Download presentation
Presentation is loading. Please wait.
Published byBrendon Gladen Modified over 9 years ago
1
Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009
2
Context and Contribution 2 Context Building secure distributed systems Needed expertise in systems and security Needed expertise in cryptography Difficulty of dynamic reconfiguration without breaking the security properties of the system Necessity of high level tools Programming abstractions Automatic code generation Verification of the generated code
3
Context and Contribution 3 Contribution High-level model : CIF (Component Information Flow) System architecture description : component-based model Security annotations Transformation tools : Verification of the security properties System code generation Models and languages Component-based model : Fractal Security-typed programming language : JIF Architecture Description Language : ADL (XML-based)
4
Outline CIF Specification System representation System security : Inter and Intra component CIF Transformation CIF ADL ADL Generation Code Generation Case study : The battleship game Conclusion and Future Work 4
5
Outline CIF Specification System representation System security : Inter and Intra component CIF Transformation CIF ADL ADL Generation Code Generation Case study : The battleship game Conclusion and Future Work 5
6
System : assembly of components explicitly bound, with ports used to send and receive data Each component is configurable : attribution of labels to : The attributes The ports 6 CIF Specification System Representation {L3} {L1} {L3'}
7
Labels Use of Labels : pair of : Confidentiality policies Integrity policies All the policies must be obeyed Relation at most as restrictive as ( ⊑ ) Construction of a security lattice As data flows through the system, its labels only become more restrictive ! 7 less restrictive more restrictive
8
CIF Specification System Security In CIF, needed security policies must be guaranteed at two levels Intra-component Inter-component Inter-component Ports annotation Intra-component Secure component code 8
9
CIF Specification Inter-component Security Associating a label to a port : impose a security restriction to the request or response A binding is permitted iff L(client) ⊑ L(server) Example : Confidentiality :Integrity : C1 : I want the message to keep the conf. at least CC1 : I guarantee that the integrity level is I C2 : I consider that the message received has C2 : I want the message to have at least the label C' the integrity I' 9 P' {C'; I'} C2 P {C; I} C1
10
CIF Specification Intra-component Security 10 Annotation of ports and attributes of a component Verification of component code Preservation of confidentiality and integrity of annotated elements Non-interferent data flow Non-interference : "The low level users should not be able to deduce anything about high level user’s activity" Foccardi et al. "Low-security behavior of the program is not affected by any high-security data.” Goguen & Messeguer 1982
11
Outline CIF Specification System representation System security : Inter and Intra component CIF Transformation CIF ADL ADL Generation Code Generation Case study : The battleship game Conclusion and Future Work 11
12
12 CIF Transformation Implementation of the CIF Spec. P2 {C2; I2} C2 P1 {C1; I1} C1 P2 C2 P1 C1 cryptsign verify decrypt C'1 C'2 TC1 TC2
13
ADL : Architecture Description Language XML-based Functional part Architecture of the system : components & bindings Location of the component code Security part Security labels of attributes & ports <port name="start" role="server" signature="src.security.StartItf" label=""/> <port name="send" role="client" signature="src.security.SendItf" label="L"/> 13 C1 start{} send{L} CIF ADL Architecture Description
14
14 CIF Transformation ADL Generation P2 {C2; I2} C2 P1 {C1; I1} C1 P2 C2 P1 C1 cryptsign verify decrypt ADL Transform : removing the annotations Implementation : Confidentiality : asymmetric encryption Integrity : signature Assumptions : Keys distributed safely Communication channels untrusted Generation of cryptographic components : Creation of crypt, sign, verify and decrypt components Creation of top components containing The main component (server or client) The security components (crypt & sign or verify & decrypt) Connecting the top components with low level bindings
15
15 CIF Transformation Code Generation C1 C'1 Guarantee the non-interference property for one component Depending on the component code Implemented in a security-typed language (exp : JIF) Type checking Implemented in an imperative language Propagation of the attributes' and methods' labels Propagation of the label Check the use of component parameters and port messages Check the information flow : non-interferent? Controller Called when secret information leaks Decides whether to declassify the information or to throw an exception If the label is propagated without exceptions, component non- interferent!
16
Outline CIF Specification System representation System security : Inter and Intra component CIF Transformation CIF ADL ADL Generation Code Generation Case study : The battleship game Conclusion and Future Work 16
17
17 Case Study The Battleship Game 1 coordinator and 2 players (at least) Each player has a secret board with a fixed number of ships Each player tries to guess the opponent's ships coordinates : the winner is the first player who finds the n ships of the opponent The coordinator keeps a copy of the players' boards & controls the message exchange
18
18 Case Study The Battleship Game : Inter-component security cryptsign verify decrypt m m Ɛ (m,pub(coord)) S( Ɛ (m,pub(coord))) Ɛ (m,pub(coord)) m
19
19 Case Study The Battleship Game : Intra-component security public class Player { private Board board; public void setBoard(Board board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }
20
20 Case Study The Battleship Game : Intra-component security public class Player { private Board {P1->C;P1<-C} board; public void setBoard(Board board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }
21
21 Case Study The Battleship Game : Intra-component security public class Player { private Board{P1->C;P1<-C} board; public void setBoard(Board{P1->C;P1<-C} board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }
22
22 Case Study The Battleship Game : Intra-component security public class Player { private Board {P1->C;P1<-C} board; public void setBoard(Board{P1->C;P1<-C} board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board{P1->C;P1<-C} myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }
23
23 Case Study The Battleship Game : Intra-component security public class Player { private Board {P1->C;P1<-C} board; public void setBoard(Board{P1->C;P1<-C} board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board{P1->C;P1<-C} myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }
24
24 Case Study The Battleship Game : Intra-component security public class Player { private Board {P1->C;P1<-C} board; public void setBoard(Board{P1->C;P1<-C} board) { this.board = board; } public void init(int nbShips) { int numCovered = 0; for (int j = 1; j < nbShips+1 ; j++){ numCovered += j; } final Ship{P1->C;P1<-C}[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true), new Ship(new Coordinate(1, 3), 2, false), }; Board{P1->C;P1<-C} myBoard = new Board(); int i = 0; for (int count = numCovered; count > 0 && myBoard != null;) { try { Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++]; if (newPiece != null && newPiece.length > count) { newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal); } myBoard.addShip(newPiece); count -= (newPiece == null ? 0 : newPiece.length); } catch (ArrayIndexOutOfBoundsException ignored) { } catch (IllegalArgumentException ignored) {} } setBoard (myBoard); }
25
Outline CIF Specification System representation System security : Inter and Intra component CIF Transformation CIF ADL ADL Generation Code Generation Case study : The battleship game Conclusion and Future Work 25
26
26 Conclusion CIF Component-based model Builds distributed systems secure by construction User specifies security requirements At a high level of abstraction Association of labels to attributes and ports of the component Tools to automate security implementation Inside a component : Generation of JIF code Between components Insertion of cryptographic components
27
27 Future Work Key distribution Secure deployment Safe reconfiguration Privacy
28
Thank you for your attention Lilia Sfaxi DCS Days - 26/03/2009
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.