CN112015373A - A formal modeling method for endogenous security application software based on formal method - Google Patents

A formal modeling method for endogenous security application software based on formal method

Info

Publication number: CN112015373A
Application number: CN202010735834.2A
Authority: CN (China)
Prior art keywords: modeling, application software, model, determining, security
Legal status: Granted (status as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN112015373B (en)
Inventors: 赵涌鑫, 刘知昊, 蒲戈光, 刘虹
Current assignee: Shanghai Industrial Control Safety Innovation Technology Co ltd; East China Normal University
Original assignee: Shanghai Industrial Control Safety Innovation Technology Co ltd; East China Normal University

Events
  • Application CN202010735834.2A filed by Shanghai Industrial Control Safety Innovation Technology Co ltd and East China Normal University
  • Publication of CN112015373A
  • Application granted; publication of CN112015373B
  • Legal status: Active

Classifications

    • G06F8/20 Software design (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F8/00 Arrangements for software engineering)
    • G06F8/35 Creation or generation of source code, model driven (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F8/00 Arrangements for software engineering > G06F8/30 Creation or generation of source code)
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses a formal modeling method for endogenous security application software based on a formal method. The modeling part comprises: application software functional modeling, which supports the description of system functions and consists of system structure modeling and system behavior modeling. System structure modeling models the system architecture, using class diagrams to describe the attributes and methods involved in the system; system behavior modeling uses state diagrams and sequence diagrams to model the behavior of the whole system, where the state diagrams describe the control logic of the processes and the sequence diagrams describe the interactions between processes. Application software information security threat and policy modeling supports the description of system security threats and security policies. Information security threat modeling uses an attack tree to correlate and analyze in depth the vulnerabilities of each module of the system in all aspects, discovering the attack paths that threaten network security and presenting them as a tree.

Description

A formal modeling method for endogenous security application software based on a formal method

Technical field

The invention belongs to the field of software technology and relates to a formal modeling method for endogenous security application software based on a formal method, forming an integrated development system for endogenous security application software.

Background

Endogenous security is the direction and evolutionary goal of network security. Security capabilities that were formerly scattered and independent need to be coordinated, aggregated and integrated into information systems and business applications, so that security capability grows continuously from within the information system itself, with self-adaptive, autonomous and self-growing characteristics; only such protection can improve as the system grows and keep it secure at all times. Current application software is distributed, heterogeneous, concurrent and real-time, and at the same time has many security defects that are hard to correct. Endogenous security application software modeling technology models the architecture, behavior and control logic of the application software and builds a tool that can model its functional safety and information security properties together, yielding a security model of the endogenous security application software. This requires modeling the software architecture, the software behavior, the security threats and the security policies. Combining formal modeling of application software that fuses state machines and sequence diagrams with modeling of application software security threats and security policies in an open network environment makes it possible to model and analyze the behavior of concurrent/distributed systems from different perspectives and to mitigate the threat of security attacks.

Summary of the invention

The main purpose of the invention is to propose a formal modeling method for endogenous security application software based on a formal method, and to provide a cross-platform desktop modeling tool (sbid-ava, hereinafter "the tool") for endogenous security application software.

To achieve this purpose, the invention provides a method for the formal modeling of endogenous security application software based on a formal method, comprising the following steps:

a) Model the architecture of the application software with class diagrams and a topology diagram;

b) On the basis of the determined architecture model, model the concurrent, distributed behavior by fusing state machines and sequence diagrams;

c) On the basis of the architecture model and the behavior model, model the information security threats to the software with an attack tree and, on top of the threat model, recommend security mitigation strategies to support policy modeling.

By modeling the architecture of the application software with class diagrams and a topology diagram, the method first identifies the global attributes and the participating entities of the application software and abstracts the global attributes into class-diagram data types and the participating entities into model processes, so that the basic elements of the model are clear. Second, modeling the topology instantiates the roles of the abstract processes, together with the concrete attribute values on each role, which lets the tool abstract the application's communication process; communication cost estimated on that basis can be made highly accurate.

In addition, the method may have the following additional technical features:

Preferably, modeling the architecture of the application software with class diagrams and a topology diagram comprises:

a1) modeling the attributes and methods of processes/computing nodes with class diagrams;

a2) modeling the network topology with a topology diagram.

Preferably, step a1) comprises:

a11) determining the data types from the data class diagram;

a12) determining the process contents from the process class diagram;

a13) determining the channel relations from the channel class diagram;

a14) determining the axiom functions from the axiom class diagram;

a15) determining knowledge visibility from the initial-knowledge class diagram.

Preferably, step a2) comprises:

determining the links of the topology diagram from the topology nodes that instantiate the class diagrams and their network relations.

Preferably, modeling the concurrent, distributed behavior by fusing state machines and sequence diagrams on the basis of the determined architecture model comprises:

b1) describing the internal control logic of each process/computing node with a state machine;

b2) describing the interactions between processes/computing nodes with sequence diagrams.

Preferably, step b1) comprises:

b11) determining the state machine corresponding to each process from the process contents;

b12) determining the state nodes of that state machine (initial state, intermediate states, transition states, accepting states);

b13) determining the refined states from the state nodes.

Preferably, step b2) comprises:

b21) determining the objects/lifelines from the process class diagram;

b22) determining the communication messages from the communication methods.

Preferably, modeling the information security threats with an attack tree and recommending security mitigation strategies on top of the threat model comprises:

c1) determining the vulnerabilities of the software system from the attack tree;

c2) determining the software security mitigation strategies from the system vulnerabilities.

Additional aspects and advantages of the invention are given in part in the following description, will in part become apparent from it, or will be learned through practice of the invention.

The invention discloses a formal modeling method for endogenous security application software based on a formal method. The modeling part comprises: application software functional modeling, which supports the description of system functions and consists of system structure modeling and system behavior modeling. System structure modeling models the system architecture, using class diagrams to describe the attributes and methods involved in the system; system behavior modeling uses state diagrams and sequence diagrams to model the behavior of the whole system, where the state diagrams describe the control logic of the processes and the sequence diagrams describe the interactions between processes. Application software information security threat and policy modeling supports the description of system security threats and security policies. Information security threat modeling uses an attack tree to correlate and analyze in depth the vulnerabilities of each module of the system in all aspects, discovering the attack paths that threaten network security and presenting them as a tree. On top of attack-tree threat modeling, possible information security mitigation strategies or measures are suggested and recommended. Attacker behavior modeling builds on the threat model: the possible behaviors of the attacker are analyzed and summarized and described concretely with a state diagram.

In the invention, formally modeling the application software with the tool not only lets the functional behavior of the modeled protocol be checked through graphical modeling, but also supplies a system model and a threat model to the integrated back-end tools for model verification and code generation, keeping the modeling of application architecture, control logic and security policy unified.

Description of the drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be taken as limiting the invention. The same reference numerals denote the same components throughout the drawings. In the drawings:

Fig. 1 is a flow diagram of a formal modeling method for endogenous security application software based on a formal method according to an embodiment of the invention;

Fig. 2 is a diagram of the tool window of the formal modeling tool for endogenous security application software according to an embodiment of the invention;

Fig. 3 shows the attribute part of the application architecture modeling class diagram according to an embodiment of the invention;

Fig. 4 shows the process part of the application architecture modeling class diagram according to an embodiment of the invention;

Fig. 5 shows the channel part of the application architecture modeling class diagram according to an embodiment of the invention;

Fig. 6 shows the axiom part of the application architecture modeling class diagram according to an embodiment of the invention;

Fig. 7 shows the initial-knowledge part of the application architecture modeling class diagram according to an embodiment of the invention;

Fig. 8 shows the topology diagram of the application architecture modeling according to an embodiment of the invention;

Fig. 9 shows the state machine diagram of the application behavior modeling according to an embodiment of the invention;

Fig. 10 shows the sequence diagram of the application behavior modeling according to an embodiment of the invention;

Fig. 11 shows the attack tree of the application security threat and policy modeling according to an embodiment of the invention.

Detailed description

Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments are shown in the drawings, the disclosure may be embodied in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be thorough and will fully convey its scope to those skilled in the art.

Fig. 1 is a flow diagram of a formal modeling method for endogenous security application software based on a formal method according to an embodiment of the invention; as shown in Fig. 1, the method comprises the following steps:

Step 1: model the architecture of the application software with class diagrams.

Specifically, the global data types of the application software, the processes of the application model, the channels between processes, and the axioms and initial knowledge of the model are abstracted.

Fig. 3, the data class diagram, describes the attributes and custom methods of the application model. The built-in data types are int (integer), bool (Boolean), number (natural number) and byte; the composite data types are ByteVec (byte sequence) and Timer (clock).

An attribute is written as a data type and an identifier:

attr ≡ Type Identifier | Type[] Identifier

A method is written as a data type, an identifier and parameters:

method ≡ Type Identifier(parameters)

Fig. 4, the process class diagram, describes the contents of an abstract process of the application model: attributes, methods and communication methods. Process attributes and methods are defined as in the data class diagram. There are four built-in methods carrying specific algorithms: symmetric encryption, symmetric decryption, signing and verification. Symmetric encryption and decryption offer the AES and DES algorithms; signing and verification offer RSA, ECC, MD5, SHA1 and SHA256. (Note that MD5 and SHA1 are hash functions rather than signature schemes and both are collision-broken, and DES has a 56-bit key and is deprecated; a model whose security argument rests on them should treat the choice as a modeling convenience, not as a security claim.)

[formula image not recovered: the first alternative of the built-in method grammar, the symmetric encryption method; by the text and the axiom SymDec(SymEnc(m,k),k)=m below it is the SymEnc counterpart of SymDec]
| ByteVec SymDec(ByteVec msg, int key)
| ByteVec Sign(ByteVec msg, int skey)
| bool Verify(ByteVec msg, int pkey)

The process class diagram also provides communication methods, which describe the means by which the process abstracted by a process template communicates with other processes. A communication method is defined as:

method_communication ≡ Identifier(parameters) [IN/OUT] [CommType]

where IN and OUT indicate whether the communication method receives or sends, and the communication type CommType is one of NativeEthernetFrame and UDP, denoting raw Ethernet frame and UDP communication respectively.

Fig. 5, the channel class diagram, describes the send/receive relation between communication methods of the process class diagrams. A channel usually involves two processes and a sending and a receiving communication method on them, and also records whether the channel is public or private. It is defined as:

channel ≡ Process1.method_communication -(public/private)- Process2.method_communication

where Process1 and Process2 are the two processes, and public and private denote a public and a private channel.

Fig. 6, the axiom class diagram, describes the axioms of the application model. The tool has two built-in axioms:

SymDec(SymEnc(m, k), k) = m

Verify(Sign(m, sk), pk) = True

which pair the built-in encryption and decryption functions, and private-key signing with public-key verification.

Fig. 7, the initial-knowledge class diagram, describes the initial knowledge of the application model. A single-knowledge entry defines the visibility of an attribute of a process class diagram and can be used to state precisely which information each process knows. A public/private key pair entry defines which public key is paired with which private key.

A single-knowledge entry states that the initial knowledge contains the given attribute:

Knowledgement_single ≡ Process.Process_attr

A public/private key pair is defined as:

Process.Process_attr | Process.Process_attr

where the pair denotes asymmetric encryption paired with asymmetric decryption, or signing paired with verification.
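As an added example (not code from the patent or from the sbid-ava tool), the following Python models the two built-in axioms and the initial-knowledge entries as symbolic terms and asks what an attacker who observes a public channel can derive from them. The processes A and B, their attributes A.msg, A.k, A.skA, A.pkA, B.pkB and Att.cmd, the declared key pair and the traffic on the channel are all constructed for the example; treating signatures as opaque (not revealing the signed message) is an assumption, since the page's axiom only states that Verify succeeds.

```python
from typing import Dict, FrozenSet, Set, Tuple, Union

# A term is an atom "Process.attr" (a single-knowledge entry) or an application
# of one of the built-in methods: ("SymEnc", msg, key) or ("Sign", msg, skey).
Term = Union[str, Tuple]


def SymEnc(msg: Term, key: Term) -> Term:
    return ("SymEnc", msg, key)


def Sign(msg: Term, skey: Term) -> Term:
    return ("Sign", msg, skey)


def SymDec(cipher: Term, key: Term) -> Term:
    # Axiom 1: SymDec(SymEnc(m, k), k) = m.  With any other key the result stays opaque.
    if isinstance(cipher, tuple) and cipher[0] == "SymEnc" and cipher[2] == key:
        return cipher[1]
    return ("SymDec", cipher, key)


def Verify(sig: Term, pkey: Term, keypairs: Dict[Term, Term]) -> bool:
    # Axiom 2: Verify(Sign(m, sk), pk) = True exactly when (sk | pk) is a declared
    # key pair in the initial-knowledge class diagram.
    return isinstance(sig, tuple) and sig[0] == "Sign" and keypairs.get(sig[2]) == pkey


def saturate(knowledge: Set[Term]) -> FrozenSet[Term]:
    """Close a knowledge set under decryption: whoever knows SymEnc(m, k) and k
    also knows m (axiom 1).  Signatures are assumed opaque: the page's axiom 2
    only says Verify succeeds, so Sign(m, sk) is not taken to reveal m."""
    kn = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(kn):
            if isinstance(t, tuple) and t[0] == "SymEnc" and t[2] in kn and t[1] not in kn:
                kn.add(t[1])
                changed = True
    return frozenset(kn)


def derivable(target: Term, knowledge: Set[Term]) -> bool:
    """Can a party holding `knowledge` produce `target`: decrypt what it has
    (saturate) and then compose SymEnc/Sign only from parts it knows?"""
    kn = saturate(knowledge)

    def build(t: Term) -> bool:
        if t in kn:
            return True
        if isinstance(t, tuple) and t[0] in ("SymEnc", "Sign"):
            return build(t[1]) and build(t[2])
        return False

    return build(target)


def analyse(key_sent_in_clear: bool) -> Dict[str, bool]:
    """Constructed scenario: process A sends SymEnc(A.msg, A.k) and Sign(A.msg, A.skA)
    to B over a public channel and A.pkA is public.  The attacker's initial
    knowledge is everything that crossed the public channel plus its own
    attribute Att.cmd.  key_sent_in_clear models the modeling error of putting
    the shared key A.k on the public channel as well."""
    keypairs = {"A.skA": "A.pkA"}                    # declared key pair entry
    public_traffic: Set[Term] = {
        SymEnc("A.msg", "A.k"),
        Sign("A.msg", "A.skA"),
        "A.pkA",
        "Att.cmd",
    }
    if key_sent_in_clear:
        public_traffic.add("A.k")
    return {
        "attacker_learns_msg": derivable("A.msg", public_traffic),
        "attacker_forges_signature": derivable(Sign("Att.cmd", "A.skA"), public_traffic),
        "b_accepts_signature": Verify(Sign("A.msg", "A.skA"), "A.pkA", keypairs),
        "b_accepts_with_wrong_key": Verify(Sign("A.msg", "A.skA"), "B.pkB", keypairs),
    }
```

With the key kept in private initial knowledge the attacker learns neither A.msg nor a way to sign Att.cmd; once A.k is visible on the public channel, A.msg becomes derivable while the signature still cannot be forged, which is the kind of distinction the initial-knowledge entries exist to make explicit.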

Step 2: model the architecture of the application software with a topology diagram.

Specifically, each node in the topology diagram represents a concrete role in the network environment that applies a given process class diagram, and instantiates all attributes of that process class diagram. In the instance, all composite types are expanded (attributes of inherited ancestor types are materialized); an array is treated as a variable-length array and each element is expanded separately, until a basic type is reached, which becomes a leaf node whose value is set directly. Nodes of the topology diagram can be connected by directed edges, each representing simplex communication from one side to the other; a communication-method pair and a communication cost can be set on an edge. The selectable communication-method pairs are exactly those items defined in the channel class diagram that fit the sender's and the receiver's process class diagrams.

Fig. 8: an edge of the topology diagram is defined as:

[formula image not recovered: the topology edge definition, relating two processes, the communication methods on them, and a public or private channel]

which denotes the two processes, the communication methods on them, and whether the channel is public or private.
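Added example (not the tool's code): a Python checker for the constraint stated above, that an edge's communication-method pair must be defined in the channel class diagram and must fit the sender's OUT method and the receiver's IN method, including their CommType. The Sensor/Controller templates, the method names, the channels and the node names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CommMethod:
    """Identifier(parameters) [IN/OUT] [CommType] from the process class diagram."""
    name: str
    direction: str    # "IN" (receive) or "OUT" (send)
    comm_type: str    # "NativeEthernetFrame" or "UDP"


@dataclass(frozen=True)
class ProcessTemplate:
    name: str
    comm_methods: Tuple[CommMethod, ...]

    def comm_method(self, name: str) -> CommMethod:
        for m in self.comm_methods:
            if m.name == name:
                return m
        raise KeyError(f"process {self.name} has no communication method {name}")


@dataclass(frozen=True)
class Channel:
    """Process1.method -(public/private)- Process2.method from the channel class diagram."""
    p1: str
    m1: str
    visibility: str   # "public" or "private"
    p2: str
    m2: str


@dataclass(frozen=True)
class TopoNode:
    name: str         # concrete role in the network, e.g. "s1"
    template: str     # process class diagram it instantiates


@dataclass(frozen=True)
class Edge:
    """Directed (simplex) topology edge carrying a communication-method pair and a cost."""
    src: str
    dst: str
    src_method: str
    dst_method: str
    cost: int


def validate_edge(edge: Edge, nodes: Dict[str, TopoNode],
                  templates: Dict[str, ProcessTemplate],
                  channels: List[Channel]) -> List[str]:
    """Return the reasons an edge is not a valid topology link (empty list = valid)."""
    errors: List[str] = []
    for end in (edge.src, edge.dst):
        if end not in nodes:
            errors.append(f"unknown topology node {end}")
    if errors:
        return errors
    src_t = templates[nodes[edge.src].template]
    dst_t = templates[nodes[edge.dst].template]
    try:
        sm = src_t.comm_method(edge.src_method)
        dm = dst_t.comm_method(edge.dst_method)
    except KeyError as e:
        return [str(e)]
    if sm.direction != "OUT":
        errors.append(f"{src_t.name}.{sm.name} is not an OUT method; it cannot be the sending end")
    if dm.direction != "IN":
        errors.append(f"{dst_t.name}.{dm.name} is not an IN method; it cannot be the receiving end")
    if sm.comm_type != dm.comm_type:
        errors.append(f"CommType mismatch: {sm.comm_type} vs {dm.comm_type}")
    # The pair must appear in the channel class diagram (either orientation of the entry).
    declared = any(
        {(c.p1, c.m1), (c.p2, c.m2)} == {(src_t.name, sm.name), (dst_t.name, dm.name)}
        for c in channels
    )
    if not declared:
        errors.append(f"no channel {src_t.name}.{sm.name} - {dst_t.name}.{dm.name} in the channel class diagram")
    if edge.cost < 0:
        errors.append("communication cost must be non-negative")
    return errors


# Constructed sample model: a sensor pushes readings over UDP to a controller,
# which also has a raw-Ethernet receive method.
TEMPLATES = {
    "Sensor": ProcessTemplate("Sensor", (CommMethod("SendReading", "OUT", "UDP"),)),
    "Controller": ProcessTemplate("Controller", (
        CommMethod("RecvReading", "IN", "UDP"),
        CommMethod("RecvFrame", "IN", "NativeEthernetFrame"),
    )),
}
CHANNELS = [
    Channel("Sensor", "SendReading", "public", "Controller", "RecvReading"),
    Channel("Sensor", "SendReading", "private", "Controller", "RecvFrame"),  # declared, but CommType differs
]
NODES = {"s1": TopoNode("s1", "Sensor"), "c1": TopoNode("c1", "Controller")}


def check(edge: Edge) -> List[str]:
    return validate_edge(edge, NODES, TEMPLATES, CHANNELS)
```

`check(Edge("s1", "c1", "SendReading", "RecvReading", 3))` returns no errors; reversing the edge reports both ends with the wrong direction, and pairing SendReading with RecvFrame is rejected on CommType even though the channel is declared.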

Step 3: on the basis of the determined architecture model, model the concurrent, distributed behavior by fusing state machines and sequence diagrams.

Specifically, system behavior modeling uses state diagrams and sequence diagrams to model the behavior of the whole system: a state machine describes the control logic of each process, and a sequence diagram describes the interactions between processes.

Fig. 9, the state machine diagram, describes the internal control logic of a process/computing node. When a process class diagram is created in the class diagram, a corresponding state machine panel is created automatically under the state machine tab. When the panel is created it provides a single, unchangeable initial state (the solid black circle in the figure) connected to an initial ordinary state. The user can create further ordinary states or terminal states (double circles in the figure) through the right-click menu on the panel. Each state node offers anchor points; clicking an anchor point draws a connection between states, representing a state transition. A guard condition and a number of transfer actions can be set on a transition edge to complete the behavioral modeling of the state machine.

A guard condition is a C-like logical expression that evaluates to true or false (the default is true). Logical expressions can be combined with the binary operators && and || to build more complex guards.

A transfer action is a C-like declaration, assignment statement or method call:

StateMachine_action ≡ Type Identifier
                    | Type Identifier := Expression
                    | Identifier := Expression
                    | Identifier(parameters)

where the first two alternatives are declarations, the third is an assignment and the last is a method call.

Fig. 10, the sequence diagram, describes the interaction between processes/computing nodes. In the sequence diagram panel, several objects/lifelines can be added, each bound to a process template, and messages of various kinds can be connected between them: synchronous messages, asynchronous messages and return messages. On a message line, one of the outgoing communication methods of the originating process template can be selected.

Step 4: on the basis of the software architecture model and the behavior model, model the information security threats to the software with an attack tree, and recommend security mitigation strategies on top of the threat model to support policy modeling.

Fig. 11 uses an attack tree to model the information security threats to the application software: the vulnerabilities of the system's modules are correlated across all aspects and analyzed in depth, and the attack paths that threaten network security are discovered and presented as a tree. In addition, on top of attack-tree threat modeling, a library of possible information security mitigation strategies has been collected and organized, and the corresponding mitigation strategies are recommended according to the attack methods that appear in the attack tree.
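Added example (not the tool's code; the page shows neither its attack-tree format nor the contents of its mitigation library): a Python attack tree with AND/OR nodes that enumerates the minimal attack paths, looks up a mitigation for each attack method in a constructed library, and reports which paths remain open after a chosen set of mitigations is applied. The tree, its node names and the library entries are invented for the example, in the vocabulary of the model on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set


@dataclass
class AttackNode:
    """Attack-tree node: the root is the attacker's goal, LEAF nodes are concrete
    attack methods, AND/OR nodes combine their children."""
    name: str
    kind: str = "LEAF"            # "LEAF", "AND" or "OR"
    children: List["AttackNode"] = field(default_factory=list)


def _minimal(paths: Set[FrozenSet[str]]) -> Set[FrozenSet[str]]:
    # Drop any path that strictly contains another; what remains are the minimal cut sets.
    return {p for p in paths if not any(q < p for q in paths)}


def attack_paths(node: AttackNode) -> Set[FrozenSet[str]]:
    """All minimal sets of leaf attacks that realise `node` (the attack paths)."""
    if node.kind == "LEAF":
        return {frozenset([node.name])}
    if node.kind == "OR":
        paths: Set[FrozenSet[str]] = set()
        for child in node.children:
            paths |= attack_paths(child)
        return _minimal(paths)
    if node.kind == "AND":
        paths = {frozenset()}
        for child in node.children:
            paths = {p | q for p in paths for q in attack_paths(child)}
        return _minimal(paths)
    raise ValueError(f"unknown node kind {node.kind}")


def recommend(tree: AttackNode, library: Dict[str, str]) -> Dict[str, str]:
    """Map every leaf attack method on some attack path to the mitigation the
    library holds for it; leaves absent from the library are flagged."""
    leaves = set().union(*attack_paths(tree))
    return {leaf: library.get(leaf, "no mitigation in library") for leaf in sorted(leaves)}


def open_paths(tree: AttackNode, mitigated: Set[str]) -> Set[FrozenSet[str]]:
    """Attack paths still open after the given leaf attacks have been mitigated:
    a path is closed as soon as any one of its leaves is blocked."""
    return {p for p in attack_paths(tree) if not (p & mitigated)}


# Constructed example tree for a controller that accepts commands over a public UDP channel.
TREE = AttackNode("Controller executes an attacker-chosen command", "OR", [
    AttackNode("Replay", "AND", [
        AttackNode("sniff command frame on public channel"),
        AttackNode("replay captured frame"),
    ]),
    AttackNode("Forge", "AND", [
        AttackNode("obtain symmetric key"),
        AttackNode("encrypt forged command"),
    ]),
    AttackNode("send command to unauthenticated UDP receiver"),
])

# Constructed mitigation library keyed by attack method.
LIBRARY = {
    "replay captured frame": "freshness guard (sequence number or nonce) on the receiving transition",
    "obtain symmetric key": "keep the key in private-channel initial knowledge only; never send it in clear",
    "send command to unauthenticated UDP receiver": "Sign every command; the receiver guard requires Verify(msg, pk)",
}
```

`recommend(TREE, LIBRARY)` flags "sniff command frame on public channel" as having no mitigation, which is correct: a public channel is observable by definition, and the Replay path is closed through the freshness guard on its other leaf instead.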

On the basis of attack-tree threat modeling, the attacker's behavior is analyzed and summarized and described concretely with a state machine. Once the attacker is taken into account, the behavior of each process in the distributed system corresponds to the new state machine obtained by synchronizing the process's functional state machine with the attacker's state machine.
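Added example (not the tool's code) covering the state machine modeling of step 3 and the attacker synchronization described above: transitions carry a guard (default true) and a transfer action, and a breadth-first search explores the synchronized product of a process state machine with an attacker state machine, pairing an OUT transition of one machine with an IN transition of the other on the same communication-method label. The Controller and Attacker machines, the variables seq, last and accepted, and the replay scenario are constructed for the example; guards and actions are Python callables standing in for the tool's C-like expressions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Env = Dict[str, int]


@dataclass(frozen=True)
class Transition:
    """A state-machine edge synchronised on a communication-method label, with a
    guard (default true, as in the tool) and a transfer action."""
    src: str
    dst: str
    label: str
    direction: str                                  # "OUT" sends, "IN" receives
    guard: Callable[[Env], bool] = lambda env: True
    action: Callable[[Env], None] = lambda env: None


@dataclass(frozen=True)
class StateMachine:
    name: str
    initial: str
    transitions: Tuple[Transition, ...]


def _freeze(env: Env) -> Tuple[Tuple[str, int], ...]:
    return tuple(sorted(env.items()))


def explore(proc: StateMachine, attacker: StateMachine, env0: Env,
            is_bad: Callable[[str, str, Env], bool]) -> Optional[Tuple[str, ...]]:
    """Breadth-first search over the synchronised product of `proc` and `attacker`.
    A joint step pairs an OUT transition of one machine with an IN transition of
    the other carrying the same label: the sender's action runs first (it puts
    the message into the environment), then the receiver's guard is evaluated,
    then the receiver's action.  Returns the label sequence of the first path
    reaching a configuration for which `is_bad` holds, or None if no reachable
    configuration is bad."""
    start = (proc.initial, attacker.initial, _freeze(env0))
    seen = {start}
    queue = deque([(start, ())])
    while queue:
        (ps, as_, fenv), path = queue.popleft()
        env = dict(fenv)
        if is_bad(ps, as_, env):
            return path
        for tp in proc.transitions:
            if tp.src != ps:
                continue
            for ta in attacker.transitions:
                if ta.src != as_ or ta.label != tp.label or ta.direction == tp.direction:
                    continue
                sender, receiver = (ta, tp) if ta.direction == "OUT" else (tp, ta)
                new_env = dict(env)
                sender.action(new_env)
                if not receiver.guard(new_env):
                    continue                        # guard false: no joint move
                receiver.action(new_env)
                cfg = (tp.dst, ta.dst, _freeze(new_env))
                if cfg not in seen:
                    seen.add(cfg)
                    queue.append((cfg, path + (tp.label,)))
    return None


def receiver(strict_freshness: bool) -> StateMachine:
    """Constructed process state machine: a controller that accepts a delivered
    command when its sequence number is fresh.  The guard is `seq > last`
    (strict) or the weaker `seq >= last`."""
    if strict_freshness:
        guard = lambda e: e["seq"] > e["last"]
    else:
        guard = lambda e: e["seq"] >= e["last"]

    def accept(e: Env) -> None:                     # transfer actions: last := seq; accepted := accepted + 1
        e["last"] = e["seq"]
        e["accepted"] += 1

    return StateMachine("Controller", "Wait", (
        Transition("Wait", "Wait", "Deliver", "IN", guard, accept),
    ))


def _inject(seq: int) -> Callable[[Env], None]:
    return lambda e: e.__setitem__("seq", seq)


# Constructed attacker state machine: it delivers one captured command (seq 1)
# and then replays the same frame with the same sequence number.
ATTACKER = StateMachine("Attacker", "Idle", (
    Transition("Idle", "Captured", "Deliver", "OUT", action=_inject(1)),
    Transition("Captured", "Replayed", "Deliver", "OUT", action=_inject(1)),
))


def replay_accepted(strict_freshness: bool) -> Optional[Tuple[str, ...]]:
    """Label path on which the controller accepts the replayed command, or None."""
    env0 = {"seq": 0, "last": 0, "accepted": 0}
    bad = lambda ps, as_, env: as_ == "Replayed" and env["accepted"] == 2
    return explore(receiver(strict_freshness), ATTACKER, env0, bad)
```

With the strict guard the replay is rejected and `replay_accepted(True)` returns None; with `seq >= last` the product automaton reaches the bad configuration after two Deliver steps, which is exactly the kind of path a back-end model checker would report against the synchronized state machine.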

Thus the application software is formally modeled using the formal modeling method for endogenous security application software. In this process, on the one hand, formal modeling of the application software helps to characterize the architecture of the application model, the details of its internal state changes and its communication process. On the other hand, the architecture, design and deployment of the software system are analyzed systematically to find the potential threats it may face, improving the security of the software system as a whole; this guides developers in writing secure code and assists penetration testers in carrying out security tests, identifying threats, mitigating them and avoiding risk.

From the description of the embodiments above, those skilled in the art will understand that the method of the embodiments can be implemented in software. The invention uses the Avalonia cross-platform desktop application framework on .Net Core 3.0; on this understanding, the technical solution of the invention, or the part of it that contributes over the prior art, can be embodied as a software product.

The above is only a preferred specific embodiment of the present invention, but the protection scope of the present invention is not limited to it: any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be determined by the protection scope of the claims.

Claims (8)

1. A formal modeling method for endogenous security application software based on a formal method, characterized by comprising the following steps:
a) modeling the architecture of the application software using a class diagram and a topology diagram;
b) modeling the concurrent distributed behavior by fusing a state machine and a sequence diagram, according to the determined application software architecture model;
c) modeling the information security threat of the software using an attack tree, according to the software architecture model and the behavior model, and adopting a security mitigation strategy to support strategy modeling on the security threat model.
2. The method according to claim 1, wherein modeling the architecture of the application software using the class diagram and the topology diagram comprises:
a1) modeling the attributes and methods of the process/computing node using the class diagram;
a2) modeling the network topology using the topology diagram.
3. The method according to claim 2, wherein modeling the attributes and methods of the process/computing node using the class diagram comprises:
a11) determining the data types according to the data class diagram;
a12) determining the process content according to the process class diagram;
a13) determining the channel relations according to the channel class diagram;
a14) determining the axiom functions according to the axiom class diagram;
a15) determining knowledge visibility according to the initial knowledge class diagram.
4. The method according to claim 2, wherein modeling the network topology using the topology diagram comprises: determining the links of the topology diagram according to the relation between the topology nodes of the instantiated class diagram and the network.
5. The method according to claim 1, wherein modeling the concurrent distributed behavior by fusing a state machine and a sequence diagram according to the determined application software architecture model comprises:
b1) describing the internal control logic of the process/computing node using a state machine;
b2) describing the interaction process between processes/computing nodes using a sequence diagram.
6. The method according to claim 5, wherein describing the internal control logic of the process/computing node using a state machine comprises:
b11) determining the corresponding state machine according to the process class diagram;
b12) determining the content of the state nodes according to the determined state machine, comprising: initial state, intermediate state, transition state and accepting state;
b13) determining the refinement states according to the state nodes.
7. The method according to claim 5, wherein describing the interaction process between processes/computing nodes using the sequence diagram comprises:
b21) determining the object lifelines according to the process template;
b22) determining the communication messages according to the communication method.
8. The method according to claim 1, wherein modeling the information security threat of the software using the attack tree according to the software architecture model and the behavior model, and adopting the security mitigation strategy to support strategy modeling on the security threat model, comprises:
c1) determining the vulnerabilities of the software system according to the attack tree;
c2) determining the software security mitigation strategy according to the vulnerabilities of the system.
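Steps c1 and c2 of claim 8 worked through in code, as an added example that is not the patent's own tool: the attack tree is evaluated to enumerate the leaf combinations that achieve the root goal (the system's vulnerabilities), and a mitigation set that blocks every one of them is chosen. The tree encoding, the sample tree and the mitigation costs are constructed assumptions for this example.

```python
from itertools import combinations

def scenarios(node):
    """Attack scenarios (frozensets of leaf names) that achieve `node`.
    A leaf achieves itself; OR collects the children's scenarios; AND
    combines one scenario from every child. Nodes are leaf strings or
    (op, [children]) tuples, a format assumed for this example."""
    if isinstance(node, str):
        return [frozenset([node])]
    op, children = node
    child_sets = [scenarios(c) for c in children]
    if op == "OR":
        return [s for cs in child_sets for s in cs]
    result = [frozenset()]
    for cs in child_sets:                       # AND: cartesian product
        result = [r | s for r in result for s in cs]
    return result

def minimal_scenarios(node):
    """Drop scenarios that strictly contain another (redundant attacks)."""
    all_s = set(scenarios(node))
    return {s for s in all_s if not any(o < s for o in all_s)}

def goal_still_achievable(node, mitigated):
    """c1: with the leaves in `mitigated` disabled, is the root still reachable?"""
    return any(s.isdisjoint(mitigated) for s in minimal_scenarios(node))

def choose_mitigations(node, cost):
    """c2: cheapest set of leaf mitigations that blocks every minimal scenario
    (brute-force hitting set; adequate for threat-model-sized trees).
    Returns (total cost, frozenset of mitigated leaves)."""
    leaves = sorted({leaf for s in minimal_scenarios(node) for leaf in s})
    best = None
    for k in range(1, len(leaves) + 1):
        for combo in combinations(leaves, k):
            if not goal_still_achievable(node, set(combo)):
                total = sum(cost[leaf] for leaf in combo)
                if best is None or total < best[0]:
                    best = (total, frozenset(combo))
    return best

# Constructed sample tree: goal "impersonate a user" of the distributed login
# process; mitigation costs are invented for the example.
TREE = ("OR", [
    ("AND", ["sniff_channel", "replay_credential"]),
    ("AND", ["guess_password", "bypass_rate_limit"]),
    "steal_session_token",
])
COST = {"sniff_channel": 3, "replay_credential": 2, "guess_password": 5,
        "bypass_rate_limit": 1, "steal_session_token": 4}
```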
CN202010735834.2A 2020-07-28 2020-07-28 A Formal Modeling Method for Endogenous Security Application Software Based on Formal Method Active CN112015373B (en)

Publications (2)

Publication Number Publication Date
CN112015373A true CN112015373A (en) 2020-12-01
CN112015373B CN112015373B (en) 2022-02-11

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115357911A (en) * 2022-10-24 2022-11-18 National University of Defense Technology A method for building a satellite navigation system security threat model
CN118607319A (en) * 2024-06-20 2024-09-06 Wuhan University Interactive geometric modeling related module design method, software construction method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102447695A (en) * 2011-11-14 2012-05-09 Institute of Software, Chinese Academy of Sciences Method for identifying key attack paths in a service system
CN106802863A (en) * 2016-12-16 2017-06-06 East China Normal University Inter-process communication security formal analysis and verification system based on a micro-kernel prototype
CN107103244A (en) * 2017-05-12 2017-08-29 Tianjin University AADL-based security assessment method for Web application architectures
CN109150831A (en) * 2018-07-16 2019-01-04 PLA Strategic Support Force Information Engineering University Endogenously secure cloud task execution device and method
CN109191326A (en) * 2018-08-23 2019-01-11 Northeastern University Risk assessment method for network attacks on interdependent power distribution network CPS from the attacker's perspective
DE102017212581A1 (en) * 2017-07-21 2019-01-24 Siemens Aktiengesellschaft A method for dynamically expanding a domain-specific language of a graphical modeling tool

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhang Chen et al.: "Modeling, verification and testing of interaction behavior in distributed software systems", Journal of Computer Research and Development *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant