A Method for A Method for Validating Software Validating Software Security Constraints Security Constraints Filaret Ilas Filaret Ilas Matt Henry Matt Henry CS 527 CS 527 Dr. O.J. Pilskalns Dr. O.J. Pilskalns
Mar 26, 2015
A Method for Validating A Method for Validating Software Security Software Security
ConstraintsConstraintsFilaret IlasFilaret IlasMatt HenryMatt Henry
CS 527CS 527
Dr. O.J. PilskalnsDr. O.J. Pilskalns
MotivationMotivation
Security issues must be dealt with in Security issues must be dealt with in all phases of software developmentall phases of software development
Secure patterns/modelsSecure patterns/models Secure coding practicesSecure coding practices Secure development proceduresSecure development procedures During deployment and maintenance During deployment and maintenance
phasesphases
On the flip side…On the flip side… Is computer security possible?Is computer security possible?
Some argue that until computers can fix Some argue that until computers can fix themselves dynamically, then systems will themselves dynamically, then systems will always be vulnerable.always be vulnerable.
Furthermore, computers are incapable of Furthermore, computers are incapable of handling the infinite variety of attacks – handling the infinite variety of attacks – however, software may implement limited however, software may implement limited repairing schemes which require small repairing schemes which require small amount of programmer assistance amount of programmer assistance (debugging, etc.)(debugging, etc.)
Why it’s importantWhy it’s important
““Design-level vulnerabilities are the Design-level vulnerabilities are the hardest defect category to handle, hardest defect category to handle, but they’re also the most prevalent but they’re also the most prevalent and critical.”and critical.”
Software Security Testing, Software Security Testing, IEEE Security and Privacy Sep/Oct 2004, pgs 81-85 IEEE Security and Privacy Sep/Oct 2004, pgs 81-85
Attacks come in every level, from Attacks come in every level, from source code bugs to design flaws.source code bugs to design flaws.
Why it’s important, Why it’s important, cont’dcont’d
We need to ensure that the secure We need to ensure that the secure pattern/model is consistent with the pattern/model is consistent with the implementation. implementation.
Why OCL?Why OCL?
A standard constraint languageA standard constraint language Expressive powerExpressive power Pairs with UML Pairs with UML Accessible to developers and Accessible to developers and
programmers at each levelprogrammers at each level
Why OCL? cont’dWhy OCL? cont’d
Expressive power includes Expressive power includes existential and universal existential and universal quantificationquantification
Can provide a regulatory scheme for Can provide a regulatory scheme for securing system componentssecuring system components
Allows the designer to check Allows the designer to check violations easily (i.e., if constraints violations easily (i.e., if constraints are not followed in test cases)are not followed in test cases)
A solutionA solution
Thanks to the OCL’s expressive Thanks to the OCL’s expressive power, we can generate constraints power, we can generate constraints that consist of universal statements.that consist of universal statements.
For example, we can ensure that For example, we can ensure that only a specified number of instances only a specified number of instances are created (i.e., connections, are created (i.e., connections, clients, administrators, etc.)clients, administrators, etc.)
BackgroundBackground
Some tools/extensions that already exist:Some tools/extensions that already exist:
OCSL (Object Security Constraint Language)OCSL (Object Security Constraint Language)Allows for a security-driven development – Allows for a security-driven development – extends OCL syntax, but with a focus on securityextends OCL syntax, but with a focus on security
Medina, et.al.Medina, et.al.
USE (UML Specification Environment) USE (UML Specification Environment) implements a test/validate process that allows a implements a test/validate process that allows a “snapshot” diagram to be constructed and given “snapshot” diagram to be constructed and given properties are validatedproperties are validated
Gogolla, et.al.Gogolla, et.al.
