Introduction to TOIF. Dr. Nikolai Mansourov CTO, KDM Analytics Liaison to OASIS. November 8, 2017 Copyright 2017 OMG. All rights reserved.

Transcription

1 Introduction to TOIF Dr. Nikolai Mansourov CTO, KDM Analytics Liaison to OASIS November 8, 2017 Copyright 2017 OMG. All rights reserved. 1

2 Who Is OMG? Object Management Group (OMG) factlets: Founded in member organizations worldwide One of the largest and longest-standing not-for-profit, open-membership consortia developing and maintaining computer industry specifications. Continuously evolving to remain current while retaining a position of thought leadership. November 8, 2017 Copyright 2017 OMG. All rights reserved. 2

3 Developing Standards in: Standards are developed using OMG s mature, worldwide, open development process. With over 25 years of standards work, OMG s one-organization, one-vote policy ensures that every vendor and end-user, large and small, has an effective voice in the process. November 8, 2017 Copyright 2017 OMG. All rights reserved. 3

4 Best-Known Successes Unified Modeling Language Ø UML, Ubiquitous visual modelling language applicable to designing any software system Business Process Model and Notation Ø BPMN TM provides businesses with the capability of understanding their internal business procedures. Systems Modeling Language Ø SysML supports the specification, analysis, design, and verification and validation of a broad range of complex systems. Data Distribution Service Ø DDS TM, Real-time, data-centric, publish-subscribe OMG specification for data distribution Meta Object Facility Ø MOF TM, the repository standard XML Metadata Interchange Ø XMI, the standard for interchanging models Knowledge Discovery Metamodel Ø KDM, supports platform-independent, vendor-neutral representation of code and software systems November 8, 2017 Copyright 2017 OMG. All rights reserved. 4

5 Who Are OMGers? Here is a sample of some of the hundreds of organizations OMG works with: ACORD CA Technologies GE No Magic RTI Adaptive Collibra Georgia Tech Northrop Grumman SAP SE Airbus Group Deere & Company igrafx Oracle Seiko Epson AIST Dell Technologies IBM Perry Ellis Software AG Appian DSTO InterPARES Trust PNA Group Sparx Systems ASMG eprosima KDM Analytics PrismTech State Street AT&T FICO Lockheed Martin ProSTEP ivip THALES Benchmark Consulting Fraunhofer FOKUS MEGA International PTC The Aerospace Corporation Boeing Fujitsu Microsoft QualiWare Thematix Carnegie Mellon Univ. General Dynamics MITRE Real Time Logic Twin Oaks November 8, 2017 Copyright 2017 OMG. All rights reserved. 5

6 Liaison Relationships November 8, 2017 Copyright 2017 OMG. All rights reserved. 6

7 Organizational Structure Architecture Board Platform TC Domain TC Business Architecture SIG Liaison SC Model Interchange SIG Object & Reference Model SC Spec Mgmt. SC Agent PSIG A & D PTF ADM PTF Data Distribution PSIG Methods & Related Tools PSIG MARS PTF Ontology PSIG SysA PTF BMI DTF C4I DTF Finance DTF Government Information Sharing & Services DTF Healthcare DTF Mfg. Tech & Ind. Systems DTF Mathematical Formalisms DSIG Retail DTF Robotics DTF Space DTF Sys Eng DSIG November 8, 2017 Copyright 2017 OMG. All rights reserved. 7

8 Systems Assurance TF Mission: Establish a common framework for analysis and exchange of information related to system assurance and trustworthiness. This framework, called Systems Assurance Ecosystem, focuses at software-based systems, and facilitates assessments for cyber security and safety. Strategy: Leverage and connect existing OMG/ISO and other standards, identify gaps and develop specifications to establish end-to-end protocols Unique group of experts: specialists in cybersecurity, safety, enterprise architectures, software analysis, security scientists, ontologists (clients, government, tool vendors and academia) Lockheed Martin, Toyota, Fujitsu, US AirForce, MACE (Multi-Agency Collaboration Environment), Mitre, University of York, AIST, NoMagic, Model-Driven Solutions, KDM Analytics November 8, 2017 Copyright 2017 OMG. All rights reserved. 8

