These are the slides of a talk I gave at SRI International about one of my journal papers (http://bit.ly/JLAP12).
The idea is to automatically synthesise orchestrators between stateful services that might be incompatible in signature, behavior and security protocols while avoiding deadlocks, livelocks and secrecy attacks
1. Synthesis of secure adaptors
for stateful services
J. Antonio Martín and Ernesto Pimentel
University of Málaga
SRI International, 2012
Paper: http://bit.ly/JLAP12
2. Motivation
● We deal with stateful services, i.e., services with behaviour
● Web Services have security policies
○ WS-Security, WS-SecureConversation, WS-Policy, ...
● Incompatible services send and receive incompatible
cryptographic messages
● We want to deal with incompatible policies and
incompatible behaviour (which arises deadlocks and
livelocks between these stateful services)
client
4. Solution: adaptation
● Deploy an adaptor in the middle of the communication
which adapts incompatibilities in signature, behaviour
and security
● Behavioural adaptation is based on receiving, rearrange
and forward messages at the appropriate time
● Security adaptation extends behavioural adaptation with
symmetric and asymmetric cryptography and digests
through hashing
Get flickr API key
client adaptor Request Frob
Handle Token...
7. Solution: adaptation contracts
● An adaptor is abstractly specified by a security adaptation
contract (SAC)
● The synthesis process takes a contract and returns
a deadlock/livelock-free adaptor
● Secrecy properties are verified over the system and, if
needed, the adaptor is automatically refined to preserve
them
client adaptor
synthesis process
contract
13. Example: Incompatible services
Service a
Service b
HOW:
send! could match
with either
anonymous?, des?,
pub_rsa? or
priv_rsa?
14. Example: Incompatible services
Service a
Service b
HOW:
send! could match
with either
anonymous?, des?,
pub_rsa? or
priv_rsa?
I have the user
U and pass K
15. Example: Incompatible services
Service a
Service b
HOW:
send! could match
with either
anonymous?, des?,
pub_rsa? or
priv_rsa? Goal:
pass info M
I have the user from b to a
U and pass K
16. Example: Incompatible services
Service a
Service b
HOW:
send! could match
with either
anonymous?, des?,
pub_rsa? or
priv_rsa? Goal:
pass info M
I have the user from b to a
U and pass K
Privacy req.:
M should not be
disclosed
17. Adaptation contract
Service a
Service b
Sec. Adaptation Contract
anonymous!M^ < send?M
public_key! <
...
E0 VLTS
18. Adaptation contract
Service a
Service b
Sec. Adaptation Contract
anonymous!M^ < send?M
public_key! <
...
E0 VLTS
19. Adaptation contract, E0
Service a
Service b
Sec. Adaptation Contract
anonymous!M^ < send?M
public_key! <
login!U^,E(K^,U^) <
des!E(K^, M^) < send?M
...
E0 = [k/K, u/U,...] VLTS
20. Adaptation contract, VLTS
Service a
Service b
Sec. Adaptation Contract
1. anonymous!M^ < send?M
2. public_key! <
3. login!U^,E(K^,U^) <
4. des!E(K^, M^) < send?M
...
E0 = [k/K, u/U,...] VLTS
}
22. Interactions compliant with SAC
Service a
Service b
Adaptor
Sec. Adaptation Contract
1. anonymous!M^ < send?M
2. public_key! <
3. login!U^,E(K^,U^) <
27. Secrecy property
Service a
Service b
● What do you want to protect?
● Which channels are subject to attack?
○ Restricted Dolev-Yao model
● Which information is public?
28. Secrecy property
Service a
Service b
Le - Actions not eavesdroppable
by the attacker
La - Actions not accessible nor
eavesdroppable by the attacker
p - Secrecy attack to avoid
29. Secrecy property
Service a
Service b
In our toy example:
La, Le: the attacker can only adaptor
avesdrop actions of service a
p: The attacker should not learn M
In other words, passive attacker and the
adaptor acts as a wrapper around service b
34. Contribution
● Adaptation of services with complex behaviors and security
policies in such a way that:
○ We avoid undesirable situations as deadlocks and livelocks
○ The adaptor is able to decompose and recompose messages
according to the interfaces and security policies of the services
involved
○ It is formally proved that the given secrecy attack is avoided
● The adaptation is specified by an abstract security adaptation
contract which expresses:
○ The initial information required for the adaptation
○ The transformations required to proceed with a successful
communication
○ The security checks to perform throughout the communication