Publication


Featured researches published by Nobukazu Yoshioka.


Asia Pacific Web Conference | 2008

Classifying security patterns

Eduardo B. Fernandez; Hironori Washizaki; Nobukazu Yoshioka; Atsuto Kubo; Yoshiaki Fukazawa

Patterns combine experience and good practices to develop basic models that can be used for new designs. Security patterns join the extensive knowledge accumulated about security with the structure provided by patterns to provide guidelines for secure system design and evaluation. In addition to their value for new system design, security patterns are useful to evaluate existing systems. They are also useful to compare security standards and to verify that products comply with some standard. A variety of security patterns has been developed for the construction of secure systems and catalogs of them are appearing. However, catalogs of patterns are not enough because the designer does not know when and where to apply them, especially in a large complex system. We discuss here several ways to classify patterns. We show a way to use these classifications through pattern diagrams where a designer can navigate to perform her pattern selection.


Database and Expert Systems Applications | 2009

Improving the Classification of Security Patterns

Hironori Washizaki; Eduardo B. Fernandez; Katsuhisa Maruyama; Atsuto Kubo; Nobukazu Yoshioka

There are a large number of security patterns encapsulating reusable solutions to recurrent security problems. However, catalogs of security patterns are not enough because the designer does not know when and where to apply them, especially in a large complex system. There is a need to conduct more precise classifications of security patterns. We analyze here ways to represent security patterns using specialized models for their precise classification. We define two new types of models, one that describes how a security pattern relates to several classification dimensions (Dimension Graph), and another that describes how security patterns relate to each other (Pattern Graphs). We show these ideas with examples from security patterns.


Availability, Reliability and Security | 2009

Modeling Misuse Patterns

Eduardo B. Fernandez; Nobukazu Yoshioka; Hironori Washizaki

Security patterns are now starting to be accepted by industry. Security patterns are useful to guide the security design of systems by providing generic solutions that can stop a variety of attacks but it is not clear to an inexperienced designer what pattern should be applied to stop a specific attack. They are not useful either for forensics because they do not emphasize the modus operandi of the attack. To complement security patterns, we have proposed a new type of pattern, the misuse pattern. This pattern describes, from the point of view of the attacker, how a type of attack is performed (what units it uses and how), defines precisely the context of the attack, analyzes the ways of stopping the attack by enumerating possible security patterns that can be applied for this purpose, and describes how to trace the attack once it has happened by appropriate collection and observation of forensics data. We present here a model that characterizes the precise structure of this type of pattern.


Computer and Communications Security | 2008

Enforcing a security pattern in stakeholder goal models

Yijun Yu; Haruhiko Kaiya; Hironori Washizaki; Yingfei Xiong; Zhenjiang Hu; Nobukazu Yoshioka

Patterns are useful knowledge about recurring problems and solutions. Detecting a security problem using patterns in requirements models may lead to its early solution. In order to facilitate early detection and resolution of security problems, in this paper, we formally describe a role-based access control (RBAC) as a pattern that may occur in stakeholder requirements models. We also implemented in our goal-oriented modeling tool the formally described pattern using model-driven queries and transformations. Applied to a number of requirements models published in literature, the tool automates the detection and resolution of the security pattern in several goal-oriented stakeholder requirements.


Enterprise Distributed Object Computing | 2004

Security patterns: a method for constructing secure and efficient inter-company coordination systems

Nobukazu Yoshioka; Shinichi Honiden; Anthony Finkelstein

As the Internet, intranets and other wide-area open networks grow, novel techniques for building distributed systems, notably mobile agents, are attracting increasing attention. This is particularly the case for inter-company system coordination applications. A key difficulty in constructing such systems is to meet the security requirements while at the same time respecting the requirements for efficient implementation. We propose a method that addresses this problem and show an application of the method to a real implemented system, the environmentally conscious product (ECP) design support system. Our approach enables developers to specify several candidate system behaviors that satisfy the security requirements. We use patterns for this purpose. Patterns are abstract templates of system behavior fragments. The patterns include agent migrations, communications between applications and security procedures. We model the performance data associated with each pattern. Developers can then select an efficient implementation using this model to compare the performance data of the candidates. We evaluate our approach with a significant real-world example, the ECP design support system that essentially requires inter-company system coordination.


