2. Prerequisites
CITADEL framework basic knowledge
Specifications and Verification Tools for
CITADEL Modeling
Related material
CITADEL D4.4 MILS Monitoring System
CITADEL D3.3 CITADEL Design Techniques to
Specify, Verify, and Synthesize Policies for
Run-Time Monitors
Module Configuring - MILS Monitoring System
- State Monitoring. D6.6 Training Materials for
Electronic Delivery
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 2
Other materials and knowledge
3. Monitoring Plane Basic Knowledge
Basic Technology Overview
Specification of State Control /
Monitoring Policies
State Monitoring in CITADEL
Implementation of State Monitoring
applications
Linear Temporal Logic Policies
Sources and Related Reading
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 3
Contents
5. Specific critical functions served by
monitoring within the MILS adaptation
architecture
perform runtime observation to assure that
properties previously proven in the current
assurance case continue to hold
detect conditions that cause the current
configuration to no longer satisfy the current
conformance property
detect violation of assumptions in the current
assurance case or other conditions that should
trigger adaptation
build context awareness.
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 5
Purpose of the Monitoring Plane
6. Provides evaluation of the runtime system
behavior
Works on the system level in coherence
with the Separation Kernel
Addresses the need of creating bespoke
monitors and monitoring applications
For this purpose it implements
● simple and reusable monitoring algorithms and
security policies
● a toolchain for developing new policies
● a way to compose the existing policies and
algorithm
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 6
State Monitoring
8. Kaspersky Security System (KSS)
Is a flexible and extendable security
mechanism
can be integrated in a system as a
separate engine for
● security policies specification
● security verdicts calculation
Developed with MILS concept in mind
● keeps the principle of separation of access
computation and decision enforcement
● offers architectural and language mechanisms,
which, applied together, can form an adjustable
security monitoring system
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 8
Initial technology
9. Putting the security policies
computation away from applications
provides a number of benefits
From application’s point of view
● there is no need for applications to
implement security policies
● there is no need to change applications if
the security policy changes
● security policy is not limited to the means
supported by applications
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 9
Separation advantages (1)
10. From security engine’s point of view
● policies are abstracted away from
applications
● policies operate over abstract domains
● policies are not aware of differences
between applications, resources, etc.
● policy may remain stable even if
applications change significantly
● system-wide security policy is a
composition of smaller policies
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 10
Separation advantages (2)
12. consists of separated execution
environments, where technology
specific applications are executed, e.g.
interaction between processes,
external communications, local
computations, process control, human-
machine interfaces etc.
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 12
Application layer
13. controls the execution of entities,
mediates interactions between entities,
and communicates with the security
system to receive and enforce the
verdicts
for the MILS platform, the role of SRM
is played by the Foundational Plane
Reference monitor
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 13
14. Computes a verdict based on system
state, input data, and configured
security policy
Each entity on its execution is
associated with a security context
A security context is a data structure,
which is used by stateful polices to
keep security related attributes
required to compute a decision
The layer for the security system
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 14
17. The KSS architecture and its framework
are designed to provide support for
diverse security policies, including
monitoring policies
The specification framework consists of
● a set of policies templates for the security
server
● interface definition language (IDL)
● + component definition language (CDL)
● + entity definition language (EDL)
● security specification language (CFG)
● toolchain to translate CFG specification into
executable code
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 17
Monitoring Specification Support
18. KSS: Policy Definition Framework
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 18
19. Industrial process specification
a simple processing unit which consists of the
conveyor transferring the detail and the drill
which makes a hole in this detail in the given
location when the detail is under the drill
the system can be viewed as consisted
of two communicating parties
● entity, sending control commands (SCADA)
● entity, responsible for command
implementation and sending sensor
information (Factory)
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 19
Example
21. Example:
Policy Definition Framework
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 21
The set of
Definition
languages
Configuration
language
Application
developing
practices
IDL, CDL, EDL CFG Component design,
separation of
concerns, SoD, …
22. Traditional access control policies are
locked into a fixed set of internal system
prerequisites and usually don’t consider
time and environment
Linear Temporal Logic is the appropriate
logical tool for modeling the process and
check it execution
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 22
Example: Designing Policies
26. The CITADEL approach to MILS
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 26
27. The Monitoring Plane monitors the
components in the Operational Plane
and the resources in the Foundational
Plane and generates alarms when it
detects event patterns that indicate
faulty or suspicious system behaviour.
The monitored components, properties
and resulting alarms are specified in
the model.
CITADEL’s view on Monitoring
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 27
28. It is up to Foundational Plane, what to
do with the verdicts computed by the
Security System
this helps to implement the monitoring
using the same mechanism
This also helps with adaptivity, i.e. by
passing the verdicts about operations to
adaptation / reconfiguration
mechanisms it can provide a feedback
to the operational plane
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 28
How KSS is used for state monitoring
30. E-box – sensors (specific for State
Monitoring)
A-box – analysers (State Monitoring
policies in terms of the basic KSS
technology)
D-box – log
R-box – reaction: reconfiguration and
adaptation
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 30
In CITADEL Context
31. Types of events under State Monitoring
and Event sensors
Typical monitoring policies
Means of integration of specification
framework monitoring policies with the
system modeling framework
Means of integration with Configuration
and Adaptation mechanisms
What needs to be considered
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 31
32. The monitoring plane shall obtain and
save the data from diverse origins
system data
application data
security events
configuration log
data from external IDS and antimalware
engines
physical characteristics of the process
provided by cyberphysical controls
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 32
Sources of monitoring data
33. Integration of AADL specifications with
configuration of monitoring policies
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 33
Sources of monitoring policies
35. Layered implementation
Allows integrating monitoring plane with
operational plane and monitoring plane
with foundational plane in a way
allowing properly separate their
concerns
Increases flexibility and ability to
support the development of bespoke
monitoring applications
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 35
Implementation
36. Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 36
High-level design
37. Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 37
Implementation Scheme
39. The temporal property (linear temporal logic,
or LTL, formula) is extracted from the
AADL/SLIM specification and exported in
the format that can be accepted by the state
monitoring engine.
