Part 3: Security in Software Engineering
Security-aware Software Engineering Processes
Creation of Secure Applications
Francisco Sánchez Cid, Project Manager
Instituto Tecnologico de Informatica
Valencia (Spain)
“...If we can certify that we have a secure software development life-cycle we stand to increase our overall revenue with clients from 10-20%.”
Our Chief Software Architect
• Actually utilizing our methodology as a competitive advantage! WOW!
• Unit, integration, and acceptance tests and their automation mean you can actually certify that your software is reasonably secure, at least for what you’re testing for
We all agree:
• Indirectly, SE has a big impact on our ability to deliver and maintain applications
… but can a methodology be a direct revenue generator?
E.g. a system for olive classification in Spain
All right. This approach seems to work fine for 90% of the applications we develop, but… what about the other 10%?
• For this 10% of applications we do not only have security requirements but also:
  o These requirements evolve as time goes by
  o The operational context is unpredictable or uncertain
  o We don’t want the app to be tightly coupled to a specific solution
  o E.g. a digital signature applet
• Just one way out:
  o Identify and develop generic solutions
  o Use a model to represent the solutions
  o Link generic solutions to specific implementations
  o Once a solution is selected, monitor its validity over time
… Kind of Model Driven Engineering?
Let’s have a look at it
Security-aware Software Engineering Processes
• Current technology challenges
• Model Driven Engineering comes to help
  – Models
  – Model Driven Architecture
  – MDA and Security
• Model transformations
  – What is a transformation
  – Example
• Conclusions
Security Aware Software Engineering Process
Current technology challenges
• Current applications are tightly coupled to underlying technologies
  – The investment made in their development is at risk because of this dependence
• Many different platforms and technologies
  – Distributed objects, components, web services…
  – Not interoperable
  – No reuse (at least if they are not correctly designed)
• Very fast evolution
  – New technologies appear every day
  – Old technologies disappear
  – How to protect the investment in business logic?
MDE as opposed to OO
Object Oriented Design: everything is an object
Model Driven Engineering: everything is a model
(Class diagram “MDE vs OO”: in OO, an Instance is instanceOf a Class, which inheritsFrom a SuperClass; in MDE, a System is representedBy a Model, which conformsTo a Meta-Model. The relations in these approaches clearly differ.)
Model Driven Engineering (MDE)
• Approach to software development based on models and model transformations
  – Current approaches are based on objects, programs and compilers
• MDE implies the (semi-)automated generation of implementations from models
• Modelling languages are key to MDE
  – Model transformation languages are also modelling languages
  – Models conform to meta-models
• MDA is the OMG’s proposal for MDE, using OMG standards
  – MOF, UML, OCL, XMI, QVT
  – MOF and UML allow the definition of new families of languages
What is a model?
• A description of (part of) a system written in a well-defined language (Equivalent to specification) [Kleppe, 2003]
• A description or specification of the system and its environment for some certain purpose. A model is often presented as a combination of drawings and text [MDA Guide, 2003]
(Sequence diagram “Activate Pattern”; participants: Application, S&D Manager, Event Manager, S&D Query, Runtime S&D Library, Context Manager)
1: Request Class()
2: Get Context()
3: Send Context()
4: Get Available Patterns()
5: Build Query()
6: Query For Patterns()
7: Return Patterns()
8: Return Patterns()
9: Choose Pattern()
10: Update Context()
13: Send Implementation Handler
(Class diagram “Metamodel”: S&DClass, S&DPattern, S&DImplementation, Application, S&DArtefact, S&DSolution, S&DProperty, S&DRequirement, ExecutableComponent; relations: Has, Secures, RefersTo, Requires, Provides, Represents, Implements, Belongs-To, all with * multiplicities)
Models in software
• “...Bubbles and arrows, as opposed to programs, never crash.” [B. Meyer, 1997]
• The problem is to maintain the link between models and source code
(Class diagram “SampleApplicationIM”: EmailSystem, CommunicationSystem, EmailDB, AccessControl, GUI; the «S&DPattern» smartCardAuthentication.UMA.es is attached through a «Securizes» relation)
    public class ActiveMonitoringManager extends Observable {
        private static MonitoringServiceIF monitoringAccess;
        private Hashtable<String, MonitorInfo> activeMonitors;
        private static ActiveMonitoringManager mManager = getInstance();
        // ...
    }
Limitations of models (in SE)
• Models are used only as documentation (if the system is documented at all)
• “Gap” between the model and the implementation of the system
  – Semantic gap between the respective languages
  – Changes in the model are not reflected in the code
  – Changes in the code are not reflected in the model (the model is thrown away after the first implementation, and never updated or used again)
• No “merge” of models (though some tools actually help)
  – Unrelated views of a system (horizontal)
  – Unrelated towers of models (vertical)
• No model “transformations”
  – Few defined transformation languages
  – No tools
• We are still far behind more mature engineering industries, such as aerospace, automotive and electrical engineering...
• ...Even hardware design is ahead of software design!
Kinds of SE models
• Depending on:
  – The phase of the project: analysis models, design models, ...
  – The level of detail: high level models, low level models (implementations)
  – The view of the system: business models, software architecture models, deployment models, ...
  – The aspect they focus on: structural models, behavioural models, QoS models, ...
  – The level of technology independence: Computation Independent Models, Platform Independent Models, Platform Specific Models
  – The particular target platform: J2EE, .NET, CORBA, EDOC, ...
MDA: OMG’s four-layer metamodel architecture
• M3, MOF (Meta Object Facility), used to describe meta-models
• M2, meta-models, used to describe modelling languages
• M1, models, used to describe applications
• M0, instances of applications
Example (figure not reproduced)
MDA Models (M1)
• Computation Independent Model (CIM)
  – A view of a system from the computation independent viewpoint
  – A CIM focuses on the system and its environment; the details of the structure of the system are hidden or as yet undetermined
  – A CIM is sometimes called a domain model or a business model, and is specified using a vocabulary that is familiar to the practitioners of the domain in question
  – It may hide much or all information about the use of automated data processing systems
• Platform Independent Model (PIM)
  – A platform independent model is a view of a system from the platform independent viewpoint
  – A PIM exhibits platform independence and is suitable for use with a number of different platforms of similar type
• Platform Specific Model (PSM)
  – A platform specific model is a view of a system from the platform specific viewpoint
  – A PSM combines the specifications in the PIM with the details that specify how that system uses a particular type of platform
• Platform Model (PM)
  – A platform model provides a set of technical concepts, representing the different kinds of parts that make up a platform and the services provided by that platform
  – It also provides, for use in a platform specific model, concepts representing the different kinds of elements to be used in specifying the use of the platform by an application
Examples of MDA models
• CIM
  – Use case models capturing the system requirements
• PIM
  – The software architecture of the system, which describes how the functionality of the system is decomposed into (architectural) components and connectors
• PSM
  – A model of the J2EE implementation of the system, expressed using the EJB Profile, that describes how the (architectural) components need to be implemented by EJBs
• Platform Model (Code)
  – The EJBs themselves, their configuration files, etc., ready to be deployed
Model Driven Security (D. Basin)
• It is an extension of MDA
(Figure: a System Model, e.g. classes A and B, plus a Security Model, e.g. a «secumlRole» Customer with a «secumlPermission», go through a Model Transformation with extensions to produce the Target System plus its Security Infrastructure (RBAC, assertions, etc.))
Model Driven Security
• Three UML extensions
  – ComponentUML, a class based language for data modelling
  – ControllerUML for modelling system behaviour evolution
  – SecureUML for modelling secure systems based on RBAC
• Confidentiality and integrity are modelled using RBAC
• They are composed into security languages for modelling design and security
• Only for class, sequence and statechart diagrams
• A Security Design Language glues the two languages together
• Each language is equipped with an abstract and concrete syntax, semantics, and a technology dependent translation function
• The dialect bridges the design language with the security language by identifying which design elements are protected resources
(Figure: Security Design Language = Security Modelling Language (SecureUML) + Dialect + System Design Modelling Language (ComponentUML, ControllerUML))
Model Driven Security
• Example: there is an implementation of this on top of the ArcStyler MDA tool (figure not reproduced)
Model transformation
• Model transformation is the process of converting one model to another model of the same system
• The MDA pattern includes (at least): a PIM, a Platform Model, a Transformation, and a PSM
• Useful to
  – Mark models
  – Transform meta-models
  – Merge models
  – Include information in models
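To make the Model Driven Security picture and the transformation step concrete, here is an added Python example; it is not code from the slides, from Basin's ArcStyler implementation or from the SERENITY project. A SecureUML-style security model (roles, a role hierarchy, a composite action, permissions on entities) and a ComponentUML-style design model (entities with attributes and methods) are joined by a small dialect that decides which design elements are protected resources, and a transformation turns them into a flat authorization table plus a check function, standing in for the generated security infrastructure. The Meeting and Person entities, the User and Supervisor roles, the action names and all function names are constructed for this example.

```python
"""Added example: a SecureUML-style model transformed into an RBAC
authorization table (the 'security infrastructure' in the MDS picture).
All entities, roles, permissions and function names are constructed for
illustration; they are not an API of any real MDA tool."""

# --- Design model (ComponentUML-like): entities with attributes and methods
DESIGN_MODEL = {
    "Meeting": {"attributes": ["start", "duration"], "methods": ["notify", "cancel"]},
    "Person": {"attributes": ["name"], "methods": []},
}

# --- Security model (SecureUML-like)
# A role inherits every permission of the roles it is mapped to.
ROLE_HIERARCHY = {"Supervisor": ["User"], "User": []}
# Composite actions expand to atomic ones (SecureUML action hierarchy).
ACTION_HIERARCHY = {
    "fullAccess": ["read", "update", "create", "delete", "execute"],
}
# (role, protected entity, action)
PERMISSIONS = [
    ("User", "Meeting", "read"),
    ("User", "Meeting", "create"),
    ("User", "Person", "read"),
    ("Supervisor", "Meeting", "fullAccess"),
]


def expand_actions(action):
    """Atomic actions implied by `action` (itself, if it is already atomic)."""
    subs = ACTION_HIERARCHY.get(action, [])
    if not subs:
        return {action}
    atomic = set()
    for sub in subs:
        atomic |= expand_actions(sub)
    return atomic


def inherited_roles(role):
    """`role` plus every role whose permissions it inherits, transitively."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_HIERARCHY.get(r, []))
    return seen


def protected_resources(design_model):
    """The dialect: which design elements are protected resources and which
    atomic actions apply to each (entity: create/delete, attribute:
    read/update, method: execute)."""
    resources = {}
    for entity, parts in design_model.items():
        resources[entity] = {"create", "delete"}
        for attr in parts["attributes"]:
            resources[f"{entity}.{attr}"] = {"read", "update"}
        for method in parts["methods"]:
            resources[f"{entity}.{method}"] = {"execute"}
    return resources


def transform(design_model, permissions):
    """Model transformation: design model + security model ->
    flat table {(role, resource): set of atomic actions}."""
    resources = protected_resources(design_model)
    table = {}
    for role, entity, action in permissions:
        atomic = expand_actions(action)
        for resource, applicable in resources.items():
            if resource == entity or resource.startswith(entity + "."):
                granted = atomic & applicable
                if granted:
                    table.setdefault((role, resource), set()).update(granted)
    return table


def is_permitted(table, role, resource, action):
    """Generated access-control check: direct or inherited permission."""
    return any(action in table.get((r, resource), set())
               for r in inherited_roles(role))


def render_policy(table):
    """Render the table as text lines, the shape a generated config would take."""
    return [f"{role}: {resource} -> {','.join(sorted(actions))}"
            for (role, resource), actions in sorted(table.items())]


if __name__ == "__main__":
    policy = transform(DESIGN_MODEL, PERMISSIONS)
    print("\n".join(render_policy(policy)))
    print(is_permitted(policy, "Supervisor", "Person.name", "read"))  # inherited from User
    print(is_permitted(policy, "User", "Meeting.cancel", "execute"))  # never granted
```

The point of splitting `protected_resources` out is the one the slides make about the dialect: the security model talks about entities and abstract actions, the design model about attributes and methods, and the dialect is the only place where the two vocabularies meet. Changing the target platform (say, generating servlet filters instead of a table) would replace `render_policy`, not the models.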
Examples of MDA transformations
Transformations are everywhere…
Examples of MDA transformations: GMF
Although not specific to security, a representative technology…
(GMF meta-model figure with the classes Diagram, Graphical Element, Link, Association, Sequence, Start, End, Activity, Form, FormItem, StaticItem, DynamicItem, TextArea, TextField, URL and Label; a Link has a source and a target; multiplicities 1, 0..* and 1..*)
GMF: first, the model
E.g. design of workflows for public administration
GMF: then, the mapping
GMF: and eventually, generate…
Conclusions to MDA
• MDA seems to be the right way to go
  – Conceptually clean and well defined
  – Protects investment and IP by separating the business model from the supporting technologies
• But there is still a long way ahead
• There are more or less mature approaches to the development of security systems using MDA
  – Based on security policies and RBAC
• Research is required
• MDD (and MDA) looks very promising
Honestly, do you really think that only by drawing three boxes and a couple of lines you will get all your application code?
• MDA is not the panacea
  – “No manual coding” is not 100% achievable in general
  – It is important to identify the domains in which MDA can be effectively used
  – For the time being, tools are not mature
Creation of Secure Applications
• Differences between current secure software development and the SERENITY approach
• SERENITY applications life cycle
• Developing SERENITY applications
• Using Java to develop SERENITY applications
• Run-time support
• Advantages of the SERENITY approach
When developing applications…
• Most current approaches to software development are based on an iterative and incremental process
How does it fit in Agile Development…
(Figure: sprint cycle Security Requirements, Planning, Design, Development. A specific security engineering activity in every sprint? Not really agile.)
(Figure: the same cycle with Security Risk Management added: check against the threat model, identify the properties/threats, decide the controls; supposed to leave a residual risk.)
How does it fit in Agile Development… in fact
(Figure: Sprint Planning: threat analysis for the largest risks, detailed threat analysis, decide on the controls: address the threat (new sprint backlog) or postpone the work (new product backlog). Sprint Review: approve the residual risk.)
• For this to work:
  – The Scrum team does need to be somehow aware of security engineering and software security issues.
  – Security specialists should be on call.
Security aspects of applications
• Usually, security requirements are treated like the rest of the requirements
  – Security is not a functional requirement
• It is difficult to implement
• It is difficult to trace during the project
• Security is always orthogonal. We may talk of perspectives for the software
• Given a good model, you have one thousand ways of making it insecure
  – A parameter not correctly parsed
  – A buffer not correctly managed
  – …
Serenity Proposal for Secure Software Development
• Just a reminder:
  – For this to work, the team does need to be somehow aware of security engineering and software security issues.
• Now that we are aware:
  – We propose not to be aware of security engineering, but of the security properties the system has to comply with
  – Security requirements are fulfilled by means of S&D patterns
  – S&D patterns are represented at different levels of abstraction by means of different artefacts
(Class diagram “PatternDetail”: S&DClass, S&DPattern, S&DImplementation and ExecutableComponent, linked by BelongsTo, RefersTo and Implements relations with * multiplicities)
• S&DClass: represents a set of S&D solutions and defines a general interface
• S&DPattern: represents an S&D solution and defines an interface and a set of functionalities
• S&DImplementation: represents the implementation of a pattern
• ExecutableComponent: implements a pattern
Software Architects know these artefacts, Security Experts deeply know these artefacts, and Developers know and use all these S&D artefacts and their interfaces
• Developers include references to S&D patterns in applications by means of references to S&D artefacts
• Developers are supported by S&D pattern libraries where they can find artefacts (called S&D Libraries)
• SERENITY includes tools supporting developers in managing on-line S&D libraries (e.g. a plugin for Eclipse)
Serenity Proposal for Secure Software Development
(Figure, built up over several slides, of the SERENITY life cycle:)
• S&D Pattern Development (Security Community): S&D pattern development, then addition to the S&D library, which feeds the S&D library
• Application Development (Development Team): S&D pattern search and selection, then inclusion of references in the application, then application deployment
• Runtime Support: run-time S&D pattern assembling, then application execution, with run-time monitoring of the running app
(Labels in the figure: Serenity Development Framework, Serenity Runtime Framework)
Serenity Runtime Framework
• One of SERENITY’s main features is the run-time support:
  – Dynamic substitution of S&D Patterns at run-time
  – The more abstract the level of the artefact selected at development time is, the more flexible the SRF is in selecting the S&D Pattern
  – At run-time, S&D Patterns are monitored
• The SERENITY approach can be integrated in most current development processes
• Let us see how it fits…
(Figure: the iterative and incremental process with the SERENITY development time framework and the SERENITY runtime framework attached)
And if we go to Agile Development…
How does it fit in Agile Development…
(Figure: Sprint Planning: threat analysis based on properties for the largest risks, detailed threat analysis, decide on the controls: address the threat (new sprint backlog) or postpone the work (new product backlog); Sprint Review: approve the residual risk; the SERENITY development time framework and the SERENITY runtime framework are attached to the cycle)
• The integration of SERENITY is achieved by means of new paths in security engineering techniques: S&D properties, formal proofs, and a library.
• Application developers profit from the expertise of security experts by using SERENITY patterns
Developing applications in Serenity
• Application Developer: Our client needs a secure and reliable online application…
1) Identify S&D requirements
  • Properties vs. threats
  • Usually expressed as S&DProperties
  • Looking for the appropriate S&DProperties in S&DProperties repositories
2) Develop applications
  • Search the development time S&DLibrary for the appropriate S&D solutions
  • Develop the code including references to the S&D solutions’ functionalities
The whole process
(Figure: a Serenity-aware Application holds an S&D Pattern reference; on activation, the SRF performs the run-time selection using information from the context and gives the application access to the S&D Pattern functionalities of an Executable Component implementing an S&D Pattern; the Monitoring Service receives monitorization and events according to monitoring rules, as part of the run-time support)
An example: runtime selection
(Object model figure:)
• S&DClass: SimpleTransmisionConfidentiality.iso.org
  – S&DPattern: ConfidentialityByDES_Encryption.iso.org
    • S&DImplementations: NokiaDES, SAPDES, ThalesDES, each with an ExecutableComponent of the same name
  – S&DPattern: ConfidentialityBySecureChannel.ieee.org
    • S&DImplementations: ATCSecureChannel, SetcceSecureChannel, each with an ExecutableComponent of the same name
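The runtime selection the object model above illustrates, together with the SRF behaviour described earlier (dynamic substitution after a monitoring event, and more flexibility the more abstract the referenced artefact is), as an added Python example. This is not the SERENITY API or any code from the project: the artefact names are taken from the slide, but the context keys, the `requires` preconditions attached to each implementation, and every class and function name (`SRF`, `request_solution`, `flexibility`, `report_violation`) are constructed here. The reference prefixes C:, P: and I: follow the convention used in the slide's Java example.

```python
"""Added example: SERENITY-style artefact hierarchy and run-time selection.
Artefact names come from the slide's object model; the context keys, the
`requires` preconditions and every class/function name are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SDPattern:
    name: str
    sd_class: str            # the S&DClass this pattern belongs to


@dataclass(frozen=True)
class SDImplementation:
    name: str
    pattern: str             # the S&DPattern it refers to
    executable: str          # the ExecutableComponent that implements it
    requires: tuple          # ((context key, required value), ...), constructed


# Run-time S&D library, constructed from the slide's object model
PATTERNS = [
    SDPattern("ConfidentialityByDES_Encryption.iso.org", "SimpleTransmisionConfidentiality.iso.org"),
    SDPattern("ConfidentialityBySecureChannel.ieee.org", "SimpleTransmisionConfidentiality.iso.org"),
]
IMPLEMENTATIONS = [
    SDImplementation("NokiaDES", "ConfidentialityByDES_Encryption.iso.org", "NokiaDES", (("platform", "mobile"),)),
    SDImplementation("SAPDES", "ConfidentialityByDES_Encryption.iso.org", "SAPDES", (("platform", "server"),)),
    SDImplementation("ThalesDES", "ConfidentialityByDES_Encryption.iso.org", "ThalesDES", (("platform", "server"), ("hsm", True))),
    SDImplementation("ATCSecureChannel", "ConfidentialityBySecureChannel.ieee.org", "ATCSecureChannel", (("network", "tls"),)),
    SDImplementation("SetcceSecureChannel", "ConfidentialityBySecureChannel.ieee.org", "SetcceSecureChannel", ()),
]


def candidates(reference):
    """Implementations reachable from a reference. The prefix follows the
    slide's convention: C: S&DClass, P: S&DPattern, I: S&DImplementation."""
    kind, sep, name = reference.partition(":")
    if not sep:
        raise ValueError(f"reference needs a C:/P:/I: prefix: {reference!r}")
    if kind == "I":
        return [i for i in IMPLEMENTATIONS if i.name == name]
    if kind == "P":
        return [i for i in IMPLEMENTATIONS if i.pattern == name]
    if kind == "C":
        patterns = {p.name for p in PATTERNS if p.sd_class == name}
        return [i for i in IMPLEMENTATIONS if i.pattern in patterns]
    raise ValueError(f"unknown artefact kind {kind!r}")


def applicable(impl, context):
    """Precondition check against the context reported by the Context Manager."""
    return all(context.get(key) == value for key, value in impl.requires)


class SRF:
    """A miniature Serenity Runtime Framework: resolves references to
    executable components and re-selects after a monitoring violation."""

    def __init__(self, context):
        self.context = dict(context)
        self.excluded = set()        # components dropped after a violation

    def request_solution(self, reference):
        for impl in candidates(reference):
            if impl.executable not in self.excluded and applicable(impl, self.context):
                return impl.executable
        return None                  # no S&D solution fits this context

    def flexibility(self, reference):
        """How many components the SRF can still choose from for a reference."""
        return sum(1 for impl in candidates(reference)
                   if impl.executable not in self.excluded and applicable(impl, self.context))

    def report_violation(self, executable, reference):
        """Monitoring event: retire the offending component and re-select
        under the same reference the application compiled in."""
        self.excluded.add(executable)
        return self.request_solution(reference)


if __name__ == "__main__":
    srf = SRF({"platform": "mobile", "network": "tls"})
    for ref in ("C:SimpleTransmisionConfidentiality.iso.org",
                "P:ConfidentialityByDES_Encryption.iso.org", "I:SAPDES"):
        print(ref, "->", srf.request_solution(ref), "options:", srf.flexibility(ref))
    print("after violation:",
          srf.report_violation("NokiaDES", "C:SimpleTransmisionConfidentiality.iso.org"))
```

Run on a mobile context, the class-level reference leaves the SRF three components to choose from and survives the loss of NokiaDES by switching to a secure-channel component; the pattern-level reference leaves only one and has nothing to fall back to; the implementation-level reference to SAPDES cannot be satisfied at all. The same `excluded` mechanism is what a reviewed library would use to retire an implementation (a DES-based one, for instance) without touching the application, which is the "library continuously reviewed without revising the application" advantage claimed later in the deck.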
From the developer’s perspective
1. I launch my favourite programming IDE
2. I start coding my application
3. I import the SERENITY API
4. I launch the SERENITY search tool
5. I look for the pattern I want to use in my application
6. I add calls to the pattern using
  a. the semantic information retrieved from the pattern description
  b. and the SERENITY API
  (I do not need to include the pattern itself; I just need a reference to the pattern)
7. I finish and compile my application
8. I deploy my application on a SERENITY enabled device
That’s all, now my app is ready to run!
SERENITY Tools
• Currently SERENITY provides an Eclipse plugin to navigate through a library of artefacts
• You can connect to remote S&D artefact repositories
• You can navigate through solutions for specific S&D properties
• And you can search for specific S&D patterns, classes…
• And security experts can edit S&D artefacts
The whole process. Revisited
(Figure: SRF, Executable Component implementing an S&D Pattern, Serenity-aware Application, Monitoring Service; the question mark marks the missing piece between the application and the SRF: the SERENITY API for application developers, currently developed for Java)
A simplified example
• This test application just requests an S&D pattern for authentication and uses it
(Sequence figure: My Serenity Application, confidentiality.uma.es, myEC, mySRF, SRF, with the call sendConf())
    mySRF = SRF_AP_AccessPoint(localhost);
    myEC = new SerenityExecutableComponent_AP(
        mySRF,
        "P:confidentiality.uma.es",
        parameters
    );
    myEC.callOperation("sendConf", parameters);
Java package for applications
(Class diagram “SERENITY-application Support Library”: the Application uses SRF_AP_AccessPoint (+ requestSolution() : EcHandler) and SerenityExecutableComponent_AP (+ callOperation(oper, inParam, outParam) : void), which create and point to an EcHandler; on the other side sit the SRF (S&DManager, SRFRequests) and Executable Component A (process, ECaccessPoint))
Creation of Secure Applications
An example: the codepackage SERENITY-application;
importserenity.app.*;
public class mySERENITYapplication{// I connect to a SRF hosted on localhostSRF_AP_AccessPointmySRF = newSRF_AP_AccessPoint(localhost);
// I am going to use an executableComponentSerenityExecutableComponent_APconfidentialitySolution;
// Param for the SDRequestSerenitySolutionParametersListsParametersList = new SerenitySolutionParametersList();// Param for the pattern functionallitySerenityOperationParametersListoperationParameters= new SerenityOperationParametersList();// C: for a S&DClass// P: for a S&DPattern// I: for a S&DImplementationString solutionName = “P:confidentiality.uma.es” public static void main() {
...// I am going to create the executableComponent access point object
sParametertsList.addParam(“target_IP”,”127.0.0.1”);confidentialitySolution = newSerenityExecutableComponent_AP(mySRF, solutionName, sParametersList);
...// I am going to access one of the S&DClass interface operationsoperationParameters.addParam(“Message”,”Hello world”);confidentialitySolution.callOperation(“sendConfidential”, operationParameters);
...}}
Creation of Secure Applications
Considerations
• The API encapsulates the use of ECHandlers
  – The ECHandler is used by the executableComponent_AP
  – It is possible to use ECHandlers directly
• How do developers know the S&D pattern’s interface?
  – This information is part of the pattern definition retrieved from the development time library
  – Using a Serenity enabled IDE will help to develop the application by presenting the list of appropriate calls (a kind of auto-completion), given the fact that S&D artefacts are machine readable.
Tools and documentation available at: http://www.serenity-project.org/
Advantages of the SERENITY approach
• Applications become independent of the implementation of the security solutions they need
• Applications become responsive to changes of the context
• The library of solutions is ever growing and continuously reviewed, without the need to revise the application
• It is possible to verify that applications comply with the applicable security policies
• It enhances the process of security engineering, by promoting the separation of duties between security specialists and application developers
• It helps in managing threats, since the focus is on the properties, not on the threats themselves
• Property + Context => Threats (it allows non security experts to identify new threats)