model-based security engineering - uni koblenz-landau · model-based security engineering jan...
TRANSCRIPT
![Page 1: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/1.jpg)
Model-based Security Engineering
Jan Jürjens
TU Dortmund & Fraunhofer ISST
Dortmund, Germany
![Page 2: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/2.jpg)
Secure IT-Systems
Today IT-systems pervade almost all aspects of human life. At the same time, IT-
systems become more open and therefore more vulnerable.
A lot of successful academic research has been done on foundations for secure
systems. Some milestones:
• Saltzer, Schroeder: Protection of Information in Computer Systems, 1975
• Gasser: Building a Secure Computer System, 1988
• Burrows, Abadi, Needham: A Logic for authentication, 1989
• Gasser, Goldstein, Kaufman, Lampson: The Digital Distributed System
Security Architecture, 1989
• Ross Anderson: Security Engineering, 2001
Unfortunately, despite this successful research, today’s systems still often do not
satisfy the increasing expectations on their security requirements - ...
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 2
![Page 3: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/3.jpg)
Problems
„Blind“ use of mechanisms:
• Security often compromised
by circumventing (rather than
breaking) them.
• Assumptions on system context,
physical environment.
„Those who think that their problem can be solved by simply
applying cryptography don`t understand cryptography and
don`t understand their problem“ (R. Needham).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 3
![Page 4: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/4.jpg)
Problem: Security is Elusive
• Classical weakness in old Unix systems:
“wrong password” message at first wrong
letter in password. Using timing attack,
reduce password space from 26^n
to 26*n (n = password length)
• More recent weakness on smart-card: reconstruct
secret key by timed measurement of power
consumption during crypto operations
Difficult to find such weaknesses using classical
testing.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 4
![Page 5: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/5.jpg)
Special Problem: Crypto
• Cryptography plays important role in many security-
critical applications
• By definition, needs to be secure against brute-force
attacks
Paradox: How do you get sufficient test coverage (for
inputs accessible to a given attacker) of a system that
needs to be secure against brute-force attacks on
that input ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 5
![Page 6: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/6.jpg)
„An expansive view of the problem is most appropriate
to help ensure that no gaps appear in the strategy“
(Saltzer, Schroeder 1975). But „no complete method
applicable to the construction of large general-
purpose systems exists yet“.
Goal: Integrate well-founded approaches for security
analysis and design into practically usable (and used)
software engineering.
This lecture: Holistic view on Security
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 6
![Page 7: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/7.jpg)
Model-based Development
Idea: Build on model-based software development.
General goal: facilitate transition
from human ideas to executed
systems.
Increase quality with bounded
time-to-market and cost.
Requirements
Models
Code
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 7
![Page 8: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/8.jpg)
Security Engineering
Increase security with bounded
investment in time, costs
(crucial for industry). Idea:
• Extract models from artefacts arising in industrial
development and use of security-critical systems (UML
models, source code, configuration data).
Tool-supported theoretically sound efficient automated
security analysis.
Model-based Security Engineering
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 8
![Page 9: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/9.jpg)
Model-based Security Engineering with UMLsec
UMLsec Models
Security Requirements
Code
Inte-
grate
Code-/
Testgen. Reverse Engin.
Analyse
Configuration Data Generate
Verify
Runtime System
Configure
Execute
Evolution
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 9
![Page 10: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/10.jpg)
Goal: Security by design
Consider security
• from early on
• within development context
• taking an expansive view
• in a seamless way.
Secure design by model analysis.
Secure implementation by test generation.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 10
![Page 11: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/11.jpg)
Critical System Lifecycle
Requirements
and use cases
Abuse
cases
Critical
requirements
Risk
analysis
External
review
Design Test
plans
Code Test
results Field
feedback
Risk-based
tests
Static
analysis
(tools) Risk
analysis
System
Monitoring
System
breaks
[McGraw 2003]
Model-based Security Engineering
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 11
![Page 12: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/12.jpg)
Requirements
and use cases Design Test
plans Code Test
results
Field
feedback
Models
Requirements
Code
Inte-
grate
Code-/
Testgen. Reverse Engin.
Analyse
Configuration Data Generate
Verify
Runtime System
Configure
Execute
Evolution
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 12
Goal: Integrated Approach
![Page 13: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/13.jpg)
Architectural Layers
Models
Configurations
Code
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 13
![Page 14: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/14.jpg)
Why UML ?
Seemingly de-facto standard in industrial modeling.
Large number of developers trained in UML.
Relatively precisely defined (given the user community).
Many tools in development (also for code-generation,
testing, reverse engineering, simulation,
transformation).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 14
![Page 15: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/15.jpg)
Using UML
Goal: transport results from formal methods to security
practice
Enable developers (not trained in formal methods) to
• check correctness of security designs
• deploy security mechanisms correctly in system
context
• allow to analyze larger system parts beyond crypto-
protocols
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 15
![Page 16: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/16.jpg)
UMLsec: Goals
Extension for secure systems development.
• evaluate UML specifications for weaknesses in
design
• encapsulate established rules of prudent
secure engineering as checklist
• make available to developers not
specialized in secure systems
• consider security requirements from early
design phases, in system context
• make certification cost-effective
Jan Jürjens: Secure systems development with UML. Springer 2005. Chines. transl. 2009
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 16
![Page 17: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/17.jpg)
UMLsec: How
Recurring security requirements, adversary scenarios,
concepts offered as stereotypes with tags on
component-level.
Use associated constraints to verify specifications using
automated theorem provers and indicate possible
weaknesses.
Ensures that UML specification provides desired level of
security requirements.
Link to code via round-trip engineering etc.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 17
![Page 18: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/18.jpg)
Security Requirements Engineering
Aims:
• Identify security requirements within the requirements elicitation.
Idea: “Requirements Mining” in security standards (e.g. Common Criteria) resp.
in the given specification document
Validation example: IPTV Standard of Eur. Telecom. Stand. Inst. (ETSI)
[CAISE '06, Requirem. Engin. Jour. '10, Journ. Softw. & Systems Modeling '10]
UML Models
Requirements
Code
Configuration
Runtime system
![Page 19: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/19.jpg)
Modeling with UMLsec
Aim:
• Documentation and automated analysis of security-relevant information (e.g.
security properties and requirements)
as part of the system specification.
Idea:
• UML for system modeling.
• Insert security-relevant information as stereotypes
provided by UML-extension UMLsec.
• Formal semantics based on stream-processing
functions as a foundation for verification.
[FASE 01, UML 02]
[Jour. Logic & Algebr. Program. '08]
UML Models
Requirements
Code
Configuration
Runtime system
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 19
![Page 20: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/20.jpg)
Model-based
Security Analysis
Aim:
• Automated analysis of the system models against the specified security
requirements.
Idea:
• Automated generation of logical formulas in first- order
logic (or LTL, ...) based on formal semantics
for security analysis. Transfer to the automatic
theorem prover (or modelchecker/...)).
[ICSE 05, ICSE 06]
UML Models
Requirements
Code
Configuration
Runtime system
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 20
![Page 21: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/21.jpg)
Model-based Security Testing
Problems with using conformance-tests for security:
• In general, complete test coverage impracticable.
• Finds only attacks which are visible on the model level.
Idea: Mutation-testing.
• Focus on critical test cases
• Finds also weaknesses which are not visible on the model level.
Validation: Common Electronic Purse Specifications.
Detected several weaknesses.
Program
Test case Program behavior
Verification
Execute Generate
test case
Model
Test execution
UML Models
Requirements
Code
Configuration
Runtime system
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 21
![Page 22: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/22.jpg)
Static Program Analysis
Problem: Correct use of cryptography is inherently difficult to
test: sufficient test coverage amounts to brute-force attack.
Idea: Automated, formal static program analysis of correct
cryptographic function calls (with ATP for FOL).
Validation: Java Secure Sockets Extension (JSSE).
Current project Csec:
C code analysis.
22
p
q g
[ICSM 05, ASE 05, ASE 06]
UML Models
Requirements
Code
Configuration
Runtime system
![Page 23: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/23.jpg)
Security Analysis of Configuration Data
Aim: Verification if security policies are enforced by user
permissions. Not feasible manually:
• Large amount of data (e.g. 60.000 permissions)
• Complex relations between permissions (e.g. delegation)
Idea: Automated analysis of business process models
against user permissions, as well as user permissions
against security policy models.
Current project (Fraunhofer Attract): Architecture for
auditable business process execution (Apex).
