
Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime


Adaptive security systems aim to protect critical assets in the face of changes in their operational environment. We have argued that incorporating an explicit representation of the environment's topology enables reasoning on the location of assets being protected and the proximity of potentially harmful agents. This paper proposes to engineer topology aware adaptive security systems by identifying violations of security requirements that may be caused by topological changes, and selecting a set of security controls that prevent such violations. Our approach focuses on physical topologies; it maintains at runtime a live representation of the topology which is updated when assets or agents move, or when the structure of the physical space is altered. When the topology changes, we look ahead at a subset of the future system states. These states are reachable when the agents move within the physical space. If security requirements can be violated in future system states, a configuration of security controls is proactively applied to prevent the system from reaching those states. Thus, the system continuously adapts to topological stimuli, while maintaining requirements satisfaction. Security requirements are formally expressed using a propositional temporal logic, encoding spatial properties in Computation Tree Logic (CTL). The Ambient Calculus is used to represent the topology of the operational environment (including the location of assets and agents) as well as to identify future system states that are reachable from the current one. The approach is demonstrated and evaluated using a substantive example concerned with physical access control.

Published in: Engineering

  1. Engineering Topology Aware Adaptive Security: Preventing Requirements Violations at Runtime. Christos Tsigkanos (1), Liliana Pasquale (2), Claudio Menghi (1), Carlo Ghezzi (1), Bashar Nuseibeh (2,3). (1) Politecnico di Milano, (2) Lero, (3) The Open University
  2. Motivation: engineering adaptive security systems that continue to protect critical assets in the face of changes in their operational environment. (Diagram: a Monitoring, Analysis, Planning, Execution loop over the Environment (Topology) and the System, reconfiguring Security Controls against the Security Requirements.)
  3. Topology: structure of space and location of objects and agents • Proximity • Reachability
  4-9. Physical Topology: structure of space (containment into physical areas) and location of objects and agents (placement of physical objects and agents) • Proximity: colocation in the same physical area • Reachability: accessibility of a physical agent/object to physical areas/objects
  10-14. Topology Helps Identify Relevant Security Concerns (Security Concern -> Topological Concept): Assets -> Agent, Object • Threat -> Agent • Attack -> Topology Structure and Relationships • Vulnerability -> Characteristic of an object or area • Security Control -> Location of assets and vulnerabilities. Example control: forbid access to O6.
  15. … But Topology Changes: topology changes determined by the movements of agents and assets may facilitate different attacks and render enabled security controls ineffective.
  16-17. Topology Changes Examples (1/2). Topology change: Bob enters office O6. Potential threat: Eve can access O6 and eavesdrop on the safe's key code.
  18-19. Topology Changes Examples (2/2). Topology change: a valuable server is placed in office O2. Potential threat: Mallory can tamper with the server.
  20. Topology Aware Adaptive Security: how to engineer the activities of the MAPE loop to reconfigure security controls at runtime when the topology changes.
  21. Engineering Topology Aware Adaptive Security
  22. Modeling the Topology of the Environment with the Ambient Calculus. How do we use it? For example: A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ] • Locations, agents and assets are specific kinds of ambients • Agents can move spontaneously depending on their current location
  23-24. Monitoring: the topology model is updated after changes in the environment are detected. For example, if Eve moves to room O6, A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ] becomes A2[ Bob | O5 | O6[ Eve | Safe ] | O7 ]
  25-26. Threat Analysis: identify violations of security requirements that can take place in future evolutions of the topology model. 1. Generation of future topological configurations 2. Identification of security requirements violations
  27-29. Generation of Future Topological Configurations
  31. Specifying Requirements with Computation Tree Logic • Branching time logic • Semantics in terms of states and paths. For example: never Bob with another agent in room O6
  32. Identification of Requirements Violations. Security Requirement:
  33-34. Planning: select security controls that prevent security requirements violations. Remove future paths of execution that should not be reached, progressively pruning the LTS until violating states no longer exist, while ensuring satisfaction of other requirements
  35-38. Planning (figure: pruned LTS with the removed transitions crossed out). Functional Requirement:
  39-40. Execution: revoke from agents the permission to access specific areas depending on the pruned LTS transitions. In our example, pruned LTS transition: <Eve in O6>; security control: revoke from Eve access to O6
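The monitoring, analysis, planning and execution steps of slides 22 to 40, carried through on the slides' own example as an added Python model (not the authors' prototype): agents move between A2 and its rooms, a bounded look-ahead enumerates future topologies, the requirement "never Bob with another agent in O6" is checked as an invariant over them, and planning picks the smallest set of revoked accesses that prunes every violating state. The functional requirement that Bob keeps his access to O6 is an assumption of this example.

```python
"""Toy topology-aware threat analysis (added example, not the authors' tool).
State = (Eve's location, Bob's location) in A2[ Eve | Bob | O5 | O6[ Safe ] | O7 ]."""
from collections import deque
from itertools import combinations

AREA, ROOMS, AGENTS = "A2", ("O5", "O6", "O7"), ("Eve", "Bob")
PROTECTED = {("Bob", "O6")}  # assumed functional requirement: Bob keeps access to the safe

def render(state):
    """Topology in the slides' Ambient Calculus notation."""
    locs = dict(zip(AGENTS, state))
    parts = [a for a in AGENTS if locs[a] == AREA]
    for room in ROOMS:
        inside = [a for a in AGENTS if locs[a] == room] + (["Safe"] if room == "O6" else [])
        parts.append(f"{room}[ {' | '.join(inside)} ]" if inside else room)
    return f"{AREA}[ {' | '.join(parts)} ]"

def successors(state, revoked=frozenset()):
    """One-move topology changes: an agent in A2 may enter any room and an agent
    in a room may step back out, unless that (agent, room) access is revoked."""
    for i, agent in enumerate(AGENTS):
        for dest in (ROOMS if state[i] == AREA else (AREA,)):
            if (agent, dest) not in revoked:
                yield state[:i] + (dest,) + state[i + 1:]

def reachable(start, revoked=frozenset(), depth=3):
    """Look-ahead: future states within `depth` moves (bounded BFS over the LTS)."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        s, d = queue.popleft()
        for n in (successors(s, revoked) if d < depth else ()):
            if n not in seen:
                seen.add(n)
                queue.append((n, d + 1))
    return seen

def violates(state):
    """Requirement from the slides as an AG-style invariant: never Bob with another agent in O6."""
    locs = dict(zip(AGENTS, state))
    return locs["Bob"] == "O6" and any(locs[a] == "O6" for a in AGENTS if a != "Bob")

def plan(start, depth=3):
    """Planning: smallest set of revoked accesses that prunes every violating
    state from the look-ahead without touching PROTECTED accesses."""
    options = [(a, r) for a in AGENTS for r in ROOMS if (a, r) not in PROTECTED]
    for k in range(len(options) + 1):
        for combo in combinations(options, k):
            if not any(violates(s) for s in reachable(start, frozenset(combo), depth)):
                return frozenset(combo)
```

After monitoring reports "Bob enters O6" (state `("A2", "O6")`), `plan` returns the single revocation `("Eve", "O6")`, the security control the Execution slide applies.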
  41. Evaluation • Applicability: prototype realisation; Analysis: Ambient Calculus model checking, domain-specific heuristics; Planning: security controls selection • Expressiveness: Permission ✓, Prohibition ✓, Obligation ✗, Dispensation ✗
  42. Conclusion & Future Work. Conclusion: a systematic approach to engineer adaptive security systems: formal representation of the physical topology; identification of security requirements violations by model checking; selection of security controls that prevent violations of security requirements. Future Work • Investigate applicability to Cyber-Physical Systems • Further evaluate the approach with practitioners
  43. Questions?
