Top Banner
A Method for A Method for Validating Software Validating Software Security Constraints Security Constraints Filaret Ilas Filaret Ilas Matt Henry Matt Henry CS 527 CS 527 Dr. O.J. Pilskalns Dr. O.J. Pilskalns
35

A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Mar 26, 2015

Download

Documents

Makayla Jimenez
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

A Method for Validating A Method for Validating Software Security Software Security

ConstraintsConstraintsFilaret IlasFilaret IlasMatt HenryMatt Henry

CS 527CS 527

Dr. O.J. PilskalnsDr. O.J. Pilskalns

Page 2: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

MotivationMotivation

Security issues must be dealt with in Security issues must be dealt with in all phases of software developmentall phases of software development

Secure patterns/modelsSecure patterns/models Secure coding practicesSecure coding practices Secure development proceduresSecure development procedures During deployment and maintenance During deployment and maintenance

phasesphases

Page 3: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

On the flip side…On the flip side… Is computer security possible?Is computer security possible?

Some argue that until computers can fix Some argue that until computers can fix themselves dynamically, then systems will themselves dynamically, then systems will always be vulnerable.always be vulnerable.

Furthermore, computers are incapable of Furthermore, computers are incapable of handling the infinite variety of attacks – handling the infinite variety of attacks – however, software may implement limited however, software may implement limited repairing schemes which require small repairing schemes which require small amount of programmer assistance amount of programmer assistance (debugging, etc.)(debugging, etc.)

Page 4: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Why it’s importantWhy it’s important

““Design-level vulnerabilities are the Design-level vulnerabilities are the hardest defect category to handle, hardest defect category to handle, but they’re also the most prevalent but they’re also the most prevalent and critical.”and critical.”

Software Security Testing, Software Security Testing, IEEE Security and Privacy Sep/Oct 2004, pgs 81-85 IEEE Security and Privacy Sep/Oct 2004, pgs 81-85

Attacks come in every level, from Attacks come in every level, from source code bugs to design flaws.source code bugs to design flaws.

Page 5: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Why it’s important, Why it’s important, cont’dcont’d

We need to ensure that the secure We need to ensure that the secure pattern/model is consistent with the pattern/model is consistent with the implementation. implementation.

Page 6: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Why OCL?Why OCL?

A standard constraint languageA standard constraint language Expressive powerExpressive power Pairs with UML Pairs with UML Accessible to developers and Accessible to developers and

programmers at each levelprogrammers at each level

Page 7: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Why OCL? cont’dWhy OCL? cont’d

Expressive power includes Expressive power includes existential and universal existential and universal quantificationquantification

Can provide a regulatory scheme for Can provide a regulatory scheme for securing system componentssecuring system components

Allows the designer to check Allows the designer to check violations easily (i.e., if constraints violations easily (i.e., if constraints are not followed in test cases)are not followed in test cases)

Page 8: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

A solutionA solution

Thanks to the OCL’s expressive Thanks to the OCL’s expressive power, we can generate constraints power, we can generate constraints that consist of universal statements.that consist of universal statements.

For example, we can ensure that For example, we can ensure that only a specified number of instances only a specified number of instances are created (i.e., connections, are created (i.e., connections, clients, administrators, etc.)clients, administrators, etc.)

Page 9: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

BackgroundBackground

Some tools/extensions that already exist:Some tools/extensions that already exist:

OCSL (Object Security Constraint Language)OCSL (Object Security Constraint Language)Allows for a security-driven development – Allows for a security-driven development – extends OCL syntax, but with a focus on securityextends OCL syntax, but with a focus on security

Medina, et.al.Medina, et.al.

USE (UML Specification Environment) USE (UML Specification Environment) implements a test/validate process that allows a implements a test/validate process that allows a “snapshot” diagram to be constructed and given “snapshot” diagram to be constructed and given properties are validatedproperties are validated

Gogolla, et.al.Gogolla, et.al.

