A Practical Way of Testing Security Patterns 

Loukmen REGAINIA, Sébastien SALVA

Nice 15/10/2018

ICSEA 2018

  • Implementing secure software
    • ​expertise, knowledge, time consuming
  • Software security is essential and should be considered as early as possible
  • Developers are provided with a plethora of documents:

  1. Vulnerabilities, Attacks,  Weaknesses, etc
  2. Security Principles and best practices
  3. Security Patterns

Introduction

Security patterns

A                           pattern is a generic solution  to a recurrent                          problem

security

security

 SP :=  (C,P,S)

Security patterns

Context

Problem

Solution

Schumacher et al. 2001

Security patterns

A pattern is generic

Must be integrated

Difficult and error prone task

Security patterns

A security pattern is not an island  M. Schumacher et al.

K.Yskout et al.

  1.  LTL, ADTrees

  2. Knowledge base

  3. Method steps

  4. Conclusions and Perspectives

Outline

Linear Temporal Logic (LTL)

Generic :

Instantiated :

Classification Meta-model  

  • Objective :  Classify patterns w.r.t Attack steps and techniques

Attack Defense Trees

An ADTree can be expressed with : 

\wedge^{o/p} ~~~~ Conjunction
o/p    Conjunction\wedge^{o/p} ~~~~ Conjunction
\vee^{o/p}~~~~Disjunction
o/p    Disjunction\vee^{o/p}~~~~Disjunction
\vec{\wedge}^{o/p}~~~Sequential~Conjunction~(SAND)
o/p   Sequential Conjunction (SAND)\vec{\wedge}^{o/p}~~~Sequential~Conjunction~(SAND)
c^{o/p}~~~Countermeasures
co/p   Countermeasuresc^{o/p}~~~Countermeasures

Opponent "o"

Proponent"p"

Algebra (ADTerms):

Graphical:

B.Kordy et al. 2014

ADTree generation 

Meta-model

Method steps

Step 1: Initial ADTree T

  • CAPEC-66: SQL Injection
  • CAPEC-244: XSS Targeting URI Placeholders

Step 2: ADTree Generation

The form of the tree depends on the Knowledge base

Step 2: Final ADTree

Basic Attack Defence Step (BADStep)

T_f
TfT_f

st

sp

c^p(st,sp)
cp(st,sp)c^p(st,sp)

Given, When, Then (GWT) Test Case (TC)

Step 4: Test Suite Generation

SC(T_f),~ is~ the~ set~ of ~clauses~ of~ the~ disjunctive
SC(Tf), is the set of clauses of the disjunctiveSC(T_f),~ is~ the~ set~ of ~clauses~ of~ the~ disjunctive
Let ~\iota(T_f)~ be ~the ~ADTerm~ of ~T_f
Let ι(Tf) be the ADTerm of TfLet ~\iota(T_f)~ be ~the ~ADTerm~ of ~T_f
The ~set ~of ~attack ~scenarios ~of~ T_f,~ denoted
The set of attack scenarios of Tf, denotedThe ~set ~of ~attack ~scenarios ~of~ T_f,~ denoted
normal~form ~of ~\iota(T_f)~over ~BADStep(T_f) ~
normal form of ι(Tf) over BADStep(Tf) normal~form ~of ~\iota(T_f)~over ~BADStep(T_f) ~
TS = \{ TC(b) | b= c^p(st,sp) \in BADstep(s) ~and~ s \in SC(T_f)\}
TS={TC(b)b=cp(st,sp)BADstep(s) and sSC(Tf)}TS = \{ TC(b) | b= c^p(st,sp) \in BADstep(s) ~and~ s \in SC(T_f)\}

Attack Scenario

Test Suite

Test Suite Execution

Final test verdicts

s \in SC(T_f)~a~test~scenario, ~BADStep(s) = \{ b_1,..., b_n\}
sSC(Tf) a test scenario, BADStep(s)={b1,...,bn}s \in SC(T_f)~a~test~scenario, ~BADStep(s) = \{ b_1,..., b_n\}
-Vulnerable(b_i)= true~if~Verdict (TC(b_i)||AUT) \in \{VUL, VUL/VIOLATE\}
Vulnerable(bi)=true if Verdict(TC(bi)AUT){VUL,VUL/VIOLATE} -Vulnerable(b_i)= true~if~Verdict (TC(b_i)||AUT) \in \{VUL, VUL/VIOLATE\}
-\sigma : BADStep(s) \rightarrow \{true, false\}~a ~substitution~\{b_1 \rightarrow (Vulnerable(b_1),...,
σ:BADStep(s){true,false} a substitution {b1(Vulnerable(b1),..., -\sigma : BADStep(s) \rightarrow \{true, false\}~a ~substitution~\{b_1 \rightarrow (Vulnerable(b_1),...,
Vulnerable(b_i)= false~otherwise
Vulnerable(bi)=false otherwise Vulnerable(b_i)= false~otherwise
b_n \rightarrow ~Vulnerable(b_n)\}
bn Vulnerable(bn)}b_n \rightarrow ~Vulnerable(b_n)\}
-Vulnerable(T_f) = true ~~ if ~ \exists~ s ~\in SC(T_f) : eval~(s\sigma) ~ returns ~true
Vulnerable(Tf)=true  if  s SC(Tf):eval (sσ) returns true -Vulnerable(T_f) = true ~~ if ~ \exists~ s ~\in SC(T_f) : eval~(s\sigma) ~ returns ~true
Vulnerable(T_f) = false ~otherwise
Vulnerable(Tf)=false otherwiseVulnerable(T_f) = false ~otherwise

