Serenity Project: Security in Software Engineering


Upload: francisco-cid

Post on 12-Jul-2015


TRANSCRIPT

Page 1: Serenity Project: Security in Software Enginering
Page 2: Serenity Project: Security in Software Enginering

Part 3: Security in Software Engineering

Security-aware Software Engineering Processes

Creation of Secure Applications

Francisco Sánchez Cid, Project Manager

Instituto Tecnologico de Informatica

Valencia (Spain)

Page 3: Serenity Project: Security in Software Enginering

“..If we can certify that we have a secure software development life-cycle we stand to increase our overall revenue with clients from 10-20%.” (Our Chief Software Architect)

• Actually utilizing our methodology as a competitive advantage! WOW!

• Unit, integration, and acceptance tests and their automation mean you can actually certify that your software is reasonably secure, at least for what you’re testing for

We all agree:

• Indirectly, SE has a big impact on our ability to deliver and maintain applications

… but can a methodology be a direct revenue generator?

E.g. system for olive classification in Spain

Page 4: Serenity Project: Security in Software Enginering

All right. This approach seems to work fine for 90% of the applications we develop, but… what about the other 10%?

• For this 10% of applications we do not only have security requirements, but also:

o These requirements evolve as time goes by

o The operational context is unpredictable or uncertain

o We don’t want the app to be tightly coupled to a specific solution

o E.g. Digital Signature Applet

• Just one way out:

o Identify and develop generic solutions

o Use a model to represent the solutions

o Link generic solutions to specific implementations

o Once a solution is selected, monitor its validity over time

… Kind of Model Driven Engineering? Let’s have a look at it

Page 5: Serenity Project: Security in Software Enginering

Security-aware

Software Engineering Processes

Page 6: Serenity Project: Security in Software Enginering

• Current technology challenges

• Model Driven Engineering comes to help

– Models

– Model Driven Architecture

– MDA and Security

• Model transformations

– What is a transformation

– Example

• Conclusions

Security Aware Software Engineering Process

Page 7: Serenity Project: Security in Software Enginering

Current technology challenges

• Current applications are tightly coupled to underlying technologies

– The investment made in their development is at risk due to this dependence

• Many different platforms and technologies

– Distributed objects, components, web services…

– Not interoperable

– No reuse (at least if they are not correctly designed)

• Very fast evolution

– New technologies appear every day

– Old technologies disappear

– How to protect the investment in business logic?

Page 8: Serenity Project: Security in Software Enginering

• Current technology challenges

• Model Driven Engineering comes to help

– Models

– Model Driven Architecture

– MDA and Security

• Model transformations

– What is a transformation

– Example

• Conclusions

Security Aware Software Engineering Process

Page 9: Serenity Project: Security in Software Enginering

MDE as opposed to OO

Object Oriented Design: everything is an object

Model Driven Engineering: everything is a model

[Class diagram “MDE vs OO”: in OO, an Instance is instanceOf a Class, which inheritsFrom a SuperClass; in MDE, a System is representedBy a Model, which conformsTo a Meta-Model]

The relations in these approaches clearly differ

Page 10: Serenity Project: Security in Software Enginering

Model Driven Engineering (MDE)

• Approach to software development based on models and on model transformations

– Current approaches are based on objects, programs and compilers

• MDE implies the (semi-)automated generation of implementations from models

• Modelling languages are key to MDE

– Model transformation languages are also modelling languages

– Models conform to meta-models

• MDA is the OMG’s proposal for MDE, using OMG standards

– MOF, UML, OCL, XMI, QVT

– MOF and UML allow the definition of new families of languages

Page 11: Serenity Project: Security in Software Enginering

What is a model ?

• A description of (part of) a system written in a well-defined language (Equivalent to specification) [Kleppe, 2003]

• A description or specification of the system and its environment for some certain purpose. A model is often presented as a combination of drawings and text [MDA Guide, 2003]

Page 12: Serenity Project: Security in Software Enginering

[Sequence diagram “Activate Pattern”. Participants: Application, S&D Manager, Event Manager, S&D Query, Runtime S&D Library, Context Manager. Messages: 1: Request Class(); 2: Get Context(); 3: Send Context(); 4: Get Available Patterns(); 5: Build Query(); 6: Query For Patterns(); 7: Return Patterns(); 8: Return Patterns(); 9: Choose Pattern(); 10: Update Context(); 13: Send Implementation Handler]

[Class diagram “Metamodelo” (meta-model). Elements: S&DClass, S&DPattern, S&DImplementation, Application, S&DArtefact, S&DSolution, S&DProperty, S&DRequirement, ExecutableComponent. Relations, with the Spanish labels translated: Tiene (Has), Securiza (Secures), RefersTo, Requiere (Requires), Proporciona (Provides), Representa (Represents), Implementa (Implements), Pertenece-A (Belongs-To)]

Models in software

• “...Bubbles and arrows, as opposed to programs, never crash.” [B. Meyer, 1997]

• The problem is to maintain the link between models and source code

[Class diagram “SampleApplicationIM”: EmailSystem, CommunicationSystem, EmailDB, AccessControl, GUI, with a «Securizes» relation to the «S&DPattern» smartCardAuthentication.UMA.es]

Code fragment shown on the slide, the Java behind the model:

    public class ActiveMonitoringManager extends Observable {
        private static MonitoringServiceIF monitoringAccess;
        private Hashtable<String, MonitorInfo> activeMonitors;
        private static ActiveMonitoringManager mManager = getInstance();
        // ... (rest of the class not shown on the slide)
    }

Page 13: Serenity Project: Security in Software Enginering

Limitations of models (in SE)

• Models are used only as documentation (if the system is documented at all)

• “Gap” between the model and the implementation of the system

– Semantic gap between the respective languages

– Changes in the model are not reflected in the code

– Changes in the code are not reflected in the model (the model is thrown away after the first implementation, and never updated or used again)

• No “merge” of models (though some tools actually help)

– Unrelated views of a system (horizontal)

– Unrelated towers of models (vertical)

• No model “transformations”

– Few defined transformation languages

– No tools

• We are still far behind more mature engineering industries, such as aerospace, automotive and electrical engineering...

• ...Even hardware design is ahead of software design!

Page 14: Serenity Project: Security in Software Enginering

Kinds of SE models

• Depending on:

– The phase of the project: analysis models, design models, ...

– The level of detail: high level models, low level models (implementations)

– The view of the system: business models, software architecture models, deployment models, ...

– The aspect they focus on: structural models, behavioural models, QoS models, ...

– The level of technology independence: Computation Independent Models, Platform Independent Models, Platform Specific Models

– The particular target platform: J2EE, .NET, CORBA, EDOC, ...

Page 15: Serenity Project: Security in Software Enginering

MDA: OMG’s Four-layer metamodel architecture

• M3: MOF (Meta Object Facility), used to describe meta-models

• M2: meta-models, used to describe modelling languages

• M1: models, used to describe applications

• M0: instances of applications

Page 16: Serenity Project: Security in Software Enginering

Example

Page 17: Serenity Project: Security in Software Enginering

Example

Page 18: Serenity Project: Security in Software Enginering

MDA Models (M1)

• Computation Independent Model (CIM)

– A view of a system from the computation independent viewpoint

– A CIM focuses on the system and its environment; the details of the structure of the system are hidden or as yet undetermined

– A CIM is sometimes called a domain model or a business model, and is specified using a vocabulary that is familiar to the practitioners of the domain in question

– It may hide much or all information about the use of automated data processing systems

• Platform Independent Model (PIM)

– A platform independent model is a view of a system from the platform independent viewpoint

– A PIM exhibits platform independence and is suitable for use with a number of different platforms of similar type

• Platform Specific Model (PSM)

– A platform specific model is a view of a system from the platform specific viewpoint

– A PSM combines the specifications in the PIM with the details that specify how that system uses a particular type of platform

• Platform Model (PM)

– A platform model provides a set of technical concepts, representing the different kinds of parts that make up a platform and the services provided by that platform

– It also provides, for use in a platform specific model, concepts representing the different kinds of elements to be used in specifying the use of the platform by an application

Page 19: Serenity Project: Security in Software Enginering

Examples of MDA models

• CIM

– Use case models capturing the system requirements

• PIM

– The software architecture of the system, which describes how the functionality of the system is decomposed into (architectural) components and connectors

• PSM

– A model of the J2EE implementation of the system, expressed using the EJB profile, that describes how the (architectural) components need to be implemented by EJBs

• Platform Model (Code)

– The EJBs themselves, their configuration files, etc., ready to be deployed

Page 20: Serenity Project: Security in Software Enginering

• Current technology challenges

• Model Driven Engineering comes to help

– Models

– Model Driven Architecture

– MDA and Security

• Model transformations

– What is a transformation

– Example

• Conclusions

Security Aware Software Engineering Process

Page 21: Serenity Project: Security in Software Enginering

Model Driven Security (D. Basin)

• It is an extension of MDA

[Diagram: a SystemModel (classes A, B) plus a SecurityModel (e.g. «secumlRole» Customer, «secumlPermission») go through a ModelTransformation plus extensions to produce the TargetSystem plus the SecurityInfrastructure (RBAC, assertions, etc.)]

Page 22: Serenity Project: Security in Software Enginering

Model Driven Security

• Three UML extensions

– ComponentUML, a class based language for data modelling

– ControllerUML, for modelling system behaviour evolution

– SecureUML, for modelling secure systems based on RBAC

• Confidentiality and Integrity are modelled using RBAC

• They are composed into Security Languages for modelling design and security

• Only for class, sequence and state chart diagrams

Page 23: Serenity Project: Security in Software Enginering

Model Driven Security

[Same bullets as page 22; callout on the diagram: Resources]

Page 24: Serenity Project: Security in Software Enginering

Model Driven Security

[Same bullets as page 22; callout on the diagram: Security Requirements]

Page 25: Serenity Project: Security in Software Enginering

• A Security Design Language glues the two languages together

• Each language is equipped with an abstract and concrete syntax, semantics, and a technology dependent translation function

• The Dialect bridges the design language with the security language by identifying which design elements are protected resources

[Diagram “Security Design Language”: Security Modelling Language (SecureUML) + Dialect + System Design Modelling Language (ComponentUML, ControllerUML)]

Model Driven Security

Page 26: Serenity Project: Security in Software Enginering

• Example

There is an implementation of this on top of the ArcStyler MDA tool

Model Driven Security

Page 27: Serenity Project: Security in Software Enginering

• Current technology challenges

• Model Driven Engineering comes to help

– Models

– Model Driven Architecture

– MDA and Security

• Model transformations

– What is a transformation

– Example

• Conclusions

Security Aware Software Engineering Process

Page 28: Serenity Project: Security in Software Enginering

Model transformation

• Model transformation is the process of converting one model to another model of the same system

• The MDA pattern includes (at least): a PIM, a Platform Model, a Transformation, and a PSM

• Useful to

– Mark models

– Transform meta-models

– Merge models

– Include information in models

Page 29: Serenity Project: Security in Software Enginering

Examples of MDA transformations

Transformations are everywhere…

Page 30: Serenity Project: Security in Software Enginering

Examples of MDA transformations: GMF

Although not specific for security, a representative technology…

Page 31: Serenity Project: Security in Software Enginering

[GMF domain model (class diagram): a Diagram is composed of Graphical Elements and Links, each Link having a source and a target element (0..*); Sequence with Start, End and Activity; Form with FormItems, StaticItem and DynamicItem, TextArea, TextField, URL, Label]

GMF: first, the model

E.g. design of workflows for public administration

Page 32: Serenity Project: Security in Software Enginering

GMF: then, the mapping

Page 33: Serenity Project: Security in Software Enginering

GMF: and eventually, generate…

Page 34: Serenity Project: Security in Software Enginering

• Current technology challenges

• Model Driven Engineering comes to help

– Models

– Model Driven Architecture

– MDA and Security

• Model transformations

– What is a transformation

– Example

• Conclusions

Security Aware Software Engineering Process

Page 35: Serenity Project: Security in Software Enginering

Conclusions to MDA

• MDA seems to be the right way to go

– Conceptually clean and well defined

– Protects investment and IP by separating the business model from the supporting technologies

• But there is still a long way ahead

• There are more or less mature approaches to the development of security systems using MDA

– Based on security policies and RBAC

• Research is required

• MDD (and MDA) looks very promising

Honestly, do you really think that only by drawing three boxes and a couple of lines you will get all your application code?

• MDA is not the panacea

“No manual coding” is not 100% achievable in general

It is important to identify the domains in which MDA can be effectively used

For the time being, tools are not mature

Page 36: Serenity Project: Security in Software Enginering

Part 3: Security in Software Engineering

Security-aware Software Engineering Processes

Creation of Secure Applications

Francisco Sánchez Cid, Project Manager

Instituto Tecnologico de Informatica

Valencia (Spain)

Page 37: Serenity Project: Security in Software Enginering

Creation of Secure Applications

Page 38: Serenity Project: Security in Software Enginering

Creation of Secure Applications

Differences between current secure software development and the SERENITY approach

SERENITY applications life cycle

Developing SERENITY applications

Using Java to develop SERENITY applications

Run-time support

Advantages of the SERENITY approach

Page 39: Serenity Project: Security in Software Enginering

When Developing applications…

• Most current approaches to software development are based on an iterative and incremental process

Page 40: Serenity Project: Security in Software Enginering

How does it fit in Agile Development…

[Diagram: sprint cycle Requirements, Planning, Design, Development, with a separate Security box]

A specific security engineering activity in every sprint? Not really agile

Page 41: Serenity Project: Security in Software Enginering

How does it fit in Agile Development…

[Diagram: the same sprint cycle (Requirements, Planning, Design, Development) with Security Risk Management attached: check against the threat model, identify the properties/threats, decide the controls; supposed to leave a residual risk]

Page 42: Serenity Project: Security in Software Enginering

How does it fit in Agile Development… in fact

[Diagram: Sprint Planning: threat analysis for the largest risks, then detailed threat analysis; decide on the controls: address the threat (new sprint backlog) or postpone the work (new product backlog); Sprint Review: approve the residual risk]

• For this to work:

• The Scrum team does need to be somehow aware of security engineering and software security issues.

• Security specialists should be on call.

Page 43: Serenity Project: Security in Software Enginering

Security aspects of applications

• Usually, security requirements are treated like the rest of the requirements

– Security is not a functional requirement

• It is difficult to implement

• It is difficult to trace during the project

• Security is always orthogonal. We may talk of perspectives for the software

• Given a good model, you have one thousand ways of making it insecure

– A parameter not correctly parsed

– A buffer not correctly managed

– …

Page 44: Serenity Project: Security in Software Enginering

Creation of Secure Applications

Differences between current secure software development and the SERENITY approach

SERENITY applications life cycle

Developing SERENITY applications

Using Java to develop SERENITY applications

Run-time support

Advantages of the SERENITY approach

Page 45: Serenity Project: Security in Software Enginering

Serenity Proposal for Secure Software Development

• Just a reminder:

– For this to work, the team does need to be somehow aware of security engineering and software security issues.

• Now that we are aware:

– We propose not to be aware of security engineering, but of the security properties the system has to comply with

– Security requirements are fulfilled by means of S&D patterns

– S&D patterns are represented at different levels of abstraction by means of different artefacts

[Class diagram “PatternDetail”: S&DPattern BelongsTo S&DClass; S&DImplementation RefersTo S&DPattern; ExecutableComponent Implements S&DImplementation]

Page 46: Serenity Project: Security in Software Enginering

Serenity Proposal for Secure Software Development

[Class diagram “PatternDetail”, annotated:

– S&DClass: represents a set of S&D solutions and defines a general interface

– S&DPattern: represents an S&D solution and defines an interface and a set of functionalities; BelongsTo an S&DClass

– S&DImplementation: represents the implementation of a pattern; RefersTo an S&DPattern

– ExecutableComponent: implements a pattern; Implements an S&DImplementation]

Software Architects know these artefacts, Security Experts deeply know these artefacts, and Developers know and use all these S&D artefacts and their interfaces

Page 47: Serenity Project: Security in Software Enginering

• Developers include references to S&D patterns in applications by means of references to S&D artefacts

• Developers are supported by S&D pattern libraries where they can find artefacts (called S&D Libraries)

• SERENITY includes tools supporting developers in managing on-line S&D libraries (e.g. a plugin for Eclipse)

Serenity Proposal for Secure Software Development

Serenity Proposal for Secure Software Development

Page 48: Serenity Project: Security in Software Enginering

S&D Pattern Development

[Diagram, Security Community: S&D pattern development, then addition to the S&D library, then the S&D library]

Page 49: Serenity Project: Security in Software Enginering

S&D Pattern Development

[Same diagram, extended with Application Development (Development Team): S&D pattern search and selection, then inclusion of references in the application, then application deployment]

Page 50: Serenity Project: Security in Software Enginering

S&D Pattern Development

[Same diagram, extended with Runtime Support: runtime S&D pattern assembling, then application execution, then runtime monitoring of the running app]

Page 51: Serenity Project: Security in Software Enginering

S&D Pattern Development

[Same diagram, with the label “Serenity Development Framework”]

Page 52: Serenity Project: Security in Software Enginering

S&D Pattern Development

[Same diagram, with the label “Serenity Runtime Framework”]

Page 53: Serenity Project: Security in Software Enginering

• One of SERENITY’s main features is the run-time support:

– Dynamic substitution of S&D Patterns at run-time

– The more abstract the level of the artefact selected at development time, the more flexibility the SRF has in selecting the S&D Pattern

– At run-time, S&D Patterns are monitored

Page 54: Serenity Project: Security in Software Enginering

• The SERENITY approach can be integrated into most current development processes

• Let us see how it fits…

[Diagram: SERENITY development time framework and SERENITY runtime framework]

Page 55: Serenity Project: Security in Software Enginering

And if we go to Agile Development…

Page 56: Serenity Project: Security in Software Enginering

How does it fit in Agile Development…

[Diagram: Sprint Planning: threat analysis based on properties for the largest risks, then detailed threat analysis; decide on the controls: address the threat (new sprint backlog) or postpone the work (new product backlog); Sprint Review: approve the residual risk]

Page 57: Serenity Project: Security in Software Enginering

How does it fit in Agile Development…

[Same diagram as page 56, with the SERENITY runtime framework and the SERENITY development time framework placed on it]

Page 58: Serenity Project: Security in Software Enginering

• The integration of SERENITY is achieved by means of new paths in security engineering techniques: S&D properties, formal proofs, and a library.

• Application developers profit from the expertise of security experts by using SERENITY patterns

Page 59: Serenity Project: Security in Software Enginering

Creation of Secure Applications

Differences between current secure software development and the SERENITY approach

SERENITY applications life cycle

Developing SERENITY applications

Using Java to develop SERENITY applications

Run-time support

Advantages of the SERENITY approach

Page 60: Serenity Project: Security in Software Enginering

Developing applications in Serenity

• Application Developer: Our client needs a secure and reliable online application…

1) Identify S&D Requirements

• Properties vs. threats

• Usually expressed as S&DProperties

• Looking for the appropriate S&DProperties in S&DProperties repositories

2) Develop applications

• Search the development time S&DLibrary for the appropriate S&D solutions

• Develop the code including references to the S&D Solutions’ functionalities

Page 61: Serenity Project: Security in Software Enginering

The whole process

[Diagram: the Serenity-aware Application holds an S&D Pattern reference and activates it through the SRF; the SRF performs the runtime selection, using information from the context, of an Executable Component implementing an S&D Pattern; the Application then accesses the S&D Pattern functionalities through that component; the Monitoring Service receives monitorization and events and applies monitoring rules (Run-time Support)]

Page 62: Serenity Project: Security in Software Enginering

An example: runtime selection

[Object diagram: S&DClass SimpleTransmisionConfidentiality.iso.org; S&DPatterns ConfidentialityByDES_Encryption.iso.org and ConfidentialityBySecureChannel.ieee.org; S&DImplementations NokiaDES, SAPDES, ThalesDES (DES pattern) and ATCSecureChannel, SetcceSecureChannel (secure channel pattern); ExecutableComponents NokiaDES, SAPDES, ThalesDES, ATCSecureChannel, SetcceSecureChannel]
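The selection hierarchy on this slide and the run-time substitution of page 53, worked as a small resolver. This is an added example, not SERENITY project code: the artefact names and the C:/P:/I: reference prefixes are the ones on the page, while the context precondition, the monitoring rule and the event records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ExecutableComponent:
    name: str            # e.g. "NokiaDES"
    implementation: str  # the S&DImplementation this component realises


@dataclass
class SDPattern:
    name: str                         # e.g. "ConfidentialityByDES_Encryption.iso.org"
    sd_class: str                     # the S&DClass the pattern belongs to
    preconditions: Dict[str, object]  # constructed: context values the pattern needs
    implementations: List[str]        # the S&DImplementations that refer to it


# S&D library built from the artefacts named on the slide. The precondition on the
# secure-channel pattern is constructed for this example, not taken from SERENITY.
SD_CLASS = "SimpleTransmisionConfidentiality.iso.org"

PATTERNS: Dict[str, SDPattern] = {
    "ConfidentialityByDES_Encryption.iso.org": SDPattern(
        "ConfidentialityByDES_Encryption.iso.org", SD_CLASS, {},
        ["NokiaDES", "SAPDES", "ThalesDES"]),
    "ConfidentialityBySecureChannel.ieee.org": SDPattern(
        "ConfidentialityBySecureChannel.ieee.org", SD_CLASS,
        {"peer_supports_secure_channel": True},
        ["ATCSecureChannel", "SetcceSecureChannel"]),
}

# On the slide each S&DImplementation has one ExecutableComponent of the same name.
COMPONENTS: List[ExecutableComponent] = [
    ExecutableComponent(n, n)
    for n in ["NokiaDES", "SAPDES", "ThalesDES", "ATCSecureChannel", "SetcceSecureChannel"]
]


def applicable(pattern: SDPattern, context: Dict[str, object]) -> bool:
    """A pattern may be selected only if every precondition holds in the context."""
    return all(context.get(key) == value for key, value in pattern.preconditions.items())


def resolve(reference: str, context: Dict[str, object]) -> List[ExecutableComponent]:
    """Return every executable component the SRF may bind for an artefact reference.

    Prefixes as on page 77: C: S&DClass, P: S&DPattern, I: S&DImplementation.
    The less specific the reference, the more candidates the SRF can choose from.
    """
    kind, _, name = reference.partition(":")
    if kind == "C":
        patterns = [p for p in PATTERNS.values() if p.sd_class == name]
    elif kind == "P":
        patterns = [PATTERNS[name]] if name in PATTERNS else []
    elif kind == "I":
        patterns = [p for p in PATTERNS.values() if name in p.implementations]
    else:
        raise ValueError(f"unknown artefact prefix in reference {reference!r}")
    allowed: Set[str] = {
        impl
        for p in patterns if applicable(p, context)
        for impl in p.implementations
        if kind != "I" or impl == name
    }
    return [c for c in COMPONENTS if c.implementation in allowed]


def select(reference: str, context: Dict[str, object],
           excluded: Optional[Set[str]] = None) -> Optional[ExecutableComponent]:
    """Bind the first candidate that is not excluded; None means no solution fits."""
    excluded = excluded or set()
    for candidate in resolve(reference, context):
        if candidate.name not in excluded:
            return candidate
    return None


def monitoring_rule_holds(events: List[dict], component: str, max_errors: int = 0) -> bool:
    """Constructed monitoring rule: the bound component may report at most max_errors errors."""
    errors = sum(1 for e in events if e["component"] == component and e["status"] == "error")
    return errors <= max_errors


def substitute_after_violation(reference: str, context: Dict[str, object],
                               failing: str) -> Optional[ExecutableComponent]:
    """Dynamic substitution: drop the component that broke its rule and bind another one."""
    return select(reference, context, excluded={failing})


if __name__ == "__main__":
    context = {"peer_supports_secure_channel": True}
    for ref in ("C:" + SD_CLASS, "P:ConfidentialityByDES_Encryption.iso.org", "I:NokiaDES"):
        print(ref, "->", [c.name for c in resolve(ref, context)])
    bound = select("C:" + SD_CLASS, context)
    events = [{"component": bound.name, "status": "error"}]  # constructed monitoring event
    if not monitoring_rule_holds(events, bound.name):
        replacement = substitute_after_violation("C:" + SD_CLASS, context, bound.name)
        print("substituted", bound.name, "with", replacement.name)
```

A reference to the S&DImplementation leaves the SRF no alternative once its component is excluded, which is the flexibility trade-off page 53 describes.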

Page 63: Serenity Project: Security in Software Enginering

From developer’s perspective

1. I launch my favourite programming IDE

2. I start coding my application

3. I import the SERENITY API

4. I launch the SERENITY search tool

5. I look for the pattern I want to use in my application

6. I add calls to the pattern using

a. the semantic information retrieved from the pattern description

b. and the SERENITY API

Page 64: Serenity Project: Security in Software Enginering

From developer’s perspective

[Same steps 1-6 as page 63, with a callout: I do not need to include the pattern itself, I just need a reference to the pattern]

Page 65: Serenity Project: Security in Software Enginering

From developer’s perspective

[Steps 1-6 as on page 63, continued:]

7. I finish and compile my application

8. I deploy my application in a SERENITY enabled device

That’s all, now my app is ready to run!

Page 66: Serenity Project: Security in Software Enginering

SERENITY Tools

• Currently SERENITY provides an Eclipse plugin to navigate through a library of artefacts

Page 67: Serenity Project: Security in Software Enginering

SERENITY Tools

• You can connect to remote S&D artefacts repositories


Page 68: Serenity Project: Security in Software Enginering

SERENITY Tools

• You can navigate through solutions for specific S&D properties

Page 69: Serenity Project: Security in Software Enginering

SERENITY Tools

• And you can search for specific S&D patterns, classes…

Page 70: Serenity Project: Security in Software Enginering

SERENITY Tools

• And security experts can edit S&D artefacts

Page 71: Serenity Project: Security in Software Enginering

The whole process. Revisited

[Diagram of page 61 (SRF, Executable Component implementing an S&D Pattern, Serenity-aware Application, Monitoring Service), with a “¿?” mark]

Page 72: Serenity Project: Security in Software Enginering

The whole process. Revisited

[Diagram of page 61 (SRF, Executable Component implementing an S&D Pattern, Serenity-aware Application, Monitoring Service); the “¿?” is answered: the SERENITY API for application developers, currently developed for Java]

Page 73: Serenity Project: Security in Software Enginering

Creation of Secure Applications

Differences between current secure software development and the SERENITY approach

SERENITY applications life cycle

Developing SERENITY applications

Using Java to develop SERENITY applications

Run-time support

Advantages of the SERENITY approach

Page 74: Serenity Project: Security in Software Enginering

A simplified example

• This test application just requests an S&D pattern for authentication and uses it

[Diagram: My Serenity Application, mySRF (SRF), myEC (confidentiality.uma.es), operation sendConf()]

    mySRF = new SRF_AP_AccessPoint("localhost");
    myEC = new SerenityExecutableComponent_AP(
        mySRF,
        "P:confidentiality.uma.es",
        parameters
    );

Page 75: Serenity Project: Security in Software Enginering

A simplified example (continued)

• This test application just requests an S&D pattern for authentication and uses it; the call to the pattern’s operation completes the picture:

    mySRF = new SRF_AP_AccessPoint("localhost");
    myEC = new SerenityExecutableComponent_AP(mySRF, "P:confidentiality.uma.es", parameters);
    myEC.callOperation("sendConf", parameters);

Page 76: Serenity Project: Security in Software Enginering

Java package for applications

[Class diagram “SERENITY-application Support Library”: Application A uses SRF_AP_AccessPoint (+ requestSolution() : EcHandler) and SerenityExecutableComponent_AP (+ callOperation(oper, inParam, outParam) : void); the access point creates an EcHandler that points to the ECaccessPoint of Executable Component A (process); on the SRF side, S&DManager and SRFRequests]

Page 77: Serenity Project: Security in Software Enginering

An example: the code

    package SERENITY-application;   // as on the slide; a hyphen is not legal in a Java package name

    import serenity.app.*;

    public class mySERENITYapplication {
        // Fields are static here so that main() can use them directly
        // I connect to a SRF hosted on localhost
        static SRF_AP_AccessPoint mySRF = new SRF_AP_AccessPoint("localhost");
        // I am going to use an executableComponent
        static SerenityExecutableComponent_AP confidentialitySolution;
        // Param for the SDRequest
        static SerenitySolutionParametersList sParametersList = new SerenitySolutionParametersList();
        // Param for the pattern functionality
        static SerenityOperationParametersList operationParameters = new SerenityOperationParametersList();
        // C: for a S&DClass
        // P: for a S&DPattern
        // I: for a S&DImplementation
        static String solutionName = "P:confidentiality.uma.es";

        public static void main(String[] args) {
            // ...
            // I am going to create the executableComponent access point object
            sParametersList.addParam("target_IP", "127.0.0.1");
            confidentialitySolution = new SerenityExecutableComponent_AP(mySRF, solutionName, sParametersList);
            // ...
            // I am going to access one of the S&DClass interface operations
            operationParameters.addParam("Message", "Hello world");
            confidentialitySolution.callOperation("sendConfidential", operationParameters);
            // ...
        }
    }

Page 78: Serenity Project: Security in Software Enginering

Considerations

• The API encapsulates the use of ECHandlers

– The ECHandler is used by the executableComponent_AP

– It is possible to use ECHandlers directly

• How do developers know the S&D patterns’ interface?

– This information is part of the pattern definition retrieved from the development time library

– A Serenity enabled IDE will help to develop the application by presenting the list of appropriate calls (a kind of auto completion), given that S&D artefacts are machine readable.

Tools and documentation available at: http://www.serenity-project.org/

Page 79: Serenity Project: Security in Software Enginering

Creation of Secure Applications

Differences between current secure software development and the SERENITY approach

SERENITY applications life cycle

Developing SERENITY applications

Using Java to develop SERENITY applications

Run-time support

Advantages of the SERENITY approach

Page 80: Serenity Project: Security in Software Enginering

Advantages of the SERENITY approach

• Applications become independent of the implementation of the security solutions they need

• Applications become responsive to changes in the context

• The library of solutions is ever growing and continuously reviewed, without the need to revise the application

• It is possible to verify that applications comply with the applicable security policies

• It enhances the process of security engineering by promoting the separation of duties between security specialists and application developers

• It helps in managing threats, since the focus is on the properties, not on the threats themselves

• Property + Context => Threats (it allows non security experts to identify new threats)

Page 81: Serenity Project: Security in Software Enginering

Thank you

Francisco Sanchez Cid

[email protected]

Page 82: Serenity Project: Security in Software Enginering