Composing Security Policies on Java Cards Michael McDougall with Rajeev Alur and Carl A. Gunter University of Pennsylvania April 26, 2004.

Presentation transcript:

Composing Security Policies on Java Cards Michael McDougall with Rajeev Alur and Carl A. Gunter University of Pennsylvania April 26, 2004

HCES April 26, The Problem
Predictable program behavior is important, but difficult
– Bugs are expensive or worse
– Safety/security-critical applications
A payment card application needs to combine policies
Want to understand what will happen when these policies are integrated
– Bugs, conflicts

Current approaches
Formal models: automata, logic
– Not appropriate for this kind of policy integration
– Too restricted or too general
Formal methods: model checking, theorem proving, constraint solvers
– Work best when tied to a succinct model
– Want to exploit domain-specific knowledge

Our solution
A new formal model: policy automata
– Combines state machines with voting, using defeasible logic
Polaris: a tool for creating, analyzing and compiling policy automata

Open Embedded Systems
Chips are getting cheaper and are embedded into more and more devices
Need to balance functionality with dependability
OpEm: Open Embedded Systems
– Flexible, more functionality
– Safety- and security-critical
Specific domain: access control

Application: Programmable Payment Cards
Smart cards:
– Size of a credit card
– Contain CPU + memory
Application: user-configurable payment cards
Example: a card linked to a grant
– Parent writes policy, gives it to child
– Hierarchy of stakeholders: Penn, School of Engineering, Computer Science

Hierarchy of Policies (diagram): Penn, Engineering, Comp Sci, Professor, Grad Student; policies P1, P2, P3, P4

Purchasing Policies
Restrictive
– Administrative: all merchants must be approved
– Risk reduction: no more than 5 purchases; no purchases over $4000; no more than $300 a day
– Safety: cannot buy conflicting prescription drugs
Permissive
– Must be able to pay for ambulance

Modular Policies
Often composed of sub-policies:
– different stakeholders
– policies evolve over time
– different problems (or attacks)
– easier to understand and modify
Composing sub-policies can lead to conflicts or other unintended effects

Our Proposed Approach
Policy automata
– State machine + a non-monotonic voting system
– State machine stores information, chooses vote
– Votes are coalesced into Yes/No/Conflict

Other Applications
Purchasing and related systems
– Food and drug interactions
– Checking out equipment
Network access
– IP packet filters
– HTTP request access control
Access to restricted areas
In general
– wherever stateful policies are used for access control

Formal Model
State machine + votes
Diagram: a request goes to each policy automaton; each automaton emits a vote; a resolution function combines the votes into Conflict or Yes/No

Defeasible Logic as Votes
Defeasible logic: non-monotonic logic with an efficient inference algorithm
Special literal "yes"
Votes
– lists of rules
Resolution function
– yes not provable: f = no (reject)
– yes provable and ¬yes provable: f = ⊤ (conflict)
– yes provable: f = yes (accept)

Analysis
Conflict freedom
Policy redundancy
Specification
Safety properties

Example Automaton: Purchasing
"At most 2 purchases over $100"
States m1, m2, m3; transitions m1 → m2 and m2 → m3 on "yes & t.p > 100"
Vote in m1: if true then {} ⇒ yes
Vote in m2: if true then {} ⇒ yes
Vote in m3: if t.p > 100 then {} ⇒ ¬yes

Example Automaton: Drug Interaction
Drugs interacting with tofranil
State m0:
if (t.class == MAOI) then {} → ¬yes
if (t.class == ALBUTEROL) then {} ⇝ ¬yes
else {} → tof
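As an added example, not code from the slides or from the Polaris tool, the following Python model puts the preceding slides together: policy automata that vote with lists of defeasible-logic rules, the resolution function from the "Defeasible Logic as Votes" slide, the purchasing and drug-interaction example automata, and a reachability-based conflict-freedom check of the kind listed under Analysis. Assumptions of mine: the three arrow glyphs on the example slides are read as strict, defeasible and defeater rules; no superiority relation between rules is modelled; the drug automaton's "else" branch is left out; the administrative ("all merchants must be approved") and permissive ("must be able to pay for ambulance") policies from the Purchasing Policies slide are encoded as constructed samples, as are the requests.

```python
# Added illustration of the slides' policy-automata model; not Polaris or its Java
# Card code. Rule kinds (strict ->, defeasible =>, defeater ~>), empty rule bodies
# and the single literal "yes" follow the slides; policies are constructed samples.
from dataclasses import dataclass
from typing import Callable, Dict, List

STRICT, DEFEASIBLE, DEFEATER = "strict", "defeasible", "defeater"

@dataclass(frozen=True)
class Rule:
    kind: str                     # STRICT, DEFEASIBLE or DEFEATER
    cond: Callable[[dict], bool]  # the slides' "if <guard on t> then"
    head: bool                    # True votes "yes", False votes "not yes"

@dataclass
class PolicyAutomaton:
    state: str
    votes: Dict[str, List[Rule]]              # state -> rules voted in that state
    update: Callable[[str, dict, bool], str]  # (state, t, accepted) -> next state

def resolve(rules: List[Rule]) -> str:
    """Resolution function f. Single-literal defeasible logic, no superiority
    relation: a strict rule proves its head definitely; a strict or defeasible
    rule proves it defeasibly only if the opposite literal is not definitely
    provable and no rule for the opposite literal (defeaters included) applies."""
    def definite(h): return any(r.kind == STRICT and r.head == h for r in rules)
    def supported(h): return any(r.kind != DEFEATER and r.head == h for r in rules)
    def attacked(h): return any(r.head != h for r in rules)
    def provable(h): return definite(h) or (supported(h) and not definite(not h) and not attacked(h))
    yes, not_yes = provable(True), provable(False)
    if yes and not_yes:
        return "conflict"          # the slides' top element
    return "yes" if yes else "no"  # "yes" not provable means reject

def decide(card: List[PolicyAutomaton], t: dict) -> str:
    """One manager step: gather applicable rules, resolve, then update every automaton."""
    outcome = resolve([r for a in card for r in a.votes[a.state] if r.cond(t)])
    for a in card:
        a.state = a.update(a.state, t, outcome == "yes")
    return outcome

def purchasing() -> PolicyAutomaton:
    """Slide example 'At most 2 purchases over $100': m1 -> m2 -> m3 on accepted big purchases."""
    big = lambda t: t["p"] > 100
    def update(s, t, accepted):
        return {"m1": "m2", "m2": "m3"}.get(s, s) if accepted and big(t) else s
    return PolicyAutomaton("m1", {"m1": [Rule(DEFEASIBLE, lambda t: True, True)],
                                  "m2": [Rule(DEFEASIBLE, lambda t: True, True)],
                                  "m3": [Rule(DEFEASIBLE, big, False)]}, update)

def drug_interaction() -> PolicyAutomaton:
    """Slide example (state m0; its 'else' branch omitted here): an MAOI is strictly
    refused, albuterol only has its approval defeated."""
    return PolicyAutomaton("m0", {"m0": [
        Rule(STRICT, lambda t: t.get("class") == "MAOI", False),
        Rule(DEFEATER, lambda t: t.get("class") == "ALBUTEROL", False)]}, lambda s, t, a: s)

def approved_merchants(approved: set) -> PolicyAutomaton:
    """Administrative policy from the slides: all merchants must be approved."""
    return PolicyAutomaton("s", {"s": [Rule(STRICT, lambda t: t["merchant"] not in approved, False)]},
                           lambda s, t, a: s)

def ambulance() -> PolicyAutomaton:
    """Permissive policy from the slides: must always be able to pay for an ambulance."""
    return PolicyAutomaton("s", {"s": [Rule(STRICT, lambda t: t["merchant"] == "ambulance", True)]},
                           lambda s, t, a: s)

def find_conflicts(make_card: Callable[[], List[PolicyAutomaton]], samples: List[dict]) -> list:
    """Conflict-freedom check over a finite request sample: explore every reachable
    joint state and report each (joint state, request) that resolves to conflict."""
    card = make_card()
    start = tuple(a.state for a in card)
    seen, todo, conflicts = {start}, [start], []
    while todo:
        joint = todo.pop()
        for t in samples:
            for a, s in zip(card, joint):
                a.state = s
            if decide(card, t) == "conflict":
                conflicts.append((joint, t))
            nxt = tuple(a.state for a in card)
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return conflicts

# Constructed sample requests (t.p is the price in dollars).
SAMPLES = [{"p": 150, "merchant": "grocer"}, {"p": 900, "merchant": "ambulance"},
           {"p": 30, "merchant": "pharmacy", "class": "MAOI"}]

def demo() -> List[str]:
    """Run the slide policies on a constructed purchase sequence."""
    card = [purchasing(), drug_interaction(), approved_merchants({"grocer", "pharmacy"})]
    return [decide(card, t) for t in (
        {"p": 30, "merchant": "pharmacy", "class": "MAOI"},       # no: strict not-yes beats => yes
        {"p": 30, "merchant": "pharmacy", "class": "ALBUTEROL"},  # no: defeater blocks yes
        {"p": 150, "merchant": "grocer"},                         # yes, m1 -> m2
        {"p": 500, "merchant": "grocer"},                         # yes, m2 -> m3
        {"p": 120, "merchant": "grocer"},                         # no: third purchase over $100
        {"p": 20, "merchant": "unknown-shop"})]                   # no: merchant not approved
```

demo() returns the decision for each request in order and shows why the three rule kinds matter: a strict ¬yes overrides the purchasing automaton's defeasible yes, while a defeater only blocks yes without proving ¬yes (still a rejection, since yes is not provable). find_conflicts(lambda: [purchasing(), approved_merchants({"grocer"}), ambulance()], SAMPLES) reports a conflict in every reachable joint state, because the permissive ambulance policy's strict yes meets the administrative policy's strict ¬yes; approving the ambulance merchant removes all of them, and in m3 the strict yes then beats the purchasing automaton's defeasible ¬yes without conflict.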

Polaris Architecture (diagram)
Front end → analysis engine: automata and properties in; results and counterexamples out
Front end → code generator: automata in; Java applets out
Java applets → Java Card compiler (Oberthur) → Java Card platform

Java Card Runtime Architecture (diagram)
Card terminal → Manager Applet: transaction
Manager Applet → Policy Applets P1, P2, P3: trans. info
Policy Applets → Manager Applet: votes
Manager Applet → Policy Applets: update

Conclusion
Model-based design
A unique formal model
– Domain-specific model
– Stateful policy integration with conflict resolution
– Combines state machines and defeasible logic
Implementation of development framework
– Adapt formal methods techniques to the model
Implementation of flexible payment card
– Embedded defeasible logic engine

The End