Similar literature
20 similar documents found (search time 78 ms)
1.
Service-oriented architectures (SOA) provide a flexible and dynamic platform for implementing business solutions. In this paper, we address the modeling of such architectures by refining business-oriented architectures, which abstract from technology aspects, into service-oriented ones, focusing on the ability of dynamic reconfiguration (binding to new services at run-time) typical for SOA. The refinement is based on conceptual models of the platforms involved as architectural styles, formalized by graph transformation systems. Based on a refinement relation between abstract and platform-specific styles we investigate how to realize business-specific scenarios on the SOA platform by automatically deriving refined, SOA-specific reconfiguration scenarios. Research partially supported by the European Research Training Network SegraVis (on Syntactic and Semantic Integration of Visual Modelling Techniques).

2.
Security policies provide the necessary guarantee for the security of mobile computing, but their expression and the formal models of mobile computing are usually implemented with different techniques. This paper gives a process-based representation of security policies; through this representation, mobile computing models and the security problems of mobile computing can easily be realized within a unified framework. It provides a simple and feasible method for realizing mobile computing and its security.

3.
Security administrators face the challenge of designing, deploying and maintaining a variety of configuration files related to security systems, especially in large‐scale networks. These files have heterogeneous syntaxes and follow differing semantic concepts. Nevertheless, they are interdependent due to security services having to cooperate and their configuration to be consistent with each other, so that global security policies are completely and correctly enforced. To tackle this problem, our approach supports a comfortable definition of an abstract high‐level security policy and provides an automated derivation of the desired configuration files. It is an extension of policy‐based management and policy hierarchies, combining model‐based management (MBM) with system modularization. MBM employs an object‐oriented model of the managed system to obtain the details needed for automated policy refinement. The modularization into abstract subsystems (ASs) segments the system—and the model—into units which more closely encapsulate related system components and provide focused abstract views. As a result, scalability is achieved and even comprehensive IT systems can be modelled in a unified manner. The associated tool MoBaSeC (Model‐Based‐Service‐Configuration) supports interactive graphical modelling, automated model analysis and policy refinement with the derivation of configuration files. We describe the MBM and AS approaches, outline the tool functions and exemplify their applications and results obtained. Copyright © 2010 John Wiley & Sons, Ltd.

4.
Communication security is an important problem that Web services must face. For workflow systems based on WS-BPEL, there is as yet no mature security implementation mechanism. This paper studies the security characteristics of WS-BPEL-based workflows, analyzes the security specifications suited to the SOA architecture, studies their implementation mechanisms, and finally gives a concrete security implementation that can effectively solve the secure transmission problem of workflow systems.

5.
An approach for modeling and analysis of security system architectures   Total citations: 5, self-citations: 0, other citations: 5
Security system architecture governs the composition of components in security systems and interactions between them. It plays a central role in the design of software security systems that ensure secure access to distributed resources in a networked environment. In particular, the composition of the systems must consistently assure the security policies that it is supposed to enforce. However, there is currently no rigorous and systematic way to predict and assure such critical properties in security system design. A systematic approach is introduced to address the problem. We present a methodology for modeling security system architecture and for verifying whether required security constraints are assured by the composition of the components. We introduce the concept of security constraint patterns, which formally specify the generic form of security policies that all implementations of the system architecture must enforce. The analysis of the architecture is driven by the propagation of the global security constraints onto the components in an incremental process. We show that our methodology is both flexible and scalable. It is argued that such a methodology not only ensures the integrity of critical early design decisions, but also provides a framework to guide correct implementations of the design. We demonstrate the methodology through a case study in which we model and analyze the architecture of the Resource Access Decision (RAD) Facility, an OMG standard for application-level authorization service.

6.
As a trusted execution environment technology on ARM processors, TrustZone provides an isolated and independent execution environment for security-sensitive programs and data on the device. However, running the trusted OS and all the trusted applications in the same environment may cause problems: the exploitation of a vulnerability in any component may affect the others in the system. Although ARM proposed the S-EL2 virtualization technology, which supports multiple isolated partitions in the secure world to alleviate this problem, there may still be security threats such as information leakage between partitions in a real-world partition manager. Current secure partition manager designs and implementations lack rigorous mathematical proofs to guarantee the security of isolated partitions. This study analyzes the multiple secure partitions architecture of ARM TrustZone in detail, proposes a refinement-based modeling and security analysis method for multiple secure partitions of TrustZone, and completes the modeling and formal verification of the secure partition manager in the theorem prover Isabelle/HOL. First, we build a multiple secure partitions model named RMTEE based on refinement: an abstract state machine is used to describe the system running process and security policy requirements, forming the abstract model. Then the abstract model is instantiated into the concrete model, in which the event specification is implemented following the FF-A specification. Second, to address the problem that the existing partition manager design cannot meet the goal of information flow security verification, we design a DAC-based inter-partition communication access control and apply it to the modeling and verification of RMTEE. Lastly, we prove the refinement between the concrete model and the abstract model, and the correctness and security of the event specification in the concrete model. The formalization and verification consist of 137 definitions and 201 lemmas (more than 11,000 lines of Isabelle/HOL code). The results show that the model satisfies confidentiality and integrity, and can effectively defend against malicious attacks on partitions.