Conversion between use cases and OCL Conversion between use cases and OCL expressionsexpressions

RoussevRoussev

Page 10: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Where we areWhere we are

What we have:What we have: OCLOCL UMLUML Set of rules that ensure Set of rules that ensure

consistency in secure consistency in secure diagramsdiagrams

Ever-expanding corpus Ever-expanding corpus of secure coding of secure coding practices in every phase practices in every phase of software of software developmentdevelopment

A tool which generates A tool which generates a fault-revealing grapha fault-revealing graph

What we need:What we need: a tool that helps us a tool that helps us

determine whether determine whether software meets the software meets the security requirements security requirements of the original modelof the original model

Page 11: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

What we have, part 1What we have, part 1

OCLOCL Useful for expressive powerUseful for expressive power Can formulate constraints which are Can formulate constraints which are

security-relatedsecurity-related

Object Management GroupObject Management Group

Page 12: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

What we have, part 2What we have, part 2

UMLUML Visual expressive powerVisual expressive power Class interaction and sequences are Class interaction and sequences are

defined in a meta-modeldefined in a meta-model

Object Management GroupObject Management Group

Page 13: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

What we have, part 3What we have, part 3

Current rulesCurrent rules Restrict operation accessRestrict operation access Define compositionsDefine compositions Maintain multiplicityMaintain multiplicity

All of these help to keep the UML model All of these help to keep the UML model consistent in terms of security consistent in terms of security

Paired with a constraint checking tool, may Paired with a constraint checking tool, may verify whether or not these rules are verify whether or not these rules are followedfollowed

Pilskalns, Williams, Aracic, AndrewsPilskalns, Williams, Aracic, Andrews

Page 14: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

What we have, part 4What we have, part 4

Secure coding practicesSecure coding practices

As provided by both industry and As provided by both industry and academia academia

Guidelines for each phase in Guidelines for each phase in developmentdevelopment

Page 15: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

What we have, part 5What we have, part 5

Fault-finding methodFault-finding method

After execution of successful and fault-revealing unit tests, can generate graphs that show the differences

Graphs can be transformed into UML Sequence Diagrams

Can use Sequence Diagrams to reveal faults at a higher level

Pilskalns, Wallace

Page 16: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Security managementSecurity management

Rather than deal with each attack Rather than deal with each attack individually, and at each level, we propose individually, and at each level, we propose a method which could effectively secure a a method which could effectively secure a system at the highest level, and system at the highest level, and (depending on the security model) reduce (depending on the security model) reduce the risk at lower levels.the risk at lower levels.

Page 17: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

What we needWhat we need

An automated tool that helps us An automated tool that helps us effectively validate secure OCL effectively validate secure OCL constraints of a system constraints of a system

Page 18: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Our approachOur approach

This approach is similar to using This approach is similar to using reverse-engineered UML Sequence reverse-engineered UML Sequence Diagrams. The approach relies on Diagrams. The approach relies on visual analyses of traces of object-visual analyses of traces of object-method calls. Tests reveals if there method calls. Tests reveals if there exist any security flaws in the code exist any security flaws in the code execution. The approach verifies execution. The approach verifies whether the security constraints whether the security constraints specified in the design phase hold for a specified in the design phase hold for a set of test cases. set of test cases.

Page 19: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Our approach, cont’dOur approach, cont’d

The OCL is a useful middle man for both The OCL is a useful middle man for both design and testing secure systemsdesign and testing secure systems

Design Document

-Use Case

-UML Model

extractextractConstraint Constraint cc11Context Account::create()Context Account::create()Inv:oclSet={Teller}Inv:oclSet={Teller}Inv.oclSet -> includes(source.type)Inv.oclSet -> includes(source.type)

TraceTrace

Implementation

Bank.Customer.getAccount()LBank/Account;return: Customer.java:35

Bank.Account.create(I)LBank/Accountcalled: Account.java:23

Bank.BankManager.getAccount(I)LBank/Accountcalled: BankManager.java:39

Bank.BankManager.getAccount(I)LBank/Accountreturn: BankManager.java:39

Bank.Account.create(I)LBank/Accountreturn: Account.java:24

Bank.Account.add(I)Vcalled: Account.java:45

Bank.Account.add(I)Vreturn: Account.java:47

Bank.Customer.getAccount()LBank/Account;called: Customer.java:35

verifyverify

Page 20: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

ProcessProcess

1.1. Create Unit Tests. Create Unit Tests.

2.2. Instrument the source code so message Instrument the source code so message paths (and associated objects) can be paths (and associated objects) can be traced.traced.

3.3. Execute the tests and record objects and Execute the tests and record objects and message paths.message paths.

4.4. Construct directed acyclic graphs for every Construct directed acyclic graphs for every trace.trace.

5.5. Verify that the security constraints Verify that the security constraints specified in the design phase hold for each specified in the design phase hold for each graph.graph.

Page 21: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

1. Create Unit Tests1. Create Unit Tests

Unit tests provide coverage of the Unit tests provide coverage of the code used in a specific test case. code used in a specific test case. There will be unit tests provided for There will be unit tests provided for both secure and non-secure code both secure and non-secure code execution.execution.

