Online Handbook

An interactive guide to understand and use the SERENITY tools and concepts… more

• The Serenity Vision


Antonio Maña, George Spanoudakis, Spyros Kokolakis


University of Málaga, City University London, University of the Aegean



Abstract In this chapter we present an overview of the SERENITY approach. We describe the SERENITY model of secure and dependable applications and show how it addresses the challenge of developing, integrating and dynamically maintaining security and dependabilitymechanisms in open, dynamic, distributed and heterogeneous computing systems and in particular of Ambient Intelligence scenarios.

We describe the basic concepts used in the approach and introduce the different processes supported by SERENITY, along with the tools provided.


1. A new model of secure and dependable computational ecosystems



Traditionally, Security and Dependability (S&D) Engineers have been faced with complex but static and predictable systems. Existing tools for creation and analysis of S&D solutions are designed for predictable systems, but the emergence of computing paradigms that exhibit high degrees of distribution, heterogeneity and dynamism means that systems are not predictable anymore.
In fact, because of the high degree of heterogeneity and the coexistence of many different devices, applications and users that interact and collaborate in order to achieve their goals, the term computing ecosystem is starting to be common when referring to the systems in these new paradigms.


One especially relevant example of these new paradigms is Ambient Intelligence. Defined by the EC Information Society Technologies Advisory Group (ISTAG), in the vision of Ambient Intelligence people will be surrounded by ubiquitous computers with intelligent and intuitive interfaces embedded in everyday objects around them, making the physical environments adapt and respond to users’ needs in an invisible way in order to provide anytime/anywhere access to information and services.


The most relevant features inherent to the realization of this vision are the increasing decentralization, high heterogeneity (of devices, applications, user needs, capabilities, etc.), dynamism, unpredictability, lack of predefined trust relations and context awareness. In fact, because of the high degree of heterogeneity and the coexistence of many different devices, applications and users that interact and collaborate in order to achieve their goals these systems have been defined as AmI ecosystems.


Due to the high heterogeneity, dynamism and lack of a central control of these ecosystems, it is not possible, even for the most experienced and skilled security engineers, to foresee all possible situations that may arise during the life of the applications in order to create solutions that can be used in these circumstances.

Moreover, due to the highly distributed nature of these ecosystems, applications will no longer belong to or be under the control of a single entity, which would force the software engineers to deal with incomplete system descriptions. Therefore, not only devices but also applications must be ready to participate in dynamic collaborations with heterogeneous (in terms of capabilities, functional goals, security and dependability needs, etc.) and non-trusted external elements.


The main consequence of these characteristics is that the provision of S&D in the new computing ecosystems introduces the need for the dynamic application of the expertise of S&D engineers in order to automatically react to unpredictable and ever-changing contexts. This approach takes advantage of recent developments in technologies regarding security engineering, run-time monitoring, semantic description and self-configuration.

In the research towards materialising this approach done in the SERENITY project, the concepts of S&D Patterns and Integration Schemes have proven to be very effective as tools to capture this expertise. While S&D Patterns represent independent security mechanisms, Integration Schemes represent solutions for complex S&D requirements achieved by the combination of various S&D mechanisms.


One additional aspect is that the overall security of a system not only depends on the security mechanisms used within the boundaries of a system but also on a variety of external factors including social context and human behaviour, IT environments, and even protection of the physical environment of systems (e.g. buildings).

The actual source of security and dependability requirements lies in the real world. Consequently, SERENITY aims at providing solutions to capture these requirements, to trace them and to validate solutions against these requirements. In addition to that, we took especially into account the computing context including heterogeneous communication systems, computing infrastructures and external actors and components dynamically interacting with the system.


Current methodologies and tools for engineering and development of secure applications are not well suited to be used in these new computing scenarios because they are not capable of dealing with characteristics like the heterogeneity, uncertainty and dynamism, lack of a central control, and increased needs for security and dependability.


2. Related work



The dynamic provision of appropriate S&D mechanisms for Ambient Intelligence ecosystems, supported both in the software engineering processes and during run-time has not received enough attention in the literature.


However, several approaches have been introduced in order to capture the specialized expertise of security engineers and make it available for automated processing providing the basis for automated synthesis and analysis of the security and dependability solutions of systems [5].
These approaches are supported by a wide range of technologies: components, frameworks, middleware, aspects and security patterns, being this last the most relevant from our work point of view.


The concept of security pattern was introduced to support the system engineer in selecting appropriate security or dependability solutions. However, most security patterns are expressed in textual form, as informal indications on how to solve some particular security problem [6-9]. Some of them do use more precise representations based on UML diagrams, but these patterns do not include sufficient semantic descriptions in order to automate their processing and to extend their use [10].


Perhaps the first and the most valuable contribution as pioneer in security patterns as we know them at present, is the work from Joseph Yoder and Jeffrey Barcalow proposing to adapt the object-oriented solutions to recurring problems of information security [9].
In their own words, seven patterns were presented to be used when dealing with application security. A natural evolution of this work is the proposal presented by Romanosky in [11]. It takes into consideration new questions that arise when securing a networked application.


Going one step down in the abstraction scale, Eduardo B. Fernandez in his work about authorization patterns [10] combines for the first time the idea of multiple architectural levels with the use of design patterns. In [12] they propose the decomposition of the system into hierarchical levels of abstraction.


The same author et al. offer in [13] a good source to study the historical approaches that have been appearing in the scientific literature as pattern systems for security. Wassermann and Cheng present in [14] a revision of most of the patterns from [9] and [12] and categorise them in terms of their abstraction level.

In order to facilitate the reuse of security knowledge, variations of the design pattern template given in [15] are included in order to better suit the presentation of security specific information. In the field of web application protection, [16] is the source of some patterns for Application Firewall and XML Firewall.


The special needs of secureware systems and the constantly changing context in which the systems are designed nowadays arise some new problems that have a starting solution in works like the one presented by Cheng et al in [8]. The proposal consist of a template for security patterns that takes into account essential information that has not been necessary in the general design patterns but appears as mandatory in the new security context.

On the basis of the security patterns described by Gamma et al. in [15], a new patterns library is created by the addition of new relevant information (e.g. Behaviour or Supported Principles are two new fields to describe the security pattern) and altering some existing fields (e.g. Consequences is altered to convey a new set of possible consequences including confidentiality, usability, integrity, etc.).


Some security patterns have also been proposed for multiagent and Web Services systems. Early efforts in these area were concentrating on the use of the object oriented paradigm. In [17], for instance, an object oriented access control (OOAC) was firstly introduced as a result of consequently applying the object oriented paradigm for providing access controls in object and interoperable databases.
In [18], Fernandez proposes some specific solutions oriented to web services: a pattern to provide authentication and authorization using Role-based access control (the so-called Security Assertion Coordination pattern) and a pattern for XML Firewalls.

The Security Assertion Coordination pattern takes as source the abstract security architecture defined by SAML (the main standard to provide security for web services). However, a minor work has been done in the field of agent-based systems. A good starting point is [19].


Some other authors have proposed ways to provide formal characterizations of patterns. The idea of precisely specifying a given class using class invariants and pre- and post-conditions for characterizing the behaviours of individual methods of the class is well known and provides the basis of the design by contract (DbC) approach [20]. Evolutions of that approach have appeared, notably in [21, 22]. More specifically, Eden et al. proposed to use logic formalism with an associated graphical notation to specify rich structural properties in [21].

Their approach, however, provides only limited support for specifying behavioural properties. The work in [22] had as its main goal to preserve the design integrity of a system during its maintenance and evolution phases. Also in [23] Mikkonen focused on behavioural properties. In his work, data classes model role objects, and guarded actions (in an action system) model the methods of the roles.


3. SERENITY Concepts



In SERENITY, the main pillar of building secure and dependable solutions is the enhanced concept of S&D Pattern. An S&D Pattern captures security expertise in a way that, in our view, is more appropriate than other related concepts. As explained in the previous section, components, frameworks, middleware, and patterns have been proposed as means to simplify the design of complex systems and to capture the specialized expertise of security engineers and to make it available for non-expert developers.

However, all these approaches have important drawbacks and limitations that hamper their practical use. The approach taken in SERENITY aims at integrating the best of these approaches in order to overcome the problems that have prevented them to succeed individually. Furthermore, because secure interoperability is an essential requisite for the widespread adoption of the SERENITY model, trust mechanisms are an essential aspect of S&D patterns.


In SERENITY, S&D patterns are precise specifications of validated security and dependability mechanisms (referred to as “S&D Solutions” in the SERENITY terminology) materialised as files containing models that can be described using formal or non-formal languages (e.g. XML and logic-based languages) to capture the expertise of security engineers with the objective of being used by automated means. SERENITY S&D patterns include a precise functional description of the mechanisms they represent, references to the S&D properties provided by these mechanisms, constraints about the context that is required for deployment of the mechanisms, specifications of how to adapt and monitor the mechanisms.

They also include trust mechanisms, which are designed to guarantee the origin and integrity of the artefacts, but also to support evolution. S&D patterns, along with the formal characterisation of their behaviour and semantics, are the basic building blocks of S&D solutions that will enable the provision of S&D over a wide range of heterogeneous AmI ecosystems. SERENITY’s integration schemes represent ways for systematically combining S&D patterns into systems composed of dynamically collaborating elements that operate in mobile, heterogeneous, and highly dynamic ICT infrastructures.


As will be described in other chapters along the book, the concept of S&D Pattern has been materialized in a series of modelling elements that we call S&D Artefacts. The main reason for having different modelling artefacts is that they correspond to different abstraction levels and serve different purposes. Consequently, the representation of S&D Solutions in SERENITY is supported by three main artefacts: S&D Classes, S&D Patterns and S&D Implementations. A fourth element, called ExecutableComponent is part of the SERENITY artefacts, but in this case it is not a modelling artefact but an operational one. Let’s briefly describe each of them now:



• S&D Patterns represent abstract S&D solutions. These solutions are well-defined mechanisms that provide one or moreS&D Properties. There is a special type of S&D Pattern that represents the combination of several S&D Patterns. This type of S&D Patterns is called Integration Schemes. The popular Needham-Schroeder public key protocol is an example of an S&D solution that can be represented as an S&D Pattern. A special type of S&D Pattern that is used to represent complex S&D Solutions that are realized by combining other S&D Solutions is called Integration Scheme.

Although, the concepts are slightly different, the modelling artefact used for both types is the S&D Pattern. One important aspect of the solutions represented as S&D Patterns and Integration Schemes is that they can be statically analysed using S&D Engineering Tools. However, the limitations of the static analysis tools and the assumption that perfect security is not achievable, introduce the need to support the dynamic validation of the behaviour of the described solutions by means of monitoring mechanisms.


• S&D Classes represent S&D services (abstractions of a set of S&D Patterns characterized for providing the same S&D Properties and being compatible with a common interface). This artefact is mainly used at development time by the SERENITY Development Tools. An example of an S&D Pattern Class could be a Confidentiality Class, which would define an interface including for instance, an abstract method SendConfidential(Data, Recipient). S&D Patterns that belong to an S&D Class can have different interfaces, but they must describe how these specific interfaces map into the S&D Class interface.

The main purpose of introducing this artefact is to facilitate the dynamic substitution of the S&D solutions at runtime. This is a basic pillar to support the idea of the SERENITY model: first, select an abstract definition at development time (i.e. abstract methods from S&D Classes); second, have several patterns complying to this definition (by means of their Class Adaptor); and third, at run-time, the patterns will be selectable and interchangeable because (though having different interfaces) they all comply with the same abstract one.

Given that interoperability is a key issue in the scenarios that are the focus of SERENITY, with this approach it is possible to create an application bound to S&D Class, as this artefact defines the high-level interface (i.e. the set of functions, calls, or methods that form the functionality offered by an artefact).

Thus, given that S&D artefacts have a reference to the higher level artefact they belong to, it is always possible to track back from an Executable Component to its S&D Class. In conclusion, all S&D Patterns (and their respective S&D Implementations) belonging to an S&D Class will be selectable by the framework at runtime.


• S&D Implementations are the representation of operational S&D Solutions, which are in turn called ExecutableComponents. It is important to note that the expression “operational solutions” refers here to any final solution (e.g. component, web service, library, etc.) that has been implemented and tested.

These solutions are made accessible to applications thanks to the SERENITY Run-time Framework (SRF). The description of either a specific dynamic library providing encryption services or a web service providing timestamping services (both including a reference to its corresponding Executable Component), are examples of S&D Implementations. At this stage, it is important to note that the physical implementation (either software or hardware) of an S&D Patterns corresponds to an Executable Component pointed by an S&D Implementation, and not to the S&D Implementation itself.

In fact, an S&D Implementation describes not just an implementation of the S&D Solution, but describes an implementation of an S&D Pattern. This means that all S&D Implementations of an S&D Pattern must conform directly to the interface, monitoring capabilities, and any other characteristic described in the S&D Pattern.

However, they may have differences, such as the specific context conditions that must be met before applying one specific S&D Implementation, their performance, target platform, programming language or any other feature not fixed at pattern’s level.



The rationale for introducing these three modelling artefacts is based on the following reasons:



• S&D Patterns can be verified using the SERENITY S&D Engineering Tools, while S&D Classes and S&D Implementations cannot. Therefore, it is wise to separate their definitions, since all information referring to the provided properties and the available proofs concern only the abstract solution (i.e. the S&D Pattern) and not the interface (i.e. S&D Class) or the specific implementation (i.e. S&D Implementation).


• S&D Patterns are verified by S&D experts (usually by means of formal methods) while the S&D Implementations are tested by their producers. In constrast to the case of S&D Patterns, which will be frequently produced by people who did not created the S&D Solutions described in such S&D Patterns, the creators of S&D Implementations will frequently be the creators of the corresponding Executable Components. Finally, S&D Classes are mainly interface definitions that are meant to facilitate application development.


• S&D Classes will be defined by entities mainly interested in interoperability (e.g. industry associations, standardization bodies). S&D Patterns will be produced by independent entities interested in security and dependability (e.g. S&D Companies and Experts, but maybe standardization bodies as well).
However, patterns will not only enhance security and dependability, but also interoperability, as all implementations of an S&D Pattern will be required to conform to the pattern specification. Finally S&D Implementations will be produced by entities interested in the creation of working solutions (commercial solution providers, open source communities, etc).



All these artefacts are represented in the following figure, along with their composing elements and their interrelations.



Fig. 1. Modelling elements and their relations



These new concepts can be useful in two different ways: at design/deployment time and at run time.


In the first case, we must consider that today’s large applications are built by integrating solutions from different sources and at different levels of abstraction. These applications must face the existence of multiple and heterogeneous user interfaces and access devices and the need to respond to the presence of individuals and the context in an intelligent and invisible way.

In this setting, the abovementioned concepts can facilitate the integration of components from different sources in a controlled and secure way, because components will be described by associated S&D Patterns and Integration Schemes that will contain all necessary information in order to allow system engineers to take an informed decision.

