130118 sergio luis da silva jr. - an approach to formalise security patterns

•

0 likes•621 views

Ptidej Team

Security patterns, pattern detection,

Technology Entertainment & Humor

An Approach to Formalise Security Patterns

Luis Sergio da Silva Junior,
´
Ecole Polytechnique de Montr´al
e

March, 2013

Sergio

An Approach to Formalise Security Patterns

1/ 19

Context

Software Development
• Methods, Techniques and Tools
• Reuse
• Design Patterns
• Security Patterns

Sergio

An Approach to Formalise Security Patterns

2/ 19

Security Patterns

Properties
• Group of patterns focused on security context
• Threat, Attack, Attacker, Asset etc
• UML diagrams
• Originally, not formally speciﬁed

Sergio

An Approach to Formalise Security Patterns

3/ 19

Security Patterns

Example 1
• Single Access Point
• Guard Door

Sergio

An Approach to Formalise Security Patterns

4/ 19

Security Patterns

Sergio

An Approach to Formalise Security Patterns

5/ 19

Security Patterns

Example 2
• Roles
• Group of roles
• Restrict Access

Sergio

An Approach to Formalise Security Patterns

6/ 19

Formal Methods

Deﬁnition
Formal Methods (FM) consist of a set of techniques and tools based
on mathematical modeling and formal logic that are used to specify and verify requirements and designs for computer systems and
software
OCL and extensions
Petri Nets
ASM
others

Sergio

An Approach to Formalise Security Patterns

7/ 19

Formalizing Security Patterns

Correct implementation of restrictions and properties
Avoid Threats and bad implementation
Security Improvement

Sergio

An Approach to Formalise Security Patterns

8/ 19

Petri Nets

Places, Tokens and Arcs
Diﬀerent Types (Coloured, Temporized )
CPN-Tools
Why Petri Nets ?

Sergio

An Approach to Formalise Security Patterns

9/ 19

Study Case

Sender-Receiver example
Microarchitecture example
constraint - the size of the message cannot be longer
than 10
Structural analysis - PADL and Reﬂection structure
Behavioural analysis - Comparison between the pattern and
the Petri Net structure
Sergio

An Approach to Formalise Security Patterns

10/ 19

Structural analysis

Pattern detection through structural analysis
Class diagrams
Send its result to the next step

Sergio

An Approach to Formalise Security Patterns

11/ 19

Structural analysis

Sergio

An Approach to Formalise Security Patterns

12/ 19

Structural analysis

Create a Pattern Model using PADL
Comparison with Real objects - using Java Reﬂection API
Compare all attributes, associations
Display accuracy.

Sergio

An Approach to Formalise Security Patterns

13/ 19

Behavioural analysis

Sergio

An Approach to Formalise Security Patterns

14/ 19

Behavioural Analysis

Create Coloured Petri Net Model by CPN-Tools
Using XML extractor from the .cpn ﬁle
Using Classes, Interfaces to keep the information on Java
structure
Extract method internal structure from .java ﬁle
Compare expressions and attributions from the java source
code with the Petri net arc inscription.
Display accuracy
Sergio

An Approach to Formalise Security Patterns

15/ 19

Behavioural analysis

Expressions and Attributions

Sergio

An Approach to Formalise Security Patterns

16/ 19

Future Work

Testing with a Real System
Single Access Point, Roles, Session
Evaluate Version with Simulation of Petri Net model
More Formal Methods
Provide running analysis.

