Descartes Specification for Wireless Device Control
Feba Jacob, Vinitha Subburaj, and Joseph Urban

Presentation transcript:
Abstract

Hackers are able to maintain long-term access to target environments through wireless devices. An attacker using a wireless device can hack into and infect an organization's system with relative ease. Wireless device control has become a major concern in organizations, as attackers are able to infect systems and initiate major theft by connecting wirelessly to access points inside an organization. By hacking into an organization's network, attackers can cause much damage: information, especially confidential information about customers, can be leaked, and hackers can also initiate theft of money and resources. Security is a major concern in the computing field as technology advances and hackers are able to find loopholes.

The Critical Security Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works". Standardization and automation are another top priority, to gain operational efficiencies while also improving effectiveness. There are 20 SANS Critical Controls. Each critical control describes: how attackers exploit the absence of this control; how to implement, automate, and measure the effectiveness of this control; procedures and tools to implement and automate this control; and a diagram. Wireless device control is SANS Critical Control 7. This research project focuses on a Descartes specification for wireless device control, to reduce security concerns and to prevent hackers from gaining access to an organization's system.

Introduction/Motivation

Wireless device control has become a major issue in organizations as attackers are able to initiate major theft by connecting wirelessly to access points inside an organization [4]. Wireless clients are able to infect the systems of traveling employees through remote exploitation during air travel or in cyber cafes. Once reconnected to the network of the target organization, the exploited system is used as a back door. Unauthorized wireless access points on organizations' networks, planted and sometimes hidden to give unrestricted access to an internal network, have been reported. Wireless devices are a convenient vector for attackers to maintain long-term access into a target environment. Attackers using wireless devices are able to hack into and infect organizations' systems with ease.

The Descartes specification language is a tool for developing and executing functional specifications [7]. A Descartes specification defines the input and output data through analysis and synthesis of data, and relates the output data to the input data such that the output data becomes a function of the input data.

Related Works

Some Security Issues of Wireless Systems [1]
- Describes some common wireless systems security problems, the impact the type of industry has on application security, access control aspects, and the effects of the operating system on security
- Some negative factors include the ability to easily hack into the medium and design errors in early protocols
- Although Wi-Fi and Bluetooth seem secure, the security layers are not completely covered

A Technique for Validating Booch Object-Oriented Designs from Extensions to the Descartes Specification Language [2]
- Validates Booch object-oriented designs by comparing them against validated object-oriented Descartes specifications
- It is necessary to validate specifications to ensure that they represent what the end user requires
- "Executable specification languages exist for validating the requirements through rapid prototyping and abstract execution capabilities" [2]
- The Booch object-oriented design validation technique delivers high-assurance software whose behavior follows the requirements precisely, by providing consistency between the analysis and design phases
- By shifting the validation process to early in the life cycle, this technique decreases the cost of finding and resolving errors in software caused by non-adherence to requirements
- Enables software reuse by altering "an existing specification and design and validating the new design against the new specification" [2]

Multiple Views of an Executable Software Specification Language [6]
- An important link in the front end of the software life cycle is the development of accurate, succinct, and unambiguous software specifications
- "Discusses the usability of Descartes in the context of evaluation criteria proposed by several specification language developers" [6]
- Focuses on the notational flexibility of multiple user views in the Descartes specification language

Extending the Descartes Specification Language Towards Process Modeling [8]
- "Describes the use of formal methods to specify requirements and the advantage of using an executable formal specification language processor to develop a process model for the development of a software system" [8]
- Explains the use of the Descartes specification language, an executable specification language, to define a software process, and the language extensions made to Descartes to make it suitable for describing a software process
- Since handling a process manually takes more time and money and can produce low-quality software, automating a software process saves time and reduces additional work

The Protection of Information in Computer Systems [3]
- Focuses on protection and authentication mechanisms, and does not discuss much about other equally necessary security mechanisms
- Discusses how to prevent manipulation of computer-stored information by unauthorized users
- "The term 'unauthorized' in the three categories, which include release, modification, or denial of use," means that the manipulation occurs without the consent of the person who manages the information, and possibly contrary to the limitations implemented by the system [3]
- The purpose of a secure system is to block all unapproved manipulation of information

Objectives
- Review and analyze literature on attacks on wireless device control and on the Descartes specification language
- Develop a Descartes specification for attacks on wireless device control using the SANS Critical Controls
- Develop a technique and demonstrate that the approach is an improvement over other techniques
- Present the results in a research report, oral presentation, and poster to others on improving wireless device control with the use of the Descartes specification language

Summary and Statement of Contribution to Work

As more wireless devices are used, security concerns are increasing. Hackers are able to gain access to an organization's system by infecting the wireless devices of traveling employees or by planting unauthorized access points in the organization's network. The Descartes specification language is a simple yet powerful tool for developing and executing functional specifications [6, 7]. A Descartes specification for wireless device control has not been developed before. Developing a Descartes specification for wireless device control is important to reduce security concerns and to prevent hackers from gaining access to an organization's system.

Texas Tech University 2013 National Science Foundation Research Experiences for Undergraduates Site Project – Cybersecurity, Robotics, and Software Engineering

Methodology
- Review and analyze literature on the Descartes specification language to gain a thorough understanding of how it works
- Review and analyze literature on wireless device control and the consequences if a wireless device is used to hack into a system
- Review and analyze literature on how hackers hack into an organization's system, to understand the mindset of hackers
- Develop a Descartes specification for wireless device control
- Demonstrate that the approach is an improvement over other techniques
- Present the results in a research report, oral presentation, and poster to others

Results
- Became familiar with the Descartes specification language: reviewed and analyzed literature on it to gain a thorough understanding of how it works.
- Became familiar with wireless device control: reviewed and analyzed literature on it to understand the consequences if a wireless device is used to hack into a system.
- Researched how hackers exploit and hack into an organization's system, and studied the mindset of hackers in order to protect an organization's system.
- Develop a Descartes specification for wireless device control.
- Develop a technique and demonstrate that the approach is an improvement over other techniques.

Future Research
- Expand the Descartes specification for wireless device control
- Develop extensions to the Descartes specification for wireless device control
- As technology advances and more loopholes are found, create specifications to prevent hacking

Specification

WIRELESS_DEVICE_CONTROL_(TEST)
    TEST+
        valid_employee+
            employee_1
                name1
                    'Sarah'
                device1
                    'Samsung 84'
            employee_2
                name2
                    'John'
                device2
                    'Blackberry 53'
            employee_3
                name3
                    'James'
                device3
                    'i-phone 5 abc'
        hacker
            hacker_name
                (1..) CHARACTER
            hacker_device
                (1..) CHARACTER
    return+
        VALID_EMPLOYEE
            'Welcome'
            SESSION_UNDERWAY
        HACKER
            'System Down'

Retrieved from SANS Critical Control 7:
"Step 1: Hardened configurations applied to wireless devices
Step 2: Hardened configurations managed by a configuration management system
Step 3: Configuration management system manages the configurations on wireless devices
Step 4: Wireless IDS monitor usage of wireless communications
Step 5: Vulnerability scanners scan wireless devices for potential vulnerabilities
Step 6: Wireless clients utilize wireless infrastructure systems in a secure manner"
IDS = Intrusion Detection System

References
1. Fernandez, E.B., Rajput, S., Vanhilst, M. and Larrondo-Petrie, M. M. Some security issues of wireless systems. In ISSADS'05 Proceedings of the 5th International Conference on Advanced Distributed Systems, Springer-Verlag, Berlin, Heidelberg.
2. Pichai, R. and Urban, J. A technique for validating Booch object-oriented designs from extensions to the Descartes specification language. In HASE '96 Proceedings of the 1996 High-Assurance Systems Engineering Workshop, Washington, DC, October 1996, IEEE Computer Society, Los Alamitos, CA.
3. Saltzer, J.H. and Schroeder, M.D. The protection of information in computer systems. Proceedings of the IEEE, 6, 9, 1278 –.
4. SANS. Critical control 7: Wireless device control. The critical security controls: Twenty critical security controls for effective cyber defense.
5. SANS. The critical security controls: Twenty critical security controls for effective cyber defense.
6. Tung, Y., Khwaja, A. A. and Urban, J. Multiple views of an executable software specification language. Journal of Systems Software, 21, 3.
7. Urban, J. Software development with executable functional specifications. In ICSE '82 Proceedings of the 6th International Conference on Software Engineering, IEEE Computer Society, Los Alamitos, CA.
8. Urban, J., Subburaj, V. and Ramamoorthy, L. Extending the Descartes specification language towards process modeling. In Proceedings of the Federated Conference on Computer Science and Information Systems, Szczecin, September 2011, IEEE Computer Society, Los Alamitos, CA.

DISCLAIMER: This material is based upon work supported by the National Science Foundation and the Department of Defense under Grant No. CNS. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation or the Department of Defense.
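The poster describes Descartes as relating output data to input data by analysis and synthesis, and its WIRELESS_DEVICE_CONTROL_(TEST) specification is the one concrete instance: the TEST+ alternatives analyse a name/device pair, and return+ synthesises 'Welcome' or 'System Down' from whichever branch matched. The following is an added example written for this page, not the poster's own code and not Descartes: it renders that specification's behaviour in Python so the input-to-output function can be run. The three registered employees are the ones in the poster's specification; the record type JoinAttempt, the function names, and the sample join attempts are assumptions constructed for the example. It also covers an input the specification leaves undefined (an empty name or device matches neither the employee nor the hacker branch), which is the edge case a reviewer of such a spec would want to see handled.

```python
"""Added example (not the poster's code): a Python rendering of the poster's
WIRELESS_DEVICE_CONTROL_(TEST) Descartes specification.

Descartes relates output to input by analysing the input against the
alternatives of a tree and synthesising the output from the branch matched.
This module mirrors that: TEST+ becomes classify(), return+ becomes
wireless_device_control().  The three registered employees are the ones in
the poster's specification; the record type, function names and the sample
join attempts are constructed for this example.  Descartes itself is not used.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Analysis side (TEST+ / valid_employee+): the registered name/device pairs.
VALID_EMPLOYEES: Dict[str, str] = {
    "Sarah": "Samsung 84",
    "John": "Blackberry 53",
    "James": "i-phone 5 abc",
}

# Synthesis side (return+): the two possible outputs.
WELCOME = "Welcome"
SYSTEM_DOWN = "System Down"


@dataclass(frozen=True)
class JoinAttempt:
    """One attempt to use the wireless network: claimed name and device identifier (assumed type)."""
    name: str
    device: str


def classify(attempt: JoinAttempt) -> str:
    """Analysis step: which alternative of TEST+ does the input match?

    'VALID_EMPLOYEE' if name AND device match one registered employee;
    'HACKER' for any other pair whose name and device are each at least one
    character long (the (1..) CHARACTER branch); ValueError if the input
    matches no alternative at all, which the specification does not define.
    """
    if VALID_EMPLOYEES.get(attempt.name) == attempt.device:
        return "VALID_EMPLOYEE"
    if attempt.name and attempt.device:
        return "HACKER"
    raise ValueError("input matches no alternative of TEST+: empty name or device")


def wireless_device_control(attempt: JoinAttempt) -> Tuple[str, bool]:
    """Synthesis step: return+ as a function of the analysed input.

    Returns (message, session_underway): a valid employee gets 'Welcome' and
    an open session (SESSION_UNDERWAY); anything else gets 'System Down' and none.
    """
    if classify(attempt) == "VALID_EMPLOYEE":
        return WELCOME, True
    return SYSTEM_DOWN, False


def evaluate_all(attempts: List[JoinAttempt]) -> Dict[str, int]:
    """Run the specification over a batch and count outcomes per branch,
    keeping undefined inputs visible rather than silently dropping them."""
    counts = {"VALID_EMPLOYEE": 0, "HACKER": 0, "UNDEFINED": 0}
    for attempt in attempts:
        try:
            counts[classify(attempt)] += 1
        except ValueError:
            counts["UNDEFINED"] += 1
    return counts


# Constructed sample input: two registered devices, a known name on an
# unregistered device, an unknown pair, and a malformed (empty-name) record.
SAMPLE_ATTEMPTS = [
    JoinAttempt("Sarah", "Samsung 84"),
    JoinAttempt("John", "Blackberry 53"),
    JoinAttempt("James", "Nexus 4"),       # right name, wrong device: HACKER branch
    JoinAttempt("Mallory", "Unknown"),
    JoinAttempt("", "Samsung 84"),         # no branch of TEST+ covers this
]

if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        try:
            print(a, "->", wireless_device_control(a))
        except ValueError as exc:
            print(a, "->", exc)
    print(evaluate_all(SAMPLE_ATTEMPTS))
```

Two points the code makes explicit that the flattened specification only implies: the employee branch matches on the name and the device together, so a registered employee's name on an unregistered device falls through to the hacker branch; and the (1..) CHARACTER repetition means the hacker branch only covers non-empty strings, so an empty field is outside the specification and is reported as undefined instead of being welcomed or rejected by accident.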