Security in a PUC environment using component composition
NGN-ProgNet Workshop 2004
Bob Askwith, David Llewellyn-Jones, Madjid Merabti, Qi Shi
Liverpool John Moores University
http://www.cms.livjm.ac.uk/PUCsec/
Overview
• Second round project
• Started in March 2002
• Focus on security in a personal ubiquitous computing (PUC) environment
• Security is an increasingly important issue in any situation dealing with programmable components
Security scenario
• We consider security in a scenario satisfying specific qualities:
– multiple devices acting in parallel
– low power devices with restricted resources
– networked environment
– potentially heterogeneous environment
• These are all properties of a PUC environment
• Clearly there are close parallels between this and programmable networks
Security methods
• In order to tackle security problems, our mandate has been to investigate component composition
• This deals with the manner in which the security of a system composed of multiple components is affected by the security properties of those individual components
• Example: email client
Proposed framework
• Last year we presented a proposed framework as a means of tackling the question of how such a system might work
• This year we will extend this framework and look at our progress in implementing it
Framework processes
• There are 3 clear processes involved:
1. Component analysis
2. Composition analysis
3. Dynamic sandboxed execution
• We’ve made progress on the first two of the three processes. This will be detailed in the remainder of the talk.
Composition analysis
• At the heart of the process lies the composition engine
• We have a working scriptable solution based on the composition of agents via network channels
• The system compares the composition topology against a number of generalised composition templates
• So far our engine has been found to be flexible enough to cope with all the theoretical composition results tested from the literature
• These include:
– Hierarchical results such as Composable Assurance
– Restrictive results such as Non-Interference
– Practical buffer overrun results (more later)
Progress
• We have a working prototype system
• Coding is underway for the incorporation into a simple demonstrable agent-based system
• We have identified 3 methods for establishing component properties:
– Certification
– Proof Carrying Code
– Direct Code Analysis
Component analysis
Direct Code Analysis
• There are a number of benefits and drawbacks to each method
• A method suitable for a PUC environment is necessary if the concept is to work
• We looked at DCA since it constitutes the only fully automated method usable with arbitrary code:
– DCA allows properties to be traced throughout the potential execution of the code
– It provides a provable a priori method of establishing code properties
Example
• We have established a method of DCA for testing for buffer overruns in component code:
– Suppose component B suffers from a buffer overrun vulnerability if sent more than 64 bytes
– Our procedure will signal a vulnerability only if component A has the potential to send more than 64 bytes on channel 0
– The example can be generalised to more components and multiple channels
Distributed checking
• A difficulty of using Direct Code Analysis in a low power environment is resource usage:
– In a PUC environment, we aim to distribute the analysis across multiple devices
– This requires a trust model
• We have developed a trust model based on a distributed algorithm using Cellular Automata
• Component analysis is sent only to trustworthy devices
Distributed trust mechanism
• Our experiments have shown that our trust model:
– is robust
– is scalable
– imposes minimal additional resource usage
– requires low network bandwidth
– localises untrustworthy components
• These results are based on simulations using Klemm-Eguíluz generated networks
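As an added illustration of sending analysis work only to trustworthy devices, the Python below is not the PUCsec trust model; it assumes a simple cellular-automaton style rule in which each device on a grid holds an opinion of its four neighbours, every neighbourhood analyses the same job redundantly, a participant that disagrees with the neighbourhood's majority verdict is marked down by the devices adjacent to it, and a device's reputation is the mean opinion its neighbours hold of it. The grid size, the compromised cell (2, 2), the rate ALPHA and the threshold are constructed for the example.

```python
"""Toy cellular-automaton style trust model for choosing which devices receive
distributed analysis jobs. Added illustration with an assumed local update rule;
it is not the PUCsec project's trust algorithm."""

SIZE = 5          # devices on a SIZE x SIZE grid (constructed)
THRESHOLD = 0.5   # minimum reputation needed to be sent analysis work
ALPHA = 0.2       # how far an opinion moves on each agreement or disagreement


def neighbours(cell, size=SIZE):
    """Von Neumann neighbourhood: the local rule only consults adjacent devices."""
    r, c = cell
    cand = [(r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)]
    return [(y, x) for (y, x) in cand if 0 <= y < size and 0 <= x < size]


class Device:
    def __init__(self, cell, honest=True):
        self.cell = cell
        self.honest = honest
        # Automaton state: this device's opinion of each neighbour, initially trusting.
        self.opinion = {n: 1.0 for n in neighbours(cell)}

    def analyse(self, job_id):
        """Verdict of a simulated component analysis. The true verdict is a fixed
        function of job_id; a compromised device reports the opposite."""
        verdict = job_id % 3 == 0
        return verdict if self.honest else not verdict


def run_round(grid, job_id):
    """One automaton step. Each cell's neighbourhood analyses the same job
    redundantly; the majority verdict wins; every participant then moves its
    opinion of the neighbours that took part up (agreed) or down (disagreed)."""
    for cell in grid:
        group = [cell] + neighbours(cell)
        votes = {c: grid[c].analyse(job_id) for c in group}
        majority = sum(votes.values()) * 2 > len(votes)
        for judge in group:
            for other in group:
                if other not in grid[judge].opinion:
                    continue                      # only adjacent devices are rated
                t = grid[judge].opinion[other]
                if votes[other] == majority:
                    grid[judge].opinion[other] = t + ALPHA * (1.0 - t)
                else:
                    grid[judge].opinion[other] = t * (1.0 - ALPHA)


def reputation(grid, cell):
    """What the neighbourhood collectively thinks of cell (mean of local opinions)."""
    ns = neighbours(cell)
    return sum(grid[n].opinion[cell] for n in ns) / len(ns)


def trustworthy(grid):
    """Cells eligible to receive component analysis jobs."""
    return sorted(c for c in grid if reputation(grid, c) >= THRESHOLD)


def dispatch(grid, n_jobs):
    """Round-robin the next n_jobs analysis jobs over trustworthy devices only."""
    eligible = trustworthy(grid)
    return [eligible[i % len(eligible)] for i in range(n_jobs)]


def build_grid(compromised=()):
    return {(r, c): Device((r, c), honest=(r, c) not in compromised)
            for r in range(SIZE) for c in range(SIZE)}


def simulate(rounds=10, compromised=((2, 2),)):
    """Run the automaton; by default one compromised device sits at (2, 2)."""
    grid = build_grid(compromised)
    for job_id in range(rounds):
        run_round(grid, job_id)
    return grid


if __name__ == "__main__":
    g = simulate()
    print(round(reputation(g, (2, 2)), 4), len(trustworthy(g)), dispatch(g, 3))
```

Because opinions are only held about adjacent cells and updated from local votes, the compromised device's low reputation stays confined to its own neighbourhood while honest devices keep full reputation, which is the sense in which such a model localises an untrustworthy component; the page's own algorithm, bandwidth figures and Klemm-Eguíluz topologies are not reproduced here.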
Dynamic sandboxed execution
• The final stage configures a sandbox based on the derived properties:
– The benefit of property discovery is to allow the sandbox to be tailored
– Provide maximum security with the minimum overhead
– In our example, run-time buffer overrun checking would only be required if the composed application was known to require it
• This aspect of the framework will form part of our future work
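To make the buffer overrun example under "Example" and the tailored sandbox above concrete, here is an added Python sketch that is not the project's code: a mini-language for component code, an interval-based direct code analysis that bounds the bytes each component can send per channel, a composition check of those bounds against each receiver's buffer capacity (generalised to several components and channels, as the slides say the example can be), and a sandbox policy that enables run-time bounds checking only on channels the analysis could not prove safe. The statement forms, the components A, B and C, their wiring and the 64-byte capacities are constructed assumptions.

```python
"""Toy direct code analysis (DCA) of per-component send sizes, composed
against receiver buffer capacities and turned into a sandbox policy.
Added illustration: the mini-language, the interval domain and the policy
format are assumptions, not the PUCsec project's own code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Interval:
    """Abstract value: a variable's length lies in [lo, hi] bytes."""
    lo: int
    hi: int

    def join(self, other):        # merge of two control-flow paths
        return Interval(min(self.lo, other.lo), max(self.hi, other.hi))

    def add(self, other):         # concatenation of two buffers
        return Interval(self.lo + other.lo, self.hi + other.hi)


# Mini-language for component code (constructed for this example):
#   ("input", var, lo, hi)      var gets a length anywhere in [lo, hi]
#   ("const", var, n)           var = n
#   ("add", dst, a, b)          dst = a + b
#   ("if", then_ops, else_ops)  condition is opaque, so both paths are analysed
#   ("send", chan, var)         transmit var bytes on channel chan

def analyse(ops, env=None, sends=None):
    """Abstract interpretation of a component body.
    Returns ({var: Interval}, {chan: largest message the code can send})."""
    env = dict(env or {})
    sends = dict(sends or {})
    for op in ops:
        kind = op[0]
        if kind == "input":
            env[op[1]] = Interval(op[2], op[3])
        elif kind == "const":
            env[op[1]] = Interval(op[2], op[2])
        elif kind == "add":
            env[op[1]] = env[op[2]].add(env[op[3]])
        elif kind == "if":
            env_t, sends_t = analyse(op[1], env, sends)
            env_f, sends_f = analyse(op[2], env, sends)
            # Only variables defined on both paths survive the join.
            env = {v: env_t[v].join(env_f[v]) for v in env_t.keys() & env_f.keys()}
            sends = {c: max(sends_t.get(c, 0), sends_f.get(c, 0))
                     for c in sends_t.keys() | sends_f.keys()}
        elif kind == "send":
            chan, var = op[1], op[2]
            sends[chan] = max(sends.get(chan, 0), env[var].hi)
        else:
            raise ValueError(f"unknown op {kind!r}")
    return env, sends


@dataclass
class Component:
    name: str
    code: list                                      # ops analysed by DCA
    capacity: dict = field(default_factory=dict)    # chan -> receive buffer size


def compose(components, wiring):
    """wiring: (sender, chan, receiver) triples. A finding means the sender can
    emit more bytes on chan than the receiver's buffer on chan holds."""
    bounds = {c.name: analyse(c.code)[1] for c in components}
    caps = {c.name: c.capacity for c in components}
    findings = []
    for sender, chan, receiver in wiring:
        may_send = bounds[sender].get(chan, 0)
        cap = caps[receiver][chan]
        if may_send > cap:
            findings.append((sender, chan, receiver, may_send, cap))
    return findings


def sandbox_policy(components, wiring):
    """Enable run-time bounds checks only where the analysis could not prove safety."""
    flagged = {(r, ch) for (_, ch, r, _, _) in compose(components, wiring)}
    return {(receiver, chan): ("bounds_check" if (receiver, chan) in flagged else "none")
            for _, chan, receiver in wiring}


# Constructed sample composition (assumed, not from the slides):
A = Component("A", [
    ("const", "prefix", 6),            # fixed 6-byte header
    ("input", "name", 0, 32),          # name copied from a 32-byte field
    ("add", "msg", "prefix", "name"),  # msg is 6..38 bytes
    ("send", 0, "msg"),                # never exceeds 64 on channel 0
])
C = Component("C", [
    ("input", "payload", 0, 48),
    ("if", [("const", "pad", 0)], [("const", "pad", 80)]),  # one path pads heavily
    ("add", "out", "payload", "pad"),  # 0..128 bytes after the join
    ("send", 1, "out"),
])
B = Component("B", [], capacity={0: 64, 1: 64})  # 64-byte receive buffers
WIRING = [("A", 0, "B"), ("C", 1, "B")]

if __name__ == "__main__":
    print(compose([A, B, C], WIRING))         # C can overrun B on channel 1
    print(sandbox_policy([A, B, C], WIRING))  # bounds checks on (B, 1) only
```

The analysis is sound but not precise: the opaque branch in C is joined as worst case, so a vulnerability is signalled only when some path can exceed the receiver's capacity, and the resulting policy pays for run-time checking solely on that channel, which is the "maximum security with minimum overhead" trade-off the slide describes.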
Future work
• Dynamic sandboxed execution still to be considered:
– work can begin once the earlier two stages have been successfully combined
• Inclusion of completed work into a prototype, using simple networked agents:
– to provide a proof of concept for a fully automated method
• Testing of combined methods working together in an automated way:
– with composition across a network
Conclusion
• Current work:
– Component testing using DCA
– Distributed DCA checking using trust mechanism
– Composition engine to establish composed properties
• Future work:
– Dynamic sandboxed execution
– Prototype based on simple networked agents
– Testing of combined methods