Cyber Security for Middleware System Architectures

Emilia Colonese1, Jose M. Parente de Oliveira1, Edgar T. Yano1, Joni A. Amorim2, Sten F. Andler2, Per M. Gustavsson3
1 Instituto Tecnológico de Aeronáutica, São José dos Campos, Brazil
2 University of Skövde, Skövde, Sweden
3 Swedish National Defence College, Stockholm, Sweden

Abstract: In most contexts, the word cyber refers to the set of technologies associated with computers and communication infrastructures such as the Internet. The word seems new and modern to the average computer user, but it was extracted from cybernetics, a term coined in 1948 by the U.S. mathematician Norbert Wiener. Cyber security, put simply, is the security approach implemented in the cyber world so that organizations and individuals can minimize the number of successful cyber attacks and similar problems associated with the use of technology. Cyber threats are now relevant not only to organizations and individuals but also to nations, given the many serious security challenges perceived in a continuously changing spectrum of possible threats. Consequently, the traditional war-fighting domains of land, air, sea and space are no longer the only ones nations must consider. With the growing use of networks such as the Internet for different applications, a fifth war-fighting domain is defined: the cyber world. This work considers cyber warfare and security with a focus on middleware system architecture. While acknowledging that cyber security is already addressed at the network level and in cryptographic algorithms, this research-based work advocates that cyber security should be part of the middleware system architecture being modeled. Therefore, the requirements phase for the development of such systems should follow specific characteristics based on properly chosen policies that favor a more successful development. It is expected that, once the policy is followed, the middleware system will act as a cyber security proxy, a new concept in which threats are handled by a specific service. This service shall include the detection of the intentions of the attack and of the attacker; such detection is presented here against the background of information fusion theory. The authors see the main contribution of this work as a proposal on how to consider cyber security in the middleware system architecture. The text discusses the steps needed to incorporate cyber security aspects into the Interoperability Reference Model Architecture (IRMA). IRMA was chosen because it provides an effective communication process among Distributed Real-Time System components; the process reduces architectural layers and development effort thanks to its formalized Reference-Model design. The selection of this framework also benefits from previous research in which IRMA was applied to a Real-Time System prototype to test and validate it. In the present research, the focus is the incorporation of cyber security aspects into IRMA.

Keywords: Architecture; Cyber Security; Interoperability; Middleware; Real-Time System.

1. Introduction

Critical and distributed systems rely heavily on architectures built around middleware systems, which in turn rely on publish/subscribe paradigms and gateways to manage the interaction among system components. The configuration process is excessively complex because of a growing number of operation rules that are not standardized to satisfy the strict requirements of cyber security. These rules, where present, exist in several layers of these middleware systems and carry the new requirements specification of the cyber security domain. Since a single middleware component can span many layers to achieve interoperability across different system domains, semantics, programming languages and operational platforms, a solution that provides both lighter interoperability and security against cyber attacks is widely sought by the computer architecture community. To complicate matters further, many rule combinations are semantically invalid and may result in system failures, an unacceptable cost for critical systems.

As a result, security mechanisms against real-time cyber attacks in commercial off-the-shelf middleware adopted in Real-Time System (RTS) architectures require new components developed specifically for them. They may also involve a large number of existing components designed under different assumptions, with different features for security, reliability, resource allocation, real-time behavior, fault tolerance and protocols. Together, these components increase the complexity of the middleware architectural layers, which may expose the target critical system to undesirable performance effects and compromise its reliability. The aim of this work is to introduce the security aspect into the Interoperability Reference Model Architecture, IRMA (Colonese, 2010), presented in Figure 1, for critical distributed and embedded RTS, so that cyber attacks are avoided while a robust validation of the proposed architecture is achieved.

Figure 1: Interoperability Reference Model Architecture.

2. Service-based Middleware

When the middleware design follows a specialization approach for a specific domain such as critical systems, its architecture is optimized for specialized requirements. The interoperability solution for critical RTS proposed by IRMA is based on services rather than objects. IRMA CORE provides service-based interoperability by introducing a standardized mechanism for the message exchange process that uses an ontology for interoperability, policy-based functionality and a combination of architectural patterns to give a high-level description of a middleware system. Interoperability is therefore accomplished by the IRMA CORE and its interface, which in this case consists of a semantic protocol and a message format. From the early phases of the development process, the design avoids unnecessary architectural layers for system interactions and so improves overall system performance. The IRMA architectural approach eliminates the mandatory use of middleware as a complex, generic and isolated component and implements lighter communication among components by using:

- a combination of architectural patterns for computer systems (Buschmann et al., 1996; Douglass, 2003);
- policy-based development (Wohlstadter et al., 2004);
- a combination of software development processes (Jacobson et al., 1999; Ambler, 2002; Cockburn, 2002);
- ontology specifications for computer system interoperability (Obrst, 2003; Calero et al., 2006);
- design-pattern specifications (Douglass, 1999; Douglass, 2003; Gamma et al., 2005);
- common knowledge of system functionalities in a shared data model (Colonese, 2010); and
- semantics for data/information in interfaces and protocols (Colonese, 2010).

The architectural paradigms used in the IRMA infrastructure are highly adaptable in their ability to support different architectural styles (roles) and to realize loosely coupled interoperability implementations among system components. Components can be added and removed independently, without any change to other components. Data-flows of services can be created, used and finished by a component according to Event-Condition-Action (ECA) policy rules, without requiring changes to existing components. Data paths are automatically established between the components of a service and are managed by the IRMA infrastructure.

3. IRMA with cyber security aspect

Developing this aspect requires attaching security tags to all exchanged data, so that users and data can be tracked and controlled throughout the system while security policies are taken into account. The enhanced IRMA, that is, IRMA with the security aspect, is presented in Figure 2.
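The following is an added example, not code from the paper or from the IRMA framework, showing how the ECA policy rules of Section 2 and the security tags just introduced can be combined into the "cyber security proxy" the abstract describes: every message carries a tag, rules are evaluated first-match-wins in front of the receiving component, and any message no rule admits is rejected and reported, with its data, to a security service. The tag fields, the classification ladder, the rule set, the component names and the messages are assumptions constructed for the example.

```python
"""Added example (not the paper's code): an ECA policy check over security-tagged
messages, acting as a cyber security proxy in front of an IRMA component.
The tag fields, rule set, component and message contents are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Assumed classification ladder for the security tag, lowest to highest.
LEVELS: Dict[str, int] = {"unclassified": 0, "restricted": 1, "secret": 2}


@dataclass(frozen=True)
class SecurityTag:
    subject: str   # user or component that produced the message
    level: str     # classification of the payload
    domain: str    # originating system domain


@dataclass(frozen=True)
class Message:
    event: str     # event type carried by the message
    tag: SecurityTag
    payload: dict


@dataclass(frozen=True)
class Component:
    name: str
    clearance: str
    accepted_events: frozenset    # events the component's contract allows
    trusted_domains: frozenset    # domains it may receive from


@dataclass(frozen=True)
class Rule:
    """Event-Condition-Action rule; the first rule whose condition holds wins."""
    event: str                                    # "*" matches any event
    condition: Callable[[Message, Component], bool]
    action: str                                   # "deliver" or "reject"
    reason: str                                   # reported with a rejection


@dataclass
class SecurityServer:
    """Stand-in for the paper's cyber security service: it only records alerts."""
    alerts: List[dict] = field(default_factory=list)

    def report(self, msg: Message, comp: Component, reason: str) -> None:
        self.alerts.append({"component": comp.name, "event": msg.event,
                            "subject": msg.tag.subject, "domain": msg.tag.domain,
                            "reason": reason})


class Proxy:
    def __init__(self, rules: List[Rule], server: SecurityServer):
        self.rules = rules
        self.server = server

    def dispatch(self, msg: Message, comp: Component) -> str:
        """Return "delivered" or "rejected"; every rejection is reported."""
        for rule in self.rules:
            if rule.event in ("*", msg.event) and rule.condition(msg, comp):
                if rule.action == "reject":
                    self.server.report(msg, comp, rule.reason)
                    return "rejected"
                return "delivered"
        # Default deny: a message no rule explicitly admits is a "wrong" event.
        self.server.report(msg, comp, "no rule admits this event")
        return "rejected"


def default_rules() -> List[Rule]:
    """Assumed rule set: contract check, origin check, clearance check, then admit."""
    return [
        Rule("*", lambda m, c: m.event not in c.accepted_events,
             "reject", "event outside the component contract"),
        Rule("*", lambda m, c: m.tag.domain not in c.trusted_domains,
             "reject", "untrusted origin domain"),
        # An unknown level is treated as the highest, so it is rejected.
        Rule("*", lambda m, c: LEVELS.get(m.tag.level, len(LEVELS)) > LEVELS[c.clearance],
             "reject", "payload classification exceeds component clearance"),
        Rule("*", lambda m, c: True, "deliver", "admitted"),
    ]


def run_demo() -> Tuple[List[str], List[dict]]:
    """Dispatch three constructed messages to one component; return outcomes and alerts."""
    server = SecurityServer()
    proxy = Proxy(default_rules(), server)
    tracker = Component("tracker", "restricted",
                        frozenset({"position_update"}), frozenset({"radar"}))
    ok = SecurityTag("radar-1", "restricted", "radar")
    msgs = [
        Message("position_update", ok, {"x": 1.0, "y": 2.0}),                       # valid
        Message("position_update", SecurityTag("radar-1", "secret", "radar"), {}),  # over-classified
        Message("fire_command", ok, {}),                                             # outside contract
    ]
    outcomes = [proxy.dispatch(m, tracker) for m in msgs]
    return outcomes, server.alerts


if __name__ == "__main__":
    for outcome, alert in zip(*run_demo()):
        print(outcome, alert)
```

The rejection path never advances the component's workflow, which matches the paper's intent that a wrong event leaves the receiving node unchanged; the ordering of the rules matters, since the first matching condition decides the action, so the default-admit rule must stay last.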

Figure 2: Enhanced Interoperability Reference Model Architecture.

To include the cyber security aspect in IRMA, the IRMA framework is refined and extended with the new aspect. The extension includes:

- IRMA CORE modification: the contract that dictates the rules for exchanging messages among system components is extended with new rules. This contract is an intrinsic part of the system, and the extension yields a controlled and secure workflow for an IRMA-based system, defined by the ECA rules embedded in the message content, which ensures the correct execution of interoperable components while avoiding cyber attacks;
- a new Service Server to deal with the security aspect. This new service is the business model for the cyber security service; and
- IRMA Interface modification: new attributes and classes in the shared data models and in the protocol classes to deal with the new aspect.

After these refinements, the IRMA formal model is represented as timed automata. The IRMA timed automata are then adapted and entered into the UPPAAL model checker (Figure 3) to verify the model, validating the reachability, safety and liveness properties of the enhanced IRMA framework. The IRMA framework modeled in UPPAAL is a network of timed automata (TA) that interact with one another. In the semantic interpretation, a transition is labeled either with an action (an instantaneous switch from the current node to another) or with a positive real number, i.e. a time delay (the automaton stays within a node and lets time pass). The cyber security rules are implemented so that, if a "wrong" event arrives at any node, the automaton stays within the same node and triggers an action to the cyber security server along with the suspicious event data. The interactions are obtained by parallel composition of the automata, using the CCS parallel composition operator, which allows interleaving of actions as well as handshake synchronization. The network of timed automata supports verification; reachability analysis is a particularly desirable feature, as it gives the most relevant proof: that no conversational deadlock occurs and that the correct conversational patterns are performed. As a result, interaction can be modeled through timed word sequences obtained by applying the CCS parallel composition operator to a predefined network of timed automata.
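As an added example, not the paper's UPPAAL model, the block below performs the reachability analysis described above on a small network of automata composed CCS-style: internal actions interleave, and a send on channel c (c!) fires only in handshake with a receive (c?) in another automaton. Clocks are deliberately omitted, so this is the untimed skeleton of what UPPAAL explores. The three automata (a client, the IRMA core and the cyber security server), their locations and channel names are assumptions made for the example; the core models the "wrong event" rule by reporting the event and returning to the node it was in rather than advancing the workflow.

```python
"""Added example (not the paper's model): explicit-state reachability over a network
of automata under CCS-style parallel composition (interleaving plus a!/a? handshake).
Clocks are omitted; automata, locations and channel names are assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

State = Tuple[str, ...]   # one current location per automaton, in network order


@dataclass(frozen=True)
class Automaton:
    name: str
    initial: str
    transitions: Tuple[Tuple[str, str, str], ...]   # (source, label, target)

    def out(self, loc: str) -> List[Tuple[str, str]]:
        return [(label, dst) for src, label, dst in self.transitions if src == loc]


def successors(autos: List[Automaton], state: State) -> List[Tuple[str, State]]:
    """Global successors: 'tau' moves interleave; 'c!' in one automaton fires only
    together with 'c?' in another (binary handshake, as with CCS/UPPAAL channels)."""
    succ: List[Tuple[str, State]] = []
    for i, a in enumerate(autos):
        for label, dst in a.out(state[i]):
            if label == "tau":
                new = list(state); new[i] = dst
                succ.append((f"{a.name}.tau", tuple(new)))
            elif label.endswith("!"):
                chan = label[:-1]
                for j, b in enumerate(autos):
                    if j == i:
                        continue
                    for other, dst2 in b.out(state[j]):
                        if other == chan + "?":
                            new = list(state); new[i] = dst; new[j] = dst2
                            succ.append((chan, tuple(new)))
    return succ


def explore(autos: List[Automaton]) -> Tuple[Set[State], List[State]]:
    """Breadth-first reachability; returns all reachable states and the deadlocked ones
    (reachable states with no enabled transition)."""
    init: State = tuple(a.initial for a in autos)
    seen = {init}
    queue = deque([init])
    deadlocks: List[State] = []
    while queue:
        s = queue.popleft()
        nxt = successors(autos, s)
        if not nxt:
            deadlocks.append(s)
        for _, t in nxt:
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, deadlocks


def reachable(autos: List[Automaton], pred: Callable[[State], bool]) -> bool:
    """The E<> query of UPPAAL: does some reachable global state satisfy pred?"""
    seen, _ = explore(autos)
    return any(pred(s) for s in seen)


def irma_model(with_security_server: bool) -> List[Automaton]:
    """Assumed network: a client, the IRMA core and, optionally, the security server."""
    client = Automaton("Client", "idle", (
        ("idle", "req!", "waiting"),
        ("waiting", "resp?", "idle"),
        ("idle", "bad!", "idle"),          # a message that violates the contract
    ))
    core = Automaton("Core", "ready", (
        ("ready", "req?", "busy"),
        ("busy", "resp!", "ready"),
        ("ready", "bad?", "alerting"),     # wrong event: the workflow does not advance;
        ("alerting", "alert!", "ready"),   # it is reported and the node is re-entered
    ))
    autos = [client, core]
    if with_security_server:
        autos.append(Automaton("SecServer", "listening",
                               (("listening", "alert?", "listening"),)))
    return autos


if __name__ == "__main__":
    for present in (True, False):
        states, dead = explore(irma_model(present))
        print(f"security server present={present}: {len(states)} states, deadlocks={dead}")
    print("attack detected:", reachable(irma_model(True), lambda s: s[1] == "alerting"))
```

With the security server present the composition has three reachable states and no deadlock; remove the server and the state in which the core is alerting has no partner for its alert! handshake, which the exploration reports as a deadlock. That is exactly the kind of "conversational deadlock" the paper's reachability analysis is meant to rule out, and it is a property of the model only: a verified model says nothing about an implementation that deviates from it.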

Figure 3: Enhanced IRMA formal model verification and validation.

4. Conclusion

Considering the validation and verification of the formal model, the simulation outputs allow the defined system properties and the correctness of the model analysis to be verified. Consequently, the enhanced IRMA is formally validated at the conceptual and design levels, which assures that the reachability, safety and liveness properties were not violated. It also validates, at the service level of the model, the avoidance of a cyber attack. The main outcome of this proposal is a methodology for including the cyber security aspect at the conceptual and design level of safety-critical system models that have architectural features similar to the IRMA model. In addition to the main result, future work will identify the main requirements of a cyber security component to be used in a safety-critical system.

Acknowledgements

The authors would like to thank the following organizations for their support: Instituto Tecnológico de Aeronáutica (ITA) in Brazil, University of Skövde (HiS) in Sweden, Swedish National Defence College (SNDC) in Sweden, Saab Group in Sweden and the National Council for Scientific and Technological Development (CNPq) in Brazil.

References

Ambler, S. W. (2002). Agile Modeling: Best Practices for the Unified Process and Extreme Programming. New York: John Wiley & Sons.
Buschmann, F.; Meunier, R.; Rohnert, H.; Sommerlad, P.; Stal, M. (1996). A System of Patterns: Pattern-Oriented Software Architecture. New York: John Wiley & Sons.
Calero, C.; Ruiz, F.; Piattini, M. (2006). Ontologies for Software Engineering and Software Technology. Springer-Verlag.
Cockburn, A. (2002). Agile Software Development. Addison-Wesley.
Colonese, E. (2010). A New Architectural Approach for Interoperability of Real-Time System Components. Ph.D. Thesis, Instituto Tecnológico de Aeronáutica (ITA).
Douglass, B. P. (1999). Doing Hard Time: Developing Real-Time Systems with UML, Objects, Frameworks and Patterns. Addison-Wesley.
Douglass, B. P. (2003). Real-Time Design Patterns: Robust Scalable Architecture for Real-Time Systems. Addison-Wesley.
Gamma, E.; Helm, R.; Johnson, R.; Vlissides, J. (2005). Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley.
Jacobson, I.; Booch, G.; Rumbaugh, J. (1999). The Unified Software Development Process. Addison-Wesley.
Obrst, L. (2003). Ontologies for Semantically Interoperable Systems. In: Proceedings of the 12th ACM International Conference on Information and Knowledge Management, Louisiana, USA.
Wohlstadter, E.; Tai, S.; Mikalsen, T.; Rouvellou, I.; Devanbu, P. (2004). GlueQoS: Middleware to Sweeten Quality-of-Service Policy Interactions. In: Proceedings of the 26th International Conference on Software Engineering, United Kingdom.