KEMBAR78
Security patterns and model driven architecture | PPT
Uploaded bybdemchak
PPT, PDF980 views

Security patterns and model driven architecture

This document provides an overview of security patterns and model driven architecture. It summarizes three papers on using security patterns to model security requirements. The document discusses how security patterns can be used to address the common problem of irregular and haphazard application of security measures leading to insecure systems. It describes Cheng's approach of revising the security pattern template to allow formal verification of requirements. Rosado's approach is also summarized, which presents a standardized security pattern template and evaluates several common security patterns. The document provides context on how security patterns can help capture expertise to facilitate secure systems design.

Downloaded 23 times
The Beginning
The Beginning
Security Patterns and Model Driven Architecture UC San Diego CSE 294 Fall Quarter 2006 Barry Demchak
Papers to Review  Using Security Patterns to Model and Analyze Security Requirements (Betty Cheng et al, Michigan State University) [~2000]  A Study of Security Architecture Patterns (Rosado et al, University of Castilla-La Mancha) [2006]  Integration of Security Patterns in Software Models based on Semantic Descriptions (Diego Ray, University of Malaga) [2003]
The Big Problem  Security requirements and solutions  “The application should do blah-blah, blah-blah, and blah-blah. It should do them like this: blah- blah-blah.”  And it should be fast, reliable, and secure.  Security is a value, not an engineering goal  Security is a non-functional requirement  Irregular and haphazard application of security measures leads to insecure systems
Evidence of the Problem  “Thousands of Brits fall victim to data theft” -- October 10, 2006 New York Times  “Medicare and Medicaid Security Gaps Are Found” -- October 8, 2006 New York Times  “U.S. and Europe Agree on Passenger Data” -- October 6, 2006 New York Times  Is AJAX secure? -- October, 2006 SQL Magazine
The Context
Preview – the Players and their Parts  Cheng – Pattern definition  Rosado – Pattern enumeration and evaluation  Ray – Future directions
Patterns  Patterns are a tool for managing complexity  Describe technical solutions in context of business problems  Patterns are prescriptive – tell you what to do  Each pattern represents a decision that must be made and considerations that go into that decision  Patterns facilitate communication  Form common vocabulary among experts and non- experts  Patterns are a tool to capture expertise  Patterns can increase the degree of corporate knowledge capture and transfer
What is a Pattern? A pattern for software architecture describes a particular recurring design problem that arises in specific design contexts, and presents a well-proven generic scheme for its solution. The solution scheme is specified by describing its constituent components, their responsibilities and relationships, and the ways in which they collaborate. [POSA96]
MVC  Context & Problem  Application data needs to be maintained and presented via the user interface  Multiple different output formats need to be supported  Multiple different forms of input need to be supported  How to establish consistency?
MVC  Solution:  Introduce separate components for storing and processing of data (model), data presentation (view), and for handling input (controller)  The model represents the functional core; it registers dependent components (views and controllers) and notifies them about data changes  The view retrieves data from the model and displays it  The controller translates user input into events for the model; it may also change the UI to mirror data changes
MVC: Example 0 20 40 60 80 100 120 140 160 180 200 a b c Series1 a b c a b c 60 30 10 50 30 20 80 10 10 a = 63% b = 23% c = 14% Model View Controller adapted from [M05]
MVC  Structure: Model AbstractSource Attach(Observer) Detach(Observer) Notify() GetState() SetState() service() state AbstractObserver Update() View Update() Display() Initialize() observers * model 1 Controller Update() HandleInput() Initialize()
 Behavior: MVC :View:Model:Controller Service() Update() HandleInput() Notify() GetState() Display() Update() GetState()
 Consequences:  Decoupling of application data from presentation and input mechanism  Consistency of user interface and underlying data model  Increase of structural and dynamic complexity  Potential loss of performance MVC
Pattern Information  Analysis patterns [Fowler: Analysis Patterns]  Design patterns [Gamma et al: Design Patterns]  Specification patterns [Dwyer et al: 2nd Workshop on Formal Methods in Software Engineering (1998)]
Cheng’s Approach – The Problem  Security patterns lack comprehensive structure that conveys essential information essential to security engineering  Security cannot be verified
The Solution  Investigate alternate templates for security patterns  Enable verification of requirements by adding formal constraints to patterns
Security Patterns  Capture and convey information to facilitate “security engineering”  “Security” is subjective and environment- dependent  Extending normal patterns to security comes up short: behavior, security constraints, etc  Check essential security properties
Objectives  Communication of security-specific knowledge in context of concrete application  Verification using UML formalization framework (Hydra) -> Promela (SPIN) -> Minerva
Design Patterns – a launching point  Pattern Name and Classification  Intent  Also Known As  Motivation  Applicability – altered  Consequences - altered  Structure  Participants  Collaborations
Changed Fields  Applicability – added application-level, host- level, or network-level security  Consequences – added set of consequences: accountability, confidentiality, integrity, availability, performance, cost, manageability, usability
New Fields  Behavior – illustrate behavior and interaction using UML state and sequence diagrams  Constraints – global conditions that have to apply  Related Security Patterns – how it relates to other security patterns  Supported Security Principles – how it relates to each of the ten principles identified by Viega and McGraw
Viega and McGraw Principles (aside) 1. Secure weakest link 2. Practice defense in depth 3. Fail securely 4. Principle of least privilege 5. Compartmentalize 6. Keep it simple 7. Promote privacy 8. Hiding secrets is hard 9. Be reluctant to trust 10. Use community resources
Patterns, Classifications & Principles
Process for Using Security Patterns
Example – Faulty UML State Diagram
Example - eBiz  Requirement: Unauthorized access to system should not be possible, and it triggers a counter-measure
Example - eBiz
Example – eBiz
Analysis of Security Properties  Checked Authorization, Check Point, and Single Access Point  Instantiated constraints using LTL -> SPIN  Iteratively verified/improved – errors visualized using Minerva as UML showing counterexamples
Checkpoint Properties  CHK1 – unauthorized access leads to counter- measure: □(p→(◊q))  (CP.grantaccess == 2)→(CM.triggered == 1)  CHK2 – integrity or confidentiality are uncompromised after denial: □(p→(qUr))  (CP.grantaccess == 2) →((ERG.success == 0) U (ERG.waiting == 0)  CHK3 – granted access leads to notify: □(p→(◊q)Ur)  (CP.grantaccess == 1) →((ERG.success == 1) U (ERG.waiting == 0)
UML for Check Point Pattern
Cheng Summary  Proposed revised template for security  Combine previous UML formalizations with security patterns to produce rigorous analysis  Result: Reduction of error-prone post-design security modifications
Cheng Futures  Incorporate security beliefs into templates  Investigate how application domain affects security patterns  Use of timing information in specifying security patterns
Rosado’s Approach -- The Problem  Unsecure systems are everywhere, and are especially acute with connected systems  Security should be considered at all stages of system design and at all architectural levels  There is no comprehensive methodology for designing security-sensitive systems  Requirements difficult to model  Secure development expertise is rare
