Multi Domain-Specific Modeling of the Security Concerns of Service-Oriented Architectures

Service-Oriented Architectures (SOA), and Web Services (WS), the technology generally used to implement them, achieve the integration of heterogeneous technologies, providing interoperability, and yielding the reutilization of pre-existent systems. Model-driven development methodologies provide inherent benefits such as increased productivity, greater reuse, and better maintainability, to name a few. Efforts on achieving model-driven development of SOAs already exist, but there is currently no standard solution that addresses non-functional aspects of these services as well. This paper presents an approach to integrate these non-functional aspects in the development of web services, with an emphasis on security

A Model-Driven Strategy for Including Security Aspects in Web Services-Based Embedded Services

[EN] In modern distributed systems, such as in the Internet or Web of Things, security plays a fundamental role. Special atention must be placed, then, in considering these aspects in the first stages of development. In this context, the model-driven development of non functional (NF) requirements is of great interest, as it addresses those NF characteristics in the design stage, when analyses can be performed, and there is room for changes while they are still not too costly. The use of modeldriven methodologies brings with them some intrinsic benefits, such as the increase in productivity, a greater reuse of design elements, or an improved maintainability of the system. This paper presents a development strategy that allows integrating non-functional security aspects (such as as confidentiality, integrity, or access control) in embedded systems design.[ES] En los sistemas distribuidos modernos, como la Internet o Web de las Cosas, la seguridad juega un papel preponderante. Debe prestarse especial atención a la consideración de estos aspectos en las primeras etapas de desarrollo. En este contexto, el desarrollo guiado por modelos de requisitos no funcionales (NF) presenta especial interés, ya que aborda dichas características NF en la etapa de diseño, cuando todavía se pueden realizar análisis, y aún hay margen para modificaciones antes de que éstas sean muy costosas. El uso de estas metodologías guiadas por modelos ofrece beneficios tales como el aumento de la productividad, una mayor reutilización de los elementos de diseño, o una mejor mantenibilidad del sistema. Este artículo presenta una estrategia de desarrollo que permite integrar aspectos NF de seguridad (confidencialidad, integridad, y control de acceso) en los sistemas de software empotrado.Este trabajo ha sido financiado en parte por el Centro Español de Desarrollo Tecnológico (CDTI, Ministerio de Industria, Comercio y Turismo), por medio del proyecto ITECBAN (Infraestructura Tecnológica y Metodológica de Soporte para un Core Bancario), del programa INGENIO 2010, y por el Ministerio Español de Educación y Ciencia, por medio del proyecto RT-MODEL (Plataformas de tiempo real para diseño de sistemas empotrados basado en modelos, TIN2008-06766-C03- 03) del Plan Nacional de I+D+I.Silva Gallino, JP.; De Miguel, M.; Briones, JF.; Alonso, A. (2014). Estrategia Guiada por Modelos para incluir Aspectos de Seguridad en Sistemas Empotrados Basados en Servicios Web. Revista Iberoamericana de Automática e Informática industrial. 11(1):86-97. https://doi.org/10.1016/j.riai.2013.11.006OJS8697111Asnar, Y., Felici, M., Kokolakis, S., Li, K., Saidane, A., Yautsiukhin, A. 2009. Serenity Project Deliverable A1.D5.1 - Preliminary version of S&D Metrics.Blet, N. S., Simo’n, J. L. 2011. SOA en automatizacio’n de pymes manufacture-ras. Iberoamericana de Engenharia Industrial [2175-8018] 3 (2), 190.CDTI, 2006. ITECBAN, Infraestructura Tecnolo’gica y Metodolo’gica de Soporte para un Core Bancario. URL: http://www.daedalus.es/i-d-i/proyectos-nacionales/itecban/.De Miguel, M. A., Briones, J. F., Silva, J. P., & Alonso, A. (2008). Integration of safety analysis in model-driven software development. IET Software, 2(3), 260. doi:10.1049/iet-sen:20070050Dodd, J., Allen, P., Butler, J., Olding, S., Veryard, R., Wilkes, L., 2007. Cbdi- sae meta model for soa version 2. Tech. rep., Everware-CBDI. URL: http://www.cbdiforum.com/public/meta_model_v2.php.Eby, M., Apr. 2007. Integrating Security Modeling into Embedded System Design. Masterthesis, Vanderbilt University. URL: http://etd.library.vanderbilt.edu/available/etd-04022007-092035/.Illner, S., Krumm, H., Lück, I., Pohl, A., Bobek, A., Bohn, H., Golatowski, F. 2006. Model-based management of embedded service systems - an applied approach. En: AINA (2). IEEE Computer Society, pp. 519-523.Illner, S., Pohl, A., Krumm, H., nov. 2005. Model-driven security management of embedded service systems. En: Industrial Electronics Society, 2005. IE- CON 2005. 