Serenity Project: Security in Software Enginering

Part 3: Security in Software Engineering
 Security-aware Software Engineering Processes
 Creation of Secure Applications

Francisco Sánchez Cid
Project Manager
Instituto Tecnologico de Informatica
Valencia (Spain)

We all agree:
• Indirectly, SE has a big impact on our ability to deliver and maintain
applications
… but can a methodology be a direct revenue generator?
E.g. System for Olives classification in Spain
“..If we can certify that we have a secure software
development life-cycle we stand to increase our
overall revenue with clients from 10-20%.”
Our Chief Software Architect
• Actually utilizing our methodology as a competitive advantage! WOW!
• Unit, integration, and acceptance tests and their automation mean you
can actually certify that you’re software is reasonably secure at least
for what you’re testing for

All right. This approach seems to work fine for 90% of
applications we develop, but… what about the other 10%?
• For this 10% applications we do not only have security
requirements but also:
o These requirements evolve as times goes by
o Operational context is unpredictable or uncertain
o We don’t want this app to be tightly coupled to an specific solution
o E.g. Digital Signature Applet

• Just one way out:
o Identify and develop generic solutions
o Use a model to represent the solutions
o Link generic solutions to specific implementations
o Once a solution is selected, monitor its validity on time
…KindofModelDrivenEngineering?
let’shave a look at it

Security-aware
Software Engineering Processes

Security Aware Software Engineering Process
 Current technology challenges
• Model Driven Engineering comes to help
– Models
– Model Driven Architecture
– MDA and Security
• Model transformations
– What is a transformation
– Example
• Conclusions

Current technology challenges
• Current applications are tightly coupled to underlying
technologies
– Investment done on their development is at risk due to this
dependence

• Many different platforms and technologies
– Distributed objects, components, web services…
– Not interoperable
– Not reuse (at least if they are not correctly designed)

• Very fast evolution
– New technologies appear every day
– Old technologies disappear
– How to protect the investment in business logic?

Security Aware Software Engineering Process
• Current technology challenges
 Model Driven Engineering comes to help
– Models
– Model Driven Architecture
– MDA and Security
• Model transformations
– What is a transformation
– Example
• Conclusions

MDE as opposite to OO
Object Oriented Design Everything is a object
Model Driven EngineeringEverything is a model

cd MDE v s OO

SuperClass Meta-Model

inheritsFrom conformsTo
Relations
in these
approaches
clearly differ Class Model

instanceOf representedBy

Instance System

Model Driven Engineering (MDE)
• Approach to software development based in models and in
model transformations
– Current approaches are based in objects, programs and compilers
• MDE implies the (semi) automated generation of implementations
from models
• Modelling languages are key to MDE
– Model transformation languages are also modelling languages
– Models conform to meta-models
• MDA is the OMG’s proposal for MDE, using OMG standards
– MOF, UML, OCL, XMI, QVT
– MOF and UML allow the definition of new families of languages

What is a model ?
• A description of (part of) a system written in a well-defined
language (Equivalent to specification) [Kleppe, 2003]
• A description or specification of the system and its
environment for some certain purpose. A model is often
presented as a combination of drawings and text [MDA Guide,
2003]

Models in software
• “...Bubbles and arrows, as opposed to programs, never crash.” [B.
Meyer, 1997]
• The problem is to maintain the link between models and source code

sd Activ ate Pattern

Application S&D Manager Event Manager S&D Query Runtime S&D Context Manager
Library

1: Request Class()
publicclass
2: Get Context() ActiveMonitoringManager
extends Observable{
3: Send Context()
cd Metamodelo
privatestatic
4: Get Available Patterns()
MonitoringServiceIF
ExecutableComponent 5: Build Query()
monitoringAccess;
cd SampleApplicationIM
RefersTo
private
6: Query For Patterns()
Pertenece-A Implementa
EmailDB CommunicacionSystem Hashtable<String,MonitorInfo
S&DClass
* *
S&DPattern
*
S&DImplementation 7: Return Patterns()
> activeMonitors;

