A connector-centric approach to architectural access control

An important problem is the architectural access control question: how can we describe and check access control issues at the software architecture level? We propose a connector-centric approach to software architectural access control. Our approach is based on a unified access control model that incorporates the classic model, the role-based model, and the trust management model. We design a secure software architecture description language, Secure xADL, that extends the xADL language with the constructs necessary to describe access control issues. Secure xADL extends the descriptions of components, connectors, their types, sub-architectures, and the global architecture with the concepts of subject, principal, permission, resource, privilege, safeguard, and policy. We use the XACML language as the basis for architectural security policy modeling. Four types of context for architectural access control are also identified: (1) the nearby constituents of components and connectors, (2) the types of components and connectors, (3) the containing sub-architecture, and (4) the global architecture. We present an algorithm to check architectural access control: given a secure software architecture description written in Secure xADL, if a component A wants to access another component B, should the access be allowed? Tool support is provided as part of the ArchStudio architecture development environment, including an editor, a checker, the secure architecture controller, and a run-time framework that enables important architectural operations: instantiating components and connectors, connecting components to connectors, and message routing. Connectors play a central role in our approach. They can propagate privileges within the architecture, decide whether architectural connections can be made, and route messages according to their security policies.
Our hypotheses are: an architectural connector can serve as a suitable construct for modeling architectural access control; the connector-centric approach can be applied to different types of componentized and networked software systems; the access control check algorithm can check the suitability of accessing interfaces; and, in an architectural style based on event-routing connectors, our approach can route events in accordance with secure delivery requirements. To validate these hypotheses, we have performed an informal analysis of the algorithm, developed two applications, Secure Coalition and Impromptu, and modeled the security architectures of Firefox and DCOM.
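The following is an added illustration of the check the abstract describes, written for this page and not code from the paper, Secure xADL, or ArchStudio. The model is an assumption: rules are (subject, interface, action, effect) tuples in the style of XACML; a connector decides whether it propagates the caller's identity to the target; and the four contexts named above are consulted in order (nearby constituents, then types, then the containing sub-architecture, then the global architecture), with the first applicable rule deciding and no applicable rule meaning deny. The architecture, component, connector and subject names are constructed sample data.

```python
from dataclasses import dataclass, field

# Assumed model for illustration (not the paper's Secure xADL/XACML semantics):
# rules are (subject, interface, action, effect); policies are consulted in the
# four context orders named in the abstract; the first applicable rule decides.
PERMIT, DENY = "Permit", "Deny"
ANONYMOUS = "anonymous"  # identity a connector presents when it does not carry the caller's

@dataclass
class Rule:
    subject: str     # principal the rule applies to; "*" matches any
    interface: str   # interface on the target component
    action: str
    effect: str      # PERMIT or DENY

@dataclass
class Policy:
    rules: list = field(default_factory=list)

    def evaluate(self, subject, interface, action):
        """First matching rule wins; None means NotApplicable."""
        for r in self.rules:
            if r.subject in ("*", subject) and r.interface == interface and r.action == action:
                return r.effect
        return None

@dataclass
class Component:
    name: str
    ctype: str
    subject: str                          # principal the component runs as
    policy: Policy = field(default_factory=Policy)

@dataclass
class Connector:
    name: str
    ctype: str
    ends: frozenset                       # the two component names it joins
    policy: Policy = field(default_factory=Policy)
    propagates: set = field(default_factory=set)  # subjects whose identity it carries across

@dataclass
class Architecture:
    components: dict
    connectors: dict
    type_policies: dict = field(default_factory=dict)     # type name -> Policy
    subarch_of: dict = field(default_factory=dict)        # component -> sub-architecture
    subarch_policies: dict = field(default_factory=dict)  # sub-architecture -> Policy
    global_policy: Policy = field(default_factory=Policy)

def find_connector(arch, a, b):
    return next((c for c in arch.connectors.values() if c.ends == frozenset((a, b))), None)

def check_access(arch, a, b, interface, action):
    """Should component a be allowed to perform action on b's interface?
    Returns (decision, context that decided)."""
    conn = find_connector(arch, a, b)
    if conn is None:
        return DENY, "no-connection"  # no architectural connection, no access
    caller = arch.components[a].subject
    # Privilege propagation is the connector's decision: it either carries the
    # caller's identity to b or presents the request as anonymous.
    subject = caller if caller in conn.propagates else ANONYMOUS
    target = arch.components[b]
    contexts = [
        ("nearby", target.policy), ("nearby", conn.policy),
        ("type", arch.type_policies.get(target.ctype)),
        ("type", arch.type_policies.get(conn.ctype)),
        ("subarchitecture", arch.subarch_policies.get(arch.subarch_of.get(b))),
        ("global", arch.global_policy),
    ]
    for label, policy in contexts:
        effect = policy.evaluate(subject, interface, action) if policy is not None else None
        if effect is not None:
            return effect, label
    return DENY, "default"  # no context applied: deny by default

def build_sample_architecture():
    """Constructed sample (not from the paper): clients A and D reach store B
    through connectors C1 and C2; store E is connected to nothing."""
    comps = {
        "A": Component("A", "Client", "alice"),
        "D": Component("D", "Client", "bob"),
        "B": Component("B", "Store", "storesvc",
                       policy=Policy([Rule("*", "debugDump", "read", DENY)])),
        "E": Component("E", "Store", "storesvc"),
    }
    conns = {
        "C1": Connector("C1", "RPC", frozenset(("A", "B")),
                        policy=Policy([Rule("alice", "getRecord", "read", PERMIT)]),
                        propagates={"alice"}),
        "C2": Connector("C2", "RPC", frozenset(("D", "B"))),  # drops caller identity
    }
    return Architecture(
        components=comps, connectors=conns,
        type_policies={"Store": Policy([Rule("*", "getRecord", "write", DENY)])},
        subarch_of={"B": "backend", "E": "backend"},
        subarch_policies={"backend": Policy([Rule("alice", "listRecords", "read", PERMIT)])},
        global_policy=Policy([Rule("*", "getPublicInfo", "read", PERMIT)]),
    )
```

Calling `check_access(build_sample_architecture(), "A", "B", "getRecord", "read")` returns `("Permit", "nearby")` because connector C1 both propagates alice's identity and carries the permitting rule; the same caller asking to write is denied by the Store type policy, and a request from D arrives at B as anonymous because C2 propagates nothing, so only the global rule for the public interface permits it. A component with no connector to the target is denied before any policy is consulted, which is the point of making the connector the place where access decisions live.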
