WP6: Static Analysis

Presented by Flemming Nielson, Informatics and Mathematical Modelling, Technical University of Denmark, at the 3rd review of DEGAS in April 2005.


Presentation Transcript


  1. WP6: Static Analysis. Presented by Flemming Nielson, Informatics and Mathematical Modelling, Technical University of Denmark, at the 3rd review of DEGAS in April 2005.

  2. The DEGAS view: WP5, WP6
     [Diagram; labels: UML design; class diagrams; sequence diagrams; activity diagrams; extraction; model in process calculus; static analysis; security features; stochastic features; Markov model; reflection; fully automatic and hidden from the user]

  3. Objectives of WP6
     • Comparing and finding new language abstractions to design global applications (D9 month 12)
     • Enhancing understanding and applicability of static analysis for global computing systems (D11 month 24, D14 month 33)
     • New models and techniques for integrated qualitative and security analysis statically
     • Proof-of-concept implementations to validate the above treatment (D19 month 24)

  4. Language Abstractions
     Within DEGAS we have considered analysis of
     • ambient calculi (for access control)
     • π-calculi (for access control and performance)
     • LySa (network security and performance)
     An overview of language abstractions is in D9: Basic Static Mechanisms of Process Algebras for Global Applications

  5. Basics of Static Analysis
     Characterising the behaviour:
     [Diagram; labels: Static analysis (over-approximation); Actual behaviour; Model checking / Theorem Proving (under-approximation)]

  6. Enhancing Static Analysis
     Network security
     • LySa and its static analysis
     Access control
     • π-calculus and Enhanced Operational Semantics
     Discussed in
     • D11 Models and Techniques for Static Analysis
     • D14 Final Report on Static Analysis

  7. Analysis of LySa
     [Diagram; labels: Protocol; Attacker; Hardest attacker; Actual behaviour; Static analysis; Over-approximation]

  8. Prototype: the LySatool
     [Diagram: LySa (annotated with authentication properties) → constraint generation → constraints (in Alternation Free Least Fixed-point logic) → constraint solving → solution (includes violations of authentication properties)]
     • Details are in D19 Static Analysers
     • The LySatool is integrated in Choreographer
     • The LySatool is available on the internet: http://www.imm.dtu.dk/cs_LySa/lysatool

  9. LySa During the Third Year
     • Developed a technique for tracking replay attacks
     • Implemented analysis of infinite scenarios
     • Improved efficiency of the LySatool to cater for industrial size protocols
     • Improved usability (input/output capabilities of the LySatool)
     • Discovered unknown security issues in
     • Classical security protocols (Beller-Chang-Yacobi ’93, Bauer-Berson-Feiertag ’83)
     • Modern protocol standards (OASIS)
     • Case studies (D26)

  10. Enhanced Static Analysis • Corrado, Pierpaolo, or Chiara: Please provide a slide (or two) with information about your contribution in D14

  11. Integrating Security and Performance Analysis
      Design and analysis process
      [Flow diagram; labels: Protocol in LySa; Static security analysis; OK; Performance analysis; Not OK; Redesign protocol]
      Supported by performance analysis using:
      • PEPA – for timing attacks (facilitated by Choreographer)
      • EOS for protocol performance / effort spent on attacks

  12. Self-evaluation of WP6
      Positioning with respect to state of the art
      • S1: Strong indicator for discovery of a new class of flaw in a protocol published in the literature
      • W1: Weak indicator for application to key exchange protocol for DEGAS case study
      Comparison with competing approaches
      • S2: Strong indicator for clarifying the fundamentally different behaviours of model checking and static analysis as regards protocol validation
      • W2: Weak indicator for termination properties of our analysis approach
      • W2: Weak indicator for allowing to use model checking to validate the flaws reported by static analysis.

  13. Self-evaluation of WP6
      Usability and exploitation perspectives
      • S3: Strong indicator for hardening the design of the analysis tool so that also educated users outside of the research group (mainly MSc-students) are able to use the analysis tool.
      • W4: Weak indicator on the ability to analyse the OASIS protocol for Single Sign On.
      • W5: good progress towards weak indicator based on the UML to LySa extractor
      • S6: Strong indicator for the ability to teach the analysis method to advanced MSc-students and PhD-students that subsequently can use it for projects.
