Secure Interaction with an Email Client



Similar documents
Chapter 11: Input/Output Organisation. Lesson 06: Programmed IO

SiteCount v2.0 Revised: 10/30/2009

rs-ba1 remote control software quick reference guide

M5281/M5283. Serial ATA and Parallel ATA Host Controller. RAID BIOS/Driver/Utility Manual

Remote PC Guide Series - Volume 2a

Required Virtual Interface Maps to... mgmt0. virtual network = mgmt0 wan0. virtual network = wan0 mgmt1. network adapter not connected lan0

USING FILERELICATIONPRO TO REPLICATE SQL SERVER

CRM Connector Installation & Integration USER GUIDE

Lab Diagramming Intranet Traffic Flows

IBM Tivoli Monitoring V6.2.3, how to debug issues with Windows performance objects issues - overview and tools.

Outlook . User Guide IS TRAINING CENTER. 833 Chestnut St, Suite 600. Philadelphia, PA

CS420: Operating Systems OS Services & System Calls

CHAPTER 6: CLASSIC CLIENT OPTION

MOC 5047B: Intro to Installing & Managing Microsoft Exchange Server 2007 SP1

Axapta Object Server MICROSOFT BUSINESS SOLUTIONS AXAPTA

Linux. Installing Linux on Power Systems servers

Operating System Structures

User Manual Version 1.25

I N S T A L L A T I O N M A N U A L

PRIMEQUEST Integration

Remote PC Guide Series - Volume 2b

Introduction to Operating Systems. Perspective of the Computer. System Software. Indiana University Chen Yu

5054A: Designing a High Availability Messaging Solution Using Microsoft Exchange Server 2007

Using Actian PSQL as a Data Store with VMware vfabric SQLFire. Actian PSQL White Paper May 2013

Operating Systems. Module Descriptor

VisiCount Installation. Revised: 8/28/2012

How To Use The Case Diagnostic Tool On A Computer Or Computer

Tool Registration and Software Authorization

Programming and Using the Courier V.Everything Modem for Remote Operation of DDF6000

Installation and Setup

Spam Marshall SpamWall Step-by-Step Installation Guide for Exchange 5.5

Contents. Hardware Configuration Uninstalling Shortcuts Black...29

Frequency, definition Modifiability, existence of multiple operations & strategies

Example of Standard API

ITA Mail Archive Setup Guide

Computer-System Architecture

[HOW TO RECOVER AN INFINITI/EVOLUTION MODEM IDX ] 1

Intel DPDK Boosts Server Appliance Performance White Paper

FX-BTCVT Bluetooth Commissioning Converter Commissioning Guide

AMT Implementation on a UTC RETAIL 3170 POS

5.4.8 Optional Lab: Managing System Files with Built-in Utilities in Windows 7

Yubico YubiHSM Monitor

TCP/IP Networking, Part 2: Web-Based Control

1 Basic Configuration of Cisco 2600 Router. Basic Configuration Cisco 2600 Router

Sage Grant Management System Requirements

Configuring a YubiKey for the YubiCloud

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

Adaptive Log Exporter Users Guide

Introduction: Implementation of the MVI56-MCM module for modbus communications:

Installation and Program Essentials

Objectives. Chapter 2: Operating-System Structures. Operating System Services (Cont.) Operating System Services. Operating System Services (Cont.

How To Use Mview On A Powerline 2.2 (Powerline) On A Pc Or Macbook 2 (Powerplst) On An Iphone Or Ipa 2 (Aldo) On Your Iphon 2 (

Using RAID Admin and Disk Utility

User Guide. BlackBerry Storm 9530 Smartphone. Version: 4.7

Virtual DHX Driver Help Virtual DHX Driver for Allen-Bradley Networks

SysPatrol - Server Security Monitor

Analysis to develop an ISCSI Layer inside Microsoft Windows NT/2K/XP

Image Verification. Finding Feature Information. Restrictions for Image Verification

How To Write A Profibus Dpl (Profibus) Program

RDM+ Remote Desktop for Mobiles For Blackberry Playbook

Intel Server Board Platform Confidence Test Installation and Operating Instructions

ClockSync DAYTIME (RFC867) v9 Module Application Guide

HotelTV2. Easy Start Guide REV A0.6 D October. Web : Mail : support@vestek.com.tr Tel :

Microsoft Access is an outstanding environment for both database users and professional. Introduction to Microsoft Access and Programming SESSION

Quectel Cellular Engine

CSC 2405: Computer Systems II

Chancery SMS Database Split

Using Bluetooth-Enabled PosiTector 6000 with Statistical Process Control Software

D-Link DAP-1360 Repeater Mode Configuration

THE BUSINESS VALUE OF AN ERP SYSTEM

Backup & Restore Guide

SPAMfighter SMTP Anti Spam Server

CHAPTER 1: OPERATING SYSTEM FUNDAMENTALS

SUPER SMC LCD. User's Guide. Revision 1.0

Linux Driver Devices. Why, When, Which, How?

