A connector-centric approach to architectural access control

  • Authors: Richard N. Taylor; Jie Ren
  • Affiliations: University of California, Irvine; University of California, Irvine

  • Year: 2006

Abstract

An important problem is the architectural access control question: how can we describe and check access control issues at the software architecture level? We propose a connector-centric approach for software architectural access control. Our approach is based on a unified access control model incorporating the classic model, the role-based model, and the trust management model. We design a secure software architecture description language, Secure xADL, that extends the xADL language with constructs necessary to describe access control issues. Secure xADL extends descriptions of components, connectors, their types, sub-architectures, and the global architecture with subject, principal, permission, resource, privilege, safeguard, and policy. We use the XACML language as the basis for architectural security policy modeling. Four types of contexts for architectural access control are also identified: (1) the nearby constituents of components and connectors, (2) the types of components and connectors, (3) the containing sub-architecture, and (4) the global architecture. We present an algorithm to check architectural access control: given a secure software architecture description written in Secure xADL, if a component A wants to access another component B, should the access be allowed? Tool support is provided as part of the ArchStudio architecture development environment, including an editor, a checker, the secure architecture controller, and a run-time framework enabling important architectural operations: instantiating components and connectors, connecting components to connectors, and message routing. Connectors play a central role in our approach. They can propagate privileges within the architecture, decide whether architectural connections can be made, and route messages according to their security policies. 
Our hypotheses are: an architectural connector may serve as a suitable construct to model architectural access control; the connector-centric approach can be applied to different types of componentized and networked software systems; the access control check algorithm can check the suitability of accessing interfaces; in an architecture style based on event routing connectors, our approach can route events in accordance with the secure delivery requirements. To validate these hypotheses, we have performed an informal analysis of the algorithm, developed two applications, Secure Coalition and Impromptu, and modeled the security architecture of Firefox and DCOM.
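The access check described above, as an added illustration that is not the dissertation's code and not the Secure xADL schema: a toy model in which a connector can propagate a privilege to the calling component, and otherwise the four contexts (the connector as nearby constituent, the target's type, the containing sub-architecture, the global architecture) are consulted innermost first until one holds an applicable rule. The innermost-first precedence, the (subject, permission, resource) rule format and the sample architecture are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    # XACML-like rules keyed by (subject, permission, resource); "*" is a wildcard.
    rules: dict = field(default_factory=dict)
    def evaluate(self, subject, permission, resource):
        for (s, p, r), effect in self.rules.items():
            if s in (subject, "*") and p in (permission, "*") and r in (resource, "*"):
                return effect             # "Permit" or "Deny"
        return None                       # no rule applies in this context

@dataclass
class Component:
    name: str
    type_name: str
    subject: str                          # principal the component acts as
    sub_arch: str                         # containing sub-architecture

@dataclass
class Connector:
    name: str
    propagated: dict = field(default_factory=dict)  # subject -> {(permission, resource)}

class Architecture:
    # policies is keyed by context: ("connector", name), ("type", name), ("sub", name), ("global",)
    def __init__(self, policies):
        self.policies = policies
    def check_access(self, src, dst, conn, permission):
        subject, resource = src.subject, dst.name
        # A privilege the connector propagates to the caller settles the question outright.
        if (permission, resource) in conn.propagated.get(subject, set()):
            return True
        # Otherwise consult the four contexts innermost first; the first applicable rule wins.
        for key in [("connector", conn.name), ("type", dst.type_name),
                    ("sub", dst.sub_arch), ("global",)]:
            effect = self.policies.get(key, Policy()).evaluate(subject, permission, resource)
            if effect is not None:
                return effect == "Permit"
        return False                      # no applicable rule anywhere: deny by default

def example():  # constructed sample architecture, not taken from the dissertation
    arch = Architecture({("type", "Store"): Policy({("guest", "*", "*"): "Deny"}),
                         ("sub", "core"): Policy({("*", "read", "*"): "Permit"}),
                         ("global",): Policy({("*", "*", "*"): "Deny"})})
    admin, guest = Component("Admin", "UI", "admin", "front"), Component("Guest", "UI", "guest", "front")
    store = Component("Store1", "Store", "svc", "core")
    bus = Connector("Bus", propagated={"admin": {("write", "Store1")}})
    return {f"{c.subject}_{p}": arch.check_access(c, store, bus, p)
            for c, p in [(admin, "write"), (guest, "read"), (admin, "read"), (admin, "delete")]}
```

In the sample, the admin's write succeeds only because the connector propagates that privilege, the guest's read is denied by the type-level rule even though the sub-architecture would permit reads, and the admin's delete falls through to the global deny.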