Friday October 28, 2005 SoBeNeT workshop The role of Security in software processes (UP, XP) and software architecture.

SoBeNeT in a nutshell
IWT SBO project ( )
Context: availability of security components
Goal: to enable the development of secure application software
4 research tracks:
- Programming and composition
- Software engineering
- Tamper and analysis resistance
- Shielding and interception

Agenda
13:30h  Overview of research results in using UML for security (Bart De Win)
14:00h  UP and security: overview of UMLsec (Jan Jürjens)
15:00h  Break
15:15h  XP and security: writing abuser stories, interactive session (Johan Peeters)
16:45h  Security in software architectures, interactive session (Wouter Joosen)
17:20h  Workshop wrap-up

Overview of research results in using UML for security
Bart De Win, Koen Yskout

Introduction
Importance of security in the software development process
UML as industrial standard:
- Covers a significant part of the development lifecycle
- UML 2.0 (support for behavioral semantics, components)
- No formalization
Overview of what support is available or being proposed to address security within UML:
- Only one, but an important vehicle
- Selection is world-wide, not SoBeNeT-restricted
- Part of a survey effort
Different goals:
- Representation
- Realization (automatic)
- Verification
- Traceability
In this presentation we identify rather than assess

Overview
Techniques
- Misuse cases (A)
- Policy modeling (D)
- Security patterns (D)
Methods
- CORAS
- Model based security
- CLASP
Conclusion

Misuse cases

Misuse cases (ctd.)
Textual representation of misuse case details
Modifications to the standard use case template:
- Reinterpretation: actor, basic and alternative paths
- Introduction: exception paths, capture points, triggers, related business rules, prevention and detection guarantee, stakeholders and threats
- Although the different template proposals are similar, there is no standard template yet

Policy modeling

Policy Modeling (ctd.)
Support for constraint specification using OCL, e.g. Separation of Duty: M is a set of mutually exclusive role sets, and no user may hold more than one role from any of them:

  context User inv:
    let M : Set(Set(Role)) = Set{Set{accounts_mgr, purchase_mgr}, ...}
    in M->select(m | self.role->intersection(m)->size() > 1)->isEmpty()

Policy Modeling (ctd.)
Verification
- Detection of conflicting constraints and identification of missing constraints
- Prior to deployment
- By means of the USE tool
Test scenarios are automatically generated
Can be used to analyze modifications on the fly
Authorization editor
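As an added example, not part of the original slides and not the USE tool, the Python below mirrors the Separation of Duty invariant from the OCL slide over a constructed user-role assignment and shows the three verification uses listed on this slide: evaluating the invariant before deployment, detecting constraints that conflict with each other (here a role hierarchy that forces a senior role to inherit two mutually exclusive roles), generating minimal violating assignments as negative test scenarios, and checking a proposed role grant on the fly. Only accounts_mgr and purchase_mgr come from the slide; the other roles, the hierarchy and the users are hypothetical.

```python
from itertools import combinations

# Constructed example data; the only names taken from the slide are
# accounts_mgr and purchase_mgr.  Everything else is hypothetical.
ROLE_HIERARCHY = {                 # senior role -> roles it inherits
    "finance_director": {"accounts_mgr"},
    "cfo": {"accounts_mgr", "purchase_mgr"},   # inherits a conflicting pair
}
CONFLICTING_ROLE_SETS = [          # the set M of the OCL invariant
    frozenset({"accounts_mgr", "purchase_mgr"}),
    frozenset({"auditor", "cashier"}),
]


def effective_roles(roles, hierarchy=ROLE_HIERARCHY):
    """Close a role set under inheritance (self.role in the OCL, assuming
    an RBAC-style role hierarchy)."""
    held, todo = set(roles), list(roles)
    while todo:
        for junior in hierarchy.get(todo.pop(), ()):
            if junior not in held:
                held.add(junior)
                todo.append(junior)
    return frozenset(held)


def sod_violations(user_roles, conflicting_sets=CONFLICTING_ROLE_SETS,
                   hierarchy=ROLE_HIERARCHY):
    """Evaluate the invariant for every user.

    OCL: M->select(m | self.role->intersection(m)->size() > 1)->isEmpty()
    Returns {user: [overlap, ...]} for each user whose selection is not
    empty, so an empty dict means the invariant holds for the whole model.
    """
    violations = {}
    for user, roles in user_roles.items():
        held = effective_roles(roles, hierarchy)
        overlaps = [m & held for m in conflicting_sets if len(m & held) > 1]
        if overlaps:
            violations[user] = overlaps
    return violations


def conflicting_constraints(conflicting_sets=CONFLICTING_ROLE_SETS,
                            hierarchy=ROLE_HIERARCHY):
    """Detect constraints that conflict with each other: a senior role that
    inherits two members of one exclusive set can never be assigned without
    breaking the SoD invariant.  Returns [(senior_role, overlap), ...]."""
    return [(senior, m & effective_roles({senior}, hierarchy))
            for senior in hierarchy
            for m in conflicting_sets
            if len(m & effective_roles({senior}, hierarchy)) > 1]


def violating_scenarios(conflicting_sets=CONFLICTING_ROLE_SETS):
    """Generate the minimal assignments that break each exclusive set
    (every pair drawn from one set); these serve as negative test scenarios."""
    return sorted({tuple(sorted(pair))
                   for m in conflicting_sets for pair in combinations(m, 2)})


def grant_allowed(user_roles, user, new_role,
                  conflicting_sets=CONFLICTING_ROLE_SETS, hierarchy=ROLE_HIERARCHY):
    """Analyze a proposed modification on the fly: may new_role be granted
    to user without violating the invariant?"""
    proposed = dict(user_roles)
    proposed[user] = frozenset(user_roles.get(user, ())) | {new_role}
    return user not in sod_violations(proposed, conflicting_sets, hierarchy)


if __name__ == "__main__":
    users = {"alice": {"accounts_mgr"},
             "bob": {"accounts_mgr", "purchase_mgr"},
             "carol": {"cfo"}}
    print("violations:", sod_violations(users))
    print("conflicting constraints:", conflicting_constraints())
    print("negative test scenarios:", violating_scenarios())
    print("grant purchase_mgr to alice?", grant_allowed(users, "alice", "purchase_mgr"))
```

The conflicting-constraint check is the one worth running first: a hierarchy that inherits both halves of an exclusive pair makes every assignment of that senior role invalid, which no amount of per-user checking will reveal until someone is granted the role.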

Security patterns
Application of the idea of design patterns to security
- A security pattern represents a proven design solution to a recurring security problem
- The usefulness of design patterns has been well established
- Relevant for architectural as well as for detailed design
Opportunities and challenges
- Can have a huge impact on secure software engineering (SSE)
- Watch the application area a pattern is meant for
- Quality control is essential

Security Patterns (ctd.)

CORAS
Risk Analysis of Security Critical Systems
Consists of:
- Integrated methodology
- UML profile
- Knowledge base
- Tool
Five step methodology (iterative):
- Identify context
- Identify risks
- Analyze risks
- Evaluate risks
- Treat risks
Designed for heavy analysis

CORAS (ctd.)

Model based security
Goals:
- Take security into account during the whole development process
- Separation of concerns: security should be separated from the application design
Specification: using security metamodels or templates, or inline
Realization: binding and generation
- Transformation to code or deployment descriptors
- Template instantiation -> enriched model
Verification: a formal foundation is needed
Examples: SecureUML, AOM, UMLsec

Model based security (ctd.)
SecureUML
[Figure: metamodel combining a security modeling language, e.g. SecureUML, with a system design modeling language, e.g. ComponentUML]

Model based security (ctd.)
SecureUML (ctd.)
- Modeling the policy
- Transformation from the modeling language to code, deployment descriptors, ...; e.g. generate an EJB system, a .NET system, ...
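As an added example, not taken from the slides or from the SecureUML tooling, the Python below keeps a small SecureUML-style policy (roles, and permissions that grant actions on a resource's methods) and derives two artifacts from that single model: an EJB 2.x ejb-jar.xml method-permission fragment, and an authorization check that generated code can call, so the descriptor and the code cannot drift apart. The Account resource, its methods, the roles and the mapping of the composite actions read, update and fullAccess onto getters, setters and all methods are hypothetical simplifications of SecureUML's metamodel.

```python
import xml.etree.ElementTree as ET

# --- constructed policy model (SecureUML-style, simplified) ----------------
# Resource (an EJB) with its methods.  Mapping the composite actions "read"
# and "update" onto getters and setters is an assumption of this example.
RESOURCES = {
    "Account": ["getBalance", "getOwner", "setLimit", "credit", "debit"],
}

# Permissions: (role, resource, action).  An action is either a concrete
# method name or one of the composite actions "read", "update", "fullAccess".
PERMISSIONS = [
    ("clerk",        "Account", "read"),
    ("clerk",        "Account", "credit"),
    ("accounts_mgr", "Account", "fullAccess"),
    ("auditor",      "Account", "read"),
]


def expand_action(resource, action):
    """Map a (composite) action to the concrete methods it covers."""
    methods = RESOURCES[resource]
    if action == "fullAccess":
        return set(methods)
    if action == "read":
        return {m for m in methods if m.startswith("get")}
    if action == "update":
        return {m for m in methods if m.startswith("set")}
    if action in methods:
        return {action}
    raise ValueError(f"unknown action {action!r} on {resource}")


def permitted_methods(role, resource, permissions=PERMISSIONS):
    """Concrete methods on resource that role may invoke."""
    allowed = set()
    for r, res, action in permissions:
        if r == role and res == resource:
            allowed |= expand_action(resource, action)
    return allowed


def is_authorized(role, resource, method):
    """Runtime check derived from the same model as the descriptor."""
    return method in permitted_methods(role, resource)


def generate_ejb_jar_fragment(resource, roles):
    """Emit an EJB 2.x <assembly-descriptor> with one <method-permission>
    per role, listing exactly the methods the model allows that role."""
    root = ET.Element("assembly-descriptor")
    for role in roles:
        methods = sorted(permitted_methods(role, resource))
        if not methods:
            continue                      # no permission: no descriptor entry
        mp = ET.SubElement(root, "method-permission")
        ET.SubElement(mp, "role-name").text = role
        for m in methods:
            method = ET.SubElement(mp, "method")
            ET.SubElement(method, "ejb-name").text = resource
            ET.SubElement(method, "method-name").text = m
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(generate_ejb_jar_fragment("Account", ["clerk", "accounts_mgr", "auditor"]))
```

Because the container enforces the descriptor and the application code calls is_authorized from the same permitted_methods table, a change to the policy model regenerates both; a method that the model does not mention simply gets no method-permission entry, which in EJB means no role may call it.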

Model based security (ctd.)
Aspect-Oriented Modeling (AOM)
- Primary model + aspect models (e.g. security)
- Specification: using templates (class diagram, sequence diagram, OCL constraints)
- Realization: instantiation of the templates + composition with the primary model (add new classes, extend existing classes, ...)
- Verification: after composition, or during composition (evolving proof obligations)

Model based security (ctd.)
Aspect-Oriented Modeling (ctd.)
[Figure: the RBAC template (aspect model) is instantiated with bindings such as (BankUser, |User), (BankRole, |Role), … and composed with the primary model into the composed model]
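As an added example, not from the slides or from the AOM papers, the Python below represents the primary model and an RBAC aspect template as small class diagrams (class name to attributes and operations), instantiates the template through a binding such as (BankUser, |User), and composes the result with the primary model by extending existing classes and adding new ones, which is the realization step the AOM slide describes. The bank classes, the template contents, the treatment of unbound parameters and the name-based merge rule are hypothetical; sequence diagram composition and the OCL proof obligations are not covered.

```python
import copy

# Constructed primary model (hypothetical bank application): class -> members.
PRIMARY_MODEL = {
    "BankUser":    {"attributes": ["name", "accountNumber"], "operations": ["login", "withdraw"]},
    "BankAccount": {"attributes": ["balance"],               "operations": ["debit", "credit"]},
}

# Constructed RBAC aspect template.  Parameter names start with '|' as in
# the template notation on the slide; they are replaced at instantiation.
RBAC_TEMPLATE = {
    "|User":       {"attributes": ["|userRoles"],          "operations": ["assignRole", "activateRole"]},
    "|Role":       {"attributes": ["roleName"],            "operations": ["grantPermission"]},
    "|Session":    {"attributes": ["activeRoles"],         "operations": ["checkAccess"]},
    "|Permission": {"attributes": ["object", "operation"], "operations": []},
}


def instantiate(template, bindings):
    """Instantiate a template: substitute every bound parameter, for class
    names and member names alike.  Unbound parameters keep their name with
    the '|' stripped; that default is an assumption of this example."""
    def bind(name):
        return bindings.get(name, name.lstrip("|"))

    return {bind(cls): {kind: [bind(m) for m in names] for kind, names in members.items()}
            for cls, members in template.items()}


def compose(primary, aspect):
    """Name-based composition: classes present in both models are merged
    (members unioned, primary order kept), classes only in the aspect are
    added.  Returns a new composed model; the inputs are not mutated."""
    composed = copy.deepcopy(primary)
    for cls, members in aspect.items():
        target = composed.setdefault(cls, {"attributes": [], "operations": []})
        for kind, names in members.items():
            for n in names:
                if n not in target[kind]:
                    target[kind].append(n)
    return composed


def weave_rbac(primary, bindings, template=RBAC_TEMPLATE):
    """The AOM realization step: instantiate the aspect, then compose it
    with the primary model."""
    return compose(primary, instantiate(template, bindings))


if __name__ == "__main__":
    bindings = {"|User": "BankUser", "|Role": "BankRole", "|userRoles": "roles"}
    for cls, members in weave_rbac(PRIMARY_MODEL, bindings).items():
        print(cls, members)
```

The point of keeping compose pure is verification after composition: the same primary model can be woven with several bindings and each composed model checked independently, which is the "after composition" option on the previous slide.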

Model based security (ctd.)
UMLsec
- Extension of UML for recurring security requirements: stereotypes, tags and constraints, superimposed on the functional diagrams
- Formal foundations support verification and generation
- Specification details are hidden from the developer
- Tool support is available
- More details: see next presentation

CLASP
Comprehensive Lightweight Application Security Process
Designed by Secure Software, IBM and webMethods
Set of 24 security-related activities to be included in the software development process
Role-based approach
Tools: vulnerability root causes, template sheets, RUP plug-in

CLASP (ctd.)
1. Institute security awareness program
2. Monitor security metrics
3. Specify operational environment
4. Identify global security policy
5. Identify resources and trust boundaries
6. Identify user roles and resource capabilities
7. Document security-relevant requirements
8. Detail misuse cases
9. Identify attack surface
10. Apply security principles to design
11. Research and assess security posture of technology solutions
12. Annotate class designs with security properties
13. Specify database security configuration
14. Perform security analysis of system requirements and design
15. Integrate security analysis into source management process
16. Implement interface contracts
17. Implement and elaborate resource policies and security technologies
18. Address reported security issues
19. Perform source-level security review
20. Identify, implement and perform security tests
21. Verify security attributes of resources
22. Perform code signing
23. Build operational security guide
24. Manage security issue disclosure process

Conclusion
A spectrum of results is available
Main challenges:
- Improving the application scope
- Industrial validation of results
- Quality control of point solutions
- Formalization to enable verification and automation
- Integration of results
In summary: need for a secure software development methodology and process
Our future focus:
- Integration of SoBeNeT results
- Point solutions for architecture and detailed design
- A coherent set of activities

References
Misuse cases
- G. Sindre and A. Opdahl, Eliciting security requirements with misuse cases, Requirements Engineering, vol. 10.
Policy modeling
- P. Epstein and R. Sandhu, Towards a UML based approach to role engineering.
- E. Shin and G.-J. Ahn, UML-based representation of RBAC.
- G.-J. Ahn and E. Shin, RBAC constraint specification using OCL.
- K. Sohr, G.-J. Ahn and L. Migge, Articulating and enforcing authorization policies with UML and OCL, Workshop on Software Engineering for Secure Systems, May 2005.

References
Security patterns
- J. Yoder and J. Barcalow, Architectural patterns for enabling application security, Pattern Languages of Programs (PLoP).
- The Open Group, Security Design Patterns, Technical Guide.
- Security pattern website.
- D. Kienzle and M. Elder, Security Patterns for Web Application Development, Technical Report.
Model based security
- J. Jürjens, Secure Systems Development with UML, Springer.
- T. Lodderstedt, D. Basin and J. Doser, SecureUML: A UML-Based Modeling Language for Model-Driven Security, UML conference.
- D. Basin, J. Doser and T. Lodderstedt, Model Driven Security: from UML Models to Access Control Infrastructures, ACM Transactions on Software Engineering and Methodology, to appear.
- E. Song, R. Reddy et al., Verifiable Composition of Access Control and Application Features, 10th ACM Symposium on Access Control Models and Technologies, June 2005.

References
CORAS
- R. Fredriksen, M. Kristiansen, B. Gran, K. Stølen, T. Arthur Opperud and T. Dimitrakos, The CORAS framework for a model-based risk management process, in Proc. Computer Safety, Reliability and Security (SAFECOMP 2002), LNCS 2434, Springer.
- CORAS project homepage.
CLASP
- J. Viega, Security in the software development lifecycle, ibm.com/developerworks/rational/library/content/RationalEdge/oct04/viega/.
- Secure Software Inc., The CLASP Application Security Process, Technical report, 2005.