Modelling Smart Card Security Protocols in SystemC TLM

Smart cards are an example of advanced chip technology. They allow information transfer between the card holder and the system over secure networks, but they contain sensitive data related to both the card holder and the system, that has to be kept private and confidential. The objective of this work is to create an executable model of a smart card system, including the security protocols and transactions, and to examine the strengths and determine the weaknesses by running tests on the model. The security objectives have to be considered during the early stages of systems development and design, an executable model will give the designer the advantage of exploring the vulnerabilities early, and therefore enhancing the system security. The Unified Modeling Language (UML) 2.0 is used to model the smart card security protocol. The executable model is programmed in SystemC with the Transaction Level Modeling (TLM) extensions. The final model was used to examine the effectiveness of a number of authentication mechanisms with different probabilities of failure. In addition, a number of probable attacks on the current security protocol were modeled to examine the vulnerabilities. The executable model shows that the smart card system security protocols and transactions need further improvement to withstand different types of security attacks

Role-Based Access Control Using Knowledge Acquisition in Automated Specification

Turvalisust peetakse infosüsteemide üheks aspektiks. RBAC on lähenemine, mis piirab süsteemi ligipääsu ainult autoriseeritud kasutajatele infosüsteemides. Olemasolevad turvalisusmudelite keeled või lähenemised adresseerivad IS-i turvalisust, kuigi olemasolevad keeled või lähenemised tingimata ei kohandu RBAC-i vajadustele. On olemas mitmeid modelleerimiskeeli (nt SecureUML, UMLSec, jne) mis esindavad RBAC-i, kuid nad ei ole koosvõimelised (raske selgitada) ning neid ei ole lihtne võrrelda omavahel. Iga modelleerimiskeel esindab erinevaid perspektiive informatsioonisüsteemides. Pealegi on vajadus ühendada disain ja nõudestaadiumid selleks, et avastada süsteemi turvalisusprobleemid ja analüüsida seotud turvalisuskompromisse varasemates staadiumites. KAOS on eesmärgipõhine nõue tehnikavaatenurgast, et paika panna tarkvara nõuded. Sellel hetkel, KAOS on tulevikus võtmelahendus selleks, et kombineerida nõuded disainipõhimõtetega. Selles teesis me analüüsime KAOS-e võimet kohaneda RBAC-ile. Täpsemalt, me kasutame süstemaatilist lähenemist selleks, et aru saada kuidas KAOS-t on võimalik kasutada nii, et see kohanduks RBAC-ile. Meie uurimistöö põhineb transformatsioonireeglitel KAOS-SecureUML-i ja KAOS-UMLSec-i vahel. Pealegi, läbi nende muutuste näitame me kuidas sobitasime KAOS-e RBAC-ile. Selle uurimistöö esitamisel on mitmeid kasutegureid. Esiteks, see aitab potentsiaalselt mõista kuidas KAOS toimib koos RBAC-iga. Teiseks, see defineerib lähenemise välja meelitada turvanõuetele IS-i varajastes arendusfaasides RBAC-i jaoks. See rakendab meie tulemused juhtumuuringus selleks, et mõõta määratletud lähenemise õigsust. Kolmandaks, see transformatsioon KAOS-est/KAOS-eni aitaks IS arendajaid ja teistel süsteemi osanikel (nt süsteemianalüütikuid, süsteemi administraatoreid jne) mõista kui tähtsad need turvalisuslähenemised on ja millistel on rohkem eeliseid/puudusi. Me planeerime kehtestada oma tulemused selleks, et reegleid ja modeleid muuta olenevalt nende õigsust, mida mõõdetakse. Viimaseks, me oleme võimelised õigustama oma disainistaadiumit nõudmise staadiumiga.Security is considered to be an aspect of information systems. Role-based access control (RBAC) is an approach to restricting system access to authorized users in information systems. Existing security modeling languages and/or approaches address the security of the IS, however existing languages or approaches do not necessarily conforms to the needs of RBAC. There are several modeling languages (e.g. SecureUML, UMLSec, etc.) to represent RBAC but they are not interoperable and it is not easy to compare one with another. Each modeling language represents different perspectives on information systems. Besides, there is a need to merge design and requirement stages in order to discover system security concerns and analyze related security trade-offs at the earlier stages. Knowledge acquisition in automated specification (KAOS) is a goal oriented requirement engineering approach to elicit software requirements. In this point, KAOS will be a key solution in order to combine requirements with design principles. In this thesis, we will analyze KAOS to apply RBAC. More specifically, we will apply a systematic approach to understand how KAOS can be used to apply RBAC. Our research work will be based on the transformation rules between KAOS-SecureUML and KAOS-UMLSec, and vice versa. Moreover, through these transformations we will show how we aligned KAOS to RBAC. The contribution of this research has several benefits. Firstly, it will potentially help to understand how KAOS could deal with RBAC. Secondly it will define the approach to elicit security requirements for RBAC at early stages of the IS development. This will apply our results in a case study to measure the correctness of the defined approach. Thirdly, the transformations from/to the KAOS would help IS developers and the other system stakeholders (e.g. system analysts, system administrators, etc.) to understand how important these security approaches (KAOS, SecureUML and UMLSec) are and which one has more advantages/disadvantages. We plan to validate our results for transformation rules and the models regarding their correctness that will be measured. Last but not least, we will be able to justify the design stage with requirement stage

