Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
1
.
PhD studentCatia Trubiani
AdvisorVittorio Cortellessa
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
Analyzing Tradeoffs betweenSoftware Security and Performance
2
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» Motivation
» Our approach
- Security Library
- Enabling Security
» Experimental validation
» Conclusions
Outline
V.Cortellessa, C.Trubiani, L.Mostarda, N.Dulay“An Architectural Framework for Analyzing Tradeoffs
between Software Performance and Security”@ISARCS – International Symposium on ARchitecting
Critical Systems, CompArch 2010
2
3
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» Trade-off analysis for critical systems
Motivation
Security Performance
4
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» How much the security solutions degrade performance?
Problem statement
Requirements:<<data confidentiality>>
…
C2
ArchitecturalModel
sendDataC1
C2
sendData Encryption*
Decryption*
C1
Throughput
Workload
initial system
addition ofsecurity solutions
λ
t1
t2
3
5
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» A process for the analysis of security/performance tradeoffs
Our approach
BasicMechanisms
Security Library
ComposedMechanisms
Performance notation
(e.g. GSPN)
Software notation
(e.g. UML)
Security-EnabledApplication Model
Performance Model
ApplicationModel
Security-AnnotatedApplication Model
Enabling
Security
6
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» Dependencies between Mechanisms
A vision of our Security Library
EncryptionDigital
SignatureGeneration
DigitalSignature
VerificationDecryption
Data Confidentiality
X X
Data Integrity X X
Peer EntityAuthentication
X X
Data OriginAuthentication
X
Basic
Composed
4
7
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» Some preliminary operations
Security Library (1/3)
“generateKeys” “getCertificate”
setKeyType()
C: Component
setKeyLength()
generatePKey(type, length)
generateSKey(type, length)
C: Component
checkCompInfo()
CA: CertificationAuthority
generateCertificate(compInfo, CAInfo,
P(C), P(CA))sendCertificate(compCertificate)
reqCertificate(compInfo, P(C))
opt
[trusted]
8
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» Basic Mechanisms
Security Library (2/3)
Encryption
S: Sender R: Receiver
alt
[asymEncrypt]
setAlgorithmType()
setKeyLength()
setPaddingScheme()
[symEncrypt] setAlgorithmMode()
EXCHANGE CERTIFICATES
encryptAlg(msg, P(R))
EXCHANGE CERTIFICATES AND KEYS
encryptAlg(msg, K(K(S), K(R)))Digital Signature
Generation
setHashFunction()
C: Component
generateDigest()
encryptAlg(digest, S(C))
5
9
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» Composed Mechanisms
Security Library (3/3)
<<component>>
data: dataType
Data Confidentiality
ClientComponent
void op(dataType dataName)
<<component>>
SupplierComponent
C: Client Component
ref
Encryption
op(data)
S: SupplierComponent
send(encryptedData)*
ref
Decryption
10
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» More details of the approach by means of a driving case study, i.e. the CUSPIS system:
- Cultural asset authentication (CAA)
�“GeoDataGeneration” scenario
- Cultural asset transportation (CAT)
Our approach at work!