Step 3: Sequence Diagrams

Step 5: LTL Properties Generation

Step 5: LTL Properties Generation

Step 6: Test Verdicts

Traces

Declare2LTL

LTL Properties

Verdicts (Unsat(Sp))

Instrumented Application

Generated TCs

Verdicts (Fail/Pass(St))

TCs Execution

Conclusions 

  • A knowledge  base associating  weaknesses, attacks, security principles, ...
  • Security test cases generation and execution
  • Security patterns behavioral properties (LTL) generation and verification
  • Test Verdicts about vulnerability to attacks and satisfiability of patterns properties

Work In Progress

  • Address Inter patterns relationships
  • Text mining instantiate patterns

Thank you for your attention 

ADTree generation method 1 

ADTree generation method 1 

  1. POS Tagger and stop words definition
  2. Distance matrix with “Jaccard”
  3. Hierarchical clustering with “Ward”

ASSPC

ADTree generation method 2 

Step 3: Security pattern choice

A~BADStep~ b ~is ~an ~ADTerm ~of ~the ~from ~c^p(st,sp),
A BADStep b is an ADTerm of the from cp(st,sp),A~BADStep~ b ~is ~an ~ADTerm ~of ~the ~from ~c^p(st,sp),
defense(b) = \{sp_1~|~b=c^p(st,sp_1)\}\cup
defense(b)={sp1  b=cp(st,sp1)}defense(b) = \{sp_1~|~b=c^p(st,sp_1)\}\cup
\{sp_1,...,sp_m~|b=c^p(st,\wedge^o(sp_1,...,sp_m))\}
{sp1,...,spm b=cp(st,o(sp1,...,spm))}\{sp_1,...,sp_m~|b=c^p(st,\wedge^o(sp_1,...,sp_m))\}

Basic Attack Defence Step (BADStep)

Keep security pattern conjunctions

Step 5: Test suite generation

Test case (TC) example :

Pass_{st}/Fail_{st}
Passst/FailstPass_{st}/Fail_{st}
Pass_{sp}/Fail_{sp}
Passsp/FailspPass_{sp}/Fail_{sp}

Step 5: Test suite generation

A~test~case~TC(b)~is~generated~for~each~b~\in~BADStep(s)
A test case TC(b) is generated for each b  BADStep(s)A~test~case~TC(b)~is~generated~for~each~b~\in~BADStep(s)
\vec{\wedge}^{p}~(c^p~(\vee^p(tech1,tech2,tech3),~\wedge^o(Audit~Interceptor,~Secure~Logger)),
p (cp (p(tech1,tech2,tech3), o(Audit Interceptor, Secure Logger)),\vec{\wedge}^{p}~(c^p~(\vee^p(tech1,tech2,tech3),~\wedge^o(Audit~Interceptor,~Secure~Logger)),
(c^p~(\vee^p(tech1,tech2,tech3,tech4),~\wedge^o(Secure~Logger,~Input~Guard,~Output~Guard)),
(cp (p(tech1,tech2,tech3,tech4), o(Secure Logger, Input Guard, Output Guard)),(c^p~(\vee^p(tech1,tech2,tech3,tech4),~\wedge^o(Secure~Logger,~Input~Guard,~Output~Guard)),
...)
...)...)
SC(T_f)~has~the~form~:~\vec{\wedge}^{p}~(st_1,...,st_n)
SC(Tf) has the form : p (st1,...,stn)SC(T_f)~has~the~form~:~\vec{\wedge}^{p}~(st_1,...,st_n)

BADStep

Test scenario extraction from ADTree using ADTerms

Step 5: Test suite generation

Step 6: Test case completion

Methodology Evaluation results

  • C1: Comprehensibility

Methodology Evaluation results

  • C2: Effectiveness

Methodology Evaluation results

  • C2: Effectiveness

Methodology Evaluation results

  • C3: Efficiency
Made with Slides.com