Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model-based Security with UMLsec Software & Systems Engineering Informatics, Munich University of Technology Germany

Published byClementine Gallagher Modified over 9 years ago

Similar presentations

Presentation on theme: "Model-based Security with UMLsec Software & Systems Engineering Informatics, Munich University of Technology Germany"— Presentation transcript:

1 Model-based Security with UMLsec Software & Systems Engineering Informatics, Munich University of Technology Germany jan@jurjens.de http://www.jurjens.de/jan Jan Jürjens

2 Jan Jürjens, TU Munich: Model-based Security with UMLsec2 A Need for Security Society and economies rely on computer networks for communication, finance, energy distribution, transportation... Attacks threaten economical and physical integrity of people and organizations. Interconnected systems can be attacked anonymously and from a safe distance. Networked computers need to be secure.

3 Jan Jürjens, TU Munich: Model-based Security with UMLsec3 Problems, Causes Many flaws found in design or implementation of security-critical systems, sometimes years after publication or use. Designing secure systems is difficult. Designers often lack background in security. Security as an afterthought. Cannot use security mechanisms „blindly“.

4 Jan Jürjens, TU Munich: Model-based Security with UMLsec4 Previous approaches „Penetrate-and-patch“: insecure disruptive Traditional formal methods: expensive. training people constructing formal specifications.

5 Jan Jürjens, TU Munich: Model-based Security with UMLsec5 Goal: Security by design Consider security from early on within development context taking an expansive view in a seamless way. Secure design by model analysis. Secure implementation by test generation.

6 Jan Jürjens, TU Munich: Model-based Security with UMLsec6 Using UML UML: unprecedented opportunity for high-quality critical systems development feasible in industrial context: De-facto standard in industrial modeling: large number of developers trained in UML. Relatively precisely defined. Many tools in development.

7 Jan Jürjens, TU Munich: Model-based Security with UMLsec7 Used fragment of UML Activity diagram Class diagram Sequence diagram Statechart diagram Deployment diagram Package Stereotypes, tags, constraints Current: UML 1.5

8 Jan Jürjens, TU Munich: Model-based Security with UMLsec8 UML Extension mechanisms Stereotype: specialize model element using ¿labelÀ. Tagged value: attach {tag=value} pair to stereotyped element. Constraint: refine semantics of stereotyped element. Profile: gather above information.

9 Jan Jürjens, TU Munich: Model-based Security with UMLsec9 UMLsec UMLsec: extension for secure systems development. evaluate UML specifications for vulnerabilities encapsulate security engineering patterns also for developers not specialized in security security from early design phases, in system context make certification cost-effective

10 Jan Jürjens, TU Munich: Model-based Security with UMLsec10 The UMLsec profile Recurring security requirements as stereotypes with tags (secrecy, integrity,...). Associated constraints to evaluate model, indicate possible vulnerabilities. Ensures that stated security requirements enforce given security policy. Ensures that UML specification provides requirements.

11 Jan Jürjens, TU Munich: Model-based Security with UMLsec11 Basic Security Requirements Secrecy Information Integrity

12 Jan Jürjens, TU Munich: Model-based Security with UMLsec12 ¿InternetÀ, ¿encryptedÀ, … Kinds of communication links resp. system nodes. For adversary type A, stereotype s, have set Threats (s) ∊ {delete, read, insert, access} of actions that adversaries are capable of. Default attacker: StereotypeThreats () Internet encrypted LAN smart card {delete, read, insert} {delete} ∅

13 Jan Jürjens, TU Munich: Model-based Security with UMLsec13 Requirements with use case diagrams Capture security requirements in use case diagrams. Constraint: need to appear in corresponding activity diagram.

14 Jan Jürjens, TU Munich: Model-based Security with UMLsec14 ¿fair exchangeÀ Ensures generic fair exchange condition. Constraint: after a {buy} state in activity diagram is reached, eventually reach {sell} state. (Cannot be ensured for systems that an attacker can stop completely.)

15 Jan Jürjens, TU Munich: Model-based Security with UMLsec15 Example ¿fair exchangeÀ Customer buys a good from a business. Fair exchange means: after payment, customer is eventually either delivered good or able to reclaim payment.

16 Jan Jürjens, TU Munich: Model-based Security with UMLsec16 ¿secure linksÀ Ensures that physical layer meets security requirements on communication. Constraint: for each dependency d with stereotype s ∊ {¿secrecyÀ, ¿integrityÀ} between components on nodes n≠m, have a communication link l between n and m with stereotype t such that if s = ¿secrecyÀ: have read ∉ Threats (t). if s = ¿integrityÀ: have insert ∉ Threats (t).

