Publication


Featured research published by Daniel Conte de Leon.


IEEE Transactions on Software Engineering | 2006

Hidden Implementation Dependencies in High Assurance and Critical Computing Systems

Daniel Conte de Leon; Jim Alves-Foss

Critical and catastrophic failures in high assurance and critical computing systems can arise from unfounded assumptions of independence between system components, requirements, and constraints (work product sections), which can stem from misunderstandings and miscommunication between system engineers, managers, and operators and from inadequate or incomplete traceability between system work products. In this article, we propose a formal framework for the effective implementation of traceability between work product sections along with a technique for discovering potential causes of critical failures in high assurance and critical computing system models. We introduce a new abstraction of interrelated work product sections called implementation meta-work product and describe how our technique finds these meta-work products. We also demonstrate how this technique can be used to help analysts discover potential causes of safety-related errors in high assurance and critical computing systems by applying it to one case study of a known critical error and to one case study where we anticipate potential safety hazards.


Journal of Computers | 2008

Formal Verification and Visualization of Security Policies

Luay A. Wahsheh; Daniel Conte de Leon; Jim Alves-Foss

Verified and validated security policies are essential components of high assurance computer systems. The design and implementation of security policies are fundamental processes in the development, deployment, and maintenance of such systems. In this paper, we introduce an expert system that helps with the design and implementation of security policies. We show how Prolog is used to verify system correctness with respect to policies using a theorem prover. Managing and visualizing information in high assurance computer systems are challenging tasks. To simplify these tasks, we show how a graph-based visualization tool is used to validate policies and provide system security managers with a process that enables policy reviews and visualizes interactions between the system’s entities. The tool provides not only a representation of the formal model, but also its execution. The introduced executable model is a formal specification and knowledge representation method.


Computer Software and Applications Conference | 2016

An Architecture for a Policy-Oriented Web Browser Management System: HiFiPol: Browser

Ananth A. Jillepalli; Daniel Conte de Leon

Web browsers are a necessity of today's economy and government. This success is attributed to their flexibility, which is afforded by Turing-complete execution and powerful graphic capabilities, both accessible through the network to trusted and untrusted sites. These capabilities, if maliciously undermined, have high potential for data or system compromise. An approach that can be successfully applied to prevent and mitigate compromise is tailoring browser security settings according to device, user/role, and domain. To make such high-fidelity security configurations practical, we are designing and implementing HiFiPol: Browser: A policy-oriented and multi-platform Hi-Fidelity security Policy management system for web Browsers. In this article, we describe the architecture of HiFiPol: Browser. We describe in detail all components of the architecture, the tasks needed to implement it in a fully operational system, and the current status on the progress of each task. HiFiPol: Browser has been designed to provide: a) a human-friendly and high-level policy specification language and environment, b) security policy conflict detection and resolution, c) automatic instantiation of high-level policies into configurations, and d) distributed browser configuration deployment. We believe that HiFiPol: Browser will enable the design and implementation of domain-, application-, device-, and user-tailored secure policies within a technically diverse organization.


IEEE Symposium Series on Computational Intelligence | 2016

HERMES: A high-level policy language for high-granularity enterprise-wide secure browser configuration management

Ananth A. Jillepalli; Daniel Conte de Leon; Stuart Steiner; Frederick T. Sheldon

In this article, we describe the characteristics, structure, and uses of HERMES. HERMES is a high-level security policy description language. Its characteristics are: (1) enable the specification of organizational domain knowledge in a hierarchical manner; (2) enable the specification of security policies at desired granularity levels within the organizational IT and OT infrastructure; (3) enable security policies to be automatically instantiated into security configurations; (4) it is human-centered and designed for ease of use; (5) it is application and device independent. We show an example of using HERMES to write a high-level policy and show examples of how such policy can be instantiated into a domain and device, user and role, application and action specific security configuration. We also describe the integration of HERMES within the HiFiPol:Browser policy management system. We believe HERMES is a necessary step toward securing the client side of the web ecosystem and preventing or mitigating the current onslaught of web browser-based attacks, such as phishing.
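The two abstracts above (HiFiPol: Browser and HERMES) describe instantiating hierarchical high-level policies into per-subject configurations and detecting conflicts between them. The following is an added illustration of that idea, not HERMES syntax or HiFiPol:Browser code: the scope hierarchy (org, domain, device, user), the option names and the values "block"/"ask"/"allow" are all assumptions made for the example. More specific scopes override coarser ones; two policies at the same scope that disagree on an option are reported as a conflict and, in strict mode, leave that option unset rather than picking one silently.

```python
"""Hierarchical security-policy instantiation with conflict detection.

Added illustration, not HERMES or HiFiPol:Browser code.  Policies attach to
a hierarchy of scopes (org > domain > device > user); the most specific
applicable scope wins when instantiating a configuration for one subject.
Two policies at the same scope that set the same option to different values
are a conflict: in strict mode they are reported and the option is left to
a coarser scope, otherwise the most restrictive value is taken.
Scope names, option names and values are assumed for the example.
"""
from dataclasses import dataclass, field

LEVELS = ("org", "domain", "device", "user")          # least to most specific
RESTRICTIVENESS = {"block": 0, "ask": 1, "allow": 2}  # lower rank = safer

@dataclass(frozen=True)
class Policy:
    level: str    # one of LEVELS
    target: str   # the scope instance, e.g. "finance.acme" or "alice"
    option: str   # a browser setting, e.g. "javascript"
    value: str    # "block" / "ask" / "allow"

@dataclass
class Resolution:
    config: dict = field(default_factory=dict)   # option -> (value, level, target)
    conflicts: list = field(default_factory=list)

def instantiate(policies, context, strict=True):
    """Resolve the effective configuration for one subject.

    context maps each level to the subject's name at that level, e.g.
    {"org": "acme", "domain": "finance.acme", "device": "laptop-07",
    "user": "alice"}.  Policies for other scopes are ignored.
    """
    res = Resolution()
    for level in LEVELS:                      # coarse scopes first ...
        target = context.get(level)
        by_option = {}
        for p in policies:
            if p.level == level and p.target == target:
                by_option.setdefault(p.option, set()).add(p.value)
        for option, values in by_option.items():
            if len(values) > 1:               # same scope, contradictory values
                res.conflicts.append((level, target, option, sorted(values)))
                if strict:
                    continue                  # leave the option to a coarser scope
                value = min(values, key=lambda v: RESTRICTIVENESS[v])
            else:
                value = next(iter(values))
            res.config[option] = (value, level, target)   # ... specific ones override
    return res

# Constructed sample policies; the last two contradict each other.
SAMPLE_POLICIES = [
    Policy("org", "acme", "javascript", "allow"),
    Policy("org", "acme", "plugins", "block"),
    Policy("domain", "finance.acme", "javascript", "block"),
    Policy("user", "alice", "javascript", "allow"),
    Policy("device", "kiosk-01", "downloads", "block"),
    Policy("device", "kiosk-01", "downloads", "allow"),
]

def resolve_alice():
    """Alice's user-level exception overrides the finance domain block."""
    return instantiate(SAMPLE_POLICIES, {"org": "acme", "domain": "finance.acme",
                                         "device": "laptop-07", "user": "alice"})

def resolve_kiosk(strict=True):
    """The kiosk inherits the domain block and hits the downloads conflict."""
    return instantiate(SAMPLE_POLICIES, {"org": "acme", "domain": "finance.acme",
                                         "device": "kiosk-01", "user": "guest"}, strict)

if __name__ == "__main__":
    print(resolve_alice())
    print(resolve_kiosk())
    print(resolve_kiosk(strict=False))
```

Strict mode is the safer default for a policy compiler: a contradiction at one scope is a specification error that a human should resolve, and silently choosing a value hides it. The deny-wins fallback is shown only to make the resolution step concrete.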


Hawaii International Conference on System Sciences | 2017

A Structured Analysis of SQL Injection Runtime Mitigation Techniques

Stuart Steiner; Daniel Conte de Leon; Jim Alves-Foss

SQL injection attacks (SQLIA) still remain one of the most commonly occurring and exploited vulnerabilities. A considerable amount of research concerning SQLIA mitigation techniques has been conducted with the primary resulting solution requiring developers to code defensively. Although defensive coding is a valid solution, the current market demand for websites is being filled by inexperienced developers with little knowledge of secure development practices. Unlike the successful case of ASLR, no SQLIA runtime mitigation technique has moved from research to enterprise use. This paper presents an in-depth analysis and classification, based on Formal Concept Analysis, of the 10 major SQLIA runtime mitigation techniques. Based on this analysis, one technique was identified that shows the greatest potential for transition to enterprise use. This analysis also serves as an enhanced SQLIA mitigation classification system. Future work includes plans to move the selected SQLIA runtime mitigation technique closer to enterprise use.
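The abstract contrasts defensive coding with runtime mitigation. The block below is an added example, not code from the paper, and does not claim to implement the technique the paper selected (which the abstract does not name). It shows, on a constructed in-memory SQLite table, the vulnerable string-built query, the parameterized defensive-coding fix, and a simplified runtime check from the family of techniques that compare the token structure of the query built from real input against the structure of the same query built with a benign literal. Table and column names are assumptions.

```python
"""SQL injection: vulnerable string building, the parameterized fix, and a
simplified runtime structure check.

Added illustration, not code from the paper.  The tokenizer is deliberately
minimal (no escaped quotes, no comments) and exists only to show the idea.
"""
import re
import sqlite3

def make_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn

DB = make_db()

def lookup_vulnerable(conn, name):
    # VULNERABLE ON PURPOSE: user input is spliced into the SQL text.
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # Defensive-coding fix: the value travels separately from the SQL text,
    # so quotes in the input can never change the statement's structure.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# string literal | number | word | single punctuation character
TOKEN = re.compile(r"'[^']*'|\d+|\w+|[^\s\w]")

def skeleton(sql):
    """Token-class sequence of a query; literal values collapse to STR/NUM."""
    out = []
    for tok in TOKEN.findall(sql):
        if tok.startswith("'"):
            out.append("STR")
        elif tok.isdigit():
            out.append("NUM")
        elif re.fullmatch(r"\w+", tok):
            out.append("WORD:" + tok.upper())
        else:
            out.append("PUNCT:" + tok)
    return out

def lookup_guarded(conn, name):
    """Runtime mitigation sketch: refuse a dynamically built query whose
    token structure differs from the query built with a harmless literal."""
    template = skeleton("SELECT email FROM users WHERE name = 'x'")
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    if skeleton(sql) != template:
        raise ValueError("query structure altered by input; possible SQLi")
    return [row[0] for row in conn.execute(sql)]

def guarded_rejects(conn, name):
    """True if the runtime check refuses the query built from `name`."""
    try:
        lookup_guarded(conn, name)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(DB, payload))      # leaks every row
    print("parameterized:", lookup_parameterized(DB, payload))  # nothing
    print("guarded rejects payload:", guarded_rejects(DB, payload))
    print("guarded rejects O'Brien:", guarded_rejects(DB, "O'Brien"))
```

The structure check catches the classic `' OR '1'='1` payload, but it also rejects the legitimate name `O'Brien`, because any quote in the input changes the token skeleton of a string-built query. That false positive is one reason the parameterized form, which handles `O'Brien` correctly, remains the baseline recommendation even when a runtime guard is deployed.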


IEEE Symposium Series on Computational Intelligence | 2016

Using a knowledge-based security orchestration tool to reduce the risk of browser compromise

Daniel Conte de Leon; Venkata A. Bhandari; Ananth A. Jillepalli; Frederick T. Sheldon

Today, web browsers are used to access and modify sensitive data and systems including intranets and critical control systems. Due to their computational capabilities and network connectivity, browsers are vulnerable to several types of attacks, even when fully patched. Browsers are also the main target of phishing attacks. Many browser attacks, including phishing, could be prevented or mitigated by using site-, user-, and device-specific security configurations in a diverse browsing ecosystem. However, in our research, we discovered that all major browsers expose disparate security configuration procedures, option names, values, and semantics. This results in an extremely hard-to-secure browsing ecosystem. We analyzed in detail more than a thousand browser security configuration options in three major browsers and found that only 17 had common names with common semantics. In this paper, we describe the results of this in-depth analysis. We also describe a knowledge-based solution, Open Browser GP, that would enable organizations to implement highly-granular secure configurations for their information and operational technology (IT/OT) browsing ecosystem.


Hawaii International Conference on System Sciences | 2007

Implementation-Oriented Secure Architectures

Daniel Conte de Leon; Jim Alves-Foss; Paul W. Oman

We propose a framework for constructing secure systems at the architectural level. This framework is composed of an implementation-oriented formalization of a system's architecture, which we call the formal implementation model, along with a method for the construction of a system based on elementary analysis, implementation, and synthesis steps. Using this framework, security vulnerabilities can be avoided by constraining the architecture of a system to those architectures that can be rigorously argued to implement all corresponding functional and security requirements, and no other. Furthermore, the framework enables the verification and validation of system correctness by enforcing traceability of final system components to their corresponding design, architecture, and requirement work products.


Asia Pacific Journal of Innovation and Entrepreneurship | 2017

Blockchain: properties and misconceptions

Daniel Conte de Leon; Antonius Q. Stalick; Ananth A. Jillepalli; Michael A. Haney; Frederick T. Sheldon

The purpose of this article is to clarify current and widespread misconceptions about the properties of blockchain technologies and to describe challenges and avenues for correct and trustworthy design and implementation of distributed ledger systems (DLS) or distributed ledger technology (DLT).

The authors contrast the properties of a blockchain with desired, however emergent, properties of a DLS, which is a complex and distributed system. They point out and justify, with facts and analysis, current misconceptions about the blockchain and DLSs. They describe challenges that these systems will need to address and possible solution avenues for achieving trustworthiness.

Many of the statements that have appeared on the internet, in the news and in academic articles, such as immutable ledger and exact copies, may be misleading. These are desired emergent properties of a complex system, not assured properties. It is well known within the distributed systems and critical software community that it is extremely hard to prove that a complex system correctly and completely implements emergent properties. Further research and development for trustworthy DLS design and implementation is needed, both practical and theoretical.

This is the first known published attempt at describing current misconceptions about blockchain technologies. Further collaborative work, discussions, potential solutions, evaluations, resulting publications and verified reference implementations are needed to ensure DLTs are safe, secure, and trustworthy.

Interdisciplinary teams with members from academia, business and industry, and from disciplines such as business, entrepreneurship, theoretical and practical computer science, cybersecurity, finance, mathematics and statistics, must be formed. Such teams must collaborate with the objective of developing strategies and techniques for ensuring the correctness and security of future DLSs on which our society may become dependent.

The value and originality of this article is twofold: the disproving, through fact collection and systematic analysis, of current misconceptions about the properties of the blockchain and DLSs, and the discussion of challenges to achieving adequate trustworthiness along with the proposal of general avenues for possible solutions.


Proceedings of the Fifth Cybersecurity Symposium on | 2018

Hardening web applications using a least privilege DBMS access model

Stuart Steiner; Daniel Conte de Leon; Ananth A. Jillepalli

Within the last three years hundreds of millions of private data records have been compromised in high-profile data breaches, resulting in billions of dollars in economic losses and unrecoverable loss of privacy. One commonality is that attackers obtained administrative-level access to records on a central database. We argue that the widespread practice of highest privilege design and configuration is a significant contributor, where users and applications are given the highest level of privilege needed to execute the union of all needed tasks. One problematic common practice is, in a web-based application, for front-end and middleware processes to have root privileges to the complete DBMS back-end database. This practice is in stark opposition to the well-known secure design principle of least privilege introduced 40 years ago. Enforcing least privilege at all levels of a web application would help prevent future all-lost cyber-compromises. Here we introduce Hierarchical Policy (HPol), a formal access control modeling tool used in modeling web application database security.
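The abstract's point is that the web tier should not hold root on the whole back-end database. The block below is an added example, not code from the paper and not HPol: it models per-role grants of the kind a real DBMS would enforce on separate accounts ("GRANT SELECT ON users TO web_frontend"), and, because SQLite has no accounts or GRANT statement, enforces them with SQLite's authorizer hook, which is consulted for every action a statement is about to perform. Role names, tables and grants are assumptions for the example.

```python
"""Least-privilege database access for a web tier, illustrated with SQLite.

Added example, not code from the paper or HPol.  SQLite has no user accounts
or GRANT statements, so the per-role grants that a real DBMS would enforce
on separate accounts are emulated with set_authorizer(): every action the
engine is about to perform is checked against an allow-list and anything
not listed (other tables, DDL, PRAGMA, ATTACH) is denied.
"""
import sqlite3

# Hypothetical grants, shaped like "GRANT SELECT ON users TO web_frontend".
GRANTS = {
    "web_frontend": {
        (sqlite3.SQLITE_READ, "users"),        # may SELECT columns of users
        (sqlite3.SQLITE_INSERT, "audit_log"),  # append-only audit trail
    },
    "admin": {
        (sqlite3.SQLITE_READ, "users"),
        (sqlite3.SQLITE_INSERT, "users"),
        (sqlite3.SQLITE_UPDATE, "users"),
        (sqlite3.SQLITE_DELETE, "users"),
        (sqlite3.SQLITE_READ, "audit_log"),
        (sqlite3.SQLITE_INSERT, "audit_log"),
    },
}

# Actions that touch no table by themselves; the READ/INSERT/UPDATE/DELETE
# checks that follow them are what gate access to data.
STRUCTURAL = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION,
              sqlite3.SQLITE_TRANSACTION}

def make_authorizer(role):
    allowed = GRANTS[role]
    def authorize(action, arg1, arg2, db_name, source):
        if action in STRUCTURAL:
            return sqlite3.SQLITE_OK
        if (action, arg1) in allowed:          # arg1 is the table name here
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY             # statement fails to compile
    return authorize

def seed():
    """Constructed schema and rows; created before any restriction applies."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.execute("CREATE TABLE audit_log (actor TEXT, event TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.org')")
    return conn

def connect_as(role):
    """A connection restricted to the role's grants.

    In production each tier would authenticate to the DBMS with its own
    account so that the server, not the client, enforces the restriction.
    """
    conn = seed()
    conn.set_authorizer(make_authorizer(role))
    return conn

def run(conn, sql, params=()):
    """Execute and report ('ok', rows) or ('denied', message)."""
    try:
        return "ok", conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError as exc:       # SQLITE_AUTH surfaces here
        return "denied", str(exc)

def demo():
    """What each tier can and cannot do under the grants above."""
    fe = connect_as("web_frontend")
    admin = connect_as("admin")
    return {
        "fe_select": run(fe, "SELECT email FROM users WHERE name = ?", ("alice",)),
        "fe_audit": run(fe, "INSERT INTO audit_log VALUES (?, ?)", ("alice", "login")),
        "fe_dump": run(fe, "SELECT * FROM audit_log"),           # read not granted
        "fe_delete": run(fe, "DELETE FROM users WHERE name = ?", ("alice",)),
        "fe_drop": run(fe, "DROP TABLE users"),                   # DDL never granted
        "admin_delete": run(admin, "DELETE FROM users WHERE name = ?", ("alice",)),
    }

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:13} {outcome}")
```

With these grants an injection or logic flaw in the front end can read user rows and append audit events, but cannot alter or delete records, read the audit trail, or drop tables; those actions need the admin role, which the web tier never holds. The same split is expressed on a real DBMS by giving each tier its own account and granting only the listed privileges.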


International Conference on Wireless Communications and Mobile Computing | 2017

Security management of cyber physical control systems using NIST SP 800-82r2

Ananth A. Jillepalli; Frederick T. Sheldon; Daniel Conte de Leon; Michael A. Haney; Robert K. Abercrombie

Cyber-attacks and intrusions in cyber-physical control systems are, currently, difficult to reliably prevent. Knowing a system's vulnerabilities and implementing static mitigations is not enough, since threats are advancing faster than the pace at which static cyber solutions can counteract. Accordingly, the practice of cybersecurity needs to ensure that intrusion and compromise do not result in system or environment damage or loss. In a previous paper [2], we described the Cyberspace Security Econometrics System (CSES), which is a stakeholder-aware and economics-based risk assessment method for cybersecurity. CSES allows an analyst to assess a system in terms of estimated loss resulting from security breakdowns. In this paper, we describe two new related contributions: 1) We map the Cyberspace Security Econometrics System (CSES) method to the evaluation and mitigation steps described by the NIST Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82r2, thereby presenting an economics-based and stakeholder-aware risk evaluation method for the implementation of the NIST SP 800-82 guide; and 2) We describe the application of this tailored method through the use of a fictitious example of a critical infrastructure system of an electric and gas utility.
