identifying security aspects in early development stages · 38 copyright 2008 fujitsu limited...
TRANSCRIPT
Copyright 2008 FUJITSU LIMITED
Identifying Security Aspects in Early Development Stages
March 5th, 2008*Takao OKUBO†‡ Hidehiko TANAKA‡
†Fujitsu Laboratories ltd.‡Institute of Information Security
Japan
Copyright 2008 FUJITSU LIMITED1
Table of ContentsTable of Contents1. Motivation
Why aspect?
2. Related works3. Proposed approach
Identifying security aspects in early stages
4. Evaluation5. Summary
Copyright 2008 FUJITSU LIMITED2
1.Motivation1.Motivation
Copyright 2008 FUJITSU LIMITED3
BackgroundsBackgroundsProblems with software security
Insufficient security expertiseThe root of all evil
Low Security coverage⇒ Vulnerability
Low maintainability/reusability⇒ Development cost escalation
Copyright 2008 FUJITSU LIMITED4
–AOSD- A Possible Solution–AOSD- A Possible Solution
AOSD (Aspect-Oriented Software Development) -Suitable for Non-functional Requirements (NFR)⇒Silver bullet?
Our research: Attempts to verify the assumption
Copyright 2008 FUJITSU LIMITED5
Aspect-Oriented Programming (AOP)Aspect-Oriented Programming (AOP)
Program(Concern A)
Aspect(Concern B)
•Crosscutting concern/Dependency Injection (DI)A concern (aspect) is injected into other concerns (programs)
•Modularity, Coverage, Reusability
dependency
Copyright 2008 FUJITSU LIMITED6
Ideal World with Aspects(1)Ideal World with Aspects(1)
Programs (except Security)
General Developer Security Experts
Aspects (Security)
dependency
Solution for Security Expertise Issues
Implements Functions
except Security
Implements Only
Security
Copyright 2008 FUJITSU LIMITED7
Issues with AOPIssues with AOPAdd Security Aspects for Completed Web Server
Programs Forceful BrowsingSession Attacks
Issues with Coverage and ReusabilityLow Detection Accuracy
←ad-hoc, implementation Low Reusability
←dependent on specific codes
Copyright 2008 FUJITSU LIMITED8
Our GoalOur GoalAspects should be analyzed, and designed in
earlier development stages
Today’s presentationAnalysis methods
How to identify security requirementsHow to achieve sufficient security coverage• For finding pointcut-candidate
Copyright 2008 FUJITSU LIMITED9
2.Related Works2.Related Works
Copyright 2008 FUJITSU LIMITED10
Eliciting Security RequirementsEliciting Security Requirements
Threat modeling (Microsoft)A famous threat analysis methodPrecise analysis with DFD
Much cost neededArchitecture must be detailed
Unexpressed attackersDifficult to identify threats caused by various types of attackers
Copyright 2008 FUJITSU LIMITED11
Analyzing AspectsAnalyzing AspectsI.Jacobson and P.Ng, ”Aspect-oriented software development with UML”, Addison-Wesley, 2004.S.Clarke and E.Baniassad, ”Aspect-oriented analysis and design”, Addison-Wesley, 2005.
Methods for identifying aspectsInsufficient reference to:
How to identify enough security concernsSecurity coverage of aspects (All the threats must be covered)
Copyright 2008 FUJITSU LIMITED12
Misuse Case ([Sindre00])Misuse Case ([Sindre00])
Security Measure
Mis-actor
Misuse Case
Figure from [Sindre00]
Copyright 2008 FUJITSU LIMITED13
Advantages of Misuse CasesAdvantages of Misuse Cases
Visualized analysisUML-style diagramEasy to understand
Correspondence between threats and measuresSecurity measures for aspect-candidates
Copyright 2008 FUJITSU LIMITED14
Issues of Misuse CasesIssues of Misuse CasesSecurity expertise required for eliciting mis-actors & misuse cases
Data assets unexpressedDifferent types of mis-actor unexpressed
Difficulty for designing aspectsSpecifying crosscutting points (Pointcuts)Coverage
Copyright 2008 FUJITSU LIMITED15
3.Proposed Approach3.Proposed Approach
Copyright 2008 FUJITSU LIMITED16
Proposed ApproachProposed ApproachExtension of misuse cases
Mis-actor type extension Data asset extensionMisuse case endpoint extension
Procedure of identifying aspects and pointcuts
Copyright 2008 FUJITSU LIMITED17
Mis-actor Type ExtensionMis-actor Type Extension
(c) Mis-Actor(same person as the actor)
(b) Authorized Mis-actor (another person)(a) Unauthorized
Mis-actor
Actor
Use cases
Copyright 2008 FUJITSU LIMITED18
Data Asset ExtensionData Asset ExtensionData asset description⇒Data-oriented threat analysis
<<A>>Use Case
<<C>>Data Asset
Data Flow Direction
CIA attributes can be set to assets
Copyright 2008 FUJITSU LIMITED19
Endpoint ExtensionEndpoint Extension3 Types of Endpoint
Use caseActor(client)Channel(ex. network)
Use Case
Misuse case
Channel
Actor
Use case
Copyright 2008 FUJITSU LIMITED20
Procedure in an Analysis StageProcedure in an Analysis Stage
1. Describe use cases2. Add data assets3. Identify threats
Adding mis-actors and misuse cases4. Identify security measures
Adding measure use cases5. Identify aspects and pointcuts
Copyright 2008 FUJITSU LIMITED21
Identifying AspectsIdentifying Aspects1. Integrate the same kind of threats2. Integrate the same kind of measures
⇒Aspects3. Identify pointcuts
Copyright 2008 FUJITSU LIMITED22
Integration of Misuse CasesIntegration of Misuse Cases
Search Products
Buy Products
Refer User Info.
Abuse
Abuse
Authentication
Integrate Misuse cases
Integrate Measures
prevents
prevents
Copyright 2008 FUJITSU LIMITED23
Identifying PointcutsIdentifying Pointcuts
Search Products
Buy Products
Refer User Info.
Authentication
Pointcut
Copyright 2008 FUJITSU LIMITED24
Specifying PointcutsSpecifying PointcutsSpecify the timing that the measure must be injected
Before (the use case is executed)• Authentication
Around• Encryption
After• Logoff
Not specified
Copyright 2008 FUJITSU LIMITED25
4.Evaluation4.Evaluation
Copyright 2008 FUJITSU LIMITED26
Use Case
Actor
Tamper MITMenables
Expressiveness(1)Expressiveness(1)
Original Misuse Cases
Copyright 2008 FUJITSU LIMITED27
Use Case
Actor <<C>><<I>>Data
TamperTamper
Tamper
Spoofenables
XSSenables
MITMenables
CSRF
enables
Expressiveness(2)Expressiveness(2)Extended
Misuse Cases
Copyright 2008 FUJITSU LIMITED28
CoverageCoverageApplication to web systems
Typical threats & measures can be identified (Including Vulnerability with Programming)
Injection attacksXSSCSRF
Aspects & pointcuts can be specified(at the use case level)
Copyright 2008 FUJITSU LIMITED29
5.Conclusion5.Conclusion
Copyright 2008 FUJITSU LIMITED30
ConclusionConclusionAspect may be good for security
not ad-hoc AOP.Analysis in early stages needed
Security requirements (aspects) identification with extending misuse cases
For easier threat-identificationClarified correspondence between threats and measuresMethods for identifying crosscutting points
Application to the web domainThreats at programming are predictableAble to patterning in the web domain
Copyright 2008 FUJITSU LIMITED31
Future WorksFuture WorksSecurity framework with aspects
UML+Java+AspectJ
Developing security patternsSecurity analysis patternsSecurity design patterns
Copyright 2008 FUJITSU LIMITED32
Copyright 2008 FUJITSU LIMITED33
Ideal World with Aspects(2)Ideal World with Aspects(2)
Programs
Security Aspects
dependency
Coverage
Security is Injected into All the Places where it is needed
Copyright 2008 FUJITSU LIMITED34
Ideal World with Aspects(3)Ideal World with Aspects(3)
Program A(existing)
Aspect A(existing)
Reusability
Program B (new)
Aspect can be reused for building a new
program
Copyright 2008 FUJITSU LIMITED35
Requirements in the Analysis StageRequirements in the Analysis Stage
All the potential threats must be identifiedSecurity measures (aspects) must be identified for all the threatsPointcut-candidates must be specified
Copyright 2008 FUJITSU LIMITED36
Designing Security Aspects(1)Designing Security Aspects(1)
•Designing and Maintain Crosscutting Points(for Coverage and Reusability)
Authentication
Handle Confidential data
Copyright 2008 FUJITSU LIMITED37
Designing Security Aspects(2)Designing Security Aspects(2)
Automatic Code Generationfor More Coverage & ReusabilityDeveloping Security Design Pattern
Copyright 2008 FUJITSU LIMITED38
Backgrounds of BackgroundsBackgrounds of Backgrounds
Need for Programming Control
“Only necessary to use that library?”“Only to program in that manner?”
Why Analysis/Design/Testing is important?Persons Make ProgramsProgrammers obtain freedom and powerMost users are not the programmers