The Solution  Security patterns encapsulate accumulated knowledge of secure systems design  Can be understood and used by non-security professionals  Degree of security in a pattern can be measured
The Security Pattern Template  Intent  Context  Problem  Description  Solution  Consequences  Known Uses  Related Patterns
The Security Pattern Template (vs Cheng et al)  Intent  Context  Problem  Description  Solution  Consequences  Known Uses  Related Patterns  Also known as  Structure  Participants  Collaborations  Supported security principles
Patterns Presented  Authorization  Role-Based Access Control  Multi-level Security  Reference Monitor  Virtual Address Space Access Control  Execution Domain  Single Access Point  Check Point  Session
Patterns Presented Authorization Role-Based Access Control Multi-level Security  Reference Monitor  Virtual Address Space Access Control  Execution Domain Single Access Point Check Point Session Limited View Full View with Errors
Authorization Pattern  Intent: Who is authorized to access resource  Context: Active entities request resources whose access must be controlled  Problem: Access to secure objects needs to be explicitly protected
Authorization Pattern – cont’d  Description: distinguish between active entities (subjects) and passive resources (protection objects)  Solution: Subject class, Object class, Rights class, and the relationship between them
Authorization Pattern – cont’d  Consequences  Solution is independent of resources to be protected  Subjects: processes, users, roles, groups  Objects: transactions, memory, devices, files …  Access: reading, writing, execution, methods
Authorization Pattern – cont’d  Known uses: access control in Unix, Windows, Oracle  Related patterns: RBAC is a specialization
Role-Based Access Control Pattern  Intent: Control access based on role  Context: Access based on job or task  Solution: Extends Authorization so users are assigned roles, and roles have rights
Multilevel Security Pattern  Intent: Access under multiple levels of security class  Solution: Each subject ∈ some class, each resource ∈ some class, instances used to add levels of security  Consequences: Facilitates admin work for classification, maintenance of classification can be costly
Reference Monitor Pattern  Intent: All authorizations are fulfilled when process needs resource  Context: Multiprocess environment petitioning resources  Consequences: If all petitions are intercepted, rules can be observed. Implementation depends on resource, and performance suffers
Virtual Address Space Access Control Pattern  Intent: Control access by processes to specific memory using predefined access types  Context: Processes must share memory in controlled way; each process executes in own address space  Solution: Divide memory into segments, assign descriptors and allowed access types
Execution Domain Pattern  Intent: Define process environment indicating accessible resources the resource access privileges  Problem: Restrict process to use specific resources to prevent destruction that could interfere with other processes  Consequences: Resource mapped into address space, domain implementation not restricted, complex and needs hardware
Session Pattern  Intent: Provide environment where user rights can be restricted and controlled  Description: Repository for global information access  Consequences: Session has privileges necessary to perform task, but insufficient to cause collateral damage
Single Access Point Pattern  Intent: Simple interface for communications with external entities  Solution: Single point of control (mediator) can coordinate policy implementation through Check Point pattern  Consequences: Can capture information, carry out authorization, and prevent undesirable data modification
Check Point Pattern  Intent: Check requests and take countermeasures  Solution: Analyze requests and messages, combines with Single Access Point pattern, applies current security policy  Consequences: Benefits confidentiality if operating properly and attacks can be detected. Complex checking slows system.
Comparing Security Criteria
Comparing Performance
Comparing Cost and Security
Rosado’s Futures  Define method to specify flexible security architectures that can be easily adapted to systems with different security requirements  Guarantee security using security patterns
Ray’s Approach – The Problem  Security and reliability not considered during initial stages of software development  Not part of standard procedures in development or maintenance of software
The Solution  Create framework for semantic description and management of security properties and patterns  Given security requirements, define mechanisms to automate analysis of security- enhanced models  Define mechanism to guarantee that subsequent changes preserve security properties and patterns
Security Awareness  25 Years Ago: What is Security??  15 Years Ago: Security is a value-added service  Lately: Security must be built in
Development Processes  Security requirements are often identified independently for each system component  Interdependencies are poorly understood  Big trouble  Pervasive computing  Ambient intelligence  Mobile services  Deploy isolated countermeasures (PKI, IDS, firewalls, symmetric encryption, etc)  No development process identifies security requirements apriori
The Causes  Security is a non-functional requirement  Security is both technical and social  Developers often lack background or interest in security  No consistent way of representing security at different levels of software description
Add-on Security  Usually a point solution  Different implementations of the add-on security cannot be compared (as to security properties)  Security mechanisms not congruent with system security requirements
Where Are We Now?  UML-based  Business process engineering  SecureUML integrates role-based access control policies into model-driven software development process  UMLsec proposes extending UML for security modeling, but addresses only a few security issues  Integrate UML into Tropos (ERP) methodology
More UML …  Use cases can describe special scenarios, but abuse cases are more instructive  UML Precise Group (PUML) investigating improving semantics  SEMPER (Secure Electronic Marketplace in Europe) studying e-commerce frameworks  COPS (Commercial Protocols and Services) studying infrastructure for market transactions  CASENET design and analysis of security protocols studying requirements specification during application development
Where Next?  Use of formal methods in software engineering process  Develop formally proven solutions  Assist software engineers regarding gathering security requirements, integrating proven solutions, and validating against requirements
Where Next?
Basic Boehm Spiral Model
Integrated Security Engineering  Security solution  Adaptation to context  Analysis of consequences  Coherence
Semantic Modeling  Security protocol as a series of semantic properties to be fulfilled  Level of security: confidential  Authentication is needed  … etc  Enables  Semantic categorization of patterns and libraries  Fitting patterns and libraries to context  Ferret out unhealthy interactions  Validate correctness of new patterns
Automated Tools Support
Comparison of Approaches  Cheng et al  Improvement of attribute classifications of security patterns  UML + security patterns = rigorous analysis  Rosado  Exposing security patterns for common use  Classifying characteristics of security patterns  Ray  Semantic description of security patterns  Full development cycle supported by automation  Guarantee that protocols are maintained across development cycle
Other Threads  Dr. Dobbs Journal  Scott Ambler on difficulty of marrying agile with security  Microsoft Systems Journal  November edition has 6 major stories  Threat modeling  Extending SDL – Documenting and Evaluating the Security Guarantees of Your Apps
Bottom Line  Are today’s security patterns sufficient to guarantee secure systems?  Is security a cross-cutting issue?  How do we create secure-by-architecture designs? “For interesting research, head towards chaos” – Ingolf Krueger, 2005
The Beginning