6
11
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» The Application Model is a static and dynamic representation of a software architecture
Application Model
<<component>>
geoData: gdType
Qualified Organization
void store(gdType geoDataName)
<<component>>
Database
Q: QualifiedOrganization
store(geoData)
D: Database
send(geoData)
gdType genGeoData () {return this.geoData;}genGeoData()
12
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» A Security-Annotated model is obtained by introducing security annotations
Security-Annotated App.Model(s)
<<component>>
geoData: gdType
Qualified Organization
void store(gdType geoDataName)
<<component>>
Database
gdType genGeoData () {return this.geoData;}
Data OriginAuthentication
System Configuration SC1,i.e. the required security settings (e.g. Data Origin Authentication)
7
13
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» A Security-Annotated model is obtained by introducing security annotations
Security-Annotated App.Model(s)
<<component>>
geoData: gdType
Qualified Organization
void store(gdType geoDataName)
<<component>>
Database
gdType genGeoData () {return this.geoData;}
Data Confidentiality
Data OriginAuthentication
System Configuration SC2,i.e. the required security settings (e.g. Data Origin Authentication
and Data Confidentiality)
14
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» Operational steps:
1. Interpretation of security annotations
- Key-aspect: composability of models
(i) Entry points unambiguosly defined
(ii) Security models easily composable
2. Evaluation of security mechanisms at the application level
- Key-aspect: application-independent parameters are specifiedin the Security Library
(i) Implementation options unambiguosly defined
(ii) Estimation of application-dependent Security Mechanisms
Enabling Security
8
15
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» A Security-Enabled model is obtained by embedding the appropriate security mechanisms
Security-Enabled App. Model(s)
<<component>>
geoData: gdType
Qualified Organization
void store(gdType geoDataName)
<<component>>
Database
gdType genGeoData () {return this.geoData;}
Data OriginAuthentication
Q: QualifiedOrganization
store(geoData)
D: Database
send(geoData)
genGeoData()
ref DigitalSignatureGeneration
System Configuration SC1
16
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» A Security-Enabled model is obtained by embedding the appropriate security mechanisms
Security-Enabled App. Model(s)
<<component>>
geoData: gdType
Qualified Organization
void store(gdType geoDataName)
<<component>>
Database
gdType genGeoData () {return this.geoData;}
Data OriginAuthentication
Q: QualifiedOrganization
store(geoData)
D: Database
send(geoData)
genGeoData()
ref DigitalSignatureGeneration
refEncryption
ref Decryption
Data Confidentiality
System Configuration SC2
9
17
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
Performance Model(s)
» A Performance model is obtained by transforming a software model into a performance model
System Configuration SC1
setHashFunction()
C: Component
…
{HashAlgorithm={SHAwithRSA, MD5, …},KeySize={1024, 2048, 4096, …}}
18
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
Performance Model(s)
» A Performance model is obtained by transforming a software model into a performance model
System Configuration SC2
S: Sender
setAlgorithmType()
setKeyLength()
{Algorithm={AES, 3DES, RSA, …}, Mode = {CBC, ECB, …}}
{KeyLength={256, 512, …}}
10
19
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» Experimental results (1/2)
Validation of the case study
System Configuration SC1
Platform 1 -Intel(R) Core2,
2.0GHz with 2GB RAM,
Windows VistaPlatform 2 -
Intel Pentium4, 3.4Ghz with 2GB RAM,
Windows XP
0
2
4
6
8
10
12
14
16
18
20
Model Solution
Results
Implementation
Monitoring Data
20
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» Experimental results (2/2)
Validation of the case study
System Configuration SC2
Platform 1 -Intel(R) Core2,
2.0GHz with 2GB RAM,
Windows VistaPlatform 2 -
Intel Pentium4, 3.4Ghz with 2GB RAM,
Windows XP
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
Model Solution
Results
Implementation
Monitoring Data
11
21
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» What happens while varying the system workload across the SC1 and SC2 configurations?
A broader analysis
SC1
SC2
Workload
Throughput
λ1 = 23 reqs/sec
t1 = 17.45 tags/second
t2 = 3.43 tags/second
λ2 = 7 reqs/sec
22
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» Experimentation:
- Our models provide promising results (i.e. the worst model prediction error is 4.08%)
- The analysis of the workload provides interesting insights
» Limitations:
- Security Mechanisms: encryption and digital signature
- Enabling security implies the usage of the mechanisms at the application level, thus they can be influenced by application-dependent characteristics
Afterthougths
12
23
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
» Contributions:
- A framework to support the analysis of software architecture (i.e., performance degradation while varyingsecurity solutions)
- Introduction of models for basic security mechanisms
» Future works:
- Introduction of costs for security solutions
- Trade-off analysis between security and other non-functionalattributes, e.g. availability
Conclusions
24
Project PRIN PaCo (Performability-aware Computing)Camerino, 15th September 2010
Thank you!
Questions