[ICSE '08]
[FASE '08]
UML Models
Requirements
Code
Configuration
Runtime system
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 23
![Page 24: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/24.jpg)
Run-time Security Verification
General problem: Are verified implementations still secure in the system context ?
Does the static system model consider all relevant aspects ?
Are the assumptions about the system environment correct ?
Are the necessary abstractions for a static verification valid ?
Solution: Run-time verification.
Classic approach: Fred Schneider's Security Automata (only safety properties).
New approach with 3-valued semantic for LTL: also non-safety properties.
Validation with different versions Java Secure Sockets Extension.
[Jour. Computers & Security '10, Computer Journal '10] t
Property fulfilled?
Actions
System
Property
Monitor
automatic generation of
Runtime verification in a nutshell
[Diss. A. Bauer]
UML Models
Requirements
Code
Configuration
Runtime system
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 24
![Page 25: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/25.jpg)
Tool support
[UML 04, FASE 05,
Jour. Softw. Tools &
Techn. Transf.
(STTT) 07]
UML Models
Requirements
Code
Configuration
Runtime system
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 25
![Page 26: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/26.jpg)
Tool Support (s. http://carisma.umlsec.de)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 26
![Page 27: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/27.jpg)
Example:
Biometric
authentication
system in industrial
development.
Secure ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 27
![Page 28: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/28.jpg)
Challenges
• Adapt UML to critical system application domains.
• Correct use of UML in the application domains.
• Conflict between flexibility and unambiguity in the meaning of a notation.
• Improving tool-support for critical systems development with UML.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 28
![Page 29: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/29.jpg)
Some Open Problems
Secure systems out of (in)secure mechanisms.
Security as pervasive property: vs. dependability, program
analysis, formal methods, software engineering, programming
languages, compilers, computer architectures, operating
systems, reactive systems, …, …
Problem: no integration / coherence.
How to put all this stuff together in a water-tight way
within security engineering approach ?
Necessary for security (attacks on boundaries between
views / aspects / levels …).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 29
![Page 30: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/30.jpg)
Roadmap
1. Motivation and Overview
2. Specifying Security with UMLsec
3. Security Architectures
4. Cryptographic Protocols
5. Formal Security Analysis, General Results
6. Models versus Code
7. Run-time Verification
8. Software Evolution
9. Electronic Purses, Biometric Authentication
10.Other Applications
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 30
![Page 31: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/31.jpg)
UML
Unified Modeling Language (UML):
• visual modelling for OO systems
• different views on a system
• high degree of abstraction possible
• de-facto industry standard (OMG)
• standard extension mechanisms
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 31
![Page 32: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/32.jpg)
A Glimpse at UML
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 32
![Page 33: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/33.jpg)
Used Fragment of UML
Use case diagram: discuss requirements of the system
Class diagram: data structure of the system
Statechart diagram: dynamic component behaviour
Activity diagram: flow of control between components
Sequence diagram: interaction by message exchange
Deployment diagram: physical environment
Package/Subsystem: collect diagrams for system part
Current: UML 2.0 (released 2004). (In this lecture use only
fragment that was conservatively included from UML1.x.)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 33
![Page 34: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/34.jpg)
UML Run-through: Use Case Diagrams
Specify intended use cases of the system: scenarios on
the functionality offered to the user or other systems.
Actors, linked to activities.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 34
![Page 35: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/35.jpg)
UML Run-through: Class diagram
Class structure of system.
Classes with attributes and operations/signals;
relationships between classes.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 35
![Page 36: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/36.jpg)
UML Run-through: Statecharts
Dynamic behaviour of individual component.
Input events cause state change and output actions.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 36
![Page 37: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/37.jpg)
UML Run–through: Activity Diagram
Specify the control flow between components within the
system, at higher degree of abstraction than
statecharts and sequence diagrams.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 37
![Page 38: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/38.jpg)
UML Run-through: Sequence Diagram
Describe interaction between objects or components via
message exchange.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 38
![Page 39: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/39.jpg)
UML Run-through: Deployment Diagram
Describe the physical layer on which the system is to be
implemented.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 39
![Page 40: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/40.jpg)
UML Run-through: Package
May be used to organize model elements into groups.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 40
![Page 41: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/41.jpg)
UML Extension Mechanisms
Stereotype: specialize model element using <<label>>.
Tagged value: attach {tag=value} pair to stereotyped
element.
Constraint: refine semantics of stereotyped element.
Profile: gather above information.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 41
![Page 42: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/42.jpg)
Requirements on UML Extension for Security
Provide basic security requirements such as secrecy, integrity,
authenticity.
Allow considering different threat scenarios depending on adversary
strengths.
Allow including important security concepts (e.g. tamper-resistant
hardware).
Allow incorporating security mechanisms
(e.g. access control).
Provide security primitives (e.g. (a)symmetric encryption).
Allow considering underlying physical security.
Allow addressing security management (e.g. secure workflow).
Also: Include domain-specific security knowledge (Java, smart cards,
CORBA, ...).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 42
![Page 43: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/43.jpg)
UMLsec: General Ideas
Activity diagram: secure control flow, coordination
Class diagram: exchange of data
preserves security levels
Sequence diagram: security-critical interaction
Statechart diagram: security preserved
within object
Deployment diagram: physical security requirements
Package: holistic view on security
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 43
![Page 44: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/44.jpg)
UMLsec Profile (excerpt)
Stereotype Base class Tags Constraints Description
Internet link Internet connection
secure links
subsystem
dependency security
matched by links
enforces secure
communication links
secrecy dependency assumes secrecy
secure
dependency
subsystem
call, send respect
data security
structural interaction
data security
no down-flow subsystem high prevents down-flow information flow
data
security
subsystem
provides secrecy,
integrity
basic datasec
requirements
fair exchange
package
start,
stop
after start eventually
reach stop
enforce fair
exchange
guarded
access
Subsystem guarded objects acc.
through guards.
access control using
guard objects
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 44
![Page 45: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/45.jpg)
UMLsec as Integrating Formal Framework
Have formalizations of major security requirements in
one integrated notation.
Want to relate / combine requirements; get modularity /
composability, hierarchical decomposition,
refinement, … :
For example:
• If system satisfies <<secure links>> and subsystems
satisfy <<data security>> then system satisfies
<<data security>>.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 45
![Page 46: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/46.jpg)
Requirements with Use Case Diagrams
Capture security requirements
in use case diagrams.
Constraint: need to appear in corresponding activity
diagram.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 46
![Page 47: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/47.jpg)
Fair Exchange
Customer buys good from a business.
How can enforce fair exchange: After payment, customer is eventually either delivered good or able to reclaim payment (or vc.vs.).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 47
![Page 48: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/48.jpg)
<<fair exchange>>
Ensures generic fair exchange condition.
Constraint: after a {start} state in activity diagram is
reached, eventually reach {stop} state.
(Cannot be ensured for systems that an attacker can
stop completely.)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 48
![Page 49: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/49.jpg)
Example
<<fair exchange>> fulfilled
if adversary cannot stop
system: After payment,
customer is eventually
either delivered good or
able to reclaim payment.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 49
![Page 50: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/50.jpg)
<<Internet>>, <<encrypted>>, …
Kinds of communication links resp. system
nodes.
For adversary type A, stereotype s, have set
Threats (s) ∊ {delete, read, insert, access} of actions
that adversaries are capable of.
Default attacker:
Stereotype Threats ()
Internet
encrypted
LAN
smart card
{delete, read, insert}
{delete}
∅
∅
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 50
![Page 51: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/51.jpg)
Secure Architecture
Architecture secure against default adversary ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 51
![Page 52: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/52.jpg)
<<secure links>>
Ensures that physical layer meets security requirements
on communication.
Constraint: for each dependency d with stereotype s ∊
{<<secrecy>>, <<integrity>>} between components
on nodes n≠m, have a communication link l between
n and m with stereotype t such that
if s = <<secrecy>>: have read ∉ Threats (t).
if s = <<integrity>>: have insert ∉ Threats (t).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 52
![Page 53: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/53.jpg)
Example <<secure links>>
Given default adversary type, constraint
for stereotype <<secure links>> violated:
According to the Threatsdefault(Internet)
scenario, <<Internet>> link does not provide secrecy
against default adversary.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 53
![Page 54: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/54.jpg)
Secure Data Structure
Data structure secure ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 54
![Page 55: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/55.jpg)
<<secure dependency>>
Ensure that <<call>> and <<send>> dependencies
between components respect security requirements
on communicated data given by tags {secrecy},
{integrity}.