More Related Content

PPTX
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
PPTX
cyber security presentation.pptx
bykishore golla
 
PPTX
Security management concepts and principles
byDivya Tiwari
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PPTX
Secure SDLC Framework
byRishi Kant
 
PPT
Information Security Principles - Access Control
byidingolay
 
PPTX
Application security
byHagar Alaa el-din
 
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
cyber security presentation.pptx
bykishore golla
 
Security management concepts and principles
byDivya Tiwari
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Secure SDLC Framework
byRishi Kant
 
Information Security Principles - Access Control
byidingolay
 
Application security
byHagar Alaa el-din
 

What's hot

PDF
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
PDF
Access Control Presentation
byWajahat Rajab
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PDF
Cyber Security and Cloud Computing
byKeet Sugathadasa
 
PPT
DDoS Attack PPT by Nitin Bisht
byNitin Bisht
 
DOCX
The CIA Triad - Assurance on Information Security
byBharath Rao
 
PPTX
Cloud with Cyber Security
byNiki Upadhyay
 
PDF
Threat Intelligence
byDeepak Kumar (D3)
 
PPT
intrusion detection system (IDS)
byAj Maurya
 
PPT
Information security and Attacks
bySachin Darekar
 
PPT
Intrusion detection system ppt
bySheetal Verma
 
PDF
Secure software design
byAshis Kumar Chanda
 
PPT
Email Security and Awareness
bySanjiv Arora
 
PPTX
Introduction to cyber security amos
byAmos Oyoo
 
PPTX
Domain 5 - Identity and Access Management
byMaganathin Veeraragaloo
 
PPTX
INFORMATION SECURITY
byAhmed Moussa
 
PDF
Cisco cybersecurity essentials chapter - 2
byMukesh Chinta
 
PPTX
Cloud security ppt
byVenkatesh Chary
 
PPTX
Access Controls
byprimeteacher32
 
PPT
Application Security
byflorinc
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
Access Control Presentation
byWajahat Rajab
 
Application Security - Your Success Depends on it
byWSO2
 
Cyber Security and Cloud Computing
byKeet Sugathadasa
 
DDoS Attack PPT by Nitin Bisht
byNitin Bisht
 
The CIA Triad - Assurance on Information Security
byBharath Rao
 
Cloud with Cyber Security
byNiki Upadhyay
 
Threat Intelligence
byDeepak Kumar (D3)
 
intrusion detection system (IDS)
byAj Maurya
 
Information security and Attacks
bySachin Darekar
 
Intrusion detection system ppt
bySheetal Verma
 
Secure software design
byAshis Kumar Chanda
 
Email Security and Awareness
bySanjiv Arora
 
Introduction to cyber security amos
byAmos Oyoo
 
Domain 5 - Identity and Access Management
byMaganathin Veeraragaloo
 
INFORMATION SECURITY
byAhmed Moussa
 
Cisco cybersecurity essentials chapter - 2
byMukesh Chinta
 
Cloud security ppt
byVenkatesh Chary
 
Access Controls
byprimeteacher32
 
Application Security
byflorinc
 

Viewers also liked

PDF
Security Design Patterns
byAung Khant
 
PPT
Web Security Patterns - Jazoon 2010 - Zurich
byjavagroup2006
 
PPS
Introducing Msd
byAung Khant
 
PPT
Software System Engineering - Chapter 11
byFadhil Ismail
 
PDF
SoSPa: A System of Security Patterns for engineering Secure Systems
byPhu H. Nguyen
 
PDF
Choose'10: Stephane Ducasse - Powerful DSL engineering in Smalltalk
byCHOOSE
 
PDF
Short Gamestop
bySagehenCapitalManagement
 
PDF
A Systematic Review of Model-Driven Security
byPhu H. Nguyen
 
PDF
Patterns and Antipatterns in Enterprise Security
byWSO2
 
PPT
3. security architecture and models
by7wounders
 
PDF
Integration patterns and practices for cloud and mobile computing
bySHAKIL AKHTAR
 
PPSX
2 Security Architecture+Design
byAlfred Ouyang
 
PPTX
J2ee architecture
byErencan Özkan
 
PDF
Enterprise Security Architecture
byPriyanka Aash
 
PPTX
Security models for security architecture
byVladimir Jirasek
 
PPTX
Security architecture frameworks
byJohn Arnold
 
PPT
Connected Retail Reference Architecture
byWSO2
 
PDF
Patterns of Enterprise Application Architecture (by example)
byPaulo Gandra de Sousa
 
