Model-Driven Security with Modularity and Reusability for Engineering Secure Software Systems

PhD defence

  1. Model-Driven Security with Modularity and Reusability for Engineering Secure Software Systems. PhD Defence, September 10th, 2015. Candidate: Phu Hong Nguyen, PhD Candidate, University of Luxembourg, Luxembourg. Committee: Dr. Yves Le Traon (Supervisor), Professor, University of Luxembourg, Luxembourg; Dr. Pierre Kelsen (Chair), Professor, University of Luxembourg, Luxembourg; Dr. Jacques Klein (Vice-Chair), Senior Research Scientist, University of Luxembourg, Luxembourg; Dr. Jörg Kienzle (External Reviewer), Professor, McGill University, Montréal, Canada; Dr. Riccardo Scandariato (External Reviewer), Professor, Chalmers University of Technology and University of Gothenburg, Sweden.
  2. ICTSS 2010 PhD Defence Phu Hong NGUYEN. Why do we care about the security of software systems?
  3. What a nice car! But what is scary here?
  4. Oops, a driver totally lost control of his car on the highway because someone successfully hacked the car's software remotely...
  5. Humans in the Loop of Security-Critical Systems
  6. Challenge 1: (Software) systems are getting more complex. "Software complexity increases exponentially where business complexity increases linearly." (Glass, 2002) (IfM and IBM, 2008) (images: www.capgemini.com, dbstrat.com)
  7. Challenge 2: Security concerns are not often taken into account early in the development process! (image: securesoftware.blogspot.com)
  8. Challenge 3: Economic pressure reduces the development time... (image: http://blogs.vmware.com)
  9. How to tackle these challenges?
  10. Model-Driven Engineering (MDE). (image: Johan den Haan, http://www.theenterprisearchitect.eu/blog/2009/08/05/a-metaphor-for-model-driven-engineering/)
  11. Model-Driven Security (MDS). (image: Johan den Haan, http://www.theenterprisearchitect.eu/blog/2009/08/05/a-metaphor-for-model-driven-engineering/)
  12. MDE & MDS: more productive, supposedly less error-prone. (image: www.sparxsystems.com)
  13. Model-Driven Security with SecureUML (Model Driven Security, Technical Report 414, ETH Zurich, 2004). MDS: Security concerns are dealt with from the very beginning, and throughout the development cycle.
  14. More than a decade of Model-Driven Security research: what MDS approaches have been proposed, and what issues are open to be researched? MDE, MDS. (image: http://matt.might.net/articles/phd-school-in-pictures/)
  15. Main Content: A Systematic Literature Review of MDS; Model-Driven Security with Modularity; Model-Driven Security with Reusability.
  17. Why an Extensive Systematic Review of MDS? (image: www.replicatedtypo.com)
  18. Automatic Search Process & Selection of MDS papers. *Search range: 2002-2014
  19. "Snowballing" for a complete set of primary MDS papers: 108 finally selected.
  20. Classified, Analyzed, Synthesized, Compared.
  21. Significant MDS approaches vs. less common or emerging MDS approaches.
  22. Finding 1: The lack of addressing multiple security concerns systematically.
  23. Finding 2: Aspect-Oriented Modelling (AOM) should be promoted more.
  24. Finding 3: Model transformations & code generation: an MDS tool chain based on automated model transformations is rare.
  25. Next Goal 1: Towards an MDS tool chain from modelling to testing. Next Goal 2: How to address multiple security concerns more systematically? Next Goal 3: How to leverage AOM techniques to better enhance separation of concerns in the MDS development process?
  27. Towards an MDS tool chain: from modelling to testing.
  28. Access Control (AC): administering access to resources by enforcing an AC policy. (image: www.redsandz.com)
  29. Delegation of right(s) allows a user (the delegator) to delegate her/his access right(s) to another user (the delegatee). (image: www.jjdigeronimo.com)
  30. Example: Yves (Professor) delegates his signature for using the budget to Jacques (Senior Research Scientist) while Yves is on vacation. (image: www.loxton.com.sg)
  31. Another delegation instance: file sharing. (images: http://www.masterminditservices.com, http://www.techcommandos.com)
  32. Temporary Delegation: Yves (Professor) delegates his signature for using the budget to Jacques (Senior Research Scientist) while Yves is on vacation, and automatically gets it back after his vacation. (image: www.loxton.com.sg)
  33. Transfer Delegation: Yves (Professor) delegates his signature to Jacques (Senior Research Scientist) AND Yves is not allowed to use his signature while delegating it. (image: www.loxton.com.sg)
  34. Multi-Step Delegation: Yves (Professor) delegates his signature to Jacques (Senior Research Scientist) BUT Jacques is not allowed to delegate it to anyone else. (image: www.loxton.com.sg)
  35. Non-Delegable: Yves (Professor) is not allowed to delegate his signature to any PhD student. (image: www.loxton.com.sg)
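The four delegation flavours on the slides above (temporary, transfer, multi-step, non-delegable) as one small policy engine; this is an added Python example, not code from the thesis or its tool chain. The role table, the user "Bob", the right name "signature" and the use of day numbers as the clock are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data following the slides' running example (Yves, Jacques);
# "Bob", the role table and the right name are assumptions for illustration.
ROLES = {"Yves": "Professor", "Jacques": "Senior Research Scientist",
         "Bob": "Senior Research Scientist", "Phu": "PhD Student"}
OWNED = {"Yves": {"signature"}}                    # rights held directly, not via delegation
NON_DELEGABLE_TO = {"signature": {"PhD Student"}}  # non-delegable: never to these roles

@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegatee: str
    right: str
    expires: Optional[int] = None   # temporary: last day (inclusive) the delegation is active
    transfer: bool = False          # transfer: delegator may not use the right meanwhile
    redelegable: bool = True        # multi-step: may the delegatee pass the right on?

class DelegationPolicy:
    def __init__(self) -> None:
        self.delegations: list[Delegation] = []

    def delegate(self, d: Delegation, today: int) -> bool:
        """Accept a delegation only if the policy's constraints allow it."""
        if ROLES[d.delegatee] in NON_DELEGABLE_TO.get(d.right, set()):
            return False                      # non-delegable to this role
        grant = self._grant(d.delegator, d.right, today)
        if grant is None:
            return False                      # delegator does not currently hold the right
        if grant != "owner" and not grant.redelegable:
            return False                      # further (multi-step) delegation forbidden
        self.delegations.append(d)
        return True

    def can_use(self, user: str, right: str, today: int) -> bool:
        return self._grant(user, right, today) is not None

    def _grant(self, user, right, today, as_source=False, seen=frozenset()):
        """Return 'owner', the active Delegation that grants the right, or None."""
        active = [d for d in self.delegations
                  if d.right == right and (d.expires is None or today <= d.expires)]
        # transfer delegation: while it is active, the delegator loses the right
        if not as_source and any(d.delegator == user and d.transfer for d in active):
            return None
        if right in OWNED.get(user, set()):
            return "owner"
        for d in active:                      # follow the chain back to an owner, no cycles
            if d.delegatee == user and d.delegator not in seen and \
               self._grant(d.delegator, right, today, True, seen | {user}) is not None:
                return d
        return None
```

Expired delegations simply drop out of the active set, which is how the temporary case hands the right back without any explicit revocation step.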
  37. Hidden Mechanism Problems
  38. Proposed Solution: Separation of concerns among Business Logic / Access Control / Delegation
  39. Modelling Security Concerns and Business Logic. [Figure: the MDS tool chain across three levels. M2: access control metamodel, delegation metamodel, architecture metamodel. M1: access policy and delegation policy forming the active security policy, the base model, model composition into a security-enforced architecture model, model transformation, validation and test. M0: the running system of business logic components and user/role/resource proxy components on an adaptive execution platform, with self-adaptation on change/evolution. Each level conforms to (cft) the level above.]
  40. Composing. [Same figure as slide 39.]
  41. Code Generation (and Adaptation). [Same figure as slide 39.]
  42. Bill is transferring his rights to Bob
  43. Testing Delegation Policy Enforcement via Mutation Analysis. [Figure: the business logic model and access control policy are transformed and adapted into business logic components, user/role/resource proxy components and an authenticate component on the adaptive execution platform; the delegation policy and access control policy are composed, mutants of the policies are generated, and test cases are run against them.]
  44. Recap MDS with Modularity: Model-Driven Adaptive Delegation and Mutation Testing.
  46. How to address multiple security concerns more systematically? How to leverage AOM techniques to better enhance separation of concerns in the MDS development process? (image: www.enterprisearchitects.com)
  47. How to systematically design the security of Crisis Management Systems (CMS)? (Kienzle et al., Crisis management systems: a case study for aspect-oriented modeling, TAOSD VII, pages 1-22, 2010)
  48. CMS: a complex, distributed system that must nevertheless be secure. (Kienzle et al., Crisis management systems: a case study for aspect-oriented modeling, TAOSD VII, pages 1-22, 2010)
  49. Security Patterns could be the solution, but...
  50. Using a catalog of security patterns improves neither the productivity of the software designer, nor the security of the design.
  51. We need more: bridge the gap between abstract security patterns and their detailed designs, their application, and especially their interrelations. Example: the Authentication Enforcer pattern.
  52. SOLUTION: An MDS approach based on a library-like System of Security design Patterns (SoSPa for short). Security design patterns are specified as reusable aspect models. A refinement process leads from abstract design patterns to detailed security design patterns. Inter-pattern relations guide the systematic selection of the right security design patterns for the job.
  53. SOLUTION: Security Patterns are specified as Reusable Aspect Models (RAM). Example: the Session pattern as an aspect.
  54. Extended RAM metamodel to support SoSPa.
  55. Feature model for specifying the interrelations among security patterns.
  56. Interrelations among the security patterns.
  57. A partial feature model of Authentication.
  60. Pattern-Driven Secure Systems Development Process: (1) security threats identification & analysis; (2) security design patterns selection and application: Step 1, constructing security solutions from the security patterns in SoSPa; Step 2, defining mappings to integrate the newly built security solutions into a base system model; Step 3, weaving the security solutions into the base system model; (3) verification & validation of the security patterns' application.
  61. A partial view of CMS with part of the createMission function.
  62. Selected security design patterns for building the security solution for CMS.
  63. Woven Model: the woven class diagram of CMS including the security patterns' classes.
  64. Woven Model (continued).
  65. Recap MDS with Reusability: SoSPa, a System of Security Design Patterns for Systematically Engineering Secure Systems.
  67. Summary 1: An Extensive Systematic Review on the Model-Driven Development of Secure Systems.
  68. Summary 2: MDS with Modularity for Dynamic Adaptation of Secure Systems.
  69. Summary 3: MDS with Reusability, a System of Security Design Patterns for Systematically Engineering Secure Systems.
  71. Future work: develop MDS tool chains; extend SoSPa with an impact model and testing; combine the SoSPa approach with delegation?
  72. Another direction: Security Modelling and Model-Based Security Testing of Cyber-Physical Systems under Uncertainty (http://www.u-test.eu).
  73. Publications: Systematic Review and Advances in MDS. 1. Phu Hong Nguyen, Max E. Kramer, Jacques Klein, and Yves Le Traon. "An Extensive Systematic Review on the Model-Driven Development of Secure Systems." Information and Software Technology, 2015. 2. Phu Hong Nguyen, Jacques Klein, Yves Le Traon, and Max E. Kramer. "A Systematic Review of Model-Driven Security." In 20th Asia-Pacific Software Engineering Conference (APSEC 2013), vol. 1, pp. 432-441. IEEE, 2013. 3. Levi Lucio, Qin Zhang, Phu Hong Nguyen, Moussa Amrani, Jacques Klein, Hans Vangheluwe, and Yves Le Traon. "Advances in Model-Driven Security." Advances in Computers 93 (2014): 103-152.
  74. Publications: MDS with Modularity. 4. Phu Hong Nguyen, Gregory Nain, Jacques Klein, Tejeddine Mouelhi, and Yves Le Traon. "Modularity and Dynamic Adaptation of Flexibly Secure Systems: Model-Driven Adaptive Delegation in Access Control Management." In Transactions on Aspect-Oriented Software Development XI, pp. 109-144. Springer Berlin Heidelberg, 2014. 5. Phu Hong Nguyen, Gregory Nain, Jacques Klein, Tejeddine Mouelhi, and Yves Le Traon. "Model-Driven Adaptive Delegation." In Proceedings of the 12th Annual International Conference on Aspect-Oriented Software Development, pp. 61-72. ACM, 2013. 6. Phu Hong Nguyen, Mike Papadakis, and Iram Rubab. "Testing Delegation Policy Enforcement via Mutation Analysis." In IEEE Sixth International Conference on Software Testing, Verification and Validation Workshops (ICSTW 2013), pp. 34-42. IEEE, 2013.
  75. Publications: MDS with Reusability. 7. Phu Hong Nguyen, Koen Yskout, Thomas Heyman, Jacques Klein, Riccardo Scandariato, and Yves Le Traon. "SoSPa: A System of Security Design Patterns for Systematically Engineering Secure Systems." In ACM/IEEE 18th International Conference on Model Driven Engineering Languages and Systems (MODELS), 2015. 8. Phu Hong Nguyen, Jacques Klein, and Yves Le Traon. "Model-Driven Security with a System of Aspect-Oriented Security Design Patterns." In 2nd Workshop on View-Based, Aspect-Oriented and Orthographic Software Modelling, 2014.
