Security Protocol Deployment Risk

Security protocol participants are software and/or hardware agents that are -- as with any system -- potentially vulnerable to failure. Protocol analysis should extend not just to an analysis of the protocol specification, but also to its implementation and configuration in its target environment. However, an in-depth formal analysis that considers the behaviour and interaction of all components in their environment is not feasible in practice. This paper considers the analysis of protocol deployment rather than implementation. Instead of concentrating on detailed semantics and formal verification of the protocol and implementation, we are concerned more with the ability to trace, at a practical level of abstraction, how the components in the protocol deployment (that is, the configuration of the protocol components) relate to each other and to the overall protocol goals. We believe that a complete security verification of a system is not currently achievable in practice and seek some degree of useful feedback from an analysis that a particular protocol deployment is reasonable.
