Classifying security patterns

E.B. Fernandez, H. Washizaki, N. Yoshioka, A. Kubo
Secure Systems Research Group - FAU
Need for classification
• A good number of security patterns have been described in the literature and two books (catalogs) have appeared
• However, these are mostly unstructured
• We need guidance for the designers on how to select appropriate patterns
• A good classification of security patterns can help
Several classifications
• Types of patterns
• Architectural concerns
• Architectural layers
• Text similarity
• Pattern diagrams
What type of pattern?
• An architectural pattern. They usually describe global system architecture concepts, e.g., do we need authentication between two distributed units? We consider this association to be the most convenient because security is a global property of a system.
• A design pattern. The fact that security can be considered an aspect of a software subsystem has made some groups consider them design patterns. However, design patterns are oriented towards code flexibility and do not consider global aspects, which are necessary for security.
• An analysis pattern. Security constraints should be defined at the highest possible level, i.e. at the conceptual model of the application. For example, we can define which users have which roles and what rights they need to perform their duties. This means that at least some security patterns are analysis patterns.
• A special type of pattern. We can add new sections to or remove some sections from the standard pattern template, but we don't see a compelling reason for an entirely new type of pattern.
Architectural classification
• Since we consider security patterns to be architectural patterns, we should look at software architecture classifications.
• Avgeriou and Zdun classify architectural patterns using the type of concerns they address, e.g. Layered Structure, Data Flow, Adaptation, User Interaction, Distribution.
• This means we should classify security patterns according to their concerns, e.g. patterns for access control, cryptography, file control, identity, firewalling, etc.
• For example, authentication in distributed systems is considered in: Authenticator, Remote Authenticator/Authorizer, and Credential.
• Chapters 7 and 8 of [Sch06] are organized this way.
• Another type of concern is the general structuring of a system into core (host), perimeter, and external [Hafiz06]. This is too coarse.
Levels of abstraction
• Patterns can be defined at several levels of abstraction.
• The highest level is typically a principle or a very fundamental concept, e.g. the concept of Reference Monitor, which indicates that every access must be intercepted and checked
• Another example shows that firewalls, database authorization systems, and operating system access control systems are special cases of access control systems
Firewall abstractions
[Figure: abstraction hierarchy of firewall patterns. Reference Monitor is at the top and is specialized by Firewall, which in turn is specialized by Application (User) Firewall, Proxy Firewall and Packet Filter Firewall. The figure also shows XML Firewall, Stateful Proxy Firewall and Stateful Firewall as more specialized variants.]
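The abstraction in the figure above, as an added example that is not from the slides: a minimal Reference Monitor in Python with two of the special cases the slide names, a packet filter firewall and an RBAC-style access check, both going through one intercept-and-decide path. The Request shape, rule formats, addresses and users are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
# Added example: the Reference Monitor abstraction (every access is intercepted and
# checked) with two of the special cases the slide names, a packet filter firewall
# and an OS-style RBAC check. Rules, users and addresses are constructed samples.
@dataclass(frozen=True)
class Request:
    subject: str   # user name, or source IP address for a firewall
    obj: str       # file path, or destination "host:port"
    action: str    # "read", "write" or "connect"

class ReferenceMonitor:
    """Abstract monitor: the single code path that decides whether an access proceeds."""
    def decide(self, req):
        raise NotImplementedError
    def mediate(self, req, operation):
        # Complete mediation: the operation runs only if decide() permits it.
        if not self.decide(req):
            return "denied", None
        return "allowed", operation(req)

class PacketFilterFirewall(ReferenceMonitor):
    """Special case: subject is a source address, object is a destination host:port."""
    def __init__(self, allow_rules):
        self.allow = allow_rules  # list of (source network, host, port) allow rules
    def decide(self, req):
        host, port = req.obj.rsplit(":", 1)
        src = ipaddress.ip_address(req.subject)
        return req.action == "connect" and any(
            src in ipaddress.ip_network(net) and host == h and int(port) == p
            for net, h, p in self.allow)

class RbacMonitor(ReferenceMonitor):
    """Special case: OS or database authorization where rights come from roles."""
    def __init__(self, user_roles, role_rights):
        self.user_roles = user_roles    # user -> set of roles
        self.role_rights = role_rights  # role -> set of (object, action) pairs
    def decide(self, req):
        return any((req.obj, req.action) in self.role_rights.get(role, ())
                   for role in self.user_roles.get(req.subject, ()))

FIREWALL = PacketFilterFirewall([("10.0.0.0/24", "web", 443)])
RBAC = RbacMonitor({"alice": {"auditor"}}, {"auditor": {("/var/log/auth.log", "read")}})

def check_connect(src_ip, dst):
    return FIREWALL.mediate(Request(src_ip, dst, "connect"), lambda r: r.obj)[0]

def check_file(user, path, action):
    return RBAC.mediate(Request(user, path, action), lambda r: r.obj)[0]
```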
Architectural layers
• We can think of a computer system as a hierarchy of layers, where the application layer uses the services of the database and operating system layers, which in turn execute on a hardware layer. These layers provide another dimension for classification.
• Two basic principles of security are:
  Security constraints should be defined at the highest layer, where their semantics are clear, and propagated to the lower levels, which enforce them.
  All the layers of the architecture must be secure.
Classification using architectural levels
[Figure: patterns placed by architectural level, under the column headings Authentication, Authorization and Reference Monitor. Application level: ABAC, Application Firewall. OS level: Secure Process, Controlled VAS. Distribution level: XML Firewall, XACML, WSPLL. Communication level: Proxy Firewall (TCP), Packet Filter Firewall (IP).]
Levels and concerns
[Figure: two families of patterns arranged by level. Firewalls: Application Firewall, XML Firewall, Proxy Firewall, Packet Filter Firewall. Access control and authentication: Reference Monitor, Authenticator, OS Ref Monitor, OS Authenticator, XACML Access Control Evaluator, SAML Authenticator, Remote Authenticator.]
Automated similarity relationships
• Kubo et al. have proposed an automated relation analysis technique for patterns. This technique utilizes existing text processing techniques (such as TF-IDF and the vector space model) to extract patterns from documents and to calculate the strength of pattern relations based on document similarity.
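The TF-IDF and vector-space computation described above, as an added example that is not Kubo et al.'s tool or code: each pattern description becomes a TF-IDF vector and the strength of a pattern relation is the cosine similarity between two such vectors. The four pattern descriptions are constructed abbreviations, not the catalog texts.

```python
import math
import re
from collections import Counter

# Constructed, abbreviated pattern descriptions (not the catalog texts Kubo et al.
# processed); enough to show how document similarity yields pattern relations.
PATTERNS = {
    "Authenticator": "verify the identity of a subject before granting access to a system",
    "Remote Authenticator": "verify the identity of a remote subject across a distributed "
                            "system before granting access",
    "Packet Filter Firewall": "filter network packets by address and port to block unwanted traffic",
    "Proxy Firewall": "inspect application traffic through a proxy to block unwanted network traffic",
}

def tokenize(text):
    """Lower-case word tokens; a real tool would also stem and drop stop words."""
    return re.findall(r"[a-z]+", text.lower())

def tf_idf_vectors(docs):
    """One sparse vector per document: term frequency times log inverse document frequency."""
    tokens = {name: tokenize(text) for name, text in docs.items()}
    df = Counter()                      # number of documents each term occurs in
    for toks in tokens.values():
        df.update(set(toks))
    n_docs = len(docs)
    vectors = {}
    for name, toks in tokens.items():
        tf = Counter(toks)
        vectors[name] = {t: (tf[t] / len(toks)) * math.log(n_docs / df[t]) for t in tf}
    return vectors

def cosine(u, v):
    """Cosine similarity of two sparse vectors (0.0 when either has no weight)."""
    dot = sum(w * v.get(t, 0.0) for t, w in u.items())
    norm_u = math.sqrt(sum(w * w for w in u.values()))
    norm_v = math.sqrt(sum(w * w for w in v.values()))
    return dot / (norm_u * norm_v) if norm_u and norm_v else 0.0

def relation_strengths(docs):
    """Strength of the relation between every pair of patterns, keyed by (name_a, name_b)."""
    vecs = tf_idf_vectors(docs)
    names = list(docs)
    return {(a, b): cosine(vecs[a], vecs[b])
            for i, a in enumerate(names) for b in names[i + 1:]}

def strongest_relation(docs):
    """The pair of patterns whose descriptions are most similar."""
    rel = relation_strengths(docs)
    return max(rel, key=rel.get)
```

Terms shared by every description get zero IDF weight, so only distinguishing vocabulary contributes to the relation strength.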
Automated analysis results
[Figure: pattern relation graph produced by the automated analysis. Nodes: FullViewWithErrors, Checkpoint, Session, SingleAccessPoint, LimitedView, Roles, Secure Handling Of Legal Cases, Packet Filter Firewall. Edge labels: SimilarResult, SimilarForce, SubInResulting. Legend: Pattern in [Yod97], Pattern in [Shu06].]
Pattern diagrams
• A pattern diagram uses these classifications to help the designer navigate in the design space. For example, an operating system designer can start from a Secure Process and use a Controlled Process Creator to create new processes in a secure way (controlling their initial rights). These processes can then execute in a Controlled Virtual Address Space (with controlled rights). The general structure of the virtual address space is defined through a Virtual Address Space Structure Selection.
Patterns for operating systems
[Figure: pattern diagram. Nodes: Virtual Address Space Structure Selection, Controlled Virtual Address Space, Secure Process, Secure Thread, Controlled Process Creator, Administrator Hierarchy, RBAC (Role Based Access Control), Authorization, Reference Monitor. Relationship labels: uses, executes in, defines access, created by, faster context switch, authorized by, define rights, specializes, enforced by. Secure Process is created by Controlled Process Creator and executes in Controlled Virtual Address Space, whose structure is defined through Virtual Address Space Structure Selection.]
Conclusions
• Patterns can be classified according to many viewpoints. A good classification can make their selection easier and more precise.
• We have shown three possibilities: using as reference the architectural/functional objectives of the patterns, using as reference the architectural layers of a system, and looking at linguistic similarities in their descriptions.
• Combining these classifications and expressing them as pattern diagrams, which summarize the relevant patterns at a given stage or for a given concern, can guide designers in the selection of appropriate patterns.
• Future work will include the development of further patterns, refining these classifications, and incorporating them in our methodology and in an MDD approach.