PDF
Retail Industry Analysis 2013
byPropane Studio
 
PDF
Enterprise Security Architecture
byKris Kimmerle
 
Security Design Patterns
byAung Khant
 
Web Security Patterns - Jazoon 2010 - Zurich
byjavagroup2006
 
Introducing Msd
byAung Khant
 
Software System Engineering - Chapter 11
byFadhil Ismail
 
SoSPa: A System of Security Patterns for engineering Secure Systems
byPhu H. Nguyen
 
Choose'10: Stephane Ducasse - Powerful DSL engineering in Smalltalk
byCHOOSE
 
Short Gamestop
bySagehenCapitalManagement
 
A Systematic Review of Model-Driven Security
byPhu H. Nguyen
 
Patterns and Antipatterns in Enterprise Security
byWSO2
 
3. security architecture and models
by7wounders
 
Integration patterns and practices for cloud and mobile computing
bySHAKIL AKHTAR
 
2 Security Architecture+Design
byAlfred Ouyang
 
J2ee architecture
byErencan Özkan
 
Enterprise Security Architecture
byPriyanka Aash
 
Security models for security architecture
byVladimir Jirasek
 
Security architecture frameworks
byJohn Arnold
 
Connected Retail Reference Architecture
byWSO2
 
Patterns of Enterprise Application Architecture (by example)
byPaulo Gandra de Sousa
 
Retail Industry Analysis 2013
byPropane Studio
 
Enterprise Security Architecture
byKris Kimmerle
 

Similar to Security patterns and model driven architecture

PDF
Secure design best practices and design patterns
byIntopalo Digital Oy
 
PDF
SEIS 720 - Security Patterns Paper
byBrian Machart
 
PPTX
Architecting for Security Resilience
byJoel Aleburu
 
PDF
Security Patterns for Software Development
byNarudom Roongsiriwong, CISSP
 
PPTX
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
PPTX
Reinforcing Your Enterprise With Security Architectures
byUthaiyashankar
 
PPT
session on pattern oriented software architecture
bySUJOY SETT
 
PPTX
Enumerating software security design flaws throughout the ssdlc cosac - 201...
byJohn M. Willis
 
PPTX
Enumerating software security design flaws throughout the SSDLC
byJohn M. Willis
 
PPTX
Security architecture design patterns iltam 2018 - ofer rivlin
byOfer Rivlin, CISSP
 
PDF
Security Patterns: Research Direction, Metamodel, Application and Verification
byHironori Washizaki
 
PDF
DEPENDABLE WEB SERVICES SECURITY ARCHITECTURE DEVELOPMENT THEORETICAL AND PRA...
bycscpconf
 
PDF
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
PPTX
Application and Website Security -- Designer Edition: Using Formal Specificat...
byDaniel Owens
 
PDF
Designing Security Architecture Solutions 1st Edition Jay Ramachandran
bywohkwrtliu0660
 
PPT
Information assurance in a world of model driven architecture and service ori...
bybdemchak
 
ODP
CISSP Week 22
byjemtallon
 
PPTX
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
PDF
Requirements Engineering for Secure Software
byDr Sarika Jadhav
 
PPT
Software Security in the Real World
byMark Curphey
 
Secure design best practices and design patterns
byIntopalo Digital Oy
 
SEIS 720 - Security Patterns Paper
byBrian Machart
 
Architecting for Security Resilience
byJoel Aleburu
 
Security Patterns for Software Development
byNarudom Roongsiriwong, CISSP
 
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
Reinforcing Your Enterprise With Security Architectures
byUthaiyashankar
 
session on pattern oriented software architecture
bySUJOY SETT
 
Enumerating software security design flaws throughout the ssdlc cosac - 201...
byJohn M. Willis
 
Enumerating software security design flaws throughout the SSDLC
byJohn M. Willis
 
Security architecture design patterns iltam 2018 - ofer rivlin
byOfer Rivlin, CISSP
 
Security Patterns: Research Direction, Metamodel, Application and Verification
byHironori Washizaki
 
DEPENDABLE WEB SERVICES SECURITY ARCHITECTURE DEVELOPMENT THEORETICAL AND PRA...
bycscpconf
 
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
Application and Website Security -- Designer Edition: Using Formal Specificat...
byDaniel Owens
 
Designing Security Architecture Solutions 1st Edition Jay Ramachandran
bywohkwrtliu0660
 
Information assurance in a world of model driven architecture and service ori...
bybdemchak
 
CISSP Week 22
byjemtallon
 
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
Requirements Engineering for Secure Software
byDr Sarika Jadhav
 
Software Security in the Real World
byMark Curphey
 

More from bdemchak

PPTX
Cytoscape Network Visualization and Analysis
bybdemchak
 
PDF
The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...
bybdemchak
 
PDF
Cytoscape Cyberinfrastructure
bybdemchak
 
PDF
No More Silos! Cytoscape CI Enables Interoperability
bybdemchak
 
PPTX
Cytoscape CI Chapter 2
bybdemchak
 
PPT
Composable Chat Introduction
bybdemchak
 
PPT
Rich Services: Composable chat
bybdemchak
 
PPT
Ucsd tum workshop bd
bybdemchak
 
PPT
Rich Feeds for RESCUE and PALMS
bybdemchak
 
PPT
Iscram 2008 presentation
bybdemchak
 
PPT
Rich feeds policy, the cloud, and CAP
bybdemchak
 
PPT
Rich services to the Rescue
bybdemchak
 
PPTX
Hicss 2012 presentation
bybdemchak
 
PPTX
Policy 2012 presentation
bybdemchak
 
PPT
Rich feeds for rescue an integration story
bybdemchak
 
PPT
Background scenario drivers and critical issues with a focus on technology ...
bybdemchak
 
PPT
Rich feeds for rescue, palms cyberinfrastructure integration stories
bybdemchak
 
PPT
Data quality and uncertainty visualization
bybdemchak
 
PPTX
Web programming in clojure
bybdemchak
 
PPTX
Structure and interpretation of computer programs modularity, objects, and ...
bybdemchak
 
