The satisfaction of software security requirements can be argued using supporting facts and domain assumptions. Sometimes, these facts or assumptions may be questioned, as more knowledge about vulnerabilities becomes available. This results in rebuttals that can be derived from the new information. In this paper, we outline an extension of our OpenArgue tool with an explanation facility that makes a rebuttal more transparent by showing, step by step, why the original security argument does not hold. We achieve this by using the output of the Alligator theorem prover, which constructs explicit and checkable proof objects. We illustrate the feasibility of this approach by applying it to an existing case study of a PIN entry device which involves a security argument that has been rebutted. The output of the prover enables us to unpack the logical reasoning behind the rebuttal at a much greater level of detail. This promises to be useful for argument explanation

Nuseibeh, Bashar

Piwek, Paul

Tun, Thein Than

Yu, Yijun

English

Open Research Online (The Open University)

Open Research OnlineThe Open University’s repository of research publicationsand other research outputsTowards explaining rebuttals in security argumentsConference or Workshop ItemHow to cite:Yu, Yijun; Piwek, Paul; Tun, Thein Than and Nuseibeh, Bashar (2014). Towards explaining rebuttals in securityarguments. In: 14th Workshop on Computational Models of Natural Argument, 10 Dec 2014, Krakow, Poland.For guidance on citations see FAQs.c© 2014 The AuthorsVersion: Version of RecordLink(s) to article on publisher’s website:http://cmna.csc.liv.ac.uk//CMNA14/Yu.pdfCopyright and Moral Rights for the articles on this site are retained by the individual authors and/or other copyrightowners. For more information on Open Research Online’s data policy on reuse of materials please consult the policiespage.oro.open.ac.ukTowards Explaining Rebuttalsin Security ArgumentsYijun YU a,1, Paul PIWEK a and Thein Than TUN a and Bashar NUSEIBEH a,baDepartment of Computing and Communications, The Open University, UKbLero, The Irish Software Engineering Research Centre, University of Limerick, IrelandAbstract. The satisfaction of software security requirements can be argued usingsupporting facts and domain assumptions. Sometimes, these facts or assumptionsmay be questioned, as more knowledge about vulnerabilities becomes available.This results in rebuttals that can be derived from the new information. In this pa-per, we outline an extension of our OpenArgue tool with an explanation facilitythat makes a rebuttal more transparent by showing, step by step, why the originalsecurity argument does not hold. We achieve this by using the output of the AL-LIGATOR theorem prover, which constructs explicit and checkable proof objects.We illustrate the feasibility of this approach by applying it to an existing case studyof a PIN entry device which involves a security argument that has been rebutted.The output of the prover enables us to unpack the logical reasoning behind the re-buttal at a much greater level of detail. This promises to be useful for argumentexplanation.Keywords. Security requirements, Proof systems, Formal arguments1. IntroductionSecurity threats and vulnerabilities in software systems are evolving rapidly. Not long af-ter the ‘heartbleed’ vulnerability of the OpenSSL implementation was reported,2 a moresevere ‘shellshock’ vulnerability was found to have impacted on any bash-based unixdistributions,3 followed by the discovery of the ‘Poodle’ bug in the SSLv3 used by mostweb browsers.4 Security mechanisms that were once trusted are no longer so. In hind-sight, it can be ‘easy’ to find facts against previously established trust assumptions, orarguments in support of security claims. Of course, after fixing the vulnerabilities, asoftware vendor may (at least temporarily) restore faith in the security of a system byupdating security arguments about mitigating with counter-measures deployed.A logical analysis of the satisfaction of security requirements leads to an iterative ar-gumentation process. An initial claim of security goes through rebuttals and mitigations,because facts become debatable due to the lack of complete knowledge about the designof software systems, the model of potential attacks, and the organisational and resource1Email: yijun.yu@open.ac.uk2http://www.bbc.co.uk/news/technology-269696293http://www.bbc.co.uk/news/technology-293756364http://www.bbc.co.uk/news/technology-29627887constraints. Debatable