
Security Architecture and Analysis: Session 1b Reasoning About System Architectures


mitchellj




Presentation Transcript


  1. Security Architecture and Analysis: Session 1b
     • Reasoning About System Architectures
     • Box Structure Reasoning for Components
       • Black boxes
       • State boxes
     • Compositional Reasoning for Networks

  2. Reasoning About System Architectures
     • It is vital in analyzing security and survivability (and other system properties) to know how to reason about system architectures
     • “Reasoning” means:
       • Inferring from available information what architectures and their components do and how they do it
       • Knowing what constitutes a complete definition and what information is missing
     • Reasoning requires mental models for components and architectures
       • Models have a formal basis, but are effective when applied informally
       • We will use the models in an informal way
     • Know what questions to ask about architectures

  3. Box Structure Reasoning for Components
     • Box Structures
       • A systematic model for component analysis and design
     • Five fundamental component characteristics: “BURST”
       • Boundary: What is inside and what is outside?
       • Users: Who are the users?
       • Responses: What is the set of possible responses?
       • Stimuli: What is the set of possible stimuli?
       • Transactions: What are the possible mappings from stimuli to responses?
     • Three fundamental component representations:
       • Black box: Component behavior based on history of use
       • State box: Component behavior based on retained data
       • Clear box: Component behavior based on procedure (another course!)

  4. Box Structure Reasoning for Components: BURST
     • Component Boundary, Users, Responses, Stimuli, Transactions:
       [Diagram: User 1, User 2 and User 3 each send Stimuli to, and receive Responses from, the Component; the Transactions take place inside the component’s BOUNDARY]
     • Users can be people or programs, local or remote

  5. Box Structure Reasoning for Components: Black Boxes
     • The black box of a component in diagram form
       [Diagram: Stimulus (S) → black box → Response (R)]
     • The idea of black box behavior
       • A hand calculator:

         Stimulus history   Stimulus   Response
         716                5          7165
         716C               5          5

     • Black box behavior depends on more than the current stimulus; it also depends on the history of use

  6. Box Structure Reasoning for Components: Black Boxes
     • Transition function of a black box
       • (stimulus history, stimulus) --> (response, new stimulus history)
     • Accumulating hand calculator stimulus history (SH) through black box transitions:

         Stimulus   Stimulus History   Response   New Stimulus History
         C          *                  0          C
         1          C                  1          C1
         4          C1                 14         C14
         +          C14                14         C14+
         4          C14+               4          C14+4
         3          C14+4              43         C14+43
         =          C14+43             57         C14+43=
         C          C14+43=            0          *

     • Partial transition function of a simple hand calculator
       • (valid arithmetic expression, =) --> (expression value, = appended to SH)
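The calculator table above, carried through as code. This is an added example, not part of the slides: a black box transition function in Python that retains nothing itself and computes every response from the stimulus history (SH) plus the current stimulus, so that the same stimulus ("5") gives a different response after the histories "716" and "716C". The left-to-right evaluation rule, the handling of a digit or operator typed after "=", and the single-key stimuli are assumptions the slide does not spell out.

```python
import re
from typing import List, Tuple

# Added example (not from the slides): the hand calculator of slide 6 as a
# black box. The component retains nothing itself; each response is computed
# from the stimulus history (SH) and the current stimulus, as the table does.
# Stimuli are single keys: a digit, one of + - * /, "=", or "C" (clear).

OPERATORS = "+-*/"

def _expression(sh: str) -> str:
    """The text accumulated since the last clear 'C' (or since the start)."""
    return sh.rsplit("C", 1)[-1]

def _evaluate(expr: str) -> int:
    """Left-to-right evaluation, as a simple calculator does (no precedence).
    A trailing operator is ignored and an empty expression evaluates to 0."""
    tokens = re.findall(r"\d+|[+\-*/]", expr)
    if not tokens:
        return 0
    acc = int(tokens[0])
    i = 1
    while i + 1 < len(tokens):
        op, rhs = tokens[i], int(tokens[i + 1])
        if op == "+":
            acc += rhs
        elif op == "-":
            acc -= rhs
        elif op == "*":
            acc *= rhs
        else:
            acc = acc // rhs if rhs else 0   # integer division; divide by zero shows 0 (assumption)
        i += 2
    return acc

def _current_operand(expr: str) -> int:
    """The digits typed since the last operator: what the display shows."""
    m = re.search(r"(\d+)$", expr)
    return int(m.group(1)) if m else 0

def calc_transition(sh: str, stimulus: str) -> Tuple[int, str]:
    """Black box transition: (SH, stimulus) -> (response, new SH)."""
    if stimulus == "C":
        return 0, "C"                                   # any history ('*') -> C
    expr = _expression(sh)
    if stimulus.isdigit():
        # a digit typed after '=' starts a fresh expression (assumption)
        new_sh = "C" + stimulus if sh.endswith("=") else sh + stimulus
        return _current_operand(_expression(new_sh)), new_sh
    if stimulus in OPERATORS:
        value = _evaluate(expr.rstrip("="))
        if sh.endswith("="):                            # carry the result on (assumption)
            return value, "C" + str(value) + stimulus
        return value, sh + stimulus
    if stimulus == "=":
        value = _evaluate(expr.rstrip("="))
        return value, sh if sh.endswith("=") else sh + "="
    raise ValueError(f"stimulus {stimulus!r} is outside the calculator's BURST")

def calc_run(stimuli: List[str], sh: str = "") -> List[int]:
    """Feed a stimulus sequence through the black box; return each response."""
    responses = []
    for s in stimuli:
        r, sh = calc_transition(sh, s)
        responses.append(r)
    return responses
```

Running `calc_run(["C", "1", "4", "+", "4", "3", "=", "C"])` reproduces the Response column of the table row by row; the `ValueError` branch is the black box refusing a stimulus outside its BURST rather than guessing a response, which is the "complete definition" discipline the later slides ask for.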

  7. Box Structure Reasoning for Components: Black Boxes
     • Transition function of “Add2” black box
       • Response is the sum of the last two stimuli: R = S(i) + S(i - 1)
     • Transition function of “Max2” black box
       • Response is the maximum of the last two stimuli: R = max(S(i), S(i - 1))
     • Black box transition function of Microsoft Word
       • Difficult to write down, but conceptually no different
       • Can be reasoned about in terms of stimuli and stimulus histories

  8. Box Structure Reasoning for Components: Black Boxes
     • Black box transition function of a simple authentication server

         Stimulus                               Condition on SH                                     Response
         Add authentication data for user Bob   none                                                “OK”
         Bob’s ID claim and evidence            Bob’s data present in SH, evidence does not match   “access denied”
         Bob’s ID claim and evidence            Bob’s data present in SH, evidence matches          “access granted”

     • Black box definitions can be complete:
       • Define required behavior in all possible circumstances of use
       • (Almost never done, but invaluable)

  9. Box Structure Reasoning for Components: Black Boxes
     • A black box definition deals only with visible external behavior
       • It is state-free and procedure-free
       • It is the user view: requirements and specifications
     • Any deterministic component exhibits black box behavior
     • Reasoning with the black box model:
       • Understand BURST
       • Given a stimulus, consider possible conditions on the stimulus history to determine possible responses
     • First question to ask to understand how a component will respond to a stimulus:
       • What is the history of use?

  10. Box Structure Reasoning for Components: Black Boxes
     • Black box reasoning for a database system (implied BURST):
     • What is the response, given this stimulus:
       • Delete a record
       • Add a record
       • Update a record
       • Create a report of all employees with at least 10 years experience who are earning less than 50K
     • What do you want the behavior to be?

  11. Box Structure Reasoning for Components: Black Boxes
     • Black box reasoning for a virus checker on an email server (implied BURST)
     • What is the response, given this stimulus:
       • An input email message that contains a virus
       • An input email message that does not contain a virus
     • What do you want the behavior to be?

  12. Box Structure Reasoning for Components: Black Boxes
     • Black box reasoning for a firewall on an email server (implied BURST)
     • What is the response, given this stimulus:
       • An input email message
       • An input email message with a file attachment
     • What do you want the behavior to be?

  13. Box Structure Reasoning for Components: State Boxes
     • The state box of a component in diagram form
       [Diagram: Stimulus (S) → state box (state, trans) → Response (R)]
     • Opens up a black box to reveal retained data; allows reasoning about the state
     • Transition function of a state box
       • (stimulus, current state) --> (response, new state)

  14. Box Structure Reasoning for Components: State Boxes
     • State is defined to retain those stimuli from the stimulus history that are required to achieve black box behavior
     • The external behavior defined by the black box and state box definitions of a component are (better be!) identical
       [Diagram: component a as a black box (Stimulus (S) → Response (R)) = component a as a state box (Stimulus (S) → state, trans → Response (R))]
     • State box definitions can be complete:
       • Define required behavior in all possible circumstances of use
       • (Almost never done, but invaluable)
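The authentication server of slide 8 is a good place to check the claim just made, that a black box definition and a state box definition of the same component must agree externally. The following is an added example, not from the slides: the server written once as a black box (the response is a condition on the whole stimulus history) and once as a state box (the state retains only the enrolled data), driven with the same stimuli. The stimulus encoding is constructed, the rule that a claim for a user with no data present is denied is an assumption slide 8 leaves open, and the state box stores the evidence itself to mirror the slide (a real server would retain a salted hash, not the evidence).

```python
import hmac
from typing import Dict, List, Tuple

# Added example (not from the slides): the authentication server of slide 8
# defined twice, as a black box whose response is a condition on the whole
# stimulus history, and as a state box that retains only the enrolled data.
# Slide 14's claim is that both give identical external behaviour; run_both()
# drives them side by side so that can be checked. Stimuli are constructed:
#   ("enrol", user, evidence)  -> "Add authentication data for user"
#   ("claim", user, evidence)  -> "ID claim and evidence"
# Assumption not on slide 8: a claim for a user with no data present is denied.

Stimulus = Tuple[str, str, str]

def _matches(stored: str, presented: str) -> bool:
    # Constant-time comparison: the response must not leak how many bytes matched.
    return hmac.compare_digest(stored.encode(), presented.encode())

def black_box(sh: List[Stimulus], stimulus: Stimulus) -> Tuple[str, List[Stimulus]]:
    """(stimulus history, stimulus) -> (response, new stimulus history)."""
    kind, user, evidence = stimulus
    new_sh = sh + [stimulus]
    if kind == "enrol":
        return "OK", new_sh
    # Condition on SH: the most recent enrolment for this user, if any.
    enrolled = [ev for (k, u, ev) in sh if k == "enrol" and u == user]
    if not enrolled:
        return "access denied", new_sh
    return ("access granted" if _matches(enrolled[-1], evidence) else "access denied"), new_sh

def state_box(state: Dict[str, str], stimulus: Stimulus) -> Tuple[str, Dict[str, str]]:
    """(stimulus, current state) -> (response, new state); state maps user -> data."""
    kind, user, evidence = stimulus
    if kind == "enrol":
        return "OK", {**state, user: evidence}
    stored = state.get(user)
    if stored is None or not _matches(stored, evidence):
        return "access denied", state
    return "access granted", state

def run_both(stimuli: List[Stimulus]) -> Tuple[List[str], List[str]]:
    """Drive both definitions with the same stimuli; return the two response lists."""
    sh: List[Stimulus] = []
    state: Dict[str, str] = {}
    bb: List[str] = []
    sb: List[str] = []
    for s in stimuli:
        r, sh = black_box(sh, s)
        bb.append(r)
        r, state = state_box(state, s)
        sb.append(r)
    return bb, sb
```

The state box keeps only what the black box condition actually consults (the latest enrolment per user), which is exactly what slide 14 says state is defined to retain; if the two response lists ever diverge, one of the definitions is incomplete or wrong.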

  15. Box Structure Reasoning for Components: State Boxes
     • Transition function of “Add2”
       • R := S + L (compute response)
       • L := S (update state)
     • The state box of “Add2”
       [Diagram: Add2 with state L; S → trans → R]
     • Transition function of “Max2”
       • R := max(S, K) (compute response)
       • K := S (update state)
     • The state box of “Max2”
       [Diagram: Max2 with state K; S → trans → R]
     • State box transition function of Microsoft Word
       • Difficult to write down, but conceptually no different
       • Can be reasoned about in terms of stimuli and states

  16. Box Structure Reasoning for Components: State Boxes
     • State box reasoning for a virus checker on an email server (implied BURST and state):
     • What is the response, given this stimulus:
       • An input email message that contains a virus
       • An input email message that does not contain a virus

  17. Box Structure Reasoning for Components: State Boxes
     • State box reasoning for a firewall on an email server (implied BURST and state):
     • What is the response, given this stimulus:
       • An input email message
       • An input email message with a file attachment

  18. Box Structure Reasoning for Components: Netting It Out
     • Rigorous model that can be applied informally in thinking about what components do and how they do it
     • Reasoning about behavior at black box level:
       • Understand BURST
       • Given a stimulus, the response depends on the history of use
     • Reasoning about behavior at state box level:
       • Understand BURST
       • Given a stimulus, the response depends on the current state
     • “Oh, yes, the abc vendor’s firewall (or authentication server, or encryption algorithm, or whatever) exhibits black box behavior, and can also be reasoned about as a state box.”

  19. Compositional Reasoning for Networks
     [Diagram: A Bank ATM System. Domain/Enterprise Logic/Data Layer: Mainframe (with Users); Infrastructure/Communications Layer: Server, Server, ..., Server; Presentation/User Interface Layer: rows of ATMs (ATM ATM ATM ... ATM), with Users below]

  20. Compositional Reasoning for Networks
     • What happens from the viewpoint of an ATM user submitting a transaction?
       [Trace: User → ATM → Server → Mainframe → Server → ATM → User]
       • [User] o [ATM] o [server] o [mainframe] o [server] o [ATM] o [User]
       • “o” is the composition operator
       • “[, ]” denote the transition function of the component
       • Note that each use of a component is in the composition
       • Component compositions are also known as architecture traces
     • ATM Security: Composition with wrong pin number (U for user)
       [Trace: U → ATM → Server → ATM → U (wrong pin: Try again) → U → ATM → Server → ATM → U (wrong pin: Try again) → U → ATM → Server → ATM → U (Access denied)]

  21. Compositional Reasoning for Networks
     • Another pin number composition
       [Trace: U → ATM → Server → ATM → U (right pin: Access granted)]
       [Trace: U → ATM → Server → ATM → U (wrong pin: Try again) → U → ATM → Server → ATM → U (wrong pin: Try again) → U → ATM → Server → ATM → U (wrong pin: Access denied)]
     • Compositional reasoning is concerned with the net effect of all the components in a composition
     • Net effect means the overall change
       • From the stimuli to the first component
       • To the response from the last component

  22. Compositional Reasoning for Networks
     • Net effects of compositions in informal terms
       [Trace: U → ATM → Server → ATM → U (right pin: Access granted)]
       Net effect: Access granted
       BB views: ATM and server SH’s updated
       SB views: ATM and server states updated
       [Trace: U → ATM → Server → ATM → U (wrong pin: Try again) → U → ATM → Server → ATM → U (wrong pin: Try again) → U → ATM → Server → ATM → U (wrong pin: Access denied)]
       Net effect: Access denied
       BB views: ATM and server SH’s updated
       SB views: ATM and server states updated
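The three ATM traces of slides 20 to 22, as an added example that is not part of the slides: the ATM and the server are written as state boxes, a session composes [User] o [ATM] o [Server] o [ATM] o [User] once per PIN entered, and the function returns both the net effect (the last response) and the architecture trace. The server's state is the enrolled PINs plus a per-card count of wrong PINs; "Try again" and "Access denied" are the slide's responses, while the limit of three wrong PINs is read off the slide's trace and is an assumption about the bank's policy, and the card numbers and PINs are constructed values.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Added example (not from the slides): the ATM / server compositions of
# slides 20-22 as state boxes. Net effect = the response the user finally
# sees; the state box view = the server's wrong-PIN count and the card held
# by the ATM. MAX_WRONG_PINS = 3 is an assumption read off the slide's trace.
# Card numbers and PINs are constructed values.

MAX_WRONG_PINS = 3

@dataclass
class Server:
    """Server state box. State: enrolled PINs and the per-card wrong-PIN count."""
    pins: Dict[str, str]                          # card -> enrolled PIN (constructed)
    wrong: Dict[str, int] = field(default_factory=dict)

    def transition(self, card: str, pin: str) -> str:
        count = self.wrong.get(card, 0)
        if count >= MAX_WRONG_PINS:
            return "Access denied"                # locked: the state decides, not this stimulus
        enrolled = self.pins.get(card)
        # constant-time comparison so the response time does not depend on the PIN bytes
        if enrolled is not None and hmac.compare_digest(enrolled.encode(), pin.encode()):
            self.wrong[card] = 0
            return "Access granted"
        count += 1
        self.wrong[card] = count
        return "Access denied" if count >= MAX_WRONG_PINS else "Try again"

@dataclass
class ATM:
    """ATM state box. State: the card in the current session."""
    server: Server
    card: str = ""

    def transition(self, stimulus: Tuple[str, str], trace: List[str]) -> str:
        kind, value = stimulus
        trace.append("ATM")
        if kind == "card":
            self.card = value
            return "Enter PIN"
        trace.append("Server")
        response = self.server.transition(self.card, value)   # [ATM] o [Server]
        trace.append("ATM")                                    # o [ATM]
        return response

def session(atm: ATM, card: str, pins: List[str]) -> Tuple[str, List[str]]:
    """Compose [User] o [ATM] o [Server] o [ATM] o [User] for each PIN entered,
    stopping at the first response other than "Try again".
    Returns (net effect, architecture trace)."""
    trace: List[str] = ["User"]
    response = atm.transition(("card", card), trace)
    trace.append("User")
    for pin in pins:
        trace.append("User")
        response = atm.transition(("pin", pin), trace)
        trace.append("User")
        if response != "Try again":
            break
    return response, trace
```

The point the slide makes about net effect shows up in the test: after three wrong PINs the card's server state is what decides the next response, so a fresh session with the right PIN still yields "Access denied", and the stimulus alone no longer determines the outcome.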

  23. Compositional Reasoning for Networks
     • When you buy gas at a pump with a speedpass, what is a possible architecture trace of your transaction?
       [Trace: User → pump → ? → pump → User]

  24. Compositional Reasoning for Networks
     • Computing compositions
       [Diagram: Add2; Max2: S1 → Add2 → R1 = S2 → Max2 → R2]
     • Add2; Max2 transition:
       R2(i) = max(S2(i), S2(i - 1))
             = max(R1(i), R1(i - 1))
             = max(S1(i) + S1(i - 1), S1(i - 1) + S1(i - 2))
             = S1(i - 1) + max(S1(i), S1(i - 2))
     • The Add2; Max2 formula can be used to compute values of R2 directly, without obtaining intermediate values for R1 and S2. (Rename S1 and R2 as simply S and R:)
     • Add2; Max2 transition: R(i) = S(i - 1) + max(S(i), S(i - 2))

  25. Compositional Reasoning for Networks
     • What is the composition?
       [Diagram: Add2, Add2, Max2 and Add2 connected so that Max2 receives stimuli from more than one component]
     • Stimuli to Max2 are asynchronous, so simple composition cannot be applied
     • Airline reservation system transactions
       • “Any seats to Chicago?”
       • “Yes, two seats available”
       • “Ok, I’ll take them”
       • “Sorry, no seats to Chicago”

  26. Compositional Reasoning for Networks
     [Diagram: A Bank ATM System, as on slide 19: Users, Mainframe, Servers, rows of ATMs, Users]
     • Many systems are designed to preserve composition and isolate asynchronous behavior
     • Bank system preserves independence of transactions based on account numbers
     • In general, systems are designed for compositional operations

  27. Compositional Reasoning for Networks
     • WWW Client-Server Pair
       [Diagram: Users ↔ WWW client (Presentation Manager, UI Manager, Path Resolver, Access Manager, Cache Manager, Protocol Manager, Stream Manager, External Viewer) ↔ WWW server (HTTP Server, Access Control, HTTP Stream Manager, Common Gateway Interface, File Server) ↔ Users]
     • Stream manager isolates asynchronous packet reconstruction and presents files, etc. in assembled form to permit compositional reasoning

  28. Compositional Reasoning for Networks: 10 Minute Exercise
     • What is the composition?
       [Diagram: Max2; Add2: S1 → Max2 → R1 = S2 → Add2 → R2]
     • Max2; Add2 transition: R2(i) =

  29. Compositional Reasoning for Networks: 10 Minute Exercise
     • What is the composition?
       [Diagram: Max2; Add2: S1 → Max2 → R1 = S2 → Add2 → R2]
     • Max2; Add2 transition:
       R2(i) = S2(i) + S2(i - 1)
             = R1(i) + R1(i - 1)
             = max(S1(i), S1(i - 1)) + max(S1(i - 1), S1(i - 2))
       R(i) = max(S(i), S(i - 1)) + max(S(i - 1), S(i - 2))
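The Add2 and Max2 state boxes of slide 15, their sequential compositions, and the closed forms derived on slides 24 and 29, checked against each other. This is an added example, not code from the slides: `compose` chains any number of state boxes so that each response becomes the next stimulus, and the two formula functions compute R(i) directly from S without the intermediate R1 = S2. Both state variables start at 0, which is the same as taking S(j) = 0 for j < 0 in the formulas; that initial condition and the integer stimulus sequences are assumptions.

```python
from typing import Callable, List, Tuple

# Added example (not from the slides): Add2 and Max2 as the state boxes of
# slide 15, their sequential composition (the response of the first box is
# the stimulus of the next), and the closed-form transition functions derived
# on slides 24 (Add2; Max2) and 29 (Max2; Add2). Both state variables start at
# 0, which is the same as taking S(j) = 0 for j < 0 in the formulas (assumption).
# Stimulus sequences are constructed integers.

StateBox = Callable[[int, int], Tuple[int, int]]   # (state, stimulus) -> (response, new state)

def add2(state: int, s: int) -> Tuple[int, int]:
    """Add2 state box: R := S + L; L := S   (L retains the previous stimulus)."""
    return s + state, s

def max2(state: int, s: int) -> Tuple[int, int]:
    """Max2 state box: R := max(S, K); K := S."""
    return max(s, state), s

def compose(*boxes: StateBox) -> Callable[[int], int]:
    """Sequential composition b1; b2; ...: one step function whose response is
    the last box's response. Each box keeps its own state between steps."""
    states = [0] * len(boxes)
    def step(s: int) -> int:
        for i, box in enumerate(boxes):
            s, states[i] = box(states[i], s)
        return s
    return step

def run(step: Callable[[int], int], stimuli: List[int]) -> List[int]:
    """Feed a stimulus sequence to a composed component and collect the responses."""
    return [step(s) for s in stimuli]

def add2_then_max2(stimuli: List[int]) -> List[int]:
    """Slide 24: R(i) = S(i - 1) + max(S(i), S(i - 2)), computed directly."""
    S = lambda j: stimuli[j] if j >= 0 else 0
    return [S(i - 1) + max(S(i), S(i - 2)) for i in range(len(stimuli))]

def max2_then_add2(stimuli: List[int]) -> List[int]:
    """Slide 29: R(i) = max(S(i), S(i - 1)) + max(S(i - 1), S(i - 2))."""
    S = lambda j: stimuli[j] if j >= 0 else 0
    return [max(S(i), S(i - 1)) + max(S(i - 1), S(i - 2)) for i in range(len(stimuli))]

if __name__ == "__main__":
    sample = [3, 1, 4, 1, 5, 9, 2, 6]
    # The composed components and the derived formulas must agree step by step.
    assert run(compose(add2, max2), sample) == add2_then_max2(sample)
    assert run(compose(max2, add2), sample) == max2_then_add2(sample)
    print("Add2; Max2:", add2_then_max2(sample))
    print("Max2; Add2:", max2_then_add2(sample))
```

Order matters: Add2; Max2 and Max2; Add2 give different response sequences for the same stimuli, which is the exercise's point, and the closed forms only hold because each box sees exactly one stimulus per step; the asynchronous case of slide 25 has no such formula.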