Sergio

An Approach to Formalise Security Patterns

17/ 19

Future Work

Find the pattern in some complex structure
Petri Net restriction - named places and transitions
Diﬀerent calls, same idea (length and size)

Sergio

An Approach to Formalise Security Patterns

18/ 19

Acknowledgment

Sergio

An Approach to Formalise Security Patterns

19/ 19

Similar to 130118 sergio luis da silva jr. - an approach to formalise security patterns

Because software developers are not necessarily security experts, identifying potential threats and vulnerabilities in the early stage of the development process is often insufficient. Even if these issues are addressed at an early stage, it does not guarantee that the final software product actually satisfies security requirements. To realize secure design and implementation, we propose extended security patterns, which include requirement- and design-level patterns as well as a new model testing and model-based code testing process. Our approach is implemented in a tool called TESEM, Test Driven Secure Modeling Tool, which supports pattern applications by creating a script to execute model testing automatically (ARES'13, IJSSE'14, ICST'15). Moreover we recently extended the tool to support testing of security design patterns implementation by preparing testcase templates (ARES'14). By using the tool, developers can specify threats and vulnerabilities in the target design and implementation according to security design patterns, verify whether the security patterns are properly applied, and assesses whether these vulnerabilities are resolved.

TESEM: A Tool for Verifying Security Design Pattern Applications

Hironori Washizaki

CNSM 2022 - An Online Framework for Adapting Security Policies in Dynamic IT ...

Kim Hammar

Network simulator survey

Wei Lin

AMI Security 101 - Smart Grid Security East 2011

dma1965

Self-Learning Systems for Cyber Security

Kim Hammar

INTERFACE by apidays 2023 APIs for a “Smart” economy. Embedding AI to deliver Smart APIs and turn into an exponential organization June 28 & 29, 2023 Security Exposure Management in API First World Sandeep Nain, VP Security and Trust at Carta ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...

apidays

Hack2Secure Assists Organization in Secure Application Development Through BS...

hack2s

Course overview Cybersecurity and its applications

Sanket Shikhar

GridWise 2010 Cyber Security Update

Andy Bochman

Security in Machine Learning

Flavio Clesio

Application Security - Dont leave your AppSec for the last moment Meetup 2104...

lior mazor

Architecture centric support for security orchestration and automation

Chadni Islam

#1 formal methods – introduction for software engineering

Sharif Omar Salem

CrAlSim: A Cryptography Algorithm Simulator

IRJET Journal

our project presentation on online trading

Bindiya syed

—We present a novel emulation system for creating high-fidelity digital twins of IT infrastructures. The digital twins replicate key functionality of the corresponding infrastructures and allow to play out security scenarios in a safe environment. We show that this capability can be used to automate the process of finding effective security policies for a target infrastructure. In our approach, a digital twin of the target infrastructure is used to run security scenarios and collect data. The collected data is then used to instantiate simulations of Markov decision processes and learn effective policies through reinforcement learning, whose performances are validated in the digital twin. This closed-loop learning process executes iteratively and provides continuously evolving and improving security policies. We apply our approach to an intrusion response scenario. Our results show that the digital twin provides the necessary evaluative feedback to learn near-optimal intrusion response policies.

Digital Twins for Security Automation

Kim Hammar

Recently, many research studies have suggested the integration of safety engineering at an early stage of modeling and system development using Model-Driven Architecture (MDA). This concept consists in deploying the UML (Unified Modeling Language) standard as aprincipal metamodel for the abstractions of different systems. To our knowledge, most of this work has focused on integrating security requirements after the implementation phase without taking them into account when designing systems. In this work, we focused our efforts on non-functional aspects such as the business logic layer, data flow monitoring, and high-quality service delivery. Practically, we have proposed a new UML profile for security integration and code generation for the Java platform. Therefore, the security properties will be described by a UML profile and the OCL language to verify the requirements of confidentiality, authorization, availability, data integrity, and data encryption. Finally, the source code such as the application security configuration, the method signatures and their bodies, the persistent entities and the security controllers generated from sequence diagram of system’s internal behavior after its extension with this profile and applying a set of transformations.