17 Jan Jürjens, TU Munich: Model-based Security with UMLsec17 Example ¿secure linksÀ Given default adversary type, constraint for stereotype ¿secure linksÀ violated: According to the Threats default (Internet) scenario, ¿InternetÀ link does not provide secrecy against default adversary.

18 Jan Jürjens, TU Munich: Model-based Security with UMLsec18 ¿secure dependencyÀ Ensure that ¿callÀ and ¿sendÀ dependencies between components respect security requirements on communicated data given by tags {secrecy}, {integrity}. Constraint: for ¿callÀ or ¿sendÀ dependency from C to D (and similarly for {secrecy}): Msg in D is {secrecy} in C if and only if also in D. If msg in D is {secrecy} in C, dependency stereotyped ¿secrecyÀ.

19 Jan Jürjens, TU Munich: Model-based Security with UMLsec19 Example ¿secure dependencyÀ Violates ¿secure dependencyÀ: Random generator and ¿callÀ dependency do not give security level for random() to key generator.

20 Jan Jürjens, TU Munich: Model-based Security with UMLsec20 ¿no down–flowÀ Enforce secure information flow. Constraint: Value of any data specified in {secrecy} may influence only the values of data also specified in {secrecy}. Formalize by referring to formal behavioural semantics.

21 Jan Jürjens, TU Munich: Model-based Security with UMLsec21 Example ¿no down-flowÀ ¿no down–flowÀ violated: partial information on input of high wm() returned by non-high rx().

22 Jan Jürjens, TU Munich: Model-based Security with UMLsec22 ¿data securityÀ Security requirements of data marked ¿criticalÀ enforced against threat scenario from deployment diagram. Constraints: Secrecy of {secrecy} data preserved. Integrity of {integrity} data preserved.

23 Jan Jürjens, TU Munich: Model-based Security with UMLsec23 Example ¿data securityÀ Variant of TLS (INFOCOM`99). Violates {secrecy} of s against default adversary.

24 Jan Jürjens, TU Munich: Model-based Security with UMLsec24 ¿guarded accessÀ Ensures that in Java, ¿guardedÀ classes only accessed through {guard} classes. Constraints: References of ¿guardedÀ objects remain secret. Each ¿guardedÀ class has {guard} class.

25 Jan Jürjens, TU Munich: Model-based Security with UMLsec25 Example ¿guarded accessÀ Provides ¿guarded accessÀ: Access to MicSi protected by MicGd.

26 Jan Jürjens, TU Munich: Model-based Security with UMLsec26 Concepts covered by UMLsec Security requirements: ¿secrecyÀ,… Threat scenarios: Use Threats adv (ster). Security concepts: For example ¿smart cardÀ. Security mechanisms: E.g. ¿guarded accessÀ. Security primitives: Encryption built in. Physical security: Given in deployment diagrams. Security management: Use activity diagrams. Technology specific: Java, CORBA security.

27 Jan Jürjens, TU Munich: Model-based Security with UMLsec27 Security Analysis Model classes of adversaries. May attack different parts of the system according to threat scenarios. Example: insider attacker may intercept communication links in LAN. To evaluate security of specification, simulate jointly with adversary model.

28 Jan Jürjens, TU Munich: Model-based Security with UMLsec28 Tool-support: Concepts Meaning of diagrams stated informally in (OMG 2001). Possible ambiguities problem for tool support analysis of behavioral properties (such as security) Use precise semantics for part of UML defined as pseudo-code. Include adversary model for simulation.

29 Jan Jürjens, TU Munich: Model-based Security with UMLsec29 Tool-support: Technology Commercial modelling tools: so far mainly syntactic checks and code-generation. Goal: more sophisticated analysis; connection to analysis tools. Several possibilities: General purpose language with integrated XML parser (Perl, …) Special purpose XML parsing language (XSLT, …) Data Binding (Castor; XMI: e.g. MDR)

30 Jan Jürjens, TU Munich: Model-based Security with UMLsec30 Data-binding with MDR Extracts data from XMI file into Java Objects, following UML 1.4 meta-model. Access data via methods. Advantage: No need to worry about XML.

31 Jan Jürjens, TU Munich: Model-based Security with UMLsec31 Connection with analysis tool Industrial CASE tool with UML-like notation: AUTOFOCUS (http://autofocus.informatik.tu-muenchen.de) verification code generation test-sequence generation Connect UML tool to underlying analysis engine.

