Applying Safety Techniques to Security

DRAFT: For Comment

Thitima Srivatanakul

Submitted for the First Year Qualifying Dissertation

University of York

Department of Computer Science

July 2002

Abstract

Security in computer systems has become increasingly important. It is one characteristic that many critical systems should possess. Despite the availability of sophisticated security mechanisms, security weaknesses still exist in most systems. Systems are now becoming more complex and threats have significantly increased. Clearly these systems must be analysed with particular rigour. Previous work on security analysis has been very informal. There is a need for a more systematic approach if more complex systems and environments are to be handled.

Safety techniques are well-defined and more systematic, and they have proved successful in the safety community. Since safety and security have many similarities, it seems plausible that approaches from safety can be applied to security. This report investigates the applicability of safety techniques to security analysis. A review of various existing techniques from both the safety and security domains is provided. Techniques that have actually been applied across domains are identified, as are concepts common to the techniques. Finally, the report proposes a plan of research for investigating the more systematic application of deviational techniques in security. The approach has the potential for widespread applicability.

Table of Contents

Chapter 1 Introduction 1

Chapter 2 Security – An Overview 3

2.1 Dependable Systems 3

2.2 Fundamentals of Security 4

2.2.1 Definitions 4

2.2.2 Security Elements 5

2.3 Security and Risk Analysis 5

2.3.1 Security Risk Analysis Process 5

2.3.2 Security Risk Analysis Techniques 8

2.4 Security Policies and Models 8

2.4.1 Bell-LaPadula 9

2.4.2 Biba Model 10

2.4.3 Clark-Wilson Model 10

2.4.4 Separation of Duty 10

2.4.5 Chinese Wall Model 10

2.4.6 Summary 11

2.5 Security Mechanisms 11

2.5.1 Authentication Mechanisms 12

2.5.2 Access Control Mechanisms 12

2.5.3 Communication Security Mechanisms 14

2.5.4 Physical Security of Components of the System 16

2.5.5 Administrative Procedures 17

2.5.6 Summary 17

2.6 Secure System Development 18

2.6.1 Security in Life Cycle 18

2.6.2 Secure System Development Methodologies 19

2.6.3 Security Evaluation 20

2.7 Discussions and Summary 20

Chapter 3 Survey of Techniques 23

3.1 Security and Risk Analysis Techniques 23

3.1.1 Risk Management Tools 24

3.1.2 Flaw Hypothesis Methodology 26

3.1.3 Attack Trees Analysis 27

3.1.4 Attack Net Model 28

3.1.5 Threat Trees Analysis 29

3.1.6 Abuse Case Models 31

3.1.7 Survivable Network Analysis - SNA 32

3.1.8 Summary 33

3.2 Safety and Hazard Analysis Techniques 34

3.2.1 Definitions 34

3.2.2 Safety Lifecycles 35

3.2.3 Safety Techniques 37

3.2.4 Hazard Checklist 40

3.2.5 HAZOPs - Hazards and Operability Analysis 40

3.2.6 Fault Trees Analysis 42

3.2.7 Event Tree Analysis 44

3.2.8 Cause-Consequence Analysis 45

3.2.9 Failure Modes and Effects Analysis 46

3.2.10 Zonal Analysis 47

3.2.11 Summary 47

3.3 Argumentation Recording Techniques 49

3.3.1 MOAT - Methodical Organized Argument Trees 49

3.3.2 GSN - Goal Structuring Notation 50

3.3.3 Summary 51

3.4 Conclusions 51

Chapter 4 Safety Techniques for Security 52

4.1 Current Research Work 52

4.2 Common Concepts in Techniques 54

4.2.1 Problems Addressed 54

4.2.2 Understandable Representations of Analysis 55

4.2.3 Deviation 56

4.3 Summary 56

Chapter 5 Conclusions 57

Chapter 6 Proposal and Work Plan 59

6.1 Proposed Research 59

6.1.1 More Detailed Research Objectives 59

6.2 Case Study Targets 60

6.3 Plan for Future Work 62

6.3.1 The Rigorous Security Analysis of Generalised Programs 62

6.3.2 Security Zonal HAZOPs 63

6.3.3 Security Analysis of Formal Elements 64

6.3.4 Work Plan 65

List of Figures

Figure 2.1: Relationships among security elements. 5

Figure 2.2: Risk Analysis Process Framework. [Moffett 2001] 6

Figure 2.3: Computer System Vulnerabilities [Pfleeger 1996] 11

Figure 2.4: Secret and Public Key Encryptions. 15

Figure 3.1: Sample checklist from [Hoyt 1973]. 24

Figure 3.2: Example of attack tree [Schneier 2000] 28

Figure 3.3: Sample of Attack Net model [McDermott 2000] 29

Figure 3.4: Patient Medical Information Threat Tree [Amorso 1994]. 30

Figure 3.5: Example of Abuse Case Diagram [McDermott 1999] 31

Figure 3.6: V lifecycle showing safety activities [Pumfrey 1999]. 35

Figure 3.7: Basic elements of Fault Tree notation. 42

