An effective model for composition of secure systems

https://doi.org/10.1016/S0164-1212(98)10036-5

Abstract

In this paper we present a composable security property based on the principle of an existing one that was developed for the non-interference requirement and used to deal with composition of components linked as a chain. This new property is more general in the sense that it can handle composition of components connected as a tree, and allow each component and their system to meet different security requirements. The applicability of the new property is then assessed based on a case study of security analysis of a file system. Useful observations derived from this case study are finally discussed which can help to develop cost-effective approaches to design and evaluation of secure systems.

Introduction

One of the most difficult problems in the procurement of a secure system arises in evaluating how secure the system is. Such evaluation is very expensive and time-consuming. The problem can be mitigated by a modular approach, i.e. the security of a system is determined in terms of that of its components. This approach is also adopted in system design. For instance, a distributed system is usually built, in a compositional approach, from a number of components that may be independently developed and evaluated, and a large-scale system is broken up into components (or modules) in a decompositional approach, in order to simplify its design.

Under these circumstances, it would be desirable to apply a composable security property to determine the security of a system from that of its components in such a way that if each of the components meets its security requirement, then the system is stated to satisfy the system security requirement without further evaluation based on the entire system. Thus the security analysis of the system is simplified by means of analyses of its components.

A number of composable security properties have been presented in the literature (Amoroso and Merritt, 1994; Boulahia-Cuppens and Cuppens, 1994; Dinolt et al., 1994; Johnson and Thayer, 1988; Maneki, 1995; McCullough, 1990; McLean, 1996; Meadows, 1992; Millen, 1990; Roscoe and Wulf, 1995; Zakinthinos and Lee, 1995). Most of them require every component and its system to comply with the same or compatible security requirements (or properties). A primary characteristic of these properties is separability, in the sense that the security of a system is decided by analysing that of each component separately, i.e. the security of a component is evaluated without knowing the detailed implementations of the others. For instance, the hookup property given in McCullough (1990) shows that if each component, assessed separately, satisfies this property, then the system made up of the components is simply stated to satisfy the same property as well. The use of these properties makes the security analysis of complex systems such as networked or distributed systems much easier; it would otherwise be extremely difficult, if not impossible.

However, the separability of these composable properties is usually achieved by assuming worst-case scenarios of interaction between components. This imposes overly strong security requirements on the components. Consequently their performance and functionality may have to be sacrificed unnecessarily in order to satisfy such security requirements. This problem can be avoided by appropriate consideration of the connectivity between components. In reality, when components are composed into a system, only some of the input and output entities of the components become those of the system; the others are hidden inside the system. These hidden entities should not be required to meet security requirements. This suggests that a security requirement should be enforced only on part of each component, rather than on the whole component as required by the composable properties.

To solve this problem, Shi and McDermid (1993) have presented a composable security property that properly takes into account connectivity between components. It enforces a security requirement on part of each component, and places a communication constraint on the other part. As a result, the components are permitted to have weaker security without weakening the system security. The limitation of this property is that it only considers the requirement of non-interference (Goguen and Meseguer, 1982) and the chain-like connection of components.

The aim of this paper is to utilise the principle of this composable property to propose a new separable and composable property that allows the tree-like connection of components and the enforcement of different security requirements (or properties) such as non-interference and non-deducibility given in Goguen and Meseguer (1982), Meadows (1992), Sutherland (1986) and Wittbold and Johnson (1990). The feasibility of this new property is then demonstrated by applying it to a case study of security assessment of a file system. Useful observations derived from this case study are finally discussed which can help to develop cost-effective approaches to design and evaluation of secure systems.

It is worth emphasising that the goal of this paper is to present a model for secure composition of components satisfying different security requirements, rather than to discuss the strengths and weaknesses of these security requirements themselves.

This new property has the following characteristics:

  • It makes use of interfaces to handle component composition. The advantage of using interfaces is three-fold. First, different constraints are placed accordingly on different interfaces of a component to minimise its security requirement without losing its composability and separability, and without compromising the system security. Secondly, the interfaces can be used to carry out the early security assessment of the component at the specification stage of the system development. Thirdly, the interfaces facilitate the design and maintenance of the component. Since its internal operations are hidden by the interfaces, it is allowed to have different implementations so long as they comply with the operational properties specified by the interfaces.

  • It permits different components and their system to meet different security requirements, which suits practical needs well. In this respect, other composable properties can be treated as its special cases, because they require each component and their system to satisfy the same or compatible security requirements.

  • It provides a means of specifying security requirements. In decompositional system development, security requirements for components of a system are generated from the system security requirement. In compositional system development, the security requirement of a system is determined from those of its components. The property ensures that if each component satisfies its security requirement, then their system satisfies the system security requirement.

The application of this new property is limited to the case where the connection of components has a tree-like structure. Examples of such application include networks with bus and star configurations, some distributed name and directory service systems (Coulouris, 1994), and networked authentication systems. In general, components and their connections should be represented as a graph with cycles. This case will be considered when extending the property in future. To this end, the work presented in this paper lays down foundations for the future development of a more general composable property.

The remainder of this paper is structured as follows. In Section 2, a model for the representation of operational properties of a component or system is presented, and interfaces of the component are then specified based on a tree-like structure of component connection. Section 3 describes a method for composition of components. In Section 4, security requirements are discussed, and a composable security property is developed to enforce different security requirements and to handle composition of components connected as a tree. In Section 5, we apply this composable property to assessing the security of a file system, and discuss useful observations derived from this case study. Finally our conclusions and future work are outlined in Section 6.

Component model

In this paper, operational properties of a component (or system) are represented by the following model:

Definition 1. A component consists of:

  • IO, a set of input and output entities, which is partitioned into

    • I, a set of input entities,

    • O, a set of output entities,

  • V, a set of input and output values,

  • values : IO → PV, a value function,

  • T : P(V × IO)*, a set of traces.


In this definition, PX denotes the power set of a set X, and X* the sequence set of X. The function values(e) of an input or output entity e

Components composition

We now discuss how to compose the entity and trace sets of components into those of their system. Without loss of generality, let us consider a subsystem Cs composed of components Cc and Cp with a link from Cc to Cp, as shown in Fig. 3. The entities of Cs are actually those of Cc and Cp which are not included in the D-interface of Cc and the A_{p,c}-interface of Cp, i.e. IO_s = (IO_c ∪ IO_p) \ (DIO_c ∪ AIO_{p,c}), where \ stands for the set difference. This is because the entities in these two interfaces are

Composable security property

We now proceed to discuss how to compose security properties of components, connected as a directed tree defined in Section 2, to determine the security of their system. The method for trace composition described in Section 3 shows that security requirements should be enforced only on the E-interfaces of the components, because their A- and D-interfaces are all hidden when the components are composed into the system. To enable the system to conform to its security requirement, however, a

File system

In this section we apply the CA property to assessing the security of a file system that is demanded to satisfy NI. For ease of understanding, the system is simplified and depicted as the directed tree in Fig. 7(a). The E-interfaces of components C2 and C3 in the tree comprise only high input and output entities, and the E-interface of C4 comprises only low ones. The entities and connections of these components are illustrated in Fig. 7(b).

Component C1 is responsible for managing and
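As an added example (not code from the paper), the following Python models Definition 1, the entity-composition rule of Section 3, and a simplified trace-level non-interference check of the kind the file-system case study demands. The component names, entity names, trace sets and the NI formulation (every low view must be reproducible by some trace with no high input) are assumptions of this example, not the paper's LE/HE/TP formalisation.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    """Definition 1 reduced to what the example needs: entities, a trace set,
    and the hidden A/D interfaces used for tree-like composition."""
    name: str
    inputs: frozenset
    outputs: frozenset
    d_iface: frozenset = frozenset()               # D-interface: entities sent to the parent
    a_ifaces: dict = field(default_factory=dict)   # A_{p,c}: entities received from child c
    traces: frozenset = frozenset()                # traces are tuples of (value, entity)

    @property
    def io(self):
        return self.inputs | self.outputs

def compose_entities(cc, cp):
    """Entity set of subsystem Cs built from child Cc linked to parent Cp:
    IO_s = (IO_c ∪ IO_p) \\ (DIO_c ∪ AIO_{p,c}); the linked interfaces are hidden."""
    hidden = cc.d_iface | cp.a_ifaces.get(cc.name, frozenset())
    return (cc.io | cp.io) - hidden

def low_view(trace, low):
    return tuple(ev for ev in trace if ev[1] in low)

def noninterfering(traces, low, high_inputs):
    """Simplified trace-level NI (this example's assumption): every low view must
    be reproducible by a trace containing no high input, so low outputs cannot
    depend on high inputs."""
    quiet = {low_view(t, low) for t in traces if not any(e in high_inputs for _, e in t)}
    return all(low_view(t, low) in quiet for t in traces)

# Constructed toy, not the paper's Fig. 7: Store keeps a high file, Query answers a
# low request. "size" is the link entity hidden by Store's D- and Query's A-interface.
store = Component("Store", frozenset({"h_write"}), frozenset({"size"}), d_iface=frozenset({"size"}))
query = Component("Query", frozenset({"size", "l_query"}), frozenset({"l_reply"}),
                  a_ifaces={"Store": frozenset({"size"})})

LOW, HIGH_IN = {"l_query", "l_reply"}, {"h_write"}
# Leaky: the low reply reveals whether a high write occurred (a storage channel).
leaky = frozenset({(("q", "l_query"), ("free", "l_reply")),
                   (("w", "h_write"), ("q", "l_query"), ("full", "l_reply"))})
# Fixed: the low reply is the same with or without the high write.
fixed = frozenset({(("q", "l_query"), ("ok", "l_reply")),
                   (("w", "h_write"), ("q", "l_query"), ("ok", "l_reply"))})
```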

Conclusions and future work

In this paper we have presented a separable and composable security property based on the principle of the composable property given in Shi and McDermid (1993). This new property can be applied to handling secure composition of components connected as a directed tree, and to enforcing different security requirements by simply specifying their corresponding sets LE, HE and TP. As an application of the property, a case study has been successfully conducted to assess the security of a file system.

References

  • Amoroso, E., Merritt, M., 1994. Composing system integrity using I/O automata. In: Proceedings of The Annual Computer...
  • Bell, D.E., LaPadula, L.J., 1976. Secure computer system: Unified exposition and multics interpretation, ESD-TR-75-306....
  • Boulahia-Cuppens, N., Cuppens, F., 1994. Asynchronous composition and required security conditions. In: Proceedings of...
  • Coulouris, G., 1994. Distributed Systems: Concepts and Design. Addison-Wesley, Reading,...
  • Dinolt, G.W., Benzinger, L.A., Yatabe, M.G., 1994. Combining components and policies. In: Proceedings of The Computer...
  • Goguen, J.A., Meseguer, J., 1982. Security policies and security models. In: Proceedings of IEEE Symposium on Security...
  • Johnson, D.M., Thayer, F.J., 1988. Security and the composition of machines. In: Proceedings of The Computer Security...
  • Kemmerer, R.A., 1983. Shared resource matrix methodology: An approach to identifying storage and timing channels. ACM...
  • Maneki, A.P., 1995. Algebraic properties of system composition in the LORAL, Ulysses and McLean trace models. In:...

Q. Shi received his B.Sc., M.Sc. and Ph.D. degrees in Computer Science. Since 1994, he has been a lecturer in the School of Computing and Mathematical Sciences at Liverpool John Moores University, UK. His research is concerned mainly with practical application of formal methods to design and evaluation of secure computer systems, including composable security theory, security architectures and secure communication protocols.

N. Zhang received her B.Sc. and Ph.D. degrees in Electronics Engineering (Telecommunications). She then worked for the Department of Computer Science, University of York, for 3 years as a research associate in the area of distributed real-time systems (specialised in timing analysis). Since 1994, she has been a lecturer in the Department of Computing, Manchester Metropolitan University, UK. Her research interests include security and privacy aspects in real-time, digital communication, and payment systems.