Model-Driven Architecture And The Secure Systems Methodology Masters Thesis Defense 11/16/2007...


Model-Driven Architecture And The Secure Systems Methodology

Masters Thesis Defense

11/16/2007

Patrick Morrison

Agenda

► Introduction
► Problem statement
► Approach
► Contribution
► Related Work
► What is MDA?
► Experiment
► Results
► Conclusions
► Future Work

The problem of Security

► “A good percentage of the software deployed in industrial/commercial applications is of poor quality, it is unnecessarily complex, and contains numerous flaws that can be exploited by attackers.”

► “We believe that the solution lies in developing secure software from the beginning, applying security principles along the whole life cycle…We see the use of patterns as a fundamental way, even for developers with little experience, to implicitly apply security principles.”

► [Fer06a, EBF, et al.]

Security Patterns

[Diagram: security patterns arranged across architectural layers. Patterns shown: Secure Layers, Secure Facade, Secure Reflection, Application Conceptual Model, Policy Administration Point, Policy Information Point, Policy Decision Point, Policy Enforcement Point, Model View Controller, Secure Adapter, Secure Broker, Secure Enterprise Component Framework, Secure Web Services, Secure Proxy, Authentication, Secure Channel, Secure Client-Dispatcher-Server, Secure Relational Database Mapping, Secure Operating System. Relationship labels: defineRules, enforceRules, decide, interact, transformInterface, distribute objects, consume/provide services, implement business model, map objects, access remote objects, support software, secure communication, establish connection, authenticate, use.]

Secure Systems Methodology [Fer06a]

[Diagram: lifecycle stages Requirements, Analysis, Design, Implementation, with security verification and testing spanning all stages. Stage labels: secure use cases (Requirements); authorization rules in conceptual model (Analysis); rule enforcement through architecture (Design); language enforcement (Implementation); security test cases (verification and testing).]

Stage           Tasks
Requirements    Use case and activity diagram based role and attack analysis
Analysis        Class and sequence diagrams, preferring semantic analysis patterns
Design          Application of design patterns across architectural layers
Implementation  Mapping design on to selected technical architecture

Methodology Claim, paraphrased

► [by using] “abstract and graphical representations of patterns, the methodology allows the construction of secure computing systems from patterns which aid developers in understanding much more quickly and deeply than programming language ‘code’”

MDA Claim

► [by using] “precise but abstract and graphical representations of algorithms, MDA allows the construction of computing systems from models that can be understood much more quickly and deeply than can programming language ‘code’” [Mel04].

Problem

► Can Model-Driven Architecture (MDA) be used to support the secure systems methodology?
    To what degree is it now possible to work in terms of high-level models rather than code?
    Does MDA allow for the creation and reuse of generic models?
    Does MDA reduce the amount of low-level work that needs to be done?

► What would be required to gain these benefits?

Approach

► Establish an MDA tool-chain
► Select an example distributed systems security problem
► Apply the advice of the secure systems methodology to the construction of models for the example system for each lifecycle phase
► Evaluate MDA models against the example’s properties and their use in the lifecycle.

Contribution

► A set of models of secure shell (ssh) corresponding to the phases of the secure systems methodology
► An example MDA tool chain that translates UML Classes into Java source code.
► A set of considerations for applying MDA

Related Work

► SecureUML – models RBAC for web applications
► UMLsec – models security analysis for existing systems
► Executable UML – automated code generation from UML models, no explicit focus on security
► SysML – modeling notation for systems engineering
► UML Profile for RM-ODP – distributed systems standard, including security considerations
► RSML – process control requirements specification language
► Tropos – agent-oriented methodology

What is MDA?

► A set of technologies: UML, MOF, XMI, OCL
► A model-centric framework for systems development
► A set of viewpoints
► A scheme for transforming models to other models, and to text (code)

MDA Technologies

► UML2 – a language and notation for building models
► MOF – a language for building modeling languages, beginning with UML2
► XMI – a persistence mechanism for MOF, allowing exchange between tools
► QVT – a transformation language for MOF models
► OCL – a language for expressing logical assertions on MOF models, e.g. UML2

MDA Models and Metamodels

MDA Viewpoints

► Computation-Independent Models (CIM) contain domain concepts
► Platform-Independent Models (PIM) define a technology-independent view of the system
► Platform-Specific Models (PSM) contain system descriptions including technology aspects
► Platform – the technical architecture of a given system

MDA Transformations

MDA Transformations, example

Generated Java (target text):

    public class Subject {
        public String id;
    }

    public class Object {
        public String id;
    }

    public class Right {
        public String id;
        public String access_type;
        public Boolean copy_flag;
        public Subject s;
        public Object o;
    }

openArchitectureWare Xpand template (model-to-text): one .java file per Entity, with a public field for each attribute and each reference of the Entity:

    «IMPORT metamodel»
    «DEFINE javaClass FOR Entity»
    «FILE name + ".java"»
    public class «name» {
    «FOREACH attributes AS attr»
        public «attr.type» «attr.name»;
    «ENDFOREACH»
    «FOREACH references AS ref»
        public «ref.type.name» «ref.name»;
    «ENDFOREACH»
    }
    «ENDFILE»
    «ENDDEFINE»
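An added example, not code from the thesis or from openArchitectureWare: the Xpand template above re-expressed as a small Python model-to-text generator over a hand-built Entity metamodel, with two OCL-style invariants (unique member names, references only to entities in the model) checked before any text is emitted. Class and function names are assumptions; the Subject/Object/Right entities are the slide's.

```python
from dataclasses import dataclass, field

# Hand-built metamodel (assumed names): an Entity has typed attributes and
# references to other Entities, matching the slide's Xpand template.
@dataclass
class Attribute:
    name: str
    type: str

@dataclass
class Entity:
    name: str
    attributes: list = field(default_factory=list)
    references: list = field(default_factory=list)  # (name, target Entity)

def validate(model: list) -> list:
    """Two OCL-style invariants (assumed): member names unique per Entity,
    every reference targets an Entity that is part of the model."""
    known = {e.name for e in model}
    problems = []
    for e in model:
        seen = set()
        for n in [a.name for a in e.attributes] + [r for r, _ in e.references]:
            if n in seen:
                problems.append(f"{e.name}: duplicate member '{n}'")
            seen.add(n)
        for r, target in e.references:
            if target.name not in known:
                problems.append(f"{e.name}.{r}: unknown entity '{target.name}'")
    return problems

def java_class(entity: Entity) -> str:
    """Model-to-text step: DEFINE javaClass FOR Entity, rendered in Python."""
    lines = [f"public class {entity.name} {{"]
    for attr in entity.attributes:              # FOREACH attributes AS attr
        lines.append(f"    public {attr.type} {attr.name};")
    for ref_name, target in entity.references:  # FOREACH references AS ref
        lines.append(f"    public {target.name} {ref_name};")
    lines.append("}")
    return "\n".join(lines) + "\n"

def generate(model: list) -> dict:
    """FILE name + ".java": one source file per Entity, after validation."""
    problems = validate(model)
    if problems:
        raise ValueError("; ".join(problems))
    return {f"{e.name}.java": java_class(e) for e in model}

# Constructed input: the Subject/Object/Right entities from the slide.
SUBJECT = Entity("Subject", [Attribute("id", "String")])
OBJECT = Entity("Object", [Attribute("id", "String")])
RIGHT = Entity("Right", [Attribute("id", "String"), Attribute("access_type", "String"),
                         Attribute("copy_flag", "Boolean")], [("s", SUBJECT), ("o", OBJECT)])
MODEL = [SUBJECT, OBJECT, RIGHT]
```

Calling generate(MODEL) returns the three Java sources shown on the slide keyed by file name; a model with a dangling reference is rejected before any file text is produced.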

MDA Concepts, in UML

MDA Tool-chain

► UML editor, model creation, XMI generation: MagicDraw
► Model-to-Model, Model-to-Text transformation: openArchitectureWare
► Target platform: Java
► Integration: Eclipse

Experiment

► Apply secure systems methodology to building models for an abstract version of remote access
► Reverse-engineer SSH design models from architecture documents and source code
► Compare analysis results to SSH architecture
► Evaluate ability of MDA to assist in translation of models from phase N to phase N+1:
    Requirements -> Analysis
    Analysis -> Design

Example: Remote Access

Example (2): Secure Shell (SSH)

► Widely used network protocol providing security for remote access to user accounts and similar services

► [SSH] “enables secure remote login and other secure network services over an insecure network”
    server authentication
    client authentication (public key, password, host-based)
    confidentiality
    integrity
    perfect forward secrecy

► Well-documented:
    Internet standard: RFCs 4250-4256 describe goals, architecture
    Open source client implementation: Ganymed SSH-2 for Java

Requirements: Use Cases

Requirements: Sequence Diagram

Requirements: Activity Diagram

Analysis: Initial Class Diagram

Patterns applied during Analysis

► Authenticator
► Known Partners
► Single Access Point
► Checkpoint
► Security Session
► Information Obscurity
► Secure Channels

Analysis: Final Class Diagram

Compare: SSH Transport Protocol (reverse engineered from RFC)

Analysis Result

► Application of standard security patterns to the abstract case of remote access yielded a reasonably comprehensive model of the entities and relationships that participate in the SSH architecture.

Results

► Application of the methodology to a generic version of the example problem yielded a model that corresponds well to an existing solution of the problem
► Models captured fragments of the system from a given viewpoint, in this case depending on the lifecycle phase
► The ability to connect entities between phases depends on a shared metamodel
► No such metamodel exists for the presented models

Results (2), Questions revisited

► To what degree is it now possible to work in terms of high-level models rather than code?
    Within constraints, there are opportunities to work with models rather than code
► Does MDA allow for the creation and reuse of generic models?
    Insufficient evidence collected to support answering this question.
► Does MDA reduce the amount of low-level work that needs to be done?
    MDA increases the amount of work required to build the first application.

Conclusions

► Requirements, Analysis and Design are fundamentally about deciding what you want, while MDA excels in describing what you have.
► Conclusion: MDA can be useful when working with a known domain and a known architecture.
► Metamodels, and transformations on them, are MDA’s driving force. Where they exist or their creation is justified, they can assist in the development process

Conclusions (2)

► MDA is not a good fit for a methodology; but it could be a good fit for an instance of a methodology.
► MDA can capture the details of domain and architecture, allowing systems designers to concentrate on variations within an established framework.
► This does suggest that software alteration and maintenance may be enhanced by the use of MDA

Future Work

► Develop Java platform model to support code generation from existing analysis models
► Choose second, third example applications
► Map examples on to suitable metamodel(s)
    Unify lifecycle phase models
    Factor out application, security, platform dependencies
    Evaluate existing metamodels: SysML, RM-ODP
► Encode security pattern knowledge in the metamodel

Committee

► Dr. E.B. Fernandez
► Dr. Shihong Huang
► Dr. Maria Petrie