A UML Profile for Security and Code Generation

IJECEIAES

2015 03-04 presentation1

ifi8106tlu

Security issues often neglected until coding step in software development process, and changing in this step leads to maximize time and cost consuming depending on the size of the project. Applying security on design phase can fix vulnerabilities of the software earlier in the project and minimize the time and cost of the software by identifying security flaws earlier in the software life cycle. This work concerns with discussing security metrics for object oriented class design, and implementing these metrics from Enterprise Architect class diagram using a proposed CASE tool.

Conducting Security Metrics for Object-Oriented Class Design

IJCSIS Research Publications

UMLassure: An approach to model software security

manishthaper

Similar to 130118 sergio luis da silva jr. - an approach to formalise security patterns (20)

TESEM: A Tool for Verifying Security Design Pattern Applications

CNSM 2022 - An Online Framework for Adapting Security Policies in Dynamic IT ...

Network simulator survey

AMI Security 101 - Smart Grid Security East 2011

Self-Learning Systems for Cyber Security

INTERFACE by apidays 2023 - Security Exposure Management in API First World, ...

Hack2Secure Assists Organization in Secure Application Development Through BS...

Course overview Cybersecurity and its applications

GridWise 2010 Cyber Security Update

Security in Machine Learning

Application Security - Dont leave your AppSec for the last moment Meetup 2104...

Architecture centric support for security orchestration and automation

#1 formal methods – introduction for software engineering

CrAlSim: A Cryptography Algorithm Simulator

our project presentation on online trading

Digital Twins for Security Automation

A UML Profile for Security and Code Generation

2015 03-04 presentation1

Conducting Security Metrics for Object-Oriented Class Design

UMLassure: An approach to model software security

Recently uploaded

Microsoft CSP Briefing Pre-Engagement - Questionnaire

Exakis Nelite

Ruby has a lot of standard libraries from Ruby 1.8. I promote them democratically with GitHub today via default and bundled gems. So, I'm working to extract them for Ruby 3.4 continuously and future versions. It's long journey for me. After that, some versions may suddenly happen LoadError at require when running bundle exec or bin/rails, for example matrix or net-smtp. We need to learn what's difference default/bundled gems with standard libraries. In this presentation, I will introduce what's the difficult to extract bundled gems from default gems and the details of the functionality that Ruby's require and bundle exec with default/bundled gems. You can learn how handle your issue about standard libraries.

Long journey of Ruby Standard library at RubyKaigi 2024

Hiroshi SHIBATA

WebAssembly is Key to Better LLM Performance

Samy Fodil

Oauth 2.0 Introduction and Flows with MuleSoft

shyamraj55

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

FIDO Alliance

WebRTC and SIP not just audio and video @ OpenSIPS 2024

Lorenzo Miniero

Portal Kombat : extension du réseau de propagande russe

中央社

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...

FIDO Alliance

The Metaverse: Are We There Yet?

Mark Billinghurst

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

FIDO Alliance

Are you wondering why everyone is talking about the Flutterwave scandal? You’re not alone! It’s been in the news a lot. We’re going to tell you all about the Flutterwave Scandal in a way that’s easy to get. Keep reading, because we’re going to share the whole story with you. The company Flutterwave is headquartered in San Francisco, California, United States. In 2016, Iyinoluwa Aboyeji, Olugbenga Agboola, and Adeleke Adekoya established Flutterwave. It offers a payment infrastructure to international merchants and payment service providers throughout Africa. The company operates in various African countries including Nigeria, Kenya, Uganda, Ghana, South Africa, and others. They focus on digital payments, helping businesses accept and process payments on various channels like the web, mobile, ATM, and POS. Recently, they’ve been in the news due to allegations of misconduct within the company, which has affected their reputation and value. Flutterwave is an essential player in the African fintech landscape, aiming to drive growth for banks and businesses through digital payment solutions. The Flutterwave scandal involves allegations of misconduct and inappropriate behaviour towards female employees by the company’s co-founder and CEO, Olugbenga Agboola. Reports have surfaced from both current and former employees about bullying, intimidation, and sexual harassment at work. The allegations of inappropriate behaviour towards female employees at Flutterwave, specifically involving the CEO Olugbenga Agboola, were brought to public attention in April 2022.This was when Clara Wanjiku Odero, an ex-employee and current CEO of Credrails, published a Medium post and a series of tweets on April 4, 2022, accusing Flutterwave and Agboola of bullying. These allegations were part of a broader range of misconduct claims that surfaced around the same time The reasons behind the scandal are rooted in accusations of unethical behavior within the company. The allegations suggest a workplace culture that allowed for misconduct and failed to protect employees from harassment and intimidation. Specifically, the Flutterwave scandal refers to the series of events where the CEO was accused of engaging in improper conduct with female colleagues. This led to a broader investigation into the company’s practices and raised serious concerns about the fintech’s corporate governance. The scandal had significant repercussions, including a drop in the company’s stock price and a loss of trust among customers and partners. The trust that customers and investors had in Flutterwave was greatly damaged. People started to doubt the company’s integrity and whether their money and personal information were safe. Market Impact The scandal shook the entire fintech market. Flutterwave’s competitors saw this as an opportunity and started to attract customers who were leaving Flutterwave.

