Detecting Cognitive Causes of Confidentiality Leaks. Rimvydas Rukšėnas, Paul Curzon (Queen Mary, University of London), Ann Blandford (University College London).
Detecting Cognitive Causes of Confidentiality Leaks
Rimvydas Rukšėnas, Paul Curzon (Queen Mary, University of London)
Ann Blandford (University College London)
FMIS 2006, Macau
The topic
• Ensuring (by formal modelling and verification) secure information flow from the user to a secure device / application.
The context
• Security of software systems (technical aspects):
  • the implementation of a system does not leak confidential information.
• User-centred security (social dimensions):
  • work practices;
  • the relationships between system users;
  • security threats exploiting social engineering techniques.
Our focus
• Potential leaks of information caused by the combination of human cognition and interface designs.
Outline
• Formal user model.
• An example.
• Conclusion.
Formal user modelling
• Even when behaving rationally, humans systematically make errors when performing tasks with interactive systems.
• The erroneous actions are unintentional. They emerge from a combination of specific design decisions and human cognition.
• A formal model of cognitively plausible behaviour is helpful in detecting such design flaws.
Abstract cognitive principles
• Non-determinism: any cognitively plausible action might be taken.
• Distinction between mental and physical actions.
• User goals: preconceived knowledge of the task and task-dependent sub-goals.
• Reactive behaviour: people respond to interface prompts, if these seem relevant to their task.
• Goal-based task completion: users tend to finish interactions once their goal has been achieved.
• No-option-based termination.
Generic user model in SAL (sketch)

    UserModel {goals, acts, ...} = ...
      TRANSITION
           ([] i: Goal_Commit:      ...)
        [] ([] i: React_Commit:     ...)
        [] ([] i: Goal_Transition:  ...)
        [] ([] i: React_Transition: ...)
        [] Exit:  ...
        [] Abort: ...
        [] Idle:  ...

    Goal_Transition:
      gcommit[i] = committed AND Transition(i, goals) -->
        gcommit'[i] = done;
        gcommitted' = FALSE
An example: authentication interface
Authentication procedure as a FSM
The structure of specifications
User goals (knowledge)
• Enter user name.
• Enter password.

    seen[InputName] --> value'[InputName] = in.name
Reactive behaviour
• Enter user name.
• Enter password.
• Press Enter button.
• Acknowledge a message.

    seen[InputName], mem.failed, mem.entered[InputName] --> value'[InputName] = in.name
User perception & interpretation
• By label: (i,j): label[i] = NameLabel, label[j] = PassLabel --> InputName = i, InputPass = j
• By habit: (i,j): precedes(i,j) --> InputName = i, InputPass = j
• Random: (label[i] = label[j] ((i,j): precedes(i,j))) --> InputName, InputPass (arbitrary)
Correctness properties
• Usability: System |= F(LoginMsg)
• Security: System [] Tester |= G(NOT SecurityBreach)
• Tester module: [] (j: Inbox): level[j] = Low AND value[j] = env.password --> SecurityBreach' = TRUE
Confidentiality leakage
• NOT precedes(InputName, InputPass)
Secure design
• precedes(InputName, InputPass)
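The authentication example above can be explored with a small executable model: the user non-deterministically interprets the two input fields by label or by habit (field order), and a Tester checks whether the password ever lands in a Low-level field. This is an added illustration in Python, not the authors' SAL model; the field labels, levels, sample name and password are constructed inputs.

```python
# Toy model of the FMIS 2006 authentication example (added illustration,
# not the authors' SAL model). Every (InputName, InputPass) interpretation the
# user might plausibly form is explored, mirroring the slides' by-label,
# by-habit and random cases and the Tester's SecurityBreach condition.
from itertools import product

LOW, HIGH = "Low", "High"


def layout(fields):
    """fields: list of (label, level) in visual order (constructed input)."""
    return [{"label": label, "level": level} for label, level in fields]


def interpretations(fields):
    """All cognitively plausible (InputName, InputPass) index pairs."""
    idx = range(len(fields))
    pairs = [(i, j) for i, j in product(idx, idx) if i != j]
    # By label: the field labelled NameLabel is the name, PassLabel the password.
    by_label = {(i, j) for i, j in pairs
                if fields[i]["label"] == "NameLabel"
                and fields[j]["label"] == "PassLabel"}
    # By habit: precedes(i, j) -- the earlier field is taken to be the name.
    by_habit = {(i, j) for i, j in pairs if i < j}
    if by_label or by_habit:
        return by_label | by_habit   # non-determinism: either reading may occur
    return set(pairs)                # random: no cue determines the fields


def breaches(fields, name="alice", password="hunter2"):
    """Tester: report interpretations where the password reaches a Low field."""
    leaks = []
    for name_idx, pass_idx in sorted(interpretations(fields)):
        value = {name_idx: name, pass_idx: password}
        if any(fields[j]["level"] == LOW and v == password
               for j, v in value.items()):
            leaks.append((name_idx, pass_idx))
    return leaks


def is_secure_layout(fields):
    """True iff no plausible user behaviour violates G(NOT SecurityBreach)."""
    return not breaches(fields)


if __name__ == "__main__":
    secure = layout([("NameLabel", LOW), ("PassLabel", HIGH)])
    leaky = layout([("PassLabel", HIGH), ("NameLabel", LOW)])
    print("name-before-password secure:", is_secure_layout(secure))
    print("password-before-name leaks via:", breaches(leaky))
```

The leaky layout is exactly the case where precedes(InputName, InputPass) fails: the by-habit reading types the password into the first field, which is the Low-level name field.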
Conclusions
• We investigated the formal modelling of cognitive aspects of confidentiality leaks.
• We extended our approach, based on usability verification, to address some aspects of information-flow security.
• We presented a simple example where the layout of input fields can result in security breaches: www.dcs.qmul.ac.uk/~rimvydas/usermodel/fmis06.zip
Future work
• Other (more complex) security properties.
• Generic user interpretation model.
• Scaling-up.