Figure 3.8: Sample of FTA for gas plant valve operation subsystem. 43

Figure 3.9: Event tree for valve operations example [Leveson 1995] 44

Figure 3.10: Sample Cause-Consequence Analysis. [Leveson 1995] 45

Figure 3.11: Sample MOAT construction 49

Figure 3.12: Basic elements of GSN notation. 50

Figure 6.1: Overview of Aviation System. 61

Figure 6.2: Timeline of work plan. 65

List of Tables

Table 2.1: Security-Related Terminology. 4

Table 2.2: Summary of security techniques in the security and risk analysis process. 8

Table 2.3: Sample Access Control Table. 13

Table 2.4: Security activities with associated life cycle stages. 19

Table 3.1: Three generations of security analysis development [Baskerville 1993] 23

Table 3.2: Fragment of survivability map from a mental health treatment subsystem [Ellison 1999]. 33

Table 3.3: Comparisons of Security Analysis Techniques. 34

Table 3.4: Summary of Safety Techniques 39

Table 3.5: HAZOP guide words. [MoD 00-58 1996] 41

Table 3.6: Sample of HAZOP output for Helicopter Fault Warning System [Redmill 1999] 41

Table 3.7: Fragment of FMEA for a simple electric circuit. 46

Table 3.8: Comparison of the hazard analysis techniques. 48

Table 4.1: Summary of security techniques from safety 53

Chapter 1  Introduction

Computer systems affect nearly every aspect of our everyday activities. They are increasingly relied upon in fields ranging from business-related systems such as ATMs or Internet banking to safety-critical systems such as aviation, railway or medical systems.

Failures or malfunctioning of these systems could lead to dramatic losses. The malfunction of a component in a safety-critical system can be life threatening. Failure to protect sensitive information can lead to financial losses or even affect the survival of the business. Such systems now operate in environments with higher risks. Many of these systems are now expected to operate securely.

Security weaknesses exist in most systems, despite the availability of highly sophisticated security mechanisms. Systems using modern security mechanisms can still be vulnerable to attack. As technology improves, it becomes more difficult to develop a secure system, and the knowledge and experience of how to apply technologies effectively is still inadequate [Anderson 2000]. The size and complexity of systems have increased and networking has become commonplace. Security threats have increased significantly, and attacks are becoming more novel, complex and unpredictable.

Many systems are now both safety- and security-critical. Aviation systems are one example, where both safety and security requirements are of high concern [FAA 2001, ICAO 2001]. In such a system, a security breach could lead to a failure of safety.

Since these systems are at high risk and the consequences of their failure are of high concern, there is a need for good engineering discipline in their development.

Security engineering is about understanding and achieving security properties in a systematic, disciplined and efficient manner. Attempts have been made to apply rigorous practices in the development of some small artefacts (e.g. secure smart cards) but reasoning rigorously about their security has still proved very difficult. As the size and complexity of systems with security requirements grows, the confidence we can have in current approaches will diminish.


The domain of safety-critical systems has much in common with security: developments are risk-based, there is an emphasis on rigour where possible, independent validation and verification may play a critical role in development, and neither safety nor security properties are necessarily preserved under traditional refinement.

However, the safety domain has traditionally had to address an extremely wide range of systems, some of them very large (e.g. air traffic systems, an area of particular interest to me, may span many countries and require cross-continent cooperation). In contrast, the goals of secure system developments have been far more restricted. As computer systems become ever more pervasive and the range of security properties required becomes more extensive and novel, security will require techniques and tools that exhibit the flexibility of those used in the safety domain. There have been some attempts to transfer approaches between domains (mostly from safety to security), but the area remains poorly researched. In this report, I shall investigate techniques from both areas and indicate that there is still considerable potential for the transfer of techniques from the safety to the security domain.