Constraint: for <<call>> or <<send>> dependency from
C to D (and similarly for {integrity}):
Msg in D is {secrecy} in C if and only if also in D.
If msg in D is {secrecy} in C, dependency stereotyped
<<secrecy>>.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 55
![Page 56: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/56.jpg)
Example <<secure dependency>>
Violates <<secure dependency>>: Random generator
and <<call>> dependency do not give security level
for random() to key generator.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 56
![Page 57: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/57.jpg)
Secure Information Flow
No partial leakage of secrets ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 57
![Page 58: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/58.jpg)
<<no down–flow>>
Enforce secure information flow.
Constraint:
Value of any data specified in {secrecy} may influence
only the values of data also specified in {secrecy}.
Formalize by referring to formal behavioural semantics.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 58
![Page 59: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/59.jpg)
Example <<no down-flow>>
<<no down–flow>> violated: partial information on input
of secret wm() returned by non-secret rx().
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 59
![Page 60: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/60.jpg)
Secure Use of Cryptography
Variant of TLS (INFOCOM`99).
Cryptoprotocol secure against default adversary ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 60
![Page 61: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/61.jpg)
<<data security>>
Security requirements of data marked <<critical>>
enforced against threat scenario from deployment
diagram.
Constraints: Data marked {secrecy}, {integrity},
{authenticity}, {fresh} fulfills respective formalized
security requirements.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 61
![Page 62: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/62.jpg)
Example <<data security>>
Variant of TLS (INFOCOM`99).
Violates {secrecy} of s against default adversary.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 62
![Page 63: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/63.jpg)
Does UMLsec Meet Requirements ?
Security requirements: <<secrecy>>,…
Threat scenarios: Use Threatsadv(ster).
Security concepts: For example <<smart card>>.
Security mechanisms: E.g. <<guarded access>>.
Security primitives: Encryption built in.
Physical security: Given in deployment diagrams.
Security management: Use activity diagrams.
Technology specific: Java, CORBA security.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 63
![Page 64: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/64.jpg)
Roadmap
1. Motivation and Overview
2. Specifying Security with UMLsec
3. Security Architectures
4. Cryptographic Protocols
5. Formal Security Analysis, General Results
6. Models versus Code
7. Run-time Verification
8. Software Evolution
9. Electronic Purses, Biometric Authentication
10.Other Applications
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 64
![Page 65: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/65.jpg)
Java Security Architecture
Originally (JDK 1.0): sandbox.
Too simplistic and restrictive.
JDK 1.2/1.3: more fine-grained security control, signing,
sealing, guarding objects, . . . )
BUT: complex, thus use is error-prone.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 65
![Page 66: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/66.jpg)
Java Security policies
Permission entries consist of:
• protection domains (i. e. URL's and keys)
• target resource (e.g. files on local machine)
• corresponding permissions (e.g. read, write,
execute)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 66
![Page 67: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/67.jpg)
Signed and Sealed Objects
Need to protect integrity of objects used as
authentication tokens or transported across JVMs.
A SignedObject contains an object and its signature.
Similarly, need confidentiality.
A SealedObject is an encrypted object.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 67
![Page 68: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/68.jpg)
Guarded Objects
java.security.GuardedObject protects access
to other objects.
• access controlled by getObject method
• invokes checkGuard method on the
java.security.Guard that is guarding
access
• If allowed: return
reference. Otherwise:
SecurityException
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 68
![Page 69: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/69.jpg)
Problem: Complexity
• Permission depends on execution context.
• In particular: multiple threads.
• Thread may cross protection domains.
• doPrivileged() overrides execution context.
• Authentication in presence of adversaries.
• Indirect granting of access with capabilities.
Which run-time objects get permission ?
Use UMLsec to find out at design time.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 69
![Page 70: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/70.jpg)
Design Process
(1) Formulate access control requirements for sensitive objects.
(2) Give guard objects with appropriate access control checks.
(3) Check that guard objects protect objects sufficiently.
(4) Check that access control is consistent with functionality.
(5) Check mobile objects are sufficiently protected.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 70
![Page 71: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/71.jpg)
Reasoning
Suppose access to resource according to Guard object
specifications granted only to objects signed with K.
Suppose all components keep secrecy of K.
Then only objects signed with K are granted access.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 71
![Page 72: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/72.jpg)
Secure Use of Java Security Arch.
Enforces security policy ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 72
![Page 73: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/73.jpg)
<<guarded access>>
Ensures that in Java, <<guarded>> classes only
accessed through {guard} classes.
Constraints:
• References of <<guarded>> objects remain secret.
• Each <<guarded>> class has {guard} class enforcing
security policy.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 73
![Page 74: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/74.jpg)
Example <<guarded access>>
<<guarded access>> fulfilled.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 74
![Page 75: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/75.jpg)
Example: Financial Application
Internet bank, Bankeasy, and financial advisor, Finance, offer
services to local user. Applets need certain Privileges (step1).
• Applets from and signed by bank read and write financial data between 1 pm
and 2 pm.
• Applets from and signed by Finance use micropayment key five times a week.
Financial Application
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 75
![Page 76: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/76.jpg)
Financial Application: Class Diagram
Sign and seal objects sent over Internet for integrity and
confidentiality.
GuardedObjects control access.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 76
![Page 77: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/77.jpg)
Financial App: Guard Objects (step 2)
timeslot true
between 1pm
and 2pm.
weeklimit true
until access
granted five
times;
incThisWeek
increments
counter.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 77
![Page 78: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/78.jpg)
Financial Application: Validation
Guard objects give sufficient protection (step 3):
UML specification for guard objects only grants
permissions implied by access permission
requirements.
Access control vs. functionality (step 4). E.g.:
If applet should get access to micropayment key
according to policy, access granted.
Mobile objects sufficiently protected (step 5) - objects
sent over Internet signed and sealed.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 78
![Page 79: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/79.jpg)
Roadmap
1. Motivation and Overview
2. Specifying Security with UMLsec
3. Security Architectures
4. Cryptographic Protocols
5. Formal Security Analysis, General Results
6. Models versus Code
7. Run-time Verification
8. Software Evolution
9. Electronic Purses, Biometric Authentication
10.Other Applications
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 79
![Page 80: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/80.jpg)
Cryptographic Protocols
Need to be able to securely determine identity of
communication partners. Threats:
• forge identifications
• replay old identifications
Need to manage keys, perform electronic transactions,
...
Use cryptographic protocols: Exchange of messages for
distributing session keys, authenticating principals
etc.
Notoriously hard to get right.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 80
![Page 81: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/81.jpg)
Encryption and Protocol Layers
Network level Ethernet, FDDI,
Token Ring, PPP
Netzwork level Ethernet, FDDI,
Token Ring, PPP
Switching level IP
Transport level UDP / TCP
Transport level UDP / TCP
Switching level IP
Application level HTTP, DNS,
SMTP,FTP,
SNMP,POP3, T
Telenet
Application level HTTP, DNS,
SMTP,FTP,
SNMP,POP3, T
Telenet
1
2
3
4
5
-
7
1
2
3
4
5
-
7
Application Application
Physical Transport Layer
S/MIME, PGP, PEM, SSH
Kerberos, SET, S-HTTP
SSL, TLS
IPsec
ECP, CHAP
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 81
![Page 82: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/82.jpg)
To keep
d secret,
must be sent
encrypted.
Using Protocols: Secure Channel
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 82
![Page 83: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/83.jpg)
Secure Channel Pattern: Solution
Exchange key and send encrypted data.
![Page 84: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/84.jpg)
Security Protocols
System distributed over untrusted networks.
„Adversary“ intercepts, modifies, deletes, inserts
messages.
Cryptography provides security.
Cryptographic Protocol: Exchange of messages for
distributing session keys, authenticating principals
etc. using cryptographic algorithms
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 84
![Page 85: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/85.jpg)
Security Protocols: Problems
Many protocols have vulnerabilities or subtleties for
various reasons
• weak cryptography
• core message exchange
• interfaces, prologues, epilogues
• deployment
• implementation bugs
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 85
![Page 86: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/86.jpg)
Security Analysis
Following Dolev, Yao (1982): To analyze system, verify
against attacker model from threat scenarios in
deployment diagrams who
• may participate in some protocol runs,
• knows some data in advance,
• may intercept messages on some links,
• may injects produced messages in some links
• may access certain nodes.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 86
![Page 87: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/87.jpg)
Adversaries
Model classes of adversaries.
May attack different parts of the system according to
threat scenarios.
Example: insider attacker may intercept communication
links in LAN.
To evaluate security of specification, simulate jointly
with adversary model.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 87
![Page 88: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/88.jpg)
Cryptography
Keys are symbols, crypto-algorithms are abstract
operations.
• Can only decrypt with right keys.
• Can only compose with available messages.
• Cannot perform statistical attacks.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 88
![Page 89: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/89.jpg)
Cryptographic Expressions I
Exp: quotient of term algebra generated from sets Data,
Keys, Var of symbols using
• _::_ (concatenation), head(_), tail(_),
• (_)-1 (inverse keys)
• { _ }_ (encryption)
• Dec_( ) (decryption)
• Sign_( ) (signing)
• Ext_( ) (extracting from signature)
under equations …
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 89
![Page 90: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/90.jpg)
Cryptographic Expressions II
• E,K.DecK-1({E}K)=E
• E,K.ExtK(SignK-1(E))=E
• E1,E2.head(E1::E2)=E1
• E1,E2.tail(E1::E2)=E2
• Associativity for ::.
Write E1::E2::E3 for E1::(E2::E3) and fst(E1::E2) for
head(E1::E2) etc.
Can include further crypto-specific primitives and laws (XOR,
…).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 90
![Page 91: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/91.jpg)
Adversary Model
memory
logic
A B
ad
ve
rsa
ry* memorize message
* delete message
* insert message
* compose own message
* use cryptographic primitives
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 91
![Page 92: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/92.jpg)
Protocol: Attack Scenario
A B Adversary
m(x)
Adversary
knowledge: k-1, y, x
m(x)
return({z}k)
[argb,1,1 = x]
{z}k, z
return({y::x}z)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 92
![Page 93: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/93.jpg)
Proposed Variant of TLS (SSL)
IEEE Infocom
1999.
Goal: send secret
protected by
session key using
fewer server
resources.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 93
![Page 94: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/94.jpg)
Protocol
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 94
![Page 95: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/95.jpg)
Man-in-the-Middle Attack
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 95
![Page 96: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/96.jpg)
The Fix
Can prove that „secure“ (in precise sense).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 96
![Page 97: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/97.jpg)
Roadmap
1. Motivation and Overview
2. Specifying Security with UMLsec
3. Security Architectures
4. Cryptographic Protocols
5. Formal Security Analysis, General Results
6. Models versus Code
7. Run-time Verification
8. Software Evolution
9. Electronic Purses, Biometric Authentication
10.Other Applications
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 97
![Page 98: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/98.jpg)
Adversary Knowledge
Specify set of initial knowledge of an adversary of
type A. Let be the Exp-subalgebra generated
by and the expressions received after n+1st
iteration of the protocol.
Definition (Dolev, Yao 1982).
S keeps secrecy of M against attackers of type A if
there is no n with M .
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 98
![Page 99: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/99.jpg)
Security Analysis in First-order Logic
Approximate adversary knowledge set from above:
Predicate knows(E) meaning that adversary may get to know
E during the execution of the system.
E.g. secrecy requirement:
For any secret s, check whether can derive knows(s) from
model-generated formulas using automatic theorem
prover.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 99
![Page 100: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/100.jpg)
First-order Logic: Basic Rules
For initial adversary knowledge (K0): Define knows(E) for any E
initially known to the adversary (protocol-specific, e.g. KA , KA
-1).
Define above equations.
For evolving knowledge (Kn) define
E1,E2.(knows(E1) knows(E2)
knows(E1::E2) knows({E1}E2)
knows(DecE2(E1)) knows(SignE2 (E1))
knows(ExtE2 (E1)))
E.(knows(E)
knows(head(E)) knows(tail(E)))
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 100
![Page 101: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/101.jpg)
Given Sequence Diagram …
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 101
![Page 102: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/102.jpg)
… and Physical Layer Model …
Deployment diagram.
Derived adversary model: read, delete, insert data.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 102
![Page 103: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/103.jpg)
… Translate to 1st Order Logic
Connection (or statechart transition)
TR1=(in(msg_in),cond(msg_in),out(msg_out))
followed by TR2 gives predicate PRED(TR1)=
8 msg_in. [knows(msg_in)Æ cond(msg_in) ) knows(msg_out) Æ PRED(TR2)]
(Assume: order enforced (!).)
Can include senders, receivers in messages.
Abstraction: find all attacks, may have false positives.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 103
![Page 104: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/104.jpg)
Example
knows(N)Æ knows(KC)Æ knows(SignKC-1(C::KC))
Æ 8 init1,init2,init3.[knows(init1)Æ knows(init2)Æ knows(init3) Æ snd(Extinit2(init3)) = init2
) knows({SignKS-1(…)}…)Æ […] Æ […)...]…]
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 104
![Page 105: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/105.jpg)
Execute in System Context
Activity diagram.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 105
![Page 106: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/106.jpg)
Formulate Data Security Requirements
Class diagram.
Gives conjecture: knows(s) derivable ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 106
![Page 107: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/107.jpg)
Proposed Variant of TLS (SSL)
IEEE Infocom
1999.
Goal: send secret
protected by
session key using
fewer server
resources.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 107
![Page 108: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/108.jpg)
TLS Variant in TPTP Notation I
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 108
![Page 109: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/109.jpg)
TLS Variant in TPTP Notation II
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 109
![Page 110: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/110.jpg)
Surprise …
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 110
![Page 111: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/111.jpg)
… Which Means:
Can derive knows(s ) (!).
That is: Protocol does not preserve secrecy of s against
adversaries.
Completely insecure wrt stated goals.
But why ?
Could look at proof tree.
Or: use prolog-based attack generator.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 111
![Page 112: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/112.jpg)
Man-in-the-Middle Attack
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 112
![Page 113: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/113.jpg)
The Fix
e-Setheo: Proof that knows(s) not derivable.
Note completeness of FOL (but also undecidability).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 113
![Page 114: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/114.jpg)
Roadmap
1. Motivation and Overview
2. Specifying Security with UMLsec
3. Security Architectures
4. Cryptographic Protocols
5. Formal Security Analysis, General Results
6. Models versus Code
7. Run-time Verification
8. Software Evolution
9. Electronic Purses, Biometric Authentication
10.Other Applications
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 114
![Page 115: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/115.jpg)
Idea: The model-based foundation allows one to investigate general questions
regarding security preservation:
Security preservation vs. architectural principles:
• Horizontal layering of architectures
• Modularization / Composition of architectural components
• Service-oriented architectures
• Aspect-oriented architectures
Security preservation vs. development techniques:
• Refinement of specifications
• Refactoring of architectures
For each: Theorem providing conditions for preservation of security.
General results:
Security vs. Architecture
[Concur'00]
[ICSOC'04]
[Models'05]
[FME'01]
[Safecomp'03]
UML Models
Requirements
Code
Configuration
Runtime system
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 115
![Page 116: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/116.jpg)
Security vs. Refinement
Question: Under which conditions does refinement (i.e.
concretization of specifications) preserve security properties ?
For behavior-preserving refinement one would expect security
properties to be preserved.
„Refinement paradox“: In general not !
Observation: Problem: Mixture of nondeterminism for under-
specification resp. as a security mechanism.
Idea: Separate the two on the modeling level.
Theorem: Then refinement preserves security requirements.
UML Models
Requirements
Code
Configuration
Runtime system
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 116
![Page 117: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/117.jpg)
Security vs. Modularization
Idea: Exploit architectural modularization for modular security
verification.
Question: Under which conditions does composition of
components preserve security properties ?
Only works under suitable assumptions on other components.
Idea: Formalize as „Rely-guarantee“-condition.
Can verify components separately.
Validation: Java Secure Sockets Extension.
UML Models
Requirements
Code
Configuration
Runtime system
![Page 118: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/118.jpg)
Formal Foundation
For formal foundation, in particular for meta-level
investigation of this security analysis approach, use formal
semantics for a simplified fragment of UML, define using
the formal approach of stream-processing functions.
Consider the approach in the following.
[J. Jurjens: A domain-specific language for cryptographic protocols
based on streams. J. Log. Algebr. Program. 78(2): 54-73 (2009)]
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 118
![Page 119: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/119.jpg)
Cryptographic Expressions
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 119
![Page 120: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/120.jpg)
Executable Specifications
Jan Jürjens: Models vs Secure Change (WP4) 120
Motivation for system model:
as generic as possible.
cf. [Broy, Stolen 2001]
![Page 121: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/121.jpg)
Semantics: stream-processing functions
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 121
![Page 122: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/122.jpg)
Security Analysis using FOL
Knowledge enlargement by constructing expressions:
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 122
![Page 123: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/123.jpg)
Security Analysis using FOL (2)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 123
![Page 124: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/124.jpg)
Example: TLS Variant
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 124
![Page 125: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/125.jpg)
Executable Specification
![Page 126: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/126.jpg)
Translation to FOL
Can derive knows(s)
does not preserve
secrecy of s.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 126
![Page 127: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/127.jpg)
Refinement
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 127
![Page 128: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/128.jpg)
Restriction of Interface
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 128
![Page 129: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/129.jpg)
Refactoring
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 129
![Page 130: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/130.jpg)
Change up to Set of Behaviours
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 130
![Page 131: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/131.jpg)
Rely-Guarantee
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 131
![Page 132: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/132.jpg)
Example: Introducing Secure Channel
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 132
![Page 133: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/133.jpg)
Secure Channel (overview)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 133
![Page 134: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/134.jpg)
Secure Channel: abstraction
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 134
![Page 135: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/135.jpg)
Secure Channel: concretization (1)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 135
![Page 136: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/136.jpg)
Secure Channel: concretization (2)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 136
![Page 137: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/137.jpg)
Secure Channel: refinement
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 137
![Page 138: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/138.jpg)
Roadmap
1. Motivation and Overview
2. Specifying Security with UMLsec
3. Security Architectures
4. Cryptographic Protocols
5. Formal Security Analysis, General Results
6. Models versus Code
7. Run-time Verification
8. Software Evolution
9. Electronic Purses, Biometric Authentication
10.Other Applications
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 138
![Page 139: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/139.jpg)
Security Analysis: Model or Code ?
How do I know a crypto-protocol implementation (as opposed to
specification) is secure ?
Model:
+ earlier (less expensive to fix flaws)
+ more abstract more efficient
- more abstract may miss attacks
- programmers may introduce security flaws
- even code generators, if not formally verified
Code:
+ „the real thing“ (which is executed)
Do both where feasible !
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 139
![Page 140: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/140.jpg)
Solution
Possible solutions in the context of model-based security engineering :
1. Verify specification, write code generator, verify code generator. Problems:
• very challenging to verify code generator
• generated code satisfactory for given requirements (maintainability,
performance, size, …) ?
• not applicable to existing implementations
2. Generate models from code and verify these.
• Advantages:
-- Seems more automatic.
-- Users in practice can work on familiar artifact (code),
don t need to otherwise change development process (!).
• Challenges: Currently possible for restricted code or using significant
annotations. Need to verify model generator.
3. Create models and code manually and verify code against models. Advantages:
• Split heavy verification burden (Model-level analysis more efficient).
• Get some verification result already in design phase (for non-legacy
implementations) => cheaper to fix.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 140
![Page 141: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/141.jpg)
Just an Exercise in Code Verification ?
State of the art in code verification in practice: execution exploration by testing. Limitations:
• For highly interactive systems usually only partial test coverage due to test-space explosion.
• Cryptography inherently un-testable since resilient to brute-force attack.
Interactive formal software verification (Isabelle et al): assumes specialist users.
Automated … (Bandera, Soot et al.): scalability wrt. code size / complexity; sophistication of properties (security).
NB: There are specialized approaches in development to formally verify crypto-protocol implementations independently from models (e.g. Aizatulin, Dupressoir, Gordon, Jürjens @ CSF‘11, CCS‘11, CCS‘12) => not in scope of this lecture.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 141
![Page 142: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/142.jpg)
Model-Code Traceability Mapping
142 142
Implement
-ation
.java
Elements of connections Sent and received data
„meaning“ „meaning“
compare meaning!
Backtrace
assignments
Defined during
model creation
Find Has
Abstract model
Implements?
![Page 143: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/143.jpg)
Models from Code
Generate control flow graph (e.g. aicall (Absint)).
Transform to state machine:
trans(state,inpattern,
condition,action,
nextstate)
where action can be
outpattern or
localvar:=value.
[ASE05,ASE06]
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 143
![Page 144: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/144.jpg)
Experiences
Can generate behavioral models from code (e.g.
CFGs). Problem: too concrete
understanding + automated verification
hard (even with annotations).
Constructing abstract specifications from practical
software is manually intensive.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 144
![Page 145: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/145.jpg)
Verify Code against Models
Assumption: Have textual specification. Then:
• construct interface spec from textual spec
• analyze interface spec for security
• verify that software satisfies interface spec (using
run-time verification)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 145
![Page 146: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/146.jpg)
JSSE / Jessie
• Java Secure Sockets Extension (JSSE) contains
implementation of SSL.
• Open-source clean-room reimplementation Jessie.
• Applied our approach to fragment of Jessie (SSL
handshake using RSA, verifying secrecy of
exchanged secret).
• Currently extending the work to JSSE recently made
open-source by Sun.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 146
![Page 147: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/147.jpg)
• Identify program points:
value (r), receive (p), guard (g), send (q)
II. Check guards enforced
p
q g
Interface
spec of SSL
r
[ICSM 05]
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 147
![Page 148: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/148.jpg)
Implementation
(Jessie):
Identify Values
Currently do
this manually
using code
assertions
Parameter of the cryptographic
Client-hello Message
Transferred data of the Client-Hello Message of the
Jessie implementation
![Page 149: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/149.jpg)
public void write(OutputStream out) throws IOException
{ ... out.write(randomBytes); … }
public void write(OutputStream out)
throws IOException
{ ... random.write(out); ... }
ClientHello(… , Random random, )
{ ... this.random = random; ... }
ClientHello clientHello = new ClientHello(...,clientRandom,...);
Random clientRandom =
new Random(...,session.random.generateSeed(28));
class SecureRandom (specified in: FIPS
140-2,RFC 1750) of package java.security
Function: generateSeed
Identify: randomBytes 2nd parameter of Random constructor
called by ClientHello.write()
2nd parameter of ClientHello constructor
initialized in SSLSocket.doClientHandshake()
initialization of the used Random object
via Handshake.write()
„meaning“
(in message ClientHello)
![Page 150: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/150.jpg)
Input / Output
To extract input/output labels for state machine transitions,
analyze input / output mechanism used in the
implementation.
Many implementations (e.g. Jessie and JSSE) use buffered
communication where the message objects implement
read and write methods. Translate these method calls to
input / output labels (need to track successive subcalls).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 150
![Page 151: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/151.jpg)
Sending Messages
SSLSocket.doClientHandshake() ClientHello.write()
Random.write()
traverse CFG
call of
OutputStream.
write()
Handshake.write()
Automate this using
patterns
ProtocolVersion.write()
![Page 152: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/152.jpg)
Checking Guards
Guard g enforced by code?
• Generate runtime check
for g at q from diagram:
simple + effective, but performance penalty.
• Testing against checks (symbolic crypto for
inequalities).
• Automated formal local verification: conditionals
between p and q logically imply g (using ATP for
FOL).
p
q g
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 152
![Page 153: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/153.jpg)
private void checkTrusted(X509Certificate[] chain,
String authType) throws CertificateException
{ ... }
public void verify(PublicKey key, String provider)
throws CertificateException, ...
{ ... }
private void doVerify(Signature sig,PublicKey key)
throws CertificateException, ...
{ ... sig.initVerify(key);
sig.update(tbsCertBytes);
if (!sig.verify(signature))
{… throw new CertificateException
("signature not validated"); … } }
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {… checkTrusted(chain, authType); }
Guard:
checkServerTrusted()
calls checkTrusted()
calls verify() for every member of certificate chain
calls doVerify()
java.security.Signature
• Initializatize
• Update
• Verify
„verifies the signature“
„meaning
“
![Page 154: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/154.jpg)
msg = Handshake.read(din, certType);
session.trustManager.checkServerTrusted
(peerCerts,suite.getAuthType());
msg = new Handshake(Handshake.Type.CLIENT_KEY_EXCHANGE, ckex);
msg.write (dout, version);
p
q
g
try
catch
only possible way
without throwing
exception
p
q g
![Page 155: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/155.jpg)
Tool Support
[UML04,
FASE05,ICSE06]
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 155
![Page 156: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/156.jpg)
Roadmap
1. Motivation and Overview
2. Specifying Security with UMLsec
3. Security Architectures
4. Cryptographic Protocols
5. Formal Security Analysis, General Results
6. Models versus Code
7. Run-time Verification
8. Software Evolution
9. Electronic Purses, Biometric Authentication
10.Other Applications
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 156
![Page 157: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/157.jpg)
Model-Runtime Traceability
How do I know the running implementation is still secure after deployment ?
• Does system model capture all relevant aspects about a system ?
• Are assumptions about influences from a system's operational
environment reflected adequately ?
• Are the abstractions that need to be made to enable automated static
verification of non-trivial systems faithful wrt the verification result ?
Run-time verification.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 157
![Page 158: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/158.jpg)
Runtime Verification using Monitors
Dynamic verification technique on the actual system.
Essentially a symbiosis of model-checking and testing.
“Lazy model-checking”: only check the system traces which are executed, when they are executed.
t
Property fulfilled?
Actions
System
Property
Monitor
automatic generation of
Runtime verification in a nutshell
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 158
![Page 159: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/159.jpg)
Formal underpinnings
• System (safety) property, , specified in terms of linear time temporal logic [Pnu77]:
• Continuous interpretation of over sequence of system events (behaviours),
• Automatic monitor
generation: “Inspired” by
translation of LTL to Büchi-automata p q p q
Monitor
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 159
![Page 160: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/160.jpg)
Semantics
Write F phi for true U phi (“eventually phi”); G phi for not F
not phi (“globally phi”); phi1 W phi2 for G phi1 or (phi1 U
phi2) (weak-until)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 160
![Page 161: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/161.jpg)
Monitoring-friendly LTL semantics
3-valued semantics:
Gives finite-state machines for detecting minimal bad prefixes:
0
l
j
1
i inconclusive false k
inconclusive
... true
Predictiveness
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 161
![Page 162: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/162.jpg)
ClientKeyExchange
Client will not send out ClientKeyExchange message until
has received Certificate message and check is positive,
and then sends it out.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 162
![Page 163: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/163.jpg)
Client Transport Data
Client will not send any transport data before has
checked that MD5 hash received in Server`s Finished
message is equal to MD5 created by Client (and
correspondingly for SHA hash).
not co-safety but safety
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 163
![Page 164: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/164.jpg)
Server Finished
Server will not send Finished message before MD5 received in Client`s
Finished message equal to MD5 created by server. Then sends out
eventually.
NB: Improves on Schneider’s security automata.
not safety nor co-safety
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 164
![Page 165: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/165.jpg)
Roadmap
1. Motivation and Overview
2. Specifying Security with UMLsec
3. Security Architectures
4. Cryptographic Protocols
5. Formal Security Analysis, General Results
6. Models versus Code
7. Run-time Verification
8. Software Evolution
9. Electronic Purses, Biometric Authentication
10.Other Applications
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 165
![Page 166: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/166.jpg)
Challenges:
• Software lifetime often longer than intended (cf. Year-2000-Bug).
• Systems evolve during their lifetime.
• In practice evolution is difficult to handle [cf. HVB example].
Problem: Critical requirements (e.g. security) preserved ?
The Forgotten End of
the System Life-cycle UML Models
Requirements
Code
Configuration
Runtime system
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 166
![Page 167: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/167.jpg)
Each artifact may evolve.
To reduce costs, reuse verifi-
cation results as far as possible.
=> Under which conditions does evolution preserve security?
Even better: examine possible future evolution for effects on security.
• Check beforehand whether potential evolution will preserve security.
• Choose an architecture during the design phase which will support future
evolution best wrt. security.
=> Evolution as first-class modeling concept in UMLsec.
Trade-off: flexibility of evolution vs. preservation of security.
[NB: analogous problem: Software-product lines.]
Evolution
UML Models
Requirements
Code
Insert
Code-/
Testgen. Reverse Engin.
Analyse
Configuration Generate
Verify
Runtime System
Confi-gure
Execute
Challenge: Evolution
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 167
![Page 168: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/168.jpg)
Types of Change
Change can arise from
• Need to update, tailor, delete or introduce new security feature(s) (security-driven changes)
• System evolution
• Updates, modifications, deletions and additions to existing functional features
• Introduction of new functional features
• Changes in environment, attacker models etc.
Change may arise in any of the life-cycle phases
UMLsec can be used to model security relevant changes in all life-cycle phases
Particular interesting instance: the evolution mechanism itself (e.g. Software versioning, software update (cf GP)) – is it itself functioning securely ?
Practical example: different SSL versions in HVB architecture.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 168
![Page 169: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/169.jpg)
How to deal with change?
All artefacts on our overview picture can change.
Want to reuse assurance results as much as possible.
=> 1) Preservation of security under change ?
Need mapping between old and new artefact for this.
Also: Want to take into consideration possible future changes at
development stage. Certain security analyses before allowing the
future change to happen:
Existing security property destroyed due to the change?
Other security-related artefacts affected by the change?
=> 2) Change as first order citizen in modelling and analysis.
Again need 1) for that (and also provides above mapping).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 169
![Page 170: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/170.jpg)
Changing the Model vs. Modeling Changes
What If…
• You want to change all things of a type?
Tedious search for every instance
• You want to describe different variants?
Multiply the model files
• Very little has actually changed, but the model is huge?
Complete analysis takes time
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 170
![Page 171: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/171.jpg)
Initial creation of a model
171
UML Model
Requirements
Requirements engineer
3
Model with security annotations
<<sec>>
<<encrypted>>
Security Expert
4 2 System architect
UMLsec Tool
1 2
171
Test engineer
7 public class calculator implements ActionListener { JTextArea display; public calculator() { JFrame all = new JFrame(« Calculator" ); …
Java code
Verification expert
6
Test model
Validated model
<<sec>>
<<encrypted>>
3
4
5
4a
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 171
![Page 172: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/172.jpg)
Changing a model
Security Expert
4
?
172
UML Model with
evolution information
<<sec>>
<<encrypted>>
<<add>>
<<subst>> New or changed
requirement
Requirements engineer
3
Correction of the model
<<sec>>
<<encrypted>>
Test engineer
7 public class calculator implements ActionListener { JTextArea display; public calculator() { JFrame all = new JFrame(« Calculator" ); …
Java code
Verification expert
6
2 System architect
UMLsec Tool
Test model
Validated model
<<sec>>
<<encrypted>>
!
2a
5
2
1
2b
2c
Interaction of security expert is
only needed if the validation fails.
3 4
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 172
![Page 173: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/173.jpg)
Change of specification models
• small-step (atomic) changes: identified atomic changes
that span the complete space of possible changes,
determine preconditions under which security properties
are preserved
• big-step (refactoring) changes: consider several generally
applicable big-steps changes
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 173
![Page 174: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/174.jpg)
p>p': p leaks
more know-
ledge than p'
p preserves
secrecy of s
assuming C:
Atomic Change:
Deletion
![Page 175: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/175.jpg)
Atomic Change:
Insertion
175
![Page 176: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/176.jpg)
Big-step Change: Refinement
One way to explicitly specify possibilities for future change is
by underspecification: Change by one instantiation to the
other.
Ideally refinement should preserve security: Verify abstract
spec, extends to instantiations.
Unfortunately doesn't work with all approaches in the
literature.
Our notion of model refinement preserves security
requirements (cf. earlier theorem).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 176
![Page 177: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/177.jpg)
Other big-Step Changes
• Restriction of interface
• Refactoring using additional components
• Change up to set of input/output behaviours
In each case: Theorem which identifies pre-conditions on
when this preserves security (cf. earlier).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 177
![Page 178: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/178.jpg)
Modular Change via Rely-Guarantee
Can permit future changes in a modular way by formulating
rely-guarantee conditions on components and showing
that these imply the security requirements.
Then components can be changed arbitrarily as long as the
changed component still satisfies the rely-guarantee
condition.
Have general results showing when this is admissible.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 178
![Page 179: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/179.jpg)
Generating Rely-Guarantee Conditions
For program fragment p, generate set of statements derive(L,C,E) such
that adversary knowledge is contained in every set K such that:
– for every list l of values for the variables in L
that satisfy the conditions in C:
K contains the value constructed by instantiating the variables in
the expression E with the values from l
Can then change components as long as still satisfy these rely-
guarantee conditions.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 179
![Page 180: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/180.jpg)
Change of the Attacker Model
Change of attacker / threat model results in changes in the
formula on the previous slide.
Have different attacker models (default, internal, ...).
Investigate to which extent security verification results can
be reused between different attacker models.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 180
![Page 181: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/181.jpg)
Tool Support:
System-Evolution
• Implemented evolution-based
analysis within tool-support.
• Resulting performance gain
Jan Jürjens. 2011. Automated
security hardening for evolving
UML models. 33rd Int. Conf.
on Software Engineering
(ICSE '11). ACM.
A. Bauer, J. Jürjens, Y. Yu:
Run-Time Security Traceability
for Evolving Systems.
Computer Journal 54(1): 58-87
(2011)
![Page 182: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/182.jpg)
Maintaining Model-Code Traceability under Evolution
Code evolution can potentially multiply testing effort.
Need to re-verify code parts that changed, re-do
integration testing etc.
Particular problem when testing for sophisticated
properties (such as security) since requires particular
effort.
Want to automatically trace code evolution to model
level so can automatically reuse earlier tests.
[Bauer, Jurjens, Yu 09]
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 182
![Page 183: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/183.jpg)
Model-Code Co-Evolution
Basic observation: Most system changes
can be reduced to two kinds:
• Adding / removing parts of the system.
• Basic refactoring operations to hold
system parts together despite changes.
When adding / removing code parts we need to assume that the
corresponding models are also added / removed.
For evolution by refactoring can achieve automated model-code
traceability e.g. using Eclipse Refactoring Language Toolkit (LTK) /
XML based refactoring scripts.
Maintain model-code synchrony using continuous integration scripts
(with CruiseControl / Apache Ant).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 183
![Page 184: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/184.jpg)
Secure Evolution: Tool support
Preserving requirements-code traceability by refactoring.
[ASE'07,
ICSM'08,
ASE'08,
Computer
Journal '10]
UML Models
Requirements
Code
Configuration
Runtime system
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 184
![Page 185: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/185.jpg)
Java Secure Sockets Extension
Applied our approach to a series of implementations of the
Java Secure Sockets Extension library:
Jessie 1.0.0 - Jessie 1.0.1 - JSSE 1.6
Demonstrated that our model-code co-evolution approach is
robust even across major software changes.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 185
![Page 186: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/186.jpg)
Roadmap
1. Motivation and Overview
2. Specifying Security with UMLsec
3. Security Architectures
4. Cryptographic Protocols
5. Formal Security Analysis, General Results
6. Models versus Code
7. Run-time Verification
8. Software Evolution
9. Electronic Purses, Biometric Authentication
10.Other Applications
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 186
![Page 187: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/187.jpg)
Common Electronic Purse Specifications
Global electronic purse standard (90% of market).
Smart card contains account balance. Chip secures
transactions with crypto.
More fraud protection than credit cards (transaction-bound
authorization).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 187
![Page 188: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/188.jpg)
Load Protocol
Unlinked, cash-based load transaction (on-line).
Load value onto card using cash at load device.
Load device contains Load Security Application Module
(LSAM): secure data processing and storage.
Card account balance adjusted; transaction data logged
and sent to issuer for financial settlement.
Uses symmetric cryptography.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 188
![Page 189: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/189.jpg)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 189
![Page 190: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/190.jpg)
Load Protocol: Physical View
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 190
![Page 191: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/191.jpg)
Load Protocol: Structural View
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 191
![Page 192: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/192.jpg)
Load Protocol: Coordination View
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 192
![Page 193: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/193.jpg)
Load Protocol: Interaction View
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 193
![Page 194: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/194.jpg)
Security Threat Model
Card, LSAM, issuer security module assumed tamper-
resistant.
Intercept communication links, replace components.
Possible attack motivations:
• Cardholder: charge without pay
• Load acquirer: keep cardholder's money
• Card issuer: demand money from load acquirer
May coincide or collude.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 194
![Page 195: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/195.jpg)
Audit Security
No direct communication between card and cardholder.
Manipulate load device display.
Use post-transaction settlement scheme.
Relies on secure auditing.
Verify this here (only executions completed without
exception).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 195
![Page 196: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/196.jpg)
Security Conditions (informal)
Cardholder security: If card appears to have been
loaded with m according to its logs, cardholder can
prove to card Issuer that a load acquirer owes m to
card issuer.
Load acquirer security: Load acquirer has to pay m to
card issuer only if load acquirer has received m from
cardholder.
Card issuer security: Sum of balances of cardholder
and load acquirer remains unchanged by transaction.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 196
![Page 197: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/197.jpg)
Load Acquirer Security
Suppose card issuer I possesses mln=Signrn(cep::nt::lda::mn::s1::hcnt::hln::h2ln) and card C possesses rln, where hln = Hash (lda::cep::nt::rln).
Then after execution either of following hold:
Llog(cep,lda,mn,nt) has been sent to l:LLog (so load acquirer L has received and retains mn in cash) or
Llog (cep, lda, 0, nt) has been sent to l : LLog (so L returns mn to cardholder) and L has received rcnt with hcnt=Hash(lda::cep::nt::rcnt) (negating mln).
"mln provides guarantee that load acquirer owes transaction amount to card issuer" (CEPS)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 197
![Page 198: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/198.jpg)
Flaw
L does not provide load acquirer security against
adversaries of type insider.
Why ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 198
![Page 199: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/199.jpg)
Flaw
mln: „Proof“
for bank that
load machine
received
money.
But: rn shared
between bank and
load machine.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 199
![Page 200: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/200.jpg)
Correction
Modification: use asymmetric key in , include
signature certifying .
Verify this version wrt. above conditions.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 200
![Page 201: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/201.jpg)
Roadmap
1. Motivation and Overview
2. Specifying Security with UMLsec
3. Security Architectures
4. Cryptographic Protocols
5. Formal Security Analysis, General Results
6. Models versus Code
7. Run-time Verification
8. Software Evolution
9. Electronic Purses, Biometric Authentication
10.Other Applications
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 201
![Page 202: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/202.jpg)
Biometric Authentication System
In development by large German
telecommunication company.
In joint project, use presented security
analysis tools at given UML
specification.
So far, have discovered three major attacks against
subsequently improved versions (misuse counter
circumvented by dropping / replaying messages,
smart-card insufficiently authenticated by recombing
sessions).
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 202
![Page 203: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/203.jpg)
Architecture
Threatsinsider(connection)
= Threatsinsider (wire)
= {read, write, delete}
Threatsinsider(smartcard)
= Threatsinsider (tamper-proof)
= Ø
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 203
![Page 204: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/204.jpg)
Class diagram
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 204
![Page 205: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/205.jpg)
Use case:
Biometric
verification
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 205
![Page 206: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/206.jpg)
Protocol
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 206
![Page 207: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/207.jpg)
Authentic. Protocol Part 1
Mutual authentication with
challenge & response
Generate shared key
![Page 208: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/208.jpg)
Authentication Protocol Part 2
Send reference template
and signature to host system
Decrease misuse
counter
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 208
![Page 209: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/209.jpg)
Authentication Protocol Part 3
Compare biodata
and reference template
-> access decision
Send biodata to
host system
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 209
![Page 210: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/210.jpg)
Big Picture
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 210
![Page 211: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/211.jpg)
Translation to First-order Logic II
Message order not enforced by smart card (!).
Connection from smart card
TR1=(in(msg_in),cond(msg_in),out(msg_out))
followed by TR2 gives predicate
PRED(TR1)=
8 msg_in. [knows(msg_in)Æ cond(msg_in)
) knows(msg_out)]
Æ PRED(TR2)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 211
![Page 212: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/212.jpg)
Authent. Protocol Pt. 2: Problem ?
Decrease misuse
counter
Message order ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 212
![Page 213: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/213.jpg)
Authent. Protocol Pt. 2: Problem.
Drop
message
11 …
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 213
![Page 214: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/214.jpg)
Authent. Protocol Pt. 2: Improvement
Check
whether
FBZ
decreased
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 214
![Page 215: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/215.jpg)
Authent. Prot. Pt. 2: Improvement ?
Note:
skh=sksc
FBZ2=FBZ2‘
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 215
![Page 216: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/216.jpg)
Authent. Prot. Pt. 2: Problem
Replay
MACskh
(FBZ2‘)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 216
![Page 217: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/217.jpg)
Authent. Prot. Pt. 2: Improvement (?)
Subst.
MACskh(FBZ2‘)
by
MACskh
(„write“::FBZ2‘)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 217
![Page 218: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/218.jpg)
Authentic. Protocol Part 1: Problem ?
Mutual authentication with
challenge & response
Generate shared key
Authentic. vs. key gen. ?
![Page 219: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/219.jpg)
Authentic. Protocol Part 1: Problem.
Forged smart-card after
authentic.;replay old session key
Mutual authentication with
challenge & response
Generate shared key
![Page 220: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/220.jpg)
Authentic. Protocol Part 1: Improvement (?)
