Security Architecture and Analysis: Session 1b
Reasoning About System Architectures; Box Structure Reasoning for Components (Black boxes, State boxes); Compositional Reasoning for Networks
Posted 21-Dec-2015 (Category: Documents)



Page 1

Security Architecture and Analysis: Session 1b

• Reasoning About System Architectures

• Box Structure Reasoning for Components

Black boxes

State boxes

• Compositional Reasoning for Networks

Page 2

Reasoning About System Architectures

• It is vital in analyzing security and survivability (and other system properties) to know how to reason about system architectures

“Reasoning” means:

Inferring from available information what architectures and their components do and how they do it

Knowing what constitutes complete definitions and what information is missing

• Reasoning requires mental models for components and architectures

• Models have a formal basis, but are effective when applied informally

• We will use the models in an informal way

Know what questions to ask about architectures

Page 3

Box Structure Reasoning for Components

• Box Structures

A systematic model for component analysis and design

Five fundamental component characteristics: “BURST”

Boundary: What is inside and what is outside?

Users: Who are the users?

Responses: What is the set of possible responses?

Stimuli: What is the set of possible stimuli?

Transactions: What are the possible mappings from stimuli to responses?

Three fundamental component representations:

Black box: Component behavior based on history of use

State box: Component behavior based on retained data

Clear box: Component behavior based on procedure (another course!)

Page 4

Box Structure Reasoning for Components: BURST

• Component Boundary, Users, Responses, Stimuli, Transactions:

[Diagram: a component (its Transactions) enclosed by a BOUNDARY; User 1, User 2 and User 3 each send Stimuli across the boundary and receive Responses back]

• Users can be people or programs, local or remote

Page 5

Box Structure Reasoning for Components: Black Boxes

• The idea of black box behavior

A hand calculator:

Stimulus   Stimulus history   Response
5          716                7165
5          716C               5

• The black box of a component in diagram form

[Diagram: Stimulus (S) enters the black box, Response (R) leaves it]

• Black box behavior depends on more than the current stimulus; it also depends on the history of use

Page 6

Box Structure Reasoning for Components: Black Boxes

• Transition function of a black box

(stimulus history, stimulus) --> (response, new stimulus history)

• Accumulating hand calculator stimulus history (SH) through black box transitions:

Stimulus   Stimulus History   Response   New Stimulus History
C          *                  0          C
1          C                  1          C1
4          C1                 14         C14
+          C14                14         C14+
4          C14+               4          C14+4
3          C14+4              43         C14+43
=          C14+43             57         C14+43=
C          C14+43=            0          *

• Partial transition function of a simple hand calculator:

(valid arithmetic expression, =) --> (expression value, = appended to SH)
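The hand calculator transitions tabulated above, as an added Python example that is not part of the slides: the calculator is modelled purely as a black box, so every response is computed from the stimulus history alone. It assumes single-character stimuli, left-to-right evaluation of “+” and “-” only, and that “C” and “=” are appended to the history rather than erasing it.

```python
import re

def _expression(sh: str) -> str:
    """The part of the stimulus history entered since the last 'C' or '='."""
    cut = max(sh.rfind("C"), sh.rfind("="))
    return sh[cut + 1:]

def _evaluate(expr: str) -> int:
    """Left-to-right evaluation of numbers joined by '+' and '-' (assumed: no precedence)."""
    total, op, num = 0, "+", ""
    for ch in expr + "+":            # the trailing '+' flushes the last number
        if ch.isdigit():
            num += ch
            continue
        value = int(num) if num else 0
        total = total + value if op == "+" else total - value
        op, num = ch, ""
    return total

def _last_number(expr: str) -> str:
    """The number most recently typed (a trailing operator is ignored)."""
    numbers = re.findall(r"\d+", expr)
    return numbers[-1] if numbers else "0"

def calc_transition(sh: str, s: str) -> tuple[str, str]:
    """Black box transition: (stimulus history, stimulus) -> (response, new history).
    The response is what the calculator display shows after the stimulus."""
    if s == "C":
        return "0", sh + "C"
    if s == "=":
        # the condition on SH: everything typed since the last 'C' or '='
        return str(_evaluate(_expression(sh))), sh + "="
    new_sh = sh + s
    return _last_number(_expression(new_sh)), new_sh

def run(stimuli: str, sh: str = "") -> list[str]:
    """Feed a string of stimuli through the black box, collecting the responses."""
    responses = []
    for s in stimuli:
        r, sh = calc_transition(sh, s)
        responses.append(r)
    return responses

if __name__ == "__main__":
    # reproduces the slide's table: 0, 1, 14, 14, 4, 43, 57, 0
    print(run("C14+43=C"))
```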

Page 7

Box Structure Reasoning for Components: Black Boxes

• Transition function of “Add2” black box

Response is sum of last two stimuli:

R = S(i) + S(i - 1)

• Transition function of “Max2” black box

Response is maximum of last two stimuli:

R = max(S(i), S(i - 1))

• Black box transition function of Microsoft Word

Difficult to write down, but conceptually no different

Can be reasoned about in terms of stimuli and stimulus histories

Page 8

Box Structure Reasoning for Components: Black Boxes

• Black box transition function of a simple authentication server

Stimulus | Condition on SH | Response
Add authentication data for user Bob | none | “OK”
Bob’s ID claim and evidence | Bob’s data present in SH, evidence does not match | “access denied”
Bob’s ID claim and evidence | Bob’s data present in SH, evidence matches | “access granted”

• Black box definitions can be complete:

Define required behavior in all possible circumstances of use

(Almost never done, but invaluable)

Page 9

Box Structure Reasoning for Components: Black Boxes

• A black box definition deals only with visible external behavior

It is state-free and procedure-free

It is the user view: requirements and specifications

• Any deterministic component exhibits black box behavior

Reasoning with the black box model:

Understand BURST

Given a stimulus, consider possible conditions on the stimulus history to determine possible responses

First question to ask to understand how a component will respond to a stimulus:

What is the history of use?

Page 10

Box Structure Reasoning for Components: Black Boxes

• Black box reasoning for a data base system (implied BURST):

What is the response, given this stimulus:

Delete a record

Add a record

Update a record

Create a report of all employees with at least 10 years’ experience who are earning less than 50K

• What do you want the behavior to be?

Page 11

Box Structure Reasoning for Components: Black Boxes

• Black box reasoning for a virus checker on an email server (implied BURST)

What is the response, given this stimulus:

An input email message that contains a virus

An input email message that does not contain a virus

• What do you want the behavior to be?

Page 12

Box Structure Reasoning for Components: Black Boxes

• Black box reasoning for a firewall on an email server (implied BURST)

What is the response, given this stimulus:

An input email message

An input email message with a file attachment

• What do you want the behavior to be?

Page 13

Box Structure Reasoning for Components: State Boxes

• Opens up a black box to reveal retained data; allows reasoning about the state

• Transition function of a state box

(stimulus, current state) --> (response, new state)

• The state box of a component in diagram form

[Diagram: Stimulus (S) enters the state box, passes through “trans”, which reads and updates the retained “state”, and Response (R) leaves]

Page 14

Box Structure Reasoning for Components: State Boxes

• State is defined to retain those stimuli from the stimulus history that are required to achieve black box behavior

• The external behavior defined by the black box and state box definitions of a component is (better be!) identical

[Diagram: the state box of component a (Stimulus (S) in, “trans” reading and updating “state”, Response (R) out) = the black box of component a (Stimulus (S) in, Response (R) out)]

• State box definitions can be complete:

Define required behavior in all possible circumstances of use

(Almost never done, but invaluable)
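An added Python example (not from the slides) that builds the Page 8 authentication server both ways: as a black box whose response is derived by scanning the stimulus history, and as a state box that retains only the latest evidence per user, then checks the claim above that the two give identical external behavior. The tuple shape of the stimuli, the rule that a claim for a user with no data in SH is denied, and the rule that a later “add” replaces earlier evidence are assumptions.

```python
import hmac

# Stimuli (assumed shape): ("add", user, evidence) registers evidence for user;
# ("claim", user, evidence) is an ID claim presented with evidence.

def _matches(stored, evidence):
    # constant-time comparison; None means no data for this user in SH
    return stored is not None and hmac.compare_digest(stored, evidence)

def bb_transition(sh, s):
    """Black box: (stimulus history, stimulus) -> (response, new stimulus history)."""
    kind, user, evidence = s
    if kind == "add":
        return "OK", sh + [s]
    # condition on SH: the most recently added data for this user
    added = [ev for k, u, ev in sh if k == "add" and u == user]
    stored = added[-1] if added else None
    return ("access granted" if _matches(stored, evidence) else "access denied"), sh + [s]

def sb_transition(state, s):
    """State box: (stimulus, current state) -> (response, new state).
    The state keeps only what black box behavior needs: latest evidence per user."""
    kind, user, evidence = s
    if kind == "add":
        return "OK", {**state, user: evidence}
    return ("access granted" if _matches(state.get(user), evidence) else "access denied"), state

def run_black_box(stimuli):
    sh, out = [], []
    for s in stimuli:
        r, sh = bb_transition(sh, s)
        out.append(r)
    return out

def run_state_box(stimuli):
    state, out = {}, []
    for s in stimuli:
        r, state = sb_transition(state, s)
        out.append(r)
    return out

# Constructed stimulus sequence exercising each row of the slide's table.
SAMPLE = [
    ("claim", "Bob", "pw1"),    # no data for Bob yet (assumed: denied)
    ("add", "Bob", "pw1"),
    ("claim", "Bob", "wrong"),  # evidence does not match
    ("claim", "Bob", "pw1"),    # evidence matches
    ("add", "Bob", "pw2"),      # new evidence replaces the old (assumed)
    ("claim", "Bob", "pw1"),
]

if __name__ == "__main__":
    print(run_black_box(SAMPLE) == run_state_box(SAMPLE), run_state_box(SAMPLE))
```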

Page 15

Box Structure Reasoning for Components: State Boxes

• The state box of “Add2”

[Diagram: Add2 state box; stimulus S enters “trans”, which reads and updates the retained value L and produces response R]

• Transition function of “Add2”

R := S + L (compute response)

L := S (update state)

• The state box of “Max2”

[Diagram: Max2 state box; stimulus S enters “trans”, which reads and updates the retained value K and produces response R]

• Transition function of “Max2”

R := max(S, K) (compute response)

K := S (update state)

• State box transition function of Microsoft Word

Difficult to write down, but conceptually no different

Can be reasoned about in terms of stimuli and states

Page 16

Box Structure Reasoning for Components: State Boxes

• State box reasoning for a virus checker on an email server (implied BURST and state):

What is the response, given this stimulus:

An input email message that contains a virus

An input email message that does not contain a virus

Page 17

Box Structure Reasoning for Components: State Boxes

• State box reasoning for a firewall on an email server (implied BURST and state):

What is the response, given this stimulus:

An input email message

An input email message with a file attachment

Page 18

Box Structure Reasoning for Components: Netting It Out

• Rigorous model that can be applied informally in thinking about what components do and how they do it

• Reasoning about behavior at black box level:

Understand BURST

Given a stimulus, the response depends on the history of use

• Reasoning about behavior at state box level:

Understand BURST

Given a stimulus, the response depends on the current state

“Oh, yes, the abc vendor’s firewall (or authentication server, or encryption algorithm, or whatever) exhibits black box behavior, and can also be reasoned about as a state box.”

Page 19

Compositional Reasoning for Networks

A Bank ATM System

[Diagram: Presentation/User Interface Layer: Users at many ATMs (ATM ATM ATM ATM...); Infrastructure/Communications Layer: Servers (Server Server...); Domain/Enterprise Logic/Data Layer: Mainframe]

Page 20

Compositional Reasoning for Networks

• What happens from viewpoint of ATM user submitting a transaction?

[Diagram: ATM, Server, Mainframe, Server, ATM]

[User] o [ATM] o [server] o [mainframe] o [server] o [ATM] o [User]

“o” is composition operator

“[, ]” denote the transition function of the component

Note that each use of a component is in the composition

• Component compositions are also known as architecture traces

• ATM Security: Composition with wrong pin number (U for user)

[Diagram: trace U o ATM o Server o ATM o U o ATM o Server o ATM o U o ATM o Server o ATM o U; each wrong pin is answered “Try again”, and the last wrong pin is answered “Access denied”]

Page 21

Compositional Reasoning for Networks

• Another pin number composition

[Diagram: trace U o ATM o Server o ATM o U o ATM o Server o ATM o U o ATM o Server o ATM o U; two wrong pins are each answered “Try again”, then a right pin is answered “Access granted” (on the alternative branch, a third wrong pin is answered “Access denied”)]

• Compositional reasoning is concerned with the net effect of all the components in a composition

• Net effect means the overall change

From the stimuli to the first component

To the response from the last component

Page 22

Compositional Reasoning for Networks

[Diagram: the same two pin number traces: wrong pin, “Try again”, wrong pin, “Try again”, then right pin with “Access granted” or wrong pin with “Access denied”]

• Net effects of compositions in informal terms

Right pin trace:

Net effect: Access granted

BB views: ATM and server SH’s updated

SB views: ATM and server states updated

Wrong pin trace:

Net effect: Access denied

BB views: ATM and server SH’s updated

SB views: ATM and server states updated

Page 23

Compositional Reasoning for Networks

When you buy gas at a pump with a speedpass, what is a possible architecture trace of your transaction?

[Diagram: User o pump o ? o pump o User]

Page 24

Compositional Reasoning for Networks

• Computing compositions

[Diagram: Add2; Max2. Stimulus S1 enters Add2; its response R1 is the stimulus S2 of Max2 (R1 = S2), whose response is R2]

R2(i) = max(S2(i), S2(i - 1))
      = max(R1(i), R1(i - 1))
      = max(S1(i) + S1(i - 1), S1(i - 1) + S1(i - 2))
      = S1(i - 1) + max(S1(i), S1(i - 2))

• The Add2; Max2 formula can be used to compute values of R2 directly, without obtaining intermediate values for R1 and S2. (Rename S1 and R2 as simply S and R.)

• Add2; Max2 transition: R(i) = S(i - 1) + max(S(i), S(i - 2))

Page 25

Compositional Reasoning for Networks

• What is the composition?

[Diagram: Add2, Max2, Add2 and Add2 components, with Max2 receiving stimuli from more than one component]

• Stimuli to Max2 are asynchronous, so simple composition cannot be applied

• Airline reservation system transactions

“Any seats to Chicago?”

“Yes, two seats available”

“Ok, I’ll take them”

“Sorry, no seats to Chicago”

Page 26

Compositional Reasoning for Networks

• Many systems are designed to preserve composition and isolate asynchronous behavior

• Bank system preserves independence of transactions based on account numbers

• In general, systems are designed for compositional operations

A Bank ATM System

[Diagram: the Bank ATM System of Page 19: Users at many ATMs, Servers, Mainframe]

Page 27

Compositional Reasoning for Networks

• WWW Client-Server Pair

• Stream manager isolates asynchronous packet reconstruction and presents files, etc. in assembled form to permit compositional reasoning

[Diagram: Users interact with the WWW client (Presentation Manager, External Viewer, Cache Manager, UI Manager, Protocol Manager, Access Manager, Stream Manager), which talks HTTP to the WWW server (HTTP Server, Common Gateway Interface, Access Control, Path Resolver, Stream Manager, File Server)]

Page 28

Compositional Reasoning for Networks: 10 Minute Exercise

• What is the composition?

[Diagram: Max2; Add2. Stimulus S1 enters Max2; its response R1 is the stimulus S2 of Add2 (R1 = S2), whose response is R2]

R2(i) =

• Max2; Add2 transition:

Page 29

Compositional Reasoning for Networks: 10 Minute Exercise

• What is the composition?

[Diagram: Max2; Add2. Stimulus S1 enters Max2; its response R1 is the stimulus S2 of Add2 (R1 = S2), whose response is R2]

R2(i) = S2(i) + S2(i - 1)
      = R1(i) + R1(i - 1)
      = max(S1(i), S1(i - 1)) + max(S1(i - 1), S1(i - 2))

• Max2; Add2 transition: R(i) = max(S(i), S(i - 1)) + max(S(i - 1), S(i - 2))
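An added Python example (not from the slides) that implements Add2 and Max2 as state boxes, composes them in both orders, and checks the derived black box transitions for Add2; Max2 (Page 24) and Max2; Add2 (this exercise) against the composed computation. It assumes the retained state starts at 0 and that history entries before i = 0 are 0, so the closed forms hold from the first stimulus.

```python
class Add2:
    """Page 15 state box: R := S + L (compute response); L := S (update state)."""
    def __init__(self):
        self.L = 0              # assumed initial state
    def trans(self, S):
        R = S + self.L
        self.L = S
        return R

class Max2:
    """Page 15 state box: R := max(S, K) (compute response); K := S (update state)."""
    def __init__(self):
        self.K = 0              # assumed initial state
    def trans(self, S):
        R = max(S, self.K)
        self.K = S
        return R

def compose(*boxes):
    """Sequential composition: each box's response is the next box's stimulus."""
    def trans(S):
        for box in boxes:
            S = box.trans(S)
        return S
    return trans

def run(trans, stimuli):
    """Feed a stimulus sequence through a transition function, collecting responses."""
    return [trans(S) for S in stimuli]

def S_at(S, i):
    """S(i), with S(-1) = S(-2) = 0 by assumption."""
    return S[i] if i >= 0 else 0

def add2_max2_formula(S):
    """Page 24 closed form: R(i) = S(i - 1) + max(S(i), S(i - 2))."""
    return [S_at(S, i - 1) + max(S_at(S, i), S_at(S, i - 2)) for i in range(len(S))]

def max2_add2_formula(S):
    """Page 29 closed form: R(i) = max(S(i), S(i - 1)) + max(S(i - 1), S(i - 2))."""
    return [max(S_at(S, i), S_at(S, i - 1)) + max(S_at(S, i - 1), S_at(S, i - 2))
            for i in range(len(S))]

STIMULI = [3, 1, 4, 1, 5, 9, 2, 6]   # constructed sample input

if __name__ == "__main__":
    # the two orders are different compositions with different net effects
    print(run(compose(Add2(), Max2()), STIMULI), add2_max2_formula(STIMULI))
    print(run(compose(Max2(), Add2()), STIMULI), max2_add2_formula(STIMULI))
```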