7.
The concept of common security components and a security-access business modeling method based on service-component integration are proposed. From the business-modeling perspective, following a top-down pattern, the business modules related to the secure access process are extracted, and BPEL is used to design a complete security business access-control process for three kinds of security service components: identity authentication, access authorization and audit confirmation. From the perspective of security development experience, following a bottom-up pattern, a three-layer platform of common security components is built, and the AOP and DI ideas from software engineering are introduced into the component assembly development process to realize scenario-specific, customizable, configuration-based development. Finally, a security authentication system is built from service components and performance-tested against CAS and OpenID to analyze the usability of the service-component-based security-access business modeling method.

8.
曾凡浪, 常瑞, 许浩, 潘少平, 赵永望. Journal of Software, 2023, 34(8): 3507-3526
As a trusted execution environment technology on ARM processors, TrustZone provides an isolated, independent execution environment for security-sensitive programs and data on the device. However, the trusted operating system and all trusted applications run in the same trusted environment, so exploitation of a vulnerability in any component affects the other components in the system. Although ARM has proposed the S-EL2 virtualization technology, which supports establishing multiple isolated partitions in the secure world to mitigate this problem, security threats such as inter-partition information leakage may still exist in a real partition manager. Current partition manager designs and implementations lack rigorous mathematical proofs to guarantee the security of the isolated partitions. This paper studies the ARM TrustZone multiple isolated partition architecture in detail, proposes a refinement-based modeling and security analysis method for TrustZone multiple secure partitions, and completes the modeling and formal verification of the partition manager in the theorem prover Isabelle/HOL. First, a multiple secure partition model RMTEE is built using a layered refinement method: an abstract state machine describes the system running process and security policy requirements, the abstract model of multiple secure partitions is established and instantiated into a concrete model of the partition manager, and the event specification is implemented in the concrete model following the FF-A specification. Second, to address the shortcoming that existing partition manager designs cannot satisfy information flow security verification, DAC-based inter-partition communication access control is designed and applied to the modeling and verification of the TrustZone secure partition manager. Third, it is proved that the concrete model...

9.
In view of the increasingly complex organization of computer network system structures, an intelligent-Agent network security management model based on BDI theory is proposed, which effectively models the concepts of belief, desire and intention. The content and functions of three sub-models, based on security policies, intelligent Agents and security events, are described in detail, and the relationships among them are studied.

10.
In this paper, we present a detailed and systematic overview of communication security aspects of Multi-Processor Systems-on-Chip (MPSoC) and the emerging potential threats on the novel Cloud-of-Chips (CoC) paradigm. The CoC concept refers to highly scalable and composable systems, assembled not only at system design-time using RTL, like traditional SoC, but also at integrated circuit (IC) packaging time thanks to 3D-IC integration technology. Practical implementation of CoC systems needs to solve the problem of scalable, configurable and secure communication not only between different functional blocks in a single IC, but also between different ICs in a single package, between different packages on the same or different PCBs, and even between different systems. To support such an extremely flexible communication infrastructure, CoC systems rely on the Software-Defined Network-on-Chip (SDNoC) paradigm, which combines the design-time configurability of on-chip systems (NoC) with the highly configurable communication of macroscopic systems (SDN). This study first explores security threats and existing solutions for traditional MPSoC platforms. Afterwards, we propose SDNoC as an alternative for MPSoC communication security, and we further extend our discussion to CoC systems to identify additional security concerns. Moreover, we present a comparison of the SDNoC-based approach with existing approaches and discuss its potential advantages.

11.
石文昌. Computer Science, 2004, 31(6): 112-114
Support for security policy flexibility is an important goal pursued by modern secure operating systems, and the security policy lattice provides a good means for studying security policy flexibility. By analyzing the research results of the DTOS project, this paper discusses the basic ideas of the security policy lattice, introduces a security policy lattice designed in the DTOS project, and gives a corrected result for the problems present in that security policy lattice.

12.
Security protocols are used to implement secure communication over open interconnected networks. They are essentially distributed concurrent programs, and process algebra can describe them as concurrent compositions of role processes. Using abstraction methods, the concurrent-composition model of security protocol role processes can be transformed into a logic program; by computing the fixpoint of the logic program, the concurrent interleaved execution of infinitely many sessions of a security protocol can be verified. Based on the Objective Caml language, this paper implements the automatic transformation from the process-algebra description of a security protocol to its logic program.

13.
Service Oriented Architecture (SOA) is considered to be an important enabler of the Internet of Services. By adopting SOA in development, business services can be offered, mediated, and traded as web services, so as to support agile and dynamic business collaborations on the Internet. Business collaboration is often implemented as cross-enterprise processes and involves more than one business entity which agrees to join the collaboration. To enable trustworthy and secure provision of services and service composition across enterprise boundaries, trust between business participants must be established, that is, user identities and access rights must be federated, to support business functions defined in the business processes. This paper proposes an approach which derives trust federation from formally described business process models, such as BPMN and WS-CDL processes, to automate security configuration of business collaborations. The result of the derivation is trust policies which identify trust relationships between business participants and can be enforced in enterprises’ service runtimes with support of a policy deployment infrastructure.

