Rudolf Schreiner

Model Driven Development of Security Aspects

The development of security-critical large-scale distributed software systems is a difficult and error prone process. As we learnt from practical experiences, it is especially difficult to manually define security policies, for example for access control. A human security administrator is not able to cope with the high complexity of the interactions of the application and the low level, platform specific security policy. Therefore, a new approach is needed to ease the definition of appropriate security policies. This paper shows how realisation of security aspects of a system can be automated to a great extend by applying model-driven software development techniques not only on functional properties. In the presented approach, UML models of the applications functional properties are flexibly augmented with security relevant information. Together with a high level security policy defined by the security administrator, this augmented functional model is then used in an automatic model transformation to generate the platform specific security policy. With this approach, which supports the separation of concerns in model based software engineering, we can automatically generate security-critical applications for different middleware platforms like SecureMiddleware, which is an extended implementation of the CORBA Component Model with improved support for non functional properties like security. The concepts, platforms and tools presented in the paper are currently used for the development of several large-scale and secure applications, for example for building a Virtual Air-Space Management System with strong security requirements.

The Challenges of CORBA Security

Large, distributed applications play an increasingly central role in today’s IT environment. The diversity and openness of these systems have given rise to questions of trust and security. It is the aim of the project Secure TINA to examine exactly these questions and try to find possible solutions. The focus lies on OMG’s Common Object Request Broker Architecture (CORBA) as a basis technology for developing distributed systems and on the Security Service specified for it, since this seems to be the most promising technology in the field. The followed approach is thereby twofold. At first, a thorough analysis of the specification itself and known implementations thereof is performed, based also on experiences in the broader area of distributed systems security. At a second, more practical stage, the attempt to develop an own, prototypical implementation of CORBA Security is undertaken, with the main objective of gaining as much practical experience as possible and experimenting with possible alternatives to find a solution to the problems encountered.

Protection of complex distributed systems

Today, the challenge in security of complex distributed systems does not anymore lie in encryption or access control of a single middleware platform, but in the protection of the system as a whole. This includes the definition of correct security policies at various abstraction layers, and also the unified and correct management and enforcement of the correct security policy at all relevant places in the system. As the authors have learned in the development of even comparatively simple distributed systems, e.g. an Air Traffic Control simulation system, this is not possible anymore by a manual definition of encryption properties and access control rules. Human security administrators are not able to define all the fine grained rules with sufficient assurance, to distribute them to all Policy Enforcement Points and to check many log files or admin consoles. This is especially impossible in highly distributed and agile service oriented or data driven systems. In this paper, the authors describe an integrated approach to protect such complex and heterogeneous systems. It is based on Model Driven Security to generate high assurance security policies, rules and configurations from the systems functional model and a high level security policy, and the OpenPMF Policy Management Framework to manage and to correctly enforce the security policy in the system. As a proof of concept, the protection of a prototypical implementation of System Wide Information Management (SWIM) in Air Traffic Management is briefly described.

Integrating Security Policies via Container Portable Interceptors

Enforcing appropriate security policies in distributed, component-based applications is difficult. A generic framework to define and evaluate security policies is necessary, and that framework must be integrated with the middleware platform. The middleware must provide the necessary hooks to intercept calls and obtain the information required for security enforcement. We designed and developed a security framework, integrated it into the CORBA component model middleware platform, and evaluated it in a real-world project

OpenPMF: A Model-Driven Security Framework for Distributed Systems

The wide-spread use of different distributed systems platforms and security technologies today makes the integration of distributed applications and the migration of existing applications to new technologies increasingly difficult. Model driven software development approaches try to tackle this problem by first modelling the application logic independent of technologies, and then by mapping this model to the technology. Security in distributed systems faces a similar problem because there are many different platforms and security technologies that need to be integrated. This paper illustrates how the concepts of model driven software engineering can be applied to security, and we present OpenPMF, our flexible, model-driven security framework in which a technology-independent abstract representation of the security policy is stored in a technology-independent policy repository, which is integrated with the underlying platform and security technology in a well-defined and flexible manner. Our architecture takes into account the separation of functional and non-functional properties of distributed applications. We also discuss the integration of our system with CORBA and CORBA Components.

