The development of concurrent software: some prejudices
Download
Report
Transcript The development of concurrent software: some prejudices
An Interdisciplinary
Approach to Grid Security
P Y A Ryan
School of Computing Science
University of Newcastle
DIRC
Dependability Interdisciplinary Research
Collaboration.
6 year (1st July, 2000 - 30th June, 2006 ),
EPSRC funded collaboration of 5 institutes:
–
–
–
–
–
City University, London.
Edinburgh
Lancaster
Newcastle
York
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Aims
From the DIRC web page:
“To address the dependability of computerbased systems. Dependability is a
deliberately broad term to encompass many
facets including reliability, security and
availability. The term "computer-based
systems" highlights the involvement of
human participants. The interdisciplinary
approach includes, for example,
sociologists and psychologists as well as
computer scientists and statisticians.”
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Key messages
Security matters for Grid
Security is challenging
Needs to be addressed early
Needs to be addressed in an
interdisciplinary fashion
Failures will occur.
– Prevention is not enough.
– => need to develop effective detection,
containment and recovery mechanisms,
strategies.
– Synergy between dependability/fault tolerance
and security communities.
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Beyond the glass bead game…
Most security vulnerabilities can be traced back to
failures to take due account of human factors:
–
–
–
–
Weak passwords, post-its,…
Social engineering,
Poorly designed, non-intuitive interfaces,
Failures to patch promptly.
However, most work hitherto has concentrated on
purely technical challenges and issues. Notable
exceptions:
–
–
–
–
–
–
Roger Needham
Ross Anderson
Angela Sasse
Doug Tygar
Avi Rubin
Kevin Mitnick ?!
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Goals, policies, rules
Security goals are high-level requirements.
Goals induce constraints (may include
obligations, availability…) on the behaviour
of components, including the humans.
Typically need a mix of technical (crypto,
access control,…) as well as legal, social
enforcement mechanisms (audits,
accountability,…).
The conjunction of rules and mechanisms
as the “security policy”.
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Security policy rules
The policy and assumptions should
entail the goals.
Violation of rules does not necessarily
entail a violation of the goals, e.g., use
of weak passwords. Hazard states.
Tendency to assume that everything
can be technically enforced.
Modelling and analysis tractable.
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Limits of technical enforcement
Theoretical limits:
– E.g., information flow (confidentiality, integrity)
not enforceable. Pillow talk etc..
Envelope of what is technically enforced
can be pushed out:
– E.g., separation of duty
– Least privilege
– Forced complexity of passwords…
In practice it may not be effective:
– Inflexible
– Unwieldy
– Counterproductive (workarounds, post-its)
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Security culture
Fully technically enforced security doesn’t seem
feasible or desirable.
May be counter-cultural, e.g., clinicians, bank
managers….
Need to deal with exceptions, adaptation…
User involvement in system security is essential.
Security cultures-how do organisations instil and
maintain a culture of security.
– Grid theory.
Need to be able to establish cost effective balance
and mix of socio-technical mechanisms.
Need to better understand, ideally to be able to
model the various stakeholders.
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Modelling the users
Mental models-how do humans construct
mental models to interpret the behaviour of
security mechanisms
– “Why Johnny can’t encrypt”
– Rushby style FSM models
– Chaum experiments…
Shaping factors- what influences peoples
attitude and effectiveness:
– Stress, fatigue
– Risk perception, anticipated regret.
– Least effort.
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Modelling the adversary
Difference with dependability: accidental vs.
malicious (intentional). Pure actuarial data
not very useful.
Traditionally fairly crude models: e.g.,
Dolev-Yao for security protocols.
Really just rough models of capability. No
motivation, risk perception, expertise,
collusion etc.
Can we do better, e.g., constraint approach.
Game theory.
Psychology of hackers.
Hacker community.
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Detection and recovery
Intrusion/failure detection.
Difficulty in distinguishing normal,
accidental and malicious.
Define failure modes (vulnerabilities).
Define recovery modes and strategies.
Learning and adaptation.
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Boundaries, structure,
abstraction…
Recurring problem: where to draw the
system boundaries, where to set the
levels of abstraction.
Security properties tend not to behave
well under refinement and
composition.
Creating systems.
Recovery systems.
Legal redress, liability
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Challenges
Establish minimal policy requirements (policy
templates, meta-policies?)
To what extent are security requirements uniform
across grid projects? Data vs. compute grids.
Similar to security requirements across other
domains: military, commercial etc? is RBAC or
maybe TBAC enough?
Medical applications lead to richer info flow
policies.
How special is security really?
Better understanding (models?) of the role of
humans.
Boundaries, levels of abstraction.
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan
Ongoing DIRC work
Security cultures-application of grid theory.
GOLD: grid-enabled, virtual (dynamic)
enterprises for the (UK) Pharmaceutical
industry.
Dependability/risk analysis of the Chaum
voting scheme (DSN).
Trials of Chaum-understanding, mental
models, public trust etc.
More (Grid) case studies welcome.
DIRC potentially a useful resource.
An Interdisciplinary Approach to Grid Security,
NESC 25 November 2003
P Y A Ryan