14.
This paper proposes a security model for firewall systems. The model is built on the security services of the firewall system, abstracts the security model as a set of security services, and describes it with a formal method. It focuses on the dynamic characteristics of the security services, the dynamic characteristics of the security model, and the relationship between the security model and the firewall system, and proposes the concepts of the bidirectionality of security services and of the critical service set. The model has been validated in an implemented distributed dynamic firewall prototype system.

15.
Policy hierarchies and automated policy refinement are powerful approaches to simplify administration of security services in complex network environments. A crucial issue for the practical use of these approaches is to ensure the validity of the policy hierarchy: since the policy sets for the lower levels are automatically derived from the abstract policies (defined by the modeller), we must be sure that the derived policies uphold the high-level ones. This paper builds upon previous work on Model-based Management, particularly on the Diagram of Abstract Subsystems approach, and goes further to propose a formal validation approach for the policy hierarchies yielded by the automated policy refinement process. We establish general validation conditions for a multi-layered policy model, i.e. necessary and sufficient conditions that a policy hierarchy must satisfy so that the lower-level policy sets are valid refinements of the higher-level policies according to the criteria of consistency and completeness. Relying upon the validation conditions and upon axioms about the model representativeness, two theorems are proved to ensure compliance between the resulting system behaviour and the abstract policies that are modelled.

16.
Globalization has resulted in outsourcing data, software, hardware and various services. However, outsourcing introduces new security vulnerabilities due to the corporation's limited knowledge and control of external providers operating in foreign countries. Security of operation is therefore critical for effectively introducing and maintaining these business relationships without sacrificing product quality. This paper discusses some of these security concerns for outsourcing. In particular, it discusses security issues pertaining to data-as-a-service and software-as-a-service models as well as supply chain security issues. Relevant standards for data outsourcing are also presented. The goal is for the composite system to be secure even if the individual components that are developed by multiple organizations might be compromised.

17.
Service oriented architectures: approaches, technologies and research issues   Total citations: 15, self-citations: 0, other citations: 15
Service-oriented architecture (SOA) is an emerging approach that addresses the requirements of loosely coupled, standards-based, and protocol-independent distributed computing. Typically business operations running in an SOA comprise a number of invocations of these different components, often in an event-driven or asynchronous fashion that reflects the underlying business process needs. To build an SOA a highly distributable communications and integration backbone is required. This functionality is provided by the Enterprise Service Bus (ESB), an integration platform that utilizes Web services standards to support a wide variety of communication patterns over multiple transport protocols and deliver value-added capabilities for SOA applications. This paper reviews technologies and approaches that unify the principles and concepts of SOA with those of event-based programming. The paper also focuses on the ESB and describes a range of functions that are designed to offer a manageable, standards-based SOA backbone that extends middleware functionality throughout by connecting heterogeneous components and systems and offers integration services. Finally, the paper proposes an approach to extend the conventional SOA to cater for essential ESB requirements that include capabilities such as service orchestration, “intelligent” routing, provisioning, integrity and security of messages, as well as service management. The layers in this extended SOA, in short xSOA, are used to classify research issues and current research activities.

18.
This paper introduces three refinement patterns for algebraic state-transition diagrams (astds): state refinement, transition refinement and loop-transition refinement. These refinement patterns are derived from practice in using astds for specifying information systems and security policies in two industrial research projects. Two refinement relations used in these patterns are formally defined. For each pattern, proof obligations are proposed to ensure preservation of behaviour through refinement. The proposed refinement relations essentially consist in preserving scenarios by replacing abstract events with concrete events, or by introducing new events. Deadlocks cannot be introduced; divergence over new events is allowed in one of the refinement relations. We prove congruence-like properties for these three patterns, in order to show that they can be applied to a subpart of a specification while preserving global properties. These three refinement patterns are illustrated with a simple case study of a complaint management system.

19.
A Java-based security architecture model for Mobile Agents   Total citations: 8, self-citations: 1, other citations: 7
Compared with earlier paradigms of distributed computing, Mobile Agents have become increasingly popular, but the main obstacle to their wide application is the security problems that accompany mobile code. This requires the Mobile Agent system to provide a mechanism that performs access control over server resources, guarantees the security of communication, and protects the Mobile Agent itself. This paper proposes a Java-based security architecture model which implements security policies by creating resource proxies, providing a unified security service interface for Java-based Mobile Agent systems.

20.
IT Professional, 2002, 4(4): 10-13
The author looks at the security measures companies have taken in the wake of the 11 September tragedy. She found that little has changed in the past 10 months. If anything, "business as usual" seems to be the rule; for example, the majority of network administrators still have no comprehensive network security plan. This and other security fundamentals continue to be sorely lacking. Security is not a product; it is a process, and to make digital systems secure, one has to start building processes.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号