Furthermore, the SERENITY Development-time Framework (SDF) helps these engineers in the process of searching and browsing a large catalogue of S&D Artefacts, in order to find the most appropriate one to fulfil the S&D Properties required by the application under development, and to analyse the resulting applications in order to check that the application of the components has been done in a proper way
(for instance, an Integration Scheme can be used to ensure that a “digital signature pattern” and an “asymmetric encryption pattern” can be safely used together by taking care that the keys used on each pattern are different) and that compliance to relevant S&D policies is achieved (for instance, by checking that all information related to the company accounting is always transmitted using a solution belonging to the “ConfidentialCommunication” S&D Class).


In the second case (i.e., during runtime) S&D Patterns and Integration Schemes are used in order to support automated adaptation of the S&D mechanisms to the changing context conditions. To achieve this, it is necessary to have a framework supporting the management of a pattern library and the constant evolution of such patterns, taking into account the context in which they are applied. The SERENITY Runtime Framework (SRF) is able to select the most appropriate S&D solution among the ones available in the S&D Library, based on the end-user requirements and the actual context.


The SRF provides a way to secure interconnected and heterogeneous systems because it provides means for systems to interact and collaborate (each SRF provides a negotiation interface) and to manage the selection, control and monitoring of S&D Solutions represented as S&D Artefacts.


As mentioned above, the key to success in these scenarios is based on capturing security expertise in such a way that it can be supported by automated means. In particular, the assumption that S&D experts will not be able to foresee all possible situations for the operation of the system introduces the need to complement the static analysis performed by the security experts with mechanisms for dynamic supervision that can monitor that the conditions established by the S&D experts are fulfilled during the operation of the system.

SERENITY provides support for the dynamic supervision and adaptation of the security of systems to the changes in ever-changing ecosystems. In this way, SERENITY’s integral model of S&D considers not only static aspects but also dynamic aspects by means of the monitoring mechanism.


4. SERENITY Processes



SERENITY covers all aspects of the development and management of security and dependability components and applications. To achieve such coverage, it includes processes for: (i) the engineering, analysis and characterization of S&D solutions, (ii) the development of applications that incorporate statically or dynamically S&D solutions, (iii) the runtime management of applications that incorporate SERENITY S&D solutions; and (iv) the management of wider organization security and dependability issues by means of S&D Properties and S&D Policies.

The main characteristics of these properties are overviewed below, whilst a more detailed account of their methodological and technical aspects is provided in the subsequent chapters of the book.


4.1 S&D Solution engineering and development



Regarding the lifecycle of S&D Solutions, SERENITY addresses both (i) the creation of new solutions and their characterization as S&D Patterns; and (ii) the description of their real executable implementations (i.e. Executable Components) as S&D Implementations.
In the first place S&D engineers design solutions ranging from cryptographic primitives, to protocols, to complete mechanisms, and up to workflows and organizational structures.

These solutions are then analysed in order to gain knowledge about them, which is finally captured in S&D Artefacts. Therefore, S&D Artefacts contain representations of the knowledge that S&D experts have about these solutions. This process is the missing link in the security engineering chain. Security solutions are normally thoroughly analysed and tested. Different techniques such as formal methods, code inspection, etc. provide rich knowledge about the solutions to those performing those analysis activities. However, after all that effort, the results of the analysis are rarely made available in a carefully organized, precise, complete and usable way.

On the contrary, we tend to make the results available as textual descriptions, by means of technical papers or reports. The consequence of this common practice is that a large part of the security expertise is lost, hidden in the minds of the analysts or in difficult to find and even unreachable documents. The concept of Security Pattern [9, 11, 12] has been an important step towards the solution of this situation. Unfortunately, the formats and description means for security patterns are still too varied. Furthermore, with all previous approaches the security expertise is captured in formats that are not suitable for being exploited by automated means.

In SERENITY a framework for the precise description of security solutions covering both the needs of software engineers during application development and system administrators is provided. Moreover, our solution is specifically designed to support the automated management of security solutions at runtime.


On the other hand, once solutions have been developed and characterized by means of S&D Artefacts, real implementations have to be produced. It is worth noting at this point that Executable Components are not just implementations of the S&D Solution, but more precisely implementations of S&D Patterns. This means that all Executable Components of an S&D Pattern must conform directly to the interface, monitoring capabilities, and any other characteristic described in the S&D Pattern. Of course, they may have differences, such as the specific context conditions that must be met before applying one specific Executable Component, their performance, target platform, programming language, or any other feature not fixed at pattern’s level.

These specific characteristics are captured in S&D Implementations. Therefore, an existing realization of an S&D Solution such as the OpenSSL implementation of the SSL protocol does not qualify “as is” as a SERENITY Executable Component of the SSL_Channel.uma.es S&D Pattern. The main reason is that every Executable Component has to implement specific interfaces to interact with the SRF and with the application using it.

Furthermore, all SERENITY Executable Components must provide support to monitoring by providing specific event capturers defined in the S&D Pattern specification. However, SERENITY provides an API that facilitates the creation of Executable Components. In most cases, an existing implementation of an S&D Solution can be transformed into an Executable Component simply by constructing a wrapper around it.


4.2 Application development



In addition, SERENITY supports the application development process assisting developers in the selection and use of the most appropriate solution fulfilling their requirements. The SERENITY application development process is compatible with most of the current software and system engineering processes. Therefore, it does not require application developers to change their current development practices.

The SERENITY process only assumption on the underlying development process is that the system developers know the security and dependability requirements of their applications and can relate these to S&D Properties.
This process focuses on the mechanisms for search and selection of S&D Solutions at development time. Prior to giving a complete description of the proposed process, it is worth providing a description of the scenario that we intend to address. This scenario can be described as follows:



• Programmers are developing an application and they face the challenge of integrating S&D Solutions that can adequately solve their S&D requirements in every possible run-time context.


• Programmers are not security experts. For instance, they lack enough expertise about cryptography in order to implement security primitives such as encryption, key management, etc. required for securing a specific communication.


• Fortunately, in our model, the previous drawbacks can be overcome thanks to the existence of libraries of well-defined and formally verified S&D Solutions online. They are maintained by different entities, such as security software development companies, open source communities, etc.



Following our approach, the development process of adaptive secure applications, includes the following steps:


Firstly, developers design their application following any existing development process. During this phase the development team must identify all security requirements of the application. For each security requirement identified the developers must analyse which S&D Properties must be fulfilled and the appropriate restrictions and static (i.e. known at development time) context conditions for it. Once developers have identified all S&D Properties, they can use two development strategies:



• Fully-delegated S&D: Developers may fully delegate the provision of the S&D Solutions to the Run-time Framework. Doing this, the SRF, can apply the most suitable S&D Pattern in each situation. Therefore, developers fix the minimum amount of details for their application to work.

These details are the S&D Property required and the interface used to access the services related to the property. For doing this, developers have to identify which S&D Class provides the required S&D Properties with a suitable interface. Later, at run-time, the SRF is able to choose amongst all Executable Components of all S&D Patterns belonging to the selected S&D Class that was fixed by the developers. If at run-time there is no applicable S&D Pattern found, the application will be informed so it can react appropriately.


• Partially fixed S&D: Developers can limit the range of S&D Solutions that can be selected by the SRF at runtime for a particular requirement. In order to do this, developers fix an S&D Pattern or an S&D Implementation for the security requirement at development-time. In this scenario, developers have at their disposal development time S&D Libraries where they can search for S&D Arte-facts. The result of a query for S&D Solutions matching a particular set of S&D Properties and constraints is a list of applicable S&D Solutions.

Of course, in some cases it is possible that the list is empty. It is important to note that the search for a particular S&D Property is very flexible and allows the selection of artefacts providing not only the requested property, but also all other equivalent S&D Properties. For more details on description and reasoning about S&D Properties, the reader can consult reference [16]. If the query is successful, the library returns all S&D Artefacts that fit the developer query.

That is, those artefacts that can be used to fulfil the requirement according to the constraints expressed by the developer. Moreover, in the case of abstract artefacts (S&D Classes and S&D Patterns) the result will include the constraints that need to be checked at run-time.



The type of artefact selected determines the flexibility allowed to the SRF. If developers select an S&D Class, as aforementioned, the SRF can select amongst all Executable Components (represented by S&D Implementations) that correspond to any S&D Pattern belonging to that S&D Class. If developers select an S&D Pattern, the SRF can select amongst all Executable Components that correspond to that S&D Pattern.

Finally, if developers select an S&D Implementation, they do not allow the SRF to do any dynamic selection. However, it is important to note that even in this case there are important advantages of using this approach instead of “hard-coding” the solution in the application. In particular, this approach allows the SRF to monitor the execution of the S&D Implementation and to react to events, for instance, by changing some of its parameters, or by notifying the user.


The result of the application development process is an application that contains calls to Executable Components that are unknown at development time. This is possible thanks to the services offered by the SRF for selection and activation of appropriate Executable Components.


SERENITY provides an API that facilitates the creation of SERENITY aware applications. This API provides the necessary support for applications to interact with the SRF and with Executable Components. For instance, the API provides means for an application to request an Executable Component from the SRF, to access the Executable Component’s operations and to receive notifications from the SRF about the functioning of the Executable Component.


4.3 Runtime management



The runtime management process of SERENITY is concerned with the configuration, automated dynamic selection, use and control of S&D Implementations, according to the requirements of applications and the context conditions which arise during their operation.
After an application is developed, the next step is to deploy it.

To ensure correct deployment, an application must be installed on a platform supported by the SERENITY Runtime Framework (SRF). Note that installation of the application includes the installation of all possible artefacts that can be used at run-time, along of course, with the corresponding Executable Components.


Once the application has been created and deployed in the target environment, it can interact with the SERENITY Runtime Framework. This interaction starts as soon as the application sends a request for a required Executable Component to the SRF. The SRF also activates the monitoring mechanisms to obtain any information that is necessary in order to identify the characteristics of the target system and check context and other conditions associated with its operation and the deployment of different Executable Components by it.

The context and other conditions that need to be checked at runtime are specified within the S&D Patterns and S&D Implementations that have been activated for the application. Initially, the SRF checks the preconditions of these artefacts and if they are satisified, the Executable Component associated with them is recovered from the Runtime S&D library, deployed, and its handler is returned to the application. Form this point onwards, the Executable Components is effectively linked to the application and cab be used by it.


Following the activation of an S&D Pattern and S&D Implementation and the linking of an Executable Component to an application, the SRF also starts the process of monitoring the deployed solution. The monitoring process is based on monitoring rules which are specified in the S&D Patterns that have been activated for the application. These monitoring rules are extracted by the SRF and sent to a monitoring service. This service starts immediately a continuous check of the submitted rules and keeps a record of any violations that it detects for them. The checks are based on events that the SRF collects from different sources.

Typically, these events are generated and sent to the SRF by the Executable Components that have been activated for the given system or by some event captor which is part of the deployment infrastructure of a component (e.g. in cases where an executable component is a web-service communicating with its clients via the SOAP protocol, events that represent invocations and responses from the service may be captured by a SOAP message captor embedded in the server within which the service is deployed).


To obtain the violations of the monitoring rules that it has sent to the monitoring service, the SRF polls this service periodically and extracts descriptions of any violations that may have occurred as well as diagnostic information about them (the latter type of information indicates the likely causes of the violation). The reaction to violations of the monitoring rules depends on actions that have been specified for them within S&D Patterns. In many instances, the reaction to a violation will be the immediate cease of the execution of the Executable Component that has been activated to realize the pattern.

Other actions are however possible including for example, the dispatch of notifications to the administrator of the SRF, the application (see Chapter D3 for more details). The realization of the actions associated with violations may be the responsibility of the SRF, the application, or a human user. When the conditions associated with a particular implementation of an S&D Pattern are violated, for example, but the conditions associated with the pattern itself are satisfied, the SRF can try to find alternative S&D Implementation and Executable Components for the pattern and activate them.

In cases where the conditions of the S&D Pattern are violated, however, and the SRF is unable to find alternatives the operation of the application may need to be aborted following or not confirmation of the application’s user.


4.4 Managing S&D Properties and Policies



The last of the SERENITY processes is related to the definition of S&D Properties and S&D Policies. The definition of S&D Properties is based on the assumption that there will be different interpretations of the concepts that are the core of the S&D Properties, which in turn requires the ability to allow different definitions that express subtle differences of interpretation.

There are many reasons supporting this assumption; for instance, legislation, cultural differences etc.
Regarding the development-time phase, we assume that SERENITY aware system developers have identified and selected the S&D Properties that their applications must fulfil. These S&D Properties result in a set of S&D Solutions to be applied in the target context. This set of S&D Solutions is composed by those S&D Artefacts explicitly related to the requested properties.


In order to provide the developer not only with the exact results matching her queries, but also with those results that, though not explicitly related, implicitly provide the same S&D Properties, reasoning mechanisms have been defined. For instance, given an S&D Property p, it is desirable to find those S&D Properties (e.g. p’, p’’) that semantically imply p as well as those S&D Properties that considered jointly (e.g. p’∧ p’’) imply p. Following this process, not only those solutions providing p will be taken into consideration but also those solutions providing p’, p’’ and p’∧ p’’.


This approach expands the universe of possible solutions to include those catalogued as semantically implied.
The same reasoning holds for S&D Policies, which in SERENITY are defined as a set of rules specifying the application of different S&D Properties to different system elements. Based on the property reasoning mechanisms, we can also define reasoning mechanisms for S&D Policies, which would allow the automated verification of their relations.

By verifying that an S&D Policy P1 implies another policy P2 we demonstrate that P2 complies with P1. If we think of P1 as a policy corresponding to a regulation (e.g. HIPAA) and P2 as the corporate policy of the ACME Company, we have a simple but powerful way to verify compliance.
Moreover, we can also verify that applications comply with a policy.

This is achieved by checking that the protection of the computational elements in the application is managed through calls to the SERENITY framework. The checking of the use of these calls can ensure the use of solutions that fulfill specific S&D properties on specific computational elements, which in turn can ensure the compliance with an S&D policy.


5. SERENITY tools



SERENITY provides a suite of tools to support the processes described in the previous section. In the following we briefly overview them and a more detailed description can be found in the subsequent chapters of this book.
Solution analysis. There is a set of tools designed to support the analysis of S&D Solutions at different levels of abstraction. These tools are loosely coupled with the rest of SERENITY tools.

The main reason is that the output of these tools is knowledge about the solutions, which is precisely the input to the solution description tools. Additionally, the loose-coupling model has the advantage of allowing external tools such as AVISPA or CAPSL to be used for this purpose.
Solution description. The tools for describing solutions support S&D Experts in the expression of their knowledge about the S&D Solutions in a way that is suitable for automated processing, but is also useful for humans (application developers).
SDF. S&D Library
Serenity Development time Framework (SDF).



Application development support. These tools help application developers to manage the calls to the Executable Components providing the S&D services required by the application. At the level of source code, an Eclipse plug-in is provided for this purpose. Additionally, other tools like the SI* tool operate on a higher level allowing the automatic application of S&D patterns to the system model.
S&D Property and S&D Policy management. These mechanisms support the publication and management of S&D Properties and S&D Policies.

In particular, an infrastructure for the semantic interoperability of S&D Properties is provided, which could be considered the backbone of the process described in section 4.4.

