Modeling Insecurity : Enabling Recovery - Oriented Security with Dynamic Policies

Policy engineering for access-control security has traditionally focused on specification and verification of safety properties (“nothing bad happens”). In most real systems however, resources and access mechanisms are regularly compromised, either maliciously by attackers, or inadvertently due to vulnerabilities caused by poor systems-engineering. I argue that the all-or-nothing nature of assurance provided by safety-engineering cannot describe or reason about systems that are secure and survivable—systems that can be engineered to proactively or reactively change their security policies and policy enforcement mechanisms, and thereby continue to provide assurance for critical resources, in spite of compromises and failures. In this thesis, I present a framework that extends traditional state-transition models of access control security, to describe timing guarantees and stochastic behavior, and show how we can introduce notions of information compromise, subsequent recovery (whenever possible) and flexibleresponse in a modular fashion. Our framework is also capable of describing insider attacks. I show how we need to focus on liveness properties (“something good eventually happens”) to explicitly capture the temporal and dynamic nature of enforceable guarantees required for survivability. I develop a new class of properties expressed as branching-time temporal logic formulas that focus on secure availability as a measure of survivability. For finite-state models, the validation of these formulas is decidable in polynomial time using automated model-checking techniques. To showcase the expressive power of our framework, I apply it to study network Denial of Service (DoS) attacks, and model resilience to such attacks as a survivability property. I show how we can systematically analyze the relative impact of different anti-DoS strategies by changing policies and mechanisms during an attack. Using our automated verification methodology, we formally prove for the first time whether strategies such as selective filtering, strong-authentication, and client-puzzles reduce the vulnerability of an example network to DoS attacks.