A Literature Survey of the Development Processes for Secure Software

Turvalise tarkvara arendusprotsessidel on tähtis roll turvalise tarkvara kavandamisel, aga erinevate arendusprotsessidel vahel on rakse valikut teha ilma nendevahelie võrdluseta. Veel enam peale arendusprotsessi rakendamist tuleb valida meetodid, mida kasutada selle arendusprotsessi rakendamisel. Meetodite valikul tekib aga probleem, sest arendusprotsessides ei ole öeldud, milliseid meetodeid tuleks kasutada, et täita vajalikud tegevused turvalise tarkvara arendamiseks. Selle töö raames me võrdleme kolme erinevat turvalise tarkvara arendusprotsessi: Microsoft Security Development Lifecycle, OWASP CLASP ja Cigital’s Security Touchpoints. Järgmisena me keskendume valitud arendusprotsesside faasile, mis käsitleb turvariskide haldust ja viime läbi uuringu, et teada saada, mis on tänapäevased turvariski meetodid. Me anname nendest meetoditest lühikokkuvõtte ja võrdleme neid omavahel, mis loodetavasti lihtustab nende vahel valimist. Me koostame veel leitud meetoditest ühise vaate, mis aitab kaasa kõigi arendusprotsesside poolt pakutud tegevuste täitmisele selle faasis. See on vajalik, sest riskihaldus mängib suurt rolli turvalise tarkvara arendamisel ja erinevate riskihaldus meetodite kombineerimist saab kasutada, et avastada rohkem riske loodavast tarkvarast ja hiljem neid riske korrektselt leevendada.Secure software development processes are critical part of designing secure software. However, it is hard for the various stakeholders to make the decision about which software development process to choose without a comparison between them. Even further, after choosing the process, stakeholders have to decide which methods and techniques to use to fulfil activities required to develop secure software development processes. This is a problem, because there are a number of methods a stakeholder could use to fulfil these activities, but no explicit links between a method and development process. In this thesis firstly we perform comparison of three secure system development approaches namely Microsoft Security Development Lifecycle, OWASP CLASP and Cigital’s Security Touchpoints. In the next step we focus on step within these approaches, namely the security risk management and carry out an analytical survey to find out current methods for security risk management. We give a short overview and comparison between found methods, which potentially will help stakeholders to select their approach for designing secure software with the focus on security risk analysis. We also provide them with opportunity to perform all activities required in risk analysis phase of the development by giving them an aggregate view of risk management methods. This is essential, because risk analysis is a major part of developing secure software and combining different techniques can be used to discover and mitigate more risks in software under development

Foundations for Designing Secure Architectures

AbstractDeveloping security-critical systems is difficult and there are many well-known examples of security weaknesses exploited in practice. In particular, so far little research has been performed on the soundly based design of secure architectures, which would be urgently needed to develop secure systems reliably and efficiently. In this abstract, we sketch some research on a sound methodology supporting secure architecture design. We give an overview over an extension of UML, called UMLsec, that allows expressing security-relevant information within the diagrams in an architectural design specification. We define foundations for secure architectural design patterns. We present tool-support which has been developed for the UMLsec secure architecture approach

