1 / 27

The 8th International Common Criteria Conference 8 th ICCC '0 7

Semiformal framework for ICT Security Development. Andrzej Białas. The 8th International Common Criteria Conference 8 th ICCC '0 7 September 2 5- 2 7, 200 7 , Rome. Andrzej Bialas, Eng., PhD, Information Security Centre. Information security management systems and supporting tools

aaron-davenport
Télécharger la présentation

The 8th International Common Criteria Conference 8 th ICCC '0 7

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Semiformal framework for ICT Security Development Andrzej Białas The 8th International Common Criteria Conference 8thICCC'07 September 25-27, 2007, Rome

  2. Andrzej Bialas, Eng., PhD, Information Security Centre • Information security management systemsand supporting tools • ICT Security development (Common Criteria) and supporting tools • PKI, e-government security – applications, projects • CI2RCO – Critical Information Infrastructure Research Co-ordination (EU FP6) Institute of Innovationsand Information Society Wita Stwosza 7, 40-954 Katowice, POLAND tel.: +48 32 3595 159e-mail: Andrzej.Bialas@insi.pl

  3. Introduction The presentation deals with the Common Criteria, i.e. ISO/IEC 15408 approach, one of the well established methodologies concerned with the creation of assurance. Assurance is the confidence that an entity, i.e. IT product or system, called the TOE (target of evaluation), meets the security objectives specified for it. The development of e-business, e-government or e-health applications, and the critical information infrastructure protection will not be possible if,based on the assurance, trust and confidence technologiesdo not grow. The assurance foundation is created during a rigorous IT development process.The preciseness and the cost of the elaborated specifications are important. The paper presents an overview of the Author’s extensive work concerning the IT Security Development Framework (ITSDF) based on the ISO/IEC 15408 and ISO/IEC TR 15446. It concerns better formalization of this development process, and improving specification means used to create the Security Target (ST) or Protection Profiles (PP).

  4. Problem: Proposed solution: • How to perform the IT security development: • rigorously, i.e. more precisely, formally, and consistently, with the justification of the selected variants, • and more effectively, i.e. more quickly and cheaply? Elaborating a semiformal model of the IT security development process with the use of the UML/OCL approach, i.e. better formalization of this process Creating a set of semiformal means and methods to build IT security related specifications of the TOEin a more precise and consistent way. Building, on this basis, a computer tool supportingthe IT security development process.

  5. Formalization (Common Criteria) informal expressed in a natural language expressed in a restricted syntax language with defined semantics semiformal expressed in a restricted syntax language with defined semantics based on well-established mathematical concepts formal

  6. Better formalization of the IT security development process … leads to the „ITSDF framework” concept • The IT security development process is related to the elaboration of the ST or PP specifications • The Common Criteria standard provides the IT security developers witha general, informal guide only (ISO/IEC TR 15446) • The effectiveness of the IT security development process, which is rather complicated, depends strongly on the developers’ knowledge and expertise • The problem is how to make the developers’ efforts easier • The proposed solution is based on the advantages coming from the commonly used UML/OCL approach and assumes the elaboration of the semiformal model of the whole IT Security Development Framework (ITSDF framework) 6

  7. IT security development (ST elaboration) Establishing the so-called security problem definition (security environment) specification, encompassing the internal/external assets, their owners, threats to assets, OSPs – Organizational Security Policy rules to be satisfied, and the assumptions. Setting security objectives on this basis – for the TOEand its operational environment. Using Common Criteria components catalogues and analyzing the above objectives, working out the sets of functional and assurance requirements for the TOE and for the operational environment. Using functional and assurance requirements, preparingthe TOE summary specification (TSS). Going to the next, more refined stage, a rationale process is needed

  8. IT Security Development Framework – general model of the ITSDF (ST example) Classes representing specification data containers Classes responsible for the ST elaboration

  9. ITSDF as a state machine 2 state attributes: develstage and stagestatus

  10. ITSDF – develstage attribute of the state machine

  11. Security objectives elaboration stage

  12. Security objectives elaboration – general activity diagram

  13. Summary of works on the ITSDF framework – what has been done? • Analyzing strong and weak points of the IT security development processand identifying developers’ needs concerning computer aided processes • Elaboration of the general UML model of ITSDF framework and its processes responsible for particular development stages – classes responsiblefor development stages and the containers of the specification data • Models refinement using OCL and building mathematical model of ST and PP • Software implementation – wizard driven tool • Development of extra facilities: • risk analysis • TOE-environment responsibility trade-off support • rationale support (covering analyses and visualization relationships) • self-evaluation facilities • evidences and documentation management • reporting facilities and automatic ST/PP generation • Validation and improvement with the use of the existing and newly created STs

  14. Improving specification means … leads to the „enhanced generics” concept • The Common Criteria standard provides developers with specification means(a language) only for the security requirement specification stage, i.e. with the semiformal, security components • Specification style and preciseness for stages other than requirements depend strongly on the developers’ knowledge and expertise. The common understanding of these specifications by a CC consumer is required • For this reason the improvement, unification and extension of the specification means is an important issue • The proposed solution is based on creating a set of semiformal means, called enhanced generics, can be used for other IT security development stages, and has features comparable with the well understood components features 14