8: Return Patterns()
privatestatic
EmailSystem GUI ActiveMonitoringManager
Proporciona Representa
9: Choose Pattern() mManager = getInstance();
*
S&DProperty S&DArtefact S&DSolution
*
10: Update Context()

Requiere Securiza
13: Send Implementation Handler AccessControl
Tiene
* «Securizes»

S&DRequirement Application
«S&DPattern»
smartCardAuthentication.UMA.es

Limitations of models (in SE)
• Models are used only as documentation (if the system is documented at all)
• “Gap” between the model and the implementation of the system
– Semantic gap between the respective languages
– Changes in the model do not reflect in the code
– Changes in the code do not reflect in the model (the model is thrown away after
the first implementation, and never updated or used again)
• No “merge” of models (though some tools actually help)
– Unrelated views of a system (horizontal)
– Unrelated towers of models (vertical)
• No model “transformations”
– Few defined transformation languages
– No tools
• We are still far behind more mature engineering industries, such as
aerospace, automotive and electrical engineering....
• ...Even hardware design is ahead of software design!

Kinds of SE models
• Depending on:

– The phase of the project
• Analysis models, design models, ...
– The level of detail
• High level models, Low level models (implementations)
– The view of the system
• Business models, Software Architecture models, Deployment models,...
– The aspect they focus on
• Structural models, behavioural models, QoS models, ...
– The level of technology independence
• Computation Independent Models, Platform Independent
Models, Platform Specific Models
– The particular target platform
• J2EE, .NET, CORBA, EDOC, ....

MDA: OMG’s Four-layer metamodel architecture

• M3, MOF (Meta Object Facility) used to describe meta-models
• M2, Meta-models used to describe modelling languages
• M1, models used to describe applications
• M0, instances of applications

MDA Models (M1)
• Computation Independent Model (CIM)
– A view from a system from the Computational Independent Viewpoint
– A CIM Focuses on the system and its environment; the details of the structure of the system are hidden
or as yet undetermined
– A CIM is sometimes called a domain model or a business model, and is specified using a vocabulary
that is familiar to the practitioners of the domain in question
– It may hide much or all information about the use of automated data processing systems

• Platform Independent Model (PIM)
– A platform independent model is a view of a system from the platform independent viewpoint
– A PIM exhibits platform independence and is suitable for use with a number of different platforms of
similar type

• Platform Specific Model (PSM)
– A platform specific model is a view of a system from the platform specific viewpoint
– A PSM combines the specifications in the PIM with the details that specify how that system uses a
particular type of platform

• Platform Model (PM)
– A platform model provides a set of technical concepts, representing the different kinds of parts that
make up a platform and the services provided by that platform
– It also provides, for use in a platform specific model, concepts representing the different kinds of
elements to be used in specifying the use of the platform by an application

Examples of MDA models

• CIM
– Use case models capturing the system requirements

• PIM
– The software architecture of the system, that describes how the functionality of
the system is decomposed into (architectural) components and connectors

• PSM
– A model of the J2EE implementation of the system, expressed using the EJB
Profile that describes how the (architectural) components need to be
implemented by EJBs

• Platform Model (Code)
– The EJBs themselves, their configuration files, etc., ready to be deployed

Model Driven Security (D. Basin)
• It is an extension of MDA
SystemModel

A SystemModel+
SecurityModel
A B <<secumlPermission>>
<<secumlRole>>
Customer

B
ModelTransformation+
extensions

TargetSyste
m +
SecurityInfrastructure
(RBAC, assertions,
etc.)

Model Driven Security
• Three UML extensions
– ComponentUML, a class based language for data modelling
– ControllerUMLfor modelling system behaviour evolution
– SecureUML for modelling secure systems based on RBAC
• Confidentiality and Integrity are modeledusing RBAC

• They are composed in Security Languages for
modelling design and security

• Only for class, sequence and state charts diagrams


Resources
• Confidentiality and Integrity are model using RBAC

• They are composed in Security Languages for



• Confidentiality and Integrity are model using RBAC

SecurityRequire
• They are composed inments
Security Languages for



• A Security Design Language glues the two languages together
• Each language is equipped with an abstract and concrete
syntax, semantics, and a technology dependent translation
function
• Dialect bridges design language with security language by
identifying which design elements are protected resources
Security Design Language

