
Formal Methods for Quality of Standards, Conformity Assessment and Security


Presentation Transcript


  1. Formal Methods for Quality of Standards, Conformity Assessment and Security O. Monkewich, Ph.D., P.Eng. OMC International Phone: +1 613 836-4406 Fax: +1 613 836-5430 E-mail: os.monkewich@sympatico.ca

  2. Formal Methods and Security
     • Error-free, unambiguous standards specified using SDL, MSC, ASN.1 and TTCN with formal syntax and semantics
     • Tools based on formal syntax and semantics are certifiable as trusted tools by accredited organizations
     • Machine-generated, tool-specific source code is difficult to understand or modify by attackers
     • Source descriptions in SDL are easy to review by non-programmers – benefit from “many eyes” reviews
     • Conformity assessment can find malicious content and vulnerabilities – test suites can be widely available
     Manual work offloaded to trusted tools. GSC-8, OTTAWA

  3. Understandability of open source code

     Figure 1(a) residue: an SDL process with the declaration DCL a,b,sum Integer; states WaitForNumber1 and WaitForNumber2; inputs number1(a) and number2(b); the call sum := CALL Add(a, b), where procedure Add computes sum := a + b; and the output result(sum).

     Figure 1(b), the hand-written C version (the slide's K&R-style listing rewritten as standard C, with the input checked):

```c
#include <stdio.h>

int calc(int m, int n);   /* adds two integers and returns the sum */

int main(void)
{
    int x, y, sum;

    puts("\nPlease enter two integers:\n");
    if (scanf("%d", &x) != 1 || scanf("%d", &y) != 1) {
        fputs("invalid input\n", stderr);
        return 1;
    }
    sum = calc(x, y);
    printf("\nThe sum of the two numbers you entered is: %d\n", sum);
    return 0;
}

int calc(int m, int n)
{
    int s;

    s = m + n;
    return s;
}
```

     Figure 1 – (a) illustrates an SDL process which adds two numbers, a and b, and returns their sum. (b) is the corresponding hand-written code in the C programming language. The examples illustrate language readability characteristics from the point of view of the non-programmer.

  4. A common vulnerability can be detected with conformance testing

     Figure 2(a) residue: hosts labelled ATTACKER (10.1.1.10), ANY WEB SITE (10.1.1.20) and VICTIM (10.1.1.30), with SYN, SYN/ACK and RESET packets exchanged between them.

     Figure 2(b) residue: TCP header fields – Source port, Destination port, Sequence Number, Acknowledgement Number, Data offset, Resvd, flags (URG, ACK, PSH, RST, SYN, FIN), Window, Checksum, Urgent Pointer, Options (if any), Data.

     Figure 2 – A common attack method using TCP/IP SYN packets to transfer a covert program one ASCII character at a time. Figure 2 (a) shows how packets can be bounced off any Web site to make detection of the attacker more difficult; Figure 2 (b) represents the TCP packet format showing the Sequence Number field.

  5. TCP Packet Sequence Number Conformance Test in TTCN

     Figure 3 – a test case in TTCN derived from SDL to test the value of the Sequence Number field in the TCP SYN packet.

  6. TCP Packet in ASN.1 and Constraint

     Figure 4 – ASN.1 representation of the TCP packet named TCP_SYN and the corresponding TCP_SYN1 with the field values filled in.
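     The Sequence Number check that slides 4 to 6 describe (TTCN test case over the TCP_SYN structure), as an added Python example that is not part of the presentation: it decodes the fixed TCP header of Figure 2(b) and gives a pass/fail verdict for each SYN segment. The verdict rule is an assumption made here, not the slide's TTCN constraint: a conforming initial sequence number is a 32-bit clock-derived value, so an ISN small enough to be a single printable ASCII byte is reported as a failure.

```python
import struct

FLAG_SYN = 0x02
FLAG_ACK = 0x10
HEADER_FMT = "!HHIIBBHHH"  # Figure 2(b): ports, seq, ack, offset/resvd, flags, window, csum, urgent

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte part of a TCP header from raw bytes."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    names = ("src_port", "dst_port", "seq", "ack", "offset_resvd", "flags",
             "window", "checksum", "urgent")
    h = dict(zip(names, struct.unpack(HEADER_FMT, segment[:20])))
    h["data_offset"] = (h.pop("offset_resvd") >> 4) * 4   # header length in bytes
    return h

def build_syn(src_port: int, dst_port: int, seq: int, flags: int = FLAG_SYN) -> bytes:
    """Constructed sample input: a bare TCP segment with the given sequence number."""
    return struct.pack(HEADER_FMT, src_port, dst_port, seq, 0, 5 << 4, flags, 65535, 0, 0)

def check_syn_sequence(segment: bytes) -> tuple:
    """Test-case verdict on the Sequence Number of a SYN (no ACK) segment.
    Assumption, not from the slide: an ISN that fits one printable ASCII
    byte (0x20..0x7E) is far below any clock-derived ISN and fails."""
    h = parse_tcp_header(segment)
    is_syn = bool(h["flags"] & FLAG_SYN) and not (h["flags"] & FLAG_ACK)
    if is_syn and 0x20 <= h["seq"] <= 0x7E:
        return False, (f"FAIL src port {h['src_port']}: ISN {h['seq']:#010x} "
                       f"is printable ASCII {chr(h['seq'])!r}")
    return True, "PASS"

def run_suite(segments: list) -> list:
    """Apply the check to every segment and collect the failure verdicts."""
    failures = []
    for seg in segments:
        ok, verdict = check_syn_sequence(seg)
        if not ok:
            failures.append(verdict)
    return failures

if __name__ == "__main__":
    sample = [   # constructed traffic: two ordinary SYNs and two suspect ones
        build_syn(40001, 80, 0x7A3B91C4),
        build_syn(40002, 80, ord("H")),
        build_syn(40003, 80, 0x12AB34CD),
        build_syn(40004, 80, ord("i")),
    ]
    print("\n".join(run_suite(sample)) or "all segments pass")
```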

  7. Buffer Overflow

     Figure 5 residue: (a) the normal stack, labelled Memory Pointer, Buffer 2, Buffer 1, Return Pointer and Fill Direction; (b) the same stack after the overflow, labelled Attacker’s Machine Code and New Return Pointer.

     Figure 5 – The normal program memory stack with two buffers intended to accept user input, such as a credit card number, can be overwritten with the attacker’s code. For the attacker’s code to work, the attacker must know and understand the victim’s code. This is difficult for the attacker to achieve due to the nature of machine-generated code and the need for special tools to change the code. Formalisms that define language syntax and semantics make it possible to prove the correctness of the language typing rules, so that no data can flow into places not capable of holding it.

  8. ASN.1 code portability and Trusted Tools

     What is placed on the wire to transmit “John Smith”?
     • Inside the protocol, define the variable type “Name” in ASN.1:
       Name ::= SEQUENCE { FirstName PrintableString, LastName PrintableString }
     • Assign values to the variables FirstName and LastName:
       FirstName := ‘John’
       LastName := ‘Smith’
     • The variable “Name” encoded as a BER sequence, in hex (as given on the slide):
       (Seq_Class) (No_Bytes) (Printable_Str) (No_bytes) (John) (Printable_Str) (No_bytes) (Smith)
       28 15 13 04 4A 6F 68 6E 13 05 53 6D 69 74 68
     • Converted into a binary stream of zeros and ones:
       00101000 00010101 00010011 00000100 01001010 (J) 01101111 (o) … 01010011 (S) 01101101 (m) …

     Figure 6 – Using ASN.1 and Basic Encoding Rules (BER) to encode “John Smith” for transmission. This is done using trusted tools – no errors due to manual coding.
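     The encoding on this slide, as an added Python example that is not part of the presentation: a minimal X.690 BER encoder and checking decoder for the Name type, restricted to short-form lengths (up to 127 content octets). Note that X.690 assigns SEQUENCE the tag octet 0x30 and the length octet counts the 13 content bytes (0x0D), so the first two octets produced here differ from the hex shown on the slide; the PrintableString octets match it.

```python
import string

TAG_PRINTABLE_STRING = 0x13   # UNIVERSAL 19, primitive
TAG_SEQUENCE = 0x30           # UNIVERSAL 16 with the constructed bit set
PRINTABLE = set(string.ascii_letters + string.digits + " '()+,-./:=?")  # X.680 PrintableString

def encode_length(n: int) -> bytes:
    """Short-form X.690 length octet; this example stops at 127 content bytes."""
    if n >= 0x80:
        raise ValueError("long-form lengths not handled in this example")
    return bytes([n])

def encode_printable_string(s: str) -> bytes:
    """TLV for a PrintableString; the type check rejects characters outside the set."""
    if not set(s) <= PRINTABLE:
        raise ValueError(f"not a PrintableString: {s!r}")
    data = s.encode("ascii")
    return bytes([TAG_PRINTABLE_STRING]) + encode_length(len(data)) + data

def encode_name(first: str, last: str) -> bytes:
    """Name ::= SEQUENCE { firstName PrintableString, lastName PrintableString }"""
    content = encode_printable_string(first) + encode_printable_string(last)
    return bytes([TAG_SEQUENCE]) + encode_length(len(content)) + content

def read_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Return (tag, value, next_pos) for the TLV starting at pos, bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not handled in this example")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("length exceeds available data")
    return tag, buf[pos + 2:end], end

def decode_name(tlv: bytes) -> tuple:
    """Inverse of encode_name: checks the outer tag, trailing data and field tags."""
    tag, content, end = read_tlv(tlv)
    if tag != TAG_SEQUENCE or end != len(tlv):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = [], 0
    while pos < len(content):
        t, v, pos = read_tlv(content, pos)
        if t != TAG_PRINTABLE_STRING:
            raise ValueError(f"unexpected tag {t:#04x}")
        fields.append(v.decode("ascii"))
    if len(fields) != 2:
        raise ValueError("Name needs exactly two fields")
    return fields[0], fields[1]
```

Calling encode_name("John", "Smith") yields the octets 30 0D 13 04 4A 6F 68 6E 13 05 53 6D 69 74 68, and decode_name recovers the two strings from them.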

  9. RFC Data Format

     Figure 7 residue: the same tabular TCP header as Figure 2(b) – Source port, Destination port, Sequence Number, Acknowledgement Number, Data offset, Resvd, flags (URG, ACK, PSH, RST, SYN, FIN), Window, Checksum, Urgent Pointer, Options (if any), Data.

     This non-standard data format is dominant in the Internet literature today. It is changed in arbitrary ways by authors, usually to fit the page. This format cannot be compiled or validated. ASN.1 can be compiled and validated.

     Figure 7 – The tabular form of specifying packet structure and content is dominant in the literature today, but machines cannot understand it.

  10. Conclusions
     • Several aspects of network security can be improved through the use of:
       • Higher quality protocol and test suite Recommendations specified in SDL, ASN.1, MSC and TTCN
       • Trusted tools based on SDL, ASN.1, MSC and TTCN for specification, validation, code generation and testing
     • Machine-generated code is error-free and difficult for an intruder to modify
     • Conformance tests traceable to the specification can detect malicious code

  11. Resolution
     • That ITU-T Study Groups will apply Recommendation A.3 Supplement 1, Guidelines on the Quality Aspects of Protocol Related Recommendations, when developing new protocol related recommendations
     • That ITU-T TSB will provide technical support and tools for the development and maintenance of complex Recommendations
     • That companies that participate in GSC member organizations will make use of commercial tools based on formal methods in their reviews of draft Recommendations
     • That companies that participate in GSC member organizations will promote the use of formal languages and tools in IETF
