2022
DOI: 10.3233/jcs-210059

Modelling human threats in security ceremonies

Abstract: Socio-Technical Systems (STSs) combine the operations of technical systems with the choices and intervention of humans, namely the users of the technical systems. Designing such systems is far from trivial due to the interaction of heterogeneous components, including hardware components and software applications, physical elements such as tickets, user interfaces, such as touchscreens and displays, and notably, humans. While the possible security issues about the technical components are well known yet continu…

Cited by 7 publications
(4 citation statements)
References 24 publications
“…In particular, when carrying out a (formal or even semi-formal) analysis of a security ceremony, one should consider also the mistakes that human users may make through their active participation, and that have the potential to lead to violations of the security properties that the ceremony was intended to guarantee. A number of approaches have been proposed to this end, e.g., discussing different threat models of security ceremonies (Sempreboni et al, 2019), providing frameworks for the analysis of security ceremonies (Bella et al, 2022; Carlos et al, 2012), or explicitly modelling and reasoning about human errors in security ceremonies (Basin et al, 2015; Basin et al, 2016; Sempreboni and Viganò, 2020).…”
Section: Security Ceremonies-the Basics
mentioning
confidence: 99%
“…It should be noted that, while formal analysis approaches and tools have advanced to the maturity that allows for the automated analysis of such complex security protocols as TLS 3.1 (Blanchet, 2018) and 5G Authentication (Basin et al, 2018), as well as of security ceremonies such as those considered in Basin et al (2016), Bella et al (2022), and Sempreboni and Viganò (2020), formal analysis of security protocols and ceremonies in the presence of an active attacker is an undecidable problem, so there is no guarantee that tools will terminate with a proof or a counterexample to the protocol's or ceremony's security. It is thus good practice to complement formal analysis with other approaches such as risk analysis or security assurance approaches (see, e.g., ENISA2022).…”
mentioning
confidence: 99%
“…Another relevant recent work is seen in [Bella et al 2022a], where the authors propose a formal modelling of human threats imposed on the ceremony using the Tamarin tool [tam 2022].…”
Section: Basin Et Al Propose a Formal Modelling Of The Human Limitati...
mentioning
confidence: 99%
“…They state that the ceremony is directly affected by its users' behaviours, mentioning as an example of this that "a train ticketing system can become insecure if passengers are dishonest and controllers are lazy" [Bella et al 2022a]. More serious scenarios would involve the disclosure of information that was supposed to be kept private by the users of the ceremony, or even the forging of physical elements that aim to exploit the system.…”
Section: Basin Et Al Propose a Formal Modelling Of The Human Limitati...
mentioning
confidence: 99%