X-Men: A Mutation-Based Approach for the Formal Analysis of Security Ceremonies

Sempreboni, Diego; Viganò, Luca

doi:10.1109/eurosp48549.2020.00014

Cited by 7 publications

(6 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular, when carrying out a (formal or even semi-formal) analysis of a security ceremony, one should consider also the mistakes that human users may make through their active participation, and that have the potential to lead to violations of the security properties that the ceremony was intended to guarantee. A number of approaches have been proposed to this end, e.g., discussing different threat models of security ceremonies (Sempreboni et al, 2019), providing frameworks for the analysis of security ceremonies (Bella et al, 2022;Carlos et al, 2012), or explicitly modelling and reasoning about human errors in security ceremonies (Basin et al, 2015;Basin et al, 2016;Sempreboni and Viganò, 2020).…”

Section: Security Ceremonies-the Basicsmentioning

confidence: 99%

“…It should be noted that, while formal analysis approaches and tools have advanced to the maturity that allows for the automated analysis of such complex security protocols as TLS 3.1(Blanchet, 2018) and 5G Authentication(Basin et al, 2018), as well as of security ceremonies such as those considered inBasin et al (2016),Bella et al (2022), andSempreboni and Viganò (2020), formal analysis of security protocols and ceremonies in the presence of an active attacker is an undecidable problem, so there is no guarantee that tools will terminate with a proof or a counterexample to the protocol's or ceremony's security. It is thus good practice to complement formal analysis with other approaches such as risk analysis or security assurance approaches (see, e.g., ENISA2022).…”

mentioning

confidence: 99%

See 1 more Smart Citation

Perceptions of Beauty in Security Ceremonies

et al. 2022

Self Cite

View full text Add to dashboard Cite

When we use secure computer systems, we engage with carefully orchestrated and ordered interactions called “security ceremonies”, all of which exist to assure security. A great deal of attention has been paid to improving the usability of these ceremonies over the last two decades, to make them easier for end-users to engage with. Yet, usability improvements do not seem to have endeared end users to ceremonies. As a consequence, human actors might subvert the ceremony’s processes or avoid engaging with it. Here, we consider whether beautification could be one way of making ceremonies more appealing. To explore beautification in this context, we carried out three studies. Study 1 surveyed 250 participants to derive a wide range of potential dimensions of “beautiful ceremonies”. These statements were sorted into dominant themes and converted into statements, which fed into the second study, with 309 respondents, to reveal the dominant dimensions constituting beauty. Study 3 asked 41 participants to carry out a Q-sort, which revealed the ways that people combine the identified dimensions when characterising security ceremonies as “beautiful”. These studies have allowed us to pin down the perceived dimensions of beauty in the context of security ceremonies, and also to understand how people combine these dimensions in different ways in judging security ceremonies to be beautiful, confirming the old adage of beauty being “in the eye of the beholder”. We conclude by highlighting the constraints imposed by the overarching requirement for security to be maintained in the face of any usability improvements and beautification endeavours.

show abstract

Section: Security Ceremonies-the Basicsmentioning

confidence: 99%

mentioning

confidence: 99%

Perceptions of Beauty in Security Ceremonies

et al. 2022

Self Cite

View full text Add to dashboard Cite

show abstract

“…In more recent works, such as [Sempreboni and Viganò 2020], the authors model the mistakes that humans make when participating in a security ceremony through mutation rules. Such rules model possible human behaviours, automatically adjusting the behaviour of the other agents of the ceremony as well.…”

Section: Basin Et Al Propose a Formal Modelling Of The Human Limitati...mentioning

confidence: 99%

“…Sempreboni and Viganò consider the mutations provoked by human users to be of the following natures: skipping one or more of the actions that the user was supposed to perform, switching/replacing messages, or adding an unforeseen action to the ceremony execution [Sempreboni and Viganò 2020]. To automate their proposal, they have developed a prototype tool that extends Tamarin, called X-Men.…”

Section: Basin Et Al Propose a Formal Modelling Of The Human Limitati...mentioning

confidence: 99%

Six Characters in Search of a Security Problem: Pirandellian Masks for Security Ceremonies

Martimiano

Martina

2022

Anais Do XXII Simpósio Brasileiro De Segurança Da Informação E De Sistemas Computacionais (SBSeg 2022)

View full text Add to dashboard Cite

For the Italian play-writer and 1934 Nobel-Prize winner Luigi Pirandello, a fictional mask is either self-imposed or, in most cases, forced on by society, being what makes life possible. Drawing from that, we believe that due to the non-deterministic nature of the human being, the only way to specify and verify human-tailored security protocols (known as security ceremonies) is by the specification of masks that users wear in order to interact with ceremonies. In the current paper, we review further this literary inspiration and propose six possible masks: the Attentive, the Naive, the Careless, the Fearful, the Busy, and the Elder. We then discuss an example of how we can reason about security involving human beings, and present what still needs to be done.

show abstract

“…This article addresses the general challenge of how to model human threats in security ceremonies with the aim of studying the security properties more realistically than it has been possible so far, that is, in front of users who may raise threats beyond making errors, namely not only by disclosing information or passing objects but also by forging physical elements. While threats that humans raise against the technical system directly, namely by individual interactions with it, have already been investigated [3], the focus of this article is on their extension with threats that humans raise against the technical system indirectly, namely by interacting with other threatening humans without explicit collusion. In other words, we define and formalise threats both on human-to-system channels and on human-to-human channels.…”

Section: Introductionmentioning

confidence: 99%

Modelling human threats in security ceremonies1

Bella

Giustolisi

Schürmann

2022

JCS

View full text Add to dashboard Cite

Socio-Technical Systems (STSs) combine the operations of technical systems with the choices and intervention of humans, namely the users of the technical systems. Designing such systems is far from trivial due to the interaction of heterogeneous components, including hardware components and software applications, physical elements such as tickets, user interfaces, such as touchscreens and displays, and notably, humans. While the possible security issues about the technical components are well known yet continuously investigated, the focus of this article is on the various levels of threat that human actors may pose, namely, the focus is on security ceremonies. The approach is to formally model human threats systematically and to formally verify whether they can break the security properties of a few running examples: two currently deployed Deposit-Return Systems (DRSs) and a variant that we designed to strengthen them. The two real-world DRSs are found to support security properties differently, and some relevant properties fail, yet our variant is verified to meet all the properties. Our human threat model is distributed and interacting: it formalises all humans as potential threatening users because they can execute rules that encode specific threats in addition to being honest, that is, to follow the prescribed rules of interaction with the technical system; additionally, humans may exchange information or objects directly, hence practically favour each other although no specific form of collusion is prescribed. We start by introducing four different human threat models, and some security properties are found to succumb against the strongest model, the addition of the four. The question then arises on what meaningful combinations of the four would not break the properties. This leads to the definition of a lattice of human threat models and to a general methodology to traverse it by verifying each node against the properties. The methodology is executed on our running example for the sake of demonstration. Our approach thus is modular and extensible to include additional threats, potentially even borrowed from existing works, and, consequently, to the growth of the corresponding lattice. STSs can easily become very complex, hence we deem modularity and extensibility of the human threat model as key factors. The current computer-assisted tool support is put to test but proves to be sufficient.

show abstract

X-Men: A Mutation-Based Approach for the Formal Analysis of Security Ceremonies

Cited by 7 publications

References 26 publications

Perceptions of Beauty in Security Ceremonies

Perceptions of Beauty in Security Ceremonies

Six Characters in Search of a Security Problem: Pirandellian Masks for Security Ceremonies

Modelling human threats in security ceremonies1

Contact Info

Product

Resources

About