380 likes | 554 Views
Model-Driven Architecture And The Secure Systems Methodology. Masters Thesis Defense 11/16/2007 Patrick Morrison. Agenda. Introduction Problem statement Approach Contribution Related Work What is MDA? Experiment Results Conclusions Future Work. The problem of Security.
E N D
Model-Driven ArchitectureAndThe Secure Systems Methodology Masters Thesis Defense 11/16/2007 Patrick Morrison
Agenda • Introduction • Problem statement • Approach • Contribution • Related Work • What is MDA? • Experiment • Results • Conclusions • Future Work
The problem of Security • “A good percentage of the software deployed in industrial/commercial applications is of poor quality, it is unnecessarily complex, and contains numerous flaws that can be exploited by attackers.” • “We believe that the solution lies in developing secure software from the beginning, applying security principles along the whole life cycle…We see the use of patterns as a fundamental way, even for developers with little experience, to implicitly apply security principles.” • [Fer06a, EBF, et. al.]
Methodology Claim, paraphrased • [by using] “abstract and graphical representations of patterns, the methodology allows the construction of securecomputing systems from patterns which aid developers in understanding much more quickly and deeply than programming language “code”
MDA Claim • [by using] “precise but abstract and graphical representations of algorithms, MDA allows the construction of computing systems from models that can be understood much more quickly and deeply than can programming language “code” [Mel04].
Problem • Can Model-Driven Architecture (MDA) be used to support the secure systems methodology? • To what degree is it now possible to work in terms of high-level models rather than code? • Does MDA allow for the creation and reuse of generic models? • Does MDA reduce the amount of low-level work that needs to be done? • What would be required to gain these benefits?
Approach • Establish an MDA tool-chain • Select an example distributed systems security problem • Apply the advice of the secure systems methodology to the construction of models for the example system for each lifecycle phase • Evaluate MDA models against example’s properties and their use in the lifecycle.
Contribution • A set of models of secure shell (ssh) corresponding to the phases of the secure systems methodology • An example MDA tool chain that translates UML Classes into Java source code. • A set of considerations for applying MDA
Related Work • SecureUML – Models RBAC for web applications • UMLSec – Models security analysis for existing systems • Executable UML – automated code generation from UML models, no explicit focus on security • SysML- modeling notation for systems engineering • UML Profile for RM-ODP – distributed systems standard, including security considerations • RSML – process control requirements specification language • Tropos – Agent-oriented methodology
A set of technologies: UML, MOF, XMI, OCL A model-centric framework for systems development A set of viewpoints A scheme for transforming models to to other models, and to text (code) What is MDA?
MDA Technologies • UML2 – a language and notation for building models • MOF – a language for building modeling languages, beginning with UML2 • XMI – a persistence mechanism for MOF, allowing exchange between tools • QVT – a transformation language for MOF models • OCL – a language for expressing logical assertions on MOF models, e.g. UML2
MDA Viewpoints • Computation-Independent Models (CIM) contain domain concepts • Platform-Independent Models (PIM) define a technology-independent view of the system • Platform-Specific Models (PSM) contain system descriptions including technology aspects • Platform – the technical architecture of a given system
MDA Transformations, example «IMPORT metamodel» «DEFINE javaClass FOR Entity» «FILE name+".java"» public class «name» { «FOREACH attributes AS attr» public «attr.type» «attr.name»; «ENDFOREACH» «FOREACH references AS ref» public «ref.type.name» «ref.name»; «ENDFOREACH» } «ENDFILE» «ENDDEFINE» publicclass Subject { public String id; } publicclass Object { public String id; } publicclass Right { public String id; public String access_type; public Boolean copy_flag; public Subject s; public Object o; }
MDA Tool-chain • UML Editor, Model creation, XMI generation • MagicDraw • Model-to-Model, Model-to-Text transformation • openArchitectureWare • Target Platform • Java • Integration • Eclipse
Experiment • Apply secure systems methodology to building models for abstract version of remote access • Reverse-engineer SSH design models from architecture documents and source code • Compare analysis results to SSH architecture • Evaluate ability of MDA to assist in translation of models from phase N to phase N+1: • Requirements -> Analysis • Analysis -> Design
Example(2): Secure Shell (SSH) • Widely used network protocol providing security for remote access to user accounts and similar services • [SSH] “enables secure remote login and other secure network services over an insecure network” • server authentication • client authentication (public key, password, host-based) • confidentiality • Integrity • perfect forward security. • Well-documented: • Internet standard: RFC’s 4250-6 describe goals, architecture • Open source client implementation: Ganymed SSH-2 for Java
Patterns applied during Analysis • Authenticator • Known Partners • Single Access Point • Checkpoint • Security Session • Information Obscurity • Secure Channels
Compare: SSH Transport Protocol (reverse engineered from RFC)
Analysis Result • Application of standard security patterns to the abstract case of remote access yielded a reasonably comprehensive model of the entities and relationships that participate in the SSH architecture.
Results • Application of the methodology to a generic version of the example problem yielded a model that corresponds well to an existing solution of the problem • Models captured fragments of the system from a given viewpoint, in this case depending on the lifecycle phase • The ability to connect entities between phases depends on a shared metamodel • No such metamodel exists for the presented models
Results(2), Questions revisited • To what degree is it now possible to work in terms of high-level models rather than code? • Within constraints, there are opportunities to work with models rather than code • Does MDA allow for the creation and reuse of generic models? • Insufficient evidence collected to support answering this question. • Does MDA reduce the amount of low-level work that needs to be done? • MDA increases the amount of work required to build the first application.
Conclusions • Requirements, Analysis and Design are fundamentally about deciding what you want, while MDA excels in describing what you have. • Conclusion: MDA can be useful when working with a known domain and a known architecture. • Metamodels, and transformations on them, are MDA’s driving force. Where they exist or their creation is justified, they can assist in the development process
Conclusions(2) • MDA is not a good fit for a methodology; but it could be a good fit for an instance of a methodology. • MDA can capture the details of domain and architecture, allowing systems designers to concentrate on variations within an established framework. • This does suggest that software alteration and maintenance may be enhanced by the use of MDA
Future Work • Develop Java platform model to support code generation from existing analysis models • Choose second, third example applications • Map examples on to suitable metamodel(s) • Unify lifecycle phase models • Factor out application, secuirty, platform dependencies • Evaluate existing metamodels: SysML, RM-ODP • Encode security pattern knowledge in the metamodel
Committee • Dr. E.B. Fernandez • Dr. Shihong Huang • Dr. Maria Petrie