Security for Changing Software and Systems

Similar documents
Model-based Quality Assurance of Automotive Software

Lecture 03 ( ) Quality of the Software Development Process

Secure Software Architecture Description using UML Jan Jürjens Competence Center for IT Security Software & Systems Engineering TU Munich, Germany

The Software Development Process

Lecture 03 ( ) The Software Development Process. Software Development Models. Where are we? Your Daily Menu.

The Open University s repository of research publications and other research outputs. Run-time security traceability for evolving sys-

Secure Information Systems Engineering: Experiences and Lessons Learned from two Health Care Projects

Formal Verification and Linear-time Model Checking

Traceability for Maintenance of Secure Software Systems

Model-based Security Analysis for Mobile Communications

Security and Compliance in Clouds: Challenges and Solutions

Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection

SERENITY Pattern-based Software Development Life-Cycle

Development Processes (Lecture outline)

Outline. Definitions. Course schedule

The SPES Methodology Modeling- and Analysis Techniques

TRADITIONAL VS MODERN SOFTWARE ENGINEERING MODELS: A REVIEW

Security und Compliance in Clouds

Access Control Based on Dynamic Monitoring for Detecting Software Malicious Behaviours

The Way to SOA Concept, Architectural Components and Organization

Software Active Online Monitoring Under. Anticipatory Semantics

Enabling Continuous Delivery by Leveraging the Deployment Pipeline

Information & Communication Security (SS 15)

Chap 1. Introduction to Software Architecture

Principles of Software Engineering: Software Methodologies. COSI 120b, Spring 2005

Security and Compliance in Clouds

Development of global specification for dynamically adaptive software

Component-based Development Process and Component Lifecycle Ivica Crnkovic 1, Stig Larsson 2, Michel Chaudron 3

Engineering Process Software Qualities Software Architectural Design

Adversary Modelling 1

Requirements Management

Karunya University Dept. of Information Technology

Approaches to Improve System Dependability From Formal Verification to Model-Based Testing

Testhouse Training Portfolio

Specification and Analysis of Contracts Lecture 1 Introduction

Incorporating database systems into a secure software development methodology

Software Development Life Cycle (SDLC)

GECKO Software. Introducing FACTORY SCHEMES. Adaptable software factory Patterns

The Role of CM in Agile Development of Safety-Critical Software

VDM vs. Programming Language Extensions or their Integration

Modellistica Medica. Maria Grazia Pia, INFN Genova. Scuola di Specializzazione in Fisica Sanitaria Genova Anno Accademico

Getting started with API testing

How To Improve A Test Process

Co-Presented by Mr. Bill Rinko-Gay and Dr. Constantin Stanca 9/28/2011

Peter Mileff PhD SOFTWARE ENGINEERING. The Basics of Software Engineering. University of Miskolc Department of Information Technology

Model-Based Testing of Software Product Lines

Motivations 1. What is (or should be) the essential preoccupation of computer scientists?

Seamless Method- and Model-based Software and Systems Engineering

CS 1632 SOFTWARE QUALITY ASSURANCE. 2 Marks. Sample Questions and Answers

The Impact of 21 CFR Part 11 on Product Development

A Model-Based Development Process for Embedded System

WHITE PAPER DATA GOVERNANCE ENTERPRISE MODEL MANAGEMENT

SCADE System Technical Data Sheet. System Requirements Analysis. Technical Data Sheet SCADE System

Software Engineering/Courses Description Introduction to Software Engineering Credit Hours: 3 Prerequisite: (Computer Programming 2).

Software Modeling and Verification

Software Factories: Assembling Applications with Patterns, Models, Frameworks, and Tools

The Security Development Lifecycle

Management. Project. Software. Ashfaque Ahmed. A Process-Driven Approach. CRC Press. Taylor Si Francis Group Boca Raton London New York

Co-Creation of Models and Metamodels for Enterprise. Architecture Projects.

