
Detecting Cognitive Causes of Confidentiality Leaks






Presentation Transcript


  1. Detecting Cognitive Causes of Confidentiality Leaks
     Rimvydas Rukšėnas, Paul Curzon (Queen Mary, University of London), Ann Blandford (University College London)
     FMIS 2006, Macau

  2. The topic
     • Ensuring (by formal modelling and verification) secure information flow from the user to a secure device / application.

  3. The context
     • Security of software systems (technical aspects):
       • the implementation of a system does not leak confidential information.
     • User-centred security (social dimensions):
       • work practices;
       • the relationships between system users;
       • security threats exploiting social engineering techniques.

  4. Our focus
     • Potential leaks of information caused by the combination of human cognition and interface designs.

  5. Outline
     • Formal user model.
     • An example.
     • Conclusion.

  6. Formal user modelling
     • Even when behaving rationally, humans systematically make errors when performing tasks with interactive systems.
     • The erroneous actions are unintentional. They emerge from a combination of specific design decisions and human cognition.
     • A formal model of cognitively plausible behaviour is helpful in detecting such design flaws.

  7. Abstract cognitive principles
     • Non-determinism: any cognitively plausible action might be taken.
     • Distinction between mental and physical actions.
     • User goals: preconceived knowledge of the task and task-dependent sub-goals.
     • Reactive behaviour: people respond to interface prompts if these seem relevant to their task.
     • Goal-based task completion: users tend to finish interactions once their goal has been achieved.
     • No-option-based termination.

  8. Generic user model in SAL

     UserModel {goals, acts, …} = …
       TRANSITION
         ([] i: Goal_Commit: …)
         [] ([] i: React_Commit: …)
         [] ([] i: Goal_Transition: …)
         [] ([] i: React_Transition: …)
         [] Exit: …
         [] Abort: …
         [] Idle: …

     Goal_Transition:
       gcommit[i] = committed --> Transition(i, goals); gcommit'[i] = done; gcommitted' = FALSE

  9. An example: authentication interface

  10. Authentication procedure as a FSM

  11. The structure of specifications

  12. User goals (knowledge)
      • Enter user name.
      • Enter password.

      seen[InputName] --> value'[InputName] = in.name

  13. Reactive behaviour
      • Enter user name.
      • Enter password.
      • Press Enter button.
      • Acknowledge a message.

      seen[InputName]  mem.failed  mem.entered[InputName] --> value'[InputName] = in.name

  14. User perception & interpretation
      • By label: (i,j): label[i] = NameLabel  label[j] = PassLabel  InputName = i  InputPass = j
      • By habit: (i,j): precedes(i,j)  InputName = i  InputPass = j
      • Random: (label[i] = label[j]  ((i,j): precedes(i,j)))  InputName  InputPass

  15. Correctness properties
      • Usability: System ⊨ F(LoginMsg)
      • Security: System [] Tester ⊨ G(¬SecurityBreach)
      • Tester module: [] (j: Inbox): level[j] = Low ∧ value[j] = env.password --> SecurityBreach' = TRUE

  16. Confidentiality leakage
      • precedes(InputName, InputPass)

  17. Secure design
      • precedes(InputName, InputPass)
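The Python program below is an added illustration of slides 12 to 17; it is not the authors' SAL model and no identifier in it comes from the paper. It explores, exhaustively and in the style of a model checker, the non-deterministic user model: the user interprets which of two input fields is the name field and which is the password field by label, by habit (the field placed first is the name field) or at random when the labels do not disambiguate, then types into the interpreted fields. A tester in the spirit of slide 15 flags a SecurityBreach whenever the password value ends up in a Low-level (echoed) field, and the usability property asks whether every run logs in. The three layouts (SECURE, LEAKY, UNLABELLED), the field attributes and all function names are constructed for this example; the single-attempt login, without the failure message and retry of slide 13, is a simplification.

```python
"""Exhaustive check of a small cognitive user model against a two-field login form.

Added example: the model, layouts and names are constructed here and are not the
SAL specification used in the FMIS 2006 paper.
"""
from dataclasses import dataclass
from itertools import permutations

LOW, HIGH = "Low", "High"                  # security level of a field (Low = echoed on screen)
NAME_LABEL, PASS_LABEL = "NameLabel", "PassLabel"


@dataclass(frozen=True)
class Field:
    label: str      # what the user sees next to the field
    position: int   # 0 = first field on the page
    level: str      # LOW fields echo their contents; HIGH fields mask them
    role: str       # what the device treats the field as: "name" or "password"


def precedes(i: Field, j: Field) -> bool:
    """Layout relation: field i is placed before field j."""
    return i.position < j.position


def interpretations(fields):
    """All cognitively plausible (InputName, InputPass) assignments.

    Non-determinism: each strategy contributes every pair it admits, and the
    union of the three strategies is the set of behaviours that must be checked.
    """
    out = set()
    for i, j in permutations(fields, 2):
        if i.label == NAME_LABEL and j.label == PASS_LABEL:   # by label
            out.add((i, j))
        if precedes(i, j):                                    # by habit: first field = name
            out.add((i, j))
        if i.label == j.label:                                # random: labels do not help
            out.add((i, j))
    return out


def run(fields, input_name, input_pass, env_name="alice", env_password="s3cret"):
    """One user run: type the name into InputName and the password into InputPass.

    Returns (login_msg, security_breach). The device accepts the login when each
    field received the value its role expects; the tester reports a breach when
    any Low-level field holds the password (constructed sample credentials).
    """
    value = {f: None for f in fields}
    value[input_name] = env_name
    value[input_pass] = env_password
    breach = any(f.level == LOW and value[f] == env_password for f in fields)
    login_msg = all(value[f] == (env_name if f.role == "name" else env_password)
                    for f in fields)
    return login_msg, breach


def check(fields):
    """Check both properties over every plausible behaviour.

    usability: F(LoginMsg) holds on every run
    security:  G(not SecurityBreach) holds on every run
    Returns (usability, security, breaching (InputName role, InputPass role) pairs).
    """
    runs = {(n, p): run(fields, n, p) for n, p in interpretations(fields)}
    usability = all(login for login, _ in runs.values())
    security = not any(breach for _, breach in runs.values())
    breaches = sorted((n.role, p.role) for (n, p), (_, b) in runs.items() if b)
    return usability, security, breaches


# Constructed layouts.
# SECURE: name field first and labelled, password field second and masked.
SECURE = (Field(NAME_LABEL, 0, LOW, "name"), Field(PASS_LABEL, 1, HIGH, "password"))
# LEAKY: correct labels, but the password field is laid out above the name field,
# so a habit-driven user types the password into the echoed name field.
LEAKY = (Field(PASS_LABEL, 0, HIGH, "password"), Field(NAME_LABEL, 1, LOW, "name"))
# UNLABELLED: right order, no labels, so the random interpretation is also plausible.
UNLABELLED = (Field("", 0, LOW, "name"), Field("", 1, HIGH, "password"))

if __name__ == "__main__":
    for title, layout in (("secure", SECURE), ("leaky", LEAKY), ("unlabelled", UNLABELLED)):
        usability, security, breaches = check(layout)
        print(f"{title:10s} usability={usability} security={security} breaches={breaches}")
```

Only the SECURE layout satisfies both properties: in LEAKY the habit-based interpretation swaps the fields, and in UNLABELLED the random interpretation does, and in both cases the tester sees the password in the echoed field. Adding a cognitive strategy is a one-line change in interpretations, which is what makes this style of exhaustive check useful for comparing interface designs.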

  18. Conclusions
      • We investigated the formal modelling of cognitive aspects of confidentiality leaks.
      • We extended our approach, based on usability verification, to address some aspects of information-flow security.
      • We presented a simple example where the layout of input fields can result in security breaches: www.dcs.qmul.ac.uk/~rimvydas/usermodel/fmis06.zip

  19. Future work
      • Other (more complex) security properties.
      • Generic user interpretation model.
      • Scaling up.
