MDA and Security
October 12, 2006
FAU Secure Systems Group
Patrick Morrison
Agenda
• Motivation for “MDA and Security”
• Secure Systems Methodology, with patterns
• A quick tour of MDA, in English this time
• Example Application
• MDA in the development lifecycle
• Evaluation Criteria
• Contributions
• Next Steps
The problem of Security
• “A good percentage of the software deployed in industrial/commercial applications is of poor quality, it is unnecessarily complex, and contains numerous flaws that can be exploited by attackers.”
• “We believe that the solution lies in developing secure software from the beginning, applying security principles along the whole life cycle…We see the use of patterns as a fundamental way, even for developers with little experience, to implicitly apply security principles.”
• [MDSSP, EBF et al.]
Secure Systems Methodology [MDSSP]
Stages and the security artefact each produces (from the diagram): Requirements: secure use cases; Analysis: authorization rules in the conceptual model; Design: rule enforcement through the architecture; Implementation: language enforcement. Security verification and testing (security test cases) runs across all four stages.
Stage / Tasks:
• Requirements: use case based role and attack analysis
• Analysis: authorized semantic analysis patterns
• Design: coordinated application of patterns to multiple architectural layers
• Implementation: MDA code generation
Methodology Patterns
Diagram of the patterns used by the methodology: SecureLayers, SecureFacade, SecureReflection, Application Conceptual Model, Policy Administration Point, Policy Information Point, Policy Decision Point, Policy Enforcement Point, Model View Controller, SecureAdapter, SecureBroker, Secure Enterprise Component Framework, Secure Web Services, SecureProxy, Authentication, Secure Channel, Secure Client Dispatcher Server, Secure Relational Database Mapping, Secure Operating System.
Relationships drawn between them: defineRules, enforceRules, decide, interact, transformInterface, distribute objects, consume/provide Services, implement business model, mapObjects, access Remote objects, support Software, secure Communication, establishConnection, authenticate, use.
Design (and other) patterns
• “A design pattern names, abstracts and identifies the key aspects of a common design structure that makes it useful for creating a reusable object-oriented design” [GOF, pg 3]
The promise of MDA
• By using “precise but abstract and graphical representations of algorithms, MDA allows the construction of computing systems from models that can be understood much more quickly and deeply than can programming language ‘code’” [MDAD, pg. xiv].
The Question(s)
• Can MDA be applied to the design and construction of secure systems?
• To what degree is it now possible to work in terms of high-level models rather than code?
• Does MDA allow for the creation and reuse of generic models?
• Does MDA reduce the amount of low-level work that needs to be done?
Combining Patterns, Security and MDA: SOUPCAN
• Secure grOUP Chat Application for Networks
• Provide invitation-only chat rooms with secure communications, allowing participants to form “cliques” in order to gossip, plan wars, etc…
• Example of using the secure systems methodology with MDA
SOUPCAN
• Requirements chosen to facilitate use of existing security patterns, e.g. Reference Monitor, Authenticator, Authorizer, Credentials, Secure Broker
• (Hopefully) Small enough to be implementable
• (Hopefully) Large enough to illustrate issues in application of MDA, Secure Systems with Patterns Methodology.
Lifecycle Step: Analysis
• Process: Evaluate requirements, identify use cases, high-level structure, apply patterns where appropriate
• Results: Application model containing UML Use Case and Class diagrams
SOUPCAN Use Cases
• UML built with MagicDraw
• Stored as XMI data
• Excerpt:

```xml
<UML:Actor xmi.id="249272_1" name="Host" />
<UML:Actor xmi.id="940417_17" name="Participant" />
<UML:Actor xmi.id="448524_33" name="Administrator" />
<UML:UseCase xmi.id="949209_49" name="Administration" />
<UML:UseCase xmi.id="838290_60" name="Invitation" />
<UML:UseCase xmi.id="896208_71" name="Registration" />
<UML:UseCase xmi.id="428793_82" name="Chat" />
<UML:Association xmi.id="975434_95">
  <UML:Association.connection>
    <UML:AssociationEnd xmi.id="250191_93" isNavigable="true" participant="249272_1" />
    <UML:AssociationEnd xmi.id="742224_94" isNavigable="true" participant="838290_60" />
  </UML:Association.connection>
</UML:Association>
```
Lifecycle Step: Design
• Process: Develop class and sequence diagrams which implement the Use Cases, apply patterns where appropriate
• Results: Application and Security models containing UML Class and sequence diagrams
SOUPCAN Class Diagram
SOUPCAN Class Diagram
It’s (Secure) Broker!
Architectural concerns for implementing Secure Broker
Diagram (from MDSSP): Secure Broker, with Client Dispatcher Server (implementAs), and the pattern that addresses each concern: SecureChannel (confidentiality), Authentication (authentication), AccessMatrix and RBAC (authorization), ReferenceMonitor (enforces the authorization rules), DigitalSignature (non-repudiation).
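An added example, not code from the slides or from SOUPCAN: it reads a constructed XMI fragment shaped like the use-case excerpt above, derives the actor-to-use-case authorization matrix that the Analysis stage asks for, and enforces it with a small default-deny reference monitor of the kind the Secure Broker concerns above call for. The wrapping root element, the XMI namespace declaration, and the second (Participant to Chat) association are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed input: the slide's SOUPCAN use-case excerpt, wrapped in a root element
# carrying the XMI 1.x UML namespace (assumed; a full MagicDraw export declares it),
# plus one association (Participant -> Chat) added so the matrix has two rows.
XMI = """<XMI xmlns:UML="org.omg.xmi.namespace.UML">
<UML:Actor xmi.id="249272_1" name="Host"/>
<UML:Actor xmi.id="940417_17" name="Participant"/>
<UML:Actor xmi.id="448524_33" name="Administrator"/>
<UML:UseCase xmi.id="949209_49" name="Administration"/>
<UML:UseCase xmi.id="838290_60" name="Invitation"/>
<UML:UseCase xmi.id="896208_71" name="Registration"/>
<UML:UseCase xmi.id="428793_82" name="Chat"/>
<UML:Association xmi.id="975434_95"><UML:Association.connection>
<UML:AssociationEnd xmi.id="250191_93" isNavigable="true" participant="249272_1"/>
<UML:AssociationEnd xmi.id="742224_94" isNavigable="true" participant="838290_60"/>
</UML:Association.connection></UML:Association>
<UML:Association xmi.id="added_1"><UML:Association.connection>
<UML:AssociationEnd xmi.id="added_2" isNavigable="true" participant="940417_17"/>
<UML:AssociationEnd xmi.id="added_3" isNavigable="true" participant="428793_82"/>
</UML:Association.connection></UML:Association>
</XMI>"""
NS = {"UML": "org.omg.xmi.namespace.UML"}

def access_matrix(xmi_text):
    """Map each actor name to the set of use cases it is associated with.
    Actors with no association get an empty set: no rule in the model, no access."""
    root = ET.fromstring(xmi_text)
    actors = {a.get("xmi.id"): a.get("name") for a in root.findall(".//UML:Actor", NS)}
    cases = {u.get("xmi.id"): u.get("name") for u in root.findall(".//UML:UseCase", NS)}
    matrix = {name: set() for name in actors.values()}
    for assoc in root.findall(".//UML:Association", NS):
        ends = [e.get("participant") for e in assoc.findall(".//UML:AssociationEnd", NS)]
        for actor_id in (p for p in ends if p in actors):
            for case_id in (p for p in ends if p in cases):
                matrix[actors[actor_id]].add(cases[case_id])
    return matrix

class ReferenceMonitor:
    """Mediates every request against the matrix; anything not listed is denied."""
    def __init__(self, matrix):
        self.matrix = matrix
        self.audit = []  # (role, use case, decision): the trail a Secure Broker would log
    def check(self, role, use_case):
        allowed = use_case in self.matrix.get(role, set())  # unknown role -> deny
        self.audit.append((role, use_case, "ALLOW" if allowed else "DENY"))
        return allowed
```

Because the matrix is computed from the model, changing an association in MagicDraw changes what the monitor allows, which is the model-to-code correlation the Evaluation slide asks about.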
Lifecycle Step: Implementation
• Process: Select a platform and platform model, make connections between the design and the platform, via the platform model
• Selected: MagicDraw, androMDA, C#, ASP.NET, Visual Studio, nHibernate, …
• Results: Code generated from the models
Implementation Details…

androMDA run log:

```text
:32,997 - discovering namespaces -
:34,440 found namespace --> 'aspdotnet'
:34,440 + registering component 'cartridge'
:34,870 + registering component 'metafacades'
:35,331 + registering component 'profile'
:40,628 found namespace --> 'uml-1.4'
:40,628 + registering component 'metafacades'
:41,960 + registering component 'profile'
:42,000 found namespace --> 'validation'
:42,010 + registering component 'translation-library'
:53,948 - core initialization complete: 22.373[s] -
:54,568 loading model --> 'file:C://TimeTracker.Model.xmi'
:58,905 referenced model --> 'jar:file:/uml14/profile/profile-.xml'
:59,045 referenced model --> 'profile-datatype.xml'
:59,285 referenced model --> 'profile-service.xml'
:59,445 referenced model --> 'profile-process.xml'
:59,576 referenced model --> 'profile-presentation.xml'
:59,746 referenced model --> 'profile-meta.xml'
:59,866 referenced model --> 'profile-xml.xml'
:59,986 referenced model --> 'andromda-profile-persistence.xml'
:01,118 - loading complete: 7.13[s] -
:01,118 - validating model -
:06,175 - validation complete: 5.057[s] -
:07,076 INFO [AndroMDA:cs] Output: 'file:/C:../TimeTracker/VO/UserVO.cs'
```

Generated value object (excerpt):

```csharp
// Name: UserVO.cs
// Attention: Generated code! Do not modify by hand! (I did anyway)
// Generated by: ValueObject.vsl in andromda-cs-cartridge.
using System;

namespace Northwind.TimeTracker.VO
{
    [Serializable]
    public class UserVO
    {
        #region Attributes and Associations
        private long _id;
        private String _userName;
        private String[] _roles;
        #endregion

        #region Constructors
        public UserVO(long id, String userName, String[] roles)
        {
            this._id = id;
            this._userName = userName;
            this._roles = roles;
        }
        …
```
Mapping…
Evaluation
• Does the generated code implement the design? Can users of the system chat?
• How secure is the system? Is it correlated to the design models?
• How independent are the Application, Security and Platform models? Can, for example, the Security model be reused with a different application model? With a different platform model?
• Does MDA keep its promise? How much programming language coding needs to be done?
Contributions
• A UML Model for security, based on patterns
• A worked example of the Secure Systems Methodology, through Analysis, Design and Implementation.
• A worked example of MDA development
• Description of a tool chain for building MDA applications (MagicDraw, androMDA, Visual Studio 2005, etc)
• An example application, with requirements and design.
Next Steps…
• Complete design of SOUPCAN
• Split design into separate Application and security models, link them
• Document experiences, issues with using the current tools