Security in a PUC environment using component composition

Security in a PUC environment using component composition NGN-ProgNet Workshop 2004 Bob Askwith, David Llewellyn-Jones, Madjid Merabti, Qi Shi Liverpool John Moores University [email protected] http://www.cms.livjm.ac.uk/PUCsec/


Transcript of Security in a PUC environment using component composition

Page 1: Security in a PUC environment using component composition

Security in a PUC environment using component composition

NGN-ProgNet Workshop 2004

Bob Askwith, David Llewellyn-Jones, Madjid Merabti, Qi Shi

Liverpool John Moores University

[email protected]

http://www.cms.livjm.ac.uk/PUCsec/

Page 2: Security in a PUC environment using component composition

Overview

• Second round project

• Started in March 2002

• Focus on security in a personal ubiquitous computing (PUC) environment

• Security is an increasingly important issue in any situation dealing with programmable components

Page 3: Security in a PUC environment using component composition

Security scenario

• We consider security in a scenario satisfying specific qualities

– multiple devices acting in parallel

– low power devices with restricted resources

– networked environment

– potentially heterogeneous environment

• These are all properties of a PUC environment

• Clearly there are close parallels between this and programmable networks

Page 4: Security in a PUC environment using component composition

Security methods

• In order to tackle security problems, our mandate has been to investigate component composition

• Deals with the manner in which the security of a system comprised of multiple components is affected by the security properties of those individual components

• Example: email client

Page 5: Security in a PUC environment using component composition

Proposed framework

• Last year we presented a proposed framework as a means of tackling the question of how such a system might work

• This year we will extend this framework and look at our progress in implementing it

Page 6: Security in a PUC environment using component composition

Framework processes

• There are 3 clear processes involved

1. Component analysis

2. Composition analysis

3. Dynamic sandboxed execution

• We’ve made progress on the first two of these processes. This will be detailed in the remainder of the talk.

Page 7: Security in a PUC environment using component composition

Composition analysis

• At the heart of the process lies the composition engine

• We have a working scriptable solution based on the composition of agents via network channels

• The system compares the composition topology against a number of generalised composition templates

Page 8: Security in a PUC environment using component composition

Composition analysis

• So far our engine has been found to be flexible enough to cope with all the theoretical composition results tested from the literature

• These include

– Hierarchical results such as Composable Assurance

– Restrictive results such as Non-Interference

– Practical buffer overrun results (more later)

Page 9: Security in a PUC environment using component composition

Progress

• We have a working prototype system

• Coding is underway for the incorporation into a simple demonstrable agent-based system

Page 10: Security in a PUC environment using component composition

Component analysis

• We have identified 3 methods for establishing component properties

– Certification

– Proof Carrying Code

– Direct Code Analysis

Page 11: Security in a PUC environment using component composition

Direct Code Analysis

• There are a number of benefits and drawbacks to each method

• Some suitable method for a PUC environment is necessary if the concept is to work

• We looked at DCA since it constitutes the only fully automated method useable with arbitrary code

– DCA allows properties to be traced throughout the potential execution of the code

– It provides a provable a priori method of establishing code properties

Page 12: Security in a PUC environment using component composition

Example

• We have established a method of DCA for testing buffer overruns in component code

– Suppose component B suffers from a buffer overrun vulnerability if sent more than 64 bytes

– Our procedure will signal a vulnerability only if component A has the potential to send more than 64 bytes on channel 0

– The example can be generalised to more components and multiple channels

Page 13: Security in a PUC environment using component composition

Distributed checking

• A difficulty of using Direct Code Analysis in a low power environment is resource usage

– In a PUC environment, we aim to distribute the analysis across multiple devices

– This requires a trust model

• We have developed a trust model based on a distributed algorithm using Cellular Automata

• Component analysis is sent only to trustworthy devices

Page 14: Security in a PUC environment using component composition

Distributed trust mechanism

• Our experiments have shown that our trust model

– is robust

– is scalable

– imposes minimal additional resource usage

– requires low network bandwidth

– localises untrustworthy components

• These results are based on simulations using Klemm-Eguíluz generated networks

Page 15: Security in a PUC environment using component composition

Dynamic sandboxed execution

• The final stage configures a sandbox based on the derived properties

– The benefit of property discovery is to allow the sandbox to be tailored

– Provide maximum security with the minimum overhead

– In our example, run-time buffer overrun checking would only be required if the composed application was known to require it

• This aspect of the framework will form part of our future work
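The buffer-overrun check described on page 12 and the sandbox tailoring described on page 15, as an added worked example in Python. This is not the PUCsec project's code: the Component/Link data model, the names find_overrun_risks and sandbox_policy, and the sample components A, B and C are assumptions constructed here. It generalises the page 12 case to several senders and channels, as the slide says the method can be.

```python
# Added example (not the PUCsec project's code): a toy composition-analysis
# pass in the spirit of the buffer-overrun DCA example on page 12, plus the
# sandbox tailoring on page 15. Data model and names are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    # Largest message, in bytes, the component may emit on each output channel,
    # as established by analysing its code. None means "no bound found".
    max_send: Dict[int, Optional[int]]
    # Largest message each input buffer can safely hold, per channel.
    buffer_limit: Dict[int, int]


@dataclass(frozen=True)
class Link:
    sender: str
    receiver: str
    channel: int


# (sender, receiver, channel, sender bound, receiver limit)
Risk = Tuple[str, str, int, Optional[int], int]


def find_overrun_risks(components: List[Component], links: List[Link]) -> List[Risk]:
    """Flag every link where the sender's proven output bound does not fit the
    receiver's buffer. A link is cleared only when the sender has a finite
    bound no larger than the receiver's limit; an unknown bound is treated
    as unbounded so that unanalysed senders are never silently cleared."""
    by_name = {c.name: c for c in components}
    risks: List[Risk] = []
    for link in links:
        sender = by_name[link.sender]
        receiver = by_name[link.receiver]
        limit = receiver.buffer_limit.get(link.channel)
        if limit is None:
            continue  # receiver declares no vulnerable buffer on this channel
        bound = sender.max_send.get(link.channel)  # missing -> None -> conservative
        if bound is None or bound > limit:
            risks.append((sender.name, receiver.name, link.channel, bound, limit))
    return risks


def sandbox_policy(risks: List[Risk]) -> Dict[str, List[Tuple[str, int]]]:
    """Tailor the sandbox: enable run-time bounds checking only on the
    (receiver, channel) pairs that static analysis could not clear."""
    return {"runtime_bounds_check": sorted({(r, ch) for (_, r, ch, _, _) in risks})}


def example() -> Tuple[List[Risk], Dict[str, List[Tuple[str, int]]]]:
    """Constructed sample composition: B overruns if sent more than 64 bytes."""
    components = [
        Component("A", max_send={0: 48, 1: 200}, buffer_limit={}),
        Component("B", max_send={}, buffer_limit={0: 64, 1: 64}),
        Component("C", max_send={0: None}, buffer_limit={}),  # bound not derivable
    ]
    links = [Link("A", "B", 0), Link("A", "B", 1), Link("C", "B", 0)]
    risks = find_overrun_risks(components, links)
    return risks, sandbox_policy(risks)


if __name__ == "__main__":
    found, policy = example()
    for s, r, ch, bound, limit in found:
        print(f"{s} -> {r} channel {ch}: may send {bound}, buffer holds {limit}")
    print("sandbox:", policy)
```

With the constructed sample, A's 48-byte bound on channel 0 is cleared against B's 64-byte buffer, A's 200-byte bound on channel 1 is flagged, and C is flagged because no bound was derived for it; the resulting policy turns on run-time bounds checking for B on channels 0 and 1 only, leaving every cleared link free of that overhead.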

Page 16: Security in a PUC environment using component composition

Future work

• Dynamic sandboxed execution still to be considered

– work can begin once the earlier two stages have been successfully combined

• Inclusion of completed work into a prototype, using simple networked agents

– to provide a proof of concept for a fully automated method

• Testing of combined methods working together in an automated way

– working in an automated way with composition across a network

Page 17: Security in a PUC environment using component composition

Conclusion

• Current work:

– Component testing using DCA

– Distributed DCA checking using trust mechanism

– Composition engine to establish composed properties

• Future work

– Dynamic sandboxed execution

– Prototype based on simple networked agents

– Testing of combined methods

Page 18: Security in a PUC environment using component composition
