Security Pattern Assurance through Round-Trip Engineering


Security Pattern Assurance through Round-Trip Engineering. Amnon H. Eden, School of Computer Science & Electronic Engineering, University of Essex

Abstract. Catalogues of security patterns record object-oriented design practices that have proved to promote security. Our research project facilitates making, modelling and enforcing design decisions involving security patterns: making design decisions, by creating a guide for the transition from requirements to tactics and from tactics to patterns; modelling design decisions, by capturing the constraints that each security pattern imposes clearly, precisely and with minimal effort; enforcing design decisions, by developing tools for fully automated conformance checking.

Contents. Making design decisions: from requirements to tactics to patterns. Modelling design decisions: structure (Codecharts); behaviour (temporal logic). Enforcing design decisions: tool support. Round-trip engineering.

Example. Requirement: withstand attacks. 1. Make the design decision: tactic: Limit Exposure; pattern: Check Point. 2. Codify the decision: structure: Codecharts; behaviour: temporal logic. 3. Enforce the decision: map the pattern to the implementation; verify with the Toolkit.

Project: Security Pattern Assurance through Round-trip Engineering. LENS (Line-funded Exploratory New Starts), Software Engineering Institute, Carnegie Mellon University, $125K. Team: Rick Kazman (SEI & U of Hawaii), Abdullah Alzahrani (U of Essex), Jungwoo Ryoo (Penn State), Rob Wojcik (SEI), Amnon H. Eden (U of Essex), Gary Chastek (SEI).

Making design decisions: Requirements → Tactics → Patterns

Tactics: fine-grained design objectives. Each contributes to one quality attribute: availability, interoperability, modifiability, performance, security, testability, usability (Bass, Clements & Kazman 2012).

Tactics hierarchy (Ryoo, Kazman & Laplante 2012)

Guide: Tactics → Patterns. Patterns: Single Access Point, Check Point, Roles, Session, Full View with Errors, Limited View, Security Access Layer, Intercepting Validator, Secure Logger, … http://security.altoona.psu.edu/designguide/

Modelling design decisions: Structure (Codecharts)

Single Access Point (SAP) pattern. Intent: defines one interface for all communication between external entities and secured components. Participants: External Entities, Internal Entities, Single Access Point. (Schumacher, Fernandez-Buglioni, Hybertson, Buschmann & Sommerlad 2006; Wassermann & Cheng 2003)

SAP: structure. The class Single Access Point is the only one that interacts with external entities; it is therefore an appropriate place for capturing an information log on the parties currently accessing the system (Wassermann & Cheng 2003).

Check Point pattern. Intent: a component that intercepts and monitors all incoming requests; in case of violations it is responsible for taking appropriate countermeasures. Participants: CheckPoint, Countermeasure, SecurityPolicy. (Schumacher, Fernandez-Buglioni, Hybertson, Buschmann & Sommerlad 2006; Wassermann & Cheng 2003)

Check Point pattern (cont.): structure. CheckPoint implements a method to check messages according to the current security policy and either triggers countermeasures or allows the message to proceed to the intended recipient. Countermeasure provides actions that can be triggered in order to react to an access violation. SecurityPolicy implements the rules that determine whether a request is granted. (Wassermann & Cheng 2003)

Modelling structure: class diagrams. Check Point (Wassermann & Cheng 2003)

Modelling structure: class diagrams leave questions open. 1. Which method calls which? 2. What is this? 3. Is it the class "CheckPoint"? Check Point (Wassermann & Cheng 2003)

Modelling structure: Codecharts. Check Point (Wassermann & Cheng 2003):
InternalEntities : ℙ CLASS
counterMeasure : CLASS
checkPolicy : SIGNATURE
Trigger : ℙ SIGNATURE
Call(checkRequest ⊗ checkPoint, Trigger ⊗ counterMeasure)

Modelling structure: the CheckPoint schema and its codechart. Check Point (Wassermann & Cheng 2003):
singleAccessPoint, checkPoint, counterMeasure, securityPolicy : CLASS
InternalEntities : ℙ CLASS
access, checkPolicy, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
Call(access ⊗ singleAccessPoint, checkRequest ⊗ checkPoint)
Call+(checkRequest ⊗ checkPoint, SecureActions ⊗ InternalEntities)
…

Modelling structure: class diagrams. CheckPoint encapsulates the security policy. Many policies ⇒ many CheckPoints. Common? Unique? One concrete CheckPoint or many? Check Point (Schumacher et al. 2006)

Modelling structure: the CheckPoint2 schema and its codechart. Check Point (Schumacher et al. 2006):
CheckPointHierarchy : HIERARCHY
access, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
singleAccessPoint, counterMeasure : CLASS
InternalEntities : ℙ CLASS
Call(access ⊗ singleAccessPoint, checkRequest ⊗ CheckPointHierarchy)
Call(access ⊗ singleAccessPoint, SecureActions ⊗ InternalEntities)
…

Modelling structure: Codecharts. Methods, sets, signatures; a precise criterion of correctness; communication, verification, automation, …; variations between catalogues become evident: Check Point (Wassermann & Cheng 2003) vs. Check Point (Schumacher et al. 2006).

Modelling design decisions: Behaviour

Check Point: behaviour. CheckPoint checks whether msg conforms to the policy: if not, it triggers a countermeasure; if so, it allows msg to proceed to the intended recipient. Countermeasure reacts to an access violation when triggered. Client receives a granted/denied access message. … (Wassermann & Cheng 2003)

Modelling behaviour: sequence diagrams. Limited abstractions; difficult to represent global constraints; limited tool support for verification. Check Point (Wassermann & Cheng 2003)

Modelling behaviour: statecharts. Limited to finite-state automata; problematic integration. Check Point (Wassermann & Cheng 2003)

Modelling behaviour: temporal logic. Check Point (Wassermann & Cheng 2003):
□ (CheckPoint.denyAccess ⇒ ◇ CounterMeasure.triggered)
□ (CheckPoint.denyAccess ⇒ Client.fail U Client.idle)
□ (CheckPoint.grantAccess ⇒ (◇ Client.succeed) U Client.idle)
Availability
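The Check Point participants and the three temporal formulas above, as an added example in Python (not code from the page, from the TTP Toolkit or from JAAS). It implements SecurityPolicy, Countermeasure and CheckPoint behind a Single Access Point, drives one client through a permitted and a forbidden request to obtain a trace of atomic propositions named as in the formulas, and evaluates the formulas offline over that finite trace, reading □ as "at every step", ◇ as "at this or a later step" and U as strong until. The sample policy, the client and the lockout reaction of the countermeasure are assumptions.

```python
"""Added example (not code from the page, the TTP Toolkit or JAAS): the Check Point
pattern behind a Single Access Point, driven to produce an execution trace, and the
three temporal-logic formulas quoted on the page evaluated over that finite trace.
Class names follow the pattern's participants; policy, client and reaction are assumed."""
from __future__ import annotations


class SecurityPolicy:
    """Implements the rules that decide whether a request is granted."""
    def __init__(self, rules: dict[str, set[str]]):
        self.rules = rules  # principal -> operations it may perform (sample data)

    def permits(self, principal: str, operation: str) -> bool:
        return operation in self.rules.get(principal, set())


class Countermeasure:
    """Reacts to an access violation when triggered: counts strikes per principal
    and locks the principal out at max_strikes (an assumed reaction)."""
    def __init__(self, max_strikes: int = 3):
        self.max_strikes, self.fired = max_strikes, 0
        self.strikes: dict[str, int] = {}
        self.locked: set[str] = set()

    def trigger(self, principal: str) -> None:
        self.fired += 1
        self.strikes[principal] = self.strikes.get(principal, 0) + 1
        if self.strikes[principal] >= self.max_strikes:
            self.locked.add(principal)


class CheckPoint:
    """Intercepts every request, checks it against the current policy, and either
    triggers the countermeasure or lets the request proceed to the recipient."""
    def __init__(self, policy: SecurityPolicy, countermeasure: Countermeasure | None):
        self.policy = policy
        self.countermeasure = countermeasure  # None models a deployment that forgot it

    def check_request(self, principal: str, operation: str) -> bool:
        cm = self.countermeasure
        locked = cm is not None and principal in cm.locked
        if locked or not self.policy.permits(principal, operation):
            if cm is not None:
                cm.trigger(principal)
            return False
        return True


class Documents:
    """An internal entity; reachable only through the Single Access Point."""
    def perform(self, operation: str) -> str:
        return {"read": "Q3 figures", "delete": "deleted"}[operation]  # sample actions


class SingleAccessPoint:
    """The only class external entities talk to; every call passes CheckPoint first."""
    def __init__(self, checkpoint: CheckPoint, internal: Documents):
        self.checkpoint, self.internal = checkpoint, internal

    def access(self, principal: str, operation: str) -> str | None:
        if not self.checkpoint.check_request(principal, operation):
            return None
        return self.internal.perform(operation)


def run_scenario(countermeasure_enabled: bool = True) -> list[frozenset[str]]:
    """One client makes a permitted and then a forbidden request. Returns the trace as
    one set of atomic propositions per step, named as in the page's formulas."""
    policy = SecurityPolicy({"alice": {"read"}})  # alice may read but not delete
    cm = Countermeasure() if countermeasure_enabled else None
    sap = SingleAccessPoint(CheckPoint(policy, cm), Documents())
    steps: list[frozenset[str]] = []
    for operation in ("read", "delete"):
        fired_before = cm.fired if cm else 0
        granted = sap.access("alice", operation) is not None
        decision = "CheckPoint.grantAccess" if granted else "CheckPoint.denyAccess"
        outcome = "Client.succeed" if granted else "Client.fail"
        reacted = {"CounterMeasure.triggered"} if cm and cm.fired > fired_before else set()
        steps.append(frozenset({decision, outcome}))  # request answered
        steps.append(frozenset({outcome} | reacted))   # countermeasure reacts
        steps.append(frozenset({"Client.idle"}))       # client returns to idle
    return steps


def check_properties(steps: list[frozenset[str]]) -> dict[str, bool]:
    """Evaluate the formulas on a finite trace: [] = at every step, <> = at this or a
    later step, U = strong until (the right-hand side must actually be reached)."""
    n = len(steps)
    at = lambda name: (lambda i: name in steps[i])
    eventually = lambda name: (lambda i: any(name in s for s in steps[i:]))

    def until(lhs, rhs):  # lhs U rhs at i: rhs at some j >= i, lhs at every step before j
        def holds(i):
            for j in range(i, n):
                if rhs(j): return True
                if not lhs(j): return False
            return False
        return holds

    def always_implies(antecedent, consequent):
        return all(consequent(i) for i in range(n) if antecedent in steps[i])

    deny, grant = "CheckPoint.denyAccess", "CheckPoint.grantAccess"
    return {
        "[](deny => <>triggered)": always_implies(deny, eventually("CounterMeasure.triggered")),
        "[](deny => fail U idle)": always_implies(deny, until(at("Client.fail"), at("Client.idle"))),
        "[](grant => (<>succeed) U idle)": always_implies(
            grant, until(eventually("Client.succeed"), at("Client.idle"))),
    }
```

Calling `check_properties(run_scenario())` yields all three formulas true. Calling `run_scenario(countermeasure_enabled=False)` models a deployment that forgot to wire the Countermeasure: the classes still look like a Check Point, but the first formula fails, which is exactly the kind of behavioural defect that structural conformance alone would not catch.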

Enforcing design decisions: automated verification with the TTP Toolkit

Check Point: implementation. Java Authentication & Authorization Service (JAAS): the Java implementation of the Pluggable Authentication Module (PAM) information-security framework, originally developed for the Solaris operating system; other implementations include Linux-PAM. Used, for example, by the Apache web server to validate each HTTP request according to a configured activation sequence. Implements the Check Point pattern.

Security patterns: structure Apparent similarity… Check Point Pattern JAAS

Enforcing structure: assignment of constants to variables (Check Point)

Enforcing structure: verification

Enforcing structure: automation. Assignment and result (Check Point)

Enforcing behaviour: verification. Wassermann & Cheng (2003): technique: model checking. Tools: MINERVA (Campbell et al. 2002) checks the consistency of UML models; HYDRA (McUmber & Cheng) translates UML → Promela; SPIN (Holzmann 1997) is the model checker. Systems tested: small examples. The translation steps are manual. (Wassermann & Cheng 2003)

Enforcing structure: verification. JUnit example: "ArrayList satisfies JUnit" (assignment: ArrayList)

Round-trip engineering

Forward, reverse, & round-trip (Eden, Gasparis, Nicholson & Kazman, forthcoming)

Modelling: detailed

Implementation Java 3D

Modelling: abstract Java 3D

Code analysis Java 3D

Verification Successful Java 3D

Modelling patterns www.lepus.org.uk

Verifying patterns: structural conformance of Java 3D to Factory Method (Java 3D implements Factory Method)

Implementation: evolve Careless change

Verification (again)
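The structural side of enforcement described earlier (assignment of constants to variables, then verification) and the re-verification that catches a careless change, as an added example in Python (not the TTP Toolkit, which analyses Java). The schema follows the page's CheckPoint2 formulas with ⊗ written as (x); the Call relation is extracted from source text with Python's ast module; the two source strings and the assignment are constructed for the example. Receiver resolution is simplified as stated in the comments.

```python
"""Added example (not the TTP Toolkit, which analyses Java): structural conformance
checking in the page's sense. A Call relation is extracted from Python source with the
ast module, the schema's variables are assigned constants from the program, and each
formula is verified. The two source strings and the assignment are constructed."""
from __future__ import annotations
import ast

CONFORMING = '''
class SecurityPolicy:
    def permits(self, principal, op): return op == "read"

class Countermeasure:
    def trigger(self, principal): pass

class CheckPoint:
    def __init__(self, policy, cm): self.policy, self.cm = policy, cm
    def check_request(self, principal, op):
        if self.policy.permits(principal, op): return True
        self.cm.trigger(principal); return False

class Documents:
    def read(self): return "report"

class SingleAccessPoint:
    def __init__(self, cp, docs): self.cp, self.docs = cp, docs
    def access(self, principal, op):
        if not self.cp.check_request(principal, op): return None
        return self.docs.read()
'''

# The "careless change" of a later revision: access() now reaches the internal
# entity without consulting CheckPoint.
CARELESS = CONFORMING.replace(
    "        if not self.cp.check_request(principal, op): return None\n", "")

# Schema after the page's CheckPoint2 codechart: formulas over signature (x) class
# terms; Call+ is the transitive closure of Call.
SCHEMA = [
    ("Call", ("access", "singleAccessPoint"), ("checkRequest", "checkPoint")),
    ("Call", ("access", "singleAccessPoint"), ("secureAction", "internalEntity")),
    ("Call+", ("checkRequest", "checkPoint"), ("trigger", "counterMeasure")),
]

# Assignment of constants (program entities) to the schema's variables.
ASSIGNMENT = {
    "singleAccessPoint": "SingleAccessPoint", "checkPoint": "CheckPoint",
    "counterMeasure": "Countermeasure", "internalEntity": "Documents",
    "access": "access", "checkRequest": "check_request",
    "trigger": "trigger", "secureAction": "read",
}


def call_relation(source: str) -> set[tuple[tuple[str, str], tuple[str, str]]]:
    """Call edges ((C, m), (D, n)): method m of class C contains a call `<expr>.n(...)`
    and class D defines n. Receivers are not typed, so a name defined by several
    classes yields an edge to each (an over-approximation a real tool would refine)."""
    classes = [c for c in ast.parse(source).body if isinstance(c, ast.ClassDef)]
    defines: dict[str, set[str]] = {}
    for c in classes:
        for f in c.body:
            if isinstance(f, ast.FunctionDef):
                defines.setdefault(f.name, set()).add(c.name)
    edges = set()
    for c in classes:
        for f in c.body:
            if not isinstance(f, ast.FunctionDef):
                continue
            for node in ast.walk(f):
                if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
                    for callee_class in defines.get(node.func.attr, ()):
                        edges.add(((c.name, f.name), (callee_class, node.func.attr)))
    return edges


def reaches(edges, src, dst) -> bool:
    """Call+(src, dst): dst is reachable from src through one or more Call edges."""
    seen, frontier = set(), [src]
    while frontier:
        cur = frontier.pop()
        for a, b in edges:
            if a == cur and b not in seen:
                if b == dst:
                    return True
                seen.add(b)
                frontier.append(b)
    return False


def verify(source: str, assignment: dict[str, str]) -> dict[str, bool]:
    """Check every schema formula against the program under the given assignment."""
    edges = call_relation(source)

    def term(sig_var, cls_var):  # signature (x) class -> one concrete method
        return (assignment[cls_var], assignment[sig_var])

    report = {}
    for rel, lhs, rhs in SCHEMA:
        a, b = term(*lhs), term(*rhs)
        ok = (a, b) in edges if rel == "Call" else reaches(edges, a, b)
        report[f"{rel}({lhs[0]}(x){lhs[1]}, {rhs[0]}(x){rhs[1]})"] = ok
    return report
```

`verify(CONFORMING, ASSIGNMENT)` reports every formula satisfied; `verify(CARELESS, ASSIGNMENT)` reports the first formula, Call(access(x)singleAccessPoint, checkRequest(x)checkPoint), violated while the other two still hold, which is the round-trip situation the page illustrates: the program evolved, the codechart did not, and re-verification exposes the bypass of the check point.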

Visualization Package java.util.logging

Modelling: evolve

Modelling formats: textually (XML), visually (Codechart), symbolically (schema). Factory Method pattern:
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="http://www.lepus.org.uk/templates/classz.xsl"?>
<schema xmlns="http://www.lepus.org.uk/classz" title="Factory Method"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.lepus.org.uk/classz http://www.lepus.org.uk/templates/classz.xsd">
  <description>The Factory Method design pattern</description>
  <declarations>
    <declare>
      <variable value="Factories" />
      <variable value="Products" />
      <type value="HIERARCHY" exponent="1" />
    </declare>
    <variable value="factoryMethod" />
    <type value="SIGNATURE" exponent="0" />
  </declarations>
  <formulas>
    <formula>
      <predicatesymbol value="Isomorphic" />
      <relationsymbol value="Produce" transitive="false" />
      <superimposition>
      </superimposition>
    </formula>
  </formulas>
  <!--Generated using the TTP Toolkit on Tue Nov 27 17:42:25 GMT 2012-->
</schema>

Sidebar: Codecharts

Desiderata Automatically verifiable Modelling & visualization Formal & practical Elegant & parsimonious Visual & symbolic Object-oriented Scalable Generic LePUS3 Vocabulary (Eden & Nicholson 2011)

Inspiration: blueprints

Visual & symbolic: the CheckPoint2 codechart and its schema. Check Point (Schumacher et al. 2006):
CheckPointHierarchy : HIERARCHY
access, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
singleAccessPoint, counterMeasure : CLASS
InternalEntities : ℙ CLASS
Call(access ⊗ singleAccessPoint, checkRequest ⊗ CheckPointHierarchy)
Call(access ⊗ singleAccessPoint, SecureActions ⊗ InternalEntities)
…

Parsimony “Each Scene Graph State class defines a factory method that creates and returns the respective Scene Graph Object” Java 3D (Eden et al. 2013)

Scalability Java 3D API

Genericity (Monson-Haefel 2001, Enterprise JavaBeans). "Every bean [class] obtains an EJBContext object, which is a reference to the container." "The home interface extends the ... javax.ejb.EJBHome interface." "A home [interface] may have many create() methods, …, each of which must have corresponding ejbCreate() and ejbPostCreate() methods in the bean class. The number and datatype of the arguments of each create() are left up to the bean developer." "When a create() method is invoked on the home interface, the container delegates the invocation to the corresponding ejbCreate() and ejbPostCreate() methods on the bean class. An implementation for the bean's home interface is generated by the container." Labels in the codechart: implemented; user-defined.

Formal method. A method is formal if it has a sound mathematical basis which provides the means of precisely defining specification, implementation and correctness. A (formal) specification language consists of a set Syn (the syntactic domain), a set Sem (the semantic domain) and a relation Sat between them. (Guttag, Horning & Wing 1982; Wing 1990)

Definitions (Wing 1990)

Definitions (Eden & Nicholson 2011)

Semantics (Eden & Nicholson 2011)

Sidebar: Visualization

Inspiration: maps London, England

Visualization: Tools. SHriMP, Class Blueprints, Rigi (Ducasse & Lanza 2005; Storey et al. 2002; Müller & Klashinsky 1988)

CC 439: Software Design and Architecture, Autumn term 2006/7. Visualization: Tools. Microsoft Foundation Classes (Booch notation) (Odenthal & Quibeldey-Cirkel 1997). Dr Amnon H Eden, Department of Computer Science, University of Essex

Visualization: Tools. JBuilder 7, package java.util (Gasparis 2010)

Visualization: Tools. Fujaba Tool Suite 5, package Java3D 1.5 (Maniati 2008)

Visualization: Tools. NetBeans 6.1, package java.util (Gasparis 2010)

Visualization: Tools. NetBeans 6.1, package Java3D 1.5 (about 1,200 classes) (Maniati 2008)

Visualization: Toolkit. Package JGraph (Eden & Nicholson 2011)

Visualization: Toolkit Package java.io

Visualization: Toolkit Package java.awt

Visualization: Toolkit. Sets and relations: JGraph, java.util.logging

Visualization: Toolkit Package java.jgraph

Visualization: Toolkit Java Authentication & Authorization (JAAS)

Future directions

Runtime verification (a.k.a. runtime monitoring): enforce behavioural design decisions specified in LTL, statecharts, sequence diagrams, … Technique: monitor the program's execution or read an execution trace; determine conformance to the specifications; violations trigger actions. Languages & tools: Eagle (Barringer, Goldberg, Havelund & Sen 2003); parameterized RuleR (Barringer, Rydeheard & Havelund 2010); PathExplorer (Havelund & Roşu 2001); MOP (Chen & Roşu 2007).
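The runtime-verification idea above, as an added example in Python (not Eagle, RuleR, PathExplorer or MOP): an online monitor that consumes the execution one step at a time, generates an obligation at each CheckPoint.denyAccess and discharges it on CounterMeasure.triggered, checks the fail-until-idle window of the second Check Point formula as a safety property, and calls an action on every violation. The verdict is three-valued while the run is open. Event names are those of the page's formulas; the three traces are constructed.

```python
"""Added example (not code from Eagle, RuleR, PathExplorer or MOP): an online monitor for
  [](CheckPoint.denyAccess => <>CounterMeasure.triggered)   liveness: an open obligation
  [](CheckPoint.denyAccess => Client.fail U Client.idle)     safety: checked at every step
Event names follow the page's formulas; the traces at the bottom are constructed."""
from __future__ import annotations
from typing import Callable, Iterable

DENY, GRANT = "CheckPoint.denyAccess", "CheckPoint.grantAccess"
TRIGGERED, FAIL, SUCCEED, IDLE = ("CounterMeasure.triggered", "Client.fail",
                                   "Client.succeed", "Client.idle")


class CheckPointMonitor:
    """Collects facts from the trace and keeps the obligations they generate."""
    def __init__(self, on_violation: Callable[[str], None]):
        self.on_violation = on_violation   # action executed at each violation
        self.triggered_owed = False        # fact: a denial not yet answered by a trigger
        self.in_fail_window = False        # fact: between a denial and the next idle
        self.violations: list[str] = []
        self.steps = 0

    def _violate(self, msg: str) -> None:
        self.violations.append(f"step {self.steps}: {msg}")
        self.on_violation(self.violations[-1])

    def observe(self, props: set[str]) -> str:
        """Consume one execution step (the set of propositions true in it)."""
        self.steps += 1
        if DENY in props:
            self.triggered_owed = True     # generate the <>triggered obligation
            self.in_fail_window = True
        if self.in_fail_window:            # safety: fail must hold until idle
            if IDLE in props:
                self.in_fail_window = False
            elif FAIL not in props:
                self._violate("Client.fail U Client.idle broken after denyAccess")
                self.in_fail_window = False
        if TRIGGERED in props:             # one trigger discharges every open obligation
            self.triggered_owed = False
        return self.verdict()

    def finish(self) -> str:
        """End of the run: on a finite trace an undischarged obligation is a violation."""
        if self.triggered_owed:
            self._violate("denyAccess never followed by CounterMeasure.triggered")
            self.triggered_owed = False
        return self.verdict()

    def verdict(self) -> str:
        if self.violations:
            return "violated"
        return "pending" if self.triggered_owed else "satisfied so far"


def monitor_run(trace: Iterable[set[str]]) -> tuple[str, list[str]]:
    """Run the monitor over a whole trace; return the final verdict and the actions fired."""
    actions: list[str] = []
    monitor = CheckPointMonitor(on_violation=lambda m: actions.append("alert: " + m))
    for props in trace:
        monitor.observe(props)
    return monitor.finish(), actions


# Constructed traces: a conforming run; a denial whose countermeasure never fires;
# a run in which the client proceeds to success right after being denied.
GOOD = [{GRANT, SUCCEED}, {SUCCEED}, {IDLE}, {DENY, FAIL}, {FAIL, TRIGGERED}, {IDLE}]
NO_TRIGGER = [{DENY, FAIL}, {FAIL}, {IDLE}]
LEAK = [{DENY, FAIL}, {SUCCEED, TRIGGERED}, {IDLE}]
```

`monitor_run(GOOD)` ends "satisfied so far" with no action fired; `monitor_run(NO_TRIGGER)` fires one alert only at the end of the run, because a missing ◇ obligation can only be judged once the trace is over; `monitor_run(LEAK)` fires its alert at the second step, as soon as the safety part is broken. Fed step by step instead of from a list, `observe` returns "pending" right after a denial and "satisfied so far" once the trigger arrives, which is what makes the monitor usable while the program is still running.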

Thank you

Bibliography. Codecharts: www.lepus.org.uk
A.H. Eden, J. Nicholson. Codecharts: Roadmaps and Blueprints for Object-Oriented Programs. Wiley-Blackwell, 2011.
A.H. Eden, E. Gasparis, J. Nicholson, R. Kazman. "Modeling and Visualizing Object-Oriented Programs with Codecharts". Formal Methods in System Design 43(1), 1–28, 2013.
A.H. Eden, E. Gasparis, J. Nicholson. "LePUS3 and Class-Z Reference Manual". University of Essex, Tech. Rep. CSM-474, 2007.
Toolkit: www.ttp.essex.ac.uk
A.H. Eden, E. Gasparis, J. Nicholson, R. Kazman. "Round-Trip Engineering with the TTP Toolkit". Forthcoming.
Software engineering state-of-the-art: An introduction to the not-so-innocent, 9-Feb-2005

Bibliography. Research project: http://security.altoona.psu.edu/designguide
J. Ryoo, R. Kazman, A.A.H. Alzahrani, A.H. Eden. "Designing for Security Using Tactics, Patterns, and Automated Verification". In preparation.
Tactics:
L. Bass, P. Clements, R. Kazman. Software Architecture in Practice, 3rd ed. Addison-Wesley Professional, 2012.
J. Ryoo, R. Kazman, P. Laplante. "Revising a Security Tactics Hierarchy through Decomposition, Reclassification, and Derivation". 6th Int'l Conf. on Software Security & Reliability, Washington D.C., 2012.
Catalogues:
M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Buschmann, P. Sommerlad. Security Patterns: Integrating Security and Systems Engineering. Wiley, 2006.
R. Wassermann, B.H.C. Cheng. "Security Patterns". Pattern Languages of Programs (PLoP) 2003.

Bibliography. Runtime verification:
H. Barringer, A. Goldberg, K. Havelund, K. Sen. "Eagle Monitors by Collecting Facts and Generating Obligations". Tech. Rep. CSPP-26, University of Manchester, Dept. of Computer Science, 2003.
H. Barringer, D. Rydeheard, K. Havelund. "Rule Systems for Run-time Monitoring: from EAGLE to RULER". Journal of Logic and Computation 20(3), 2010.
K. Havelund, G. Roşu. "Monitoring Java Programs with Java PathExplorer". ENTCS 55(2), 2001.
F. Chen, G. Roşu. "MOP: An Efficient and Generic Runtime Verification Framework". SIGPLAN Notices 42(10), 2007.
Formal methods:
J. Guttag, J. Horning, J. Wing. "Some Notes on Putting Formal Specifications to Productive Use". Science of Computer Programming 2(1), 53–68, October 1982.
J.M. Wing. "A Specifier's Introduction to Formal Methods". IEEE Computer 23(9), 8–24, September 1990.