Cytoscape Network Visualization and Analysis
bybdemchak
 
The New CyREST: Economical Delivery of Complex, Reproducible Network Biology ...
bybdemchak
 
Cytoscape Cyberinfrastructure
bybdemchak
 
No More Silos! Cytoscape CI Enables Interoperability
bybdemchak
 
Cytoscape CI Chapter 2
bybdemchak
 
Composable Chat Introduction
bybdemchak
 
Rich Services: Composable chat
bybdemchak
 
Ucsd tum workshop bd
bybdemchak
 
Rich Feeds for RESCUE and PALMS
bybdemchak
 
Iscram 2008 presentation
bybdemchak
 
Rich feeds policy, the cloud, and CAP
bybdemchak
 
Rich services to the Rescue
bybdemchak
 
Hicss 2012 presentation
bybdemchak
 
Policy 2012 presentation
bybdemchak
 
Rich feeds for rescue an integration story
bybdemchak
 
Background scenario drivers and critical issues with a focus on technology ...
bybdemchak
 
Rich feeds for rescue, palms cyberinfrastructure integration stories
bybdemchak
 
Data quality and uncertainty visualization
bybdemchak
 
Web programming in clojure
bybdemchak
 
Structure and interpretation of computer programs modularity, objects, and ...
bybdemchak
 

Recently uploaded

DOCX
Comprehensive Guide to SharePoint Consulting Services – Benefits, Process, an...
bySharepoint Designs
 
PPTX
Safe Confined Space Entry Monitoring_ Singapore Experts.pptx
byprasadexiga0
 
PPTX
Integrated Billing, Accounting & Inventory Solution for MSMEs
byMoving Cloud
 
PDF
Making sense of AWS Serverless operations- AWS Community Day CEE 2025
byVadym Kazulkin
 
PDF
Security Architecture Views the FDA Expects — And How to Get Them Right
byICS
 
PDF
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
PDF
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 
DOCX
Best Tableau Alternatives for Data Analytics and Reporting.docx
byVarsha Nayak
 
PDF
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 
PDF
The new Volto Form Block, Plone Conference 2025
byRob Gietema
 
PPTX
Financial Literacy for Software Developers
byBalanathanVirupasan
 
PDF
898975372-Leaving-Legacy-Software-Behind-a-Modern-Migration-Roadmap.pdf
byKsoft Technologies
 
PDF
Driving Stress Detection Using Multimodal CNN with Nonlinear Representation o...
byPranjal Kumar
 
PDF
Best Tableau Alternatives for Data Analytics and Reporting.pdf
byVarsha Nayak
 
PDF
Autowiring all the things! - DrupalCon Vienna 2025 - Luca Lusso, SparkFabrik
bysparkfabrik
 
PDF
The Rise of AI Agents: Powering the Next Industrial Era
byMaxim Salnikov
 
PDF
VADY Smart Data Flow – Automated Data Insights for Scalable Enterprise Decisions
byNewFangledVision
 
PDF
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
PDF
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
PDF
Privacy-first in-browser Generative AI web apps: offline-ready, future-proof,...
byMaxim Salnikov
 
Comprehensive Guide to SharePoint Consulting Services – Benefits, Process, an...
bySharepoint Designs
 
Safe Confined Space Entry Monitoring_ Singapore Experts.pptx
byprasadexiga0
 
Integrated Billing, Accounting & Inventory Solution for MSMEs
byMoving Cloud
 
Making sense of AWS Serverless operations- AWS Community Day CEE 2025
byVadym Kazulkin
 
Security Architecture Views the FDA Expects — And How to Get Them Right
byICS
 
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
ASTC Conference 2025 - Bridging the Gap!
byGareth Oakes
 
Best Tableau Alternatives for Data Analytics and Reporting.docx
byVarsha Nayak
 
Ensuring Regulatory Excellence with Insurance Compliance Software
byInsurance Tech Services
 
The new Volto Form Block, Plone Conference 2025
byRob Gietema
 
Financial Literacy for Software Developers
byBalanathanVirupasan
 
898975372-Leaving-Legacy-Software-Behind-a-Modern-Migration-Roadmap.pdf
byKsoft Technologies
 
Driving Stress Detection Using Multimodal CNN with Nonlinear Representation o...
byPranjal Kumar
 
Best Tableau Alternatives for Data Analytics and Reporting.pdf
byVarsha Nayak
 
Autowiring all the things! - DrupalCon Vienna 2025 - Luca Lusso, SparkFabrik
bysparkfabrik
 
The Rise of AI Agents: Powering the Next Industrial Era
byMaxim Salnikov
 
VADY Smart Data Flow – Automated Data Insights for Scalable Enterprise Decisions
byNewFangledVision
 
VADY Data Analytics Solutions – Effortless AI-Powered Decision-Making for Eve...
byNewFangledVision
 
Austin Marketo User Group: Ground Control 2 MOPS: AI-Ignite your Map
bybbedford2
 
Privacy-first in-browser Generative AI web apps: offline-ready, future-proof,...
byMaxim Salnikov
 

