An extensible pattern-based library and taxonomy of security threats for distributed systems
Introduction
Over the last decade distribution has become one of the main characteristic features of software systems, prompted in large measure by the expanding needs of businesses, scientific organizations and individuals who wish to collaborate across geographical distances, share data and resources or simply perform computations remotely. To support such features, however, the corresponding systems must often span untrusted networks – with the Internet being a prime example – making them susceptible to a wide range of attacks both at the individual host and network levels. Security attributes, therefore, are among the most important quality attributes for distributed systems operating in untrusted environments, and have consequently received much attention over the years [1], [2], [3], [4]. To incorporate these attributes during the development of a distributed system, whether using a systematic approach (i.e. a methodology [5]) or in some ad-hoc fashion, requires the introduction of a number of security measures, which, in turn, are the result of analyzing the potential attacks or threats to a system in a given context. This analysis process is often termed threat modeling [6], [7], and is performed during the requirements analysis stage, the design stage, or both. In all cases the process generally requires developers to conjecture possible attacks to different assets or parts of a system, to assess their risk and likelihood, and to determine at a high level how they could potentially be mitigated.
Conducting threat modeling usually requires a sound knowledge of a system's technical domain and sufficient security expertise to consider both generic and specific attacks for various system- and/or technology-specific contexts. These security knowledge requirements can leave most “off-the-street” developers estranged (cf. [8]), with the net result that threat modeling is not performed or, when performed, is performed sub-optimally or with significant effort involved (cf. [9]). As Dhillon [9] points out, a threat library that collects common threats to a given system-/technology-specific context can greatly enhance the efficacy of the threat modeling process and hence put it back, so to speak, on the project map. A threat library such as the one used at EMC [9], or even by Microsoft for web applications [10], can also go a long way in educating developers about common threats, rendering future threat modeling tasks easier.
Despite their value, threat libraries encompass only a set of specific, pre-defined threats, making the discovery of new threats, or of the same threats in different architectural contexts, more difficult. In this respect the use of threat or attack taxonomies such as Microsoft's STRIDE [7] (an acronym for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege) can be more useful, since they allow an arbitrary number of threats to be considered that fall within one or more categories. However, most taxonomies are either at a very high level of abstraction and hence require significant security expertise to identify appropriate threats (cf. [9] for STRIDE), or are simply not appropriate for threat modeling, or indeed for any form of security assessment, in the first place [11]. Those that are appropriate for security assessment and at the right level of abstraction are not necessarily useful during the earlier stages of the SDLC (e.g. they consider post-design vulnerabilities), do not provide appropriate categories for threat modeling, or are relevant only to specific contexts (see [11] for a broad overview and references). Finally, the taxonomies referred to above, excepting STRIDE, are taxonomies of vulnerabilities and attacks, not of threats, which is a subtle but important difference (e.g. unsafe code execution is a single threat that is realized by multiple distinct attacks in different contexts).
In this paper we combine the values of threat libraries and threat taxonomies and propose what we term (with some risk of using terminology loosely) a pattern-based threat taxonomy for (general) distributed systems. In our approach, each threat is encapsulated in a new type of pattern (see [12]) called a threat pattern, which can be customized and instantiated in particular architectural contexts to define specific threats to a system. This allows developers to quickly consider a range of relevant threats in various architectural contexts as befits a threat library, increasing the efficacy of, and reducing the expertise required for, threat modeling. Threat patterns can also be related to corresponding misuse patterns [13], which can detail the attacks realizing a particular threat and educate developers. The (base) taxonomy aims to classify a wide variety of more abstract, system- and technology-independent threats, which keeps the number of threats requiring consideration during a threat modeling process manageable, increases the taxonomy's applicability, and makes it both more practical and more useful for security novices and experts alike. Employing patterns also helps to establish a common domain vocabulary, promoting the use of consistent threat names and concepts by developers in their everyday security-related work.
Despite the breadth of our taxonomy, each distributed system type, and even the technologies employed to realize a system, can create a variety of specific threats, which may not be explicitly present among our proposed threat patterns, or, more precisely, may not be present at the base level of abstraction. To solve this problem, we propose a simple and effective method to extend threat taxonomies by specializing one or more threat patterns to new system-/technology-specific contexts. This allows for the construction of application-specific taxonomies by taking the union of the set of relevant system-/technology-specific taxonomies, which in turn allows developers to consider the widest range of applicable threats in any given architectural context. We demonstrate our approach to specialization by constructing a threat taxonomy for peer-to-peer systems.
The latter example also demonstrates the purely “taxonomic” feature of our proposal, where each pattern in the taxonomy for distributed systems acts as a “category” for more specialized patterns and pattern instances. This feature allows known threats to be classified in a way that has value during system development: specific attacks such as the Code Red worm, the SQL Slammer worm and, indeed, thousands of others can be seen more abstractly as collections of individual threats (scanning, probing, injection, etc.), which require mitigation irrespective of whether they are launched against a system automatically (by malicious software) or manually (by malicious hackers).
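To make the specialization and classification described in the two preceding paragraphs concrete, the following is an added illustration in Python; it is not code from the paper, and the pattern names used as data are constructed for the example (the paper's own P2P patterns are not reproduced here). A base pattern carries the context "distributed"; specializing it yields a pattern for a narrower context (here "p2p" or "web") that keeps a link to its parent. An application-specific taxonomy is then the union of the base patterns and every specialization whose context the system actually has, and a concrete attack, expressed as the individual threats it realizes, is classified back to base categories by following each pattern's chain of parents.

```python
"""Toy model of an extensible, pattern-based threat taxonomy.

Added example: patterns below are illustrative data, not the paper's taxonomy.
"""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Set, Tuple

BASE_CONTEXT = "distributed"  # context of the base (system-independent) taxonomy


@dataclass(frozen=True)
class ThreatPattern:
    """An abstract threat bound to an architectural context.

    A specialized pattern points at the pattern it refines, so its category
    is found by walking the parent chain up to a base pattern.
    """
    name: str
    context: str
    parent: Optional["ThreatPattern"] = None

    def lineage(self) -> Iterator["ThreatPattern"]:
        node: Optional[ThreatPattern] = self
        while node is not None:
            yield node
            node = node.parent

    def base(self) -> "ThreatPattern":
        """The base-taxonomy pattern this one ultimately specializes."""
        *_, root = self.lineage()
        return root

    def is_a(self, other: "ThreatPattern") -> bool:
        """True if `other` is this pattern or one of its ancestors."""
        return any(p == other for p in self.lineage())


def specialize(parent: ThreatPattern, name: str, context: str) -> ThreatPattern:
    """Refine `parent` for a more specific system/technology context."""
    return ThreatPattern(name=name, context=context, parent=parent)


def derive_taxonomy(library: Iterable[ThreatPattern], contexts: Set[str]) -> Set[ThreatPattern]:
    """Application-specific taxonomy: the base patterns plus the union of all
    specializations whose context the system under analysis exhibits."""
    return {p for p in library if p.context == BASE_CONTEXT or p.context in contexts}


def classify(threat_names: Iterable[str],
             taxonomy: Set[ThreatPattern]) -> Tuple[List[str], List[str]]:
    """Map the individual threats making up a concrete attack to base categories.

    Returns (sorted base category names, names not found in the taxonomy), so a
    gap in the threat library is visible rather than silently dropped.
    """
    by_name = {p.name: p for p in taxonomy}
    categories = {by_name[t].base().name for t in threat_names if t in by_name}
    unknown = [t for t in threat_names if t not in by_name]
    return sorted(categories), unknown


# Constructed sample library. Base names follow the threats mentioned in the text;
# the specializations are hypothetical and serve only to show the mechanism.
SCANNING = ThreatPattern("Scanning", BASE_CONTEXT)
INJECTION = ThreatPattern("Injection", BASE_CONTEXT)
UNSAFE_EXEC = ThreatPattern("Unsafe code execution", BASE_CONTEXT)
P2P_PEER_ENUM = specialize(SCANNING, "Peer enumeration via overlay lookups", "p2p")
P2P_INDEX_POISON = specialize(INJECTION, "Index poisoning", "p2p")
WEB_SQLI = specialize(INJECTION, "SQL injection", "web")

LIBRARY = [SCANNING, INJECTION, UNSAFE_EXEC, P2P_PEER_ENUM, P2P_INDEX_POISON, WEB_SQLI]


if __name__ == "__main__":
    p2p_taxonomy = derive_taxonomy(LIBRARY, {"p2p"})
    print(sorted(p.name for p in p2p_taxonomy))
    # A constructed "attack" realizing two specialized threats plus one the library lacks.
    print(classify(["Index poisoning", "Peer enumeration via overlay lookups", "Foo"], p2p_taxonomy))
```

For a system that is both a peer-to-peer application and exposes a web front end, passing `{"p2p", "web"}` yields the union of both derived taxonomies, which is the application-specific taxonomy the text describes; the `unknown` list returned by `classify` is the signal that a new specialization should be added to the library.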
The rest of this paper is structured as follows. In Section 2 we introduce the concept of a threat pattern, relate it to the existing misuse patterns of Fernandez and colleagues [13], and discuss threat taxonomies (Section 2.1); we also define the architectural contexts of the threat patterns (Section 2.2). In Section 3 we present our (base) threat taxonomy for distributed systems and discuss pattern specialization and instantiation. In Section 4 we specialize a number of (base) threat patterns to construct a taxonomy for peer-to-peer systems. In Section 5 we consider related work; and in Section 6 we conclude and discuss future research directions.
Background and definitions
In this section we provide the necessary background for the rest of the paper by defining threat patterns and pattern-based threat taxonomies (Section 2.1) as well as architectural contexts (Section 2.2).
Base threat taxonomy for distributed systems
In this section we present the threat patterns in the two levels of the base taxonomy for distributed systems: the first-level (security) threat patterns in Section 3.1 and the second-level (meta-security) threat patterns in Section 3.2.
The patterns constituting the taxonomy are the result of selectively synthesizing, generalizing and condensing in abstract form the relevant security knowledge contained in a number of existing attack and vulnerability taxonomies [24], [25], [26], [27], [28], [29], [30], [31],
Constructing a threat taxonomy for peer-to-peer systems
In previous sections we have referred to the fact that different taxonomies can be derived from the base taxonomy by specialization of individual threat patterns for more specific architectural contexts. In this section we construct such a (derived) taxonomy for peer-to-peer architectures. Before this, we present some background on peer-to-peer systems in Section 4.1, outlining some of their general system-specific characteristics. This will be used in Section 4.2 to set the architectural
Related work
The literature contains a large number of proposals for attack and vulnerability taxonomies, many of which have already been surveyed in [11]. Many of these taxonomies, including more recent ones such as AVOIDIT [31], strive towards the goals set out by Hansman and Hunt [26], namely, to provide a taxonomy useful for classifying existing attacks in the broadest sense of the term. This can be useful for penetration testing or security evaluation when a system has already been implemented, or at
Conclusion and future work
In this paper we presented an extensible, two-level pattern-based taxonomy of security threats for distributed systems, encompassing both threats to a system (first taxonomy level, Section 3.1) and threats to corresponding countermeasure realizations (meta-security threats) (second taxonomy level, Section 3.2). Each threat in our taxonomy is encapsulated as an abstract software pattern that can be specialized for different system types and/or technologies, increasing the flexibility and
References
- Securing distributed systems using patterns: a survey. Comp. Secur. (2012)
- A taxonomy of network and computer attacks. Comp. Secur. (2005)
- Security issues in SCADA networks. Comp. Secur. (2006)
- A new taxonomy of Web attacks suitable for efficient encoding. Comp. Secur. (2003)
- Security Engineering: A Guide to Building Dependable Distributed Systems (2008)
- Distributed Systems Security: Issues, Processes and Solutions (2009)
- Security concerns for distributed systems
- Clusters and security: distributed security for distributed systems
- Engineering security into distributed systems: a survey of methodologies. J. Univers. Comput. Sci. (J.UCS) (2012)
- Threat modeling as a basis for security requirements
- Threat Modeling
- Secure software design in practice
- Developer-driven threat modeling: lessons learned in the trenches. IEEE Secur. Priv.
- Improving Web Application Security: Threats and Countermeasures
- Taxonomies of attacks and vulnerabilities in computer systems. IEEE Commun. Surv. Tutorials
- Understanding and using patterns in software development
- Modeling misuse patterns
- Design Patterns: Elements of Reusable Object-Oriented Software
- Exploiting Software: How to Break Code
- Three misuse patterns for cloud computing
- Misuse patterns in VoIP. Secur. Commun. Netw.
- Software Architecture: Foundations, Theory, and Practice
- Software Architecture in Practice
- Abstract security patterns
- A generic metamodel for IT security attack modeling for distributed systems
- Decomposing Distributed Software Architectures for the Determination and Incorporation of Security and Other Non-Functional Requirements
- NIMS Information Security Threat Methodology
- Internet infrastructure security: a taxonomy. IEEE Netw.
- An ontology of information security. Int. J. Inf. Secur. Priv.
- How to systematically classify computer security intrusions
- A taxonomy of DDoS attack and DDoS defense mechanisms. SIGCOMM Comput. Commun. Rev.
- A vulnerability taxonomy for network protocols: corresponding engineering best practice countermeasures
Mr. Anton V. Uzunov works as a software engineer and researcher for a large Australian Science and Technology organization. He holds an Honors degree in Pure Mathematics (2006) and a Bachelor degree in Maths and Computer Science (2004), both from the University of Adelaide. He is currently undertaking full-time studies towards a PhD in Computer Science. His research interests span the fields of software architecture, computer security, operating systems and parallel and distributed computing. Other, related interests include the application of software engineering principles for the improvement of software security, software protection and analysis and software design (OOA & OOD).
Prof. Eduardo B. Fernandez (Eduardo Fernandez-Buglioni) is a professor in the Department of Computer Science and Engineering at Florida Atlantic University in Boca Raton, Florida, USA. He has published numerous papers on authorization models, object-oriented analysis and design, and security patterns. He has written four books on these subjects, the most recent being a book on security patterns. His current interests include software architecture, security and reliability patterns, web services and cloud computing security and fault tolerance. He holds a MS degree in Electrical Engineering from Purdue University and a PhD in Computer Science from UCLA.
1. Currently visiting professor at Universidad Técnica Federico Santa María, Valparaíso, Chile.