Conversion between use cases and OCL Conversion between use cases and OCL expressionsexpressions
RoussevRoussev
Where we areWhere we are
What we have:What we have: OCLOCL UMLUML Set of rules that ensure Set of rules that ensure
consistency in secure consistency in secure diagramsdiagrams
Ever-expanding corpus Ever-expanding corpus of secure coding of secure coding practices in every phase practices in every phase of software of software developmentdevelopment
A tool which generates A tool which generates a fault-revealing grapha fault-revealing graph
What we need:What we need: a tool that helps us a tool that helps us
determine whether determine whether software meets the software meets the security requirements security requirements of the original modelof the original model
What we have, part 1What we have, part 1
OCLOCL Useful for expressive powerUseful for expressive power Can formulate constraints which are Can formulate constraints which are
security-relatedsecurity-related
Object Management GroupObject Management Group
What we have, part 2What we have, part 2
UMLUML Visual expressive powerVisual expressive power Class interaction and sequences are Class interaction and sequences are
defined in a meta-modeldefined in a meta-model
Object Management GroupObject Management Group
What we have, part 3What we have, part 3
Current rulesCurrent rules Restrict operation accessRestrict operation access Define compositionsDefine compositions Maintain multiplicityMaintain multiplicity
All of these help to keep the UML model All of these help to keep the UML model consistent in terms of security consistent in terms of security
Paired with a constraint checking tool, may Paired with a constraint checking tool, may verify whether or not these rules are verify whether or not these rules are followedfollowed
Pilskalns, Williams, Aracic, AndrewsPilskalns, Williams, Aracic, Andrews
What we have, part 4What we have, part 4
Secure coding practicesSecure coding practices
As provided by both industry and As provided by both industry and academia academia
Guidelines for each phase in Guidelines for each phase in developmentdevelopment
What we have, part 5What we have, part 5
Fault-finding methodFault-finding method
After execution of successful and fault-revealing unit tests, can generate graphs that show the differences
Graphs can be transformed into UML Sequence Diagrams
Can use Sequence Diagrams to reveal faults at a higher level
Pilskalns, Wallace
Security managementSecurity management
Rather than deal with each attack Rather than deal with each attack individually, and at each level, we propose individually, and at each level, we propose a method which could effectively secure a a method which could effectively secure a system at the highest level, and system at the highest level, and (depending on the security model) reduce (depending on the security model) reduce the risk at lower levels.the risk at lower levels.
What we needWhat we need
An automated tool that helps us An automated tool that helps us effectively validate secure OCL effectively validate secure OCL constraints of a system constraints of a system
Our approachOur approach
This approach is similar to using This approach is similar to using reverse-engineered UML Sequence reverse-engineered UML Sequence Diagrams. The approach relies on Diagrams. The approach relies on visual analyses of traces of object-visual analyses of traces of object-method calls. Tests reveals if there method calls. Tests reveals if there exist any security flaws in the code exist any security flaws in the code execution. The approach verifies execution. The approach verifies whether the security constraints whether the security constraints specified in the design phase hold for a specified in the design phase hold for a set of test cases. set of test cases.
Our approach, cont’dOur approach, cont’d
The OCL is a useful middle man for both The OCL is a useful middle man for both design and testing secure systemsdesign and testing secure systems
Design Document
-Use Case
-UML Model
extractextractConstraint Constraint cc11Context Account::create()Context Account::create()Inv:oclSet={Teller}Inv:oclSet={Teller}Inv.oclSet -> includes(source.type)Inv.oclSet -> includes(source.type)
TraceTrace
Implementation
Bank.Customer.getAccount()LBank/Account;return: Customer.java:35
Bank.Account.create(I)LBank/Accountcalled: Account.java:23
Bank.BankManager.getAccount(I)LBank/Accountcalled: BankManager.java:39
Bank.BankManager.getAccount(I)LBank/Accountreturn: BankManager.java:39
Bank.Account.create(I)LBank/Accountreturn: Account.java:24
Bank.Account.add(I)Vcalled: Account.java:45
Bank.Account.add(I)Vreturn: Account.java:47
Bank.Customer.getAccount()LBank/Account;called: Customer.java:35
verifyverify
ProcessProcess
1.1. Create Unit Tests. Create Unit Tests.
2.2. Instrument the source code so message Instrument the source code so message paths (and associated objects) can be paths (and associated objects) can be traced.traced.
3.3. Execute the tests and record objects and Execute the tests and record objects and message paths.message paths.
4.4. Construct directed acyclic graphs for every Construct directed acyclic graphs for every trace.trace.
5.5. Verify that the security constraints Verify that the security constraints specified in the design phase hold for each specified in the design phase hold for each graph.graph.
1. Create Unit Tests1. Create Unit Tests
Unit tests provide coverage of the Unit tests provide coverage of the code used in a specific test case. code used in a specific test case. There will be unit tests provided for There will be unit tests provided for both secure and non-secure code both secure and non-secure code execution.execution.
