Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Securing Service-Oriented Architectures using a Model-driven Approach Nelly A Delessy Secure Systems Research Group - FAU Agenda • • • • • • • • Introduction Background Problem statement The methodology – Overview – Detailed Steps and Running Example Related work Anticipated contributions Conclusions Questions Secure Systems Research Group - FAU Introduction • Service-Oriented Architecture (SOA): – considered to be the new phase in the evolution of distributed enterprise applications – In our more and more competitive business world, in which business needs and partnerships are changing constantly, the rapid evolution of business applications is a key factor in the success of an organization. Secure Systems Research Group - FAU Introduction • Service-Oriented Architecture (SOA): – SOA has promised to provide enterprises with flexible and extensible architectures that would enable them to adapt their applications easily so that they remain competitive and compliant. – Most of the major software vendors sell SOA products such as Enterprise Service Buses (ESBs). – Even though there is a common acceptance of this concept, a real problem hinders the widespread use of SOA: A methodology to design and build secure SOAbased applications is still needed Secure Systems Research Group - FAU Background: SOA • There is no official definition for SOA. The Open Group, the Object Management Group (which proposed MDA), and OASIS proposed their definition, and many books concerning SOA are available. • We summarized the principal characteristic of SOA: – Service-Oriented Architecture (SOA) is an architectural style in which a system is composed from a series of loosely coupled services that interact with each other by sending messages. In order to be independent from each other, each service publishes its description, which defines its interface and expresses constraints and policies that must be respected in order to interact with it. A service is thus a building block for SOA applications. Secure Systems Research Group - FAU Background: SOA – This architectural style implements some principles [Erl05]: • • • • • • • • Loose coupling between services Service contract Autonomy Abstraction Reusability Composability Statelessness Discoverability – An implementation platform for SOA is the Web Services technology. Secure Systems Research Group - FAU Background: MDA • Model-Driven Architecture (MDA) is a modeldriven approach defined by the OMG. • It specifies three views in order to describe a system’s architecture • It proposes a process for software development. • MDA is based on a set of specifications (MOF, XMI, etc) in order to achieve interoperability and portability. Secure Systems Research Group - FAU Background: MDA • MDA proposes three views (or viewpoints) to describe the architecture of a system: – The computation independent viewpoint focuses on the environment of the system and the requirements for the system. The details of the structure and processing of the system are hidden. – The platform independent viewpoint focuses on the structure and the operation of the system while hiding the details necessary for a particular platform. – The platform specific viewpoint combines the platform independent viewpoint with an additional focus on the detail of the use of a specific platform by a system. Secure Systems Research Group - FAU Background: MDA • The MDA process – consists in a series of model transformations prior to obtaining the final implementation of a system. – First, a model of the system viewed from the computation independent viewpoint is created from the requirements for the system. This is the Computational Independent Model (CIM), also called the domain model or business model. A CIM shows the system in the environment in which it will operate and thus presents what the system is expected to do. Secure Systems Research Group - FAU Background: MDA • The MDA process – Then a Platform Independent Model (PIM) is produced, it is a model of the system from the platform independent viewpoint. The requirements described by the CIM should be traceable to the PIM. – Then, a specific platform is chosen that enables implementation of the system with the desired architectural qualities. A model for that platform should also be available. Finally, the Platform Specific Model (PSM) is produced; it is a model of the system from the platform specific viewpoint. Secure Systems Research Group - FAU Background: MDA • The MDA process – Transforming a PIM to a PSM is referred to as the ‘MDA pattern’ or ‘MDA mapping’. Secure Systems Research Group - FAU Background: MDA • Meta-models – A meta-model (also referred to as a language) is the definition of a model. • The Four-layer metamodel Hierarchy – Each layer contains elements that are instances of the underlying layer Meta Level Description Example 1 Example 2 M0 Run-time instances Objects “Nelly Delessy”’s record in Employee table M1 Model User model (with concrete classes, etc) Employee table with name, address columns, etc M2 Meta-model UML Relational model: Relations, rows, columns, etc M3 Meta-metamodel MOF Secure Systems Research Group - FAU MOF Background: MDA • MDA transformations – Meta-model mapping: • gives rules and/or algorithms expressed in terms of all instances of types in the metamodel specifying the PIM language resulting in the generation of instances of types in the meta-model specifying the PSM language. • it requires models to be instances of MOF metamodels. Secure Systems Research Group - FAU Background: MDA • MDA transformations – Model marking: • An architect identifies model elements in the PIM which should be transformed in a particular way, given the choice of a specific platform for the PSM by marking those elements. • Marks