A Formal Engineering Approach for Interweaving Functional and Security Requirements of RESTful Web APIs

RESTful Web API adoption has become ubiquitous with the proliferation of REST APIs in almost all domains with modern web applications embracing the micro-service architecture. This vibrant and expanding adoption of APIs, has made an increasing amount of data to be funneled through systems which require proper access management to ensure that web assets are secured. A RESTful API provides data using the HTTP protocol over the network, interacting with databases and other services and must preserve its security properties. Currently, practitioners are facing two major challenges for developing high quality secure RESTful APIs. One, REST is not a protocol. Instead, it is a set of guidelines that define how web resources can be designed and accessed over HTTP endpoints. There are a set of guidelines which stipulate how related resources should be structured using hierarchical URIs as well as how specific well-defined actions on those resources should be represented using different HTTP verbs. Whereas security has always been critical in the design of RESTful APIs, there are no clear formal models utilizing a secure-by-design approach that interweaves both the functional and security requirements. The other challenge is how to effectively utilize a model driven approach for constructing precise requirements and design specifications so that the security of a RESTFul API is considered as a concern that transcends across functionality rather than individual isolated operations.This thesis proposes a novel technique that encourages a model driven approach to specifying and verifying APIs functional and security requirements with the practical formal method SOFL (Structured-Object-Oriented Formal Language). Our proposed approach provides a generic 6 step model driven approach for designing security aware APIs by utilizing concepts of domain models, domain primitives, Ecore metamodel and SOFL. The first step involves generating a flat file with APIs resource listings. In this step, we extract resource definitions from an input RESTful API documentation written in RAML using an existing RAML parser. The output of this step is a flat file representing API resources as defined in the RAML input file. This step is fully automated. The second step involves automatic construction of an API resource graph that will work as a blue print for creating the target API domain model. The input for this step is the flat file generated from step 1 and the output is a directed graph (digraph) of API resource. We leverage on an algorithm which we created that takes a list of lists of API resource nodes and the defined API root resource node as an input, and constructs a digraph highlighting all the API resources as an output. In step 3, we use the generated digraph as a guide to manually define the API’s initial domain model as the target output with an aggregate root corresponding to the root node of the input digraph and the rest of the nodes corresponding to domain model entities. In actual sense, the generated digraph in step 2 is a barebone representation of the target domain model, but what is missing in the domain model at this stage in the distinction between containment and reference relationship between entities. The resulting domain model describes the entire ecosystem of the modeled API in the form of Domain Driven Design Concepts of aggregates, aggregate root, entities, entity relationships, value objects and aggregate boundaries. The fourth step, which takes our newly defined domain model as input, involves a threat modeling process using Attack Defense Trees (ADTrees) to identify potential security vulnerabilities in our API domain model and their countermeasures. aCountermeasures that can enforce secure constructs on the attributes and behavior of their associated domain entities are modeled as domain primitives. Domain primitives are distilled versions of value objects with proper invariants. These invariants enforce security constraints on the behavior of their associated entities in our API domain model. The output of this step is a complete refined domain model with additional security invariants from the threat modeling process defined as domain primitives in the refined domain model. This fourth step achieves our first interweaving of functional and security requirements in an implicit manner. The fifth step involves creating an Ecore metamodel that describes the structure of our API domain model. In this step, we rely on the refined domain model as input and create an Ecore metamodel that our refined domain model corresponds to, as an output. Specifically, this step encompasses structural modeling of our target RESTful API. The structural model describes the possible resource types, their attributes, and relations as well as their interface and representations. The sixth and the final step involves behavioral modeling. The input for this step is an Ecore metamodel from step 5 and the output is formal security aware RESTful API specifications in SOFL language. Our goal here is to define RESTful API behaviors that consist of actions corresponding to their respective HTTP verbs i.e., GET, POST, PUT, DELETE and PATCH. For example, CreateAction creates a new resource, an UpdateAction provides the capability to change the value of attributes and ReturnAction allows for response definition including the Representation and all metadata. To achieve behavioral modelling, we transform our API methods into SOFL processes. We take advantage of the expressive nature of SOFL processes to define our modeled API behaviors. We achieve the interweaving of functional and security requirements by injecting boolean formulas in post condition of SOFL processes. To verify whether the interweaved functional and security requirements implement all expected functions correctly and satisfy the desired security constraints, we can optionally perform specification testing. Since implicit specifications do not indicate algorithms for implementation but are rather expressed with predicate expressions involving pre and post conditions for any given specification, we can substitute all the variables involved a process with concrete values of their types with results and evaluate their results in the form of truth values true or false. When conducting specification testing, we apply SOFL process animation technique to obtain the set of concrete values of output variables for each process functional scenario. We analyse test results by comparing the evaluation results with an analysis criteria. An analysis criteria is a predicate expression representing the properties to be verified. If the evaluation results are consistent with the predicate expression, the analysis show consistency between the process specification and its associated requirement. We generate the test cases for both input and output variables based on the user requirements. The test cases generated are usually based on test targets which are predicate expressions, such as the pre and post conditions of a process. when testing for conformance of a process specification to its associated service operation, we only need to observe the execution results of the process by providing concrete input values to all of its functional scenarios and analyze their defining conditions relative to user requirements. We present an empirical case study for validating the practicality and usability of our model driven formal engineering approach by applying it in developing a Salon Booking System. A total of 32 services covering functionalities provided by the Salon Booking System API were developed. We defined process specifications for the API services with their respective security requirements. The security requirements were injected in the threat modeling and behavioral modeling phase of our approach. We test for the interweaving of functional and security requirements in the specifications generated by our approach by conducting tests relative to original RAML specifications. Failed tests were exhibited in cases where injected security measure like requirement of an object level access control is not respected i.e., object level access control is not checked. Our generated SOFL specification correctly rejects such case by returning an appropriate error message while the original RAML specification incorrectly dictates to accept such request, because it is not aware of such measure. We further demonstrate a technique for generating SOFL specifications from a domain model via model to text transformation. The model to text transformation technique semi-automates the generation of SOFL formal specification in step 6 of our proposed approach. The technique allows for isolation of dynamic and static sections of the generated specifications. This enables our technique to have the capability of preserving the static sections of the target specifications while updating the dynamic sections in response to the changes of the underlying domain model representing the RESTful API in design. Specifically, our contribution is provision of a systemic model driven formal engineering approach for design and development of secure RESTful web APIs. The proposed approach offers a six-step methodology covering both structural and behavioral modelling of APIs with a focus on security. The most distinguished merit of the model to text transformation is the utilization of the API’s domain model as well as a metamodel that the domain model corresponds to as the foundation for generation of formal SOFL specifications that is a representation of API’s functional and security requirements.博士(理学)法政大学 (Hosei University