Security Modelling Language
(SecureUML)

Dialect

System Design Modelling
Language
(ComponentUML, ControllerUML)

• Example

There is an
implementation of this in
top of the ArcStyle MDA
tool

Model transformation
• Model transformation is the process of converting one
model to another model of the same system
• The MDA pattern includes (at least): a PIM, a Platform
Model, a Transformation, and a PSM
• Useful to
– Mark models
– Transform meta-models
– Merging models
– Include information
in models

Examples of MDA transformations
Transformations are everywhere…

Examples of MDA transformations: GMF
Although not specific for security, a representative technology…

GMF: first, the model
E.g. Design of workflowsfor public administration

Diagram
1
1
Association

* *

Graphical Element Link
1 0..*
target

1 0..*
source Sequence

Start End Activity

...
1

0..*
FormItem
Form
1

GMF: and eventually, generate…

Conclusions to MDA
• MDA seems to be the right way to go
– Conceptually clean and well defined
– Protect investment and IP by separating the business model from the supporting technologies
• But there is still a long way ahead
• There are more or less mature approaches to the development of security systems
using MDA
– Based on security policies and RBAC
• Research is required
• MDD (and MDA) looks very promising
• MDA isnotthe panacea
“No manual coding” isnot 100% achievable in general
Itisimportanttoidentifythedomains in which MDA can be effectivelyused,
By the time beingtools are notmature

Honestly, do you really think that
only drawing three boxes and
a couple of lines you will get all
your application code?

Creationof Secure
Applications

Creation of Secure Applications

 Differences between current secure software
development and the SERENITY approach
 SERENITY applications life cycle
 Developing SERENITY applications
 Using Java to develop SERENITY applications
 Run-time support
 Advantages of the SERENITY approach

When Developing applications…
• Most of current approaches for software development are
based on an iterative and incremental process

How does it fit in Agile Development…
Not really agile

Security Planning a specific
Requirements Design security
Development engineering
activity in
every sprint?

Identify the Decide the Check against
properties/threats controls threat model

Security Planning Security Risk
Requirements Design Management
Development

Supposed to have a
residual risk

How does it fit in Agile Development… in fact
Detailed threat
Sprint Review: analysis
Approve
residual risk

Decide on the controls:
Sprint Planning: -Address the threat
Threat analysis (new sprint backlog)
for largest risks - Postpone the work
(new product backlog)

• For this to work:
• The Scrum team does need to be somehow aware of security
engineering and software security issues.
• Security specialists should be on call.

Security aspects of applications
• Usaually, security requirements are treated as the rest of requirements
– Security is not a functional requirement
• It is difficult to implement
• It is difficult to trace during the project

• Security is always orthogonal. We may talk of perspectives for the
software

• Given a good model, you have one thousand ways of making it
unsecure
– A parameter not correctly parsed
– A buffer not correctly managed
– …

Serenity Proposal for Secure Software Development
• Just a reminder:
– For this to work, the team does need to be somehow aware of security
engineering and software security issues.
• Now that we are aware:
– We propose not to be aware of security engineering, but security
properties the system have to comply with
– Security requirements are fulfilled by means of S&D patterns
– S&D patterns are represented at different levels of abstraction by means
of different artefacts

cd PatternDetail EA

RefersTo Implements BelongsTo
* *
*
ExecutableComponent S&DImplementation S&DPattern S&DClass

Represents the Represents a set of
Implementation of a Represents a S&D S&D solutions
pattern solution Defines a general
Implements a and defines an interface
pattern interface and a set of
functionallities

cd PatternDetail EA

RefersTo Implements BelongsTo
* *
*
ExecutableComponent S&DImplementation S&DPattern S&DClass

Software Architects know these artefacts, Security Experts deeeply
know these artecfacts and Developers know and use all these
S&D artefacts and their interfaces


• Developers include references to S&D patterns in
applications by means of references to S&D artefacts
• Developers are supported by S&D patterns libraries
where they can find artefacts (called S&D Libraries)
• SERENITY includes tools supporting developers for
managing on-line S&D libraries (e.g. plugin for Eclipse)