9 Interrelations of Assurance UPDM, UAF modeling enterprise architecture, mission and system level, security controls Mission Assurance SACM representing the structured argument CRAF Unified Cyber Risk Assessment Framework CWE informal enumeration of weaknesses Systems Assurance (*The -ilities ) Cyber Assurance Safety Assurance (*The -ilities ) SysML model-based systems engineering *The -ilities Reliability, Schedulability, Maintainability, Dependability, etc. SFP formal CAPEC cyber representation of attack patterns discernable software weaknesses and patterns Software Assurance TOIF representing weakness findings KDM representing software systems November 8, 2017 Copyright 2017 OMG. All rights reserved. 9

10 Tools Output Integration Framework (TOIF) Problem: Effective and systematic measurement of the cybersecurity risks posed by software vulnerabilities Challenge One of the key challenges is that analysis solution consists of multiple tools, information sources and services that are currently fragmented lacking intuitive and efficient integration due to Inconsistency in the nomenclature of reported weaknesses caused by ambiguity of weakness definitions inconsistency in interpretation of Common Weakness Enumeration (CWE) instances Lack of agreement on what are the parts of weakness to report what constitutes weakness report Lack of interoperability that is based on common definition of system artifacts November 8, 2017 Copyright 2017 OMG. All rights reserved. 10

11 TOIF producers Tools Output Integration Framework (TOIF) protocol TOIF adaptors TOIF integration Code SCA tools TOIF repository TOIF browser Non-intrusive, Contributions from both for vendors and clients KDM tool TOIF orchestration TOIF consumers November 8, 2017 Copyright 2017 OMG. All rights reserved. 11

12 TOIF specification In SBVR (non-normative) systematic transformation In MOF/UML (normative) TOIF Conceptual Model TOIF Logical Model transformation defined by XMI TOIF XMI XSD SCA tool TOIF adaptor TOIF Segment XMI instance November 8, 2017 Copyright 2017 OMG. All rights reserved. 12

13 TOIF Conceptual and Logical Models November 8, 2017 Copyright 2017 OMG. All rights reserved. 13

14 TOIF XMI XSD and XMI Instance TOIF XMI XSD (fragment) TOIF XMI instance (fragment) November 8, 2017 Copyright 2017 OMG. All rights reserved. 14

15 Overview of TOIF Noun Concepts TOIF Conceptual Model TOIF Basic Concepts TOIF Housekeeping Concepts TOIF Fact-Oriented Concepts Finding Code Location Weakness Type Identifier CWE Identifier SFP Identifier SFP Cluster Weakness Description File Build Tool Generator Adaptor Tool Project Organization Vendor Build Record Compile Record Generator Record TOIFSegment Fact Entity Attribute Record Basic Entity Housekeeping Entity Finding Fact Location Fact Semantic Fact Build Fact Project Fact Tool Fact Directory Person Statement Role Data Element November 8, 2017 Copyright 2017 OMG. All rights reserved. 15

16 TOIF XMI Example November 8, 2017 Copyright 2017 OMG. All rights reserved. 16

17 Knowledge Discovery Metamodel (KDM) SCA tool TOIF facts KDM tool KDM facts ISO/IEC 19506:2012 Source code Executable Code November 8, 2017 Copyright 2017 OMG. All rights reserved. 17

18 Followup Topics Full presentation of the TOIF Abstract Structure Full presentation of the TOIF Basic Entities and Facts Full presentation of the TOIF Housekeeping Entities and Facts Orchestration of TOIF builds Normalizing weakness types through CWE and SFP: lessons learned TOIF and KDM as a foundation for deep integration of findings and code facts TOIF and SFP: toward checkers parameterized with standard formal weakness descriptions November 8, 2017 Copyright 2017 OMG. All rights reserved. 18

19 Questions November 8, 2017 Copyright 2017 OMG. All rights reserved. 19