Security patterns and model driven architecture

  • 1.
  • 2.
  • 3.
    Security Patterns and Model DrivenArchitecture UC San Diego CSE 294 Fall Quarter 2006 Barry Demchak
  • 4.
    Papers to Review Using Security Patterns to Model and Analyze Security Requirements (Betty Cheng et al, Michigan State University) [~2000]  A Study of Security Architecture Patterns (Rosado et al, University of Castilla-La Mancha) [2006]  Integration of Security Patterns in Software Models based on Semantic Descriptions (Diego Ray, University of Malaga) [2003]
  • 5.
    The Big Problem Security requirements and solutions  “The application should do blah-blah, blah-blah, and blah-blah. It should do them like this: blah- blah-blah.”  And it should be fast, reliable, and secure.  Security is a value, not an engineering goal  Security is a non-functional requirement  Irregular and haphazard application of security measures leads to insecure systems
  • 6.
    Evidence of theProblem  “Thousands of Brits fall victim to data theft” -- October 10, 2006 New York Times  “Medicare and Medicaid Security Gaps Are Found” -- October 8, 2006 New York Times  “U.S. and Europe Agree on Passenger Data” -- October 6, 2006 New York Times  Is AJAX secure? -- October, 2006 SQL Magazine
  • 7.
  • 8.
    Preview – thePlayers and their Parts  Cheng – Pattern definition  Rosado – Pattern enumeration and evaluation  Ray – Future directions
  • 9.
    Patterns  Patterns area tool for managing complexity  Describe technical solutions in context of business problems  Patterns are prescriptive – tell you what to do  Each pattern represents a decision that must be made and considerations that go into that decision  Patterns facilitate communication  Form common vocabulary among experts and non- experts  Patterns are a tool to capture expertise  Patterns can increase the degree of corporate knowledge capture and transfer
  • 10.
    What is aPattern? A pattern for software architecture describes a particular recurring design problem that arises in specific design contexts, and presents a well-proven generic scheme for its solution. The solution scheme is specified by describing its constituent components, their responsibilities and relationships, and the ways in which they collaborate. [POSA96]
  • 11.
    MVC  Context &Problem  Application data needs to be maintained and presented via the user interface  Multiple different output formats need to be supported  Multiple different forms of input need to be supported  How to establish consistency?
  • 12.
    MVC  Solution:  Introduceseparate components for storing and processing of data (model), data presentation (view), and for handling input (controller)  The model represents the functional core; it registers dependent components (views and controllers) and notifies them about data changes  The view retrieves data from the model and displays it  The controller translates user input into events for the model; it may also change the UI to mirror data changes
  • 13.
    MVC: Example 0 20 40 60 80 100 120 140 160 180 200 a bc Series1 a b c a b c 60 30 10 50 30 20 80 10 10 a = 63% b = 23% c = 14% Model View Controller adapted from [M05]
  • 14.
  • 15.
  • 16.
     Consequences:  Decouplingof application data from presentation and input mechanism  Consistency of user interface and underlying data model  Increase of structural and dynamic complexity  Potential loss of performance MVC
  • 17.
    Pattern Information  Analysispatterns [Fowler: Analysis Patterns]  Design patterns [Gamma et al: Design Patterns]  Specification patterns [Dwyer et al: 2nd Workshop on Formal Methods in Software Engineering (1998)]
  • 18.
    Cheng’s Approach –The Problem  Security patterns lack comprehensive structure that conveys essential information essential to security engineering  Security cannot be verified
  • 19.
    The Solution  Investigatealternate templates for security patterns  Enable verification of requirements by adding formal constraints to patterns
  • 20.
    Security Patterns  Captureand convey information to facilitate “security engineering”  “Security” is subjective and environment- dependent  Extending normal patterns to security comes up short: behavior, security constraints, etc  Check essential security properties
  • 21.
    Objectives  Communication ofsecurity-specific knowledge in context of concrete application  Verification using UML formalization framework (Hydra) -> Promela (SPIN) -> Minerva
  • 22.
    Design Patterns –a launching point  Pattern Name and Classification  Intent  Also Known As  Motivation  Applicability – altered  Consequences - altered  Structure  Participants  Collaborations
  • 23.
    Changed Fields  Applicability– added application-level, host- level, or network-level security  Consequences – added set of consequences: accountability, confidentiality, integrity, availability, performance, cost, manageability, usability
  • 24.
    New Fields  Behavior– illustrate behavior and interaction using UML state and sequence diagrams  Constraints – global conditions that have to apply  Related Security Patterns – how it relates to other security patterns  Supported Security Principles – how it relates to each of the ten principles identified by Viega and McGraw
  • 25.
    Viega and McGrawPrinciples (aside) 1. Secure weakest link 2. Practice defense in depth 3. Fail securely 4. Principle of least privilege 5. Compartmentalize 6. Keep it simple 7. Promote privacy 8. Hiding secrets is hard 9. Be reluctant to trust 10. Use community resources
  • 26.
  • 27.
    Process for UsingSecurity Patterns
  • 28.
    Example – FaultyUML State Diagram
  • 29.
    Example - eBiz Requirement: Unauthorized access to system should not be possible, and it triggers a counter-measure
  • 30.
  • 31.
  • 32.
    Analysis of SecurityProperties  Checked Authorization, Check Point, and Single Access Point  Instantiated constraints using LTL -> SPIN  Iteratively verified/improved – errors visualized using Minerva as UML showing counterexamples
  • 33.
    Checkpoint Properties  CHK1– unauthorized access leads to counter- measure: □(p→(◊q))  (CP.grantaccess == 2)→(CM.triggered == 1)  CHK2 – integrity or confidentiality are uncompromised after denial: □(p→(qUr))  (CP.grantaccess == 2) →((ERG.success == 0) U (ERG.waiting == 0)  CHK3 – granted access leads to notify: □(p→(◊q)Ur)  (CP.grantaccess == 1) →((ERG.success == 1) U (ERG.waiting == 0)
  • 34.
    UML for CheckPoint Pattern
  • 35.
    Cheng Summary  Proposedrevised template for security  Combine previous UML formalizations with security patterns to produce rigorous analysis  Result: Reduction of error-prone post-design security modifications
  • 36.
    Cheng Futures  Incorporatesecurity beliefs into templates  Investigate how application domain affects security patterns  Use of timing information in specifying security patterns
  • 37.
    Rosado’s Approach --The Problem  Unsecure systems are everywhere, and are especially acute with connected systems  Security should be considered at all stages of system design and at all architectural levels  There is no comprehensive methodology for designing security-sensitive systems  Requirements difficult to model  Secure development expertise is rare
  • 38.
    The Solution  Securitypatterns encapsulate accumulated knowledge of secure systems design  Can be understood and used by non-security professionals  Degree of security in a pattern can be measured
  • 39.
    The Security PatternTemplate  Intent  Context  Problem  Description  Solution  Consequences  Known Uses  Related Patterns
  • 40.
    The Security PatternTemplate (vs Cheng et al)  Intent  Context  Problem  Description  Solution  Consequences  Known Uses  Related Patterns  Also known as  Structure  Participants  Collaborations  Supported security principles
  • 41.
