
Presentation on theme: "1. 2 Catalogues of security patterns record object-oriented design practices that have proved to promote security. Our research project facilitates making,"— Presentation transcript:

1

2 Catalogues of security patterns record object-oriented design practices that have proved to promote security. Our research project facilitates making, modelling and enforcing design decisions involving security patterns:
◦ Making design decisions, by creating a guide for the transition from requirements to tactics and from tactics to patterns
◦ Modelling design decisions, by capturing the constraints that each security pattern imposes clearly, precisely and with minimal effort
◦ Enforcing design decisions, by developing tools for fully automated conformance checking
We conclude with a round-trip software engineering tool supporting these activities

3 Making design decisions
◦ From requirements to tactics to patterns
Modelling design decisions
◦ Structure: Codecharts
◦ Behaviour: Temporal logic
Enforcing design decisions
◦ Verification
◦ Tool support
Round-trip engineering

4 Requirement: withstand attacks
1) Make design decision
◦ Tactics: Limit Exposure
◦ Pattern: Check Point
2) Model the decision
◦ Structure: Codecharts
◦ Behaviour: Temporal logic
3) Enforce the decision
◦ Map pattern to implementation
◦ Verify with the Toolkit

5 Requirements → Tactics → Patterns
Making design decisions | Modelling design decisions | Enforcing design decisions | Round-trip engineering

6 Tactics: fine-grained design objectives. Each contributes to one quality attribute:
◦ Availability
◦ Interoperability
◦ Modifiability
◦ Performance
◦ Security
◦ Testability
◦ Usability
(Bass, Clements & Kazman 2012)

7 Security tactics hierarchy (Ryoo, Kazman & Laplante 2012)

8 Tactics and Patterns
◦ Patterns: Single Access Point, Check Point, Roles, Session, Full View with Errors, Limited View, Security Access Layer, Intercepting Validator, Secure Logger, …

9 Security Pattern Assurance through Round-trip Engineering
LENS (Line-funded Exploratory New Starts), Software Engineering Institute, Carnegie-Mellon University, $125K
◦ Abdullah Alzahrani, U of Essex
◦ Rick Kazman, SEI & U of Hawaii
◦ Amnon H. Eden, U of Essex
◦ Gary Chastek, SEI
◦ Rob Wojcik, SEI
◦ Jungwoo Ryoo, Penn State

10 Codecharts
Making design decisions | Modelling design decisions | Enforcing design decisions | Round-trip engineering

11 Check Point pattern
◦ Intent
 Intercepts and monitors all incoming requests
 Takes appropriate countermeasures in case of violations
◦ Participants
 CheckPoint
 Countermeasure
 SecurityPolicy
(Wassermann & Cheng 2003; Schumacher, Fernandez-Buglioni, Hybertson, Buschmann & Sommerlad 2006)

12 Check Point pattern (cont.)
◦ CheckPoint checks messages according to the current security policy; triggers countermeasures or allows the message to proceed to the intended recipient
◦ Countermeasure provides actions that can be triggered in order to react to an access violation
◦ SecurityPolicy implements the rules that determine whether a request is granted
(Wassermann & Cheng 2003)
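The three participants of slides 11 and 12, worked through as a small Python implementation (an added example, not code from the presentation or from the TTP Toolkit). The request tuple, the rule set, the `InternalEntity` recipient and the recorded `trace` are assumptions of this example.

```python
"""Check Point pattern (Wassermann & Cheng 2003) in Python: a single CheckPoint
intercepts every request, consults the current SecurityPolicy and either lets
the message reach its recipient or triggers a Countermeasure."""


class SecurityPolicy:
    """Implements the rules that determine whether a request is granted."""
    def __init__(self, rules):
        # constructed sample rules: (principal, action, resource) triples
        self.rules = set(rules)

    def permits(self, principal, action, resource):
        return (principal, action, resource) in self.rules


class Countermeasure:
    """Actions triggered in reaction to an access violation (here: record it)."""
    def __init__(self):
        self.violations = []

    def trigger(self, request):
        self.violations.append(request)


class InternalEntity:
    """Intended recipient (assumed name); reachable only through the CheckPoint."""
    def handle(self, principal, action, resource):
        return f"{principal}: {action} {resource} ok"


class CheckPoint:
    """Intercepts all incoming requests and checks them against the policy."""
    def __init__(self, policy, countermeasure, target):
        self.policy, self.countermeasure, self.target = policy, countermeasure, target
        self.trace = []  # execution trace of events, usable for runtime monitoring

    def check_request(self, principal, action, resource):
        if self.policy.permits(principal, action, resource):
            self.trace.append("CheckPoint.grantAccess")
            return self.target.handle(principal, action, resource)
        self.trace.append("CheckPoint.denyAccess")
        self.countermeasure.trigger((principal, action, resource))
        self.trace.append("CounterMeasure.triggered")
        return None  # the message never reaches the recipient


def demo():
    """Run one granted and one denied request through the check point."""
    policy = SecurityPolicy({("alice", "read", "/reports")})
    cm = Countermeasure()
    cp = CheckPoint(policy, cm, InternalEntity())
    granted = cp.check_request("alice", "read", "/reports")
    denied = cp.check_request("mallory", "write", "/reports")
    return granted, denied, cm.violations, cp.trace
```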

13 Check Point (Wassermann & Cheng 2003): Class Diagrams

14 Check Point (Wassermann & Cheng 2003): Class Diagrams
1. Which method calls which?
2. What’s this?
3. Is it class “CheckPoint”?

15 Check Point (Wassermann & Cheng 2003): Codechart
Call(checkRequest ⊗ checkPoint, Trigger ⊗ counterMeasure)
InternalEntities : P CLASS
counterMeasure : CLASS
checkPolicy : SIGNATURE
Trigger : P SIGNATURE

16 Check Point (Wassermann & Cheng 2003): CheckPoint Codechart Schema
singleAccessPoint, checkPoint, counterMeasure, securityPolicy : CLASS
InternalEntities : P CLASS
access, checkPolicy, checkRequest : SIGNATURE
Trigger, SecureActions : P SIGNATURE
Call(access ⊗ singleAccessPoint, checkRequest ⊗ checkPoint)
Call+(checkRequest ⊗ checkPoint, SecureActions ⊗ InternalEntities)
…

17 Check Point (Schumacher et al. 2006): Class Diagrams
CheckPoint encapsulates the security policy
Many policies ⇒ many CheckPoints
Common? Unique? One concrete CP or many?

18 Check Point (Schumacher et al. 2006): CheckPoint2 Codechart Schema
CheckPointHierarchy : HIERARCHY
access, checkRequest : SIGNATURE
Trigger, SecureActions : P SIGNATURE
singleAccessPoint, counterMeasure : CLASS
InternalEntities : P CLASS
Call(access ⊗ singleAccessPoint, checkRequest ⊗ checkPointHierarchy)
Call(access ⊗ singleAccessPoint, SecureActions ⊗ InternalEntities)
…

19 JAAS Codechart
Java Authentication & Authorization Service (JAAS): Java implementation of Pluggable Authentication Module (PAM)
◦ Information security framework
◦ Other implementations: PAM for Linux
Used: Apache Web server
◦ validate each HTTP request according to a configured activation sequence

20 Methods, sets, signatures
Precise criterion of correctness
◦ Communication; verification; automation, …
Variations become evident: Check Point (Wassermann & Cheng 2003) vs. Check Point (Schumacher et al. 2006)

21 Codecharts
Making design decisions | Modelling design decisions | Enforcing design decisions | Round-trip engineering

22 Check Point (Wassermann & Cheng 2003)
CheckPoint checks if msg conforms to the policy.
◦ If no, triggers a countermeasure
◦ If yes, allows msg to proceed to the intended recipient
Countermeasure reacts to an access violation when triggered
Client receives granted/denied access message
…

23 Check Point (Wassermann & Cheng 2003): Sequence Diagrams
Difficult to represent global constraints
Limited abstractions
Limited tool support in verification

24 Check Point (Wassermann & Cheng 2003): Statecharts
Limited to FSAs
Problematic integration

25 Check Point (Wassermann & Cheng 2003): Temporal Logic (Availability)
□ (CheckPoint.denyAccess ⇒ ◊ CounterMeasure.triggered)
□ (CheckPoint.denyAccess ⇒ Client.accessFail U Client.idle)
□ (CheckPoint.grantAccess ⇒ (◊ Client.succeed) U Client.idle)

26 Automated verification: The TTP Toolkit
Making design decisions | Modelling design decisions | Enforcing design decisions | Round-trip engineering

27 Java 3D: Successful

28 Apparent similarity… Check Point Pattern vs. JAAS

29 Check Point Assignment: assignment of constants to variables

30

31 Check Point Assignment: Result

32 Manual verification (Wassermann & Cheng 2003)
◦ Technique: model checking
◦ Tools:
 MINERVA (Campbell et al. 2002): check consistency of UML
 HYDRA (McUmber & Cheng): UML → Promela
 SPIN (Holzmann 1997): model checker
◦ Systems tested: small examples

33 JUnit example: “ArrayList Satisfies JUnit” (assignment of JUnit to ArrayList)

34 Making design decisions | Modelling design decisions | Enforcing design decisions | Round-trip engineering

35 (Eden, Gasparis, Nicholson & Kazman, forthcoming)

36

37 Java 3D

38 Java 3D

39 Java 3D

40 Java 3D: Successful

41

42 Factory Method in Java 3D: Java 3D implements Factory Method (structural conformance). Map design to implementation

43 Careless change

44

45 Package java.util.logging

46

47

48

49 LePUS3 Vocabulary (Eden & Nicholson 2011)
◦ Automatically verifiable
◦ Modelling & visualization
◦ Elegant & parsimonious
◦ Formal & practical
◦ Visual & symbolic
◦ Object-oriented
◦ Scalable
◦ Generic

50

51 Check Point (Schumacher et al. 2006): CheckPoint2 Codechart Schema
CheckPointHierarchy : HIERARCHY
access, checkRequest : SIGNATURE
Trigger, SecureActions : P SIGNATURE
singleAccessPoint, counterMeasure : CLASS
InternalEntities : P CLASS
Call(access ⊗ singleAccessPoint, checkRequest ⊗ checkPointHierarchy)
Call(access ⊗ singleAccessPoint, SecureActions ⊗ InternalEntities)
…

52 Java 3D (Eden et al. 2013): “Each Scene Graph State class defines a factory method that creates and returns the respective Scene Graph Object”

53 Java 3D API

54 Constants and Variables (Monson-Haefel, 2001, Enterprise JavaBeans)
 “Every bean [class] obtains an EJBContext object, which is a reference to the container”
 “The home interface extends the...javax.ejb.EJBHome interface”
 “A home [interface] may have many create() methods, …, each of which must have corresponding ejbCreate() and ejbPostCreate() methods in the bean class. The number and datatype of the arguments of each create() are left up to the bean developer”
 “When a create() method is invoked on the home interface, the container delegates the invocation to the corresponding ejbCreate() and ejbPostCreate() methods on the bean class”
 “An implementation for the bean’s home interface is generated by the container.”

55 A method is formal if it has a sound mathematical basis which provides the means of precisely defining:
◦ Specification
◦ Implementation
◦ Correctness
A (formal) specification language:
◦ Set Syn (syntactic domain)
◦ Set Sem (semantic domain)
◦ Relation Sat between them
(Guttag, Horning & Wing 1982; Wing 1990)

56 (Wing 1990)

57 (Eden & Nicholson 2011)

58 (Eden & Nicholson 2011)

59

60 London, England

61 Class Blueprints, SHriMP, Rigi (Ducasse & Lanza 2005; Storey et al. 2002; Müller & Klashinsky 1988)

62 Microsoft Foundation Classes (Booch Notation) (Odenthal & Quibeldey-Cirkel 1997)

63 Package java.util in JBuilder 7 (Gasparis 2010)

64 Package Java3D 1.5 in Fujaba Tool Suite 5 (Maniati 2008)

65 Package java.util in NetBeans 6.1 (Gasparis 2010)

66 Package Java3D 1.5 (about 1,200 classes) in NetBeans 6.1 (Maniati 2008)

67 Package JGraph (Eden & Nicholson 2011)

68 Package java.io

69 Package java.awt

70 Set Relations: java.util.logging, JGraph

71 Package java.jgraph

72 Java Authentication & Authorization Service (JAAS)

73

74 Enforce behavioural design decisions
◦ Specified in LTL, Statecharts, sequence diagrams, …
A.k.a. runtime monitoring
Technique:
◦ Monitor program’s execution / read execution trace
◦ Determine conformance to specifications
◦ Violations trigger actions
Languages & tools
◦ EAGLE (Barringer, Goldberg, Havelund & Sen 2003)
◦ Parameterized RuleR (Barringer, Rydeheard & Havelund 2010)
◦ PathExplorer (Havelund & Roşu 2001)
◦ MOP (Chen & Roşu 2007)
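The runtime-monitoring technique of slide 74 applied to the three Check Point properties of slide 25, as an added example (not the TTP Toolkit, EAGLE, MOP or any tool named on the slides). It assumes a finite execution trace represented as a list of states, each state being the set of propositions that hold at that step, and uses standard finite-trace semantics for □, ◊ and U.

```python
"""Finite-trace LTL monitor for the Check Point availability properties.
Each operator returns a closure f(trace, i) deciding the formula at step i."""


def prop(p):
    return lambda tr, i: p in tr[i]


def always(f):                       # □ f: holds at every remaining step
    return lambda tr, i: all(f(tr, j) for j in range(i, len(tr)))


def eventually(f):                   # ◊ f: holds at some remaining step
    return lambda tr, i: any(f(tr, j) for j in range(i, len(tr)))


def until(a, b):                     # a U b (strong): b at some k, a at every step before k
    return lambda tr, i: any(b(tr, k) and all(a(tr, j) for j in range(i, k))
                             for k in range(i, len(tr)))


def implies(a, b):
    return lambda tr, i: (not a(tr, i)) or b(tr, i)


deny, grant = prop("CheckPoint.denyAccess"), prop("CheckPoint.grantAccess")
triggered = prop("CounterMeasure.triggered")
fail, idle, succeed = prop("Client.accessFail"), prop("Client.idle"), prop("Client.succeed")

PROPERTIES = {  # the three formulas from slide 25
    "deny => <> triggered": always(implies(deny, eventually(triggered))),
    "deny => fail U idle": always(implies(deny, until(fail, idle))),
    "grant => (<> succeed) U idle": always(implies(grant, until(eventually(succeed), idle))),
}


def check(trace):
    """Return {property name: True/False} for a finite trace; False = violation."""
    return {name: f(trace, 0) for name, f in PROPERTIES.items()}


# Constructed traces. GOOD: a denied request, its countermeasure and failure report,
# then a granted request that succeeds; both end with the client idle again.
GOOD = [{"CheckPoint.denyAccess", "Client.accessFail"},
        {"CounterMeasure.triggered", "Client.accessFail"},
        {"Client.idle"},
        {"CheckPoint.grantAccess"}, {"Client.succeed"}, {"Client.idle"}]
# BAD: same run but the countermeasure never fires, which the first property catches.
BAD = [s - {"CounterMeasure.triggered"} for s in GOOD]
```

A monitor built this way reads the trace that an instrumented CheckPoint records and flags the violating property by name; the until-properties still pass on `BAD`, which shows the three formulas are independent checks.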

75

76 References
Codecharts
◦ A.H. Eden, J. Nicholson. Codecharts: Roadmaps and Blueprints for Object-Oriented Programs. Wiley-Blackwell, 2011
◦ A.H. Eden, E. Gasparis, J. Nicholson, R. Kazman (2013). “Modeling and Visualizing Object-Oriented Programs with Codecharts”. Formal Methods in System Design, 43(1), 1–28
◦ A.H. Eden, E. Gasparis, J. Nicholson. “LePUS3 and Class-Z Reference Manual”. University of Essex, Tech. Rep. CSM-474 (2007)
Toolkit
◦ A.H. Eden, E. Gasparis, J. Nicholson, R. Kazman. “Round-Trip Engineering with the TTP Toolkit”. Forthcoming

77 References (cont.)
Research project
◦ J. Ryoo, R. Kazman, A.A.H. Alzahrani, A.H. Eden. “Designing for Security Using Tactics, Patterns, and Automated Verification”, in preparation
Tactics
◦ Bass, L., Clements, P., & Kazman, R. (2012). Software Architecture in Practice, 3rd ed. Addison-Wesley Professional
◦ J. Ryoo, R. Kazman, and P. Laplante. “Revising a Security Tactics Hierarchy through Decomposition, Reclassification, and Derivation”. The 6th Int’l Conf. Software Security & Reliability, Wash. D.C., 2012
Catalogues
◦ Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., Sommerlad, P. (2006). Security Patterns: Integrating Security and Systems Engineering. Wiley
◦ Wassermann, R., Cheng, B. H. C. (2003). “Security Patterns.” Presented at the Pattern Languages of Programs, PLoP 2003

78 References (cont.)
Runtime verification
◦ Barringer, H., Goldberg, A., Havelund, K., & Sen, K. (2003). Eagle monitors by collecting facts and generating obligations. Tech. Rep. CSPP-26, U. of Manchester, Dept. of Computer Science
◦ Barringer H., Rydeheard D., Havelund K. Rule systems for run-time monitoring: from EAGLE to RULER. J. of Logic & Comp. 2010, 20(3)
◦ Havelund K., Roşu G. Monitoring Java programs with Java PathExplorer. ENTCS. 2001, 55(2)
◦ Chen F., Roşu G. MOP: an efficient and generic runtime verification framework. SIGPLAN Not. 2007, 42(10)
Formal methods
◦ Guttag J., Horning J., Wing J. “Some Notes on Putting Formal Specifications to Productive Use.” Science of Computer Programming 2, no. 1 (October 1982): 53–68
◦ Wing, Jeannette M. “A Specifier’s Introduction to Formal Methods.” Computer 23, no. 9 (1990): 8–23

