Secure Systems Research Group - FAU
Classifying security patterns
E. B. Fernandez, H. Washizaki, N. Yoshioka, A. Kubo
Need for classification
• A good number of security patterns have been described in the literature, and two books (catalogs) have appeared
• However, these are mostly unstructured
• We need guidance for the designers on how to select appropriate patterns
• A good classification of security patterns can help
Several classifications
• Types of patterns
• Architectural concerns
• Architectural layers
• Text similarity
• Pattern diagrams
What type of pattern?
• An architectural pattern. They usually describe global system architecture concepts, e.g., do we need authentication between two distributed units? We consider this association to be the most convenient because security is a global property of a system.
• A design pattern. The fact that security can be considered an aspect of a software subsystem has made some groups consider them design patterns. However, design patterns are oriented towards code flexibility and do not consider global aspects, necessary for security.
• An analysis pattern. Security constraints should be defined at the highest possible level, i.e. at the conceptual model of the application. For example, we can define which users have which roles and what rights they need to perform their duties. This means that at least some security patterns are analysis patterns.
• A special type of pattern. We can add new sections or remove some sections from the standard template patterns but we don’t see a compelling reason for an entirely new type of pattern.
Architectural classification
• Since we consider security patterns to be architectural patterns, we should look at software architecture classifications.
• Avgeriou and Zdun classify architectural patterns using the type of concerns they address, e.g. Layered Structure, Data Flow, Adaptation, User Interaction, Distribution.
• This means we should classify security patterns according to their concerns, e.g. patterns for access control, cryptography, file control, identity, firewalling, etc.
• For example, authentication in distributed systems is considered in: Authenticator, Remote Authenticator /Authorizer, and Credential.
• Chapters 7 and 8 of [Sch06] are organized this way.
• Another type of concern is the general structuring of a system into core (host), perimeter, and external [Hafiz06]. This is too coarse.
Levels of abstraction
• Patterns can be defined at several levels of abstraction.
• The highest level is typically a principle or a very fundamental concept, e.g. the concept of Reference Monitor, which indicates that every access must be intercepted and checked
• Another example: firewalls, database authorization systems, and operating system access control systems are all special cases of access control systems, i.e. of the Reference Monitor
Firewall abstractions
Figure: hierarchy of firewall abstractions. Reference Monitor is the root; Firewall specializes it, and the figure lists the specializations of Firewall: Proxy Firewall, Packet Filter Firewall, Application (User) Firewall, Stateful Firewall, Stateful Proxy Firewall, XML Firewall.
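The hierarchy above is easiest to see in code: the Reference Monitor is the fixed "intercept every request, then decide" step, and each firewall is a specialization that only changes how the decision is made. The following is an added example written for this page, not code from the slides or from the FAU group; the rule tuple format, the Packet fields and the sample traffic are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


class ReferenceMonitor:
    """Every access passes through check(); subclasses only override decide().
    check() also records each decision, so mediation is complete and auditable."""

    def __init__(self):
        self.audit = []

    def check(self, request) -> bool:
        allowed = self.decide(request)
        self.audit.append((request, allowed))
        return allowed

    def decide(self, request) -> bool:
        return False  # default deny if nobody decides otherwise


@dataclass(frozen=True)
class Packet:  # assumed minimal header view (constructed for the example)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PacketFilterFirewall(ReferenceMonitor):
    """Stateless: decides on header fields alone.
    A rule is (src_net, dst_net, dport or None, proto, allow); first match wins."""

    def __init__(self, rules):
        super().__init__()
        self.rules = rules

    def decide(self, pkt: Packet) -> bool:
        for src_net, dst_net, dport, proto, allow in self.rules:
            if (ip_address(pkt.src) in ip_network(src_net)
                    and ip_address(pkt.dst) in ip_network(dst_net)
                    and (dport is None or dport == pkt.dport)
                    and proto == pkt.proto):
                return allow
        return False  # no rule matched: default deny


class StatefulFirewall(PacketFilterFirewall):
    """Adds connection state: the reply direction of a connection that was
    admitted by the rules is allowed without needing a rule of its own."""

    def __init__(self, rules):
        super().__init__(rules)
        self.established = set()  # (src, sport, dst, dport, proto) of admitted flows

    def decide(self, pkt: Packet) -> bool:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.established:
            return True
        if super().decide(pkt):
            self.established.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False


# Constructed policy: internal hosts may open HTTPS to anywhere; nothing else.
RULES = [("10.0.0.0/24", "0.0.0.0/0", 443, "tcp", True)]

# Constructed traffic: an outbound HTTPS packet, its reply, and an unsolicited
# inbound packet that is not part of any admitted connection.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 443),
    Packet("203.0.113.9", 443, "10.0.0.5", 40000),
    Packet("203.0.113.9", 443, "10.0.0.5", 40001),
]


def run_demo():
    """Judge the same traffic with both specializations of the monitor."""
    pf = PacketFilterFirewall(RULES)
    sf = StatefulFirewall(RULES)
    return {
        "packet_filter": [pf.check(p) for p in TRAFFIC],   # [True, False, False]
        "stateful": [sf.check(p) for p in TRAFFIC],        # [True, True, False]
        "audit_entries": len(sf.audit),                    # 3: every access was logged
    }


if __name__ == "__main__":
    print(run_demo())
```

The stateless filter drops the legitimate reply because no rule admits inbound traffic from the server; the stateful specialization admits it because it remembers the connection, while still refusing the unsolicited packet. Both inherit the same mediation and audit step from the Reference Monitor.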
Architectural layers
• We can think of a computer system as a hierarchy of layers, where the application layer uses the services of the database and operating system layers, which in turn, execute on a hardware layer. These layers provide another dimension for classification.
• Two basic principles of security apply here: (1) security constraints should be defined at the highest layer, where their semantics are clear, and propagated to the lower layers, which enforce them; (2) all the layers of the architecture must be secure.
Classification using archit. levels
Figure: classification of patterns by architectural level.
• Application and Distribution levels: Authorization, Reference Monitor, Authentication, ABAC, XACML, WSPLL, Application Firewall, XML Firewall, Proxy Firewall
• OS level: Secure Process, Controlled VAS (Controlled Virtual Address Space)
• Comm. level: TCP, IP, Packet Filter Firewall
Levels and concerns
Figure: matrix of architectural levels (rows) against concerns (columns: firewall, authentication, reference monitor). Patterns shown, by concern:
• Firewalls: Application Firewall, XML Firewall, Proxy Firewall, Packet Filter Firewall
• Authenticators: Authenticator, OS Authenticator, SAML Authenticator, Remote Authenticator
• Reference monitors: Reference Monitor, OS Reference Monitor, XACML Access Control Evaluator
Automated similarity relationships
• Kubo et al. have proposed an automated relation analysis technique for patterns. It uses existing text processing techniques (TF-IDF weighting and the vector space model) to extract patterns from documents and to calculate the strength of the relation between two patterns from the similarity of their descriptions.
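The TF-IDF and vector space computation behind that technique, as an added example written for this page (it is not the tool of Kubo et al. and uses no library). The four pattern descriptions are constructed, abbreviated stand-ins for catalog text, the idf formula is the classic log(N/df), and the relation threshold is an assumed value.

```python
import math
import re
from collections import Counter

# Constructed, abbreviated descriptions (not the catalog texts).
PATTERNS = {
    "Packet Filter Firewall": "packet filter firewall inspects each packet at the network "
                              "perimeter and applies address and port rules to block unwanted traffic",
    "Proxy Firewall": "proxy firewall inspects traffic at the network perimeter through a proxy "
                      "that applies rules to each request before forwarding it to internal hosts",
    "Authenticator": "authenticator verifies the identity of a subject using credentials such as "
                     "a password or token when the subject requests access",
    "Credential": "credential carries identity and authentication information such as a token "
                  "or certificate which a subject presents for verification",
}


def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())


def tf_idf_vectors(docs):
    """One sparse vector per document: term -> tf(term, doc) * log(N / df(term))."""
    tokens = {name: tokenize(text) for name, text in docs.items()}
    n = len(tokens)
    df = Counter()
    for toks in tokens.values():
        df.update(set(toks))
    idf = {term: math.log(n / d) for term, d in df.items()}  # 0 for terms in every doc
    vectors = {}
    for name, toks in tokens.items():
        counts = Counter(toks)
        vectors[name] = {t: (c / len(toks)) * idf[t] for t, c in counts.items()}
    return vectors


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def pattern_similarity(docs, p, q):
    vecs = tf_idf_vectors(docs)
    return cosine(vecs[p], vecs[q])


def pattern_relations(docs, threshold=0.1):
    """All pattern pairs whose description similarity reaches the threshold,
    strongest relation first; the threshold is an assumed cut-off."""
    vecs = tf_idf_vectors(docs)
    names = list(docs)
    relations = []
    for i, p in enumerate(names):
        for q in names[i + 1:]:
            score = cosine(vecs[p], vecs[q])
            if score >= threshold:
                relations.append((p, q, round(score, 3)))
    return sorted(relations, key=lambda r: -r[2])


if __name__ == "__main__":
    for p, q, score in pattern_relations(PATTERNS):
        print(f"{p} <-> {q}: {score}")
```

On the constructed texts the two firewall descriptions and the two identity-related descriptions end up related, while cross pairs score close to zero because the words they share ("the", "a", "and") occur in most documents and so carry little idf weight. This is exactly the signal a relation-extraction step ranks; the relation type (similar force, similar result) still needs the section of the template in which the overlapping text occurs.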
Automated analysis results
Figure: relations found by the automated analysis between patterns of [Yod97] (Single Access Point, Check Point, Session, Roles, Limited View, Full View With Errors) and patterns of [Shu06] (Packet Filter Firewall, Secure Handling Of Legal Cases). Relation types labelled in the figure: SimilarResult, SimilarForce, SubInResulting.
Pattern diagrams
• A pattern diagram uses these classifications to help the designer navigate in the design space. For example, an operating system designer can start from a Secure Process and use a Controlled Process Creator to create new processes in a secure way (controlling their initial rights). These processes can then execute in a Controlled Virtual Address Space (with controlled rights). The general structure of the virtual address space is defined through a Virtual Address Space Structure Selection.
Patterns for operating systems
Figure: pattern diagram for operating systems. Patterns: Secure Process, Secure Thread, Controlled Process Creator, Controlled Virtual Address Space, Virtual Address Space Structure Selection, Authorization, RBAC (Role Based Access Control), Administrator Hierarchy, Reference Monitor. A Secure Process is created by the Controlled Process Creator and executes in a Controlled Virtual Address Space, whose structure is defined through the Virtual Address Space Structure Selection. Other relations labelled in the diagram: uses, defines access, define rights, authorized by, enforced by (Reference Monitor), specializes, faster context switch (Secure Thread).
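The navigation the pattern diagram describes, as an added example written for this page (a toy model, not code from the slides): a Controlled Process Creator gives a new Secure Process only the initial rights its creation policy names and never a right its creator does not hold; the process then executes in a Controlled Virtual Address Space whose layout comes from a Structure Selection, and every memory access is checked by a Reference Monitor. The segment layout, the policy table, the (object, operation) form of rights and the sample programs are all assumptions for illustration.

```python
class AccessDenied(Exception):
    """Raised for any access or creation request the policy does not allow."""


class ReferenceMonitor:
    """Every access to a named object goes through check(); nothing else grants access."""

    def __init__(self):
        self.audit = []

    def check(self, process, obj, op):
        allowed = (obj, op) in process.rights
        self.audit.append((process.pid, obj, op, allowed))
        if not allowed:
            raise AccessDenied(f"pid {process.pid}: {op} on {obj} refused")
        return True


class ControlledVirtualAddressSpace:
    """Maps addresses to named segments; the layout (the Structure Selection)
    is an assumed dict name -> (base, size). Access rights live in the process."""

    def __init__(self, process, layout, monitor):
        self.process, self.layout, self.monitor = process, layout, monitor

    def access(self, addr, op):
        for name, (base, size) in self.layout.items():
            if base <= addr < base + size:
                return self.monitor.check(self.process, name, op)
        raise AccessDenied(f"address {addr:#x} is not mapped")


class SecureProcess:
    def __init__(self, pid, rights, layout, monitor):
        self.pid = pid
        self.rights = frozenset(rights)          # (object, operation) pairs
        self.address_space = ControlledVirtualAddressSpace(self, layout, monitor)


class ControlledProcessCreator:
    """Assigns a new process its initial rights from a creation policy and
    refuses creation if the policy asks for a right the creator lacks, so
    process creation can never be used to gain privilege."""

    def __init__(self, policy, layout, monitor):
        self.policy, self.layout, self.monitor = policy, layout, monitor
        self.next_pid = 1

    def create(self, creator, program):
        wanted = frozenset(self.policy[program])
        excess = wanted - creator.rights
        if excess:
            raise AccessDenied(f"{program} needs {sorted(excess)} which pid {creator.pid} lacks")
        proc = SecureProcess(self.next_pid, wanted, self.layout, self.monitor)
        self.next_pid += 1
        return proc


# Constructed layout, rights and creation policy (assumptions for the example).
LAYOUT = {"text": (0x1000, 0x1000), "data": (0x2000, 0x1000), "stack": (0x7000, 0x1000)}
ALL_RIGHTS = {("text", "execute"), ("data", "read"), ("data", "write"),
              ("stack", "read"), ("stack", "write")}
POLICY = {
    "worker": {("text", "execute"), ("data", "read"), ("stack", "read"), ("stack", "write")},
    "debugger": {("text", "execute"), ("text", "write")},  # asks for a right nobody holds
}


def run_demo():
    monitor = ReferenceMonitor()
    creator = ControlledProcessCreator(POLICY, LAYOUT, monitor)
    init = SecureProcess(0, ALL_RIGHTS, LAYOUT, monitor)
    worker = creator.create(init, "worker")

    def attempt(action):
        try:
            action()
            return "allowed"
        except AccessDenied as exc:
            return f"denied: {exc}"

    results = {
        "worker_read_data": attempt(lambda: worker.address_space.access(0x2010, "read")),
        "worker_write_data": attempt(lambda: worker.address_space.access(0x2010, "write")),
        "worker_exec_stack": attempt(lambda: worker.address_space.access(0x7100, "execute")),
        "worker_unmapped": attempt(lambda: worker.address_space.access(0x9000, "read")),
        "worker_spawns_debugger": attempt(lambda: creator.create(worker, "debugger")),
        "audit_entries": len(monitor.audit),  # 3 mediated accesses; the unmapped one never reached the monitor
    }
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The worker can read its data segment but not write it, cannot execute its stack, and cannot spawn a program whose policy demands a right the worker itself lacks; each mediated decision is in the monitor's audit trail, which is what makes the Reference Monitor the enforcement point for every other pattern in the diagram.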
Conclusions
• Patterns can be classified according to many viewpoints. A good classification can make their selection easier and more precise
• We have shown three possibilities: using as reference the architectural/functional objectives of the patterns, using as reference the architectural layers of a system, and looking at linguistic similarities in their descriptions
• Combining these classifications and expressing them as pattern diagrams which summarize the relevant patterns at a given stage or for a given concern, can guide designers in the selection of appropriate patterns
• Future work will include the development of further patterns, refining these classifications, and incorporating them in our methodology and in an MDD approach