    Patterns Presented  Authorization Role-Based Access Control  Multi-level Security  Reference Monitor  Virtual Address Space Access Control  Execution Domain  Single Access Point  Check Point  Session
  • 42.
    Patterns Presented Authorization Role-Based AccessControl Multi-level Security  Reference Monitor  Virtual Address Space Access Control  Execution Domain Single Access Point Check Point Session Limited View Full View with Errors
  • 43.
    Authorization Pattern  Intent:Who is authorized to access resource  Context: Active entities request resources whose access must be controlled  Problem: Access to secure objects needs to be explicitly protected
  • 44.
    Authorization Pattern –cont’d  Description: distinguish between active entities (subjects) and passive resources (protection objects)  Solution: Subject class, Object class, Rights class, and the relationship between them
  • 45.
    Authorization Pattern –cont’d  Consequences  Solution is independent of resources to be protected  Subjects: processes, users, roles, groups  Objects: transactions, memory, devices, files …  Access: reading, writing, execution, methods
  • 46.
    Authorization Pattern –cont’d  Known uses: access control in Unix, Windows, Oracle  Related patterns: RBAC is a specialization
  • 47.
    Role-Based Access ControlPattern  Intent: Control access based on role  Context: Access based on job or task  Solution: Extends Authorization so users are assigned roles, and roles have rights
  • 48.
    Multilevel Security Pattern Intent: Access under multiple levels of security class  Solution: Each subject ∈ some class, each resource ∈ some class, instances used to add levels of security  Consequences: Facilitates admin work for classification, maintenance of classification can be costly
  • 49.
    Reference Monitor Pattern Intent: All authorizations are fulfilled when process needs resource  Context: Multiprocess environment petitioning resources  Consequences: If all petitions are intercepted, rules can be observed. Implementation depends on resource, and performance suffers
  • 50.
    Virtual Address SpaceAccess Control Pattern  Intent: Control access by processes to specific memory using predefined access types  Context: Processes must share memory in controlled way; each process executes in own address space  Solution: Divide memory into segments, assign descriptors and allowed access types
  • 51.
    Execution Domain Pattern Intent: Define process environment indicating accessible resources the resource access privileges  Problem: Restrict process to use specific resources to prevent destruction that could interfere with other processes  Consequences: Resource mapped into address space, domain implementation not restricted, complex and needs hardware
  • 52.
    Session Pattern  Intent:Provide environment where user rights can be restricted and controlled  Description: Repository for global information access  Consequences: Session has privileges necessary to perform task, but insufficient to cause collateral damage
  • 53.
    Single Access PointPattern  Intent: Simple interface for communications with external entities  Solution: Single point of control (mediator) can coordinate policy implementation through Check Point pattern  Consequences: Can capture information, carry out authorization, and prevent undesirable data modification
  • 54.
    Check Point Pattern Intent: Check requests and take countermeasures  Solution: Analyze requests and messages, combines with Single Access Point pattern, applies current security policy  Consequences: Benefits confidentiality if operating properly and attacks can be detected. Complex checking slows system.
  • 55.
  • 56.
  • 57.
  • 58.
    Rosado’s Futures  Definemethod to specify flexible security architectures that can be easily adapted to systems with different security requirements  Guarantee security using security patterns
  • 59.
    Ray’s Approach –The Problem  Security and reliability not considered during initial stages of software development  Not part of standard procedures in development or maintenance of software
  • 60.
    The Solution  Createframework for semantic description and management of security properties and patterns  Given security requirements, define mechanisms to automate analysis of security- enhanced models  Define mechanism to guarantee that subsequent changes preserve security properties and patterns
  • 61.
    Security Awareness  25Years Ago: What is Security??  15 Years Ago: Security is a value-added service  Lately: Security must be built in
  • 62.
    Development Processes  Securityrequirements are often identified independently for each system component  Interdependencies are poorly understood  Big trouble  Pervasive computing  Ambient intelligence  Mobile services  Deploy isolated countermeasures (PKI, IDS, firewalls, symmetric encryption, etc)  No development process identifies security requirements apriori
  • 63.
    The Causes  Securityis a non-functional requirement  Security is both technical and social  Developers often lack background or interest in security  No consistent way of representing security at different levels of software description
  • 64.
    Add-on Security  Usuallya point solution  Different implementations of the add-on security cannot be compared (as to security properties)  Security mechanisms not congruent with system security requirements
  • 65.
    Where Are WeNow?  UML-based  Business process engineering  SecureUML integrates role-based access control policies into model-driven software development process  UMLsec proposes extending UML for security modeling, but addresses only a few security issues  Integrate UML into Tropos (ERP) methodology
  • 66.
    More UML … Use cases can describe special scenarios, but abuse cases are more instructive  UML Precise Group (PUML) investigating improving semantics  SEMPER (Secure Electronic Marketplace in Europe) studying e-commerce frameworks  COPS (Commercial Protocols and Services) studying infrastructure for market transactions  CASENET design and analysis of security protocols studying requirements specification during application development
  • 67.
    Where Next?  Useof formal methods in software engineering process  Develop formally proven solutions  Assist software engineers regarding gathering security requirements, integrating proven solutions, and validating against requirements
  • 68.
  • 69.
  • 70.
    Integrated Security Engineering Security solution  Adaptation to context  Analysis of consequences  Coherence
  • 71.
    Semantic Modeling  Securityprotocol as a series of semantic properties to be fulfilled  Level of security: confidential  Authentication is needed  … etc  Enables  Semantic categorization of patterns and libraries  Fitting patterns and libraries to context  Ferret out unhealthy interactions  Validate correctness of new patterns
  • 72.
  • 73.
    Comparison of Approaches Cheng et al  Improvement of attribute classifications of security patterns  UML + security patterns = rigorous analysis  Rosado  Exposing security patterns for common use  Classifying characteristics of security patterns  Ray  Semantic description of security patterns  Full development cycle supported by automation  Guarantee that protocols are maintained across development cycle
  • 74.
    Other Threads  Dr.Dobbs Journal  Scott Ambler on difficulty of marrying agile with security  Microsoft Systems Journal  November edition has 6 major stories  Threat modeling  Extending SDL – Documenting and Evaluating the Security Guarantees of Your Apps
  • 75.
    Bottom Line  Aretoday’s security patterns sufficient to guarantee secure systems?  Is security a cross-cutting issue?  How do we create secure-by-architecture designs? “For interesting research, head towards chaos” – Ingolf Krueger, 2005
  • 76.

