mda and security october 12, 2006 fau secure systems group patrick morrison
TRANSCRIPT
MDA and Security
October 12, 2006
FAU Secure Systems Group
Patrick Morrison
Agenda
• Motivation for “MDA and Security”• Secure Systems Methodology, with patterns• A quick tour of MDA, in English this time• Example Application• MDA in the development lifecycle• Evaluation Criteria• Contributions• Next Steps
The problem of Security
• “A good percentage of the software deployed in industrial/commercial applications is of poor quality, it is unnecessarily complex, and contains numerous flaws that can be exploited by attackers.”
• “We believe that the solution lies in developing secure software from the beginning, applying security principles along the whole life cycle…We see the use of patterns as a fundamental way, even for developers with little experience, to implicitly apply security principles.”
• [MDSSP, EBF, et. al.]
Secure Systems Methodology [MDSSP]
Security verification and testing
Requirements Analysis Design Implementation
Secure UCs Authorization rules in conceptual model
Rule enforcement through architecture
Language enforcement
Security test cases
Stage Tasks
Requirements Use case based role and attack analysis
Analysis Authorized semantic analysis patterns
Design Coordinated application of patterns to multiple architectural layers
Implementation MDA Code Generation
Methodology PatternsSecureLayers
SecureFacade
SecureReflection
ApplicationConceptual
Model
PolicyAdministration
Point
PolicyInformation
Point
PolicyDecision
Point
PolicyEnforcement
Point
Model ViewController
SecureAdapter
SecureBroker
SecureEnterprise
ComponentFramework
SecureWeb
Services
SecureProxy
AuthenticationSecure
Channel
SecureClient
DispatcherServer
SecureRelationalDatabaseMapping
SecureOperating
System
defineRules
enforceRules
decide
interact transformInterfacedistribute
objects consume/provideServicesimplement
businessmodel
mapObjects accessRemoteobjects
supportSoftware secure
Communication
establishConnection
authenticate
use
use
Design (and other) patterns
• “A design pattern names, abstracts and identifies the key aspects of a common design structure that makes it useful for creating a reusable object-oriented design” [GOF, pg 3]
The promise of MDA
• by using “precise but abstract and graphical representations of algorithms, MDA allows the construction of computing systems from models that can be understood much more quickly and deeply than can programming language “code” [MDAD, pg. xiv].
The Question(s)
• Can MDA be applied to the design and construction of secure systems?
• To what degree is it now possible to work in terms of high-level models rather than code?
• Does MDA allow for the creation and reuse of generic models?
• Does MDA reduce the amount of low-level work that needs to be done?
Combining Patterns, Security and MDA: SOUPCAN
• Secure grOUP Chat Application for Networks
• Provide invitation-only chat rooms with secure communications, allowing participants to form “cliques” in order to gossip, plan wars, etc…
• Example of using the secure systems methodology with MDA
SOUPCAN
• Requirements chosen to facilitate use of existing security patterns, e.g. Reference Monitor, Authenticator, Authorizer, Credentials, Secure Broker
• (Hopefully) Small enough to be implementable• (Hopefully) Large enough to illustrate issues in
application of MDA, Secure Systems with Patterns Methodology.
Lifecycle Step: Analysis
• Process: Evaluate requirements, identify use cases, high-level structure, apply patterns where appropriate
• Results: Application model containing UML Use Case and Class diagrams
SOUPCAN Use Cases
• UML Built with MagicDraw• Stored as XMI data• Excerpt: <UML:Actor xmi.id="249272_1" name="Host" /> <UML:Actor xmi.id="940417_17" name="Participant" /> <UML:Actor xmi.id="448524_33" name="Administrator" /> <UML:UseCase xmi.id="949209_49" name="Administration" /> <UML:UseCase xmi.id=“838290_60" name="Invitation" /> <UML:UseCase xmi.id="896208_71" name="Registration" /> <UML:UseCase xmi.id="428793_82" name="Chat" /><UML:Association xmi.id="975434_95"><UML:Association.connection> <UML:AssociationEnd xmi.id="250191_93" isNavigable="true"
participant="249272_1" /> <UML:AssociationEnd xmi.id="742224_94" isNavigable="true"
participant="838290_60" /> </UML:Association.connection> </UML:Association>
Lifecycle Step: Design
• Process: Develop class and sequence diagrams which implement the Use Cases, apply patterns where appropriate
• Results: Application and Security models containing UML Class and sequence diagrams
SOUPCAN Class Diagram
SOUPCAN Class Diagram
It’s (Secure) Broker!
Architectural concerns for implementing Secure Broker
SecureChannel
Broker
DigitalSignature
Client DispatcherServer
Authentication
AccessMatrix
ReferenceMonitor
RBAC
confidentiality
authentication
authorization
authorization
enforces
non-repudiation
implementAs
* Diagram from MDSSP
Lifecycle Step: Implementation
• Process: Select a platform and platform model, make connections between the design and the platform, via the platform model
• Selected: MagicDraw, androMDA, C#, ASP.NET, Visual Studio, nHibernate, …
• Results: Code generated from the models
Implementation Details… :32,997 - discovering namespaces - :34,440 found namespace --> 'aspdotnet' :34,440 + registering component 'cartridge' :34,870 + registering component 'metafacades' :35,331 + registering component 'profile' :40,628 found namespace --> 'uml-1.4' :40,628 + registering component 'metafacades' :41,960 + registering component 'profile' :42,000 found namespace --> 'validation' :42,010 + registering component 'translation-library' :53,948 - core initialization complete: 22.373[s] - :54,568 loading model --> 'file:C://TimeTracker.Model.xmi' :58,905 referenced model --> 'jar:file:/uml14/profile/profile-.xml' :59,045 referenced model --> 'profile-datatype.xml' :59,285 referenced model --> 'profile-service.xml' :59,445 referenced model --> 'profile-process.xml' :59,576 referenced model --> 'profile-presentation.xml' :59,746 referenced model --> 'profile-meta.xml' :59,866 referenced model --> 'profile-xml.xml' :59,986 referenced model --> 'andromda-profile-persistence.xml' :01,118 - loading complete: 7.13[s] - :01,118 - validating model - :06,175 - validation complete: 5.057[s] - :07,076 INFO [AndroMDA:cs] Output: 'file:/C:../TimeTracker/VO/UserVO.cs'
// Name: UserVO.cs// Attention: Generated code! Do not modify by hand! (I did anyway)// Generated by: ValueObject.vsl in andromda-cs-cartridge.using System;namespace Northwind.TimeTracker.VO{ [Serializable] public class UserVO { #region Attributes and Associations private long _id; private String _userName; private String[] _roles; #endregion #region Constructors public UserVO(long id, String userName, String[] roles) { this._id = id; this._userName = userName; this._roles = roles; }…
Mapping…
Evaluation
• Does the generated code implement the design? Can users of the system chat?
• How secure is the system? Is it correlated to the design models?
• How independent are the Application, Security and Platform models? Can, for example, the Security model be reused with a different application model? With a different platform model?
• Does MDA keep its promise? How much programming language coding needs to be done?
Contributions
• A UML Model for security, based on patterns• A worked example of the Secure Systems
Methodology, through Analysis, Design and Implementation.
• A worked example of MDA development• Description of a tool chain for building MDA
applications (MagicDraw, androMDA, Visual Studio 2005, etc)
• An example application, with requirements and design.
Next Steps…
• Complete design of SOUPCAN
• Split design into separate Application and security models, link them
• Document experiences, issues with using the current tools