Breaking Down the Flutterwave Scandal What You Need to Know.pdf

UK Journal

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...

FIDO Alliance

This talk offers actionable insights at an executive level for enhancing productivity and refining your portfolio management approach to propel your organization to greater heights. Key Points Covered: 1. Experience Transformation: - The core challenge remains consistent across organizations: converting budget into user-centric designs. - Strategies for deploying design resources effectively in both startups and large enterprises. 2. Strategic Frameworks: - Introduction to the "Ziggurat of Impact" model, detailing layers from basic system interactions to comprehensive customer experiences. - Practical insights on creating frameworks that scale with organizational complexity. 3. Organizational Impact: - Real-world examples of navigating design in large settings, focusing on the synthesis of consumer products and customer experiences. - Emphasis on the importance of designing systems that directly influence customer interactions. 4. Design Execution: - Detailed walkthrough of organizational layers affecting design execution, from touchpoints and customer activities to shared capabilities. - How to ensure design influences both the micro and macro aspects of customer interactions. 5. Measurement and Adaptation: - Techniques for measuring the impact of design decisions and adapting strategies based on data-driven insights. - The critical role of continuous improvement and feedback in refining customer experiences.

Structuring Teams and Portfolios for Success

UXDXConf

Using IESVE for Room Loads Analysis - UK & Ireland

IES VE

Working together SRE & Platform Engineering

Marcus Vechiato

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

FIDO Alliance

Hyatt driving innovation and exceptional customer experiences with FIDO passw...

FIDO Alliance

Google I/O Extended 2024 Warsaw

GDSC PJATK

Intro to Passkeys and the State of Passwordless.pptx

FIDO Alliance

Event-Driven Architecture Masterclass: Challenges in Stream Processing

ScyllaDB

Recently uploaded (20)

Microsoft CSP Briefing Pre-Engagement - Questionnaire

Long journey of Ruby Standard library at RubyKaigi 2024

WebAssembly is Key to Better LLM Performance

Oauth 2.0 Introduction and Flows with MuleSoft

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

WebRTC and SIP not just audio and video @ OpenSIPS 2024

Portal Kombat : extension du réseau de propagande russe

FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...

The Metaverse: Are We There Yet?

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

Breaking Down the Flutterwave Scandal What You Need to Know.pdf

Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...

Structuring Teams and Portfolios for Success

Using IESVE for Room Loads Analysis - UK & Ireland

Working together SRE & Platform Engineering

Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf

Hyatt driving innovation and exceptional customer experiences with FIDO passw...

