Model-Driven Architecture And The Secure Systems Methodology Masters Thesis Defense 11/16/2007...
Transcript of Model-Driven Architecture And The Secure Systems Methodology Masters Thesis Defense 11/16/2007...
Model-Driven Architecture And The Secure Systems Methodology
Masters Thesis Defense
11/16/2007
Patrick Morrison

Agenda
► Introduction
► Problem statement
► Approach
► Contribution
► Related Work
► What is MDA?
► Experiment
► Results
► Conclusions
► Future Work

The problem of Security
► "A good percentage of the software deployed in industrial/commercial applications is of poor quality, it is unnecessarily complex, and contains numerous flaws that can be exploited by attackers."
► "We believe that the solution lies in developing secure software from the beginning, applying security principles along the whole life cycle... We see the use of patterns as a fundamental way, even for developers with little experience, to implicitly apply security principles."
► [Fer06a, EBF, et al.]
Security Patterns
[Diagram: map of security patterns and the relationships between them. Patterns shown: Secure Layers, Secure Facade, Secure Reflection, Application Conceptual Model, Policy Administration Point, Policy Information Point, Policy Decision Point, Policy Enforcement Point, Model View Controller, Secure Adapter, Secure Broker, Secure Enterprise Component Framework, Secure Web Services, Secure Proxy, Authentication, Secure Channel, Secure Client Dispatcher Server, Secure Relational Database Mapping, Secure Operating System. Relationship labels on the edges: define rules, enforce rules, decide, interact, transform interface, distribute objects, consume/provide services, implement business model, map objects, access remote objects, support software, secure communication, establish connection, authenticate, use.]
Secure Systems Methodology [Fer06a]
[Diagram: lifecycle stages Requirements, Analysis, Design and Implementation, with security verification and testing spanning all stages. Security artifact per stage: Secure UCs; Authorization rules in conceptual model; Rule enforcement through architecture; Language enforcement; Security test cases.]

Stage: Tasks
Requirements: Use case and activity diagram based role and attack analysis
Analysis: Class and sequence diagrams, preferring semantic analysis patterns
Design: Application of design patterns across architectural layers
Implementation: Mapping design on to selected technical architecture
Methodology Claim, paraphrased
► [by using] "abstract and graphical representations of patterns, the methodology allows the construction of secure computing systems from patterns which aid developers in understanding much more quickly and deeply than programming language 'code'"

MDA Claim
► [by using] "precise but abstract and graphical representations of algorithms, MDA allows the construction of computing systems from models that can be understood much more quickly and deeply than can programming language 'code'" [Mel04].

Problem
► Can Model-Driven Architecture (MDA) be used to support the secure systems methodology?
  - To what degree is it now possible to work in terms of high-level models rather than code?
  - Does MDA allow for the creation and reuse of generic models?
  - Does MDA reduce the amount of low-level work that needs to be done?
► What would be required to gain these benefits?
Approach
► Establish an MDA tool-chain
► Select an example distributed systems security problem
► Apply the advice of the secure systems methodology to the construction of models for the example system for each lifecycle phase
► Evaluate MDA models against the example's properties and their use in the lifecycle

Contribution
► A set of models of secure shell (ssh) corresponding to the phases of the secure systems methodology
► An example MDA tool chain that translates UML Classes into Java source code
► A set of considerations for applying MDA

Related Work
► SecureUML: models RBAC for web applications
► UMLsec: models security analysis for existing systems
► Executable UML: automated code generation from UML models, no explicit focus on security
► SysML: modeling notation for systems engineering
► UML Profile for RM-ODP: distributed systems standard, including security considerations
► RSML: process control requirements specification language
► Tropos: agent-oriented methodology
What is MDA?
► A set of technologies: UML, MOF, XMI, OCL
► A model-centric framework for systems development
► A set of viewpoints
► A scheme for transforming models to other models, and to text (code)

MDA Technologies
► UML2: a language and notation for building models
► MOF: a language for building modeling languages, beginning with UML2
► XMI: a persistence mechanism for MOF, allowing exchange between tools
► QVT: a transformation language for MOF models
► OCL: a language for expressing logical assertions on MOF models, e.g. UML2

MDA Viewpoints
► Computation-Independent Models (CIM) contain domain concepts
► Platform-Independent Models (PIM) define a technology-independent view of the system
► Platform-Specific Models (PSM) contain system descriptions including technology aspects
► Platform: the technical architecture of a given system
MDA Transformations, example

Generated Java:

    public class Subject {
        public String id;
    }

    public class Object {
        public String id;
    }

    public class Right {
        public String id;
        public String access_type;
        public Boolean copy_flag;
        public Subject s;
        public Object o;
    }

Model-to-text template (openArchitectureWare) that produces one .java file per Entity in the model:

    «IMPORT metamodel»
    «DEFINE javaClass FOR Entity»
    «FILE name+".java"»
    public class «name» {
    «FOREACH attributes AS attr»
        public «attr.type» «attr.name»;
    «ENDFOREACH»
    «FOREACH references AS ref»
        public «ref.type.name» «ref.name»;
    «ENDFOREACH»
    }
    «ENDFILE»
    «ENDDEFINE»
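The transformation on this slide, as an added example that is not part of the thesis and not openArchitectureWare code: a small Python model-to-text generator over a hypothetical Entity/Attribute/Reference metamodel that stands in for the UML2/MOF model the tool-chain exports via XMI. It emits the same Subject/Object/Right Java classes as the slide's template. It goes beyond the slide in one respect: before generating, it checks the well-formedness constraints that OCL would normally express on the model (every reference resolves to an entity in the model, no duplicate entity or member names), so an ill-formed model fails loudly instead of producing Java that does not compile. The names Entity, Reference, validate_model, generate and the sample model are assumptions made for the illustration.

```python
"""Toy model-to-text transformation in the style of the slide's template.

Added example; not code from the thesis or from openArchitectureWare.
The Entity/Attribute/Reference metamodel below is an assumption standing in
for the UML2/MOF model exported from the UML editor.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Attribute:
    name: str
    type: str          # Java type name, e.g. "String"


@dataclass(frozen=True)
class Reference:
    name: str
    type: str          # name of another Entity in the same model


@dataclass
class Entity:
    name: str
    attributes: List[Attribute] = field(default_factory=list)
    references: List[Reference] = field(default_factory=list)


# Constructed sample model: the access-matrix classes shown on the slide.
ACCESS_MATRIX_MODEL: List[Entity] = [
    Entity("Subject", [Attribute("id", "String")]),
    Entity("Object", [Attribute("id", "String")]),
    Entity("Right",
           [Attribute("id", "String"),
            Attribute("access_type", "String"),
            Attribute("copy_flag", "Boolean")],
           [Reference("s", "Subject"), Reference("o", "Object")]),
]


def validate_model(model: List[Entity]) -> List[str]:
    """Well-formedness constraints of the kind OCL would state on the metamodel.

    Returns a list of violations; an empty list means the model is valid.
    Generating from a model that fails these checks would silently emit Java
    referring to types that do not exist or declaring a field twice.
    """
    names = [e.name for e in model]
    problems: List[str] = []
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"duplicate entity name {dup!r}")
    for e in model:
        for ref in e.references:
            if ref.type not in names:
                problems.append(
                    f"{e.name}.{ref.name} references unknown entity {ref.type!r}")
        seen = set()
        for member in [a.name for a in e.attributes] + [r.name for r in e.references]:
            if member in seen:
                problems.append(f"{e.name} declares member {member!r} twice")
            seen.add(member)
    return problems


def java_class(entity: Entity) -> str:
    """Equivalent of the slide's «DEFINE javaClass FOR Entity» body."""
    lines = [f"public class {entity.name} {{"]
    lines += [f"    public {a.type} {a.name};" for a in entity.attributes]
    lines += [f"    public {r.type} {r.name};" for r in entity.references]
    lines.append("}")
    return "\n".join(lines) + "\n"


def generate(model: List[Entity]) -> Dict[str, str]:
    """Model-to-text: one «FILE name+".java"» per entity, keyed by file name.

    Refuses to generate from an ill-formed model rather than emitting broken code.
    """
    problems = validate_model(model)
    if problems:
        raise ValueError("model is not well-formed: " + "; ".join(problems))
    return {f"{e.name}.java": java_class(e) for e in model}


if __name__ == "__main__":
    for filename, text in generate(ACCESS_MATRIX_MODEL).items():
        print(f"// {filename}")
        print(text)
```

One caveat the slide's output shares: a generated class named `Object` shadows `java.lang.Object` for unqualified references in its own package, so a platform-specific model for Java would normally rename it or place it in a dedicated package before generation.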
MDA Tool-chain
► UML Editor, Model creation, XMI generation: MagicDraw
► Model-to-Model, Model-to-Text transformation: openArchitectureWare
► Target Platform: Java
► Integration: Eclipse

Experiment
► Apply secure systems methodology to building models for an abstract version of remote access
► Reverse-engineer SSH design models from architecture documents and source code
► Compare analysis results to the SSH architecture
► Evaluate the ability of MDA to assist in translation of models from phase N to phase N+1:
  - Requirements -> Analysis
  - Analysis -> Design
Example (2): Secure Shell (SSH)
► Widely used network protocol providing security for remote access to user accounts and similar services
► [SSH] "enables secure remote login and other secure network services over an insecure network"
  - server authentication
  - client authentication (public key, password, host-based)
  - confidentiality
  - integrity
  - perfect forward secrecy
► Well-documented:
  - Internet standard: RFCs 4250-4256 describe goals and architecture
  - Open source client implementation: Ganymed SSH-2 for Java
Patterns applied during Analysis
► Authenticator
► Known Partners
► Single Access Point
► Checkpoint
► Security Session
► Information Obscurity
► Secure Channels

Compare: SSH Transport Protocol (reverse engineered from RFC)
[Diagram: class model of the SSH transport protocol reverse-engineered from the RFC; not reproduced in the transcript.]

Analysis Result
► Application of standard security patterns to the abstract case of remote access yielded a reasonably comprehensive model of the entities and relationships that participate in the SSH architecture.
Results
► Application of the methodology to a generic version of the example problem yielded a model that corresponds well to an existing solution of the problem
► Models captured fragments of the system from a given viewpoint, in this case depending on the lifecycle phase
► The ability to connect entities between phases depends on a shared metamodel
► No such metamodel exists for the presented models

Results (2), Questions revisited
► To what degree is it now possible to work in terms of high-level models rather than code?
  - Within constraints, there are opportunities to work with models rather than code
► Does MDA allow for the creation and reuse of generic models?
  - Insufficient evidence collected to support answering this question
► Does MDA reduce the amount of low-level work that needs to be done?
  - MDA increases the amount of work required to build the first application
Conclusions
► Requirements, Analysis and Design are fundamentally about deciding what you want, while MDA excels in describing what you have.
► Conclusion: MDA can be useful when working with a known domain and a known architecture.
► Metamodels, and transformations on them, are MDA's driving force. Where they exist or their creation is justified, they can assist in the development process.

Conclusions (2)
► MDA is not a good fit for a methodology; but it could be a good fit for an instance of a methodology.
► MDA can capture the details of domain and architecture, allowing systems designers to concentrate on variations within an established framework.
► This does suggest that software alteration and maintenance may be enhanced by the use of MDA.
Future Work
► Develop a Java platform model to support code generation from existing analysis models
► Choose second, third example applications
► Map examples on to suitable metamodel(s)
  - Unify lifecycle phase models
  - Factor out application, security, platform dependencies
  - Evaluate existing metamodels: SysML, RM-ODP
► Encode security pattern knowledge in the metamodel

Committee
► Dr. E.B. Fernandez
► Dr. Shihong Huang
► Dr. Maria Petrie