Architectural Analysis for Security (AAFS) - PowerPoint PPT Presentation

Jungwoo Ryoo and Priya Anand, Penn State University; Rick Kazman, SEI/University of Hawaii. To appear in IEEE Security and Privacy.


SLIDE 1

Architectural Analysis for Security (AAFS)

Jungwoo Ryoo and Priya Anand, Penn State University
Rick Kazman, SEI/University of Hawaii

To appear in IEEE Security and Privacy

SLIDE 2

Architectural Analysis

  • A structured way of discovering
    • Design decisions in software
      • Present or
      • Absent
    • Quality attribute goals of stakeholders
      • Security,
      • Modifiability,
      • Performance,
      • Usability,
      • Etc.

SLIDE 3

Significance of Architectural Analysis

  • During early design
    • Recommended
  • During maintenance
    • After the system is built
    • A basis for refactoring, which at that stage is
      • Disruptive
      • Costly
      • Risky

SLIDE 4

Motivations and Significance

  • Not too many
    • Well-established architectural analysis methods
    • Example
      • Architectural Tradeoff Analysis Method (ATAM)
  • Not to mention
    • Architectural analysis methods specializing in security
  • Dire need for Architectural Analysis for Security (AAFS)
  • Security: costly and risky → dominant concern

SLIDE 5

Our Approach

  • The use of design constructs
    • Helps reason about security
  • AAFS
    • Contains
      • Tactic-oriented Architectural Analysis (ToAA)
      • Pattern-oriented Architectural Analysis (PoAA)
      • Vulnerability-oriented Architectural Analysis (VoAA)
    • Uses
      • Interviews

SLIDE 6

Tactics

  • Design technique
    • To satisfy a single quality attribute requirement
  • Aha! moment
    • Why not use tactics for architectural analysis?
    • SATURN 2014

SLIDE 7

Security Tactics

  • Useful vocabulary
    • During architectural design and analysis
    • For security
  • Intentionally abstract
    • To establish a baseline
    • For further investigation

Security Tactics (taxonomy diagram: Attack → System detects, resists, reacts, recovers)

  • Detect Attacks: Detect Intrusion, Detect Service Denial, Verify Message Integrity, Detect Message Delay
  • Resist Attacks: Identify Actors, Authenticate Actors, Authorize Actors, Limit Access, Limit Exposure, Encrypt Data, Separate Entities, Change Default Settings
  • React to Attacks: Revoke Access, Lock Computer, Inform Actors
  • Recover from Attacks: Maintain Audit Trail, Restore (see Availability)

SLIDE 8

Security Patterns

  • Well-known solutions to
    • Recurring security problems
  • Refined and instantiated from
    • Security tactics
  • Closer to code

SLIDE 9

Vulnerabilities

  • Software weaknesses
    • Exploited by attackers
    • Code level
  • Vulnerability databases
    • Common Vulnerabilities and Exposures (CVE)
    • Common Weakness Enumeration (CWE)
  • Relationship with architectural solutions
    • A missing tactic or pattern

SLIDE 10

CVE vs. CWE

  • Both serve as security scenarios or test cases
  • CVE
    • Individual incident reports
    • More than 70,000 and still counting
  • CWE
    • Categories of the incident reports
    • 940 entries

SLIDE 11

Our Approach Provides a Holistic View of Security

  • The ultimate goal
    • To identify
      • The absence or presence of a design decision → ToAA and PoAA
      • The misinterpretation or violation of a design decision in the source code → VoAA

SLIDE 12

Steps of Our Methodology

  • Step 1
    • Tactic-oriented Architectural Analysis (ToAA)
  • Step 2
    • Pattern-oriented Architectural Analysis (PoAA)
  • Step 3
    • Vulnerability-oriented Architectural Analysis (VoAA)

ToAA → PoAA → VoAA

SLIDE 13

Case Study

  • OpenEMR
    • Electronic Medical Record (EMR) system
    • Open source
    • Released in 2001
    • 531,789 LOC
    • Big user base
  • Factors in choosing a subject
    • Access to the architect and the source code

SLIDE 14

ToAA Phase

  • Interview an architect
    • Where
    • How
  • Identify design
    • Rationale
    • Assumptions

SLIDE 15

PoAA Phase

  • Relate ToAA results to patterns
    • 'Verify message integrity' tactic (from ToAA)
    • Check the tactic's realization
  • Intercepting Validator
    • Verifies user inputs before they are used
    • Applies filtering to all requests or user inputs, according to validation rules
    • Forwards full, partial, or no input to the target, depending on the validation results

SLIDE 16

VoAA Phase

  • Relate PoAA results to CWE categories
    • Ties the suspicion to a piece of code
  • CWE entries related to
    • 'Verify message integrity' tactic
    • 'Intercepting validator' pattern
      • CWE-89: Improper neutralization of special elements used in an SQL command ('SQL Injection')
      • CWE-87: Improper neutralization of alternate XSS syntax
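The Intercepting Validator pattern from slide 15, together with the CWE-89/CWE-87 link from slide 16, as an added example. This is illustrative Python written for this page; it is not OpenEMR code (OpenEMR is PHP) nor the authors' analysis artifact. The rule table `RULES`, the `REQUIRED` set, the `intercept`/`handle`/`patient_page` functions and the in-memory patient rows are all constructed for the example. Every request passes through one chokepoint that applies allow-list rules and forwards full, partial, or no input to the target; the target still binds SQL parameters and HTML-escapes output, because input validation is a baseline for the 'verify message integrity' tactic, not a substitute for neutralization at the SQL and HTML boundaries.

```python
"""Intercepting Validator sketch (hypothetical, not OpenEMR code).

One chokepoint validates every incoming request against allow-list rules
before the target handler sees it, and forwards full, partial, or no
input depending on the results.  The target still uses parameterized SQL
(CWE-89) and output encoding (CWE-87 / XSS): the validator is a baseline,
not a replacement for those controls.
"""
import html
import re
import sqlite3
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical validation rules keyed by parameter name (constructed for this
# example). Every rule is an allow-list: anything not matching is rejected.
RULES: dict[str, Callable[[str], bool]] = {
    "pid": lambda v: v.isdigit() and len(v) <= 9,                      # patient id
    "lname": lambda v: re.fullmatch(r"[A-Za-z][A-Za-z' -]{0,39}", v) is not None,
    "note": lambda v: len(v) <= 200 and "\x00" not in v,             # bounded free text
}
REQUIRED = {"pid"}  # without a valid pid the request is meaningless: forward nothing


@dataclass
class Decision:
    forwarded: dict[str, str] = field(default_factory=dict)
    rejected: dict[str, str] = field(default_factory=dict)

    @property
    def outcome(self) -> str:
        """'full', 'partial' or 'none', the three cases in the pattern description."""
        if not self.forwarded:
            return "none"
        return "partial" if self.rejected else "full"


def intercept(params: dict[str, str]) -> Decision:
    """Apply RULES to every parameter; parameters with no rule are rejected too."""
    decision = Decision()
    for name, value in params.items():
        rule = RULES.get(name)
        if rule is not None and rule(value):
            decision.forwarded[name] = value
        else:
            decision.rejected[name] = value
    if any(name not in decision.forwarded for name in REQUIRED):
        # A required parameter failed validation: forward nothing at all.
        decision.rejected.update(decision.forwarded)
        decision.forwarded = {}
    return decision


def make_db() -> sqlite3.Connection:
    """In-memory patient table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient(pid INTEGER PRIMARY KEY, lname TEXT)")
    conn.executemany("INSERT INTO patient VALUES (?, ?)", [(1, "Doe"), (2, "O'Brien")])
    return conn


def patient_page(conn: sqlite3.Connection, params: dict[str, str]) -> str:
    """Target: receives only validated parameters, yet still binds SQL
    parameters and HTML-escapes output (validation is not encoding)."""
    row = conn.execute("SELECT lname FROM patient WHERE pid = ?",
                       (int(params["pid"]),)).fetchone()
    lname = row[0] if row else "unknown"
    note = html.escape(params.get("note", ""))
    return f"<p>Patient {params['pid']}: {html.escape(lname)}</p><p>{note}</p>"


def handle(conn: sqlite3.Connection, params: dict[str, str]) -> tuple[int, str]:
    """Front controller: intercept first, then forward to the target or refuse."""
    decision = intercept(params)
    if decision.outcome == "none":
        return 400, "rejected parameters: " + ", ".join(sorted(decision.rejected))
    return 200, patient_page(conn, decision.forwarded)


if __name__ == "__main__":
    db = make_db()
    # Constructed requests: a normal lookup, a SQL-injection attempt in pid,
    # and an XSS payload in the free-text note.
    for req in ({"pid": "2"},
                {"pid": "1 OR 1=1", "lname": "Doe"},
                {"pid": "1", "note": "<script>alert(1)</script>"}):
        print(req, "->", handle(db, req))
```

The SQL-injection attempt never reaches the database because `pid` fails its allow-list rule and is required, so the whole request is refused. The XSS payload does pass the `note` rule (it is just bounded text), which is exactly why the target escapes it on output: an intercepting validator narrows what reaches the code, and the per-sink controls handle what it legitimately lets through.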

SLIDE 17

OpenEMR Analysis Sample Results

  • ToAA
    • 'Verify message integrity'
      • Partially supported by standard library functions for sanitizing user inputs
  • PoAA
    • No intercepting validator
  • VoAA
    • CWE-89: ad hoc and incomplete coverage
    • CWE-87: no coverage

SLIDE 18

Verification

  • Vulnerability analysis by IBM AppScan
    • OpenEMR
      • 3.1.0
      • 4.1.2
  • SQL injection
    • Improving but still problematic
  • XSS
    • Highly problematic

[Chart: OpenEMR Scan Results, finding counts for SQL injection and XSS in OpenEMR 3.1.0 vs. 4.1.2; values shown on the slide: 96, 65, 12, 61]

SLIDE 19

Future Research

  • More case studies
    • Nuxeo
  • Tactic realization ontology
  • Mapping between patterns and CWE entries

SLIDE 20

Questions?