Risk and Argument: A Risk-based Argumentation Method for Practical Security. Trento - 02 September 2011

Size: px

Start display at page:

Download "Risk and Argument: A Risk-based Argumentation Method for Practical Security. Trento - 02 September 2011"

Cora Jordan
8 years ago
Views:

1 Risk and Argument: A Risk-based Argumentation Method for Practical Security Virginia N. L. Franqueira, Thein Than Tun, Yijun Yu, Roel Wieringa and Bashar Nuseibeh Trento - 02 September 2011

2 Agenda Problem Solution Direction Walk-through of RISA method using PED example 1/20

3 Engineering of secure systems is bound by practical limitations Limited resources Uncertainties Incomplete information Unnoticeable, hardly measurable evidence 2/20

4 Consequence & Solution Direction In practice: No absolute security No 100% security requirements satisfaction Way forward: Good enough security satisfaction As low as possible level of security risk Our solution: RISA RIsk assessment in Security Argumentation 3/20

5 From Haley et al. framework to RISA method 1. Identify Functional Requirements Key steps from Haley et al. framework Formal logic 2. Identify 3. Identify 4. Construct Security Security Outer Goals Requirements Argument good enough security 8. Prioritize Risks 7. Mitigate 6. Classify 5. Construct Inner Argument Risks Risks 5. Identify Risks Public Security Catalogues Structured Argumentation Steps for risk assessment in RISA 4/20

6 PIN Entry Devices (PED) example S.Drimer, S.J.Murdoch, and R.Anderson, Thinking Inside the Box: System-Level Failures of Tamper Proofing, in SP 2008, IEEE Press, pp , 295, /20

7 RISA step 1: Identify Functional Requirements functional goal Provide convenient payment option at Points-Of Of-Sale to consumers functional requirement Allow consumers to pay at Points-Of Of-Sale with PIN 6/ Cat.

8 RISA step 2: Identify Security Goals valuable assets PIN card details transaction value design characteristics smartcard itself cryptographic keys security goal Protect the PIN Cat. 7/20

9 RISA step 3: Identify Security Requirements security requirements confidentiality of PIN integrity of PIN security functions enclosure of PED components provides tamper detection & response mechanisms to resist physical attacks encryption/decryption of PIN ensures that the PIN is encrypted within the PED immediately after PIN entry system context diagram Cat. 8/20

10 RISA step 4: Construct Outer Argument Formal proof that behavior of PIN related to confidentiality is satisfiable bank P6 confirmation -transaction CPU P5 card- reader PIN P2 P3 P4 card display keypad PED P1 consumer Outer argument for confidentiality of PIN: (Behavioral premises) P1, P2, P3, P4, P5, P6 confirmation-transaction transaction Cat. 9/20

11 Risk assessment steps of RISA are supported by the CAPEC & CWE public catalogues cwe.mitre.org/ Cat. 10/20

12 RISA step 5: Identify Risks Cat. Structured argumentation used to challenge behavioral premises in practice via risk assessment warrant Correct PINs are accepted Premise P1 by keypad Premise P2 Consumer enters PIN PIN reaches leaves keypad PIN reaches card-reader ground claim ground claim rebuttal R1.1 R1.2 rebuttal R1.6 R1.7 Challenged Risk Reference Premise P2 R1.6: PIN is revealed if sent unencrypted within the PED and the PED enclosure can be tampered CWE-311 & CAPEC /20

13 10

14 RISA step 6: Classify Risks Cat. Risks are classified in terms of: risks transferred to system context risks to be mitigated by the system Possibilities: risk to be completely mitigated by the PED risk to be completely mitigated by the PED context risk to be partially mitigated by both 13/20

15 RISA step 7: Mitigate Risks Cat. Mitigations restore the satisfaction of security requirements by rebutting risks System behavioral premises Risks Mitigations Risk R1.6 & R1.7 & R1.8 Mitigation M2.4: Any transmission of PIN should use well-vetted encryption algorithms & recommended key sizes 14/20

16 10 CWE-311

17 RISA step 8: Prioritize Risks Cat. Empirical data about typical severity of risks or likelihood of exploit can also be found in the catalogues Risk Mitigation Typical risk severity R1.6 & R1.7 & R1.8 M2.4: Any transmission of PIN should use well-vetted encryption algorithms & recommended key sizes Low to very high Interpretation of risk severity depends on many factors 16/20

18 10 CWE-311

19 RISA recursion Other rounds of argumentation may follow recursion stops when the system security is considered good-enough and/or resources for analysis of security have been used 1. Identify Functional Requirements 2. Identify Security Goals 3. Identify Security Requirements 4. Construct Outer Argument good enough security 8. Prioritize Risks 7. Mitigate Risks 6. Classify Risks 5. Identify Risks Public Security Catalogues 18/20

20 Opportunities for future work Addressing residual risks Improvement to estimation/prioritization of risks Tool support for the method: OpenArgue tool to be adapted Validation in the field with industrial case studies Addressing impact of transferred risks in terms of system mitigations Support to search catalogues for risk identification 19/20

21 Conclusion: Mutual benefits Satisfaction analysis (SA) benefits from risk assessment (RA) RA provides systematic input for security argumentation in SA RA allows prioritization of arguments and security requirements from prioritization of risks RA scales the process of argumentation with breadth-first approach Risk assessment (RA) benefits from satisfaction analysis (SA) SA provides systematic description of system context: source of risks SA provides top structure for RA SA argumentation organizes several rounds of RA & facilitates traceability 20/20

22 Questions? C. Haley, R. Laney, J. Moffett, and B. Nuseibeh, Security Requirements Engineering: A Framework for Representation and Analysis,, IEEE Transactions on Software Engineering, 34(1), pp , 153, S.Toulmin, R.Rieke,, and A.Janik, An Introduction to Reasoning,, Macmillan, 1979.

Directives and Instructions Regarding Wireless LAN in Department of Defense (DoD) and other Federal Facilities

Directives and Instructions Regarding Wireless LAN in Department of Defense (DoD) and other Federal Facilities Wireless Infrastructure, Article 12-29-2011 The federal government, and the Department of