Multi-representational security analysis

Security attacks often exploit flaws that are not anticipated in an abstract design but are introduced inadvertently when the high-level interactions of that design are mapped onto the low-level behaviors of the supporting platform (for example, a design-level message realized as an HTTP redirect, with all the browser behavior that entails). This paper proposes a multi-representational approach to security analysis, in which models capturing distinct (but possibly overlapping) views of a system are automatically composed to enable an end-to-end analysis. The approach lets the designer incrementally explore the impact of design decisions on security and discover attacks that span multiple layers of the system, attacks that no single view exposes on its own. This paper describes Poirot, a prototype implementation of the approach, and reports on our experience applying Poirot to detect previously unknown security flaws in publicly deployed systems.
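To make the idea of composing views concrete, the following is an added, self-contained example written for this page; it is not Poirot's code, nor the paper's models, and the token-based design, the hostnames `app.example` and `cdn.example`, the token value `T0` and the rule names are all constructed for illustration. Each view is a set of forward-chaining rules over facts. The abstract view knows that a login causes the service to issue a bearer token but says nothing about transport; the platform view knows how a grant is carried over HTTP (a redirect whose URL the browser later sends as a `Referer`) but does not know that a grant ever happens. Neither view alone reveals the attacker learning the token; their composition does, and changing one mapping decision (token in the URL fragment, which browsers strip from `Referer`, instead of the query string) makes the composed attack disappear.

```python
"""Toy multi-representational analysis: compose an abstract design view with an
HTTP platform view and check the composed model for a cross-layer token leak.
Constructed example for illustration; not Poirot's implementation or models."""
from typing import Callable, Iterable, List, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

Fact = Tuple[str, ...]
Rule = Callable[[Set[Fact]], Iterable[Fact]]

# ---- View 1: abstract authorization design ---------------------------------
# A user logs in, the service grants a bearer token, the user presents it.
# The app channel is private in this view, so only "public" facts reach the attacker.
def abstract_rules() -> List[Rule]:
    def service_grants_token(facts):
        for f in facts:
            if f[0] == "login" and f[1] == "user" and f[2] == "service":
                yield ("grant", "service", "user", "T0")          # T0 is a constructed token value
    def user_presents_token(facts):
        for f in facts:
            if f[0] == "grant" and f[2] == "user":
                yield ("access", "user", "service", f[3])
    def attacker_reads_public_channel(facts):
        for f in facts:
            if f[0] == "public":
                yield ("knows", "attacker", f[1])
    return [service_grants_token, user_presents_token, attacker_reads_public_channel]

# ---- View 2: HTTP platform behaviour ----------------------------------------
# Correspondence between views: a design-level "grant" IS a 302 redirect carrying
# the token in the URL.  The landing page embeds a script from cdn.example, and the
# browser sends the landing URL (minus any fragment) as Referer when fetching it.
def platform_rules(token_position: str = "query") -> List[Rule]:
    def redirect_carries_token(facts):
        for f in facts:
            if f[0] == "grant" and f[2] == "user":
                sep = "?" if token_position == "query" else "#"
                yield ("location", "user", f"https://app.example/cb{sep}token={f[3]}")
    def browser_sends_referer(facts):
        for f in facts:
            if f[0] == "location":
                p = urlsplit(f[2])
                referer = urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))  # fragment dropped
                yield ("request", "user", "cdn.example", referer)
    def attacker_observes_own_host(facts):
        for f in facts:
            if f[0] == "request" and ("controls", "attacker", f[2]) in facts:
                yield ("knows", "attacker", f[3])
    def attacker_parses_url(facts):
        for f in facts:
            if f[0] == "knows" and "token=" in f[2]:
                yield ("knows", "attacker", f[2].split("token=", 1)[1])
    return [redirect_carries_token, browser_sends_referer,
            attacker_observes_own_host, attacker_parses_url]

def saturate(initial: Set[Fact], rules: List[Rule]) -> Set[Fact]:
    """Least fixpoint of the rules over the initial facts (the models are finite)."""
    facts = set(initial)
    while True:
        new = {f for r in rules for f in r(facts)} - facts
        if not new:
            return facts
        facts |= new

# Threat model shared by both views: the attacker controls the embedded third-party host.
INITIAL: Set[Fact] = {("login", "user", "service"), ("controls", "attacker", "cdn.example")}

def token_leaks(rules: List[Rule]) -> bool:
    return ("knows", "attacker", "T0") in saturate(INITIAL, rules)

def analyse(token_position: str = "query") -> dict:
    """Run each view alone and then their composition (union of rule sets)."""
    return {
        "abstract only": token_leaks(abstract_rules()),
        "platform only": token_leaks(platform_rules(token_position)),
        "composed": token_leaks(abstract_rules() + platform_rules(token_position)),
    }

if __name__ == "__main__":
    for pos in ("query", "fragment"):
        print(f"token in {pos}:", analyse(pos))
```

Composition here is simply the union of rule sets over a shared vocabulary, with the `grant`/`location` correspondence acting as the link between layers; the leak is derivable only once both views contribute, which is the kind of cross-layer attack the abstract describes, and re-running with the alternative mapping is the incremental design exploration it mentions.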