A Literature Survey of the Development Processes for Secure Software

Turvalise tarkvara arendusprotsessidel on tähtis roll turvalise tarkvara kavandamisel, aga erinevate arendusprotsessidel vahel on rakse valikut teha ilma nendevahelise võrdluseta. Veel enam peale arendusprotsessi rakendamist tuleb valida meetodid, mida kasutada selle arendusprotsessi rakendamisel. Meetodite valikul tekib aga probleem, sest arendusprotsessides ei ole öeldud, milliseid meetodeid tuleks kasutada, et täita vajalikud tegevused turvalise tarkvara arendamiseks. Selle töö raames me võrdleme kolme erinevat turvalise tarkvara arendusprotsessi: Microsoft Security Development Lifecycle, OWASP CLASP ja Cigital’s Security Touchpoints. Järgmisena me keskendume valitud arendusprotsesside faasile, mis käsitleb turvariskide haldust ja viime läbi uuringu, et teada saada, mis on tänapäevased turvariski meetodid. Me anname nendest meetoditest lühikokkuvõtte ja võrdleme neid omavahel, mis loodetavasti lihtsustab nende vahel valimist. Me koostame veel leitud meetoditest ühise vaate, mis aitab kaasa kõigi arendusprotsesside poolt pakutud tegevuste täitmisele selle faasis. See on vajalik, sest riskihaldus mängib suurt rolli turvalise tarkvara arendamisel ja erinevate riskihaldus meetodite kombineerimist saab kasutada, et avastada rohkem riske loodavast tarkvarast ja hiljem neid riske korrektselt leevendada.Secure software development processes are critical part of designing secure software. However, it is hard for the various stakeholders to make the decision about which software development process to choose without a comparison between them. Even further, after choosing the process, stakeholders have to decide which methods and techniques to use to fulfil activities required to develop secure software development processes. This is a problem, because there are a number of methods a stakeholder could use to fulfil these activities, but no explicit links between a method and development process. In this thesis firstly we perform comparison of three secure system development approaches namely Microsoft Security Development Lifecycle, OWASP CLASP and Cigital’s Security Touchpoints. In the next step we focus on step within these approaches, namely the security risk management and carry out an analytical survey to find out current methods for security risk management. We give a short overview and comparison between found methods, which potentially will help stakeholders to select their approach for designing secure software with the focus on security risk analysis. We also provide them with opportunity to perform all activities required in risk analysis phase of the development by giving them an aggregate view of risk management methods. This is essential, because risk analysis is a major part of developing secure software and combining different techniques can be used to discover and mitigate more risks in software under development

Visual Model-Driven Design, Verification and Implementation of Security Protocols

A novel visual model-driven approach to security protocol design, verification, and implementation is presented in this paper. User-friendly graphical models are combined with rigorous formal methods to enable protocol verification and sound automatic code generation. Domain-specific abstractions keep the graphical models simple, yet powerful enough to represent complex, realistic protocols such as SSH. The main contribution is to bring together aspects that were only partially available or not available at all in previous proposal

