Foundations for Designing Secure Architectures
Developing security-critical systems is difficult, and there are many well-known examples of security weaknesses exploited in practice. In particular, so far little research has been performed on the soundly based design of secure architectures, which would be urgently needed to develop secure systems reliably and efficiently. In this abstract, we sketch some research on a sound methodology supporting secure architecture design. We give an overview of an extension of UML, called UMLsec, that allows expressing security-relevant information within the diagrams in an architectural design specification. We define foundations for secure architectural design patterns. We present tool support which has been developed for the UMLsec secure architecture approach.
Model-based Security Testing Using UMLsec A Case Study
Designing and implementing security-critical systems correctly is very difficult. In practice, most vulnerabilities arise from bugs in implementations. We present work towards systematic specification-based testing of security-critical systems based on UMLsec models. We show how to systematically generate test sequences for security properties based on the model that can be used to test the implementation for vulnerabilities. We explain our method using the example of a part of the Common Electronic Purse Specifications (CEPS), a candidate for an international electronic purse standard.
Tools for model-based security engineering: models vs. code
We present tools to support model-based security engineering on both the model and the code level. In the approach supported by these tools, one firstly specifies the security-critical part of the system (e.g. a crypto protocol) using the UML security extension UMLsec. The models are automatically verified for security properties using automated theorem provers. These are implemented within a framework that supports implementing verification routines, based on XMI output of the diagrams from UML CASE tools. Advanced users can use this open-source framework to implement verification routines for the constraints of self-defined security requirements.
In a second step, one verifies that security-critical parts of the model are correctly implemented in the code (which might be a legacy implementation), and applies security hardening transformations where that is not the case. This is supported by tools that (1) establish traceability through refactoring scripts and (2) modularize security hardening advice through aspect-oriented programming. The proposed method has been applied to an open-source implementation of a cryptographic protocol (Jessie) in Java to build up traceability mappings and security aspects. In that application, we found a security weakness which could be fixed using our approach. The resulting refactoring scripts and security aspects have been reused in the Java Secure Socket Extension (JSSE) library.
Model-Based Security Testing
Security testing aims at validating software system requirements related to security properties like confidentiality, integrity, authentication, authorization, availability, and non-repudiation. Although security testing techniques have been available for many years, there have been few approaches that allow for the specification of test cases at a higher level of abstraction, for enabling guidance on test identification and specification as well as for automated test generation.
Model-based security testing (MBST) is a relatively new field and is especially dedicated to the systematic and efficient specification and documentation of security test objectives, security test cases and test suites, as well as to their automated or semi-automated generation. In particular, the combination of security modelling and test generation approaches is still a challenge in research and of high interest for industrial applications. MBST includes, e.g., security functional testing, model-based fuzzing, risk- and threat-oriented testing, and the usage of security test patterns. This paper provides a survey on MBST techniques and the related models as well as samples of new methods and tools that are under development in the European ITEA2 project DIAMONDS.
Comment: In Proceedings MBT 2012, arXiv:1202.582
Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution
Consider the problem of verifying security properties of a cryptographic protocol coded in C. We propose an automatic solution that needs neither a pre-existing protocol description nor manual annotation of source code. First, symbolically execute the C program to obtain symbolic descriptions for the network messages sent by the protocol. Second, apply algebraic rewriting to obtain a process calculus description. Third, run an existing protocol analyser (ProVerif) to prove security properties or find attacks. We formalise our algorithm and appeal to existing results for ProVerif to establish computational soundness under suitable circumstances. We analyse only a single execution path, so our results are limited to protocols with no significant branching. The results in this paper provide the first computationally sound verification of weak secrecy and authentication for (single execution paths of) C code.
Extracting Domain Ontologies from Domain Specific APIs
Domain specific APIs offer their clients ready-to-use implementations of domain concepts. Besides being interfaces between the worlds of humans and computers, domain specific APIs contain a considerable amount of domain knowledge. Due to the large abstraction gap between the real world and today's programming languages, in addition to the knowledge about their domain, these APIs are cluttered with a considerable amount of noise in the form of implementation detail. Furthermore, an API offers a particular view on its domain, and different APIs regard their domains from different perspectives. In this paper we propose an approach for building domain ontologies by identifying commonalities between domain specific APIs that target the same domain. Besides our ontology extraction algorithm, we present a methodology for eliminating the noise, and we sketch possible usage scenarios of the ontologies for program analysis and understanding. We evaluate our approach through a set of case studies on extracting domain ontologies from well-known domain specific APIs.
Tool support for code generation from a UMLsec property
This demo presents a tool to generate code from verified Role-Based Access Control properties defined using UMLsec. It can either generate Java code, or generate Java code for the UML model and AspectJ code for enforcing said RBAC properties. Both approaches use the Java Authentication and Authorization Service (JAAS) to enforce access control.
Guiding a general-purpose C verifier to prove cryptographic protocols
We describe how to verify security properties of C code for cryptographic protocols by using a general-purpose verifier. We prove security theorems in the symbolic model of cryptography. Our techniques include: use of ghost state to attach formal algebraic terms to concrete byte arrays and to detect collisions when two distinct terms map to the same byte array; decoration of a crypto API with contracts based on symbolic terms; and expression of the attacker model in terms of C programs. We rely on the general-purpose verifier VCC; we guide VCC to prove security simply by writing suitable header files and annotations in implementation files, rather than by changing VCC itself. We formalize the symbolic model in Coq in order to justify the addition of axioms to VCC.
Comment: To appear in Journal of Computer Security