Formalizing an Adaptive Security Infrastructure in Mobadtl

Laura Semini & Carlo Montangero
dip. Informatica, Pisa
Outline
Mobadtl
Mobadtl formalization
instance
ASI
refinement
ASI formalization
Characteristics of Mobadtl
Model:
- An approach to modelling distributed systems
- Focus on architectural aspects
- An adequate abstraction for overlay computing
- Accommodating mobility
Logic:
- Temporal logic plus refinement as a methodology
- Mechanical support for verification
Mobadtl model: an intuition
(figure: neighbourhoods, each with its guardian and its agents; an agent moving between neighbourhoods; a message being delivered)
The ingredients of Mobadtl
Locations:
- Neighbourhoods, places where computational entities live
- Flat topology
- Security and routing policies
Agents:
- Move from neighbourhood to neighbourhood
- Communicate via asynchronous message passing
Authorities:
- Guardians monitoring agents' activities, enacting routing and security policies
- No a priori choice about routing and security: freedom is given to designers
Profiles:
- A means to refer to an entity by specifying the constraints the entity must satisfy
- e.g. flightResService, name(X)
The formalism: ΔDSTL(x)
A first-order multi-modal logic to:
- name components and state their properties (location)
- relate properties of different components of a system
- describe properties of the evolution of systems (time)
with regard to an asynchronous setting.
Formalizing the model: an example
out(M,P) represents the will of an agent to send a message M to a receiver that satisfies profile P.

    S (out(M,P) ∧ guardedby(G))  LEADS_TO  G msgReq(M,S,P,i)

(figure: agent S holding out(M,P); its guardian G receiving msgReq(M,S,P,i))
Any message sent is first processed by the sender's guardian.
Location layer: DSL
Modalities to locate properties in the state of a component:
- m(p ∧ q): a state of component m satisfies both p and q
- m p ∧ n r: a state of m satisfies p and a state of n satisfies r
- m s ∧ m t: this is NOT the same as m(s ∧ t), since the two conjuncts may be located in different states of m
(figure: components m and n; properties p, q, s, t located at m and r located at n)
Location layer: semantics
Semantic domain: the powerset DS = 2^S of the set S of component states.

    (ds, ds') ∈ Rm   iff   ds' is a singleton contained in Sm ∩ ds
                           (a single state of component m taken from ds)

    ds ╞ m F         iff   there exists ds' such that (ds, ds') ∈ Rm and ds' ╞ F

(figure: a distributed state containing states of m and n, with p and q holding in states of m and r in a state of n)
Temporal layer: DSTL
- The future is to be intended as the partial order of states defined by:
  - intra-component transitions
  - inter-component communications
- No global clock, no global knowledge
(figure: a computation of components m, n and o with properties p, q and r, contrasting a valid leads-to formula from n q with a non-valid one)
UNITY-like operators, plus past operators
- F1 LEADS_TO F2
- INIT F
- F2 BECAUSE F1
- STABLE F
Simplicity: the operators cannot be nested.
Events: ΔDSTL(x)
Explicit event operator, ΔF:
- simple events, ΔA
- composed events, Δ(A ∧ B)
- conditioned events, ΔA ∧ B
Rules and theorems

LTR:   F1 LEADS_TO F2    F2 LEADS_TO F3
       --------------------------------
               F1 LEADS_TO F3

LPD:   F1 LEADS_TO G     F2 LEADS_TO G
       --------------------------------
            (F1 ∨ F2) LEADS_TO G

LCC:   F LEADS_TO G1     F LEADS_TO G2
       --------------------------------
            F LEADS_TO (G1 ∧ G2)

Conf:  STABLE M F        STABLE M F'
       --------------------------------
         M F ∧ M F'  →  M(F ∧ F')

(note: in general M F ∧ M F' does not entail M(F ∧ F'); Conf needs the stability side conditions)
Outline
1. Depict a few, simple and clearly related concepts: an informal model
2. Choose a proper formalism
3. Formalize the model to get the description of a generic system
4. Instantiate the model to get the description of a particular system
5. Refine the model formalization
ASI Components in Mobadtl
- Detector (a guardian): senses, collects, and distributes information about the security environment
- Analyzer (an agent): processes Detector data, and occasionally proposes actions to bring about a new state
- Responder (a guardian): executes the actions as directed by the Analyzer
ASI Components in Mobadtl
(figure: generic neighbourhoods whose guardians act as Detector & Responder, generic agents, a log, and the Analyzer agent)
The threshold property
Agents can question the trustworthiness of a guardian. Once the number of warnings reaches a given threshold, we want to consider the guardian no longer trustworthy (e.g. for routing messages).
The threshold property
(figure, built up over several animation steps: two generic agents send out(demote(X,D),{sec_w}) and out(demote(X,D'),{sec_w}); their Detector guardians deliver in(demote(X,D),S) and in(demote(X,D'),S') to the Analyzer, which holds threshold(2); the Analyzer sends out(demote(X,D),{adapt}) to the Responders, each of which then records ~trusted(X))
The threshold property

    a threshold(2) /\ ag trusted(G) /\ C1 /\ C2
        where C1 = out(demote(X,D),{sec_w}) /\ C2 = out(demote(X,D'),{sec_w})
    LEADS_TO
    G ~trusted(X)  \/  some communication exception because of unreachability
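As an added example (not the slides' own code, and not a Mobadtl or MaRK artifact), the following simulates the threshold property as a small message-driven system: agents warn about guardian X with out(demote(X,D),{sec_w}), the Analyzer holding threshold(2) counts distinct warnings, and on reaching the threshold it sends demote(X,D) to the {adapt} profile so that every Responder records ~trusted(X). The class layout, the routing loop and the rule that a repeated (D,S) pair counts once are assumptions of this example; the "unreachable" branch of the LEADS_TO is not modelled.

```python
from collections import defaultdict
# Added example, not the slides' own code: a simulation of the threshold property.
# Message and profile names (demote, sec_w, adapt) follow the slides; the classes,
# the routing loop and the duplicate rule (a repeated (D,S) warning counts once)
# are assumptions of this example. The "unreachable" branch is not modelled.

class Analyzer:
    def __init__(self, threshold=2):
        self.threshold = threshold
        self.warnings = defaultdict(set)   # X -> {(D, S)}: distinct warnings seen
        self.outbox = []                   # pending out(M, P) requests

    def deliver(self, msg, sender):
        """Handle in(demote(X,D),S): a warning about X from detector D, sent by S."""
        _, x, d = msg
        self.warnings[x].add((d, sender))
        # Fires exactly once, when the count of distinct warnings hits the threshold
        if len(self.warnings[x]) == self.threshold:
            self.outbox.append((("demote", x, d), frozenset({"adapt"})))

class Responder:
    def __init__(self, name):
        self.name = name
        self.untrusted = set()             # guardians X for which ~trusted(X) holds

    def deliver(self, msg):
        _, x, _ = msg
        self.untrusted.add(x)

def run_scenario(events, threshold=2):
    """events: constructed (S, D, X) triples; returns each Responder's untrusted set."""
    analyzer = Analyzer(threshold)
    responders = [Responder("G1"), Responder("G2")]
    for sender, detector, x in events:
        analyzer.deliver(("demote", x, detector), sender)
        # Guardian routing: every out(M,{adapt}) reaches all Responders, since all of them satisfy {adapt}
        while analyzer.outbox:
            msg, profile = analyzer.outbox.pop(0)
            if "adapt" in profile:
                for g in responders:
                    g.deliver(msg)
    return {g.name: sorted(g.untrusted) for g in responders}

# Constructed warning stream: two distinct warnings about X (S1 via D, S2 via D'),
# a duplicate of the first, and a single warning about Y.
SAMPLE_EVENTS = [("S1", "D", "X"), ("S1", "D", "X"), ("S2", "D'", "X"), ("S3", "D", "Y")]
```

With the constructed stream, X is demoted at every Responder while Y, with a single warning, stays trusted.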
Conclusions
ASI components: Mobadtl concepts play a central role
- guardian → detection and response
- profile → adaptation
ASI formalization: how should the semantics of a dynamic security policy be specified?
- unify the temporal and spatial reasoning aspects
- take into account the global-local (or distributed-centralized, or hierarchical) nature of all components of an ASI
Proof with MaRK (Mobadtl Reasoning Kit)
A support tool: MaRK
- MaRK = Mobadtl Reasoning Kit: a tool to support the designer while proving properties of Mobadtl systems
- The goal: to make the proof task as automatic as possible
- MaRK is based on the theorem prover Isabelle (Paulson & Nipkow)
  - specialized for ΔDSTL(x)
  - extended to deal with Mobadtl systems
A support tool: MaRK
Why theorem proving
For:
- Need to deal with infinite states
- Learning from the proof process itself
- User-defined logic, close to the user's knowledge
- Third-party checkable proofs
Against:
- Not so automatic, often too interactive; insights on the internals of provers are needed
But:
- Tactics, libraries of proofs and tailoring to a particular domain make theorem provers more usable