
    Foundations for Designing Secure Architectures

    Abstract: Developing security-critical systems is difficult, and there are many well-known examples of security weaknesses exploited in practice. In particular, little research has so far been performed on the soundly based design of secure architectures, which would be urgently needed to develop secure systems reliably and efficiently. In this abstract, we sketch some research on a sound methodology supporting secure architecture design. We give an overview of an extension of UML, called UMLsec, that allows expressing security-relevant information within the diagrams in an architectural design specification. We define foundations for secure architectural design patterns. We present tool support which has been developed for the UMLsec secure architecture approach.

    Model-based Security Testing Using UMLsec A Case Study

    Abstract: Designing and implementing security-critical systems correctly is very difficult. In practice, most vulnerabilities arise from bugs in implementations. We present work towards systematic specification-based testing of security-critical systems based on UMLsec models. We show how to systematically generate test sequences for security properties from the model, which can then be used to test the implementation for vulnerabilities. We explain our method using the example of a part of the Common Electronic Purse Specifications (CEPS), a candidate for an international electronic purse standard.

    Tools for model-based security engineering: models vs. code

    We present tools to support model-based security engineering on both the model and the code level. In the approach supported by these tools, one first specifies the security-critical part of the system (e.g. a crypto protocol) using the UML security extension UMLsec. The models are automatically verified for security properties using automated theorem provers. These are implemented within a framework that supports implementing verification routines, based on XMI output of the diagrams from UML CASE tools. Advanced users can use this open-source framework to implement verification routines for the constraints of self-defined security requirements. In a second step, one verifies that security-critical parts of the model are correctly implemented in the code (which might be a legacy implementation), and applies security hardening transformations where that is not the case. This is supported by tools that (1) establish traceability through refactoring scripts and (2) modularize security hardening advice through aspect-oriented programming. The proposed method has been applied to an open-source Java implementation of a cryptographic protocol (Jessie) to build up traceability mappings and security aspects. In that application, we found a security weakness which could be fixed using our approach. The resulting refactoring scripts and security aspects have proved reusable in the Java Secure Socket Extension (JSSE) library.

    UMLsec4UML2 - Adopting UMLsec to Support UML2

    In this paper, we present an approach to adapt UMLsec, which is defined for UML 1.5, to support the current UML version 2.3. The new profile UMLsec4UML2 is technically constructed as a UML profile diagram, which is equipped with a number of integrity conditions expressed using OCL. Consequently, the UMLsec4UML2 profile can be loaded in any Eclipse-based EMF- and MDT-compatible UML editing tool to develop and analyze different kinds of security models. The OCL constraints replace the static checks of the tool support for the old UMLsec defined for UML 1.5. Thus, the UMLsec4UML2 profile not only provides the whole expressiveness of UML 2.3 for security modeling, it also brings considerably more freedom in selecting a basic UML editing tool, and it integrates modeling and analyzing security models. Since UML 2.3 comprises new diagram types, as well as new model elements and new semantics of diagram types already contained in UML 1.5, we consider a number of these changes in detail. More specifically, we consider composite structure and sequence diagrams with respect to modeling security properties according to the original version of UMLsec. The goal is to use UMLsec4UML2 to specify architectural security patterns.

    Model-Based Security Testing

    Security testing aims at validating software system requirements related to security properties like confidentiality, integrity, authentication, authorization, availability, and non-repudiation. Although security testing techniques have been available for many years, there have been few approaches that allow for the specification of test cases at a higher level of abstraction, for enabling guidance on test identification and specification as well as for automated test generation. Model-based security testing (MBST) is a relatively new field, especially dedicated to the systematic and efficient specification and documentation of security test objectives, security test cases and test suites, as well as to their automated or semi-automated generation. In particular, the combination of security modelling and test generation approaches is still a challenge in research and of high interest for industrial applications. MBST includes e.g. security functional testing, model-based fuzzing, risk- and threat-oriented testing, and the usage of security test patterns. This paper provides a survey on MBST techniques and the related models as well as samples of new methods and tools that are under development in the European ITEA2 project DIAMONDS. Comment: In Proceedings MBT 2012, arXiv:1202.582
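    The two abstracts above (the UMLsec/CEPS case study and the MBST survey) both describe deriving security test sequences from a behavioural model and replaying them against an implementation. The following is an added example of that idea, not code from either paper or from the UMLsec tool set: the electronic-purse state machine, its event names and the property it encodes (a debit is accepted only after authentication) are constructed assumptions standing in for the CEPS fragment, and the two implementations are written independently of the model so that the generated sequences actually compare code against model.

```python
"""Generating security test sequences from a state-machine model.

Added example, not code from the papers above. The purse model is a constructed
toy (an assumption for illustration), not the CEPS specification; the property
it encodes is that a debit is accepted only after authentication.
"""
from collections import deque
from typing import Callable, Dict, List, Tuple

EVENTS = ("init", "auth", "debit", "commit", "abort")
START = "idle"

# Allowed transitions per state; any event missing here must be rejected.
MODEL: Dict[str, Dict[str, str]] = {
    "idle":          {"init": "initialised"},
    "initialised":   {"auth": "authenticated", "abort": "idle"},
    "authenticated": {"debit": "debited", "abort": "idle"},
    "debited":       {"commit": "idle", "abort": "idle"},
}

Step = Tuple[str, bool]      # (event, must the implementation accept it?)
TestCase = List[Step]


def generate_tests(max_depth: int = 4) -> List[TestCase]:
    """Breadth-first walk of the model.

    Every path the model allows becomes a positive test. Each such path is also
    extended by every event the model forbids in its final state, giving a
    negative test whose last step must be rejected. Those negative steps are
    the security tests, e.g. 'debit' from 'initialised' must be refused.
    """
    tests: List[TestCase] = []
    queue = deque([(START, [])])
    while queue:
        state, path = queue.popleft()
        for ev in EVENTS:
            if ev in MODEL[state]:
                accepted = path + [(ev, True)]
                tests.append(accepted)
                if len(accepted) < max_depth:
                    queue.append((MODEL[state][ev], accepted))
            else:
                tests.append(path + [(ev, False)])
    return tests


class Purse:
    """Reference implementation using explicit flags, as real code would,
    rather than a copy of MODEL, so the tests compare code against model."""

    def __init__(self) -> None:
        self.started = self.authenticated = self.pending = False

    def _allowed(self, ev: str) -> bool:
        return {
            "init":   not self.started,
            "auth":   self.started and not self.authenticated and not self.pending,
            "debit":  self.authenticated and not self.pending,
            "commit": self.pending,
            "abort":  self.started,
        }.get(ev, False)

    def handle(self, ev: str) -> bool:
        if not self._allowed(ev):
            return False
        if ev == "init":
            self.started = True
        elif ev == "auth":
            self.authenticated = True
        elif ev == "debit":
            self.pending = True
        else:   # commit or abort: the transaction is finished
            self.started = self.authenticated = self.pending = False
        return True


class BuggyPurse(Purse):
    """Same code, but the guard on 'debit' forgot to require authentication."""

    def _allowed(self, ev: str) -> bool:
        if ev == "debit":
            return self.started and not self.pending
        return super()._allowed(ev)


def run_tests(factory: Callable[[], Purse], tests: List[TestCase]) -> List[TestCase]:
    """Replay each sequence on a fresh instance; return the sequences that deviate."""
    failures: List[TestCase] = []
    for case in tests:
        purse = factory()
        for ev, expect_accept in case:
            if purse.handle(ev) != expect_accept:
                failures.append(case)
                break
    return failures


if __name__ == "__main__":
    suite = generate_tests()
    print(f"{len(suite)} test sequences generated")
    for case in run_tests(BuggyPurse, suite):
        print("FAIL:", " -> ".join(f"{ev}{'' if ok else '!'}" for ev, ok in case))
```

    Run as a script, the reference implementation passes every generated sequence, while the buggy variant fails exactly the sequences that end in an unauthenticated debit (for instance init -> debit!). The point of deriving the negative steps from the model rather than writing them by hand is that every forbidden transition in every reachable state is covered, which is where hand-written security tests usually have gaps.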

    Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution

    Consider the problem of verifying security properties of a cryptographic protocol coded in C. We propose an automatic solution that needs neither a pre-existing protocol description nor manual annotation of source code. First, symbolically execute the C program to obtain symbolic descriptions for the network messages sent by the protocol. Second, apply algebraic rewriting to obtain a process calculus description. Third, run an existing protocol analyser (ProVerif) to prove security properties or find attacks. We formalise our algorithm and appeal to existing results for ProVerif to establish computational soundness under suitable circumstances. We analyse only a single execution path, so our results are limited to protocols with no significant branching. The results in this paper provide the first computationally sound verification of weak secrecy and authentication for (single execution paths of) C code
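    As an added illustration of the first step described above (this is not the paper's tool, and it uses Python rather than C): protocol code that only constructs and sends messages can be run on symbolic values instead of bytes, so that each send() records a term rather than a byte string, and each recv() introduces a fresh attacker-controlled name. The term constructors (concat, senc, hash), the applied-pi-style output syntax and the two protocol roles are constructed assumptions for illustration. The responder role also shows the limitation the abstract states: as soon as the code branches on symbolic data, a single-path execution cannot continue.

```python
"""Extracting a message model by running protocol code on symbolic values.

Added example, not the tool from the paper. Term constructors, the
ProVerif-like output format and both protocol roles are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


class SymbolicBranch(Exception):
    """Raised when the code branches on symbolic data: only one path is followed."""


@dataclass(frozen=True)
class Term:
    op: str                        # "name" for nonces/keys/inputs, else a constructor
    args: Tuple["Term", ...] = ()
    label: str = ""

    def __str__(self) -> str:
        if self.op == "name":
            return self.label
        return f"{self.op}({', '.join(map(str, self.args))})"


def name(label: str) -> Term:
    return Term("name", label=label)


class SymbolicCrypto:
    """Stands in for the crypto library: every call builds a term instead of bytes."""

    def __init__(self) -> None:
        self.fresh: List[str] = []       # nonces generated on this path

    def nonce(self, label: str) -> Term:
        self.fresh.append(label)
        return name(label)

    def concat(self, a: Term, b: Term) -> Term:
        return Term("concat", (a, b))

    def senc(self, m: Term, k: Term) -> Term:
        return Term("senc", (m, k))

    def hash(self, m: Term) -> Term:
        return Term("hash", (m,))

    def equal(self, a: Term, b: Term) -> bool:
        # A concrete run would memcmp the bytes; symbolically the outcome is unknown.
        raise SymbolicBranch(f"branch on symbolic data: {a} == {b}")


class SymbolicNet:
    """Records network events; recv() yields a fresh attacker-chosen name."""

    def __init__(self) -> None:
        self.events: List[Tuple[str, Term]] = []
        self._inputs = 0

    def send(self, m: Term) -> None:
        self.events.append(("out", m))

    def recv(self) -> Term:
        self._inputs += 1
        x = name(f"x{self._inputs}")
        self.events.append(("in", x))
        return x


def extract_model(role: Callable, key_label: str = "k") -> str:
    """Run one role on symbolic inputs and render the trace as a process (assumed syntax)."""
    crypto, net = SymbolicCrypto(), SymbolicNet()
    role(net, crypto, name(key_label))
    parts = [f"new {n}" for n in crypto.fresh]
    for kind, term in net.events:
        parts.append(f"{kind}(c, {term})")
    return "; ".join(parts) + "; 0"


def single_path(role: Callable) -> bool:
    """True if the role can be explored on a single path (no branch on symbolic data)."""
    try:
        extract_model(role)
        return True
    except SymbolicBranch:
        return False


# Constructed protocol roles, shaped like the straight-line C the paper targets.
def initiator(net, crypto, k):
    na = crypto.nonce("Na")
    net.send(na)                                        # A -> B : Na
    nb = net.recv()                                     # B -> A : Nb (attacker may replace it)
    net.send(crypto.senc(crypto.concat(na, nb), k))     # A -> B : senc(concat(Na, Nb), k)


def responder(net, crypto, k):
    na = net.recv()
    nb = crypto.nonce("Nb")
    net.send(nb)
    m = net.recv()
    if crypto.equal(m, crypto.senc(crypto.concat(na, nb), k)):   # data-dependent branch
        net.send(crypto.hash(nb))


if __name__ == "__main__":
    print(extract_model(initiator))
    print("responder single-path:", single_path(responder))
```

    For the initiator the extracted process is `new Na; out(c, Na); in(c, x1); out(c, senc(concat(Na, x1), k)); 0`, which is the shape of term a protocol analyser such as ProVerif consumes. The responder stops at its comparison, which is exactly the class of code (significant branching on received data) the abstract excludes.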

    Reconstruction as a service: a data space for off-site image reconstruction in magnetic particle imaging

    Magnetic particle imaging (MPI) is an emerging medical imaging modality which offers a unique combination of high temporal and spatial resolution, sensitivity and biocompatibility. For system-matrix (SM) based image reconstruction in MPI, a huge amount of calibration data needs to be acquired prior to reconstruction in a time-consuming procedure. Conventionally, the data is recorded on-site inside the scanning device, which significantly limits the time that the scanning device is available for patient care in a clinical setting. Due to its size, handling the calibration data can be challenging. To solve these issues of recording and handling the data, data spaces could be used, as it has been shown that the calibration data can be measured in dedicated devices off-site. We propose a data space aimed at improving the efficiency of SM-based image reconstruction in MPI. The data space consists of imaging facilities, calibration data providers and reconstruction experts. Its specifications follow the reference architecture model of international data spaces (IDS). Use-cases of image reconstruction in MPI are formulated. The stakeholders and tasks are listed and mapped to the terminology of IDS. The signal chain in MPI is analysed to identify a minimum information model which is used by the data space

    Data Trading and Monetization: Challenges and Open Research Directions

    Traditional data monetization approaches face challenges related to data protection and logistics. In response, digital data marketplaces have emerged as intermediaries simplifying data transactions. Despite the growing establishment and acceptance of digital data marketplaces, significant challenges hinder efficient data trading. As a result, few companies can derive tangible value from their data, leading to missed opportunities in understanding customers, pricing decisions, and fraud prevention. In this paper, we explore both technical and organizational challenges affecting data monetization. Moreover, we identify areas in need of further research, aiming to expand the boundaries of current knowledge by emphasizing where research is currently limited or lacking. Comment: Paper accepted by the International Conference on Future Networks and Distributed Systems (ICFNDS 2023)

    Extracting Domain Ontologies from Domain Specific APIs

    Abstract: Domain-specific APIs offer their clients ready-to-use implementations of domain concepts. Besides being interfaces between the worlds of humans and computers, domain-specific APIs contain a considerable amount of domain knowledge. Due to the big abstraction gap between the real world and today's programming languages, in addition to the knowledge about their domain, these APIs are cluttered with a considerable amount of noise in the form of implementation detail. Furthermore, an API offers a particular view on its domain, and different APIs regard their domains from different perspectives. In this paper we propose an approach for building domain ontologies by identifying commonalities between domain-specific APIs that target the same domain. Besides our ontology extraction algorithm, we present a methodology for eliminating the noise, and we sketch possible usage scenarios of the ontologies for program analysis and understanding. We evaluate our approach through a set of case studies on extracting domain ontologies from well-known domain-specific APIs.