Availability, Reliability and Security | 2011

Effective Security Impact Analysis with Patterns for Software Enhancement

Takao Okubo; Haruhiko Kaiya; Nobukazu Yoshioka

Unlike functional implementations, it is difficult to analyze the impact of software enhancements on security. One of the difficulties is identifying the range of effects by new security threats, and the other is developing proper countermeasures. This paper proposes an analysis process that uses two kinds of security pattern: security requirements patterns (SRP) for identifying threats and security design patterns (SDP) for identifying countermeasures at an action class level. With these two patterns and the conventional traceability methodology, developers can estimate and compare the amounts of modifications needed by multiple security countermeasures.


Computational Science and Engineering | 2009

Misuse Cases + Assets + Security Goals

Takao Okubo; Kenji Taguchi; Nobukazu Yoshioka

Security is now the most critical feature of any computing system. Eliciting and analyzing security requirements in the early stages of the system development process is highly recommended to reduce security vulnerabilities which might be found in the later stages of the system development process. In order to address this issue, we will propose a new extension of the misuse case diagram for analyzing and eliciting security requirements with special focus on assets and security goals. We will also present the process model in which business requirements and system requirements related to security features are separately analyzed and elicited in different phases. This process model helps us to analyze the requirements related to business goals in an earlier phase and to the system goals in a later phase so that any concerns related to them are dealt with separately. We will illustrate our approach with a case study taken from an accounting software package.


Proceedings of the 2nd Asian Conference on Pattern Languages of Programs | 2011

Misuse patterns for cloud computing

Keiko Hashizume; Nobukazu Yoshioka; Eduardo B. Fernandez

Cloud Computing is a new computing structure that allows providers to deliver services on demand by means of virtualization. We are studying some security attacks in cloud computing by describing them in the form of misuse patterns. A misuse pattern describes how an information misuse is performed from the point of view of the attacker. It defines the environment where the attack is performed, how the attack is performed, countermeasures to stop it, and how to find forensic information to trace the attack once it happens. We are building a catalog of misuse patterns and we present here two of them: Resource Usage Monitoring (complete) and Malicious Virtual Machine Creation (partially). We discuss also the value of having such a catalog.


Availability, Reliability and Security | 2010

Model-Driven Security Patterns Application Based on Dependences among Patterns

Yuki Shiroma; Hironori Washizaki; Yoshiaki Fukazawa; Atsuto Kubo; Nobukazu Yoshioka

The spread of open-software services through the Internet increases the importance of security. A security pattern is one of the techniques in which developers utilize security experts’ knowledge. Security patterns contain typical solutions about security problems. However, there is a possibility that developers may apply security patterns in inappropriate ways due to a lack of consideration on dependencies among patterns. Application techniques of security patterns that consider such dependencies have not been proposed yet. In this paper, we propose an automated application technique of security patterns in model driven software development by defining application procedures of security patterns to models as model transformation rules with consideration for pattern dependencies. Our technique prevents inappropriate applications such as the application of security patterns to wrong model elements and that in wrong orders. Therefore our technique supports developers in applying security patterns to their own models automatically in appropriate ways.


Availability, Reliability and Security | 2010

Measuring the Level of Security Introduced by Security Patterns

Eduardo B. Fernandez; Nobukazu Yoshioka; Hironori Washizaki; Michael VanHilst

It is possible to reasonably measure the security quality of individual security patterns. However, more interesting is to ask: Can we show that a system built using security patterns is secure in some sense? We discuss here some issues about evaluating the security of a system built using security patterns. We consider the use of threats and misuse patterns to perform this evaluation.

Collaboration


Dive into Nobukazu Yoshioka's collaboration.

Top Co-Authors

Shinichi Honiden

National Institute of Informatics

Fuyuki Ishikawa

National Institute of Informatics

Shigetoshi Yokoyama

National Institute of Informatics

Atsuo Hazeyama

Tokyo Gakugei University