Petroleum Reservoir Simulation Using 3-D Finite Element Method With Parallel Implementation.

Modeling fluid flow around wellbores with conventional reservoir simulators is inaccurate because radial flow occurs in the vicinity of the wellbore and these simulators use cartesian coordinates. In this research, we present a more accurate wellbore simulation by incorporating the finite element method (FEM) to simulate the radial flow in the vicinity of the wellbore and interfacing this finite element wellbore model with an existing finite difference method (FDM) reservoir simulator. Although this technique was developed for a vertical well, it could also be used to accurately model a horizontal wellbore. This hybrid solution is for three dimensional---triphasic fluid flow and allows a more rigorous treatment of the near-well flow. The reservoir region, where flow geometry is linear, is simulated with the cartesian grid using finite differences. The reservoir simulator used for this research was the US Department of Energy\u27s Black Oil Applied Simulation Tool (BOAST II). Two problems furnished by the Department of Energy were used to test the effectiveness of our solution. The first was a single stratum three phase system. The second was a three strata three phase gas injection problem. Finally, our stand alone model could actually be interfaced with almost any other finite difference fluid flow simulator; whether it is for petroleum reservoirs, underground water, or hazardous waste management

Employment Models of Platform Companies in Norway: A Distinctive Approach?

The past decade has seen an increase in ‘platform companies’ functioning as the intermediary between workers and customers.The way these companies structure the labour process has significant implications for working conditions. In this article, we ask: In what ways does platform work in Norway differ from standard employment relationships? And do different employment strategies of platform companies put workers in precarious situations? The article builds on qualitative interviews with CEOs of platform companies in Norway, and aims to contribute to the literature by formulating a typology of the employment models of platform companies emerging in the Nordic countries. The platforms’ employment models are compared to the standard employment relationship and precariousness. Finally, the article suggests that institutions matter for why some platform companies adopt elements of the standard employment relationships as they appear in the Nordic labour market models, and discusses the implications of this

Integrating Functional and Security Requirements Analysis using SOFL for Software Security Assurance

