1 / 35

A Secure MDA Process

A Secure MDA Process. Masters Thesis Progress Report 8/24/2007 Patrick Morrison. Agenda. Thesis overview “Sampler” of work-to-date Next Steps. Thesis Abstract. Thesis evaluates the use of Model-Driven Architecture (MDA) in support of methodology lifecycle.

gavivi
Download Presentation

A Secure MDA Process

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Secure MDA Process Masters Thesis Progress Report 8/24/2007 Patrick Morrison

  2. Agenda • Thesis overview • “Sampler” of work-to-date • Next Steps

  3. Thesis Abstract • Thesis • evaluates the use of Model-Driven Architecture (MDA) in support of methodology lifecycle. • follows the recommendations of this secure systems methodology, using MDA models to represent phase information. • Analyzes remote terminal access, as illustrated by the internet “secure shell”protocol, ssh • observes the ability of MDA models and transformations to specify remote access in each lifecycle phase. MDA’s strengths and weaknesses can be evaluated in this context. • aims to extract concepts that can be contained in an MDA security meta-model for use in future projects.

  4. MDA Claim evaluated • [by using] “precise but abstract and graphical representations of algorithms, MDA allows the construction of computing systems from models that can be understood much more quickly and deeply than can programming language “code” [Mel04].

  5. Thesis Goals • Measure MDA’s utility in each phase of the development lifecycle for a well-known problem. • Obtain a potentially reusable MDA meta-model for security concepts. • Lay a foundation for MDA-related work on the secure systems methodology [Fer06a].

  6. Thesis Approach • Establish an MDA tool-chain • Choose a known problem; remote access, as exemplified by SSH • Build MDA models for example at each lifecycle stage; requirements, analysis, design, implementation • Evaluate MDA models against example’s properties and their use in the lifecycle.

  7. Evaluation criteria • Do the MDA models capture what is known about remote access/ssh? • Do the MDA models aid in reasoning about the goals of each lifecycle stage? • Can the MDA models for a lifecycle phase be transformed in ways useful to the next phase?

  8. Tool-chain • UML Editor, Model creation, XMI generation – MagicDraw • Model-to-Model, Model-to-Text transformation – openArchitectureWare • Target Platform - Java • Integration - Eclipse

  9. Example Problem: Remote Access

  10. SSH: Secure Shell • Secure Shell (SSH) Protocol [RFC’s 4250-3]… • enables secure remote login and other secure network services over an insecure network. • interactive login sessions, and remote execution of commands. • Multiple sessions can be active simultaneously. • server authentication, client authentication, confidentiality, integrity, and perfect forward security. • Authentication methods include, but are not limited to, public key, password, and host-based client authentication methods.

  11. Methodology Phases Addressed

  12. Requirements: Use Case

  13. Attack Analysis

  14. SSH Security Concerns • [RFC 4251] addresses… • Pseudo-random number generation • Control character filtering • Confidentiality • Data Integrity • Replay attacks • Man-in-the-middle attacks • Denial of Service • Covert Channels • Forward Secrecy • Traffic analysis

  15. Question: How do we define a meta-model suitable for annotating these objects with their security concerns?

  16. MDA Requirements Summary • Possible to capture actors, use cases • Security analysis depends on the skill of the analyst, as with previous approaches • No standard model has yet been defined for capturing, annotating security concerns in requirements models

  17. MDA Requirements possibilities… • Given structured meta-models for requirements, transformations on models built on these meta-models can, for example, yield advice on possible analysis models for a given set of requirements. • One possible way to approach this would be to use the sequence and class diagrams built in the first phase of analysis as search terms against a database of patterns, selecting patterns where the context matches the input terms.

  18. Analysis • “Develop a description of the problem to be solved, in terms of the objects and relationships that participate” • Address all functional and non-functional requirements

  19. A multitude of models… • UMLSec [Jur05], p. 50-52, uses UML tags and stereotypes on diagrams to annotate concerns such as ‘secrecy’, ‘integrity’, ‘authenticity’, ‘fair exchange’ and ‘secure links’. • SecureUML defines a meta-model for RBAC using the concepts and terms ‘Role’, ‘Subject’, Permission’, ‘Action’, ‘Resource’. • Nagaratnam [Nag05] uses the primitives ‘audit’, ‘authenticate’, ‘authorize’, ‘confidentiality’ and ‘integrity’ to capture security constraints. • Microsoft’s manual security verification process uses “STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege” to classify possible security threats. • Solving a given analysis problem requires choosing suitable vocabulary; in MDA development, this must be translated into a meta-model which represents the semantics of this vocabulary. For the thesis work, we have ‘borrowed’ from UMLSec.

  20. Remote Access Analysis Model

  21. SSH Analysis Model

  22. Analysis: Further work… • The current work simply represents objects as suggested by analysis in the basic UML2 meta-model, which leaves the semantic details of the objects described open to interpretation. Finding a more constrained meta-model is necessary in order for the attached security information to be precise.

  23. Design • The design phase concerns itself with the creation of a solution in response to the defined problem. • The principal contributions of MDA to design are the ability to record descriptions and behavior of objects and their relationships more specifically than structured natural language allows, while at a more abstract level than programming language source.

  24. Design [2] • The methodology [Fer06b] discusses several generic options for translation from analysis to design, mentioning the MVC and Layers patterns as good options for cleanly structuring designs. • Process for consideration: • Copy existing analysis objects over to the design model, while adapting them for the target architecture and platform. • Elaborate on the model objects, creating support objects where necessary • Package, or re-package, classes into cohesive groups.

  25. SSH Transport Protocol Class Diagram

  26. SSH Transport Protocol Sequence Diagram

  27. Implementation • Ganymed SSH-2 for Java is an open-source implementation of the ssh specification in Java • Possible to reverse-engineer UML diagrams from Java source…

  28. Ganymed classes

  29. Ganymed sequence diagram…

  30. Java source for sequence diagram… Connection conn = new Connection(hostname); conn.connect(); boolean isAuthenticated = conn.authenticateWithPassword(username, password); if (isAuthenticated == false) throw new IOException("Authentication failed."); Session sess = conn.openSession(); sess.execCommand("uname -a && date && uptime && who"); System.out.println("Here is some information about the remote host:"); InputStream stdout = new StreamGobbler(sess.getStdout()); BufferedReader br = new BufferedReader(new InputStreamReader(stdout)); while (true) { String line = br.readLine(); if (line == null) break; System.out.println(line); } System.out.println("ExitCode: " + sess.getExitStatus()); sess.close(); conn.close();

  31. Summary of work to this point… • It is possible to create UML models that represent requirements, analysis, design, implementation concerns, at least to some degree • Significant effort to create models for an appreciable fraction of even a small system • Identified that meta-models are required in order to unify the work products of each stage

  32. Next Steps • Refine models at each stage • Work out suitable meta-models, in stages • Requirements-Analysis • Analysis-Design • Design-Implementation (solved for UML2-Java case) • Capture information (e.g. threats, attacks, defenses) in meta-models

  33. Help! • Too large a territory? • MDA + Security + Software Development Lifecycle + Distributed Systems • Example has changed three times • “Soupcan” chat system -> telnet -> ssh • Still not sure I’m at the right level • Your suggestions for focus in further work would be appreciated.

  34. References • [Mel04] S.J. Mellor, K. Scott, A. Uhl, D. Weise, MDA Distilled, Addison-Wesley • [Nag05] N. Nagaratnam, A. Nadalin, M. Hondo, M. McIntosh, P. Austel, “Business-driven application security: From modeling to managing secure applications”, IBM Systems Journal, Vol. 44, No. 4, 2004

More Related