Serenity Runtime Framework (SRF). The SRF is the tool that enables the dynamic configuration, binding, monitoring and replacement of S&D mechanisms into applications, thus realising the core of the SERENITY approach. The SRF is implemented as a service running in a device, on top of the operating system, and listening to applications requests.

Applications send requests in order to fulfil their security requirements. These requests, once processed by the SRF, are translated into S&D Solutions that may be used by the application. As a result of the selection process, the SRF instantiates S&D Patterns or Integration Schemes by means of Executable Components and makes them accessible to the applications.
SRFs are specific for each device or system. The SRF has a generic architecture that can be valid for the wide variety of target devices where the SRF will run.

From an external point of view, every instance of the SRF provides interfaces in order to allow interaction with other systems or other SRFs instances. The SRF provides two main interfaces: On one hand, it provides a negotiation interface, used to establish the configuration of the interacting SRFs when two applications supported by different SRFs need to be communicated using the same S&D Solution. On the other hand, SRFs offer a monitoring interface.

External systems interacting with an instance of the SRF will be able to monitor that the behaviour of the framework and the executable components running in it is correct. With these interfaces, we provide support for the dynamic supervision and adaptation of the system’s security to the transformations in ever-changing AmI ecosystems.
Monitoring Framework. The monitoring framework of SERENITY is called EVEREST (EVEnt RESoning Toolkit).

EVEREST provides the rule verification services which are required in order to inform the processes of selecting, activating and deactivating S&D mechanisms for applications at runtime. This monitoring framework is implemented as a service that is accessible to the SRF. As discussed earlier, the SRF provides EVEREST with the rules that need to be monitored at runtime for the different S&D Patterns that have been activated and forwards to it events generated by the different Executable Components that are linked with the application and/or its operational environment, to enable the rule checks.

EVEREST checks these events against the monitoring rules and records property violations. The recorded violations are retrieved by the SRF through a periodic polling process.
EVEREST has been implemented as a generic reasoning engine that can check rules expressed in a special form of Event Calculus, called EC-Assertion. This engine is capable of reasoning with events coming from distributed sources and time-stamped on separate time lines. In addition to basic rule checking capabilities, EVEREST can perform diagnostic analysis.

The objective of diagnostic analysis is to identify the possible causes of rule violations. This analysis is based on abductive and belief based reasoning. Furthermore, EVEREST provides threat detection analysis. The objective of this analysis is the prediction of potential violations of monitoring rules and the estimation of the likelihood of their occurrence. Threat detection analysis is required for certain types of monitoring rules where it is possible to take early action to prevent violations which seem likely but have not occurred yet.



6. Conclusions and further research



SERENITY is addressing the issue of security and dependability in the complex world of Ambient Intelligence. It provides an infrastructure for the development and application of adaptable S&D solutions in dynamic and continuously changing AmI ecosystems. It also provides a set of concepts, methods, processes, and tools that underpin this infrastructure and support S&D experts, S&D engineers, application developers, and system administrators in their tasks.


The benefits of the SERENITY approach have been demonstrated through prototype systems that use the artefacts and infrastructure of SERENITY to solve real S&D problems. The SERENITY artefacts and some of the prototype applications are presented in the following chapters.
The work that has been cartied out in SERENITY has already made significant contributions to the dynamic configuration, deployment, monitoring and adaptation of security and dependability solutions in AmI ecosystems, opening a new path of possibilities. In this path, there are also several new challenges that have emerged.


The first such challenge is to bring together companies and academia in an effort to standardise several aspects of SERENITY. Another challenge is to investigate into effective ways of embedding the SERENITY runtime framework in different micro devices with diverge characteristics.

The development of elaborated coordination mechanisms between different instances of the SERENITY runtime framework that would enable the delegation of tasks across devices and the possibility of dynamic sharing of S&D mechanisms that may be available in different frameworks is also one of the opened challenges of the work carried out in the project.


References



[1] Security Focus. The Largest Community of Security Professionals Available Anywhere http://www.securityfocus.com/


[2] Astalavista.com, One of the world’s most popular and comprehensive computer security web sites http://www.astalavista.com/


[3] James A. Whittaker, Herbert H. Thompson, Herbert Thompson. How to Break Software Security, Addison Wesley, May 9, 2003.


[4] Joshep Yoder and Jeffrey Barcalow. Architectural patterns for enabling application security. PLoP, 1997. 5, 6,7.


[5] D. C. Schmidt. Patterns, Frameworks and Middleware: Their Synergetic Relationships. Invited talk at IEEE/ACM International Conference on Software Engineering, Portland, Oregon, May 3–10, 2003.


[6] Kienzle, D.M., Elder, M.C., “Final Technical Report: Security Patterns for Web Application Development.” (Available at http://www.scrypt.net/~celer/securitypatterns/final%20report.pdf).


[7] IBM’s Security Strategy team. (2004). “Introduction to Business Security Patterns. An IBM White Paper”. Available at http://www-3.ibm.com/security/patterns/intro.pdf. 2004.


[8] Konrad, S., B.H.C. Cheng, Campbell, Laura. A., and Wassermann R., (2003). “Using Security Patterns to Model and Analyze Security Requirements”. Proc. Requirements for High Assurance Systems Workshop (RHAS ’03).


[9] Yoder, J. and Barcalow, J. (2000). “Architectural Patterns for Enabling Application Security”. Pattern Languages of Program Design. 4, 301-336. Reading, MA: Addison Wesley Publishing Company.


[10] Fernandez, E.B., (2000). “Metadata and authorization patterns”. Technical report, Florida Atlantic University


[11] Romanosky, S., (2001). “Security Design Patterns”, Part 1, 1.4.


[12] Fernandez, E.B. and Pan, Rouyi, (2001). “A pattern language for security models”. PLoP’01 Conference.


[13] Torsten, P, Fernandez, E.B., Mehlau, J.I., Pernul, G. (2004). “A pattern system for access control”. 18th IFIP WG 11.3 Conference on Data and Applications Security, (Sitges, Spain).


[14] Wassermann, R. and Cheng, B.H.B., (2003). “Security patterns”. Technical Report MSU-CSE-03-23, Computer Science and Engineering, Michigan State University, (East Lansing, Michigan).


[15] Gamma, E., Helm, R., Johnson, R., and Vlissides, J. (1994). “Design patterns: Elements of Reusable Object-Oriented Software”. Addison-Wesley, 1994


[16] Delessy-Gassant, N., Fernandez. E.B., Rajput. S, and Larrondo-Petrie, M.M., (2004). “Patterns for Application Firewalls”. PLoP’04.


[17] Essmayr, W., Pernul, G., Tjoa, A.M., (1997). “Access controls by object oriented concepts”. Proceedings of 11th IFIP WG 11.3 Working Conference on Database Security.


[18] Fernandez, E. B., (2004). “Two patterns for web services security”. Proc. International Symposium on Web Services and Applications (ISWS’04), (Las Vegas, NV).


[19] Mouratidis, H., Giorgini, P., Schumacher, M., (2003). “Security Patterns for Agent Systems”. In Proceedings of Eighth European Conference on Pattern Languages of Programs, (Irsee, Germany).


[20] Hallstrom, J. O., Soundarajan, N., Tyler, B. (2004). “Monitoring Design Pattern Contracts”. In Proc. of the FSE-12 Workshop on Specification and Verification of Component-Based Systems. pg. 87-94.


[21] Allenby, K., and Kelly, T. (2001). “Deriving Requirements Using Scenarios”. In Proc. Of the 5th IEEE International Symposium on Requirements Engineering. RE’01.


[22] Hallstrom, J. O., Soundarajan, N. (2006). “Pattern-Based System Evolution: A Case-Study”. In the Proc of the 18th International Conference on Software Engineering and Knowledge Engineering. San Francisco Bay, USA.


[23] Mikkonen, T. (1998). “Formalizing design patterns”. In Proc. Of 20th ICSE, pages 115-124. IEEE Computer Society Press.



• A new Security Engineering Approach
  • Introduction
  
  
  Contents:

  The objective of the SERENITY Project is to provide a framework for the automated treatment of security and dependability issues in AmI scenarios. SERENITY has not focused on the definition of a single security engineering process, but on the exploitation of S&D artefacts that can be involved in various and specific security engineering processes.
  
  

  In order to do that the SERENITY Project focuses has two main cornerstones: (i) capturing the specific expertise of security engineers in a way that allows its automated processing; and (ii) providing means to perform run-time monitoring of security and dependability mechanisms.
  
  Some SERENITY contributions, such as the tools developed in the Air Traffic Managements Scenario and the subsystems enabling Reaction Mechanisms, are also applicable in safety critical domains and are relevant for the protection of critical infrastructure.
  
  

  The SERENITY Vision is very flexible and supports different entry points and exploitation strategies depending on the application, the level of design and the types of security requirements to be fullfiled. It has been deployed by means of:
  
  

  1. A set of modelling artefacts used to capture security expertise (called S&D artefacts):
  
  

  We use the term S&D solution to refer to an isolated component that provides a security and/or dependability service to an application. S&D artefacts are used to represent S&D solutions at different levels of abstraction.
  
  The representation of S&D solutions at different levels of abstraction responds to the needs of using them at the different phases of the software development process. It is
  important to highlight that SERENITY does not cover the engineering of security models. Rather, SERENITY assumes that security models and proper solutions are already established: SERENITY S&D artefacts are used to implement and enforce these models These S&D artefacts are presented more in details in the following Sections.
  
  

  2. A development-time framework (the SERENITY Development-time Framework, SDF) supporting:
  
  

  • The development of S&D solutions by means of the aforementioned S&D artefacts. The SDF includes processes and tools used by security experts for the creation of new S&D solutions. S&D solutions developed using the SDF include semantic information related to its informational description and its operational behaviour.
  
  

  • The development of secure applications following the SERENITY approach. These secure applications rely on SERENITY for fulfilling its security and dependability requirements. Applications developed by this way are called SERENITY-aware applications. They include references to SERENITY S&D artefacts. At run-time these references are resolved so that S&D solutions are provided and can be used by applications.
  
  

  The SDF is supported by online repositories populated with S&D artefacts. Security experts use these online repositories in order to store the S&D solutions they develop. And, application developers access to online repositories when they are developing SERENITY-aware applications in order to look for S&D solutions to reference from their applications.
  
  

  3. A Run-time framework, called Serenity Run-time Framework (SRF).
  
  

  The SRF provides support to applications at run-time, by managing S&D solutions and monitoring the systems’ context. SERENITY-aware applications are developed by means of open architectures that
  are complemented at run-time by the SRF.

  The following Sections present S&D Artefacts, and main processes of both SDF and SRF.
  
  

  • Representation of Security Solutions
  
  
  One of the cornerstones of the SERENITY Project is to capture security expertise. This security expertise is represented by means of Security and Dependability (S&D) Solutions. An S&D Solution is an abstract representation of an isolated and independent S&D mechanism.
  
  That is, the representation of an S&D mechanism by means of an S&D Solution includes all elements needed for its implementation and its run-time monitoring. In order to capture all the necessary data five S&D Artefacts have been developed: S&DClasses, S&DPatterns, IntegrationSchemes, S&DImplementations and ExecutableComponents.
  
  These artifacts, depicted in Figure 1, represent S&DSolutions using semantic descriptions at different levels of abstraction. The main reason for using different artefacts, each one for covering an abstraction level, is that some of them are specially designed to be used at development-time, since the others are specially suitable for its use at run-time. Using this approach it is possible to cover the complete life cycles of secure applications, and in particular development and run-time phases.
  
  
  
  

  Figure 1

  
  

  • To start, S&D Classes represent abstractions of a security service that can be provided by different S&D solutions characterized for providing the same S&D Properties and complying with a common interface. At the level of S&D Classes, S&D solution descriptions are very simple, containing some information about the name of the solution, and its creators, the security properties provided, and the interface offered by the solution.
  
  Regarding to the security properties, SERENITY provides a formalism created for representing and reasoning about security properties (called S&D properties), interested readers can refer to [ares2008gimena[Serrano1] ]. S&DClasses are represented in XML files following the structure presented in XSD_for_Classes.
  
  

  • S&D Patterns are detailed descriptions of abstract S&D solutions. As presented in Figure XXX, each S&D Pattern belongs at least to one S&D Class. At this level of abstraction the description of S&D solutions are more detailed than in the previous one (S&D Classes).
  
  These descriptions contain all the information necessary for the selection, instantiation, adaptation, and dynamic application of the security solution represented in the S&D Pattern. Since each S&D Pattern may have a different interface, they contain a specification that allows mapping the abstract calls defined in the S&D Class interface into the specific calls defined by the S&D Pattern interface.
  
  Also, S&D Patterns include behavioural description of the security mechanisms they represent. Besides, they include the pattern semantics, which are related to the semantics of the security properties provided. Finally, S&D Patterns include information about the restrictions imposed by the solution.
  
  It is important to take into account that the S&D Patterns we are using in the SERENITY Project differ from the current concept of patterns in software engineering. S&D Patterns are components containing detailed information about S&D solutions. These components (S&D Patterns) are machine readable. S&DPatterns are represented in XML files formatted using the structure represented in XSD_for_Patterns.
  
  

  • IntegrationSchemes are an especial type of S&DPattern that represent S&D Solutions that are built by combining several S&DPatterns. While S&DPatterns are independent or atomic descriptions of S&D Solutions, IntegrationSchemes describe solutions for complex requirements achieved by the combination of smaller S&D Solutions.
  
  At the level of its representation IntegrationSchemes and S&DPatterns have the same structure, but they differ at the level of its implementation. The implementation of an S&DPattern is the implementation of an S&D mechanism/service.
  
  The implementation of an IntegrationScheme is based on the use of existing S&D solutions implemented by means of existing S&DPatterns (or IntegrationSchemes). Consequently, the implementation of an IntegrationScheme includes references to existing S&D Artefacts.
  
  

  • S&D Implementations represent the components that realize the S&D solutions. S&D Implementations are not real implementations but their representation/description. This is the lower abstraction level, at this level S&D solutions are defined in terms of the technology used in their development and how to make use of it. S&DImplementations are represented using XML files conforming to the structure presented in SDImplementation_XSD.
  
  

  • Finally, Executable Components are the actual implementations (pieces of code) of S&D solutions. The automatic processing of Executable Components is based on the use of the information provided by the S&D artefacts representing the S&D solution implemented by them.
  
  

  S&DClasses, S&DPatterns and S&DImplementations are development-time oriented artefacts, and Executable Components are especially suitable for run-time. Applications security requirements are hardcoded by means of references to development-time oriented artefacts.
  
  Depending on the artefact level of abstraction used by an application developer, at run-time the SRF is more flexible when selecting and intantiating S&D Solutions. This hierarchy facilitates the run-time selection and substitution of S&D Solutions, while facilitates the development process of secure applications.
  
  

  [Serrano1]
  
  

  Antonio Maña and Gimena Pujol. Towards formal speci_cation of abstract security properties. In Proceedings of The Third International Conference on Availability, Reliability and Security (ARES2008), Barcelona, March 2008. IEEE Computer Society Press.
  
  

  • Overview of the Security Engineering Processes
  
  
  The software development following the SERENITY approach is composed of three main processes: (i) development of S&D Solutions by means of S&D Artefacts, (ii) development of secure applications including references to S&D Artefacts, and (iii) run-time provision and monitoring of S&D solutions. This section introduces those three processes.
  
  
  DEVELOPMENT OF S&D SOLUTIONS:
  
  

  The development of S&D Solutions (Figure 2) is supported by the SERENITY Development-time Framework. It comprises the analysis of the S&D service creating a conceptual S&D Solutions that has to be represented using the aforementioned S&D Artefacts. Once, that S&D solutions have been analyzed, the SDF provides tools supporting the representation of the S&D Solution semantics by means of S&D Artefacts.
  
  S&D Patterns are certified and stored in development-time S&D libraries with the rest of the S&D Artefacts. For the development of ExecutableComponent the SERENITY Project provides an API supporting its implementation using Java.
  
  
  
  

  Figure 2: Development of S&D Solutions

  
  
  DEVELOPMENT OF SECURE APPLICATIONS:
  
  

  The Serenity-aware applications are applications specially designed to make use of the security and dependability mechanisms provided by SERENITY. In order to do that, these applications include references to SERENITY security and dependability solutions and to the SRF. The SRF processes these references at run-time, and it provides executable components according to the applications’ requests.
  
  As part of the SERENITY Project there is an API supporting the development of SERENITY-aware applications. This API allows the creation of Java applications. The process is carried out as follows.
  
  

  The development of SERENITY-aware applications is as follows Figure 3. Firstly, programmers design their applications as usual. At the moment they identify an S&D requirement they use online tools in order to identify S&D Properties fulfilling the S&D requirements found. S&D Properties can be accessed by using SERENITY Development-time Framework; particularly S&D Properties are stored in Properties Domain Servers.
  
  Next, using the chosen S&D Properties programmers select S&D Artefacts. The SDF provides tools used to access to Development-time S&D Libraries. Once, that programmers decide the S&D Artefacts to use, they include them into their SERENITY-aware applications code by means of:
  
  

  1. Requests for the selected S&D Artefact.
  2. Accesses to the requested S&D Artefacts functionalities through their interfaces.
  
  

  
  

  Figure 3

  
  
  EXECUTION OF SERENITY-AWARE APPLICATIONS
  
  

  The execution of SERENITY-aware applications is supported by the SERENITY Run-time Framework. The SRF receives SERENITY-aware applications requests. For each, request the SRF perform a selection algorithm that takes into account: (i) the requested S&D Artefact, (ii) the SRF configuration, and (iii) the context conditions.
  
  

  The process (Figure 4) starts by searching in the run-time S&D Library for all S&D Artefacts matching with the received request. This set of S&D Artefacts is ordered using the context conditions and the SRF configuration (the SRF configuration includes information about S&D Authority preferences).
  
  Once, that the S&D Pattern to activate is selected, then the SRF instantiates an ExecutableComponent implementing it. The ExecutableComponents are available to SERENITY-aware Application through a handler received from the SRF. This handler points to the ExecutableComponent.
  
  The SERENITY Project provides an API supporting the creation of Java based SERENITY-aware applications. Programmers use this API to obtain handlers from the SRF, and to access to the ExecutableComponents. During the ExecutableComponent execution the SRF is in charge of monitoring its proper operation. This is done by the evaluation of the associated S&DPattern monitoring rules.
  
  The SRF can react when a monitoring rule is satisfied by performing actions to the ExecutableComponent. One of the possible reaction mechanisms is the emission of a message to the SERENITY-aware application informing that there is a exceptional situation contemplated by the creator of the S&DPattern through a monitoring rule. In this case, the SERENITY-aware application programmers are in charge of taken the appropriated actions.
  
  
  
  

  Figure 4

  
  

  • Advantages of the Proposed Approaches
  
  
  This section highlights the SERENITY development approach main features and its advantages. Compared to current secure systems development approaches SERENITY proposes:
  
  

  1. A clear separation between the development of S&D Solutions and the development of secure applications (SERENITY-aware applications). As presented in Figure 5 there is a development of S&D Solutions and an independent development of SERENITY-aware applications. These two developments are connected through the use of development-time S&D Libraries.
  
  The diagram presented in Figure 5 shows that first, S&D Engineers develop S&D Solutions and they publish their work in the SDF S&D Libraries. Second, application developers search for S&D Solutions in these SDF S&D Libraries in order to find the most appropriate S&D Solutions for their applications. The use of S&D Libraries is a fundamental part of the development applications following the SERENITY approach.
  
  
  
  

  Figure 5

  
  

  2. Additionally, other of the important facts of the development based on SERENITY Frameworks, is that SERENITY-aware applications are designed by means of open architectures. This means that during the development of the applications developers choose S&D Solutions (using the SDF). But they do not need to fix the implementation (S&D Implementations).
  
  At run-time, the SRF assemblies the most appropriate implementation of the S&D Solution chosen by developers. This two step development approach is possible thanks to the separation between SDF and SRF.
  
  

  3. Other of the cornerstones of the SERENITY approach is the monitorization capability. SERENITY introduces a run-time monitoring infrastructure. This monitoring system is based on event calculus and monitoring rules. Each S&D Pattern includes a set of monitoring rules, developed by S&D Engineers. The set of monitoring rules guaranties that the execution of an S&D Solution is secure under certain context conditions. The SRF takes into account the monitoring rules included by S&D Solution creators together with the events produced by the executable components implementing them.
  
  As aforementioned, this monitoring infrastructure is based on the event calculus, in order to do that, the SRF is supported at run-time by a set of monitoring services. Monitoring services base their operation on the monitoring rules, and on the observation of events coming from Executable Components. The SRF uses the results of the monitoring activity in order to react. These reactions could be halt and pause among others.
  
  

• S&D Knowledge Elicitation
  
  
  One of the central elements of the SERENITY framework is a library of security and dependability solutions. Therefore, a large part of the work in SERENITY was concentrated on supporting the knowledge elicitation process by providing specification languages for the exact specification of requirements, tools for modeling and validation of solutions and finally pattern languages to be used for the description of solutions and for making them available to the SERENITY development and run-time frameworks.
  
  

  The main actor in this part of the process is the S&D Solution Developer. This term subsumes all sources for S&D knowledge, developers of S&D solutions and creators of S&D artefacts:
  
  

  • Security expert in research and development
  
  • Standardization bodies for S&D technology
  
  • Implementer for S&D building blocks/services
  
  • Experts for verification, validation, testing and certification
  
  • Experts in legal issues
  
  • others
  
  
  
  This incomplete list of possible actors in this part of the process already shows that a large variety of solutions can be covered by the SERENITY library. Further, any attempt of developing a single methodology and tool-set for all these different actors would not be feasible and probably also not useful. Consequently, within SERENITY three different relevant areas were chosen in which to develop support for S&D solution developers. Solutions are regarded on the organizational level, the level of workflows and services and the level of networks and devices.
  
  For each of these areas languages and tools have been developed within SERENITY and a collection of patterns was produced. These results represent the first step of the SERENITY knowledge elicitation process. A S&D solution developer could use these languages and tools to get a validated solutions that can then be turned into a pattern. This next step is supported by one common pattern description language and a generic properties specification language. Finally, SERENITY pattern specification tools support the actual construction of the patterns.
  
  

  In the following sections of this chapter a brief overview over the different areas is given and links point to relevant publicly available deliverables with more details.
  
  

  Organizational level: Many applications and processes rely on trust relations originating at the organizational level. Therefore, one activity in SERENITY has developed supporting languages and tools for this area: Elicitation of S&D Organizational patterns
  
  

  Workflows and processes: In particular in service-oriented systems, a variety of security and dependability solutions can directly be applied on the level of workflows and services: Elicitation of S&D workflow patterns
  
  

  Network and devices: A wide variety of S&D solutions exist for communication of devices in AmI systems and for protection of these devices: Elicitation of S&D patterns for networks and devices.
  
  

  SERENITY also provides support for the actual pattern specification. A common pattern language and tools for the editing and management of patterns have been developed.
  
  

  • Elicitation Methodology for S&D Organizational Patterns
  
  
  More details on the support for developing organizational patterns can be found in the following deliverables available from the SERENITY website:
  
  

  A1.D2.1 - Security and privacy requirements at organizational level
  
  

  A1.D4.3 - Enhanced version of the verification and customization tool
  
  

  In [1], Yoshioka et al. present a survey on security patterns. When analyzing the
  different contributions around security patterns, we notice that only few research works have addressed the elicitation and specification of S&D patterns at organizational level.
  
  
  What’s an S&D Organizational Pattern
  
  

  The first step in this direction has been proposed by Mouratidis et al. [2]. They have described four security patterns for access control and authentication in a natural language template including context, problems and forces, solution, and rationale. The patterns are described in an informal way and the solution section is accompanied by a number of graphical diagram (though without an associated formal model).
  
  

  In order to describe what is a S& D pattern at organizational level (even if we worked in pure natural language), we must first identify the key issues that needs to be captured. To this extent we branch from [2] and use the concepts of the conceptual modeling language called Secure-i*/(SI*), which unifies Tropos Goal-Risk Model [8] and Secure Tropos [7].
  
  

  A socio-technical system is seen as a set of interacting agents (organizations, humans, systems). Each of them is in charge of a set of goals that must be accomplished whatever happens in the environment. At this level, we are interested only in what is needed to achieve a goal:permissions, allocation of tasks or resources, execution dependencies and trust relations among actors.
  
  We will be more precise on the modelling concepts in the next section. Following our previous evaluations of concrete case studies [3, 4], the high-level description of organizational S&D patterns can use the “containers” of traditional security patterns with the caveat that the content greatly differs from software patterns.
  
  

  Definition 1. An organizational S&D pattern is a triplet {Context, Property, Solution}:
  
  
  – Context: defines the situation and conditions of applicability of the pattern, i.e. a
  socio-technical system;
  
  – Property: is the expression of the needs of a system in terms of S&D properties.
  
  – Solution: specifies how the requirements are achieved;
  
  

  Organizational solutions can be implemented by adding software or hardware components, by adding a a written instruction supplied by a supervisor to a PC to solve a lack of trust or by removing a permission from an untrusted actor or throughout a new assignment of responsibility among the actors involved in the organization.
  
  
  Definition 2. An organizational solution is a list of modifications applied to an initial organizational structure (the context) where the requirements are not fulfilled and that leads to a different socio-technical system where they are fulfilled.
  
  These modifications aim to revise the structure of the organization (when it is possible), the assignment of responsibilities, procedures and policies adopted by the organization itself, or support trust relations that are otherwise missing.

  At this level of abstraction, we deal with high-level properties than Confidentiality, Integrity or Reliability that can also be understood by the humans involved in the process.
  
  
  SI* patterns
  
  

  Security patterns were traditionally described in natural language [16, 11, 10]. In later works [12, 2, 17, 9]. the security patterns are still described by natural language templates structured around problem, solution, and consequences but the solution part was also described by some modeling languages (e.g. UML, Tropos, Petri Nets).
  
  The objective was to make pattern more precise and clear and easier to use for system designers since the pattern’s solution and the system to be are expressed in the same modeling framework. Still, the security requirements are not formally defined in terms of what security properties the pattern provides.
  
  

  Considering our ambitious target of actually deploying S& D patterns at runtime for the critical task of monitoring a patient and reacting in case of emergency, we needed to be more precise in terms of the assurance that a pattern delivers. To this extent SI*[8, 7] has a formal semantics which is based on either Datalog instances or satisfiability with mathematical decision procedures over the reals.
  
  These semantics can be used to formally reasons about the goals and properties delivered by a S& D pattern. The main formal concepts in SI* are: actor, goal, task, resource and dependency. We summarize these components in Figure 1 together with their graphical notation.
  
  
  [image reference is broken]

  In our work, the context and solution must be represented formally, besides natural language description. As we have argued in our definition, the formal S&D properties can now be expressed in terms of undesirable configurations of the socio-technical system that can also be easily explained using a graphical language. The security properties at organizational level are strongly related to the relation of trust and permissions.
  
  

  While this is surely an simplification of possible security relations, one should always bear in mind that (i) these are high-level socio-technical patterns and, most importantly, (ii) we expect these patterns to be discussed and validated by domain experts.
  
  

  Definition 3. A socio-technical systems provide S& D properties if: 1) each goal is provided only by trusted and authorized actors, 2) each resource is managed only by trusted and authorized actors. Such properties are detailed in Fig.2
  
  
  [image reference is broken]
  
  

  The formalization in SI* allows us to verify the fulfillment of S&D requirements formally and automatically. Indeed each agent is in charge of a set of goals to be fulfilled under any circumstance, but the current relations might be so complex that some failures can only be detected by a formal analysis.
  
  
  SI* framework fo eliciting S&D Organizational patterns
  
  

  In the traditional Software Engineering (SE) methods, analysts model system requirements (i.e., functional requirements-FR) and afterwards S&D requirements (i.e., treated as non-functional requirements-NFR) are introduced. This approach is fragile because it could be S&D requirements contradict some FRs (Example 1), are not effective (Example 2), or even FRs themselves might be the source of risks (Example 3). In this section, we use illustrative examples from the Air Traffic Management scenario (ATM).
  
  

  The ATM is the dynamic and integrated management of air traffic flow to minimize delays and congestion while guaranteeing safety and efficiency of operation in the airspace. Air Traffic Controllers (ATCOs) are in charge of issuing instructions to flight crews in order to maintain separation among aircraft. The airspace is statically organized into adjacent volumes, called sectors, and airways.
  
  Each sector has a
  predefined capacity, i.e., the maximum number of flights that can be safely managed, and is operated by a team of two ATCOs, consisting of an Executive Controller (EC) and a Planning Controller (PC), working together as a team and sharing the responsibility for safe and efficient operations within the sector. For further details on the ATM domain and on the role of the ATM Scenario into the SERENITY project
  you can refer to [19].
  
  

  Example 3.1The ATM system must provide necessary data easily for performing any Air Traffic Control (ATC) related activities. As S&D requirement, Air Traffic Controllers (ATCOs) should be authenticated each time they want to use any service provided by an ATM system (i.e., including gathering any data: flight plan, weather, runway, map, etc.).
  
  

  In practice, that S&D requirement obstructs the easiness of ATCOs in obtaining necessary data. Analysts must resolve this contradiction so that neither one of the requirements is sacrificed. For instance, analysts may apply an appropriate authentication mechanism only in critical activities of the ATM system (e.g.,
  controlling aircraft) and not in non-critical activities (e.g., gathering weather data).
  
  

  Example 3.2 Flight plans should be maintained its confidentiality, and typically a encryption techniques is chosen to achieve this requirement.
  
  

  Unfortunately, this security requirement will not be effective because each flight plan is printed in a flight strip for the easiness of ATCOs in controlling aircraft. Therefore, analysts should elicit other requirements to maintain the confidentiality of flight plans while they have been printed.
  
  

  Example 3.3 The ATM system is required to be connected with Internet to provide arrival and departure time in the real time. This requirement is too risky because the system might be severe from hacker attacks.
  
  

  In this example, a functional requirement becomes a source of vulnerability that may compromise the security and dependability of the system.
  
  
  [image reference is broken]
  
  

  Initially, analysts, together with domain-experts, build Si* model following the steps summarized in Table 1. The modeling starts by identifying stakeholders and categorize them into three notions: role, agent, and group. Afterwards, strategic interests of each stakeholder/actor are identified and followed by interdependency among them. In Si*, there are two types of dependencies: an actor (delegater) may
  delegate to another actor (delegatee) to fulfill a goal and a delegater may delegate/give a permission to the delegatee to use a goal.
  
  Note that, the delegatee not necessarily has full capability to fulfill the goal (delegatum), because it could be the case the delegatee does a further delegation. By delegating the fulfillment of a goal, the delegater becomes vulnerable. The delegater can be failed because the delegatee fails to fulfill the delegatum. It is also the case for giving permission to another agent, the delegater takes a risk because the other agent could misuse the resource that has been granted to him. Indeed, the dependability of a system does not only depend on the reliability of a machine, but also depends on the interdependency among agents in the system.
  
  

  Afterwards, analysts identify trust relations among stakeholders. Si* allows us to have a delegation/a permission to untrusted agents. When an agent (source) grants permission to another agent (target), it does not imply that the source agent trusts the target one. Sometimes, the source should grant permission/delegates a goal fulfillment to the one which is un-trusted or distrusted. This situation emerges when an agent must delegate the fulfillment of a goal or give permission in which it does not have any power to choose another agent (e.g., has been defined by the regulator) or it does not have any other option (e.g., no trusted target agents).
  
  

  The above constructs allow designers to capture the requirements model of organizations together with their IT systems. In the graphical representation of this model, objectives, entitlements, and capabilities are represented using request (R), ownership (O), and provide (P) relations, respectively. Permission delegations are represented with edges labeled by (Dp) and execution dependency with edges labeled by (De).
  
  Role, agents and groups are represented by different types of circles, while goals are in oval, tasks in diamond and resources in rectangles.
  Example 4 In case of lack of resources to manage airspace, Robert (supervisor of sectors 1-A, 2-A, and 3-A) may delegate a part of his airspace to other supervisors (Mary). This delegation does not imply that Robert trusts Mary in managing the delegate airspace, but because of the lack of resources.
  
  

  In the ATM scenario, Workers/agents have to cope with complex activities where tight coordination among them are crucial. In particular, where the failure of one subgoal has a bad impact to the satisfaction of another subgoal and compromises the correct functioning of the whole activity.
  
  

  Example 5 Paula and Luke are part of Sector SU-Team which is responsible to achieve “managing aircraft in Sector SU”, and each of the team members is in charge to achieve part of the aircraft management tasks (subgoals). The Si* model associated to this organizational structure is presented in Figure 3.
  
  
  [image reference is broken]
  
  

  References
  
  

  1. Yoshioka, N., Washizaki, H., Maruyama, K.: A survey on security patterns. Progress in Informatics (5) (2008) 35–47 Special issue: The future of software engineering for security and privacy.
  
  

  2. Mouratidis, H., Weiss, M., Giorgini, P.: Security patterns meet agent oriented software engineering: a complementary solution for developing security information systems. In: Proc. of ER’05. (2005)
  
  

  3. Asnar, Y., Bonato, R., Giorgini, P., Massacci, F., Meduri, V., Riccucci, C., , Saidane, A.:
  Secure and dependable patterns in organizations: An empirical approach. (2007)
  
  

  4. Compagna, L., Khoury, P.E., Massacci, F., Thomas, R., Zannone, N.: How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach. In: Proc. of ICAIL ’07. (2007)
  
  

  5. Emery, F., Trist, E.: Socio-technical systems. Management Science, Models and Techniques 2 (1960) 83–97
  
  

  6. Garlan, D., Cheng, S.W., Huang, A.C., Schmerl, B., Steenkiste, P.: Rainbow: architecture-based self-adaptation with reusable infrastructure. Computer 37(10) (Oct. 2004) 46–54
  
  

  7. Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Requirements engineering for trust management: Model, methodology, and reasoning. IJIS 5(4) (2006) 257–274
  
  

  8. Asnar, Y., Giorgini, P., Massacci, F., Zannone, N.: From trust to dependability through risk analysis. (2007)
  
  

  9. Cheng, B.H., Konrad, S., Campbell, L.A., Wassermann, R.: Using security patterns to model and analyze security requirements. In: Proc. of RHAS’03. (2003)
  
  

  10. Yoder, J., Barcalow, J.: Architectural Patterns for Enabling Application Security. In: Proc. of PLoP’97. (1997)
  
  

  11. Schumacher, M., Roedig, U.: Security Engineering with Patterns. (2001)
  
  

  12. Fernandez, E., Pan, R.: A Pattern Language for Security Models. In: Proc. of PLoP’01. (2001)
  
  

  13. Wimmel, G., Wisspeintner, A.: Extended description techniques for security engineering. In: Proc. of Sec’01, Kluwer Academic Publishers (2001) 469–485
  
  

  14. Delessy, N.A., Fernandez, E.B.: A pattern-driven security process for soa applications. In: Proc. of SAC ’08, ACM (2008) 2226–2227
  
  

  15. Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley (1994)
  
  

  16. Schumacher, M.: Security Engineering with Patterns: Origins, Theoretical Models and New Applications. (2003)
  
  

  17. Yu, Y., Kaiya, H., Washizaki, H., Xiong, Y., Hu, Z., Yoshioka, N.: Enforcing a security
  pattern in stakeholder goal models. In: Proc. of QoP ’08, ACM (2008) 9–14
  
  

  18. Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography,. CRC Press (1997)
  
  

  19. S. Campadello, L. Compagna, D. Gidoin, P. Giorgini, S. Holtmanns, J. Latanicki, V. Meduri, J.-C. Pazzaglia, M. Seguran, R. Thomas, and N. Zannone. S&D Requirements Specification. Research report A7.D2.1, SERENITY consortium, July 2006. EU-IST-IP 6th Framework Programme - SERENITY 27587.
  
  

  • S&D Knowledge Elicitation for Workflows
  
  
  Th elicitation of security and dependability solutions for workflows and services is supported in SERENITY by a language for the formal and exact specification of S&D requirements for the systems described by workflow specifications and for single services. Furthermore, a security analysis tool (WoSaT) supports the interactive analysis of security solutions on this level.
  Detailed information and examples for the language can be found in
  
  
  A2.D2.3 - Enhanced Specification Language For Workflow S&D Requirements/Properties
  
  
  The WoSaT is described in the report for the final prototype of the tool:
  
  
  A2.D3.4 - Final version of workflow security analysis and verification tool
  
  

  • S&D Knowledge Elicitation for Networks and Devices
  
  
  Scope of SERENITY network and devices patterns
  
  

  The picture above shows some examples of possible S&D solutions for networks and devices. Many more are possible. Only a subset of these possible solutions was covered in SERENITY and patterns have been constructed for this subset. Rather than providing a very large (or complete) set of S&D pattern, one focus of SERENITY was on developing a S&D requirements specification language for networks and devices that provides the means for formally exact specifications of requirements for most of these solutions.
  
  In addition, methods and tools for the validation and verification of S&D solution in the context of AmI scenarios have been developed. Those scenarios are characterized by resource-restricted devices and highly dynamic context changes.
  
  

  The details of the formal S&D requirements specification language together with some examples can be found in deliverable
  
  A3.D2.2 - S&D Requirements for Networks and Devices.
  
  

  Tool support for the analysis of S&D solution first was concentrated on formal models with dynamic context changes and with support for the logical separation of applications and S&D patterns. For the final version of the project, external software and hardware entities where included into the computation of the behaviour of the model.
  
  Thus, the model based analysis can also provide some results on the cjaracteristics of particular devices. This approach was examplarily shown for the trusted platform module (TPM).
  Two different tutorials are provided in the reports for the enhanced and the final prototype of the tools:
  
  

  Network and devices security analysis and verification tools:
  
  A3.D3.2 (tutorial on dynamic AmI scenarios and patterns) and A3.D3.3 (tutorial on the analysis of TPM based solutions).
  
  

  • SERENITY Languages for Pattern Specification
  
  
  A large variety of patterns was developed in SERENITY spanning from organisational over workflow patterns to low-level patterns for communication and devices. In spite of the big differences between the patterns, on common pattern specification language was developed in SERENITY. The XML structures, explanations for the different parameters and fields and examples for the use of the language can be foun in deliverable
  
  A5.D2.5 - Patterns and Integration Schemes Languages (Final Version).
  
  

  In addition to this eneric pattern language, SERENITY also proposes an approach for a unified formal characterisation of S&D properties and property reasoning mechanisms to support the comparision between different specifications for related properties:
  
  A5.D3.2 - Security Properties Specification Language (final version)
  
  and Property Reasoning Mechanisms.
  
  

• Design-Time Exploitation
  • Introduction
  
  
  In this stage, system designers exploit the S&D Knowledge captured in terms of S&D Patterns for designing and developing systems and components. Essentially, there are two different kinds of designer:
  
  
  - S&D components designers that aim at designing (and implementing) reusable hardware and software for providing security-dependable related services (e.g., encryption libraries, SSL libraries, TPM platforms, etc.)
  
  
  - S&D systems designers that aim at designing (and realising) systems for domain specific business goals and weaving known S&D solutions into the fabric of the system. The ultimate goal of these systems is to provide business related services to customers securely and dependably.
  
  

  In this chapter we will revise the support provided by SERENITY for each of these cases. The main element supporting the SERENITY design time services is the SERENITY Development-time Framework, which acts as a repository of proven S&D solutions that the system designers can use to discover the solutions they need in order to fulfil their S&D requirements.
  
  

  One important aspect to highlight is that this stage bridges the gap between requirements and solutions. In fact, the input to the queries sent to the SDF is based on the concept of S&D Property, which is directly related to S&D Requirements. Recall from chapter …. that we defined S&D Requirement ….
  
  

  The SDF takes the S&D Property required by the system developers (along with any other additional information provided) and returns a set of S&D Artefacts that can fulfil that S&D Property (either directly, or because they fulfil another S&D Property that implies the one required).
  
  System developers then fix the level of flexibility they want to allow at runtime, depending on the selected artefact. In some cases it is even possible that the developers decide to hardcode the solution into their application. Although this looses some of the SERENITY capabilities (dynamic selection and replacement), this process stillprovides advantages over traditional engineering processes.
  
  

  • SDF
  
  
  The SDF provides a framework that allows programmers to build secure and dependable applications to use in AmI ecosystems. It provides programmers the flexibility to state their S&D requirements and define generic S&DSolutions instead of explicitly hard-coding security into the applications.
  
  This allows the applications to define the precise artifacts they are going to use during run-time, according to their context at the time of execution. Prior to giving a complete description of the development process proposed and the capabilities the SDF provides, it is worth providing a description of the scenario which we are attempting to address, that of a programmer. This scenario has the following features:
  
  
  ⎯ The programmer is developing an AmI application, this arises the first challenge.
  
  
  ⎯ The programmer is not a security expert, for instance, he does not know anything about securing a communication.
  
  
  ⎯ There are well-known S&DSolutions libraries on-line. They are maintained by security software development companies.
  
  
  The development process of secure applications, following the proposed approach, includes the following steps (the overall process is depicted in the UML activity diagram presented in Figure 3 - “Development Business Process Model”. Firstly, the developer has to design his application by following a normal development process.
  
  During this phase, the development team must identify all S&D requirements of the application. For each security requirement identified the developer must analyse which S&DProperties must be fulfilled. Once, the developer has decided all S&D Properties, he is able to choose between two models:
  
  
  ⎯ Case A: The developer may absolutely rely on the SERENITY Runtime Framework (SRF). Doing this, the SRF can apply the most suitable S&DPattern in each situation. The application can provide the SRF with the name of an S&DClass, S&DPattern or S&DImplementation. At run-time, the SRF is able to choose amongst all S&DPatterns that are required by the application. If at run-time there is no applicable S&DPattern found, the application will be informed.
  
  
  ⎯ Case B: The developer could limit the range of applicable S&DPatterns for a particular S&D requirement. In order to do this, the developer can fix at development time an S&DPattern with a S&D requirement. In this scenario, developers have at their disposal development time S&DLibraries where they can perform S&DSolutions searches. In this case, the developer makes use of an IDE or a specific tool. These tools are able to look for S&DSolutions (at all levels of abstraction) by matching them with the user’s desired S&D Properties. The inquiry for S&DSolutions matching a particular set of S&D Properties can result in either a successful query or a negative one.
  
  
  • If successful, the development S&DLibrary will return several S&DPatterns that the programmer can apply in order to fulfil the S&D requirement. The search process is iterative in the sense that given a set of S&D Properties, the S&DLibrary returns S&DClasses, given a set of S&DClasses the S&DLibrary returns S&DPatterns (or IntegrationSchemes) and given a set of S&DPatterns the S&DLibrary returns S&DImplementations.
  
  Depending on the abstraction level of the S&DSolution applied, the SRF can choose amongst different S&DSolutions at lower abstraction levels rather than restricting only to the selected S&DSolution. By doing this, when the developer matches a requirement with an S&DClass, which is at the highest abstraction level, the SRF is able to choose (taking into consideration only the context) amongst all available S&DPatterns that belongs to the S&DClass selected. The same is applicable to S&DPatterns and S&DImplementation, since each S&DPattern can have several S&DImplementations.
  
  
  • If an S&DPattern providing the desirable S&D Property (or S&D Properties) does not exist, a new S&DPattern can be developed. The S&DPattern development process can be found at Figure 4 –“New Pattern Business Process Model”. As a result of this development process a new S&DPattern is produced and added to the SDF S&D Library.
  
  
  ⎯ Finally, once the ambient intelligence application is almost finished, the last step is to deploy it. In order to do a correct deployment, the application must be installed in a device with a SRF. Firstly, the developer has to install the application and then update the SRF with the S&DPatterns selected during the development time. The SRF, as shown in Section 5. “Serenity Runtime Framework (SRF)”, counts on a small S&DPatterns library, called SRF S&D Library.
  
  
  This S&D Library has three main features:
  
  
  1. What and how to store. This library is able to store different kinds of items (S&DClasses, S&DPatterns, IntegrationSchemes and S&DImplementations) along with their relations. While these elements differ and need to be stored separately, their relations need to be maintained. From this point of view, these elements can be stored as trees where the same level solutions represent the same level of abstraction.
  
  The resulting trees are very complex, mainly because:
  
  
  • Each S&DPattern may belong to several S&DClasses, transforming our tree into a graph.
  
  
  • While IntegrationSchemes are at the same level with S&DPatterns, they combine several items of this level. This also results into a graph.
  
  
  2. How to search. Usually, developers will ask for different things, sometimes requesting S&DPatterns while other times searching for S&DClasses or S&DImplementations. Because of this the interface language needs to be rich enough to capture all kinds of searches.
  
  
  3. Where to search. Probably, SDF S&D Libraries will be available to developers via the Internet (or intranet). But, taking into consideration that S&DSolutions are one of the most sensible part of an application, security mechanisms have to be applied.
  Since each S&DSolution provides one or more S&D Properties, the programmer can use these desired S&D Properties to acquire the appropriate S&DSolutions. To achieve this, the SDF S&D Library includes a logical engine that performs S&D Properties reasoning.
  
  
  Access to the S&D Library is provided through two means, either using our developed application or through Web Service APIs. The first one allows security engineers to perform either textual search for specific artifacts and S&D requirements or visually browse through the existing repository, as shown in Figure 1 “Application developed to access to the S&D Library”. The Web Service APIs allow software agents, and software components in general, to have access to the development-time S&D Library during development-time.
  
  

  
  

  Figure 1 – Application developed to access to the S&D Library

  
  
  2.1.2. Activity Diagrams
  
  

  The following activity diagrams show the development and new pattern business processes explained in section 2.1.2.1.
  
  
  2.1.2.1. Development Business Process Model
  
  
  
  

  Figure 2 – Development Business Process Model

  
  
  2.1.2.2. New Pattern Business Process Model
  
  
  
  

  Figure 3 – New Pattern Business Process Model

  
  
  2.2- S&D Library
  
  

  One of the major contributions of the SERENITY project is the design time S&D library. The S&D patterns are defined, created and validated by S&D experts and this knowledge is made available to system designers through the SDF.
  
  
  2.3- Examples : S&D Patterns
  
  
  2.3.1- Organizational Patterns
  
  

  At the organizational level, the system is seen as a set of interacting agents (organizations/humans/Software-Hardware components). Each of them is in charge of a set of goals that must be accomplished whatever happens in the system and its environment.
  
  

  Patterns are defined in general terms as they should be applicable in different application domains. The organizational S&D patterns in the SERENITY pattern library are elicited using SI* [1], a modeling language for designing secure socio-technical systems and described using the SERENITY Patterns language.
  
  

  At this level, we are interested only in what is needed to achieve a goal: resources, actors, tasks, and subgoals (tasks allocation and resource allocation in order to achieve a goal) with the needed permissions, delegations or trust relations. We do not detail the process to achieve this goal, because these details are addressed at workflows or communication levels. An organizational solution corresponds to a list of modifications applied to an initial organizational structure where the requirements are not fulfilled and that leads to a different organizational structure where they are fulfilled.
  
  These modifications aim to revise the structure of the organization (when it is possible) or the procedures and policies adopted by the organization itself. Organizational solutions can be various and can be implemented by adding software or hardware components, for example by adding a document signed by two actors to solve a lack of trust or again throughout a new distribution of efforts among the actors involved in the organizational.
  
  

  In this section, we present few examples of organizational patterns, more detailed example can be find in the deliverable A1.D3.3 (www.serenity-project.org).
  
  

  Example: Proof of fulfillment for non repudiation
  
  

  To accomplish its daily tasks an organization exploits its social infrastructure by decomposing each task into sub-tasks that are then distributed/delegated among groups of actors having pre-de ned relations. For those tasks and sub-tasks considered critical for the organization, a simple statement of delegation is not su cient to release the responsibility of the task from one actor to another. In such cases, the employer might want a non-repudiable acknowledgment from the executor to have proof that the latter has explicitly taken the responsibility of executing the task.
  
  

  • Context. The Employer requests the achievement of a commitment and delegates its execution to the Executor, but the former has no warranties that the latter takes the responsibility of achieving the commitment. An SI* diagram representing the context is presented in Figure 1(a).
  
  

  • S&D requirements: In order to build the missing Trust between the Delegator and the delegatee, the Delegator shall have evidence (resource Proof of Commitment) that the Executor cannot repudiate his commitment. The ultimate objective of the pattern is to build a trust relation between the Delegator and the Executor for the achievement of the commitments. In Datalog:
  
  

  • fail non repudiation(A,B,S) :- del exec(A,B,S), not entrust exec(A,B,S)
  
  

  • Trust is established by providing the proof of fulfillment:
  
  entrust exec(A,B,S) :- provide proof of fulfillment(A,B,S,TP)
  
  provide proof of fulfillment(A,B,S,TP) :- provides(B,PoF), proof of fulfillment(PoF,S),
  
  entrust exec(TP,B,PoF), entrust exec(A,TP,PoF)
  
  

  • Solution. The Employer re nes the commitment into two sub parts. The rst part is used to check the evidence about responsibilities taken by the Executor and the second represents the actual desire of ful lling the commitment. To achieve the commitment, the Employer delegates the execution of the commitment to the Executor together with a request for a proof of commitment. Once received, this proof ensures the Employer that the Executor has taken the responsibility of the commitment. This establishes a trust relationship between them. In case the Executor fails to achieve the commitment, the Employer can rely on the proof of commitment. A SI* diagram of the solution is presented in Figure 1(b). For the sake of simplicity, we have assumed a trust relation (Te) between the Employer and the Executor for the proof of commitment. Actually, this relation \hides” the mechanism used to justify its presence in the model.
  
  

  • Consequences. The proof of commitment is very important; especially if the Executor does something wrong in the execution of the commitment, since it is the only means by which the Employer can discharge itself from any liability.
  
  

  SI* Models for Non repudiation pattern
  
  

  This pattern needs to be expressed into the SERENITY patterns language in order to be accessible and exploitable using the SDF. The A1 Static analysis tool presented in the next section facilitates the translation from SI* to the SERENITY Patterns Description Language.
  
  

  This is the description of Non Repudiation Pattern in the SERENITY Pattern Language
  
  
  S&D Pattern: NonRepudiation.teamworks.serenity-project.org
  
  
  1 Creator
  
  Name SERENITY.UNITN
  
  Date Timestamp 2007-12-22
  
  
  2 Timestamp …
  
  
  3 TrustMechanisms …signature…
  
  
  4 PatternFeatures
  
  Feature Ensures non-repudiation of the fulfilment of a service
  
  
  5 Provided Properties
  
  Property
  
  ID non_repudiation.serenity.unitn
  
  Timestamp …
  
  
  6 Interface
  
  Operations
  
  

  Operation add_resource
  
  Definition:
  
  define function add_resource
  
  Input label:label: in String, owner:in actor,
  
  providers:in list_actors, requesters:in list_actors
  
  #add new resource
  
  Enddefine
  
  

  Operation del_exec
  
  Definition:
  
  define function del_exec
  
  Input A:actor,B:actor,X:goal/resource/task
  
  #A delegates the execution of X to B
  
  Enddefine
  
  

  Operation delete_del_exec
  
  Definition:
  
  define function delete_del_exec
  
  Input delegatee:in actor,
  delegator: in actor, delegated:goal/resource/task
  
  #delete delegation of execution relation
  
  Enddefine
  
  

  Operation decompose
  
  Definition:
  
  define function decompose
  
  Input X:goal/resource/task,
  X1: goal/resource/task in list_goals
  
  #decompose a goal/task/or resource
  
  Enddefine
  
  

  Operation means_end
  
  Definition:
  
  define function means_end
  
  Input Means:goal/resource/task, End: goal/resource/task
  
  #define means_end relation
  
  Enddefine
  
  

  Operation establish_trust_exec
  
  Definition:
  
  define function establish_trust_exec
  
  Input A:actor,B:actor,X:goal/resource/task
  
  #establish or ensures trust of execution relation between A and B for X
  
  Enddefine
  
  
  7 ClassAdaptors
  
  Class non_repudiation.serenity.unitn
  
  Adaptor
  
  

  define function ProvideProofOfFulfilment
  
  input Benefiter, Executor: role, Fulfilment,
  
  CheckEvidenceOfFulfilment, FulfilmentOfCommittment: goal
  
  output ProofOfFulfilment: resource
  
  #step 1: request proof of fulfilment
  
  add_resource(”Proof of fulfilment”, Executor, {Executor}, {Benefiter})
  
  del_exec(Benefiter,Executor, ProofOfFulfilment)
  
  #step 2: re-establish fulfilment dependencies
  
  decompose(Fulfilment, CheckEvidenceOfFulfilment, FulfilmentOfCommittment)
  
  establish_trust_exec(Benefiter,Executor, ProofOfFulfilment)
  
  establish_trust_exec(Benefiter,Executor, FulfilmentOfCommittment)
  
  means_end(ProofOfFulfilment, CheckEvidenceOfFulfilment)
  
  delete_del_exec (Benefiter,Executor, Fulfilment)
  
  del_exec (Benefiter,Executor, ProofOfFulfilment)
  
  del_exec(Benefiter,Executor, FulfilmentOfCommittment)
  
  Enddefine
  
  
  8 Parts
  
  Part
  
  
  9 Parameters
  
  Parameter Role Benefiter
  
  Parameter Role Executor
  
  Parameter Goal Fulfilment
  
  Parameter Goal CheckEvidenceOfFulfilment
  
  Parameter Goal FulfilmentOfCommittment
  
  Parameter Resource ProofOfFulfilment
  
  
  10 Pre-Conditions
  
  Parameters-pre-conditions
  
  Benefiter requests Fulfilment
  
  Benefiter delegates to Executor the execution of Fulfilment
  
  Solution pre-conditions
  
  
  11 Static Tests Performed
  
  Test Datalog
  
  Conditions of test
  
  Attack models considered
  
  
  12 System Configuration
  
  
  13 Monitoring
  
  Monitor
  
  Type
  
  Monitoring Formulae
  
  Event:
  
  Action:
  
  Event:
  
  Action:
  
  Event:
  
  Action:
  
  
  14 Comments
  
  This pattern is meant to increase the reliability of an organization by ensuring the fulfilment of services by its actors.
  
  

  2.3.2- Legal Patterns
  
  

  Legal patterns constitute a specific type of an organizational pattern. Their aim is to provide solutions for legal problems related to organizational structures of systems, provision of services, delegation of tasks, etc. These legal problems are represented either by a lack of compliance with legal requirements, or by a lack of legal certainty. Legal patterns then solve either type of the problems and, therefore, provide the property of compliance with law or the property of legal certainty.
  
  

  Compliance with law, or, more precisely, compliance with legal requirements, can be simply described as obeying rules set down in law. In the legal theory, compliance with relevant rules is identified as the primary obligation. Violation of this obligation is then prevented by setting down secondary obligations that are characteristic with imposing sanctions (a secondary obligation is usually called liability). As SERENITY is a European project, it has been decided that provided solutions will respect European legislation, i.e. the common legal denominator of EC Member states. Consequently, the SERENITY legal patterns are mainly based on the relevant European directives.
  
  These are:
  
  
  - Data Protection Directive (DPD) : this directive provides technologically neutral general rules on protection of personal data, i.e. “any information relating to an identified or identifiable natural person” (Art. 2(a) DPD). The directive defines legitimate grounds and basic principles for processing of the personal data and sets down, among others, rights of data subjects.
  
  
  - Directive on Privacy and Electronic Communications (DPEC) : this directive complements the DPD with specific rules for processing personal data in the sphere of electronic communications, namely the directive applies “to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the European Community” (Art. 3 par. 1 DPEC).
  
  
  - Data Retention Directive (DRD) : this directive introduces the obligation of providers of publicly available electronic communications services and/or public communications networks to retain and store special categories of data relating to special services.
  
  

  Legal certainty is a wide legal concept that can be defined for example as the certainty about subjects’ rights and obligations that are set down in different sources of law, such as laws, contracts, or other legal documents. Legal certainty, however, also relates to the guarantee of legitimate enforcement of rights and obligations. Some of the SERENITY legal patterns help to ensure legal certainty by providing a solution which constitutes a system of evidence and, therefore, contributes to clarity of legal relations.
  
  

  The life-cycle of legal patterns starts with their elicitation. Legal specialists analyze relevant legislation and identify requirements that can be formalized in one pattern. Initially, the legal pattern is written in a natural language. Later, the pattern is formalized by a software engineer who creates the equivalent Tropos model. This model is validated through discussion of both the software engineer and the legal expert about the correspondence of the model to the legislation. Finally, the validated pattern is coded and can be applied. What concerns their implementation, legal patterns may, for example, display guidelines for an operator or add some instrument (for instance, a model contract) that is then implemented by the respective legal pattern.
  
  

  The structure of a legal pattern contains description of the Context, identification of the Problem and the Property to be provided, the Solution, and the Monitoring Rules. The Context defines, among others, goals, actors, and resources. The Problem is identified either as a necessity to achieve legal compliance, or to provide legal certainty (Property). The Solution then describes identified legal requirements, or ways how to achieve legal certainty. The Monitoring Rules then constitute a list of items that must be continually checked while applying the pattern so the property is provided at all times.
  
  

  Example: Restricting Access to the Personal Data of the Data Subject for Ensuring Need-to-Know
  
  

  This pattern ensures that processing of personal data will be compliant with the Data Protection Directive.
  
  

  Context.
  
  Actors Data subject, data controller, data processor.
  
  Goals Delegation of processing of the personal data to the data processor by the data controller
  
  Resource Data subject’s consent to the data controller to process his personal data.
  
  

  Problem. Data Protection Directive requires that data must not be excessive in relation to the purposes for which they are processed.
  
  

  Property. Compliance with law.
  
  

  Solution. Only the part of the personal data which is necessary for fulfillment of the purpose of delegation is made accessible to the data processor.
  
  

  • Design Time Exploitation and Supporting Tools
  
  
  The Si* tool (http://sesa.dit.unitn.it/sistar_tool/) is a plugin for the Eclipse platform that provides specific functionalities as Tropos diagram drawing, ASP analysis, Goal Risk Analysis, etc. In order to perform formal analysis, the Si* Tool supports the automatic transformation of graphical models into formal specifications. Currently only the Answer Set Programming (ASP) for security verification is supported. This transformation is automatically performed by the ASP Translator module.
  
  This module is responsible for the translation of graphical models into the corresponding formal specifications and the translation into graphical signs of the formal analysis results. The formal analysis performed using the ASP paradigm aims at verifying the compliance of system requirements with properties such as Availability, Authorization, etc.
  
  

  The SI* static analysis tool proposes thne following features:
  
  
  - Creating Tropos/Secure Tropos diagrams: the system and the patterns are both modeled using SI*
  (link to video)
  
  
  - Planning component: As it is apparent from the previous section, in Tropos/Secure Tropos, system requirements are conceived as networks of delegations among actors. The task of constructing such networks can be framed as a planning problem: selecting a suitable system design corresponds to selecting a plan that satisfies the goals of organizational and software actors. In S&D tool, we implement this idea by using AI planning algorithms to facilitate the requirements models construction.
  (Link to video)
  
  
  - ASP Analysis: In order to perform formal analysis, the Serenity Tool supports the automatic transformation of graphical models into formal specifications. Currently only the Answer Set Programming (ASP) for security verification is supported. This transformation is automatically performed by the ASP Translator module.
  
