Secure Systems Research Group - FAU
SW Development methodology using patterns and model checking
8/13/2009
Maha B Abbey, PhD Candidate

SW Development Methodology
–Domain Analysis
–Requirements Analysis
–Design
–Implementation

SW Development Methodology – Domain Analysis
–Conceptual model
–Legacy systems identified
–Security implications analyzed
–Domain and regulatory constraints identified
–Institution security policies defined

SW Development Methodology – Requirements
–Use case based role identification and attack analysis
–Use cases defining the required interactions with the system
–Relate attacks to use cases
–Study each activity within a use case and see which threats are possible
–Determine which policies would stop these attacks
–Determine the needed rights for each actor and thus apply a need-to-know policy
–The set of all use cases defines all the uses of the system; from all the use cases, all the rights for each actor can be determined
–Define security test cases for the complete system

SW Development Methodology – Analysis
–Authorized semantic analysis patterns
–Analysis patterns used to build the conceptual model in a more reliable and efficient way
–Conceptual model built where repeated applications of a security model pattern realize the rights determined from use cases
–Analysis patterns can be built with predefined authorizations according to the roles in their use cases
–Specify the rights for those parts not covered by patterns

SW Development Methodology – Design
–Coordinated application of patterns to multiple architectural layers
–Design mechanisms selected to stop the attacks identified earlier and realize the required policies
–User interfaces corresponding to use cases and used to enforce the authorizations defined in the analysis stage
–Secure interfaces enforce authorizations when users interact with the system
–Components can be secured by using authorization rules for Java or .NET components, for example
–Distribution provides another dimension where security restrictions can be applied (e.g. web services can be secured using some of the standards and corresponding mechanisms)
–Deployment diagrams define secure configurations to be used by security administrators
–A multilayer architecture is needed to enforce the security constraints defined at the application level
–In each level, patterns are used to represent appropriate security mechanisms
–Security constraints must be mapped between levels

SW Development Methodology – Implementation
–Security rules defined in the design stage are reflected in the code
–Rules are expressed as classes, associations, and constraints; they can be implemented as classes in object-oriented languages
–Select specific security packages or COTS, e.g., a firewall product, a cryptographic package
–Some of the patterns identified earlier in the cycle can be replaced by COTS (these can be tested to see if they include a similar pattern)
–Incorporate COTS (commercial off the shelf) security applications

Model Checking
–Model checking can be applied during the analysis stage and the design stage
Analysis stage
–To check the properties of security patterns
–Verify that the analysis model is compliant with the requirements (use cases, sequence diagrams)
Design stage
–To check properties on the system designed
–To check security constraints
  »Security constraints become at this stage the properties to validate

Model-based Security Engineering
–Patterns
–Use Cases
–Design

MetaSearch – Case Study
MetaSearch Engine
–Simple point of access to search in all relevant information sources with a single query
–Personalization capabilities
  »Storage of sources
  »Password for restricted sources
–Source range
  »Non-confidential, such as general company announcements
  »Confidential documents, such as protocols, development specifications …
–Each employee has access depending on his/her level of access
Focus on security-critical functionality
–Login
–Store Login Information: functionality of storing the users’ credentials for access to restricted information sources
–Search: searching the selected sources with a specific query

MetaSearch – Case Study
–Database access
–Password-restricted access
–Different levels of access
Domain entities: Sources, Search Engine, Source, Restricted Source, Employee, Level of Access
Need to finalize identification of all the class entities of the domain and construct the conceptual model using UML

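The model-checking slide says security constraints become the properties to validate at design time. As an added example (not code from the slides or from the FAU group), the following explicit-state model checker explores every reachable state of a small abstract model of the MetaSearch login/search behaviour and checks the constraint "a search result on a restricted source implies an authenticated session whose level of access meets the source's requirement". The source names, required levels and the `enforce_level` switch are constructed assumptions; turning the level check off models a design flaw and yields the shortest counterexample trace, which is exactly what a model checker reports.

```python
from collections import deque

# Constructed sources for the case study: name -> required level of access (0 = non-confidential)
SOURCES = {"announcements": 0, "protocols": 2, "dev_specs": 3}
EMPLOYEE_LEVELS = (1, 2, 3)  # constructed: levels an Employee may authenticate at

def transitions(state, enforce_level=True):
    """Yield (action, next_state) pairs. State = (logged_in, level, last_search),
    where last_search is the source the most recent successful search accessed."""
    logged_in, level, _ = state
    yield "logout", (False, 0, None)
    for lvl in EMPLOYEE_LEVELS:
        yield f"login(level={lvl})", (True, lvl, None)
    for src, required in SOURCES.items():
        if required == 0:
            yield f"search({src})", (logged_in, level, src)
        elif logged_in and (level >= required or not enforce_level):
            # enforce_level=False models a design that authenticates but never
            # checks the Level of Access against the Restricted Source
            yield f"search({src})", (logged_in, level, src)

def violates(state):
    """Security constraint as a state property: restricted search result =>
    authenticated session with sufficient level of access."""
    logged_in, level, src = state
    if src is None or SOURCES[src] == 0:
        return False
    return not (logged_in and level >= SOURCES[src])

def model_check(enforce_level=True):
    """Breadth-first exploration of the reachable state space. Returns None when
    the property holds in every reachable state, otherwise the shortest action
    trace from the initial state to a violating state (the counterexample)."""
    init = (False, 0, None)
    parent = {init: None}          # state -> (action, predecessor) for trace reconstruction
    queue = deque([init])
    while queue:
        state = queue.popleft()
        if violates(state):
            trace = []
            while parent[state] is not None:
                action, prev = parent[state]
                trace.append(action)
                state = prev
            return list(reversed(trace))
        for action, nxt in transitions(state, enforce_level):
            if nxt not in parent:
                parent[nxt] = (action, state)
                queue.append(nxt)
    return None

if __name__ == "__main__":
    print("level check enforced:", model_check(True))    # None: property holds
    print("level check missing: ", model_check(False))   # counterexample trace
```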
Security-critical use cases of MetaSearch (Requirements)

Analysis & Design
Analysis Patterns
–Help model security requirements
–Provide solutions for domain-specific analysis
Design Patterns
–Provide solutions in terms of complete subsystems, layers, packages
–Describe structure and behavior
Authentication pattern & Authorization pattern
Where can I find already defined patterns?
SSL Pattern

Secure communication using SSL
–Node A: Client PC
–Node B: Server

Class Structure of Use Case LOGIN
EndUser – Central Class
–Represents the user who wants to log in using the AuthenticateUser() method
–Invocation of this method is indicated by the dependency with the stereotype >
–Invocation requires secrecy: use of stereotype > with tag value {secrecy = (authenticateUser())}
–Integrity required for the returned session cookie cs; protection indicated by the tagged value {Integrity = ( sc )}
AuthService – Central authentication server
–Validates user sessions, authenticates users via the interface AuthenticationService

Feedback