Formal methods have been applied to define requirements for safety and/or security critical software systems in some industrial sectors, but the challenge is the lack of a systematic way to take security issues into account in specifying the functional behaviors. In this paper, we propose a formal approach to expressing and explicitly interweaving security and functional requirements. With this approach, the functional behaviors of the system are precisely specified using the Structured Object Oriented Formal Language (SOFL), the security rules are systematically explored, and the result is properly incorporated into the functional specification as constraints. The resultant specification then defines the system functionality that implies the conformance to the security rules. Such a specification can be used as a firm foundation for implementation and testing of the implementation. We discuss the principle of interweaving security rules with functional specifications and present a case study to demonstrate the feasibility of our approac

Design and Implementation of an Agile-SOFL GUI-Aided Tool

Agile-SOFL is a newly developed method for software development that results from an integration of agile method and the SOFL formal engineering method. It advocates the importance of comprehensible communication between the user and the developer, but the tool support of this idea remains unavailable. In this research, we have developed a prototype software tool to support the user-developer communication in defining the interface of functions to be constructed in a system. The functions that are offered by our tool include: moving graphical elements, making system templates, constructing GUI pages, animating GUI pages, writing formal specifications, supporting test case generation, and aiding the design of basic graphical elements necessary for constructing GUI pages. A simple experiment is conducted in order to evaluate the performance of the tool, and the result shows that the tool is useful in strengthening the user-developer communications

Automated Visualization of Input / Output for Processes in SOFL Formal Specifications

While formal specification is regarded as an effective means to capture accurate requirements and design, validation of the specifications remains a challenge. Specification animation has been proposed to tackle the challenge, but lacking an effective representation of the input / output data in the animation can considerably limit the understanding of the animation by clients. In this paper, we put forward a tool supported technique for visualization of the input / output data of processes in SOFL formal specifications. After discussing the motives of our work, we describe how data of each kind of data type available in the SOFL language can be visualized to facilitate the representation and understanding of input / output data. We also present a supporting tool for the technique and a case study to demonstrate the usability and effectiveness of our proposed technique

Lean object-oriented software development

Software failures can be dramatic, exp3ensive and catastrophic. The London Stock Exchange was developed eleven years late and 13,200% over budget (Corr 2002). A catastro0phic software failure in February 1998 interrupted the New York Mercantile Exchange and phone service in several East Coast cities (NIST 2002). All industries need software development process improvement. Of 800 business technology managers responding to an InformationWeek survey, 97% reported problems with software bugs in the past year and nine out of 10 reported higher costs, lost revenue, or both as a result (Hayes 2002, p. 40

A Review of Software Reliability Testing Techniques

In the era of intelligent systems, the safety and reliability of software have received more attention. Software reliability testing is a significant method to ensure reliability, safety and quality of software. The intelligent software technology has not only offered new opportunities but also posed challenges to software reliability technology. The focus of this paper is to explore the software reliability testing technology under the impact of intelligent software technology. In this study, the basic theories of traditional software and intelligent software reliability testing were investigated via related previous works, and a general software reliability testing framework was established. Then, the technologies of software reliability testing were analyzed, including reliability modeling, test case generation, reliability evaluation, testing criteria and testing methods. Finally, the challenges and opportunities of software reliability testing technology were discussed at the end of this paper

AMADEUS: Towards the AutoMAteD secUrity teSting

The proper configuration of systems has become a fundamental factor to avoid cybersecurity risks. Thereby, the analysis of cyber security vulnerabilities is a mandatory task, but the number of vul nerabilities and system configurations that can be threatened is ex tremely high. In this paper, we propose a method that uses software product line techniques to analyse the vulnerable configuration of the systems. We propose a solution, entitled AMADEUS, to enable and support the automatic analysis and testing of cybersecurity vulnerabilities of configuration systems based on feature models. AMADEUS is a holistic solution that is able to automate the analy sis of the specific infrastructures in the organisations, the existing vulnerabilities, and the possible configurations extracted from the vulnerability repositories. By using this information, AMADEUS generates automatically the feature models, that are used for rea soning capabilities to extract knowledge, such as to determine attack vectors with certain features. AMADEUS has been validated by demonstrating the capacities of feature models to support the threat scenario, in which a wide variety of vulnerabilities extracted from a real repository are involved. Furthermore, we open the door to new applications where software product line engineering and cybersecurity can be empowered.Ministerio de Ciencia, Innovación y Universidades RTI2018-094283-B-C33 (ECLIPSE)Junta de Andalucía P20-01224 (COPERNICA)Junta de Andalucía US-1381375 (METAMORFOSIS