a secure mda process l.
Skip this Video
Loading SlideShow in 5 Seconds..
A Secure MDA Process PowerPoint Presentation
Download Presentation
A Secure MDA Process

Loading in 2 Seconds...

play fullscreen
1 / 35

A Secure MDA Process - PowerPoint PPT Presentation

  • Uploaded on

A Secure MDA Process. Masters Thesis Progress Report 8/24/2007 Patrick Morrison. Agenda. Thesis overview “Sampler” of work-to-date Next Steps. Thesis Abstract. Thesis evaluates the use of Model-Driven Architecture (MDA) in support of methodology lifecycle.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'A Secure MDA Process' - gavivi

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
a secure mda process

A Secure MDA Process

Masters Thesis Progress Report


Patrick Morrison

  • Thesis overview
  • “Sampler” of work-to-date
  • Next Steps
thesis abstract
Thesis Abstract
  • Thesis
    • evaluates the use of Model-Driven Architecture (MDA) in support of methodology lifecycle.
    • follows the recommendations of this secure systems methodology, using MDA models to represent phase information.
    • Analyzes remote terminal access, as illustrated by the internet “secure shell”protocol, ssh
    • observes the ability of MDA models and transformations to specify remote access in each lifecycle phase. MDA’s strengths and weaknesses can be evaluated in this context.
    • aims to extract concepts that can be contained in an MDA security meta-model for use in future projects.
mda claim evaluated
MDA Claim evaluated
  • [by using] “precise but abstract and graphical representations of algorithms, MDA allows the construction of computing systems from models that can be understood much more quickly and deeply than can programming language “code” [Mel04].
thesis goals
Thesis Goals
  • Measure MDA’s utility in each phase of the development lifecycle for a well-known problem.
  • Obtain a potentially reusable MDA meta-model for security concepts.
  • Lay a foundation for MDA-related work on the secure systems methodology [Fer06a].
thesis approach
Thesis Approach
  • Establish an MDA tool-chain
  • Choose a known problem; remote access, as exemplified by SSH
  • Build MDA models for example at each lifecycle stage; requirements, analysis, design, implementation
  • Evaluate MDA models against example’s properties and their use in the lifecycle.
evaluation criteria
Evaluation criteria
  • Do the MDA models capture what is known about remote access/ssh?
  • Do the MDA models aid in reasoning about the goals of each lifecycle stage?
  • Can the MDA models for a lifecycle phase be transformed in ways useful to the next phase?
tool chain
  • UML Editor, Model creation, XMI generation – MagicDraw
  • Model-to-Model, Model-to-Text transformation – openArchitectureWare
  • Target Platform - Java
  • Integration - Eclipse
ssh secure shell
SSH: Secure Shell
  • Secure Shell (SSH) Protocol [RFC’s 4250-3]…
    • enables secure remote login and other secure network services over an insecure network.
    • interactive login sessions, and remote execution of commands.
    • Multiple sessions can be active simultaneously.
    • server authentication, client authentication, confidentiality, integrity, and perfect forward security.
    • Authentication methods include, but are not limited to, public key, password, and host-based client authentication methods.
ssh security concerns
SSH Security Concerns
  • [RFC 4251] addresses…
    • Pseudo-random number generation
    • Control character filtering
    • Confidentiality
    • Data Integrity
    • Replay attacks
    • Man-in-the-middle attacks
    • Denial of Service
    • Covert Channels
    • Forward Secrecy
    • Traffic analysis

Question: How do we define a meta-model suitable for annotating these objects with their security concerns?