Role-Based Access-Control for Databases

Liikudes üha enam paberivaba ari suunas, hoitakse üha enam tundlikku informatsiooni andmebaasides. Sellest tulenevalt on andmebaasid ründajatele väärtuslik sihtmärk. Levinud meetod andmete kaitseks on rollipõhine ligipääsu kontroll (role-based access control), mis piirab süsteemi kasutajate õiguseid vastavalt neile omistatud rollidele. Samas on turvameetmete realiseerimine arendajate jaoks aeganõudev käsitöö, mida teostatakse samaaegselt rakenduse toimeloogika realiseerimisega. Sellest tulenevalt on raskendatud turva vajaduste osas kliendiga läbirääkimine projekti algfaasides. See omakorda suurendab projekti reaalsete arenduskulude kasvamise riski, eriti kui ilmnevad turvalisuse puudujäägid realisatsioonis. Tänapäeva veebirakendustes andmebaasi ühenduste puulimine (connec-tion pooling ), kus kasutatakse üht ja sama ühendust erinevate kasutajate teenindamiseks, rikub vähima vajaliku õiguse printsiipi. Kõikidel ühendunud kasutajatel on ligipääs täpselt samale hulgale andmetele, mille tulemusena võib lekkida tundlik informatsioon (näiteks SQLi süstimine (SQL injection ) või vead rakenduses). Lahenduseks probleemile pakume välja vahendid rollipõhise ligipääsu kontorolli disainimiseks tarkvara projekteerimise faasis. Rollipõhise ligipääsu kontorolli modelleerimiseks kasutame UML'i laiendust SecureUML. Antud mudelist on võimalik antud töö raames valminud vahenditega genereerida koodi, mis kontrollib ligipääsu õiguseid andmebaasi tasemel. Antud madaltasemekontroll vähendab riski, et kasutajad näevad andmeid, millele neil ligipääsu õigused puuduvad. Antud töös läbiviidud uuring näitas, et mudelipõhine turvalisuse arendamise kvaliteet on kõrgem võrreldes programmeerijate poolt kirjutatud koodiga. Kuna turvamudel on loodud projekteerimise faasis on selle semantiline täielikkus ja korrektsus kõrge, millest tulenevalt on seda kerge lugeda ja muuta ning seda on lihtsam kasutada arendajate ja klientide vahelises suhtluses.With the constant march towards a paperless business environment, database systems are increasingly being used to hold more and more sensitive information. This means they present an increasingly valuable target for attackers. A mainstream method for information system security is Role-based Access Control (RBAC), which restricts system access to authorised users. However the implementation of the RBAC policy remains a human intensive activity, typically, performed at the implementation stage of the system development. This makes it difficult to communicate security solutions to the stakeholders earlier and raises the system development cost, especially if security implementation errors are detected. The use of connection pooling in web applications, where all the application users connect to the database via the web server with the same database connection, violates the the principle of minimal privilege. Every connected user has, in principle, access to the same data. This may leave the sensitive data vulnerable to SQL injection attacks or bugs in the application. As a solution we propose the application of the model-driven development to define RBAC mechanism for data access at the design stages of the system development. The RBAC model created using the SecureUML approach is automatically translated to source code, which implements the modelled security rules at the database level. Enforcing access-control at this low level limits the risk of leaking sensitive data to unauthorised users. In out case study we compared SecureUML and the traditional security model, written as a source code, mixed with business logic and user-interface statements. The case study showed that the model-driven security development results in significantly better quality for the security model. Hence the security model created at the design stage contains higher semantic completeness and correctness, it is easier to modify and understand, and it facilitates a better communication of security solutions to the system stakeholders than the security model created at the implementation stage

Modeling Security Risks at the System Design Stage Alignment of Mal Activity Diagrams and SecureUML to the ISSRM Domain Model

Turvatehnika disain on üks olulisi süsteemiarenduse komponente. Ta peaks läbima tervet süsteemiarendusprotsessi. Kahjuks pööratakse talle paljudel juhtudel tähelepanu ainult süsteemi arendamise ja haldamise ajal. Paljud turvalise modelleerimise keeled (näiteks Misuse Case, Secure Tropos) aitavad turvariskejuba nõuete analüüsi etapil hallata. Käesolevas magistritöös vaatleme modelleerimisvahendeid (pahateoskeemid ja SecureUML), mida kasutatakse süsteemi disainil. Täpsemalt, me uurime, kuivõrd need vahendid toetavad infosüsteemide turvariskide haldust (Information Systems Security Risks Management, ISSRM). Töö tulemuseks on tabel, mis seab pahateoskeemid ning SecureUML-keele konstruktsioonid ISSRM domeeni mõistetega omavahel vastavusse. Me põhjendame oma analüüsi ning valideerime saadud tulemusi mitmel illustratiivsel näitel. Me loodame, et saadud tulemused aitavad arendajatel paremini aru saada, kuidas turvariske süsteemi disainietapil arvesse võtta. Peale selle, nende keelte analüüs ühisel kontseptuaalsel taustal annab tulevikus võimaluse neid keeli korraga kasutada ning loodud mudeleid ühest keelest teise teisendada.Security engineering is one of the important concerns during system development. It should be addressed throughout the whole system development process; however in many cases it is often dealt only during system development and maintenance. There are several security modeling languages (e.g, Misuse case, Secure Tropos) that help dealing with security risk management at the requirements stage. In this thesis, we are focusing on the modeling languages (e.g. Mal activity diagrams and SecureUML) that are used to design the system. More specifically we investigate how these languages support information systems security risks management (ISSRM). The outcome of this work is an alignment table between the Mal activity diagrams and SecureUML language constructs to the ISSRM domain model concepts. We ground our analysis and validate the received results on the number of illustrative examples. We hope that our results will help developers to understand how they can consider security risks at the system design stage. In addition we open the way for the interoperability between different modeling languages that are analysed using the same conceptual background, thus, potentially leading to the transformation between these modeling approaches

