Security Pattern Assurance through Round-Trip Engineering
Amnon H. Eden
School of Computer Science & Electronic Engineering, University of Essex
Abstract
Catalogues of security patterns record object-oriented design practices that have proved to promote security. Our research project facilitates making, modelling and enforcing design decisions involving security patterns:
- Making design decisions, by creating a guide for the transition from requirements to tactics and from tactics to patterns
- Modelling design decisions, by capturing the constraints that each security pattern imposes clearly, precisely and with minimal effort
- Enforcing design decisions, by developing tools for fully automated conformance checking
Contents
- Making design decisions: from requirements to tactics to patterns
- Modelling design decisions
  - Structure: Codecharts
  - Behaviour: Temporal logic
- Enforcing design decisions: tool support
- Round-trip engineering
Example
Requirement: withstand attacks
1. Make the design decision
   - Tactic: Limit Exposure
   - Pattern: Check Point
2. Codify the decision
   - Structure: Codecharts
   - Behaviour: Temporal logic
3. Enforce the decision
   - Map the pattern to the implementation
   - Verify with the Toolkit
Project: Security Pattern Assurance through Round-trip Engineering
LENS (Line-funded Exploratory New Starts), Software Engineering Institute, Carnegie Mellon University, $125K
Team:
- Rick Kazman, SEI & U of Hawaii
- Abdullah Alzahrani, U of Essex
- Jungwoo Ryoo, Penn State
- Rob Wojcik, SEI
- Amnon H. Eden, U of Essex
- Gary Chastek, SEI
Section: Making design decisions
Requirements → Tactics → Patterns
Tactics
Fine-grained design objectives. Each contributes to one quality attribute:
- Availability
- Interoperability
- Modifiability
- Performance
- Security
- Testability
- Usability
(Bass, Clements & Kazman 2012)
Tactics hierarchy (Ryoo, Kazman & Laplante 2012)
Guide: Tactics → Patterns
Patterns: Single Access Point, Check Point, Roles, Session, Full View with Errors, Limited View, Security Access Layer, Intercepting Validator, Secure Logger, …
http://security.altoona.psu.edu/designguide/
Section: Modelling design decisions: Structure (Codecharts)
Single Access Point (SAP) pattern
Intent: defines one interface for all communication between external entities and secured components
Participants: External Entities, Internal Entities, Single Access Point
(Schumacher, Fernandez-Buglioni, Hybertson, Buschmann & Sommerlad 2006; Wassermann & Cheng 2003)
SAP: structure
- The class Single Access Point is the only one that interacts with external entities
- Single Access Point is an appropriate place for capturing an information log on the parties currently accessing the system
(Wassermann & Cheng 2003)
Security patterns: Check Point pattern
Intent: a component that intercepts and monitors all incoming requests. In case of a violation, it is responsible for taking appropriate countermeasures
Participants: CheckPoint, Countermeasure, SecurityPolicy
(Schumacher, Fernandez-Buglioni, Hybertson, Buschmann & Sommerlad 2006; Wassermann & Cheng 2003)
Security patterns: structure. Check Point pattern (cont.)
- CheckPoint implements a method to check messages according to the current security policy and either triggers countermeasures or allows the message to proceed to the intended recipient
- Countermeasure provides actions that can be triggered in order to react to an access violation
- SecurityPolicy implements the rules that determine whether a request is granted
(Wassermann & Cheng 2003)
Modelling structure: Class Diagrams. Check Point (Wassermann & Cheng 2003)
Modelling structure: Class Diagrams. Check Point (Wassermann & Cheng 2003)
Questions the class diagram leaves open:
1. Which method calls which?
2. What's this?
3. Is it class “CheckPoint”?
Modelling structure: Codecharts. Check Point (Wassermann & Cheng 2003)
InternalEntities : ℙ CLASS
counterMeasure : CLASS
checkPolicy : SIGNATURE
Trigger : ℙ SIGNATURE
Call(checkRequest⊳checkPoint, Trigger⊳counterMeasure)
Modelling structure: CheckPoint Codechart and Schema. Check Point (Wassermann & Cheng 2003)
singleAccessPoint, checkPoint, counterMeasure, securityPolicy : CLASS
InternalEntities : ℙ CLASS
access, checkPolicy, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
Call(access⊳singleAccessPoint, checkRequest⊳checkPoint)
Call+(checkRequest⊳checkPoint, SecureActions⊳InternalEntities)
…
Modelling structure: Class Diagrams. Check Point (Schumacher et al. 2006)
CheckPoint encapsulates the security policy
Many policies ⇒ many CheckPoints
Common? Unique? One concrete CP or many?
Modelling structure: CheckPoint2 Codechart and Schema. Check Point (Schumacher et al. 2006)
CheckPointHierarchy : HIERARCHY
access, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
singleAccessPoint, counterMeasure : CLASS
InternalEntities : ℙ CLASS
Call(access⊳singleAccessPoint, checkRequest⊳checkPointHierarchy)
Call(access⊳singleAccessPoint, SecureActions⊳InternalEntities)
…
Modelling structure: Codecharts
- Methods, sets, signatures
- Precise criterion of correctness
- Communication; verification; automation, …
- Variations become evident: Check Point (Wassermann & Cheng 2003) vs. Check Point (Schumacher et al. 2006)
Section: Modelling design decisions: Behaviour
Security patterns: behaviour. Check Point (Wassermann & Cheng 2003)
- CheckPoint checks if msg conforms to the policy. If not, it triggers a countermeasure; if so, it allows msg to proceed to the intended recipient
- Countermeasure reacts to an access violation when triggered
- Client receives a granted/denied access message
- …
Modelling behaviour: Sequence Diagrams. Check Point (Wassermann & Cheng 2003)
- Limited abstractions
- Difficult to represent global constraints
- Limited tool support in verification
Modelling behaviour: Statecharts. Check Point (Wassermann & Cheng 2003)
- Limited to FSAs
- Problematic integration
Modelling behaviour: Temporal Logic. Check Point (Wassermann & Cheng 2003)
□ (CheckPoint.denyAccess ⇒ ◇ CounterMeasure.triggered)
□ (CheckPoint.denyAccess ⇒ Client.fail U Client.idle)
□ (CheckPoint.grantAccess ⇒ (◇ Client.succeed) U Client.idle)
Availability
Section: Enforcing design decisions: automated verification with the TTP Toolkit
Check Point: implementation
Java Authentication & Authorization Service (JAAS)
- Java implementation of the Pluggable Authentication Module (PAM) information security framework
- Originally developed for the Solaris operating system
- Other implementations: Linux PAM
- Used by the Apache web server to validate each HTTP request according to a configured activation sequence
- Implements the Check Point pattern
Security patterns: structure. Apparent similarity… Check Point pattern vs. JAAS
Enforcing structure: assignment of constants to variables. Check Point
Enforcing structure: verification
Enforcing structure: automation (assignment and result). Check Point
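The enforcement step sketched on these slides (assign program constants to the schema's variables, then check each formula against the Call relation of the code) can be illustrated end to end. The block below is an added example, not the TTP Toolkit and not the project's own code: it parses a constructed Python program with the standard `ast` module, extracts a toy Call relation, computes Call+ as its transitive closure, and evaluates the Check Point schema's formulas under a hand-written assignment. The sample program, the assignment, the `checkPolicy` formula and the "careless change" variant are all this example's own assumptions; `>` in the formula labels stands for the superimposition operator.

```python
import ast

# Added example, not the TTP Toolkit.  SOURCE is a constructed sample program
# (not from the slides).  `self.field = SomeClass()` in __init__ is how the toy
# call extractor below learns which class a `self.field.method()` call reaches.
SOURCE = '''
class SecurityPolicy:
    def check_policy(self, msg): return msg.get("role") == "admin"
class CounterMeasure:
    def trigger(self, msg): return "blocked"
class Archive:                                 # internal entity, reached via Ledger
    def post(self, msg): return "archived"
class Ledger:                                  # internal entity, called by CheckPoint
    def __init__(self): self.archive = Archive()
    def post(self, msg): return self.archive.post(msg)
class CheckPoint:
    def __init__(self):
        self.policy = SecurityPolicy()
        self.counter = CounterMeasure()
        self.ledger = Ledger()
    def check_request(self, msg):
        if not self.policy.check_policy(msg):
            return self.counter.trigger(msg)
        return self.ledger.post(msg)
class SingleAccessPoint:
    def __init__(self): self.cp = CheckPoint()
    def access(self, msg): return self.cp.check_request(msg)
'''

# The "careless change" of the round-trip slides: an edit that drops the policy
# check, so denied requests are never stopped and no countermeasure fires.
CARELESS = SOURCE.replace(
    "        if not self.policy.check_policy(msg):\n"
    "            return self.counter.trigger(msg)\n", "")

# Assignment of program constants to the schema's variables, written for SOURCE.
ASSIGNMENT = {
    "singleAccessPoint": "SingleAccessPoint", "checkPoint": "CheckPoint",
    "counterMeasure": "CounterMeasure", "securityPolicy": "SecurityPolicy",
    "InternalEntities": {"Ledger", "Archive"},
    "access": "access", "checkRequest": "check_request", "checkPolicy": "check_policy",
    "Trigger": {"trigger"}, "SecureActions": {"post"},
}

def call_relation(source):
    """Call relation: ((class, method), (class, method)) pairs where the first
    method calls the second via self.m() or self.field.m(); other shapes are ignored."""
    tree = ast.parse(source)
    classes = {n.name: n for n in tree.body if isinstance(n, ast.ClassDef)}
    methods = {(c, f.name) for c, n in classes.items()
               for f in n.body if isinstance(f, ast.FunctionDef)}
    fields = {(c, st.targets[0].attr): st.value.func.id          # self.f = Cls()
              for c, n in classes.items() for st in ast.walk(n)
              if isinstance(st, ast.Assign) and isinstance(st.targets[0], ast.Attribute)
              and isinstance(st.value, ast.Call) and isinstance(st.value.func, ast.Name)
              and st.value.func.id in classes}
    calls = set()
    for c, n in classes.items():
        for f in (x for x in n.body if isinstance(x, ast.FunctionDef)):
            for node in ast.walk(f):
                if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
                    recv, m = node.func.value, node.func.attr
                    if isinstance(recv, ast.Name) and recv.id == "self":
                        target = c                               # self.m()
                    elif isinstance(recv, ast.Attribute) and getattr(recv.value, "id", None) == "self":
                        target = fields.get((c, recv.attr))      # self.field.m()
                    else:
                        continue
                    if (target, m) in methods:
                        calls.add(((c, f.name), (target, m)))
    return calls

def transitive_closure(rel):
    closure = set(rel)                                   # Call+ of the relation
    while True:
        new = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if new <= closure:
            return closure
        closure |= new

def verify(source, a=ASSIGNMENT):
    """Evaluate the schema's Call formulas under the assignment -> {formula: bool}.
    The checkPolicy formula is this example's own; the slides elide the rest with '...'."""
    calls = call_relation(source)
    calls_plus = transitive_closure(calls)
    sap, cp = (a["singleAccessPoint"], a["access"]), (a["checkPoint"], a["checkRequest"])
    return {
        "Call(access>singleAccessPoint, checkRequest>checkPoint)": (sap, cp) in calls,
        "Call(checkRequest>checkPoint, Trigger>counterMeasure)":
            all((cp, (a["counterMeasure"], t)) in calls for t in a["Trigger"]),
        "Call(checkRequest>checkPoint, checkPolicy>securityPolicy)":
            (cp, (a["securityPolicy"], a["checkPolicy"])) in calls,
        "Call+(checkRequest>checkPoint, SecureActions>InternalEntities)":
            all((cp, (k, m)) in calls_plus for k in a["InternalEntities"] for m in a["SecureActions"]),
    }

def conforms(source):
    return all(verify(source).values())      # True iff the program satisfies the schema
```

Running `verify(SOURCE)` reports every formula satisfied; after the careless change, `verify(CARELESS)` still satisfies the Single Access Point and Call+ formulas but fails the `Trigger` and `checkPolicy` ones, which is exactly the regression the round-trip "Verification (again)" step is meant to catch. Note that `Archive.post` is reached only through `Ledger.post`, so the last formula needs Call+ rather than Call.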
Enforcing behaviour: verification
Wassermann & Cheng (2003):
- Technique: model checking
- Tools: MINERVA (Campbell et al. 2002), checks consistency of UML; HYDRA (McUmber & Cheng), UML → Promela; SPIN (Holzmann 1997), model checker
- Systems tested: small examples
- Manual
Enforcing structure: verification
JUnit example: ArrayList (assignment: ArrayList; result: “ArrayList satisfies JUnit”)
Section: Round-trip engineering
Forward, reverse, & round-trip (Eden, Gasparis, Nicholson & Kazman, forthcoming)
Modelling: detailed
Implementation: Java 3D
Modelling: abstract (Java 3D)
Code analysis (Java 3D)
Verification: successful (Java 3D)
Modelling patterns www.lepus.org.uk
Verifying patterns (structural conformance to Factory Method): Java 3D implements Factory Method
Implementation: evolve (careless change)
Verification (again)
Visualization: package java.util.logging
Modelling: evolve
Modelling formats: textually (XML), visually (Codechart), symbolically (Schema). Factory Method pattern
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <?xml-stylesheet type="text/xsl" href="http://www.lepus.org.uk/templates/classz.xsl"?>
    <schema xmlns="http://www.lepus.org.uk/classz" title="Factory Method"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://www.lepus.org.uk/classz http://www.lepus.org.uk/templates/classz.xsd">
      <description>The Factory Method design pattern</description>
      <declarations>
        <declare>
          <variable value="Factories" />
          <variable value="Products" />
          <type value="HIERARCHY" exponent="1" />
        </declare>
        <declare>
          <variable value="factoryMethod" />
          <type value="SIGNATURE" exponent="0" />
        </declare>
      </declarations>
      <formulas>
        <formula>
          <predicatesymbol value="Isomorphic" />
          <relationsymbol value="Produce" transitive="false" />
          <superimposition>
          </superimposition>
        </formula>
      </formulas>
      <!-- Generated using the TTP Toolkit on Tue Nov 27 17:42:25 GMT 2012 -->
    </schema>
Sidebar: Codecharts
Desiderata
- Automatically verifiable
- Modelling & visualization
- Formal & practical
- Elegant & parsimonious
- Visual & symbolic
- Object-oriented
- Scalable
- Generic
LePUS3 vocabulary (Eden & Nicholson 2011)
Inspiration: blueprints
Visual & symbolic: CheckPoint2 Codechart and Schema. Check Point (Schumacher et al. 2006)
CheckPointHierarchy : HIERARCHY
access, checkRequest : SIGNATURE
Trigger, SecureActions : ℙ SIGNATURE
singleAccessPoint, counterMeasure : CLASS
InternalEntities : ℙ CLASS
Call(access⊳singleAccessPoint, checkRequest⊳checkPointHierarchy)
Call(access⊳singleAccessPoint, SecureActions⊳InternalEntities)
…
Parsimony
“Each Scene Graph State class defines a factory method that creates and returns the respective Scene Graph Object”
Java 3D (Eden et al. 2013)
Scalability Java 3D API
Genericity (Monson-Haefel 2001, Enterprise JavaBeans)
Quotes on the slide, each annotated as either implemented (by the container) or user-defined:
- “Every bean [class] obtains an EJBContext object, which is a reference to the container”
- “The home interface extends the ...javax.ejb.EJBHome interface”
- “A home [interface] may have many create() methods, …, each of which must have corresponding ejbCreate() and ejbPostCreate() methods in the bean class. The number and datatype of the arguments of each create() are left up to the bean developer”
- “When a create() method is invoked on the home interface, the container delegates the invocation to the corresponding ejbCreate() and ejbPostCreate() methods on the bean class. An implementation for the bean's home interface is generated by the container.”
Formal method
A method is formal if it has a sound mathematical basis which provides the means of precisely defining:
- Specification
- Implementation correctness
A (formal) specification language consists of:
- a set Syn (syntactic domain)
- a set Sem (semantic domain)
- a relation Sat between them
(Guttag, Horning & Wing 1982; Wing 1990)
Definitions (Wing 1990)
Definitions (Eden & Nicholson 2011)
Semantics (Eden & Nicholson 2011)
Sidebar: Visualization
Inspiration: maps London, England
Visualization: Tools: SHriMP, Class Blueprints, Rigi (Ducasse & Lanza 2005; Storey et al. 2002; Müller & Klashinsky 1988)
CC 439: Software Design and Architecture, Autumn term 2006/7
Visualization: Tools: Microsoft Foundation Classes (Booch Notation) (Odenthal & Quibeldey-Cirkel 1997)
Dr Amnon H Eden, Department of Computer Science, University of Essex
Visualization: Tools: JBuilder 7, package java.util (Gasparis 2010)
Visualization: Tools: Fujaba Tool Suite 5, package Java3D 1.5 (Maniati 2008)
Visualization: Tools: NetBeans 6.1, package java.util (Gasparis 2010)
Visualization: Tools: NetBeans 6.1, package Java3D 1.5 (about 1,200 classes) (Maniati 2008)
Visualization: Toolkit: package JGraph (Eden & Nicholson 2011)
Visualization: Toolkit: package java.io
Visualization: Toolkit: package java.awt
Visualization: Toolkit: set relations, JGraph and java.util.logging
Visualization: Toolkit: package java.jgraph
Visualization: Toolkit: Java Authentication & Authorization Service (JAAS)
Future directions
Runtime verification
Enforce behavioural design decisions specified in LTL, Statecharts, sequence diagrams, …
A.k.a. runtime monitoring
Technique:
- Monitor the program's execution / read the execution trace
- Determine conformance to specifications
- Violations trigger actions
Languages & tools:
- Eagle (Barringer, Goldberg, Havelund & Sen 2003)
- Parameterized RuleR (Barringer, Rydeheard & Havelund 2010)
- PathExplorer (Havelund & Roşu 2001)
- MOP (Chen & Roşu 2007)
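The three temporal-logic properties on the Check Point behaviour slide and the monitor/trace/conformance technique of the runtime-verification slide fit together naturally: the properties are the specification, the trace is what a monitor reads, and a violation is what it reports. The block below is an added example, not code from the slides or from any of the tools listed (Eagle, RuleR, PathExplorer, MOP): it evaluates LTL formulas (□, ◇, U, ⇒) under finite-trace semantics, encodes the slide's three properties, generates a trace from a constructed model of the Check Point's behaviour, and runs the monitor over both a conforming trace and one produced by a careless version that forgets to trigger the countermeasure. The proposition names follow the slide; the trace format, the request policy and the sample requests are this example's assumptions.

```python
# Added example (not from the slides): finite-trace LTL checker plus a runtime
# monitor for the three Check Point properties of the Temporal Logic slide.
# A formula is a nested tuple; a trace is a list of sets of the propositions
# that hold at each step.  Sample traces and requests are constructed here.

def atom(p):
    return ("atom", p)

def holds(phi, trace, i=0):
    """Finite-trace LTL semantics at position i: always/eventually range over
    the remaining trace; until is strong (the right operand must occur)."""
    op = phi[0]
    if op == "atom":
        return phi[1] in trace[i]
    if op == "not":
        return not holds(phi[1], trace, i)
    if op == "implies":
        return not holds(phi[1], trace, i) or holds(phi[2], trace, i)
    if op == "always":
        return all(holds(phi[1], trace, j) for j in range(i, len(trace)))
    if op == "eventually":
        return any(holds(phi[1], trace, j) for j in range(i, len(trace)))
    if op == "until":                      # phi[1] U phi[2]
        for j in range(i, len(trace)):
            if holds(phi[2], trace, j):
                return True
            if not holds(phi[1], trace, j):
                return False
        return False
    raise ValueError(f"unknown operator {op!r}")

DENY, GRANT = atom("CheckPoint.denyAccess"), atom("CheckPoint.grantAccess")
TRIGGERED = atom("CounterMeasure.triggered")
FAIL, SUCCEED, IDLE = atom("Client.fail"), atom("Client.succeed"), atom("Client.idle")

# The three properties from the slide, in the order written there.
SPECS = {
    "deny => eventually triggered":
        ("always", ("implies", DENY, ("eventually", TRIGGERED))),
    "deny => fail until idle":
        ("always", ("implies", DENY, ("until", FAIL, IDLE))),
    "grant => (eventually succeed) until idle":
        ("always", ("implies", GRANT, ("until", ("eventually", SUCCEED), IDLE))),
}

def run_check_point(requests, policy, countermeasure=True):
    """Constructed model of the Check Point's behaviour: handles each request
    and returns the execution trace (one proposition set per step)."""
    trace = [{"Client.idle"}]
    for req in requests:
        if policy(req):
            trace += [{"CheckPoint.grantAccess"}, {"Client.succeed"}]
        else:
            trace.append({"CheckPoint.denyAccess", "Client.fail"})
            if countermeasure:             # a careless version may omit this step
                trace.append({"CounterMeasure.triggered", "Client.fail"})
        trace.append({"Client.idle"})
    return trace

def monitor(trace, specs=SPECS):
    """Runtime-verification step: read the trace, decide conformance to each
    specification and return the names of the violated ones.  The action taken
    on violation is this report; a deployed monitor could do more."""
    return [name for name, phi in specs.items() if not holds(phi, trace)]

def is_admin(req):
    return req.get("role") == "admin"      # constructed policy for the sample

REQUESTS = [{"role": "admin", "op": "read"}, {"role": "guest", "op": "write"}]

if __name__ == "__main__":
    print("conforming:", monitor(run_check_point(REQUESTS, is_admin)))
    print("careless:  ", monitor(run_check_point(REQUESTS, is_admin, countermeasure=False)))
```

On the conforming trace the monitor returns an empty list; on the careless trace it reports only the first property, because a denied request is still followed by `Client.fail` until `Client.idle` but `CounterMeasure.triggered` never appears. The checker is an offline, whole-trace evaluator; an online monitor of the kind the slide lists would instead advance the formula state step by step, but the verdicts on a finished trace are the same.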
Thank you
Software engineering state-of-the-art: An introduction to the not-so-innocent, 9-Feb-2005
Bibliography: Codecharts (www.lepus.org.uk)
- A.H. Eden, J. Nicholson. Codecharts: Roadmaps and Blueprints for Object-Oriented Programs. Wiley-Blackwell, 2011.
- A.H. Eden, E. Gasparis, J. Nicholson, R. Kazman. “Modeling and Visualizing Object-Oriented Programs with Codecharts”. Formal Methods in System Design 43(1), 1–28, 2013.
- A.H. Eden, E. Gasparis, J. Nicholson. “LePUS3 and Class-Z Reference Manual”. University of Essex, Tech. Rep. CSM-474, 2007.
Toolkit (www.ttp.essex.ac.uk)
- A.H. Eden, E. Gasparis, J. Nicholson, R. Kazman. “Round-Trip Engineering with the TTP Toolkit”. Forthcoming.
Amnon H Eden, Department of Computer Science, University of Essex
Bibliography: Research project (http://security.altoona.psu.edu/designguide)
- J. Ryoo, R. Kazman, A.A.H. Alzahrani, A.H. Eden. “Designing for Security Using Tactics, Patterns, and Automated Verification”. In preparation.
Tactics
- L. Bass, P. Clements, R. Kazman. Software Architecture in Practice, 3rd ed. Addison-Wesley Professional, 2012.
- J. Ryoo, R. Kazman, P. Laplante. “Revising a Security Tactics Hierarchy through Decomposition, Reclassification, and Derivation”. 6th Int'l Conf. on Software Security & Reliability, Washington D.C., 2012.
Catalogues
- M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Buschmann, P. Sommerlad. Security Patterns: Integrating Security and Systems Engineering. Wiley, 2006.
- R. Wassermann, B.H.C. Cheng. “Security Patterns”. Pattern Languages of Programs (PLoP), 2003.
Bibliography: Runtime verification
- H. Barringer, A. Goldberg, K. Havelund, K. Sen. “Eagle Monitors by Collecting Facts and Generating Obligations”. Tech. Rep. CSPP-26, Dept. of Computer Science, U. of Manchester, 2003.
- H. Barringer, D. Rydeheard, K. Havelund. “Rule Systems for Run-time Monitoring: from EAGLE to RULER”. J. of Logic & Computation 20(3), 2010.
- K. Havelund, G. Roşu. “Monitoring Java Programs with Java PathExplorer”. ENTCS 55(2), 2001.
- F. Chen, G. Roşu. “MOP: An Efficient and Generic Runtime Verification Framework”. SIGPLAN Notices 42(10), 2007.
Formal methods
- J. Guttag, J. Horning, J. Wing. “Some Notes on Putting Formal Specifications to Productive Use”. Science of Computer Programming 2(1), 53–68, 1982.
- J.M. Wing. “A Specifier's Introduction to Formal Methods”. Computer 23(9), 8–23, 1990.