  This module is responsible for the translation of graphical models into the corresponding formal specifications and the translation into graphical signs of the formal analysis results. The formal analysis performed using the ASP paradigm aims at verifying the compliance of system requirements with properties such as Availability, Authorization, etc.
  (link to video)
  
  
  - Risk Analysis: The Goal Risk framework is developed to reason about risk in the requirement model, namely Tropos model. Conceptually, the framework consists of three layers: strategic, event, and treatment layer. The strategic layer models the interest of stakeholders; the event layer depicts uncertain events that affect the strategic layer; in case the risk is unacceptable then any countermeasure should be introduced in the treatment layer.
  (Link to video)
  
  
  - Patterns’ management: The tool offers 3 functionalities for : 1) generation the XML based SERENITY Patterns Description language, (link to video) 2) creating a pattern in terms of an object including Tropos models for context and solution, ASP specification of the provided properties and XML schema to be in cluded in the SDF library (link to video) and 3)application of the pattern to the system to be (link to video)
  
  

  • Development Time Support
  
  
  1. Languages for implementation of S&D Solutions
  
  

  This section presents the end-user language supporting the implementation of Executable Components (EC). EC are the realization of the S&D Solutions code level. The SRF instantiates ECs when it receives requests coming from SERENITY-aware applications.
  
  
  
  

  Figure 1 - Component diagram showing EC and SERENITY-aware applications interfaces

  
  

  The development of ECs requires the implementation of several interfaces. As presented in Figure 1 involves the implementation of several interfaces. First, the “ECcontrol” interface, this interface is used by the SRF in order to control the execution of the EC. Second, the “ECmonitoring” interface.
  
  This interface is used by the EC for sending events to the SRF. The SRF forwards events received to the corresponding Monitoring Services. Finally, ECs have to implement the “ECaccessPoint” interface. SERENITY-aware applications use this interface in order to access to the ECs functionalities. The implementation of all these interfaces requires technical knowledge about SERENITY, particularly, about the SRF interfaces.
  
  
  Additionally, EC programmers have to implement “Event Capturers”. Events capturers are parts of the EC in charge of creating and sending events to the SRF.
  
  
  In order to assist the programmers, this section presents an infrastructure that allows the development of the EC in an easy way. This section is divided in three parts: section 1.1 presents the infrastructure from a point of view independent of the platform, in this way we propose the concepts that on the basis of the implementation of the infrastructure in any platform. Section 1.2 presents a Java implementation of this infrastructure and finally, in section 1.3, we present an example. The example presents the implementation of an EC using the Java implementation of the proposed infrastructure.
  
  
  1.1. API library for development of S&D Solutions
  
  

  Figure 2 presents the infrastructure of the library supporting the executable component development. The most important components are:
  
  
  ⎯ The class SerenityExecutableComponent_AP provides an interface (“ECaccessPoint”) to offer the executable component functionalities to Serenity-aware applications. Applications use this interface to access the security services provided by ECs. In order to do that, applications perform calls to S&D Class/Patterns, interface as they are described in the S&D Class/Pattern descriptions. These calls are translated into calls at the level of EC.
  
  
  ⎯ The ECcontrol interface communicates the SRF to the EC. The SRF uses this bidirectional interface to control the execution of the EC. The SRF can halt, restart, pause or resume the execution of ECs. Besides, ECs use it in order to send information about their execution to the SRF. This interface is available as long as the EC is in execution because it is used to interchange information with the SRF.
  
  
  ⎯ The EventSenderWS and EventSenderSocket. These components perform the same action but using different methods, they send events. The EventSenderWS uses web services technology and the EventSenderSocket uses TCP/IP sockets. These two classes provide the client side of the EventReceiver interface offered by the SRF. This component is used by ECs to send events to the SRF.
  
  
  ⎯ There are two ways of develop events capturers using the proposed API, they are based on the extension of the EventCapturerWS and the EventCapturerSocket classes. As the aforementioned EventSenderWS and EventSenderSocket classes, these components use web services or sockets to implement event submission components. These two components encapsulate event collection related functionalities. The EventCapturerWS component is supported by the aforementioned EventSenderWS component. On the contrary, the EventCapturerSocket component is supported by the EventSenderSocket component.
  
  An EC may have one or more EventCaptures. Developers implement them as EventCapturerSocket or EventCapturerWS. ECs can send events directly to the SRF using the EventSenderWS or EventSenderSocket classes. But, the purpose of event capturers (web services version or socket version) is the submission of events in parallel to the execution of EC. The existence of a specific class to represent event capturers is justified by the importance and specificity of the monitoring activity in the SERENITY model. Besides, sometimes there is the necessity of separate the event submission process from the normal logic of the EC.
  
  
  ⎯ The SRNTEvent package completes the library by providing event management functionalities. The events provided by this package are SERENITY compliance, so the SRF and the monitoring services can deal with them.
  
  
  
  

  Figure 2 - Infrastructure supporting the EC development

  
  
  1.2. Java implementation of the API supporting S&D Solution implementation
  
  

  This section presents a Java implementation of the aforementioned library. At the end of the Section it is presented an example of how to implement an EC using this Java API.
  
  
  This implementation is provided by means of two Java packages. One of the packages implements the events management’s functionalities, while the second one contains the classes to build ECs. Figure 3 presents these packages and their relation.
  
  
  
  

  Figure 3 - Java packages implementing the EC infrastructure

  
  

  Figure 4 presents the detailed structure of the above mentioned packages. On the one hand, the package “serenity.Event” includes classes for managing the events lifecycle. On the other hand, the package “serenity.executablecomponentlibrary” includes classes for developing EC. These packages implements the infrastructure presented in the previous subsection.
  
  
  
  

  Figure 4 - Java Packages containing classes for EC development.

  
  

  Figure 5 presents a class diagram showing the classes included in the “serenity.executablecomponentlibrary” package. As aforementioned, there is a class for every component of the infrastructure. The SerenityExecutableComponent_AP is the most important class of the package. Programmers extend this class in order to develop an EC. As shown in the Figure 5, objects of this class may be associated to one or more event capturer objects.
  
  There are two ways for develop event capturers: the EventCapturerSocket class or EventCapturerWS class. Both classes are used to send events to the SRF. Additionally, ECs may send events directly to the SRF without using events capturers, in order to do that the methods “sendEventBySocket” and “sendEventByWS” are accessible from the SerenityExecutableComponent_AP class.
  
  The two classes implementing event capturers has the same structure and methods. In this manner the development of event capturers is friendlier. The most important method of the SerenityExecutableComponent_AP class is the “executeEC” one. This method has to be redefined to implement the specific functionalities that the EC under development. This method is supported by methods “openInterface”, “receiveCall”, and “closeInterface”.
  
  These three methods let programmers to open and close the interface offered to applications. Besides, these methods are used to receive operation calls coming from applications. The method “receiveCall” has to be redefined in order to implement the interface described in the corresponding S&D Pattern. Generally, the “receiveCall” method works as a translator between S&D Pattern interface operation calls and EC methods.
  
  
  The SRF_EC_AccessPoint class is a thread encapsulating the communication between the EC and the SRF. For the case of our implementation this communication is implemented by means of TCP/IP sockets. Of course, for other environments this can change.
  The EventCapturerWS and EventCapturerSocket classes implement most of the functionalities needed to perform the tedious event reporting tasks.
  
  As aforementioned, the difference between these classes are that the EventCapturerWS uses web services for the communication to the SRF and the EventCapturerSocket uses sockets. Programmers have to extend these classes in order to create their events capturers. For every event capturer extending the one of these classes the programmer redefines the method “execute” in order to realize the event capturer logic. The execution of event capturers is parallel to the execution of the EC; there is a thread for every event capturer.
  
  
  
  

  Figure 5 - Classes included in the Serenity.executable component package.

  
  

  Figure 6 shows the classes included in the package “serenity.Event”. Every class has both “set” and “get” methods allowing the access to attributes. There is an attribute per event field. A complete description of the event fields can be found in [1]. Events are created by instantiations of the SRNTEvent class. The constructors of the SRNTEvent accept as parameters references to XML files with XML serialization of events, and strings representing events in XML format.
  
  By doing this, programmers can maintain the general structure of their events in a file, and prior to its submission to the SRF they can change the fields according to the data they want to send. The information stored in the SRNTEvent class can be translated to string type (as strings in XML format) by using the method “toString”. The events XML of the events are validated using the XML schema definition file “Event.xsl”, the library does this validation internally.
  
  
  
  

  Figure 6 - Classes in the serenity.Events package

  
  
  1.3. Example of a Java S&D Solution (an executable component)
  
  

  This section presents an example intended to provide the necessary background for programmers to develop a SERENITY EC. For this purpose, we use the Java package presented in the previous subsection. The EC we provide as example is a Java implementation of the encryption method DES. It provides encrypt and decrypt functionalities. As aforementioned, in order to create the EC according to the proposed library the programmer extends the class SerenityExecutableComponent_AP. The SerenityExecutableComponent_AP class includes all EC functionalities related to the communication to the SRF. So the programmer can concentrate on:
  
  
  ⎯ S&D solution functionalities implemented in the EC.
  
  
  ⎯ Interface offered to SERENITY-aware applications.
  
  
  ⎯ Events captured associated to the execution of the EC.
  
  
  The following piece of code (see Table 1) presents the implementation of the class realising the “DESEncryptUMA” EC.
  First of all, when an EC is instantiated it starts by executing the “executeEC” method. Consequently, the programmer must provide the main functionality of the EC in this method. This is the place to declare and initialise all event capturers related to the EC. In this case the “DESEncryptUMA” EC creates only one event capturer called “EvCObservable”.
  
  Since, all event capturers make use of the interface offered by the SRF in order to transmit events, the events capturers are provided with a reference to the object encapsulating this interface, this object is “evSender”. The EC offers the S&D solution interface to SERENITY-aware applications by executing the “openInterface” method. Doing this, the programmer controls when the SERENITY-aware application is able, or not, to access the offered interface.
  
  
  Next, the interface is offered so the EC waits for incoming operation calls by using the “receiveCall” method. As the presented in table 1, this method has the responsibility of associating the calls made by SERENITY-aware applications to methods implemented by the EC. This example has two operations.
  
  They are called “Encrypt” and “Decrypt”, so the receiveCall method relates the received string “Encrypt” to the method “encrypt”, and the string “Decrypt” to the method “decrypt”. These two methods are implemented in the EC main class. They implement the “Encrypt” and “Decrypt” functionality offered by this S&D Solution. Finally, in order to return information to the SERENITY-aware application, the programmer makes use of the “sendResponse” method.
  
  
  Regarding to the monitorization, the EC includes a method to send events to the SRF. This method is called “sendEvent”. The “sendEvent” method has a parameter indicating the event to send. This parameters is of type SRNTEvent.
  
  
  package serenity.executablecomponent;
  
  

  import java.security.InvalidAlgorithmParameterException;
  
  import java.security.InvalidKeyException;
  
  import java.security.NoSuchAlgorithmException;
  
  import java.security.spec.InvalidKeySpecException;
  
  import javax.crypto.BadPaddingException;
  
  import javax.crypto.Cipher;
  
  import javax.crypto.IllegalBlockSizeException;
  
  import javax.crypto.NoSuchPaddingException;
  
  import javax.crypto.SecretKey;
  
  import javax.crypto.SecretKeyFactory;
  
  import javax.crypto.spec.*;
  
  import serenity.Event.SRNTEvent;
  
  import serenity.executablecomponentlibrary.SerenityExecutableComponent_AP;
  
  

  public class DESEncryptUMA extends SerenityExecutableComponent_AP {
  
  String execComponentId = “Default”;
  
  private PBEKeySpec pbeKeySpec;
  
  private PBEParameterSpec pbeParamSpec;
  
  private SecretKeyFactory keyFac;
  
  private SecretKey pbeKey;
  
  private Cipher pbeCipher, pbeDecipher;
  
  private String keycode = “com.sun.crypto.provider.DESedeKey@4f964b68″;
  
  private String algorithm = “PBEWithMD5AndDES”;
  
  private String codingerror = (”Received line encrypted with other algorithm”);
  
  private String bytecodingerror = null;
  
  private Observable EvCObservable;
  
  

  public DESEncryptUMA (String execCompID, String SRFaddress, int port, int evtPort, int
  
  cPort, String evtMngrWSEndpoint) {
  
  super(execCompID, SRFaddress, port, evtPort, cPort, evtMngrWSEndpoint);
  
  System.out.println(”EC DESEncrypt created. \nID ” + execCompID + “\nPort ” + port
  
  + “\nSRFAddress ” + SRFaddress + “\nSRFListeningPort ” + evtPort +
  
  “\nSRFControlPort ” + cPort + “\nSRFEventManagerWS endpoint ” +
  
  evtMngrWSEndpoint);
  
  try {
  
  init();
  
  } catch (Exception e) {
  
  System.out.println(”DESEncryptUMA error: ” + e.getMessage());
  
  }
  
  }
  
  /**
  * @throws NoSuchAlgorithmException
  
  * @throws InvalidKeySpecException
  
  * @throws NoSuchPaddingException
  
  * @throws InvalidKeyException
  
  * @throws InvalidAlgorithmParameterException
  
  */
  
  

  private void init() throws NoSuchAlgorithmException,
  
  InvalidKeySpecException, NoSuchPaddingException,
  
  InvalidKeyException, InvalidAlgorithmParameterException {
  
  // Salt
  
  byte[] salt = {
  
  (byte) 0xc7, (byte) 0×73, (byte) 0×21, (byte) 0×8c,
  
  (byte) 0×7e, (byte) 0xc8, (byte) 0xee, (byte) 0×99
  
  };
  
  // Iteration count
  
  int count = 16;
  
  // Create PBE parameter set
  
  pbeParamSpec = new PBEParameterSpec(salt, count);
  
  // Convert the password into a
  
  // SecretKey object, using a PBE key
  
  // factory.
  
  char[] pass = keycode.toCharArray();
  
  pbeKeySpec = new PBEKeySpec(pass);
  
  keyFac = SecretKeyFactory.getInstance(algorithm);
  
  pbeKey = keyFac.generateSecret(pbeKeySpec);
  
  // Create PBE Cipher
  
  pbeCipher = Cipher.getInstance(algorithm);
  
  pbeCipher.init(Cipher.ENCRYPT_MODE, pbeKey, pbeParamSpec);
  
  pbeDecipher = Cipher.getInstance(algorithm);
  
  pbeDecipher.init(Cipher.DECRYPT_MODE, pbeKey, pbeParamSpec);
  
  }
  
  
  public void executeEC() {
  
  this.openInterface();
  
  while((this.receiveCall() != -1)) {
  
  }
  
  this.closeEC();
  
  }
  
  
  public int receiveCall() {
  
  receiveOperation();
  
  if(this.getCurrentInstruction().equals(”Encrypt”)) {
  
  //Get the text
  
  String s = (String)this.getInstructionParameter(”Text”);
  
  byte[] bytes = s.getBytes();
  
  this.encrypt(bytes);
  
  return 0;
  
  }
  
  else if(this.getCurrentInstruction().equals(”Decrypt”)) {
  
  //Get the text
  
  byte[] parameter = (byte[])this.getInstructionParameter(”ciphertext”);
  
  this.decrypt(parameter);
  
  return 0;
  
