Identification of Vulnerabilities in Web Services using Model-Based Security

In a service-oriented architecture, business processes are executed as compositions of services, which can suffer from vulnerabilities. These vulnerabilities in services and the underlying software applications put computer systems in general, and business processes in particular, at risk. Current vulnerability analysis approaches involve several manual tasks and are therefore error-prone and costly. Service-oriented architectures add further analysis complexity because they allow considerable flexibility and frequent changes within orchestrated processes and services. It is therefore essential to provide tools and mechanisms that enable efficient and effective management of vulnerabilities within these complex systems. Model-based security engineering is a promising approach that can help to fill the gap between vulnerabilities on the one hand and concrete protection mechanisms on the other. The authors present an approach that integrates model-based engineering and vulnerability analysis in order to cope with the security challenges of a service-oriented architecture.
