1. An Approach to Formalise Security Patterns
Luis Sergio da Silva Junior,
École Polytechnique de Montréal
March, 2013
Sergio
An Approach to Formalise Security Patterns
1/ 19
2. Context
Software Development
• Methods, Techniques and Tools
• Reuse
• Design Patterns
• Security Patterns
3. Security Patterns
Properties
• Group of patterns focused on security context
• Threat, Attack, Attacker, Asset etc
• UML diagrams
• Originally, not formally specified
4. Security Patterns
Example 1
• Single Access Point
• Guard Door
6. Security Patterns
Example 2
• Roles
• Group of roles
• Restrict Access
7. Formal Methods
Definition
Formal Methods (FM) consist of a set of techniques and tools based on mathematical modeling and formal logic that are used to specify and verify requirements and designs for computer systems and software.
OCL and extensions
Petri Nets
ASM
others
8. Formalizing Security Patterns
Correct implementation of restrictions and properties
Avoid Threats and bad implementation
Security Improvement
9. Petri Nets
Places, Tokens and Arcs
Different Types (Coloured, Timed)
CPN-Tools
Why Petri Nets?
10. Case Study
Sender-Receiver example
Microarchitecture example
Constraint - the size of the message cannot be longer than 10
Structural analysis - PADL and Reflection structure
Behavioural analysis - Comparison between the pattern and the Petri Net structure
11. Structural analysis
Pattern detection through structural analysis
Class diagrams
Send its result to the next step
13. Structural analysis
Create a Pattern Model using PADL
Comparison with Real objects - using Java Reflection API
Compare all attributes, associations
Display accuracy.
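A sketch of the reflection step described on this slide, added here as an illustration and not taken from the presentation or its tooling. The `Sender`, `Receiver` and `Message` classes are constructed samples, and a plain map stands in for the PADL pattern model, whose real API is not shown on the slides.

```java
import java.lang.reflect.Field;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class StructuralCheck {
    // Constructed sample classes for the Sender-Receiver case (hypothetical names).
    static class Message { String body; }
    static class Receiver { List<Message> inbox; }
    static class Sender { Receiver target; int maxSize; }

    // Stand-in for a pattern model: expected member name -> expected type.
    // Assumption for illustration only; a PADL model carries more structure.
    static Map<String, Class<?>> senderRole() {
        Map<String, Class<?>> m = new LinkedHashMap<>();
        m.put("target", Receiver.class);  // association Sender -> Receiver
        m.put("maxSize", int.class);      // attribute holding the message size limit
        m.put("channel", Object.class);   // required by the model, absent from the code
        return m;
    }

    // Fraction of expected members present on the candidate with a compatible type.
    static double accuracy(Class<?> candidate, Map<String, Class<?>> expected) {
        if (expected.isEmpty()) return 1.0;
        int matched = 0;
        for (Map.Entry<String, Class<?>> e : expected.entrySet()) {
            try {
                Field f = candidate.getDeclaredField(e.getKey());
                if (e.getValue().isAssignableFrom(f.getType())) {
                    matched++;
                } else {
                    System.out.println("type mismatch: " + e.getKey());
                }
            } catch (NoSuchFieldException ex) {
                // A missing member is a deviation from the pattern, not an error.
                System.out.println("missing member: " + e.getKey());
            }
        }
        return (double) matched / expected.size();
    }

    public static void main(String[] args) {
        double acc = accuracy(Sender.class, senderRole());
        System.out.printf("Sender role accuracy: %.0f%%%n", acc * 100);
    }
}
```

Reporting the missing and mismatched members alongside the score shows which part of the pattern the implementation deviates from, which a bare accuracy figure does not.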
15. Behavioural Analysis
Create Coloured Petri Net Model by CPN-Tools
Using XML extractor from the .cpn file
Using Classes, Interfaces to hold the information in a Java structure
Extract method internal structure from .java file
Compare expressions and assignments from the Java source code with the Petri net arc inscription.
Display accuracy
17. Future Work
Testing with a Real System
Single Access Point, Roles, Session
Evaluate Version with Simulation of Petri Net model
More Formal Methods
Provide running analysis.
18. Future Work
Find the pattern in some complex structure
Petri Net restriction - named places and transitions
Different calls, same idea (length and size)