Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime. Christos Tsigkanos (1), Liliana Pasquale (2), Claudio Menghi (1), Carlo Ghezzi (1), Bashar Nuseibeh (2,3). (1) Politecnico di Milano, (2) Lero, (3) The Open University.

Transcript of Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Page 1: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Christos Tsigkanos (1), Liliana Pasquale (2), Claudio Menghi (1), Carlo Ghezzi (1), Bashar Nuseibeh (2,3)

(1) Politecnico di Milano, (2) Lero, (3) The Open University

Page 2: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Motivation

Engineering adaptive security systems that continue to protect critical assets in the face of changes in their operational environment.

[Figure: a MAPE loop (Monitoring, Analysis, Planning, Execution) wrapped around the System; its inputs are the Environment (Topology), the Security Controls and the Security Requirements]

Page 3: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Topology

Structure of space; location of objects and agents
• Proximity
• Reachability

Pages 4-9 (incremental build of one slide): Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Physical Topology

Structure of space; location of objects and agents
• Proximity
• Reachability

Containment: into physical areas.

Placement: of physical objects and agents.

Proximity: colocation in the same physical area.

Reachability: accessibility of a physical agent/object to physical areas/objects.

Pages 10-14 (incremental build of one slide): Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Topology Helps Identify Relevant Security Concerns

Security Concern    Topological Concept
Assets              Agent, Object
Threat              Agent
Attack              Topology structure and relationships
Vulnerability       Characteristic of an object or area
Security Control    Location of assets and vulnerabilities

Example security control (shown on the floor plan): Forbid access to O6.

Page 15: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

… But Topology Changes

Topology changes caused by the movement of agents and assets may enable different attacks and render the currently enabled security controls ineffective.

Page 16: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Topology Changes Examples (1/2)

Topology change: Bob enters office O6
Potential threat: Eve can access O6 and eavesdrop on the safe's key code

Page 18: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Topology Changes Examples (2/2)

Topology change: a valuable server is placed in office O2
Potential threat: Mallory can tamper with the server

Page 20: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Topology Aware Adaptive Security

How to engineer the activities of the MAPE loop so that security controls are reconfigured at runtime when the topology changes.

Page 21: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Engineering Topology Aware Adaptive Security

Page 22: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Modeling the Topology of the Environment

Ambient Calculus

For example: A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]

• Locations, agents and assets are specific kinds of ambients
• Agents can move spontaneously, depending on their current location

How do we use it?
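As an added example (not code from the talk or its prototype), the following parser reads the ambient-calculus notation used on the slide, reports containment, proximity and location, and applies the two ambient-calculus moves, `in` (enter a sibling ambient) and `out` (leave the enclosing ambient), which is how the monitor's model update can be expressed. The floor layout and names come from the slide; the tokeniser, the placement of an entering agent at the front of the target's contents (matching the slide's O6[ Eve | Safe ]) and all function names are assumptions of this example.

```python
# Added example: parser and updater for the slide's ambient-calculus notation.
# Only the names (A2, O5, O6, O7, Eve, Bob, Safe) are from the talk.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Ambient:
    """A named ambient (area, agent or asset) containing other ambients."""
    name: str
    children: List["Ambient"] = field(default_factory=list)


_TOKEN = re.compile(r"\s*([A-Za-z0-9_]+|\[|\]|\|)")


def tokenize(text: str) -> List[str]:
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            if not text[pos:].strip():          # only trailing whitespace left
                break
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def parse(text: str) -> Ambient:
    """Recursive descent: term := NAME ( '[' ( term ( '|' term )* )? ']' )?"""
    tokens, pos = tokenize(text), 0

    def peek() -> Optional[str]:
        return tokens[pos] if pos < len(tokens) else None

    def term() -> Ambient:
        nonlocal pos
        if peek() is None or peek() in "[]|":
            raise ValueError(f"expected an ambient name at token {pos}")
        node = Ambient(tokens[pos])
        pos += 1
        if peek() == "[":
            pos += 1
            while peek() != "]":
                node.children.append(term())
                if peek() == "|":
                    pos += 1
                elif peek() != "]":
                    raise ValueError("expected '|' or ']'")
            pos += 1                            # consume ']'
        return node

    root = term()
    if pos != len(tokens):
        raise ValueError("trailing tokens after the root ambient")
    return root


def render(node: Ambient) -> str:
    """Print back in the slide's notation: A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]"""
    if not node.children:
        return node.name
    return f"{node.name}[ {' | '.join(render(c) for c in node.children)} ]"


def find_parent(root: Ambient, name: str) -> Optional[Tuple[Ambient, int]]:
    """(parent, index) of the ambient called `name`, or None if absent."""
    for i, child in enumerate(root.children):
        if child.name == name:
            return root, i
        hit = find_parent(child, name)
        if hit:
            return hit
    return None


def location(root: Ambient, name: str) -> List[str]:
    """Containment: enclosing ambients from the root down, e.g. ['A2', 'O6'] for Safe."""
    if any(c.name == name for c in root.children):
        return [root.name]
    for child in root.children:
        path = location(child, name)
        if path:
            return [root.name] + path
    return []


def colocated(root: Ambient, a: str, b: str) -> bool:
    """Proximity: both are direct children of the same area."""
    pa, pb = find_parent(root, a), find_parent(root, b)
    return pa is not None and pb is not None and pa[0] is pb[0]


def enter(root: Ambient, agent: str, area: str) -> Ambient:
    """Ambient-calculus `in area`: the agent moves into a sibling ambient (the
    monitoring update for 'Eve moves to room O6')."""
    hit = find_parent(root, agent)
    if hit is None:
        raise KeyError(agent)
    parent, idx = hit
    targets = [c for c in parent.children if c.name == area]
    if not targets:
        raise ValueError(f"{area} is not a sibling of {agent}; cannot enter it")
    targets[0].children.insert(0, parent.children.pop(idx))  # assumed: insert at front
    return root


def leave(root: Ambient, agent: str) -> Ambient:
    """Ambient-calculus `out`: the agent moves up into the grandparent ambient."""
    hit = find_parent(root, agent)
    if hit is None:
        raise KeyError(agent)
    parent, idx = hit
    grand = find_parent(root, parent.name)
    if grand is None:
        raise ValueError(f"{agent} is already at the top level")
    grand[0].children.append(parent.children.pop(idx))
    return root
```

Running `render(enter(parse("A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]"), "Eve", "O6"))` reproduces the second model on the Monitoring slide; `enter` refuses a move into an ambient that is not a sibling, so a monitor feeding sensor events through it cannot silently teleport an agent across walls.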

Page 23: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Monitoring

Page 24: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Monitoring

The topology model is updated after changes in the environment are detected.

For example, if Eve moves to room O6:

A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]
A2[ Bob | O5 | O6[ Eve | Safe ] | O7 ]

Page 25: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Threat Analysis

Page 26: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Threat Analysis

Identify violations of security requirements that can take place in future evolutions of the topology model.

1. Generation of future topological configurations
2. Identification of security requirements violations

Page 27: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Generation of Future Topological Configurations

Page 31: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Specifying Requirements

Computation Tree Logic

• Branching-time logic

• Semantics in terms of states and paths

For example: Never Bob with another agent in room O6

Page 32: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Identification of Requirements Violations

Security Requirement:

Page 33: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Planning

Page 34: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Planning

Select security controls that prevent security requirements violations.

Remove future paths of execution that should not be reached:
– Progressively prune the LTS until no violating states remain
– Ensure the other requirements are still satisfied

Page 35: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Planning

[Figure: the LTS with the transitions to be pruned marked X]

Page 36: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Planning

Functional Requirement:

Page 37: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Planning

[Figure: the LTS after pruning, with the remaining pruned transitions marked X]

Page 38: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Planning

Functional Requirement:

Page 39: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Execution

Page 40: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Execution

Revoke from agents the permission to access specific areas, depending on the pruned LTS transitions.

In our example …

Pruned LTS Transition: <Eve in O6>

Security Control: Revoke from Eve access to O6
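As an added example covering the Threat Analysis, Planning and Execution slides together (this is not the authors' prototype and does not use their ambient-calculus model checker), the following code generates the future topological configurations of a constructed floor plan as an LTS, checks the slide's requirement "Never Bob with another agent in room O6" (read here as the CTL safety formula AG not(Bob in O6 and another agent in O6)), prunes the transitions that enter violating states by revoking the permission behind each one, and turns the pruned transitions into "Revoke from ... access to ..." controls. Assumptions of this example, none of which are on the slides: A2 is a floor with doors into O5, O6 and O7; an agent may pass a door only if it holds a permission for the target area; the functional requirement (whose text is missing from this transcript) is taken to be EF (Bob in O6), i.e. Bob must still be able to reach the safe; and the planner is greedy rather than minimal.

```python
# Added example: one pass of the MAPE loop over a constructed floor plan.
# Areas, agents and the security requirement are from the slides; the door
# layout, permission model and functional requirement are assumptions.
from collections import deque
from typing import Callable, Dict, List, Set, Tuple

State = Tuple[Tuple[str, str], ...]   # sorted ((agent, area), ...), hashable
Label = Tuple[str, str]               # LTS transition <agent in area>

# Assumed layout: floor A2 with a door into each of the offices O5, O6, O7.
DOORS = [("A2", "O5"), ("A2", "O6"), ("A2", "O7")]
ADJ: Dict[str, Set[str]] = {}
for a, b in DOORS:
    ADJ.setdefault(a, set()).add(b)
    ADJ.setdefault(b, set()).add(a)


def make_state(positions: Dict[str, str]) -> State:
    return tuple(sorted(positions.items()))


def successors(state: State, perms: Dict[str, Set[str]]):
    """One agent walks through one door into an area it is permitted to enter."""
    pos = dict(state)
    for agent, area in state:
        for nxt in sorted(ADJ[area]):
            if nxt in perms[agent]:
                yield (agent, nxt), make_state({**pos, agent: nxt})


def build_lts(init: State, perms: Dict[str, Set[str]]):
    """Generation of future topological configurations: BFS over all moves."""
    states, edges, queue = {init}, [], deque([init])
    while queue:
        s = queue.popleft()
        for label, t in successors(s, perms):
            edges.append((s, label, t))
            if t not in states:
                states.add(t)
                queue.append(t)
    return states, edges


def bob_not_alone_in_o6(state: State) -> bool:
    """Violation of AG not(Bob in O6 and another agent in O6)."""
    pos = dict(state)
    return pos["Bob"] == "O6" and any(a != "Bob" and r == "O6" for a, r in state)


def bob_can_reach_o6(states: Set[State]) -> bool:
    """Assumed functional requirement EF (Bob in O6), checked on reachable states."""
    return any(dict(s)["Bob"] == "O6" for s in states)


def plan(init: State, perms: Dict[str, Set[str]],
         violates: Callable[[State], bool],
         functional: Callable[[Set[State]], bool]) -> Tuple[List[Label], Dict[str, Set[str]]]:
    """Planning: prune every LTS transition that enters a violating state by
    revoking the permission it relies on, keeping the functional requirement
    satisfied. Greedy: the first revocation that keeps EF true is taken."""
    if violates(init):
        raise RuntimeError("the current topology already violates the requirement")
    perms = {a: set(r) for a, r in perms.items()}
    revoked: List[Label] = []
    while True:
        _, edges = build_lts(init, perms)
        pruned = sorted({label for _, label, t in edges if violates(t)})
        if not pruned:
            return revoked, perms
        for agent, area in pruned:
            trial = {a: set(r) for a, r in perms.items()}
            trial[agent].discard(area)
            if functional(build_lts(init, trial)[0]):
                perms, revoked = trial, revoked + [(agent, area)]
                break
        else:   # only prohibitions are available; an obligation would be needed
            raise RuntimeError("no permission revocation removes the violation")


def execute(revoked: List[Label]) -> List[str]:
    """Execution: each pruned transition <agent in area> becomes a control."""
    return [f"Revoke from {agent} access to {area}" for agent, area in revoked]


if __name__ == "__main__":
    init = make_state({"Bob": "A2", "Eve": "A2"})
    perms = {"Bob": set(ADJ), "Eve": set(ADJ)}
    states, _ = build_lts(init, perms)
    print(len(states), "future configurations; violation reachable:",
          any(bob_not_alone_in_o6(s) for s in states))
    revoked, _ = plan(init, perms, bob_not_alone_in_o6, bob_can_reach_o6)
    print(execute(revoked))
```

With both agents on A2 the planner first tries to revoke Bob's access to O6 (the other transition into the violating state), rejects it because EF (Bob in O6) would fail, and settles on "Revoke from Eve access to O6", the control on the slide. If the monitor instead reports Eve already inside O6, revoking her permission no longer prunes the path in which Bob walks in on her, and the loop raises: a prohibition cannot undo a position that is already reached, which is where the obligation controls listed as unsupported on the Evaluation slide would be needed.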

Page 41: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Evaluation

Applicability
Expressiveness

Prototype Realisation
– Analysis
  • Ambient Calculus model checking
  • Domain-specific heuristics
– Planning
  • Security controls selection: Permission, Prohibition (supported); Obligation, Dispensation (marked X: not supported)

Page 42: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Conclusion & Future Work

Conclusion: a systematic approach to engineer adaptive security systems
– Formal representation of the physical topology
– Identification of security requirements violations by model checking
– Selection of security controls that prevent violations of security requirements

Future Work
• Investigate applicability to Cyber-Physical Systems
• Further evaluate the approach with practitioners

Page 43: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime

Questions?

Page 44: Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime