Model-Driven Architecture And The Secure Systems Methodology Masters Thesis Defense 11/16/2007 Patrick Morrison.

Agenda ► Introduction ► Problem statement ► Approach ► Contribution ► Related Work ► What is MDA? ► Experiment ► Results ► Conclusions ► Future Work

The problem of Security ► “A good percentage of the software deployed in industrial/commercial applications is of poor quality, it is unnecessarily complex, and contains numerous flaws that can be exploited by attackers.” ► “We believe that the solution lies in developing secure software from the beginning, applying security principles along the whole life cycle… We see the use of patterns as a fundamental way, even for developers with little experience, to implicitly apply security principles.” ► [Fer06a, E.B. Fernandez et al.]

Security Patterns

Secure Systems Methodology [Fer06a]

    Stage           Tasks
    Requirements    Use case and activity diagram based role and attack analysis
    Analysis        Class and sequence diagrams, preferring semantic analysis patterns
    Design          Application of design patterns across architectural layers
    Implementation  Mapping design on to selected technical architecture

Methodology Claim, paraphrased ► [by using] “abstract and graphical representations of patterns, the methodology allows the construction of secure computing systems from patterns, which aid developers in understanding much more quickly and deeply than programming language ‘code’.”

MDA Claim ► [by using] “precise but abstract and graphical representations of algorithms, MDA allows the construction of computing systems from models that can be understood much more quickly and deeply than can programming language ‘code’.” [Mel04]

Problem
► Can Model-Driven Architecture (MDA) be used to support the secure systems methodology?
  – To what degree is it now possible to work in terms of high-level models rather than code?
  – Does MDA allow for the creation and reuse of generic models?
  – Does MDA reduce the amount of low-level work that needs to be done?
► What would be required to gain these benefits?

Approach ► Establish an MDA tool-chain ► Select an example distributed systems security problem ► Apply the advice of the secure systems methodology to the construction of models for the example system for each lifecycle phase ► Evaluate MDA models against example’s properties and their use in the lifecycle.

Contribution ► A set of models of secure shell (ssh) corresponding to the phases of the secure systems methodology ► An example MDA tool chain that translates UML Classes into Java source code. ► A set of considerations for applying MDA

Related Work ► SecureUML – Models RBAC for web applications ► UMLSec – Models security analysis for existing systems ► Executable UML – automated code generation from UML models, no explicit focus on security ► SysML – modeling notation for systems engineering ► UML Profile for RM-ODP – distributed systems standard, including security considerations ► RSML – process control requirements specification language ► Tropos – Agent-oriented methodology

What is MDA? ► A set of technologies: UML, MOF, XMI, OCL ► A model-centric framework for systems development ► A set of viewpoints ► A scheme for transforming models to other models, and to text (code)

MDA Technologies ► UML2 – a language and notation for building models ► MOF – a language for building modeling languages, beginning with UML2 ► XMI – a persistence mechanism for MOF, allowing exchange between tools ► QVT – a transformation language for MOF models ► OCL – a language for expressing logical assertions on MOF models, e.g. UML2

MDA Models and Metamodels

MDA Viewpoints ► Computation-Independent Models (CIM) contain domain concepts ► Platform-Independent Models (PIM) define a technology-independent view of the system ► Platform-Specific Models (PSM) contain system descriptions including technology aspects ► Platform – the technical architecture of a given system

MDA Transformations

MDA Transformations, example

Generated Java classes (the three entities of the access-control model):

    public class Subject {
        public String id;
    }

    public class Object {
        public String id;
    }

    public class Right {
        public String id;
        public String access_type;
        public Boolean copy_flag;
        public Subject s;
        public Object o;
    }

Model-to-text template (openArchitectureWare Xpand) that produces them, one file per Entity:

    «IMPORT metamodel»
    «DEFINE javaClass FOR Entity»
    «FILE name + ".java"»
    public class «name» {
        «FOREACH attributes AS attr»
        public «attr.type» «attr.name»;
        «ENDFOREACH»
        «FOREACH references AS ref»
        public «ref.type.name» «ref.name»;
        «ENDFOREACH»
    }
    «ENDFILE»
    «ENDDEFINE»
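The slide above shows only the last step of the pipeline, the model-to-text template. The following Python script is an added example, not code from the thesis or from openArchitectureWare: it builds the same Subject/Object/Right model as an in-memory Entity metamodel, checks it against OCL-style invariants (every entity carries an id, no dangling references, a Right always binds a Subject to an Object), maps the platform-independent types to a Java platform-specific model, and then emits the Java source the Xpand template would write. The Entity/Attribute/Reference classes, the abstract PIM types (Identifier, Text, Flag), the JAVA_TYPES mapping and the invariants are all assumptions made for the example; Python stands in for the Xpand/QVT tooling so the whole chain runs offline.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# --- Assumed metamodel, shaped after the slide's Entity/attributes/references ---
@dataclass
class Attribute:
    name: str
    type: str            # PIM uses abstract types: "Identifier", "Text", "Flag"

@dataclass
class Reference:
    name: str
    target: str          # name of the referenced Entity

@dataclass
class Entity:
    name: str
    attributes: List[Attribute] = field(default_factory=list)
    references: List[Reference] = field(default_factory=list)

# --- PIM: the access-control model from the slide, with platform-independent types (constructed) ---
PIM = [
    Entity("Subject", [Attribute("id", "Identifier")]),
    Entity("Object",  [Attribute("id", "Identifier")]),
    Entity("Right",   [Attribute("id", "Identifier"),
                       Attribute("access_type", "Text"),
                       Attribute("copy_flag", "Flag")],
                      [Reference("s", "Subject"), Reference("o", "Object")]),
]

# --- OCL-style invariants written as Python predicates (assumed constraints) ---
def check_invariants(model: List[Entity]) -> List[str]:
    """Return a list of violated invariants; an empty list means the model is well-formed."""
    names = {e.name for e in model}
    errors = []
    for e in model:
        if not any(a.name == "id" for a in e.attributes):
            errors.append(f"{e.name}: every Entity must have an 'id' attribute")
        for r in e.references:
            if r.target not in names:
                errors.append(f"{e.name}.{r.name}: dangling reference to {r.target}")
    right = next((e for e in model if e.name == "Right"), None)
    if right is not None:
        targets = {r.target for r in right.references}
        if not {"Subject", "Object"} <= targets:
            errors.append("Right must reference both a Subject and an Object")
    return errors

# --- Model-to-model: PIM -> Java PSM; the type mapping is the platform binding ---
JAVA_TYPES = {"Identifier": "String", "Text": "String", "Flag": "Boolean"}

def pim_to_java_psm(model: List[Entity]) -> List[Entity]:
    """Copy the model, replacing abstract attribute types with Java types."""
    return [
        Entity(e.name,
               [Attribute(a.name, JAVA_TYPES[a.type]) for a in e.attributes],
               list(e.references))
        for e in model
    ]

# --- Model-to-text: the equivalent of the slide's «DEFINE javaClass FOR Entity» ---
def java_class(entity: Entity) -> str:
    lines = [f"public class {entity.name} {{"]
    for a in entity.attributes:                  # «FOREACH attributes AS attr»
        lines.append(f"    public {a.type} {a.name};")
    for r in entity.references:                  # «FOREACH references AS ref»
        lines.append(f"    public {r.target} {r.name};")
    lines.append("}")
    return "\n".join(lines)

def generate(model: List[Entity]) -> Dict[str, str]:
    """Validate the PIM, bind it to Java, and return {filename: source} as «FILE name+".java"» would."""
    errors = check_invariants(model)
    if errors:
        raise ValueError("; ".join(errors))
    return {e.name + ".java": java_class(e) for e in pim_to_java_psm(model)}

if __name__ == "__main__":
    for fname, src in generate(PIM).items():
        print(f"// {fname}\n{src}\n")
```

Running the script prints the three classes from the slide. The invariant check is the part the template alone cannot give you: a Right entity that has lost its Subject or Object reference still expands to syntactically valid Java, so a generator that validates the model before the text transformation catches the broken authorization relation at the model level rather than in review of the generated code.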

MDA Concepts, in UML

MDA Tool-chain
► UML Editor, Model creation, XMI generation: MagicDraw
► Model-to-Model, Model-to-Text transformation: openArchitectureWare
► Target Platform: Java
► Integration: Eclipse

Experiment
► Apply secure systems methodology to building models for an abstract version of remote access
► Reverse-engineer SSH design models from architecture documents and source code
► Compare analysis results to SSH architecture
► Evaluate ability of MDA to assist in translation of models from phase N to phase N+1:
  – Requirements -> Analysis
  – Analysis -> Design

Example: Remote Access

Example(2): Secure Shell (SSH)
► Widely used network protocol providing security for remote access to user accounts and similar services
► [SSH] “enables secure remote login and other secure network services over an insecure network”
  – server authentication
  – client authentication (public key, password, host-based)
  – confidentiality
  – integrity
  – perfect forward secrecy
► Well-documented:
  – Internet standard: RFCs describe goals, architecture
  – Open source client implementation: Ganymed SSH-2 for Java

Requirements: Use Cases

Requirements: Sequence Diagram

Requirements: Activity Diagram

Analysis: Initial Class Diagram

Patterns applied during Analysis ► Authenticator ► Known Partners ► Single Access Point ► Checkpoint ► Security Session ► Information Obscurity ► Secure Channels

Analysis: Final Class Diagram

Compare: SSH Transport Protocol (reverse engineered from RFC)

Analysis Result ► Application of standard security patterns to the abstract case of remote access yielded a reasonably comprehensive model of the entities and relationships that participate in the SSH architecture.

Results ► Application of the methodology to a generic version of the example problem yielded a model that corresponds well to an existing solution of the problem ► Models captured fragments of the system from a given viewpoint, in this case depending on the lifecycle phase ► The ability to connect entities between phases depends on a shared metamodel ► No such metamodel exists for the presented models

Results(2), Questions revisited
► To what degree is it now possible to work in terms of high-level models rather than code?
  – Within constraints, there are opportunities to work with models rather than code
► Does MDA allow for the creation and reuse of generic models?
  – Insufficient evidence collected to support answering this question.
► Does MDA reduce the amount of low-level work that needs to be done?
  – MDA increases the amount of work required to build the first application.

Conclusions ► Requirements, Analysis and Design are fundamentally about deciding what you want, while MDA excels in describing what you have. ► Conclusion: MDA can be useful when working with a known domain and a known architecture. ► Metamodels, and transformations on them, are MDA’s driving force. Where they exist or their creation is justified, they can assist in the development process

Conclusions(2) ► MDA is not a good fit for a methodology; but it could be a good fit for an instance of a methodology. ► MDA can capture the details of domain and architecture, allowing systems designers to concentrate on variations within an established framework. ► This does suggest that software alteration and maintenance may be enhanced by the use of MDA

Future Work
► Develop Java platform model to support code generation from existing analysis models
► Choose second, third example applications
► Map examples on to suitable metamodel(s)
  – Unify lifecycle phase models
  – Factor out application, security, platform dependencies
  – Evaluate existing metamodels: SysML, RM-ODP
► Encode security pattern knowledge in the metamodel

Committee ► Dr. E.B. Fernandez ► Dr. Shihong Huang ► Dr. Maria Petrie