Editor's Notes

  • #4 Define Model Driven Architecture: software design approach officially launched by the OMG in 2001 structures specifications as models define model as platform-independent Tie to a specific platform model to achieve a particular implementation OMG hopes it will be used for “forward engineering” Implies tools like UML, creation, analysis, transformations, testing, etc.
  • #8 Today’s problem is secure software …. IE?? … Firefox??? … Operating Systems??
  • #10 Give credit to Ingolf … refer to his Pattern lecture
  • #11 Give credit to Ingolf
  • #12 <number>
  • #13 <number>
  • #14 <number>
  • #15 <number>
  • #16 <number>
  • #17 <number>
  • #23 ² Applicability (Altered) : The Applicability field is important in determining if a pattern is applicable to a system; it describes circumstances and identifies assumptions under which the pattern should be applied or when an application is not beneficial. This field also indicates whether it addresses application-level, host-level, or network-level security. ² Behavior (Added) : To illustrate behavior and interaction more rigorously, UML state and sequence diagrams depict the behavioral aspects of a pattern. ² Constraints (Added) : The Constraints field contains global conditions that have to apply in order for the security pattern to achieve its intended goal. For example, the Single Access Point Pattern constraints describe that access to internal entities must be only possible through the single access points. If those constraints are violated, such as by a user using a dial-up connection from within the system to external entities, then the Single Access Point Pattern can no longer achieve its intended functionality, and therefore security. Additionally, it contains LTL constraints in the spirit of the specification patterns by Dwyer et al. [3] that should be satisfied after a pattern was applied. ² Consequences (Altered) : Altered to convey a set of possible consequences, defined in terms of security properties, including accountability, confidentiality, integrity, availability, performance, cost, manageability, and usability. (The identification of these properties were based on a set of properties identified by Kienzle [8]. For each security pattern, we describe how the pattern affects these properties.) ² Related Security Patterns (Added) : Describes a pattern’s relationships to other security patterns. ² Supported Principles (Added) : The Supported Principles field refers to the ten principles identified by Viega and McGraw [12] as being fundamental to the development of secure systems.1 Therefore, as a guide to the developer, we include a list of principles that are supported for each security pattern. Sample principles include, “secure the weakest link,” “practice defense in depth,” “fail securely,” etc.
  • #25 An example of a constraint: Single Access Point should fail if accessor is dialup
  • #27 To be noted: Pattern list, 10 principles, Purpose category, Abstraction level
  • #28 A: Construct a basic foundation in UML B: Use Hydra to perform consistency checks E: Specify Constraints for security patterns in LTL. Determine which parts of the system are relevant and should be checked. C: Generate Promela code and put it through SPIN D: Use Minerva to visualize counterexamples E: Specify Constraints for security patterns in LTL. Determine which parts of the system are relevant and should be checked.
  • #29 This is the Authorization class, run through SPIN, then visualized using Minerva. The fault was fixed, then class was rerun. Diagram shows that they inadvertently defined the wrong recipient (see highlighted transitions). Sender 3 should have specified recipient ==2 and recipient != 2. Instead it specified “1”, which had the effect of granting unauthorized access if sender 3 requested read access to recipient 1 … and sender 3 was not able to read from recipient 2 even though it had authorization.
  • #30 Single Point Access is protecting some particular resource Requests are generated and sent to Single Access Point class Single Access Point sends the request to the log and forwards the request to Checkpoint class Checkpoint class authorizes the request and accesses internal entity If authorization fails, it takes some countermeasure
  • #31 Checkpoint state machine in UML
  • #32 Explain equivalence classes and how they play into analysis
  • #34 Chk1: p then eventually q Chk2: p infers q until r Chk3: p infers eventually q until r
  • #44 The Authorization Pattern slides show all of the attributes. Subsequent slides show just a few.
  • #52 Danger in creating pattern descriptions: limiting it (hardware support), contradicting (Known uses: Java VM)
  • #53 Danger in creating pattern descriptions: limiting it (hardware support), contradicting (Known uses: Java VM)
  • #54 Danger in creating pattern descriptions: limiting it (hardware support), contradicting (Known uses: Java VM)
  • #56 Get crib notes showing each property meaning The patterns are good at access control, confidentiality. Some are OK at integrity and reliability. Fall down on error management, flexibility, and maintenance
  • #61 This is a manifesto Still requires semantic description of security properties
  • #63 Pile on top of that the issues of social context, IT environments, physical protection Ad-hoc approaches cannot support complete and rigorous treatment of security beginning from elicitation to implementation to maintenance It’s easy to see why system have security holes
  • #64 Hard to capture security with standard software design techniques
  • #65 Efficacy of point solution can’t be confirmed since the system isn’t fully described in the first place
  • #66 No comprehensive methodology in existence
  • #67 No winners … no consensus … not converging
  • #69 Provide methodologies and tools for a generation of systems with fully configured security infrastructures … starting as early as possible in the business process model Reusability is promoted through libraries and security service repositories Consistent with model-driven development
  • #71 Automated tools will support selection of a security solution, adaptation of solution to context, analysis of consequences of change, verification of coherence up and down the architecture stack Sees existing pattern descriptions as un-rigorous … wants to develop a rigorous pattern language
  • #72 Rich and precise semantic descriptions of patterns The result would be a library of security patterns … better than “best practices” Well-defined, automated-processing-enabled repository of security mechanisms
  • #74 Cheng is trying to reduce post-design errors by preventing them in the first place