
Security in a PUC environment using component composition


Presentation Transcript


  1. Security in a PUC environment using component composition NGN-ProgNet Workshop 2004 Bob Askwith, David Llewellyn-Jones, Madjid Merabti, Qi Shi Liverpool John Moores University R.Askwith@livjm.ac.uk http://www.cms.livjm.ac.uk/PUCsec/

  2. Overview • Second round project • Started in March 2002 • Focus on security in a personal ubiquitous computing (PUC) environment • Security is an increasingly important issue in any situation dealing with programmable components

  3. Security scenario • We consider security in a scenario satisfying specific qualities • multiple devices acting in parallel • low power devices with restricted resources • networked environment • potentially heterogeneous environment • These are all properties of a PUC environment • Clearly there are close parallels between this and programmable networks

  4. Security methods • In order to tackle security problems, our mandate has been to investigate component composition • Deals with the manner in which the security of a system comprised of multiple components is affected by the security properties of those individual components • Example: email client

  5. Proposed framework • Last year we presented a proposed framework as a means of tackling the question of how such system might work • This year we will extend this framework and look at our progress in implementing it

  6. Framework processes • There are 3 clear processes involved • Component analysis • Composition analysis • Dynamic sandboxed execution • We’ve made progress on the first two of these processes. This will be detailed in the remainder of the talk.

  7. Composition analysis • At the heart of the process lies the composition engine • We have a working scriptable solution based on the composition of agents via network channels • The system compares the composition topology against a number of generalised composition templates

  8. Composition analysis • So far our engine has been found to be flexible enough to cope with all the theoretical composition results tested from the literature • These include • Hierarchical results such as Composable Assurance • Restrictive results such as Non-Interference • Practical buffer overrun results (more later)

  9. Progress • We have a working prototype system • Coding is underway for the incorporation into a simple demonstrable agent-based system

  10. Component analysis • We have identified 3 methods for establishing component properties • Certification • Proof Carrying Code • Direct Code Analysis

  11. Direct Code Analysis • There are a number of benefits and drawbacks to each method • Some method suitable for a PUC environment is necessary if the concept is to work • We looked at DCA since it constitutes the only fully automated method usable with arbitrary code • DCA allows properties to be traced throughout the potential execution of the code • It provides a provable a priori method of establishing code properties

  12. Example • We have established a method of DCA for testing buffer overruns in component code • Suppose component B suffers from a buffer overrun vulnerability if sent more than 64 bytes • Our procedure will signal a vulnerability only if component A has the potential to send more than 64 bytes on channel 0 • The example can be generalised to more components and multiple channels

  13. Distributed checking • A difficulty of using Direct Code Analysis in a low power environment is resource usage • In a PUC environment, we aim to distribute the analysis across multiple devices • This requires a trust model • We have developed a trust model based on a distributed algorithm using Cellular Automata • Component analysis is sent only to trustworthy devices

  14. Distributed trust mechanism • Our experiments have shown that our trust model • is robust • is scalable • imposes minimal additional resource usage • requires low network bandwidth • localises untrustworthy components • These results are based on simulations using Klemm-Eguíluz generated networks

  15. Dynamic sandboxed execution • The final stage configures a sandbox based on the derived properties • The benefit of property discovery is to allow the sandbox to be tailored • Provide maximum security with the minimum overhead • In our example, run-time buffer overrun checking would only be required if the composed application was known to require it • This aspect of the framework will form part of our future work
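The following is an added worked example (not the PUCsec project's code or the talk's own method) that ties together slide 12 (DCA for buffer overruns, signalling a vulnerability only if a sender can exceed the receiver's 64-byte limit on a channel), the composition check of slides 7 and 8, and the tailored sandbox of slide 15. It goes beyond the single A-to-B case to several components and channels, as slide 12 says the example generalises. Everything in it is an assumption for illustration: the mini-language of `Send`/`Branch`/`Loop` instructions, the interval-style bound on bytes per channel, the `Component`/`Link` types, and the constructed scenario in `demo()`.

```python
"""Direct Code Analysis (DCA) for buffer overruns, composition checking and
sandbox tailoring in one pass.  Added example, not the PUCsec project's code.

A sender component is modelled as a tiny abstract program (constructed
mini-language) whose only observable effect is sending bytes on numbered
channels.  An interval-style analysis gives an upper bound on bytes sent per
channel along any path; composition compares each bound with the receiver's
declared buffer on that channel; the sandbox policy then enables run-time
overrun checking only on channels the static stage could not prove safe.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

INF = float("inf")


@dataclass
class Send:
    channel: int
    size: Union[int, Tuple[int, int]]  # fixed size, or (lo, hi) if data-dependent


@dataclass
class Branch:
    then_: List["Instr"]
    else_: List["Instr"]


@dataclass
class Loop:
    body: List["Instr"]
    max_iters: Optional[int]  # None: no static bound on the iteration count


Instr = Union[Send, Branch, Loop]


def max_bytes_per_channel(program: List[Instr]) -> Dict[int, float]:
    """Upper bound on bytes sent on each channel along any execution path.
    Sequence adds, a branch takes its worse arm, a loop multiplies by its
    iteration bound (or yields INF when the loop is unbounded)."""
    total: Dict[int, float] = {}
    for ins in program:
        if isinstance(ins, Send):
            hi = ins.size if isinstance(ins.size, int) else ins.size[1]
            total[ins.channel] = total.get(ins.channel, 0) + hi
        elif isinstance(ins, Branch):
            then_b = max_bytes_per_channel(ins.then_)
            else_b = max_bytes_per_channel(ins.else_)
            for ch in set(then_b) | set(else_b):
                total[ch] = total.get(ch, 0) + max(then_b.get(ch, 0), else_b.get(ch, 0))
        elif isinstance(ins, Loop):
            for ch, hi in max_bytes_per_channel(ins.body).items():
                bound = INF if ins.max_iters is None else hi * ins.max_iters
                total[ch] = total.get(ch, 0) + bound
    return total


@dataclass
class Component:
    name: str
    program: List[Instr] = field(default_factory=list)     # what it may send
    buffers: Dict[int, int] = field(default_factory=dict)  # channel -> safe receive size


@dataclass(frozen=True)
class Link:
    sender: str
    receiver: str
    channel: int


def check_composition(components: List[Component], links: List[Link]) -> Dict[Link, str]:
    """Map every link to 'safe' (bound proved within the buffer) or 'overrun'
    (some path may deliver more bytes than the receiver's buffer holds).
    A receiver with no declared buffer on the channel is treated as unbounded."""
    comps = {c.name: c for c in components}
    verdicts: Dict[Link, str] = {}
    for link in links:
        bound = max_bytes_per_channel(comps[link.sender].program).get(link.channel, 0)
        buf = comps[link.receiver].buffers.get(link.channel, INF)
        verdicts[link] = "safe" if bound <= buf else "overrun"
    return verdicts


def sandbox_policy(verdicts: Dict[Link, str]) -> Dict[str, List[int]]:
    """Per receiver, the channels on which run-time overrun checking must stay
    on; a receiver absent from the result can run with checking disabled."""
    policy: Dict[str, List[int]] = {}
    for link, verdict in verdicts.items():
        if verdict == "overrun":
            policy.setdefault(link.receiver, []).append(link.channel)
    return {r: sorted(chs) for r, chs in policy.items()}


def demo() -> Tuple[Dict[Link, str], Dict[str, List[int]]]:
    """Constructed scenario: A talks to B on channel 0 (64-byte buffer) and
    to C on channel 1 (128-byte buffer); A2 loops sending to B on channel 0."""
    a = Component("A", program=[
        Send(0, 32),
        Branch(then_=[Send(0, 16)], else_=[Send(0, 8)]),  # at most 48 bytes on channel 0
        Send(1, (0, 100)),                                # data-dependent size on channel 1
    ])
    a2 = Component("A2", program=[Loop(body=[Send(0, 20)], max_iters=4)])  # up to 80 bytes
    b = Component("B", buffers={0: 64})
    c = Component("C", buffers={1: 128})
    links = [Link("A", "B", 0), Link("A", "C", 1), Link("A2", "B", 0)]
    verdicts = check_composition([a, a2, b, c], links)
    return verdicts, sandbox_policy(verdicts)


if __name__ == "__main__":
    verdicts, policy = demo()
    for link, verdict in verdicts.items():
        print(f"{link.sender} -> {link.receiver} ch{link.channel}: {verdict}")
    print("run-time checks required:", policy)
```

The analysis is deliberately conservative in the direction the slides describe: a vulnerability is raised only where some execution path of the sender can exceed the receiver's buffer, and the sandbox keeps run-time checking only on those channels, so a composition that the static stage proves safe pays no checking overhead at all.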

  16. Future work • Dynamic sandboxed execution still to be considered • work can begin once the earlier two stages have been successfully combined • Inclusion of completed work into a prototype, using simple networked agents • to provide a proof of concept for a fully automated method • Testing of combined methods working together in an automated way • working in an automated way with composition across a network

  17. Conclusion • Current work: • Component testing using DCA • Distributed DCA checking using trust mechanism • Composition engine to establish composed properties • Future work • Dynamic sandboxed execution • Prototype based on simple networked agents • Testing of combined methods

  18. Security in a PUC environment using component composition NGN-ProgNet Workshop 2004 Bob Askwith, David Llewellyn-Jones, Madjid Merabti, Qi Shi Liverpool John Moores University R.Askwith@livjm.ac.uk http://www.cms.livjm.ac.uk/PUCsec/