Google I/O Extended 2024 Warsaw

Intro to Passkeys and the State of Passwordless.pptx

Event-Driven Architecture Masterclass: Challenges in Stream Processing

130118 sergio luis da silva jr. - an approach to formalise security patterns

1. An Approach to Formalise Security Patterns Luis Sergio da Silva Junior, ´ Ecole Polytechnique de Montr´al e March, 2013 Sergio An Approach to Formalise Security Patterns 1/ 19

2. Context Software Development • Methods, Techniques and Tools • Reuse • Design Patterns • Security Patterns Sergio An Approach to Formalise Security Patterns 2/ 19

3. Security Patterns Properties • Group of patterns focused on security context • Threat, Attack, Attacker, Asset etc • UML diagrams • Originally, not formally speciﬁed Sergio An Approach to Formalise Security Patterns 3/ 19

4. Security Patterns Example 1 • Single Access Point • Guard Door Sergio An Approach to Formalise Security Patterns 4/ 19

5. Security Patterns Sergio An Approach to Formalise Security Patterns 5/ 19

6. Security Patterns Example 2 • Roles • Group of roles • Restrict Access Sergio An Approach to Formalise Security Patterns 6/ 19

7. Formal Methods Deﬁnition Formal Methods (FM) consist of a set of techniques and tools based on mathematical modeling and formal logic that are used to specify and verify requirements and designs for computer systems and software OCL and extensions Petri Nets ASM others Sergio An Approach to Formalise Security Patterns 7/ 19

8. Formalizing Security Patterns Correct implementation of restrictions and properties Avoid Threats and bad implementation Security Improvement Sergio An Approach to Formalise Security Patterns 8/ 19

9. Petri Nets Places, Tokens and Arcs Diﬀerent Types (Coloured, Temporized ) CPN-Tools Why Petri Nets ? Sergio An Approach to Formalise Security Patterns 9/ 19

10. Study Case Sender-Receiver example Microarchitecture example constraint - the size of the message cannot be longer than 10 Structural analysis - PADL and Reﬂection structure Behavioural analysis - Comparison between the pattern and the Petri Net structure Sergio An Approach to Formalise Security Patterns 10/ 19

11. Structural analysis Pattern detection through structural analysis Class diagrams Send its result to the next step Sergio An Approach to Formalise Security Patterns 11/ 19

12. Structural analysis Sergio An Approach to Formalise Security Patterns 12/ 19

13. Structural analysis Create a Pattern Model using PADL Comparison with Real objects - using Java Reﬂection API Compare all attributes, associations Display accuracy. Sergio An Approach to Formalise Security Patterns 13/ 19

14. Behavioural analysis Sergio An Approach to Formalise Security Patterns 14/ 19

15. Behavioural Analysis Create Coloured Petri Net Model by CPN-Tools Using XML extractor from the .cpn ﬁle Using Classes, Interfaces to keep the information on Java structure Extract method internal structure from .java ﬁle Compare expressions and attributions from the java source code with the Petri net arc inscription. Display accuracy Sergio An Approach to Formalise Security Patterns 15/ 19

16. Behavioural analysis Expressions and Attributions Sergio An Approach to Formalise Security Patterns 16/ 19

17. Future Work Testing with a Real System Single Access Point, Roles, Session Evaluate Version with Simulation of Petri Net model More Formal Methods Provide running analysis. Sergio An Approach to Formalise Security Patterns 17/ 19

18. Future Work Find the pattern in some complex structure Petri Net restriction - named places and transitions Diﬀerent calls, same idea (length and size) Sergio An Approach to Formalise Security Patterns 18/ 19

19. Acknowledgment Sergio An Approach to Formalise Security Patterns 19/ 19

130118 sergio luis da silva jr. - an approach to formalise security patterns

Recommended

Recommended

More Related Content

Similar to 130118 sergio luis da silva jr. - an approach to formalise security patterns

Similar to 130118 sergio luis da silva jr. - an approach to formalise security patterns (20)

More from Ptidej Team

More from Ptidej Team (20)

Recently uploaded

Recently uploaded (20)

130118 sergio luis da silva jr. - an approach to formalise security patterns