An extensible analysable system model

Christian W. Probst (Technical University of Denmark, Denmark), Rene Rydhof Hansen (Aalborg University, Aalborg, Denmark)

Information Security Technical Report 13 (2008) 235–246. Available at www.sciencedirect.com, www.compseconline.com/publications/prodinf.htm. 1363-4127/$ – see front matter, © 2008 Elsevier Ltd. All rights reserved. doi:10.1016/j.istr.2008.10.012

Abstract

Analysing real-world systems for vulnerabilities with respect to security and safety threats is a difficult undertaking, not least due to a lack of availability of formalisations for those systems. While both formalisations and analyses can be found for artificial systems such

1.1. Countering insider threats

As modern economies depend ever more on information technology systems, the information handled by these systems becomes a precious good in lockstep. The disruption of services or loss of data can cause increasingly severe damage, leading to an ever increased interest in the protection of both data and systems. One of the toughest and most insidious problems in information security, and indeed in security in general, is that of protecting against attacks from an insider. By definition, an insider has better access, is more trusted, and has better information about internal procedures, high-value targets, and potential weak spots in the security. Consequently, an insider attack has the potential to cause significant, even catastrophic, damage to the targeted infrastructure. The problem is well recognised in the security community as well as in law-enforcement and intelligence communities, cf. (Bishop, 2005; Brackney and Anderson, 2005; Gollmann, 1998; Bishop et al., 2008). In spite of this, there has been relatively little focused research into developing models, automated tools, and techniques for analysing and solving (parts of) the problem. The main measure taken still is to audit log files after an insider incident has occurred (Brackney and Anderson, 2005).

The biggest problem is that typically insider threats occur in real-world systems with, e.g., large office complexes, human actors, and physical objects such as folders, print-outs, and keys. While many analysis techniques exist for verifying safety and security properties, they have been developed for application to rigorous formal models, which usually do not exist for real-world systems. Formal modelling and analysis, however, is increasingly important in a modern environment with widely distributed (physical and computer) systems, computing grids, and service-oriented architectures, where the line between the real and the virtual domain is more blurred than ever. Approaches such as threat modelling (Swiderski and Snyder, 2004) try to target the formalisation of the real-world domain, but still are far from the rigid techniques available in security research and formal methods.

Before presenting our techniques for using such formal methods for identifying insider threats, we first want to define what we understand by an insider, as this recently has been the topic of intense discussions, for example (Bishop, 2005; Brackney and Anderson, 2005; Bishop et al., 2008). Often, insiders and outsiders are treated the same since they can cause the same damage once they have the same knowledge. However, they intrinsically remain different with respect to the organisation they damage: while the insider is trusted to perform certain actions, the outsider most certainly is not. In our work we therefore make a clear distinction between insiders and outsiders, where only the former can be the source of insider threats. However, as a result of such a threat, an outsider may obtain knowledge that will enable him to cause damage comparable to that an insider may cause. It is noteworthy that the techniques presented in this work can be applied to both insiders and outsiders.

2. View of the world

In this section we introduce the kind of system we are addressing with our model, and thereafter introduce the actual model in Section 2.2. There is no real restriction as to which properties of systems can be modelled, such that our approach can be used in almost any setting with varying

2.1. High-level overview

The kind of systems we are interested in is characterised by certain basic properties. We assume that there are locations that are connected by some means, and that there are actors who can move around in the system, performing actions as they move around. Again, the notions of locations, actors, actions, and data are rather loose: locations can, e.g., be physical locations such as rooms or offices, or virtual locations in computer systems. In the former case the actors would probably be persons, in the latter programs. The actions performed can either be related to moving around, entering or leaving a room, or to operations on data, such as access, creation, etc.

Consider, for example, the insider problem as introduced in Section 1.1. Clearly we are mostly concerned with office buildings and real data such as folders, as well as computer networks and data that is available on these. Fig. 1 shows such a real-world system with components typical for the kind of systems we are interested in, namely rooms that are connected, a computer network, access control, etc. All these are aspects that we want to represent in our model, as they influence the way actors can behave in the modelled systems. In the example, actors can, e.g., walk around, pick up data from the printer or the wastebasket, etc.

Fig. 1 – The example system used to illustrate our approach (rooms shown: user office, server / printer room, janitor workshop, hallway; cipher locks marked C). The user can use the network connection to print some potentially confidential data in the server room. Depending on the configuration of the cipher locks, the janitor might or might not be able to pick up that printout. The building entrance is secured with a face recognition

The example shown in the figure models part of an environment with physical
locations (an entrance, a server room with a printer and a wastebasket, a user office, and a janitor's workshop connected through a hallway), and network locations (two computers connected by a network, and a printer connected to one of them). The access to the entrance, the server room, and the user office is restricted by a cipher lock, while the janitor workshop is accessible with a physical key. The actors in this system are a user and a janitor.

2.2. An analysable model of the world

We now define and discuss our system model in detail. The formal underpinnings of the modelling language will also be introduced and discussed to some extent, although the focus will be on the modelling aspects of the language. This includes specification of actions of interest, data items handled, and actors and their (partly) behaviour, if known. The presented model is an extension of the one presented in Probst et al. (2006). Beside the model itself we also present how it can be extended with specialised constructs, and illustrate the extensibility with examples.

The abstraction is based on a system consisting of components. We distinguish between location components such as offices and computers, data components, such as keys and actual data, and mobile components, such as processes and actors. Data can be associated with (stored at) locations and actors, and it can be secured by, e.g., encryption, and locations can be secured by access-control mechanisms, e.g., cipher locks. To support movements of dynamic components, locations can be connected by directed edges, which define freedoms of movements of actors. The rest of this section introduces all of the system components and shows several possible extensions.

2.2.1. Infrastructure

We start with defining the notion of an infrastructure, which consists of a set of. The infrastructure models the available connections in the modelled system, be it connections between rooms or computers, or be it possible to access one location from another one. For the example shown in Fig. 1 we obtain the graph representation in Fig. 2. All rooms have become nodes in the graph, as have computers, the printer, and the wastebasket. In general, all elements of a system where data can be located are modelled as nodes. Additionally, places at which some kind of access control is applied can be turned into nodes. In the example these are all the doors.
The connections between nodes are generated based on the type of connection they allow in the real system. For example, there is a one-way connection from the node representing the hallway to the node representing the server room's cipher lock, since the user will have to pass the access control to get into the room. On the other hand, there is no check to get out of the room into the hallway, so there is a direct edge from the server room node to the hallway node.

Note the special node labelled "Outside", which represents parts of the system that are of no interest, in this case everything that is outside of the office complex. Collapsed nodes like this, that model potentially large areas of the system under inspection that are of no interest, allow the system modeller to concentrate on the essential parts to be modelled. If the analysis result turns out to be too imprecise, collapsed nodes can later be replaced by a more detailed model of the previously ignored part of the system. A system model can have several of these collapsed nodes, each representing entities that are not connected to each other. Choosing what to collapse is highly dependent on the modelled system and the analysis to be performed: in the case of the insider analysis our foremost interest is to find out whether data leaves the modelled system, therefore we are not interested in what lies outside of that system.

As seen in Fig. 1, it is often natural to group several locations together, e.g., based on the room they are located in. Groups of locations can provide interfaces that control how actors can enter (some of the) locations in the group. In the example, the cipher locks prevent actors who do not have the correct code from entering some rooms, while the computers located in these rooms are accessible via the network.

2.2.2. Actors

Next, we define actors, which can move in the infrastructure by following edges between nodes, and domains, which allow us to constrain the nodes that an actor can move in. Usually, actors can only move in a certain domain. In the example setting, actors would be the user, the janitor, or processes on the computers. The user and the janitor can move in the locations representing rooms (physical domain), but they can only access, e.g., the printer and the wastebasket to take items out of them (object domain).

2.2.3. Data

Besides actors we are interested in the objects they work with, data in general. Note that we use a rather loose definition of data: any set of items can be used to model data at a convenient level of detail. Data items can be associated with both actors and locations, representing either what a user knows or possesses, e.g., by carrying around, or what data is available at a certain location. Assigning such knowledge to actors or locations before performing an actual analysis allows us to incorporate previously obtained insights into the analysis results and furthermore allows us to very easily test hypotheses about what could have happened if, e.g., a certain actor had known a certain piece of information. In the example, data could be used to model codes for the cipher locks or the key for the real lock, once we have extended the system model with access control in Section 2.3.1. Also printouts made from the workstations would be represented as data.

Fig. 2 – Abstraction for the example system from Fig. 1 (nodes: OUTSIDE, FRENT, FREXIT, HALL, CLSRV, SRV, PC1, PC2, PRT, WASTE, CLUSR, USR, LJAN, JAN). The different kinds of arrows indicate how connections can be accessed. The solid lines, e.g., are accessible by actors modelling persons, the dashed lines by processes executing on the network. The dotted lines are special in that they express possible actions of actors.

2.2.4. Actions

In order to model the behaviour of actors in a system, we will need to supply actions that can be performed by them. For each of these actions the system needs to specify how the action changes the locations of users, and the storage of data. The actions we use are based on those available in the system described in Probst et al. (2006) and Gunnarsson (2007), partly because they allow us to model the typical actions performed in real-world systems quite naturally. The actions allowed are input and output of data, evaluation of code at another location (starting a process on a computer), and moving to another location. The effect of each action is currently described by the semantics of the underlying process calculus. We are working on integrating the effect specification into the system definition, in order to allow an even more modular specification, where the semantics can be freely substituted.

2.2.5. System model definition

A system model in our approach consists of all the components just introduced. Using locations, actors, data, and actions, it allows us to capture the most important aspects of systems and insider threats: who the user is, what the user does and knows, and where the user does it. While very simple in nature, this model is both powerful enough to model real-world scenarios, and at the same time flexible enough to be easily extendable.

2.3. System extensions

In this section we briefly describe how to add extensions to the system model. The extensions covered are access control, encryption and decryption of data, which will be very similar to access control on locations, and a logging component, allowing us to create log files, which then can be used in analysing the system.

2.3.1. Access control

To model systems with access control, we need to model how actors can obtain the right to access locations, and how access to a location can be granted or denied. We associate actors with a set of capabilities, and locations with a set of restrictions. Both restrictions and capabilities can be used to restrain the mobility of actors, by requiring, e.g., a certain key to enter a location, or allowing access only for certain actors, or from certain locations. To ease presentation we use data items as keys and capabilities, and checker functions to test whether a given capability matches a restriction or not. In the example setting we could interpret the face of the actors as capability to enter the entrance of the building (based on face recognition), and the cipher keys as capabilities to enter the server room and the user office. The associated checkers would implement the test whether an actor with a given face is allowed to enter the building, or whether a cipher code matches the ones stored in the lock. In the semantics, access control and the related checkers are realised by reference monitors similar to Gunnarsson (2007), Hansen et al. (2006), and Probst et al. (2006) that check whether a certain action is allowed before executing it.

Fig. 3 shows the graphical representation of access control added to the example system (for the time being, ignore the overlined characters). Each of the boxes specifies how access is granted to certain actions at the location. For example, knowledge of the data item cU allows both access to the server room as well as the user office, as specified by cU: m, while cJ only allows access to the server room. The lines at the entrance refer to the identity of the actor that wants to perform an action, and are here used to represent the face.

2.3.2. Encryption and decryption

A convenient extension of the data model described in the previous section is to model encryption and decryption of data. We use an approach similar to the one for access control, that is, we annotate data with the key it has been encrypted with, and require knowledge of the matching key for decryption. This can be seen as requirements (of the data for being decrypted) and capabilities (of the user for being able to decrypt). A data item can be encrypted with a set of keys; the empty set of keys represents unencrypted data. It is noteworthy that this small change supports both asymmetric as well as symmetric encryption schemes, as the checker for the capabilities and restrictions ensures that the keys used for encryption and decryption match each other.

2.3.3. Logging

Another important component in a system is the ability to log (some of the) performed actions. Again, adding such a component to our system model is straightforward and requires only minimal changes to the system: the actual logging is performed as part of the semantics of the underlying process calculus. The additions to the system are a global clock and a logging component. The logging component maps a log entry to the reason why an action was allowed or denied, that is, a certain key, the actor's identity, or the location from which the request came, as well as the locations from where to where the action was performed. In the access-control specifications we distinguish logged and unlogged restrictions, and mark logged ones by using overlined characters (see Fig. 3). From the view of the system definition there is no difference between the versions with and without logging: all we assume is that there is a subset of restrictions that are logged as opposed to a subset of restrictions that are not logged. The difference will only occur in the underlying semantics.
2.4. Formal semantics of system models

The system model defined above has been designed to be easy and intuitive for use in the system modelling process. It furthermore lends itself very well to graph-based analysis techniques (see Section 4 for an example). However, in order to bring a wider variety of advanced analysis techniques and methodologies to bear, the system model needs a formal underpinning. In Probst et al. (2006) we show how the semantics of a system model can be formalised using a process algebra. Process algebras have been widely used to model and study problems in the concurrency and distributed systems communities. This work has led to the development of numerous automated tools and advanced techniques for analysis and verification of system properties. By formalising the semantics of system models using process algebras we enable the use of these tools and techniques for forensic analysis of our system models.

The process algebra used in Probst et al. (2006) is called acKlaim and belongs to the Klaim family of process calculi originally developed to study the tuple-space paradigm (Nicola et al., 1998). The acKlaim calculus is a variation of the Klaim calculus enhanced with access-control primitives and equipped with a reference monitor semantics, inspired by Hansen et al. (2006), that ensures compliance with a system's access-control policy. In addition to providing a convenient and well-understood formal framework with built-in support for access control, it has a well-established and mature history showing numerous successful applications of formal methods and techniques to analysis and verification of Klaim systems (Nicola et al., 1998; Nicola et al., 2000). This provides analysts with a proven and well-tested toolbox for analysing system models. In addition it forms a solid foundation for exploring novel approaches and integrating new technologies, thereby enabling forensic analysts to adapt the analysis platform to emerging threats and the ever-changing attack landscape.

The reference monitor semantics mentioned above ensures that the semantics only performs actions that are specifically allowed, based on a number of factors, such as: the type of action to be performed, the identity of the actor wishing to perform the action, the data in possession of the actor, and/or the locations involved in the action. This constitutes an implementation of the checkers defined in the previous section, and is also the place where logging is added to the system.

3. A modelling language

Being based on a collection of mathematical definitions, the abstract system specification described so far is not well suited for implementation. In this section we therefore define a language for specifying system models as text files, which then can be used as input for analyses. Although an abstract specification will be mapped to an acKlaim program, the syntax of the language should be as close to the abstract specification as possible. However, the user should not have to know anything about the underlying theory in order to use the language.

The syntax of the specification language is given in Fig. 4 and Fig. 5. Like the specification from Section 2.2, a system is composed of four major categories: locations, connections, actors, and data. Locations are represented by a location name along with a list of restrictions that the location makes on actions performed on it. Each restriction is a name specifying a location, an actor, a piece of data, or * representing a wildcard, and a list of actions that the given name is allowed to perform at the location.

Fig. 3 – The abstracted example system from Fig. 2, extended with policy annotations (annotations recoverable from the figure include *: m, cU: m, cJ: m, kJ: m at LJAN, U: e,i,o, SRV: i, PC2: o, PC1: m, SRV: i,o, and U: m, J: m at FRENT and FREXIT). There are two actors, janitor J and user U, who, e.g., have different access rights to the user office and the server room. Note the difference between accessing the user office or the server room with a cipher lock (logged) as opposed to the janitor workshop with a key (not logged).

Each location also specifies the
domain it is member of. The domain is simply a name and must of course not conflict with names used for other purposes. The list of restrictions for a location may be empty, meaning that no restrictions are imposed on the access of that location. To model that no access is allowed by anyone, the list of access modes should be left empty as in safe{ }.

Connections are specified with a right-pointing arrow from a location A to another location B, meaning that there is an edge from A to B. Both endpoints in a connection must be defined for the connection to be well-formed.

Actors are represented by a list of pairs of actor names and the name of the location(s) the actor is located at initially. Note that, in the case of uncertainty, an actor may be placed at several locations. The set of actor names must be disjoint from the set of location names for the specification to be well-formed. The location at which an actor is located must be defined in the list of locations.

Data is specified as a list of data elements annotated with access restrictions and information on where they are located (either at an actor or at a location). For ease of presentation, the structure of data is one-dimensional, namely a single string. This can easily be extended to a more complex tuple structure with nested tuples and so on. It should be noted that such a change does not require changes to the techniques presented here. If the list of restrictions is empty, the datum is assumed to be public, and if the list of access modes is empty for the name, the datum cannot be accessed by any actor in the system. Access restrictions on data may be decryption and read/write restrictions, modelled as input and output as for locations. Any actor is free to pick up or read data (as long as he has access to it), but to get the information that encrypted data holds he needs to have the necessary key to be able to decrypt it.

Fig. 4 – Syntax for specifying locations and associated policies. Elements of lists are separated with commas. Note that for the list of allowed actions only one version (logged or unlogged) of each action may occur.

The text in Fig. 6 shows the representation of the example system from Fig. 3. Beyond the system graph shown there, the
textual representation also includes the data available at actors or locations, as well as the locations where actors are located initially. In order to run through different scenarios, these locations, as well as the data available, can easily be changed. If, for example, during an investigation there was some doubt where the janitor was located, the input could be changed to J@outside,server if he might have been at the server room.

Fig. 5 – Syntax for specifying connections, actors, and data. The same restrictions for lists apply as in Fig. 4. Specification of an action is optional.

4. System model analysis

In this section we present two analysis techniques related to the model and language described in the previous sections. The goal of this section is to introduce the reader to some of the analytical tools and insights needed to get started. Both analyses are graph-based and work on the system model defined above.

The first analysis, called Conditional Reachability Analysis, is designed to determine which locations in a system an actor with a given name and set of keys can reach from a given location, directly or by performing an action on them. In the insider-threat scenario introduced above, this allows us to determine which locations an insider can reach and which data he can potentially access. This analysis can be compared to a before-the-fact system analysis to identify possible vulnerabilities and actions that an audit should check for.

The second analysis, called Log-trace Reachability Analysis, takes a log file as input and based on this determines which actor has been where, performing which actions and accessing which data. In the insider-threat scenario this analysis allows us to determine where actors might have been based on the observed actions. In an after-the-fact analysis, this analysis can also be used to add observations or investigation results to the log file in order to evaluate their impact.

The rest of this section is structured as follows. We first give a high-level introduction to the two analyses, followed by a more detailed presentation of their technical details in Section 4.2. After this, we evaluate both analyses in Section 4.3 by applying them to the example system. Interested readers can find the technical details in Section 4.2.

4.1. Analysis overview

When dealing with insiders and the threat they potentially might pose, we deem two scenarios especially important. On the one hand, we would like to know before an attack what capabilities certain actors have in the system based on what they know (and, as a result of this, where they can get). On the other hand, once an attack has happened, we would like to be able to identify what has happened in the system before, under, and after the attack. Before presenting the technical details in the next section (which safely can be skipped), we give a more high-level overview of how these two analyses work on our system model. It should be noted that these analyses only are examples of what the system can be used for. We are currently working on control-flow analyses (Nielson et al.), which however are beyond the scope of the work presented here. An example can be found in Probst et al. (2006).

4.1.1. Before the fact

When designing a system, especially an access-control system, it rapidly becomes unclear which parts of the system are accessible by which users. In systems combining networks with real buildings, the distinction between reachable and unreachable becomes even more blurry.

Fig. 6 – Textual representation of the example system from Fig. 3, including some data known at actors or stored at locations. For experiments, the locations of actors and data can easily be changed.
In this scenario our first analysis may be applied. Given a representation of the system under development (Section 2.2), and an extension with access restrictions (Section 2.3.1), this analysis allows us to identify which places a user may reach, based on who he is, what he knows, and where he is located. This analysis has two immediate applications: it allows us to identify possible shortcomings in an access-control system, and it allows us to decide whom to use in order to reach a certain location or retrieve a certain piece of data. While the first application probably is obvious, the second might not be. Here the idea is to use the analysis to find out which users are able to reach a certain location, based on their identity and knowledge (the who and what above). From all these users, one then can choose the user who lives up to certain expectations. These might be, for example, fewest access rights (meaning that the potential collateral damage is minimised), or above a certain rank in the hierarchy (hopefully meaning that this user can be trusted more than users below him in the hierarchy). Beyond these are uncounted possibilities to use and interpret the results of this first analysis.

The analysis that provides system designers with this knowledge is the conditional reachability analysis (CRA, Section 4.2.2). It receives a system model such as the one from Fig. 6 as input, and simulates for all users all actions they may perform. In this process, a user may be located at several positions simultaneously, thus representing uncertainty as to where the user is located exactly. For each user the analysis traces all possible ways the user might take through the system. While this may appear pessimistic given that the user eventually will only perform one sequence of actions, it is at the same time conservative in computing a superset of what will happen in real life. This is a necessary property for each analysis whose results can be applied in a meaningful way: if the analysis computes a certain result, it must somehow be possible that this result occurs (Nielson et al., 1999). Even though the analysis thus computes many ways through the system that no actor ever will follow, the computed result still allows us to see what can happen in the system based on access rights assigned to locations and keys assigned to actors, exactly what is needed for a before-the-fact analysis to support the system designer.

4.1.2. After the fact

Having designed a system, possibly with help of an analysis like the one just described, one needs to prepare for a potential attack. Such a preparation can come in several forms: be it in form of logging of actions performed by users, be it in form of after-the-fact forensic analyses using the log data as input. Surprisingly, this after-the-fact analysis still seems to be applied frequently (Brackney and Anderson, 2005). While in Utopian worlds complete surveillance often is assumed to be acceptable (and accepted), this is certainly not the case for our societies. Privacy concerns often limit the amount of data that may be logged, thus also limiting how useful the logged information is. Even worse, it often is more interesting what might have happened (unnoticed) in between two log entries, than what actually has been logged.

In this situation our second analysis may help. Like the before-the-fact analysis it receives a system model as input (Section 2.2), this time with the logging extension (Section 2.3.3), and a stream of logged events, for example recovered from some kind of logging system. This could either be the dump of logging units in the system, it could, however, also be observations made as part of an investigation, or a mix of both sources. Based on these, the analysis explores what an actor might have done in between two log entries. The more fine-grained the logging system is, the more precise the result of this analysis will be, but the more coarse-grained the logging system is, the more beneficial is our analysis. This is because the set of actions possibly performed between two log entries is getting bigger and bigger the further the two logged actions are apart. Consequently, it becomes harder and harder to keep a clear view of what might have happened in between.

The analysis that provides investigators with this knowledge is the log-trace reachability analysis (LTRA, Section 4.2.3). It receives a system model such as the one from Fig. 6 and a set of logged events as input, and simulates for all users all actions they may perform such that the set of logged events is generated. The overall operation of this analysis is very similar to the analysis described before: again, the analysis traces for all users all possible ways that they might take through the system. However, in this analysis the set of all paths is restricted by the requirement that the actions performed must match the logged events. This restriction results exactly in what is needed for the after-the-fact analysis: a tool that matches logged actions against possible actions, thus identifying locations that an actor might have reached and data items an actor might have accessed unnoticed.

4.2. Technical details

This section introduces some of the technical details underlying our analyses, including pseudo-code algorithms for computing the analysis results. Before going into more detail with respect to the two analyses, we first discuss equivalent locations, an important issue for both analyses presented.

4.2.1. Equivalent locations and actions

A notion that we will use several times in the following discussion is that of equivalent locations and actions. By this we mean locations and actions that from the viewpoint of an observer, in our case the analysis, cannot be distinguished. As a result, if the analysis finds out that an actor can be in a location, then he might just as well be in any equivalent location, or might have performed any actions in between. This notion of equivalence serves two different purposes. In the case of the conditional reachability analysis (Section 4.2.2) we use it to speed up the analysis: since the actor could reach all equivalent locations anyway, it is easier to just compute the transitive, reflexive hull of the current location and assume the actor is at any of these or has performed any actions possible in between. In the case of the log-trace reachability analysis, equivalency of locations and actions is defined based on whether or

[Footnote] Depending on the kind of institution applying the logging, these restrictions may be abandoned by individuals by signing according contracts. This may be deemed against public policy and inoperative in many states.
not reaching a location from another one or performing an action causes a log entry. Here, two locations and/or actions are deemed indistinguishable from the viewpoint of the analysis if the actor does not cause a log entry. Log-equivalency is needed to find out what might have happened between two log entries.

The pseudocode in Fig. 7 shows the realisation of log-equivalency in the log-trace reachability analysis. It simply visits all locations where a user might be, and computes the effect of every unlogged action that the user is allowed to perform at that location. This computation is repeated until no further changes to the graph occur. The implementation of regular equivalency is quite similar, the only difference being that there is no restriction as to causing a log entry.

4.2.2. Conditional reachability analysis

As mentioned before, the conditional reachability analysis is equivalent to a before-the-fact analysis, where a system designer might want to determine whether a given system lives up to a set of access-control restrictions. To do so, the analysis assumes the worst case, that is, whatever can happen, will happen. This is especially crucial with respect to data exchange, which in our case means that keys or secret data might be handed over between actors in the system.

Like the log-trace reachability analysis, which will be covered in the next section, this analysis is graph based. It starts from a system specification as presented before, constructs a graph from it, and for each actor simulates all possible actions that are allowed by the system. While the LTRA will restrict possible paths through the system with the set of logged actions that have been observed, the conditional reachability analysis explores the whole graph unconstrained, performing every action possible. In order to avoid non-termination it keeps track of which actor with which knowledge has been at which location; thus, re-analysing already seen scenarios can be avoided. The algorithm for CRA is given in Fig. 8. Essentially it only sets up the analysis by initialising all data structures, followed by a single call to equivalent, which performs the simulation of all possible actions and iterates until no further changes occur.

Fig. 7 – For each actor in the system we check for all locations he can be located at whether he can perform any actions. All these actions are assumed to have been performed. In the case of the log-trace reachability analysis, only actions that would not cause a log entry are considered.

Fig. 8 – Algorithm for computing which places an actor may reach in the system, based on the actor's initial location and knowledge. Initially, all actors and locations are initialized with the data they are assumed to know beforehand, and actors are located at their possible locations. Thereafter, the algorithm only needs to call the function equivalent (Fig. 7), which computes and simulates iteratively all actions that can be performed, until a fixpoint is reached. At the end, for each actor we know all locations, and for each pair of actor and location we know the knowledge at this point.

4.2.3. Log-trace reachability analysis

In Fig. 9 we present a graph-based algorithm for evaluating what effect sequences of logged actions might have had, by evaluating all sequences of actions on the system representation. Note that the algorithm is intended to demonstrate the principles underlying the solution rather than being an optimal implementation. The algorithm works on the sequence of logged actions. To trace the potential actions of actors, it traces where actors might be located, which data an actor knows at a location, and which data is stored at which location. Initially, all actors are assumed to be outside the system (location outside in the example) and to know an initial key set, which may be empty. Also locations are initialized with the potentially empty initial data set. Following the initialization, the algorithm consumes all entries in the log sequence. During each iteration it first simulates all log-equivalent actions that might be executed by actors at their current locations. This simulation is repeated
informationsecuritytechnicalreport13(2008)235–246 untilnofurtherchangesoccur.Afterhavingsimulatedalllog-equivalentactionsinthecurrentstate,thenextloggedactionisconsumed.Beforesimulatingthisaction,thealgorithmÞrstcheckswhetherthereisexactlyoneactorthatcanhavecausedthelogentry,inwhichcasethedatastructuresareupdatedaccordingly.Finally,attheendofeachiterationtheloggedactionissimulatedforallactorsthatmayhavecausedtheactiontohappen.Afterdoingso,theiterationstartsoverwiththenextloggedaction,untilallactionshavebeenconsumed.Thealgorithmthenrepeatsthesimulationofalllog-equivalentactions.4.3.AnexampleNowweapplythetwoanalysesjustpresentedtotheexamplesystemshowninFigs.3and6.Westartwiththeconditionalreachabilityanalysis(Section).Asshowninthetextualrepresentation,weexpecttheuserandthejanitortobelocatedoutsidethesystem,knowingthecodesand/orkeystotheirofÞceandtheserverroom.Table1showstheresultofapplyingCRAtotheexample.ThetablecontainsanalysisresultsfortwodifferentcasesÞrstweanalysethecaseswheretheuserandthejanitoreacharealoneinthesystem.Asonewouldexpect,theanalysisÞndsoutthateachofthemcanaccesstheroomstheyhavethekeysto,andthattheusercanobtainthesecretÞlestoredonpc1,eitherbyprintingitontheprinterintheserverroom,orbyobtainingitdirectlyfrompc1.TheÞleisonlyreadablebyU,thereforethejanitorcannotobtainit.Inanalysingthesecondcaseweassumetheuserandthejanitortobeactinginthesystemsimultaneously.Inthiscase,thejanitorisabletogetholdofthesecretÞle,namelyiftheuserprintsitintheserverroom.Itshouldbenotedthatthissecondcaseisacoarseapproximationofwhatreallymighthappen,asitdoesnotcontainanyinformationaboutnevertheless,thethreatexists. 
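As an added illustration (not the paper's code), the following Python sketch implements the conditional reachability analysis of Figs. 7 and 8 on a constructed model that loosely follows the example of Section 4.3: a user U knowing the code to his office and the key to the server room, a janitor J with keys to his own room and the server room, the file secret on pc1 readable only by U, and a printer in the server room. All location, key and item names are assumptions; the run reproduces the two cases of Table 1 (each actor alone versus both simultaneously).

```python
ANYONE = None  # reader set meaning "every actor present at the location may read"

# Constructed example (assumed names): directed moves between locations, each
# guarded by the key or code the mover must know (None = unrestricted).
EDGES = [("outside", "hall", None), ("hall", "outside", None),
         ("hall", "user", "code_user"), ("user", "hall", None),
         ("hall", "jan", "key_jan"), ("jan", "hall", None),
         ("hall", "server", "key_server"), ("server", "hall", None)]
# Data stored at a location and who may read it: pc1 in the user's office holds
# the file "secret", readable only by U.
DATA0 = {"user": {"secret": {"U"}}}
# Printing: an actor in the user's office who knows "secret" can send it to the
# printer in the server room, where anyone present can pick it up.
PRINT = ("user", "secret", "server")

def cra(actors):
    """actors: {name: (start location, initial knowledge)}.
    Returns {name: (reachable locations, obtainable knowledge)} after the
    fixpoint iteration of Fig. 7, run for all given actors simultaneously."""
    where = {a: {loc} for a, (loc, _) in actors.items()}
    know = {(a, loc): set(k) for a, (loc, k) in actors.items()}
    stored = {loc: dict(items) for loc, items in DATA0.items()}
    changed = True
    while changed:                       # repeat until no data structure changes
        changed = False
        for a in actors:
            for loc in list(where[a]):
                k = know[(a, loc)]
                # read every item at loc that a is allowed to read
                for item, readers in stored.get(loc, {}).items():
                    if (readers is ANYONE or a in readers) and item not in k:
                        k.add(item); changed = True
                # print: the printout becomes readable by anyone in the server room
                src, item, dst = PRINT
                if loc == src and item in k and item not in stored.setdefault(dst, {}):
                    stored[dst][item] = ANYONE; changed = True
                # move along every edge whose guard a knows, carrying knowledge along
                for s, d, guard in EDGES:
                    if s == loc and (guard is None or guard in k):
                        nk = know.setdefault((a, d), set())
                        if d not in where[a] or not k <= nk:
                            where[a].add(d); nk |= k; changed = True
    return {a: (frozenset(where[a]),
                frozenset().union(*(know[(a, l)] for l in where[a])))
            for a in actors}

USER = ("outside", {"code_user", "key_server"})
JANITOR = ("outside", {"key_jan", "key_server"})
```

Calling cra with only the janitor leaves "secret" out of his knowledge, while cra({"U": USER, "J": JANITOR}) lets J obtain it via the printer, mirroring the two halves of Table 1.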
Fig. 9 – Algorithm for evaluating the possible effect of all sequences of actions that can cause the logged events. For each logged event the algorithm performs all actions that could go unnoticed (line 9), and identifies the set of actors that possibly can have caused it (lines 12–26). If only one actor can have performed a logged action, we know exactly where this actor is located, and it consequently is removed from all other locations (lines 14, 18–20, 23–25). Finally, the effect of the logged event is simulated.

The ordering relation based on time is taken into account in the log-trace reachability analysis (Section 4.2.3), which on top of the system description also gets a string of logged actions as input. There are two interesting cases with respect to the two actors we are investigating. Considering the file secret once it has been printed, it is of interest whether the janitor has been in and left the server room before the file is printed, or not. If not, then there is a risk of the janitor picking up the secret file from the printer or even only reading it and leaving it in place. For performing LTRA we assume two different log sequences. The first one is generated by the user entering the system, going to his office, logging onto the system, printing the file secret, going to the server room, picking up the printout, and leaving the system again, followed by the janitor coming, going to the server room, and leaving again:

Note that the log sequence does not mention the file to be printed, but since it is stored on pc1 the analysis identifies it as potentially printed. The second log sequence describes a case where the janitor leaves the server room before the file is printed.

The result for these two sequences is shown in Table 2. It shows that for the first sequence the janitor may obtain the secret document; this is because we cannot guarantee that the user picked up the printout, even though he was in the server room at time 23. This is because we cannot observe the picking up. For the second log sequence, we know that the janitor does not enter the server room after the file has been printed, and the analysis result confirms this.

Table 1 – Result of the conditional reachability analysis for the example system from Figs. 2 and 6. As to be expected, the user can obtain the secret file (either directly from pc1 or by printing it and picking it up from the printer). The janitor, on the other hand, cannot access the file. When both actors are analysed simultaneously, then the janitor can access secret because the user might print it, and the janitor has access to the server room.

  analysis result
    U   outside, entry, exit, hall, lock, user, , server, secret, jan
    J   outside, entry, exit, hall, lock, jan, , server, key, user
  simultaneous analysis result
    U   outside, entry, exit, hall, lock, user, , server, secret, jan
    J   outside, entry, exit, hall, lock, jan, , server, key, secret, user

Table 2 – Result of the log-trace reachability analysis for the example system from Figs. 2 and 6.

  log sequence 1
    U   outside, entry, exit, hall, lock, user, , server, secret, jan
    J   outside, entry, exit, hall, lock, user, , server, key, secret, user
  log sequence 2
    U   outside, entry, exit, hall, lock, user, , server, secret, jan
    J   outside, entry, exit, hall, lock, user, , server, key, user

5. Conclusion

We have presented an extensible, analysable system model for real-world systems. While the system model originated in a desire to analyse and prevent insider attacks, the model is sufficiently general, and easily extendable as shown, that it can be used in many other application areas. In addition to the abstract system model we have presented a modelling language for representing and developing concrete models, and we have shown that the underlying model can easily be extended with domain-specific concepts and notions such as access control, cryptography, and logging.

In earlier work a formal semantics for the abstract system model, in the form of a process algebra, has been specified and used to further extend the analyst's toolbox with methods and techniques from the programming language and program analysis communities. This is in contrast to many current approaches that often lack this formal underpinning. We believe that a formal semantics is absolutely essential for future development, both in order to better understand the underlying mechanisms, as well as for enabling a more formal and rigorous approach to dealing with insider threats. Even more so with the growing popularity and subsequent deployment of distributed and decentralised systems, as well as notions such as "cloud computing", grid computing, and Software as a Service (SaaS).

As the protection of these (often mission-critical) information infrastructures has gained considerable importance in the last years, many approaches have been developed, which often are based on an analysis of previous attacks. While these approaches have been very successful, we believe that they can benefit from being paired with static analysis techniques as shown in previous work (Probst et al., 2006). Using these techniques, the model presented in this paper allows one to identify either a need for increased protection or a need for special alertness, at certain locations or for certain actors. A specific advantage of the flexibility of our approach is that it can be used throughout the entire life-cycle of a system, from the design, over the prediction of possibly precarious situations during operation, to the guidance of auditing after an attack. Furthermore, due to its foundation on static analysis, it enables both combining sub-models of different parts of an investigation into a bigger model, as well as adapting the granularity (and as a result the speed) of the analysis. We believe that these are properties essential for enabling development and analysis of large, real-world scenarios.

References

Bishop M. The insider problem revisited. In: Proc. of new security paradigms workshop 2005. Lake Arrowhead, CA, USA: ACM Press; 2005.

Bishop M, Gollmann D, Hunker J, Probst CW. Dagstuhl seminar "countering insider threats", http://www.dagstuhl.de/08302; 2008. Last visited [accessed 12.08.08].

Brackney RC, Anderson RH, editors. Understanding the insider threat. Santa Monica, CA, U.S.A.: RAND Corporation; 2005.

Gollmann D. Insider fraud. In: Christianson B, Crispo B, Harbinson WS, Roe M, editors. Proc. of the 6th international workshop on security protocols, vol. 1550 of lecture notes in computer science. Cambridge, UK: Springer Verlag; 1998.

Gunnarsson D. Static analysis of the insider problem, Master's thesis, Informatics and Mathematical Modelling, Technical University of Denmark, DTU, Richard Petersens Plads, Building 321, DK-2800 Kgs. Lyngby, supervised by Christian W. Probst, IMM, DTU; 2007.

Hansen RR, Probst CW, Nielson F. Sandboxing in myKlaim. In: The first international conference on availability, reliability and security, ARES'06. Vienna, Austria: IEEE Computer Society;

Nicola RD, Ferrari G, Pugliese R. KLAIM: a kernel language for agents interaction and mobility. IEEE Transactions on Software Engineering 1998;24(5):315–30.

Nicola RD, Ferrari G, Pugliese R, Venneri B. Types for access control. Theoretical Comput Sci 2000;240(1):215–54.

Nielson F, Nielson HR, Hankin CL. Principles of program analysis. Springer-Verlag; 1999.

Probst CW, Hansen RR, Nielson F. Where can an insider attack? In: Workshop on formal aspects in security and trust (FAST 2006); 2006.

Swiderski F, Snyder W. Threat modeling. Microsoft Press; 2004.

Christian W. Probst is Associate Professor in the Language-based Technology section at the Technical University of Denmark. He works on programming languages and modelling, analysis, and realization of systems, especially under security aspects.

Rene Rydhof Hansen is Assistant Professor at Aalborg University, Denmark. He works in the area of static analysis for safe and secure systems.