Security Architecture and Analysis: Session 1b Reasoning About System Architectures Box Structure...
Posted 21-Dec-2015
Security Architecture and Analysis: Session 1b
• Reasoning About System Architectures
• Box Structure Reasoning for Components
Black boxes
State boxes
• Compositional Reasoning for Networks
Reasoning About System Architectures
• It is vital in analyzing security and survivability (and other system properties) to know how to reason about system architectures
“Reasoning” means:
Inferring from available information what architectures and their components do and how they do it
Knowing what constitutes a complete definition and what information is missing
• Reasoning requires mental models for components and architectures
• The models have a formal basis, but are effective when applied informally
• We will use the models in an informal way
Know what questions to ask about architectures
Box Structure Reasoning for Components
• Box Structures
A systematic model for component analysis and design
Five fundamental component characteristics: “BURST”
Boundary: What is inside and what is outside?
Users: Who are the users?
Responses: What is the set of possible responses?
Stimuli: What is the set of possible stimuli?
Transactions: What are the possible mappings from stimuli to responses?
Three fundamental component representations:
Black box: Component behavior based on history of use
State box: Component behavior based on retained data
Clear box: Component behavior based on procedure (another course!)
Box Structure Reasoning for Components: BURST
• Component Boundary, Users, Responses, Stimuli, Transactions:
[Diagram: the component BOUNDARY separates User 1, User 2 and User 3 (outside) from the component's transactions (inside); each user sends stimuli across the boundary and receives responses]
• Users can be people or programs, local or remote
• The idea of black box behavior
A hand calculator:
Box Structure Reasoning for Components: Black Boxes
• The black box of a component in diagram form
[Diagram: stimulus (S) enters the black box, response (R) leaves it]
Stimulus history   Stimulus   Response
716                5          7165
716C               5          5
• Black box behavior depends on more than the current stimulus, it also depends on the history of use
Box Structure Reasoning for Components: Black Boxes
• Transition function of a black box
(stimulus history, stimulus) --> (response, new stimulus history)
• Accumulating hand calculator stimulus history (SH) through black box transitions:
Stimulus   Stimulus History   Response   New Stimulus History
C          *                  0          C
1          C                  1          C1
4          C1                 14         C14
+          C14                14         C14+
4          C14+               4          C14+4
3          C14+4              43         C14+43
=          C14+43             57         C14+43=
C          C14+43=            0          *
• Partial transition function of a simple hand calculator:
(valid arithmetic expression, =) --> (expression value, = appended to SH)
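The calculator table above, as an added Python example (not from the slides) of a black box transition function that computes the response from the stimulus history alone. It assumes a calculator that handles only C, digits, + and =, and it renders the table's "*" after the final C as the history "C", since the keys before a clear are irrelevant to every later response.

```python
import re

ANY = "*"  # the slide's symbol for "any prior history"
_EXPR = re.compile(r"\d+(\+\d+)*")  # operands joined by +, e.g. 14+43


def calc_transition(history, stimulus):
    """Black box transition: (stimulus history, stimulus) -> (response, new history).

    The history is the raw key sequence since the last C and always starts
    with C; the response is what the display shows after the key press.
    The function is partial: stimuli the table does not define (a digit
    right after =, two + in a row, ...) raise ValueError.
    """
    if stimulus == "C":
        # Clear makes everything before it irrelevant, so the new history is just C.
        return 0, "C"
    if history == ANY or not history.startswith("C"):
        raise ValueError("undefined: a non-C stimulus needs a history that starts with C")
    expr = history.rsplit("C", 1)[-1] + stimulus  # keys pressed since the last clear
    if stimulus.isdigit():
        if not _EXPR.fullmatch(expr):
            raise ValueError(f"undefined: {stimulus!r} after {history!r}")
        response = int(re.search(r"\d+$", expr).group())  # the operand being typed
    elif stimulus in ("+", "="):
        if not _EXPR.fullmatch(expr[:-1]):
            raise ValueError(f"undefined: {stimulus!r} after {history!r}")
        response = sum(int(n) for n in expr[:-1].split("+"))  # value of the expression so far
    else:
        raise ValueError(f"unknown key {stimulus!r}")
    return response, history + stimulus


def replay(keys, history=ANY):
    """Press the keys in order, returning (response, new history) after each one."""
    trace = []
    for key in keys:
        response, history = calc_transition(history, key)
        trace.append((response, history))
    return trace


if __name__ == "__main__":
    for key, (response, history) in zip("C14+43=C", replay("C14+43=C")):
        print(f"{key}  ->  {response}  (history now {history})")
```

Replaying the slide's key sequence reproduces the table row by row; the two rows of the earlier 716/716C table come out of the same function, which is the point of a black box: the response is a function of history and stimulus, nothing else.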
Box Structure Reasoning for Components: Black Boxes
• Transition function of “Add2” black box
Response is sum of last two stimuli:
R = S(I) + S(I -1)
• Transition function of “Max2” black box
Response is maximum of last two stimuli:
R = max(S(I), S(I -1))
• Black box transition function of Microsoft Word
Difficult to write down, but conceptually no different
Can be reasoned about in terms of stimuli and stimulus histories
Box Structure Reasoning for Components: Black Boxes
• Black box transition function of a simple authentication server
Stimulus                               Condition on SH                                     Response
Add authentication data for user Bob   none                                                “OK”
Bob’s ID claim and evidence            Bob’s data present in SH, does not match evidence   “access denied”
Bob’s ID claim and evidence            Bob’s data present in SH, and matches evidence      “access granted”
• Black box definitions can be complete:
Define required behavior in all possible circumstances of use
(Almost never done, but invaluable)
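The authentication server table above, as an added Python example (not from the slides) of a black box whose response to an ID claim is decided by a condition on the stimulus history. The tuple encoding of stimuli is constructed for the example. The table has no row for a claim by a user with no data in SH; a complete definition has to choose a response for that circumstance, and the example chooses "access denied".

```python
import hmac


def auth_transition(history, stimulus):
    """Black box transition for the authentication server:
    (stimulus history, stimulus) -> (response, new stimulus history).

    Stimuli (constructed encoding):
      ("add", user, evidence)    add authentication data for user
      ("claim", user, evidence)  user's ID claim plus evidence
    The response to a claim depends only on what the history contains
    (the most recent "add" for that user), not on a hidden state variable.
    """
    kind, user, evidence = stimulus
    if kind == "add":
        response = "OK"
    elif kind == "claim":
        stored = stored_evidence(history, user)
        if stored is None:
            # The slide's table leaves this row undefined; a complete
            # definition must choose, and the safe choice is to deny.
            response = "access denied"
        elif hmac.compare_digest(stored.encode(), evidence.encode()):
            response = "access granted"
        else:
            response = "access denied"
    else:
        raise ValueError(f"unknown stimulus kind {kind!r}")
    return response, history + (stimulus,)


def stored_evidence(history, user):
    """The condition on SH: evidence from the latest "add" for this user, if any.
    (The model keeps the slide's abstraction; a real server stores a hash.)"""
    for kind, who, evidence in reversed(history):
        if kind == "add" and who == user:
            return evidence
    return None


def run(stimuli):
    """Feed the stimuli in order starting from an empty history; return the responses."""
    history, responses = (), []
    for stimulus in stimuli:
        response, history = auth_transition(history, stimulus)
        responses.append(response)
    return responses
```

Because the history is the whole record of use, a second "add" for Bob changes which evidence later claims are compared against, and that follows from the history alone, with no state variable in sight. The constant-time comparison is the one place where the model goes beyond the table: it is the comparison a server should use so that the response does not leak how much of the evidence matched.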
Box Structure Reasoning for Components: Black Boxes
• A black box definition deals only with visible external behavior
It is state-free and procedure-free
It is the user view: requirements and specifications
• Any deterministic component exhibits black box behavior
Reasoning with the black box model:
Understand BURST
Given a stimulus, consider possible conditions on the stimulus history to determine possible responses
First question to ask to understand how a component will respond to a stimulus:
What is the history of use?
Box Structure Reasoning for Components: Black Boxes
• Black box reasoning for a data base system (implied BURST):
What is the response, given this stimulus:
Delete a record
Add a record
Update a record
Create a report of all employees with at least 10 years’ experience who are earning less than 50K
• What do you want the behavior to be?
Box Structure Reasoning for Components: Black Boxes
• Black box reasoning for a virus checker on an email server (implied BURST)
What is the response, given this stimulus:
An input email message that contains a virus
An input email message that does not contain a virus
• What do you want the behavior to be?
Box Structure Reasoning for Components: Black Boxes
• Black box reasoning for a firewall on an email server (implied BURST)
What is the response, given this stimulus:
An input email message
An input email message with a file attachment
• What do you want the behavior to be?
• A state box opens up a black box to reveal retained data; it allows reasoning about the state
• Transition function of a state box
(stimulus, current state) --> (response, new state)
Box Structure Reasoning for Components: State Boxes
• The state box of a component in diagram form
[Diagram: stimulus (S) enters the state box, which holds a state and a transition (trans); response (R) leaves it]
• State is defined to retain those stimuli from the stimulus history that are required to achieve black box behavior
• The external behaviors defined by the black box and state box definitions of a component are (better be!) identical
Box Structure Reasoning for Components: State Boxes
[Diagram: the state box of component a (state + trans) = the black box of component a; both map stimulus (S) to response (R)]
• State box definitions can be complete:
Define required behavior in all possible circumstances of use
(Almost never done, but invaluable)
Box Structure Reasoning for Components: State Boxes
• The state box of “Add2”
[Diagram: stimulus S enters Add2, response R leaves; the retained state is L]
• Transition function of “Add2”
R := S + L (compute response)
L := S (update state)
• The state box of “Max2”
[Diagram: stimulus S enters Max2, response R leaves; the retained state is K]
• Transition function of “Max2”
R := max(S, K) (compute response)
K := S (update state)
• State box transition function of Microsoft Word
Difficult to write down, but conceptually no different
Can be reasoned about in terms of stimuli and states
Box Structure Reasoning for Components: State Boxes
• State box reasoning for a virus checker on an email server (implied BURST and state):
What is the response, given this stimulus:
An input email message that contains a virus
An input email message that does not contain a virus
Box Structure Reasoning for Components: State Boxes
• State box reasoning for a firewall on an email server (implied BURST and state):
What is the response, given this stimulus:
An input email message
An input email message with a file attachment
Box Structure Reasoning for Components: Netting It Out
• Rigorous model that can be applied informally in thinking about what components do and how they do it
• Reasoning about behavior at black box level:
Understand BURST
Given a stimulus, the response depends on the history of use
• Reasoning about behavior at state box level:
Understand BURST
Given a stimulus, the response depends on the current state
“Oh, yes, the abc vendor’s firewall (or authentication server, or encryption algorithm, or whatever) exhibits black box behavior, and can also be reasoned about as a state box.”
Compositional Reasoning for Networks
A Bank ATM System
[Diagram, three layers:
Presentation/User Interface Layer: many ATMs (ATM ATM ATM ATM ...), each used by users
Infrastructure/Communications Layer: servers (Server Server ...)
Domain/Enterprise Logic/Data Layer: mainframe]
Compositional Reasoning for Networks
• What happens from viewpoint of ATM user submitting a transaction?
[Trace diagram: ATM, Server, Mainframe, Server, ATM]
[User] o [ATM] o [server] o [mainframe] o [server] o [ATM] o [User]
“o” is the composition operator
“[ ]” denotes the transition function of the component
Note that each use of a component is in the composition
• Component compositions are also known as architecture traces
• ATM Security: Composition with wrong pin number (U for user)
[Trace diagram: U -> ATM -> Server -> ATM -> Server -> ATM -> Server -> ATM -> U; the user's wrongpin stimuli get Tryagain responses until the final response is Accessdenied]
Compositional Reasoning for Networks
• Another pin number composition
[Trace diagram: U -> ATM -> Server -> ATM -> Server -> ATM -> Server -> ATM -> U; wrongpin -> Tryagain, wrongpin -> Tryagain, then either rightpin -> Accessgranted or wrongpin -> Accessdenied]
• Compositional reasoning is concerned with the net effect of all the components in a composition
• Net effect means the overall change
From the stimuli to the first component
To the response from the last component
Compositional Reasoning for Networks
[Trace diagram, as before: wrongpin -> Tryagain, wrongpin -> Tryagain, then rightpin -> Accessgranted or wrongpin -> Accessdenied]
• Net effects of compositions in informal terms
Net effect: Access granted
BB views: ATM and server SH’s updated
SB views: ATM and server states updated
Net effect: Access denied
BB views: ATM and server SH’s updated
SB views: ATM and server states updated
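The ATM traces above, as an added Python example (not from the slides) that composes an ATM state box with a server state box and records the architecture trace [User] o [ATM] o [server] o [ATM] o [User] for each pin the user enters. The lockout threshold of three attempts, the card identifiers and the PINs are constructed assumptions; the slides name only the stimuli and responses.

```python
import hmac

MAX_ATTEMPTS = 3  # assumption: the slides do not state the lockout threshold


class Server:
    """State box for the bank server: retains, per card, the correct PIN,
    the number of consecutive failed attempts and whether the card is locked."""

    def __init__(self, pins):
        self.pins = dict(pins)   # card -> PIN (constructed sample data, plaintext for the model)
        self.failed = {}         # card -> consecutive wrong pins
        self.locked = set()      # cards that reached MAX_ATTEMPTS

    def step(self, stimulus):
        """(stimulus, current state) -> response; the state is updated in place."""
        card, pin = stimulus
        if card in self.locked:
            return "Accessdenied"
        if hmac.compare_digest(self.pins.get(card, ""), pin):
            self.failed[card] = 0
            return "Accessgranted"
        self.failed[card] = self.failed.get(card, 0) + 1
        if self.failed[card] >= MAX_ATTEMPTS:
            self.locked.add(card)
            return "Accessdenied"
        return "Tryagain"


class ATM:
    """State box for the ATM: retains the inserted card and the server it talks to.
    Its transition forwards the user's pin to the server and relays the verdict."""

    def __init__(self, server, card):
        self.server = server
        self.card = card

    def step(self, pin):
        return self.server.step((self.card, pin))


def architecture_trace(atm, pins):
    """Run [User] o [ATM] o [server] o [ATM] o [User] once per pin the user enters.
    Returns (responses seen by the user, one trace line per stimulus)."""
    responses, trace = [], []
    for pin in pins:
        verdict = atm.step(pin)
        responses.append(verdict)
        trace.append(f"U -{pin}-> ATM -({atm.card}, {pin})-> Server -{verdict}-> ATM -{verdict}-> U")
    return responses, trace


def net_effect(atm, pins):
    """Net effect of the composition: the response from the last component."""
    responses, _ = architecture_trace(atm, pins)
    return responses[-1]


if __name__ == "__main__":
    server = Server({"card-1": "4321", "card-2": "9876"})
    for line in architecture_trace(ATM(server, "card-1"), ["0000", "1111", "2222"])[1]:
        print(line)
```

The example makes visible where the state that decides the net effect actually lives: the attempt counter is in the server, so a correct pin entered at a second ATM for the same locked card is still denied, while a different card is unaffected, which is the independence-by-account-number property the later slide credits the bank system with.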
Compositional Reasoning for Networks
When you buy gas at a pump with a speedpass, what is a possible architecture trace of your transaction?
[Diagram: User -> pump -> ? -> pump -> User]
Compositional Reasoning for Networks
• Computing compositions
[Diagram: S1 -> Add2 -> R1 = S2 -> Max2 -> R2; the composition is written Add2; Max2]
R2(i) = max(S2(i), S2(i - 1))
      = max(R1(i), R1(i - 1))
      = max(S1(i) + S1(i - 1), S1(i - 1) + S1(i - 2))
      = S1(i - 1) + max(S1(i), S1(i - 2))
• The Add2; Max2 formula can be used to compute values of R2 directly, without obtaining intermediate values for R1 and S2 (rename S1 and R2 as simply S and R):
Add2; Max2 transition: R(i) = S(i - 1) + max(S(i), S(i - 2))
Compositional Reasoning for Networks
• What is the composition?
[Diagram: several Add2 components each feed their responses as stimuli to one Max2]
• Stimuli to Max2 are asynchronous, so simple composition cannot be applied
• Airline reservation system transactions:
“Any seats to Chicago?”
“Yes, two seats available”
“Ok, I’ll take them”
“Sorry, no seats to Chicago”
Compositional Reasoning for Networks
• Many systems are designed to preserve composition and isolate asynchronous behavior
• Bank system preserves independence of transactions based on account numbers
• In general, systems are designed for compositional operations
[Diagram: the Bank ATM System again: ATMs used by users, servers, mainframe]
• WWW Client-Server Pair
Compositional Reasoning for Networks
• Stream manager isolates asynchronous packet reconstruction and presents files, etc. in assembled form to permit compositional reasoning
[Diagram: Users interact with the WWW client (Presentation Manager, External Viewer, Cache Manager, UI Manager, Protocol Manager, Access Manager, Stream Manager), which talks HTTP to the WWW server (Stream Manager, Path Resolver, Access Control, Common Gateway Interface, HTTP Server, File Server)]
Compositional Reasoning for Networks: 10 Minute Exercise
• What is the composition?
[Diagram: S1 -> Max2 -> R1 = S2 -> Add2 -> R2; the composition is written Max2; Add2]
R2(i) =
• Max2; Add2 transition:
Compositional Reasoning for Networks: 10 Minute Exercise
• What is the composition?
[Diagram: S1 -> Max2 -> R1 = S2 -> Add2 -> R2; the composition is written Max2; Add2]
R2(i) = S2(i) + S2(i - 1)
      = R1(i) + R1(i - 1)
      = max(S1(i), S1(i - 1)) + max(S1(i - 1), S1(i - 2))
• Max2; Add2 transition: R(i) = max(S(i), S(i - 1)) + max(S(i - 1), S(i - 2))
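The Add2 and Max2 state boxes, the black box/state box equivalence, the Add2; Max2 derivation and this exercise's Max2; Add2 answer, brought together in one added Python example (not from the slides). It assumes the retained stimulus starts at 0, which is the same as taking S(j) = 0 for j < 0 in the closed forms; with that convention the composed boxes and the formulas agree at every i, including the first two.

```python
class Add2:
    """State box from the slides: R := S + L (compute response); L := S (update state)."""

    def __init__(self, initial=0):  # assumption: the retained stimulus starts at 0
        self.L = initial

    def step(self, S):
        R = S + self.L
        self.L = S
        return R


class Max2:
    """State box from the slides: R := max(S, K) (compute response); K := S (update state)."""

    def __init__(self, initial=0):
        self.K = initial

    def step(self, S):
        R = max(S, self.K)
        self.K = S
        return R


def add2_blackbox(history, S):
    """Black box view of Add2: the response comes from the history of use, R = S(i) + S(i-1)."""
    return S + (history[-1] if history else 0)


def run_blackbox(transition, stimuli):
    """Drive a (history, stimulus) -> response black box, accumulating the history."""
    history, responses = [], []
    for S in stimuli:
        responses.append(transition(history, S))
        history.append(S)
    return responses


def compose(*boxes):
    """Sequential composition a; b; ...: each box's response is the next box's stimulus."""
    def step(S):
        for box in boxes:
            S = box.step(S)
        return S
    return step


def run(step, stimuli):
    """Apply a transition to each stimulus in turn, collecting the responses."""
    return [step(S) for S in stimuli]


def add2_then_max2_formula(S):
    """Add2; Max2 closed form from the slides: R(i) = S(i-1) + max(S(i), S(i-2))."""
    def s(j):
        return S[j] if j >= 0 else 0
    return [s(i - 1) + max(s(i), s(i - 2)) for i in range(len(S))]


def max2_then_add2_formula(S):
    """Max2; Add2 closed form (the exercise): R(i) = max(S(i), S(i-1)) + max(S(i-1), S(i-2))."""
    def s(j):
        return S[j] if j >= 0 else 0
    return [max(s(i), s(i - 1)) + max(s(i - 1), s(i - 2)) for i in range(len(S))]


if __name__ == "__main__":
    S = [3, 1, 4, 1, 5, 9, 2, 6]  # constructed stimulus sequence
    print("Add2 state box :", run(Add2().step, S))
    print("Add2 black box :", run_blackbox(add2_blackbox, S))
    print("Add2; Max2     :", run(compose(Add2(), Max2()), S), add2_then_max2_formula(S))
    print("Max2; Add2     :", run(compose(Max2(), Add2()), S), max2_then_add2_formula(S))
```

Running both orders on the same stimuli shows that composition is not commutative (Add2; Max2 and Max2; Add2 give different responses), and that each closed form lets R2 be computed without ever materialising R1 = S2, which is what the slides mean by computing the composition.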