11 research outputs found

    ACADA: Access Control-driven Architecture with Dynamic Adaptation

    Programmers of relational database applications use software solutions (Hibernate, JDBC, LINQ, ADO.NET) to ease the development of business tiers. These solutions were not devised to address access control policies, much less evolving access control policies, in spite of their unavoidable relevance. Currently, access control policies, whenever implemented, are enforced by independent components, leading to a separation between policies and their enforcement. This paper proposes a new approach based on an architectural model referred to here as the Access Control-driven Architecture with Dynamic Adaptation (ACADA). Solutions based on ACADA are automatically built to statically enforce access control policies based on schemas of Create, Read, Update and Delete (CRUD) expressions. CRUD expressions are then dynamically deployed at runtime, driven by the established access control policies. Any update to the policies is followed by an adaptation process that keeps the access control mechanisms aligned with the policies to be enforced. A proof of concept based on Java and Java Database Connectivity (JDBC) is also presented.
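The abstract describes the mechanism only in outline: a policy decides which CRUD expressions a role may execute, the business-tier object for that role is built from exactly those expressions, and a policy change triggers re-adaptation. The following Python sketch, written for this page and not taken from the ACADA paper or its Java/JDBC prototype, illustrates that cycle against an in-memory SQLite table. The expression catalogue, the role name `clerk`, the `orders` table and the policy-version check are all assumptions made for the illustration.

```python
import sqlite3

# Constructed catalogue of parameterised CRUD expressions (hypothetical schema).
# Only expressions listed here can ever be deployed; callers never pass raw SQL.
CRUD_SCHEMAS = {
    "order.read":   "SELECT id, customer, amount FROM orders WHERE id = ?",
    "order.create": "INSERT INTO orders(customer, amount) VALUES (?, ?)",
    "order.update": "UPDATE orders SET amount = ? WHERE id = ?",
    "order.delete": "DELETE FROM orders WHERE id = ?",
}


class AccessControlPolicy:
    """Role -> set of CRUD expression names the role may execute.
    A version counter lets enforcement points notice policy changes."""

    def __init__(self, grants):
        self._grants = {role: set(exprs) for role, exprs in grants.items()}
        self.version = 1

    def allowed(self, role):
        return frozenset(self._grants.get(role, ()))

    def grant(self, role, expr):
        self._grants.setdefault(role, set()).add(expr)
        self.version += 1

    def revoke(self, role, expr):
        self._grants.get(role, set()).discard(expr)
        self.version += 1


class BusinessTier:
    """Per-role business-tier object. Only the CRUD expressions the policy
    permits are deployed into it; anything else is not callable at all."""

    def __init__(self, conn, policy, role):
        self.conn, self.policy, self.role = conn, policy, role
        self._deployed = {}
        self._version = None
        self.adapt()

    def adapt(self):
        # Rebuild the deployed expression set from the current policy.
        self._deployed = {
            name: CRUD_SCHEMAS[name]
            for name in self.policy.allowed(self.role)
            if name in CRUD_SCHEMAS
        }
        self._version = self.policy.version

    def execute(self, name, *params):
        if self._version != self.policy.version:
            self.adapt()  # policy changed since deployment: re-align first
        sql = self._deployed.get(name)
        if sql is None:
            raise PermissionError(
                f"role {self.role!r} has no deployed expression {name!r}")
        cur = self.conn.execute(sql, params)
        self.conn.commit()
        if sql.lstrip().upper().startswith("SELECT"):
            return cur.fetchall()
        return cur.rowcount


def demo():
    """Run a clerk through read/update/delete, then evolve the policy.
    Returns the decision log and the number of rows left."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, amount REAL)")
    conn.execute(
        "INSERT INTO orders(customer, amount) VALUES ('acme', 10.0), ('globex', 20.0)")
    policy = AccessControlPolicy({"clerk": ["order.read", "order.update"]})
    tier = BusinessTier(conn, policy, "clerk")
    log = []
    log.append(("read", tier.execute("order.read", 1)))
    log.append(("update", tier.execute("order.update", 12.5, 1)))
    try:
        tier.execute("order.delete", 1)
        log.append(("delete", "allowed"))
    except PermissionError:
        log.append(("delete", "denied"))
    policy.grant("clerk", "order.delete")  # policy evolves at runtime
    log.append(("delete-after-grant", tier.execute("order.delete", 1)))
    remaining = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return log, remaining


if __name__ == "__main__":
    print(demo())
```

The point to take from the sketch is that the denied delete is not a failed runtime check against a separate authorization component: the expression was never deployed into the clerk's business tier, so it cannot be called until the policy grants it and the tier re-adapts.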

    Software Technology Maturation and Software Security

    Software technology maturation, also referred to as technology transfer, is as difficult as it is rare, mostly because of the time scale involved. Software maturation is defined as the process of taking a piece of technology from conception to popularization. Frequently, software engineers and developers tend to oversimplify the problems of technology transfer. They attribute problems to management pressures that complicate the use of software-engineering practices. However, a good understanding of the processes and problems is necessary to effectively tackle the technology-transfer problem. Without that understanding, the transfer of inappropriate technology to an organization without the maturity to understand and absorb it is likely to do harm rather than bring benefits. This research aims to answer two research questions regarding technology maturation. Namely, is Redwine and Riddle's "Software Technology Maturation" study the accepted gold standard within the software engineering discipline for assessing the maturation of software technology? Secondly, can the software technology maturation study be applied to other areas of software technology? The purpose of this research is to answer these questions, which will serve as the basis for the second implementation: applying the Redwine and Riddle criteria to the comparatively young discipline of software security. The primary goal of the second implementation is to explore and extend the second research question and demonstrate the maturity phases for the field of software security.

    UML-based modeling of non-functional requirements in telecommunication systems. In:

    Successful design of real-time embedded systems relies heavily on the satisfaction of their non-functional requirements. Model-driven engineering is a promising approach for coping with the design complexity of embedded systems. However, when it comes to modeling non-functional requirements and covering specific aspects of different domains and types of embedded systems, general modeling languages for real-time embedded systems may not be able to cover all of these aspects. One solution is to use a combination of modeling languages for modeling different non-functional requirements, as is done in the definition of the EAST-ADL modeling language for the automotive domain. In this paper, we propose a UML-based solution, consisting of different modeling languages, to model non-functional requirements in the telecommunication domain, and discuss different challenges and issues in the design of telecommunication systems that are related to these requirements.

    Requirements Engineering of Context-Aware Applications

    Context-aware computing envisions a new generation of smart applications that have the ability to perpetually sense the user’s context and use these data to make adaptation decisions in response to changes in the user’s context, so as to provide timely and personalized services anytime and anywhere. Unlike traditional distributed systems, where the network topology is fixed and wired, context-aware computing systems are mostly based on wireless communication due to the mobility of the network nodes; hence the network topology is not fixed but changes dynamically in an unpredictable manner as nodes join and leave the network, in addition to the fact that wireless communication is unstable. These factors make the design and development of context-aware computing systems much more challenging, as the system requirements change depending on the context of use. The Unified Modelling Language (UML) is a graphical language commonly used to specify, visualize, construct, and document the artefacts of software-intensive systems. However, UML is an all-purpose modelling language and does not have notations to distinguish context-awareness requirements from other system requirements. This is critical for the specification, visualization, construction and documentation of context-aware computing systems because context-awareness requirements are highly important in these systems. This thesis proposes an extension of UML diagrams to cater for the specification, visualization, construction and documentation of context-aware computing systems, where new notations are introduced to model context-awareness requirements distinctly from other system requirements. 
The contributions of this work can be summarized as follows: (i) A context-aware use case diagram is a new notion which merges into a single diagram the traditional use case diagram (which describes the functions of an application) and the use context diagram, which specifies the context information upon which the behaviours of these functions depend. (ii) A novel notion known as a context-aware activity diagram is presented, which extends traditional UML activity diagrams to enable the representation of context objects, context constraints and adaptation activities. Context constraints express conditions upon context object attributes that trigger adaptation activities; adaptation activities are activities that must be performed in response to specific changes in the system’s context. (iii) A novel notion known as the context-aware class diagram is presented, which extends traditional UML class diagrams to enable the representation of context information that affects the behaviours of a class. A new relationship, called utilisation, between a UML class and a context class is used to model context objects, meaning that the behaviours of the UML class depend upon the context information represented by the context class. Hence a context-aware class diagram is a rich and expressive language that distinctly depicts both the structure of classes and that of the contexts upon which they depend. The pragmatics of the proposed approach are demonstrated using two real-world case studies.

    Model-to-model transformation approach for systematic integration of security aspects into UML 2.0 design models

    Security is a challenging task in software engineering. Traditionally, security concerns are considered an afterthought to the development process and are thus fitted into pre-existing software without consideration of whether this would jeopardize the main functionality of the software or even produce additional vulnerabilities. Enforcing security policies should be taken care of during the early phases of the software development life cycle in order to decrease development costs and reduce maintenance time. In addition to cost savings, this way of development will produce more reliable software, since security-related concepts will be considered in each step of the design. Similarly, the implications of inserting such mechanisms into the existing system's requirements will be considered as well. Since security is a crosscutting concern that pervades the entire software, integrating security solutions at the software design level may result in the scattering and tangling of security features throughout the entire design. Additionally, traditional hardening approaches are tedious and error-prone, as they involve manual modifications. In this context, the need for a systematic way to integrate security concerns into the process of developing software becomes crucial. In this thesis, we define an aspect-oriented modeling approach for specifying and integrating security concerns into UML design models. The proposed approach makes use of the expertise of the software security specialist by providing them with the means to specify generic UML aspects that are then incorporated ("woven") into the developers' models. Model transformation mechanisms are instrumented in order to have an efficient and fully automatic weaving process.

    Modeling of Security Measurement (Metrics) in an Information System

    Security metrics and measurement is a sub-field of the broader information security field. This field is not new, but it has received very little and sporadic attention, as a result of which it is still in its early stages. The measurement and evaluation of security has become a long-standing challenge to the research community, while much of the focus has remained on devising and applying new and updated protection mechanisms. Measurements in general act as a driving force in decision making. As stated by Lord Kelvin, "if you cannot measure it then you cannot improve it". This principle also applies to the security measurement of information systems. Even if the necessary and required protection mechanisms are in place, the level of security remains unknown, which limits the decision-making capabilities to improve the security of a system. With the increasing reliance on information systems in general and software systems in particular, security measurement has become the most pressing requirement in order to promote and develop security-critical systems in the current networked environment. The resulting indicators of security measurement, preferably quantitative indicators, act as a basis for decision making to enhance the security of the overall system. Information systems are comprised of various components such as people, hardware, data, network and software. With the fast-growing reliance on software systems, the research reported in this thesis aims to provide a framework, using mathematical modeling techniques, for evaluating the security of software systems at the architectural and design phase of the system life cycle, and to derive security metrics on a controlled scale from the proposed framework. The proposed security evaluation framework is independent of the programming language and platform used in developing the system, and is applicable from small desktop applications to large, complex distributed software. 
The validation of security metrics is the most challenging part of the security metrics field. In this thesis we have conducted an exploratory empirical evaluation on a running system to validate the derived security metrics and the measurement results. To make the task easier, we have transformed the proposed security evaluation into algorithmic form, which increases the applicability of the proposed framework without requiring any expert security knowledge. The motivation of the research is to provide the software development team with a tool to evaluate the level of security of each element of the system, and of the overall system, at the early development stages of the system life cycle. In this regard, three questions, "What is to be measured?", "Where (in the system life cycle) to measure?" and "How to measure?", have been answered in the thesis. Since the field of security metrics and measurement is still in its early stages, the first part of the thesis investigates and analyzes the basic terminology, taxonomies and major efforts made towards security metrics, based on a literature survey. Answering the second question, "Where (in the system life cycle) to measure security?", the second part of the thesis analyzes the secure software development processes (SSDPs) followed and identifies the key stages of the system's life cycle where the evaluation of security is necessary. Answering the first and third questions, "What is to be measured?" and "How to measure?", the third part of the thesis presents a security evaluation framework aimed at the software architecture and design phase, using mathematical modeling techniques. In the proposed framework, component-based architecture and design (CBAD) using UML 2.0 component modeling techniques has been adopted. Part 3 of the thesis further presents the empirical evaluation of the proposed framework to validate and analyze the applicability and feasibility of the proposed security metrics. 
Our effort is to get the software development community to focus on security evaluation in the software development process, in order to take early decisions regarding the security of the overall system.

    Multilevel security : systemer med gradert informasjonsflyt

    Master's thesis in Information and Communication Technology 2005 - Høgskolen i Agder, Grimstad. In connection with the development and introduction of a Common Integrated Management System (Felles Integrert Forvaltningssystem, FIF), the Norwegian Armed Forces (Forsvaret) need a solution for secure classified information flow. A concept that addresses this problem is Multilevel Security, which has been an important topic in the defence context since the early seventies. Although Multilevel Security has been a topic for almost forty years, there is still no complete solution for use in a defence context. Against this background, we have surveyed the state of Multilevel Security and described the various theories and strategies in the field. The thesis is further divided into three sub-problems. The first concerns which security requirements relate to Multilevel Security, the second surveys theories, strategies and implemented systems within Multilevel Security, and the last concerns the consequences of a possible implementation of Multilevel Security in the Armed Forces. Although the thesis is written primarily for the Armed Forces, many of the findings may be of interest to others, for example private or public enterprises that need to handle flows of sensitive information. The results of the first sub-problem show that the Norwegian Security Act (Sikkerhetsloven) and NATO's security regulations set limits on, and impose requirements for, interconnections between systems at different classification levels. This is probably the greatest challenge for a possible introduction of Multilevel Security in the Armed Forces. Furthermore, Multilevel Security systems must satisfy the evaluation and certification requirements of the Common Criteria. In our opinion, this dampens the willingness to develop and introduce new Multilevel Security systems. We conclude that the current requirements and evaluation criteria must be changed if Multilevel Security is ever to be introduced in the Armed Forces. 
For the second sub-problem we selected six models, one strategy and one method. These represent a historical cross-section from the first Multilevel Security model from 1973 to a current methodical process from the late nineties. We compared the models, the strategy and the method in a framework, examining which properties relate to the models. We then presented a selection of implemented Multilevel Security systems. Many of these systems are built on the classic Bell-LaPadula model. There are, however, few new systems, and we therefore call for a new formal model. It must be adapted to today's technology and requirements and guide the development of future multilevel systems. In the third sub-problem we found that Multilevel Security will probably simplify and streamline the working day of employees. Employees will likely have more time to perform their primary functions instead of spending time switching between systems. At the same time, the introduction of a Multilevel Security system places high demands on users, since such a system has no physical separation between classification levels. A possible introduction of Multilevel Security in the Armed Forces will be very costly in terms of implementation and training. We nevertheless believe that such an investment will pay off over time.

    A Graphical Approach to Security Risk Analysis

    "The CORAS language is a graphical modeling language used to support the security analysis process with its customized diagrams. The language has been developed within the research project "SECURIS" (SINTEF ICT/University of Oslo), where it has been applied and evaluated in seven major industrial field trials. Experiences from the field trials show that the CORAS language has contributed to a more actively involvement of the participants, and it has eased the communication within the analysis group. The language has been found easy to understand and suitable for presentation purposes. With time we have become more and more dependent on various kinds of computerized systems. When the complexity of the systems increases, the number of security risks is likely to increase. Security analyses are often considered complicated and time consuming. A well developed security analysis method should support the analysis process by simplifying communication, interaction and understanding between the participants in the analysis. This thesis describes the development of the CORAS language that is particularly suited for security analyses where "structured brainstorming" is part of the process. Important design decisions are based on empirical investigations. The thesis has resulted in the following artifacts: - A modeling guideline that explains how to draw the different kind of diagrams for each step of the analysis. - Rules for translation which enables consistent translation from graphical diagrams to text. - Concept definitions that contributes to a consistent use of security analysis terms. - An evaluation framework to evaluate and compare the quality of security analysis modeling languages.

    Foundations of Security Analysis and Design III, FOSAD 2004/2005- Tutorial Lectures

    The increasing relevance of security to real-life applications, such as electronic commerce and Internet banking, is attested by the fast-growing number of research groups, events, conferences, and summer schools that address the study of foundations for the analysis and design of security aspects. This book presents thoroughly revised versions of eight tutorial lectures given by leading researchers during two International Schools on Foundations of Security Analysis and Design, FOSAD 2004/2005, held in Bertinoro, Italy, in September 2004 and September 2005. The lectures are devoted to: Justifying a Dolev-Yao Model under Active Attacks, Model-based Security Engineering with UML, Physical Security and Side-Channel Attacks, Static Analysis of Authentication, Formal Methods for Smartcard Security, Privacy-Preserving Database Systems, Intrusion Detection, and Security and Trust Requirements Engineering.

    MAC and UML for secure software design

    Security must be a first-class citizen in the design of large-scale, interacting software applications, at early and at all stages of the life cycle, for accurate and precise policy definition, authorization, authentication, enforcement, and assurance. One of the dominant players in software design is the Unified Modeling Language, UML, a language for specifying, visualizing, constructing and documenting software artifacts. In UML, diagrams provide alternate perspectives for different stakeholders, e.g. use case diagrams for the interaction of users with system components, class diagrams for the static classes and the relationships among them, and sequence diagrams for the dynamic behavior of instances of the class diagram. However, UML's support for the definition of security requirements for these diagrams and their constituent elements (e.g., actors, systems, use cases, classes, instances, include/extend/generalize relationships, methods, data, etc.) is lacking. In this paper, we address this issue by incorporating mandatory access control (MAC) into use case, class, and sequence diagrams, providing support for the definition of clearances and classifications for relevant UML elements. In addition, we provide a framework for security assurance as users define and evolve use case, class, and sequence diagrams, bridging the gap between software engineers and an organization's security personnel in support of secure software design. To demonstrate the feasibility and utility of our work on secure software design, our MAC enhancements for UML have been integrated into Borland's Together Control Center environment.
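Both the multilevel security thesis above (which notes that most fielded systems rest on the Bell-LaPadula model) and this paper (which attaches clearances to subjects and classifications to UML elements) rely on the same decision rule, and neither abstract spells it out. The following Python reference monitor, added here as an illustration and not taken from either work, encodes the two Bell-LaPadula rules: the simple security property (no read up) and the *-property (no write down), over a lattice of levels combined with category sets. The level names, the category names and the sample subjects and documents are constructed for the example.

```python
from dataclasses import dataclass

# Assumed linear ordering of classification levels (constructed for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know categories.
    The same type serves as a subject's clearance and an object's classification."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # L1 dominates L2 iff level(L1) >= level(L2) and cats(L2) is a subset of cats(L1).
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def can_read(clearance, classification):
    """Simple security property: a subject may read an object only if the
    subject's clearance dominates the object's classification (no read up)."""
    return clearance.dominates(classification)


def can_write(clearance, classification):
    """*-property: a subject may write an object only if the object's
    classification dominates the subject's clearance (no write down)."""
    return classification.dominates(clearance)


def decide(clearance, classification, op):
    """Reference-monitor decision for one access request: 'allow' or 'deny'."""
    if op == "read":
        ok = can_read(clearance, classification)
    elif op == "write":
        ok = can_write(clearance, classification)
    else:
        raise ValueError(f"unknown operation {op!r}")
    return "allow" if ok else "deny"


def reference_monitor(clearance, requests):
    """Evaluate a sequence of (object_name, classification, op) requests and
    return the audit trail as a list of (object_name, op, decision)."""
    return [(name, op, decide(clearance, label, op))
            for name, label, op in requests]


def demo():
    # Constructed sample: one subject cleared SECRET with the NATO category,
    # and four documents at different points of the lattice.
    alice = Label("SECRET", frozenset({"NATO"}))
    docs = {
        "memo":     Label("CONFIDENTIAL"),                      # below alice
        "plan":     Label("TOP_SECRET", frozenset({"NATO"})),   # above alice
        "keys":     Label("SECRET", frozenset({"CRYPTO"})),     # incomparable
        "briefing": Label("SECRET", frozenset({"NATO"})),       # equal to alice
    }
    requests = [(name, label, op) for name, label in docs.items()
                for op in ("read", "write")]
    return reference_monitor(alice, requests)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The incomparable case ("keys", which carries a category alice lacks) is the one worth checking in any MAC implementation: neither label dominates the other, so both read and write are denied, and a monitor that compared levels alone would wrongly allow the read.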