Post on 20-Dec-2015


A constraint framework for the qualitative analysis of dependability goals: Integrity

Joint work with

Stefano Bistarelli

Consiglio Nazionale delle Ricerche, Istituto di Informatica e Telematica - Pisa
Università degli Studi “G. D’Annunzio”, Dipartimento di Scienze - Pescara

Simon Foley, University College Cork, Ireland

A constraint framework for the qualitative analysis of dependability goals: Integrity, Stefano Bistarelli


The Idea

• A system/application behaviour can be defined as a set of rules
  – Each rule is a constraint
  – A system/application behaviour is a Constraint Satisfaction Problem (CSP)
  – Properties of the CSP give security properties of the system
    • Confidentiality [Bella-Bistarelli@PADL2001]
    • Authentication [Bella-Bistarelli@CISPW2002]

• Today's example:
  – Integrity (ext. [Bistarelli-Foley@Policy2003])


(Integrity) Policy

• How do we know whether a security (integrity) policy is correctly configured?

• A policy configuration may allow an unexpected compromise via a circuitous authorization route.

• Goal: analyze policy configurations.
  – … let’s start with an example …


Is this system Secure?

• Enterprise receives shipments and generates associated payments

• Does this system have integrity?


Is this system Secure?

• One dishonest clerk
• Two colluding and dishonest clerks
• Unreliable system/software
• …


What is Integrity?

• Conventional models [Biba, Clark-Wilson, Yellow Book, RBAC]:
  – are modelled in terms of the system,
  – define “best practice” for integrity, and
  – define integrity in terms of specific mechanisms to use, but do not propose a denotational definition of integrity

• They define how to (possibly) achieve integrity, but not what it is!


… Integrity?? …

• Define the situations when
  – modification of information is authorised
  – and enforced by the security mechanism of the system.

• “dependability w.r.t. absence of improper alterations”


What is integrity?

• To properly define integrity it is necessary to model both the system and the infrastructure [foley98]
  – Even if the system is functionally correct, the infrastructure is likely to fail: SW, HW, users!


System Requirements

• First consider the requirement!
  – Only later consider how to implement it!

• Enterprise receives shipments and generates associated payments


The idea: A constraint based approach

• Model the components of the system and infrastructure relevant to integrity
  – In an abstract and declarative way
  – Constraints model the relationships between system and infrastructure
  – Soft constraints perform a quantitative/qualitative analysis of the policy (probability/optimization reasoning)


System Requirements

• Enterprise receives shipments and generates associated payments

• Integrity requirement analysis

Black Box

$\mathit{Probity} \triangleq \mathit{pay} \le \mathit{ship}$

The constraint variables pay and ship are invariants on the number of payments and the number of shipments made to date.


Implementation and Refinement. Honest Clerks

$\mathit{Clerk} \triangleq \mathit{inv} \le \mathit{ship}$
$\mathit{Appl} \triangleq \mathit{pay} \le \mathit{inv}$

$\mathit{Imp1} \triangleq \mathit{Appl} \otimes \mathit{Clerk}$


Implementation and Refinement. Dishonest Clerks

$\mathit{Clerk} \triangleq \mathit{inv} \le \mathit{ship} \;\vee\; \mathit{ship} \le \mathit{inv}$
$\mathit{Appl} \triangleq \mathit{pay} \le \mathit{inv}$

$\mathit{Imp2} \triangleq \mathit{Appl} \otimes \mathit{Clerk}$

The system is not resilient to the faults.


Implementation and Refinement. Separation of Duties

$\mathit{Clerk1} \triangleq \mathit{con} \le \mathit{ship}$
$\mathit{Clerk2} \triangleq \mathit{inv} \le \mathit{ship}$
$\mathit{Appl} \triangleq \mathit{pay} \le \min(\mathit{inv}, \mathit{con})$

$\mathit{Imp3} \triangleq \mathit{Appl} \otimes \mathit{Clerk1} \otimes \mathit{Clerk2}$


Integrity and Robustness

System is resilient to some faults


Integrity and Robustness

But not to all faults!!!
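The refinement checks made informally on the preceding slides (Imp1, Imp2 and Imp3 against Probity, and the resilience of Imp3 when one or both clerks are dishonest) can be run mechanically by enumerating assignments: an implementation refines the requirement when every assignment it allows is also allowed by Probity, and a counterexample is an assignment the implementation allows but Probity forbids. The following Python script is an added example, not code from the slides or from the authors; it assumes a bound N on the event counters so that enumeration is finite, and it treats inv and con, which the slides use without defining, as the invoice and confirmation counters kept by the two clerks.

```python
"""Added example (not from the slides): brute-force refinement check for the
shipments/payments integrity example.  Constraint names follow the slides; the
bound N and the reading of inv/con as clerk counters are assumptions."""
from itertools import product
from typing import Callable, Dict, Optional

N = 4                                   # assumed bound on the number of events to date
VARS = ("pay", "ship", "inv", "con")    # constraint variables used on the slides
Assignment = Dict[str, int]
Constraint = Callable[[Assignment], bool]


# Requirement: payments never run ahead of shipments.
def probity(t):
    return t["pay"] <= t["ship"]


# Imp1: honest clerk.
def appl(t):
    return t["pay"] <= t["inv"]


def honest_clerk(t):
    return t["inv"] <= t["ship"]


# Imp2: dishonest clerk, i.e. inv <= ship or ship <= inv, which forbids nothing.
def dishonest_clerk(t):
    return t["inv"] <= t["ship"] or t["ship"] <= t["inv"]


# Imp3: separation of duties, two clerks and an application that trusts neither alone.
def clerk1(t):
    return t["con"] <= t["ship"]


def clerk2(t):
    return t["inv"] <= t["ship"]


def appl_sod(t):
    return t["pay"] <= min(t["inv"], t["con"])


def combine(*cs: Constraint) -> Constraint:
    """Crisp combination of constraints: every constraint must hold."""
    return lambda t: all(c(t) for c in cs)


def faulty(_: Constraint) -> Constraint:
    """Fault model: a dishonest or failed component imposes no constraint at all."""
    return lambda t: True


IMP1 = combine(appl, honest_clerk)
IMP2 = combine(appl, dishonest_clerk)
IMP3 = combine(appl_sod, clerk1, clerk2)


def counterexample(impl: Constraint, req: Constraint) -> Optional[Assignment]:
    """First assignment allowed by impl but forbidden by req; None if impl refines req."""
    for values in product(range(N + 1), repeat=len(VARS)):
        t = dict(zip(VARS, values))
        if impl(t) and not req(t):
            return t
    return None


def refines(impl: Constraint, req: Constraint) -> bool:
    return counterexample(impl, req) is None


def robustness_report() -> Dict[str, bool]:
    """Which implementations still refine Probity, with and without injected faults."""
    return {
        "Imp1 honest clerk": refines(IMP1, probity),
        "Imp2 dishonest clerk": refines(IMP2, probity),
        "Imp3 separation of duties": refines(IMP3, probity),
        "Imp3, one dishonest clerk": refines(combine(appl_sod, clerk1, faulty(clerk2)), probity),
        "Imp3, two colluding clerks": refines(combine(appl_sod, faulty(clerk1), faulty(clerk2)), probity),
    }


if __name__ == "__main__":
    for name, ok in robustness_report().items():
        print(f"{name}: {'refines Probity' if ok else 'violates Probity'}")
    print("Imp2 counterexample:", counterexample(IMP2, probity))
```

Running the script reproduces the slides' conclusions: Imp1 and Imp3 refine Probity, Imp2 does not (one invoice can be raised against zero shipments), Imp3 survives a single dishonest clerk because pay is still bounded by the honest clerk's counter, and it fails once both clerks collude.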


External Consistency and Dependability

• Integrity is really just (local) refinement
  – Any implementation needs to provide a consistent “view” at the interface to the supplier.
  – Then check whether the implementation is resilient to failures within the infrastructure.
  – Check whether the interaction between the supplier and the system implementation is consistent with the original requirement.


Soft Constraints

• To perform a qualitative/quantitative analysis of the system.

• If an implementation satisfying the requirements cannot be found, look for the “best” one (w.r.t. a measure).

• Example:
  – Suppose payments are made as multiples of 100 and outstanding bills made at the end of the month:
    • $\mathit{Probity}(\mathit{pay}, \mathit{ship}) \triangleq \mathit{pay} \le \mathit{ship}$ [constraint]
    • $\mathit{Probity}(a, b) = b - a$ [measure]
    • Minimize the measure $b - a$


Soft Constraints

• Probabilistic reasoning:
  – Add a probability to the events
  – Minimize/maximize the probability of specific actions

• Example
  – Probability of the shipnote event
  – Possible implementation


Conclusions

• Constraints are suitable for representing system properties (integrity) in a declarative way

• Softness can be added to perform a better quantitative/qualitative analysis

• The model makes no distinction between a policy (integrity or other!) being violated deliberately or inadvertently

• The danger of each violation is represented as a level


Strict rules: Crisp Constraints

[Figure: a crisp CSP $P = \langle V, D, C\rangle$ over the variables x1, x2, x3, x4, with the domains {red,blue,yellow}, {blue,yellow}, {red,blue}, {yellow} and C = {pairwise-different}; the figure also lists the components C, PC, con, def, a and illustrates combination and projection on x1 x2 x3 x4.]


Flexible rules: Soft Constraints

[Figure: the same variables x1, x2, x3, x4 and domains {red,blue,yellow}, {blue,yellow}, {red,blue}, {yellow}, with C = {pairwise-different} and soft levels 5$, 3$, 2$ attached; combination (+) gives the assignments of x1 x2 x3 x4 the levels 15$ and 13$, and projection (min) selects 13$.]

C-semiring $\langle A, +, \times, \mathbf{0}, \mathbf{1}\rangle$:


Flexible rules: Soft Constraints

[Figure: the same weighted example as on the previous slide (levels 5$, 3$, 2$; combination (+), projection (min); best level 13$).]

C-semiring $\langle A, +, \times, \mathbf{0}, \mathbf{1}\rangle$:

Weighted: $\langle \mathbb{R}^+, \min, +, +\infty, 0\rangle$
Probabilistic: $\langle [0,1], \max, \times, 0, 1\rangle$
Fuzzy: $\langle [0,1], \max, \min, 0, 1\rangle$
Classical: $\langle \{\mathit{false}, \mathit{true}\}, \vee, \wedge, \mathit{false}, \mathit{true}\rangle$


Semiring-based CSPs: a glimpse of theory

C-semiring $\langle A, +, \times, \mathbf{0}, \mathbf{1}\rangle$:

combination: $c = c_1 \otimes c_2 = \langle \mathit{def}, \mathit{con} = \mathit{con}_1 \cup \mathit{con}_2\rangle$, where
$\mathit{def}(t) = \mathit{def}_1(t\!\downarrow^{\mathit{con}}_{\mathit{con}_1}) \times \mathit{def}_2(t\!\downarrow^{\mathit{con}}_{\mathit{con}_2})$

projection: $c \Downarrow_I = \langle \mathit{def}', I \cap \mathit{con}\rangle$, where
$\mathit{def}'(t') = \sum \{\, \mathit{def}(t) \mid t\!\downarrow^{\mathit{con}}_{I \cap \mathit{con}} = t' \,\}$

$\mathit{Sol}(\langle C, a\rangle) = (\bigotimes C) \Downarrow_a$

$a \le_S b$ (b is better than a) iff $a + b = b$
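The combination and projection operators defined above, the four c-semirings listed on the soft-constraints slides, and the soft Probity measure (b − a, the outstanding amount) from the Soft Constraints slide, put together in working form: the same constraint problem is solved once in the weighted semiring, where the level of each (pay, ship) pair is the minimum outstanding amount, and once in the classical semiring, where it collapses to crisp satisfiability. This Python module is an added example, not code from the slides or the authors; the domain bound 0..3, the lifting of crisp constraints to the semiring's best/worst levels, and the use of inv as the intermediate variable that gets projected out are assumptions made for the example.

```python
"""Added example (not from the slides): a minimal semiring-based soft CSP.
Implements combination and projection as on the "glimpse of theory" slide and
the four c-semirings from the soft-constraints slides, applied to a soft
Probity constraint whose level is the measure ship - pay.  Assumptions: event
counters range over 0..3; crisp Appl/Clerk constraints are lifted to soft ones
(satisfied -> best level 1, violated -> worst level 0)."""
from dataclasses import dataclass
from functools import reduce
from itertools import product
from typing import Any, Callable, Dict, FrozenSet, Iterable, Set

Assignment = Dict[str, Any]
INF = float("inf")


@dataclass(frozen=True)
class CSemiring:
    """<A, +, x, 0, 1>: + chooses the better of two levels, x combines levels."""
    plus: Callable[[Any, Any], Any]
    times: Callable[[Any, Any], Any]
    zero: Any   # worst level: unit of +, absorbing for x
    one: Any    # best level: unit of x

    def better_or_equal(self, a: Any, b: Any) -> bool:
        """a <=_S b (b is at least as good as a) iff a + b == b."""
        return self.plus(a, b) == b


WEIGHTED = CSemiring(min, lambda a, b: a + b, INF, 0)                  # <R+, min, +, +inf, 0>
PROBABILISTIC = CSemiring(max, lambda a, b: a * b, 0.0, 1.0)           # <[0,1], max, x, 0, 1>
FUZZY = CSemiring(max, min, 0.0, 1.0)                                  # <[0,1], max, min, 0, 1>
CLASSICAL = CSemiring(lambda a, b: a or b, lambda a, b: a and b, False, True)  # <{F,T}, or, and>


@dataclass(frozen=True)
class SoftConstraint:
    con: FrozenSet[str]                      # variables the constraint ranges over
    definition: Callable[[Assignment], Any]  # def: assignments of con -> A


def restrict(t: Assignment, vs: Iterable[str]) -> Assignment:
    """t restricted to the variables vs (the t-downarrow notation of the slide)."""
    return {v: t[v] for v in vs}


def combine(S: CSemiring, c1: SoftConstraint, c2: SoftConstraint) -> SoftConstraint:
    """c1 (x) c2: con = con1 U con2, def(t) = def1(t|con1) x def2(t|con2)."""
    return SoftConstraint(c1.con | c2.con, lambda t: S.times(
        c1.definition(restrict(t, c1.con)), c2.definition(restrict(t, c2.con))))


def project(S: CSemiring, c: SoftConstraint, I: Set[str], domains) -> SoftConstraint:
    """c projected onto I: def'(t') = + over every t extending t' of def(t)."""
    keep, hidden = c.con & I, sorted(c.con - I)

    def definition(tp: Assignment) -> Any:
        level = S.zero
        for values in product(*(domains[v] for v in hidden)):
            level = S.plus(level, c.definition({**restrict(tp, keep), **dict(zip(hidden, values))}))
        return level
    return SoftConstraint(frozenset(keep), definition)


def solution(S: CSemiring, constraints, a: Set[str], domains) -> SoftConstraint:
    """Sol(<C, a>) = ((x) C) projected onto a."""
    return project(S, reduce(lambda x, y: combine(S, x, y), constraints), a, domains)


def best_level(S: CSemiring, c: SoftConstraint, domains) -> Any:
    """Best level any assignment of c reaches (+ over all tuples)."""
    vs = sorted(c.con)
    return reduce(S.plus, (c.definition(dict(zip(vs, vals)))
                           for vals in product(*(domains[v] for v in vs))), S.zero)


DOMAINS = {v: range(4) for v in ("pay", "ship", "inv")}  # assumed bound on events to date


def lift(S: CSemiring, crisp: Callable[[Assignment], bool]):
    """Crisp constraint as a soft one: satisfied -> 1, violated -> 0 (assumed lifting)."""
    return lambda t: S.one if crisp(t) else S.zero


def soft_probity(t: Assignment) -> float:
    """pay <= ship is required; its level is the measure b - a, the outstanding amount."""
    return t["ship"] - t["pay"] if t["pay"] <= t["ship"] else INF


def problem(S: CSemiring, probity_def) -> list:
    return [SoftConstraint(frozenset({"pay", "ship"}), probity_def),
            SoftConstraint(frozenset({"pay", "inv"}), lift(S, lambda t: t["pay"] <= t["inv"])),
            SoftConstraint(frozenset({"inv", "ship"}), lift(S, lambda t: t["inv"] <= t["ship"]))]


def levels(S: CSemiring, probity_def) -> Dict[tuple, Any]:
    """Level of each (pay, ship) pair once all constraints are combined and inv is projected out."""
    sol = solution(S, problem(S, probity_def), {"pay", "ship"}, DOMAINS)
    return {(p, s): sol.definition({"pay": p, "ship": s}) for p in DOMAINS["pay"] for s in DOMAINS["ship"]}


def weighted_levels() -> Dict[tuple, Any]:
    return levels(WEIGHTED, soft_probity)


def classical_levels() -> Dict[tuple, Any]:
    return levels(CLASSICAL, lift(CLASSICAL, lambda t: t["pay"] <= t["ship"]))
```

Swapping the semiring changes what "best" means without touching the constraints: under WEIGHTED the pair (1, 3) gets level 2 (two shipments still unpaid) and (3, 1) gets +∞ (forbidden), while under CLASSICAL the same pairs evaluate to true and false, which is exactly the crisp problem of the earlier slides. The partial order of the last slide is `better_or_equal`: in the weighted semiring 3 is better than 5 because min(5, 3) = 3.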