represent a concept in the PSM, and are not intrusive to the PIM. Secure Systems Research Group - FAU Problem Statement • The trust issue is more complex in interorganizational context than it is in traditional fields of computing: – For example, the “hardware” or some “trusted computing base” is blindly trusted when designing an operating system. In the same way, one can easily establish a trust relationship with the “enterprise directory” in the case of a single organization’s system. Comparatively, it is much more complicated to establish trust dynamically across principals from different organizations. Secure Systems Research Group - FAU Problem Statement • Furthermore the channels of communication between the participating entities in a SOA application are much more vulnerable: – Compared to operating systems or within the boundaries of an organization’s computer network Secure Systems Research Group - FAU Problem Statement • Many efforts have been made to alleviate the security vulnerabilities that were introduced in the complex context of SOA applications. • They principally consisted in the production of numerous, often overlapping security standards by the industry actors. • But there is still no clear view of how to use them in order to produce secure SOA applications. • In this dissertation, we investigate the production of secure SOA applications. In particular, we provide an approach to build secure SOA applications that takes into account the new security issues introduced by the complexity of SOA-based applications. Secure Systems Research Group - FAU The methodology: Overview • We build upon two different approaches to secure SOA applications: – model-driven development – The use of security patterns. • Since the basic security mechanisms are not new, we use security patterns to describe their structure and behavior. • Then we can derive more complex security solutions that are adapted to the SOA context. The result is a map of layered security patterns. Secure Systems Research Group - FAU The methodology: Overview • Finally, since we use a particular format for our patterns that includes semi-formal UML models, we leverage on the model-driven architecture approach, which allows us to semiautomatically produce a secure design for a particular SOA application. Secure Systems Research Group - FAU The methodology: Overview • The main benefit of this approach: – it decouples the application domain expertise from the security expertise that are both needed to build a secure application – It is usually difficult for non-security specialists to design a secure application. – On the other hand, a security expert would have to become an expert in an application’s domain model in order to understand where to apply security mechanisms and what security mechanisms are adequate. • Secure Systems Research Group - FAU The methodology: Overview • With our approach, the security expertise is embodied in the security patterns, and the model-driven engineering approach facilitates the integration of those patterns’ solution into the application design and implementation. • Thus, the application designers/developers can add security to their applications easily. Secure Systems Research Group - FAU The methodology: Detailed Steps and Running Example • A key idea in our dissertation is to describe the SOA architectural style from the MDA viewpoints. • We propose the following framework to secure SOA applications. Secure Systems Research Group - FAU The methodology: Detailed Steps and Running Example Secure Systems Research Group - FAU The methodology: Detailed Steps and Running Example 1. A SOA metamodel has been defined using the standardized MOF language (, or a UML Profile? work in progress): – An application architect can then use any UML tool that has charged the SOA metamodel as a library to design its application. The result is a SOA application platform independent model, which can be easily understood by our tool. At this point, it is not yet secure. Secure Systems Research Group - FAU The SOA metamodel (work in progress): Secure Systems Research Group - FAU Use Case diagram the travel agency: (work in progress) Secure Systems Research Group - FAU Conceptual model (CIM) for the travel agency: (work in progress) Secure Systems Research Group - FAU Activity Diagram for the travel agency, for the use case Reserve Hotel: (work in progress) Secure Systems Research Group - FAU Detailed Class Diagram (PIM) for the travel agency: (work in progress) Secure Systems Research Group - FAU The methodology: Detailed Steps and Running Example 2. A security-aware application architect (who is not necessarily a security expert) uses the map of abstract patterns to select which security pattern to apply. He uses the human-only understandable part of the patterns (consequences, context, etc) to make relevant decisions. Secure Systems Research Group - FAU Map of abstract security patterns for SOA : Secure Systems Research Group - FAU The methodology: Detailed Steps and Running Example 3. The abstract security patterns solutions are automatically incorporated into the SOA application platform independent model, according to our rules for incorporating security patterns’ solutions to models. Secure Systems Research Group - FAU The methodology: Detailed Steps and Running Example 3. We need: – The SOA security pattern metamodel: • The OMG proposed a metamodel for business pattern: we want to add to that: – – The notion of pattern “realization” (they do have pattern inheritance and pattern composition) The transformation specification from unsecure SOA PIM to secure SOA PIM, using the security patterns Secure Systems Research Group - FAU SOA security pattern metamodel (in progress): Secure Systems Research Group - FAU The methodology: Detailed