Phase 1: Model Integration
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 39
40. State monitoring engine is then composed
with this property and appropriate security
configuration in order to generate the state
monitor code, the C-file with all the policy
logic
Phase 2: Monitoring Configuration
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 40
41. The solution specific monitor library is linked
then with the state monitor (KSS) to
implement the state monitoring according to
the specification given at the model level
Phase 3: Technical Integration
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 41
42. Summary:
specify the objects for monitoring
get the data (from the operational plane
etc.)
renew sensors
for every objects check the completion
of the monitoring rules
Creating Bespoke Monitoring
Applications
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 42
43. How to create
a bespoke monitoring application (1)
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 43
The process of monitors synthesis
For the given SLIM definition, monitor
code is generated for every FDIR
component
● A component of Fault Detection, Isolation
and Recovery:
● optional input ports, for connecting the
monitor to monitored components
● at least one alarm port
44. How to create
a bespoke monitoring application (2)
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 44
The generated code of the monitoring
library:
The IDL specification for every FDIR
component
The common CFG for components
Some C code supporting CFG
The monitor is based on the monitoring
library
45. How to create
a bespoke monitoring application (3)
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 45
What is automated:
Connection to Adaptation Engine (AE)
and Configuration (CA)
● handshakes are similar to CF-testbed
Alarm generation (JSON format/CF-
testbed) and deliver to AE and CA
Searching for event potentially
requiring monitor starting/ stopping/
restarting
46. How to create
a bespoke monitoring application (4)
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 46
What is not automated:
Sensors (are individual per case)
Initial configuration transfer
48. What is LTL
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 48
Linear Temporal Logic (LTL) is a useful
tool in formal specification and runtime
verification of temporal safety
properties
LTL formulae define a set of event
traces where each even has an index
and an identifier of its type such as
observed command
action
other observable event
49. Specification of LTL Policies for
Runtime Monitors (1)
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 49
In the CITADEL Modeling Language
the policies are specified as AADL
properties of a monitor component,
representing the actual runtime monitor.
The monitor component is a component of
category system tagged with property
FDIR (to specify that it is a component of
the Fault Detection, Isolation and Recovery
subsystem).
It also specifies
● an alarm port, used to model raising of the
alarm
● the input ports representing the signals coming
from the SUS
50. Specification of LTL Policies for
Runtime Monitors (2)
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 50
The alarm port can also be tagged with an
optional property MonitoringProperty,
● an LTL formula over parameters, input ports
and data subcomponents of the monitor
● MonitoringProperty specifies the nominal
operational conditions, that is, the alarm should
be raised when the MonitoringProperty does not
hold
● This property can be used in reasoning
about possible reconfigurations by the
Adaptation System, and for automatic synthesis
of monitor code
51. Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 51
Example of LTL specification in AADL
52. Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 52
Example of LTL specification in KSS
The runtime verification of policies in the CITADEL Monitoring Plane is
implemented by the Kaspersky Security System (KSS). The monitoring
properties specified in the CITADEL Modeling Language are
automatically extracted and translated into the input configuration of
the KSS.
The above monitoring property will be converted into the following KSS
LTL specification
53. Process definition
with LTL in KSS CFG
(industrial case mentioned earlier)
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 53
54. where ’|’,’!’ and ’==>’ mean OR, NOT and IMPLY
respectively.
This specification is detailed with KSS CFG language to
set the informal drilling safety properties for drilling are
expressed in LTL as a custom policy for security server
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 54
Process definition
with LTL in KSS CFG
(industrial case mentioned earlier)
55. [1] CITADEL D4.4 MILS Monitoring System
[2] CITADEL D3.3 CITADEL Design Techniques to Specify, Verify, and
Synthesize Policies for Run-Time Monitors
[3] Tverdyshev S., Blasum H., Rudina E., Kulagin D., Dyakin P., Moiseev
S. (2016) Security Architecture and Specification Framework for Safe and
Secure Industrial Automation. In: Rome E., Theocharidou M., Wolthusen
S. (eds) Critical Information Infrastructures Security. CRITIS 2015.
Lecture Notes in Computer Science, vol 9578. Springer, Cham
[4] Kort, Semen, Kulagin, Dimitry, & Rudina, Ekaterina. (2017). An
approach to Separation of Duties validation for MILS security
configurations. Zenodo. http://doi.org/10.5281/zenodo.571156
[5] CITADEL D4.5 Integrated and tested Adaptive MILS Platform
[6] CITADEL. D4.3 MILS adaptation system
[7] Module Configuring - MILS Monitoring System - State Monitoring.
D6.6 Training Materials for Electronic Delivery
Kaspersky Lab UK Training – Advanced Technical Module – State Monitoring 55
Sources and related reading