2. Instrument the source 2. Instrument the source codecode
The instrumentation process inserts The instrumentation process inserts tracking code that records the tracking code that records the method execution calls between method execution calls between objects, so message paths (and objects, so message paths (and associated objects) can be traced.associated objects) can be traced.
3. Execute the tests and 3. Execute the tests and record objects and message record objects and message
paths.paths.
During the execution, the During the execution, the instrumented byte code is instrumented byte code is traversed using the unit tests. Each traversed using the unit tests. Each unit test generates an object-unit test generates an object-method trace through the code.method trace through the code.
4. 4. Create graphsCreate graphs
Construct directed acyclic graphs Construct directed acyclic graphs for every tracefor every trace
5. 5. Verify consistencyVerify consistency
Make sure the security constraints Make sure the security constraints specified in the design phase hold specified in the design phase hold for each graph.for each graph.
What we can do What we can do
Our tool allows assessing the following types of Our tool allows assessing the following types of security constraints:security constraints:
Operation access: check if an object is allowed Operation access: check if an object is allowed to use operations provided by another object;to use operations provided by another object;
Composition: check if the life span of an object Composition: check if the life span of an object doesn’t exceed the life span of the container doesn’t exceed the life span of the container object;object;
Multiplicity: checks if the number of instances Multiplicity: checks if the number of instances of an object doesn’t exceed the maximum of an object doesn’t exceed the maximum number of instances allowed to complete a number of instances allowed to complete a task.task.
This is a good place to startThis is a good place to start
Experimental resultsExperimental results
The assessing module was tested The assessing module was tested successfully on simplified version of successfully on simplified version of Banking System. The Banking System. The communication between the system communication between the system and its components Teller and and its components Teller and Customer is done using messages. Customer is done using messages. Any request for a certain service is Any request for a certain service is managed by the Transaction managed by the Transaction Manager. Manager.
Experimental FactorsExperimental Factors
The purpose of using the Banking example The purpose of using the Banking example is not to implement a fully functional is not to implement a fully functional banking system, but to check if the security banking system, but to check if the security constraints specified in the design phase constraints specified in the design phase hold. Therefore we will focus on the object hold. Therefore we will focus on the object interaction rather than purely coding the interaction rather than purely coding the tasks specific for any component. tasks specific for any component.
Our approach will trace object-method Our approach will trace object-method calls, therefore we will focus on the calls, therefore we will focus on the interaction between components.interaction between components.
+addCustomer(in customer : Customer)+getAcount(in idx : int) : Account+getCustomer(in idx : int) : Customer+transfer(in id : int, in amount : int)
-clients : Customer
Bank::BankManager
Bank
+getID() : int+getAccount() : Account
-bm : BankManager-myacc : Account-name : String-myID : int-tmode : bool
Bank::Customer-contains
1
*
+create(in ID : int) : Account+activate() : bool+deactivate() : bool+transfer(in msg : String) : bool
-isActive : bool-bm : BankManager-balance : int
Bank::Account
+startTx() : bool+endTx() : bool+SendMessage() : bool
-isActive : bool
Bank::TransactionManager
*
*
1
*
+transfer(in amount : int, in tm : TransactionManager) : bool
Bank::Local
+transfer(in amount : int, in tm : TransactionManager) : bool
Bank::Remote
+transfer(in amount : int, in tm : TransactionManager) : bool
-tm : TransactionManager
Bank::Teller
1
1
*
*
+create()
Bank::Message
*
-1*
+encrypt(in message : String) : String+decrypt(in message : String) : String+addSignature(in message : String) : String
Bank::RSA
1
*
Bank
: Bank::Teller : Bank::Account : Bank::Message : Bank::TransactionManager
create(ID:int)
activate()
msg:=create()
transfer(msg)
startTx()
SendMessage(msg)
endTx()
: Bank::BankManager
transfer(id, amount)
Bank
: Bank::Remote : Bank::Account : Bank::Message : Bank::TransactionManager
activate()
create(message)
transfer(message)
startTx()
SendMessage(msg)
endTx()
: Bank::BankManager
transfer(id, amount)
: Bank::RSA
encrypt(message)
addSignature(message)
message
Validating Operation Validating Operation AccessAccess
First of all we will check for the operation First of all we will check for the operation access constraints. In the paper “Security access constraints. In the paper “Security Consistency in UML Designs” the author is Consistency in UML Designs” the author is proposing a few operation access constraints proposing a few operation access constraints which we will test in the following use cases.which we will test in the following use cases.
We have the following constraint:We have the following constraint:Context Account::create()Context Account::create()
Inv:oclSet={Teller}Inv:oclSet={Teller} Inv.oclSet -> includes(source.type)Inv.oclSet -> includes(source.type)
It will grant access to the It will grant access to the Account.create()Account.create() method only for instances of the Teller object.method only for instances of the Teller object.
Graph Representation
Every object-method call will be represented in the direct acyclic graph with two vertices corresponding to the entry point and return. The links between vertices correspond to the order of the method calls. Each vertex contains the following information: id, location and method.
We can easily point out the vertices corresponding to the create() method call. The order the methods are called is preserved in the graph, therefore we can search backward in the graph to see if there is any instance of the Teller object responsible to make the create() call. We find out that the create() method is called by the Teller.transfer() method. In this situation we conclude that the system might be secure regarding this operation access constraint.
Bank.Teller.transfer(II)Zcalled: Teller.java:23
Bank.Account.create(I)LBank/Accountcalled: Account.java:23
Bank.BankManager.getAccount(I)LBank/Accountcalled: BankManager.java:39
Bank.BankManager.getAccount(I)LBank/Accountreturn: BankManager.java:39
Bank.Account.create(I)LBank/Accountreturn: Account.java:24
Bank.Account.activate()Zcalled: Account.java:28
Bank.TransactionManager.sendMessage(String;)Zcalled: TransactionManager.java:32
Bank.Account.activate()Zreturn: Account.java:30
Bank.TransactionManager.startTx()Zcalled: TransactionManager.java:22
Bank.TransactionManager.endTx()Zcalled: TransactionManager.java:27
Bank.Account.transfer(String;TransactionManager;)called: Account.java:38
Bank.Message.create(ZILjava/lang/String;I)String;called: Message.java:19
Bank.Message.create(ZILjava/lang/String;I)String;return: Message.java:27
Bank.TransactionManager.startTx()Zreturn: TransactionManager.java:24
Bank.TransactionManager.sendMessage(String;)Zreturn: TransactionManager.java:41
Bank.TransactionManager.endTx()Zreturn: TransactionManager.java:29
Bank.Account.transfer(String;TransactionManager;)return: Account.java:42
Bank.Account.deactivate()Zcalled: Account.java:33
Bank.Account.deactivate()Zreturn: Account.java:35
Bank.Teller.transfer(II)Zreturn: Teller.java:30
Graph Representation,part 2
Every object-method call will be represented in the direct acyclic graph with two vertices corresponding to the entry point and return. The links between vertices correspond to the order of the method calls. Each vertex contains the following information: id, location and method.
We can easily point out the vertices corresponding to the create() method call. The order the methods are called is preserved in the graph, therefore we can search backward in the graph to see if there is any instance of the Teller object responsible to make the create() call. We find out that the create() method is called by the Teller.transfer() method. In this situation we conclude that the system might be secure regarding this operation access constraint.
Bank.Customer.getAccount()LBank/Account;return: Customer.java:35
Bank.Account.create(I)LBank/Accountcalled: Account.java:23
Bank.BankManager.getAccount(I)LBank/Accountcalled: BankManager.java:39
Bank.BankManager.getAccount(I)LBank/Accountreturn: BankManager.java:39
Bank.Account.create(I)LBank/Accountreturn: Account.java:24
Bank.Account.add(I)Vcalled: Account.java:45
Bank.Account.add(I)Vreturn: Account.java:47
Bank.Customer.getAccount()LBank/Account;called: Customer.java:35
Conclusion:Conclusion:Putting it all togetherPutting it all together
The OCL is a useful component in secure The OCL is a useful component in secure system designsystem design The OCL is flexible, available, and powerfulThe OCL is flexible, available, and powerful Constraints can be validatedConstraints can be validated
A debugging utility that allows us to trace A debugging utility that allows us to trace executionexecution Build a graph for inspectionBuild a graph for inspection Check the graph for constraint inconsistenciesCheck the graph for constraint inconsistencies