
4 Methods for Reference Model

4.3.2 Threat Analysis

As the focus of this thesis is the security of RFID systems, methods which can analyse the threats to systems should be reviewed. Approaching this systematically would offer the advantage of identifying how a system influences attack instantiation, as well as solution implementation. A method which makes this possible is the attack tree method and this is now briefly reviewed.

4.3.2.1 Attack Trees

Attack Trees are a threat modelling method proposed by Schneier (1999, 2004). They are an attacker-centric approach to deriving a depiction of the ways a system’s goals can be invalidated. Attacks are modelled from an attacker’s perspective as a tree structure. The root node of the tree represents the attacker’s attack goal and the leaf nodes depict ways of achieving that goal. As an attack can itself be a goal, it can be further decomposed into further attacks; in effect, this is a recursive process that continues until sufficient decomposition has been attained.

Attack trees can be augmented with logical operations and by assigning values to attack tree nodes. Two logical operations can be used for this purpose. Conjunction (logical “And”) between nodes, represented diagrammatically as an arc joining the child branches, indicates that all of those nodes must be achieved together in order to reach the parent goal. Disjunction (logical “Or”) between nodes is the default state and has no special diagrammatic symbol; it specifies that there are alternative ways of achieving a parent goal. Values can be added to each node to signify, for example, the cost and skill required, or whether an attack is possible or legal. Adding these constructs to nodes is intended to enhance an attack tree’s semantics; however, because the values must be chosen for a particular system, they have the distinct disadvantage of making the tree application specific (Schneier 1999, 2004).

When these constructs are specified throughout the branches of an attack tree, it is then possible to determine the likely sequences an attacker could choose. The node values in a sequence are aggregated to derive an indication of the overall value of the sequence. For example, the cost of an attack sequence could be derived by adding together the cost of each component. When such calculations are applied to all branches, the branch of least cost could be identified, which could be the most likely

instantiated for a specific system implementation, again, these make any particular attack tree specific to that system. (Schneier 1999, 2004).

Figure 12 - Attack tree for opening a safe

This attack tree represents the series of attacks an attacker may enact to obtain access to a safe. (Schneier 1999)

To indicate an attacker’s behaviour, the nodes of an attack tree are traversed from leaf node to root node, or vice versa. As each node is the composition or decomposition of an attack, the steps in achieving the attack goal form a sequence of attacks. As illustrated in Figure 12, for example, in order to open a safe an attacker could learn the combination by getting it from the target, and this could be achieved by eavesdropping on a conversation in which the combination is discussed (Schneier 1999). Each path through an attack tree represents one way the attacker can behave to attain the attack goal. This suggests that a systematic approach to analysing threats can be achieved using this method (Schneier 1999, 2004).
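The aggregation and traversal described above can be made concrete in a few lines of code. The following is an added example and not part of the thesis or of Schneier’s publications: it encodes the shape of the “open safe” tree from Figure 12 with AND/OR nodes, aggregates a cost value (minimum across OR alternatives, sum across AND conjuncts), and enumerates every leaf sequence that achieves the root goal. The cost figures and the possible/impossible marks are assumed here purely for illustration; change them and the cheapest path changes, which is exactly the system-specificity the text points out.

```python
"""Attack tree with AND/OR nodes and per-node values (added example).

Tree shape follows the 'open safe' example of Figure 12; the costs
(in thousands of dollars) and feasibility flags are ASSUMED for
illustration and are not values from the text or from Schneier.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    kind: str = "OR"               # "OR" = alternatives (default), "AND" = all children needed
    cost: Optional[int] = None     # leaf value; internal nodes aggregate their children
    feasible: bool = True          # leaf value: is this attack possible at all?
    children: List["Node"] = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children


def min_cost(node: Node) -> Optional[int]:
    """Cheapest way of achieving `node`, or None if it cannot be achieved.
    OR: take the cheapest feasible child.  AND: every child is needed, so sum."""
    if node.is_leaf():
        return node.cost if node.feasible else None
    child_costs = [min_cost(c) for c in node.children]
    if node.kind == "AND":
        if any(c is None for c in child_costs):
            return None
        return sum(child_costs)
    feasible = [c for c in child_costs if c is not None]
    return min(feasible) if feasible else None


def attack_sequences(node: Node) -> List[List[str]]:
    """Every set of leaf attacks that achieves `node` (one list per sequence).
    OR: union of the children's sequences.  AND: one sequence per combination
    of the children's sequences (Cartesian product)."""
    if node.is_leaf():
        return [[node.name]] if node.feasible else []
    per_child = [attack_sequences(c) for c in node.children]
    if node.kind == "AND":
        if any(not seqs for seqs in per_child):
            return []
        return [sum(combo, []) for combo in product(*per_child)]
    return [seq for seqs in per_child for seq in seqs]


def leaf_costs(root: Node) -> Dict[str, int]:
    """Map every leaf name to its assigned cost value."""
    out: Dict[str, int] = {}
    stack = [root]
    while stack:
        n = stack.pop()
        if n.is_leaf():
            out[n.name] = n.cost
        stack.extend(n.children)
    return out


def sequence_cost(root: Node, sequence: List[str]) -> int:
    costs = leaf_costs(root)
    return sum(costs[name] for name in sequence)


def cheapest_sequence(root: Node) -> Optional[List[str]]:
    """The attack sequence of least aggregated cost, i.e. the 'most likely' branch."""
    seqs = attack_sequences(root)
    return min(seqs, key=lambda s: sequence_cost(root, s)) if seqs else None


def build_safe_tree() -> Node:
    eavesdrop = Node("Eavesdrop", kind="AND", children=[      # AND: both needed
        Node("Listen to conversation", cost=20),
        Node("Get target to state combination", cost=40, feasible=False),
    ])
    get_from_target = Node("Get combination from target", children=[
        Node("Threaten", cost=60, feasible=False),
        Node("Blackmail", cost=100, feasible=False),
        eavesdrop,
        Node("Bribe", cost=20),
    ])
    learn_combination = Node("Learn combination", children=[
        Node("Find written combination", cost=75, feasible=False),
        get_from_target,
    ])
    return Node("Open safe", children=[
        Node("Pick lock", cost=30, feasible=False),
        learn_combination,
        Node("Cut open safe", cost=10),
        Node("Install improperly", cost=100, feasible=False),
    ])


if __name__ == "__main__":
    tree = build_safe_tree()
    for seq in attack_sequences(tree):
        print(sequence_cost(tree, seq), " -> ".join(seq))
    print("cheapest:", cheapest_sequence(tree), "cost", min_cost(tree))
```

Because “Get target to state combination” is marked infeasible, the whole Eavesdrop conjunction drops out, and the only surviving paths are “Bribe” and “Cut open safe”; the minimum-cost path is the latter. Flipping a single leaf value changes that outcome, which is why a valued tree is tied to the system it was built for.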

Attack trees have been used previously in RFID research for modelling threats against privacy. The ways tags reveal information about the objects they are associated with has been analysed by Spiekermann and Ziekow (2005) using this method. However, recall from Chapter 3 that the lack of alignment to system layers was a perceived shortcoming, as the method lacked the ability to determine which security solutions were feasible. This shows that attack trees are an accepted way of modelling RFID threats, but that there are outstanding problems to be solved in their use in RFID security.

Attack trees are not the only threat modelling approach which would be useful for analysing attacks in an RFID system. The main benefit they offer is the ability to structure attacks hierarchically – which can be linked to the architectural property of RFID systems (see Chapter 3).

4.3.3 Solution Analysis

One approach to analysing solutions on a ‘whole of system’ basis is to study solutions in the context of actual systems. However, some authors report that this is not so straightforward for researchers. In our work on developing an intrusion detection system for RFID, Mirowski and Hartnett (2007) reported that the availability of actual systems for examining security was limited. We had to evaluate the intrusion detection system not on an actual RFID system, but on sanitised data from a live RFID system into which synthetic attacks had been injected. This had the disadvantage of being an artificial representation of what attacks may look like rather than an actual one. Moreover, as the data was sourced from a live system, any attacks which may have been present in it but unknown to us may have influenced the accuracy of the results. In addition, very little information was available about the users of the system, and thus the context of the data was minimal.

Recognising that the availability of RFID data was also an ongoing problem for other researchers, Mirowski et al. (2008) released RFID data on the internet for other researchers to use. Since the release of this (presumed) attack-free output data, it has had over 900 downloads. This suggests that there is an ongoing need for actual systems to be available for the analysis of solutions. To this end, this section reviews a method which may be suitable for analysing security solutions for RFID systems on a ‘whole of system’ basis.

4.3.3.1 Agent Based Modelling and Simulation (ABMS)

ABMS is a simulation methodology which models a system as a collection of agents and the relationships between those agents. Although what exactly constitutes an agent is contentious, in general an agent executes various simple, independent behaviours (Macal and North 2005; Korth 2006). While the individual rules of each agent may be simple, the model’s agents collectively exhibit more complex behaviour than any single agent. This is called emergent behaviour. It is seen as beneficial, as systems are often easier to understand as constituent components (Bonabeau 2002). Thus, highly complex systems can be modelled using relatively simple components, whilst still attaining the behaviour of the ‘whole system’. An example of this emergent behaviour is that of termites working together to create large mounds that have very complicated temperature control structures. Even though no single termite plans to produce a specific mound, the mound emerges through termite interactions. In simulations of similar phenomena, the design of each agent is simple, but the behaviour of the whole system emerges through these simple interactions.

From a review of general simulation literature (Robinson 2004), it seems likely that consideration should be given to two general simulation issues: firstly, how the simulation can be implemented, and thus how to implement the ABMS; and secondly, the methodological approach to be taken to simulation development. These are briefly reviewed and related back to the concept of ABMS.

ABMS can be implemented more easily using toolkits (Gilbert and Bankes 2002). An example toolkit is the Multi-Agent Simulator of Neighbourhoods (MASON) (Balan et al. 2003; Luke et al. 2004). MASON provides some of the core elements needed for ABMS: modelling and visualisation. It allows a modeller to define agents as entities, which can be scheduled to perform some action inside a continuous virtual environment. Visualisation can occur in a three-dimensional viewport which animates agent interactions. MASON is an extensible toolkit allowing a modeller to make customised simulations. For these reasons, MASON has been used for a wide range of multi-agent simulations, ranging from swarm robotics to social complexity.

The relationship of developing a simulation to using a methodology is now considered. The procedures to develop a simulator have been discussed in Robinson (2004) and Law (2005). Robinson (2004) has proposed that simulators have modes, ranging from highly accurate representations of systems for predicting outcomes in real systems (Mode One) to less formal representations which facilitate a group of individuals through the discussions which take place during the modelling process (Mode Three). These modes give direction to the approach one may take in developing a simulation for the purpose of system analysis.

For RFID simulation, one assumes that there would usually be a single security proponent involved in an analysis task. Thus, for a ‘whole of system’ approach, Mode Two simulators appear to be the most relevant method.

A Mode Two simulator is developed for problem understanding and problem solving by a single modeller. These are seen as a process of ‘social change’ as learning occurs through the process of development, as well as through experimentation with the simulator. Model users are highly involved during the modelling process, gaining benefits from all stages in terms of an improved understanding as well as the solutions that could be derived from experimentation with the model. These users are the direct beneficiaries of the modelling process. Consequently, validation is considered in terms of whether the model is sufficiently accurate for its purpose and is performed by the modeller in conjunction with the users.

For a ‘whole of system’ approach to RFID security, the main benefit ABMS would offer is the ability to simplify systems into their constituent components. This could allow an analyst to examine tags individually, or the ‘whole system’, depending on analysis goals. In implementing an ABMS, one would be providing a mechanism for the analysis of solutions prior to actual system investigation.
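To show what the core elements just described (agents with simple independent rules, a scheduler, a continuous environment, and a system-level quantity that emerges from the interactions) look like in practice, the following is an added, self-contained Python example; it is not MASON, not the thesis’s own simulator, and every parameter in it is assumed for illustration. Tag agents random-walk inside a bounded area, reader agents read whatever is in range on each scheduled step, and one reader is a rogue skimmer the system owner did not deploy. No agent knows which tags end up skimmed; that set, and the read counts per reader, emerge from the run and can be inspected per tag or for the whole system.

```python
"""Minimal agent-based model of an RFID deployment (added example, assumed parameters).

Agents: Tag (random walk) and Reader (reads tags in range).  The Model
supplies the two core ABMS elements the text names: a scheduler and a
continuous 2-D environment.  Nothing here is MASON or the thesis's code.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Tag:
    tag_id: str
    x: float
    y: float
    reads: List[Tuple[int, str]] = field(default_factory=list)  # (step, reader_id)

    def step(self, model: "Model") -> None:
        # Simple independent rule: random walk, clipped to the environment bounds.
        self.x = min(max(self.x + model.rng.uniform(-1.0, 1.0), 0.0), model.width)
        self.y = min(max(self.y + model.rng.uniform(-1.0, 1.0), 0.0), model.height)


@dataclass
class Reader:
    reader_id: str
    x: float
    y: float
    read_range: float
    rogue: bool = False  # a skimmer the system owner did not deploy

    def step(self, model: "Model") -> None:
        # Simple rule: interrogate every tag strictly inside the read range.
        for tag in model.tags:
            if (tag.x - self.x) ** 2 + (tag.y - self.y) ** 2 < self.read_range ** 2:
                tag.reads.append((model.time, self.reader_id))


class Model:
    """Scheduler plus continuous 2-D environment shared by all agents."""

    def __init__(self, width: float, height: float, tags: List[Tag],
                 readers: List[Reader], seed: int) -> None:
        self.width, self.height = width, height
        self.tags, self.readers = tags, readers
        self.rng = random.Random(seed)  # seeded so a run is reproducible
        self.time = 0

    def run(self, steps: int) -> None:
        for _ in range(steps):
            for agent in [*self.tags, *self.readers]:  # fixed schedule order per step
                agent.step(self)
            self.time += 1

    def reads_by_reader(self) -> Dict[str, int]:
        """Whole-system view: how many reads each reader achieved."""
        counts = {r.reader_id: 0 for r in self.readers}
        for tag in self.tags:
            for _, reader_id in tag.reads:
                counts[reader_id] += 1
        return counts

    def skimmed_tags(self) -> List[str]:
        """Emergent outcome: which tags a rogue reader managed to read at least once."""
        rogue_ids = {r.reader_id for r in self.readers if r.rogue}
        return sorted(t.tag_id for t in self.tags
                      if any(rid in rogue_ids for _, rid in t.reads))


def run_scenario(rogue_range: float, steps: int = 200, seed: int = 7) -> Model:
    """Constructed scenario (assumed layout): five tags, one portal reader, one skimmer."""
    tags = [Tag(f"tag{i}", x=2.0 + i, y=5.0) for i in range(5)]
    readers = [
        Reader("portal", x=5.0, y=5.0, read_range=1.5),
        Reader("skimmer", x=9.0, y=9.0, read_range=rogue_range, rogue=True),
    ]
    model = Model(width=10.0, height=10.0, tags=tags, readers=readers, seed=seed)
    model.run(steps)
    return model


if __name__ == "__main__":
    for rng in (0.0, 1.0, 3.0):
        m = run_scenario(rogue_range=rng)
        print(f"skimmer range {rng}: reads {m.reads_by_reader()}, skimmed {m.skimmed_tags()}")
```

Varying only the skimmer’s read range and re-running shows how a single solution parameter (here, how far a rogue reader can reach) changes a system-level result without any agent being reprogrammed, which is the kind of “solution analysis prior to actual system investigation” the text has in mind.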

4.4 Summary

This chapter has reviewed existing methods that will be used in the coming chapters to derive an alternative security model which makes possible a ‘whole of system’ approach to security analysis.

The reference model method will be used to derive an alternative representation of security in RFID systems to facilitate the ‘whole of system’ approach. This method offers an overarching approach to defining a system’s architecture. The principle of quality ensures that a suitable representation would be derived. Another benefit is the means of evaluation to compare a derived model to existing work. Using this approach, a more robust model of RFID could be derived when compared to existing models, and thus such a model may be more suitable to facilitating the ‘whole of system’ approach.

Moreover, a variety of methods which will be applied to a reference model were reviewed for the specific purpose of identifying how these would contribute systems information. These came from a variety of domains but if integrated in a reference model, would be made to work for the specific goal of analysing security on a ‘whole of system’ basis. It is important to make this requirement clear, as without a representational basis, the results which would be derived from each analysis method may not be integrated across the whole RFID system nor related to one another. In using these methods this concept of integration is a perceived necessity as what is proposed is that threats and solutions are considered in relation to a domain context. This chapter ends with the thought that a ‘whole of system’ approach can be facilitated by a reference model, and individual methods, which have systematic qualities, can then be applied to the model, in order to achieve specific security analysis information. Consequently, the next chapter introduces an alternative model for the ‘whole of system’ approach and successive chapters illustrate how ‘whole of system’ analysis achieves specific analysis outcomes by integrating the methods reviewed above in the model.

5 An Integrated