Serenity Project: Security in Software Engineering
Based on the results of the Serenity project (an EU Framework Programme project), these slides present a security-aware software engineering process. They show how security must be taken into account in the different phases of software development, including agile development approaches.

Presentation Transcript

  • Part 3: Security in Software Engineering. Security-aware Software Engineering Processes. Creation of Secure Applications. Francisco Sánchez Cid, Project Manager, Instituto Tecnologico de Informatica, Valencia (Spain)
  • We all agree:
    – Indirectly, SE has a big impact on our ability to deliver and maintain applications... but can a methodology be a direct revenue generator? E.g. a system for olive classification in Spain.
    – "If we can certify that we have a secure software development life-cycle we stand to increase our overall revenue with clients from 10-20%." (Our Chief Software Architect)
    – Actually utilizing our methodology as a competitive advantage! WOW!
    – Unit, integration, and acceptance tests and their automation mean you can actually certify that your software is reasonably secure, at least for what you're testing for.
  • All right. This approach seems to work fine for 90% of the applications we develop, but... what about the other 10%?
    – For this 10% of applications we do not only have security requirements but also:
      o These requirements evolve as time goes by
      o The operational context is unpredictable or uncertain
      o We don't want this app to be tightly coupled to a specific solution
      o E.g. Digital Signature Applet
    – Just one way out:
      o Identify and develop generic solutions
      o Use a model to represent the solutions
      o Link generic solutions to specific implementations
      o Once a solution is selected, monitor its validity over time
    – ...Kind of Model Driven Engineering? Let's have a look at it.
  • Security-aware Software Engineering Processes
  • Security Aware Software Engineering Process (agenda)
    – Current technology challenges
    – Model Driven Engineering comes to help
      o Models
      o Model Driven Architecture
      o MDA and Security
    – Model transformations
      o What is a transformation
      o Example
    – Conclusions
  • Current technology challenges
    – Current applications are tightly coupled to underlying technologies
      o The investment made in their development is at risk due to this dependence
    – Many different platforms and technologies
      o Distributed objects, components, web services...
      o Not interoperable
      o No reuse (at least if they are not correctly designed)
    – Very fast evolution
      o New technologies appear every day
      o Old technologies disappear
      o How to protect the investment in business logic?
  • MDE as opposed to OO
    – Object Oriented Design: everything is an object
    – Model Driven Engineering: everything is a model
    – (Diagram "MDE vs OO": in OO, an Instance is an instanceOf a Class, which inheritsFrom a SuperClass; in MDE, a System is representedBy a Model, which conformsTo a Meta-Model.) The relations in these approaches clearly differ.
  • Model Driven Engineering (MDE)
    – An approach to software development based on models and model transformations
      o Current approaches are based on objects, programs and compilers
    – MDE implies the (semi-)automated generation of implementations from models
    – Modelling languages are key to MDE
      o Model transformation languages are also modelling languages
      o Models conform to meta-models
    – MDA is the OMG's proposal for MDE, using OMG standards
      o MOF, UML, OCL, XMI, QVT
      o MOF and UML allow the definition of new families of languages
  • What is a model?
    – A description of (part of) a system written in a well-defined language (equivalent to a specification) [Kleppe, 2003]
    – A description or specification of the system and its environment for some certain purpose. A model is often presented as a combination of drawings and text [MDA Guide, 2003]
  • Models in software
    – "...Bubbles and arrows, as opposed to programs, never crash." [B. Meyer, 1997]
    – The problem is to maintain the link between models and source code
    – (Figure: three overlapping artefacts. A sequence diagram "Activate Pattern" between Application, S&D Manager, Event Manager, S&D Query, Runtime, S&D Context Manager and Library (Request Class, Get Context, Send Context, Get Available Patterns, Build Query, Query For Patterns, Return Patterns, Choose Pattern, Update Context, Send Implementation Handler); the S&D metamodel class diagram (S&DClass, S&DPattern, S&DImplementation, ExecutableComponent, S&DProperty, S&DArtefact, S&DSolution, S&DRequirement) with a sample application model (EmailSystem, EmailDB, CommunicationSystem, GUI, AccessControl, «S&DPattern» smartCardAuthentication.UMA.es); and a Java fragment of the ActiveMonitoringManager class.)
  • Limitations of models (in SE)
    – Models are used only as documentation (if the system is documented at all)
    – "Gap" between the model and the implementation of the system
      o Semantic gap between the respective languages
      o Changes in the model are not reflected in the code
      o Changes in the code are not reflected in the model (the model is thrown away after the first implementation, and never updated or used again)
    – No "merge" of models (though some tools actually help)
      o Unrelated views of a system (horizontal)
      o Unrelated towers of models (vertical)
    – No model "transformations"
      o Few defined transformation languages
      o No tools
    – We are still far behind more mature engineering industries, such as aerospace, automotive and electrical engineering...
    – ...Even hardware design is ahead of software design!
  • Kinds of SE models, depending on:
    – The phase of the project: analysis models, design models, ...
    – The level of detail: high level models, low level models (implementations)
    – The view of the system: business models, software architecture models, deployment models, ...
    – The aspect they focus on: structural models, behavioural models, QoS models, ...
    – The level of technology independence: Computation Independent Models, Platform Independent Models, Platform Specific Models
    – The particular target platform: J2EE, .NET, CORBA, EDOC, ...
  • MDA: OMG's four-layer metamodel architecture
    – M3: MOF (Meta Object Facility), used to describe meta-models
    – M2: meta-models, used to describe modelling languages
    – M1: models, used to describe applications
    – M0: instances of applications
  • Example (two figure-only slides)
  • MDA Models (M1)
    – Computation Independent Model (CIM)
      o A view of a system from the computation independent viewpoint
      o A CIM focuses on the system and its environment; the details of the structure of the system are hidden or as yet undetermined
      o A CIM is sometimes called a domain model or a business model, and is specified using a vocabulary that is familiar to the practitioners of the domain in question
      o It may hide much or all information about the use of automated data processing systems
    – Platform Independent Model (PIM)
      o A platform independent model is a view of a system from the platform independent viewpoint
      o A PIM exhibits platform independence and is suitable for use with a number of different platforms of similar type
    – Platform Specific Model (PSM)
      o A platform specific model is a view of a system from the platform specific viewpoint
      o A PSM combines the specifications in the PIM with the details that specify how that system uses a particular type of platform
    – Platform Model (PM)
      o A platform model provides a set of technical concepts, representing the different kinds of parts that make up a platform and the services provided by that platform
      o It also provides, for use in a platform specific model, concepts representing the different kinds of elements to be used in specifying the use of the platform by an application
  • Examples of MDA models
    – CIM: use case models capturing the system requirements
    – PIM: the software architecture of the system, which describes how the functionality of the system is decomposed into (architectural) components and connectors
    – PSM: a model of the J2EE implementation of the system, expressed using the EJB Profile, that describes how the (architectural) components need to be implemented by EJBs
    – Platform Model (Code): the EJBs themselves, their configuration files, etc., ready to be deployed
  • Model Driven Security (D. Basin)
    – It is an extension of MDA
    – (Diagram: a System Model is enriched into System Model + Security Model, with SecureUML stereotypes such as «secumlRole» Customer and «secumlPermission» attached to the design elements; a Model Transformation with extensions produces the Target System plus a Security Infrastructure (RBAC, assertions, etc.).)
  • Model Driven Security (built up over three slides, annotating the data-modelling language with "Resources" and the security language with "Security Requirements")
    – Three UML extensions
      o ComponentUML, a class based language for data modelling
      o ControllerUML, for modelling system behaviour evolution
      o SecureUML, for modelling secure systems based on RBAC; confidentiality and integrity are modelled using RBAC
    – They are composed into Security Languages for modelling design and security
    – Only for class, sequence and state chart diagrams
  • Model Driven Security
    – A Security Design Language glues the two languages together
    – Each language is equipped with an abstract and concrete syntax, semantics, and a technology dependent translation function
    – The Dialect bridges the design language with the security language by identifying which design elements are protected resources
    – (Figure: Security Design Language = Security Modelling Language (SecureUML) + Dialect + System Design Modelling Language (ComponentUML, ControllerUML).)
  • Model Driven Security: example. There is an implementation of this on top of the ArcStyler MDA tool.
  • Model transformation
    – Model transformation is the process of converting one model into another model of the same system
    – The MDA pattern includes (at least): a PIM, a Platform Model, a Transformation, and a PSM
    – Useful to:
      o Mark models
      o Transform meta-models
      o Merge models
      o Include information in models
  • Examples of MDA transformations: transformations are everywhere...
  • Examples of MDA transformations: GMF. Although not specific to security, a representative technology...
  • GMF: first, the model. E.g. design of workflows for public administration. (Figure: domain metamodel in which a Diagram contains Graphical Elements and Associations; a Link has a source and a target; Graphical Element is specialised into Sequence, Start, End, Activity, ...; a Form contains FormItems.)
  • GMF: then, the mapping
  • GMF: and eventually, generate…
  • Conclusions on MDA
    – MDA seems to be the right way to go
      o Conceptually clean and well defined
      o Protects investment and IP by separating the business model from the supporting technologies
    – But there is still a long way ahead
    – There are more or less mature approaches to the development of security systems using MDA
      o Based on security policies and RBAC
    – Research is required
    – MDD (and MDA) looks very promising
    – MDA is not the panacea: "no manual coding" is not 100% achievable in general. It is important to identify the domains in which MDA can be effectively used. For the time being, tools are not mature. Honestly, do you really think that only by drawing three boxes and a couple of lines you will get all your application code?
  • Creation of Secure Applications
  • Creation of Secure Applications Differences between current secure softwaredevelopment and the SERENITY approach SERENITY applications life cycle Developing SERENITY applications Using Java to develop SERENITY applications Run-time support Advantages of the SERENITY approach
  • When developing applications... Most current approaches to software development are based on an iterative and incremental process.
  • How does it fit in Agile Development... Not really agile: planning a specific security engineering activity in every sprint? (Figure: Planning, then Security Requirements, Design and Development.)
  • How does it fit in Agile Development... Identify the properties/threats, decide the controls, check against the threat model. (Figure: Security Requirements, Design and Development, with Planning and Security Risk Management alongside.) Supposed to have a residual risk.
  • How does it fit in Agile Development... in fact:
    – Sprint Planning: threat analysis for the largest risks
    – Detailed threat analysis
    – Decide on the controls: address the threat (new sprint backlog), or postpone the work (new product backlog)
    – Sprint Review: approve the residual risk
    – For this to work:
      o The Scrum team does need to be somehow aware of security engineering and software security issues.
      o Security specialists should be on call.
  • Security aspects of applications
    – Usually, security requirements are treated like the rest of the requirements
      o Security is not a functional requirement
        • It is difficult to implement
        • It is difficult to trace during the project
    – Security is always orthogonal. We may talk of perspectives of the software
    – Given a good model, you have one thousand ways of making it insecure
      o A parameter not correctly parsed
      o A buffer not correctly managed
      o ...
  • Creation of Secure Applications Differences between current secure softwaredevelopment and the SERENITY approach SERENITY applications life cycle Developing SERENITY applications Using Java to develop SERENITY applications Run-time support Advantages of the SERENITY approach
  • Serenity Proposal for Secure Software Development
    – Just a reminder: for this to work, the team does need to be somehow aware of security engineering and software security issues.
    – Now that we are aware:
      o We propose not to be aware of security engineering, but of the security properties the system has to comply with
      o Security requirements are fulfilled by means of S&D patterns
      o S&D patterns are represented at different levels of abstraction by means of different artefacts
    – (Class diagram "PatternDetail": ExecutableComponent RefersTo S&DImplementation, which Implements S&DPattern, which BelongsTo S&DClass.)
  • Serenity Proposal for Secure Software Development (the same diagram, annotated)
    – S&DClass: represents a set of S&D solutions and defines a general interface
    – S&DPattern: represents an S&D solution; implements an interface and defines a pattern interface and a set of functionalities
    – S&DImplementation: represents the implementation of a pattern
    – Software Architects know these artefacts, Security Experts deeply know these artefacts, and Developers know and use all these S&D artefacts and their interfaces
  • Serenity Proposal for Secure Software Development
    – Developers include references to S&D patterns in applications by means of references to S&D artefacts
    – Developers are supported by libraries of S&D patterns where they can find artefacts (called S&D Libraries)
    – SERENITY includes tools that support developers in managing on-line S&D libraries (e.g. a plugin for Eclipse)
  • SERENITY applications life cycle (figure built up over five slides)
    – S&D Pattern Development (Security Community): S&D pattern development, addition to the S&D library, S&D library
    – Application Development (Development Team): S&D pattern search and selection, inclusion of references in the application, application deployment
    – Runtime Support (Serenity Runtime Framework): S&D pattern assembling, application execution, runtime monitoring, running app
    – The Serenity Development Framework supports the first two stages; the Serenity Runtime Framework supports the third
  • One of SERENITY's main features is the run-time support:
    – Dynamic substitution of S&D Patterns at run-time
    – The more abstract the level of the artefact selected at development time, the more flexibility the SRF has in selecting the S&D Pattern
    – At run-time, S&D Patterns are monitored
  • The SERENITY approach can be integrated into most current development processes. Let us see how it fits... (Figure: SERENITY development time framework and SERENITY runtime framework.)
  • And if we go to Agile Development...
  • How does it fit in Agile Development... (The sprint cycle from before: Sprint Planning with threat analysis based on properties for the largest risks; detailed threat analysis; decide on the controls: address the threat (new sprint backlog) or postpone the work (new product backlog); Sprint Review: approve the residual risk. The second slide overlays the SERENITY development time framework and the SERENITY runtime framework on the cycle.)
  • The integration of SERENITY is achieved by means of new paths in security engineering techniques: S&D properties, formal proofs, and a library.
    – Application developers profit from the expertise of security experts by using SERENITY patterns
  • Creation of Secure Applications Differences between current secure softwaredevelopment and the SERENITY approach SERENITY applications life cycle Developing SERENITY applications Using Java to develop SERENITY applications Run-time support Advantages of the SERENITY approach
  • Developing applications in Serenity
    – Application Developer: "Our client needs a secure and reliable online application..."
    – 1) Identify S&D Requirements
      o Properties vs. threats
      o Usually expressed as S&DProperties
      o Look for the appropriate S&DProperties in S&DProperties repositories
    – 2) Develop applications
      o Search the development time S&DLibrary for the appropriate S&D solutions
      o Develop the code, including references to the S&D Solutions' functionalities
  • The whole process (figure): the Serenity-aware Application holds an S&D Pattern reference; the SRF Run-time Support performs runtime selection using information from the context and gives the application access to the S&D Pattern's functionalities; the Executable Component implementing the S&D Pattern is monitored by the Monitoring Service (monitoring activation rules, monitorization and events).
  • An example: runtime selection (object diagram)
    – S&DClass SimpleTransmisionConfidentiality.iso.org
      o S&DPattern ConfidentialityByDES_Encryption.iso.org, with S&DImplementations (each with its ExecutableComponent) NokiaDES, SAPDES and ThalesDES
      o S&DPattern ConfidentialityBySecureChannel.ieee.org, with S&DImplementations (each with its ExecutableComponent) ATCSecureChannel and SetcceSecureChannel
  • From the developer's perspective (built up over three slides)
    1. I launch my favourite programming IDE
    2. I start coding my application
    3. I import the SERENITY API
    4. I launch the SERENITY search tool
    5. I look for the pattern I want to use in my application
    6. I add calls to the pattern using
       a. the semantic information retrieved from the pattern description
       b. and the SERENITY API
       (I just need a reference to the pattern; I do not need to include the pattern itself)
    7. I finish and compile my application
    8. I deploy my application in a SERENITY enabled device
    That's all, now my app is ready to run!
  • SERENITY Tools
    – Currently SERENITY provides an Eclipse plugin to navigate through a library of artefacts
    – You can connect to remote S&D artefact repositories
    – You can navigate through solutions for specific S&D properties
    – And you can search for specific S&D patterns, classes...
    – And security experts can edit S&D artefacts
  • The whole process, revisited (figure): the Serenity-aware Application talks to the SRF, which connects it to the Executable Component implementing an S&D Pattern and to the Monitoring Service. The open question "¿?" between the application and the SRF is answered on the second slide: the SERENITY API for application developers, currently developed for Java.
  • Creation of Secure Applications Differences between current secure softwaredevelopment and the SERENITY approach SERENITY applications life cycle Developing SERENITY applicationsUsing Java to develop SERENITY applications Run-time support Advantages of the SERENITY approach
  • A simplified example (built up over two slides)
    – This test application just requests an S&D pattern for authentication and uses it
    – (Sequence diagram: My Serenity Application obtains mySRF from the SRF, creates myEC for confidentiality.uma.es, and calls sendConf() on it.)

```java
// Access point to the SRF; "localhost" is written as a string literal here (the slide has it bare)
mySRF = new SRF_AP_AccessPoint("localhost");
// Access point to an executable component for the pattern referenced as "P:..."
myEC = new SerenityExecutableComponent_AP(mySRF, "P:confidentiality.uma.es", parameters);
// Invoke one of the pattern's operations
myEC.callOperation("sendConf", parameters);
```
  • Java package for applications (class diagram "SERENITY-application Support Library")
    – SRF_AP_AccessPoint: + requestSolution() : EcHandler. It sends requests to the SRF's S&DManager, which creates an EcHandler
    – SerenityExecutableComponent_AP: + callOperation(oper, inParam, outParam) : void. It points to the ECaccessPoint of the Executable Component, which processes the operation
    – Application A uses both access-point classes
  • An example: the code

```java
package SERENITY-application;   // as on the slide (note: hyphens are not legal in Java package names)
import serenity.app.*;

public class mySERENITYapplication {
    // I connect to a SRF hosted on localhost ("localhost" is passed as a string literal here)
    static SRF_AP_AccessPoint mySRF = new SRF_AP_AccessPoint("localhost");
    // I am going to use an executableComponent
    static SerenityExecutableComponent_AP confidentialitySolution;
    // Param for the SDRequest
    static SerenitySolutionParametersList sParametersList = new SerenitySolutionParametersList();
    // Param for the pattern functionality
    static SerenityOperationParametersList operationParameters = new SerenityOperationParametersList();
    // C: for a S&DClass
    // P: for a S&DPattern
    // I: for a S&DImplementation
    static String solutionName = "P:confidentiality.uma.es";

    public static void main(String[] args) {
        // ...
        // I am going to create the executableComponent access point object
        sParametersList.addParam("target_IP", "127.0.0.1");
        confidentialitySolution = new SerenityExecutableComponent_AP(mySRF, solutionName, sParametersList);
        // ...
        // I am going to access one of the S&DClass interface operations
        operationParameters.addParam("Message", "Hello world");
        confidentialitySolution.callOperation("sendConfidential", operationParameters);
        // ...
    }
}
```
  • Considerations
    – The API encapsulates the use of ECHandlers
      o The ECHandler is used by the executableComponent_AP
      o It is possible to use ECHandlers directly
    – How do developers know the S&D patterns' interface?
      o This information is part of the pattern definition retrieved from the development time library
      o A Serenity enabled IDE will help to develop the application by presenting the list of appropriate calls (a kind of auto completion), given that S&D artefacts are machine readable
    – Tools and documentation available at: http://www.serenity-project.org/
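The slides describe the S&D artefact hierarchy, the "C:", "P:" and "I:" naming used in the code example, and the run-time selection and substitution performed by the SRF. The following Java is an added illustration, not code from the SERENITY project or from these slides: it models that hierarchy with the names from the "runtime selection" slide and shows why a more abstract reference leaves the SRF more room to substitute. The selection rule and the "deployable on this device" context are assumptions, as is the SdArtefactSelection class itself.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;

// Added illustration, not SERENITY project code: a toy model of the S&D artefact
// hierarchy (S&DClass -> S&DPattern -> S&DImplementation) and of the run-time
// selection the SRF performs for a "C:", "P:" or "I:" solution name. Artefact names
// come from the slides' example; the selection rule and context are assumptions.
public class SdArtefactSelection {
    // One S&D implementation together with the pattern and class it belongs to.
    static final class Implementation {
        final String name, pattern, sdClass;
        Implementation(String name, String pattern, String sdClass) {
            this.name = name; this.pattern = pattern; this.sdClass = sdClass;
        }
        @Override public String toString() { return name; }
    }

    // Development-time library, constructed from the slide's "runtime selection" example.
    static List<Implementation> sampleLibrary() {
        String cls = "SimpleTransmisionConfidentiality.iso.org";
        String des = "ConfidentialityByDES_Encryption.iso.org";
        String sch = "ConfidentialityBySecureChannel.ieee.org";
        List<Implementation> lib = new ArrayList<>();
        lib.add(new Implementation("NokiaDES", des, cls));
        lib.add(new Implementation("SAPDES", des, cls));
        lib.add(new Implementation("ThalesDES", des, cls));
        lib.add(new Implementation("ATCSecureChannel", sch, cls));
        lib.add(new Implementation("SetcceSecureChannel", sch, cls));
        return lib;
    }

    // Candidates for a name such as "P:confidentiality.uma.es": "I:" pins one
    // implementation, "P:" accepts any implementation of the pattern, "C:" any
    // implementation of any pattern in the class. The more abstract the reference,
    // the larger the set the SRF may choose from (the point made on the run-time slide).
    static List<Implementation> candidates(List<Implementation> lib, String solutionName) {
        if (solutionName.length() < 3 || solutionName.charAt(1) != ':') {
            throw new IllegalArgumentException("expected C:, P: or I: prefix: " + solutionName);
        }
        char level = solutionName.charAt(0);
        String ref = solutionName.substring(2);
        List<Implementation> out = new ArrayList<>();
        for (Implementation impl : lib) {
            boolean match;
            switch (level) {
                case 'I': match = impl.name.equals(ref); break;
                case 'P': match = impl.pattern.equals(ref); break;
                case 'C': match = impl.sdClass.equals(ref); break;
                default: throw new IllegalArgumentException("unknown artefact level: " + level);
            }
            if (match) out.add(impl);
        }
        return out;
    }

    // SRF-style selection: first candidate whose executable component is deployable
    // in the current context and has not been excluded (e.g. after monitoring reported
    // a violation). Empty means the reference leaves the SRF no room to substitute.
    static Optional<Implementation> select(List<Implementation> lib, String solutionName,
                                           Set<String> deployable, Set<String> excluded) {
        for (Implementation impl : candidates(lib, solutionName)) {
            if (deployable.contains(impl.name) && !excluded.contains(impl.name)) {
                return Optional.of(impl);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        List<Implementation> lib = sampleLibrary();
        Set<String> onDevice = Set.of("SAPDES", "ATCSecureChannel"); // constructed context
        Set<String> excluded = new HashSet<>();
        String[] refs = { "I:NokiaDES", "P:ConfidentialityByDES_Encryption.iso.org",
                          "C:SimpleTransmisionConfidentiality.iso.org" };
        for (String ref : refs) {
            System.out.println(ref + " -> candidates " + candidates(lib, ref)
                    + ", selected " + select(lib, ref, onDevice, excluded));
        }
        excluded.add("SAPDES"); // monitoring flags SAPDES; only the "C:" reference can still be served
        for (String ref : refs) {
            System.out.println("after excluding SAPDES: " + ref + " -> "
                    + select(lib, ref, onDevice, excluded));
        }
    }
}
```

With the constructed context, the "I:" reference is never satisfiable on this device, the "P:" reference is served by SAPDES until monitoring excludes it, and only the "C:" reference can fall back to ATCSecureChannel afterwards.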
  • Creation of Secure Applications Differences between current secure softwaredevelopment and the SERENITY approach SERENITY applications life cycle Developing SERENITY applications Using Java to develop SERENITY applications Run-time support Advantages of the SERENITY approach
  • Advantages of the SERENITY approach
    – Applications become independent of the implementation of the security solutions they need
    – Applications become responsive to changes in the context
    – The library of solutions is ever growing and continuously reviewed, without the need to revise the application
    – It is possible to verify that applications comply with the applicable security policies
    – It enhances the process of security engineering by promoting the separation of duties between security specialists and application developers
    – It helps in managing threats, since the focus is on the properties, not on the threats themselves
    – Property + Context => Threats (it allows non security experts to identify new threats)
  • Thank you. Francisco Sanchez Cid, cid@iti.upv.es