Page 1

Pushing the Security Boundaries of Ubiquitous Computing

ACSF 2006

13th July 2006

David Llewellyn-Jones, Madjid Merabti, Qi Shi, Bob Askwith

School of Computing and Mathematical Statistics
Liverpool John Moores University
James Parsons Building
Byrom Street, Liverpool, L3 3AF, UK

{D.Llewellyn-Jones, M.Merabti, Q.Shi, R.Askwith}@ljmu.ac.uk
http://www.cms.livjm.ac.uk/PUCsec/

Page 2

Overview

• Perimeter Security
  – Ubiquitous Computing
  – Dynamic Boundaries
• Component Composition Analysis
  – Implementation Framework
  – Dynamic Boundary Analysis
• Encrypting External Links
  – Resolving Failures
• Complexity and Timing
• Conclusions and further work

Page 3

Perimeter Security

• Computer security currently relies heavily on perimeter defences
  – Firewalls
    – Block certain types of incoming and outgoing traffic
  – Intrusion Detection Systems
    – Analyse data entering or leaving a network
    – Detect Denial of Service attacks
  – 97% of organisations responding to the 2005 CSI Computer Crime and Security Survey used a firewall
• Policies are enforced within network boundaries

Page 4

Ubiquitous Computing Perimeters

• In Ubiquitous Computing environments, the perimeter becomes blurred
  – Wireless ad hoc networks
  – Dynamic devices and services moving in and out of networks
• No centralised control, possibly no ownership of devices
• How can the perimeter model of policy enforcement be adapted to cope?

Page 5

Alternatives to Perimeter Security

• Security on every device
  – May not be appropriate on low power devices
  – Often not necessary
• Distributed security
  – A good solution
  – Can be difficult to design and deploy such solutions
• Dynamic boundaries
  – Need a process for establishing where the boundaries lie
  – Must dynamically update security

Page 6

Dynamic Boundaries

• As devices join and leave, we need a way to dynamically re-establish the boundary through remote analysis

Page 7

Component Composition

• In systems without clear boundaries, component composition may be a way to ensure security
  – Analyse interaction between devices
  – Ensure that interactions do not affect security
• For example
  – Buffer overrun checking based on interaction between pairs of nodes
  – Access control by following data flow through components
  – Composable Assurance
    – Certain properties can be assured in a complete system if they can be shown to hold at the boundaries
    – Shi and Zhang, “An Effective Model for Composition of Secure Systems,” Journal of Systems and Software, 43(3), 1998

Page 8

Application of Component Composition

• Composition properties combine
  – Properties of individual components
  – The interaction between components (the component topology)
• We can therefore use component composition results in two ways
  – Boundary analysis is a composition property
  – Dynamic boundary analysis can allow further properties to be applied to systems
• Boundary analysis as a simple composition property
  – Nodes identified with the property of being internal
  – Analyse the topology to establish the boundary based on
    – internal – internal links
    – internal – external links
• Having analysed the boundary, we can consider other security properties

Page 9

Analysis Implementation

• Use the MATTS composition tool
  – Allows composition of systems based on
    – Simulated components
    – Interacting agents
    – Networked Appliance service architecture
• Analyse composition structure using a script
• Presently uses a combination of
  – Certification
  – Formal analysis
  – Topology analysis

Page 10

Framework

• Undertaken in two phases
  – Instrumentation
    – Establish the dependencies between components
    – Relates to the movement of data
  – Composition analysis
    – Establish properties of the composed system based on the dependencies
    – May require properties of individual components to be established to complete the composition analysis

Page 11

Composition Analysis

• Analyse a system based on its dependencies
  – Undertaken whenever the dependencies change
  – Result determines whether the security property is satisfied or not
  – Combined with a specific security property, this establishes whether a particular composed system is safe
• How is this undertaken? Analysis is directed by a script
  – Simple XML language script
  – Each script designed for a particular property

Page 12

Composition Script

• What does the script actually do?
  – Script describes a set of satisfying topologies
  – Applied to the composition structure to determine whether the topology satisfies it or not
• For example
  – Binary trees
  – Structures without cycles/loops
  – Can depend on the properties of individual components
• Script engine maintains two positions
  – Current position in script
  – Current position in dependency digraph
• We require the dependency digraph to do this

Page 13

Boundary Analysis Script

[Diagram of the boundary analysis script flow: Set up script → Negotiate structure → External link and not encrypted?]

Page 14

Encrypting External Links

• The script traverses the component structure
• For links from internal to internal nodes
  – No checks are performed
  – The traversal continues along the next link from the internal node
• For links from internal to external nodes
  – The properties of the link are tested
  – If the link is not encrypted, the script fails
  – The traversal continues along the next link from the internal node
• Links from internal nodes are followed, but not those from external nodes
• All links that are not internal must be encrypted
• The analysis must be performed each time the topology changes

Page 15

Resolving Failures

• The script is used to identify failures of the security policy
• It can also be used to resolve the failures
  – At failure, the problematic link can be identified
  – Generate new encryption service via software factory
  – Place within network between the offending components
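The traversal rules on the "Encrypting External Links" slide, the resolution step on this slide, and the "structures without cycles" topology predicate from the "Composition Script" slide, worked through as an added Python example. This is not the MATTS tool or the authors' XML script; the node property name `internal`, the link property name `encrypted`, the `EncryptionService` naming and the sample device topology are all constructed for the example.

```python
"""Dynamic boundary analysis over a component dependency digraph.

Added example; not the MATTS tool. Property names ("internal", "encrypted")
and the EncryptionService factory naming are assumptions for illustration.
"""


class Topology:
    """Directed dependency graph: nodes carry properties, links carry properties."""

    def __init__(self):
        self.nodes = {}   # node name -> dict of node properties
        self.links = {}   # source name -> {destination name: dict of link properties}

    def add_node(self, name, internal):
        self.nodes[name] = {"internal": internal}
        self.links.setdefault(name, {})

    def add_link(self, src, dst, encrypted=False):
        self.links.setdefault(src, {})[dst] = {"encrypted": encrypted}

    def is_internal(self, name):
        return self.nodes[name]["internal"]


def boundary_analysis(topo):
    """Depth-first traversal starting from every internal node.

    Returns (boundary, failures). boundary lists the internal -> external links
    found, i.e. the dynamically established perimeter; failures is the subset
    of those links that are not encrypted. Links leaving external nodes are
    never followed. Cost is one visit per node and one test per link.
    """
    boundary, failures, visited = [], [], set()
    stack = [n for n in topo.nodes if topo.is_internal(n)]
    while stack:
        node = stack.pop()
        if node in visited:
            continue
        visited.add(node)
        for dst, props in topo.links.get(node, {}).items():
            if topo.is_internal(dst):
                stack.append(dst)            # internal -> internal: no check, keep going
            else:
                boundary.append((node, dst))  # internal -> external: test the link
                if not props["encrypted"]:
                    failures.append((node, dst))
                # the external node's own outgoing links are not followed
    return boundary, failures


def resolve_failures(topo, factory=lambda i: f"EncryptionService{i}"):
    """Interpose an encrypting service on every failing link.

    For a failing link A -> B the plaintext link is removed and replaced by
    A -> E (internal, unchecked) and E -> B (external, encrypted), where E is
    produced by the factory. Returns the names of the services inserted.
    """
    _, failures = boundary_analysis(topo)
    inserted = []
    for i, (src, dst) in enumerate(failures):
        svc = factory(i)
        topo.add_node(svc, internal=True)
        del topo.links[src][dst]
        topo.add_link(src, svc, encrypted=False)
        topo.add_link(svc, dst, encrypted=True)
        inserted.append(svc)
    return inserted


def is_acyclic(topo):
    """A second satisfying-topology predicate: reject dependency structures
    containing a cycle (iterative depth-first search with three colours)."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in topo.nodes}
    for start in topo.nodes:
        if colour[start] != WHITE:
            continue
        colour[start] = GREY
        stack = [(start, iter(topo.links.get(start, {})))]
        while stack:
            node, children = stack[-1]
            nxt = next(children, None)
            if nxt is None:
                colour[node] = BLACK
                stack.pop()
            elif colour[nxt] == GREY:
                return False                  # back edge: a loop in the dependencies
            elif colour[nxt] == WHITE:
                colour[nxt] = GREY
                stack.append((nxt, iter(topo.links.get(nxt, {}))))
    return True


def sample_topology():
    """Constructed example: three internal devices and two external ones."""
    t = Topology()
    for name in ("sensor", "gateway", "controller"):
        t.add_node(name, internal=True)
    for name in ("cloud_api", "guest_phone"):
        t.add_node(name, internal=False)
    t.add_link("sensor", "gateway")                       # internal -> internal
    t.add_link("gateway", "controller")                   # internal -> internal
    t.add_link("gateway", "cloud_api", encrypted=True)    # boundary link, encrypted
    t.add_link("controller", "guest_phone")               # boundary link, plaintext: fails
    t.add_link("guest_phone", "sensor")                   # external -> internal: not followed
    return t


if __name__ == "__main__":
    topo = sample_topology()
    print("boundary:", boundary_analysis(topo)[0])
    print("failures:", boundary_analysis(topo)[1])
    print("inserted:", resolve_failures(topo))
    print("failures after resolution:", boundary_analysis(topo)[1])
    print("acyclic:", is_acyclic(topo))
```

Because the analysis is re-run from scratch each time `resolve_failures` changes the graph, the example mirrors the slide's requirement that the check be repeated whenever the topology changes; the sample deliberately contains a loop through the external node so that the acyclicity script rejects it even after the encryption failure has been fixed.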

Page 16

Complexity

• Node traversal

• Encryption checking

• Combined

• The algorithm is dominated by the depth first traversal of the nodes

Page 17

Simulation Timings

Page 18

Conclusions and Future Work

• Perimeter model is currently very successful
• Future changes may make it less applicable
• Dynamic boundary analysis may provide an interim measure
  – Achieved through component composition analysis
  – Used to enforce component composition results
• Aim to apply the technique to a Networked Appliance scenario
• Create specific security enforcement cases