Secure Systems Research Group - FAU A Pattern-Driven Process for Secure Service-Oriented Applications Ph.D Dissertation Defense Candidate: N. A. Delessy, Advisor: Dr E.B. Fernandez March 2008
Jan 01, 2016
Secure Systems Research Group - FAU
A Pattern-Driven Process for Secure Service-Oriented Applications
Ph.D Dissertation Defense
Candidate: N. A. Delessy, Advisor: Dr E.B. Fernandez
March 2008
Secure Systems Research Group - FAU
Agenda
• Introduction– Problem Statement– Methodology and Overview of the Solution– Summary of Contributions
• Related Work
Secure Systems Research Group - FAU
Agenda
• Contributions– The Pattern-Driven Process– Security-Enabled Metamodels for Service-
Oriented and Web Services-Based Applications– The Decision-Guiding Map of Security Patterns
and its Corresponding Catalog– The Chain of Model Transformation Definitions
• Conclusions and Future Work
Secure Systems Research Group - FAU
Introduction
• Problem Statement– Service-Oriented Architecture (SOA) considered to be
the new phase in the evolution of distributed enterprise applications
– SOA could enable the design and realization of flexible applications across multiple organizations
– Security issues associated with SOA:• trust establishment among actors in an inter-
organizational context – no central authority– users may not be known in advance
• channels of communication more vulnerable
Secure Systems Research Group - FAU
Introduction
• Problem Statement– Actual solutions:
• Production of numerous, often overlapping security standards by the industry
But there is no clear view of how to use them
• Security mechanisms and schemes proposed for SOA and web services
They are not new, they are used in current distributed systems
– A real problem hinders the widespread use of SOA: A methodology to design and build secure service-oriented applications is needed
Secure Systems Research Group - FAU
Introduction
• Methodology and Overview of the Solution– We adapt the methodology in [Fer06b],[Fer06c]
– Our process builds upon two different approaches to secure service-oriented applications:
• model-driven engineering • the use of security patterns.
Secure Systems Research Group - FAU
Introduction
• Methodology and Overview of the Solution– Security patterns are selected and applied at each
step of the development process.• We propose the use of a structured map
Their selection is rendered easier
• Their application are automated since our patterns are described using UML models
– In order to validate our process, we apply it to a real world example: a travel agency system
Secure Systems Research Group - FAU
Introduction
• Summary of Contributions– The Pattern-Driven Process:
• describes in detail the different activities and artifacts produced at each step of the development
– Security-Enabled Metamodels for Service-Oriented and Web Services-Based Applications:
• Allow the description of service-oriented and web services-based applications, with an emphasis on security, and in a flexible way, thanks to their security interfaces
Secure Systems Research Group - FAU
Introduction
• Summary of Contributions– The Decision-Guiding Map of Security Patterns and
its Corresponding Catalog• Identified patterns that covered all layers and policy
types• Wrote and publish some of them
– The Chain of Model Transformation Definitions• Described using the OMG standard QVT
Secure Systems Research Group - FAU
Related Work
• Several approaches have been presented to secure service oriented applications– Many use a formal approach, but they are applicable
in very specific cases • e.g. [Yua04] addresses low-level aspects of security at
the discovery phase of web services
– [Ala04] proposes a model-driven approach that extends OCL to define access control policies
– [Nak05] uses a MDA approach, but a low-level only
Secure Systems Research Group - FAU
Related Work
• Several approaches have been presented to secure service oriented applications– [Char05], [Ray04] are Aspect-Oriented approaches
to secure web services compositions, by resp. extending BPEL to insert pointcuts and defining model weaving operations
• the security expert would need to know resp. BPEL language or the unsecure application model
– [Gut06] presents a whole process to secure web services-based systems
• Not detailed, no mention of automatic transformations
Secure Systems Research Group - FAU
The Pattern-Driven Process
Software Lifecycle
StageActors MDA viewpoint Artifact Description of the artifact
Analysis Business analysts
Computational independent CIM Describes the problem space (customer needs, a.k.a. requirements)
Design Architects Platform independent PIM Describes how the chosen architectural style resolves the problem (i.e. in terms or components and connectors)
Refined Design
ArchitectsDevelopers
Platform specific PSM Describes how the problem is resolved using the chosen platform
Coding Developers Runtime execution Code/Configuration files
How the specific language and (virtual) machine resolves the problem
Secure Systems Research Group - FAU
The Pattern-Driven Process
Software Lifecycle
StageArtifact
Artifact for Service-oriented applications as a composition of
servicesTransformations
Analysis CIM UML conceptual class diagram, activity diagram derived from Use cases
CIM to PIM (1) is manualCIM2secCIM is a simple automated operation
Design PIM Class diagram in terms of services, activity diagram describing the service compositions
PIM2secPIM, and PIM to PSM (PIM2PSM) are automated
Refined Design
PSM Class diagram describing web services and activity diagram describing the web services interactions
PSM2secPSM is automated, PSM to code is semi-automated
Coding Code/Configuration files
WSDL files, BPEL files, XACML rules
Secure Systems Research Group - FAU
The Pattern-Driven
Process
Secure Systems Research Group - FAU
Example: Travel Agency
Secure Systems Research Group - FAU
Example: Travel
Agency
Secure Systems Research Group - FAU
The Security-Enabled Metamodel for Service-Oriented Applications
• Survey of existing SOA metamodels• A security-enabled metamodel, not a secure
metamodel– For enhanced flexibility: security patterns can be
added dynamically
• Includes a simple security interface– Designed from the security requirements for service
oriented applications
Secure Systems Research Group - FAU
The Security-Enabled Metamodel for Service-Oriented Applications
Security goals/Trust Security Requirements Policy type
Confidentiality of stored information
SR1. Access to services and their operations must be controlled Access Control policies
SR2. Service requesters must be authenticated Authentication policies
Confidentiality of information in transmission
SR3. The contents of exchanged messages must be kept confidentialMessage-level confidentiality policies
Integrity of stored informationSR1. Access to services and their operations must be controlled Access Control policies
SR2. Service requesters must be authenticated Authentication policies
Integrity of information in transmission
SR5. A service must verify that the contents of received messages have not been modified during their transit.
Message-level integrity policies
SR6. The contents of the received message must be authenticatedMessage-level authenticity policies
SR7. A service must verify that the received messages have not been replayed. Message freshness policies
Trusted participants
SR8. Services and principals must be trusted only in a determined wayTrust establishment and trust propagation policies
SR9. Identity management and identity propagation must be clearly defined Identification policies
Non repudiation
SR10. Service requester cannot deny having sent a messageMessage-level non-repudiation policies
SR11. Accesses to a service must be loggedLogging policiesAudit policiesNon repudiation policies
Secure Systems Research Group - FAU
The Security-Enabled
Metamodel for Service-
Oriented Applications
Secure Systems Research Group - FAU
The Security-Enabled Metamodel for Service-Oriented Applications
• Using the metamodel
Secure Systems Research Group - FAU
The Security-Enabled Metamodel for
Service-Oriented Applications
• Using the metamodel
Secure Systems Research Group - FAU
The Security-Enabled
Metamodel for Web
Services-Based
Applications
Secure Systems Research Group - FAU
The Decision-Guiding Map of Security Patterns
Secure Systems Research Group - FAU
The Corresponding Catalog of Security Patterns
• Examples– The Identity Provider Pattern
• allows the formation of a dynamically created identity within an identity federation consisting of several service providers. Therefore, identity and security information about a subject can be transmitted in a transparent way for the user among service providers from different security domains.
– The Policy-Based Access Control Pattern • decides if a subject is authorized to access an object
according to policies defined in a central policy repository.
Secure Systems Research Group - FAU
The Identity Provider Pattern
context FederatedIdentity
inv: forall(p | self.federatedAttributes->includes(p) implies
self.subject.localIdentity.localAttributes->includes(p))
inv: self.federatedAttributes->excludes(
self.subject.localIdentity.localAttributes.oclAsType(
PrivateAttribute))
Secure Systems Research Group - FAU
Policy-Based Access Control Pattern
Secure Systems Research Group - FAU
The Chain of Transformation Definitions
• PIM2PSM– Simple QVT Relations
• CIM2secCIM, PIM2secPIM and PSM2secPSM– Relations between models are not static Model weaving operation
Secure Systems Research Group - FAU
PIM2PSM Transformation Definition
• Example: Relation InvRec2All
Secure Systems Research Group - FAU
PIM2PSM
• Travel Agency Example: Generated PSM
Secure Systems Research Group - FAU
PIM2secPIM Transformation Definition
• Travel Agency example:
• Produced relation
Secure Systems Research Group - FAU
PIM2secPIM Transformation Definition
• Travel Agency example:
• Produced PIM
Secure Systems Research Group - FAU
Conclusions
• Benefits:– The process decouples the application domain
expertise from the security expertise that are both needed to build a secure application. The inclusion of security during the software
development process becomes more convenient for the architects/designers.
Understanding security patterns from their human-readable description and knowing how to use the security-enabled metamodels are sufficient skills to use our process.
• .
Secure Systems Research Group - FAU
Conclusions
• Benefits:– The insertion of security is semi-automated and
traceable. The process is flexible and can easily adapt to
changing requirements.
– Given that SOA was developed in order to provide enterprises with modular, reusable and adaptable architectures, but that security was the principal factor that hindered its use, we believe that our process can act as an enabler for service-oriented applications.
Secure Systems Research Group - FAU
Future Work
• Identification and writing of more security patterns at all levels, in order to ‘cover’ all security policies.
• Implementation into a tool. It should be able to make accurate suggestions of security patterns during the development of an application using all relationship types. Additionally, many MDA frameworks exist. The model transformation specifications should be implementable easily using one of those.
Secure Systems Research Group - FAU
Future Work
• Our results consist in the design of a software development process for secure service-oriented applications. However, it would be valuable to abstract this process so that it could be architectural-style-independent, not only applicable to service-oriented applications.
• Finally, we need to investigate ways to validate our process. In particular, this leads to the problem of security patterns validation, which is resolved using methods in [Jur02]. But how can we verify that their application produces a secure design?
Secure Systems Research Group - FAU
Thank You!