Security Description Summary

An extension for an architecture description language (ADL) that allows modeling vulnerabilities and access control policies.

Specurity Aspects

Name

Description

Access Control Policies

For considering access control in the attack propagation, we need to model access control policies. These policies can be used to determine whether an attacker could access an architectural element. Our access control model follows the attribute-based access control (ABAC) model.

Specification Elements

Name

Description

PolicySet

A PolicySet can contain multiple Policy elements, PolicySet elements and has an optional target for which it applies. The target is here directly the AllOff element.

Policy

A Policy contains multiple Rule elements and also an optional target.

Rule

The Rule element stores the actual access decision such as permit or deny. These decisions are then propagated upwards to the root PolicySet. Therefore, each element (Policy, PolicySet) also contains combination algorithms. These describe how the different access control decisions are combined. Additionally, the Rules contains again an optional target and the condition for the access decision, which is stored in the Expression.

Expression

The Expression is a function with arbitrary parameters, which returns a boolean value. The parameters can also be functions. For an elaborate list of the available functions, see the XACML standard. Besides the functions of the XACML standard, we also added the SimpleAttributeSelector and the XML-String.

SimpleAttributeSelector

The SimpleAttributeSelector is a wrapper for multiple XACML functions to provide a simple comparison of attributes.

XML-String

The XML-String specifies valid XACML statements. These are later embedded in the XACML file for the analysis.

AllOf

The target definition describes on which elements the PolicySet, Policy, or Rule should be applied. The AllOf consist of multiple Match elements.

EntityMatch

The EntityMatch is for selecting an architectural element of the Palladio Component Model (PCM) .

MethodMatch

The MethodMatch is for selecting a system service. We introduced a new architectural element that links a Palladio Component Model (PCM) AssemblyContext or Connector to a PCM Signature to identify called services. This was necessary because there are currently no elements on the system level in Palladio to identify called services.

GenericMatch

The GenericMatch is used to describe the regular XACML match operation.

XMLMatch

The XMLMatch is an element that enables the security experts to directly write an XACML statement

UsageSpecification

Each UsageSpecification contains a reference to an Attribute and its concrete value as AttributeValue. The UsageSpecification is always used, when we want to reference a concrete attribute in our policy model.

Attribute

An Attribute of the System in the access control model. For instance, the role of a user is the attribute role.

XMLAttribute

An XML extension that provides custom attributes. Security experts can here define custom XACML attributes and custom datatypes, which are not included in our metamodel. They are then later embedded in the XACML file.

AttributeValue

Represents a concrete value of an Attribute. For instance, the concrete role of an user, such as technician, is the attribute value.

Security Aspects
- Access Control Policies
  For considering access control in the attack propagation, we need to model access control policies. These policies can be used to determine whether an attacker could access an architectural element. Our access control model follows the attribute-based access control (ABAC) model.
  Specification Elements:
  AttributeValue
  Attribute
  XMLAttribute
  SimpleAttributeSelector
  UsageSpecification
  PolicySet
  Expression
  Rule
  Policy
  XML-String
  AllOf
  EntityMatch
  MethodMatch
  GenericMatch
  XMLMatch
  Threats:
  Information Disclosure
  Tampering with Data
Specification Elements
- PolicySet
  A PolicySet can contain multiple Policy elements, PolicySet elements and has an optional target for which it applies. The target is here directly the AllOff element.
  Applies to:
- Policy
  A Policy contains multiple Rule elements and also an optional target.
  Applies to:
- Rule
  The Rule element stores the actual access decision such as permit or deny. These decisions are then propagated upwards to the root PolicySet. Therefore, each element (Policy, PolicySet) also contains combination algorithms. These describe how the different access control decisions are combined. Additionally, the Rules contains again an optional target and the condition for the access decision, which is stored in the Expression.
  Applies to:
- Expression
  The Expression is a function with arbitrary parameters, which returns a boolean value. The parameters can also be functions. For an elaborate list of the available functions, see the XACML standard. Besides the functions of the XACML standard, we also added the SimpleAttributeSelector and the XML-String.
  Applies to:
- SimpleAttributeSelector
  The SimpleAttributeSelector is a wrapper for multiple XACML functions to provide a simple comparison of attributes.
  Applies to:
- XML-String
  The XML-String specifies valid XACML statements. These are later embedded in the XACML file for the analysis.
  Applies to:
- AllOf
  The target definition describes on which elements the PolicySet, Policy, or Rule should be applied. The AllOf consist of multiple Match elements.
  Applies to:
- EntityMatch
  The EntityMatch is for selecting an architectural element of the Palladio Component Model (PCM) .
  Applies to:
  Entity
  Component
  Node
  Connection
- MethodMatch
  The MethodMatch is for selecting a system service. We introduced a new architectural element that links a Palladio Component Model (PCM) AssemblyContext or Connector to a PCM Signature to identify called services. This was necessary because there are currently no elements on the system level in Palladio to identify called services.
  Applies to:
  Activity
- GenericMatch
  The GenericMatch is used to describe the regular XACML match operation.
  Applies to:
  Data
- XMLMatch
  The XMLMatch is an element that enables the security experts to directly write an XACML statement
  Applies to:
  Data
- UsageSpecification
  Each UsageSpecification contains a reference to an Attribute and its concrete value as AttributeValue. The UsageSpecification is always used, when we want to reference a concrete attribute in our policy model.
  Applies to:
- Attribute
  An Attribute of the System in the access control model. For instance, the role of a user is the attribute role.
  Applies to:
  Entity
  Data
  State
- XMLAttribute
  An XML extension that provides custom attributes. Security experts can here define custom XACML attributes and custom datatypes, which are not included in our metamodel. They are then later embedded in the XACML file.
  Applies to:
  Entity
  Data
- AttributeValue
  Represents a concrete value of an Attribute. For instance, the concrete role of an user, such as technician, is the attribute value.
  Applies to:
  Data
  State

Attack Propagation

Security Aspects

Access Control Policies

Specification Elements