Identifying Confidentiality Violations in Architectural Design Using Palladio

Stephan Seifermann, Maximilian Walter, Sebastian Hahner, Robert Heinrich and Ralf Reussner
KASTEL – Institute of Information Security and Dependability, Karlsruhe Institute of Technology (KIT), Germany

Abstract

Meeting confidentiality requirements in software systems is vital for organizations. Considering confidentiality in early development phases such as the architectural design phase is beneficial compared to late phases such as the implementation, because fixing design issues is more cost-efficient in early phases. This tutorial introduces an approach for modeling and statically analyzing confidentiality in software architectures within the Palladio tool suite. Besides foundational knowledge, the tutorial provides a practical hands-on session using the tool. The goal is to show that it is already possible to consider confidentiality in the early design process and that this consideration can be integrated into existing architectural design tools.

Keywords: Confidentiality, Architectural Design, Palladio

Växjö'21: European Conference on Software Architecture, September 13–17, 2021, Växjö, Sweden
stephan.seifermann@kit.edu (S. Seifermann); maximilian.walter@kit.edu (M. Walter); sebastian.hahner@kit.edu (S. Hahner); robert.heinrich@kit.edu (R. Heinrich); ralf.reussner@kit.edu (R. Reussner)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org), ISSN 1613-0073.

1. Motivation

The importance of security in software systems continuously increases together with the connectedness of systems and legal obligations. Breaches of confidentiality, which is an aspect of security, have a significant impact on business because of a loss of business value [1] or high fines [2, 3]. Additionally, many users are willing to change a service provider to increase the confidentiality of their data [4]. Therefore, protecting data confidentiality is vital for organizations.

It is necessary to consider confidentiality in all development phases and as early as possible, because many violations trace back to the software design [5, 6], which also includes early designs such as software architectures. To avoid high effort for later fixes, it is necessary to already identify and address these issues in the software architecture [7]. Even if this line of argument is clear or even obvious to many, there is still a low adoption of security tools during the software design or architecture [8, 9, 10, 11]. There are various reasons for this low adoption, but missing awareness and missing integration into existing workflows are two of them.

The goal of the tutorial is to raise awareness and to make clear that approaches exist which blend into existing tools and processes. We would like to show this by presenting our confidentiality modeling and analysis approach integrated into the Palladio tool suite [12]. The Palladio integration extends the modeling language by means for expressing data processing. An automated transformation translates the Palladio model into an analysis model that determines relevant data properties by simulating the effect of data processing on data. Eventually, the data properties are compared with the expected properties and the identified problems are reported back to the user.

2. Tutorial Overview

In this tutorial, we show how static analyses of software architectures can reveal violations of access control policies. The threats considered in the analyses are that the software architecture itself violates such policies by its structure, behavior, deployment or intended usage.

The tutorial is built around our modeling and analysis approach [13, 14]. The approach is integrated into the Palladio tool suite [12] and makes use of recently introduced data-oriented interfaces [15]. The approach has already been used in various contexts, so we consider it mature enough for the presentation as part of the tutorial. For instance, the approach has been used to identify read and written data as part of an alignment process between business processes and software architectures focused on access rights [16, 17], as well as for deriving properties of processed data that can speed up runtime analyses [18].

The tutorial consists of three parts: First, we introduce the modeling concepts to represent system behavior that can be analyzed for access control later. This includes a hands-on session on modeling using our Palladio tooling. Second, we explain how to formulate an access control analysis using a previously published domain-specific language [19] and how to interpret the results. Again, this includes a hands-on session on analyzing the previously modeled system using our Palladio tooling. We recap all required foundational knowledge, so no expertise on security or Palladio is required. Third, we briefly recap the contents of the tutorial and give an outlook on ideas and first results of future work.

3. Tutorial Material

The tutorial will use slides, ready-to-use Palladio tooling and example models. All material will be published on the companion website of the tutorial¹ and in a data set [20].

The example discussed in the tutorial is the TravelPlanner system known from the iFlow approach [21]. The interactions in the system are visualized by the sequence diagram in Figure 1. Put simply, a user looks for a flight and books the flight by additionally passing credit card information (ccd) to the system. The system consists of the smartphone apps TravelPlanner and CreditCardCenter. The travel planner mediates between the user and a travel agency, as well as an airline. The credit card center safely stores the credit card information of the user. The TravelAgency supports the search for flights and receives a commission from the airline after a booking. The Airline provides information about flights and supports booking flights. In the corresponding publication [21], the confidentiality requirement is given by an information flow policy. Transmitted data has a classification level and participants have a clearance level. The levels are {User, Airline, TravelAgency}, {User, Airline} and {User} in ascending order. The requirement is that no data must be received by a participant that has a clearance level lower than the classification level of the data. In the example, the critical part is the transmission of the credit card information, which is classified as {User}, to the airline, which only has the clearance {User, Airline}.

Figure 1: UML sequence diagram illustrating the TravelPlanner system. (Lifelines: TravelPlanner, CreditCardCenter, TravelAgency, Airline; messages: findFlights(criteria), findFlights(query), flights, getCCD(), ccd, releaseCCDForAirline(), bookFlight(flight, ccd), acceptComission(commission), confirmation.)

In the tutorial, we use a modified version of the scenario described before, which we published as part of a previous publication [13]. Instead of an information flow policy, we formulate the confidentiality requirements in terms of Role-based Access Control (RBAC). Participants have roles instead of clearance levels, and data have associated access rights in terms of roles. The roles are User, TravelAgency and Airline. The requirement is that the intersection between the access rights of data and the roles of a participant must not be empty. Again, the critical part is that credit card data is only accessible to the user, but it is sent to the airline during the booking.

In both examples, it is possible to explicitly release the credit card information on behalf of the user. This action reduces the classification level or adds the Airline role, respectively. The analysis to be defined during the tutorial detects the violation of the access control policy if the credit card information is passed to the airline without a previous release. A missing call to the release service implies an error in the planned behavior of the architecture and has to be fixed.

¹ https://fluidtrust.github.io/tutorial-ecsa2021/

4. Future Work

We already discovered several interesting areas for further research: Architecture-level confidentiality analyses are affected by uncertainty due to abstraction and lack of information at design time. Therefore, we plan to make uncertainty explicit while modeling, refining and analyzing access control policies [22]. A considerable source of uncertainty is implied by the execution context of the system under analysis. Therefore, it is reasonable to identify and consider relevant aspects of the context [23]. Additionally, malicious users or attackers could exist. These could exploit vulnerabilities or policies and therefore should be considered in the future.

Acknowledgements

This work is funded by the DFG (German Research Foundation) – project number 432576552, HE8596/1-1 (FluidTrust) and also supported by funding of the Helmholtz Association (HGF) through the Competence Center for Applied Security Technology (KASTEL) (46.23).

References

[1] H. Weisbaum, Trust in Facebook has dropped by 66 percent since the Cambridge Analytica scandal, 2018. URL: https://www.nbcnews.com/business/consumer/trust-facebook-has-dropped-51-percent-cambridge-analytica-scandal-n867011, accessed 2021-07-09.
[2] E. Denham, COM0783542, Penalty Notice, UK Information Commissioner's Office, 2020.
[3] E. Denham, COM0804337, Penalty Notice, UK Information Commissioner's Office, 2020.
[4] Cisco Systems, Inc., Consumer Privacy Survey, Technical Report, Cisco, 2019. URL: https://www.cisco.com/c/dam/global/en_uk/products/collateral/security/cybersecurity-series-2019-cps.pdf, accessed 2021-07-09.
[5] R. Kuhn, et al., It Doesn't Have to Be Like This: Cybersecurity Vulnerability Trends, IT Professional 19 (2017) 66–70.
[6] G. McGraw, Software Security - Building Security In, Addison-Wesley Professional, 2006.
[7] F. Shull, et al., What we have learned about fighting defects, in: METRICS, IEEE, 2002, pp. 249–258.
[8] H. Assal, et al., Security in the software development lifecycle, in: SOUPS'18, USENIX Association, 2018, pp. 281–296.
[9] H. Assal, et al., 'Think secure from the beginning': A Survey with Software Developers, in: CHI'19, 2019, pp. 1–13.
[10] J. A. Davis, et al., Study on the Barriers to the Industrial Adoption of Formal Methods, in: Formal Methods for Industrial Critical Systems, LNCS, Springer, 2013, pp. 63–77.
[11] H. Garavel, et al., The 2020 Expert Survey on Formal Methods, in: Formal Methods for Industrial Critical Systems, LNCS, Springer, 2020, pp. 3–69.
[12] R. H. Reussner, et al., Modeling and Simulating Software Architectures - The Palladio Approach, MIT Press, 2016.
[13] S. Seifermann, et al., Data-Driven Software Architecture for Analyzing Confidentiality, in: ICSA'19, IEEE, 2019, pp. 1–10.
[14] S. Seifermann, et al., A Unified Model to Detect Information Flow and Access Control Violations in Software Architectures, in: SECRYPT'21, SCITEPRESS, 2021, pp. 26–37.
[15] D. Werle, et al., Data Stream Operations as First-Class Entities in Component-Based Performance Models, in: ECSA'20, LNCS, Springer, 2020, pp. 148–164.
[16] R. Pilipchuk, et al., Aligning Business Process Access Control Policies with Enterprise Architecture, in: CECC'18, 2018, pp. 17:1–17:4.
[17] R. Pilipchuk, et al., Challenges in Aligning Enterprise Application Architectures to Business Process Access Control Requirements in Evolutional Changes, in: ICE-B'21, ScitePress, 2021, pp. 13–24.
[18] R. Al-Ali, et al., Dynamic Security Rules for Legacy Systems, in: ECSA'19 - Volume 2, 2019, pp. 277–284.
[19] S. Hahner, et al., Modeling data flow constraints for design-time confidentiality analyses, in: ICSA'21 - Companion, 2021, pp. 15–21.
[20] S. Seifermann, et al., Auxiliar material, 2021. doi:10.5281/zenodo.5086778.
[21] K. Katkalov, et al., Model-Driven Development of Information Flow-Secure Systems with IFlow, in: SocialCom'13, 2013, pp. 51–56.
[22] S. Hahner, Architectural access control policy refinement and verification under uncertainty, in: ECSA'21, 2021. Accepted, to appear.
[23] N. Boltz, et al., Context-Based Confidentiality Analysis for Industrial IoT, in: SEAA'20, 2020, pp. 589–596.
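The RBAC check from Section 3, worked through on the TravelPlanner scenario as an added toy example; this is not the Palladio tooling or the authors' code. The role assignment of the two smartphone apps (acting as the user) and the routing of the booking call (TravelPlanner directly to the Airline, read off Figure 1) are assumptions.

```python
from typing import Dict, FrozenSet, List, Tuple

# Assumed roles of the participants (RBAC variant of the scenario); the two
# smartphone apps act on behalf of the user, so they carry the User role.
PARTICIPANT_ROLES: Dict[str, FrozenSet[str]] = {
    "User": frozenset({"User"}),
    "TravelPlanner": frozenset({"User"}),
    "CreditCardCenter": frozenset({"User"}),
    "TravelAgency": frozenset({"TravelAgency"}),
    "Airline": frozenset({"Airline"}),
}
# Initial access rights of transmitted data: search criteria may be read by
# every role, the credit card data (ccd) only by the user.
INITIAL_RIGHTS: Dict[str, FrozenSet[str]] = {
    "criteria": frozenset({"User", "TravelAgency", "Airline"}),
    "ccd": frozenset({"User"}),
}
# A step is a transmission ("send", sender, receiver, data) or an explicit
# release ("release", data, role) that adds a role to the data's access rights.
Step = Tuple[str, ...]

def analyze(trace: List[Step]) -> List[Tuple[str, str, str]]:
    """Propagate the effect of each step on the data labels and return every
    transmission (sender, receiver, data) whose receiver holds no role that is
    contained in the access rights of the data (empty intersection)."""
    rights = dict(INITIAL_RIGHTS)
    violations = []
    for step in trace:
        if step[0] == "release":
            _, data, role = step
            rights[data] = rights[data] | {role}
        else:
            _, sender, receiver, data = step
            if not rights[data] & PARTICIPANT_ROLES[receiver]:
                violations.append((sender, receiver, data))
    return violations

# Message routing assumed from Figure 1: the search goes through the travel
# agency, the booking call carries the ccd from the TravelPlanner app to the
# airline directly (constructed trace, not an output of the tooling).
BOOKING: List[Step] = [
    ("send", "User", "TravelPlanner", "criteria"),
    ("send", "TravelPlanner", "TravelAgency", "criteria"),
    ("send", "TravelAgency", "Airline", "criteria"),
    ("send", "CreditCardCenter", "TravelPlanner", "ccd"),
    ("send", "TravelPlanner", "Airline", "ccd"),
]
# Corrected behaviour: releaseCCDForAirline() precedes the booking call.
RELEASED: List[Step] = BOOKING[:4] + [("release", "ccd", "Airline")] + BOOKING[4:]
```

`analyze(BOOKING)` reports the unreleased ccd arriving at the airline, while `analyze(RELEASED)` reports nothing, which is exactly the missing-release defect the tutorial's analysis is meant to surface.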