CREDENTIALS & CERTIFICATIONS 2015

Software Engineering Reference Framework

Mastering increasing product complexity with Collaborative Systems Engineering and PLM

Software Engineering. Software Processes. Based on Software Engineering, 7 th Edition by Ian Sommerville

Towards Modeling and Transformation of Security Requirements for Service-oriented Architectures

Software Production. Industrialized integration and validation of TargetLink models for series production

Software Engineering. An Introduction. Fakhar Lodhi

Classical Software Life Cycle Models

Formal Methods in Security Protocols Analysis

Quality Management. Lecture 12 Software quality management

Identification and Analysis of Combined Quality Assurance Approaches

Developing SOA solutions using IBM SOA Foundation

Architectural Risk Analysis for Android Applications

IndustrialIT System 800xA AC 870P/Melody Engineering

Towards a Comprehensive Design-time Compliance Management: A Roadmap

Coverability for Parallel Programs

An Aspect-Oriented Product Line Framework to Support the Development of Software Product Lines of Web Applications

Elite: A New Component-Based Software Development Model

To Comply Software and IT System Development with Related Laws Abstract. Keywords: 1. PROBLEM STATEMENT

CSC408H Lecture Notes

Secure Software Programming and Vulnerability Analysis

How To Write Software

Lecture 2 Software Re-engineering

Custom Web Development Guidelines

Advanced Topics in model-based Software Development

Pattern Insight Clone Detection

Static Program Transformations for Efficient Software Model Checking

A Comprehensive Safety Engineering Approach for Software Intensive Systems based on STPA

Realizing business flexibility through integrated SOA policy management.

ProGUM-Web: Tool Support for Model-Based Development of Web Applications

BCS HIGHER EDUCATION QUALIFICATIONS Level 6 Professional Graduate Diploma in IT. March 2013 EXAMINERS REPORT. Software Engineering 2

Chapter 4 Software Lifecycle and Performance Analysis

Security Requirements Analysis of Web Applications using UML

ZQL. a cryptographic compiler for processing private data. George Danezis. Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo

Formal Software Testing. Terri Grenda, CSTE IV&V Testing Solutions, LLC

21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES CFR Part 11 Compliance PLA 2.1

Evolutionary Approach to Coverage Testing of IEC Function Block Applications

Design of automatic testing tool for railway signalling systems software safety assessment

Introduction to Software Configuration Management. CprE 556 Electrical and Computer Engineering Department Iowa State University

zen Platform technical white paper

Foundations of Model-Driven Software Engineering

Transcription:

Security for Changing Software and Systems Jan Jürjens TU Dortmund & Fraunhofer ISST http://jan.jurjens.de

The Forgotten End of the System Life-cycle Challenges: Software lifetime often longer than intended (cf. Year-2000-Bug). Systems evolve during their lifetime. In practice evolution is difficult to handle. Problem: Critical requirements (e.g. security) preserved? Jan Jürjens: Security for Changing Software and Systems 2/19

Model-based Security Engineering with UMLsec Security Requirements Integrate UMLsec Models Code-/ Testgen. Code Analyse Reverse Engin. Generate Verify Execute Evolution Configuration Data Configure Runtime System Jan Jürjens: Security for Changing Software and Systems 3/19

Challenge: Evolution Each artifact may evolve. To reduce costs, reuse verification results as far as possible. Under which conditions does evolution preserve security? Even better: examine possible future evolution for effects on security. Check beforehand whether potential evolution will preserve security. Choose an architecture during the design phase which will support future evolution best wrt. security. Jan Jürjens: Security for Changing Software and Systems 4/19

Model Formalization Formalize model execution. For transition t=(source,msg,cond[msg],action[msg],target) and message m, execution formalized as: Exec(t,m) = [state current =source m=msg cond[m]=true action[m] state current.t(m) =target ]. (where state current current state; state current.t(m) state after executing t). Example: Transition t 0 : Exec(t 0,m)= [ state current =NoExtraService m=wm(x) money current +x>=1000 money current.t0 (m)=money current +x state current.t0 (m)=extraservice ]. t 0 [money+x>=1000] [money+x<1000] Jan Jürjens: Security for Changing Software and Systems 5/19

