Issues in the Verification of Systems

UCDavis SecLab MURI October 20021

Issues in the Verification of Issues in the Verification of SystemsSystems

Tao Song, Jim Alves-Foss, Karl LevittComputer Security Lab

Computer Science Department

University of California, Davis


IndexIndex

Background of verificationSecurity of systemsVerification of systems


Background of verificationBackground of verification

What is verification?– Existing artifact – Formalization– Mathematical proof



Usage of verification– Hardware verification

e.g. ACL2 <-> AMD K5 chipset

– Protocol verification e.g. SMV <-> Security protocol

– System verification e.g. ACL <-> Kit



Why verification?

– Complexity of today's systems

– Increasing error costs

– Commonality in reasoning frameworks.



Formal methods in verification– Theorem Prover

e.g. HOL, PVS, Coq, and ACL2 etc

– Model Checking e.g. COSPAN, SPIN, Mocha and SMV etc


Security of systemsSecurity of systems

Basic Concepts of security– Security policy and mechanism– Specifications

e.g. specification of program finger

– Assumptions


Security of systemsSecurity of systemsExample: Specification of the program ftpd

SPEC in.ftpd (<?, ?, in.ftpd, ?, OPS1>) SE: <prog>

<prog> -> <validop> *; <validop>-> (OPEN_RD, WorldReadable($F.mode)) | (OPEN_RD, CreatedByProc($P.pid, &$F)) | (OPEN_RD, $F.ouid == $S.uid) | (OPEN_WR, CreatedByProc($P.pid, &$F)) | (OPEN_WR, $F.path == "/var/log/wtmp") | (CHMOD, CreatedByProc($P.pid, &$F)) | (CHOWN, CreatedByProc($P.pid, &$F)) | (EXEC, $path == "/bin/tar" || $path == "/bin/compress" || $path == "/bin/ls" || $path == "/bin/gzip")

|………………………



System

System Calls

Security Policy

Hierarchical model of system

Specifications for Programs and Protocols

Programs and Network Protocols

Valid Operations of Specifications



Important issues of systems– Access control

Access triple (uid, pid, fid)

– Setuid programs e.g. Passwd, ftpd, sendmail, etc.

– System calls Important system calls: open, chown, execve,

symlink, chmod, fork, etc.



Hard issues in building model of security of systems– Define the security policy– Describe behaviors of systems– Classify objects of systems– Prove security


System verificationSystem verification

An idea of the system verification– Use specification to monitor systems– Formalize behaviors of systems according

to specifications– Formalize security policy and assumptions– Formal proof of security



Approach of the system– Using specification to monitor the behavior

of privileged programs– Using ACL2 to formalize and prove security

features of systems



System Services

System-wide Top Level

Host Programs and Network Protocols

Applications

Op

era

tion

al In

teg

rity

Re

so

urc

e U

sa

ge

Ac

ce

ss

Da

ta In

teg

rity

Te

mp

ora

l/Inte

rac

tion

Specification model



i reply_wait cachedARP Request ARP Response

ARP cache timeout

alarmUnsolicited ARP Response

Bogus ARP Response

Malformed Request ARP Request

Specification for ARP (Address Resolution Protocol)


Other Protocol SpecificationsOther Protocol SpecificationsOther Protocol SpecificationsOther Protocol SpecificationsDomain Name System (DNS)Network File System (NFS)Distributed Host Configuration Protocol

(DHCP)TCPFTPRIP routing protocolOSPF routing protocol



Requirement of verification– Formal statements of security policy– Formal statements of specifications of

privileged programs and protocols– Formal statements of assumptions



Formal statements of security policy (defun policy() ( and policy_read(pid, fid) policy_write(pid,fid) policy_create(pid,fid) policy_exec(pid, fid) …… ) )



Formal statements of security policy

(defun policy_read( pid, fid)

( or IsRoot(pid) userid of process is root

Readable(pid, fid) the file is readable

WorldReadable(fid)

……

)

)


System verificationSystem verification Formal statements of specifications (defun spec() ( and spec_standard(pid, fid) ’standard specification of programs spec_passwd(pid, fid) ’specification of the program passwd

…… spec_ARP()

’specification of the ARP protocol …… ) )



Formal statements of specifications

(defun spec_chage(pid, fid)

( and WorldReadable(fid)

WriteInPath(fid, “/var/spool/at/.SEQ”)

CreatedByProc(chmod,pid,fid)

……

)

)



Formal statements of assumptions (defun assumption() ( and assum_sys_1() assum_sys_2() …… assum_verify_1() assum_verify_2() …… ))



An example of assumptions

(defun assum_sys_n( pid )

( imply ( = pid.setuid 0)

true

)

)



Prototype of verification

(defthm verify()

( imply ( and assumption()

spec())

policy()

)

)



Ongoing work– Build security model of a system

Classify the subjects, objects and operations Define security states and state transitions Extend the model to cover network protocol

– Automatic verification Analysis the assumption of the security of a

system Refine formal statements of specifications


Thank youThank you

Issues in the Verification of Systems

Documents

Transcript of Issues in the Verification of Systems