11 research outputs found
Extraction of Insider Attack Scenarios from a Formal Information System Modeling
International audience. The early detection of potential threats during the modelling phase of a Secure Information System is required because it favours the design of a robust access control policy and the prevention of malicious behaviours during the system execution. This paper deals with internal attacks which can be made by people inside the organization. Such attacks are difficult to find because insiders have authorized system access and also may be familiar with system policies and procedures. We are interested in finding attacks which conform to the access control policy, but lead to unwanted states. These attacks are favoured by policies involving authorization constraints, which grant or deny access depending on the evolution of the functional Information System state. In this context, we propose to model functional requirements and their Role Based Access Control (RBAC) policies using B machines and then to formally reason on both models. In order to extract insider attack scenarios from these B specifications our approach first investigates symbolic behaviours. The use of a model-checking tool allows to exhibit, from a symbolic behaviour, an observable concrete sequence of operations that can be followed by an attacker. In this paper, we show how this combination of symbolic execution and model-checking allows to find out such insider attack scenarios.
Implicit induction proofs: the case of associative-commutative and observational theories [Preuves par induction implicite : cas des théories associatives-commutatives et observationnelles]
Full text accessible only to members of the Université de Lorraine. Automated induction proofs are a formal means for systems validation. In the framework of test set induction, we propose two automated proof methods for conditional specifications: one deals with associative-commutative (AC) theories, the other with observational theories. In the first method, we give an algorithm for computing induction schemes, as well as a new inference system using elaborated AC rewriting techniques. For a class of specifications, the method detects non-valid conjectures in a finite time. Interesting experiments on the correctness of digital circuits produced proofs requiring less interaction than other well-known provers. In the observational approach, data type objects are considered as equal if they cannot be distinguished by experiments with observational results. These experiments are represented by particular terms called observable contexts. We propose an automated proof method of observational properties, relying on the computation of a finite set of well-chosen contexts called test contexts, that schematizes all the observable contexts. We also propose methods for computing such test contexts and a new inference system. For an interesting class of specifications, the method detects non-observationally-valid conjectures in a finite time.
Deciding knowledge in security protocols under some e-voting theories
In the last decade, formal methods have proved their interest when analyzing security protocols. Security protocols require in particular to reason about the attacker knowledge. Two standard notions are often considered in formal approaches: deducibility and indistinguishability relations. The first notion states whether an attacker can learn the value of a secret, while the latter states whether an attacker can notice some difference between protocol runs with different values of the secret. Several decision procedures have been developed so far for both notions but none of them can be applied in the context of e-voting protocols, which require dedicated cryptographic primitives. In this work, we show that both deduction and indistinguishability are decidable in polynomial time for two theories modeling the primitives of e-voting protocols
Symbolic Search of Insider Attack Scenarios from a Formal Information System Modeling
International audienc
Formal analysis of a private access control protocol to a cloud storage
International audience. Cloud storage provides an attractive solution for many organizations and enterprises due to its features such as scalability, availability and reduced costs. However, storing data in the cloud is challenging if we want to ensure data security and user privacy. To address these security issues cryptographic protocols are usually used. Such protocols rely on cryptographic primitives which have to guarantee some security properties such as data and user privacy or authentication. Attribute-Based Signature (ABS) and Attribute-Based Encryption (ABE) are very adapted for storing data on an untrusted remote entity. In this work, we enhance the security of cloud storage systems through a formal analysis of a cloud storage protocol based on ABS and ABE schemes. We clarify several ambiguities in the design of this protocol and model the protocol and its security properties with ProVerif, an automatic tool for the verification of cryptographic protocols. We discover an unknown attack against user privacy in the Ruj et al. protocol. We propose a correction, and automatically prove the security of the corrected protocol with ProVerif.
Formal Analyze of a Private Access Control Protocol to a Cloud Storage
International audience. Keywords: Cloud storage, formal methods, attribute based signature, attribute based encryption, data and user privacy.
Abstract: Storing data in the Cloud makes challenging data's security and users' privacy. To address these problems cryptographic protocols are usually designed. Cryptographic primitives have to guarantee some security properties such as data and user privacy or authentication. Attribute-Based Signature (ABS) and Attribute-Based Encryption (ABE) are very suitable for storing data on an untrusted remote entity. In this work, we formally analyze the Ruj et al. protocol of cloud storage based on ABS and ABE schemes. We clarify several ambiguities in the design of this protocol and model the protocol and its security properties with ProVerif, an automatic tool for the verification of cryptographic protocols. We discover an unknown attack against user privacy. We propose a correction, and automatically prove the security of the corrected protocol with ProVerif.
GenISIS: a tool for finding insider attacks in Information Systems (short paper) [GenISIS : un outil de recherche d’attaques d’initié en Systèmes d’Information (Article court)]
National audienc