Formalization of Requirements Example secure information flow : No information flow from confidential to public data. Analysis: If states state current, state current differ only in confidential attributes, then publically observable behaviour should be same: state current pub state current state current.t(m) pub state current.t(m) (state current pub state current : same publically observable behaviour; state current.t(m) : next state after executing t(m)). Example: Insecure: confidential attribute money influences return value of public method rx(). ExtraService pub NoExtraService aber nicht: ExtraService.rx() pub NoExtraService.rx() [money+x>=1000] [money+x>=1000] [money+x<1000] [money+x<1000] Jan Jürjens: Security for Changing Software and Systems 6/19

Evolution vs. Design- / Architectural Principles Consider design- / architectural principles supporting evolution. Under which conditions are requirements preserved? Design technique: Refinement of specifications. Supports evolution between refinements of an abstract specification. Architectural principle: Modularization supports evolution by restricting impact of change to modules. Different dimensions: Architectural layers Component-oriented architectures Service-oriented architectures Aspect-oriented architectures For each discovered conditions under which requirements are preserved. Explain this at the hand of security requirements. Ochoa, Jürjens, Warzecha: A Sound Decision Procedure for the Compositionality of Secrecy. ESSoS 12 Ruhroth, Jürjens. Supporting Security Assurance in the Context of Evolution: Modular Modeling and Analysis with UMLsec. HASE 12 Schmidt, Jürjens: Connecting Security Requirements Analysis and Secure Design Using Patterns and UMLsec. CAiSE 11 Hatebur, Heisel, Jürjens, Schmidt: Systematic Development of UMLsec Design Models Based on Security Requirements. FASE 11 Jan Jürjens: Security for Changing Software and Systems 7/19

Refinement: Problem For behaviour preserving refinement, one would expect preservation of behavioural requirements. Refinement Paradox : Surprisingly, in general not true [Roscoe 96]. Example: In above example, transition rx()/return(true) (resp. false) is refinement of secure transition rx()/return(random_bool). [money+x>=1000] [money+x<1000] Problem: Mixing non-determinism as under-specification resp. as security mechanism. Jan Jürjens: Security for Changing Software and Systems 8/19

Refinement: Solution Our specification approach separates non-determinism as under-specification resp. as security mechanism. Result: Refinement now preserves behavioural requirements. Proof: using formal semantics. Above example: with our approach: not a refinement. Jan Jürjens: Security for Changing Software and Systems 9/19

Modularization: Problem Problem: Behavioural requirements in general not compositional. Above example: States ExtraService and NoExtraService each secure (only one return value for rx), but composition in statechart not. [money+x>=1000] [money+x<1000] Under which condition are requirements preserved? Jan Jürjens: Security for Changing Software and Systems 10/19

Modularization: (A) Solution Solution: Formalize requirement as rely-guarantee -property. Result: Using this formalization, get conditions for compositionality. Proof: using formal semantics. Above example: Rely-guarantee formalization shows that secure composition impossible. [money+x>=1000] [money+x<1000] Jan Jürjens: Security for Changing Software and Systems 11/19

Evolution-based Verification Evolution-based Verification Idea: Initial verification: Tool registers which model elements relevant for verification of given requirement. Store in verified model, together with partial results ( proof-carrying models ). Discovered conditions on changes such that requirement preserved. Compute difference between old and new model (e.g. using SiDiff [Kelter]). Only need to re-verify model parts which 1) were relevant in the initial verification, 2) have changed, and 3) which don t satisfy the above-mentioned conditions. Significant verification speed-up compared to simple re-verification. Wenzel, Warzecha, Jürjens, Ochoa: UMLchange Specifying Model Changes to Support Security Verification of Potential Evolution. Journal of Computer Standards & Interfaces, 2013.... Jan Jürjens: Security for Changing Software and Systems 12/19

Evolution-based Verification: Example Preservation condition for secure information flow at evolution M M : Only consider states s, s for which: s pub s in M but not in M, or s.t(m) pub s.t(m) in M but not in M. M M [money+x>=1000] [money+x>=1000] [money+x<1000] [money+x<1000] Example: wm(0).rx() pub wm(1000).rx() in M but not in M. Shows that M violates secure information flow (confidential data 0 and 1000 distinguishable). Jan Jürjens: Security for Changing Software and Systems 13/19