The overall structure of this report is given below:

Chapter 2 Security – An Overview

Chapter 2 introduces basic security terminology and some fundamental topics and areas of security: security policy, security risk analysis and security mechanisms. It shows how these areas are related and provides a summary of each topic. The methodologies for secure system design and development are briefly discussed, and an overview of security research areas and the problems being addressed is provided.

Chapter 3 Survey of Techniques

Chapter 3 of this report provides a brief overview of a wide range of analysis techniques from the security and safety domains that have been examined by industry and academia. Particular attention will be paid to security techniques that are well-defined. The process of carrying out the analysis is discussed, as this is fundamental to the analysis techniques studied. The techniques are explored in terms of their approaches, benefits and limitations.

Chapter 4 Safety Techniques for Security

Chapter 4 summarises research work that has been carried out in applying safety techniques to security. The chapter then concludes with common concepts among techniques.

Chapter 5 Conclusions

Chapter 5 provides overall conclusions to the survey in the previous chapters and highlights areas for future research, so that the report as a whole can be better understood.

Chapter 6 Proposal and Work Plan

Chapter 6 outlines the research work to be performed during the course of study. The application domain (primarily aviation) for future work is discussed together with its security aspects. A provisional plan to achieve the goals of the research is also provided.

Chapter 2  Security – An Overview

2.1  Dependable Systems

Computer systems are now widely used in applications where a high level of dependability is required. Dependability, as defined by Laprie [Laprie 1992], is the trustworthiness of a computer system such that reliance can justifiably be placed on the service it delivers.

Security is often considered to be one of the facets of dependability. Other attributes within dependability include:

·  Safety: the expectation that a system does not, under defined conditions, lead to a state in which human life is endangered. [MoD 00-56/2 1996]

·  Reliability: the ability of an entity to perform a required function under given conditions for a given time interval. [Villemeur 1992]

·  Availability: the ability of an entity to be in a state to perform a required function under given conditions at a given instant of time. [Villemeur 1992]

The importance of these properties varies between applications. Security is becoming increasingly important as systems are networked, and business and our everyday lives become more dependent on security-related applications. Attacks are becoming increasingly sophisticated, so obtaining significant confidence in the security of a system is hard. A security breach may well adversely affect the other properties.

The rest of the chapter presents an overview of security, its fundamental elements and their relationships, and finishes with an outline of methodologies for secure system design and development.


2.2  Fundamentals of Security

2.2.1  Definitions

[Oxford Dictionary 1995] defines security as freedom from danger or worry. In a system context, security is more precisely defined as the quality or state of being cost-effectively protected from undue losses [Longley 1987]. Such losses include loss of or damage to assets, loss of goodwill or money, and loss of the ability to continue operations.

Many others [Fisch 2000, Pfleeger 1996] regard computer security as maintaining three fundamental characteristics:

1.  Confidentiality – assets of the computer system are accessible only by authorized parties; they must therefore be protected from disclosure.

2.  Integrity – assets can be modified only by authorized parties or in authorized ways; they must be protected against unauthorized modification.

3.  Availability – assets are accessible to authorized parties. Authorized parties must not be prevented from accessing objects to which they have legitimate access; the assets must be protected against denial of service.

It is with the above definitions, i.e. being cost-effectively protected and maintaining the three fundamental properties, that security is considered throughout this report.

However, many authors include several other security objectives in addition to the main ones described above. Examples include:

·  Accountability – users concerned with the security of information systems have explicit responsibilities and can be held accountable for their actions.

·  Anonymity – ensures that users can use a resource or service without disclosing their identities.

·  Authentication – verifying the identities of communicating users, together with the origin and content of their messages.

·  Non-repudiation – prevention of users denying having sent or received a message (or having carried out some other actions).

These properties are indispensable in some applications; for example, non-repudiation and authentication are widely required in computer communications. Other definitions related to security are provided in Table 2.1 below.

Term            Definition
Exposure        Possible loss or harm in a computing system.
Vulnerability   A weakness in a system that may be exploited to cause loss or harm.
Attack          An exploitation of a system vulnerability.
Threat          Circumstances that have the potential to cause loss or harm.
Control         A protective measure that reduces a system vulnerability.

Table 2.1: Security-Related Terminology.