One Picture is Worth a Thousand Words
description
Transcript of One Picture is Worth a Thousand Words
Fault Tree Representation of Security Requirements 1
One Picture is Worth aThousand Words
Iliano Cervesato [email protected]
ITT Industries, inc @ NRL Washington, DC
http://theory.stanford.edu/~iliano
UMBC meeting October 1-2, 2003
Joint work with Cathy Meadows
Baltimore, MD
Couple Dozen Connectives
Work in progress
Work in progress
Fault Tree Representation of Security Requirements 3
How this work came about
Analysis of GDOI group protocolRequirements expressed in NPATRL
Novel group properties Medium size specifications
– Dozen operators Lots of fine-tuning
Difficult to read and share specs. Informal use of fault trees
Intuitive visualization medium Became favored language
Formal relation with NPATRL
Fault Tree Representation of Security Requirements 4
Security Requirements
Describe what a protocol should do
Verified by Model checking Mathematical proof Pattern-matching (in some cases)
Expressed Informally Semi-formally Formal language
Adequate for toy protocolsBUT, do not scale to real protocols
Fault Tree Representation of Security Requirements 5
Example: Kerberos 5[CSFW’02]
Semi-formalBut very precise
Bulky and unintuitiveRequires several readings to grasp
Fault Tree Representation of Security Requirements 6
Example: GDOI[CCS’01]
FormalNPATRL protocol spec. language
Ok for a computer Bulky and unintuitive for humans
About 20 operators
Fault Tree Representation of Security Requirements 7
Example: Authentication
InformalMade precise as CSP expressions
Simple, but …… many very similar definitions
[Lowe, CSFW’97]
Fault Tree Representation of Security Requirements 8
The Problem
Desired properties are difficult toPhrase & get rightExplain & understandModify & keep right
ExamplesEndless back and forth on GDOI
Are specs. right now?K5 properties read over and over
Fault Tree Representation of Security Requirements 9
Dealing with Textual Complexity
HCI response: graphical presentation
Our approach: Dependence TreesRe-interpretation of fault trees2D representation of NPATRLIntuitive for medium size specs.
Fault Tree Representation of Security Requirements 10
Example: Kerberos 5
Excises the gist of the theorem
Highlights dependencies
Fairly intuitive … in a minute …
Fault Tree Representation of Security Requirements 11
Example: GDOI
Isomorphic to NPATRL specifications Much more intuitive
… in a minute …
Fault Tree Representation of Security Requirements 12
Example:Authentication
Formalize definitions Easy to compare …
… and remember …
Fault Tree Representation of Security Requirements 13
Rest of this Talk
Logic for protocol specsNPATRL LogicNRL Protocol Analyzer fragmentModel checking
Precedence treesFault treesNPATRL semantics
Analysis of an example Future Work
Fault Tree Representation of Security Requirements 14
NPATRL
Formal language for protocol requirementsSimple temporal logic
Designed for NRL Protocol AnalyzerSimplify input of protocol specs
Sequences of events that should not occur
Applies beyond NPA
Used for many protocolsSET, GDOI, …
Fault Tree Representation of Security Requirements 15
NPATRL Logic
Eventsinitiator_accept_key( A, (B,S), (KAB,nA), N)
Classical connectives: , , , … “Previously”: # ( )
initiator_accept_key(A, (B,S), (KAB,nA), N)
# server_sent_key(S, (A,B), (KAB), _)
name actuator other agents terms round
Fault Tree Representation of Security Requirements 16
NPA Fragment
NPA uses a small fragment of NPATRL
R ::= a FF ::= E | E | F1 F2 | F1 F2
E ::= #a | #(a F)
Efficient model checking
Fault Tree Representation of Security Requirements 17
Fault Trees
Safety analysis of system designRoot is a failure situation
Extended to behavior descriptions Inner nodes are conditions enabling fault
Events Combinators (logical gates)
ExampleA passenger needs a
ticket and a photo IDto board a plane, butshould not carry aweapon
canBoard
hasTicket
carriesWeapon
hasID
Fault Tree Representation of Security Requirements 18
Precedence Trees
Fault tree representation of NPATRLNPA Isomorphism
R ::= a FF ::= E | E | F1 F2 | F1 F2
E ::= #a | #(a F)
a
F
R ::=a
F
E ::= a
F1
F ::= EE F2
F1 F2
Fault Tree Representation of Security Requirements 21
Conclusions
Explored tree representation of protocol reqs. Promising initial results Complex requirements now intuitive
Precedence trees Draw from fault trees research Specialized to NPATRL and NPA NPATRL semantics Better understanding of NPATRL
Papers “A Fault-Tree Representation of NPATRL Security
Requirements”, with Cathy Meadows WITS’03 TCS (long version, submitted)