Security analysis of COM with Alloy Presenter: AliReza Namvar

Outline Motivation Problem Review of COM Security in COM Modeling with Alloy Preliminary Conclusions References

Motivation Security aspects in SD Architectural infrastructures Network security protocols Secure applications Architectural infrastructures Security in infrastructures Component-based SD Secure component communications Secure communication of part objects of an application How to preserve secure communication of objects? Considering distributed apps,…Web application. Such infrastructures are used as de-facto-standard in industrial development so the design and validation is a major concern

Problem Formal analysis of existing component based architectural frameworks Case study: modeling security in COM Analysis Tool: Alloy Analyzer Evolution of Security model of COM Extracting Invariant abstractions Specifying the invariants in Alloy so the design and validation is a major concern Analyzing their key properties is vital for their effective and safe use.

Overview of COM What is COM? Interface negotiation Legal/outer vs. inner components An infrastructure for the creation, operation, and management of components. Language and compiler independent, binary version of type coercion Outers follows normal rules of interface negotiation.inner comps are aggregated by other components and they do not obey standard COM rules

Security in COM Two categories of security Activation Call Utilizes OS security: permissions of a user to start a code, etc Based on DCE RPC security architecture Security in cross-process, cross-network server Activation:Dictates how new objects are started , how to connect new and existing objs….Seuring public services Call:security in established connection Read only /read write So the preserving security is much more sophisticated

Security in COM(cntd) “Service Control Manager” Call Security CoRegisterClassObject, IRunningObjectTable::Register IActivationSecurity Interface Call Security DCE RPC mechanism Automatic by COM infrastructure CSS:general APIs,server-side APIs, call-context interfaces to support static and dynamic activation security 1-provides APIs that applications may use to do their own security checking 2-based on setup information..security checking for the processes Not exclusive

Alloy A first-order notation : Combines the best features of Z and UML Schema structuring and a simple set-theoretic semantics Various declaration shorthands State machines with operations over complex states. Alloy has data structures:table,tree, etc Invariant-based reasoning:Formulate assertions that claim an invariant is preserved.

Why Alloy Specification in first order logic Finite Search Atomic representation for objects Relational language Finite Search Deep semantic analysis Offers fully automatic analysis of object models Checks consistency of constraints Simulates execution of operations No Composite structures

Source: http://theory.lcs.mit.edu/~dnj/talks/ Analysis approach Alloy Analyzer is a model refuter! When an assertion is found to be false, it generates a counterexample. Incremental process Source: http://theory.lcs.mit.edu/~dnj/talks/

Preliminary Conclusions First model: Declarative model of Security in COM Extracting security patterns in COM Describes systems state and behavior by listing properties

References Box, D., Essential COM, Addison-Wesley, 1998 Jackson D. and Sullivan K., “COM Revisited: Tool Assisted Modelling of an Architectural Framework”, Proc. ACM SIGSOFT Conf. Foundations of Software Engineering. San Diego, November 2000. Jackson D., Alloy: Lightweight Modelling and Analysis with Alloy.(Alloy’s Book) Microsoft Corporation, The Component Object Model Specification,version 0.9, October 24, 1995, available at: www.microsoft.com/com/resources/comdocs.asp

specification