
    Issues Affecting Security Design Pattern Engineering

    Security Design Patterns present the tried and tested design decisions made by security engineers within a well-documented format. Patterns allow complex security concepts and mechanisms to be expressed such that non-domain experts can make use of them. Our research is concerned with the development of pattern languages for advanced crypto-systems. From our experience developing pattern languages we have encountered several recurring issues within security design pattern engineering. These issues, if not addressed, will affect the adoption of security design patterns. This paper describes these issues and discusses how they could be addressed.

    A Typing Discipline for Hardware Interfaces (Artifact)

    Modern Systems-on-a-Chip (SoC) are constructed by composition of IP (Intellectual Property) Cores, with the communication between these IP Cores being governed by well-described interaction protocols. However, there is a disconnect between the machine-readable specification of these protocols and the verification of their implementation in known hardware description languages. Although tools can be written to address such a separation of concerns, such tooling is often hand written and used to check hardware designs a posteriori. We have developed a dependent type-system and proof-of-concept modelling language to reason about the physical structure of hardware interfaces with respect to user-provided descriptions. Our type-system provides correct-by-construction guarantees that the interfaces on an IP Core will be well-typed if they adhere to a specified standard.

    Well-Typed Models are Correct Models: Applying State-of-the-Art Advances in Programming Language Theory to Systems-on-a-Chip

    Modern Systems-on-a-Chip (SoC) are constructed by composition of IP (Intellectual Property) Cores, with the communication between these IP Cores being governed by well-described interaction protocols. However, there is a disconnect between the machine-readable specification of these protocols and the verification of their implementation in known hardware description languages. Although tools can be written to address such a separation of concerns, the tooling is often hand written and used to check hardware designs a posteriori. Further, it is important when connecting components together that only one signal can flow along a channel. Dependent type-systems present a rich and expressive setting in which precise specifications of a program's properties can be stated and verified directly in the language's type-system. Such type-systems also support reasoning about a program's substructural properties in the style of substructural typing. We can use these concepts to express model invariants directly within our model's types and provide correctness-by-construction guarantees that our models adhere to external specifications, and are thus well-formed, at design-time using type checking. In this talk I will present my ongoing work as part of the Border Patrol project to construct a modelling language for designing Systems-on-a-Chip. Our framework, Cordial, is designed to enrich existing Hardware Description Languages, and development environments, with static design-time mechanisms that reason about the (sub)structural properties of SoC designs using Dependent, Session, and Quantitative Typing. Cordial's type-system guarantees that the interfaces on an IP Core will be well-typed if they adhere to an external specification, and that components are connected safely, by tracking the number of times a port is used within a design and comparing the interconnected ports.
With Cordial, mismatches between SoC specification and implementation become impossible, thereby reducing errors, increasing designer productivity and enhancing the safety and security of SoC designs.

    A Typing Discipline for Hardware Interfaces

    Modern Systems-on-a-Chip (SoC) are constructed by composition of IP (Intellectual Property) Cores, with the communication between these IP Cores being governed by well-described interaction protocols. However, there is a disconnect between the machine-readable specification of these protocols and the verification of their implementation in known hardware description languages. Although tools can be written to address such a separation of concerns, the tooling is often hand written and used to check hardware designs a posteriori. We have developed a dependent type-system and proof-of-concept modelling language to reason about the physical structure of hardware interfaces using user-provided descriptions. Our type-system provides correct-by-construction guarantees that the interfaces on an IP Core will be well-typed if they adhere to a specified standard.

    Machine checkable design patterns using dependent types and domain specific goal-oriented modelling languages

    Goal-Oriented Modelling Languages such as the Goal Requirements Language (GRL) have been used to reason about Design Patterns. However, the GRL is a general-purpose modelling language that does not support concepts bespoke to the pattern domain. This thesis has investigated how advanced programming language techniques, namely Dependent Types and Domain Specific Languages, can be used to enhance the design and construction of Domain Specific Modelling Languages (DSMLs), and applies the results to Design Pattern Engineering. This thesis presents Sif, a DSML for reasoning about design patterns as goal-oriented requirements problems. Sif presents modellers with a modelling language tailored to the pattern domain but leverages the GRL for realisation of the modelling constructs. Dependent types have influenced the design and implementation of Sif to provide correctness guarantees, and have led to the development of NovoGRL, a novel extension of the GRL. A technique for DSML implementation called Types as (Meta) Modellers was developed, in which the interpretation between a DSML and its host language is implemented directly within the type-system of the DSML. This provides correctness guarantees of DSML model instances during model construction: a model can be constructed if and only if the DSML's type-system can build a valid representation of the model in the host language. This thesis also investigated design pattern evaluation, developing PREMES, an evaluation framework that uses tailorable testing techniques to provide demonstrable reporting on pattern quality. Linking PREMES with Sif are: Freyja, an active pattern document schema in which Sif models are embedded within pattern documents; and Frigg, a tool for interacting with pattern documents. The proof-of-concept tools in this thesis demonstrate: machine-enhanced interactions with design patterns; reproducible automation in the PREMES framework; and machine checking of pattern documents as Sif models.
With the tooling and techniques presented, design pattern engineering can become a more rigorous, demonstrable, and machine-checkable process.

    Security pattern evaluation

    Current Security Pattern evaluation techniques are demonstrated to be incomplete with respect to quantitative measurement and comparison. A proposal for a dynamic testbed system is presented as a potential mechanism for evaluating patterns within a constrained environment.

    What's the PREMES behind your pattern?

    Design patterns are supposed to be the well-documented, tried and tested solutions to recurrent problems. Current evaluation techniques do not provide a demonstrable and holistic means to evaluate pattern quality. This paper introduces Pattern Report Cards, an evaluation process for software design patterns that is demonstrable, measurable, and reproducible. A set of quality indicators for determining pattern quality has been identified, and a set of qualitative and quantitative evaluation techniques assembled to determine the quality of adherence to these indicators. Further, management and execution of the evaluation process is controlled by the PREMES framework. This framework describes a management cycle that facilitates the construction of bespoke evaluation systems for design patterns. Process tailoring is achieved by providing guidance over the selection and construction of the techniques used to assess pattern quality. Use of these techniques will help bolster existing evaluation processes, and lead to the improvement of design pattern evaluation techniques.

    A Framework for Resource Dependent EDSLs in a Dependently Typed Language (Pearl)

    Idris' Effects library demonstrates how to embed resource-dependent algebraic effect handlers into a dependently typed host language, providing run-time and compile-time reasoning on type-level resources. Building upon this work, Resources is a framework for realising Embedded Domain Specific Languages (EDSLs) with type systems that contain domain-specific substructural properties. Differing from Effects, Resources allows a language's substructural properties to be encoded within type-level resources that are associated with language variables. Such an association allows multiple effect instances to be reasoned about autonomically and without explicit type-level declaration. Type-level predicates are used as proof that the language's substructural properties hold. Several exemplar EDSLs are presented that illustrate our framework's operation and how dependent types provide correctness-by-construction guarantees that substructural properties of written programs hold.
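    The port-usage discipline described in the Cordial abstract above (an interface is well-typed only if it conforms to a specification; an input channel may carry exactly one signal, enforced by counting how often each port is used) and the substructural resource tracking of the Resources abstract can be sketched in ordinary Rust, whose ownership system gives an affine use-at-most-once rule for free. The block below is an added example written for this page, not code from Cordial, Resources, Idris or the Border Patrol project; it swaps Rust ownership plus a run-time completeness check for the dependent and quantitative types the papers use, and the valid/data/ready handshake standard, core names and port widths are constructed for illustration.

```rust
// Added example (not Cordial or Resources code): a Cordial-style port-usage discipline
// for an SoC design, in Rust. Interface standard, core names and widths are constructed.
use std::collections::{HashMap, HashSet};

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Dir { In, Out }
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct PortSpec { pub name: &'static str, pub dir: Dir, pub width: u32 }
/// An interface standard: exactly the ports a conforming core must expose.
pub type Spec = Vec<PortSpec>;
/// Output-port handle. Outputs may fan out, so `connect` only borrows them.
pub struct OutPort { pub id: String, pub width: u32 }
/// Input-port handle. Deliberately neither Clone nor Copy: `connect` consumes it, so a
/// second driver for the same input is rejected by the compiler rather than at run time.
pub struct InPort { pub id: String, pub width: u32 }

pub struct Design {
    pub channels: Vec<(String, String)>, // (driver, sink) as "core.port"
    undriven: HashSet<String>,           // inputs declared but not yet connected
}

impl Design {
    pub fn new() -> Self { Design { channels: Vec::new(), undriven: HashSet::new() } }

    /// Check a core's declared ports against `spec` (name, direction and width must all
    /// agree, with no extra ports); if they conform, hand back typed port handles.
    pub fn add_core(&mut self, core: &str, ports: &[PortSpec], spec: &Spec)
        -> Result<(Vec<OutPort>, Vec<InPort>), String> {
        let declared: HashMap<&str, &PortSpec> = ports.iter().map(|p| (p.name, p)).collect();
        if ports.len() != spec.len() || declared.len() != ports.len() {
            return Err(format!("{core}: expected {} ports, found {}", spec.len(), ports.len()));
        }
        let (mut outs, mut ins) = (Vec::new(), Vec::new());
        for want in spec {
            let got = declared.get(want.name).ok_or_else(|| format!("{core}: missing port {}", want.name))?;
            if got.dir != want.dir || got.width != want.width {
                return Err(format!("{core}.{}: expected {:?}/{} bits, found {:?}/{} bits",
                    want.name, want.dir, want.width, got.dir, got.width));
            }
            let id = format!("{core}.{}", want.name);
            match want.dir {
                Dir::Out => outs.push(OutPort { id, width: want.width }),
                Dir::In => {
                    self.undriven.insert(id.clone());
                    ins.push(InPort { id, width: want.width });
                }
            }
        }
        Ok((outs, ins))
    }
    /// Wire an output to an input. The input handle is moved in and dropped here, so
    /// it cannot be connected again; widths must agree across the channel.
    pub fn connect(&mut self, src: &OutPort, dst: InPort) -> Result<(), String> {
        if src.width != dst.width {
            return Err(format!("width mismatch: {} is {} bits, {} is {} bits",
                src.id, src.width, dst.id, dst.width));
        }
        self.undriven.remove(&dst.id);
        self.channels.push((src.id.clone(), dst.id));
        Ok(())
    }
    /// Finish the design: every declared input must have been driven exactly once.
    pub fn finalize(self) -> Result<Vec<(String, String)>, String> {
        if self.undriven.is_empty() { return Ok(self.channels); }
        let mut left: Vec<String> = self.undriven.into_iter().collect();
        left.sort();
        Err(format!("undriven inputs: {}", left.join(", ")))
    }
}

/// Constructed valid/data/ready handshake, producer side; the consumer mirrors it.
pub fn producer_spec() -> Spec {
    vec![PortSpec { name: "valid", dir: Dir::Out, width: 1 },
         PortSpec { name: "data", dir: Dir::Out, width: 32 },
         PortSpec { name: "ready", dir: Dir::In, width: 1 }]
}
pub fn consumer_spec() -> Spec {
    let flip = |d: Dir| if d == Dir::Out { Dir::In } else { Dir::Out };
    producer_spec().into_iter().map(|p| PortSpec { dir: flip(p.dir), ..p }).collect()
}

/// Wire a producer to a consumer whose ports are given explicitly, so that a
/// non-conforming consumer can be tried. Returns the channel list on success.
pub fn wire(consumer_ports: &[PortSpec], drive_ready: bool) -> Result<Vec<(String, String)>, String> {
    let mut d = Design::new();
    let (p_out, p_in) = d.add_core("producer", &producer_spec(), &producer_spec())?;
    let (c_out, c_in) = d.add_core("consumer", consumer_ports, &consumer_spec())?;
    // Handles come back in spec order: producer outs = [valid, data], ins = [ready];
    // consumer outs = [ready], ins = [valid, data].
    let mut c_in = c_in.into_iter();
    let (c_valid, c_data) = (c_in.next().unwrap(), c_in.next().unwrap());
    d.connect(&p_out[0], c_valid)?;
    d.connect(&p_out[1], c_data)?;
    // d.connect(&p_out[0], c_valid)?; // compile error: `c_valid` was moved above
    if drive_ready { d.connect(&c_out[0], p_in.into_iter().next().unwrap())?; }
    d.finalize()
}
```

    Conformance to the standard is checked once, when a core is added, so a consumer declaring a 16-bit `data` port against the 32-bit standard is rejected before any wiring happens. The compile-time half of the discipline is that `InPort` is not `Clone`: the commented-out second `connect` of `c_valid` is a type error, which is the "at most one driver per channel" guarantee. `finalize` supplies the "exactly once" half that affinity alone does not give, reporting any input left undriven (for example the producer's `ready` when `drive_ready` is false).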