Flexibility and Interoperability in CORBA Security

Abstract This paper will discuss the fundamental clash between flexibility and interoperability in CORBA security and in distributed object systems security in general. Also, the impact of flexibility and interoperability issues on the security of such systems will be covered. By presenting various relevant technical issues in CORBA security, this paper tries to identify where a reasonable trade-off between flexibility and interoperability is achieved and where CORBA security has unnecessary flexibility or interoperability limitations.

Integrating security policies via Container Portable Interceptors

Enforcing appropriate security policies in distributed, component-based applications is difficult. A generic framework to define and evaluate security policies is necessary, and that framework must be integrated with the middleware platform. The middleware must provide the necessary hooks to intercept calls and obtain the information required for security enforcement. We designed and developed a security framework, integrated it into the CORBA component model middleware platform, and evaluated it in a real-world project

Proximity-Based Access Control (PBAC) using Model-Driven Security

Unfortunately, well-established classic security models for access control are often not sufficient anymore for many of today’s use cases and IT landscapes, including for example Internet of Things (IoT) and big data analytics. Access control (and security/privacy in general) requirements and implementations have frequently become very different, and more challenging, compared to conventional enterprise or internet-facing IT environments. More sophisticated approaches based on fine-grained, contextual, dynamic access control are required. This paper focuses on “Proximity Based Access Control” (PBAC), a particularly advanced access control approach that can implement flexible, proximity-based, dynamic, contextual access. PBAC, together with Attribute Based Access Control (ABAC) and Model Driven Security (MDS) is used to express and enforce such security and privacy requirements. Section 1 motivates the need for advanced access control for many of today’s environments. Section 2 first introduces ABAC, then section 3 discusses PBAC within the context of ABAC. Section 4 introduces MDS. Finally, section 5 presents a detailed Intelligent Transport Systems (ITS) example of PBAC, implemented using MDS and an extension of ABAC).

Managing business compliance using model-driven security management

Compliance with regulatory and governance standards is rapidly becoming one of the hot topics of information security today. This is because, especially with regulatory compliance, both business and government have to expect large financial and reputational losses if compliance cannot be ensured and demonstrated. One major difficulty of implementing such regulations is caused the fact that they are captured at a high level of abstraction that is business-centric and not IT centric. This means that the abstract intent needs to be translated in a trustworthy, traceable way into compliance and security policies that the IT security infrastructure can enforce. Carrying out this mapping process manually is time consuming, maintenance-intensive, costly, and error-prone. Compliance monitoring is also critical in order to be able to demonstrate compliance at any given point in time. The problem is further complicated because of the need for business-driven IT agility, where IT policies and enforcement can change frequently, e.g. Business Process Modelling (BPM) driven Service Oriented Architecture (SOA). Model Driven Security (MDS) is an innovative technology approach that can solve these problems as an extension of identity and access management (IAM) and authorization management (also called entitlement management). In this paper we will illustrate the theory behind Model Driven Security for compliance, provide an improved and extended architecture, as well as a case study in the healthcare industry using our OpenPMF 2.0 technology.

Model Driven Security for Agile SOA-Style Environments

There is evidence that many IT security vulnerabilities are caused by incorrect security policies and configurations (i.e. human errors) rather than by inherent weaknesses in the attacked IT systems. Security administrators need to have an in-depth understanding of the security features and vulnerabilities of a multitude of ever-changing and different IT “silos”. Moreover, in complex, large, networked IT environments such policies quickly become confusing and error-prone because administrators cannot specify and maintain the correct policy anymore. Agile service oriented architecture (SOA) style environments further complicate this scenario for a number of reasons, including: security policies may need to be reconfigured whenever the IT infrastructure gets re-orchestrated; security at the business process management layer is at a different semantic level than in the infrastructure; semantic mappings between the layers and well-adopted standardised notations are not available. This paper explores how the concepts of security policy management at a high, more intuitive (graphical) level of abstraction and model-driven security (tied in with model driven software engineering) can be used for more effective and simplified security management/enforcement for the agile IT environments that organisations are faced with today. In this paper, we illustrate in SecureMDA™ how model driven security can be applied to automatically generate security policies from abstract models. Using this approach, human errors are minimised and policy updates can be automatically generated whenever the underlying infrastructure gets re-orchestrated, updated etc. The generated security policies are consistent across the entire distributed environment using the OpenPMF policy management framework. This approach is better than having administrators go from IT system to IT system and change policies for many reasons (including security, cost, effort, error-proneness, and consistency). The paper also outlines why meta-modelling and a flexible enforcement plug-in model are useful concepts for security model flexibility.