Mobadtl formalization --(refinement)--> ASI formalization

Characteristics of Mobadtl

Approach to model distributed systems

Focus on architectural aspects

Adequate abstraction for overlay computing

Accommodating mobility

Temporal logic refinement as a methodology

Mechanical support for verification

[Figure: model, logic]

Mobadtl model: an intuition

[Figure: a neighbourhood with its guardian, an agent, an agent movement and a message being delivered]

The ingredients of Mobadtl

Locations: neighbourhoods, places where computational entities live; flat topology; security and routing policies

Agents: move from neighbourhood to neighbourhood; communicate via asynchronous message passing

Authorities: guardians monitoring agents' activities, enacting routing and security policies; no a priori choice about routing and security, freedom is given to designers

Profiles: a means to refer to an entity by specifying the constraints the entity must satisfy, e.g. flightResService, name(X)

A first-order multi-modal logic to: name components and state their properties; relate properties of different components of a system; describe properties of the evolution of systems, with regard to an asynchronous setting

The formalism: ΔDSTL(x)

Location

Time

Formalizing the model: an example

out(M,P) represents the will of an agent of sending a message M to a receiver that satisfies profile P.

S (out(M,P) /\ guardedby(G)) LEADS_TO G msgReq(M,S,P,i)

Any message sent is first processed by the sender's guardian

[Figure: out(M,P) in the state of agent S; msgReq(M,S,P,i) in the state of guardian G]

Location layer: DSL

Modalities to locate properties in the state of a component

m(p /\ q)    m p /\ n r    m s /\ m t   (not m(s /\ t) !!!!)

[Figure: component m with a state satisfying p, q and two separate states satisfying s and t; component n with a state satisfying r]

Location layer – semantics

Semantic domain: PowerSet, DS = 2^S

(ds, ds') ∈ Rm iff ds' is a singleton in Sm ∩ ds

ds ⊨ mF iff there is ds' such that (ds, ds') ∈ Rm and ds' ⊨ F

[Figure: states of m (p, q) and of n (r)]
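An added example, not part of the slides or of MaRK: a small Python evaluator for the location modality with the semantics just given (the data encoding, the names `sat`, `at`, `ls` and the sample distributed state are assumptions), used to check the four formulas of the earlier DSL slide, including the "!!!!" case where m s /\ m t holds but m(s /\ t) does not.

```python
from typing import FrozenSet, Tuple

# Constructed data model (an assumption, not the slides' notation): a local
# state is (component, atoms true in it); a distributed state ds is a set of
# local states, i.e. an element of DS = 2^S.
LocalState = Tuple[str, FrozenSet[str]]
DistState = FrozenSet[LocalState]

# Formula trees: ('atom', p) | ('not', f) | ('and', f, g) | ('mod', m, f)
def atom(p): return ('atom', p)
def neg(f): return ('not', f)
def conj(f, g): return ('and', f, g)
def at(m, f): return ('mod', m, f)        # the location modality "m F"

def ls(component: str, *atoms: str) -> LocalState:
    return (component, frozenset(atoms))

def sat(ds: DistState, f: tuple) -> bool:
    """ds |= f, with the modality interpreted as on the semantics slide."""
    kind = f[0]
    if kind == 'atom':
        # Atoms are interpreted in a local state; a modality hands us a singleton.
        return len(ds) == 1 and f[1] in next(iter(ds))[1]
    if kind == 'not':
        return not sat(ds, f[1])
    if kind == 'and':
        return sat(ds, f[1]) and sat(ds, f[2])
    if kind == 'mod':
        m, g = f[1], f[2]
        # (ds, ds') in R_m iff ds' is a singleton in S_m ∩ ds, and
        # ds |= m F iff some such ds' satisfies F (existential choice of state).
        return any(sat(frozenset({s}), g) for s in ds if s[0] == m)
    raise ValueError(f"unknown formula: {f!r}")

# Constructed distributed state mirroring the slide's picture: component m has
# states {p,q}, {s} and {t}; component n has a state {r}.
DS_EXAMPLE: DistState = frozenset({ls('m', 'p', 'q'), ls('m', 's'), ls('m', 't'), ls('n', 'r')})

def slide_checks(ds: DistState = DS_EXAMPLE) -> dict:
    """Evaluate the four formulas of the DSL slide; the last one is the '!!!!' case."""
    return {
        'm(p /\\ q)':   sat(ds, at('m', conj(atom('p'), atom('q')))),
        'm p /\\ n r':  sat(ds, conj(at('m', atom('p')), at('n', atom('r')))),
        'm s /\\ m t':  sat(ds, conj(at('m', atom('s')), at('m', atom('t')))),
        'm(s /\\ t)':   sat(ds, at('m', conj(atom('s'), atom('t')))),
    }
```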


The future is to be intended as the partial order of states defined by intra-component transitions and inter-component communications

Temporal layer: DSTL

[Figure: components m, n, o, p, r, the states where q holds, and the transitions and messages linking them]

No global clock, no global knowledge

Valid: nq or or

Non valid: nq or

UNITY like operators

Simplicity: operators cannot be nested; plus past operators

F1 LEADS_TO F2    F2 BECAUSE F1

INIT F    STABLE F

Events: ΔDSTL(x)

Explicit event operator, ΔF: simple events, ΔA; composed events, Δ(A /\ B); conditioned events, ΔA /\ B

Rules and theorems

Modality composition rule [garbled in the transcript: )MMM(MMM MM 21 21 21 21 31 3221]

Conf: STABLE F, STABLE F' ⊢ [conclusion garbled in the transcript: F'FF')(FnoF')(FF'F]

LCC: F LEADS_TO G, F LEADS_TO G' ⊢ F LEADS_TO (G /\ G')

LPD: F LEADS_TO G, F' LEADS_TO G ⊢ (F \/ F') LEADS_TO G

LTR: F LEADS_TO F', F' LEADS_TO F'' ⊢ F LEADS_TO F''

Outline

1. Depict a few, simple and clearly related concepts: an informal model

2. Choose a proper formalism

3. Formalize the model to get the description of a generic system

4. Instantiate the model to get the description of a particular system

5. Refine the model formalization

ASI Components in Mobadtl

Detector (guardian): senses, collects, and distributes information about the security environment

Analyzer (agent): processes Detector data, and occasionally proposes actions to bring about a new state

Responder (guardian): executes the actions as directed by the Analyzer

[Figure: generic neighbourhoods whose guardians act as Detector & Responder, generic agents, and an Analyzer agent receiving their log]

The threshold property

Agents can question the trustworthiness of a guardian. Once the number of warnings reaches a given threshold, we want to consider the guardian no longer trustworthy (e.g. to route the messages).

[Figure: two generic agents and an Analyzer holding threshold(2)]

The threshold property

[Figure, built over several slides: two generic agents emit out(demote(X,D),{sec_w}) and out(demote(X,D'),{sec_w}); the Detector receives them as in(demote(X,D),S) and in(demote(X,D'),S'); the Analyzer, holding threshold(2), emits out(demote(X,D),{adapt}) towards the Responders, each of which then holds ~trusted(X)]

The threshold property

a threshold(2) /\ ag trusted(G) /\ C1 /\ C2
  LEADS_TO
G ~trusted(X) \/ some communication exception because of unreachability

where C1 = out(demote(X,D),{sec_w}) and C2 = out(demote(X,D'),{sec_w})
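An added example (not code from the slides or from MaRK) that simulates the threshold property: a toy Python model in which agents emit demote warnings, the Detector counts distinct warnings per guardian, the Analyzer fires at threshold(2) and the Responder records ~trusted(X); an unreachable profile yields the communication exception of the property's second disjunct. The class and function names, the single shared message buffer standing in for the three components, and the sample guardians gX and gY are assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

THRESHOLD = 2                 # the slide's threshold(2)
Msg = Tuple[str, str, str]    # (guardian X under suspicion, warning detail D, target profile)

class ASI:
    """Constructed toy model: Detector, Analyzer and Responder share one message buffer."""
    def __init__(self, reachable_profiles: Set[str]):
        self.reachable = reachable_profiles              # profiles some guardian can serve
        self.queue: Deque[Msg] = deque()                 # asynchronous, in-order delivery
        self.emitted: Dict[str, Set[str]] = defaultdict(set)  # agents' out(demote(X,D),{sec_w})
        self.seen: Dict[str, Set[str]] = defaultdict(set)     # Detector's in(demote(X,D),S)
        self.trusted: Dict[str, bool] = {}               # Responder's trusted(X); absent = trusted
        self.exceptions: List[str] = []                  # communication exceptions

    def out(self, x: str, d: str, profile: str = 'sec_w') -> None:
        if profile == 'sec_w':
            self.emitted[x].add(d)
        if profile not in self.reachable:                # nobody satisfies the profile
            self.exceptions.append(f"unreachable profile {profile} for demote({x},{d})")
            return
        self.queue.append((x, d, profile))

    def run(self) -> None:
        while self.queue:
            x, d, profile = self.queue.popleft()
            if profile == 'sec_w':                       # Detector collects distinct warnings
                self.seen[x].add(d)
                if len(self.seen[x]) >= THRESHOLD:       # Analyzer: threshold(2) reached
                    self.out(x, d, 'adapt')              # out(demote(X,D),{adapt})
            elif profile == 'adapt':                     # Responder enacts the demotion
                self.trusted[x] = False                  # G ~trusted(X)

def threshold_property_holds(asi: ASI) -> bool:
    """(threshold(2) /\\ C1 /\\ C2) LEADS_TO (~trusted(X) \\/ communication exception),
    checked once the model is quiescent (no message left to deliver)."""
    asi.run()
    return all(asi.trusted.get(x) is False or bool(asi.exceptions)
               for x, details in asi.emitted.items() if len(details) >= THRESHOLD)

def demo(responder_reachable: bool) -> Tuple[bool, Dict[str, bool], List[str]]:
    profiles = {'sec_w', 'adapt'} if responder_reachable else {'sec_w'}
    asi = ASI(profiles)
    asi.out('gX', 'd1')       # first warning about guardian gX (D)
    asi.out('gX', 'd1')       # same warning repeated: must not count twice
    asi.out('gY', 'd3')       # a single warning about gY stays below the threshold
    asi.out('gX', 'd2')       # second distinct warning about gX (D')
    return threshold_property_holds(asi), dict(asi.trusted), list(asi.exceptions)
```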

Conclusions

ASI components: Mobadtl concepts play a central role: guardian, detection and response, profile adaptation

ASI formalization: how should the semantics of a dynamic security policy be specified? Unify the temporal-spatial reasoning aspects; take into account the global-local (or distributed-centralized, or hierarchical) nature of all components of an ASI

Proof with MaRK (Mobadtl Reasoning Kit)

A support tool: MaRK

MaRK = Mobadtl Reasoning Kit: a tool to support the designer while proving properties of Mobadtl systems

The goal: to make the proof task as automatic as possible

MaRK is based on the theorem prover Isabelle (Paulson & Nipkow), specialized for ΔDSTL(x) and extended to deal with Mobadtl systems

A support tool: MaRK

Why theorem proving: need to deal with infinite states; learning from the proof process itself; user-defined logic, close to the user's knowledge; third-party checkable proofs

Against: not so automatic, often too interactive, insights on the internals of provers needed

But: tactics, libraries of proofs, and tailoring to a particular domain make theorem provers more usable