S&D Pattern Development

S&D pattern Addition to S&D
development S&D library library
Security Community



Security Community

Application Development
Inclusion of S&D pattern
Application
references in search and
deployment
Development Team application selection



Security Community

Application
deployment

Runtime Support
Runtime Application execution
S&D pattern
assembling Runtime monitoring
Running app




Serenity Development
Security Community

Framework Application Development

Application
Inclusion of
references in
S&D pattern
search and
deployment

Runtime Support
Runtime Application execution
S&D pattern
assembling Runtime monitoring
Running app



Security Community

Application
deployment

Runtime Support

Serenity Runtime Framework
Runtime
S&D pattern
assembling
Application execution

Runtime monitoring
Running app

• One of SERENITY main features is the run-time
support:
– Dynamic substitution of S&D Patterns at run-time
– The more abstract level of the artefact selected at
development-time is, the more flexible selecting the
S&D Pattern the SRF is
– At run-time S&D Patterns are monitored

• SERENITY approach can be integrated in most
of current development processes
• Let us see how does it fit…

SERENITY
SERENITY development
runtime time
framework framework

And if we go to Agile Development…

Sprint Review:
Approve Detailed threat Decide on the controls:
Sprint Planning: residual risk analysis -Address the threat
Threat analysis (new sprint backlog)
based on - Postpone the work
properties for (new product backlog)
largest risks

Sprint Review:
Approve Detailed threat Decide on the controls:
residual risk analysis -Address the threat
Sprint Planning: (new sprint backlog)
Threat analysis - Postpone the work
for largest risks (new product backlog)

SERENITY
SERENITY
development
runtime
time
framework
framework


• The integration of
SERENITY is achieved by
means of new paths in
security engineering
techniques: S&D
properties, formal
proofs, and a library.
• Application developers profit
of expertise of security
experts by using SERENITY
patterns

Developing applications in Serenity
• Application Developer: Our client needs a secure and
reliable online application…
1) Identify S&D Requirements
• Properties vs. threats
• Usually expressed as S&DProperties
• Looking for the appropriate S&DProperties in
S&DProperties repositories
2) Develop applications
• Search into development time S&DLibrary for the
appropriate S&D solutions
• Developing the code including references to the S&D
Solutions functionalities

The whole process Information
from context

S&D Pattern Runtime
reference selection

Serenity-aware
Application
SRF
Run-time
Support
Access to
S&D Pattern
functionallities

Monitoring
Activation
rules

Executable
Monitoring
Component
Service
implementing
an S&D Pattern Monitorization
and events

An example: runtime selection
cd Obj ect model1

SimpleTransmisionConfidentiality.iso.org :
S&DClass

ConfidentialityByDES_Encryption.iso.org :S&DPattern
ConfidentialityBySecureChannel.ieee.org :
S&DPattern

NokiaDES : SAPDES : ThalesDES :
S&DImplementation S&DImplementation S&DImplementation ATCSecureChannel : SetcceSecureChannel :
S&DImplementation S&DImplementation

SAPDES :
ExecutableComponent ATCSecureChannel :
ExecutableComponent

NokiaDES : ThalesDES :
ExecutableComponent ExecutableComponent SetcceSecureChannel :
ExecutableComponent

From developer’s perspective
1. I launch my favourite programming IDE
2. I start coding my application
3. I import the SERENITY API
4. I launch the SERENITY search tool
5. I look for the pattern I want to use in my application
6. I add calls to the pattern using
a. the semantic information retrieved from the pattern description
b. and, the SERENITY API

I just need a
I do not need reference
to include the to the pattern
pattern itself

7. I finish and compile my application
8. I deploy my application in a SERENITY enabled device

That’s all, now my app is ready to run!

