A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Slides:



Advertisements
Similar presentations
Object Oriented Analysis And Design-IT0207 iiI Semester
Advertisements

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Chapter 4 Quality Assurance in Context
The “Lifecycle” of Software. Chapter 5. Alternatives to the Waterfall Model The “Waterfall” model can mislead: boundaries between phases are not always.
Use Case Modeling SJTU. Unified Modeling Language (UML) l Standardized notation for object-oriented development l Needs to be used with an analysis and.
Software Design Deriving a solution which satisfies software requirements.
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
Object-Oriented Analysis and Design
Modeling Process-Oriented Integration of Services Using Patterns and Pattern Primitives Uwe Zdun and Schahram Dustdar Distributed Systems Group Institute.
Chapter 14 Maintaining Information Systems Modern Systems Analysis and Design Seventh Edition Jeffrey A. Hoffer Joey F. George Joseph S. Valacich.
NaLIX: A Generic Natural Language Search Environment for XML Data Presented by: Erik Mathisen 02/12/2008.
Fall 2007CS 225 Introduction to Software Design Chapter 1.
Chapter 15 Design, Coding, and Testing. Copyright © 2005 Pearson Addison-Wesley. All rights reserved Design Document The next step in the Software.
Requirements Analysis 5. 1 CASE b505.ppt © Copyright De Montfort University 2000 All Rights Reserved INFO2005 Requirements Analysis CASE Computer.
Introduction to Software Design Chapter 1. Chapter 1: Introduction to Software Design2 Chapter Objectives To become familiar with the software challenge.
Creating Architectural Descriptions. Outline Standardizing architectural descriptions: The IEEE has published, “Recommended Practice for Architectural.
©TheMcGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 1 Introduction to Object-Oriented Programming and Software Development.
Supplement 02CASE Tools1 Supplement 02 - Case Tools And Franchise Colleges By MANSHA NAWAZ.
©TheMcGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 1 Introduction to Object-Oriented Programming and Software Development.
CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.
 QUALITY ASSURANCE:  QA is defined as a procedure or set of procedures intended to ensure that a product or service under development (before work is.
Introduction to Software Design Chapter 1. Chapter 1: Introduction to Software Design2 Chapter Objectives To become familiar with the software challenge.
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 11 System Test Design
OOSE 01/17 Institute of Computer Science and Information Engineering, National Cheng Kung University Member:Q 薛弘志 P 蔡文豪 F 周詩御.
Complete and Integrated Lifecycle Management. Challenges 1.
©Ian Sommerville 2000Software Engineering, 6th edition. Chapter 19Slide 1 Verification and Validation l Assuring that a software system meets a user's.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.
Practical Object-Oriented Design with UML 2e Slide 1/1 ©The McGraw-Hill Companies, 2004 PRACTICAL OBJECT-ORIENTED DESIGN WITH UML 2e Chapter 2: Modelling.
1 Yolanda Gil Information Sciences InstituteJanuary 10, 2010 Requirements for caBIG Infrastructure to Support Semantic Workflows Yolanda.
1 IBM Software Group ® Mastering Object-Oriented Analysis and Design with UML 2.0 Module 1: Best Practices of Software Engineering.
System Analysis and Design
Maintaining Information Systems Modern Systems Analysis and Design.
1 BTEC HNC Systems Support Castle College 2007/8 Systems Analysis Lecture 9 Introduction to Design.
SOFTWARE ENGINEERING BIT-8 APRIL, 16,2008 Introduction to UML.
 Copyright 2005 Digital Enterprise Research Institute. All rights reserved. Towards Translating between XML and WSML based on mappings between.
Topics Covered: Software requirement specification(SRS) Software requirement specification(SRS) Authors of SRS Authors of SRS Need of SRS Need of SRS.
An Introduction to Software Architecture
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 6 Slide 1 Requirements Engineering Processes l Processes used to discover, analyse and.
Introduction to Software Design Chapter 1. Chapter Objectives  To become familiar with the software challenge and the software life cycle  To understand.
Faculty of Computer & Information Software Engineering Third year
Lecture 3 Software Engineering Models (Cont.)
Aspect Oriented Programming Sumathie Sundaresan CS590 :: Summer 2007 June 30, 2007.
(Business) Process Centric Exchanges
© 2006 ITT Educational Services Inc. System Analysis for Software Engineers: Unit 3 Slide 1 Chapter 16 Maintaining Information Systems.
Verification and Validation in the Context of Domain-Specific Modelling Janne Merilinna.
June 05 David A. Gaitros Jean Muhammad Introduction to OOD and UML Dr. Jean Muhammad.
Chapter 13: Regression Testing Omar Meqdadi SE 3860 Lecture 13 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
1 Introduction to Software Engineering Lecture 1.
Software Engineering Prof. Ing. Ivo Vondrak, CSc. Dept. of Computer Science Technical University of Ostrava
© 2012 Václav Rajlich Software Engineering: The Current Practice Ch Software models Software is complex –often more than what people can handle –not.
Secure Systems Research Group - FAU SW Development methodology using patterns and model checking 8/13/2009 Maha B Abbey PhD Candidate.
1 System Analysis and Design Using UML INSTRUCTOR: Jesmin Akhter Lecturer, IIT, JU.
Object-Oriented Modeling: Static Models. Object-Oriented Modeling Model the system as interacting objects Model the system as interacting objects Match.
Connecting with Computer Science2 Objectives Learn how software engineering is used to create applications Learn some of the different software engineering.
CS212: Object Oriented Analysis and Design Lecture 32: Use case and Class diagrams.
© 2006 Pearson Addison-Wesley. All rights reserved 2-1 Chapter 2 Principles of Programming & Software Engineering.
Software Quality Assurance and Testing Fazal Rehman Shamil.
Chapter 16 Maintaining Information Systems. Objectives:  Explain and contrast four types of system maintenance.  Describe factors affecting maintenance.
Introduction to Software Engineering 1. Software Engineering Failures – Complexity – Change 2. What is Software Engineering? – Using engineering approaches.
Introduction to UML and Rational Rose UML - Unified Modeling Language Rational Rose 98 - a GUI tool to systematically develop software through the following.
Advanced Higher Computing Science
Chapter 14 Maintaining Information Systems
Engineering Processes
An Introduction to Software Architecture
Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.
Applying Use Cases (Chapters 25,26)
Applying Use Cases (Chapters 25,26)
Uml diagrams In ooad.
Presentation transcript:

A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns

Motivation Security issues must be dealt with in all phases of software development Security issues must be dealt with in all phases of software development Secure patterns/models Secure patterns/models Secure coding practices Secure coding practices Secure development procedures Secure development procedures During deployment and maintenance phases During deployment and maintenance phases

On the flip side… Is computer security possible? Is computer security possible? Some argue that until computers can fix themselves dynamically, then systems will always be vulnerable. Furthermore, computers are incapable of handling the infinite variety of attacks – however, software may implement limited repairing schemes which require small amount of programmer assistance (debugging, etc.)

Why its important Design-level vulnerabilities are the hardest defect category to handle, but theyre also the most prevalent and critical. Software Security Testing, IEEE Security and Privacy Sep/Oct 2004, pgs Attacks come in every level, from source code bugs to design flaws. Attacks come in every level, from source code bugs to design flaws.

Why its important, contd We need to ensure that the secure pattern/model is consistent with the implementation.

Why OCL? A standard constraint language A standard constraint language Expressive power Expressive power Pairs with UML Pairs with UML Accessible to developers and programmers at each level Accessible to developers and programmers at each level

Why OCL? contd Expressive power includes existential and universal quantification Can provide a regulatory scheme for securing system components Can provide a regulatory scheme for securing system components Allows the designer to check violations easily (i.e., if constraints are not followed in test cases) Allows the designer to check violations easily (i.e., if constraints are not followed in test cases)

A solution Thanks to the OCLs expressive power, we can generate constraints that consist of universal statements. For example, we can ensure that only a specified number of instances are created (i.e., connections, clients, administrators, etc.)

