Data quality attributes in network-centric systems

Similar documents
Model-Based Embedded System Engineering & Analysis of Performance-Critical Systems

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Intrusion Detection Types

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Access Control. Discretionary Access Control

Discretionary Vs. Mandatory

Security Models Trusted Zones SPRING 2018: GANG WANG

OSATE Analysis Support

Summary. Final Week. CNT-4403: 21.April

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

Access Control Models

Access Control Mechanisms

Involved subjects in this presentation Security and safety in real-time embedded systems Architectural description, AADL Partitioned architectures

Lecture 4: Bell LaPadula

AADL v2.1 errata AADL meeting Sept 2014

Chapter 7: Hybrid Policies

An Implementation of Fog Computing Attributes in an IoT Environment

A SECURITY MODEL FOR MILITARY MESSAGE SYSTEMS

Access control models and policies. Tuomas Aura T Information security technology

Introduction to Security

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Access Control (slides based Ch. 4 Gollmann)

Complex Access Control. Steven M. Bellovin September 10,

CCM Lecture 14. Security Models 2: Biba, Chinese Wall, Clark Wilson

Access Control Part 3 CCM 4350

Flow Latency Analysis with the Architecture Analysis and Design Language (AADL)

Chapter 6: Integrity Policies

Lecture 8 Wireless Sensor Networks: Overview

Chapter 15: Information Flow

System design issues

The Common Controls Framework BY ADOBE

Wireless Sensor Networks CS742

Computer Security. Access control. 5 October 2017

CSE509: (Intro to) Systems Security

Defenses against Wormhole Attack

Part I: Introduction to Wireless Sensor Networks. Xenofon Fafoutis

(2½ hours) Total Marks: 75

Access control models and policies

Access control models and policies

Issues of Operating Systems Security

Network-centric Security Design for Mobile Ad Hoc Networks

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Post-Class Quiz: Access Control Domain

An Introduction to Cyber-Physical Systems INF5910/INF9910

SAE AADL Error Model Annex: Discussion Items

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

CSC 774 Advanced Network Security

MULTILEVEL POLICY BASED SECURITY IN DISTRIBUTED DATABASE

Security Principles and Policies CS 136 Computer Security Peter Reiher January 15, 2008

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

CS 392/ CS Computer Security. Nasir Memon Polytechnic University Module 7 Security Policies

IDACCS Wireless Integrity protection in a smart grid environment for wireless access of smart meters

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

WIRELESS SENSOR NETWORK

CSE Computer Security

Sleep/Wake Aware Local Monitoring (SLAM)

Message Authentication and Hash function

CompTIA Security+ CompTIA SY0-401 Dumps Available Here at:

Mobility best practice. Tiered Access at Google

Key establishment in sensor networks

Anonymous communications: Crowds and Tor

Network Security and Cryptography. 2 September Marking Scheme

SECURITY & PRIVACY DOCUMENTATION

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

CS 161 Multilevel & Database Security. Military models of security

KNX Secure. KNX Position Paper on Data Security and Privacy

Policy, Models, and Trust

European Network on New Sensing Technologies for Air Pollution Control and Environmental Sustainability - EuNetAir COST Action TD1105

Multiple Independent Layers of Security (MILS) Network Subsystem Protection Profile (MNSPP) An Approach to High Assurance Networking Rationale

Wireless Sensor Networks: Security Issues, Challenges and Solutions

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

Firewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

SDR Guide to Complete the SDR

P1_L6 Mandatory Access Control Page 1

SEI/CMU Efforts on Assured Systems

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Modicon M580 PAC. CSPN Security Target. Version

Randomization. Randomization used in many protocols We ll study examples:

Randomization used in many protocols We ll study examples: Ethernet multiple access protocol Router (de)synchronization Switch scheduling

Out of the Fog: Use Case Scenarios. Industry. Smart Cities. Visual Security & Surveillance. Application

Network Security and Cryptography. December Sample Exam Marking Scheme

MODEL-DRIVEN DEVELOPMENT OF COMMAND AND CONTROL CAPABILITIES FOR JOINT AND COALITION WARFARE

CSE 565 Computer Security Fall 2018

Asset Analysis -I. 1. Fundamental business processes 2.Critical ICT resources for these processes 3.The impact for the organization if

Secure Ethernet Communication for Autonomous Driving. Jared Combs June 2016

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Information Security Policy

QUALITY OF SERVICE EVALUATION IN IEEE NETWORKS *Shivi Johri, **Mrs. Neelu Trivedi

Mobile and Heterogeneous databases Security. A.R. Hurson Computer Science Missouri Science & Technology