A Prototype for Transforming Role-Based Access Control Models

Rollipõhine juurdepääsukontroll on arvutisüsteemides laialtkasutatav mehhanism – see tagab turvalisuse, lubades ligipääsu ressurssidele vaid nendele kasutajatele, kel on selleks vastavad õigused. Rollipõhise juurdepääsukontrolli lahendusi on võimalik välja töötada selliste modelleerimiskeelte abil, nagu SecureUML ning UMLsec, mis mõlemad esitavad süsteemi disaini erinevatest vaatepunktidest. Mitme kooskõlalise mudeli koostamine võib aga osutuda keeruliseks ning aeganõudvaks ülesandeks. See võib omakorda vähendada rollipõhise juurdepääsukontrolli mudelite loomise motivatsiooni. Ühe lahendusena võib pakkuda arendajale tööriista, mis kasutaks ühes keeles loodud mudelit, et selle põhjal automaatselt konstrueerida mudel teises keeles. Teisendatud mudel aga ei oleks täielik, kuna eelmainitud keeli kasutatakse osalt erineva informatsiooni kandmiseks. Tööriista eesmärk oleks vähendada vajadust teist mudelit koostades käsitsi informatsiooni kopeerida. Selle töö raames arendatakse tööriista prototüüp, mis teisendab SecureUML mudeli UMLsec mudeliks ning vastupidi. See teostatakse Java programmeerimiskeeles ning pistikprogrammina professionaalsele UML modelleerimistööriistale MagicDraw. Rakendusele lisatakse menüüpunktid, millele vajutades käivitatakse teisendused: SecureUML keelest UMLsec keelde või vastupidi. Lisafunktsioonina arendatakse ka mõlema mudeli täielikkuse kontrollid, mille abil antakse kasutajale teada, kas kõik vajalikud elemendid on olemas. Need annavad kasutajale juhtnööre, kuidas teisendatud mudelit täiendada, kuna on teada, et pärast teisendust on teatud info uuelt mudelilt puudu. Teine lisakomponent võimaldab töödelda UMLsec märgendeid (ingl. k. association tags), mis on SecureUML ning UMLsec vaheliste teisenduste tähtis osa. Käesoleva töö raames on koostatud ka pistikprogrammi dokumentatsioon – nõuete analüüs, koodi dokumentatsioon ning kasutusjuhend – mille eesmärk on tagada prototüübi mõistmine ning aidata kaasa selle edasiarendamisele tulevikus.Role-based access control is a widely-used mechanism in computer systems – it ensures security by restricting resource access to only the system users with respective rights. The RBAC solutions can be engineered with the aid of modelling languages, such as SecureUML and UMLsec, which both present the system design from different viewpoints. Creating multiple coherent models, however, may turn out to be a non-trivial and time-consuming task. This, in turn, may dramatically lessen the motivation to create role-based access control models altogether. As a solution to the problem above, developers could be provided a software tool, which inputs a model in one language and transforms it into the model of another. The transformed model, however, would not be complete, since the two languages are used to represent somewhat different information. The aim of such a tool would be to diminish the necessity to manually copy information, when creating a second model. With this thesis, a prototype tool is developed, which enables the transformation of a SecureUML model to a UMLsec model and vice versa. The tool is implemented in the Java programming language, as a plug-in to the professional UML modelling tool MagicDraw. Menu items are added to the application, which trigger transformations: information is collected from a model in the UMLsec or SecureUML language and, based on that, a new model in the other language is created. As an additional function, completion checks are developed for both models to inform the user of whether all necessary language elements are present. They should act as guides for the user on how to improve the transformed model, since after transformations some information is known to be absent from the new model. Another additional component is the support for manipulating UMLsec association tags, which are an integral part of transformations between the SecureUML and UMLsec languages. The documentation – requirements, code documentation and user manual – is also provided in this paper and are supposed to contribute to the further development as well as understanding of the prototype