Security Pattern Assurance through Round-Trip Engineering
Amnon H. Eden, School of Computer Science & Electronic Engineering, University of Essex
Abstract
Catalogues of security patterns record object-oriented design practices that have proved to promote security. Our research project facilitates making, modelling and enforcing design decisions involving security patterns:
• Making design decisions, by creating a guide for the transition from requirements to tactics and from tactics to patterns
• Modelling design decisions, by capturing the constraints that each security pattern imposes clearly, precisely and with minimal effort
• Enforcing design decisions, by developing tools for fully automated conformance checking
Contents
• Making design decisions
  • From requirements to tactics to patterns
• Modelling design decisions
  • Structure: Codecharts
  • Behaviour: Temporal logic
• Enforcing design decisions
  • Tool support
• Round-trip engineering
Example
Requirement: withstand attacks
1. Make the design decision
  • Tactic: Limit Exposure
  • Pattern: Check Point
2. Codify the decision
  • Structure: Codecharts
  • Behaviour: Temporal logic
3. Enforce the decision
  • Map the pattern to the implementation
  • Verify with the Toolkit
Project
• Security Pattern Assurance through Round-trip Engineering
• LENS (Line-funded Exploratory New Starts)
• Software Engineering Institute, Carnegie-Mellon University
• $125K
• Team: Rick Kazman (SEI & U of Hawaii), Abdullah Alzahrani (U of Essex), Jungwoo Ryoo (Penn State), Rob Wojcik (SEI), Gary Chastek (SEI), Amnon H. Eden (U of Essex)
Making design decisions: from requirements to tactics to patterns
Tactics
• Fine-grained design objectives
• Each contributes to one quality attribute:
  • Availability
  • Interoperability
  • Modifiability
  • Performance
  • Security
  • Testability
  • Usability
(Bass, Clements, Kazman 2012)
Tactics hierarchy (Ryoo, Kazman & Laplante 2012)
Guide
• Tactics
• Patterns: Single Access Point, Check Point, Roles, Session, Full View with Errors, Limited View, Security Access Layer, Intercepting Validator, Secure Logger, …
http://security.altoona.psu.edu/designguide/
Modelling design decisions: structure (Codecharts)
Security patterns
• Check Point pattern
  • Intent: a component that intercepts and monitors all incoming requests; in case of a violation it is responsible for taking appropriate countermeasures
  • Participants: CheckPoint, Countermeasure, SecurityPolicy
(Schumacher, Fernandez-Buglioni, Hybertson, Buschmann, Sommerlad 2006) (Wasserman & Cheng 2003)
Security patterns: structure
• Check Point pattern (cont.)
  • CheckPoint implements a method that checks messages according to the current security policy and either triggers countermeasures or allows the message to proceed to the intended recipient
  • Countermeasure provides actions that can be triggered in order to react to an access violation
  • SecurityPolicy implements the rules that determine whether a request is granted
(Wasserman & Cheng 2003)
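The three participants above, written out as an added Java example (not code from the slides or from the project; it assumes Java 17 and invents a Request type, an allow-list policy and a lock-out countermeasure to make the roles concrete). CheckPoint is the only path to the recipient: it consults SecurityPolicy, forwards granted requests, and on a denial triggers the Countermeasure, which here feeds a lock-out list back into the policy. The event names recorded in the trace are the ones used in the deck's temporal formulas.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class CheckPointDemo {

    /** A request as seen by the check point (constructed for this example). */
    record Request(String principal, String action, String source) {}

    /** SecurityPolicy: the rules that determine whether a request is granted. */
    interface SecurityPolicy { boolean permits(Request r); }

    /** Countermeasure: an action triggered in reaction to an access violation. */
    interface Countermeasure { void trigger(Request violating); }

    /** The protected recipient; requests reach it only through the check point. */
    interface Recipient { String handle(Request r); }

    /** CheckPoint: intercepts every request, checks it, then forwards or reacts. */
    static final class CheckPoint {
        private final SecurityPolicy policy;
        private final Countermeasure countermeasure;
        private final Recipient recipient;
        /** Event trace, named after the events in the deck's temporal formulas. */
        private final List<String> trace = new ArrayList<>();

        CheckPoint(SecurityPolicy policy, Countermeasure countermeasure, Recipient recipient) {
            this.policy = policy;
            this.countermeasure = countermeasure;
            this.recipient = recipient;
        }

        /** The checkRequest method of the pattern. */
        String checkRequest(Request r) {
            if (policy.permits(r)) {
                trace.add("CheckPoint.grantAccess");
                return recipient.handle(r);
            }
            trace.add("CheckPoint.denyAccess");
            countermeasure.trigger(r);
            trace.add("CounterMeasure.triggered");
            return "denied";
        }

        List<String> trace() { return List.copyOf(trace); }
    }

    /** Constructed policy: an allow-list of "principal:action", minus locked-out sources. */
    static final class AllowListPolicy implements SecurityPolicy {
        private final Set<String> allowed;
        private final Set<String> lockedSources;

        AllowListPolicy(Set<String> allowed, Set<String> lockedSources) {
            this.allowed = allowed;
            this.lockedSources = lockedSources;
        }

        @Override public boolean permits(Request r) {
            return !lockedSources.contains(r.source())
                && allowed.contains(r.principal() + ":" + r.action());
        }
    }

    /** Constructed countermeasure: lock a source out after `threshold` violations. */
    static final class LockoutCountermeasure implements Countermeasure {
        private final Map<String, Integer> violations = new HashMap<>();
        private final Set<String> lockedSources;
        private final int threshold;

        LockoutCountermeasure(Set<String> lockedSources, int threshold) {
            this.lockedSources = lockedSources;
            this.threshold = threshold;
        }

        @Override public void trigger(Request v) {
            int n = violations.merge(v.source(), 1, Integer::sum);
            if (n >= threshold) lockedSources.add(v.source());
        }
    }

    public static void main(String[] args) {
        Set<String> locked = new HashSet<>(); // shared state: the countermeasure feeds the policy
        CheckPoint cp = new CheckPoint(
            new AllowListPolicy(Set.of("alice:read"), locked),
            new LockoutCountermeasure(locked, 3),
            r -> "ok: " + r.principal() + " " + r.action());

        System.out.println(cp.checkRequest(new Request("alice", "read", "10.0.0.5")));   // granted
        for (int i = 0; i < 3; i++) {                                                      // three violations
            System.out.println(cp.checkRequest(new Request("bob", "write", "10.0.0.9")));  // denied
        }
        System.out.println(cp.checkRequest(new Request("alice", "read", "10.0.0.9")));   // denied: source locked out
        System.out.println(cp.trace());
    }
}
```

Compile and run with `javac CheckPointDemo.java && java CheckPointDemo`. The last request shows why the countermeasure and the policy share state: a source that has exhausted its violations is refused even for an action that the allow-list would otherwise grant.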
Modelling structure: class diagrams
[Figure: Check Point class diagram (Wasserman & Cheng 2003)]
Modelling structure: class diagrams
Questions the class diagram leaves open:
1. Which method calls which?
2. What’s this?
3. Is it class “CheckPoint”?
[Figure: Check Point class diagram, annotated (Wasserman & Cheng 2003)]
Modelling structure: Codecharts
Check Point (Wasserman & Cheng 2003)
Declarations:
  counterMeasure : CLASS
  checkPolicy : SIGNATURE
  Trigger : ℘ SIGNATURE
  InternalEntities : ℘ CLASS
Formula:
  Call(checkRequest ⊗ checkPoint, Trigger ⊗ counterMeasure)
Modelling structure: class diagrams
Check Point (Schumacher et al. 2006)
• CheckPoint encapsulates the security policy
• Many policies ⇒ many CheckPoints
Open questions: Common? Unique? One concrete CheckPoint or many?
Modelling structure: Codechart and schema
Check Point (Schumacher et al. 2006), schema CheckPoint2
Declarations:
  CheckPointHierarchy : HIERARCHY
  access, checkRequest : SIGNATURE
  Trigger, SecureActions : ℘ SIGNATURE
  singleAccessPoint, counterMeasure : CLASS
  InternalEntities : ℘ CLASS
Formulas:
  Call(access ⊗ singleAccessPoint, checkRequest ⊗ CheckPointHierarchy)
  Call(access ⊗ singleAccessPoint, SecureActions ⊗ InternalEntities)
  …
Modelling structure: Codecharts
• Methods, sets, signatures
• Precise criterion of correctness
• Communication; verification; automation, …
• Variations become evident: Check Point (Wasserman & Cheng 2003) vs. Check Point (Schumacher et al. 2006)
Modelling design decisions: behaviour
Security patterns: behaviour
• CheckPoint checks whether msg conforms to the policy
  • If not, it triggers a countermeasure
  • If so, it allows msg to proceed to the intended recipient
• Countermeasure reacts to an access violation when triggered
• Client receives a granted/denied access message
• …
Check Point (Wasserman & Cheng 2003)
Modelling behaviour: sequence diagrams
• Limited abstractions
• Difficult to represent global constraints
• Limited tool support in verification
Check Point (Wasserman & Cheng 2003)
Modelling behaviour: statecharts
• Limited to FSAs
• Problematic integration
Check Point (Wasserman & Cheng 2003)
Modelling behaviour: temporal logic
$\Box\,(\mathit{CheckPoint.denyAccess} \Rightarrow \Diamond\,\mathit{CounterMeasure.triggered})$
$\Box\,(\mathit{CheckPoint.denyAccess} \Rightarrow \mathit{Client.fail}\ \mathcal{U}\ \mathit{Client.idle})$
$\Box\,(\mathit{CheckPoint.grantAccess} \Rightarrow (\Diamond\,\mathit{Client.succeed})\ \mathcal{U}\ \mathit{Client.idle})$ (Availability)
Check Point (Wasserman & Cheng 2003)
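The slide states the Check Point properties but does not show how they are evaluated. As an added example (not from the slides, and not the model-checking route the deck discusses), the following Java program checks the same three formulas against recorded event traces, the lightweight runtime-verification reading of the same specification. Each trace step is the set of events true at that step; the traces are constructed by hand, and the finite-trace semantics is an assumption to note: ◊p is false if the trace ends before p, and p U q is strong, so q must actually occur.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class CheckPointTraceCheck {

    /** A proposition evaluated at position i of a finite trace. */
    interface Prop { boolean at(List<Set<String>> tr, int i); }

    static Prop atom(String event) { return (tr, i) -> tr.get(i).contains(event); }

    static Prop implies(Prop a, Prop b) { return (tr, i) -> !a.at(tr, i) || b.at(tr, i); }

    /** Diamond p: p holds at i or at some later step (false if the trace ends first). */
    static Prop eventually(Prop p) {
        return (tr, i) -> {
            for (int j = i; j < tr.size(); j++) if (p.at(tr, j)) return true;
            return false;
        };
    }

    /** p U q (strong until): q at some j >= i, and p at every step from i up to j. */
    static Prop until(Prop p, Prop q) {
        return (tr, i) -> {
            for (int j = i; j < tr.size(); j++) {
                if (q.at(tr, j)) return true;
                if (!p.at(tr, j)) return false;
            }
            return false;
        };
    }

    /** Box p: p at every position of the trace. */
    static boolean always(Prop p, List<Set<String>> tr) {
        for (int i = 0; i < tr.size(); i++) if (!p.at(tr, i)) return false;
        return true;
    }

    /** The three Check Point formulas from the slide, evaluated on one trace. */
    static Map<String, Boolean> check(List<Set<String>> tr) {
        Prop deny = atom("CheckPoint.denyAccess"), grant = atom("CheckPoint.grantAccess");
        Prop triggered = atom("CounterMeasure.triggered");
        Prop fail = atom("Client.fail"), succeed = atom("Client.succeed"), idle = atom("Client.idle");
        Map<String, Boolean> r = new LinkedHashMap<>();
        r.put("[](deny => <>triggered)", always(implies(deny, eventually(triggered)), tr));
        r.put("[](deny => fail U idle)", always(implies(deny, until(fail, idle)), tr));
        r.put("[](grant => (<>succeed) U idle)", always(implies(grant, until(eventually(succeed), idle)), tr));
        return r;
    }

    /** Constructed trace of a conforming run: one denial, then one granted request. */
    static final List<Set<String>> CONFORMING = List.of(
        Set.of("Client.idle"),
        Set.of("CheckPoint.denyAccess", "Client.fail"),
        Set.of("CounterMeasure.triggered", "Client.fail"),
        Set.of("Client.idle"),
        Set.of("CheckPoint.grantAccess"),
        Set.of("Client.succeed"),
        Set.of("Client.idle"));

    /** Constructed trace of a defective run: access is denied but no countermeasure ever fires. */
    static final List<Set<String>> NO_COUNTERMEASURE = List.of(
        Set.of("Client.idle"),
        Set.of("CheckPoint.denyAccess", "Client.fail"),
        Set.of("Client.idle"));

    public static void main(String[] args) {
        System.out.println("conforming run:  " + check(CONFORMING));   // all three true
        System.out.println("missing trigger: " + check(NO_COUNTERMEASURE)); // first formula false
    }
}
```

The Prop combinators mirror the formulas one-to-one, so a new property from the catalogue can be added as one more `r.put` line. Because a trace is finite, a run cut off immediately after a denial would also report the first formula as false; in practice that is the desired behaviour for a log that ends mid-transaction, but it is a property of this checker, not of the temporal logic on the slide.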
Enforcing design decisions: automated verification with the TTP Toolkit
Check Point: implementation
• Java Authentication & Authorization Service (JAAS)
  • Java implementation of the Pluggable Authentication Module (PAM) information security framework
  • Originally developed for the Solaris operating system
  • Other implementations: Linux PAM
  • Used by the Apache web server to validate each HTTP request according to a configured activation sequence
• Implements the Check Point pattern
Security patterns: structure
Apparent similarity between the Check Point pattern and JAAS
[Figure: Check Point pattern beside the JAAS class structure]
Enforcing structure
Assignment of constants to variables
[Figure: assignment table for the Check Point Codechart]
Enforcing structure: automation
[Figure: verification result for the Check Point assignment]
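The two slides above show the enforcement step as a figure: constants of the implementation are assigned to the variables of the Codechart, and the tool decides whether the Call formulas hold. The following added Java example (not the TTP Toolkit's code) performs that check by hand for the Call formula of the Wasserman & Cheng Check Point Codechart. The program facts (methods and call edges) are constructed as a code analyser would extract them; the class and method names are invented. One assumption is labelled in the code: a Call formula whose terms are sets is read as requiring every left-hand method to call every right-hand method.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class StructuralConformance {

    /** A concrete method: a signature in a class, printed as signature@Class. */
    record Method(String signature, String clazz) {
        @Override public String toString() { return signature + "@" + clazz; }
    }

    /** A formula Call(sig1 ⊗ class1, sig2 ⊗ class2) over schema variable names. */
    record CallFormula(String lhsSig, String lhsClass, String rhsSig, String rhsClass) {}

    /** Program facts as a code analyser would extract them; constructed by hand here. */
    record Program(Set<Method> methods, Set<List<Method>> calls) {
        boolean hasCall(Method from, Method to) { return calls.contains(List.of(from, to)); }
    }

    /** sig ⊗ class: the methods of the assigned classes that carry the assigned signatures. */
    static Set<Method> superimpose(Map<String, Set<String>> assignment, String sigVar, String classVar, Program p) {
        Set<Method> out = new HashSet<>();
        for (String s : assignment.getOrDefault(sigVar, Set.of()))
            for (String c : assignment.getOrDefault(classVar, Set.of())) {
                Method m = new Method(s, c);
                if (p.methods().contains(m)) out.add(m);
            }
        return out;
    }

    /**
     * Call edges the formula requires but the program lacks; empty means the assignment conforms.
     * Assumed reading of set-valued terms: every method on the left calls every method on the right.
     */
    static List<String> violations(CallFormula f, Map<String, Set<String>> assignment, Program p) {
        List<String> missing = new ArrayList<>();
        Set<Method> lhs = superimpose(assignment, f.lhsSig(), f.lhsClass(), p);
        Set<Method> rhs = superimpose(assignment, f.rhsSig(), f.rhsClass(), p);
        if (lhs.isEmpty() || rhs.isEmpty()) missing.add("a term of " + f + " denotes no method in the program");
        for (Method a : lhs)
            for (Method b : rhs)
                if (!p.hasCall(a, b)) missing.add(a + " does not call " + b);
        return missing;
    }

    /** The formula of the Wasserman & Cheng Codechart: Call(checkRequest ⊗ checkPoint, Trigger ⊗ counterMeasure). */
    static final CallFormula CHECK_POINT = new CallFormula("checkRequest", "checkPoint", "Trigger", "counterMeasure");

    // Invented implementation entities.
    static final Method CHECK = new Method("checkRequest", "PolicyCheckPoint");
    static final Method EVAL = new Method("evaluate", "Policy");
    static final Method LOG = new Method("logViolation", "Lockout");
    static final Method BLOCK = new Method("blockSource", "Lockout");

    /** Assignment of implementation constants to the Codechart's variables. */
    static final Map<String, Set<String>> ASSIGNMENT = Map.of(
        "checkRequest", Set.of("checkRequest"),
        "checkPoint", Set.of("PolicyCheckPoint"),
        "Trigger", Set.of("logViolation", "blockSource"),
        "counterMeasure", Set.of("Lockout"));

    static Program original() {
        return new Program(Set.of(CHECK, EVAL, LOG, BLOCK),
            Set.of(List.of(CHECK, EVAL), List.of(CHECK, LOG), List.of(CHECK, BLOCK)));
    }

    /** The same program after a careless change that dropped the call to blockSource. */
    static Program afterCarelessChange() {
        return new Program(Set.of(CHECK, EVAL, LOG, BLOCK),
            Set.of(List.of(CHECK, EVAL), List.of(CHECK, LOG)));
    }

    public static void main(String[] args) {
        System.out.println("original:        " + violations(CHECK_POINT, ASSIGNMENT, original()));          // []
        System.out.println("careless change: " + violations(CHECK_POINT, ASSIGNMENT, afterCarelessChange())); // one missing call
    }
}
```

The second run is the situation the deck later calls a careless change: the code still compiles and the class diagram still looks right, but the Codechart's Call formula no longer holds, and the checker names the missing edge rather than merely reporting failure.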
Enforcing behaviour: verification
• Wasserman & Cheng (2003):
  • Technique: model checking
  • Tools:
    • MINERVA (Campbell et al. 2002): checks consistency of UML
    • HYDRA (McUmber & Cheng): UML → Promela
    • SPIN (Holzmann 1997): model checker
  • Systems tested: small examples
  • Two steps annotated Manual on the slide
(Wasserman & Cheng 2003)
Round-trip engineering
Forward, reverse, & round-trip (Eden, Gasparis, Nicholson & Kazman, forthcoming)
Round trip on Java 3D: implementation
Round trip on Java 3D: modelling (abstract)
Round trip on Java 3D: code analysis
Round trip on Java 3D: verification successful
Modelling patterns www.lepus.org.uk
Verifying patterns: Java 3D implements Factory Method (structural conformance to the Factory Method Codechart)
[Figure: Factory Method in Java 3D]
Implementation: evolve (careless change)
Visualization: package java.util.logging
Modelling formats: textually (XML), visually (Codechart), symbolically (schema)
Factory Method pattern, as XML:
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="http://www.lepus.org.uk/templates/classz.xsl"?>
<schema xmlns="http://www.lepus.org.uk/classz" title="Factory Method"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.lepus.org.uk/classz http://www.lepus.org.uk/templates/classz.xsd">
  <description>The Factory Method design pattern</description>
  <declarations>
    <declare>
      <variable value="Factories" />
      <variable value="Products" />
      <type value="HIERARCHY" exponent="1" />
    </declare>
    <declare>
      <variable value="factoryMethod" />
      <type value="SIGNATURE" exponent="0" />
    </declare>
  </declarations>
  <formulas>
    <formula>
      <predicatesymbol value="Isomorphic" />
      <relationsymbol value="Produce" transitive="false" />
      <superimposition>
        <variable value="factoryMethod" />
        <variable value="Factories" />
      </superimposition>
      <variable value="Products" />
    </formula>
  </formulas>
  <!-- Generated using the TTP Toolkit on Tue Nov 27 17:42:25 GMT 2012 -->
</schema>
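The slide shows the same schema in three forms but not how the textual form maps to the symbolic one. As an added Java example (not the TTP Toolkit's reader), the following program parses the XML above into the symbolic schema, one line per declaration and one per formula. The XML is embedded inline, trimmed of the stylesheet instruction and the xsi attributes, which this reader does not use. Two assumptions are labelled in the code: the rendering of `exponent` (a HIERARCHY is already one-dimensional, so only CLASS and SIGNATURE take the ℘ prefix, following the declarations on the Check Point slides), and the DOCTYPE rejection, which is this example's hardening choice for an XML format that never needs one.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class ClassZReader {

    /** The Factory Method schema from the slide (stylesheet instruction and xsi attributes omitted). */
    static final String FACTORY_METHOD = """
        <?xml version="1.0" encoding="ISO-8859-1"?>
        <schema xmlns="http://www.lepus.org.uk/classz" title="Factory Method">
          <description>The Factory Method design pattern</description>
          <declarations>
            <declare><variable value="Factories" /><variable value="Products" /><type value="HIERARCHY" exponent="1" /></declare>
            <declare><variable value="factoryMethod" /><type value="SIGNATURE" exponent="0" /></declare>
          </declarations>
          <formulas>
            <formula>
              <predicatesymbol value="Isomorphic" />
              <relationsymbol value="Produce" transitive="false" />
              <superimposition><variable value="factoryMethod" /><variable value="Factories" /></superimposition>
              <variable value="Products" />
            </formula>
          </formulas>
        </schema>
        """;

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Schema files carry no DTD, so refuse DOCTYPEs outright; this also rules out entity expansion (XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** Element children only (skips whitespace text nodes). */
    static List<Element> children(Element e) {
        List<Element> out = new ArrayList<>();
        NodeList nl = e.getChildNodes();
        for (int i = 0; i < nl.getLength(); i++)
            if (nl.item(i).getNodeType() == Node.ELEMENT_NODE) out.add((Element) nl.item(i));
        return out;
    }

    /** Assumed rendering of exponent: a HIERARCHY is already a set, so only CLASS and SIGNATURE get ℘. */
    static String renderType(String type, String exponent) {
        boolean isSet = !exponent.isEmpty() && Integer.parseInt(exponent) > 0;
        return isSet && !type.equals("HIERARCHY") ? "\u2118 " + type : type;
    }

    /** One line per <declare>, e.g. "Factories, Products : HIERARCHY". */
    static List<String> declarations(Document doc) {
        List<String> out = new ArrayList<>();
        NodeList decls = doc.getElementsByTagName("declare");
        for (int i = 0; i < decls.getLength(); i++) {
            List<String> names = new ArrayList<>();
            String type = "", exponent = "0";
            for (Element c : children((Element) decls.item(i))) {
                if (c.getTagName().equals("variable")) names.add(c.getAttribute("value"));
                else if (c.getTagName().equals("type")) { type = c.getAttribute("value"); exponent = c.getAttribute("exponent"); }
            }
            out.add(String.join(", ", names) + " : " + renderType(type, exponent));
        }
        return out;
    }

    /** One line per <formula>, e.g. "Isomorphic(Produce, factoryMethod ⊗ Factories, Products)". */
    static List<String> formulas(Document doc) {
        List<String> out = new ArrayList<>();
        NodeList fs = doc.getElementsByTagName("formula");
        for (int i = 0; i < fs.getLength(); i++) {
            String predicate = null, relation = null;
            List<String> terms = new ArrayList<>();
            for (Element c : children((Element) fs.item(i))) {
                switch (c.getTagName()) {
                    case "predicatesymbol" -> predicate = c.getAttribute("value");
                    case "relationsymbol" -> relation = c.getAttribute("value");
                    case "variable" -> terms.add(c.getAttribute("value"));
                    case "superimposition" -> {
                        List<String> parts = new ArrayList<>();
                        for (Element v : children(c)) parts.add(v.getAttribute("value"));
                        terms.add(String.join(" \u2297 ", parts));
                    }
                    default -> { }
                }
            }
            String inner = String.join(", ", terms);
            out.add(predicate == null ? relation + "(" + inner + ")" : predicate + "(" + relation + ", " + inner + ")");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(FACTORY_METHOD);
        declarations(doc).forEach(System.out::println); // Factories, Products : HIERARCHY / factoryMethod : SIGNATURE
        formulas(doc).forEach(System.out::println);     // Isomorphic(Produce, factoryMethod ⊗ Factories, Products)
    }
}
```

Requires Java 17 (text blocks and arrow switches). The parser is deliberately namespace-unaware, so `getElementsByTagName` matches the unprefixed element names regardless of the default namespace declared on `<schema>`.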
Desiderata
• Automatically verifiable
• Modelling & visualization
• Formal & practical
• Elegant & parsimonious
• Visual & symbolic
• Object-oriented
• Scalable
• Generic
LePUS3 Vocabulary (Eden & Nicholson 2011)
Visual & symbolic: Codechart and schema
Check Point (Schumacher et al. 2006), schema CheckPoint2
Declarations:
  CheckPointHierarchy : HIERARCHY
  access, checkRequest : SIGNATURE
  Trigger, SecureActions : ℘ SIGNATURE
  singleAccessPoint, counterMeasure : CLASS
  InternalEntities : ℘ CLASS
Formulas:
  Call(access ⊗ singleAccessPoint, checkRequest ⊗ CheckPointHierarchy)
  Call(access ⊗ singleAccessPoint, SecureActions ⊗ InternalEntities)
  …
Parsimony
“Each Scene Graph State class defines a factory method that creates and returns the respective Scene Graph Object”
Java 3D (Eden et al. 2013)
Scalability: the Java 3D API