LAB OF SOFTWARE ARCHITECTURES AND INFORMATION SYSTEMS
FACULTY OF INFORMATICS, MASARYK UNIVERSITY, BRNO
Lukáš Daubner, Tomáš Pitner

Secure Software Modeling Methods for Forensic Readiness

Content
• Security modelling
• Security Modeling Methods
• Forensic Readiness
• Security Modeling Methods for Forensic Readiness

Security by Design
• Defects in design
• Lack of background in cybersecurity
• Security is often considered last
• Reactive patching is not enough

Security Modeling
• Model-Driven Security
• UML profiles
• Aspect-Oriented Modeling
• Domain Specific Languages

Security Modeling – Model-Driven Security
• Subset of Model-Driven Development
• Semi-automatic transformations between models
• Model verification
(Figure: Requirements → Abstract model → … → Concrete model → Code and/or Tests)

Security Modeling – UML profile
• Extension to UML
• Stereotypes
• Tagged values
• Constraints

Security Modeling – Aspect-Oriented Modeling
• Separation of concerns
• Security concerns (aspects)
• Independently modelled
• Encapsulated
• Weaving together
(Figure: Business concern woven with the Access Control, Integrity and Confidentiality aspects)

Security Modeling Methods

UMLsec
• Formulated by J. Jürjens
• UML profile – an extension for security modeling
• Considered the most mature approach
• Support for formal model verification

UMLsec – Concerns
• Confidentiality
• Integrity
• Authenticity
• Non-Repudiation
• Access Control
• Information Flow
• Fair Exchange
• Etc.
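The following is an added example, not part of the slides or of Jürjens' UMLsec tooling: a small Python checker for the «secure links» constraint that the UMLsec example slides below present, using the threat sets Threats_A(s) of the default adversary (Internet: {delete, read, insert}; encrypted: {delete}) and the «secrecy» rule read ∉ Threats_A(s). It goes slightly beyond the slides by also handling UMLsec's «integrity» dependencies (insert ∉ Threats_A(s)) and the LAN link stereotype (empty threat set); the deployment model and all component and node names are constructed.

```python
from dataclasses import dataclass

# Threats_A(s) of the UMLsec default adversary per link stereotype, as on the slide.
# "LAN" (empty threat set) is UMLsec's third link stereotype, assumed here.
THREATS_A = {
    "Internet": {"delete", "read", "insert"},
    "encrypted": {"delete"},
    "LAN": set(),
}

# «secrecy» requires read ∉ Threats_A(s); «integrity» (UMLsec, not on the slide)
# requires insert ∉ Threats_A(s).
REQUIRED_ABSENT = {"secrecy": "read", "integrity": "insert"}

@dataclass(frozen=True)
class Link:
    nodes: frozenset        # the two deployment nodes the link connects
    stereotype: str         # "Internet", "encrypted" or "LAN"

@dataclass(frozen=True)
class Dependency:
    source: str             # calling component
    target: str             # called component
    stereotypes: frozenset  # e.g. frozenset({"secrecy"})

def check_secure_links(deployed_on, links, dependencies):
    """Return «secure links» violations as (source, target, link, threat) tuples;
    deployed_on maps component -> node. An empty list means the constraint holds."""
    by_nodes = {link.nodes: link for link in links}
    violations = []
    for dep in dependencies:
        n_src, n_tgt = deployed_on[dep.source], deployed_on[dep.target]
        if n_src == n_tgt:
            continue  # same node: no physical link for the adversary to attack
        link = by_nodes.get(frozenset({n_src, n_tgt}))
        for st in sorted(dep.stereotypes & set(REQUIRED_ABSENT)):
            threat = REQUIRED_ABSENT[st]
            if link is None:  # components must talk, but no link is modelled
                violations.append((dep.source, dep.target, None, threat))
            elif threat in THREATS_A[link.stereotype]:
                violations.append((dep.source, dep.target, link.stereotype, threat))
    return violations

# Constructed deployment: a client on a workstation calls a server in a data centre.
DEPLOYED_ON = {"Client": "workstation", "Server": "datacenter"}
DEPS = [Dependency("Client", "Server", frozenset({"secrecy"}))]
LINK_INTERNET = [Link(frozenset({"workstation", "datacenter"}), "Internet")]
LINK_ENCRYPTED = [Link(frozenset({"workstation", "datacenter"}), "encrypted")]
```

Running the checker on the same «secrecy» dependency over an «Internet» link reports a read violation, while over an «encrypted» link it reports none, which is exactly what the «secure links» stereotype enforces.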
UMLsec – Example
• Threat rules of the default adversary A:
  • Internet: Threats_A(s) = {delete, read, insert}
  • encrypted: Threats_A(s) = {delete}

Stereotype   | Base class | Constraints                          | Description
-------------|------------|--------------------------------------|-------------------------------------
secure links | subsystem  | dependency security matched by links | enforces secure communication links
secrecy      | dependency | read ∉ Threats_A(s)                  | assumes secrecy
Internet     | link       |                                      | Internet connection
encrypted    | link       |                                      | encrypted connection

UMLsec – Example
(Deployment diagram)

UMLsec – Example
(Deployment diagram with a link stereotyped «encrypted»)

UMLsec – Example II

Stereotype        | Base class | Constraints                             | Description
------------------|------------|-----------------------------------------|-------------------------------------
secure dependency | subsystem  | «call» and «send» respect data security | structural interaction data security
critical          | object     |                                         | critical object

Tag     | Stereotype | Description
--------|------------|----------------
secrecy | critical   | Secrecy of data

UMLsec – Example II
(Class diagram)

UMLsec – Example II
(Class diagram with a class stereotyped «critical» {secrecy={random()}})

SECTET
• UML profile
• Object Constraint Language
• Aimed at distributed, inter-organizational workflows
• Model-Driven

SECTET
• Workflow view
  • Global workflow
  • Local workflow
• Interface view
  • Document model
  • Interface model
  • Role model
  • Access model

SECTET – Example
• Global workflow model

SECTET – Example
• BPEL file for each partner-role
• Security configuration

UML4SOA-NFP
• UML profile
• Extension to UML4SOA
• Aimed at Service Oriented Architectures
• Non-functional requirements

UML4SOA-NFP
• Performance
• Dependability
• Reliable messaging
• Security
  • Confidentiality
  • Integrity
  • Non-repudiation
  • Privacy
  • Access Control

UML4SOA-NFP – Example
(Diagram)

UML4SOA-NFP – Example
(Diagram)

AOMsec
• Aspect-Oriented approach
• UML profile
• Non-functional requirements
• Model-Driven

AOMsec – Example
(Diagram)

AOMsec – Example
(Diagram)

Sec@Runtime
• Aspect-Oriented approach
• UML profile
• Runtime weaving
• Platform and toolset

SecureDWs
• UML profile
• Aimed at Data Warehouses
• Tackles the auditing concern
• Access control, privacy, integrity, etc.
SecureDWs – Example
(Diagram)

Tag             | Stereotype | Description                                            | Type
----------------|------------|--------------------------------------------------------|--------------
LogType         | class      | Specifies if access should be recorded                 | Attempt
LogCond         | class      | Specifies the condition under which access is recorded | OCLExpression
ExceptSign      | class      | Allow/deny access if constraint applies                | {+,-}
InvolvedClasses | class      | Constraint applicable if query contains given classes  | Set(OCLType)

SecureDWs – Example
(Diagram)

Forensic Readiness

What is Forensic Readiness?
• Definition by J. Tan (2001)
  • Maximizing the usefulness of incident evidence data
  • Minimizing the cost of forensics during an incident response
• Systematic preparation for forensic investigation
• Proactive measures
  • As opposed to an actual investigation, which is reactive
• Increases the likelihood of a successful investigation

Forensic Readiness in Software Engineering
• Formulated by Pasquale et al. (2018)
• Prepare the software system during its development
• Forensic-by-design
• Support for:
  • Proactive evidence securing
  • Data provenance
  • Ensuring chain of custody
• Non-functional requirement

Forensic Readiness Concerns
• Availability
• Relevance
• Minimality
• Linkability
• Completeness
• Non-repudiation
• Data provenance
• Legal compliance

Forensic Readiness Concerns Meet Security
• Partial overlap with security concerns
• Typically specialized applications of security concerns
• Difference between technical and legal understanding
• Both need to be addressed

Relevant Security Modeling Methods

Method      | Domain                | Approach         | Security concerns
------------|-----------------------|------------------|---------------------------------------
UMLsec      | General               | UML profile      | Integrity, Non-repudiation
SECTET      | Distributed workflows | UML profile      | Integrity, Non-repudiation
AOMsec      | General               | AOM, UML profile | Integrity
Sec@Runtime | General               | AOM, UML         | Integrity
SecureDWs   | Data Warehouses       | UML profile      | Integrity, Non-repudiation, Auditing
UML4SOA-NFP | SOA                   | UML profile      | General non-functional requirements

Relevant Security Modeling Methods
• UMLsec
  • Most promising basis
• AOMsec
  • Lower overhead for the designer
  • Patterns
• SecureDWs
  • Auditing description

Conclusion
• Security-by-design is important to avoid defects
• Similar motivation for forensic readiness
• Secure modeling methods are promising for forensic readiness
  • There are overlaps in concerns
  • Although they are not directly applicable
  • They can be used as a basis for forensic readiness modeling

References
• Jürjens, J. (2002). UMLsec: Extending UML for Secure Systems Development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) «UML» 2002: The Unified Modeling Language. Lecture Notes in Computer Science, vol. 2460. Springer, Berlin, Heidelberg.
• Hafner, M., Breu, R., Agreiter, B., Nowak, A. (2006). SECTET: An Extensible Framework for the Realization of Secure Inter-Organizational Workflows. WOSIS 2006.
• Gilmore, S., Gönczy, L., Koch, N., Mayer, P., Tribastone, M., Varro, D. (2010). Non-functional properties in the model-driven development of service-oriented systems. Software and Systems Modeling, 10, 287–311. doi:10.1007/s10270-010-0155-y
• Sánchez, P., Moreira, A., Fuentes, L., Araújo, J., Magno, J. (2010). Model-driven development for early aspects. Information & Software Technology, 52, 249–273. doi:10.1016/j.infsof.2009.09.001
• Fernández-Medina, E., Trujillo, J., Villarroel, R., Piattini, M. (2007). Developing secure data warehouses with a UML extension. Information Systems, 32(6), 826–856. doi:10.1016/j.is.2006.07.003