Getting Started with Ascent Xtrata 1.7

Ways to Use USB in Embedded Systems

The care and feeding of Pythons at the Redmond Zoo. (Using Micro Python and pyboard with Windows)

Technical Manual Fifth Edition

Archiving with MS Exchange Server

FirewallTM. isecurity. Out-of-the Box. The Network Security Component of. Version 15. Copyright Raz-Lee Security Ltd.

Lab Diagramming External Traffic Flows

International Journal of Software and Web Sciences (IJSWS) GPS and GSM Based Database Systems for User Access

SNAP Printer Web Server Users Manual

1. Installing and configuring APC UPS Management

1. Requirements for Network Installation on 840D

CUSTOMER RELEASE NOTES

Installation Guide for Workstations

73S1215F, 73S1217F Device Firmware Upgrade Host Driver/Application Development User s Guide April 27, 2009 Rev UG_12xxF_029

EPIC 950 THERMAL TICKET PRINTER

EE8205: Embedded Computer System Electrical and Computer Engineering, Ryerson University. Multitasking ARM-Applications with uvision and RTX

Embedded Programming in C/C++: Lesson-1: Programming Elements and Programming in C

MCN Health Monitor. The finger on the pulse of your critical systems. David Tayler Service Engineer, OSISoft

Getting Started 2. Inserting a Digital Signature Field without Signing 3. Signing an Unsigned Digital Signature Field 3

The Helios Microsoft Windows Server

Transcription:

Secure Interaction with an Email Client Bernhard Beckert Gerd Beuster Universität Koblenz-Landau June 15th, 2006

Verisoft Consortium Beckert Beuster (UKL) Secure Email Client June 15th, 2006 2 / 32

Verisoft Consortium Goal: Pervasively Verified Systems Beckert Beuster (UKL) Secure Email Client June 15th, 2006 2 / 32

Academic System Overview Email Client (User Interface) Signature Module Application Software Com piler Mail Server (SMTP) TCP/IP Networking / Communication Operating System Micro kernel Memory Manage ment System Software Tools Network Screen Keyboard File System Processor Host System Hardware Beckert Beuster (UKL) Secure Email Client June 15th, 2006 3 / 32

Our Involvement & This Talk Our Involvement Development of a Secure Email Client PhD thesis about secure user interfaces This talk Demo of the Email System Formalizing UI security feature Beckert Beuster (UKL) Secure Email Client June 15th, 2006 4 / 32

Verisoft Email System Demo Demo Beckert Beuster (UKL) Secure Email Client June 15th, 2006 5 / 32

Formalizing HCI Security The user should know what the system is doing. Consistency Correspondence between system state and user s opinion about system state Not guaranteed even if... the system does show the relevant information (state display conformance). the user interprets the information correctly. Asynchronous updates can lead to inconsistencies! Beckert Beuster (UKL) Secure Email Client June 15th, 2006 6 / 32

Formalizing HCI Security The user should know what the system is doing. Consistency Correspondence between system state and user s opinion about system state Not guaranteed even if... the system does show the relevant information (state display conformance). the user interprets the information correctly. Asynchronous updates can lead to inconsistencies! Beckert Beuster (UKL) Secure Email Client June 15th, 2006 6 / 32

Formalizing HCI Security The user should know what the system is doing. Consistency Correspondence between system state and user s opinion about system state Not guaranteed even if... the system does show the relevant information (state display conformance). the user interprets the information correctly. Asynchronous updates can lead to inconsistencies! Beckert Beuster (UKL) Secure Email Client June 15th, 2006 6 / 32

Example: Email Client Result of latest command: No new email arrived foo edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 8 / 32

Example: Email Client Result of latest command: No new email arrived foo edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 10 / 32

How to Guarantee Consistency? We need... a formal method to describe HCI a formal definition of consistency formal model(s) of interaction(s) Beckert Beuster (UKL) Secure Email Client June 15th, 2006 11 / 32

Formal Method Formal Method Describe user and application by IOLTS s σ! s σ! 1 2 s 3 σ? Σ? Σ! s 0 σ? s 4 σ! s 5 σ! s 6 Define security properties by LTL formulae. Beckert Beuster (UKL) Secure Email Client June 15th, 2006 12 / 32

Formal Method Formal Method Describe user and application by IOLTS s σ! s σ! 1 2 s 3 σ? Σ? Σ! s 0 σ? s 4 σ! s 5 σ! s 6 Define security properties by LTL formulae. (see also B. Beckert and G. Beuster, A Method for Formalizing, Analyzing, and Verifying Secure User Interfaces at ICFEM 2006) Beckert Beuster (UKL) Secure Email Client June 15th, 2006 12 / 32

Basic Model Basic Model Application User AppOut CMD Beckert Beuster (UKL) Secure Email Client June 15th, 2006 13 / 32

Formal definition of consistency The user knows what the system is doing. Let... critical hold in all critical states of the application a 0,..., a n represent critical properties of the application u 0,..., u n representing the user s assumptions about these properties Then consistency is defined as... G(critical ((a 0 u 0 ) (a 1 u 1 ) (a n u n ))) Beckert Beuster (UKL) Secure Email Client June 15th, 2006 14 / 32

