Model Checking of Location and Mobility Related Security Policy Specifications in Ambient Calculus

Similar documents
Chapter 3: Propositional Languages

Behavior models and verification Lecture 6

A New Model Checking Tool

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Binary Decision Diagrams

The Maude LTL Model Checker and Its Implementation

A Case Study for CTL Model Update

A New Method to Index and Query Sets

Towards a Logical Reconstruction of Relational Database Theory

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Action Language Verifier, Extended

Property Verification for Generic Access Control Models 1

An Evolution of Mathematical Tools

Model Checking. Dragana Cvijanovic

Foundations of AI. 9. Predicate Logic. Syntax and Semantics, Normal Forms, Herbrand Expansion, Resolution

Verifiable Hierarchical Protocols with Network Invariants on Parametric Systems

Model Checking with Automata An Overview

Timo Latvala. January 28, 2004

Validating Plans with Durative Actions via Integrating Boolean and Numerical Constraints

ANALYZING PROCESS MODELS USING GRAPH REDUCTION TECHNIQUES

Section 8. The Basic Step Algorithm

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

Slides for Faculty Oxford University Press All rights reserved.

Theorem proving. PVS theorem prover. Hoare style verification PVS. More on embeddings. What if. Abhik Roychoudhury CS 6214

Complete Instantiation of Quantified Formulas in Satisfiability Modulo Theories. ACSys Seminar

EXTENSIONS OF FIRST ORDER LOGIC

T Reactive Systems: Kripke Structures and Automata

Syntax-directed model checking of sequential programs

Journal of Computer and System Sciences

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Propositional Calculus. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Lecture 2: Symbolic Model Checking With SAT

Contents. Chapter 1 SPECIFYING SYNTAX 1

CS 6783 (Applied Algorithms) Lecture 5

Complex Systems Design &DistributedCalculusandCoordination

The Resolution Algorithm

Formal Modeling for Persistence Checking of Signal Transition Graph Specification with Promela

Integrity Constraints For Access Control Models

Sérgio Campos, Edmund Clarke

MIDTERM EXAM (Solutions)

Static Analysis with Goanna

CLAN: A Tool for Contract Analysis and Conflict Discovery

Model-Checking Concurrent Systems

Constraint Solving. Systems and Internet Infrastructure Security

Introduction to predicate calculus

Distributed Memory LTL Model Checking

AN ABSTRACTION-BASED METHODOLOGY FOR MECHANICAL CONFIGURATION DESIGN

Foundations of Computer Science Spring Mathematical Preliminaries

Overview. Discrete Event Systems - Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Propositional Calculus. Math Foundations of Computer Science

IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 24, NO. 2, APRIL Hongkun Yang, Student Member, IEEE, andsimons.lam, Fellow, IEEE, Fellow, ACM

Formal Verification. Lecture 7: Introduction to Binary Decision Diagrams (BDDs)

Logik für Informatiker Logic for computer scientists

Evaluating Access Control Policies Through Model Checking

Automata Theory for Reasoning about Actions

The Formal Semantics of Programming Languages An Introduction. Glynn Winskel. The MIT Press Cambridge, Massachusetts London, England

Finite State Verification. CSCE Lecture 14-02/25/2016

Verifying IP-Core based System-On-Chip Designs

Term Algebras with Length Function and Bounded Quantifier Elimination

Overview of SRI s. Lee Pike. June 3, 2005 Overview of SRI s. Symbolic Analysis Laboratory (SAL) Lee Pike

ON CONSISTENCY CHECKING OF SPATIAL RELATIONSHIPS IN CONTENT-BASED IMAGE DATABASE SYSTEMS

Notes for Chapter 12 Logic Programming. The AI War Basic Concepts of Logic Programming Prolog Review questions

Model Finder. Lawrence Chung 1

An Attribute-Based Access Matrix Model

A Firewall Application Using Binary Decision Diagram

Formal Verification of Business Continuity Solutions

Cyber Physical System Verification with SAL

Lecture1: Symbolic Model Checking with BDDs. Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Automated Refinement Checking of Asynchronous Processes. Rajeev Alur. University of Pennsylvania

Formally Certified Satisfiability Solving

Conjunctive queries. Many computational problems are much easier for conjunctive queries than for general first-order queries.

Sequential Dependency and Reliability Analysis of Embedded Systems. Yu Jiang Tsinghua university, Beijing, China

Nonstandard Inferences in Description Logics

State-Based Techniques For Designing, Verifying And Debugging Message Passing Systems

Issues on Decentralized Consistency Checking of Multi-lateral Collaborations

Definition: A context-free grammar (CFG) is a 4- tuple. variables = nonterminals, terminals, rules = productions,,

Enhancement of Feedback Congestion Control Mechanisms by Deploying Active Congestion Control

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

Automated Analysis and Synthesis of Block-Cipher Modes of Operation

Finite State Verification. CSCE Lecture 21-03/28/2017

Faster Constraint Satisfaction Algorithms for Temporal Reasoning' (*)

Software Model Checking with Abstraction Refinement

Propositional Calculus: Boolean Functions and Expressions. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

IWAISE November 12, 2012

LOGIC AND DISCRETE MATHEMATICS

AS concurrent users access and update databases in terms

Summary of Course Coverage

A Modular Model Checking Algorithm for Cyclic Feature Compositions

Auto-Generating Test Sequences for Web Applications *

Model checking and timed CTL

Integer Programming ISE 418. Lecture 7. Dr. Ted Ralphs

Propositional Calculus. Math Foundations of Computer Science

On Reasoning about Finite Sets in Software Checking

Constraint Satisfaction Problems

Negations in Refinement Type Systems

Formal Verification. Lecture 10

Advanced VLSI Design Prof. Virendra K. Singh Department of Electrical Engineering Indian Institute of Technology Bombay

Static program checking and verification

Transcription:

Model Checking of Location and Mobility Related Security Policy Specifications in Ambient Calculus Devrim Ünal (presenter) devrimu@uekae.tubitak.gov.tr National Institute of Electronics and Cryptology, TUBITAK, Turkey Ozan Akar, Prof. Dr. M. Ufuk Caglayan Computer Networks Research Laboratory (NETLAB), Bogazici University, Turkey

Outline of Presentation Introduction Motivation Related Work A Formal Model for Security Policies for Multi-domain Mobile Networks in Ambient Calculus Model Checking of Security Policy Specifications in Ambient Calculus Model Checker Complexity and Performance Analysis Conclusion

Introduction (Problem Domain) Research services University Domain University Mobile user Government Mobile user Unversity Domain Policy Government Domain Policy Government Domain Government Services Role&Resource map Inter-domain policy Mobile services Information sharing Mobility Internet Inter-domain access Service Provider domain Mobile subscriber Inter-domain policy Service Provider Domain Policy Commercial Commercial Domain Policy Commercial services domain Commercial Mobile user The multi-domain mobile network environment consists of multiple interconnected domains and mobile users, hosts and objects. Interconnection and mobility are the two main concepts that come into consideration where users are allowed to use network connectivity of multiple domains.

Introduction (Contributions) We present a method and a model checking tool for formal specification and verification of location and mobility related security policies for mobile networks. The formal languages used for specification are Predicate Logic and Ambient Calculus. The presented tool is capable of spatial model checking of Ambient Calculus specifications for security policy rules and uses the NuSMV model checker for temporal model checking.

Motivation Security policies in a multi-domain environment require specification and verification of multiple policies. The heterogeneous nature of mobile networks suggests a common formal policy model. Security breaches in multi-domain mobile networks often arise from insufficient representation and enforcement of multiple actions including mobility. Formal verification of policies by use of a common formal policy model provides means to reduce security breaches arising from incomplete, inconsistent and ambiguous specification of multi-domain policies.

Related Work (1) Formal security policy models SECPAL (Becker et al.) Flexible Authorization Framework (Jajodia et al.) Deontic Logic (Cuppens et al.) Various RBAC Models (GT-RBAC, GEO- RBAC, STARBAC, Lot-RBAC,...) Verification of policies Theorem proving for RBAC policies (Sohr et al.) ACPEG First order logic (Zhang et al.) Theorem proving with Coq (Unal et al.) MARGRAVE (?)

Related Work (2) Security Policy Specifications in Ambient Calculus Application-level security policies for ubiquitous computing (Scott) BACI R : Role-based access control for Ambient Calculus (Compagnoni et al.) Model Checking with Ambient Calculus Model checking biological systems (Mardare et al.) Model checking mobile ambients (Charatonik et al.)

A Formal Model for Security Policies for Multi-domain Mobile Networks in Ambient Calculus Formal Model for Security Policy Formal Specification of Mobile Processes in Ambient Calculus Formalization of Location and Mobility Related Policy Constraints

Formal Model for Security Policy Data Sets and Relations Authorization Terms Role Based Access Control Model Location and Mobility Constraints

Data Sets and Relations Domains Hosts Users Roles Objects Object types Authorization Subjects Authorization Objects Relation mapping hosts to domains. Relation between users and domains. Function that specifies the type of an object. Relation for assignment of users to roles. Relation for assignment of roles to permissions.

Authorization Terms The basic security policy rule is the authorization term at = (as, ao, sa, co, fo) as: Authorization Subject (Roles) ao: Authorization Object (Domains, Hosts, Objects, Object Types) sa S A is a signed action of the form (+,read) co: Condition (a generic constraint) is a firstorder logic formula from pre-defined predicates, fo: Formula is an Ambient Logic formula that defines location and mobility constraints. Security Policy SP is a set of authorization terms.

Role Based Access Control Model NIST RBAC Model FPFM (Formal Policy Framework for Mobility) RBAC Model

Location and Mobility Constraints Constraint Represents Represented by Location Locations of objects, users, hosts and domains Mobility The change of locations with time Somewhere modality, parallel and ambient formalizations of ambient logic Sometime and Everytime modalities in ambient logic Location and mobility constraints in the security policy rule. Location constraints are verified using Spatial Model Checking Mobility constraints are verified using Temporal Model Checki ng.

Formal Specification of Mobile Processes in Ambient Calculus Ambient Calculus ::= processes ::= capabilities inactivity variable composition name ambient can enter M capability can exit M input can open M asynchronous output null path Ambient Logic a name n ::= true composition negation location disjunction sometime modality void somewhere modality

Specification of Mobility in Ambient Calculus A message is sent from User 1 to User 3: World [DomainA [Server1 [ User1 [message[m out User1. out Server1. out DomainA. in DomainB, in Client2. in User3.0]]]] DomainB [Client2 [User3 [open message.(m).0]]]] * World [DomainA[Server1[User1[]]] DomainB [ Client2[User3[M]]]] Portable 1 disconnects from Domain A and connects to Domain B: World [DomainA[ Portable1[out DomainA. in DomainB.0]] DomainB[]] * World [DomainA[] DomainB[Portable1[]]]

Formalization of Location and Mobility Related Policy Constraints ``Files in Host 2 can not be read from within Portable hosts.'': (as = User, ao = file, sa = (-) read, fo = (Portable [as[]] Host2 [ao[]]), co = T) ``User 1 may not send messages to User 2.'': (as = User1, ao = User2, sa = (-) send, fo = as [message[] T] ao[t], co = T) ``A user can connect Portable 1 to Domain B.'': (as = User, ao = DomainB, sa = (+) connect, fo = (Portable1 [as[]] ao [T]), co = T) ``User 1 can login to Host 2 '': (as = User1, ao = Host2, sa = (+) login, fo = (ao [T] as [T]), co = T)

Applying Location and Mobility Constraints within Policy Rules To check location constraints in security policy, the input to the model checker tool is an Ambient Calculus specification and a set of Ambient Logic formulas. To express that process P satisfies the formula A, P A is used. The satisfaction relation determines the security policy rules applicable in a given mobile network setting.

Model Checking of Security Policy Specifications in Ambient Calculus Model Checker Overview of Model Checking Algorithm Ambient Calculus Model Checker Ambient Topology and Spatial Formula Graphs State Transition System Generation Checking Spatial Modalities Generation of Kripke Structure NuSMV Code Generation Example for Spatial Model Checking Algorithm

Overview of Model Checking Algorithm 1. Define atomic propositions with respect to spatial properties of ambient logic formula and register the (atomic proposition-spatial modality) couples. 2. Reduce ambient logic formula to temporal logic formula (CTL) by replacing spatial modalities with atomic propositions. 3. Generate state transition system of the ambient calculus specification with respect to reduction relations. 4. Generate Kripke Structure from state transition system. 5. Generate NuSMV code from Kripke Structure and CTL Formula.

Ambient Calculus Model Checker

Ambient Topology and Capability Trees Ambient Topology is an acyclic digraph where elements of set of nodes denote ambients within the ambient calculus specification and arcs denote parent-child relation among ambients. Capability Tree is an acyclic digraph where set of nodes denote capabilities and arcs, denote priority relation among capabilities. Nodes contain the information about which ambient the capability is attached and which ambient the capability effects.

Spatial Formula Graphs V Compositon Compositon Compositon Compositon ² ² Compositon Compositon m T k Compositon Compositon l T Compositon j T p A spatial formula graph is an acyclic digraph where node denotes connectives and locations, arcs denote the operator operand relation. F: (²( m [l [j[] ] ] T)) V (²(k[p[] T ] T))

State Transition System Generation State transition system can be represented by an acyclic digraph (replication-free) Nodes represent states and edges represent the execution of a capability For selection of the next capability to execute, some condition checks are carried out. These conditions are the location of the object ambient and the availability of the subject ambient.

Checking Spatial Modalities Ambient logic formulas are decomposed into a CTL formula and a set of spatial formulas by formula reduction. Matching of an ambient topology and a spatial formula is a recursive procedure in which ambient topology nodes are assigned to formula nodes. Match process is successful when all nodes at ambient topology is matched to a spatial formula node.

Spatial Tree Matching Heuristic Functions. Heuristic functions are used at matching the Parallel composition and Somewhere connectives. The number of these trials are reduced by the help of auxiliary heuristic functions.

Generation of Kripke Structure Let AP be a non-empty set of atomic propositions. A Kripke structure is a four-tuple; M = (S, S0, R, L) where S is a finite set of states. S0 S is the set of initial states. R S S is a transition relation L: S 2(AP) is a function that labels each state with the set of atomic propositions true in this state.

Complexity and Performance Analysis Time Complexity Space Complexity Performance Results

Time Complexity Where n is the number of capabilities in the ambient calculus specification, the time complexity of generating state n transition system in worst case is n! k = 0 k! The time complexity of checking spatial modalities are dependent to the type and number of the connectives of the spatial formulas. ( sw not ) O( w a ne d w ) The space complexity of the space generation is where n is the number of capabilities.

Performance Results As an example to performance results, a specification with 16 ambients and 37 capabilities generates nearly 630,000 states with memory consumption under 8 MB and a time of under 300 seconds.

Conclusions and Future Work Case studies and complexity analysis show that size of the state transition system is the most significant element at time and spatial cost of model checking. Number of states grows exponentially as capability numbers increase linearly. A partial order reduction might decrease the number of the states. We are currently develop a partial order reduction technique for ambient calculus.

Thank you for listening... Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback