Automated Verification of UMLsec Models for Security Requirements

Transcription

1 Automated Verification of UMLsec Models for Security Requirements Jan Jürjens and Pasha Shabalin Software & Systems Engineering TU Munich, Germany

2 Secure Systems Development High quality development of securitycritical systems is difficult. Many systems developed, deployed, used that do not satisfy their criticality requirements, sometimes with spectacular attacks. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 2

3 Quality vs. Cost Correctness in conflict with cost. Thorough methods of system design not used if too expensive. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 3

4 Towards Solution Increase quality with bounded investment in time, costs. Idea: Extract models from artefacts arising in industrial development and use of critical systems (UML models, source code, configuration data). Tool-supported theoretically sound efficient automated critical analysis. Model-based Security Engineering Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 4

5 Model-based Development Combined strategy: Verify models against requirements Generate code from models where reasonable Write code and generate testsequences otherwise. Requirements Verify Models Codegen. Testgen. Code Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 5

6 The UMLsec Profile [Jur02] Recurring security requirements, adversary scenarios, concepts offered as stereotypes with tags on component-level. Use associated constraints to evaluate specifications and indicate possible weaknesses. Ensures that UML specification provides desired level of critical requirements. Link to code via test-sequence generation. Challenge: Automated verification! Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 6

7 Tool-support: Pragmatics Commercial modelling tools: so far mainly syntactic checks and code-generation. Goal: sophisticated analysis. Solution: Draw UML models with editor. Save UML models as XMI (XML dialect). Connect to verification tools (automated theorem prover, model-checker ), e.g. using XMI Data Binding. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 7

8 UML Processing M y A p p J M I M O F D R 3: generate [U M L.4 ] U M L.4 2 : in s ta n tia te M y U m l 4: M yu m l.xm i : xm l (U M L.4 M etam o del) Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 8

9 CSDUML Framework: Features Framework for analysis plug-ins to access UML models on conceptual level over various UI s. Exposes a set of commands. Has internal state (preserved between command calls). Framework and analysis tools accessible and available at Upload UML model (as.xmi file) on website. Analyse model for included critical requirements. Download report and UML model with highlighted weaknesses. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 9

10 Usage Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 0

11 Tool Interfaces Jan Jürjens, TU Munich: Automated Verification of UMLsec Models

12 Exposing Commands collect parameters call Initialise call getcommands Framework call executecommand Tool can create the command list system change Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 2

13 Formal semantics for UML Diagrams in context (using subsystems). Model actions and internal activities explicitly. Message exchange between objects or components (incl. event dispatching). For UMLsec: include adversary model arising from threat scenario in deployment diagram. Use Abstract State Machines (pseudo-code; extending [BorCavRic00]). Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 3

14 Automated Security Analysis Following Dolev, Yao (982): To analyze system, verify against attacker model from threat scenarios in deployment diagrams who may participate in some protocol runs, knows some data in advance, may intercept messages on some links, injects messages that it can produce in some links may access certain nodes. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 4

15 Cryptographic Expressions Exp: term algebra generated by Var U Keys U Data and _ :: _ (concatenation) and empty expression ℇ, { _ } _ (encryption) Dec ( ) (decryption) Sign ( ) (signing) Ext_( ) (extracting from signature) Hash( _ ) (hashing) by factoring out the equations and (for K Keys). Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 5

16 Adversary: Example Scenario A Adversary m(x) m(x) return({y::x} z ) return({z} k ) B [arg b,, = x] Adversary knowledge: k -, y, x {z} k, z Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 6

17 Translation to Model-Checker Spin (Holzmann): automated verification of finite-state reactive systems given as state transition systems (Promela code) against properties in Linear Time Logic (LTL). For complex cryptographic data types: use dynamic types (defined by building type graph from diagram). Behavioral specification, adversary model translated to Promela, security requirement to Never-claim. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 7

18 Example {adversary= default} {secrecy=s} Variant of TLS (SSL) proposed at IEEE Infocom 999. Goal: send secret protected by session key using fewer server resources. data security Internet Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 8

19 Man-in-the-Middle Attack Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 9

20 Applications Common Electronic Purse Specification Security architecture for German bank Biometric authentication protocol for German Telekom Analysis of SAP access control configurations for German bank Telematic automobile emergency application of German car company Electronic signature architecture of German insurance company Electronic purse for Oktoberfest Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 20

21 Conclusions Tool-supported Model-based Security Engineering using UML: formally based approach to secure software engineering automated tool support integrated approach (source-code, configuration data) increase quality with bounded costs, timeto-market. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 2

22 Resources Jan Jürjens, Secure Systems Development with UML, Springer 04 Tutorials: Nov.: SISBD (Malaga), ISSRE (Rennes). Spring School: May 2005, Carlos IV Univ. Madrid Workshops: CSDUML05 More information (papers, slides, tool etc.): Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 22