Formal definition of consistency The user knows what the system is doing. Let... critical hold in all critical states of the application a 0,..., a n represent critical properties of the application u 0,..., u n representing the user s assumptions about these properties Then consistency is defined as... G(critical ((a 0 u 0 ) (a 1 u 1 ) (a n u n ))) Beckert Beuster (UKL) Secure Email Client June 15th, 2006 14 / 32

Formal definition of consistency The user knows what the system is doing. Let... critical hold in all critical states of the application a 0,..., a n represent critical properties of the application u 0,..., u n representing the user s assumptions about these properties Then consistency is defined as... G(critical ((a 0 u 0 ) (a 1 u 1 ) (a n u n ))) Beckert Beuster (UKL) Secure Email Client June 15th, 2006 14 / 32

Application Model Application Model Exit quit [out of memory] Run Mode Command Mode H Send Mode Sent send [SUCCESS] Signed sign H [SUCCESS] insert pub. key Unsigned generate key pair edit view quit viewing quit editing Edit Email Not Changed Changed typing move cursor Receive Mode Checked H check [SUCCESS] Not Checked edit view quit viewing editing Edit Pub. Key Not Changed Changed poll / new email arrived typing move cursor Beckert Beuster (UKL) Secure Email Client June 15th, 2006 15 / 32

Basic Model Basic Model Application User AppOut CMD Beckert Beuster (UKL) Secure Email Client June 15th, 2006 16 / 32

Basic Model with Application Basic Model with Application Application User AppOut Run Mode Command Mode Send Mode H insert pub. key generate key pair Sent [SUCCESS] send Signed sign [SUCCESS] Unsigned quit Receive Mode Checked [SUCCESS] check H Not Checked poll / new email arrived H edit view quit viewing quit editing edit view quit viewing editing Exit [out of memory] Edit Email Not Changed Changed typing move cursor Edit Pub. Key Not Changed Changed typing move cursor CMD Beckert Beuster (UKL) Secure Email Client June 15th, 2006 17 / 32

Basic Model with Main Loops insert pub. key generate key pair send [SUCCESS] sign [SUCCESS] check [SUCCESS] quit poll / new email arrived edit view quit viewing quit editing edit view quit viewing editing typing typing [out of memory] move cursor move cursor Application Execution Cycle Get Result Exec. CMD! AppOut AppOut? Show Result CMD? AppOut! Get CMD CMD CMD AppOut Application Logic Run Mode Command Mode Send Mode H Receive Mode H Sent Signed Unsigned Checked Not Checked H Exit Edit Email Not Changed Changed Edit Pub. Key Not Changed Changed Act CMD? CMD! Wait AppOut? CMD Decide Classify AppOut! User Execution Cycle AppOut User Logic Beckert Beuster (UKL) Secure Email Client June 15th, 2006 18 / 32

Example: Email Client Result of latest command: No new email arrived foo edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 20 / 32

Example: Email Client Result of latest command: No new email arrived foo Problem: How does the user know if command execution is completed? edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 20 / 32

Example: Email Client Result of latest command: No new email arrived foo Problem: How does the user know if command execution is completed? Add a status line! edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 20 / 32

Example: Email Client System: Waiting for input... Result of latest command: No new email arrived edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 22 / 32

Example: Email Client System: Waiting for input... Result of latest command: No new email arrived edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 24 / 32

Example: Email Client System: Waiting for input... Result of latest command: No new email arrived Problem: A status line is not enough... edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 24 / 32

Example: Email Client System: Waiting for input... Result of latest command: No new email arrived Problem: A status line is not enough... Add a status key! edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 24 / 32

Example: Email Client System: Waiting for input... Result of latest command: No new email arrived edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 26 / 32

Example: Email Client System: Waiting for input... Result of latest command: No new email arrived edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 28 / 32

Example: Email Client System: Ready! Result of latest command: No new email arrived edit (m)ail (s)end mail (f)etch mail Beckert Beuster (UKL) Secure Email Client June 15th, 2006 30 / 32

A Better Model Application Execution Cycle Get Result Exec. AppOut Act Decide CMD! AppOut!= Processing CMD? AppOut? CMD! AppOut! Show Result CMD? Status Busy Begin Wait ESC AppOut! User Execution Cycle AppOut!= Ready! AppOut?= Processing Status! Get CMD AppOut?= Ready! Show Status CMD End Wait Classify CMD?= Status AppOut? Processing Application Logic CMD AppOut CMD AppOut User Logic Beckert Beuster (UKL) Secure Email Client June 15th, 2006 31 / 32

Conclusion Summary Developed formal model of HCI describing TTY applications Defined consistency Showed that common implementations are not consistent Proposed a consistent alternative Integrated with other methods (not shown in this presentation) Beckert Beuster (UKL) Secure Email Client June 15th, 2006 32 / 32

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information