Design and Validation of a General Security Model with the Alloy Analyzer - Case Study Example

Summary
This study, "Design and Validation of a General Security Model with the Alloy Analyzer", looks at the system and its weaknesses when Alloy modeling is not in place, and then later takes a look at how Alloy modeling has influenced the security level of the system. The system is modeled by the use of Alloy modeling, while the previous systems were created using other modeling techniques…

Introduction

A secure system is one that has confidentiality, integrity, non-repudiation and authentication. In order to understand what a secure system is, new logical formulae that define the security properties of the system are created. Security is one of the non-functional requirements that have to be considered when a system is being created. Our main reason for this study is to find out how the architecture of a system is affected when security is to be included in the general architecture. Elements in an architecture are computational and have connectors between them and the other elements in the architecture. This control system is a system that is used by different users. This essay looks at the system and its weaknesses when Alloy modeling is not in place, and then later we take a look at how Alloy modeling has influenced the security level of the system. The system is modeled by the use of Alloy modeling, while the previous systems were created using other modeling techniques (Lord 2005, p. 56). This system is secure because of the many advantages that come with Alloy modeling. In Alloy modeling, the procedures are taken as commands by the system hardware and software, and they do exactly as the Alloy model commands them to do. We are very interested in the way that this will affect the security of the flight control system.

Security Overview

A secure system involves four main concepts: integrity, confidentiality, authentication and non-repudiation. Confidentiality is the ability of the system to remain private, such that only a user can get access to the important messages that are in his account. Integrity is the ability of the system to make it impossible for another user to change what is in the account of the other user. The security control model that we are discussing here is a good example of a secure system model.
Its security is largely attributed to the use of Alloy modeling to work on it. Below is the model that we are discussing.

The security model

-- Time is totally ordered by util/ordering; T0/next, T0/prev and T0/last are the ordering's functions.
open util/ordering[Time] as T0

sig Time {}

-- A policy names the processes allowed to read and to write the messages it protects.
sig Policy { hasRead, hasWrite: set Process }

-- known_by and knows are the two directions of one relation (see KnowledgeRule1).
sig Formula { known_by: set Process -> Time }

sig Process { knows: set Formula -> Time }

-- A record that a process sent a message.
sig Sent extends Formula { sender: one Process, msg: one Msg }

sig Msg extends Formula { contents: one Formula, lastWriter: one Process }

sig Protected_Msg extends Msg { protected_by: one Policy }

-- A record that a process received a message.
sig Recvd extends Formula { recvr: one Process, msg: one Msg }

-- A record that a process is permitted to write a protected message.
sig CanWrite extends Formula { writer: one Process, msg: one Protected_Msg }

-- Only processes in the policy's hasWrite set may write a protected message.
fact PolicyRule1 { no c: CanWrite | c.writer not in c.msg.protected_by.hasWrite }

-- Known information is never forgotten.
fact MemoryRule1 {
  all t: Time - T0/last() | let t' = T0/next(t) |
    all p: Process | all m: Msg | m->t in p.knows => m->t' in p.knows
}

-- A message never contains itself.
fact MsgRule1 { no m: Msg | m in m.contents }

-- A message has at most one sender.
fact MsgRule2 {
  all record: Sent | no bad_rec: Sent |
    (record.msg = bad_rec.msg) && (record.sender != bad_rec.sender)
}

-- Every message is known to some process at every time.
fact MsgRule3 { all t: Time | all m: Msg | some r: Process | (m->t in r.knows) }

fact KnowledgeRule1 {
  all t: Time | all f: Formula | all p: Process | p->t in f.known_by <=> f->t in p.knows
}

-- The contents of an unprotected message are learnt one step after the message.
fact KnowledgeRule2 {
  all t: Time - T0/last() | all p: Process | all m: Msg - Protected_Msg |
    let t' = T0/next(t) | m->t in p.knows => m.contents->t' in p.knows
}

-- The contents of a protected message are learnt only with read access.
fact KnowledgeRule3 {
  all t: Time - T0/last() | all p: Process | all m: Protected_Msg |
    let t' = T0/next(t) |
      (m->t in p.knows && HasReadAccess(p, m)) => m.contents->t' in p.knows
}

-- The last writer of a protected message always knows its contents.
fact KnowledgeRule4 {
  all t: Time | all p: Process | all m: Protected_Msg |
    p = m.lastWriter => m.contents->t in p.knows
}

pred HasReadAccess(p: Process, m: Protected_Msg) { p in m.protected_by.hasRead }

pred HasWriteAccess(p: Process, m: Protected_Msg) { p in m.protected_by.hasWrite }

-- A formula is secret if it is never the contents of an unprotected message.
pred IsSecret(f: Formula) { all u: Msg - Protected_Msg | f != u.contents }

-- A formula is unique if exactly one message carries it.
pred IsUnique(f: Formula) { one u: Msg | f = u.contents }

-- Validity is left unconstrained in this model.
pred IsValid(m: Protected_Msg) { m = m }

pred Confidentiality() {
  all t: Time - T0/last() | all a: Process | all m: Protected_Msg |
    let t' = T0/next(t) |
      ((m->t in a.knows) && (m.contents->t not in a.knows)
        && (IsSecret(m.contents)) && (!HasReadAccess(a, m)))
      => (m.contents->t' not in a.knows)
}

pred Integrity() {
  all m: Protected_Msg | some p: Process |
    IsValid(m) => (HasWriteAccess(p, m) && m.lastWriter = p)
}

pred Authenticity() {
  all t: Time | all m: Protected_Msg | all r: Process |
    one record: Sent | one c: CanWrite |
      (IsValid(m) && (m->t in r.knows)) =>
        (c.writer = m.lastWriter) && (c.msg = m) && (c->t in r.knows)
        && (record.sender = c.writer) && (record.msg = m) && (record->t in r.knows)
}

pred NonRepudiationReceiverSide() {
  all t: Time | all m: Msg | all p, q: Process | all record: Recvd |
    ((record.recvr = q) && (record.msg = m) && (record->t in p.knows)) => (m->t in q.knows)
}

pred NonRepudiationSenderSide() {
  all t: Time | all m: Msg | all p, q: Process | all record: Sent |
    ((record.sender = q) && (record.msg = m) && (record->t in p.knows)) => (m.lastWriter = q)
}

pred SecureSystem() {
  Confidentiality() and Integrity() and Authenticity()
    and NonRepudiationReceiverSide() and NonRepudiationSenderSide()
}

-- Obstacle: a process without read access learns the contents of a unique protected message.
pred Eavesdropping() {
  some pro: Process | some m: Protected_Msg |
    some t: (Time - T0/last()) - T0/prev(T0/last()) |
      let t' = T0/next(t) | let t'' = T0/next(t') |
        !HasReadAccess(pro, m) && (m->t in pro.knows)
        && (m.contents->t not in pro.knows) && (m.contents->t'' in pro.knows)
        && IsUnique(m.contents)
}

pred AntiEavesdropping_System() { SecureSystem() and Eavesdropping() }

pred AntiEavesdropping_Confidentiality() { Confidentiality() and Eavesdropping() }

-- The same obstacle without the uniqueness assumption.
pred EavesdroppingWhenSentInClear() {
  some pro: Process | some m: Protected_Msg |
    some t: (Time - T0/last()) - T0/prev(T0/last()) |
      let t' = T0/next(t) | let t'' = T0/next(t') |
        !HasReadAccess(pro, m) && (m->t in pro.knows)
        && (m.contents->t not in pro.knows) && (m.contents->t'' in pro.knows)
}

pred EavesdroppingWhenSentInClear_System() { SecureSystem() and EavesdroppingWhenSentInClear() }

-- Obstacle: a process without write access is the last writer of a protected message.
pred Corruption() { some m: Protected_Msg | !(HasWriteAccess(m.lastWriter, m)) }

pred AntiCorruption_System() { SecureSystem() and Corruption() }

pred AntiCorruption_Integrity() { Integrity() and Corruption() }

-- Obstacle: a send record names a sender other than the message's last writer.
pred Spoofing() {
  all t: Time | some m: Protected_Msg | some r: Sent | some p: Process |
    (r.sender != m.lastWriter) && (r.msg = m) && (m->t in p.knows)
}

pred AntiSpoofing_System() { SecureSystem() and Spoofing() }

pred AntiSpoofing_IntegrityAlone() { Integrity() and Spoofing() }

pred AntiSpoofing_Authenticity() { Authenticity() and Spoofing() }

-- Obstacle: a receipt record exists for a message the receiver does not know.
pred DeniableReception() {
  all t: Time | one p, q: Process | one m: Msg | one record: Recvd |
    record.recvr = q && record.msg = m && record->t in p.knows && m->t not in q.knows
}

pred AntiDeniableReception_System() { SecureSystem() and DeniableReception() }

pred AntiDeniableReception_NRRS() { NonRepudiationReceiverSide() and DeniableReception() }

-- Obstacle: a send record names a sender who is not the message's last writer.
-- The essay's text is cut off inside this predicate; the last two conjuncts are
-- reconstructed by analogy with DeniableReception and NonRepudiationSenderSide.
pred DeniableSending() {
  all t: Time | one p, q: Process | one m: Msg | one r: Sent |
    r.sender = q && r.msg = m && r->t in p.knows && m.lastWriter != q
}

pred AntiDeniableSending_System() { SecureSystem() and DeniableSending() }

pred AntiDeniableSending_NRSS() { NonRepudiationSenderSide() and DeniableSending() }

Now this is how the methods of the model are organized and planned. MemoryRule1 says that any known information is never forgotten.

Confidentiality

This model insists that if one process knows a protected message, then the contents of the message are not sent in the clear. The process also does not have access to read the protected message.

Integrity

An invalid protected message has a process which has the right to access it, and that process has to be the source of the protected message.

Authenticity

If a valid protected message is known, then this other process knows that there is some other process which has access to it. This prevents it from releasing protected information to the other processes.
Non-repudiation

If a process knows that another process has received a particular message, then this process must know the message that the other process received. This means that every process has to have its own message security, and that there should be no process that knows the information of another process. If a process knows that some process sent a message, then that process must be the sender. This means that every process has to have its own group of processes that send it messages.

Obstacles to the security system

Eavesdropping is one of the main security breaches: some processes are able to learn the contents of a protected message. This means that the process had no access to the message that was being sent. Therefore the process violates confidentiality. Another security breach is corruption. This is where a process that does not have access to a message becomes its source; therefore it breaches the integrity of the message. Spoofing was also detected to be present, and it violated authenticity by sending a protected message somewhere else. Double reception was also a problem that breached non-repudiation.

Alloy security

Almost all instances where the security was breached were generated. This shows that the definitions made are very consistent and compatible with each other. All the instances of insecurity that were available were generated not to hold using the Alloy model. However, in the case where both the security obstacle and its corresponding predicate were involved together, Alloy was unable to detect any security threat. A scope of 5 gives better confidence that the security definition is guarded. The need to be explicit about the assumptions in the security model was also exposed by the Alloy model in the flight system. When using Alloy, the action of eavesdropping, where information is taken from one user by another user without the consent of the first user, was detected.
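As an added example, not part of this essay or of the model it reproduces, the following reduced Alloy module shows how the pairing of an obstacle predicate with the property it should violate is actually exercised in the Alloy Analyzer at scope 5. It keeps only the pieces needed for the eavesdropping case (Time, Process, Policy, Msg, Protected_Msg, knows, hasRead, the memory rule and the two knowledge rules) and uses Alloy 4 bracket syntax. The predicate names follow the model above; the secrecy assumption inside Eavesdropping uses IsSecret in place of the model's IsUnique, and the module name, the assertion name and the run/check commands are my own.

```alloy
-- Added example: a cut-down version of the essay's security model, used only to
-- show the obstacle/property pairing and the commands that drive the Analyzer.
module security_check

open util/ordering[Time] as T0

sig Time {}
abstract sig Formula {}
sig Process { knows: Formula -> Time }
sig Policy { hasRead: set Process }
sig Msg extends Formula { contents: one Formula }
sig Protected_Msg extends Msg { protected_by: one Policy }

-- A message never contains itself (MsgRule1).
fact MsgRule1 { no m: Msg | m in m.contents }

-- Known information is never forgotten (MemoryRule1).
fact MemoryRule1 {
  all t: Time - T0/last | let tn = T0/next[t] |
    all p: Process, f: Formula | f->t in p.knows => f->tn in p.knows
}

-- Contents of an unprotected message are learnt one step later (KnowledgeRule2).
fact KnowledgeRule2 {
  all t: Time - T0/last | let tn = T0/next[t] |
    all p: Process, m: Msg - Protected_Msg |
      m->t in p.knows => m.contents->tn in p.knows
}

-- Contents of a protected message are learnt only with read access (KnowledgeRule3).
fact KnowledgeRule3 {
  all t: Time - T0/last | let tn = T0/next[t] |
    all p: Process, m: Protected_Msg |
      (m->t in p.knows and HasReadAccess[p, m]) => m.contents->tn in p.knows
}

pred HasReadAccess[p: Process, m: Protected_Msg] { p in m.protected_by.hasRead }

-- A formula is secret if no unprotected message carries it.
pred IsSecret[f: Formula] { all u: Msg - Protected_Msg | f != u.contents }

pred Confidentiality {
  all t: Time - T0/last | let tn = T0/next[t] |
    all a: Process, m: Protected_Msg |
      (m->t in a.knows and m.contents->t not in a.knows
        and IsSecret[m.contents] and not HasReadAccess[a, m])
      => m.contents->tn not in a.knows
}

-- Obstacle without any assumption about how else the contents may travel.
pred EavesdroppingInClear {
  some t: Time - T0/last | let tn = T0/next[t] |
    some a: Process, m: Protected_Msg |
      not HasReadAccess[a, m] and m->t in a.knows
      and m.contents->t not in a.knows and m.contents->tn in a.knows
}

-- Obstacle with the explicit assumption that the contents are secret
-- (the essay's model states this with IsUnique; IsSecret is used here).
pred Eavesdropping {
  some t: Time - T0/last | let tn = T0/next[t] |
    some a: Process, m: Protected_Msg |
      not HasReadAccess[a, m] and m->t in a.knows
      and m.contents->t not in a.knows and m.contents->tn in a.knows
      and IsSecret[m.contents]
}

-- Obstacle conjoined with the property it should violate: no instance is expected.
run { Confidentiality and Eavesdropping } for 5

-- Same pairing without the secrecy assumption: an instance is expected, in which
-- the same contents also travel inside an unprotected message and are learnt there.
run { Confidentiality and EavesdroppingInClear } for 5

-- The first claim phrased as an assertion, so the Analyzer reports a counterexample
-- instead of an instance if the property fails to exclude the obstacle.
assert ConfidentialityExcludesEavesdropping { Confidentiality => not Eavesdropping }
check ConfidentialityExcludesEavesdropping for 5
```

The first run should report that no instance was found, which is the evidence the essay cites for the property guarding against the obstacle. The second run is expected to produce an instance, because Confidentiality only constrains contents that satisfy IsSecret; this is the point the essay makes about having to state the uniqueness assumption explicitly rather than relying on the Analyzer to infer it. The check command makes the same claim as an assertion, which is the more natural form when the result is to be read as "property excludes obstacle".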
This brings us to the issue of confidentiality, where we can now say that the system is confidential and that no one else is able to see the information that is contained in another user's account. Non-repudiation is also fulfilled, since the system is able to perform its function and be secure as it is supposed to. When Alloy is used, the cases of integrity are increased, as no unauthorized user can view the work of another user. This therefore makes the system more secure compared to the previous system, where integrity was not guaranteed, as one user could easily see what the other users were doing or what they had. This can be seen as the first rule of the Alloy model.

The second rule states that known information is not forgotten. In the flight control code, every person who has access to the system has to have a username and a password. All of these are remembered by the computer, as they are stored in the cookies area. Therefore the information is not lost even in the case where someone decides to change their password. If they do so, then the older password is kept so that the next time they want to change their password they do not reuse one that they had previously used. Therefore everything that is in the system remains there forever as long as it has been stored.

To avoid unnecessary loops, a message is not supposed to contain itself. If this were allowed, then a loop would result that never ends. This is prevented in the frame condition of the flight control system. Any message that is found to contain itself is immediately removed from the system by the system model.

The third rule that the system detects is known as rule number two. It states that if a system process is able to know a message, then it will know the message forever. This means that it will continue to know its contents. Even if the message is protected, the system still has to remember the message, as it will be available in the cookies area, in this case in the protected cookies area.

Some of the obstacles to security include eavesdropping. In this type of security breach, some elements in the model are able to learn the contents of a message that they do not have access to. This can be avoided by storing all the information that is known to be confidential in the private cookies section. Corruption is also a major obstacle. Some processes can get messages that they are not supposed to get by knowing that a particular formula was sent by another process. For all the obstacles that are available, Alloy is able to generate an instance of security, which is used to protect the system. A scope of 5 should be used to give more confidence, as it has been used in the flight system.

The flight security model is made of an Alloy model that has assumptions built into it. If a message is eavesdropped, then we have to inform the system through the model that the message has to be unique. In so doing, the system does not allow any other model to have the message, since it is taken to be unique. A lot of time also has to be spent checking whether the system is working properly. If Alloy had the ability to let users execute the runs in batches, then less time would be spent testing whether the system is working correctly, as each batch would be tested on its own.

Conclusion

This system is one of the systems that can be said to be secure. It has used the Alloy model for simulation, and in the long run the system is very secure. Before using the Alloy model, the system was not secure and many of the security conditions were breached. Apart from that, the security modeling has not changed a lot in the entire architecture of the system. The system is therefore reliable and easy to write, since the modeling allows for inheritance using the object-oriented approach to modeling.
If that is used, then we reduce the time spent writing the model, and at the same time changes in one part of the model do not necessarily have to change the models of the other systems. A more secure system is made by the use of Alloy modeling as opposed to other modeling techniques.

Bibliography

Lord, J. O. (2005). Alloy systems. New York: Pitman Pub. Corp.
Love, B. (2001). Properties of yttrium and the rare earth metals oxygen and alloy systems: oxygen and alloy systems. Wright-Patterson Air Force Base, Ohio: Aeronautical Systems Division, Air Force Systems Command, U.S. Air Force.
Aluminum Association & American National Standards Institute. (2010). American national standard alloy and temper designation systems for aluminum. New York: American National Standards Institute.
Lord, J. O. (2006). Alloy systems, an introductory text. New York: Pitman Pub. Corp.
Massalski, T. B., & Okamoto, H. (2010). Binary alloy phase diagrams. Materials Park, Ohio: ASM International.
United States. (2003). Positive material verification prevent errors during alloy steel systems maintenance: BP Texas City, TX refinery fire. Washington, DC: U.S. Chemical Safety and Hazard Investigation Board. http://purl.access.gpo.gov/GPO/LPS76359
Materials Science International Team, Effenberg, G., & Ilenko, S. (2006). Ternary alloy systems phase diagrams, crystallographic and thermodynamic data. Subvolume B, Noble metal systems selected systems from Ag-Al-Zn to Rh-Ru-Sc. Berlin: Springer-Verlag. http://www.springerlink.com/content/g67027/