Structuring Knowledge for a Security Trade-offs Knowledge Base
Golnaz Elahi, Department of Computer Science
Eric Yu, Faculty of Information Study
University of Toronto
Identity, Privacy and Security Initiative Research Symposium, May 2nd 2008
Strategic Dependencies among Actors
Modelling Strategic Actor Relationships and Rationales: the i* modelling framework
Strategic actors:
• have goals, beliefs, abilities, commitments
• are semi-autonomous: freedom of action, constrained by relationships with others; not fully knowable or controllable
• have knowledge to guide action, but only partially explicit
• depend on each other for goals to be achieved, tasks to be performed, resources to be furnished
Strategic Rationales: reasoning about alternative configurations of relationships with other actors. Why? How? How else?
i* Evaluation Procedure
Semi-automatable propagation of qualitative evaluation labels uses evaluation guidelines and human judgment.
Security Trade-offs Modeling and Analysis using i*
Figure: i* model of the trade-off. The Employee actor has the softgoals Security (decomposed into Confidentiality and Integrity) and Usability; the tasks Authenticate to access the host, Maintain network address integrity and Access to host remotely carry positive (+, ++) contribution links to them, and the nodes Protect password, Password losing and the password resource connect the two actors. The Malicious Employee actor has the goal Commit a fraud, pursued either as Fraud through local network (LAN) or as Fraud over the Internet.
Structuring Knowledge for a Security Trade-offs Knowledge Base: A Goal-Oriented Approach
Problems
Security Knowledge Sources
• Textbooks
• Guidelines
• Standards
• Checklists
• Documentation from past projects
• Security Design Patterns
• Structured Catalogues & Knowledge Bases
Figure: excerpt from the NIST 800-36 guidelines
Structuring Knowledge
Motivations and Questions
What would be a good way to organize and structure knowledge to assist designers in making security trade-offs?
We suggest a Goal-Oriented approach for structuring security trade-offs knowledge.
Analyzing the Structure of the Knowledge in the NIST 800-36 Guidelines
Figure: goal model of the authentication knowledge in NIST 800-36. For the Information System actor, Identity-based access control is And-decomposed into Identification, Authentication and Accountability. Authentication is operationalized by the mechanisms Static authentication, Dynamic authentication and Multi-factor authentication, and Encryption [authenticator value] covers the authenticator in Transit [authenticator] and Store [authenticator]. Authenticate the identity is achieved by one of: provide something you have, provide something you alone know, or sample a personal characteristic. The attacker Imposter pursues the malicious goal Obtain authenticator through the attacks Authenticator loss, Guessing the password and Decrypting the password, which carry -- impacts on the authentication goals. Quality goals: Difficult to guess [authentication], Difficult to decrypt [authentication], Difficult to obtain [authentication], Protected in transit [authentication], Protected store in system [authentication], Easy to use, Low cost; contribution links carry the labels Prevent, Some -, - and --.
Legend: Quality Goals, Goals, Security Mechanism, Actor, Attacker, Attack, Impacts, Vulnerability.
The KB Schema
Figure: the KB schema. Entities: Actor (specialized into System Actor and Attacker), Goal (System/Individual Goal, Security Goal, Malicious Goal), Task (System/Individual tasks, Security Mechanism), Asset, Vulnerability and Attack. Relationship labels: Have (actors to goals and tasks, attackers to malicious goals), Operationalize and Contribute (tasks and mechanisms to goals and to other tasks), Prevent, Detect and Recover (security mechanisms to attacks), Protect and Patch (security mechanisms to assets and vulnerabilities), Exploit and Target (attacks to vulnerabilities and assets), Use and Produce (tasks to assets).
The schema captures:
• Actors and their goals
• Mechanisms and contributions of mechanisms on goals and other mechanisms
• Attackers and attacks
• Impact of attacks on goals and impact of security mechanisms on attacks
Example of Structured Knowledge
Figure: the NIST 800-36 authentication goal model from the slide "Analyzing the Structure of the Knowledge in the NIST 800-36 Guidelines", shown again as an instance of knowledge structured according to the KB schema.
Reusable Unit of Knowledge (mechanism-centred)
Figure: a security mechanism with its contribution links to softgoals and to other mechanisms, its contribution to an attack together with the contribution type (prevent, detect, recover), and the actor whose goals it serves.
• What are the consequences of applying a particular security mechanism on malicious and non-malicious goals and mechanisms?
• Which actor or system component should employ a particular security mechanism?
Reusable Unit of Knowledge (attack-centred)
Figure: an attack with the attacker and malicious goal behind it, the asset and vulnerability it exploits, and its contribution (impact) links to goals and softgoals.
• What is the impact of a particular attack on other goals and mechanisms?
• What vulnerabilities exist in a particular asset or mechanism?
• What attacks threaten a particular mechanism, asset, or goal?
• Who may threaten the system?
Reusable Unit of Knowledge
What security mechanisms prevent or detect a particular attack or recover the system after the occurrence of the attack?
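The three reusable units above are answered by queries over the schema. The following is an added example, not the authors' tool or code from the slides: it encodes a fragment of the NIST 800-36 authentication model from the earlier slide as plain Python data following the KB schema and answers each question with a query. Entity names come from that slide; the specific contribution labels, the prevent link, and the vulnerability names attached to them are assumptions made for this example.

```python
"""Added example: a small goal-oriented security trade-offs knowledge base.

Entities (actors, goals, security mechanisms, attacks, attackers, assets,
vulnerabilities) are plain strings; the schema's relationships (Have,
Operationalize, Contribute, Prevent/Detect/Recover, Exploit, Target) are tuples.
The query methods answer the "reusable unit of knowledge" questions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LABELS = {"++", "+", "some+", "some-", "-", "--"}   # qualitative i*-style contribution labels
EFFECTS = {"prevent", "detect", "recover"}           # effect types of a mechanism on an attack


@dataclass
class KnowledgeBase:
    has: Dict[str, Set[str]] = field(default_factory=dict)                 # actor -> goals, mechanisms, malicious goals
    operationalizes: List[Tuple[str, str]] = field(default_factory=list)   # (task or attack, goal)
    contributes: List[Tuple[str, str, str]] = field(default_factory=list)  # (mechanism, goal or mechanism, label)
    affects: List[Tuple[str, str, str]] = field(default_factory=list)      # (mechanism, attack, effect)
    impacts: List[Tuple[str, str, str]] = field(default_factory=list)      # (attack, goal, label)
    exploits: List[Tuple[str, str, str]] = field(default_factory=list)     # (attack, vulnerability, asset)

    def add_contribution(self, source: str, target: str, label: str) -> None:
        if label not in LABELS:
            raise ValueError(f"unknown contribution label {label!r}")
        self.contributes.append((source, target, label))

    def add_effect(self, mechanism: str, attack: str, effect: str) -> None:
        if effect not in EFFECTS:
            raise ValueError(f"unknown effect type {effect!r}")
        self.affects.append((mechanism, attack, effect))

    # Mechanism-centred unit: consequences of applying a mechanism, and who employs it.
    def consequences_of(self, mechanism: str) -> Dict[str, str]:
        out = {t: lbl for s, t, lbl in self.contributes if s == mechanism}
        out.update({a: e for m, a, e in self.affects if m == mechanism})
        return out

    def who_employs(self, mechanism: str) -> List[str]:
        return sorted(actor for actor, items in self.has.items() if mechanism in items)

    # Attack-centred unit: impact, vulnerabilities, threatened targets, and who threatens.
    def impact_of(self, attack: str) -> Dict[str, str]:
        return {g: lbl for a, g, lbl in self.impacts if a == attack}

    def vulnerabilities_in(self, asset: str) -> List[str]:
        return sorted({v for _, v, a in self.exploits if a == asset})

    def attacks_threatening(self, target: str) -> List[str]:
        """Attacks that impact the goal `target` or exploit a vulnerability in the asset `target`."""
        hits = {a for a, g, _ in self.impacts if g == target}
        hits |= {a for a, _, asset in self.exploits if asset == target}
        return sorted(hits)

    def who_threatens(self, attack: str) -> List[str]:
        malicious_goals = {g for t, g in self.operationalizes if t == attack}
        return sorted(actor for actor, items in self.has.items() if items & malicious_goals)

    # Countermeasure unit: mechanisms that prevent, detect or recover from an attack.
    def mechanisms_against(self, attack: str) -> Dict[str, List[str]]:
        out: Dict[str, List[str]] = {e: [] for e in sorted(EFFECTS)}
        for m, a, e in self.affects:
            if a == attack:
                out[e].append(m)
        return out


def build_example_kb() -> KnowledgeBase:
    """Fragment of the NIST 800-36 authentication model; links marked 'assumed' are not on the slide."""
    kb = KnowledgeBase()
    kb.has["Information System"] = {"Identification", "Authentication", "Accountability",
                                    "Multi-factor authentication", "Encryption [authenticator value]"}
    kb.has["Imposter"] = {"Obtain authenticator"}            # attacker and its malicious goal
    for attack in ("Guessing the password", "Decrypting the password", "Losing the authenticator"):
        kb.operationalizes.append((attack, "Obtain authenticator"))
    # Contributions of mechanisms on quality goals (assumed mapping of the slide's labels).
    kb.add_contribution("Multi-factor authentication", "Difficult to guess [authentication]", "+")
    kb.add_contribution("Multi-factor authentication", "Easy to use", "some-")
    kb.add_contribution("Multi-factor authentication", "Low cost", "-")
    kb.add_contribution("Encryption [authenticator value]", "Difficult to decrypt [authentication]", "+")
    kb.add_contribution("Encryption [authenticator value]", "Protected in transit [authentication]", "+")
    # Effect of a mechanism on an attack (assumed).
    kb.add_effect("Multi-factor authentication", "Guessing the password", "prevent")
    # Impacts of attacks on goals ('--' on the slide).
    kb.impacts.append(("Guessing the password", "Authentication", "--"))
    kb.impacts.append(("Decrypting the password", "Difficult to decrypt [authentication]", "--"))
    # Vulnerabilities exploited in the authenticator asset (assumed names).
    kb.exploits.append(("Guessing the password", "Guessable password", "Authenticator"))
    kb.exploits.append(("Decrypting the password", "Weakly protected stored authenticator", "Authenticator"))
    return kb


if __name__ == "__main__":
    kb = build_example_kb()
    print("against password guessing:", kb.mechanisms_against("Guessing the password"))
    print("against password decrypting:", kb.mechanisms_against("Decrypting the password"))
    print("who threatens guessing:", kb.who_threatens("Guessing the password"))
    print("consequences of MFA:", kb.consequences_of("Multi-factor authentication"))
```

The empty answer for "Decrypting the password" is the kind of gap the conclusion slide refers to: the fragment records quality goals that encryption contributes to, but no mechanism that prevents, detects or recovers from that attack, so the query makes the missing relationship visible rather than hiding it in a diagram.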
Reusable Unit of Knowledge: Example
Figure: the knowledge unit for the attack Automated password guessing. Softgoals: Prevent password guessing, Log-in convenience, Password security. Security mechanisms: Increase the period between login attempts with each unsuccessful attempt; Deny login after a limited number of failed attempts. Each mechanism carries a Prevent or Detect link to the attack and contribution links to the softgoals, with labels +, - and -- (positive on Password security and Prevent password guessing, negative on Log-in convenience).
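The knowledge unit above relates two mechanisms to one attack and to two competing softgoals. The following added example (not from the slides or the authors' tool) implements both mechanisms as a login guard and measures both sides of the trade-off by simulation: how many guesses an automated password-guessing attacker gets evaluated in an hour, and how long a legitimate user who mistypes is delayed. The policy parameters (deny after 5 failures, 15-minute lockout, 1 s base delay doubling with each failure, attacker capped at one guess per second) and the account data are assumptions constructed for the example.

```python
"""Added example: the two login-throttling mechanisms from the knowledge unit, simulated.

Mechanism 1: increase the period between login attempts with each unsuccessful attempt.
Mechanism 2: deny login after a limited number of failed attempts.
Parameters below are assumptions for the example, not values from the slides.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LoginPolicy:
    max_failures: Optional[int] = None   # deny login after this many consecutive failures (None = off)
    lockout_seconds: float = 900.0       # how long the denial lasts (assumed: 15 minutes)
    base_delay: float = 0.0              # delay after the first failure; doubles with each further failure (0 = off)


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0    # earliest time the next attempt is evaluated at all
    locked_until: float = 0.0  # attempts before this time are denied outright


class LoginGuard:
    def __init__(self, policy: LoginPolicy, passwords: Dict[str, str]):
        self.policy = policy
        self.passwords = passwords          # constructed test accounts; a real system stores hashes
        self.state: Dict[str, AccountState] = {}

    def earliest_attempt(self, user: str, now: float) -> float:
        st = self.state.setdefault(user, AccountState())
        return max(now, st.not_before, st.locked_until)

    def attempt(self, user: str, password: str, now: float) -> str:
        """Evaluate one login attempt at time `now`: 'ok', 'bad_password', 'locked' or 'too_early'."""
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if now < st.not_before:
            return "too_early"
        expected = self.passwords.get(user, "")
        # Constant-time comparison; the membership check keeps an unknown user from matching "".
        if hmac.compare_digest(expected.encode(), password.encode()) and user in self.passwords:
            st.failures = 0
            st.not_before = 0.0
            return "ok"
        st.failures += 1
        if self.policy.base_delay > 0:
            st.not_before = now + self.policy.base_delay * 2 ** (st.failures - 1)
        if self.policy.max_failures and st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_seconds
        return "bad_password"


def guesses_evaluated(policy: LoginPolicy, window: float = 3600.0) -> int:
    """Attack side: an automated guesser fires a wrong password whenever the guard will evaluate
    one, at most once per second, for `window` seconds. Returns how many guesses were checked."""
    guard = LoginGuard(policy, {"alice": "correct horse"})
    count, t = 0, 0.0
    while t < window:
        if guard.attempt("alice", f"guess{count}", t) == "bad_password":
            count += 1
        t = max(t + 1.0, guard.earliest_attempt("alice", t))
    return count


def legit_user_delay(policy: LoginPolicy, mistakes: int) -> float:
    """Convenience side: a user mistypes `mistakes` times, then types the right password,
    retrying as soon as the guard allows. Returns the time at which the login succeeds."""
    guard = LoginGuard(policy, {"alice": "correct horse"})
    t = 0.0
    for _ in range(mistakes):
        t = guard.earliest_attempt("alice", t)
        guard.attempt("alice", "wrong", t)
    t = guard.earliest_attempt("alice", t)
    if guard.attempt("alice", "correct horse", t) != "ok":
        raise RuntimeError("correct password rejected")
    return t


if __name__ == "__main__":
    policies = {
        "no throttling": LoginPolicy(),
        "deny after 5 failures": LoginPolicy(max_failures=5),
        "increasing delay": LoginPolicy(base_delay=1.0),
        "both mechanisms": LoginPolicy(max_failures=5, base_delay=1.0),
    }
    for name, pol in policies.items():
        print(f"{name:22s} guesses/hour={guesses_evaluated(pol):5d}  "
              f"delay after 2 typos={legit_user_delay(pol, 2):4.0f}s  "
              f"after 5 typos={legit_user_delay(pol, 5):4.0f}s")
```

Both mechanisms cut the attacker from 3600 evaluated guesses per hour to a handful, which is the Prevent link; the cost shows up on the convenience side, where the increasing delay charges every mistyping user a few seconds and the lockout charges a user who hits the limit the full lockout period. The lockout also lets an attacker who keeps guessing keep the legitimate user locked out, a denial-of-service consequence worth recording as a further negative contribution when this unit is reused.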
Conclusion
• Trade-offs between competing goals and alternative solutions are expressed by relating the consequences of applying each alternative to the goals.
• The knowledge models let goal model evaluation techniques be used to evaluate goal satisfaction.
• During modeling, missing elements and relationships are discovered.
Limitations and Ongoing Work
The visual goal-oriented knowledge models do not scale well. This makes browsing, understanding and analyzing the knowledge expressed in the visual goal models difficult.
Therefore, to solve the scalability problem:
1. The goal-oriented knowledge structure needs to be stored in a goal-oriented text format.
2. Query languages are required to extract a fragment from the large body of knowledge.
3. The unit of knowledge to extract from the KB needs to be defined.
References:
[Mead 05] Mead, N. R., McGraw, G.: A portal for software security. IEEE Security & Privacy 2(4), 75-79 (2005)
[Barnum 05] Barnum, S., McGraw, G.: Knowledge for software security. IEEE Security & Privacy 3(2), 74-78 (2005)
[NIST 800-36] Grance, T., Stevens, M., Myers, M.: Guide to Selecting Information Technology Security Products. Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-36 (2003)
[ER07] Elahi, G., Yu, E.: A goal oriented approach for modeling and analyzing security trade-offs. In: Proceedings of the 26th International Conference on Conceptual Modeling, 375-390 (2007)
[RE03] Liu, L., Yu, E., Mylopoulos, J.: Security and Privacy Requirements Analysis within a Social Setting. In: IEEE Joint International Conference on Requirements Engineering, 151-161 (2003)
Eric Yu: www.fis.utoronto.ca/~yu
Golnaz Elahi: http://www.cs.toronto.edu/~gelahi/