DAME Dependability and Security Study: Progress Report
Howard Chivers
University of York
Practical Security for e-Science Projects, 25 November 2003
This talk presents my personal perspective, not the considered view of the project or any of its partners.
But credit and thanks must go to busy developers and industrial partners who have been consistently helpful and generous with their time, and to Martyn Fletcher who is the primary author for study deliverables.
Contents
DAME Introduction
The Method: Dependability and Security
Stage One: System Context
Stage Two: Asset Analysis
Summary
DAME
(Diagram: engine flight data shared over the Grid between the airline office, the maintenance centre, London Airport, New York Airport, and the European and American data centres.)
Project Aims
Develop a Grid-enabled diagnostic system
Demonstrate this on the Rolls-Royce AeroEngine diagnostics problem
– A Diagnostic Grid
– Grid management tools for unstructured data
– A practical application demonstrator
Develop the understanding needed for industrial deployment:
– Grid middleware and application/services layer integration
– Scalability and deployment options
– Security and dependability issues
Challenges
Support on-line diagnostic workflow in real time
Deal with the data from 1000s of engines in operation
Prove distributed pattern matching methodology
Address customer concerns about grids, including scalability & security
Demonstrate the business case for the technology
Why use a grid?
Implementing a distributed, integrated workflow has considerable potential customer value
The workflow requires collaboration between multiple stakeholders
An integrated business process is needed to provide evidence for any diagnosis, and traceability to subsequent action
The data is high volume, and is distributed between stakeholders' sites (e.g. maintenance, factory, airports)
The variable computing load makes resource sharing attractive for some processes
DAME – Project Partners
Universities:
– University of York
– University of Sheffield
– University of Oxford
– University of Leeds
Industrial:
– Rolls-Royce Aeroengines
– Data Systems and Solutions
– Cybula
Infrastructure:
– White Rose Grid
– National e-Science Support Centre
Developers
(Architecture diagram of the DAME services deployed on the White Rose Grid (WRG), GT3/GT2:)
– Leeds, Grid Middleware Services: Sign-on Portal; SDM Database; Workflow (browser-based workflow tool, compliant with Resource Broker); Resource Broker (GT2 service, schedules workflow tasks on WRG resources).
– Sheffield, Modeling & Decision Support: CBRAnalysis-G (GT3 service, CBR advisor); EngineModel-G (GT3 service, BD25 engine model wrapped as a Grid Service); XTO-G (GT3 service, XTO plug-ins via a Grid Service); DataVisualiser (GT3 service, JChart viewer for viewing XTO output).
– Oxford, Engine Data Store: Engine Data Database.
– York, Data Mining Services: AURA-G (database); DataStore-G (GT3 service, simulates arrival and storage of QUOTE data); Zmod Viewer (GT3 service, browser-based data viewer for zmod files); Zmod data search facility (GT3 service); Collaboration tools (GT3 service, toolset for multi-user collaboration).
– DAME workbench: Security (GT3 security service, proxy management); DAME GUI (GT3 service, browser-based GUI to DAME services).
Purpose of the Study
Provide analysis to enable ultimate deployment of DAME in the engine domain.
Provide analysis as a basis for deployment in other domains.
Contribute to Grid community research in dependability and security.
Dependability and Security
Attributes:
– Reliability
– Safety
– Maintainability
– Security (Confidentiality, Integrity, Availability)
Attributes have varying significance in different systems.
Security (Risk) Analysis
Focus on risk to the overall business process
Process (see previous talk by Jonathan Moffett)
– Define system context:
» Boundary / actors / assets / external assumptions.
– Analyse assets:
» Identify impact / threat for each.
– Attackers' perspective.
– Vulnerabilities.
» Identify likelihood.
From matrix, identify unacceptable deployment risks, example:
– High impact and high likelihood need to be reduced.
Security (Risk) Analysis
(Diagram: System Context (system boundary, actors, assets, external assumptions) feeds Asset Analysis (attackers' perspective, vulnerabilities, threats), which populates a likelihood versus impact matrix with L/M/H on each axis.)
Dependability Analysis
High level analysis for complex systems developed at York is rooted in the need for safety cases of layered systems.
(Diagram: layered view of a distributed hardware infrastructure, a distributed middleware infrastructure and distributed services (Service 0 ... Service N); the component under analysis is examined at an analysis interface.)
High level Analysis of a Complex System
Focuses on infrastructure.
Approach at York (based on FMEA - Failure Modes and Effects Analysis + SHARD - Software Hazard Analysis and Resolution in Design):
– Define high level functions at specified interface.
– Apply guidewords (omission, commission etc.) – undesirable situations.
– Cause.
– Effect.
– Derived requirements - to prevent / mitigate.
Satisfy derived requirements to provide dependability.
Choice of method
Approaches have complementary strengths
In combination:
– Use security risk analysis to establish whole-system issues
– Use 'high level analysis' to deal with non-security attributes, and provide infrastructure vulnerabilities into the main risk analysis
– Combined study minimises project cost and customer involvement
Take advantage of other sources of vulnerability information
Observations
The security risk method provides a useful overall framework.
.. but in many projects a wider set of attributes will be needed.
Using both forms of analysis explicitly deals with the flexible deployment of applications envisaged in the grid.
.. but it remains to be seen if the interface requirements between applications and infrastructure are mature enough to allow dependability analysis.
Context
(Diagram: the risk analysis overview from the earlier slide, repeated to introduce the System Context stage.)
System Context
System Context document (DAME/York/TR/03.007)
– Business process.
– System boundary.
– Actors (primary and supporting).
– Assets (service and data).
– Service interactions.
– External assumptions.
Purpose:
– Provides a concise reference – allows stakeholders to agree on a description of the system.
– Identifies Assets: Services and Data
» .. but not hardware?
Actors & System Context
(Use-case diagram of the Distributed Aircraft Maintenance Environment (DAME):)
– Locations: Airline / Maintenance Contractor (at Airport); Engine Maintenance Repair and Overhaul (MRO) Facility (RR / Contractor); Engine Manufacturer (RR); Data Center (DS&S); Remote / Distributed Tools and Services.
– Actors: Maintenance Engineer (ME); Domain Expert (DE) - engine expert; Maintenance Analyst (MA) - maintenance expert; Ground Support System; Engine Data Center (EDC) - DS&S; Service Data Manager (SDM) including Workscope Generator - RR; Miscellaneous Providers.
– Use cases: Download Engine Data; Upload Engine Data; Local Diagnosis; DAME Diagnosis; Perform Inspections; Perform Minor Repair; Investigate using tools; Provide Diagnosis / Prognosis / Advice; Request advice from MA; Request advice from DE; Remove engine and dispatch for major overhaul; Return overhauled engine to service; Update Engine Record(s).
– Flows between actors: information / request for advice.
Service Assets
(Class diagram of the service assets and their interactions:)
– Services: AURA-G; CBRAnalysis-G; EngineModel-G; SDM-G; EngineDataStore-G; XTO-G; QUOTE / GSS; Portal - Collaboration Environment; DataBaseMiner-G; EngineDataCenter; WorkflowManager; Chart-G; CBRWorkflowAdvisor-G; ZModViewer-G; Encoder-G; ArrivalNotification; RoleDatabase; MyProxy.
– Relationships shown: gets SDM Record(s) from; gets EDR from; extracts orders using; gets extracted orders; diagnoses fault using; searches for clusters using; searches for patterns using; visualises engine data using; models engine using; stores Engine Data Record in; stores / retrieves DAME results, annotations, etc.; gets Workflow Advice.
– Labelled data flows: EncodedZmodDataFeature; ClusterData.
– Note on the diagram: the EDC contains various independent tools and facilities - only the EngineDataStore is shown here.
Data Assets
(Class diagram of the data assets:)
– EngineFlight; SDMRecord; FlightEvent; Airframe; EngineDataRecord; QUOTEFeatureResult; WorkflowRecord; EngineModelResult; AURAResult; ZmodViewerResult; ChartResult; CBRResult; XTOFeatureResult; AURAEncodedData; SuggestedWorkflow; Annotations; TrackedOrder; CBRRuleSet; WorkFlowRuleSet; WorkflowRule; Case; RoleUser; UserRole; UserView; EncodedData.
– Attributes visible on the diagram: distinguishedName; deadline; status; userStatus[3]; processPerformance; inputParamSet.
Service & Data co-deployment
(Diagram: the CBRAnalyser service with its Get Maintenance Data interaction; the data it uses (SDMRecord, CBRRuleSet, AURAResult) and the data it produces (CBRResult).)
Context: Method
Business Use-Cases & initial Service diagram derived from design documents
Aim for a deployment-neutral description
Checks:
– Build & check data and service models from the interactions specified in the use-cases.
– Is the data required by each service consistent with the data model?
– Do members of the project, and its customers, think this represents their system?
Context: Method (2)
Control granularity:
– Services at deployment granularity.
– Data, sufficient to distinguish between different use or origin.
– Assets must be meaningful to customers to allow a discussion of threat & impact.
Result:
– 24 Data Types and 14 Services.
– Contrast with
» 'Initial brainstorm' meeting: 4 data types & 4 services
» Previous slide (9): 3 data types & 13 services (2 different!)
Observations
Methodological analysis is necessary.
Need to be flexible about representations & models to align with project methods.
Control:
– Granularity
– Avoid mechanisms, keep to requirements
The 'grid' nature may make it difficult to establish hardware assets - may be a problem or blessing, but needs to be recognised.
The system is 'virtual' – need to be explicit about the management needed.
Asset Analysis
Just started.
Generated pro-forma of assets and generic concerns.
Reviewed with Industrial Partners:
– Reviewed system context document.
– Preliminary asset analysis - assigned concerns and impacts to:
» Data assets
» Service assets
Need to document and confirm results with project and industrial partners.
Process
Keyword list to prompt discussion on each asset:
– execution, confidentiality, integrity, availability, privacy, completeness, provenance, non-repudiation…
Only about half these categories used, and not all for every asset.
Impact rating: L/M/H in business terms:
– L: significant cost
– M: impact on company bottom line
– H: long term impact on company bottom line
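The following is an added example, not code from the DAME project or this talk: a small asset register that walks the risk-analysis stages above (the context check "is the data required by each service consistent with the data model?", a per-asset concern from the keyword list rated L/M/H for impact and likelihood, and the likelihood/impact matrix from which high-impact, high-likelihood cells are pulled out as unacceptable). Asset names come from the talk's diagrams; the ratings, the Encoder-G row and the CBRAnalyser name (the slide's own label) are constructed inputs, and AURAEncodedData is deliberately left out of the constructed data model so the consistency check has something to report.

```python
from collections import defaultdict

LEVELS = ("L", "M", "H")   # low / medium / high, the scale used in the talk

# Prompt keywords from the talk's asset-analysis process.
KEYWORDS = {"execution", "confidentiality", "integrity", "availability",
            "privacy", "completeness", "provenance", "non-repudiation"}

# Constructed data model (names taken from the talk's data-asset diagram).
# AURAEncodedData is deliberately omitted so the consistency check fires.
DATA_ASSETS = {"SDMRecord", "CBRRuleSet", "AURAResult", "CBRResult", "EngineDataRecord"}

# Constructed service model: data each service uses and produces. The
# CBRAnalyser row follows the co-deployment slide; the Encoder-G row is made up.
SERVICES = {
    "CBRAnalyser": {"uses": ["SDMRecord", "CBRRuleSet", "AURAResult"], "produces": ["CBRResult"]},
    "Encoder-G": {"uses": ["EngineDataRecord"], "produces": ["AURAEncodedData"]},
}

# Constructed asset-analysis rows: (asset, concern keyword, impact, likelihood).
# Impact is rated in business terms as in the talk: L significant cost,
# M impact on the bottom line, H long-term impact on the bottom line.
ASSESSMENTS = [
    ("CBRRuleSet", "confidentiality", "H", "H"),   # algorithms: the most critical property
    ("SDMRecord", "integrity", "H", "M"),          # data used to make business decisions
    ("CBRResult", "provenance", "M", "H"),         # provenance of critical decisions
    ("CBRAnalyser", "availability", "L", "M"),
]


def check_service_data_consistency(services, data_assets):
    """Context check: is the data each service needs present in the data model?
    Returns {service: [data types missing from the model]}; empty means consistent."""
    problems = {}
    for name, spec in services.items():
        missing = [d for d in spec["uses"] + spec["produces"] if d not in data_assets]
        if missing:
            problems[name] = missing
    return problems


def build_matrix(assessments):
    """Place each (asset, concern) in a likelihood x impact cell keyed (likelihood, impact)."""
    matrix = defaultdict(list)
    for asset, concern, impact, likelihood in assessments:
        if concern not in KEYWORDS or impact not in LEVELS or likelihood not in LEVELS:
            raise ValueError(f"bad assessment row for {asset}: {concern}/{impact}/{likelihood}")
        matrix[(likelihood, impact)].append((asset, concern))
    return dict(matrix)


def unacceptable_risks(assessments, min_impact="H", min_likelihood="H"):
    """Rows at or above the cut-off cell; the talk's example cut is high impact and high likelihood."""
    rank = {level: i for i, level in enumerate(LEVELS)}
    return [(asset, concern) for asset, concern, impact, likelihood in assessments
            if rank[impact] >= rank[min_impact] and rank[likelihood] >= rank[min_likelihood]]


if __name__ == "__main__":
    print("data model gaps:", check_service_data_consistency(SERVICES, DATA_ASSETS))
    for cell, items in sorted(build_matrix(ASSESSMENTS).items()):
        print(f"likelihood {cell[0]} / impact {cell[1]}: {items}")
    print("unacceptable (H/H):", unacceptable_risks(ASSESSMENTS))
```

Lowering the cut-off (e.g. min_impact="M", min_likelihood="M") widens the set of risks to target, which is how a stricter deployment policy would be expressed in this register.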
Typical Concerns
Confidentiality of key industrial properties.
– The most critical, at present, are algorithms
Integrity of data used to make business decisions.
Provenance of critical decisions made using the system.
Observations
New system requirements will probably emerge from this study:
– Finer grain control of users within roles
– The need for provenance for data items as well as decisions (workflows)
– The possible separation of different types of raw data to facilitate grid processing
– The need to audit services in the (virtual) system
Need to be careful about responsibilities when data or services are shared with other systems – e.g. long term data integrity for some data items is important, but outside DAME.
Observations
The customers have real security concerns – this is not a system where all parts will be allowed to 'run anywhere'.
– security analysis informs deployment options
Keywords (e.g. 'integrity') are very broad – need to record the actual concern in each case.
Linking impact (L/M/H) to business criteria helps prevent 'drift' of assessments.
Documents Produced
Discussion / working documents:
– DAME Initial Dependability Assessment - AME/York/TR/03.001. From meeting with industrial partners on 17th March 2003.
– Analysis of the Grid – Phillipa Conmy
– Security Risk Brief – Howard Chivers
– Options for Merging Dependability and Security Analysis - Howard Chivers. This includes a neutral terminology.
– DAME Dependability and Security: Asset Analysis pro-forma.
DAME Dependability and Security: System Context Document - DAME/York/TR/03.007.
Future Work
Complete System Context document and asset analysis.
Assess vulnerabilities, including the use of high level analysis function and dependability key word analysis.
Produce likelihood - impact matrix.
Target unacceptable risks.
Identify deployment constraints & requirements
Identify mitigation mechanisms e.g., encryption, access controls, replication, etc.
Final Observations
Security risk analysis is best carried out as an integrated part of the system design:
– The context can be part of the standard system documentation
– Deployment and other design tradeoffs can be made early
– The security analysis will highlight requirements that might otherwise be missed.
Final Observations (2)
The grid nature of the problem introduces new challenges: DAME is a 'virtual system'
– Mapping to hardware is deferred
– Requirements for administration of the 'virtual' system, as well as individual resources
Appropriate security is essential before systems of this sort can be exploited commercially.