Model-code Traceability under Evolution Goal: Preserve model-code traceability during evolution. Idea: Reduce evolution to: Adding / deleting model elements. Supporting refactoring operations. => Approach for automated model-code traceability based on refactoring scripts in Eclipse. [Bauer, Jürjens, Yu: Run-Time Security Traceability for Evolving Systems. Computer Journal 11] Jan Jürjens: Security for Changing Software and Systems 14/19

Code Verification subject to Evolution Use evolution-based model verification and modelcode traceability for evolution-aware code verification using static analysis. Example: Condition in sequence diagram correctly checked in implementation. Project Csec (with Microsoft Research Cambridge): Implemented static analysis, found several weaknesses. p g All paths from p to q check g. q Aizatulin, Gordon, Jürjens: Computational Verification of C Protocol Implementations by Symbolic Execution. CCS 12 Aizatulin, Gordon, Jürjens: Extracting and verifying cryptographic models from C protocol code by symbolic execution. CCS 11 g Jan Jürjens: Security for Changing Software and Systems 15/19 p q 15

Run-time Verification subject to Evolution Relevant versions of source code not always available => run-time monitoring. Relevant approach in the literature: Security Automata [F.B. Schneider 2000]. Problem: no evolution and only safety -properties supported (too restrictive e.g. for secure information flow). So: New approach, based on runtime verification (based on techniques from model-checking and testing). Formalize requirement to be monitored in LTL. Continuous monitoring of system events through monitors generated from the models, with evolution-based traceability. Including non-safety-properties (using 3-valued LTL-semantics). Example results: Bauer, Jürjens. Runtime Verification of Crypto-graphic Protocols. Computers & Security 10 Pironti, Jürjens. Formally-Based Black-Box Monitoring of Security Protocols. ESSOS 10 Runtime verification in a nutshell Property automatic generation of System Actions Monitor Property fulfilled? t Jan Jürjens: Security for Changing Software and Systems 16/19

Technical Validation Correctness: based on formal semantics. Completeness: view model transformation as sequence of deletions, modifications and additions of model elements. Performance gain maximal where difference << software. Example result: Evolution-based verification: Performance linear in software size (given constant size of differences) Complete Re-Verification: Performance exponential in software size. This condition is satisfied e.g. for: Maintenance of stabile software QA tightly integrated with evolution (e.g. nightly builds) Jan Jürjens: Security for Changing Software and Systems 17/19 [Robles et al.: Evolution and Growth in Large Libre Software Projects]

Practical Validation Application of UMLsec in practice (examples): Global Platform (smartcard software updates, Gemalto) Mobile software architecture (Telefonica O2 Germany) Biometric authentication system German Health Card Health information systems Detected signification weaknesses for some of these. Jürjens et al.: Incremental Security Verification for Evolving UMLsec models. ECMFA 11 Jürjens et al.: Model-based Security Analysis for Mobile Communications. ICSE 08 Lloyd, J. Jürjens, Security Analysis of a Biometric Authentication System using UMLsec and JML. Models 09 Jürjens, Rumm: Model-based Security Analysis of the German Health Card Architecture. Methods of Information in Medicine 08 Mouratidis, Sunyaev, Jürjens: Secure Information Systems Engineering: Experiences and Lessons Learned from Two Health Care Projects. CAiSE 09 Empirical comparison model-based vs. traditional QA (testing): Example: Model-checking vs. simulation / testen: Door control unit (coop. w. BMW). Model-checking: Additional effort (1-2 days / LTL formula), but detects also obscure bugs. Jürjens, Trachtenherz, Reiss: Model-based Quality Assurance of Automotive Software. Models 08 Jan Jürjens: Security for Changing Software and Systems 18/19

Conclusion: Security for Changing Software and Systems Evolution: challenging for QA. Question: Can reuse QA results after evolution? Result: Conditions for requirements preservation in context of design-/architectural techniques for evolution (e.g. refinement, modularization). under model evolution ( evolution-based verification ). evolution-based static analysis and run-time verification. Tool-implementation: significant performance and scability gains wrt. simple re-verification. Validation: Successful use in practice. Current work: SecVolution @ DFG-PP Design for Future Jan Jürjens: Security for Changing Software and Systems 19/19

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information