Issues in the Verification of Systems
UCDavis SecLab MURI, October 2002
Tao Song, Jim Alves-Foss, Karl Levitt
Computer Security Lab
Computer Science Department
University of California, Davis
Index
– Background of verification
– Security of systems
– Verification of systems
Background of verification
What is verification?
– Existing artifact
– Formalization
– Mathematical proof
Background of verification
Usage of verification
– Hardware verification, e.g. ACL2 <-> AMD K5 chipset
– Protocol verification, e.g. SMV <-> security protocol
– System verification, e.g. ACL <-> Kit
Background of verification
Why verification?
– Complexity of today's systems
– Increasing error costs
– Commonality in reasoning frameworks.
Background of verification
Formal methods in verification
– Theorem provers, e.g. HOL, PVS, Coq, ACL2, etc.
– Model checkers, e.g. COSPAN, SPIN, Mocha, SMV, etc.
Security of systems
Basic concepts of security
– Security policy and mechanism
– Specifications, e.g. the specification of the program finger
– Assumptions
Security of systems
Example: specification of the program ftpd

    SPEC in.ftpd (<?, ?, in.ftpd, ?, OPS1>)
    SE: <prog>
    <prog> -> <validop>*;
    <validop> -> (OPEN_RD, WorldReadable($F.mode))
               | (OPEN_RD, CreatedByProc($P.pid, &$F))
               | (OPEN_RD, $F.ouid == $S.uid)
               | (OPEN_WR, CreatedByProc($P.pid, &$F))
               | (OPEN_WR, $F.path == "/var/log/wtmp")
               | (CHMOD, CreatedByProc($P.pid, &$F))
               | (CHOWN, CreatedByProc($P.pid, &$F))
               | (EXEC, $path == "/bin/tar" || $path == "/bin/compress" || $path == "/bin/ls" || $path == "/bin/gzip")
               | ...
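The specification above reads as a grammar of valid operations: a run of in.ftpd is acceptable as long as every system call it makes matches one of the <validop> alternatives. The Python below is an added example (not code from the slides or from the UC Davis monitoring tools) showing how such a specification is used as a monitor: it replays a constructed audit trace of one ftpd process and reports each operation that no clause permits. The predicate names follow the slide (WorldReadable, CreatedByProc, the $F/$P/$S fields); how each predicate is evaluated here, and the CREATE bookkeeping event used to track which files the process created, are assumptions of the example.

```python
"""Spec-based monitor for the in.ftpd valid-operation grammar on the slide.
Added example, not code from the slides or the UC Davis monitoring tools.
It replays a constructed audit trace of system calls made by one ftpd process
and reports every operation the specification does not permit.  Predicate
names follow the slide (WorldReadable, CreatedByProc, ...); how each is
evaluated here, and the CREATE bookkeeping event, are assumptions."""
from dataclasses import dataclass, field

# The EXEC clause of the specification: the only programs ftpd may execute.
EXEC_ALLOWED = {"/bin/tar", "/bin/compress", "/bin/ls", "/bin/gzip"}


@dataclass
class FileInfo:          # $F on the slide
    path: str
    mode: int            # POSIX permission bits
    ouid: int            # owner uid


@dataclass
class Process:           # $P (the process) and $S (the subject running it)
    pid: int
    uid: int
    created: set = field(default_factory=set)   # paths this process created


def world_readable(f):                  # WorldReadable($F.mode)
    return bool(f.mode & 0o004)


def created_by_proc(p, f):              # CreatedByProc($P.pid, &$F); assumes creations appear in the trace
    return f.path in p.created


def valid_op(proc, op, f=None, path=None):
    """Match one <validop> alternative; return its name, or None if no clause permits the operation."""
    if op == "OPEN_RD" and f is not None:
        if world_readable(f):
            return "OPEN_RD/WorldReadable"
        if created_by_proc(proc, f):
            return "OPEN_RD/CreatedByProc"
        if f.ouid == proc.uid:
            return "OPEN_RD/owner"
    elif op == "OPEN_WR" and f is not None:
        if created_by_proc(proc, f):
            return "OPEN_WR/CreatedByProc"
        if f.path == "/var/log/wtmp":
            return "OPEN_WR/wtmp"
    elif op in ("CHMOD", "CHOWN") and f is not None:
        if created_by_proc(proc, f):
            return op + "/CreatedByProc"
    elif op == "EXEC" and path in EXEC_ALLOWED:
        return "EXEC/allowed"
    return None


def monitor(proc, trace):
    """Walk the trace (<prog> -> <validop>*) and collect (seq, op, object) for each violation."""
    violations = []
    for seq, ev in enumerate(trace, start=1):
        op = ev["op"]
        if op == "CREATE":               # bookkeeping so later CreatedByProc checks can succeed
            proc.created.add(ev["file"].path)
            continue
        if valid_op(proc, op, ev.get("file"), ev.get("path")) is None:
            target = ev["file"].path if "file" in ev else ev["path"]
            violations.append((seq, op, target))
    return violations


def run_sample():
    """Constructed trace: a normal upload session followed by two operations outside the spec."""
    ftpd = Process(pid=4242, uid=1001)
    upload = FileInfo("/var/ftp/incoming/upload.tgz", 0o644, 1001)
    trace = [
        {"op": "OPEN_RD", "file": FileInfo("/etc/passwd", 0o644, 0)},      # world-readable: allowed
        {"op": "CREATE", "file": upload},
        {"op": "OPEN_WR", "file": upload},                                  # created by this process
        {"op": "CHMOD", "file": upload},
        {"op": "EXEC", "path": "/bin/tar"},
        {"op": "OPEN_WR", "file": FileInfo("/var/log/wtmp", 0o664, 0)},
        {"op": "OPEN_WR", "file": FileInfo("/etc/shadow", 0o600, 0)},      # no clause permits this
        {"op": "EXEC", "path": "/bin/sh"},                                  # not in the EXEC list
    ]
    return monitor(ftpd, trace)


if __name__ == "__main__":
    for seq, op, target in run_sample():
        print(f"event {seq}: {op} {target} violates the in.ftpd specification")
```

The monitor is deliberately a whitelist: anything not matched by a clause is reported, which is what makes specification-based monitoring catch novel misuse of a privileged program rather than only known attack signatures.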
Security of systems
[Figure: hierarchical model of a system. Labelled levels: System; System Calls; Security Policy; Specifications for Programs and Protocols; Programs and Network Protocols; Valid Operations of Specifications.]
Security of systems
Important issues of systems
– Access control: the access triple (uid, pid, fid)
– Setuid programs, e.g. passwd, ftpd, sendmail, etc.
– System calls; important system calls: open, chown, execve, symlink, chmod, fork, etc.
Security of systems
Hard issues in building a model of the security of systems
– Define the security policy
– Describe the behaviors of systems
– Classify the objects of systems
– Prove security
System verification
An idea of system verification
– Use specifications to monitor systems
– Formalize the behaviors of systems according to the specifications
– Formalize the security policy and assumptions
– Formal proof of security
System verification
Approach of the system
– Use specifications to monitor the behavior of privileged programs
– Use ACL2 to formalize and prove security features of systems
System verification
[Figure: specification model. Levels: System Services; System-wide Top Level; Host Programs and Network Protocols; Applications. Property classes across the levels: Operational Integrity; Resource Usage; Access; Data Integrity; Temporal/Interaction.]
System verification
[Figure: specification for ARP (Address Resolution Protocol), drawn as a state machine. States: initial, reply_wait, cached. Transitions labelled ARP Request, ARP Response and ARP cache timeout. Alarms labelled Unsolicited ARP Response, Bogus ARP Response, and Malformed Request on an ARP Request.]
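The ARP figure shows the second kind of specification in the deck: a state machine over protocol messages rather than a grammar over system calls. The Python below is an added example (not the UC Davis ARP specification) that implements a monitor with the figure's states and alarms. The alarm names are the figure's; the detection rule behind each one is an assumption of this example: a response is unsolicited when no request is pending for that IP, bogus when its sender MAC conflicts with the MAC already cached for that IP, and a packet is malformed when the ARP body fails basic format checks. The packet builder exists only to construct the sample exchange.

```python
"""ARP monitor following the state machine sketched on the slide (states
reply_wait and cached; alarms for unsolicited, bogus and malformed packets).
Added example, not the UC Davis ARP specification itself.  Alarm names are the
slide's; the rule behind each alarm is an assumption of this example."""
import struct
from collections import namedtuple

ArpPkt = namedtuple("ArpPkt", "oper sha spa tha tpa")
ARP_BODY_LEN = 28          # Ethernet/IPv4 ARP body: 8-byte header + 6+4+6+4 addresses
REQUEST, REPLY = 1, 2


def parse_arp(raw):
    """Decode an ARP body; return None when it is malformed."""
    if len(raw) != ARP_BODY_LEN:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", raw[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (REQUEST, REPLY):
        return None
    sha, spa, tha, tpa = raw[8:14], raw[14:18], raw[18:24], raw[24:28]
    return ArpPkt(oper, sha.hex(":"), ".".join(map(str, spa)), tha.hex(":"), ".".join(map(str, tpa)))


def build_arp(oper, sha, spa, tha, tpa):
    """Constructed test packets only: encode an ARP body from colon-separated MACs and dotted IPs."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


class ArpMonitor:
    def __init__(self):
        self.entries = {}      # ip -> {"state": "reply_wait" | "cached", "mac": str | None}
        self.alarms = []

    def sent(self, raw):
        """A request sent by the monitored host: enter reply_wait for the target IP."""
        pkt = parse_arp(raw)
        if pkt is not None and pkt.oper == REQUEST:
            e = self.entries.setdefault(pkt.tpa, {"state": None, "mac": None})
            e["state"] = "reply_wait"

    def received(self, raw):
        """A packet received by the monitored host: apply the transitions and raise alarms."""
        pkt = parse_arp(raw)
        if pkt is None:
            self.alarms.append("Malformed Request")
            return
        if pkt.oper == REQUEST:          # peers asking us: no cache state changes
            return
        e = self.entries.get(pkt.spa)
        if e is None or e["state"] != "reply_wait":
            self.alarms.append(f"Unsolicited ARP Response {pkt.spa}")
        elif e["mac"] is not None and e["mac"] != pkt.sha:
            self.alarms.append(f"Bogus ARP Response {pkt.spa} claims {pkt.sha}, cached {e['mac']}")
        else:
            e["state"], e["mac"] = "cached", pkt.sha

    def timeout(self, ip):
        """ARP cache timeout: forget the entry, returning to the initial state."""
        self.entries.pop(ip, None)


def run_sample():
    """Constructed exchange exercising every transition and alarm once."""
    host, peer = "10.0.0.1", "10.0.0.2"
    host_mac, peer_mac = "02:00:00:00:00:01", "aa:aa:aa:aa:aa:aa"
    rogue_mac, zero = "bb:bb:bb:bb:bb:bb", "00:00:00:00:00:00"
    m = ArpMonitor()
    m.sent(build_arp(REQUEST, host_mac, host, zero, peer))                 # -> reply_wait
    m.received(build_arp(REPLY, peer_mac, peer, host_mac, host))           # -> cached
    m.received(build_arp(REPLY, rogue_mac, "10.0.0.9", host_mac, host))    # never requested
    m.sent(build_arp(REQUEST, host_mac, host, zero, peer))                 # refresh -> reply_wait
    m.received(build_arp(REPLY, rogue_mac, peer, host_mac, host))          # conflicts with cached MAC
    m.timeout(peer)                                                        # cache timeout
    m.received(build_arp(REPLY, peer_mac, peer, host_mac, host)[:20])      # truncated body
    return m.alarms


if __name__ == "__main__":
    for alarm in run_sample():
        print("ALARM:", alarm)
```

Keeping the cached MAC across a refresh request is what lets the monitor distinguish a legitimate reply from one that tries to rebind an IP it has already resolved; without that memory the second alarm would be indistinguishable from a normal response.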
Other protocol specifications
– Domain Name System (DNS)
– Network File System (NFS)
– Dynamic Host Configuration Protocol (DHCP)
– TCP
– FTP
– RIP routing protocol
– OSPF routing protocol
System verification
Requirements of verification
– Formal statements of the security policy
– Formal statements of the specifications of privileged programs and protocols
– Formal statements of assumptions
System verification
Formal statement of the security policy (ACL2 form)

    (defun policy (pid fid)
      (and (policy_read pid fid)
           (policy_write pid fid)
           (policy_create pid fid)
           (policy_exec pid fid)
           ;; ...
           ))
System verification
Formal statement of the security policy

    (defun policy_read (pid fid)
      (or (IsRoot pid)            ; userid of the process is root
          (Readable pid fid)      ; the file is readable
          (WorldReadable fid)
          ;; ...
          ))
System verification
Formal statement of the specifications

    (defun spec (pid fid)
      (and (spec_standard pid fid)   ; standard specification of programs
           (spec_passwd pid fid)     ; specification of the program passwd
           ;; ...
           (spec_ARP)                ; specification of the ARP protocol
           ;; ...
           ))
System verification
Formal statement of the specifications

    (defun spec_chage (pid fid)
      (and (WorldReadable fid)
           (WriteInPath fid "/var/spool/at/.SEQ")
           (CreatedByProc 'chmod pid fid)
           ;; ...
           ))
System verification
Formal statement of the assumptions

    (defun assumption (pid fid)
      (and (assum_sys_1 pid)
           (assum_sys_2 pid)
           ;; ...
           (assum_verify_1)
           (assum_verify_2)
           ;; ...
           ))
System verification
An example of an assumption

    (defun assum_sys_n (pid)
      (implies (equal (setuid pid) 0)   ; (setuid pid): the process's setuid value
               t))
System verification
Prototype of the verification

    (defthm verify
      (implies (and (assumption pid fid)
                    (spec pid fid))
               (policy pid fid)))
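The defthm above states the whole approach in one line: under the assumptions, every behavior the specifications allow satisfies the policy. The Python below is an added example (not ACL2 code from the slides) that shows what that theorem means on a small finite model: it enumerates every (process, file) state, evaluates policy_read, a read clause of a program specification, and one system assumption as Python predicates named after the slide's defuns, and lists the states in which assumption and specification hold but the policy fails. Those are the counterexamples a theorem prover would surface, and the run shows why the assumption block is needed: without it the implication has counterexamples, with it the check passes. The model's fields (uid, euid, owner, world-readable flag, created-by-process flag) and the concrete predicate bodies are assumptions of the example.

```python
"""Finite-model check of the verify theorem's shape,
(implies (and assumption spec) policy).  Added example, not ACL2 code from the
slides.  The state fields and predicate bodies are assumptions chosen to
illustrate the role of the assumptions in the proof."""
from collections import namedtuple
from itertools import product

Proc = namedtuple("Proc", "uid euid")          # real uid of the subject; effective uid (0 = root via setuid)
File = namedtuple("File", "ouid world_readable created_by_proc")

UIDS = (0, 1001)


def is_root(p):                  # IsRoot(pid) on the slide
    return p.euid == 0


def readable(p, f):              # Readable(pid, fid): the owner may read (assumed meaning)
    return f.ouid == p.uid


def world_readable(f):           # WorldReadable(fid)
    return f.world_readable


def created_by_proc(p, f):       # CreatedByProc(pid, fid)
    return f.created_by_proc


def policy_read(p, f):
    """policy_read from the slide: root, the owner, or anyone for a world-readable file."""
    return is_root(p) or readable(p, f) or world_readable(f)


def spec_read(p, f):
    """Read clauses of a privileged program's spec (the OPEN_RD alternatives of the ftpd spec, minus the owner clause)."""
    return world_readable(f) or created_by_proc(p, f)


def assum_created_owned(p, f):
    """System assumption: a file the process created is owned by the process's uid."""
    return (not created_by_proc(p, f)) or f.ouid == p.uid


def no_assumption(p, f):
    """Stand-in for an empty assumption block."""
    return True


def all_states():
    """Every combination of the model's fields: 2 * 2 * 2 * 2 * 2 = 32 states."""
    return [(Proc(u, e), File(o, w, c))
            for u, e, o, w, c in product(UIDS, UIDS, UIDS, (False, True), (False, True))]


def counterexamples(assumption, spec, policy):
    """States where assumption and spec hold but policy fails; empty means the theorem holds on this model."""
    return [(p, f) for p, f in all_states() if assumption(p, f) and spec(p, f) and not policy(p, f)]


def verify(assumption=assum_created_owned, spec=spec_read, policy=policy_read):
    """True when (implies (and assumption spec) policy) holds for every state of the model."""
    return not counterexamples(assumption, spec, policy)


if __name__ == "__main__":
    for p, f in counterexamples(no_assumption, spec_read, policy_read):
        print("without the assumption, policy_read fails for", p, f)
    print("with assum_created_owned the implication holds:", verify())
```

Exhaustive enumeration only works because the model is tiny; ACL2 proves the same implication for unbounded pids and files by induction and rewriting, but the counterexamples it reports when a proof fails have exactly this form, and each one usually points at a missing assumption or an over-permissive specification clause.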
System verification
Ongoing work
– Build a security model of a system
  – Classify the subjects, objects and operations
  – Define security states and state transitions
  – Extend the model to cover network protocols
– Automatic verification
  – Analyze the assumptions about the security of a system
  – Refine the formal statements of the specifications
Thank you