A system designer faces several challenges when specifying security for distributed computing environments or migrating systems to a new execution platform. Business stakeholders impose constraints driven by cost, time-to-market requirements, productivity impact, customer satisfaction concerns, and the like, and users exercise power at the desktop over computing resources and data availability.
A system designer therefore needs to understand the requirements regarding protected resources (e.g., data), confidentiality, and integrity, and also needs to predict the effect that security measures will have on other runtime quality attributes such as resource consumption, availability, and real-time performance.
Despite that, security is often studied only in isolation and late in the process. The SEI has developed model-based engineering tools, methods, and analytical techniques to validate security according to flow-based approaches and standard security models such as Bell-LaPadula, Chinese Wall, and role-based access control.
The SEI approach also allows a designer to identify how security choices affect other quality attributes. For example, for battery-powered devices in embedded systems, a designer can visualize and analyze the tradeoff between the added execution time and latency of the mechanisms that support the required security levels, for instance when adopting the multiple independent levels of security (MILS) paradigm.
| Security Analysis Concern | SEI Approach | Answer |
|---|---|---|
| Sanitization (i.e., controlled lowering of security levels) | YES | Provides metrics on the number of sanitized flows in a system |
| Security effectiveness applied using minimum security clearances | YES | Derives the minimum security clearance of components in the model. By pointing out differences between actual security clearances and the minimum security clearance required, it lets a system designer evaluate security effectiveness. |
| Integration of security at multiple system levels | YES | Provides a system-level solution by checking that secure information is associated with components that have appropriate security clearance and is communicated over secure connections |
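The three checks in the table, worked through on a constructed mini-model as an added illustration (this is not OSATE or SEI code): each component declares a clearance, each flow carries the classification of the information it moves, whether its connection is secure, and, for a sanitizer, the level it downgrades to. The level names, the total ordering of levels, and the sample architecture are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, totally ordered security levels (a real model may use a lattice).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

@dataclass(frozen=True)
class Flow:
    src: str                 # sending component
    dst: str                 # receiving component
    level: str               # classification of the information sent
    secure: bool             # connection is protected (e.g., an encrypted channel)
    sanitized_to: Optional[str] = None  # level after a controlled downgrade, if any

def minimum_clearance(clearance: dict, flows: list) -> dict:
    """Lowest clearance each component needs: the highest level it sends or receives."""
    need = {c: 0 for c in clearance}
    for f in flows:
        need[f.src] = max(need[f.src], LEVELS[f.level])
        need[f.dst] = max(need[f.dst], LEVELS[f.sanitized_to or f.level])
    return need

def analyze(clearance: dict, flows: list) -> dict:
    """Checks mirroring the table: clearance adequacy, secure connections, sanitization."""
    need = minimum_clearance(clearance, flows)
    violations, over_cleared = [], []
    for comp, declared in clearance.items():
        if LEVELS[declared] < need[comp]:    # handles information above its clearance
            violations.append(f"{comp}: cleared {declared}, needs level {need[comp]}")
        elif LEVELS[declared] > need[comp]:  # cleared higher than the model requires
            over_cleared.append(comp)
    for f in flows:
        if LEVELS[f.level] > 0 and not f.secure:
            violations.append(f"{f.src}->{f.dst}: {f.level} data on an insecure connection")
        if f.sanitized_to and LEVELS[f.sanitized_to] >= LEVELS[f.level]:
            violations.append(f"{f.src}->{f.dst}: sanitization does not lower the level")
    sanitized = sum(1 for f in flows if f.sanitized_to)
    return {"violations": violations, "over_cleared": over_cleared, "sanitized_flows": sanitized}

# Constructed sample architecture: a sensor, a sanitizing filter, a logger and an HMI.
SAMPLE_CLEARANCE = {"sensor": "secret", "filter": "secret", "logger": "unclassified", "hmi": "secret"}
SAMPLE_FLOWS = [
    Flow("sensor", "filter", "secret", secure=True),
    Flow("filter", "logger", "secret", secure=True, sanitized_to="unclassified"),
    Flow("sensor", "hmi", "confidential", secure=False),  # confidential data, unprotected link
]
```

Running `analyze(SAMPLE_CLEARANCE, SAMPLE_FLOWS)` reports one sanitized flow, flags the unprotected confidential link, and lists `hmi` as cleared higher than its flows require, which is the gap between actual and minimum clearance the table calls security effectiveness.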
The SEI uses the Architecture Analysis and Design Language (AADL) to document a system architecture and provide a platform for multiple analyses. AADL, an international industry standard, supports multiple analyses from a single architectural model, enables modeling and analysis throughout the life cycle, and provides analysis of runtime behavior such as availability, performance, and security.
The SEI offers the Open Source AADL Tool Environment (OSATE) set of analysis plug-ins. The OSATE security analysis plug-in checks the security levels and flow completeness of components. It includes
AADL also can be used with