Lecture 6: Models and Tools for Reasoning About Security
Plan for Today
Goals for Today
Taxonomy of Approaches
NSA and Formal Verification
Three Security "Models"
Bell-LaPadula Model
Simple-security and * Properties
What Does it Mean for a System to be "Secure"?
BLP Controversy
Nail in Coffin: McLean's System Z
System Z
Biba Integrity Model
Homework
Clark-Wilson Integrity Model
The Orange Book
Four Old Theorem Proving Systems (1984)
Modern Tools
NRL Protocol Analyzer [Syverson and Meadows 93]
TMN Protocol Example
Specification Input: pre- and post-conditions, event
Run NRL Protocol Analyzer on TMN
TMN Protocol Example
NRL Protocol Analyzer
Model Checking Approaches
FDR [Roscoe 94]
Needham-Schroeder Public-Key Example
Flaw Found Using FDR
Murφ [Dill et al. 92]
Examples Done by Mitchell, Mitchell, Stern [97]
Brutus [Clarke, Jha, Marrero 96]
Brutus cont'd
Woo-Lam Example
Brutus Current Status
Theorem Proving Approaches
Isabelle [Paulson 94]
Proving Protocol Properties
(Variant of) Otway-Rees Example
An Attack
Status of Work
Other Theorem Proving Systems
Hybrid Approach: Kindred's Theory Generation
Limitations of Tools and Techniques
Main Criticism
Readings, Next Lecture
Heather L. Marko
Last Modified: October 1998