23 Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 23

24 Challenge Advanced tool support. For example: consistency checks mechanical analysis of complicated requirements on model level (bindings to model-checkers, constraint solvers, automated theorem provers, ) code generation test-sequence generation configuration data analysis against UML. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 24

25 Implementing Tools Define the set of commands have parameters Tool State preserved between commands Commands are not interactive receive parameters execute deliver output Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 25

26 Tool-support: Concepts Meaning of diagrams stated informally in (OMG 2003). Ambiguities problem for tool support establishing behavioral properties (safety, security) Need precise semantics for used part of UML, especially to ensure security requirements. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 26

27 Using UML UML: unprecedented opportunity for high-quality and cost- and time-efficient critical systems development: De-facto standard in industrial modeling: large number of developers trained in UML. Relatively precisely defined (given the user community). Many tools (drawing specifications, simulation, ). Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 27

28 Tool-support: Tool Binding Several possibilities: General purpose language with integrated XML parser (Perl, ) Special purpose XML parsing language (XSLT, ) Data Binding (Castor; XMI: e.g. MDR) Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 28

29 Default Wrappers Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 29

30 Command Parameters Media-independent functionality But each mode can have own list of commands Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 30

31 The Class Diagram -attributes Attribute -stereotypes Stereotype * name : string initialvalue : string * name : string Class -operations Operation -parameters OperationParameter name : string * name : string * name : string -class AssociationEnd Association -associationends name : string -associationend * -associationend2 Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 3

32 The Statechart Diagram initialstate states InitialState SimpleState 0.. outgoing source outgoing Transition effect 0.. Effect expression : string StateMachine * * guard Guard target incoming 0.. expression : string finalstate FinalState * incoming * trigger 0.. Trigger name : string * * parameters State name : string TriggerParameter name : string Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 32

33 The Deployment Diagram LinkEnd Link N odeinstance * linkend nodeinstance linkends linkend * Com ponentinstance Stereotype * nam e : string -stereotypes * A ssociationend A ssociation O bject nam e : string identifier : int ob ject associationends * associationend «instance» associationend2 C lassdiagram ::C lass nam e : string Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 33

34 Relevant UMLsec Fragment Class Diagrams Classes with Attributes and Operations Logical Associations between Classes Statechart Diagrams Dynamic behaviour of each class Deployment Diagram Objects as Class instances Connections and their physical properties Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 34

35 Cryptography primitives Cover Guards Effects Expressions, including Initial Values Use only plain ASCII text Keep complexity down where possible Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 35

36 Message parameters How to represent various data types? Without additional work for the model developer Avoiding the type flaw attacks Dynamic types Each message carries its type Message processing based on runtime type, no on static type specified in the UML model Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 36

37 Encoding UML Model Class Diagram Variables, messages, logical links Statechart Diagram Promela procedure proctype construction following UMLsec semantics Deployment Diagram Instantiate Class procedures Create communication channels Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 37

38 Encoding Adversary Additional Promela procedure Accesses all communication channels Generic functionality in a loop Read Delete Write Restrict accordingly to the model Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 38

39 Encoding security requirement <<secrecy>> marked variable The initial value shall not be recovered by the intruder Promela never claim construction Invariant for the whole execution time Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 39

40 Example: TLS Variant Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 40

41 Vision Simple independent tools Media-independent Easy to use Simple developer interface Easy to maintain Simple architecture [joint work with TUM UMLsec group, in part. Pasha Shabalin] Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 4

42 Concept Set of plug-in tools Tool exposes predefined interfaces Tool can use framework interfaces Tool implements a set of commands Each command has parameters Framework = common code UML model management Other services Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 42

43 viki Tool Works in GUI and/or Text mode Implements interfaces IVikiToolCommandLine Text output only IVikiToolGui Output to JPanel + menu, buttons, etc Exposes set of commands Automatically imported by the framework Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 43

44 Framework Interfaces IMdrContainer use and control the MDR repository ITextOutput, ILogOutput render textual information IAppSettings store / retrieve tool settings Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 44

45 Adversaries Model classes of adversaries. May attack different parts of the system according to threat scenarios. Example: insider attacker may intercept communication links in LAN. To evaluate security of specification, simulate jointly with adversary model. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 45

46 Cryptography Keys are symbols, crypto-algorithms are abstract operations. Can only decrypt with right keys. Can only compose with available messages. Cannot perform statistical attacks. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 46

47 Execution Semantics Behavioral interpretation of a UML subsystem: () Takes input events. (2) Events distributed from input and link queues between subcomponents to intended recipients where they are processed. (3) Output distributed to link or output queues. (4) Apply adversary model. Jan Jürjens, TU Munich: Automated Verification of UMLsec Models 47