UP and Security: Penetrate-and-patch Overview of UMLsec (aka - - PDF document

▶

Jul 26, 2023 136 likes •220 views

2 Software Engineering & Security UP and Security: Penetrate-and-patch Overview of UMLsec (aka banana strategy): Jan Jrjens insecure Competence Center for IT Security disruptive Software & Systems Engineering

SLIDE 1

2 1

UP and Security: Overview of UMLsec

Jan Jürjens

Competence Center for IT Security Software & Systems Engineering TU München http://www.umlsec.org

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 2

Software Engineering & Security

„Penetrate-and-patch“ (aka „banana strategy):

insecure
disruptive

Traditional formal methods: expensive.

training people
constructing formal specifications.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 3

Security by Design

Increase security with bounded investment in time, costs:

Weave in security aspects/concerns into

artefacts arising in industrial development and use of security-critical systems (UML models, source code, configuration data).

Tool-supported, theoretically sound,

efficient automated security synthesis.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 4

Model-based Security with Aspects

Weave in security

aspects into UMLsec models.

Generate code (or

tests) from models.

Generate models

from evolving or legacy code.

Models

Aspects

Code

Weave in Codegen. Testgen. Modelgen./ Reverse E.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 5

UMLsec: Goals

Extension for secure systems development.

evaluate UML specifications for weaknesses

in design

encapsulate established rules of prudent

secure engineering as checklist

make available to developers not specialized

in secure systems

consider security requirements from early

design phases, in system context

make certification cost-effective

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 6

UMLsec: How

Recurring security requirements, adversary scenarios, concepts offered as stereotypes with tags on component-level. Use associated constraints to verify specifications using automated theorem provers and indicate possible weaknesses. Ensures that UML specification provides desired level of security requirements. Link to code via round-trip engineering etc.

SLIDE 2

2 2

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 7

Business Process Modelling Requirements Elicitation Application Architecture Modelling Software Architecture Modelling Application Level Technical Level iterative Development Technical Risk Analysis Application Risk Analysis Security Enhancements Security Enhancements

The Security Process

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 8

Requirements with Use Case Diagrams

Capture security requirements in use case diagrams. Constraint: need to appear in corresponding activity diagram.

Sales application

Business

sells goods

Customer

buys goods

«fair exchange»

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 9

Fair Exchange

Customer buys good from a business. How can enforce fair exchange: After payment, customer is eventually either delivered good or able to reclaim payment (or vc.vs.).

Reclaim

Deliver «fair exchange» Purchase Request good Business Customer

Wait until delivery due

Pay

undelivered Pick up

{start={Pay}} {stop={Reclaim,Pick up}}

delivered

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 10

≪fair exchange≫

Ensures generic fair exchange condition. Constraint: after a {start} state in activity diagram is reached, eventually reach {stop} state. (Cannot be ensured for systems that an attacker can stop completely.)

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 11

Example

≪fair exchange≫ fulfilled if adversary cannot stop system: After payment, customer is eventually either delivered good or able to reclaim payment.

Reclaim

Deliver «fair exchange» Purchase Request good Business Customer

Wait until delivery due

Pay

undelivered Pick up

{start={Pay}} {stop={Reclaim,Pick up}}

delivered

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 12

≪Internet≫, ≪encrypted≫, … Kinds of communication links resp. system nodes. For adversary type A, stereotype s, have set Threats (s) ∊ {delete, read, insert, access}

f actions that adversaries are capable of.

Default attacker:

Internet encrypted LAN smart card {delete, read, insert} {delete} ∅ ∅ Threats () Stereotype

A

default

SLIDE 3

2 3

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 13

Secure Architecture

Architecture secure against default adversary ?

«secure links» server machine client machine get_password

browser

client apps

access control

web server

Remote access

«call» «Internet» «secrecy»

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 14

≪secure links≫

Ensures that physical layer meets security requirements on communication. Constraint: for each dependency d with stereotype s ∊ {≪secrecy≫, ≪integrity≫} between components on nodes n≠m, have a communication link l between n and m with stereotype t such that

if s = ≪secrecy≫: have read ∉ Threats (t).
if s = ≪integrity≫: have insert ∉ Threats (t).

A A

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 15

Example ≪secure links≫

Given default adversary type, constraint for stereotype ≪secure links≫ violated: According to the Threatsdefault(Internet) scenario, ≪Internet≫ link does not provide secrecy against default adversary.

«secure links» server machine client machine get_password

browser

client apps

access control

web server Remote access «call» «Internet» «secrecy»

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 16

Secure Data Structure

Data structure secure ?

Random generator seed: Real random(): Real

random(): Real Random number «interface»

newkey(): Key

«call»

Key generation

«critical»

Key generator newkey(): Key «secure dependency»

{secrecy={newkey(),random()}

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 17

≪secure dependency≫

Ensure that ≪call≫ and ≪send≫ dependencies between components respect security requirements on communicated data given by tags {secrecy}, {integrity}. Constraint: for ≪call≫ or ≪send≫ dependency from C to D (and similarly for {integrity}):

Msg in D is {secrecy} in C if and only if also in D.
If msg in D is {secrecy} in C, dependency

stereotyped ≪secrecy≫.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 18

Example ≪secure dependency≫

Violates ≪secure dependency≫: Random generator and ≪call≫ dependency do not give security level for random() to key generator.

