Abstract
More and more connected systems gather and exchange data. This allows building smarter, more efficient and overall better systems. However, the exchange of data also raises questions regarding the confidentiality of these systems. Design notions such as Security by Design or Privacy by Design help to build secure and confidential systems by considering confidentiality already at design time. During design time, different analyses can support the architect. However, essential properties that impact confidentiality, such as the deployment, might be unknown at design time, leading to structural uncertainty about the architecture and its confidentiality. Structural uncertainty in the software architecture represents unknown properties about the structure of the software architecture, for instance the deployment or the actual implementation of a component. For handling this uncertainty, we combine a design space exploration and optimization approach with a dataflow-based confidentiality analysis. This helps to estimate the confidentiality of an architecture under structural uncertainty. We evaluated our approach on four application examples. The results indicate a high accuracy regarding the found confidentiality violations.
This work was supported by the German Research Foundation (DFG) under project number 432576552, HE8596/1-1 (FluidTrust), as well as by funding from the topic Engineering Secure Systems (46.23.03) of the Helmholtz Association (HGF) and by KASTEL Security Research Labs. Additionally, it was supported by the Czech Science Foundation project 20-24814J, and also partially supported by Charles University institutional funding SVV 260451.
Acknowledgement
We would like to thank Oliver Liu, who helped in developing this approach during his Bachelor thesis.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Walter, M. et al. (2022). Architectural Optimization for Confidentiality Under Structural Uncertainty. In: Scandurra, P., Galster, M., Mirandola, R., Weyns, D. (eds) Software Architecture. ECSA 2021. Lecture Notes in Computer Science, vol 13365. Springer, Cham. https://doi.org/10.1007/978-3-031-15116-3_14
DOI: https://doi.org/10.1007/978-3-031-15116-3_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15115-6
Online ISBN: 978-3-031-15116-3
eBook Packages: Computer Science (R0)