31st Annual Conference of IEEE. p. 6 pp. DOI: 10.1109/IECON.2005.1569326.ISO/IEC, 2011. ISO/IEC 25010 Systems and software engineering – Systems and software Quality Requirements and Evaluation (SQuaRE) – System and software quality models. ISO, Geneva, Switzerland.Kim, A., Luo, J., Kang, M., 2007. Security Ontology to Facilitate Web Service Description and Discovery. En: Journal on Data Semantics IX. Vol. 4601 of Lecture Notes in Computer Science. Springer Berlin, pp. 167-195.Langer, P., Wieland, K., Wimmer, M., Cabot, J. 2011. From uml profiles to emf profiles and beyond. En: Bishop, J., Vallecillo, A., (Eds.), Objects, Models, Components, Patterns. Vol. 6705 of Lecture Notes in Computer Science. Springer Berlin Heidelberg, pp. 52-67.Microsoft, 2012a. Micro Framework Web Page. URL: http://www.microsoft.com/en-us/netmf/default.aspx.Microsoft, 2012b. WSDAPI. URL: http://msdn.microsoft.com/en-us/library/windows/desktop/aa826001%28v=vs.85%29.aspx.Nabil, S., Mohamed, B. 2012. Security ontology for semantic scada. En: Malki, M., Benbernou, S., Benslimane, S.M., Lehireche, A., (Eds.), ICWIT. Vol. 867 of CEUR Workshop Proceedings. CEUR-WS.org, pp. 179-192.OASIS, 2006. Web services security: Soap message security 1.1 (ws-security 2004). Security 2003 (February), 76. URL: http://docs.oasis-open.org/wss/v1.1/wss-v1. 1-spec-os-SOAPMessageSecurity.pdf.OASIS, 2009. Devices Profile for Web Services Version 1.1. OASIS (July). URL: http://docs.oasis-open.org/ws-dd/dpws/1.1/pr-01/wsdd-dpws-1.1-spec-pr-01.html.OMG, 2007. Specification. A UML Profile for MARTE.OMG, 2008. UML Profile for Modeling QoS and Fault Tolerance Characteris- tics and Mechanisms Version 1.1.OMG, 2009. Service oriented architecture Modeling Language (SoaML)- Specification for the UML Profile and Metamodel for Services.(UPMS).OMG, 2011. Business Process Model and Notation (BPMN). DOI: 10.1007/s11576-008-0096-z.Satoh, F., Nakamura, Y., Mukhi, N., Tatsubori, M., Ono, K., 2008. Methodo- logy and Tools for End-to-End SOA Security Configurations. En: 2008 IEEE Congress on Services, SERVICES I. IEEE Computer Society, Honolulu, Ha- waii, USA, pp. 307-314.Shopov, M., Matev, H., Spasov, G., 2007. Evaluation of Web Services Imple- mentation for ARM-based Embedded System. En: Proceedings of ELEC- TRONICS’07. Sozopol, Bulgaria, pp. 79-84.Silva Gallino, J.P., de Miguel, M.A., Briones, J.F., Alonso, A., 2010. Model-Driven Development of a Web Service-Oriented Architecture and Security Policies. En: 2010 13th IEEE International Symposium on Object/Component/Service-Oriented Real-Time Distributed Computing. IEEE Computer Society, Los Alamitos, CA, USA, Carmona, Spain, pp. 92-96.Silva Gallino, J.P., de Miguel, M.A., Briones, J.F., Alonso, A., 2011b. Domain-Specific Multi-Modeling of Security Concerns in Service-Oriented Architectures. LNCS - 8th International Workshop on Web Services and For- mal Methods, WS-FM’11.Silva Gallino, J.P. and de Miguel, M.A. and Briones, J.F. and Alonso, A., 2011a. Multi Domain-Specific Modeling of the Security Concerns of Service-Oriented Architectures. Services Computing, IEEE International Conference on 0, 761-762. DOI: 10.1109/SCC. 2011.102.SOA4D, 2007. Web Page. URL: https://forge.soa4d.org/.Tarr, P., Ossher, H., Harrison, W., Sutton Jr., S.M., 1999. N degrees of separa- tion: multi-dimensional separation of concerns. International Conference on Software Engineering, 107-119.Theorin, A., Ollinger, L., Johnsson, C., May 2012. Service-oriented process control with grafchart and the devices profile for web services. En: 14th IFAC Symposium on Information Control Problems in Manufacturing (IN- COM). Bucharest, Romania.Unger, S., Pfeiffer, S., Timmermann, D. may 2012. Dethroning transport layer security in the embedded world. En: New Technologies, Mobility and Secu- rity (NTMS), 2012 5th International Conference on. pp. 1-5. DOI: 10.1109/NTMS. 2012.6208685.Wada, H., Suzuki, J., Oba, K., 2008. Early Aspects for Non-Functional Proper- ties in Service Oriented Business Processes. Services, IEEE Congress on 0, 231-238. DOI: 10.1109/SERVICES-1.2008.76.WS4D, 2007. Web Page. URL: http://www.ws4d.org/