Random generator seed: Real random(): Real

random(): Real Random number «interface»

newkey(): Key

«call»

Key generation

«critical»

Key generator newkey(): Key «secure dependency»

{secrecy={newkey(),random()}

SLIDE 4

2 4

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 19

Secure Use of Cryptography

Variant of TLS (INFOCOM`99). Cryptoprotocol secure against default adversary ?

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 20

≪data security≫

Security requirements of data marked ≪critical≫ enforced against threat scenario from deployment diagram. Constraints: Data marked {secrecy}, {integrity}, {authenticity}, {fresh} fulfills respective formalized security requirements.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 21

Example ≪data security≫

Variant of TLS (INFOCOM`99). Violates {secrecy}

against default adversary.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 22

What Does UMLsec Cover ?

Security requirements: ≪secrecy≫,… Threat scenarios: Use Threatsadv(ster). Security concepts: For example ≪smart card≫. Security mechanisms: E.g. ≪guarded access≫. Security primitives: Encryption built in. Physical security: Given in deployment diagrams. Security management: Use activity diagrams. Technology specific: Java, CORBA security.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 23

Model-based Security Aspects

Define abstract security aspect.
Define concretization (e.g. protocol).
If possible, give conditions under which

it is secure to weave in aspect using concretization, e.g. by simulation argument.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 24

Secure Channel Aspect

To keep d secret, must be sent encrypted.

Primary model with directives for security aspects (cf. join points in AspectJ).

SLIDE 5

2 5

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 25

Secure Channel Aspect: Weaving

Exchange certificate and send encrypted data

ver Internet.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 26

Aspect Validation

Need to prove concretization securely refines abstract aspect. Challenging problem in security. For secure channel, have generic result. Often not possible. Use translation validation on the weaving transformation, before or after code generation.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 27

Translation Validation: Model or Code ?

Model: + earlier (less work may have to be redone) + more abstract more efficient

more abstract may miss attacks
code construction not completely automatic
code generators not formally verified

Code: + „the real thing“ (which is executed) Do both ! (as far as feasible; e.g. where largely automatic). Here: look at code.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 28

Code-level Translation Validation

Logic-based program understanding of crypto protocols in C which is as

automatic and
complete

as possible. Note: can‘t be both perfectly automated and complete: Security in general undecidable. Abstract and approximate safely.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 29

Security Analysis in First-order Logic

Approximate set of possible data values flowing through system from above. Predicate knows(E) meaning that the adversary may get to know E during the execution of the protocol. E.g. secrecy: For any secret s, check whether can derive knows(s) using automated theorem prover.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 30

Generate control flow graph (e.g. with aicall (Absint)). Transform to state machine:

trans(state,inpattern,condition,action,nextstate)

where action can be outpattern or localvar:=value.

Control Flow Graph

SLIDE 6

2 6

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 31

… Translate to First Order Logic

Graph transition TR1=(in(msg_in),cond(msg_in),out(msg_out)) followed by TR2 gives predicate PRED(TR1)= ∀ msg_in. [knows(msg_in)∧ cond(msg_in) ⇒knows(msg_out) ∧ PRED(TR2)]

Abstraction (e.g. from senders, receivers): find all attacks, may have false positives. Analyze with automated prover.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 32

Tool Support

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 33

Industrial Applications: Biometry

Biometric Authentication System in development by a company in joint project. Use our design and validation methods to develop and analyze system. Discovered three significant security weaknesses against subsequently improved versions.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 34

Common Electronic Purse Specifications

Global electronic purse standard (90% of market). Smart card contains account balance. Chip performs cryptographic operations securing the transactions. More fraud protection than credit cards (transaction- bound authorisation).

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 35

Load protocol

Unlinked, cash-based load transaction (on-line). Load value onto card using cash at load device. Load device contains Load Security Application Module (LSAM): secure data processing and storage. Card account balance adjusted; transaction data logged and sent to issuer for financial settlement. Uses symmetric cryptography.

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 36

Banking application

Security analysis of web-based banking

application, to be put to commercial use (clients fill out and sign digital order forms).

In cooperation with major German bank.
Layered security protocol

– first layer: SSL protocol. – second layer: client authentication protocol

Main security requirements:

– personal data confidential. – orders not submitted in name of others.

SLIDE 7

2 7

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 37

Some Further Applications

Analysis of SAP access control configurations for German bank Telematic automobile emergency application of German car company Electronic signature architecture of German insurance company Electronic purse for Oktoberfest

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 38

Conclusions

Model-based Security Engineering using UMLsec:

formally based approach
automated tool support
industrially used notation
integrated approach (specification,

source-code, configuration data)

Jan Jürjens, TU Munich: UP and Security: Overview of UMLsec 39

Resources

Jan Jürjens, Secure Systems Deve- lopment with UML, Springer 2004 ICSE 2005 (atp’s), ICSM 2005 (code), Models 2005 (aspects) Workshop: CSDUML@ SAFECOMP05 (Norway, Sept. 05)