Information Assurance in a World of Model Driven Architecture and Service Oriented Architecture UC San Diego CSE 294 May 30, 2008 Barry Demchak



Motivation

Large scale applications have many stakeholders with diverse needs

[Diagram: MDA and SOA in relation to the Application (enables / models / organizes). SOA side: Loose Coupling, Late Binding, Scalability, Composition, Interoperability, Testability, Malleability, Manageability, Dependability, Incremental development. MDA side: Multilevel modeling (…UML), Alignment fidelity, NO GAPS.]

Motivation

Common concern is Information Assurance: reliable information delivery to intended parties under appropriate circumstances

[Diagram: the same MDA / SOA / Application relationship, with IA added: IA needs, models and organizes alongside MDA and SOA.]

Outline

- Motivation
- Background
- Problem and Strategy
- Related Techniques and Analysis
- Potential Research Problems
- Conclusion

Information Assurance

- Availability and integrity
- Confidentiality and non-repudiation
- Use by proper parties under proper circumstances

Consequence: a large scale system with many stakeholders may become impaired or dangerous if IA is impaired or missing

Information Assurance (cont’d)

Subproblems: Security, Policy, Governance, Data Quality, Digital Rights Management, …
Parties: User agents, Data sources, Data intermediaries
Applications: e-Commerce, All commerce, HIPAA, SOX, DoD

Authentication and Authorization Infrastructure (AAI)

[Diagram: AAI components and flow: Authentication, Attributes, Policy, Decision(s), Enforcement, Enactment.]

Authentication Authorization Infrastructure

Allow access to a resource based on characteristics of requestor and action requested

[Diagram, three variants: a Subject requests an Action on a Resource; Attributes and Policy govern the decision; an ID Provider and a Repository supply identity and attributes; a Virtual Organization spans domains; identity is carried as a PKI Certificate (x.509 or SAML).]

- Trust
- PDP/PEP
- RBAC & Administrative Domains
- Policy
- Separation of Duties
- Separation of Concerns

Authentication Authorization Infrastructure

Grid Systems – “the grid problem”
Campus/Enterprise Systems
Web Services – “the web problem”

[Diagram (grid systems): Users reach Resources and Sub-resources, each governed by Policy, through a portal w/SSO; delegation and policy evaluation across resources; Attributes and Virtual Organizations (Groups, Roles, Policy) come from a Repository.]

Authentication Authorization Infrastructure

Grid Systems – “the grid problem”
Campus/Enterprise Systems
Web Services – “the web problem”

[Diagram (campus/enterprise systems): Users access Web Pages and Resources over Browser/HTTP; policy evaluation per resource and sub-resource; Shibboleth Identity Provider and Shibboleth Attribute Authority; Virtual Organizations (Grouper) supply Groups, Roles, Policy.]

Authentication Authorization Infrastructure

Grid Systems – “the grid problem”
Campus/Enterprise Systems
Web Services – “the web problem”

[Diagram (web services): Users access a Web Service and its Resources and Sub-resources over HTTP/SOAP; policy evaluation per resource; Identity Provider, UDDI/WSDL, Access Database; delegation to further Resources.]

Model of Hypothetical Unified AAI

[Diagram: ID Providers, Attribute Authorities, Virtual Organizations, Resources, Policies; Model of AAI PEP.]

SOA Benefits for IA

- Crosscutting Concerns
- Interoperability and Reuse
- Understandability and Maintainability
- Configurability at lower risk
- Attack detection, secure logging, QOS, performance monitoring, alert generation …
- Hierarchical testability and validation
- Leverage standards: WS-*, DoD, IBM, HP, etc

Model Driven Architecture

- Approach that can produce SOAs
- Fidelity of alignment between user requirements and application
- Multilevel modeling (…UML)
- Transformations between models … bidirectional
- NO GAPS

[Diagram: CIM → PIM → PSM (Computation Independent Model, Platform Independent Model, Platform Specific Model), spanning Business Processes, Requirements and Executable Application; Rich Services CIM/PIM Process; End-to-End Alignment, No Gaps.]

Complementary to SOA
- Roles
- Interactions
- Separation of logical and deployment models
- Supports hierarchical development

Agility, Completeness, Scalability


The Problem

Using existing MDA approaches, it is hard to:
- Capture non-functional AAI requirements
- Model AAI in one or multiple models
- Validate AAI-provisioned models
- Understand effect on deployment models

Strategy

- Discover and model non-functional requirements (NFRs): Trust relationships, Attributes, Security constraints, Policies, Credential Delegations
- Validate models
- Generate code and deliverables (when possible)
- Maintain end-to-end alignment with no gaps

Strategy

[Diagram: Discover NFRs → Model NFRs → Validate Models → Deployment.]


Analysis of Related Techniques

- Non-functional Requirements (NFRs)
- Trust Management
- Constraint Modeling
- Quality Assurance
- Policy Management

Non-functional Requirements

Cysneiros
- Notional and behavioral statements for user-determined symbols
- Generate dependency graphs used to discover operational requirements

Sindre
- Discovers unwanted behaviors (misuse cases)
- Identify triggers, assumptions, preconditions, postconditions, threats, mitigations, and risks

Alexander
- Augments UML use case diagrams with negative actors and relationships (threatens, mitigates, aggravates, conflicts with)

Non-functional Requirements

Pros
- Discover trust, entitlement, VOs, decision points, SoAs, security goals, threats
- Define requirements matching risks and costs
- Leads to prioritization of security goals

Cons
- Don’t leverage collaboration techniques
- Highly manual
- Don’t leverage ontologies

Trust Management

Giorgini
- Creates privilege and trust model using Secure Tropos; the tool identifies:
  - Actors and goals
  - Service exchanges between actors
  - Actors who trust other actors or own services
  - Actors who delegate permission to others
- Validates model (completeness/consistency)
- Generates policies

Pros
- High abstraction level
- Produces actionable policies

Cons
- Not integrated with UML
- Isn’t aware of VOs

Constraint Modeling

Alam
- SECTET enables annotation of UML models with security predicates and identifies security principals
- Generates policy statements directly

Satoh
- Like Alam, but models mechanisms and devices

Juerjens
- Annotates like Alam, but generates SPIN/Promela proofs directly

Burt
- Identifies policy-governed relationships in UML models … separating policy authorship from functional modeling

Constraint Modeling

Pros
- Modeling is performed at high level of abstraction
- Covers high level and low level relationships
- Clear separation between modeling and deployment

Cons
- Limited delegation and separation of duty support
- Unaware of administrative domains (VOs)
- Unaware of distributed systems and policy distribution concerns

Quality Assurance

Wang
- Leverages threat-oriented UML sequence diagrams (SDs) to generate threat traces
- Searches execution traces for threats realized

Krüger
- Leverages normal model Message Sequence Charts (MSCs) to monitor runtime message sequences

Pros
- UML models are leveraged directly for validation
- Wang explicitly models threat scenarios

Cons
- SDs and MSCs likely to be incomplete
- Wang threat trace searching done offline
- Detect flow anomalies but not unauthorized access

Policy Management

Dulay
- General purpose policy deployment and execution model
- Agnostic to policy language or type
- Updates, enables, disables policies in distributed environment

Pros
- Operates in distributed environment

Cons
- Disconnect between functional modeling (PIM) and policy deployment


Potential Research Problems

Alignment
- Policy deployment based on models
- Automatic bidirectional model transitions (e.g., for use case modeling)
- Integrate independent systems (e.g., Secure Tropos) with models

Potential Research Problems

Large System Issues
- Introduce collaboration and information fusion to requirements and logical modeling stages
- Introduce policy distribution into constraint modeling
- Integrate VO repositories into modeling
- Model incomplete trust

Potential Research Problems

Policy Issues
- Study relationship between policy authorship and functional modeling
- Policy enables exogenous application development
- Policy amounts to late-bound coding
- How to make system guarantees and validations?
- What are limits of policy and when should/shouldn’t they be used?
- How does author visualize effects of policy execution and arrange consistent deployment?

Conclusion

We discussed
- AAI, MDA, and SOA and related them
- AAI vis-à-vis large organizations with multiple domains in a hostile environment
- Modeling AAI concerns end-to-end
- Potential research issues: alignment, large systems, and policy

We believe improvements to MDA can facilitate delivering AAI applications as SOAs, and there are real benefits to doing so

References

L. Cysneiros and J. Leite. Using UML to Reflect Non-Functional Requirements. In proceedings of the 11th Annual IBM Centers for Advanced Studies Conference (CASCON), November 2001.

G. Sindre and A. Opdahl. Eliciting Security Requirements with Misuse Cases. Requirements Engineering 10(1):34-44, 2005.

I. Alexander. Initial Industrial Experience of Misuse Cases in Trade-Off. In proceedings of the IEEE Joint International Conference on Requirements Engineering, Essen, Germany, September 2002.

N. Sukaviriya, V. Sinha, T. Ramachandra, and S. Mani. Model-Driven Approach for Managing Human Interface Design Life Cycle. Model Driven Engineering Languages and Systems. Springer-Verlag Berlin Heidelberg, 2007, pp. 226-240.

L. Wang, E. Wong, and D. Xu. A Threat Model Driven Approach for Security Testing. In proceedings of the Third International Workshop on Software Engineering for Secure Systems (SESS’07), Minneapolis, MN, May 2007.

I. H. Krüger, M. Meisinger, and M. Menarini. Runtime Verification of Interactions: From MSCs to Aspects. In RV 2007, O. Sokolsky and S. Tasiran (Eds.), LNCS vol. 4839, Vancouver, Canada. Springer-Verlag Berlin Heidelberg, Mar. 2007, pp. 63-74.

M. Alam, R. Breu, and M. Hafner. Model-Driven Security Engineering for Trust Management in SECTET. Journal of Software, 2(1), 2007.

F. Satoh, Y. Nakamura, and K. Ono. Adding Authentication to Model Driven Security. In proceedings of the IEEE International Conference on Web Services, Salt Lake City, UT, July 2006.

J. Juerjens. Secure Systems Development with UML. Springer-Verlag Berlin Heidelberg, 2003.

C. Burt, B. Bryant, R. Raje, A. Olson, and M. Auguston. Model Driven Security: Unification of Authorization Models for Fine-Grain Access Control. In proceedings of the 7th IEEE International Enterprise Distributed Object Computing Conference, Brisbane, Australia, Sept. 2003.

N. Dulay, E. Lupu, M. Sloman, and N. Damianou. A Policy Deployment Model for the Ponder Language. In proceedings of the 7th IEEE/IFIP International Symposium on Integrated Network Management, Seattle, WA, May 2001.

Backup Slides


Non-functional Requirements

Cysneiros
- User-generated symbol (word) system
- Notional and behavioral statements for each symbol
- Generate dependency graphs
- Organize graphs NFR-centric to discover operational requirements

Pros
- Discover trust, entitlement, VOs, decision points, SoAs
- Improve use cases and logical models

Cons
- Highly manual, doesn’t leverage ontologies, doesn’t scale to large collaborations

Non-functional Requirements

Sindre
- Discovers unwanted behaviors (misuse cases)
- Identify triggers, assumptions, preconditions, postconditions, threats, mitigations, and risks

Pros
- Identifies critical assets, security goals, threats
- Stimulates analysis
- Define requirements matching risks and costs
- Leads to prioritization of security goals

Cons
- Can be very recursive – analysis paralysis
- Doesn’t leverage elicitation or collaboration techniques

Non-functional Requirements

Alexander
- Adds negative actors to UML use case diagrams
- Adds relationships: threatens, mitigates, aggravates, conflicts with

Pros
- Complements Sindre
- Enables less-technical contributors

Non-functional Requirements (Alexander)

Rich Services Architectural Pattern

[Figure: a <<Rich Service>> S built from a Service/DataConnector, a Messenger and a Router/Interceptor, with <<Rich Infrastructure Services>> (Policy, Encryption, Logging, Failure Manager, …) and <<Rich Application Services>> S.1, S.2, … S.n; each S.n is itself a Rich Service with its own Messenger, Router/Interceptor, infrastructure services and application services S.n.1, S.n.2, … S.n.m.]

From tightly to loosely coupled systems: a hierarchically decomposed structure supporting “horizontal” and “vertical” service integration

Rich Services – from UCSD

[Figure: the Rich Services Architectural Pattern diagram shown on the previous slide, repeated.]

RESCUE Logical Architecture

[Figure: RESCUE with a Policy System and a Logging System; the Data Feed Producer (Research Data Feed), the Visualization Tool and the Database each attach through an Authentication S/D Connector and an Obligation Processing S/D Connector; ODBC Adapter. Flow: Request + Identity Certificate (X.509 or SAML) → Request + Obligations.]

(Identity => Attributes) x Policy = [Decision, Obligations]

Identity Federation

[Diagram: Web Servers (N, S, E, W) and their Identification Providers linked by a Trust Relationship.]

- Authenticated on one server, trusted on others
- Standards-based information exchange (SSL, HTTP, SAML, …)
- Result: portable identity

Security Attribute Markup Language

- XML framework for marshaling security and identity information
- Wraps existing security technologies (e.g., XACML)
- Describes assertions about subjects
- Bindings for SOAP, HTTP redirect, HTTP POST, HTTP artifact, URI
- Is not a crypto technology, assertion maintenance protocol, data format, etc.

SAML Assertion

Example: Alice can read finance database

SAML Assertion (Query Response)

<SAMLQueryResponse>
  <RequestID>urn:random:32q4schaw983y5982q35yh98q324==
  <Assertion>
    <AssertionID>http://www.bizexchange.test/assertion/AE0221
    <Issuer>URN:dns-date:www.bizexchange.test:2001-01-03:19283
    <ValidityInterval>
      <NotBefore>
      <NotOnOrAfter>
    <Conditions>
      <Audience>http://www.bizexchange.test/rule_book.html
    <Claims>
      <Subject>
        <NameID>mailto:[email protected]
      <Object>
        <Authority>
        <Permission>Read
        <Resource>http://store.carol.test/finance
        <Role>URN:dns-date:www.bizexchange.test:2001-01-04:right:finance
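The checks a policy enforcement point runs before acting on an assertion like the one above, as an added example that is not part of the original slides: issuer trust, validity interval and audience are verified, and only then is the claim (subject, permission, resource, role) released. The element layout, the subject e-mail and the trusted-issuer set are constructed assumptions modelled on the slide's example; signature verification is assumed to have happened before these checks.

```python
"""Validate a SAML-style assertion before trusting its claim (added example;
element layout is a constructed simplification of the slide's example)."""
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample; values follow the slide, the subject e-mail is made up.
ASSERTION_XML = """<Assertion>
  <AssertionID>http://www.bizexchange.test/assertion/AE0221</AssertionID>
  <Issuer>URN:dns-date:www.bizexchange.test:2001-01-03:19283</Issuer>
  <ValidityInterval>
    <NotBefore>2001-01-03T00:00:00Z</NotBefore>
    <NotOnOrAfter>2001-01-04T00:00:00Z</NotOnOrAfter>
  </ValidityInterval>
  <Conditions><Audience>http://www.bizexchange.test/rule_book.html</Audience></Conditions>
  <Claims>
    <Subject><NameID>mailto:alice@example.test</NameID></Subject>
    <Object>
      <Permission>Read</Permission>
      <Resource>http://store.carol.test/finance</Resource>
      <Role>URN:dns-date:www.bizexchange.test:2001-01-04:right:finance</Role>
    </Object>
  </Claims>
</Assertion>
"""

# Assumed trust configuration of the relying party (the PEP).
TRUSTED_ISSUERS = {"URN:dns-date:www.bizexchange.test:2001-01-03:19283"}
MY_AUDIENCE = "http://www.bizexchange.test/rule_book.html"


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def validate_assertion(xml_text, now_text, audience=MY_AUDIENCE,
                       trusted=TRUSTED_ISSUERS):
    """Return (ok, reason, claim); the claim is released only if every check
    passes. Signature verification is assumed to have been done beforehand."""
    root = ET.fromstring(xml_text)
    if root.findtext("Issuer") not in trusted:
        return False, "untrusted issuer", None
    now = _ts(now_text)
    not_before = _ts(root.findtext("ValidityInterval/NotBefore"))
    not_on_or_after = _ts(root.findtext("ValidityInterval/NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):  # NotOnOrAfter is exclusive
        return False, "outside validity interval", None
    if audience not in [a.text for a in root.findall("Conditions/Audience")]:
        return False, "audience mismatch", None
    claim = {"subject": root.findtext("Claims/Subject/NameID"),
             "permission": root.findtext("Claims/Object/Permission"),
             "resource": root.findtext("Claims/Object/Resource"),
             "role": root.findtext("Claims/Object/Role")}
    return True, "ok", claim
```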

SAML Assertion (XACML embedded)

<TBS-POLICY-QueryResponse>
  <RequestID>urn:random:zwos43i55098w4tawo3i5j09q==
  <Assertion>
    <AssertionID>http://policy.carol.test/assertion/
    <Issuer>URN:dns-date:policy.carol.test:2001-03-03:1204
    <ValidityInterval>
      <NotBefore>
      <NotOnOrAfter>
    <Claim>
      <Policy>
        <Resources>
          <string>http://store.carol.test/finance
        <ACL>
          <ACE>
            <Subject>
              <Role>URN:dns-date:www.bizexchange.test:2001-01-04:right:finance
            <Permit>RWED
          <ACE>
            <Deny>ED
            <Subject>
              <Right>URN:dns-date:www.bizexchange.test:2001-01-04:right:ops
            <Permit>R
          <ACE>
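The decision step that the RESCUE Logical Architecture backup slide writes as (Identity => Attributes) x Policy = [Decision, Obligations], as an added example that is not part of the original slides, applied to the ACL above: the finance role is permitted RWED, the ops right is permitted R and denied ED. The identity-to-attribute directory, the obligation names, deny-overrides combining and the reading of RWED as read/write/execute/delete are constructed assumptions.

```python
"""Policy decision in the form (Identity => Attributes) x Policy = [Decision, Obligations].

Added example: the policy mirrors the ACL in the XACML-embedded assertion above.
Identity directory, obligation names and deny-overrides combining are assumptions."""

FINANCE = "URN:dns-date:www.bizexchange.test:2001-01-04:right:finance"
OPS = "URN:dns-date:www.bizexchange.test:2001-01-04:right:ops"
WRITE_LIKE = ("W", "E", "D")  # RWED assumed to mean read/write/execute/delete

# Policy: one ACL per resource, each ACE as in the slide.
POLICY = {
    "http://store.carol.test/finance": [
        {"subject": FINANCE, "permit": set("RWED"), "deny": set()},
        {"subject": OPS, "permit": set("R"), "deny": set("ED")},
    ],
}

# Attribute authority: Identity => Attributes (constructed sample directory).
ATTRIBUTES = {
    "mailto:alice@example.test": {FINANCE},
    "mailto:bob@example.test": {OPS},
}


def decide(identity, resource, action, policy=POLICY, attrs=ATTRIBUTES):
    """Return (decision, obligations) for one request.

    Only ACEs whose subject matches one of the requester's attributes count;
    deny overrides permit, and no matching ACE means Deny (default-deny), so an
    unknown identity, resource or action never gets access."""
    subject_attrs = attrs.get(identity, set())
    permitted = denied = False
    for ace in policy.get(resource, []):
        if ace["subject"] not in subject_attrs:
            continue
        denied = denied or action in ace["deny"]
        permitted = permitted or action in ace["permit"]
    decision = "Permit" if permitted and not denied else "Deny"
    # Obligations travel with the decision to the PEP ("Request + Obligations"):
    # every decision is logged; a refused write-like action is additionally audited.
    obligations = ["log-access"]
    if decision == "Deny" and action in WRITE_LIKE:
        obligations.append("audit-denial")
    return decision, obligations
```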

Web Browser Password Access

[Sequence diagram. Participants: Principal (P), Credentials Collector (CC), Authentication Authority (Verifier) (AuA.v), Authentication Authority (Assertions) (AuA.a), Authorization Authority (AtA), Policy Decision Point (PDP), Policy Enforcement Point (PEP); lanes Alice, BizEx, StoreSite. Messages in order: get(); credentials; authenticate(c:credentials); Assertion Stored; t:ticket, r:redirect; get(t:ticket, x:resource); queryAssertion(t.i:assertionID); assertion; check(a:assertion, x:resource); decision; resource. Annotations: redirect, pull.]

[Diagram: Shibboleth Application with Policy Decision/Enforcement Point; steps Bind Roles, Encrypt, Establish Identity, Enforce Policy; integrates Existing Kerberos, AD, etc; Java on Tomcat/Apache, C++ on Apache or IIS; HTTP headers.]

Patterns

Composite Pattern – Hierarchy (Vertical Integration)
[Diagram: Service 1 → Service 1.1, Service 1.2, Service 1.3 → Service 1.3.1, Service 1.3.2; Service 2 → Service 2.1, Service 2.2]

Interceptor Pattern
[Diagram: Interceptor Service]

Message Pattern – Loose Coupling (Horizontal Integration)

Rich Services (UCSD)

Services and SOA

- Loose Coupling
- Late Binding
- Scalability
- Composition
- Interoperability
- Testability
- Malleability
- Manageability
- Dependability
- Incremental development

[Diagram: Producer → Database: StoreData(xxx) / OK, over Time; the same exchange with a Message Bus between Producer and Database. Deployment options: Network Implementation; Single Server, Multiple Processes; Single Application, Linked Modules; Logical Deployment.]