Page 22: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

2. Instrument the source 2. Instrument the source codecode

The instrumentation process inserts The instrumentation process inserts tracking code that records the tracking code that records the method execution calls between method execution calls between objects, so message paths (and objects, so message paths (and associated objects) can be traced.associated objects) can be traced.

Page 23: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

3. Execute the tests and 3. Execute the tests and record objects and message record objects and message

paths.paths.

During the execution, the During the execution, the instrumented byte code is instrumented byte code is traversed using the unit tests. Each traversed using the unit tests. Each unit test generates an object-unit test generates an object-method trace through the code.method trace through the code.

Page 24: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

4. 4. Create graphsCreate graphs

Construct directed acyclic graphs Construct directed acyclic graphs for every tracefor every trace

Page 25: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

5. 5. Verify consistencyVerify consistency

Make sure the security constraints Make sure the security constraints specified in the design phase hold specified in the design phase hold for each graph.for each graph.

Page 26: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

What we can do What we can do

Our tool allows assessing the following types of Our tool allows assessing the following types of security constraints:security constraints:

Operation access: check if an object is allowed Operation access: check if an object is allowed to use operations provided by another object;to use operations provided by another object;

Composition: check if the life span of an object Composition: check if the life span of an object doesn’t exceed the life span of the container doesn’t exceed the life span of the container object;object;

Multiplicity: checks if the number of instances Multiplicity: checks if the number of instances of an object doesn’t exceed the maximum of an object doesn’t exceed the maximum number of instances allowed to complete a number of instances allowed to complete a task.task.

This is a good place to startThis is a good place to start

Page 27: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Experimental resultsExperimental results

The assessing module was tested The assessing module was tested successfully on simplified version of successfully on simplified version of Banking System. The Banking System. The communication between the system communication between the system and its components Teller and and its components Teller and Customer is done using messages. Customer is done using messages. Any request for a certain service is Any request for a certain service is managed by the Transaction managed by the Transaction Manager. Manager.

Page 28: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Experimental FactorsExperimental Factors

The purpose of using the Banking example The purpose of using the Banking example is not to implement a fully functional is not to implement a fully functional banking system, but to check if the security banking system, but to check if the security constraints specified in the design phase constraints specified in the design phase hold. Therefore we will focus on the object hold. Therefore we will focus on the object interaction rather than purely coding the interaction rather than purely coding the tasks specific for any component. tasks specific for any component.

Our approach will trace object-method Our approach will trace object-method calls, therefore we will focus on the calls, therefore we will focus on the interaction between components.interaction between components.

Page 29: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

+addCustomer(in customer : Customer)+getAcount(in idx : int) : Account+getCustomer(in idx : int) : Customer+transfer(in id : int, in amount : int)

-clients : Customer

Bank::BankManager

Bank

+getID() : int+getAccount() : Account

-bm : BankManager-myacc : Account-name : String-myID : int-tmode : bool

Bank::Customer-contains

1

*

+create(in ID : int) : Account+activate() : bool+deactivate() : bool+transfer(in msg : String) : bool

-isActive : bool-bm : BankManager-balance : int

Bank::Account

+startTx() : bool+endTx() : bool+SendMessage() : bool

-isActive : bool

Bank::TransactionManager

*

*

1

*

+transfer(in amount : int, in tm : TransactionManager) : bool

Bank::Local

+transfer(in amount : int, in tm : TransactionManager) : bool

Bank::Remote

+transfer(in amount : int, in tm : TransactionManager) : bool

-tm : TransactionManager

Bank::Teller

1

1

*

*

+create()

Bank::Message

*

-1*

+encrypt(in message : String) : String+decrypt(in message : String) : String+addSignature(in message : String) : String

Bank::RSA

1

*

Page 30: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Bank

: Bank::Teller : Bank::Account : Bank::Message : Bank::TransactionManager

create(ID:int)

activate()

msg:=create()

transfer(msg)

startTx()

SendMessage(msg)

endTx()

: Bank::BankManager

transfer(id, amount)

Page 31: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Bank

: Bank::Remote : Bank::Account : Bank::Message : Bank::TransactionManager

activate()

create(message)

transfer(message)

startTx()

SendMessage(msg)

endTx()

: Bank::BankManager

transfer(id, amount)

: Bank::RSA

encrypt(message)

addSignature(message)

message

Page 32: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Validating Operation Validating Operation AccessAccess

First of all we will check for the operation First of all we will check for the operation access constraints. In the paper “Security access constraints. In the paper “Security Consistency in UML Designs” the author is Consistency in UML Designs” the author is proposing a few operation access constraints proposing a few operation access constraints which we will test in the following use cases.which we will test in the following use cases.

