Pushing the Security Boundaries of Ubiquitous Computing
ACSF 2006, 13th July 2006
David Llewellyn-Jones, Madjid Merabti, Qi Shi, Bob Askwith
School of Computing and Mathematical Statistics, Liverpool John Moores University, James Parsons Building, Byrom Street, Liverpool, L3 3AF, UK
{D.Llewellyn-Jones, M.Merabti, Q.Shi, R.Askwith}@ljmu.ac.uk
http://www.cms.livjm.ac.uk/PUCsec/



Page 2

Overview

• Perimeter Security
  – Ubiquitous Computing
  – Dynamic Boundaries
• Component Composition Analysis
  – Implementation Framework
  – Dynamic Boundary Analysis
• Encrypting External Links
  – Resolving Failures
• Complexity and Timing
• Conclusions and further work

Page 3

Perimeter Security

• Computer security currently relies heavily on perimeter defences
  – Firewalls
    – Block certain types of incoming and outgoing traffic
  – Intrusion Detection Systems
    – Analyse data entering or leaving a network
    – Detect Denial of Service attacks
  – 97% of organisations responding to the 2005 CSI Computer Crime and Security Survey used a firewall
• Policies enforced within network boundaries

Page 4

Ubiquitous Computing Perimeters

• In Ubiquitous Computing environments, the perimeter becomes blurred
  – Wireless ad hoc networks
  – Dynamic devices and services moving in and out of networks
• No centralised control, possibly no ownership of devices
• How can the perimeter model of policy enforcement be adapted to cope?

Page 5

Alternatives to Perimeter Security

• Security on every device
  – May not be appropriate on low power devices
  – Often not necessary
• Distributed security
  – A good solution
  – Can be difficult to design and deploy such solutions
• Dynamic boundaries
  – Need a process for establishing where the boundaries lie
  – Must dynamically update security

Page 6

Dynamic Boundaries

• As devices join and leave, we need a way to dynamically re-establish the boundary through remote analysis

Page 7

Component Composition

• In systems without clear boundaries, component composition may be a way to ensure security
  – Analyse interaction between devices
  – Ensure that interactions do not affect security
• For example
  – Buffer overrun checking based on interaction between pairs of nodes
  – Access control by following data flow through components
  – Composable Assurance
    – Certain properties can be assured in a complete system if they can be shown to hold at the boundaries
    – Shi and Zhang, “An Effective Model for Composition of Secure Systems,” Journal of Systems and Software, 43(3), 1998

Page 8

Application of Component Composition

• Composition properties combine
  – Properties of individual components
  – The interaction between components (the component topology)
• We can therefore use component composition results in two ways
  – Boundary analysis is a composition property
  – Dynamic boundary analysis can allow further properties to be applied to systems
• Boundary analysis as a simple composition property
  – Nodes identified with the property of being internal
  – Analyse the topology to establish the boundary based on
    – internal – internal links
    – internal – external links
• Having analysed the boundary, can consider other security properties

Page 9

Analysis Implementation

• Use the MATTS composition tool
  – Allows composition of systems based on
    – Simulated components
    – Interacting agents
    – Networked Appliance service architecture
• Analyse composition structure using a script
• Presently uses a combination of
  – Certification
  – Formal analysis
  – Topology analysis

Page 10

Framework

• Undertaken in two phases
  – Instrumentation
    – Establish the dependencies between components
    – Relates to the movement of data
  – Composition analysis
    – Establish properties of the composed system based on the dependencies
    – May require properties of individual components to be established to complete the composition analysis

Page 11

Composition Analysis

• Analyse a system based on its dependencies
  – Undertaken whenever the dependencies change
  – Result determines whether the security property is satisfied or not
  – Combined with a specific security property, establishes whether a particular composed system is safe
• How is this undertaken? Analysis is directed by a script
  – Simple XML language script
  – Each script designed for a particular property

Page 12

Composition Script

• What does the script actually do?
  – Script describes a set of satisfying topologies
  – Applied to the composition structure to determine whether the topology satisfies it or not
• For example
  – Binary trees
  – Structures without cycles/loops
  – Can depend on the properties of individual components
• Script engine maintains two positions
  – Current position in script
  – Current position in dependency digraph
• We require the dependency digraph to do this

Page 13

Boundary Analysis Script

[Flowchart of the script; the surviving labels are “Set up script”, “Negotiate structure” and “External link and not encrypted?”]

Page 14

Encrypting External Links

• The script traverses the component structure
• For links from internal to internal nodes
  – No checks are performed
  – The traversal continues along the next link from the internal node
• For links from internal to external nodes
  – The properties of the link are tested
  – If the link is not encrypted, the script fails
  – The traversal continues along the next link from the internal node
• Links from internal nodes are followed, but not those from external nodes
• All links that are not internal must be encrypted
• The analysis must be performed each time the topology changes

Page 15

Resolving Failures

• The script is used to identify failures of the security policy
• It can also be used to resolve the failures
  – At failure, the problematic link can be identified
  – Generate new encryption service via software factory
  – Place within network between the offending components
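As an added illustration, not the authors' MATTS tool or its XML script language, the following Python carries out the traversal from the “Encrypting External Links” slide and the repair from the “Resolving Failures” slide over a small dependency digraph. The component names, the `internal` property map, the `Link` class and the `enc[...]` service name are all constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Link:
    src: str
    dst: str
    encrypted: bool = False   # link property tested on internal -> external links

# The component property "internal" is a dict name -> bool and the dependency
# digraph is a list of directed links; both are constructed for this example.

def check_external_links(internal: dict[str, bool], links: list[Link]) -> list[Link]:
    """Depth-first traversal from the internal nodes: links out of internal nodes
    are followed, links out of external nodes are not. Returns every
    internal -> external link that is not encrypted (empty list: policy holds)."""
    failures, visited = [], set()
    stack = [name for name, is_int in internal.items() if is_int]
    while stack:
        cur = stack.pop()
        if cur in visited:            # visited set stops cycles looping forever
            continue
        visited.add(cur)
        for link in (l for l in links if l.src == cur):
            if internal[link.dst]:
                stack.append(link.dst)    # internal -> internal: no check, keep going
            elif not link.encrypted:
                failures.append(link)     # internal -> external: must be encrypted
    return failures

def insert_encryption_service(internal: dict[str, bool], links: list[Link], bad: Link) -> str:
    """Resolve one failure by replacing src -> dst with src -> enc -> dst, where enc
    is a hypothetical encryption service placed inside the boundary. The topology
    has now changed, so the analysis is run again afterwards."""
    enc = f"enc[{bad.src}->{bad.dst}]"
    internal[enc] = True
    links.remove(bad)
    links.append(Link(bad.src, enc))                  # stays inside the boundary
    links.append(Link(enc, bad.dst, encrypted=True))  # crosses it encrypted
    return enc

def build_sample() -> tuple[dict[str, bool], list[Link]]:
    """Constructed sample: A, B internal; C, D external; only B -> D is encrypted."""
    internal = {"A": True, "B": True, "C": False, "D": False}
    links = [Link("A", "B"), Link("B", "A"), Link("B", "C"),
             Link("B", "D", encrypted=True), Link("C", "A"), Link("C", "D")]
    return internal, links
```

Running `check_external_links` on the sample reports only B -> C (C -> A is plain text too, but it leaves an external node and is not followed); after `insert_encryption_service` the re-run reports nothing.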

Page 16

Complexity

• Node traversal
• Encryption checking
• Combined
• The algorithm is dominated by the depth first traversal of the nodes

Page 17

Simulation Timings

Page 18

Conclusions and Future Work

• Perimeter model is currently very successful
• Future changes may make it less applicable
• Dynamic boundary analysis may provide an interim measure
  – Achieved through component composition analysis
  – Used to enforce component composition results
• Aim to apply the technique to a Networked Appliance scenario
• Create specific security enforcement cases