Steps and Running Example 3. Before the transformation, the architect marks its unsecure SOA PIM. This is done through a dialog from the tool to the architect: – For each selected pattern: • For each SOAElement in the pattern – – • – Ask to which specific instance(s) of a SOAElement the pattern should be applied to Mark those specific instances selected by the architect End For End For Secure Systems Research Group - FAU The methodology: Detailed Steps and Running Example 3. We need: – The transformation specification from unsecure SOA PIM to secure SOA PIM, using the security patterns (work in progress): • • Source model : unsecure SOA PIM For each selected security pattern – – – • – Insert all SOASecurityElements to the SOA PIM Insert all Associations from the pattern for which all ends are SOASecurityElements Insert those Associations from the pattern for which one end is an SOAElement between the corresponding SOAsecurityElement(s) and each marked SOAElement from the SOA PIM End For This transformation could be described using the QVT standard? Secure Systems Research Group - FAU example of the security pattern selected by the architect: Secure Systems Research Group - FAU resulting model (secure SOA PIM) Work in progress: Secure Systems Research Group - FAU The methodology: Detailed Steps and Running Example 4. A MDA mapping is then automatically realized, according to two sets of rules: – 1) a MDA mapping between the SOA metamodel and the web-services metamodel, – 2) the set of relationships between patterns of our map that are of the “implements” type. – Since platform security solutions evolve constantly, our approach provides flexibility to add/remove patterns from our tool. Also, since the patterns’ solutions are written in the UML language and using our SOA metamodel, they can be easily exportable/distributable (using XMI) by different entities and still remain interoperable. The result of this step is a secure model for a particular web service application. Secure Systems - FAU Research Group The web services metamodel (work in progress) Secure Systems Research Group - FAU The methodology: Detailed Steps and Running Example 4. sets of rules: – 1) a MDA mapping between the SOA metamodel and the web-services metamodel: • • • – – Service Web Service Message InputMessage, OutputMessage,… depending on the role of the service (consumer or provider) … The result is the insertion of a corresponding security pattern for web services (Liberty Alliance Identity Federation) to the model A final transformation could have generated more concrete artifacts: WSDL, BPEL, WS-policies, XACML rules, but this is not in the scope of our work Secure Systems Research Group - FAU Related Work • Securing SOA applications or web services: – Based on a formal model ([10]) – Based on AOP ([11]): They propose to extend BPEL to insert pointcuts. – A whole process using patterns [13], but not detailed, and does not take advantage of the MDA approach. • Addressing non-functional aspects in SOA using a metamodel, ([15]) but it does not address high-level security issues Secure Systems Research Group - FAU Related Work • Using MDA to secure SOA: – In [1], a model driven approach to secure web services is proposed, but it focuses on access control, and by extending OCL (Object Constraint Language) to define access control policies that are later transformed into XACML policies. In our approach, we use a standardized MOF language to achieve interoperability. – [2] uses an MDA approach to include security during the whole design process. They define UML security intentions that are later transformed into platform specific security mechanisms. But they do not take advantage of the SOA nature of the application to be secured, their approach could be applied to any type of application. Secure Systems Research Group - FAU Related Work • Using patterns and MDA to secure SOA applications: – In [9], they present low-levels patterns that can be used at the message exchange level, but do not secure higher levels (at the business process levels,..), so that they do not address such security issues such as trust establishment between partners, propagation of identities. They use concepts from Model-driven development to propose refined views for SOA applications but do not take advantage of the MDA standards to detail how to do the model transformations. Secure Systems Research Group - FAU Anticipated Contributions • Our approach to secure SOA applications builds upon two independent approaches, so the contributions of this research have value of their own and could be used in other methodologies or for different purposes. Those contributions include: – A MOF metamodel for SOA applications (SOA PIM): work in progress – A MOF metamodel for web services-based applications (WS PSM): work in progress – A map of security patterns for SOA and web servicesbased applications, and a corresponding catalog of security patterns: done Secure Systems Research Group - FAU Anticipated Contributions – A marking strategy for including security patterns into SOA applications: work in progress – A MDA mapping from the SOA PIM to the WS PSM: work in progress – The methodology itself: it can be abstracted and be applied to different architectural styles: done Secure Systems Research Group - FAU Conclusions • In this presentation, we presented a novel approach to secure SOA applications. • Since security must not be considered as an isolated aspect, but as an aspect present in all stages of a system development, we rely on the MDA approach. • At the same time, we address the nonfunctional requirements separately from the functional requirements by embodying the security knowledge from security experts in the domain, in the form of security patterns. Secure Systems Research Group - FAU