<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Identifying Confidentiality Violations in Architectural Design Using Palladio</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Stephan Seifermann</string-name>
          <email>stephan.seifermann@kit.edu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Maximilian Walter</string-name>
          <email>maximilian.walter@kit.edu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Sebastian Hahner</string-name>
          <email>sebastian.hahner@kit.edu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Robert Heinrich</string-name>
          <email>robert.heinrich@kit.edu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Ralf Reussner</string-name>
          <email>ralf.reussner@kit.edu</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>KASTEL - Institute of Information Security and Dependability, Karlsruhe Institute of Technology (KIT)</institution>
          ,
          <country country="DE">Germany</country>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Växjö'21: European Conference on Software Architecture</institution>
        </aff>
      </contrib-group>
      <abstract>
        <p>Meeting confidentiality requirements in software systems is vital for organizations. Considering confidentiality in early development phases such as the architectural design phase is beneficial compared to late phases such as the implementation because fixing design issues is more cost-eficient in early phases. This tutorial introduces an approach for modeling and statically analyzing confidentiality in software architectures within the Palladio tool suite. Besides foundational knowledge, the tutorial provides a practical hands-on session using the tool. The goal is to show that it is already possible to consider confidentiality in the early design process and that this consideration can be integrated into existing architectural design tools.</p>
      </abstract>
      <kwd-group>
        <kwd>Confidentiality</kwd>
        <kwd>Architectural Design</kwd>
        <kwd>Palladio</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Motivation</title>
      <p>The importance of security in software systems continuously increases together with the connectedness of systems and legal obligations. Breaches of confidentiality, which is an aspect of security, have a significant impact on business because of a loss of business value [<xref ref-type="bibr" rid="ref1">1</xref>] or high fines [2, 3]. Additionally, many users are willing to change a service provider to increase the confidentiality of their data [4]. Therefore, protecting data confidentiality is vital for organizations.</p>
      <p>It is necessary to consider confidentiality in all development phases and as early as possible, because many violations trace back to the software design [5, 6], which also includes early designs such as software architectures. To avoid high effort for later fixes, it is necessary to already identify and address these issues in the software architecture [7].</p>
      <p>Even if this line of argument is clear or even obvious to many, there is still a low adoption of security tools during the software design or architecture [8, 9, 10, 11]. There are various reasons for this low adoption, but missing awareness and missing integration into existing workflows are two of them.</p>
      <p>The goal of the tutorial is to raise awareness and to make clear that approaches which blend into existing tools and processes exist. We would like to show this by presenting our confidentiality modeling and analysis approach integrated into the Palladio tool suite [12]. The Palladio integration extends the modeling language by means for expressing data processing. An automated transformation translates the Palladio model into an analysis model that determines relevant data properties by simulating the effect of data processing on data. Eventually, data properties are compared with expected properties and the identified problems are reported back to the user.</p>
      <p>© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org), ISSN 1613-0073.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Tutorial Overview</title>
      <p>In this tutorial, we show how static analyses of software architectures can reveal violations of access control policies. The threats considered in the analyses are that the software architecture itself violates such policies by its structure, behavior, deployment or intended usage.</p>
      <p>The tutorial is built around our modeling and analysis approach [13, 14]. The approach is integrated into the Palladio tool suite [12] and makes use of recently introduced data-oriented interfaces [15]. The approach has already been used in various contexts, so we consider it mature enough for the presentation as part of the tutorial. For instance, the approach has been used to identify read and written data as part of an alignment process between business processes and software architectures focused on access rights [16, 17], as well as for deriving properties of processed data that can speed up runtime analyses [18].</p>
      <p>The tutorial consists of three parts: First, we introduce the modeling concepts to represent system behavior that can be analyzed for access control later. This includes a hands-on session on modeling using our Palladio tooling. Second, we explain how to formulate an access control analysis using a previously published domain-specific language [19] and how to interpret the results. Again, this includes a hands-on session on analyzing the previously modeled system using our Palladio tooling. We recap all required foundational knowledge, so no expertise on security or Palladio is required. Third, we will briefly recap the contents of the tutorial and give an outlook on ideas and first results of future work.</p>
    </sec>
    <sec id="sec-3">
      <title>3. Tutorial Material</title>
      <p>The tutorial will use slides, ready-to-use Palladio tooling and example models. All material will be published on the companion website of the tutorial (https://fluidtrust.github.io/tutorial-ecsa2021/) and in a data set [20].</p>
      <p>The example discussed in the tutorial is the TravelPlanner system known from the iFlow approach [21]. The interactions in the system are visualized by the sequence diagram in Figure 1. Simply said, a user looks for a flight and books the flight by additionally passing credit card information (ccd) to the system. The system consists of the smartphone apps TravelPlanner and CreditCardCenter. The travel planner mediates between the user and a travel agency, as well as an airline. The credit card center safely stores the credit card information of the user. The TravelAgency supports the search for flights and receives a commission from the airline after a booking. The Airline provides information about flights and supports booking flights. In the corresponding publication [21], the confidentiality requirement is given by an information flow policy. Transmitted data has a classification level and participants have a clearance level. The levels are {User, Airline, TravelAgency}, {User, Airline} and {User} in ascending order. The requirement is that no data must be received at a participant which has a clearance level lower than the classification level of the data. In the example, the critical part is the transmission of the credit card information, which is classified as User, to the airline, which only has the clearance {User, Airline}.</p>
      <p>Figure 1: Sequence diagram of the TravelPlanner system. Lifelines: TravelPlanner, CreditCardCenter, TravelAgency, Airline. Messages in order: findFlights(criteria), flights, findFlights(criteria), flights, findFlights(query), flights, getCCD(), ccd, releaseCCDForAirline(), ccd, bookFlight(flight, ccd), confirmation, confirmation, bookFlight(flight, ccd), acceptComission(commission), confirmation.</p>
      <p>In the tutorial, we use a modified version of the scenario described before, which we published as part of a previous publication [13]. Instead of an information flow policy, we formulate the confidentiality requirements in terms of Role-based Access Control (RBAC). Participants have roles instead of clearance levels and data have associated access rights in terms of roles. The roles are User, TravelAgency and Airline. The requirement is that the intersection between the access rights of data and the roles of a participant must not be empty. Again, the critical part is that credit card data is only accessible to the user but it is sent to the airline during the booking.</p>
      <p>In both examples, it is possible to explicitly release the credit card information on behalf of the user. This action reduces the classification level or adds the Airline role, respectively.</p>
      <p>The analysis to be defined during the tutorial detects the violation of the access control policy if the credit card information is passed to the airline without previous release. A missing call to the release service implies an error in the planned behavior of the architecture and has to be fixed.</p>
    </sec>
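    <p>The following Python program is an added illustration for this page; it is not Palladio code and not the authors' analysis. It replays the calls of the Figure 1 sequence as label-propagation steps, in the spirit of the transformation described in Section 1 that simulates the effect of data processing on data, and checks both confidentiality requirements stated in Section 3: the iFlow classification/clearance lattice and the RBAC variant used in the tutorial. The lattice levels, the roles and the effect of releaseCCDForAirline() are taken from the text; the mapping of the two smartphone apps to the User participant, the data item names, the simplified call order and all function names are assumptions of this example.</p>
    <preformat>
```python
"""Design-time confidentiality check over the TravelPlanner call sequence.

Added example, not Palladio or the authors' tooling.  Component-to-participant
mapping, data item names and the simplified call order are assumptions.
"""
from dataclasses import dataclass, replace

# Information flow lattice from the text.  A level is written as the set of
# participants it names; {User, Airline, TravelAgency}, {User, Airline}, {User}
# are ordered ascending, so "higher" means "fewer readers".  A receiver with
# clearance C may receive data classified D iff C is at least D, i.e. C is a
# subset of D.
CLEARANCE = {
    "User": frozenset({"User"}),
    "Airline": frozenset({"User", "Airline"}),
    "TravelAgency": frozenset({"User", "Airline", "TravelAgency"}),
}
# RBAC variant: each participant holds exactly the role of its own name.
ROLES = {name: frozenset({name}) for name in CLEARANCE}

# Assumption of this example: both smartphone apps act on behalf of the user.
PARTICIPANT_OF = {
    "TravelPlanner": "User",
    "CreditCardCenter": "User",
    "TravelAgency": "TravelAgency",
    "Airline": "Airline",
}


@dataclass(frozen=True)
class Data:
    """A data item with its information-flow label and its RBAC access rights."""
    name: str
    classification: frozenset
    rights: frozenset


PUBLIC = frozenset({"User", "Airline", "TravelAgency"})

# Constructed initial labels: flight data is visible to everyone; the credit
# card data (ccd) is classified as User and accessible only to the User role.
INITIAL_DATA = {
    "criteria": Data("criteria", PUBLIC, PUBLIC),
    "flights": Data("flights", PUBLIC, PUBLIC),
    "ccd": Data("ccd", frozenset({"User"}), frozenset({"User"})),
}


def release_for_airline(ccd):
    """Effect of releaseCCDForAirline() as described in the text: lower the
    classification by one level and add the Airline role to the rights."""
    return replace(
        ccd,
        classification=ccd.classification.union({"Airline"}),
        rights=ccd.rights.union({"Airline"}),
    )


def flow_allowed(data, receiver):
    """iFlow rule: receiver clearance must not be lower than the classification."""
    return CLEARANCE[PARTICIPANT_OF[receiver]].issubset(data.classification)


def rbac_allowed(data, receiver):
    """RBAC rule: data access rights and receiver roles must intersect."""
    return bool(data.rights.intersection(ROLES[PARTICIPANT_OF[receiver]]))


def scenario(release_before_booking):
    """Constructed call sequence following Figure 1.  Each step is a tuple
    (call, sender, receiver, data name); the release step has no transfer."""
    steps = [
        ("findFlights", "TravelPlanner", "TravelAgency", "criteria"),
        ("findFlights", "TravelAgency", "Airline", "criteria"),
        ("flights", "Airline", "TravelAgency", "flights"),
        ("flights", "TravelAgency", "TravelPlanner", "flights"),
        ("getCCD", "CreditCardCenter", "TravelPlanner", "ccd"),
    ]
    if release_before_booking:
        steps.append(("releaseCCDForAirline", None, None, "ccd"))
    steps.append(("bookFlight", "TravelPlanner", "Airline", "ccd"))
    return steps


def analyze(steps):
    """Propagate labels through the sequence and collect policy violations as
    (call, receiver, data name, policy) tuples; an empty list means compliant."""
    data = dict(INITIAL_DATA)
    violations = []
    for call, sender, receiver, name in steps:
        if call == "releaseCCDForAirline":
            data[name] = release_for_airline(data[name])
            continue
        item = data[name]
        if not flow_allowed(item, receiver):
            violations.append((call, receiver, name, "information-flow"))
        if not rbac_allowed(item, receiver):
            violations.append((call, receiver, name, "rbac"))
    return violations


if __name__ == "__main__":
    for flag in (False, True):
        print("release before booking:", flag, "violations:", analyze(scenario(flag)))
```
    </preformat>
    <p>Run without the release step, the script reports the bookFlight transfer of ccd to the Airline as a violation of both policies; with the release step it reports none. That difference is the missing-call error the tutorial's analysis is meant to surface at design time, before any implementation exists.</p>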
    <sec id="sec-4">
      <title>4. Future Work</title>
      <p>We already discovered several interesting areas for further research: Architecture-level confidentiality analyses are affected by uncertainty due to abstraction and lack of information at design time. Therefore, we plan to make uncertainty explicit while modeling, refining and analyzing access control policies [22]. A considerable source of uncertainty is implied by the execution context of the system under analysis. Therefore, it is reasonable to identify and consider relevant aspects of the context [23]. Additionally, malicious users or attackers could exist. These could exploit vulnerabilities or policies and therefore should be considered in the future.</p>
    </sec>
  </body>
  <back>
    <ack>
      <title>Acknowledgements</title>
      <p>This work is funded by the DFG (German Research Foundation) – project number 432576552, HE8596/1-1 (FluidTrust) and also supported by funding of the Helmholtz Association (HGF) through the Competence Center for Applied Security Technology (KASTEL) (46.23).</p>
    </ack>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>[1] H. Weisbaum, Trust in Facebook has dropped by 66 percent since the Cambridge Analytica scandal, 2018. URL: https://www.nbcnews.com/business/consumer/trust-facebook-has-dropped-51-percent-cambridge-analytica-scandal-n867011, accessed 2021-07-09.</mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>[2] E. Denham, COM0783542, Penalty Notice, UK Information Commissioner’s Office, 2020.</mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>[3] E. Denham, COM0804337, Penalty Notice, UK Information Commissioner’s Office, 2020.</mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>[4] Cisco Systems, Inc., Consumer Privacy Survey, Technical Report, Cisco, 2019. URL: https://www.cisco.com/c/dam/global/en_uk/products/collateral/security/cybersecurity-series-2019-cps.pdf, accessed 2021-07-09.</mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>[5] R. Kuhn, et al., It Doesn’t Have to Be Like This: Cybersecurity Vulnerability Trends, IT Professional 19 (2017) 66–70.</mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>[6] G. McGraw, Software Security - Building Security In, Addison-Wesley Professional, 2006.</mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>[7] F. Shull, et al., What we have learned about fighting defects, in: METRICS, IEEE, 2002, pp. 249–258.</mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>[8] H. Assal, et al., Security in the software development lifecycle, in: SOUPS’18, USENIX Association, 2018, pp. 281–296.</mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>[9] H. Assal, et al., ’Think secure from the beginning’: A Survey with Software Developers, in: CHI’19, 2019, pp. 1–13.</mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>[10] J. A. Davis, et al., Study on the Barriers to the Industrial Adoption of Formal Methods, in: Formal Methods for Industrial Critical Systems, LNCS, Springer, 2013, pp. 63–77.</mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>[11] H. Garavel, et al., The 2020 Expert Survey on Formal Methods, in: Formal Methods for Industrial Critical Systems, LNCS, Springer, 2020, pp. 3–69.</mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>[12] R. H. Reussner, et al., Modeling and Simulating Software Architectures - The Palladio Approach, MIT Press, 2016.</mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>[13] S. Seifermann, et al., Data-Driven Software Architecture for Analyzing Confidentiality, in: ICSA’19, IEEE, 2019, pp. 1–10.</mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>[14] S. Seifermann, et al., A Unified Model to Detect Information Flow and Access Control Violations in Software Architectures, in: SECRYPT’21, SCITEPRESS, 2021, pp. 26–37.</mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>[15] D. Werle, et al., Data Stream Operations as First-Class Entities in Component-Based Performance Models, in: ECSA’20, LNCS, Springer, 2020, pp. 148–164.</mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>[16] R. Pilipchuk, et al., Aligning Business Process Access Control Policies with Enterprise Architecture, in: CECC’18, 2018, pp. 17:1–17:4.</mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>[17] R. Pilipchuk, et al., Challenges in Aligning Enterprise Application Architectures to Business Process Access Control Requirements in Evolutional Changes, in: ICE-B’21, ScitePress, 2021, pp. 13–24.</mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>[18] R. Al-Ali, et al., Dynamic Security Rules for Legacy Systems, in: ECSA’19 - Volume 2, 2019, pp. 277–284.</mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>[19] S. Hahner, et al., Modeling data flow constraints for design-time confidentiality analyses, in: ICSA’21 - Companion, 2021, pp. 15–21.</mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>[20] S. Seifermann, et al., Auxiliar material, 2021. doi:10.5281/zenodo.5086778.</mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>[21] K. Katkalov, et al., Model-Driven Development of Information Flow-Secure Systems with IFlow, in: SocialCom’13, 2013, pp. 51–56.</mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>[22] S. Hahner, Architectural access control policy refinement and verification under uncertainty, in: ECSA’21, 2021. Accepted, to appear.</mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>[23] N. Boltz, et al., Context-Based Confidentiality Analysis for Industrial IoT, in: SEAA’20, 2020, pp. 589–596.</mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>