Building Secure Distributed Systems
The CIF model: Component Information Flow
Lilia Sfaxi, DCS Days - 26/03/2009
Context and Contribution

Context: building secure distributed systems
- Needed expertise in systems and security
- Needed expertise in cryptography
- Difficulty of dynamic reconfiguration without breaking the security properties of the system
- Necessity of high-level tools:
  - Programming abstractions
  - Automatic code generation
  - Verification of the generated code
Context and Contribution

Contribution: a high-level model, CIF (Component Information Flow)
- System architecture description: component-based model
- Security annotations
- Transformation tools:
  - Verification of the security properties
  - System code generation

Models and languages
- Component-based model: Fractal
- Security-typed programming language: JIF
- Architecture Description Language: ADL (XML-based)
Outline
- CIF Specification: system representation; system security (inter- and intra-component)
- CIF Transformation: CIF ADL; ADL generation; code generation
- Case study: the Battleship game
- Conclusion and future work
CIF Specification: System Representation
- System: an assembly of components, explicitly bound, with ports used to send and receive data
- Each component is configurable: labels are attributed to its attributes and to its ports

(Figure: components whose ports carry the labels {L1}, {L3} and {L3'}.)
Labels
- A label is a pair of confidentiality policies and integrity policies
- All the policies must be obeyed
- Relation "at most as restrictive as" (⊑)
- Construction of a security lattice, ordered from less restrictive to more restrictive
- As data flows through the system, its labels only become more restrictive!
CIF Specification: System Security
In CIF, the needed security policies must be guaranteed at two levels:
- Inter-component: port annotations
- Intra-component: secure component code
CIF Specification: Inter-component Security
- Associating a label to a port imposes a security restriction on the request or the response
- A binding is permitted iff L(client) ⊑ L(server)

Example: the client port P of C1 is labelled {C; I} and is bound to the server port P' of C2, labelled {C'; I'}.
- Confidentiality: C1: "I want the message to keep the confidentiality at least C"; C2: "I consider that the message received has the label C'"
- Integrity: C1: "I guarantee that the integrity level is I"; C2: "I want the message to have at least the integrity I'"
CIF Specification: Intra-component Security
- Annotation of the ports and attributes of a component
- Verification of the component code:
  - Preservation of the confidentiality and integrity of the annotated elements
  - Non-interferent data flow
- Non-interference: "The low level users should not be able to deduce anything about high level user's activity" (Focardi et al.); "Low-security behavior of the program is not affected by any high-security data." (Goguen & Meseguer, 1982)
CIF Transformation: Implementation of the CIF Specification

(Figure: the client port P1 {C1; I1} of C1 is bound to the server port P2 {C2; I2} of C2. The implementation wraps C1 and C2 in the top components TC1 and TC2, adding crypt and sign components on the C1 side and verify and decrypt components on the C2 side; the resulting secured components are C'1 and C'2.)
CIF ADL: Architecture Description
ADL: Architecture Description Language (XML-based)
- Functional part: architecture of the system (components and bindings); location of the component code
- Security part: security labels of attributes and ports

Example: component C1 with a server port start (no label) and a client port send labelled {L}:

```xml
<definition name="C1">
  <port name="start" role="server" signature="src.security.StartItf" label=""/>
  <port name="send" role="client" signature="src.security.SendItf" label="L"/>
  <content class="src.security.C1Impl"/>
</definition>
```
CIF Transformation: ADL Generation
- ADL transform: removing the annotations
- Implementation: confidentiality by asymmetric encryption; integrity by signature
- Assumptions: keys distributed safely; communication channels untrusted
- Generation of cryptographic components:
  - Creation of crypt, sign, verify and decrypt components
  - Creation of top components containing the main component (server or client) and the security components (crypt & sign, or verify & decrypt)
  - Connecting the top components with low-level bindings

(Figure: the binding P1 {C1; I1} -> P2 {C2; I2} between C1 and C2 becomes C1 -> crypt -> sign -> verify -> decrypt -> C2 once the annotations are removed.)
CIF Transformation: Code Generation
Guarantee the non-interference property for one component (C1 becomes C'1). The treatment depends on the component code:
- Implemented in a security-typed language (e.g. JIF): type checking
- Implemented in an imperative language: propagation of the attributes' and methods' labels
  - Propagation of the label: check the use of component parameters and port messages; check the information flow: is it non-interferent?
  - Controller: called when secret information leaks; decides whether to declassify the information or to throw an exception
  - If the label is propagated without exceptions, the component is non-interferent!
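An added example (not part of the deck or of the CIF tools) that puts together the label ordering and lattice of the Labels slide, the binding rule L(client) ⊑ L(server) of the inter-component slide, and the label propagation with a controller described here. Labels are simplified to a single-owner reader set and writer set (an assumption; the slides' DLM-style policies are richer), and the statement format, the "public" bottom label and the controller signature are mine.

```python
from dataclasses import dataclass
from functools import reduce
# Labels are a single-owner simplification of the DLM-style labels on the slides
# (assumption): the principals allowed to read the data and the principals that
# may have influenced it. Fewer readers, or more writers, means more restrictive.
@dataclass(frozen=True)
class Label:
    readers: frozenset
    writers: frozenset

    def leq(self, other):
        """self ⊑ other: 'other' is at least as restrictive, so data may flow."""
        return other.readers <= self.readers and self.writers <= other.writers

    def join(self, other):
        """Least upper bound: the label of a value computed from both inputs."""
        return Label(self.readers & other.readers, self.writers | other.writers)

def L(readers, writers=()):
    return Label(frozenset(readers), frozenset(writers))

def lub(labels):
    return reduce(Label.join, labels)

def binding_permitted(client, server):
    """Inter-component rule: a binding is allowed iff L(client) ⊑ L(server)."""
    return client.leq(server)

class LeakError(Exception):
    pass

def check_component(stmts, env, declared, public, controller=None):
    """Intra-component label propagation. stmts: ('assign', dest, [sources]) or
    ('if', [condition vars], [nested stmts]); env: variable -> label; declared:
    annotated attribute/port -> required label; public: the bottom label.
    On a leak the controller decides to declassify (returns True) or not
    (LeakError is thrown). Returns the final env if every flow is allowed."""
    env = dict(env)

    def run(block, pc):
        for kind, target, rest in block:
            if kind == 'if':
                # implicit flow: everything in the body depends on the condition
                run(rest, lub([pc] + [env[v] for v in target]))
                continue
            actual = lub([pc] + [env[v] for v in rest])
            required = declared.get(target)
            if required is not None and not actual.leq(required):
                if controller is None or not controller(target, actual, required):
                    raise LeakError(f"{target}: {actual} is not ⊑ {required}")
                actual = required  # the controller declassified the value
            env[target] = actual
    run(stmts, public)
    return env
```

In the Battleship setting a player's board is readable only by the player and the coordinator, while the hit/miss reply must reach the opponent, so the reply port is exactly where the controller has to decide on a declassification.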
Case Study: The Battleship Game
- 1 coordinator and 2 players (at least)
- Each player has a secret board with a fixed number of ships
- Each player tries to guess the coordinates of the opponent's ships: the winner is the first player who finds the n ships of the opponent
- The coordinator keeps a copy of the players' boards and controls the message exchange
Case Study: The Battleship Game: Inter-component security

(Figure: a message m sent by a player to the coordinator passes through the crypt component, giving Ɛ(m, pub(coord)), then through the sign component, giving S(Ɛ(m, pub(coord))). On the coordinator side, verify recovers Ɛ(m, pub(coord)) and decrypt recovers m.)
Case Study: The Battleship Game: Intra-component security

The player component before any security annotation (plain Java):

```java
public class Player {
    private Board board;

    public void setBoard(Board board) {
        this.board = board;
    }

    public void init(int nbShips) {
        // Number of cells covered by ships of lengths 1..nbShips
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) {
            numCovered += j;
        }
        final Ship[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board myBoard = new Board();
        int i = 0;
        // Place ships until the board is fully covered, truncating the last one
        for (int count = numCovered; count > 0 && myBoard != null;) {
            try {
                Ship newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count) {
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                }
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            } catch (ArrayIndexOutOfBoundsException ignored) {
            } catch (IllegalArgumentException ignored) {
            }
        }
        setBoard(myBoard);
    }
}
```
Case Study: The Battleship Game: Intra-component security

Step 1: the label {P1->C; P1<-C} is attached to the board attribute:

```java
public class Player {
    private Board{P1->C; P1<-C} board;   // annotated attribute

    public void setBoard(Board board) {
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) {
            numCovered += j;
        }
        final Ship[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null;) {
            try {
                Ship newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count) {
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                }
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            } catch (ArrayIndexOutOfBoundsException ignored) {
            } catch (IllegalArgumentException ignored) {
            }
        }
        setBoard(myBoard);
    }
}
```
Case Study: The Battleship Game: Intra-component security

Step 2: the label is propagated to the parameter of setBoard, which is assigned to the attribute:

```java
public class Player {
    private Board{P1->C; P1<-C} board;

    public void setBoard(Board{P1->C; P1<-C} board) {   // label propagated to the parameter
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) {
            numCovered += j;
        }
        final Ship[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null;) {
            try {
                Ship newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count) {
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                }
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            } catch (ArrayIndexOutOfBoundsException ignored) {
            } catch (IllegalArgumentException ignored) {
            }
        }
        setBoard(myBoard);
    }
}
```
Case Study: The Battleship Game: Intra-component security

Step 3: the label is propagated to the local myBoard, which is passed to setBoard:

```java
public class Player {
    private Board{P1->C; P1<-C} board;

    public void setBoard(Board{P1->C; P1<-C} board) {
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) {
            numCovered += j;
        }
        final Ship[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board{P1->C; P1<-C} myBoard = new Board();   // label propagated to the local
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null;) {
            try {
                Ship newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count) {
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                }
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            } catch (ArrayIndexOutOfBoundsException ignored) {
            } catch (IllegalArgumentException ignored) {
            }
        }
        setBoard(myBoard);
    }
}
```
Case Study: The Battleship Game: Intra-component security

Step 4: the label is propagated to newPiece, the ship added to myBoard:

```java
public class Player {
    private Board{P1->C; P1<-C} board;

    public void setBoard(Board{P1->C; P1<-C} board) {
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) {
            numCovered += j;
        }
        final Ship[] myCunningStrategy = {
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board{P1->C; P1<-C} myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null;) {
            try {
                Ship{P1->C; P1<-C} newPiece = myCunningStrategy[i++];   // label propagated to the ship
                if (newPiece != null && newPiece.length > count) {
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                }
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            } catch (ArrayIndexOutOfBoundsException ignored) {
            } catch (IllegalArgumentException ignored) {
            }
        }
        setBoard(myBoard);
    }
}
```
Case Study: The Battleship Game: Intra-component security

Step 5: the label reaches the myCunningStrategy array from which the ships are read, completing the propagation:

```java
public class Player {
    private Board{P1->C; P1<-C} board;

    public void setBoard(Board{P1->C; P1<-C} board) {
        this.board = board;
    }

    public void init(int nbShips) {
        int numCovered = 0;
        for (int j = 1; j < nbShips + 1; j++) {
            numCovered += j;
        }
        final Ship{P1->C; P1<-C}[] myCunningStrategy = {   // label propagated to the array
            new Ship(new Coordinate(1, 1), 1, true),
            new Ship(new Coordinate(1, 3), 2, false),
        };
        Board{P1->C; P1<-C} myBoard = new Board();
        int i = 0;
        for (int count = numCovered; count > 0 && myBoard != null;) {
            try {
                Ship{P1->C; P1<-C} newPiece = myCunningStrategy[i++];
                if (newPiece != null && newPiece.length > count) {
                    newPiece = new Ship(newPiece.pos, count, newPiece.isHorizontal);
                }
                myBoard.addShip(newPiece);
                count -= (newPiece == null ? 0 : newPiece.length);
            } catch (ArrayIndexOutOfBoundsException ignored) {
            } catch (IllegalArgumentException ignored) {
            }
        }
        setBoard(myBoard);
    }
}
```
Conclusion
CIF, a component-based model, builds distributed systems that are secure by construction:
- The user specifies the security requirements at a high level of abstraction, by associating labels to the attributes and ports of the component
- Tools automate the security implementation:
  - Inside a component: generation of JIF code
  - Between components: insertion of cryptographic components
Future Work
- Key distribution
- Secure deployment
- Safe reconfiguration
- Privacy
Thank you for your attention
Lilia Sfaxi, DCS Days - 26/03/2009