Wednesday, December 7, 2011

Vulnerability Analysis in SOA-based Business Processes

95. Vulnerability Analysis in SOA-based Business Processes
Abstract:

Business processes and services can more flexibly be combined when based upon standards. However, such flexible compositions practically always contain vulnerabilities, which imperil the security and dependability of processes. Vulnerability management tools require patterns to find or monitor vulnerabilities. Such patterns have to be derived from vulnerability types. Existing analysis methods such as attack trees and FMEA result in such types yet require much experience and provide little guidance during the analysis. Our main contribution is ATLIST, a new vulnerability analysis method with improved transferability. Especially in service-oriented architectures, which employ a mix of established web technologies and SOA-specific standards, previously observed vulnerability types and variations thereof can be found. Therefore, we focus on the detection of known vulnerability types by leveraging previous vulnerability research. A further contribution in this respect is the, to the best of our knowledge, most comprehensive compilation of vulnerability information sources to date. We present the method to search for vulnerability types in SOA-based business processes and services. Also, we show how patterns can be derived from these types, so that tools can be employed. An additional contribution is a case study, in which we apply the new method to a SOA-based business process scenario.


Existing System:

Typically, vulnerability types have to be manually derived before tools can employ the corresponding vulnerability patterns for automated analyses. Fault/attack trees and FMEA are two prominent representatives of manual analysis methods. The strength of these methods is that they leave much room for the security expert to apply subjective skills and personal experience, enabling the discovery even of completely new types of vulnerabilities. Two decades ago, Neumann and Parker observed that most attacks use long-known techniques, and that the exploited vulnerabilities are reincarnated in new IT systems. One decade later, Arbaugh et al.analyzed CERT/CC incident data and found that most exploits happen through widely known vulnerabilities.


Disadvantages of Existing System:

Creativity and experience is required to find and scrutinize the relevant chains of effects. Also, the selection of components to be included in the analysis is of the same high importance and difficulty for both methods.

Proposed System:

Our recent analysis of several sources such as confirms that new types of vulnerabilities are very rare. Particularly in a SOA, where a mix of established web technologies and SOA-specific standards is employed, we expect that the majority of vulnerabilities will be of a previously observed type or a variation thereof. This presumption is maintained by, we propose ATLIST, a new vulnerability analysis method. The name stands for “attentive listener” as the method was developed during and for the analysis of SOA service orchestrations. ATLIST was designed to make use of the central SOA notions, namely re-usability, flexibility, and extensive use of standards. It facilitates the detection of known vulnerability types, and enables the derivation of vulnerability patterns for tool support. ATLIST is applicable to business processes composed of services as well as to single services.

Advantages of Proposed System:

ATLIST explicitly builds upon the vulnerability knowledge extracted from various sources, and that it focuses on known vulnerability types rather than completely new ones.

ATLIST offers better transferability than previous methods by guiding the analysis with a set of analysis elements. These elements are instantiated for the system at hand, so that an ATLIST tree can be build in a guided and repeatable manner.

Architecture:



Modules:

·       Vulnerability analysis
·       Discovering vulnerability type
·       Providing Guidance for Vulnerability

Modules Description:

Vulnerability analysis:

Vulnerability analysis supports avoiding, finding, fixing, and monitoring vulnerabilities. First, a specific attack is selected for analysis. Then, possible causes are refined until the fundamental vulnerabilities of the causal chain have been identified. The idea is that the analyst will not only be able to identify known vulnerabilities in the system, but because of creativity and experience might also find new types of vulnerabilities..

Discovering vulnerability type:

Vulnerabilities can be classified into the following types:

Access Control Vulnerabilities:

It is an error due to the lack of enforcement pertaining to users or functions that are permitted, or denied, access to an object or a resource. Files, objects, or processes can be accessed directly without authentication or routing.

Authentication Vulnerabilities

It is an error due to inadequate identification mechanisms so that a user or a process is not correctly identified. An unauthorized, or less privileged user (for example, Guest user), or a less privileged process gains higher privileges or weak password.

Boundary Condition Vulnerabilities

 Buffer overflow is a vulnerability where the boundary limits for an entity such as variables and constants are not properly defined or checked. This can be compromised by supplying data which is greater than what the entity can hold. These results in a memory spill over into other areas and thereby corrupt the instructions or code that need to be processed by the microprocessor.

Input Validation Vulnerabilities

It is an error due to a lack of verification mechanisms to validate the input data or contents. Due to poor input validation, access to system-privileged programs may be obtained.    

Providing Guidance for Vulnerability:

Providing guidance in the form of analysis elements as well as instructions and suggestions on their instantiation, they only suggest an analysis direction, either top down or bottom-up - and thereby cause a broad analysis. While this has the benefit of possibly leading to the discovery of new vulnerability types, it purely depends on the analyst’s experience whether known types are included in the analysis or not. ATLIST, on the other hand, guides the analyst towards known vulnerability types.

System Requirements:

Hardware Requirements:

Processor         :         Intel Duel Core.
Hard Disk        :         60 GB.
Floppy Drive   :         1.44 Mb.
Monitor           :         LCD Colour.
Mouse             :         Optical Mouse.
RAM               :         512 Mb.

Software Requirements:

Operating system      :         Windows XP.
Coding Language      :         ASP.Net with C#
Data Base                 :         SQL Server 2005

REFERENCE:

Lutz Lowis and Rafael Accorsi, “Vulnerability Analysis in SOA-based Business Processes”, IEEE Transactions Service Computing, Vol. 60, No.2, Aug. 2011.

No comments:

Post a Comment