DAG-Based Attack and Defense Modeling: Don't Miss the Forest for the Attack Trees

This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements

A framework for compositional verification of security protocols

Automatic security protocol analysis is currently feasible only for small protocols. Since larger protocols quite often are composed of many small protocols, compositional analysis is an attractive, but non-trivial approach. We have developed a framework for compositional analysis of a large class of security protocols. The framework is intended to facilitate automatic as well as manual verification of large structured security protocols. Our approach is to verify properties of component protocols in a multi-protocol environment, then deduce properties about the composed protocol. To reduce the complexity of multi-protocol verification, we introduce a notion of protocol independence and prove a number of theorems that enable analysis of independent component protocols in isolation. To illustrate the applicability of our framework to real-world protocols, we study a key establishment sequence in WiMAX consisting of three subprotocols. Except for a small amount of trivial reasoning, the analysis is done using automatic tools

Formally Verifying Information Flow Type Systems for Concurrent and Thread Systems

http://portal.acm.org/Information flow type systems provide an elegant means to enforce confidentiality of programs. Using the proof assistant Isabelle/HOL, we have machine-checked a recent work of Boudol and Castellani~\cite{BC02:tcs}, which defines an information flow type system for a concurrent language with scheduling, and shows that typable programs are non-interferent. As a benefit of using a proof assistant, we are able to deal with a more general language than the one studied by Boudol and Castellani. The development constitutes to our best knowledge the first machine-checked account of non-interference for a concurrent language

Secure Virtual Machine Migration in Cloud Data Centers

While elasticity represents a valuable asset in cloud computing environments, it may bring critical security issues. In the cloud, virtual machines (VMs) are dynamically and frequently migrated across data centers from one host to another. This frequent modification in the topology requires constant reconfiguration of security mechanisms particularly as we consider, in terms of firewalls, intrusion detection/prevention as well as IPsec policies. However, managing manually complex security rules is time-consuming and error-prone. Furthermore, scale and complexity of data centers are continually increasing, which makes it difficult to rely on the cloud provider administrators to update and validate the security mechanisms. In this thesis, we propose a security verification framework with a particular interest in the abovementioned security mechanisms to address the issue of security policy preservation in a highly dynamic context of cloud computing. This framework enables us to verify that the global security policy after the migration is consistently preserved with respect to the initial one. Thus, we propose a systematic procedure to verify security compliance of firewall policies, intrusion detection/prevention, and IPsec configurations after VM migration. First, we develop a process algebra called cloud calculus, which allows specifying network topology and security configurations. It also enables specifying the virtual machines migration along with their security policies. Then, the distributed firewall configurations in the involved data centers are defined according to the network topology expressed using cloud calculus. We show how our verification problem can be reduced to a constraint satisfaction problem that once solved allows reasoning about firewall traffic filtering preservation. Similarly, we present our approach to the verification of intrusion detection monitoring preservation as well as IPsec traffic protection preservation using constraint satisfaction problem. We derive a set of constraints that compare security configurations before and after migration. The obtained constraints are formulated as constraint satisfaction problems and then submitted to a SAT solver, namely Sugar, in order to verify security preservation properties and to pinpoint the configuration errors, if any, before the actual migration of the security context and the virtual machine. In addition, we present case studies for the given security mechanisms in order to show the applicability and usefulness of our framework, and demonstrate the scalability of our approach

Security analysis of a cyber-physical system

Cyber-Physical Systems (CPSs) are an integration of computing and physical processes. Information flow is an inherent property of CPSs and is of particular interest at their cyber-physical boundaries. This thesis focuses on discovering information flow properties and proposes a process to model the information flow in CPSs. A Cooperating FACTS Power System serves as a tangible example to illustrate modeling information flow using the proposed process. The proposed process can be used to model the information flow security, help analyze current information flow security requirements, and aid in the design of further security policies in CPS --Abstract, page iii

Context-Aware and Adaptive Usage Control Model

Information protection is a key issue for the acceptance and adoption of pervasive computing systems where various portable devices such as smart phones, Personal Digital Assistants (PDAs) and laptop computers are being used to share information and to access digital resources via wireless connection to the Internet. Because these are resources constrained devices and highly mobile, changes in the environmental context or device context can affect the security of the system a great deal. A proper security mechanism must be put in place which is able to cope with changing environmental and system context. Usage CONtrol (UCON) model is the latest major enhancement of the traditional access control models which enables mutability of subject and object attributes, and continuity of control on usage of resources. In UCON, access permission decision is based on three factors: authorisations, obligations and conditions. While authorisations and obligations are requirements that must be fulfilled by the subject and the object, conditions are subject and object independent requirements that must be satisfied by the environment. As a consequence, access permission may be revoked (and the access stopped) as a result of changes in the environment regardless of whether the authorisations and obligations requirements are met. This constitutes a major shortcoming of the UCON model in pervasive computing systems which constantly strive to adapt to environmental changes so as to minimise disruptions to the user. We propose a Context-Aware and Adaptive Usage Control (CA-UCON) model which extends the traditional UCON model to enable adaptation to environmental changes in the aim of preserving continuity of access. Indeed, when the authorisation and obligations requirements are fulfilled by the subject and object, and the conditions requirements fail due to changes in the environmental or the system context, our proposed model CA-UCON triggers specific actions in order to adapt to the new situation, so as to ensure continuity of usage. We then propose an architecture of CA-UCON model, presenting its various components. In this model, we integrated the adaptation decision with usage decision architecture, the comprehensive definition of each components and reveals the functions performed by each components in the architecture are presented. We also propose a novel computational model of our CA-UCON architecture. This model is formally specified as a finite state machine. It demonstrates how the access request of the subject is handled in CA-UCON model, including detail with regards to revoking of access and actions undertaken due to context changes. The extension of the original UCON architecture can be understood from this model. The formal specification of the CA-UCON is presented utilising the Calculus of Context-aware Ambients (CCA). This mathematical notation is considered suitable for modelling mobile and context-aware systems and has been preferred over alternatives for the following reasons: (i) Mobility and Context awareness are primitive constructs in CCA; (ii) A system's properties can be formally analysed; (iii) Most importantly, CCA specifications are executable allowing early validation of system properties and accelerated development of prototypes. For evaluation of CA-UCON model, a real-world case study of a ubiquitous learning (u-learning) system is selected. We propose a CA-UCON model for the u-learning system. This model is then formalised in CCA and the resultant specification is executed and analysed using an execution environment of CCA. Finally, we investigate the enforcement approaches for CA-UCON model. We present the CA-UCON reference monitor architecture with its components. We then proceed to demonstrate three types of enforcement architectures of the CA-UCON model: centralised architecture, distributed architecture and hybrid architecture. These are discussed in detail, including the analysis of their merits and drawbacks