Run-time security traceability for evolving systems

Published 2011. Security-critical systems are challenging to design and implement both correctly and securely. Many vulnerabilities have been found in current software systems, at both the specification and the implementation level. This paper presents a comprehensive approach to model-based security assurance. First, it allows one to formally verify design models against high-level security requirements such as secrecy and authentication at the specification level, and it helps to ensure that the implementation adheres to these properties, provided they express the system's run-time behaviour. To this end, it provides a traceability link from the design model to its implementation, by which the running system can be verified against the model while it executes. This part of the approach relies on a technique also known as run-time verification. The extra effort it requires is small, as most of the computation is automated; however, additional resources may be required at run-time. If run-time verification uncovers a security weakness, it can be removed using aspect-oriented security hardening transformations. The approach also supports the evolution of software, since the traceability mapping is updated when refactoring operations are regressively performed using the authors' tool-supported refactoring technique. The proposed method has been applied to JESSIE, a Java-based implementation of the Internet security protocol SSL, in which a security weakness was detected and fixed using the approach. The paper also explains how the traceability link can be transferred to the official implementation of the Java Secure Sockets Extension (JSSE), which was recently made open source by Sun.