Background Some tools/extensions that already exist: OCSL (Object Security Constraint Language) OCSL (Object Security Constraint Language) Allows for a security-driven development – extends OCL syntax, but with a focus on security Medina, et.al. USE (UML Specification Environment) implements a test/validate process that allows a snapshot diagram to be constructed and given properties are validated USE (UML Specification Environment) implements a test/validate process that allows a snapshot diagram to be constructed and given properties are validated Gogolla, et.al. Conversion between use cases and OCL expressions Conversion between use cases and OCL expressionsRoussev

Where we are What we have: OCL OCL UML UML Set of rules that ensure consistency in secure diagrams Set of rules that ensure consistency in secure diagrams Ever-expanding corpus of secure coding practices in every phase of software development Ever-expanding corpus of secure coding practices in every phase of software development A tool which generates a fault-revealing graph A tool which generates a fault-revealing graph What we need: a tool that helps us determine whether software meets the security requirements of the original model

What we have, part 1 OCL Useful for expressive power Useful for expressive power Can formulate constraints which are security- related Can formulate constraints which are security- related Object Management Group

What we have, part 2 UML Visual expressive power Visual expressive power Class interaction and sequences are defined in a meta-model Class interaction and sequences are defined in a meta-model Object Management Group

What we have, part 3 Current rules Restrict operation access Restrict operation access Define compositions Define compositions Maintain multiplicity Maintain multiplicity All of these help to keep the UML model consistent in terms of security Paired with a constraint checking tool, may verify whether or not these rules are followed Pilskalns, Williams, Aracic, Andrews

What we have, part 4 Secure coding practices As provided by both industry and academia As provided by both industry and academia Guidelines for each phase in development Guidelines for each phase in development

What we have, part 5 Fault-finding method After execution of successful and fault-revealing unit tests, can generate graphs that show the differences Graphs can be transformed into UML Sequence Diagrams Can use Sequence Diagrams to reveal faultsat a higher level Pilskalns, Wallace

Security management Rather than deal with each attack individually, and at each level, we propose a method which could effectively secure a system at the highest level, and (depending on the security model) reduce the risk at lower levels.

What we need An automated tool that helps us effectively validate secure OCL constraints of a system

Our approach This approach is similar to using reverse- engineered UML Sequence Diagrams. The approach relies on visual analyses of traces of object-method calls. Tests reveals if there exist any security flaws in the code execution. The approach verifies whether the security constraints specified in the design phase hold for a set of test cases.

Our approach, contd The OCL is a useful middle man for both design and testing secure systems The OCL is a useful middle man for both design and testing secure systems Design Document - Use Case - UML Model extract Constraint c 1 Context Account::create() Inv:oclSet={Teller} Inv.oclSet -> includes(source.type) Trace Implementation verify

Process 1. Create Unit Tests. 2. Instrument the source code so message paths (and associated objects) can be traced. 3. Execute the tests and record objects and message paths. 4. Construct directed acyclic graphs for every trace. 5. Verify that the security constraints specified in the design phase hold for each graph.

1. Create Unit Tests Unit tests provide coverage of the code used in a specific test case. There will be unit tests provided for both secure and non-secure code execution. Unit tests provide coverage of the code used in a specific test case. There will be unit tests provided for both secure and non-secure code execution.

2. Instrument the source code The instrumentation process inserts tracking code that records the method execution calls between objects, so message paths (and associated objects) can be traced. The instrumentation process inserts tracking code that records the method execution calls between objects, so message paths (and associated objects) can be traced.

3. Execute the tests and record objects and message paths. 3. Execute the tests and record objects and message paths. During the execution, the instrumented byte code is traversed using the unit tests. Each unit test generates an object-method trace through the code. During the execution, the instrumented byte code is traversed using the unit tests. Each unit test generates an object-method trace through the code.

4. Create graphs Construct directed acyclic graphs for every trace Construct directed acyclic graphs for every trace

5. Verify consistency Make sure the security constraints specified in the design phase hold for each graph. Make sure the security constraints specified in the design phase hold for each graph.

What we can do Our tool allows assessing the following types of security constraints: Operation access: check if an object is allowed to use operations provided by another object; Operation access: check if an object is allowed to use operations provided by another object; Composition: check if the life span of an object doesnt exceed the life span of the container object; Composition: check if the life span of an object doesnt exceed the life span of the container object; Multiplicity: checks if the number of instances of an object doesnt exceed the maximum number of instances allowed to complete a task. Multiplicity: checks if the number of instances of an object doesnt exceed the maximum number of instances allowed to complete a task. This is a good place to start

Experimental results The assessing module was tested successfully on simplified version of Banking System. The communication between the system and its components Teller and Customer is done using messages. Any request for a certain service is managed by the Transaction Manager. The assessing module was tested successfully on simplified version of Banking System. The communication between the system and its components Teller and Customer is done using messages. Any request for a certain service is managed by the Transaction Manager.

Experimental Factors The purpose of using the Banking example is not to implement a fully functional banking system, but to check if the security constraints specified in the design phase hold. Therefore we will focus on the object interaction rather than purely coding the tasks specific for any component. The purpose of using the Banking example is not to implement a fully functional banking system, but to check if the security constraints specified in the design phase hold. Therefore we will focus on the object interaction rather than purely coding the tasks specific for any component. Our approach will trace object-method calls, therefore we will focus on the interaction between components. Our approach will trace object-method calls, therefore we will focus on the interaction between components.

Validating Operation Access First of all we will check for the operation access constraints. In the paper Security Consistency in UML Designs the author is proposing a few operation access constraints which we will test in the following use cases. First of all we will check for the operation access constraints. In the paper Security Consistency in UML Designs the author is proposing a few operation access constraints which we will test in the following use cases. We have the following constraint: Context Account::create() Inv:oclSet={Teller} Inv:oclSet={Teller} Inv.oclSet -> includes(source.type) Inv.oclSet -> includes(source.type) It will grant access to the Account.create() method only for instances of the Teller object.

Graph Representation Every object-method call will be represented in the direct acyclic graph with two vertices corresponding to the entry point and return. The links between vertices correspond to the order of the method calls. Each vertex contains the following information: id, location and method. We can easily point out the vertices corresponding to the create() method call. The order the methods are called is preserved in the graph, therefore we can search backward in the graph to see if there is any instance of the Teller object responsible to make the create() call. We find out that the create() method is called by the Teller.transfer() method. In this situation we conclude that the system might be secure regarding this operation access constraint.

Graph Representation, part 2 Every object-method call will be represented in the direct acyclic graph with two vertices corresponding to the entry point and return. The links between vertices correspond to the order of the method calls. Each vertex contains the following information: id, location and method. We can easily point out the vertices corresponding to the create() method call. The order the methods are called is preserved in the graph, therefore we can search backward in the graph to see if there is any instance of the Teller object responsible to make the create() call. We find out that the create() method is called by the Teller.transfer() method. In this situation we conclude that the system might be secure regarding this operation access constraint.

Conclusion: Putting it all together The OCL is a useful component in secure system design The OCL is a useful component in secure system design The OCL is flexible, available, and powerful The OCL is flexible, available, and powerful Constraints can be validated Constraints can be validated A debugging utility that allows us to trace execution A debugging utility that allows us to trace execution Build a graph for inspection Build a graph for inspection Check the graph for constraint inconsistencies Check the graph for constraint inconsistencies

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.