=Paper= {{Paper |id=Vol-2978/tutorial-paper3 |storemode=property |title=Identifying Confidentiality Violations in Architectural Design Using Palladio (short paper) |pdfUrl=https://ceur-ws.org/Vol-2978/tutorial-paper3.pdf |volume=Vol-2978 |authors=Stephan Seifermann,Maximilian Walter,Sebastian Hahner,Robert Heinrich,Ralf Reussner |dblpUrl=https://dblp.org/rec/conf/ecsa/SeifermannWHHR21 }} ==Identifying Confidentiality Violations in Architectural Design Using Palladio (short paper)== https://ceur-ws.org/Vol-2978/tutorial-paper3.pdf
Identifying Confidentiality Violations in Architectural Design Using Palladio

Stephan Seifermann, Maximilian Walter, Sebastian Hahner, Robert Heinrich and Ralf Reussner

KASTEL – Institute of Information Security and Dependability, Karlsruhe Institute of Technology (KIT), Germany



Abstract

Meeting confidentiality requirements in software systems is vital for organizations. Considering confidentiality in early development phases such as the architectural design phase is beneficial compared to late phases such as the implementation because fixing design issues is more cost-efficient in early phases. This tutorial introduces an approach for modeling and statically analyzing confidentiality in software architectures within the Palladio tool suite. Besides foundational knowledge, the tutorial provides a practical hands-on session using the tool. The goal is to show that it is already possible to consider confidentiality in the early design process and that this consideration can be integrated into existing architectural design tools.

Keywords

Confidentiality, Architectural Design, Palladio


Växjö'21: European Conference on Software Architecture, September 13–17, 2021, Växjö, Sweden
stephan.seifermann@kit.edu (S. Seifermann); maximilian.walter@kit.edu (M. Walter); sebastian.hahner@kit.edu (S. Hahner); robert.heinrich@kit.edu (R. Heinrich); ralf.reussner@kit.edu (R. Reussner)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org), ISSN 1613-0073, http://ceur-ws.org

1. Motivation

The importance of security in software systems continuously increases together with the connectedness of systems and legal obligations. Breaches of confidentiality, which is an aspect of security, have a significant impact on business because of a loss of business value [1] or high fines [2, 3]. Additionally, many users are willing to change a service provider to increase the confidentiality of their data [4]. Therefore, protecting data confidentiality is vital for organizations.

It is necessary to consider confidentiality in all development phases and as early as possible, because many violations trace back to the software design [5, 6], which also includes early designs such as software architectures. To avoid high effort for later fixes, it is necessary to already identify and address these issues in the software architecture [7]. Even if this line of argument is clear or even obvious to many, there is still a low adoption of security tools during the software design or architecture [8, 9, 10, 11]. There are various reasons for this low adoption, but missing awareness and integration into existing workflows are two of them.

The goal of the tutorial is to raise awareness and to make clear that approaches, which blend into existing tools and processes, exist. We would like to show this by presenting our confidentiality modeling and analysis approach integrated into the Palladio tool suite [12]. The Palladio integration extends the modeling language by means for expressing data processing. An automated transformation translates the Palladio model into an analysis model that determines relevant data properties by simulating the effect of data processing on data. Eventually, data properties are compared with expected properties and the identified problems are reported back to the user.

2. Tutorial Overview

In this tutorial, we show how static analyses of software architectures can reveal violations of access control policies. The threats considered in the analyses are that the software architecture itself violates such policies by its structure, behavior, deployment or intended usage.

The tutorial is built around our modeling and analysis approach [13, 14]. The approach is integrated into the Palladio tool suite [12] and makes use of recently introduced data-oriented interfaces [15]. The approach has already been used in various contexts, so we consider it mature enough for the presentation as part of the tutorial. For instance, the approach has been used to identify read and written data as part of an alignment process between business processes and software architectures focused on access rights [16, 17] as well as for deriving properties of processed data that can speed up runtime analyses [18].

The tutorial consists of three parts: First, we introduce the modeling concepts to represent system behavior that can be analyzed for access control later. This includes a hands-on session on modeling using our Palladio tooling. Second, we explain how to formulate an access control analysis using a previously published domain-specific language [19] and how to interpret the results. Again, this includes a hands-on session on analyzing the previously modeled system using our Palladio tooling. We recap all required foundational knowledge, so no expertise on security or Palladio is required. Third, we will briefly recap the contents of the tutorial and give an outlook on ideas and first results of future work.

3. Tutorial Material

The tutorial will use slides, ready-to-use Palladio tooling and example models. All material will be published on the companion website of the tutorial (https://fluidtrust.github.io/tutorial-ecsa2021/) and in a data set [20].

The example discussed in the tutorial is the TravelPlanner system known from the iFlow approach [21]. The interactions in the system are visualized by the sequence diagram in Figure 1. Simply put, a user looks for a flight and books the flight by additionally passing credit card information (ccd) to the system. The system consists of the smartphone apps TravelPlanner and CreditCardCenter. The travel planner mediates between the user and a travel agency, as well as an airline. The credit card center safely stores the credit card information of the user. The TravelAgency supports the search for flights and receives a commission from the airline after a booking. The Airline provides information about flights and supports booking flights. In the corresponding publication [21], the confidentiality requirement is given by an information flow policy. Transmitted data has a classification level and participants have a clearance level. The levels are {User, Airline, TravelAgency}, {User, Airline} and {User} in ascending order. The requirement is that no data must be received by a participant whose clearance level is lower than the classification level of the data. In the example, the critical part is the transmission of the credit card information, which is classified as User, to the airline, which only has the clearance {User, Airline}.

Figure 1: UML sequence diagram illustrating the TravelPlanner system. Lifelines: TravelPlanner, CreditCardCenter, TravelAgency, Airline. Messages in order: findFlights(criteria), findFlights(criteria), findFlights(query) with flights returned; getCCD() returning ccd; releaseCCDForAirline() returning ccd; bookFlight(flight, ccd) forwarded as bookFlight(flight, ccd); acceptComission(commission); confirmation returned.

In the tutorial, we use a modified version of the scenario described before, which we published as part of a previous publication [13]. Instead of an information flow policy, we formulate the confidentiality requirements in terms of Role-based Access Control (RBAC). Participants have roles instead of clearance levels and data have associated access rights in terms of roles. The roles are User, TravelAgency and Airline. The requirement is that the intersection between the access rights of data and the roles of a participant must not be empty. Again, the critical part is that credit card data is only accessible to the user but it is sent to the airline during the booking.

In both examples, it is possible to explicitly release the credit card information on behalf of the user. This action reduces the classification level or adds the Airline role, respectively. The analysis to be defined during the tutorial detects the violation of the access control policy if the credit card information is passed to the airline without previous release. A missing call to the release service implies an error in the planned behavior of the architecture and has to be fixed.

4. Future Work

We already discovered several interesting areas for further research: Architecture-level confidentiality analyses are affected by uncertainty due to abstraction and lack of information at design time. Therefore, we plan to make uncertainty explicit while modeling, refining and analyzing access control policies [22]. A considerable source of uncertainty is implied by the execution context of the system under analysis. Therefore, it is reasonable to identify and consider relevant aspects of the context [23]. Additionally, malicious users or attackers could exist. These could exploit vulnerabilities or policies and therefore should be considered in the future.

Acknowledgements

This work is funded by the DFG (German Research Foundation) – project number 432576552, HE8596/1-1 (FluidTrust) and also supported by funding of the Helmholtz Association (HGF) through the Competence Center for Applied Security Technology (KASTEL) (46.23).
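The two policies of Section 3 and the effect of the release step, replayed over the booking of Figure 1 as an added example (not code from the paper or from the Palladio tooling): the clearances and roles of TravelPlanner, CreditCardCenter and TravelAgency, the trace encoding and all function names are assumptions of this example.

```python
from dataclasses import dataclass, replace

# iFlow levels as sets of allowed readers, ascending: a smaller reader set is
# a higher classification, so index 2 ({User}) is the top level.
LEVELS = [frozenset({"User", "Airline", "TravelAgency"}),
          frozenset({"User", "Airline"}), frozenset({"User"})]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
# Per participant: iFlow clearance and RBAC roles. Airline is as in the paper;
# the apps acting with the user's level/role and the TravelAgency at the
# lowest level are assumptions of this example.
CLEARANCE = {"TravelPlanner": LEVELS[2], "CreditCardCenter": LEVELS[2],
             "TravelAgency": LEVELS[0], "Airline": LEVELS[1]}
ROLES = {"TravelPlanner": {"User"}, "CreditCardCenter": {"User"},
         "TravelAgency": {"TravelAgency"}, "Airline": {"Airline"}}

@dataclass(frozen=True)
class Data:
    name: str
    level: frozenset   # iFlow classification
    rights: frozenset  # RBAC access rights, expressed as roles

CCD = Data("ccd", LEVELS[2], frozenset({"User"}))
FLIGHT = Data("flight", LEVELS[0], frozenset({"User", "TravelAgency", "Airline"}))

def release_for_airline(d: Data) -> Data:
    """releaseCCDForAirline() from Figure 1: the release on behalf of the user
    lowers the classification to {User, Airline} and adds the Airline role."""
    return replace(d, level=LEVELS[1], rights=d.rights | {"Airline"})

def check(trace, policy):
    """Replay ('send', data, receiver) / ('release', data) steps and return the
    (receiver, data) pairs violating `policy` ('iflow' or 'rbac')."""
    state, violations = {"ccd": CCD, "flight": FLIGHT}, []
    for step in trace:
        if step[0] == "release":
            state[step[1]] = release_for_airline(state[step[1]])
            continue
        _, name, receiver = step
        d = state[name]
        if policy == "iflow":  # clearance must not be below the classification
            ok = RANK[CLEARANCE[receiver]] >= RANK[d.level]
        else:                  # rbac: access rights and roles must intersect
            ok = bool(d.rights & ROLES[receiver])
        if not ok:
            violations.append((receiver, name))
    return violations

def booking_trace(with_release: bool):
    """Data flows of the booking in Figure 1: getCCD() hands ccd to the
    TravelPlanner, which then sends bookFlight(flight, ccd) to the Airline."""
    trace = [("send", "flight", "TravelAgency"), ("send", "flight", "Airline"),
             ("send", "ccd", "TravelPlanner")]
    if with_release:
        trace.append(("release", "ccd"))
    return trace + [("send", "ccd", "Airline")]
```

Without the release step both policies report the Airline receiving ccd; with it, both traces are clean.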


References

[1] H. Weisbaum, Trust in Facebook has dropped by 66 percent since the Cambridge Analytica scandal, 2018. URL: https://www.nbcnews.com/business/consumer/trust-facebook-has-dropped-51-percent-cambridge-analytica-scandal-n867011, accessed 2021-07-09.
[2] E. Denham, COM0783542, Penalty Notice, UK Information Commissioner's Office, 2020.
[3] E. Denham, COM0804337, Penalty Notice, UK Information Commissioner's Office, 2020.
[4] Cisco Systems, Inc., Consumer Privacy Survey, Technical Report, Cisco, 2019. URL: https://www.cisco.com/c/dam/global/en_uk/products/collateral/security/cybersecurity-series-2019-cps.pdf, accessed 2021-07-09.
[5] R. Kuhn, et al., It Doesn't Have to Be Like This: Cybersecurity Vulnerability Trends, IT Professional 19 (2017) 66–70.
[6] G. McGraw, Software Security - Building Security In, Addison-Wesley Professional, 2006.
[7] F. Shull, et al., What we have learned about fighting defects, in: METRICS, IEEE, 2002, pp. 249–258.
[8] H. Assal, et al., Security in the software development lifecycle, in: SOUPS'18, USENIX Association, 2018, pp. 281–296.
[9] H. Assal, et al., 'Think secure from the beginning': A Survey with Software Developers, in: CHI'19, 2019, pp. 1–13.
[10] J. A. Davis, et al., Study on the Barriers to the Industrial Adoption of Formal Methods, in: Formal Methods for Industrial Critical Systems, LNCS, Springer, 2013, pp. 63–77.
[11] H. Garavel, et al., The 2020 Expert Survey on Formal Methods, in: Formal Methods for Industrial Critical Systems, LNCS, Springer, 2020, pp. 3–69.
[12] R. H. Reussner, et al., Modeling and Simulating Software Architectures - The Palladio Approach, MIT Press, 2016.
[13] S. Seifermann, et al., Data-Driven Software Architecture for Analyzing Confidentiality, in: ICSA'19, IEEE, 2019, pp. 1–10.
[14] S. Seifermann, et al., A Unified Model to Detect Information Flow and Access Control Violations in Software Architectures, in: SECRYPT'21, SCITEPRESS, 2021, pp. 26–37.
[15] D. Werle, et al., Data Stream Operations as First-Class Entities in Component-Based Performance Models, in: ECSA'20, LNCS, Springer, 2020, pp. 148–164.
[16] R. Pilipchuk, et al., Aligning Business Process Access Control Policies with Enterprise Architecture, in: CECC'18, 2018, pp. 17:1–17:4.
[17] R. Pilipchuk, et al., Challenges in Aligning Enterprise Application Architectures to Business Process Access Control Requirements in Evolutional Changes, in: ICE-B'21, ScitePress, 2021, pp. 13–24.
[18] R. Al-Ali, et al., Dynamic Security Rules for Legacy Systems, in: ECSA'19 - Volume 2, 2019, pp. 277–284.
[19] S. Hahner, et al., Modeling data flow constraints for design-time confidentiality analyses, in: ICSA'21 - Companion, 2021, pp. 15–21.
[20] S. Seifermann, et al., Auxiliar material, 2021. doi:10.5281/zenodo.5086778.
[21] K. Katkalov, et al., Model-Driven Development of Information Flow-Secure Systems with IFlow, in: SocialCom'13, 2013, pp. 51–56.
[22] S. Hahner, Architectural access control policy refinement and verification under uncertainty, in: ECSA'21, 2021. Accepted, to appear.
[23] N. Boltz, et al., Context-Based Confidentiality Analysis for Industrial IoT, in: SEAA'20, 2020, pp. 589–596.