assumptions or facts are referred to as trust assumptions, becauseretaining them requires a leap of faith/trust [5]. The “risk assessment in security argu-mentation” (RISA) approach [4] was proposed in order to expose these trust assump-tions and assess the security risks that were not included in the initial analysis of securityrequirements.Even though questionable trust assumptions are often found after successful attacks,the detailed reasons that lead to the denial of security requirements are usually not madeexplicit. Without such understanding of the reasons, it is likely that similar mistakes willbe repeated in the future. In this paper, we investigate, using a case study, the feasibility ofexploiting the output of a theorem prover with explicit proof objects to explain rebuttalsof security arguments.2. PIN Entry Device exampleBefore introducing the proof system, we first illustrate the application of security argu-ments using a realistic PIN Entry Device (PED) example. The PED is a type of devicewidely-deployed and used by consumers to pay for goods with debit or credit smartcardsat the Points-Of-Sale (POS). When using the device, cardholders typically insert theircards, issued by a financial institution, into a card-reader interface, enter the PIN usingthe PED’s keypad, and confirm the transaction value via a display on the PED itself.Then smartcard-based systems are expected to authenticate cardholders via the PIN andverify the card details against a public-key certificate before transactions can be com-pleted. These certificates are usually stored on the chip but they can also be stored on themagnetic strip for compatibility with card-readers that have not adopted this technology.Most PEDs used in Europe implement the EMV (EuroPay, MasterCard and Visa)protocol in the process of authentication and authorization of payment transactions. Thisprotocol drives the communication at the PED-card interface and the PED-bank inter-face. The protocol by design allows only asymmetrically encrypted transmission of thePIN across these interfaces. However, many card issuers in Europe make the consciousdecision to adopt a low-cost EMV option in their smartcards which researchers [3] havefound to the be vulnerable, since it can be triggered to transmit an unencrypted PIN viathe interface between the PED and card.To illustrate the problem associated with this example, we constructed an incremen-tally updated argument to mimic the process of rebuttal and mitigation of security re-quirements, see Figure 1. In this argumentation diagram, nodes represent the claims, withfactual ground and warrants nested inside. The dotted arrow from a node A to node Bindicates rebuttal of the earlier claim in node A using the facts nested under node B. Thetrust assumptions nested inside the nodes are revealed when facts nested in the rebuttalnodes are found to be inconsistent with them, as indicated by the arrow between the factsinternal to the nodes.Using the OpenArgue tool [11],5 the structured argumentation diagram can be auto-matically transformed into a logic formula in Event Calculus. If this formula is inconsis-tent, rebuttal relationships can be inferred. However, the existence proof of the rebuttalrelationship between two collections of facts doesn’t allow us to explain why inconsis-tency with the trust assumptions has led to the denial of the initial claim.5http://sead1.open.ac.uk/risaFigure 1. Some rebuttals and mitigations about the security claim of the PED system: the upwards arrows(e.g., DK4→ DK2, A9→ A4) indicate from which facts and domain knowledge the trust assumptions (e.g.,DK2, DK4) are in question, whilst the downwards arrows show whether inconsistencies arise from the newlyintroduced knowledge, but not how (which will be explained step by step with the theorem prover).3. Explaining the RebuttalsWe have seen that the OpenArgue system allows one to construct security arguments anddisplay these diagrammatically. However, the reasoning service that supplies informa-tion on rebuttals relies on detecting inconsistencies through failure to find a model fora formula that captures the logical content of the argument. Currently, we are exploringthe addition of a further reasoning service, the ALLIGATOR theorem prover [8].6 It willallows us to identify the premises and reasoning that lead to an inconsistency. In thissection, we briefly describe the prover, illustrate its use with the