Juniper Vendor Security Requirements

Xerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers

Google Cloud Platform: Customer Responsibility Matrix. April 2017

FMN / MLS Lessons learned. Praha November 12th, 2013 Holger W. Kalnischkies

WeVe: When Smart Wearables Meet Intelligent Vehicles

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control

CSC Network Security

Transcription:

Sponsored by the U.S. Department of Defense 2005, 2006 by Carnegie Mellon University Data quality attributes in network-centric systems Jorgen Hansson hansson@sei.cmu.edu Peter H. Feiler Aaron Greenhouse April 2006 page 1

Outline Net-centric systems Data quality attributes Validating security/confidentiality of a software architecture Bell-LaPadula Representation in AADL Analysis in OSATE Conclusions

Net-centric systems Systems-of-systems Distributed per say (tightly and loosely coupled) Heterogeneous Complexity and assumption of the systems vary High-level information systems Computational power Network bandwidth Life-time of systems (battery) Real-time performance requirement vary Notion of consistency and correctness vary - Sensor networks as information providers introduce imperfection

Global Network & System View f(s i ) Internal network Data fusion, aggregation, filtering Freshness? Confidence? Security? DMZ DeMilitarized Zone Network s i Real-time surveillance data Freshness: 10s Confidence: 70% Security: secret Sensor network in a city

Data Flow: Sensor Network to Application PHASE Detect anomaly via sensors Push data Process data #1 (data fusion, filtering, aggregation) Distribute data to clients (clients pull data) Process data #2 and decide on action EXAMPLE Intrusion detection Location data, time of reading Determine object s speed, direction etc. Distribute data together with - level of security - data accuracy - data freshness Decide on a counter action

Data Quality Attributes Temporal correctness Use temporally coherent and valid input data. Deliver data at the right time! Logical correctness, i.e., accuracy/precision Deliver correct data, where logical correctness is given by minimum requirements on accuracy/precision. Confidence Deliver/use data with adequate confidence. Security/confidentiality levels Ensure that data consumers are classified for the data.

Example S1 C2 C3 A1 S2 Feedback C1 C4 C5 A2 S3 C6 C7 C8 A3 Sensor readings at time t0 Sampling Computation Actuation

Example cont d: component view D C1 C2 \ \ \ \ D C3 C4 C5 Feedback I C6 C7 D C8

Observations Ensuring end-to-end latency of a flow does not guarantee that fresh data was used, or that data constraints were enforced Simple scenarios become complex - There are normally more data elements than there are components/tasks) - Modes add to additional complexity for analysis. Need for automated analysis

Specification of Data Data element D parameter Type of data: [base, derived] AVI (absolute data validity interval external consistency) - [x time units]; (x= data is valid forever or until next reading; 0 = inherits from input data) RVI (relative data validity interval logical consistency) - [list of data elements with which D should be consistent] Confidence parameter: [0-1] Accuracy parameter: [0-1] Security level: [0-x] (0=no security; x= highest security)

Temporal Correctness Temporal value coherence AVI Absolute validity RVI interval- (relative expresses data validity the temporal interval) interval during which a data AVI object (absolute fresh data validity interval) logical consistency - Static external consistency - Dynamic, e.g., a function of mode or required precision [list [x of time data units]; elements (x= data with is which valid Dforever RVI Relative validity should interval or until be of next consistent] a set reading; of data 0 elements = inherits from defined as the intersection input of their data) AVIs - Ensures data objects are temporally coherent when RVI AVI a b c = f ( a, b) RVI( a, b) AVI( c) = α, α RVI( a, b) t

Logical Correctness Expressed as precision/accuracy/error Imprecise computation models - Mandatory/optional - Primary/alternative Logical correctness Epsilon-consistency - notion of introduced error, and must never exceed a defined threshold Data similarity - Two values x and x are similar iff x-x =<threshold. Logical correctness can affect temporal correctness (AVI)

Confidence: WPSM and PAN Example Confidence PAN Personal Area Network WPSM The Wearable Sensor System Medical hub (embedded system worn on the belt) GPS system Fluid intake monitor Sleep performance watch Core temperate pill ingested Sensors, worn on the chest, for - Ballistic impact detection - Skin temperature - Heart rate - Respiration rate - Actigraphy - Body orientation Physiological models Area State Confidence Thermal Im. Action 90% Hydration Attention 60% Cognitive Normal 100% Life signs Normal 90% Wound det. Attention 80%

Confidence: WPSM and PAN Example Confidence is a function of Model Latency (confidence decreases over time) State (some states can be determined with higher confidence) Environment (conditions may affect sensors, e.g., heat and humidity) Confidence Important events require high confidence - Normal requires 50% - Attention requires 70% - Immediate action 80%

Confidence Paradox Trade-off/balance: High confidence requires (i) more sampling, (ii) more sensors etc, which generates more network traffic. More network traffic may (i) shorten battery lifetime, (ii) increase collisions and drops, (iii) increase latency => decreases confidence!! Confidence Only consume more resources when you need to increase confidence: Normal operating mode: Low confidence = low power & low bandwidth Interesting events mode: High confidence = high power & high bandwidth

Dependencies Logical correctness (accuracy) Temporal coherence (correctness and latency) Confidence

Security: Objective concerns that sensitive data should only be disclosed to or accessed/modified by authorized users, i.e., enforcing prevention of unauthorized disclosure of information. Objective: Model security attributes for an architecture to verify that data is properly accessed and handled by users and applications. Means to achieve confidentiality include enforcing access control, perform encryption, partitioning of system frameworks Bell-LaPadula framework: military applications Chinese wall framework: commercial applications Representation of these frameworks is similar, but the analysis differs.

Bell-LaPadula: Subjects and Objects In Bell La Padula, subjects operate on objects. Subjects need permission, expressed as security level, to use objects. The security level of a subject or object is a pair: Classification - Drawn from a partial order of classifications (e.g., unclassified < confidential < secret < top secret). Set of categories - Drawn from a set of labels (e.g., NATO, Nuclear, Crypto). (Class1, Set1) dominates (Class2, Set2) if and only if Class1 >= Class2 Set1 Set2

Example 1 Minimum security level required is (secret, {a,b}) O 1 (secret,{a}) S 1 (topsecret, {a,b,c}) O 4 Uncontrolled sanitization as (conf,(secret,{a}) is dominated by max(class i,cat i ), i=1..3 O 2 (conf,{b}) O 3 (secret,{b}) Access matrix O 1 O 2 O 3 O 4 O 5 S 1 read, append read, write read read append O 5 (conf, {a}) Error: O 4 is read-only Warning: O 1 are O 2 shared more freely than necessary.

Example o 1 s 1 o 2 o 3 s 3 o 4 (1,{a}) (2,{a}) (2,{a}) (3,{a}) (4,{a}) (3,{a}) s 2 (3,{a,b}) o 5 s 5 o 6 o 7 s 6 (1,{b}) o 8 (1,{b}) (1,{b}) (1,{b}) (1,{b}) (1,{b}) ps 1 (*,*) S1 S2 S3 S4 S5 S6 Legend o = Object (circle) Security level = <Level; Category> O1 read read ps = Privileged subject (box) Level: Category O2 s = Subject (box) append append 4 = Top secret a = project a 3 = Secret b = project b O3 append 2 = Confidential read O4 Data flow 1 = Classified append Sanitized data flow 0 = Unclassified O5 read O6 read append Error: s 5 does not dominate o O7 append 1 read Warning: s 3 has unnecessarily high security clearance O8 append

Modeling and Validation Basic confidentiality principle - Security clearance Need-to-know policy - Category membership (e.g., project, division) Principle of confidentiality constancy - The security level of derived data dominates the security level of the input data Controlled sanitization of data - Reducing security levels is only performed by trusted components/ports

Modeling and Validation: Software Level Determine the viability of a software architecture given confidentiality requirements of data objects and security clearance by users Processes, threads, ports An architecture is viable if subjects dominate objects confidentiality is not breached subjects have enough security clearance to perform their function

Modeling and Validation: Software Level Scenarios 1. Derive minimum security clearance of processes/threads based on confidentiality requirements of ports 2. Enforce that confidentiality requirements of data elements (ports) are satisfied by the security clearance of processes/threads 3. Derive access control matrix based on the security levels of processes/threads and data elements 4. Strong validation by detailed analysis of security levels of processes/threads and data elements and the access control rules represented as a matrix

Modeling and Validation: Hardware/Software Level Determine the viability of a system (software architecture mapped to hardware) given confidentiality requirements of data objects and security clearance by users Processors, memory, bus, processes, threads Analysis: Ensure processes and threads are mapped to appropriate hardware, communicate over secured channels, and reside/store data in protected memory Derive minimum security requirements on hardware components given a software architecture

Bell-LaPadula and AADL Mapping In AADL, components pass data through data ports and over connections. Data is not represented explicitly. in1 ExampleSystem Mapping Bell La Padula to AADL: in2 Subject AADL Component Object Port Feature - (Port is a proxy for the data that passes through it.) output

Bell-LaPadula Access Modes Access mode: How an object can observe/alter a subject. Bell La Padula has four access modes: Execute neither observe nor alter Read observation with no alteration Append alteration with no observation Write both observation and alteration Mapping to AADL: In port Read access - Incoming data object is consumed Out port Append access - Outgoing data object is created anew

Security Levels in AADL The security level of a component or port is represented by a pair of property values: Security_Attributes::Class - Drawn from a total order defined by an AADL enumeration type. Security_Attributes::Category - Drawn from a set defined by an AADL enumeration type.

Security Levels Example 1 Inputs in1 and in2 are consumed to create a higher-security output object. Security_Attributes::Class => unclassified; Security_Attributes::Category => (A, B); ExampleSystem Security_Attributes::Class => confidential; Security_Attributes::Category => (A, B, C); in1 in2 Security_Attributes::Class => unclassified; Security_Attributes::Category => (B, C); output Security_Attributes::Class => confidential; Security_Attributes::Category => (A, B, C);

Security Level Example 2 system ExampleSystem features in1: in data port { Security_Attributes::Class => unclassified; Security_Attributes::Category => (A, B); }; in2: in data port { Security_Attributes::Class => unclassified; Security_Attributes::Category => (B, C); }; output: out data port { Security_Attributes::Class => confidential; Security_Attributes::Category => (A, B, C); }; properties Security_Attributes::Class => confidential; Security_Attributes::Category => (A, B, C); end ExampleSystem;

Additional Mapping Details The security level of a port is the exact security level of the data that passes through the port. In particular, it is not an upper bound on the level. Makes analysis more precise. The security level of a component is its maximum security level. Right now: Also the current security level. - Problem: (simplification) Makes rules too conservative. Future: Use AADL flows to model current security level. - Pro: Enables more flexibility in modelling - Con: Makes modeling more expensive (must declare flows)

Checking Ports The simple security property The maximum security level of a component must dominate the security level of each of its ports. - Covers basic confidentiality and enforces need-to-know The star property The security level of an out port must dominate the current security* level of its component. The security level of an in port must be dominated by the current security level of its component. * Source of conservativism when maximum security level == current security level.

Checking Component Nesting The security level of a component must dominate the security levels of its subcomponents. (No direct analog in Bell La Padula.) Subcomponent is part of the internals of component. Subcomponent computes on behalf of component. Thus, component is accessing data too. So, component must be authorized to use the data accessed by its subcomponents.

Checking Connections Connections must connect ports with equal security levels. (No direct analog in Bell La Padula.) Derives from - AADL connection semantics - Our use of ports as Bell La Padula objects. Data object that leaves an out port is the same data object that enters an in port.

Security Analysis Plug-in (current status) We are implementing the security analysis as a plug-in to OSATE: Checks simple security property Checks star property Checks nested components Checks connections

Analyzed System Src1: Producer1 (unclassified, {A}) Src2: Producer2 (unclassified, {B}) output (unclassified, {A}) output c1 c2 (unclassified, {B}) CompleteSystem.Impl in1 (Secret, {A, B}) in2 Comp: Computer result (Secret, {A, B}) c3 (confidential, {B, C}) input (confidential, {A, B}) Dest: Consumer (confidential, {B, C})

Analyzed System: Errors Src1: Producer1 (unclassified, {A}) Src2: Producer2 (unclassified, {B}) output (unclassified, {A}) output c1 c2 (unclassified, {B}) CompleteSystem.Impl in1 (Secret, {A, B}) in2 Comp: Computer result (Secret, {A, B}) c3 (confidential, {B, C}) input (confidential, {A, B}) Dest: Consumer (confidential, {B, C})

Plug-in Example 3 Button to run security analysis Results of analysis

Impact on Latency Key management - Key transport (centralized) - Key agreement (peer-to-peer) - Preloading of network-wide keys (sensor networks) - AADL: Model the key management as part of the communication. Encryption protocols - Computational cost increases - Bandwidth usage increases - AADL: Apply cost factor(s) with the security level to be applied to execution times and message size/bandwidth usage.

Security in Sensor Networks: Goals Preventing data disclosure to non-owners - Privacy, confidentiality Preserving data authenticity/message authentication - Data integrity and source authentication Preserving data availability - Protection from subversion in multi-hop networks with ad hoc routing Constraints and limitations Battery energy Computational and communications capability Sensor networks are unattended - vulnerable to physical compromise by adversaries

Conclusions work is on-going (flows, sanitization, access matrix, generation of access matrix, minimum security levels of subjects, Chinese wall) Modeling temporal correctness of data (AVI, RVI) is paramount to ensure freshness (coming next) Accuracy, precision, and confidence are likely to be modeled and validated in a similar way. - Based on flows and modes

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback