A Domain-Specific Language for Modelling Security Objectives in a Business Process Models of SOA Applications


Department of Computer and Information Sciences, Universiti Teknologi PETRONAS, 31750, Seri Iskandar, Perak Darul Ridwan, Malaysia.
muhammad.qaiser.saleem@gmail.com, jafreez@petronas.com.my, mfadzil_hassan@petronas.com.my

Abstract

Business process modelling is crucial for enterprises because it gives an idea of how the business would operate in the real world, and it is important for every stakeholder. SOA is one of the most popular architectures for building Web Information Systems. In current SOA system development practice, security is not defined in the early phases of software development and is left to the developer. Properly configuring security requirements in SOA applications is quite difficult for developers because they are not security experts; furthermore, SOA security is cross-domain and not all of the required information is available at the downstream phases. The post-hoc, low-level integration of security has a negative impact on the resulting SOA applications. Business process modelling is normally performed by the business process expert, who is not a security expert. Furthermore, current business process modelling languages like UML or BPMN do not support the specification of security requirements along with the business process model. We present a DSL to model the security requirements along with the business process model. It enables the business process expert to model security in the business process diagram. This security-annotated business process model will help the security expert in specifying the concrete security implementation. As a proof of concept, the proposed DSL is applied to the modelling of a typical business process of an online student information system.

Keywords: Service Oriented Architecture, Business Process Modelling, Security Goals, Model Driven Security, Domain Specific Language

1. Introduction

Nowadays, IT infrastructure has evolved into an enterprise landscape that is basically distributed and loosely coupled, e.g. Service Oriented Architecture (SOA) [1-3]. In the new business scene, where companies make intensive use of Information and Communications Technologies (ICT), they are also increasing their vulnerability. With the increase in the number of attacks on systems, it is probable that an intrusion can be successful [4]. A security violation definitely causes losses; therefore it is necessary to secure the whole system. Security must be unified with the software engineering process, but in practice it is considered an afterthought and implemented in an ad-hoc manner [4]. Security is left to the developer and added when the functional requirements are met or at the time of integration of distributed applications. This is not a realistic approach and degrades the implementation and maintainability of the system's security [5]. SOA applications are cross-domain and coupled over various network technologies and protocols; just adding security code to software applications is not a realistic approach because not all of the required security information is available at the downstream phases [6, 7].

During the past few years, several security protocols, access control models and security implementations have emerged to enforce the security goals [6, 8]; however, the focus of SOA security standards and protocols is on the technological level; they do not provide a high level of abstraction, and mastering them is a daunting task [1, 3, 9]. The technology focus of current security standards and protocols leads to security vulnerabilities, which justifies increasing the effort spent on defining security in the pre-development phases, where finding and removing a bug is cheaper [10]. Empirical studies show that those who model the business process, i.e. business domain experts, are able to specify security requirements at a high level of abstraction, i.e. while designing the system [4].

Advances in information Sciences and Service Sciences(AISS) Volume4, Number1, January 2012 doi: /AISS.vol4.issue

However, in practice, the business domain expert mainly focuses on the functionality of the system and often neglects the security goals. This may happen for many reasons, e.g. the business domain expert is not a security expert [4], and no currently available process modelling notation has the ability to capture security goals [11]. Furthermore, the system model and the security model are disjoint and expressed in different ways, i.e. the system model is represented graphically in a modelling language like the Unified Modelling Language (UML), while the security model is structured text [4]. It is evident that the business domain expert must define the security requirements in the business process model [11]. Business process modelling is the most appropriate layer at which to describe security requirements and to evaluate risks [1, 12]. Business process modelling is normally performed in a modelling language such as UML or Business Process Model and Notation (BPMN); these modelling languages do not support the specification of security requirements [13]. Some security extensions have been proposed for these modelling languages to annotate the business process model with security goals [14, 15], and work is still in progress.

Model Driven Security (MDS) and automatically developed software with security configuration have been a topic of interest in the research community, and different research groups across the globe are trying to solve the security problems of SOA-based applications by presenting MDS frameworks along with DSL definitions [6, 8, 13-17]. In our previous work [18], we highlighted the different SOA security problems and provided a detailed study of different MDS frameworks that try to address these security problems. Later, a framework was presented in which it is recommended that both experts, i.e. the business process expert and the security expert, work side by side in defining the security requirements while modelling the SOA system [19].
In this work, the meta-model of BPMN is extended with the essential security objectives of the SOA environment by proposing a Domain Specific Language (DSL). The Model Driven Architecture (MDA) approach is used to integrate security goals into a business process model from the business process expert's perspective. BPMN, which is an industry standard for business modelling [4], is used as the modelling language for our work. The main reason for selecting BPMN is that its modelling techniques are easily understood by all users of the business, e.g. business analysts, technical people, business people etc. Furthermore, it creates standardization through which the design of a business process is connected to its implementation [4]. Our aim is to enable the business process expert to add security goals while performing business process modelling. This security-annotated business process model will help the security expert in defining the concrete security implementation.

The rest of the paper is organized as follows: section 2 covers the related work and section 3 covers the different extension mechanisms for defining a DSL. Section 4 gives a detailed discussion of the essential security objectives to be modelled for SOA applications. Section 5 presents the proposed DSL, followed by a real-life case study demonstrating the work in section 6. Finally, section 7 concludes the work, followed by the references in section 8.

2. Related Work

A language is required for modelling security objectives while designing the system, one that provides syntax and semantics as UML and BPMN do. To model the security objectives related to different aspects of a system, different security extensions have been proposed by different authors. Most authors represent the abstract syntax of their DSL by a meta-model using the Meta Object Facility (MOF) framework and the concrete syntax by a UML profile [4, 10, 16, 20].
Related work exists for almost all types of software development models, as described below.

2.1. System Models: The static structure of the system is represented by the UML class diagram and the UML state diagram. David Basin et al. [21] presented SecureUML to model the security requirements for the static structure of the system. It is a separate language based on the protocol of Role Based Access Control (RBAC). SecureUML can then be integrated with any system modelling language like UML or BPMN to model security in the system design. They presented a meta-model for the abstract syntax, used a UML profile for the concrete syntax, and added security constraints through OCL.

2.2 Interaction Diagram: The UML sequence diagram is used to represent the flow of control between the objects of the system. Jürjens [22] defined UMLSec by extending UML, and developed a UML profile that incorporates security to represent secure interaction.

2.3 Deployment Diagram: The UML component diagram is used to represent the deployment of a system. UMLSec, presented by Jürjens in [22], also supports the secure modelling of the UML component diagram.

2.4 Work Flow Model: The UML activity diagram and BPMN are used to represent the business process work flow. This is the most important aspect of a system, and most security extensions have been proposed for this aspect. This research work also focuses on this aspect. Rodríguez et al. created a meta-model for their security extensions, defined security stereotypes and developed a DSL. They also assigned different symbols to these security stereotypes. They used the same DSL for extending BPMN [4] as well as UML [10]. Christian Wolter et al. [11] incorporated security stereotypes in BPMN. Ruth Breu et al. [16] also presented security stereotypes in the UML activity diagram.

2.5 Security Objectives in Related Work

Different research groups focus on different security goals in their DSLs [4, 6, 10, 11, 23]. Michal Hafner et al. [23] defined three security goals, namely confidentiality, integrity and availability. They defined access control as confidentiality, and availability is used in the sense of non-repudiation. Alfonso Rodríguez et al. [4, 10] extended UML and BPMN by defining DSLs focusing on five security goals: access control, integrity, privacy, attack-harm detection and non-repudiation. In [11], Christian Wolter et al. presented a security policy model focusing on six security goals: authentication, authorization, confidentiality, integrity, availability and auditing. Michael Menzel et al. also used a security policy model in their work [1] and defined security extensions to BPMN. In [7], Yuichi Nakamura et al. defined three security intents for their work, namely authentication, integrity and confidentiality, and defined a UML profile. In [6], Yuichi Nakamura et al. addressed four business-level security intents, chosen because they are easy for business users to understand, and discussed their presentation in UML: authentication, integrity, non-repudiation and confidentiality. They picked some of the security intents defined in [24] and changed their names according to WS-Security's terminology.

3. Extending a Modeling Language According to Specific Domain

A DSL is used to formalize a modelling language capable of formalizing different business domains (like e-government, e-education), system aspects (like security, real-time) or concrete technologies (such as EJB or .NET) [21]. It is very clumsy to add domain-specific restrictions to large languages like UML; furthermore, large languages usually lack the detailed formal semantics needed for formal analysis. DSLs are small and provide a basis for domain-specific formal analysis; furthermore, DSLs use notions that are familiar to domain experts [20]. Extending a modelling language for a particular domain and defining a DSL is common practice, e.g. UML extensions for specific domains like data warehousing [25], business intelligence [26] and real-time systems [27]. The following are the three alternatives for defining a DSL [21, 28].

1. A DSL can be defined directly in UML in a lightweight way by using stereotypes and tagged values, known as labels, resulting in a UML profile. To introduce new language primitives (elements), stereotypes are used to extend the semantics of existing types in the UML meta-model. Stereotypes are written in double angle brackets, e.g. <<stereotype>>. To formalize the properties of these new language primitives, tagged values are used, which are written within curly brackets, e.g. {Tag, Value} [18], and which associate data with model elements. Model elements are assigned to these new language primitives and labelled with the corresponding stereotype. If additional restrictions are required on the syntax of these new language primitives, Object Constraint Language (OCL) constraints are used. OCL expressions are normally used for various purposes, such as invariants for classes, pre- and post-conditions for methods, and guards for state diagrams. The set of such definitions, i.e. stereotypes, tagged values and OCL constraints, constitutes the UML profile. Most current UML modelling tools can readily be used because they support the definition of custom stereotypes and tagged values. Because it has tool support, this approach is widely used [20-22]. DSLs are normally defined by UML profiles when the domain may be combined with other domains in an unpredictable way and the models defined under the domain may be interchanged with other domains [20].

The remaining two techniques of language definition are meta-model based. The meta-model based technique of defining a DSL is mostly used when the domain is well defined and has an accepted set of concepts, there is no need to combine the domain with other domains, and the models defined under the domain are not transferred into other domains [20]. To gain the benefits of both a DSL and a general-purpose modelling language, DSLs are defined in terms of a general-purpose modelling language like BPMN or UML [20].

2. A DSL can be defined using MOF by extending the meta-model of an existing modelling language like UML or BPMN. The concept of the stereotype is used to formally extend the meta-model of an existing modelling language. At the modelling level, these stereotypes are manipulated as annotations on model elements. In this way of defining a DSL, an existing meta-model is reused and specialized. The extended and customized meta-model is based on the entire meta-model of the existing modelling language and may be complex.
Furthermore, to support the DSL, the CASE (Computer Aided Software Engineering) tool may also require extension to accommodate these new language primitives, in particular its storage component (repository) and visualization component. In the context of UML, this lightweight way of extension is called a profile [20, 21, 27].

3. A new DSL for modelling the domain of interest or a particular problem is created from a fully dedicated meta-model using MOF, with no dependency on existing modelling languages. The resulting DSL has a much more concise vocabulary than existing modelling languages. The interface for querying and manipulating the meta-data of such a DSL would be simpler than the UML interfaces. An example of such a language is CWM (Common Warehouse Metamodel) [20]. In this way every discipline may have its own DSL that is optimally suited to that particular domain or problem. The limitation is interfacing these domain- or problem-specific DSLs in order to understand, test and verify the whole system. Tool support for such DSLs would be very difficult [27].

This work uses the second type of DSL definition: a DSL is defined by extending the meta-model of BPMN, and stereotypes are then defined to represent the security objectives.

4. Security Goals for SOA environment

Security is an abstract concept that can be defined by specifying a set of security goals, and these security goals can be further subdivided, specialized or combined [11]. Among the security objectives mentioned in section 2.5, we believe the following are the essential security objectives that should be modelled in a business process model of SOA applications; different authors focus on them either as they are, under a different name, or by merging them.

1. Confidentiality: It specifies the system state in which only authorized entities can access the information. Access control is maintained by authentication and authorization mechanisms. Authentication is a mechanism to verify the identity of an entity, whereas authorization is based on some specific security model, i.e. how to grant various privileges to various entities on different resources [23]. Many authors treat confidentiality, authentication and authorization as separate security goals [1, 4, 10, 11]. However, Ruth Breu and Michal Hafner in their work [23] keep authentication and authorization under the umbrella of confidentiality, and we agree with them because confidentiality can be achieved by enforcing these access control mechanisms.

2. Integrity: It identifies an authorized subject to alter information in authorized ways. It ensures the integrity of data (properness of information) as well as integrity of origin [23]. It ensures that transferred, processed or stored data can only be modified with proper rights [11]. It ensures that data transferred between parties is guaranteed to reach the recipient in the same form and with the same content [6].

3. Availability: It is an important aspect of reliability, and in the SOA environment it is interpreted as non-repudiation. A user may use a resource or call a service, and this usage or service call must not be deniable. It is a system state in which provision of a specific resource is guaranteed [23]. It ensures that the information includes the digital signatures of the parties related to the document [6].

4. Traceability and Auditing: It is the process of verifying all actions performed in an information processing system [11]. It underlies each security requirement and is automatically understood when a security requirement is specified in a model [4]. Therefore there is no need to model it separately in a business process model.

5. Proposed Security Domain Specific Language

The process of defining a DSL is described in Figure 1; it is based on the MOF [29] framework presented by the OMG for the definition of modelling languages. The domain focused on in this work is the security-critical, inter-organizational workflow for SOA systems.

Figure 1: Process of defining a DSL

For this work, the second type of DSL definition mechanism is used, as discussed in section 3. The abstract syntax of the DSL is defined by extending the meta-model of BPMN, and the concrete syntax is defined by providing stereotypes. The security goals on which our work focuses, namely confidentiality, integrity and availability, are discussed in detail in section 4.

5.1 Abstract Syntax

The security-enhanced meta-model of BPMN is shown in Figure 2. Shaded classes show our security enhancements to the meta-model and unshaded classes are the basic meta-model of the BPMN language. Among the symbols used to model a Business Process Diagram (BPD) in BPMN, we have used artifacts to extend BPMN and introduce the security stereotypes. Artifacts are designed to allow the basic modelling notation to be extended to represent specific situations [4].

Figure 2: Security Enhanced Meta-Model of BPMN (Abstract Syntax of Proposed DSL)

5.2 Concrete Syntax

For the concrete syntax we present three stereotypes, namely <<Confidentiality>>, <<Integrity>> and <<Availability>>. The notions used to represent these stereotypes are presented in Table 1.

Table 1: Concrete Syntax (Notions) of Proposed Domain Specific Language

S/No: 1
Security Stereotype: <<Confidentiality>>
Symbol: (graphic not reproduced)
Description: The idea behind the symbol is that information is initially inaccessible to the user and becomes accessible only when he/she provides the desired security credentials. In a BPD it can be specified on a Pool, Lane, Activity or Group. The idea is to restrict access to authorized users only.

S/No: 2
Security Stereotype: <<Integrity>>
Symbol: (graphic not reproduced)
Description: The idea behind the symbol is that before transformation the information content is in a particular form; during transformation it may change its form, but it must be in the same form on receipt. In a BPD it is specified over the Message Flow.

S/No: 3
Security Stereotype: <<Availability>>
Symbol: (graphic not reproduced)
Description: It is based on the idea of non-repudiation, i.e. whenever a user uses some resource or service, his/her signature is stored with the document along with date and time information. In a BPD it can be specified over the Message Flow, meaning that the interactions cannot be denied.

6. Case Study

To demonstrate the work, a case study of an Online Student Information System is presented. It describes the web-services-based interaction between the participants and enables them to work through the Internet. The whole process has to be realized in a peer-to-peer fashion and should integrate security requirements.

6.1 Business Scenario

Universities normally have a semester-based education system, with two semesters in a year. During the working of the system, interaction normally takes place between three stakeholders, namely Student, University Administration and Teacher. The university administration is normally composed of three departments, namely registration, accounts and examination.
A student has to register for each semester by filling in the registration form and submitting it to the registration department, which verifies three things. First, the student's dues information is obtained from the accounts department, which calculates the student's dues for the semester after consulting his/her account information and sends it to the student as well as the registration office. Second, the student's previous results are verified with the examination department, which prepares the student results. Third, the university rules for registration are consulted and ensured. After verifying these three things, the registration department informs the student of his/her registration status, and the lists of registered students for the offered courses are prepared. The faculty member teaching a course gets the list of students registered for that course from the registration department. He/she is responsible for evaluating the students and assigning them marks and grades. Whenever a teacher evaluates a student, he/she enters the marks in the student result file, which is maintained at the examination department. At the end of the semester the student is notified of his/her result by the examination department.
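The placement rules of Table 1 can be stated as a small executable model. The following is an added example, not code from the paper: it encodes the three stereotypes, checks where each one may be attached, and lists the resulting objectives for a fragment of the registration scenario. The class and function names, the element names and the choice of annotations are assumptions made for this illustration.

```python
# Added example, not the paper's code; class and function names are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Kind(Enum):
    POOL = "Pool"
    LANE = "Lane"
    ACTIVITY = "Activity"
    GROUP = "Group"
    MESSAGE_FLOW = "Message Flow"


class Stereotype(Enum):
    CONFIDENTIALITY = "<<Confidentiality>>"
    INTEGRITY = "<<Integrity>>"
    AVAILABILITY = "<<Availability>>"  # read as non-repudiation in the paper


# Element kinds each stereotype may annotate, as stated in Table 1.
ALLOWED = {
    Stereotype.CONFIDENTIALITY: {Kind.POOL, Kind.LANE, Kind.ACTIVITY, Kind.GROUP},
    Stereotype.INTEGRITY: {Kind.MESSAGE_FLOW},
    Stereotype.AVAILABILITY: {Kind.MESSAGE_FLOW},
}

# What each objective asks for, paraphrased from the Table 1 descriptions.
MEANING = {
    Stereotype.CONFIDENTIALITY: "access only for authorized users with credentials",
    Stereotype.INTEGRITY: "content is received in the same form it was sent",
    Stereotype.AVAILABILITY: "signature, date and time stored; interaction cannot be denied",
}


@dataclass
class Element:
    name: str
    kind: Kind
    source: Optional[str] = None  # message flows only
    target: Optional[str] = None  # message flows only
    stereotypes: List[Stereotype] = field(default_factory=list)


class Diagram:
    def __init__(self) -> None:
        self.elements: Dict[str, Element] = {}

    def add(self, name, kind, source=None, target=None) -> None:
        if name in self.elements:
            raise ValueError(f"duplicate element name: {name}")
        self.elements[name] = Element(name, kind, source, target)

    def annotate(self, name: str, stereotype: Stereotype) -> None:
        # Always accepted; validate() reports misplaced annotations afterwards.
        self.elements[name].stereotypes.append(stereotype)


def validate(diagram: Diagram) -> List[str]:
    """Return well-formedness violations; an empty list means the model is valid."""
    problems: List[str] = []
    for el in diagram.elements.values():
        if el.kind is Kind.MESSAGE_FLOW:
            for end in (el.source, el.target):
                if end not in diagram.elements:
                    problems.append(f"{el.name}: unknown endpoint {end!r}")
        for st in el.stereotypes:
            if el.kind not in ALLOWED[st]:
                problems.append(f"{el.name}: {st.value} not allowed on {el.kind.value}")
    return problems


def requirements(diagram: Diagram) -> List[Tuple[str, str, str]]:
    """Hand-over list for the security expert: (element, stereotype, meaning)."""
    problems = validate(diagram)
    if problems:
        raise ValueError("invalid model: " + "; ".join(problems))
    return [(el.name, st.value, MEANING[st])
            for el in diagram.elements.values() for st in el.stereotypes]


def registration_fragment() -> Diagram:
    """Constructed fragment: a student fills in and submits the registration form."""
    d = Diagram()
    d.add("Student", Kind.POOL)
    d.add("Registration", Kind.LANE)
    d.add("Fill registration form", Kind.ACTIVITY)
    d.add("Submit registration form", Kind.MESSAGE_FLOW, "Student", "Registration")
    d.annotate("Fill registration form", Stereotype.CONFIDENTIALITY)
    d.annotate("Submit registration form", Stereotype.INTEGRITY)
    d.annotate("Submit registration form", Stereotype.AVAILABILITY)
    return d


if __name__ == "__main__":
    for row in requirements(registration_fragment()):
        print(" | ".join(row))
```

Annotating the Registration lane with <<Integrity>> makes validate() report the misplacement, and requirements() then refuses to produce a hand-over list until the model is corrected.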

Figure 3: Security annotated Business Process Model of Online Student Information System

6.2 Security Requirements of the System

In the Online Student Information System, a student needs to perform different tasks, e.g. filling in the registration form, viewing registration status and result information etc. The necessary permissions on different objects are assigned to the student to perform his/her tasks, i.e. the student requires update permission on the registration form and read permission on the registration status and result information etc. This is personal information of a student; therefore confidentiality is required, i.e. a proper access control mechanism with authentication and authorization is required to access this information. Furthermore, the student has to submit the registration form to the registration department. The student must sign the submitted form with his/her signature so that he/she cannot deny having submitted the registration form. Availability (non-repudiation) is required in this use case between the student and the registration department.

As the registration form is submitted online, secure information flow, i.e. integrity, is required to successfully perform this use case. These three security requirements, i.e. confidentiality, availability and integrity, can be identified and modelled for the other users of the case study, like the teacher and the clerks from the different departments, i.e. registration, accounts and examination. Figure 3 shows the security-enhanced business process model of the above-mentioned scenario.

7 Conclusion

We have investigated SOA security scenarios and found that security is not incorporated in the early stages of SOA application development for two main reasons. Firstly, current general-purpose modelling languages like UML lack the modelling of QoS attributes, and security is among the most important QoS attributes. Secondly, there is no clear identification of the security objectives to be modelled during the business process modelling of SOA applications. There should be some formal means through which security can be modelled for secure SOA application development. With this essential aspect in mind we have developed a DSL. We identified the essential security objectives of SOA applications and picked from them the most essential ones, which are necessary for modelling along with the business process. The abstract syntax of the DSL is defined by extending the meta-model of BPMN with the security objectives of SOA applications. The concrete syntax of the DSL is then represented by stereotypes. At the moment we only show security symbols in the business process diagram; a CASE tool can be specialized so that these domain-specific stereotypes are made available at the modelling level in the form of annotations. The business process expert, who is not a security expert, will only model the security objectives along with the business process modelling of the SOA application.
Later, the architectural team will implement the security mechanisms based on the security objectives present in the business process model. The architectural team thus has flexibility: they get an idea of which security objectives the business expert wants, and they are free to implement a potentially better security solution.

8 References

[1] Michael Menzel, Ivonne Thomas, Christoph Meinel, "Security Requirements Specification in Service-Oriented Business Process Management," in International Conference on Availability, Reliability and Security, ARES '09, 2009.
[2] Qusay F. Hassan, "Aspects of SOA: An Entry Point for Starters," Annals. Computer Science Series, Mirton Publishing House, Timisoara, Vol. VII, Phase 2.
[3] Chung C. Chang, Kou-Chan Hsiao, "A SOA-Based e-learning System for Teaching Fundamental Information Management Courses," JCIT, Vol. 6, No. 4, pp. 298-305.
[4] Rodríguez Alfonso, Fernández-Medina Eduardo, Piattini Mario, "A BPMN Extension for the Modeling of Security Requirements in Business Processes," IEICE - Trans. Inf. Syst., vol. E90-D.
[5] David Basin, Jurgen Doser, Torsten Lodderstedt, "Model driven security: From UML models to access control infrastructures," ACM Trans. Softw. Eng. Methodol., vol. 15.
[6] Yuichi Nakamura, Michiaki Tatsubori, Takeshi Imamura, Koichi Ono, "Model-driven security based on a Web services security architecture," in IEEE International Conference on Services Computing, 2005, vol. 1.
[7] Fumiko Satoh, Yuichi Nakamura, Nirmal K. Mukhi, Michiaki Tatsubori, Kouichi Ono, "Methodology and Tools for End-to-End SOA Security Configurations," in IEEE Congress on Services - Part I, 2008.
[8] Christian Wolter, Michael Menzel, Christoph Meinel, Andreas Schaad, Philip Miseldine, "Model-driven business process security requirement specification," J. Syst. Archit., vol. 55.
[9] Muhammad Alam, "Model Driven Security Engineering for the Realization of Dynamic Security Requirements in Collaborative Systems," in Models in Software Engineering, 2007.
[10] Rodríguez Alfonso, Fernández-Medina Eduardo, Piattini Mario, "Towards a UML 2.0 Extension for the Modeling of Security Requirements in Business Processes," in Trust and Privacy in Digital Business, 2006.
[11] Christian Wolter, Michael Menzel, Christoph Meinel, "Modelling Security Goals in Business Processes," Proc. GI Modellierung 2008, GI LNI 127, Berlin, Germany, March.
[12] Yih-Jiun Lee, Yuh-Chang Wei, Kai-Wen Lien, "Making the Internet Search as a Smarter Service: based on Taiwanese Searching Preferences," AISS, Vol. 3, No. 3, pp. 147-153.
[13] Michael Menzel, Christoph Meinel, "A Security Meta-model for Service-Oriented Architectures," in IEEE International Conference on Services Computing, SCC '09, 2009.
[14] Jürjens, Jan, "UMLsec: Extending UML for Secure Systems Development - Tutorial," presented at the Proceedings of the 5th International Conference on The Unified Modeling Language.
[15] Torsten Lodderstedt, David A. Basin, Jürgen Doser, "SecureUML: A UML-Based Modeling Language for Model-Driven Security," presented at the Proceedings of the 5th International Conference on The Unified Modeling Language.
[16] Michal Hafner, Ruth Breu, Berthold Agreiter, "SECTET: an extensible framework for the realization of secure inter-organizational workflows," Emerald, Internet Research, vol. 16, no. 5.
[17] Mukhtiar Memon, Michael Hafner, Ruth Breu, "SECTISSIMO: A Platform-independent Framework for Security Services," MODSEC08 Modeling Security Workshop.
[18] Saleem, Muhammad Qaiser, Jafreezal Jaafar, M. Fadzil Hassan, "Model Driven Security Frameworks for Addressing Security Problems of Service Oriented Architecture," IEEE Conference, International Symposium in Information Technology ITSim 2010.
[19] Saleem, Muhammad Qaiser, Jafreezal Jaafar, M. Fadzil Hassan, "Model Driven Security Framework for Definition of Security Requirements for SOA systems," IEEE International Conference on Computer Applications and Industrial Electronics (ICCAIE 2010), Kuala Lumpur, Malaysia.
[20] Achim D. Brucker, Jurgen Doser, "Metamodel-based UML Notations for Domain-specific Languages," 4th International Workshop on Language Engineering (atem 2007), pp. 1-{??}.
[21] David Basin, Jurgen Doser, Torsten Lodderstedt, "Model driven security: From UML models to access control infrastructures," ACM Trans. Softw. Eng. Methodol., vol. 15.
[22] Jürjens, Jan, "UMLsec: Extending UML for Secure Systems Development," in «UML» 2002 The Unified Modeling Language, Springer-Verlag Berlin Heidelberg, 2002.
[23] Ruth Breu, Michal Hafner, "Security Engineering for Service-Oriented Architectures," Springer-Verlag Berlin Heidelberg, 2009.
[24] Simon Johnston, "Modeling security concerns in service-oriented architectures," IBM developerWorks.
[25] Luján-Mora, Sergio, Trujillo, Juan, Song, Il-Yeol, "Extending the UML for Multidimensional Modeling," in UML 2002, LNCS 2460, Springer-Verlag Berlin Heidelberg, 2002.
[26] Stefanov, Veronika, List, Beate, Korherr, Birgit, "Extending UML 2 Activity Diagrams with Business Intelligence Objects," in Data Warehousing and Knowledge Discovery, 2005.
[27] Passerone, R., Damm, W., Ben Hafaiedh, I., Graf, S., Ferrari, A., Mangeruca, L., Benveniste, A., Josko, B., Peikenkamp, T., Cancila, D., Cuccuru, A., Gerard, S., Terrier, F., Sangiovanni-Vincentelli, "Metamodels in Europe: Languages, Tools, and Applications," Copublished by the IEEE CS and the IEEE CASS, vol. 26.
[28] Michael Menzel, Christoph Meinel, "SecureSOA Modelling Security Requirements for Service-Oriented Architectures," in Services Computing (SCC), 2010 IEEE International Conference on, 2010.
[29] The OMG, "Meta Object Facility (MOF) 2.0 Core Specification," OMG Available Specification.


More information

Towards Modeling and Transformation of Security Requirements for Service-oriented Architectures

Towards Modeling and Transformation of Security Requirements for Service-oriented Architectures Towards Modeling and Transformation of Security Requirements for Service-oriented Architectures Sven Feja 1, Ralph Herkenhöner 2, Meiko Jensen 3, Andreas Speck 1, Hermann de Meer 2, and Jörg Schwenk 3

More information

Model driven Security of Service Oriented Systems based on Security as a Service

Model driven Security of Service Oriented Systems based on Security as a Service Japan-Austria Joint Workshop on ICT October 18-19 2010, Tokyo, Japan SECTET Model driven Security of Oriented Systems based on Security as a Basel Katt, Ruth Breu, Mukhtiar Memon and Michael Hafner Research

More information

Secure State UML: Modeling and Testing Security Concerns of Software Systems Using UML State Machines

Secure State UML: Modeling and Testing Security Concerns of Software Systems Using UML State Machines Research Journal of Applied Sciences, Engineering and Technology 7(18): 3786-3790, 2014 ISSN: 2040-7459; e-issn: 2040-7467 Maxwell Scientific Organization, 2014 Submitted: October 26, 2013 Accepted: December

More information

Model-driven secure system development framework

Model-driven secure system development framework SCIENTIFIC PAPERS, UNIVERSITY OF LATVIA, 2010. Vol. 757 COMPUTER SCIENCE AND INFORMATION TECHNOLOGIES 43 52 P. Model-driven secure system development framework Viesturs Kaugers, Uldis Sukovskis Riga Technical

More information

Design Authorization Systems Using SecureUML

Design Authorization Systems Using SecureUML Design Authorization Systems Using SecureUML By Rudolph Araujo & Shanit Gupta, Foundstone Professional Services February 2005 Overview This whitepaper describes the Foundstone SecureUML template, a Microsoft

More information

Business-Driven Software Engineering Lecture 3 Foundations of Processes

Business-Driven Software Engineering Lecture 3 Foundations of Processes Business-Driven Software Engineering Lecture 3 Foundations of Processes Jochen Küster jku@zurich.ibm.com Agenda Introduction and Background Process Modeling Foundations Activities and Process Models Summary

More information

A UML 2 Profile for Business Process Modelling *

A UML 2 Profile for Business Process Modelling * A UML 2 Profile for Business Process Modelling * Beate List and Birgit Korherr Women s Postgraduate College for Internet Technologies Institute of Software Technology and Interactive Systems Vienna University

More information

CIM to PIM Transformation: A criteria Based Evaluation

CIM to PIM Transformation: A criteria Based Evaluation ISSN:2229-6093 CIM to PIM Transformation: A criteria Based Evaluation Abdelouahed KRIOUILE *, Taoufiq GADI, Youssef BALOUKI Univ Hassan 1, LAVETE Laboratory, 26000 Settat, Maroc * E-mail of the corresponding

More information

Meta Model Based Integration of Role-Based and Discretionary Access Control Using Path Expressions

Meta Model Based Integration of Role-Based and Discretionary Access Control Using Path Expressions Meta Model Based Integration of Role-Based and Discretionary Access Control Using Path Expressions Kathrin Lehmann, Florian Matthes Chair for Software Engineering for Business Information Systems Technische

More information

Extending UML 2 Activity Diagrams with Business Intelligence Objects *

Extending UML 2 Activity Diagrams with Business Intelligence Objects * Extending UML 2 Activity Diagrams with Business Intelligence Objects * Veronika Stefanov, Beate List, Birgit Korherr Women s Postgraduate College for Internet Technologies Institute of Software Technology

More information

Incorporating database systems into a secure software development methodology

Incorporating database systems into a secure software development methodology Incorporating database systems into a secure software development methodology Eduardo B. Fernandez 1, Jan Jurjens 2, Nobukazu Yoshioka 3, and Hironori Washizaki 4 1 Dept. of Computer Science, Florida Atlantic

More information

Common Warehouse Metamodel (CWM): Extending UML for Data Warehousing and Business Intelligence

Common Warehouse Metamodel (CWM): Extending UML for Data Warehousing and Business Intelligence Common Warehouse Metamodel (CWM): Extending UML for Data Warehousing and Business Intelligence OMG First Workshop on UML in the.com Enterprise: Modeling CORBA, Components, XML/XMI and Metadata November

More information

Open Source egovernment Reference Architecture Osera.modeldriven.org. Copyright 2006 Data Access Technologies, Inc. Slide 1

Open Source egovernment Reference Architecture Osera.modeldriven.org. Copyright 2006 Data Access Technologies, Inc. Slide 1 Open Source egovernment Reference Architecture Osera.modeldriven.org Slide 1 Caveat OsEra and the Semantic Core is work in progress, not a ready to use capability Slide 2 OsEra What we will cover OsEra

More information

UML/OCL based Design and Analysis of Role-Based Access Control Policies

UML/OCL based Design and Analysis of Role-Based Access Control Policies UML/OCL based Design and Analysis of Role-Based Access Control Policies Oliver Hofrichter, Martin Gogolla, and Karsten Sohr University of Bremen, Computer Science Department Database Systems Group, D-28334

More information

VARIABILITY MODELING FOR CUSTOMIZABLE SAAS APPLICATIONS

VARIABILITY MODELING FOR CUSTOMIZABLE SAAS APPLICATIONS VARIABILITY MODELING FOR CUSTOMIZABLE SAAS APPLICATIONS Ashraf A. Shahin 1, 2 1 College of Computer and Information Sciences, Al Imam Mohammad Ibn Saud Islamic University (IMSIU) Riyadh, Kingdom of Saudi

More information

Revel8or: Model Driven Capacity Planning Tool Suite

Revel8or: Model Driven Capacity Planning Tool Suite Revel8or: Model Driven Capacity Planning Tool Suite Liming Zhu 1,2, Yan Liu 1,2, Ngoc Bao Bui 1,2,Ian Gorton 3 1 Empirical Software Engineering Program, National ICT Australia Ltd. 2 School of Computer

More information

Model Driven Configuration of Secure Operating Systems for Mobile Applications in Healthcare

Model Driven Configuration of Secure Operating Systems for Mobile Applications in Healthcare Model Driven Configuration of Secure Operating Systems for Mobile Applications in Healthcare B. Agreiter 1, M. Alam 1, M. Hafner 1, J.-P. Seifert 14, and X. Zhang 4 1 University of Innsbruck, Austria {berthold.agreiter,

More information

Generating the PIM Behavioral Model from the CIM using QVT

Generating the PIM Behavioral Model from the CIM using QVT Journal of Computer Science and Information Technology December 2014, Vol. 2, No. 3 & 4, pp. 55-81 ISSN: 2334-2366 (Print), 2334-2374 (Online) Copyright The Author(s). 2014. All Rights Reserved. Published

More information

Towards Collaborative Requirements Engineering Tool for ERP product customization

Towards Collaborative Requirements Engineering Tool for ERP product customization Towards Collaborative Requirements Engineering Tool for ERP product customization Boban Celebic, Ruth Breu, Michael Felderer, Florian Häser Institute of Computer Science, University of Innsbruck 6020 Innsbruck,

More information

A Framework for Composable Security Definition, Assurance, and Enforcement

A Framework for Composable Security Definition, Assurance, and Enforcement A Framework for Composable Security Definition, Assurance, and Enforcement J. A. Pavlich-Mariscal Advisors: S. A. Demurjian and L. D. Michel Department of Computer Science & Engineering The University

More information

A Method for Eliciting Security Requirements from the Business Process Models

A Method for Eliciting Security Requirements from the Business Process Models A Method for Eliciting Security Requirements from the Business Process Models Naved Ahmed and Raimundas Matulevičius Institute of Computer Science, University of Tartu J. Liivi 2, 50409 Tartu, Estonia

More information

MODELING OF SERVICE ORIENTED ARCHITECTURE: FROM BUSINESS PROCESS TO SERVICE REALISATION

MODELING OF SERVICE ORIENTED ARCHITECTURE: FROM BUSINESS PROCESS TO SERVICE REALISATION MODELING OF SERVICE ORIENTED ARCHITECTURE: FROM BUSINESS PROCESS TO SERVICE REALISATION Marek Rychlý and Petr Weiss Faculty of Information Technology, Brno University of Technology, Czech Republic, rychly@fit.vutbr.cz,

More information

UML-based Conceptual Design Approach for Modeling Complex Processes in Web Application

UML-based Conceptual Design Approach for Modeling Complex Processes in Web Application UML-based Conceptual Design Approach for Modeling Complex Processes in Web Application Siti Azreena Mubin Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, 43400 Serdang,

More information

Business Process Modelling Languages, Goals and Variabilities

Business Process Modelling Languages, Goals and Variabilities Business Process Modelling Languages, Goals and Variabilities Birgit Korherr Women s Postgraduate College for Internet Technologies Institute of Software Technology and Interactive Systems Vienna University

More information

Comparative Analysis of Data warehouse Design Approaches from Security Perspectives

Comparative Analysis of Data warehouse Design Approaches from Security Perspectives Comparative Analysis of Data warehouse Design Approaches from Security Perspectives Shashank Saroop #1, Manoj Kumar *2 # M.Tech (Information Security), Department of Computer Science, GGSIP University

More information

Modeling Turnpike: a Model-Driven Framework for Domain-Specific Software Development *

Modeling Turnpike: a Model-Driven Framework for Domain-Specific Software Development * for Domain-Specific Software Development * Hiroshi Wada Advisor: Junichi Suzuki Department of Computer Science University of Massachusetts, Boston hiroshi_wada@otij.org and jxs@cs.umb.edu Abstract. This

More information

MDE Adoption in Industry: Challenges and Success Criteria

MDE Adoption in Industry: Challenges and Success Criteria MDE Adoption in Industry: Challenges and Success Criteria Parastoo Mohagheghi 1, Miguel A. Fernandez 2, Juan A. Martell 2, Mathias Fritzsche 3 and Wasif Gilani 3 1 SINTEF, P.O.Box 124-Blindern, N-0314

More information

Model Driven Interoperability through Semantic Annotations using SoaML and ODM

Model Driven Interoperability through Semantic Annotations using SoaML and ODM Model Driven Interoperability through Semantic Annotations using SoaML and ODM JiuCheng Xu*, ZhaoYang Bai*, Arne J.Berre*, Odd Christer Brovig** *SINTEF, Pb. 124 Blindern, NO-0314 Oslo, Norway (e-mail:

More information

Administration of Access Control in Information Systems Using URBAC Model

Administration of Access Control in Information Systems Using URBAC Model JOURNAL OF APPLIED COMPUTER SCIENCE Vol. 19 No. 2 (2011), pp. 89-109 Administration of Access Control in Information Systems Using URBAC Model Aneta Poniszewska-Marańda Institute of Information Technology

More information

SEARCH The National Consortium for Justice Information and Statistics. Model-driven Development of NIEM Information Exchange Package Documentation

SEARCH The National Consortium for Justice Information and Statistics. Model-driven Development of NIEM Information Exchange Package Documentation Technical Brief April 2011 The National Consortium for Justice Information and Statistics Model-driven Development of NIEM Information Exchange Package Documentation By Andrew Owen and Scott Came Since

More information

SERENITY Pattern-based Software Development Life-Cycle

SERENITY Pattern-based Software Development Life-Cycle SERENITY Pattern-based Software Development Life-Cycle Francisco Sanchez-Cid, Antonio Maña Computer Science Department University of Malaga. Spain {cid, amg}@lcc.uma.es Abstract Most of current methodologies

More information

The BPM to UML activity diagram transformation using XSLT

The BPM to UML activity diagram transformation using XSLT The BPM to UML activity diagram transformation using XSLT Ondřej Macek 1 and Karel Richta 1,2 1 Department of Computer Science and Engineering, Faculty of Electrical Engineering, Czech Technical University,

More information

Foundations of Model-Driven Software Engineering

Foundations of Model-Driven Software Engineering Model-Driven Software Engineering Foundations of Model-Driven Software Engineering Dr. Jochen Küster (jku@zurich.ibm.com) Contents Introduction to Models and Modeling Concepts of Model-Driven Software

More information

Model-Driven Architecture: Vision, Standards And Emerging Technologies

Model-Driven Architecture: Vision, Standards And Emerging Technologies 1 Model-Driven Architecture: Vision, Standards And Emerging Technologies Position Paper Submitted to ECOOP 2001 Workshop on Metamodeling and Adaptive Object Models John D. Poole Hyperion Solutions Corporation

More information

Enterprise Architecture at Work

Enterprise Architecture at Work Marc Lankhorst et al. Enterprise Architecture at Work Modelling, Communication and Analysis Third Edition 4y Springer Contents 1 Introduction to Enterprise Architecture 1 1.1 Architecture 1 1.2 Enterprise

More information

Modeling Quality Information within Business Process Models

Modeling Quality Information within Business Process Models Modeling Quality Information within Business Process Models Robert Heinrich, Alexander Kappe, Barbara Paech University of Heidelberg, Institute of Computer Science, Im Neuenheimer Feld 326, 69120 Heidelberg,

More information

A Decade of Model Driven Web Services Composition Frameworks

A Decade of Model Driven Web Services Composition Frameworks Research Journal of Applied Sciences, Engineering and Technology 7(20): 4244-4250, 2014 ISSN: 2040-7459; e-issn: 2040-7467 Maxwell Scientific Organization, 2014 Submitted: November 28, 2013 Accepted: December

More information

Development of Tool Extensions with MOFLON

Development of Tool Extensions with MOFLON Development of Tool Extensions with MOFLON Ingo Weisemöller, Felix Klar, and Andy Schürr Fachgebiet Echtzeitsysteme Technische Universität Darmstadt D-64283 Darmstadt, Germany {weisemoeller klar schuerr}@es.tu-darmstadt.de

More information

AN ONTOLOGICAL APPROACH TO WEB APPLICATION DESIGN USING W2000 METHODOLOGY

AN ONTOLOGICAL APPROACH TO WEB APPLICATION DESIGN USING W2000 METHODOLOGY STUDIA UNIV. BABEŞ BOLYAI, INFORMATICA, Volume L, Number 2, 2005 AN ONTOLOGICAL APPROACH TO WEB APPLICATION DESIGN USING W2000 METHODOLOGY ANNA LISA GUIDO, ROBERTO PAIANO, AND ANDREA PANDURINO Abstract.

More information

TOWARDS A FRAMEWORK INCORPORATING FUNCTIONAL AND NON FUNCTIONAL REQUIREMENTS FOR DATAWAREHOUSE CONCEPTUAL DESIGN

TOWARDS A FRAMEWORK INCORPORATING FUNCTIONAL AND NON FUNCTIONAL REQUIREMENTS FOR DATAWAREHOUSE CONCEPTUAL DESIGN IADIS International Journal on Computer Science and Information Systems Vol. 9, No. 1, pp. 43-54 ISSN: 1646-3692 TOWARDS A FRAMEWORK INCORPORATING FUNCTIONAL AND NON FUNCTIONAL REQUIREMENTS FOR DATAWAREHOUSE

More information

Access Control Framework of Personal Cloud based on XACML

Access Control Framework of Personal Cloud based on XACML Access Control Framework of Personal Cloud based on XACML 1 Jun-Young Park, 2 Young-Rok Shin, 3 Kyoung-Hun Kim, 4 Eui-Nam Huh 1First Author, 2 Kyung Hee University, {parkhans, shinyr}@khu.ac.kr 3 Gangdong

More information

Security Requirements Analysis of Web Applications using UML

Security Requirements Analysis of Web Applications using UML Security Requirements Analysis of Web Applications using UML Salim Chehida 1, Mustapha kamel Rahmouni 2 1 Department of Informatics, University of Mostaganem, Algeria salimchehida@yahoo.fr 2 Department

More information

PMLite: An Open Source Solution for Process Monitoring

PMLite: An Open Source Solution for Process Monitoring PMLite: An Open Source Solution for Process Monitoring Alberto Colombo, Ernesto Damiani, and Fulvio Frati Department of Information Technology - University of Milan via Bramante 65, 26013 Crema (CR) Italy

More information

A Model-based Software Architecture for XML Data and Metadata Integration in Data Warehouse Systems

A Model-based Software Architecture for XML Data and Metadata Integration in Data Warehouse Systems Proceedings of the Postgraduate Annual Research Seminar 2005 68 A Model-based Software Architecture for XML and Metadata Integration in Warehouse Systems Abstract Wan Mohd Haffiz Mohd Nasir, Shamsul Sahibuddin

More information

Development of Enterprise Architecture of PPDR Organisations W. Müller, F. Reinert

Development of Enterprise Architecture of PPDR Organisations W. Müller, F. Reinert Int'l Conf. Software Eng. Research and Practice SERP'15 225 Development of Enterprise Architecture of PPDR Organisations W. Müller, F. Reinert Fraunhofer Institute of Optronics, System Technologies and

More information

Secure Software Architecture Description using UML Jan Jürjens Competence Center for IT Security Software & Systems Engineering TU Munich, Germany

Secure Software Architecture Description using UML Jan Jürjens Competence Center for IT Security Software & Systems Engineering TU Munich, Germany Secure Software Architecture Description using UML Jan Jürjens Competence Center for IT Security Software & Systems Engineering TU Munich, Germany juerjens@in.tum.de http://www.umlsec.org Problems, Causes

More information

SOPLE-DE: An Approach to Design Service-Oriented Product Line Architectures

SOPLE-DE: An Approach to Design Service-Oriented Product Line Architectures SOPLE-DE: An Approach to Design -Oriented Product Line Architectures Flávio M. Medeiros, Eduardo S. de Almeida 2, and Silvio R.L. Meira Federal University of Pernambuco (UFPE) 2 Federal University of Bahia

More information

Linking BPMN, ArchiMate, and BWW: Perfect Match for Complete and Lawful Business Process Models?

Linking BPMN, ArchiMate, and BWW: Perfect Match for Complete and Lawful Business Process Models? Linking BPMN, ArchiMate, and BWW: Perfect Match for Complete and Lawful Business Process Models? Ludmila Penicina Institute of Applied Computer Systems, Riga Technical University, 1 Kalku, Riga, LV-1658,

More information

Model Driven Development of Inventory Tracking System*

Model Driven Development of Inventory Tracking System* Model Driven Development of Inventory Tracking System* Gan Deng, Tao Lu, Emre Turkay Andrey Nechypurenko Aniruddha Gokhale, Douglas Schmidt ISIS, Vanderbilt University Siemens Nashville, TN 37221 Germany

More information

Designing a Semantic Repository

Designing a Semantic Repository Designing a Semantic Repository Integrating architectures for reuse and integration Overview Cory Casanave Cory-c (at) modeldriven.org ModelDriven.org May 2007 The Semantic Metadata infrastructure will

More information

Aplicando enfoque MDE a aplicaciones WEB-SOA

Aplicando enfoque MDE a aplicaciones WEB-SOA Aplicando enfoque MDE a aplicaciones WEB-SOA María Consuelo Franky lfranky@javeriana.edu.co Dpto. Ingeniería de Sistemas Universidad Javeriana Bogotá - 2010 http://sophia.javeriana.edu.co/~lfranky/ 1 Temario

More information

BPMN PATTERNS USED IN MANAGEMENT INFORMATION SYSTEMS

BPMN PATTERNS USED IN MANAGEMENT INFORMATION SYSTEMS BPMN PATTERNS USED IN MANAGEMENT INFORMATION SYSTEMS Gabriel Cozgarea 1 Adrian Cozgarea 2 ABSTRACT: Business Process Modeling Notation (BPMN) is a graphical standard in which controls and activities can

More information

Alignment of Misuse Cases with Security Risk Management

Alignment of Misuse Cases with Security Risk Management Alignment of Misuse Cases with Security Risk Management Raimundas Matulevičius PReCISE, University of Namur, rue Grandgagnage 21, B-5000 Namur, Belgium rma@info.fundp.ac.be Nicolas Mayer CRP Henri Tudor

More information

Model-Driven Data Warehousing

Model-Driven Data Warehousing Model-Driven Data Warehousing Integrate.2003, Burlingame, CA Wednesday, January 29, 16:30-18:00 John Poole Hyperion Solutions Corporation Why Model-Driven Data Warehousing? Problem statement: Data warehousing

More information

Realizing business flexibility through integrated SOA policy management.

Realizing business flexibility through integrated SOA policy management. SOA policy management White paper April 2009 Realizing business flexibility through integrated How integrated management supports business flexibility, consistency and accountability John Falkl, distinguished

More information

Towards a Common Metamodel for the Development of Web Applications

Towards a Common Metamodel for the Development of Web Applications Towards a Common Metamodel for the Development of Web Applications Nora Koch and Andreas Kraus Ludwig-Maximilians-Universität Munich, Germany Motivation Overwhelming diversity of Web methodologies Goal:

More information

A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems

A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems Volume 1, Number 2, December 2014 JOURNAL OF COMPUTER SCIENCE AND SOFTWARE APPLICATION A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems Satish Kumar*,

More information

Model Driven and Service Oriented Enterprise Integration---The Method, Framework and Platform

Model Driven and Service Oriented Enterprise Integration---The Method, Framework and Platform Driven and Oriented Integration---The Method, Framework and Platform Shuangxi Huang, Yushun Fan Department of Automation, Tsinghua University, 100084 Beijing, P.R. China {huangsx, fanyus}@tsinghua.edu.cn

More information

A Comparison of SOA Methodologies Analysis & Design Phases

A Comparison of SOA Methodologies Analysis & Design Phases 202 A Comparison of SOA Methodologies Analysis & Design Phases Sandra SVANIDZAITĖ Institute of Mathematics and Informatics, Vilnius University Abstract. Service oriented computing is a new software engineering

More information

GECO: Automatic Generator-Composition for (Aspect-oriented) DSLs

GECO: Automatic Generator-Composition for (Aspect-oriented) DSLs GECO: Automatic Generator-Composition for (Aspect-oriented) DSLs Doctoral Symposium - MODELS 2014 Reiner Jung Christian-Albrechts-University Kiel, Germany 30.09.2014 Domain-specific Languages Motivation

More information

A methodology for secure software design

A methodology for secure software design A methodology for secure software design Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca Raton, FL 33431 ed@cse.fau.edu 1. Introduction A good percentage of the

More information

Dagstuhl seminar on Service Oriented Computing. Service design and development. Group report by Barbara Pernici, Politecnico di Milano

Dagstuhl seminar on Service Oriented Computing. Service design and development. Group report by Barbara Pernici, Politecnico di Milano Dagstuhl seminar on Service Oriented Computing Service design and development Group report by Barbara Pernici, Politecnico di Milano Abstract This paper reports on the discussions on design and development

More information

Business Modeling with UML

Business Modeling with UML Business Modeling with UML Hans-Erik Eriksson and Magnus Penker, Open Training Hans-Erik In order to keep up and be competitive, all companies Ericsson is and enterprises must assess the quality of their

More information

Change Pattern-Driven Traceability of Business Processes

Change Pattern-Driven Traceability of Business Processes Proceedings of the International MultiConference of Engineers and Computer Scientists 2014 Vol I,, March 12-14, 2014, Hong Kong Change Pattern-Driven Traceability of Business Processes Watcharin Uronkarn

More information

From Business World to Software World: Deriving Class Diagrams from Business Process Models

From Business World to Software World: Deriving Class Diagrams from Business Process Models From Business World to Software World: Deriving Class Diagrams from Business Process Models WARARAT RUNGWORAWUT 1 AND TWITTIE SENIVONGSE 2 Department of Computer Engineering, Chulalongkorn University 254

More information

Modeling of Distributed Systems with SOA & MDA

Modeling of Distributed Systems with SOA & MDA Modeling of Distributed Systems with SOA & MDA Haeng-Kon Kim Abstract Along with the boom of Web services and the thriving Model Driven Architecture (MDA), we must consider the growing significance and

More information

Tool Support for Software Variability Management and Product Derivation in Software Product Lines

Tool Support for Software Variability Management and Product Derivation in Software Product Lines Tool Support for Software Variability Management and Product Derivation in Software s Hassan Gomaa 1, Michael E. Shin 2 1 Dept. of Information and Software Engineering, George Mason University, Fairfax,

More information

Enterprise IT Architectures BPM (Business Process Management)

Enterprise IT Architectures BPM (Business Process Management) Dr. Hans-Peter Hoidn Executive Architect, IBM Distinguished IT Architect (Opengroup) Enterprise IT Architectures BPM (Business Process Management) Introduction 2 Agenda of this Part Business Process Management

More information

A Collaborative System Software Solution for Modeling Business Flows Based on Automated Semantic Web Service Composition

A Collaborative System Software Solution for Modeling Business Flows Based on Automated Semantic Web Service Composition 32 A Collaborative System Software Solution for Modeling Business Flows Based on Automated Semantic Web Service Composition Ion SMEUREANU, Andreea DIOŞTEANU Economic Informatics Department, Academy of

More information

An Aspect-Oriented Product Line Framework to Support the Development of Software Product Lines of Web Applications

An Aspect-Oriented Product Line Framework to Support the Development of Software Product Lines of Web Applications An Aspect-Oriented Product Line Framework to Support the Development of Software Product Lines of Web Applications Germán Harvey Alférez Salinas Department of Computer Information Systems, Mission College,

More information

Clarifying a vision on certification of MDA tools

Clarifying a vision on certification of MDA tools SCIENTIFIC PAPERS, UNIVERSITY OF LATVIA, 2010. Vol. 757 COMPUTER SCIENCE AND INFORMATION TECHNOLOGIES 23 29 P. Clarifying a vision on certification of MDA tools Antons Cernickins Riga Technical University,

More information

Rules and Business Rules

Rules and Business Rules OCEB White Paper on Business Rules, Decisions, and PRR Version 1.1, December 2008 Paul Vincent, co-chair OMG PRR FTF TIBCO Software Abstract The Object Management Group s work on standards for business

More information

Monitoring Security and Safety of Assets in Supply Chains

Monitoring Security and Safety of Assets in Supply Chains Monitoring Security and Safety of Assets in Supply Chains Ganna Monakova 1 and Cristina Severin 2 and Achim D. Brucker 1 and Ulrich Flegel 3, and Andreas Schaad 1 1 SAP Research, Vincenz-Priessnitz-Str.

More information

Business Process Modeling Information Systems in Industry (372-1-4207 )

Business Process Modeling Information Systems in Industry (372-1-4207 ) Business Process Modeling Information Systems in Industry (372-1-4207 ) Arnon Sturm The material of this presentation is adopted from various people including:, Pnina Soffer, Iris Reinhartz-Berger 1 Outline

More information

A Survey on Requirements and Design Methods for Secure Software Development*

A Survey on Requirements and Design Methods for Secure Software Development* A Survey on Requirements and Design Methods for Secure Software Development* Muhammad Umair Ahmed Khan and Mohammad Zulkernine School of Computing Queen s University Kingston, Ontario, Canada K7L 3N6 {umair

More information