32 Jan Jürjens, TU Munich: Model-based Security with UMLsec32 Applications Common Electronic Purse Specifications Analysis of multi-layer security protocol for web application of major German bank Analysis of SAP access control configurations for major German bank Risk analysis of critical business processes (for Basel II / KontraG) …

33 Jan Jürjens, TU Munich: Model-based Security with UMLsec33 Some resources Book: Jan Jürjens, Secure Systems Development with UML, Springer- Verlag, due 2003 Tutorial @ CSS’03, Cancun (Mexico), 19-21 May. More information: http://www.jurjens.de/jan

34 Jan Jürjens, TU Munich: Model-based Security with UMLsec34 Finally We are always interested in industrial challenges for our tools, methods, and ideas to solve practical problems. More info: http://www.jurjens.de/jan Contact me here or via Internet. Thanks for your attention !

Download ppt "Model-based Security with UMLsec Software & Systems Engineering Informatics, Munich University of Technology Germany"

Similar presentations

Kellan Hilscher. Definition Different perspectives on the components, behavioral specifications, and interactions that make up a software system Importance.

Kellan Hilscher. Definition Different perspectives on the components, behavioral specifications, and interactions that make up a software system Importance.
A Brief Introduction. Acknowledgements  The material in this tutorial is based in part on: Concurrency: State Models & Java Programming, by Jeff Magee.

A Brief Introduction. Acknowledgements  The material in this tutorial is based in part on: Concurrency: State Models & Java Programming, by Jeff Magee.
Playing the Devil ’ s Advocate: Verifying Real-Time Systems Jan Jürjens Software & Systems Engineering TU Munich, Germany

Playing the Devil ’ s Advocate: Verifying Real-Time Systems Jan Jürjens Software & Systems Engineering TU Munich, Germany
L4-1-S1 UML Overview © M.E. Fayad 2000 -- 2005 SJSU -- CmpE Software Architectures Dr. M.E. Fayad, Professor Computer Engineering Department, Room #283I.

L4-1-S1 UML Overview © M.E. Fayad SJSU -- CmpE Software Architectures Dr. M.E. Fayad, Professor Computer Engineering Department, Room #283I.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.

UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.
CS 5150 1 CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.

CS CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.
1/31 CS 426 Senior Projects Chapter 1: What is UML? Chapter 2: What is UP? [Arlow and Neustadt, 2005] January 22, 2009.

1/31 CS 426 Senior Projects Chapter 1: What is UML? Chapter 2: What is UP? [Arlow and Neustadt, 2005] January 22, 2009.
(c) 2007 Mauro Pezzè & Michal Young Ch 1, slide 1 Software Test and Analysis in a Nutshell.

(c) 2007 Mauro Pezzè & Michal Young Ch 1, slide 1 Software Test and Analysis in a Nutshell.
William Stallings Data and Computer Communications 7 th Edition Chapter 2 Protocols and Architecture.

William Stallings Data and Computer Communications 7 th Edition Chapter 2 Protocols and Architecture.
Common Mechanisms in UML

Common Mechanisms in UML
1 CS 426 Senior Projects Chapter 1: What is UML? Chapter 2: What is UP? [Arlow and Neustadt, 2002] January 26, 2006.

1 CS 426 Senior Projects Chapter 1: What is UML? Chapter 2: What is UP? [Arlow and Neustadt, 2002] January 26, 2006.
COE 342: Data & Computer Communications (T042) Dr. Marwan Abu-Amara Chapter 2: Protocols and Architecture.

COE 342: Data & Computer Communications (T042) Dr. Marwan Abu-Amara Chapter 2: Protocols and Architecture.
Www.sparxsystems.com The Role of Modeling in Systems Integration and Business Process Analysis © Sparx Systems Pty Ltd 2011 Ben Constable Sparx Systems.

The Role of Modeling in Systems Integration and Business Process Analysis © Sparx Systems Pty Ltd 2011 Ben Constable Sparx Systems.
Incorporating database systems into a secure software development methodology Eduardo B. Fernandez, Jan Jurjens, Nobukazu Yoshioka, and Hironori Washizaki.

Incorporating database systems into a secure software development methodology Eduardo B. Fernandez, Jan Jurjens, Nobukazu Yoshioka, and Hironori Washizaki.
The Design Discipline.

The Design Discipline.
UMLSec IS 2935: Developing Secure Systems Courtesy of Jan Jürjens, who developed UMLsec Lecture 10.

UMLSec IS 2935: Developing Secure Systems Courtesy of Jan Jürjens, who developed UMLsec Lecture 10.
What is UML? What is UP? [Arlow and Neustadt, 2005] January 23, 2014

What is UML? What is UP? [Arlow and Neustadt, 2005] January 23, 2014
UML - Development Process 1 Software Development Process Using UML (2)

UML - Development Process 1 Software Development Process Using UML (2)
SEG4110 – Advanced Software Design and Reengineering

SEG4110 – Advanced Software Design and Reengineering

Similar presentations

Ads by Google