The Secure Systems
Master's Thesis Defense
Patrick Morrison
► Introduction
► Problem statement
► Approach
► Contribution
► Related Work
► What is MDA?
► Experiment
► Results
► Conclusions
► Future Work
The problem of Security
“A good percentage of the software deployed in industrial/commercial applications is of poor quality, it is unnecessarily complex, and contains numerous flaws that can be exploited by attackers.”
“We believe that the solution lies in developing secure software from the beginning, applying security principles along the whole life cycle… We see the use of patterns as a fundamental way, even for developers with little experience, to implicitly apply security principles.”
[Fer06a, E. B. Fernandez et al.]
Security Patterns
S ecure
L a yers
S ecure
F acade
defin eR ules
A pplication
C onceptu al
M odel
S ecure
R eflection
P olicy
A dm inistration
P oint
P olicy
In form ation
P oint
enforceR ules
P olicy
E nforcem ent
P oint
P olicy
D ecision
P oint
transform Interface
M odel V iew
C ontroller
S ecure
A dapter
S ecure
E nterprise
C om ponent
F ram ew ork
S ecure
B rok er
m apO bjects
S ecure
R elational
D atabase
M apping
consum e/p rovid eS ervices
im plem ent
m odel
S ecure
W eb
S ervices
accessR em ote
S ecure
P rox y
S ecure
C lient
C onnection D ispatch er
S erver
auth enticate
S oftw are
S ecure
O peratin g
S ystem
C om m unication
S ecure
C hannel
A uthentication
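The defineRules/enforceRules relations among the Policy Administration, Information, Enforcement and Decision Points in the pattern map above are the authorization rules that the methodology carries from the conceptual model into the architecture. The following Python is an added example written for this page, not code from the thesis or from [Fer06a]: a Policy Decision Point that evaluates access-matrix Right entries (subject, object, access type, copy flag, the same fields the deck's generated Right class carries) and a Policy Enforcement Point through which every operation on an object must pass. The copy-flag semantics (a right may be delegated only if its copy_flag is set) are the usual access-matrix reading and are an assumption of this example; the rule set at the bottom is constructed sample data.

```python
"""Added example: rule enforcement for an access-matrix authorization model
(PDP decides, PEP enforces). Not the thesis's own code."""
from dataclasses import dataclass
from typing import Callable, List, Optional, TypeVar

T = TypeVar("T")


@dataclass(frozen=True)
class Subject:
    id: str


@dataclass(frozen=True)
class Object:
    id: str


@dataclass(frozen=True)
class Right:
    id: str
    access_type: str   # e.g. "read", "write"
    copy_flag: bool    # assumption: may the holder pass this right on?
    s: Subject
    o: Object


class AccessDenied(PermissionError):
    """Raised when no Right covers the request."""


class PolicyDecisionPoint:
    """Holds the rule set (which a Policy Administration Point would manage)
    and answers permits() queries; it never touches the protected object."""

    def __init__(self, rights: List[Right]):
        self._rights = list(rights)

    def _lookup(self, s: Subject, o: Object, access_type: str) -> Optional[Right]:
        for r in self._rights:
            if r.s == s and r.o == o and r.access_type == access_type:
                return r
        return None

    def permits(self, s: Subject, o: Object, access_type: str) -> bool:
        return self._lookup(s, o, access_type) is not None

    def delegate(self, grantor: Subject, grantee: Subject, o: Object,
                 access_type: str, copy_flag: bool = False) -> Right:
        """Grantor passes a right to grantee. Only a right held with
        copy_flag may be delegated; the new right is non-delegable unless
        the grantor explicitly sets copy_flag on it."""
        held = self._lookup(grantor, o, access_type)
        if held is None or not held.copy_flag:
            raise AccessDenied(f"{grantor.id} may not delegate {access_type} on {o.id}")
        new = Right(f"{held.id}->{grantee.id}", access_type, copy_flag, grantee, o)
        self._rights.append(new)
        return new


class PolicyEnforcementPoint:
    """Single access point: an operation on an object runs only after the
    PDP has permitted it, so the check cannot be bypassed by callers."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self._pdp = pdp

    def guard(self, s: Subject, o: Object, access_type: str, op: Callable[[], T]) -> T:
        if not self._pdp.permits(s, o, access_type):
            raise AccessDenied(f"{s.id}: {access_type} on {o.id} denied")
        return op()


def is_denied(thunk: Callable[[], object]) -> bool:
    """True if running thunk raises AccessDenied."""
    try:
        thunk()
    except AccessDenied:
        return True
    return False


# Constructed sample rule set (not from the thesis): alice may read
# (delegable) and write (not delegable) one object; bob starts with nothing.
ALICE, BOB = Subject("alice"), Subject("bob")
MOTD = Object("motd")


def sample_pdp() -> PolicyDecisionPoint:
    return PolicyDecisionPoint([
        Right("r1", "read", True, ALICE, MOTD),
        Right("r2", "write", False, ALICE, MOTD),
    ])


if __name__ == "__main__":
    pdp = sample_pdp()
    pep = PolicyEnforcementPoint(pdp)
    print(pep.guard(ALICE, MOTD, "read", lambda: "alice reads motd"))
    print("bob read denied:", is_denied(lambda: pep.guard(BOB, MOTD, "read", lambda: None)))
    pdp.delegate(ALICE, BOB, MOTD, "read")   # allowed: alice's read right has copy_flag
    print(pep.guard(BOB, MOTD, "read", lambda: "bob reads after delegation"))
    print("write delegation denied:",
          is_denied(lambda: pdp.delegate(ALICE, BOB, MOTD, "write")))
```

The split matters for the methodology's later phases: the PDP is the place where the conceptual-model rules live, the PEP is the architectural hook that enforces them, and a language-level check (for example making the protected operation reachable only through guard()) is what the implementation phase adds.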
Secure Systems Methodology [Fer06a]
[Figure: lifecycle phases Requirements -> Analysis -> Design -> Implementation, with security verification and testing spanning all phases; security artefact per phase: Secure UCs (Requirements), Authorization rules in conceptual model (Analysis), Rule enforcement through architecture (Design), Language enforcement (Implementation), Security test cases (verification and testing).]
► Requirements: use case and activity diagram based role and attack analysis
► Analysis: class and sequence diagrams, preferring semantic analysis patterns
► Design: application of design patterns across architectural layers
► Implementation: mapping design onto selected technical
Methodology Claim
► [by using] “abstract and graphical representations of patterns, the methodology allows the construction of secure computing systems from patterns which aid developers in understanding much more quickly and deeply than programming language ‘code’”
MDA Claim
► [by using] “precise but abstract and graphical representations of algorithms, MDA allows the construction of computing systems from models that can be understood much more quickly and deeply than can programming language ‘code’”
Problem statement
► Can Model-Driven Architecture (MDA) be used to support the secure systems methodology?
 To what degree is it now possible to work in terms of high-level models rather than code?
 Does MDA allow for the creation and reuse of generic models?
 Does MDA reduce the amount of low-level work that needs to be done?
► What would be required to gain these benefits?
Approach
► Establish an MDA tool-chain
► Select an example distributed systems security problem
► Apply the advice of the secure systems methodology to the construction of models for the example system for each lifecycle phase
► Evaluate MDA models against the example’s properties and their use in the lifecycle
Contribution
► A set of models of secure shell (ssh) corresponding to the phases of the secure systems methodology
► An example MDA tool chain that translates UML classes into Java source code
► A set of considerations for applying MDA
Related Work
► SecureUML – Models RBAC for web applications
► UMLSec – Models security analysis for existing
► Executable UML – automated code generation
from UML models, no explicit focus on security
► SysML- modeling notation for systems engineering
► UML Profile for RM-ODP – distributed systems
standard, including security considerations
► RSML – process control requirements specification
► Tropos – Agent-oriented methodology
What is MDA?
► A set of technologies:
 A model-centric framework for systems
 A set of viewpoints
 A scheme for transforming models to other models, and to text (code)
MDA Technologies
► UML2 – a language and notation for building models
► MOF – a language for building modeling languages, beginning with UML2
► XMI – a persistence mechanism for MOF, allowing exchange between tools
► QVT – a transformation language for MOF models
► OCL – a language for expressing logical assertions on MOF models, e.g. UML2
MDA Models and Metamodels
MDA Viewpoints
► Computation-Independent Models (CIM) contain domain concepts
► Platform-Independent Models (PIM) define a technology-independent view of the system
► Platform-Specific Models (PSM) contain system descriptions including technology aspects
► Platform – the technical architecture of a given
MDA Transformations
MDA Transformations, example
Xpand template (openArchitectureWare): one Java class per Entity, one public field per attribute and per reference
«IMPORT metamodel»
«DEFINE javaClass FOR Entity»
«FILE name+".java"»
public class «name» {
  «FOREACH attributes AS attr»
  public «attr.type» «attr.name»;
  «ENDFOREACH»
  «FOREACH references AS ref»
  public «ref.type.name» «ref.name»;
  «ENDFOREACH»
}
«ENDFILE»
«ENDDEFINE»
Generated Java for the access-matrix model (Subject, Object, Right):
public class Subject {
  public String id;
}
public class Object {
  public String id;
}
public class Right {
  public String id;
  public String access_type;
  public Boolean copy_flag;
  public Subject s;
  public Object o;
}
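The model-to-text step above can be reproduced without the oAW tool-chain, which makes the metamodel/model/transformation layering concrete. The following Python is an added example written for this page, not code from the thesis: a three-class metamodel (Entity, Attribute, Reference), the Subject/Object/Right model as an instance of it, and a generate() function that plays the role of the Xpand template and returns one Java source string per entity. The names java_class, access_matrix_model and generate are this example's own.

```python
"""Added example: a minimal model-to-text (M2T) transformation, mirroring
the Xpand template on the slide. Not the thesis's own code."""
from dataclasses import dataclass, field
from typing import Dict, List


# --- Metamodel (what a model may contain; the Xpand template is written
# --- against these types, not against any particular model) -------------
@dataclass
class Attribute:
    name: str
    type: str            # a Java type name, e.g. "String"


@dataclass
class Reference:
    name: str
    type: "Entity"       # a reference points at another Entity, not a primitive


@dataclass
class Entity:
    name: str
    attributes: List[Attribute] = field(default_factory=list)
    references: List[Reference] = field(default_factory=list)


# --- Model (an instance of the metamodel): the access-matrix entities ----
def access_matrix_model() -> List[Entity]:
    subject = Entity("Subject", [Attribute("id", "String")])
    obj = Entity("Object", [Attribute("id", "String")])
    right = Entity(
        "Right",
        [Attribute("id", "String"),
         Attribute("access_type", "String"),
         Attribute("copy_flag", "Boolean")],
        [Reference("s", subject), Reference("o", obj)],
    )
    return [subject, obj, right]


# --- Transformation (model -> text) --------------------------------------
def java_class(entity: Entity) -> str:
    """Counterpart of «DEFINE javaClass FOR Entity»: one public class with
    one public field per attribute and per reference."""
    lines = [f"public class {entity.name} {{"]
    for attr in entity.attributes:              # «FOREACH attributes AS attr»
        lines.append(f"    public {attr.type} {attr.name};")
    for ref in entity.references:               # «FOREACH references AS ref»
        lines.append(f"    public {ref.type.name} {ref.name};")
    lines.append("}")
    return "\n".join(lines) + "\n"


def generate(model: List[Entity]) -> Dict[str, str]:
    """Counterpart of «FILE name+".java"»: maps file name to file content
    instead of writing to disk, so the result can be inspected or tested."""
    return {f"{e.name}.java": java_class(e) for e in model}


if __name__ == "__main__":
    for filename, source in generate(access_matrix_model()).items():
        print(f"// {filename}")
        print(source)
```

Everything platform-specific (Java syntax, public fields) lives in java_class(); the metamodel and the model know nothing about Java, which is the separation between PIM and PSM that the viewpoints slide describes.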
MDA Concepts, in UML
MDA Tool-chain
► Editor, Model creation, XMI generation
 MagicDraw
► Model-to-Model, Model-to-Text transformation
 openArchitectureWare
► Target Platform
 Java
► Integration
 Eclipse
Experiment
► Apply secure systems methodology to building models for an abstract version of remote access
► Reverse-engineer SSH design models from architecture documents and source code
► Compare analysis results to SSH architecture
► Evaluate ability of MDA to assist in translation of models from phase N to phase N+1:
 Requirements -> Analysis
 Analysis -> Design
Example: Remote Access
Example(2): Secure Shell (SSH)
► Widely used network protocol providing security for remote access to user accounts and similar services
► [SSH] “enables secure remote login and other secure network services over an insecure network”
 server authentication
 client authentication (public key, password, host-based)
 perfect forward secrecy (from the Diffie-Hellman key exchange in the transport protocol)
 Internet standard: RFCs 4250–4256 describe goals, architecture
 Open source client implementation: Ganymed SSH-2 for Java
Requirements: Use Cases
Requirements: Sequence Diagram
Requirements: Activity Diagram
Analysis: Initial Class Diagram
Patterns applied during Analysis
► Authenticator
► Known Partners
► Single Access Point
► Checkpoint
► Security Session
► Information Obscurity
► Secure Channels
Analysis: Final Class Diagram
Compare: SSH Transport Protocol
(reverse engineered from RFC)
Analysis Result
► Application of standard security patterns to the abstract case of remote access yielded a reasonably comprehensive model of the entities and relationships that participate in the SSH architecture.
► Application of the methodology to a generic version of the example problem yielded a model that corresponds well to an existing solution of the problem.
Results
► Models captured fragments of the system from a given viewpoint, in this case depending on the lifecycle phase
► The ability to connect entities between phases depends on a shared metamodel
► No such metamodel exists for the presented models
Results(2), Questions revisited
► To what degree is it now possible to work in terms of high-level models rather than code?
 Within constraints, there are opportunities to work with models rather than code
► Does MDA allow for the creation and reuse of generic models?
 Insufficient evidence collected to support answering this
► Does MDA reduce the amount of low-level work that needs to be done?
 MDA increases the amount of work required to build the first application.
Conclusions
► Requirements, Analysis and Design are fundamentally about deciding what you want, while MDA excels in describing what you have.
► Conclusion: MDA can be useful when working with a known domain and a known architecture.
► Metamodels, and transformations on them, are MDA’s driving force. Where they exist or their creation is justified, they can assist in the development process.
► MDA is not a good fit for a methodology; but it could be a good fit for an instance of a methodology.
► MDA can capture the details of domain and architecture, allowing systems designers to concentrate on variations within an established domain and architecture.
► This does suggest that software alteration and maintenance may be enhanced by the use of MDA.
Future Work
► Develop Java platform model to support code generation from existing analysis models
► Choose second, third example applications
► Map examples onto suitable metamodel(s)
 Unify lifecycle phase models
 Factor out application, security, platform dependencies
 Evaluate existing metamodels: SysML, RM-ODP
► Encode security pattern knowledge in the
► Dr.
E.B. Fernandez
► Dr. Shihong Huang
► Dr. Maria Petrie