
DAME Dependability and Security Study: Progress Report

Howard Chivers

University of York

Practical Security for e-Science Projects, 25 November 2003

This talk presents my personal perspective, not the considered view of the project or any of its partners.

But credit and thanks must go to busy developers and industrial partners who have been consistently helpful and generous with their time, and to Martyn Fletcher who is the primary author for study deliverables.

Contents

– DAME Introduction
– The Method: Dependability and Security
– Stage One: System Context
– Stage Two: Asset Analysis
– Summary

DAME

(Diagram: engine flight data flows between London Airport and New York Airport, the airline office, the maintenance centre, and the European and American data centres, all connected through the Grid.)

Project Aims

Develop a Grid-enabled diagnostic system. Demonstrate this on the Rolls-Royce AeroEngine diagnostics problem:
– A Diagnostic Grid
– Grid management tools for unstructured data
– A practical application demonstrator

Develop the understanding needed for industrial deployment:
– Grid middleware and application/services layer integration
– Scalability and deployment options
– Security and dependability issues

Challenges

– Support on-line diagnostic workflow in real time
– Deal with the data from 1000s of engines in operation
– Prove distributed pattern matching methodology
– Address customer concerns about grids, including scalability & security
– Demonstrate the business case for the technology

Why use a grid?

– Implementing a distributed, integrated workflow has considerable potential customer value.
– The workflow requires collaboration between multiple stakeholders.
– An integrated business process is needed to provide evidence for any diagnosis, and traceability to subsequent action.
– The data is high volume, and is distributed between stakeholders’ sites (e.g. maintenance, factory, airports).
– The variable computing load makes resource sharing attractive for some processes.

DAME – Project Partners

Universities:
– University of York
– University of Sheffield
– University of Oxford
– University of Leeds

Industrial:
– Rolls-Royce Aeroengines
– Data Systems and Solutions
– Cybula

Infrastructure:
– White Rose Grid
– National e-Science Support Centre

Developers

(Diagram of the DAME development sites and services, deployed on the White Rose Grid (WRG) with GT3/GT2.)

Sites:
– Leeds: Grid Middleware Services
– Sheffield: Modeling & Decision Support
– Oxford: Engine Data Store
– York: Data Mining Services

Services shown:
– DAME WRG Sign-on Portal
– SDM Database
– CBRAnalysis-G: GT3 service, CBR advisor
– EngineModel-G: GT3 service, BD25 engine model wrapped as Grid Service
– XTO-G: GT3 service, XTO plug-ins via a Grid Service
– Data Visualiser: GT3 service, Jchart viewer for viewing XTO output
– Workflow: browser-based workflow tool, compliant with Resource Broker
– Resource Broker: GT2 service, schedules workflow tasks on WRG resources
– Engine Data Database
– AURA-G and AURA-G Database
– DataStore-G: GT3 service, simulates arrival & storage of QUOTE data
– Zmod Viewer: GT3 service, browser-based data viewer for zmod files
– Zmod data search facility: GT3 service
– Collaboration tools: GT3 service, toolset for multiuser collaboration
– DAME workbench
– Security: GT3 security service, proxy management
– DAME GUI: GT3 service, browser-based GUI to DAME services

Analysis Approach: Dependability & Security

Purpose of the Study

– Provide analysis to enable ultimate deployment of DAME in the engine domain.
– Provide analysis as a basis for deployment in other domains.
– Contribute to Grid community research in dependability and security.

Dependability and Security

Attributes:
– Reliability
– Safety
– Maintainability
– Security (Confidentiality, Integrity, Availability)

Attributes have varying significance in different systems.

Security (Risk) Analysis

Focus on risk to the overall business process.

Process (see previous talk by Jonathan Moffett):
– Define system context:
  » Boundary / actors / assets / external assumptions.
– Analyse assets:
  » Identify impact / threat for each.
– Attacker’s perspective.
– Vulnerabilities.
  » Identify likelihood.

From the matrix, identify unacceptable deployment risks, for example:
– High impact and high likelihood need to be reduced.

Security (Risk) Analysis

(Diagram: the System Context (system boundary, actors, assets, external assumptions) feeds the Asset Analysis (threats, impact) and the Attackers’ Perspective / Vulnerabilities (likelihood); the results are plotted on a likelihood-by-impact matrix with L/M/H axes.)

Dependability Analysis

High level analysis for complex systems developed at York is rooted in the need for safety cases of layered systems.

(Diagram: distributed services (Service 0 ... Service N) run on a distributed middleware infrastructure, which runs on a distributed hardware infrastructure; the component under analysis is examined at an analysis interface.)

High level Analysis of a Complex System

Focuses on infrastructure.

Approach at York (based on FMEA – Failure Modes and Effects Analysis + SHARD – Software Hazard Analysis and Resolution in Design):
– Define high level functions at a specified interface.
– Apply guidewords (omission, commission etc.) – undesirable situations.
– Cause.
– Effect.
– Derived requirements – to prevent / mitigate.

Satisfy derived requirements to provide dependability.

Choice of method

Approaches have complementary strengths. In combination:
– Use security risk analysis to establish whole-system issues.
– Use ‘high level analysis’ to deal with non-security attributes, and provide infrastructure vulnerabilities into the main risk analysis.
– Combined study minimises project cost and customer involvement.

Take advantage of other sources of vulnerability information.

Observations

The security risk method provides a useful overall framework ...
... but in many projects a wider set of attributes will be needed.

Using both forms of analysis explicitly deals with the flexible deployment of applications envisaged in the grid ...
... but it remains to be seen if the interface requirements between applications and infrastructure are mature enough to allow dependability analysis.

Stage One: System Context

Context

(The risk analysis diagram again, this time for the System Context stage: system boundary, actors, assets and external assumptions, which feed asset analysis, the attackers’ perspective and vulnerabilities, and hence the likelihood/impact matrix.)

System Context

System Context document (DAME/York/TR/03.007):
– Business process.
– System boundary.
– Actors (primary and supporting).
– Assets (service and data).
– Service interactions.
– External assumptions.

Purpose:
– Provides a concise reference – allows stakeholders to agree on a description of the system.
– Identifies assets: services and data
  » ... but not hardware?

Actors & System Context

(Use-case diagram of the Distributed Aircraft Maintenance Environment (DAME).)

Actors:
– Maintenance Engineer (ME)
– Domain Expert (DE) – engine expert
– Maintenance Analyst (MA) – maintenance expert
– Ground Support System
– Airline / Maintenance Contractor (at airport)
– Engine Maintenance, Repair and Overhaul (MRO) facility (RR / contractor)
– Engine Manufacturer (RR)
– Service Data Manager (SDM) including Workscope Generator – RR
– Data Center (DS&S); Engine Data Center (EDC) – DS&S
– Remote / distributed tools and services; miscellaneous providers

Use cases:
– Upload engine data; download engine data
– Local diagnosis; DAME diagnosis
– Investigate using tools
– Provide diagnosis / prognosis / advice
– Information / request for advice; request advice from MA; request advice from DE
– Perform inspections; perform minor repair
– Remove engine and dispatch for major overhaul; return overhauled engine to service
– Update engine record(s)

Service Assets

(Service asset diagram with interactions and multiplicities. The EDC contains various independent tools and facilities – only the EngineDataStore is shown here.)

Services shown: Encoder-G (encoded Zmod data feature), AURA-G, CBRAnalysis-G, EngineModel-G, SDM-G, EngineDataStore-G, XTO-G, QUOTE / GSS, Portal – Collaboration Environment, DataBaseMiner-G (cluster data), EngineDataCenter, WorkflowManager, Chart-G, CBRWorkflowAdvisor-G, ZModViewer-G, ArrivalNotification, RoleDatabase, MyProxy.

Interactions shown: gets SDM Record(s) from; gets EDR from; extracts orders using; gets extracted orders; diagnoses fault using; searches for clusters using; searches for patterns using; visualises engine data using; models engine using; stores Engine Data Record in; stores / retrieves DAME results, annotations, etc.; gets Workflow Advice.

Data Assets

(Data asset class diagram with associations and multiplicities.)

Data types shown: Engine, Flight, SDMRecord, FlightEvent, Airframe, EngineDataRecord, QUOTEFeatureResult, WorkflowRecord, EngineModelResult, AURAResult, ZmodViewerResult, ChartResult, CBRResult, XTOFeatureResult, AURAEncodedData, SuggestedWorkflow, Annotations, TrackedOrder, CBRRuleSet, WorkFlowRuleSet, WorkflowRule, Case, RoleUser, UserRole, UserView, EncodedData.

Attributes shown: distinguishedName, deadline, status, userStatus[3], processPerformance, inputParamSet.

Service & Data co-deployment

(Diagram: the CBRAnalyser service with the relationships Get Maintenance Data, Produces and Uses to the data assets SDMRecord, CBRResult, CBRRuleSet and AURAResult.)

Context: Method

Business use-cases & initial service diagram derived from design documents.

Aim for a deployment-neutral description.

Checks:
– Build & check data and service models from the interactions specified in the use-cases.
– Is the data required by each service consistent with the data model?
– Do members of the project, and its customers, think this represents their system?

Context: Method (2)

Control granularity:
– Services at deployment granularity.
– Data, sufficient to distinguish between different use or origin.
– Assets must be meaningful to customers to allow a discussion of threat & impact.

Result:
– 24 Data Types and 14 Services.
– Contrast with
  » ‘Initial brainstorm’ meeting: 4 data types & 4 services
  » Previous slide (9): 3 data types & 13 services (2 different!)

Observations

– Methodological analysis is necessary.
– Need to be flexible about representations & models to align with project methods.
– Control:
  » Granularity
  » Avoid mechanisms, keep to requirements
– The ‘grid’ nature may make it difficult to establish hardware assets – may be a problem or blessing, but needs to be recognised.
– The system is ‘virtual’ – need to be explicit about the management needed.

Stage Two: Asset Analysis

Asset Analysis

Just started.

Generated pro-forma of assets and generic concerns.

Reviewed with industrial partners:
– Reviewed system context document.
– Preliminary assets analysis – assigned concerns and impacts to:
  » Data assets
  » Service assets

Need to document and confirm results with project and industrial partners.

Process

Keyword list to prompt discussion on each asset:
– execution, confidentiality, integrity, availability, privacy, completeness, provenance, non-repudiation ...

Only about half these categories used, and not all for every asset.

Impact rating: L/M/H in business terms:
– L: significant cost
– M: impact on company bottom line
– H: long term impact on company bottom line

Typical Concerns

Confidentiality of key industrial properties.
– The most critical, at present, are algorithms.

Integrity of data used to make business decisions.

Provenance of critical decisions made using the system.

Observations

New system requirements will probably emerge from this study:
– Finer grain control of users within roles
– The need for provenance for data items as well as decisions (workflows)
– The possible separation of different types of raw data to facilitate grid processing
– The need to audit services in the (virtual) system

Need to be careful about responsibilities when data or services are shared with other systems – e.g. long term data integrity for some data items is important, but outside DAME.

Observations

The customers have real security concerns – this is not a system where all parts will be allowed to ‘run anywhere’.
– Security analysis informs deployment options.

Keywords (e.g. ‘integrity’) are very broad – need to record the actual concern in each case.

Linking impact (L/M/H) to business criteria helps prevent ‘drift’ of assessments.
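The asset-analysis process of the last few slides (keyword-prompted concerns per asset, L/M/H impact in business terms, and the likelihood-by-impact matrix from the Security (Risk) Analysis slide) as a small worked example in Python. This is added illustration, not DAME project code: the asset names and ratings in the sample register are constructed, and the rule that a concern's detail must say more than its keyword is my reading of the observation above.

```python
from dataclasses import dataclass

# Ratings use the talk's ordering L < M < H.
RATING = {"L": 0, "M": 1, "H": 2}

# Business meaning of each impact level, as given in the talk. Keeping the
# criterion beside the rating is what stops assessments drifting.
IMPACT_CRITERIA = {
    "L": "significant cost",
    "M": "impact on company bottom line",
    "H": "long term impact on company bottom line",
}

# Keyword list used to prompt discussion of each asset (from the talk).
KEYWORDS = {"execution", "confidentiality", "integrity", "availability",
            "privacy", "completeness", "provenance", "non-repudiation"}


@dataclass
class Concern:
    asset: str       # a data or service asset from the system context
    keyword: str     # one of KEYWORDS
    detail: str      # the actual concern, not just the keyword
    impact: str      # L/M/H in business terms (see IMPACT_CRITERIA)
    likelihood: str  # L/M/H, from the attacker's perspective and vulnerabilities


def validate(concern):
    """Return the problems that keep a concern out of the matrix (empty if none)."""
    problems = []
    if concern.keyword not in KEYWORDS:
        problems.append(f"unknown keyword {concern.keyword!r}")
    # Assumed rule: the recorded detail must say more than the bare keyword.
    if concern.detail.strip().lower() in ("", concern.keyword.lower()):
        problems.append("detail must state the actual concern, not the keyword")
    for name, value in (("impact", concern.impact),
                        ("likelihood", concern.likelihood)):
        if value not in RATING:
            problems.append(f"{name} must be L, M or H, got {value!r}")
    return problems


def build_matrix(concerns):
    """Likelihood x impact matrix: (likelihood, impact) -> ['asset/keyword', ...]."""
    matrix = {(lk, im): [] for lk in RATING for im in RATING}
    for c in concerns:
        if not validate(c):  # invalid entries are left out rather than guessed at
            matrix[(c.likelihood, c.impact)].append(f"{c.asset}/{c.keyword}")
    return matrix


def unacceptable(concerns, min_impact="H", min_likelihood="H"):
    """Valid concerns at or above both thresholds: these must be reduced."""
    return [c for c in concerns
            if not validate(c)
            and RATING[c.impact] >= RATING[min_impact]
            and RATING[c.likelihood] >= RATING[min_likelihood]]


# Constructed sample register, modelled on the typical concerns in the talk.
SAMPLE = [
    Concern("CBRRuleSet", "confidentiality",
            "diagnostic algorithms are key industrial property", "H", "M"),
    Concern("SDMRecord", "integrity",
            "maintenance decisions are taken on this data", "H", "H"),
    Concern("WorkflowRecord", "provenance",
            "must show the evidence behind each diagnosis", "M", "H"),
    Concern("AURAResult", "availability", "availability", "L", "L"),  # rejected
]

if __name__ == "__main__":
    for cell, entries in build_matrix(SAMPLE).items():
        print(cell, entries)
    print("reduce:", [c.asset for c in unacceptable(SAMPLE)])
```

Lowering the thresholds (e.g. `unacceptable(SAMPLE, "M", "M")`) shows how the set of risks to be reduced grows once the project settles its own acceptance line.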

Summary

Documents Produced

Discussion / working documents:
– DAME Initial Dependability Assessment – AME/York/TR/03.001. From meeting with industrial partners on 17th March 2003.
– Analysis of the Grid – Phillipa Conmy
– Security Risk Brief – Howard Chivers
– Options for Merging Dependability and Security Analysis – Howard Chivers. This includes a neutral terminology.
– DAME Dependability and Security: Asset Analysis pro-forma.

DAME Dependability and Security: System Context Document – DAME/York/TR/03.007.

Future Work

– Complete System Context document and asset analysis.
– Assess vulnerabilities, including the use of high level analysis function and dependability key word analysis.
– Produce likelihood – impact matrix.
– Target unacceptable risks.
– Identify deployment constraints & requirements.
– Identify mitigation mechanisms e.g., encryption, access controls, replication, etc.

Final Observations

Security risk analysis is best carried out as an integrated part of the system design:
– The context can be part of the standard system documentation
– Deployment and other design tradeoffs can be made early
– The security analysis will highlight requirements that might otherwise be missed.

Final Observations (2)

The grid nature of the problem introduces new challenges: DAME is a ‘virtual system’
– Mapping to hardware is deferred
– Requirements for administration of the ‘virtual’ system, as well as individual resources

Appropriate security is essential before systems of this sort can be exploited commercially.