building secure distributed systems the cif model : component information flow lilia sfaxi dcs days...

Building Secure Distributed Systems

The CIF model : Component Information Flow

Lilia SfaxiDCS Days -

26/03/2009

Context and Contribution2

Context Building secure distributed systems

Needed expertise in systems and security Needed expertise in cryptography

Difficulty of dynamic reconfiguration without breaking the security properties of the system

Necessity of high level tools Programming abstractions Automatic code generation Verification of the generated code

Context and Contribution3

Contribution High-level model : CIF (Component Information

Flow) System architecture description : component-based

model Security annotations

Transformation tools : Verification of the security properties System code generation

Models and languages Component-based model : Fractal Security-typed programming language : JIF Architecture Description Language : ADL (XML-

based)

Outline

CIF Specification System representation System security : Inter and Intra component

CIF Transformation CIF ADL ADL Generation Code Generation

Case study : The battleship game Conclusion and Future Work

4

Outline




5

System : assembly of components explicitly bound, with ports used to send and receive data

Each component is configurable : attribution of labels to : The attributes The ports

6

CIF Specification System Representation

{L3}

{L1}

{L3'}

Labels

Use of Labels : pair of : Confidentiality policies Integrity policies

All the policies must be obeyed Relation at most as restrictive as (⊑)

Construction of a security lattice

As data flows through the system, its labels only become more restrictive !

7

less restrictive

more restrictive

CIF Specification System Security

In CIF, needed security policies must be guaranteed at two levels Intra-component Inter-component

Inter-component Ports annotation

Intra-component Secure component code

8

CIF SpecificationInter-component Security

Associating a label to a port : impose a security restriction to the request

or response A binding is permitted iff L(client) ⊑ L(server) Example :

Confidentiality : Integrity : C1 : I want the message to keep the conf. at least C C1 : I guarantee that the

integrity level is I

C2 : I consider that the message received has C2 : I want the message to have at least

the label C' the integrity I'

9

P' {C'; I'}

C2P {C; I}

C1

CIF SpecificationIntra-component Security

10

Annotation of ports and attributes of a component

Verification of component code Preservation of confidentiality and integrity

of annotated elements Non-interferent data flow

Non-interference : "The low level users should not be able to deduce

anything about high level user’s activity" Foccardi et al.

"Low-security behavior of the program is not affected by any high-security data.” Goguen & Messeguer 1982

Outline




11

12

CIF TransformationImplementation of the CIF Spec.

P2 {C2; I2}

C2P1 {C1; I1}

C1

P2

C2P1

C1 crypt sign verify decrypt

C'1 C'2

TC1 TC2

ADL : Architecture Description Language XML-based Functional part

Architecture of the system : components & bindings Location of the component code

Security part Security labels of attributes & ports

<definition name="C1"><port name="start" role="server"

signature="src.security.StartItf" label=""/>

<port name="send" role="client" signature="src.security.SendItf" label="L"/>

<content class="src.security.C1Impl"/></definition>

13

C1start{} send{L}

CIF ADLArchitecture Description

14

CIF TransformationADL Generation

P2 {C2; I2}

C2P1 {C1; I1}

C1

P2

C2

P1

C1 crypt sign verify decrypt

ADL Transform : removing the annotations Implementation :

Confidentiality : asymmetric encryption Integrity : signature

Assumptions : Keys distributed safely Communication channels untrusted

Generation of cryptographic components : Creation of crypt, sign, verify and decrypt components Creation of top components containing

The main component (server or client) The security components (crypt & sign or verify & decrypt)

Connecting the top components with low level bindings

15

CIF TransformationCode Generation

C1

C'1

Guarantee the non-interference property for one component

Depending on the component code Implemented in a security-typed language (exp : JIF)

Type checking Implemented in an imperative language

Propagation of the attributes' and methods' labels Propagation of the label

Check the use of component parameters and port messages Check the information flow : non-interferent? Controller

Called when secret information leaks Decides whether to declassify the information or to throw an

exception If the label is propagated without exceptions, component

non-interferent!

Outline




16

17

Case StudyThe Battleship Game

1 coordinator and 2 players (at least) Each player has a secret board with a fixed number of ships Each player tries to guess the opponent's ships coordinates :

the winner is the first player who finds the n ships of the opponent

The coordinator keeps a copy of the players' boards & controls the message exchange

18

Case StudyThe Battleship Game : Inter-component security

cryptsign

verify decrypt

mm

Ɛ(m,pub(coord))S(Ɛ(m,pub(coord)))

Ɛ(m,pub(coord))

m

19

Case StudyThe Battleship Game : Intra-component security

public class Player {private Board board;public void setBoard(Board board) {

this.board = board;}public void init(int nbShips) {

int numCovered = 0;for (int j = 1; j < nbShips+1 ; j++){

numCovered += j;}final Ship[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true),

new Ship(new Coordinate(1, 3), 2, false), };Board myBoard = new Board();int i = 0;for (int count = numCovered; count > 0 && myBoard != null;) {

try {Ship newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {

newPiece = new Ship(newPiece.pos, count,newPiece.isHorizontal);}myBoard.addShip(newPiece);count -= (newPiece == null ? 0 : newPiece.length);

} catch (ArrayIndexOutOfBoundsException ignored) {} catch (IllegalArgumentException ignored) {}

}setBoard (myBoard);

}}

20


public class Player {private Board {P1->C;P1<-C} board;public void setBoard(Board board) {









}}

21


public class Player {private Board{P1->C;P1<-C} board;public void setBoard(Board{P1->C;P1<-C} board) {









}}

22


public class Player {private Board {P1->C;P1<-C} board;public void setBoard(Board{P1->C;P1<-C} board) {




new Ship(new Coordinate(1, 3), 2, false), };Board{P1->C;P1<-C} myBoard = new Board();int i = 0;for (int count = numCovered; count > 0 && myBoard != null;) {





}}

23







try {Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {




}}

24





numCovered += j;}final Ship{P1->C;P1<-C}[] myCunningStrategy = { new Ship(new Coordinate(1, 1), 1, true),


try {Ship{P1->C;P1<-C} newPiece = myCunningStrategy[i++];if (newPiece != null && newPiece.length > count) {




}}

Outline




25

26

Conclusion

CIF Component-based model Builds distributed systems secure by construction

User specifies security requirements At a high level of abstraction Association of labels to attributes and ports of the

component Tools to automate security implementation

Inside a component : Generation of JIF code

Between components Insertion of cryptographic components

27

Future Work

Key distribution Secure deployment Safe reconfiguration Privacy

Thank you for your attention

Lilia SfaxiDCS Days -

26/03/2009

building secure distributed systems the cif model : component information flow lilia sfaxi dcs days...

Documents

component security

cif model

security policies

security lattice

security restriction

component ports annotation

highsecurity data

restrictive slide