  15. Means and ways to build the IT security specifications

  16. Enhanced generics Generics mnemonic names that express common features, behavioursor actions of different IT security aspects or elements. Format: [domain.][group.]family.mnemonic[derived][instance].description[.refinement][.attributes][.operation] Features: • Parameterization of generics • Operations on generics – iteration, refinement, assigning value to parameter or leaving it uncompleted • Defining any generic on the basisof the other (derivation) • Grouping generics by theirdomains of application • Assigning attributes • Building generics chains – proposing solutions to elementary security problems

  17. Generics groups and families – basic taxonomy

  18. TDA.CrpAnal. DAD.PlainText. SNA.HighPotIntrud. DAD.EncKey_D2. Card attacker [paramSNA] may compromise [paramDAD] – user data being encrypted by the TOE or the key needed to calculate the plain text from cipher text. Refinement:To perform this attack the intruder has to know the cipher text but is neither able to use the decryption function of the TOE nor to observe the behaviour of the TOE during the cryptographic operation. Generics example – (dot notation vs. UML notation) 1/2 [domain.][group.]family.mnemonic[derived][instance].description[.refinement][.attributes][.operation] CrpAnal:TDAItem PlainText:DADItem Plain document to be encrypted. EncKey_I0_D2:DADItem Cryptographic keys used as input parameter for encryption or decryption. HighPotIntrud:SNAItem Intruder having high level skills, enough resources and deep motivation to perform a deliberate attack. ST BSI-DSZ-CC-0153: First Evaluation of Philips P8WE5032 Secure 8-bit Smart Card Controller, Philips Semic. Hamburg 18

  19. TDA.CrpAnal_I0. TDA.CrpAnal_I1. OCON.BlockCipher. Card attacker [paramSNA <=SNA.HighPotenIntrud] may compromise [paramDAD <=DAD.PlainText] – user data being encrypted by the TOE or the key needed to calculate the plain text from cipher text. Card attacker [paramSNA <=SNA.HighPotenIntrud] may compromise [paramDAD <=DAD.EncKey_D2] – user data being encrypted by the TOE or the key needed to calculate the plain text from cipher text. Generics example – (iteration) 2/2 [domain.][group.]family.mnemonic[derived][instance].description[.refinement][.attributes][.operation] CrpAnal_I0:TDAItem DAD.PlainText SNA.HighPotIntrud DAD.EncKey_D2 CrpAnal_I1:TDAItem Both instances are covered by: The TOE will ensure the confidentiality of keys during a cryptographic function performed by the TOE ST BSI-DSZ-CC-0153: First Evaluation of Philips P8WE5032 Secure 8-bit Smart Card Controller, Philips Semic. Hamburg 19

  20. Parameterizationassociations and security (covering) associations Expresses generics parameters (being assets or subjects) allowing iteration GenParAssoc Supporting chains (items proposed to cover other items) „threat->objective->requirement->security functions” SecAssoc 20

  21. Summary of works on the specification means improvements – what has been done? • Analyzing the IT security development process and identifying the developers’ needs concerning specification means • Informal definition of the dot separated generics • Defining the generic syntax (grammar/BNF) and semantics (Richter’s approach, the same as the one used for the OCL) • Development of generic UML/OCL models and taxonomy • Defining parameterization association classes (GenParAssoc) • Defining association classes concerning mutual covering of items belonging to the neighbour stages (SecAssoc) • Defining the UML/OCL models of the CC components • Reaching a unified representation of generics and components allowing its software implementation • Defining navigation functions: participating(), navends(), roles(), multiplicieties() and full class descriptors • Software implementation – design library for different application domains • Library validation and optimization using existing and newly created STs

  22. The ITSDF software implementation – design library

  23. The ITSDF framework software implementation Design tree Wizard Visuali-zation 23

  24. The ITSDF software implementation – design visualization

  25. The ITSDF software implementation – ST evaluation

  26. Features helping to achieve the assurancefor an IT product or system in a more efficient way • the IT security development process is defined more precisely (i.e. in a semiformal way) and developers are guided and supported at any stage, from the preliminary analyses to the final rationale • developers are provided with the unified and semiformal specification means (“a language”) for any development stage; enhanced generics attached to the CC components have the same possibilities as the components • the software tool, being the IT security development framework implementation, offers additional advantages (similarly to other computer-aided tools), e.g. automation, reusability, reporting, statistics, auxiliary analyses, documentation management, decision support, visualization, better compliance with the information security management standards, self-evaluation, etc. The research, modelling and case-study on other existing examples of security targets and protection profiles are almost completed and now the technology transfer can start PLANNED WORKS: CC v3.1 implementation, composite / complex TOE development and packages, library optimization 26

  27. Thank you for your attention e-mail: andrzej.bialas@insi.pl Institute of Innovationsand Information Society

More Related