Vulnerability Analysis in SOA-Based Business Processes

Business processes and services can be combined more flexibly when they are based on standards. However, such flexible compositions practically always contain vulnerabilities, which imperil the security and dependability of the processes. Vulnerability management tools require patterns to find or monitor vulnerabilities, and such patterns have to be derived from vulnerability types. Existing analysis methods such as attack trees and FMEA do yield such types, yet they require much experience and provide little guidance during the analysis. Our main contribution is ATLIST, a new vulnerability analysis method with improved transferability. Especially in service-oriented architectures, which employ a mix of established web technologies and SOA-specific standards, previously observed vulnerability types and variations thereof can be found. Therefore, we focus on the detection of known vulnerability types by leveraging previous vulnerability research. A further contribution in this respect is what is, to the best of our knowledge, the most comprehensive compilation of vulnerability information sources to date. We present the method for searching for vulnerability types in SOA-based business processes and services. We also show how patterns can be derived from these types, so that tools can be employed. An additional contribution is a case study in which we apply the new method to an SOA-based business process scenario.
