Security Pattern Mining and Certification: An Evidence-Based Approach


Page 1

Security Pattern Mining and Certification: An Evidence-Based Approach

Jungwoo Ryoo and Phillip Laplante, Penn State University

Rick Kazman, University of Hawaii

Page 2

Software Patterns

• Recurring problems
– Well-known solutions
– Example: how to build a castle

• No need to
– Start from scratch

• Gang of Four
– Erich Gamma et al., Design Patterns. Addison Wesley, 1994.

Background

12/18/2009 Penn State University University of Hawaii

Page 3

Types of Patterns

[Figure: the Software Development Life Cycle drawn as a sequence of phases (Inception, Requirements Elicitation, Early Design, Analysis, Detailed Design, Implementation, Testing, Deployment), with Architectural Patterns and Design Patterns positioned at the phases where they apply]

Background

Page 4

Architectural vs. Design Patterns

• Architectural pattern
– Addresses overarching/cross-cutting concerns such as
  • Security
  • Performance
  • Usability
  • Modifiability
  • Reusability

• Design pattern
– Addresses functional requirements


Background

Page 5

Patterns Community


Background

Page 6

Architectural Pattern Characteristics

• Community-driven
– Size

• Context-bound
– Problem domain-specific

• Multiple forces
– Quality attributes


Motivation

Page 7

Architectural Patterns: Shortcomings

• Community-driven
– Long turn-around time


Motivation

Page 8

Architectural Patterns: Shortcomings

• Still too concrete and restricting as a starting point (not malleable)

• Need for a more primitive concept
– Something that maps directly to a particular concern such as security


Motivation

Page 9

Architectural Patterns: Shortcomings

• Already interwoven solutions

• Due to their multi-force nature
– No rigorous way to verify the
  • Effectiveness in addressing a particular quality attribute
  • Influence on other quality attributes


Motivation

Page 10

Introducing Tactics

• More fine-grained concept than architectural patterns
– Decomposition of an architectural pattern
  • Identification of building blocks of an architectural pattern
– Mapping between a single quality attribute and an architectural pattern
– Establishing the traceability


Our Approach

Page 11

Types of Patterns

[Figure: the same Software Development Life Cycle as on Page 3 (Inception, Requirements Elicitation, Early Design, Analysis, Detailed Design, Implementation, Testing, Deployment), with a new Very Early Design phase inserted before Early Design; Tactics are positioned at Very Early Design, ahead of Architectural Patterns and Design Patterns]

Our Approach

Page 12

Tactics: Benefits

• No more guess work
– Architects know exactly why they need a pattern!

• Easier verification of effectiveness
– Problem: privilege escalation
– Solution: privilege separation
vs.
– Problem: Separation of concerns in Web applications
– Solution: MVC or Model View Controller


Our Approach

Page 13

After-the-Fact Security Solutions

• Today’s software security research mainly focuses on:
– Testing
  • Static code analysis using software tools

• Example
– The Open Source Hardening Project
  • Coverity® tool


Ongoing Research

Page 14

Analogy: a Secure Building


Ongoing Research

Page 15

Security Tactics Hierarchy


Page 16

Ultimate Goal of our Research

• Proactively building a repository of high-level design strategies (referred to as tactics) whose effectiveness is verifiable, to help software architects develop their own customized structural design that is both secure and problem-specific.


Ongoing Research

Page 17

What about a Community Process?

• Of course, this repository could be built naturally through a community process based on consensus

• Problems
– Time
– Verification


Ongoing Research

Page 18

Methodology for Mining Tactics

• We propose that tactics be mined proactively from the existing
– Open source code base and
– Patterns.

• Currently, many tactics are misidentified as patterns.


Ongoing Research

Page 19

Methodology for Scientific Verification

• Open source projects can serve as a proving ground for scientifically verifying the effectiveness of a tactic.


Ongoing Research

Page 20

Evidence-Based SE through Open Source

• The methodology
– Identify
  • Multiple open source projects
  • Defect and tactic pairs
    – For example, privilege escalation and privilege separation
– Compare
  • The number of defects
    – before and after the tactic within the same open source project, by tracking the history of the defects
    – with or without the tactic among multiple open source projects
– Analysis
  • If the number of relevant defects
    – goes down, or
    – is smaller,
  • the tactic is effective


Ongoing Research
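As an added illustration of the comparison rule on this slide (example code written for this transcript, not the authors' tooling), the following Python runs the before/after and with/without comparisons over a constructed defect history for one defect-and-tactic pair, privilege escalation and privilege separation. The project names, defect dates and adoption dates are made-up sample data.

```python
from datetime import date

# Constructed sample history (assumption, not data from the talk) for one defect-and-tactic
# pair: privilege-escalation defects per project, and the date each project adopted the
# privilege-separation tactic (None = the project never adopted it).
DEFECTS = {
    "projA": [date(2008, 2, 1), date(2008, 7, 15), date(2008, 11, 3), date(2009, 5, 20)],
    "projB": [date(2008, 4, 9), date(2009, 1, 12), date(2009, 8, 30)],
    "projC": [date(2008, 9, 9), date(2009, 3, 3), date(2009, 6, 6), date(2009, 10, 10)],
}
ADOPTED = {"projA": date(2009, 1, 1), "projB": date(2009, 6, 1), "projC": None}


def mean(xs):
    return sum(xs) / len(xs) if xs else 0.0


def before_after(defect_dates, adopted_on):
    """Within one project: relevant defects before vs. after the tactic was introduced."""
    before = sum(1 for d in defect_dates if d < adopted_on)
    return before, len(defect_dates) - before


def with_without(defects, adopted):
    """Across projects: mean relevant-defect count with vs. without the tactic."""
    with_tactic = [len(defects[p]) for p, on in adopted.items() if on is not None]
    without = [len(defects[p]) for p, on in adopted.items() if on is None]
    return mean(with_tactic), mean(without)


def tactic_effective(defects, adopted):
    """The slide's decision rule: effective if relevant defects go down after adoption
    in every adopting project and are fewer, on average, among adopting projects."""
    adopters = [(p, on) for p, on in adopted.items() if on is not None]
    if not adopters:
        return False  # no before/after evidence at all
    goes_down = all(after < before for before, after in
                    (before_after(defects[p], on) for p, on in adopters))
    with_t, without_t = with_without(defects, adopted)
    return goes_down and with_t < without_t
```

The rule uses raw defect counts as the slide states; in practice the counts should be normalised by observation window and code size before a tactic is judged effective.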

Page 21

Publications

Jungwoo Ryoo, Phil Laplante and Rick Kazman, In Search of Architectural Patterns for Software Security, Computer, 42 (6): 98-100, June 2009.


Page 22

Questions and Answers


Page 23

Relationship between Tactics and Patterns

• Tactics
– Help architects with an initial architectural design process
– Are building blocks of a pattern
– Establish direct traceability between specific quality attributes and a pattern


Page 24

Differences between Tactics and Patterns

• Atomicity
• Force limitation
• Problem specificity
• Completeness
• Tradeoffs between forces


Page 25

Mining Tactics from Patterns

• Compartmentalization
– “Put each part in a separate security domain. Even when the security of one part is compromised, the other parts remain secure.”

[Figure: position of Compartmentalization in the security tactics hierarchy: Security → Resisting Attacks → Limit Access → Compartmentalization]

Ongoing Research

Page 26

Tactics and Patterns


Example

[Figure: class diagram of the Authenticator pattern. Authenticator (+authenticate(s), +get()) is realized by Concrete Authenticator (+authenticate(s)); Object Factory (+create()) is realized by ConcreteObjectFactory (+create()), which creates RemoteObject]

“The authenticator pattern performs authentication of a requesting process before deciding access to distributed objects.”
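The pattern in the diagram above, implemented as an added example (not the authors' code): the Authenticator's get() never asks the factory for a RemoteObject until authenticate(s) has succeeded, so the access decision sits in one place. The HMAC-based proof, the shared-secret store and the method signatures are assumptions made here, not part of the slide.

```python
import hashlib
import hmac
from abc import ABC, abstractmethod

# Constructed credential store (assumption, not from the slide): subject -> shared secret.
SECRETS = {"alice": b"alice-secret-key"}

class RemoteObject:
    def __init__(self, owner):
        self.owner = owner

    def describe(self):
        return f"remote object for {self.owner}"

class ObjectFactory(ABC):
    @abstractmethod
    def create(self, subject): ...

class ConcreteObjectFactory(ObjectFactory):
    def create(self, subject):
        return RemoteObject(subject)

class Authenticator(ABC):
    """Access decision point: the factory is only reachable through get()."""
    def __init__(self, factory):
        self._factory = factory

    @abstractmethod
    def authenticate(self, subject, proof): ...

    def get(self, subject, proof):
        # No RemoteObject is created for a subject that fails authentication.
        if not self.authenticate(subject, proof):
            return None
        return self._factory.create(subject)

class ConcreteAuthenticator(Authenticator):
    """Verifies an HMAC-SHA256 tag over the subject name under its shared secret."""
    def authenticate(self, subject, proof):
        secret = SECRETS.get(subject)
        if secret is None or not isinstance(proof, str):
            return False
        # Constant-time comparison: a wrong tag is not distinguishable by timing.
        return hmac.compare_digest(make_proof(subject, secret), proof)

def make_proof(subject, secret):
    # How a legitimate requester derives its proof (assumed protocol, not the slide's).
    return hmac.new(secret, subject.encode(), hashlib.sha256).hexdigest()
```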