Generate shared key
Mutual authentication with
challenge & response
Use (both) random
numbers in Macs
![Page 221: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/221.jpg)
Roadmap
1. Motivation and Overview
2. Specifying Security with UMLsec
3. Security Architectures
4. Cryptographic Protocols
5. Formal Security Analysis, General Results
6. Models versus Code
7. Run-time Verification
8. Software Evolution
9. Electronic Purses, Biometric Authentication
10.Other Applications
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 221
![Page 222: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/222.jpg)
Bank Application
Security analysis of web-based banking application, to be
put to commercial use (clients fill out and sign digital order
forms).
Layered security protocol (first layer: SSL protocol, second
layer: client authentication protocol)
Security requirements:
• confidentiality
• authenticity
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 222
![Page 223: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/223.jpg)
Layered Security Architectures
Layer on top uses security below.
Security properties additive ?
confidentiality, integrity, server authenticity
client authenticity
confidentiality, … + client authenticity
= ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 223
![Page 224: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/224.jpg)
The Application II
• Two layer architecture.
• When user logs on, an SSL-connection is established
(first layer).
• Provides secrecy, integrity, server authentication but
no client authentication (this version).
• Custom-made protocol on top of SSL for client
authentication.
• Session key generated by SSL used to encrypt messages
on second layer.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 224
![Page 225: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/225.jpg)
Authentication
protocol
Auth
entication
T
ran
sa
ctio
n
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 225
![Page 226: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/226.jpg)
Layered Security Protocol
• Adjust adversary model to account for SSL security
properties.
• Justify that specialized adversary model wrt. top-level
protocol is as powerful as generic adversary wrt.
protocol composition.
• Verify top-level protocol wrt. specialized adversary.
• Implies verification of protocol composition.
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 226
![Page 227: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/227.jpg)
Insight
Layered Security Architectures indeed additive wrt.
security properties in this particular case.
Generalize to classes of systems and security
requirements !?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 227
![Page 228: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/228.jpg)
Further Applications
• German Health-card: Architecture analyzed with UMLsec, some weaknesses found [Jour.
Meth. Inform. Medicine 08]
• Internal information system [ICSE 07]
• Internet bank architecture at HypoVereinsbank [SAFECOMP 03]
• Common Electronic Purse Specifications (Global standard for electronic purses):
several weaknesses found [IFIPSEC 01, ASE 01]
• Biometric authentication systems: several weaknesses found [ACSAC 05, Models 09]
• Health information systems [Caise 09]
• Return-on-Security Investment Analysis
• Analysis of digital signature architecture
• IT security risk modelling
• Smart-card software update platform
Ongoing:
• Cloud-user security analysis
• Cloud-provider security analysis
• Security economics analysis
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 228
![Page 229: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/229.jpg)
German Health Card Architecture
• Analyzed
architecture against
security
requirements using
UMLsec
• Detected several
security
weaknesses in the
architecture
[Meth. Inform. Medicine 08]
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 229
![Page 230: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/230.jpg)
Application: Mobile Communikation at O2
UMLsec-based security analysis of regulations for the use of mobile devices at O2
(Germany)
Extracted 62 security requirements from the security policy.
21 business-process relevant requirements, modelled in 8 activity diagrams, using the UMLsec-stereotypes <<fair
exchange>> and <<provable>>.
10 data security requirements (confidentiality, integrity), modelled in deployment diagrams.
3 requirements on role-based access control (RBAC).
15 requirements regarding the protection of network
services and use of firewalls and antivirus-software
(modelled using extension of UMLsec)
13 requirements could not be modelled directly in UMLsec.
J. Jürjens, J. Schreck, P. Bartmann. 2008. Model-based security
analysis for mobile communications. 30th International Conference
on Software engineering (ICSE '08). ACM
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 230
![Page 231: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/231.jpg)
MetaSearch Engine: personalized search in corporate
intranet (password-protected).
Some documents are very security-critical.
Over 1.000 potential users, 280.000 documents, 20.000
requests per day.
Seamlessly integrated into enterprise security architecture.
Provides security services for applications (user
authentication, role-based access, global single-sign-on),
starting point for further security services.
Successfully analyzed with UMLsec.
Validation Example:
Internal information system at BMW
[ICSE 07]
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 231
![Page 232: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/232.jpg)
Some Empirical Results
Is model-based quality assurance worthwhile compared to classical QA
techniques (e.g. testing)?
1) Static Analysis vs. Code Review: Industrial software at
O2 (Germany) examined for errors. Result:
• Static-analysis only finds certain error classes, but very reliably.
• Most important aim: reduce “false positive”-rate.
2) Model-checking vs. Simulation / Tests: door control
(in coop. w. BMW). Typical error classes:
• Simulation / testing finds many “simple” errors fast and effectively (e.g.
incorrect transition priority: few min.)
• Model-checking also finds obscure errors (e.g. race conditions), but with
additional effort (1-2 days for LTL formula).
[Models '08]
[Testcom '05]
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 232
![Page 233: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/233.jpg)
Model-based Security: Some Milestones
2001: UMLsec: UML profile for security modelling (Jürjens)
Model-based security testing with AutoFocus (Wimmel, Jürjens)
2002: Secure UML: Modelling RBAC with UML (Basin et al.)
Hypermedia security modeling with Ariadne (Aedo, Diaz et al.)
Aspect-oriented Security Modelling (France et al.)
Model-based IT security risk assessment (Stølen et al.)
Interactive theorem proving of UML models for security (Haneberg, Reif et al.)
2003: Formal verification for UML models of access control (Koch, Parisi-Presicce)
2004: Automated verification tools for UMLsec (Shabalin et al.)
Actor-centric modeling of user rights with UML (Breu et al.)
Extending OCL for secure database development (Fernández-Medina et al.)
2005: First book on model-based security published (in English)
2007: Security monitors for UML policy models (Massacci et al.)
2008: Executable misuse cases for security concerns (Whittle et al.)
2009: Model-based security vs performance evaluation (Woodside et al.)
First book on model-based security in Chinese
2010: From requirements to UMLsec models (Houmb et al.; Islam et al.; Mouratidis et al.)
Security monitoring for UMLsec models (Bauer et al.; Pironti et al.)
… : Model-based security monitor generation for embedded systems (Schürr et al.)
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 233
![Page 234: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/234.jpg)
Model-based Security: Where are we today?
Companies are increasingly active in Model-based Security (e.g. Interactive Objects, ObjectSecurity, Thales (Security DSML), Foundstone (McAfee), …)
2005: Model-based Security is part of the “Build Security In” body of
knowledge of US Dep. Homeland Security.
2007: “Model-Driven Security: Enabling a Real-Time, Adaptive Security
Infrastructure” (Gartner, 21 September 2007):
“Model-driven security is embryonic, but it will have a significant impact
as information security infrastructures become increasingly real time,
automated, and adaptive to changes in organizations and their
environments.” [http://www.gartner.com/DisplayDocument?id=525109]
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 234
![Page 235: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/235.jpg)
Some current projects
![Page 236: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/236.jpg)
Model-based Security: Open Problems
• Secure evolution: first steps under way, more needs be done.
• Sound integration and pervasive verification:
• between system abstraction hierarchies (applications down to hardware)
• between system lifecycles phases
• General challenges in model-based development (general problems, but
instantiated to security particularly interesting / challenging / important):
• Scientific work: model repositories ?
• Industrial usage: RoI of modelling ?
• Usability and scalability of the modelling notations and associated tools ?
• How to represent complex information (such as security information) within
visual diagrams in an understandable and usable way ?
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 236
![Page 237: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/237.jpg)
UMLsec: Summary
Model based security
engineering with UMLsec:
• Model-based development with UML
• Automatic security analysis of software artifacts:
• UML Models, Java / C programs, configuration data
• Successful applications in industry.
Evolution
UML Models
Requirements
Code
Insert
Code-/
Testgen. Reverse Engin.
Analyse
Configuration Generate
Verify
Runtime System
Confi-gure
Execute
Overview – UMLsec – Architecture – Protocol – Analysis – Code –
Run-time – Evolution – e-Purses – Biometrics – Wrap-up 237
![Page 238: Model-based Security Engineering - Uni Koblenz-Landau · Model-based Security Engineering Jan Jürjens TU Dortmund & Fraunhofer ISST Dortmund, Germany . ... Protocol – Analysis](https://reader034.vdocuments.us/reader034/viewer/2022042221/5ec7e48ae396e9508e214805/html5/thumbnails/238.jpg)
Questions? More information (papers, slides,
tools etc.): http://jan.jurjens.de