Formalising Information Security Evaluations - PowerPoint PPT Presentation
1
Formalising Information Security Evaluations
  • Colin Fidge (2), Andrew Matthews (3), Tim McComb (1),
  • Andrew Rae (4), Geoffrey Watson (1) and Luke Wildman (1)
  • (1) The University of Queensland
  • (2) Queensland University of Technology
  • (3) Defence Signals Directorate
  • (4) Invensys Rail Systems

2
Information Security Evaluations
  • Communications devices intended for government or
    military applications must be carefully evaluated
    to ensure they preserve data confidentiality
  • International standards like the Common Criteria
    for Information Technology Security Evaluation
    define the quality of evaluation required
  • However, specific techniques for undertaking
    high grade evaluations are still lacking
  • This project, sponsored by the Defence Signals
    Directorate, is devising ways of making
    information security evaluations more rigorous

3
The Challenge
  • Information security evaluations are
    simultaneously tedious and difficult
  • Communications devices have a high degree of
    internal complexity
  • They can be examined from a number of different
    viewpoints, ranging from their design, to how
    they're used, to how they're manufactured
  • They behave differently in different modes
  • Security risks may be quite subtle, such as
    covert channels or the danger of silent and
    complicit faults

4
Domain Separation Devices
  • Domain separation devices are used to control
    information flow in secure networks
  • Data diodes for unidirectional information flow
  • Switches for changing the direction of
    information flow
  • Filters for constricting information flow
  • Encryption devices for protecting information in
    transit

5
Domain Separation Devices A Typical Configuration
6
An Encryption Box Networking View
7
An Encryption Box Users View
8
An Encryption Box Conceptual View
9
An Encryption Box Circuitry View
10
An Encryption Box Physical View
11
An Encryption Box Software View
    letter = getc();          // from pin A0
    if (iscntrl(letter)) {
      switch (letter) {
        case 26:
          red_mode = 1;
          putc(letter);       // to pin A1
          output_b(0X20);     // to port B
          output_low(pin_C1);
          break;
      }
    }

12
Connectivity Analysis
  • Basic graph analysis techniques can be used to
    prioritise evaluation of components within a
    device
  • Tracing end-to-end paths identifies the security
    critical region and thus eliminates components
    that do not need to be evaluated at all
  • Minimal cut-sets then identify components that we
    must show act as downgraders of classified data

13
Encryption Box Critical Access Points
High-security input
Low-security output
14
Encryption Box Security Critical Region
15
Encryption Box A Cut-Set
Downgrader?
16
Separating Data and Control Flow
  • The different roles of data and control pathways
    can be used to help dissect a circuit diagram
  • The backbone is the data path (or paths) from
    the high-security domain to the low-security one
  • Significant control paths are then those that
    feed into the backbone
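
The following Python is an added example, not code from the slides or from the SIFA tool, working through slides 12 and 16 on a constructed toy circuit. It finds the security-critical region (the data-flow backbone) as the nodes that lie on some path from the high-security input to the low-security output, picks out the control inputs that feed the backbone without lying on it, and enumerates the minimal cut-sets by brute force: each cut-set is a smallest set of components that must all be shown to act as downgraders. The component names (buf1, cpu, and1, ff1, buf2, led, clk) are invented for the example.

```python
from itertools import combinations

# Constructed toy circuit graph (not the encryption box from the slides):
# each key is a component or port, each value lists the components it drives.
CIRCUIT = {
    "HIGH_IN": ["buf1"],
    "buf1":    ["cpu"],
    "cpu":     ["and1", "ff1", "led"],   # two parallel data paths plus a status LED
    "and1":    ["buf2"],
    "ff1":     ["buf2"],
    "buf2":    ["LOW_OUT"],
    "led":     [],                       # sink: drives nothing on the low side
    "clk":     ["cpu"],                  # clock: a control input into the cpu
    "LOW_OUT": [],
}


def reachable(graph, start, reverse=False):
    """Nodes reachable from start (with reverse=True: nodes that can reach start)."""
    adj = graph
    if reverse:
        adj = {n: [] for n in graph}
        for src, dsts in graph.items():
            for dst in dsts:
                adj[dst].append(src)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adj.get(node, []))
    return seen


def backbone(graph, high, low):
    """Security-critical region: every node on some high-to-low path."""
    return reachable(graph, high) & reachable(graph, low, reverse=True)


def control_feeders(graph, high, low):
    """Nodes outside the backbone whose outputs reach it (the significant control paths)."""
    core = backbone(graph, high, low)
    return {n for n in graph if n not in core and reachable(graph, n) & core}


def linked(graph, high, low, removed=frozenset()):
    """Is low still reachable from high once the removed components are deleted?"""
    sub = {n: [d for d in ds if d not in removed]
           for n, ds in graph.items() if n not in removed}
    return low in reachable(sub, high)


def minimal_cut_sets(graph, high, low):
    """Minimal sets of backbone components whose removal disconnects high from low."""
    candidates = sorted(backbone(graph, high, low) - {high, low})
    cuts = []
    for size in range(1, len(candidates) + 1):      # smallest cuts first
        for combo in combinations(candidates, size):
            cut = frozenset(combo)
            if any(known <= cut for known in cuts):  # contains a smaller cut: not minimal
                continue
            if not linked(graph, high, low, cut):
                cuts.append(cut)
    return cuts


if __name__ == "__main__":
    print("backbone:", sorted(backbone(CIRCUIT, "HIGH_IN", "LOW_OUT")))
    print("control feeders:", sorted(control_feeders(CIRCUIT, "HIGH_IN", "LOW_OUT")))
    for cut in minimal_cut_sets(CIRCUIT, "HIGH_IN", "LOW_OUT"):
        print("must downgrade together:", sorted(cut))
```

On this circuit the backbone excludes both the LED (nothing it drives reaches the low side) and the clock (nothing on the high side reaches it), the clock is reported as a control feeder, and the cut-sets are {buf1}, {cpu}, {buf2} and {and1, ff1}: the flip-flop on its own is not a cut, so it only needs to be shown to downgrade in combination with the AND gate. The subset search is exponential in the size of the backbone, which is acceptable for component-level diagrams of the size shown on the slides.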

17
Encryption Box Critical Access Points
High-security input
Low-security output
18
Encryption Box Data Flow Backbone
19
Encryption Box Control Flow to Backbone
20
Evaluating Information Flow Modes
  • Each component within a device typically operates
    in several different modes
  • Information flow through the component may be
    different for each mode
  • Modes may include normal operating behaviours and
    fault modes
  • Existing fault analysis techniques can be used to
    identify the fault modes of a particular circuit
  • Modes may be local to individual components, or
    global modes that affect several components at
    once

21
Evaluating Information Flow Modes
  • Potential information flow through circuit
    graphs can be evaluated for each mode
    separately
  • Potential flow through components is modelled in
    adjacency matrices by sets of modes
  • End-to-end connectivity is evaluated by
    calculating transitive closures, taking modes
    into account
  • Connectivity is defined using intersections of
    global modes, cross products of local modes, and
    sequences of consecutive modes

22
Evaluating Information Flow Modes
[Figure: adjacency matrix of inputs against outputs; its cells define mode-specific connectivity, from which the connectivity matrix is derived]
23
Encryption Box Information Flow Calculated for
Different Modes
Encryption path
Bypass path
24
Encryption Box A Potential Covert Channel
Control and synchronisation signals
25
Different Views of a Device
  • When looking for component failures that may lead
    to security leaks we must consider not only the
    logical design of the device but also its
    physical construction
  • Crosstalk
  • Solder/substrate leakage
  • Fused connections or missed solder
  • Impedance/noise
  • Reversed components
  • Multiple components on the same chip

26
Different Views of a Device
  • We can perform topological analyses across
    different device views
  • Ports on the edge of components are named
    consistently
  • During connectivity analysis ports from different
    views with the same name are unified
  • Interactions between different views of the
    device are thus identified

27
Encryption Box Adjacent Components
All buffer gates on one chip
All xnor resistors in one pack
28
Encryption Box Incorporating Physical
Construction into Connectivity Analysis
  • Classified information may be leaked when
  • Processor U8 is in bypass mode or
  • And gate U6C fails in encryption mode or
  • Processor U8 fails to encrypt and
      • Shutdown gate U10A fails or
      • Flip-flop U2A fails with output 0 or
      • And gate U6B fails with output 0 or
      • Nand gate U3 fails with output 0 or
      • Buffer chip U10 short circuits or
      • Xnor gates U4/5 fail with output 1 or
      • Resistor pack 1 short circuits

29
The Secure Information Flow Analyser
  • SIFA (pronounced cipher) is a prototype tool
    that embodies the analysis principles described
    above
  • It allows diagrams to be structured
    hierarchically
  • It allows multiple views of the same device to
    coexist
  • It can analyse information flow in various modes
  • It reads circuit diagrams in VHDL format, as
    produced by design tools like Protel
  • It supports a library of commonly-used component
    models

30
Encryption Box A Logical View in SIFA
High-security input
Low-security output (several steps away)
31
Encryption Box Processors Submodule in SIFA
Ports with the same name in different views are
unified
32
Encryption Box Physical View in SIFA
All buffer gates are in one chip
33
Encryption Box Results of SIFA's Fault Analysis
Shortcut from high to low revealed
34
Secure Information Flow Analyser Proof of
Correctness
  • To allow the SIFA tool to be used for high
    grade evaluations, which mandate use of formal
    methods, its results must be shown to be
    trustworthy
  • Formalise the tool's actions in the Z notation
  • Demonstrate that they have the desired
    graph-theoretic properties

35
Secure Information Flow Analyser Formal Model
Failure modes causing security leaks are defined by
those information-flow graphs where at least one
component is faulty and the high-security and
low-security domains are linked
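
As an added example, not from the slides and not the SIFA tool's own code, the Python below puts together slides 21, 26, 28 and 35 on a constructed encryption-box-like circuit. Each edge of the circuit graph carries the set of (operating mode, fault) scenarios in which it conducts; a logical view and a physical view that name their ports consistently are unified by port name; end-to-end connectivity is a transitive closure that intersects scenario sets along a path and unions them across paths; and, following the formal model, a leak is reported for every scenario in which the high-security input reaches the low-security output along a path that avoids the encryption core. The component names, the two operating modes ENC and BYP, and the faults mux_stuck and pkg_short are all invented for the example, and only global modes are modelled (the slides' cross products of local modes and sequences of modes are not shown).

```python
from itertools import product

# Constructed scenario space (not the slides' circuit): global operating modes
# crossed with single-component faults; None means "no fault".
OPS = ("ENC", "BYP")
FAULTS = (None, "mux_stuck", "pkg_short")
SCENARIOS = frozenset(product(OPS, FAULTS))


def when(cond):
    """Expand an edge condition into the set of (op, fault) scenarios in which it conducts."""
    return frozenset(s for s in SCENARIOS if cond(*s))


ALWAYS = when(lambda op, fault: True)

# Logical view: (source port, destination port) -> scenarios in which information flows.
LOGICAL_VIEW = {
    ("HIGH", "cpu"):     ALWAYS,
    ("cpu", "crypto"):   when(lambda op, f: op == "ENC"),   # plaintext into the cipher
    ("crypto", "mux"):   when(lambda op, f: op == "ENC"),   # ciphertext out of it
    # designed bypass path, or a multiplexer stuck selecting the plaintext input
    ("cpu", "mux"):      when(lambda op, f: op == "BYP" or f == "mux_stuck"),
    ("mux", "buf_out"):  ALWAYS,
    ("buf_out", "LOW"):  ALWAYS,
    ("cpu", "buf_stat"): ALWAYS,                            # status/sync line from the cpu
    ("buf_stat", "led"): ALWAYS,
}

# Physical view, using the same port names: both buffers share one package,
# so a package short couples the status line onto the output buffer.
PHYSICAL_VIEW = {
    ("buf_stat", "buf_out"): when(lambda op, f: f == "pkg_short"),
}


def unify_views(*views):
    """Merge views by port name: an edge conducts in the union of its views' scenarios."""
    merged = {}
    for view in views:
        for edge, scen in view.items():
            merged[edge] = merged.get(edge, frozenset()) | scen
    return merged


def modal_closure(adj):
    """Transitive closure over scenario sets: intersect along a path, union across paths."""
    nodes = sorted({n for edge in adj for n in edge})
    c = {(i, j): adj.get((i, j), frozenset()) for i in nodes for j in nodes}
    for k in nodes:                  # Floyd-Warshall on the (union, intersection) semiring
        for i in nodes:
            for j in nodes:
                c[(i, j)] = c[(i, j)] | (c[(i, k)] & c[(k, j)])
    return c


def leak_scenarios(adj, high, low, downgrader):
    """Scenarios in which high reaches low along a path that avoids the downgrader."""
    shortcut = {e: s for e, s in adj.items() if downgrader not in e}
    return modal_closure(shortcut).get((high, low), frozenset())


def fault_induced_leaks(adj, high, low, downgrader):
    """Leaks that exist only because of a fault: the same mode is leak-free when fault-free."""
    leaks = leak_scenarios(adj, high, low, downgrader)
    return frozenset((op, f) for op, f in leaks
                     if f is not None and (op, None) not in leaks)


if __name__ == "__main__":
    views = (("logical view only", LOGICAL_VIEW),
             ("logical + physical", unify_views(LOGICAL_VIEW, PHYSICAL_VIEW)))
    for name, view in views:
        found = fault_induced_leaks(view, "HIGH", "LOW", "crypto")
        print(name, "->", sorted(found, key=str))
```

Analysing the logical view alone finds only the stuck multiplexer in encryption mode; unifying it with the physical view, where both buffers sit in one package, also surfaces the short that couples the status line onto the output buffer, the kind of physical-construction fault slide 28 lists. The designed bypass mode links high to low without any fault and so is reported as a leak of the design rather than a fault-induced one, while fault-free encryption mode never appears in the leak set.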
36
Future Work Software Evaluation
  • To complete the security evaluation we need to
    confirm our assumptions about information flow
    between microprocessor pins in different modes
  • This requires a static analysis of the
    microprocessor software (at least!)

37
Encryption Box Software Slice Between High and
Low-Security Pins
    letter = getc();          // from pin A0
    if (iscntrl(letter)) {
      switch (letter) {
        case 26:
          red_mode = 1;
          putc(letter);       // to pin A1
          output_b(0X20);     // to port B
          output_low(pin_C1);
          break;
      }
    }

38
Future Work Network Analysis
  • The information flow and fault analysis
    techniques used in this project could be applied
    to whole network designs
  • Just as we treat circuit diagrams as modal
    digraphs, we could do the same thing to network
    diagrams