mda requirements summary
MDA Requirements Summary
  • Possible to capture actors, use cases
  • Security analysis depends on the skill of the analyst, as with previous approaches
  • No standard model has yet been defined for capturing, annotating security concerns in requirements models
mda requirements possibilities
MDA Requirements possibilities…
  • Given structured meta-models for requirements, transformations on models built on these meta-models can, for example, yield advice on possible analysis models for a given set of requirements.
  • One possible way to approach this would be to use the sequence and class diagrams built in the first phase of analysis as search terms against a database of patterns, selecting patterns where the context matches the input terms.
  • “Develop a description of the problem to be solved, in terms of the objects and relationships that participate”
  • Address all functional and non-functional requirements
a multitude of models
A multitude of models…
  • UMLSec [Jur05], p. 50-52, uses UML tags and stereotypes on diagrams to annotate concerns such as ‘secrecy’, ‘integrity’, ‘authenticity’, ‘fair exchange’ and ‘secure links’.
  • SecureUML defines a meta-model for RBAC using the concepts and terms ‘Role’, ‘Subject’, Permission’, ‘Action’, ‘Resource’.
  • Nagaratnam [Nag05] uses the primitives ‘audit’, ‘authenticate’, ‘authorize’, ‘confidentiality’ and ‘integrity’ to capture security constraints.
  • Microsoft’s manual security verification process uses “STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege” to classify possible security threats.
  • Solving a given analysis problem requires choosing suitable vocabulary; in MDA development, this must be translated into a meta-model which represents the semantics of this vocabulary. For the thesis work, we have ‘borrowed’ from UMLSec.
analysis further work
Analysis: Further work…
  • The current work simply represents objects as suggested by analysis in the basic UML2 meta-model, which leaves the semantic details of the objects described open to interpretation. Finding a more constrained meta-model is necessary in order for the attached security information to be precise.
  • The design phase concerns itself with the creation of a solution in response to the defined problem.
  • The principal contributions of MDA to design are the ability to record descriptions and behavior of objects and their relationships more specifically than structured natural language allows, while at a more abstract level than programming language source.
design 2
Design [2]
  • The methodology [Fer06b] discusses several generic options for translation from analysis to design, mentioning the MVC and Layers patterns as good options for cleanly structuring designs.
  • Process for consideration:
    • Copy existing analysis objects over to the design model, while adapting them for the target architecture and platform.
    • Elaborate on the model objects, creating support objects where necessary
    • Package, or re-package, classes into cohesive groups.
  • Ganymed SSH-2 for Java is an open-source implementation of the ssh specification in Java
  • Possible to reverse-engineer UML diagrams from Java source…
java source for sequence diagram
Java source for sequence diagram…

Connection conn = new Connection(hostname);


boolean isAuthenticated = conn.authenticateWithPassword(username, password);

if (isAuthenticated == false)

throw new IOException("Authentication failed.");

Session sess = conn.openSession();

sess.execCommand("uname -a && date && uptime && who");

System.out.println("Here is some information about the remote host:");

InputStream stdout = new StreamGobbler(sess.getStdout());

BufferedReader br = new BufferedReader(new InputStreamReader(stdout));

while (true)


String line = br.readLine();

if (line == null)




System.out.println("ExitCode: " + sess.getExitStatus());



summary of work to this point
Summary of work to this point…
  • It is possible to create UML models that represent requirements, analysis, design, implementation concerns, at least to some degree
  • Significant effort to create models for an appreciable fraction of even a small system
  • Identified that meta-models are required in order to unify the work products of each stage
next steps
Next Steps
  • Refine models at each stage
  • Work out suitable meta-models, in stages
    • Requirements-Analysis
    • Analysis-Design
    • Design-Implementation (solved for UML2-Java case)
  • Capture information (e.g. threats, attacks, defenses) in meta-models
  • Too large a territory?
    • MDA + Security + Software Development Lifecycle + Distributed Systems
  • Example has changed three times
    • “Soupcan” chat system -> telnet -> ssh
      • Still not sure I’m at the right level
  • Your suggestions for focus in further work would be appreciated.
  • [Mel04] S.J. Mellor, K. Scott, A. Uhl, D. Weise, MDA Distilled, Addison-Wesley
  • [Nag05] N. Nagaratnam, A. Nadalin, M. Hondo, M. McIntosh, P. Austel, “Business-driven application security: From modeling to managing secure applications”, IBM Systems Journal, Vol. 44, No. 4, 2004