Logging Mechanism Nonrepudiability Metrics

Science of Security Lablet

Security Metrics-Driven Evaluation, Design, Development, & Deployment

Logging Mechanism Nonrepudiability Metrics

Jason King

Computer Science PhD Student





Repudiation Threats Users can deny performing an action without other parties having any way to prove otherwise



Nonrepudiation • Counter repudiation threats • Secure activity logs

– Includes events that create, delete, view, modify sensitive data

– Includes security events – Protects log entries from being altered



Research Objective

• Improve integrity of logging mechanisms •Mitigate repudiation threats • Developing and validating a set of security

metrics



Logging Mechanism References •Healthcare •Payment Card Industry •Research Articles



Electronic Health Record System OpenEMR Example



Electronic Health Record System PatientOS Example



Electronic Health Record System OpenEMR Immutability



Attributes of Nonrepudiation

• Data transactions logged • Security actions logged • Log entry content • Software-driven immutability

• Timestamp reliability • Log retention • Log backups • Policy-driven immutability



Data Transactions Logged

Derive from requirements specification

Create View

Delete

Modify

Import

Query Export



Natural Language Processing of Functional Requirements

Subject Verb Direct Object A doctor creates prescriptions A patient views allergy information A doctor modifies office visit notes

[Subject] [Verb] [Direct Object]



Data Transactions Logged Example

Health Care Personnel can modify or delete the fields of the office visit [prescriptions, laboratory procedures, referrals,

diagnoses, and/or immunizations]. Data Element Create View Modify Delete

Prescription X X

Lab Procedure X X

Referral X X

Diagnoses X X

Immunization X X



Security Actions Logged Login Logout

Revoke Privilege

Grant Privilege

System Backup

Access Audit Log Initialize Audit Log

System Restore Session Timeout

Account Lockout Print …



Required for Nonrepudiation Additional Content Timestamp Source Machine ID User identification Success/Failure Flag Description of the event ID of affected data Identify of whose data accessed Reason for access

Log Entry Content Data captured for each log entry



Logging Mechanism Evaluation

Software User Actions Log Output



Software-driven Immutability

• Tampering with log files should be detectable – Serialization/digital signatures of log files – Provenance tracking of data writes



Preliminary EHR Evaluation

0%

25%

50%

75%

100% Data Transactions Logged

Security Actions Logged

Log Entry Content

Software-based Immutability

OpenEMR v4.1.1



Preliminary EHR Evaluation

0%

25%

50%

75%

100%

Data Transactions Logged

Security Actions Logged

Log Entry Content

Software-based Immutability

OpenEMR v4.1.1 PatientOS v1.3



Collaboration

Requirement artifacts

Software access for black-box testing

Log Output



Collaboration

Requirement artifacts

Software access for black-box testing

Log Output

Logging strengths

Logging weaknesses

Functional logging requirements

Mitigate repudiation threats



Logging Mechanism Nonrepudiability Metrics

Jason King

Computer Science PhD Student

Documents

Logging Mechanism Nonrepudiability Metrics