We have the following constraint:We have the following constraint:Context Account::create()Context Account::create()

Inv:oclSet={Teller}Inv:oclSet={Teller} Inv.oclSet -> includes(source.type)Inv.oclSet -> includes(source.type)

It will grant access to the It will grant access to the Account.create()Account.create() method only for instances of the Teller object.method only for instances of the Teller object.

Page 33: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Graph Representation

Every object-method call will be represented in the direct acyclic graph with two vertices corresponding to the entry point and return. The links between vertices correspond to the order of the method calls. Each vertex contains the following information: id, location and method.

We can easily point out the vertices corresponding to the create() method call. The order the methods are called is preserved in the graph, therefore we can search backward in the graph to see if there is any instance of the Teller object responsible to make the create() call. We find out that the create() method is called by the Teller.transfer() method. In this situation we conclude that the system might be secure regarding this operation access constraint.

Bank.Teller.transfer(II)Zcalled: Teller.java:23

Bank.Account.create(I)LBank/Accountcalled: Account.java:23

Bank.BankManager.getAccount(I)LBank/Accountcalled: BankManager.java:39

Bank.BankManager.getAccount(I)LBank/Accountreturn: BankManager.java:39

Bank.Account.create(I)LBank/Accountreturn: Account.java:24

Bank.Account.activate()Zcalled: Account.java:28

Bank.TransactionManager.sendMessage(String;)Zcalled: TransactionManager.java:32

Bank.Account.activate()Zreturn: Account.java:30

Bank.TransactionManager.startTx()Zcalled: TransactionManager.java:22

Bank.TransactionManager.endTx()Zcalled: TransactionManager.java:27

Bank.Account.transfer(String;TransactionManager;)called: Account.java:38

Bank.Message.create(ZILjava/lang/String;I)String;called: Message.java:19

Bank.Message.create(ZILjava/lang/String;I)String;return: Message.java:27

Bank.TransactionManager.startTx()Zreturn: TransactionManager.java:24

Bank.TransactionManager.sendMessage(String;)Zreturn: TransactionManager.java:41

Bank.TransactionManager.endTx()Zreturn: TransactionManager.java:29

Bank.Account.transfer(String;TransactionManager;)return: Account.java:42

Bank.Account.deactivate()Zcalled: Account.java:33

Bank.Account.deactivate()Zreturn: Account.java:35

Bank.Teller.transfer(II)Zreturn: Teller.java:30

Page 34: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Graph Representation,part 2

Every object-method call will be represented in the direct acyclic graph with two vertices corresponding to the entry point and return. The links between vertices correspond to the order of the method calls. Each vertex contains the following information: id, location and method.

We can easily point out the vertices corresponding to the create() method call. The order the methods are called is preserved in the graph, therefore we can search backward in the graph to see if there is any instance of the Teller object responsible to make the create() call. We find out that the create() method is called by the Teller.transfer() method. In this situation we conclude that the system might be secure regarding this operation access constraint.

Bank.Customer.getAccount()LBank/Account;return: Customer.java:35

Bank.Account.create(I)LBank/Accountcalled: Account.java:23

Bank.BankManager.getAccount(I)LBank/Accountcalled: BankManager.java:39

Bank.BankManager.getAccount(I)LBank/Accountreturn: BankManager.java:39

Bank.Account.create(I)LBank/Accountreturn: Account.java:24

Bank.Account.add(I)Vcalled: Account.java:45

Bank.Account.add(I)Vreturn: Account.java:47

Bank.Customer.getAccount()LBank/Account;called: Customer.java:35

Page 35: A Method for Validating Software Security Constraints Filaret Ilas Matt Henry CS 527 Dr. O.J. Pilskalns.

Conclusion:Conclusion:Putting it all togetherPutting it all together

The OCL is a useful component in secure The OCL is a useful component in secure system designsystem design The OCL is flexible, available, and powerfulThe OCL is flexible, available, and powerful Constraints can be validatedConstraints can be validated

A debugging utility that allows us to trace A debugging utility that allows us to trace executionexecution Build a graph for inspectionBuild a graph for inspection Check the graph for constraint inconsistenciesCheck the graph for constraint inconsistencies