SERENITY Tools
• Currently SERENITY provides an Eclipse plugin to navigate through a library of artefacts

SERENITY Tools
• You can connect to remote S&D artefacts repositories

SERENITY Tools
• You can navigate through solutions for specific S&D properties

SERENITY Tools
• And you can search for specific S&D patterns, classes…

SERENITY Tools
• And security experts can edit S&D artefacts

The whole process. Revisited

Serenity-aware
Application
SRF

¿?
Executable
Component Monitoring
implementing Service
an S&D Pattern

The whole process. Revisited

Serenity-aware
Application
SRF

SERENITY
API
for
application
developers

Executable
Component Monitoring
implementing Service
Currently
an S&D Pattern
developed
for JAVA


 Differences between current secure software
development and the SERENITY approach
 SERENITY applications life cycle
 Developing SERENITY applications
Using Java to develop SERENITY applications
 Run-time support
 Advantages of the SERENITY approach

An simplified example
• This test application just requests a S&D pattern for authentication and uses it

My Serenity myEC confidentiality.uma.es
Application sendConf()

mySRF SRF

mySRF = SRF_AP_AccessPoint(localhost);
myEC = New SerenityExecutableComponent_AP(
mySRF,
“P:confidentiality.uma.es”,
parameters
);

An simplified example
• This test application just requests a S&D pattern for authentication and uses it

My Serenity myEC confidentiality.uma.es
Application sendConf()

mySRF SRF

mySRF = SRF_AP_AccessPoint(localhost);
myEC = New SerenityExecutableComponent_AP(
mySRF,
“P:confidentiality.uma.es”,
parameters
);
myEC.callOperation(“sendConf”, parameters);

Java package for applications
id SERENITY-application Support Library

SERENITY-application Support Library
SRF
SRF_AP_AccessPoint

+ requestSolution() : EcHandler SRFRequests S&DManager

Create
EcHandler
Application A

«use»

«Use» PointsTo

SerenityExecutableComponent_AP Executable
ECaccessPoint
Component A
+ callOperation(oper, inParam, outParam) : void process

An example: the code
package SERENITY-application;
importserenity.app.*;
public class mySERENITYapplication{
// I connect to a SRF hosted on localhost
SRF_AP_AccessPointmySRF = newSRF_AP_AccessPoint(localhost);
// I am going to use an executableComponent
SerenityExecutableComponent_APconfidentialitySolution;
// Param for the SDRequest
SerenitySolutionParametersListsParametersList = new SerenitySolutionParametersList();
// Param for the pattern functionallity
SerenityOperationParametersListoperationParameters= new SerenityOperationParametersList();
// C: for a S&DClass
// P: for a S&DPattern
// I: for a S&DImplementation
String solutionName = “P:confidentiality.uma.es”
public static void main() {
...
// I am going to create the executableComponent access point object
sParametertsList.addParam(“target_IP”,”127.0.0.1”);
confidentialitySolution = newSerenityExecutableComponent_AP(mySRF, solutionName, sParametersList);
...
// I am going to access one of the S&DClass interface operations
operationParameters.addParam(“Message”,”Hello world”);
confidentialitySolution.callOperation(“sendConfidential”, operationParameters);
...
}
}

Considerations
• The API encapsulates the use of ECHandlers
– The ECHandler is used by the executableComponent_AP
– It is possible to use directly ECHandlers
• How do developers know the S&Dpatterns interface?
– This information is part of the pattern definition retrieved from the development
time library
– Using a Serenity enabled IDE, it will help to develop the application presenting
the list of appropriate calls (kind of auto completion) given the fact that S&D
artefacts are machine readable.

Tools and documentation available at:
http://www.serenity-project.org/

Advantages of the SERENITY approach
• Applications become independent of the implementation of
the security solutions they need
• Applications become responsive to the changes of the
context
• The library of solutions is ever growing and continuously
reviewed, without the need of revising the application
• It is possible to verify that applications comply with security
policies applicable
• It enhances the process of security engineering, by promoting
the separation of duties between security specialists and
application developers
• It helps managing threats, since the focus is in the
properties, not in the threats themselves
• Property + Context => Threats (it allows non security experts to
identify new threats)

Thank you
Francisco Sanchez Cid
cid@iti.upv.es

Serenity Project: Security in Software Enginering

Serenity Project: Security in Software Enginering

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (12)

Similar to Serenity Project: Security in Software Enginering

Similar to Serenity Project: Security in Software Enginering (20)

Recently uploaded

Recently uploaded (20)

Serenity Project: Security in Software Enginering