ABSTRACT
Design and management of networked systems, such as Information Technology/Network (IT/NW) or IoT systems, are inherently complex. Moreover, the need to adhere to security requirements adds even more complexity, as the manual audit and security mitigation of system design are time-, skill-, and labour-intensive. In this paper, we present SecureWeaver, a secure system designer that generates a system design that meets functional, quantitative, and security service requirements. SecureWeaver is based on Weaver, an intent-based designer for IT/NW services; security support was implemented by improving the Weaver design stage with a threat mitigation knowledge base, specific refinement rules, and a security verification mechanism. A case study on video surveillance service requirements is used to illustrate the security threats and their mitigation during the automatic design process. Our results show that SecureWeaver is able to mitigate and verify the solutions from a security perspective without incurring a significant overhead: in our experiments, the average overhead is 0.04% for systems with more than 100 elements. We also present a feature comparison with three other related systems that emphasizes the practical advantages of SecureWeaver.
Index Terms
- SecureWeaver: Intent-Driven Secure System Designer