Security Pattern Mining and Certification: An Evidence-Based Approach
Jungwoo Ryoo and Phillip Laplante, Penn State University
Rick Kazman, University of Hawaii
Software Patterns
• Recurring problems
  – Well known solutions
  – Example: how to build a castle
• No need to
  – Start from scratch
• Gang of Four
  – Erich Gamma et al., Design Patterns. Addison Wesley, 1994.
Background
12/18/2009 Penn State University University of Hawaii
Types of Patterns
[Figure: the Software Development Life Cycle (Inception / Requirements Elicitation, Early Design / Analysis, Detailed Design, Implementation, Testing, Deployment), with Architectural Patterns and Design Patterns placed on the phases where they apply.]
Background
Architectural vs. Design Patterns
• Architectural pattern
  – Addresses overarching/cross-cutting concerns such as
    • Security
    • Performance
    • Usability
    • Modifiability
    • Reusability
• Design pattern
  – Addresses functional requirements
Background
Patterns Community
Background
Architectural Pattern Characteristics
• Community-driven
  – Size
• Context-bound
  – Problem domain-specific
• Multiple forces
  – Quality attributes
Motivation
Architectural Patterns: Shortcomings
• Community-driven
  – Long turn-around time
Motivation
Architectural Patterns: Shortcomings
• Still too
  – concrete and
  – restricting
  as a starting point (not malleable)
• Need for a more primitive concept
  – Something that maps directly to a particular concern such as security
Motivation
Architectural Patterns: Shortcomings
• Already interwoven solutions
• Due to their multi-force nature
  – No rigorous way to verify the
    • Effectiveness in addressing a particular quality attribute
    • Influence on other quality attributes
Motivation
Introducing Tactics
• More fine grained concept than architectural patterns
  – Decomposition of an architectural pattern
    • Identification of building blocks of an architectural pattern
  – Mapping between a single quality attribute and an architectural pattern
  – Establishing the traceability
Our Approach
Types of Patterns
[Figure: the same Software Development Life Cycle (Inception / Requirements Elicitation, Early Design / Analysis, Detailed Design, Implementation, Testing, Deployment) with Architectural Patterns and Design Patterns, now extended with a Very Early Design stage in which Tactics apply.]
Our Approach
Tactics: Benefits
• No more guess work
  – Architects know exactly why they need a pattern!
• Easier verification of effectiveness
  – Problem: privilege escalation
  – Solution: privilege separation
  vs.
  – Problem: Separation of concerns in Web applications
  – Solution: MVC or Model View Controller
Our Approach
After-the-Fact Security Solutions
• Today's software security research mainly focuses on:
  – Testing
    • Static code analysis using software tools
• Example
  – The Open Source Hardening Project
    • Coverity® tool
Ongoing Research
Analogy: a Secure Building
Ongoing Research
Security Tactics Hierarchy
Ultimate Goal of our Research
• Proactively building a repository of high-level design strategies (referred to as tactics) whose effectiveness is verifiable, to help software architects develop their own customized structural design that is both secure and problem-specific.
Ongoing Research
What about a Community Process?
• Of course, this repository could be built naturally through a community process based on consensus
• Problems
  – Time
  – Verification
Ongoing Research
Methodology for Mining Tactics
• We propose that tactics be mined proactively from the existing
  – Open source code base and
  – Patterns.
• Currently, many tactics are misidentified as patterns.
Ongoing Research
Methodology for Scientific Verification
• Open source projects can serve as a proving ground for scientifically verifying the effectiveness of a tactic.
Ongoing Research
Evidence-Based SE through Open Source
• The methodology
  – Identify
    • Multiple open source projects
    • Defect and tactic pairs
      – For example, privilege escalation and privilege separation
  – Compare
    • The number of defects
      – Before and after the tactic within the same open source project, by tracking the history of the defects
      – With or without the tactic among multiple open source projects
  – Analysis
    • If the number of relevant defects
      – Goes down (before/after comparison)
      – Is smaller (with/without comparison)
    • The tactic is effective
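The two comparisons on this slide, coded as an added example that is not part of the slides or of the authors' work. It implements both the before/after split of one project's defect history and the with/without comparison across projects, for one defect/tactic pair (privilege escalation paired with privilege separation, as the slide suggests). The project names, dates and defect records are constructed sample data; normalising counts to a per-year rate so that observation windows of unequal length can be compared is an added refinement, not something the slide states.

```python
"""Added example, not from the slides: the evidence-based comparison they
describe, run over constructed sample data.

Comparison 1: within one project, relevant defects before vs. after the
tactic was introduced (from the defect history).
Comparison 2: across projects, relevant defects with vs. without the tactic.
Project names, dates and defect records are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Defect:
    project: str
    reported: date
    category: str        # the defect half of a defect/tactic pair


@dataclass(frozen=True)
class Project:
    name: str
    history_start: date
    history_end: date
    tactic_adopted: Optional[date] = None   # None: tactic never introduced


def defect_rate(defects: Iterable[Defect], project: str, category: str,
                start: date, end: date) -> float:
    """Relevant defects per year in [start, end). Normalising to a rate
    (an addition to the slides' raw counts) lets windows of unequal
    length be compared."""
    days = (end - start).days
    if days <= 0:
        raise ValueError("empty observation window")
    hits = sum(1 for d in defects
               if d.project == project and d.category == category
               and start <= d.reported < end)
    return hits * 365.0 / days


def before_after(defects, project: Project, category: str) -> dict:
    """Comparison 1: split one project's history at the adoption date."""
    if project.tactic_adopted is None:
        raise ValueError(f"{project.name} never adopted the tactic")
    before = defect_rate(defects, project.name, category,
                         project.history_start, project.tactic_adopted)
    after = defect_rate(defects, project.name, category,
                        project.tactic_adopted, project.history_end)
    return {"before": before, "after": after, "effective": after < before}


def with_vs_without(defects, projects: List[Project], category: str) -> dict:
    """Comparison 2: projects using the tactic (post-adoption window only)
    vs. projects that never adopted it (whole history)."""
    with_rates = [defect_rate(defects, p.name, category, p.tactic_adopted, p.history_end)
                  for p in projects if p.tactic_adopted is not None]
    without_rates = [defect_rate(defects, p.name, category, p.history_start, p.history_end)
                     for p in projects if p.tactic_adopted is None]
    if not with_rates or not without_rates:
        raise ValueError("need at least one project in each group")
    with_mean = sum(with_rates) / len(with_rates)
    without_mean = sum(without_rates) / len(without_rates)
    return {"with": with_mean, "without": without_mean,
            "effective": with_mean < without_mean}


# Constructed sample history: three fictional projects, one defect category
# (privilege escalation) paired with the privilege-separation tactic.
CATEGORY = "privilege-escalation"
PROJECTS = [
    Project("alpha", date(2007, 1, 1), date(2009, 1, 1), tactic_adopted=date(2008, 1, 1)),
    Project("beta",  date(2007, 1, 1), date(2009, 1, 1)),                      # never adopted
    Project("gamma", date(2007, 1, 1), date(2009, 1, 1), tactic_adopted=date(2007, 1, 1)),
]
DEFECTS = [
    Defect("alpha", date(2007, 3, 1), CATEGORY), Defect("alpha", date(2007, 6, 1), CATEGORY),
    Defect("alpha", date(2007, 9, 1), CATEGORY), Defect("alpha", date(2007, 12, 1), CATEGORY),
    Defect("alpha", date(2008, 6, 1), CATEGORY),
    Defect("alpha", date(2008, 7, 1), "usability"),   # unrelated category, must be ignored
    Defect("beta", date(2007, 2, 1), CATEGORY), Defect("beta", date(2007, 5, 1), CATEGORY),
    Defect("beta", date(2007, 8, 1), CATEGORY), Defect("beta", date(2008, 2, 1), CATEGORY),
    Defect("beta", date(2008, 5, 1), CATEGORY), Defect("beta", date(2008, 8, 1), CATEGORY),
    Defect("gamma", date(2007, 4, 1), CATEGORY), Defect("gamma", date(2008, 4, 1), CATEGORY),
]

if __name__ == "__main__":
    print(before_after(DEFECTS, PROJECTS[0], CATEGORY))
    print(with_vs_without(DEFECTS, PROJECTS, CATEGORY))
```

In practice the category filter is the hard part: the defect tracker has to label which reports belong to the defect/tactic pair, and a drop in the rate should be read alongside project activity in the same window before calling the tactic effective.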
Ongoing Research
Publications
Jungwoo Ryoo, Phil Laplante and Rick Kazman, In Search of Architectural Patterns for Software Security, Computer, 42 (6): 98-100, June 2009.
Questions and Answers
Relationship between Tactics and Patterns
• Tactics
  – Help architects with an initial architectural design process
  – Are building blocks of a pattern
  – Establish direct traceability between specific quality attributes and a pattern
Differences between Tactics and Patterns
• Atomicity
• Force limitation
• Problem specificity
• Completeness
• Tradeoffs between forces
Mining Tactics from Patterns
• Compartmentalization
  – "Put each part in a separate security domain. Even when the security of one part is compromised, the other parts remain secure."
[Figure: the tactic's place in the security tactics hierarchy: Security > Resisting Attacks > Limit Access > Compartmentalization.]
Ongoing Research
Tactics and Patterns
Example
[Class diagram of the Authenticator pattern: Authenticator (+authenticate(s), +get()) with its subclass Concrete Authenticator (+authenticate(s)); Object Factory (+create()) with its subclass ConcreteObjectFactory (+create()); an association labelled Creates leads to RemoteObject.]
“The authenticator pattern performs authentication of a requesting process before deciding access to distributed objects.”
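The pattern on this slide, coded as an added example that is not part of the slides or of the authors' work. Class and method names follow the diagram (Authenticator, Concrete Authenticator, Object Factory, ConcreteObjectFactory, RemoteObject, authenticate(s), get(), create()); the Subject type for the requesting process, the salted-hash credential store, the PBKDF2 parameters and the session-token handling are constructed for this illustration and are not part of the pattern description.

```python
"""Added example, not from the slides: one way to code the Authenticator
pattern shown in the class diagram. Class and method names follow the
diagram; the Subject type, the credential store, the PBKDF2 parameters and
the token handling are constructed for this illustration."""
from abc import ABC, abstractmethod
from dataclasses import dataclass
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    """The requesting process: a name and the secret it presents (constructed)."""
    name: str
    secret: str


class RemoteObject:
    """The distributed object the pattern protects."""
    def __init__(self, owner: str) -> None:
        self.owner = owner


class ObjectFactory(ABC):
    @abstractmethod
    def create(self, owner: str) -> RemoteObject: ...


class ConcreteObjectFactory(ObjectFactory):
    def create(self, owner: str) -> RemoteObject:
        return RemoteObject(owner)


class Authenticator(ABC):
    """authenticate(s) decides whether subject s is who it claims to be;
    get() releases a remote object only for a session that passed."""
    def __init__(self, factory: ObjectFactory) -> None:
        self._factory = factory
        self._sessions: Dict[str, str] = {}   # token -> subject name

    @abstractmethod
    def authenticate(self, s: Subject) -> Optional[str]: ...

    def get(self, token: str) -> RemoteObject:
        owner = self._sessions.get(token)
        if owner is None:
            raise PermissionError("no authenticated session for this token")
        return self._factory.create(owner)


def _derive(secret: str, salt: bytes) -> bytes:
    # PBKDF2 parameters are an illustration, not a recommendation from the slides
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class ConcreteAuthenticator(Authenticator):
    """Verifies subjects against a salted-hash credential store."""
    def __init__(self, factory: ObjectFactory,
                 store: Dict[str, Tuple[bytes, bytes]]) -> None:
        super().__init__(factory)
        self._store = store   # name -> (salt, derived key)

    def authenticate(self, s: Subject) -> Optional[str]:
        record = self._store.get(s.name)
        if record is None:
            return None
        salt, expected = record
        # constant-time comparison so a wrong secret and an unknown name behave alike
        if not hmac.compare_digest(_derive(s.secret, salt), expected):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = s.name
        return token


def build_demo() -> ConcreteAuthenticator:
    """Constructed credential store with a single subject 'alice'."""
    salt = secrets.token_bytes(16)
    store = {"alice": (salt, _derive("correct horse", salt))}
    return ConcreteAuthenticator(ConcreteObjectFactory(), store)


if __name__ == "__main__":
    auth = build_demo()
    token = auth.authenticate(Subject("alice", "correct horse"))
    print(auth.get(token).owner)                          # alice
    print(auth.authenticate(Subject("alice", "wrong")))   # None
```

The point of the structure is that RemoteObject is only ever produced by the factory behind get(), so every path to a distributed object passes through authenticate(s) first; a caller holding no valid session token gets a PermissionError rather than an object.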