PED example, and arguewhy it is particularly suited for the current task.3.1. Propositions as Types – Proofs as ObjectsThe ‘propositions as types and proofs as objects’ (PTPO) idea underpins the ALLIGATORtheorem prover. It goes back to the work of Curry, Howard and De Bruijn [6,7]. Wedescribe the idea briefly in this subsectionIn logic, the semantic notion of a valid argument from premises P1, . . . ,Pn to a con-clusion C, written P1, . . . ,Pn |= C, holds if the truth of the premises carries over to theconclusion. This is complemented by a syntactic notion of derivability of the conclusionfrom the premises, written P1, . . . ,Pn ` C. To trace the reasoning behind an argument,following PTPO, we associate each premise Px with an object px. The notation for thisis px : Px. The object px represents the proof (or evidence) for the premise. Similarly,the conclusion C is associated with an object c. In contrast with the premises, this objectis, however, a construction: it is constructed from (some of the) proofs of the premises.Thus, we now write: p1 : P1, . . . , pn : Pn ` c :C.This approach allows us to pose two different questions. Firstly, we can ask thestraightforward yes/no-question whether p1 : P1, . . . , pn : Pn ` c : C. We are askingwhether, given the premises, c is a proof of C. This is a type checking problem: giventhe premises (and the proofs for each of them), is the object c of type C? We treat theproof c as an object and the proposition C as a type, hence the slogan ‘proofs as objects,propositions as types’. Secondly, there is the harder question which asks for a proof ofthe conclusion: p1 : P1, . . . , pn : Pn `?x : C. In other words, we require a proof object cwhich, when substituted for the variable ?x, gives us a valid argument. This is a theoremproving problem. A solution, i.e a value for ?x, represents a proof of C. In fact, c is verycompact representation of a natural deduction proof for C. It is beyond the scope of thispaper to provide the full set of rules for constructing proof objects for conclusions.7 Thefollowing two examples, however, illustrate the idea.(1)p : P ∈ ΓΓ ` p : P startThis rule says that if the proposition P and its evidence is part of the set of premises(notation Γ), then we can derive P as a conclusion from those same premises, with p asthe evidence. Modus ponens is covered by the following rule:(2)Γ ` p : P Γ ` f : P→CΓ ` f · p :C arrow− eliminationThis rule allows us to construct a proof f · p forC from the proof p for P and f for P→C.The constructed proof is obtained through (function) application (signified by ‘·’) of theproof for P→C to the proof for P.6http://mcs.open.ac.uk/pp2464/alligator/7But see the documentation at http://mcs.open.ac.uk/pp2464/alligator/3.2. The PED example revisitedTo adapt the PED example for processing by the theorem prover, we added proof objectsfor each of the PED propositions. We used mnenonic names, so for instance the prooffor a proposition F1 becomes p f1. Thus we obtained the PED premises ΓPED. We thenasked the prover to construct a proof for the contradiction (represented by the symbol⊥): ΓPED `?x : ⊥. On an Intel Core i7 processor the following solution was returned(within less than 0.000 seconds): pdk4impliesndk2 · pdk4 · pi1(pa9impliesdk2andna4 ·(p f10and f11impliesa9 · pair(p f10, p f11))). This object can be expanded into the fol-lowing natural deduction proof:(3)dk4→¬dk2 dk4¬dk2a9→ (dk2∧¬a4)( f10∧ f11)→ a9f10 f11f10∧ f11a9dk2∧¬a4dk2⊥The proof shows that a contradiction arises from proofs for both dk2 and ¬dk2, wheredk2 stands for ‘Defeating the tamper proofing mechanism costs more than $25,000’. Theargument against this proposition (on the left-hand side) is based on dk4 – i.e. ‘Incentiveand expertise (with some imagination) represent enough ingredients to overcome tamperproofing mechanism ’ – implying ¬dk2. The right-hand side of the tree provides a break-down of the argument for dk2 (which can be explicated in English along similar lines).For the current application, we have restricted ourselves to the proposition logic.However, the actual prover can also deal with predicate and higher order logics. Thismakes it possible, at least in principle, to analyse arguments at a finer level of granularity.The proposed proof object-based representations lend themselves particularly well formodeling the content of natural language sentences, including anaphors and presuppo-sitions, which are difficult to model in classical predicate logic (see e.g. Piwek & Krah-mer [9], Ranta, [10] and Cooper et al. [2]).3.3. Arguments with Natural Language Descriptions and Natural DeductionsThe combination of visual diagramatic OpenArgue arguments and the Alligator struc-tured proof objects provide a natural way to reason about the security requirements. Thenaturalness is reflected in two perspectives. First, the natural language descriptions canappear next to the elements in the argument diagram shown in Figure 1. Second, we haveseen that the prover delivers a compact representation of a natural deduction proof. Apartfrom the fact that natural deduction proofs are more suitable for human consumptionthan, for instance, resolution and tableaux proofs, there are further benefits to the proofobject representation. This representation can be checked by an independent short pro-gram for correctness, thus satisfying the de Bruijn criterion: A proof assistant satisfiesthe de Bruijn criterion if it generates proof-objects (of some form) that can be checkedby an easy algorithm. [1].4. DiscussionsWe have shown, using a concrete example, that a prover with explicit proof objects cansupply details on why claims are rebutted, and is therefore a valuable addition to toolsupport for security arguments. In future work, we aim to fully integrate OpenArguewith ALLIGATOR and perform further evaluations. This will include developing assur-ance arguments for the translation between OpenArgue and ALLIGATOR notations anda natural language generation front end to articulate the proof objects.As an alternative to the traditional PED, recently Apple Pay was announced to be“usable, secure and private”8. Although this is a bold new claim, it is yet to be seenwhether legal and technical evidence supports it, and whether there are any hidden trustassumptions of which consumers should be made aware. Our contention is that by codi-fying arguments into a form that can be readily analysed by the argumentation and rea-soning tools that are described in this paper will allow one to separate hype from reality.Acknowledgement Financial support of the ERC (Adv. Grant ASAP No. 291652project), and SFI (grant 03/CE2/I303 I) are gratefully acknowledged.References[1] H. Barendregt and H. Geuvers. Proof-assistants using Dependent Type Systems. In A. Robinson andA. Voronkov, editors, Handbook of Automated Reasoning. Elsevier, 2001.[2] R. Cooper, S. Dobnik, S. Lappin, and S. Larsson. A Probabilistic Rich Type Theory for Semantic Inter-pretation. In Proceedings of the EACL 2014 Workshop on Type Theory and Natural Language Semantics(TTNLS), pages 72–79, Gothenburg, Sweden, 2014. Association for Computational Linguistics.[3] S. Drimer, S. Murdoch, and R. Anderson. Thinking Inside the Box: System-Level Failures of TamperProofing . In SP’2008, pages 281–295. IEEE Press, May 2008.[4] V. Franqueira, T. Tun, Y. Yu, R. Wieringa, and B. Nuseibeh. Risk and Argument: A Risk-based Argu-mentation Method for Practical Security. In RE’11 Proceedings, pages 239–248. IEEE Press, 2011.[5] B. Haley, C. Laney, D. Moffett, and B. Nuseibeh. Using trust assumptions with security requirements.Requir. Eng., 11(2):138–151, Feb. 2006.[6] W. Howard. The formulae-as-types notion of construction. In J. Seldin and J. Hindley, editors, To H.B.Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, pages 479–490. AcademicPress, Inc., Boston, MA, 1980.[7] R. P. Nederpelt, J. H.Geuvers, and R. C. de Vrijer, editors. Selected Papers on Automath. Studies inLogic and the Foundations of Mathematics. North-Holland, Amsterdam, 1994.[8] P. Piwek. The ALLIGATOR Theorem Prover for Dependent Type Systems: Description and Proof Sam-ple. In Proceedings of the Inference in Computational Semantics Workshop (ICoS-5), Buxton, UK,2006.[9] P. Piwek and E. Krahmer. Presuppositions in Context: Constructing Bridges. In P. Bonzon, M. Cav-alcanti, and R. Nossum, editors, Formal Aspects of Context, volume 20 of Applied Logic Series, pages85–106. Kluwer Academic Publishers, Dordrecht, 2000.[10] A. Ranta. Computational semantics in type theory. Mathematics and Social Sciences, 165:31–57, 2004.[11] Y. Yu, T. T. Tun, A. Tedeschi, V. N. L. Franqueira, and B. Nuseibeh. OpenArgue: Supporting Argumen-tation to Evolve Secure Software Systems. In RE’11, pages 351–352. IEEE press, 2011.8http://www.bbc.co.uk/news/technology-29107449

Towards explaining rebuttals in security arguments

Abstract

Similar works

Full text

Available Versions

Open Research Online (The Open University)