UCDavis SecLab MURI, October 2002
Issues in the Verification of Systems
Tao Song, Jim Alves-Foss, Karl Levitt
Computer Security Lab
Computer Science Department
University of California, Davis
Index
– Background of verification
– Security of systems
– Verification of systems
Background of verification
What is verification?
– Existing artifact
– Formalization
– Mathematical proof
Background of verification
Usage of verification
– Hardware verification, e.g. ACL2 <-> AMD K5 chipset
– Protocol verification, e.g. SMV <-> security protocol
– System verification, e.g. ACL <-> Kit
Background of verification
Why verification?
– Complexity of today's systems
– Increasing error costs
– Commonality in reasoning frameworks
Background of verification
Formal methods in verification
– Theorem provers, e.g. HOL, PVS, Coq, and ACL2
– Model checkers, e.g. COSPAN, SPIN, Mocha and SMV
Security of systems
Basic concepts of security
– Security policy and mechanism
– Specifications, e.g. the specification of the program finger
– Assumptions
Security of systems
Example: Specification of the program ftpd

```
SPEC in.ftpd (<?, ?, in.ftpd, ?, OPS1>)
SE: <prog>
<prog> -> <validop>*;
<validop> -> (OPEN_RD, WorldReadable($F.mode))
           | (OPEN_RD, CreatedByProc($P.pid, &$F))
           | (OPEN_RD, $F.ouid == $S.uid)
           | (OPEN_WR, CreatedByProc($P.pid, &$F))
           | (OPEN_WR, $F.path == "/var/log/wtmp")
           | (CHMOD, CreatedByProc($P.pid, &$F))
           | (CHOWN, CreatedByProc($P.pid, &$F))
           | (EXEC, $path == "/bin/tar" || $path == "/bin/compress" || $path == "/bin/ls" || $path == "/bin/gzip")
           | ...
```
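The following Python monitor is an added example and is not code from the slides or from the SecLab specification language. It checks an audit trail of in.ftpd operations against the `<validop>` alternatives above: an operation is accepted when at least one alternative admits it, and every other operation is reported as a specification violation. The audit-record layout (`FileObj`, `Subject`), the `created` bookkeeping that stands in for `CreatedByProc`, and the sample trace are assumptions made for this example.

```python
"""Specification-based monitor for in.ftpd (added example, not the slides' code).

Each audit record (operation, file object) is checked against the <validop>
alternatives of the ftpd specification; records matched by no alternative are
reported. Record layout and helper predicates are assumptions of this example.
"""
from dataclasses import dataclass, field


@dataclass
class FileObj:            # $F on the slide
    path: str
    mode: int             # permission bits
    ouid: int             # owner uid


@dataclass
class Subject:            # the in.ftpd process ($S / $P on the slide)
    uid: int
    pid: int
    created: set = field(default_factory=set)   # paths this process created


def world_readable(s, f):
    return f.mode & 0o004 != 0


def created_by_proc(s, f):
    # CreatedByProc($P.pid, &$F): the monitor records what the process created
    return f.path in s.created


def owned_by_subject(s, f):
    return f.ouid == s.uid          # $F.ouid == $S.uid


ALLOWED_EXEC = {"/bin/tar", "/bin/compress", "/bin/ls", "/bin/gzip"}

# <validop> alternatives, one predicate per (operation, condition) pair
VALID_OPS = {
    "OPEN_RD": [world_readable, created_by_proc, owned_by_subject],
    "OPEN_WR": [created_by_proc, lambda s, f: f.path == "/var/log/wtmp"],
    "CHMOD":   [created_by_proc],
    "CHOWN":   [created_by_proc],
    "EXEC":    [lambda s, f: f.path in ALLOWED_EXEC],
}


def valid_op(subject, op, f):
    """True when some <validop> alternative admits this operation."""
    return any(cond(subject, f) for cond in VALID_OPS.get(op, []))


def monitor(subject, trace):
    """Return the (op, path) pairs of the trace that violate the specification."""
    return [(op, f.path) for op, f in trace if not valid_op(subject, op, f)]


def sample_violations():
    """Constructed audit trail: four valid operations and three violations."""
    ftpd = Subject(uid=14, pid=1234, created={"/tmp/ftp.1234"})
    trace = [
        ("OPEN_RD", FileObj("/etc/passwd", 0o644, 0)),      # world-readable: valid
        ("OPEN_RD", FileObj("/tmp/ftp.1234", 0o600, 14)),   # created by the process: valid
        ("OPEN_WR", FileObj("/var/log/wtmp", 0o664, 0)),    # explicitly allowed path: valid
        ("EXEC",    FileObj("/bin/ls", 0o755, 0)),          # allowed program: valid
        ("OPEN_RD", FileObj("/etc/shadow", 0o600, 0)),      # no alternative admits this read
        ("OPEN_WR", FileObj("/etc/passwd", 0o644, 0)),      # not created by ftpd, not wtmp
        ("EXEC",    FileObj("/bin/sh", 0o755, 0)),          # not in the allowed list
        ("CHOWN",   FileObj("/tmp/ftp.1234", 0o600, 14)),   # created by the process: valid
    ]
    return monitor(ftpd, trace)


if __name__ == "__main__":
    for op, path in sample_violations():
        print(f"violation: {op} {path}")
```

The predicates are evaluated per record with no history except the `created` set, which is exactly the state the `CreatedByProc` condition needs; everything else the specification refers to is an attribute of the process or the file object at the time of the call.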
Security of systems
[Figure: hierarchical model of system. Labels in the diagram: System, System Calls, Programs and Network Protocols, Specifications for Programs and Protocols, Valid Operations of Specifications, Security Policy.]
Security of systems
Important issues of systems
– Access control: access triple (uid, pid, fid)
– Setuid programs, e.g. passwd, ftpd, sendmail, etc.
– System calls; important system calls: open, chown, execve, symlink, chmod, fork, etc.
Security of systems
Hard issues in building a model of the security of systems
– Define the security policy
– Describe behaviors of systems
– Classify objects of systems
– Prove security
System verification
An idea of the system verification
– Use specifications to monitor systems
– Formalize behaviors of systems according to specifications
– Formalize security policy and assumptions
– Formal proof of security
System verification
Approach of the system
– Using specifications to monitor the behavior of privileged programs
– Using ACL2 to formalize and prove security features of systems
System verification
[Figure: specification model. Layers: Applications; Host Programs and Network Protocols; System Services; System-wide Top Level. Specification aspects: Operational Integrity, Resource Usage, Access, Data Integrity, Temporal/Interaction.]
System verification
[Figure: specification for ARP (Address Resolution Protocol), drawn as a state machine with states i, reply_wait and cached; transitions on ARP Request, ARP Response and ARP cache timeout; alarms for Unsolicited ARP Response, Bogus ARP Response and Malformed Request.]
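As an added example (not the slides' specification code), the ARP state machine above can be turned into a per-address monitor: each remote IP moves from i to reply_wait when this host sends a request, to cached when the matching response arrives, and back to i when the cache entry times out; responses that arrive in the wrong state raise the alarms named in the figure. The packet record layout, the tick-based timeout, the MAC-format check used for "malformed", and the treatment of a repeated identical response as a refresh are assumptions of this example.

```python
"""Per-IP ARP monitor state machine (added example, not the slides' code).

States follow the slide: i (no entry), reply_wait (request sent), cached.
Packet fields, the tick-based timeout and the well-formedness check are
assumptions made for this example.
"""
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
CACHE_TIMEOUT = 5     # ticks until a cached entry expires (assumption)


@dataclass
class Arp:
    op: str           # "request" or "response"
    sender_ip: str
    sender_mac: str
    target_ip: str
    direction: str    # "out": sent by the monitored host, "in": received by it


class ArpMonitor:
    """One state machine per remote IP: i -> reply_wait -> cached -> i."""

    def __init__(self):
        self.state = {}     # ip -> [state, cached_mac, age]
        self.alarms = []    # (alarm name, ip) in the order raised

    def _entry(self, ip):
        return self.state.setdefault(ip, ["i", None, 0])

    def _well_formed(self, pkt):
        return (pkt.op in ("request", "response")
                and bool(pkt.sender_ip) and bool(pkt.target_ip)
                and MAC_RE.match(pkt.sender_mac) is not None)

    def observe(self, pkt):
        if not self._well_formed(pkt):
            name = "Malformed Request" if pkt.op == "request" else "Malformed Response"
            self.alarms.append((name, pkt.sender_ip))
            return
        if pkt.op == "request" and pkt.direction == "out":
            # this host asked for target_ip: wait for exactly that reply
            self.state[pkt.target_ip] = ["reply_wait", None, 0]
        elif pkt.op == "response" and pkt.direction == "in":
            entry = self._entry(pkt.sender_ip)
            st, mac, _ = entry
            if st == "reply_wait":
                entry[:] = ["cached", pkt.sender_mac, 0]
            elif st == "cached" and mac != pkt.sender_mac:
                self.alarms.append(("Bogus ARP Response", pkt.sender_ip))
            elif st == "cached":
                entry[2] = 0        # same binding re-announced: refresh (assumption)
            else:
                self.alarms.append(("Unsolicited ARP Response", pkt.sender_ip))

    def tick(self):
        """Advance time by one tick; cached entries expire after CACHE_TIMEOUT."""
        for entry in self.state.values():
            entry[2] += 1
            if entry[0] == "cached" and entry[2] >= CACHE_TIMEOUT:
                entry[:] = ["i", None, 0]       # ARP cache timeout


def sample_run():
    """Constructed packet sequence: one normal exchange followed by three anomalies."""
    m = ArpMonitor()
    m.observe(Arp("request", "10.0.0.1", "aa:aa:aa:aa:aa:aa", "10.0.0.2", "out"))
    m.observe(Arp("response", "10.0.0.2", "bb:bb:bb:bb:bb:bb", "10.0.0.1", "in"))  # cached
    m.observe(Arp("response", "10.0.0.2", "cc:cc:cc:cc:cc:cc", "10.0.0.1", "in"))  # bogus
    m.observe(Arp("response", "10.0.0.9", "dd:dd:dd:dd:dd:dd", "10.0.0.1", "in"))  # unsolicited
    m.observe(Arp("request", "10.0.0.3", "not-a-mac", "10.0.0.1", "in"))           # malformed
    for _ in range(CACHE_TIMEOUT):
        m.tick()
    return m.alarms, m.state["10.0.0.2"][0]


if __name__ == "__main__":
    alarms, final_state = sample_run()
    print(alarms, final_state)
```

Keeping the automaton per remote IP is what makes the "bogus" and "unsolicited" distinctions possible: the monitor can only call a response unexpected if it remembers whether it asked, and for which address.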
Other Protocol Specifications
– Domain Name System (DNS)
– Network File System (NFS)
– Distributed Host Configuration Protocol (DHCP)
– TCP
– FTP
– RIP routing protocol
– OSPF routing protocol
System verification
Requirements of verification
– Formal statements of security policy
– Formal statements of specifications of privileged programs and protocols
– Formal statements of assumptions
System verification
Formal statements of security policy

```lisp
;; The slide's pseudocode written as an ACL2 definition; the policy takes the
;; process and file it judges as parameters.
(defun policy (pid fid)
  (and (policy_read pid fid)
       (policy_write pid fid)
       (policy_create pid fid)
       (policy_exec pid fid)
       ;; ...
       ))
```
System verification
Formal statements of security policy

```lisp
(defun policy_read (pid fid)
  (or (IsRoot pid)          ; user id of the process is root
      (Readable pid fid)    ; the file is readable by the process
      (WorldReadable fid)
      ;; ...
      ))
```
System verification
Formal statements of specifications

```lisp
(defun spec (pid fid)
  (and (spec_standard pid fid)   ; standard specification of programs
       (spec_passwd pid fid)     ; specification of the program passwd
       ;; ...
       (spec_ARP)                ; specification of the ARP protocol
       ;; ...
       ))
```
System verification
Formal statements of specifications

```lisp
(defun spec_chage (pid fid)
  (and (WorldReadable fid)
       (WriteInPath fid "/var/spool/at/.SEQ")
       (CreatedByProc chmod pid fid)
       ;; ...
       ))
```
System verification
Formal statements of assumptions

```lisp
(defun assumption ()
  (and (assum_sys_1)       ; assumptions about the system
       (assum_sys_2)
       ;; ...
       (assum_verify_1)    ; assumptions made by the verification itself
       (assum_verify_2)
       ;; ...
       ))
```
System verification
An example of assumptions

```lisp
;; The slide writes the field as pid.setuid; here it is an accessor (setuid pid).
(defun assum_sys_n (pid)
  (implies (= (setuid pid) 0)
           t))
```
System verification
Prototype of verification

```lisp
;; The security theorem: under the assumptions, any behaviour the
;; specifications admit satisfies the policy.
(defthm verify
  (implies (and (assumption)
                (spec pid fid))
           (policy pid fid)))
```
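The theorem `(assumption ∧ spec) ⇒ policy` is what the deck proposes to prove in ACL2. As an added example (not the slides' ACL2 code and not a proof), the Python below does the bounded version of the same check: it enumerates a small finite model of (process, file) states and reports every state in which the specification admits an OPEN_RD but `policy_read` denies it. It uses the predicate names from the slides (`IsRoot`, `Readable`, `WorldReadable`, `CreatedByProc`) over the in.ftpd read alternatives; the state fields, the mode bits, the uid set and the assumption `assum_sys` are assumptions of this example. It also shows why the assumption matters: the `$F.ouid == $S.uid` alternative alone has a counterexample, and the refined `spec_read_v2` closes it.

```python
"""Bounded check of (assumption and spec) => policy (added example, not the
slides' ACL2 code). Enumerates a finite model of (process, file) states and
returns the states where the spec admits OPEN_RD but policy_read denies it.
State fields, uid/mode sets and assum_sys are assumptions of this example.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Proc:
    uid: int              # effective uid of the process
    created_file: bool    # whether the process created the file (CreatedByProc)


@dataclass(frozen=True)
class File:
    ouid: int             # owner uid
    mode: int             # permission bits


# --- policy_read, as on the slides ---
def IsRoot(p):
    return p.uid == 0


def WorldReadable(f):
    return f.mode & 0o004 != 0


def Readable(p, f):
    # the owner may read the file only if the owner read bit is set
    return p.uid == f.ouid and f.mode & 0o400 != 0


def policy_read(p, f):
    return IsRoot(p) or Readable(p, f) or WorldReadable(f)


# --- specification of valid OPEN_RD operations (in.ftpd alternatives) ---
def CreatedByProc(p, f):
    return p.created_file


def spec_read_v1(p, f):
    # literal reading of the slide: WorldReadable | CreatedByProc | $F.ouid == $S.uid
    return WorldReadable(f) or CreatedByProc(p, f) or f.ouid == p.uid


def spec_read_v2(p, f):
    # refined: owning the file counts only if the owner read bit is set
    return WorldReadable(f) or CreatedByProc(p, f) or Readable(p, f)


# --- assumption about the system ---
def assum_sys(p, f):
    # a file a process created is owned by it and owner-readable (assumption)
    return (not p.created_file) or (f.ouid == p.uid and f.mode & 0o400 != 0)


def no_assumption(p, f):
    return True


def verify(spec, assumption):
    """Counterexamples: states where assumption and spec hold but policy_read fails."""
    uids = (0, 1000, 1001)
    modes = (0o000, 0o400, 0o404, 0o600, 0o644)
    counterexamples = []
    for uid, created, ouid, mode in product(uids, (False, True), uids, modes):
        p, f = Proc(uid, created), File(ouid, mode)
        if assumption(p, f) and spec(p, f) and not policy_read(p, f):
            counterexamples.append((p, f))
    return counterexamples


if __name__ == "__main__":
    for name, spec in (("v1", spec_read_v1), ("v2", spec_read_v2)):
        for p, f in verify(spec, assum_sys):
            print(f"{name}: spec admits read but policy denies: {p} {f}")
```

The counterexamples for `spec_read_v1` are exactly the states where a non-root process owns a file whose mode has neither the owner nor the world read bit: the specification accepts the read because of ownership, but `policy_read` has no clause that does. A theorem prover would stop on the same state; the refinement in `spec_read_v2` (or an extra assumption ruling those files out) is the kind of change the deck's "refine formal statements of specifications" step refers to.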
System verification
Ongoing work
– Build a security model of a system: classify the subjects, objects and operations; define security states and state transitions; extend the model to cover network protocols
– Automatic verification: analyze the assumptions behind the security of a system; refine formal statements of specifications
Thank you