The Architectural Analysis for Security (AAFS) Method · Architectural Analysis for Security (AAFS)...
Architectural Analysis for Security (AAFS)
Jungwoo Ryoo and Priya Anand, Penn State University
Rick Kazman, SEI/University of Hawaii
To appear in IEEE Security and Privacy
Architectural Analysis
• Structured way of discovering
  – Design decisions in software: present or absent
  – Quality attribute goals of stakeholders: security, modifiability, performance, usability, etc.
2
Significance of Architectural Analysis
• During early design: recommended
• During maintenance: after the system is built
  – A basis for refactoring
  – Disruptive, costly, risky
3
Motivations and Significance
• Not too many well-established architectural analysis methods
  – Example: Architectural Tradeoff Analysis Method (ATAM)
• Not to mention an architectural analysis method specializing in security
• Dire need for Architectural Analysis for Security (AAFS)
  – Security: a costly and risky dominant concern
4
Our Approach
• The use of design constructs helps reason about security
• AAFS contains
  – Tactic-oriented Architectural Analysis (ToAA)
  – Pattern-oriented Architectural Analysis (PoAA)
  – Vulnerability-oriented Architectural Analysis (VoAA)
• Uses interviews
5
Tactics
• Design technique to satisfy a single quality attribute requirement
• Aha! moment: why not use tactics for architectural analysis?
• SATURN 2014
6
Security Tactics
• Useful vocabulary during architectural design and analysis for security
• Intentionally abstract to establish a baseline for further investigation
Security Tactics (stimulus: Attack; response: System detects, resists, reacts, or recovers)
• Detect Attacks
  – Detect Intrusion
  – Detect Service Denial
  – Verify Message Integrity
  – Detect Message Delay
• Resist Attacks
  – Identify Actors
  – Authenticate Actors
  – Authorize Actors
  – Limit Access
  – Limit Exposure
  – Encrypt Data
  – Separate Entities
  – Change Default Settings
• React to Attacks
  – Revoke Access
  – Lock Computer
  – Inform Actors
• Recover from Attacks
  – Restore (see Availability)
  – Maintain Audit Trail
7
Security Patterns
• Well-known solutions to recurring security problems
• Refined and instantiated from security tactics
• Closer to code
8
Vulnerabilities
• Software weaknesses exploited by attackers at the code level
• Vulnerability databases: Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE)
• Relationship with architectural solutions: a missing tactic or pattern
9
CVE vs. CWE
• Security scenarios or test cases
• CVE: individual incident reports; more than 70,000 and still counting
• CWE: categories of the incident reports; 940 entries
10
Our Approach Provides a Holistic View of Security
• The ultimate goal: to identify
  – The absence or presence of a design decision (ToAA and PoAA)
  – The misinterpretation or violation of a design decision in the source code (VoAA)
11
Steps of Our Methodology
• Step 1: Tactic-oriented Architectural Analysis (ToAA)
• Step 2: Pattern-oriented Architectural Analysis (PoAA)
• Step 3: Vulnerability-oriented Architectural Analysis (VoAA)
ToAA → PoAA → VoAA
12
Case Study
• OpenEMR: Electronic Medical Record (EMR) system
  – Open source
  – Released in 2001
  – 531,789 LOC
  – Big user base
• Factors in choosing a subject: access to the architect and the source code
13
ToAA Phase
• Interview an architect: where and how the security tactics are realized
• Identify design rationale and assumptions
14
PoAA Phase
• Relate ToAA results to patterns (e.g. the 'Verify message integrity' tactic from ToAA)
• Check tactic realization: Intercepting Validator
  – Verifies user inputs before they are used
  – Performs filtering on all requests or user inputs according to validation rules
  – Forwards full, partial, or no input to the target depending on the validation results
15
VoAA Phase
• Relate PoAA results to CWE categories: ties the suspicion to a piece of code
• CWE entries related to the 'Verify message integrity' tactic and the 'Intercepting validator' pattern:
  – CWE 89: Improper neutralization of special elements used in an SQL command
  – CWE 87: Improper neutralization of alternate XSS syntax
16
OpenEMR Analysis Sample Results
• ToAA: 'Verify message integrity' partially supported by standard library functions for sanitizing user inputs
• PoAA: no intercepting validator
• VoAA: CWE 89: ad hoc and incomplete coverage; CWE 87: no coverage
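As an added example (not from the paper and not OpenEMR code), the Intercepting Validator pattern described in the PoAA phase, written in Python for a hypothetical patient-lookup request: one allowlist rule set is applied to every request parameter before any target code sees it, and the validator forwards full, partial, or no input depending on the results. The parameter names and rules are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

@dataclass(frozen=True)
class Rule:
    # Allowlist predicate for one parameter. 'required' decides whether a failed
    # check rejects the whole request (no input forwarded) or only drops the
    # field while the rest is forwarded (partial input).
    check: Callable[[str], bool]
    required: bool = True

# Constructed validation rules for a hypothetical patient-lookup endpoint.
# Allowlisting the accepted shape of each value is what covers the CWE 89 /
# CWE 87 classes centrally; it complements, never replaces, parameterized SQL
# and output encoding in the target.
RULES: Dict[str, Rule] = {
    "patient_id": Rule(lambda v: re.fullmatch(r"[0-9]{1,10}", v) is not None),
    "last_name": Rule(lambda v: re.fullmatch(r"[A-Za-z' -]{1,64}", v) is not None),
    "note": Rule(lambda v: len(v) <= 200 and "<" not in v and ">" not in v,
                 required=False),
}

def intercepting_validator(request: Dict[str, str],
                           rules: Dict[str, Rule] = RULES) -> Tuple[str, Dict[str, str]]:
    """Run every rule over the request before the target is invoked.

    Returns (decision, forwarded) where decision is 'full', 'partial' or 'none'.
    Parameters with no rule are never forwarded (allowlist by construction).
    """
    forwarded: Dict[str, str] = {}
    dropped = []
    for name, rule in rules.items():
        value = request.get(name)
        if value is None:
            if rule.required:
                return "none", {}          # mandatory field absent: reject
            continue
        if rule.check(value):
            forwarded[name] = value
        elif rule.required:
            return "none", {}              # mandatory field invalid: forward nothing
        else:
            dropped.append(name)           # optional field invalid: drop it, keep the rest
    return ("partial" if dropped else "full"), forwarded

def handle_lookup(request: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Target endpoint sits behind the validator; it only ever sees filtered input."""
    decision, params = intercepting_validator(request)
    if decision == "none":
        return 400, {}
    return 200, params
```

The point of the pattern is that the target cannot be reached except through this single filter, which is exactly the coverage the VoAA step found missing when validation is left to per-page library calls.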
17
Verification
• Vulnerability analysis of OpenEMR 3.1.0 and 4.1.2 by IBM AppScan
• SQL injection: improving but still problematic
• XSS: highly problematic
[Chart: OpenEMR Scan Results, finding counts for SQL injection and XSS in versions 3.1.0 and 4.1.2 (bar values as extracted: 96, 65, 12, 61)]
18
Future Research
• More case studies: Nuxeo
• Tactic realization ontology
• Mapping between patterns and CWE entries
19
Questions?
20