  }
  
  else if(this.getCurrentInstruction().equals(”Close”)) {
  
  byte[] b = null;
  
  //Need to send a response to the application
  
  this.sendResponse(b);
  
  this.closeInterface();
  
  return -1;
  
  }
  
  return 0;
  
  }
  
  
  public void encrypt (byte[] input) {
  
  byte[] ciphertext = null;
  
  try {
  
  SRNTEvent event = new SRNTEvent();
  
  event.createEventXML(”C:\\sampleEvent.xml”);
  
  System.out.println(”Event created”);
  
  this.sendEventBySocket(event.toString());
  
  System.out.println(”Event sended”);
  
  this.init();
  
  ciphertext = pbeCipher.doFinal(input);
  
  this.sendResponse(ciphertext);
  
  }
  
  catch (Exception e) {
  
  System.out.println(”Exception encrypt PBEWithMD5AndDES :” + e.getMessage());
  
  }
  
  }
  
  
  public void decrypt (byte[] ciphertext) {
  
  try {
  
  this.init();
  
  bytecodingerror = new String(codingerror.getBytes(),”UTF-8″);
  
  byte[] deciphertext = pbeDecipher.doFinal(ciphertext);
  
  String res = new String(deciphertext, “UTF-8″);
  
  this.sendResponse(res.getBytes());
  
  }
  
  catch (IllegalBlockSizeException es) {
  
  this.sendResponse(bytecodingerror.getBytes());
  
  }
  
  catch (BadPaddingException ep) {
  
  this.sendResponse(bytecodingerror.getBytes());
  
  }
  
  catch (Exception e) {
  
  System.out.println(”Exception decrypt PBEWithMD5AndDES :” + e.getMessage());
  
  }
  
  }
  
  
  public static void main(String[] args) {
  
  //We create the ExecComponent
  
  DESEncryptUMA desEncrypt = new DESEncryptUMA(args[0],args[1],Integer.parseInt(args[2]),
  
  Integer.parseInt(args[3]), Integer.parseInt(args[4]), args[5]);
  
  desEncrypt.executeEC();
  
  }
  
  
  @Override
  
  public void restartEC() {
  
  // TODO Auto-generated method stub
  
  reinitEC();
  
  }
  
  
  @Override
  
  public void stopEC() {
  
  // TODO Auto-generated method stub
  
  closeEC();
  
  }
  
  }
  
  

  Table 1 - Example of the Java implementation of an executable component.
  
  

  With reference to events capturers, the proposed Java package includes an abstract class to be extended for the implementation of events capturers. Table 2 presents an example of an event capturer developed for this example EC. Classes extending the EventCapturerWS or EventCapturerSocket classes must redefine the “execute” method. This method is executed when the event capturer is created. The purpose of this method is to implement the event capturer functionalities. As a general rule, events capturers include the code for checking something in the system, and the code for submission of events containing information about this checking. Events capturers use the method sendEvent in order to send events to the SRF.
  
  
  import serenity.executablecomponentlibrary.EventCapturerSocket;
  
  import serenity.executablecomponentlibrary.EventSenderSocket;
  
  

  public class Observable extends EventCapturerSocket {
  
  public Observable(EventSenderSocket evS) {
  
  super(evS);
  
  }
  
  

  @Override
  
  public void execute(String arg0) {
  
  // Here you code how to get information to create events
  
  this.sendEvent(“XML Event”);
  
  }
  
  public void run() {
  
  }
  
  }
  
  

  Table 2 - Java implementation of an event capturer EventCapturerSocket class
  
  
  2. Development process for Serenity-aware applications
  
  

  The SERENITY-aware applications are applications specially designed to make use of the security and dependability mechanisms provided by SERENITY. In order to do that, these applications include references to SERENITY S&D Solutions and to the SRF. At run-time each reference to a S&D Solution is translated to a S&D Solution request (called “SDRequest”). The SRF processes SDRequest, and it provides ECs according to applications’ requests. The development of ECs has been presented in Section 1. This section presents the development of SERENITY-aware applications.
  
  
  The creation of SERENITY-aware applications is divided in two phases. First of all, during the development-time, developers include references to the S&D Solutions supporting the application by means of references to S&D Classes, S&D Patterns and S&D Implementations and their interfaces. According to the hierarchy of S&D Artefacts, there are several ECs implementing each S&D Class or S&D Patterns functionalities; consequently, these designs are open. Later, at run-time, the SRF completes these open designs by means of assembly ECs. In order to choose the EC to associate to each application requirement the SRF processes applications’ requests and instantiates ECs according them. The SRF performs the most accuracy selection of ECs thanks to the use of context information.
  
  
  This Section presents several end-user languages oriented to develop SERENITY-aware applications. Firstly, it introduces an UML based approach for producing SERENITY-aware applications models. Secondly, it presents an application programming interface (API) for the implementation of SERENITY-aware applications. The API is presented in two steps. First it is presented from a platform independent point of view. Second, we present the Java implementation of the API.
  
  
  2.1 Languages for design and modelling
  
  

  SERENITY-aware application developers are one of the “end-users” of the SERENITY Framework, since they access to the SRF through the applications they develop. In this subsection two ways of modelling SERENITY-aware applications requirements are presented.
  The first language presented is called “S&D requirement specification language”. It is oriented to the early stage of development process of SERENITY-aware applications, S&D requirements are identified and need to be specified. The S&D requirement specification language has the following features:
  
  
  ⎯ In SERENITY, the application developers are assumed as to have no strong expertise in S&D mechanisms and techniques. Given such an assumption, the S&D requirement specification language should not include details about S&D mechanisms and techniques. It is important to note, however, that it is required that they are able to identify the security properties that they need.
  
  
  ⎯ In order to improve the applicability of the language, we define it as independent of the modelling language. A specification written in this language is pure text. The application developer can determine his/her way to include this text specification into the development process, if necessary (e.g. by providing IDE plug-ins).
  The S&D requirement specifications are used to query the Serenity S&D Library. As a result, a set of potential S&D Artefacts fulfilling the S&D requirements are obtained.
  
  
  Once they identify the necessary S&D Artefacts, developers create their SERENITY-aware applications using these S&D Artefacts. As with normal applications, the development process of SERENITY-aware applications will usually include a design phase. Generally, development teams use modelling languages (such as UML [2] or Tropos [3]) in order to create specifications of the application under development. This subsection ends by presenting an UML extension for the design of SERENITY-aware applications. This extension is based on the use of UML profiles [4]. Using this UML extension, designers are able to use UML tools in order to model SERENITY-aware applications.
  
  
  2.1.1. S&D Requirements Specification Language
  
  
  2.1.1.1. A semantic ontology-based approach
  
  

  The profile of software developer consists of either ‘coding’ skills for software development tasks, or ‘designer’ skills for taking responsibility of designing several programming tasks. In both cases their contribution is more functional-oriented rather than non-functional (security). The tight deadlines imposed by functional requirements neither allow nor motivate software developers to learn and apply security solutions during their work. Errors produced by software developers open flaws in the business applications and exposes their vulnerabilities.
  
  This justifies the need of an ontological interface to the security pattern. Adopting an ontology-based approach for fetching security patterns to software developers is obviously more realistic than sound and correct. Semantic queries attempt to help users to obtain or manipulate data in a database without knowing its detailed syntactic structure. As opposed to syntactic queries (e.g. XPath and XQuery queries) or declarative queries (e.g. SQL), semantic queries enable retrieval of both explicitly and implicitly derived information based on syntactic and semantic information contained in the database. In the end, the objective of our work is to allow software developers to describe what security problems they are facing without having to know in details how the security problems are actually represented. These arguments are in favour of an ontology based approach.
  
  
  2.1.1.2. Language Structure
  
  

  The basic element of an S&D requirement specification is a “Clause”. An S&D requirement specification is a set of clauses connected by logical operators, such as “AND” and “OR”. Each clause specifies an aspect of the S&D requirement, such as S&D property, application context, related threat model, computational feature, creator, etc.
  
  
  For instance, a system developer realizes that the communications between client side and server side in the system need to be secured. The expected security properties are confidentiality and non-repudiation. As the system developer is not a security expert, providing the formal definition of the expected confidentiality and non-repudiation is out of his/her capability. In the system under development, the server side will provide a web services. The client side runs in a sensor, so low cost solutions are expected. Due to company policy, S&D artefacts created by XYZ.com are not expected to be used. In this case, the S&D requirement specification is as follows:
  
  
  PROPERTY LIKE Confidentiality AND Non-repudiation
  AND CONTEXT IS Web-service
  AND COMPUTATIONAL FEATURE IS Low-cost
  AND CREATOR IS NOT xyz.com
  
  

  The formal definition (e.g., BNF) of the language is to be defined in the next version of this deliverable.
  
  
  2.1.1.3. Property Clause
  
  

  The expected S&D properties are expressed in property clause, which starts with the keyword “PROPERTY”. A more detailed description will be included in the next version of this deliverable.
  
  
  2.1.1.4. Context Clause
  
  

  The expected application context of S&D artefacts is expressed in context clause, which starts with the keyword “CONTEXT”. Context is an important aspect to be considered when applying S&D artefacts. At the same time, context is very general in the sense that many things can be considered as context, e.g., operating system, programming platform, system architecture, related S&D artefacts, etc. How to define the context clause needs to be further investigated.
  
  
  2.1.1.5. Other Clauses
  
  

  More clauses are needed to express S&D requirements. For example, the envisaged attack model can be “Buffer Overflows”, “Cross-Site Scripting”, or “SQL Injection”. These clauses will be defined according to the requirements of the Serenity scenarios.
  
  
  2.1.2. UML design of Serenity-aware applications
  
  

  This subsection is devoted to present a language for the creation of UML designs of SERENITY-aware applications. It presents two UML extensions; both of them are based on UML profiles. In the first place, we present a UML profile devoted to S&D Properties [5]. This UML profile allows including references to S&D Properties in UML diagrams. Secondly, we present a UML profile for the expression of S&D Artefacts (in this Section we use the term S&D artefact to refer to S&D Classes, S&D Patterns, and S&D Implementations indistinctly). This profile, called “S&D Solutions profile”, is used to create UML models of SERENITY-aware applications including S&D Solutions.
  
  
  The “S&D Properties profile” includes two stereotypes: (i) “S&DProperty” to be applied to classes and (ii) “Requires” to be applied to associations. Using this profile we can create a model expressing that a particular element in a UML diagram “Requires” a specific S&D Property stereotyped as “S&DProperty”. Figure 7 presents this UML profile.
  
  
  
  

  Figure 7 - UML Profile for the inclusion of S&D Properties

  
  

  The S&D Solutions profile, shown in Figure 8, includes four stereotypes. With reference to S&D Solution, it includes one stereotype for each S&D artefacts representing S&D Solutions. That is to say, three stereotypes: “S&DClass”, “S&DPattern”, and “S&DImplementation” to be applied to class elements. Apart from this, the profile includes a stereotype called “Secure” to be applied to associations. Using these stereotypes one can express that an S&D Solution (stereotyped as “S&DClass”, “S&DPattern” or “S&DImplementation” depending on the level of S&D Solution the designer uses) “Secures” a particular element in an UML diagram.
  
  
  
  

  Figure 8 - UML profile for the expression of S&D Solutions.

  
  

  The greatest advantage of using two different profiles, each one covering a different type of artefacts (S&D Properties and S&D Solutions), is that this allows designers to address both the business model and the design models of SERENITY-aware applications. Consequently, SERENITY-aware applications can be modelled at several levels of abstraction. This aspect is important taking into account that the approach can be adapted to be included in the most of modern software engineering development processes.
  
  
  2.2. Languages for implementation of Serenity-aware applications
  
  

  SERENITY-aware application programmers have to carry out several specific tasks in order to manage S&D Solutions from their applications. These tasks include accessing both SRF and S&D Solutions interfaces. The main disadvantage of these tasks is that they increase the technical knowledge required from programmers. This section presents an API supporting the development of SERENITY-aware applications. This API encapsulates both SRF and S&D Solutions technical details, allowing an easy access to their functionalities. This API is presented in two steps. Firstly an abstract model of the library is presented. This abstract model shows the main components and their responsibilities. Secondly, as in the previous case, the section ends by presenting a Java implementation of the API.
  
  
  2.2.1. API for development of Serenity-aware applications
  
  

  This section introduces a library supporting the development of SERENITY-aware applications. SERENITY-aware application programmers make use of this library with two main purposes (i) to request S&D Solutions from the SRF, and (ii) to access the functionalities provided by S&D Solutions. In order to do that, SERENITY-aware applications use two interfaces. The first one is provided by the SRF, called SRFRequest interface. And the second one provided by ECs implementing S&D Solutions (called ECaccessPoint interface).
  Figure 9 presents the main components of the library and the interfaces they encapsulate.
  
  
  ⎯ The SRF_AP_AccessPoint class encapsulates the “SRFRequest” interface, provided by the SRF. This interface is used to send S&D Solution requests to the SRF. These requests, called SDRequests, once processed by the SRF result in ECs ready to be accessed by applications. This component provides the first function to the library: the “requestSolution” function. This function has only one parameter which is a text string representing S&D Solution requested, and returns an ECHandler component (see below). There exists an alternative way to call this method by using as parameter an object of type SDRequest. This object presents an alternative way of express SDRequest without using strings. SDRequests include the S&D Artefact requested to the SRF by using a formatted text string. This format is presented in Table 3 (using EBNF notation [6]). In SDrequests, the type of S&D Solution identifies the type the requested artefact, using ‘C’ for S&DClasses, ‘P’ for S&DPatterns, and ‘I’ for S&DImplementations.
  
  
  ⎯ The ReactionListener class encapsulates the SRF reaction subsystem. The SRF uses this subsystem to send messages to applications as result of the monitorization activity. Each application is associated to one instance of this class when it requests an EC. The ReactionListener class is a thread that waits until it receives a message from the SRF and then executes a method of the application class. It is a way to notify applications that ECs have malfunctioned.
  
  

  ::= ‘:’
  
  

  ::= ‘C’ | ‘P’ | ‘I’
  
  ::=
  
  

  ::= ()*
  
  ::= ‘.’(’.’)*
  
  

  ::= ()*
  
  

  ::= |
  
  

  ::= ‘a’ | ‘b’ |…| ‘z’ | ‘A’ | ‘B’ |…| ‘Z’
  
  ::= ‘0′ | ‘1′ |…| ‘9′
  
  

  Table 3 - EBNF format for SDrequests.
  
  

  ⎯ The SerenityExecutableComponent_AP component encapsulates the use of ECs. This component provides a second functionality to the library, This functionality is implemented by two different methods: “callOperation” and “callOperationObject”. These methods are used in order to access to ECs interface, and they present the same operational behaviour but they have different parameters. The “callOperation” works with parameters of type string. On the contrary, the “callOperationObject” works with parameters of type object. The SerenityExecutableComponent_AP component manages internally the ECHandler corresponding to the EC it encapsulates.
  
  
  ⎯ The development of an application using the API is based on the extension of SerenityApplication class. Doing this, our application inherits the methods for capturing the ReactionListener operations.
  
  
  
  

  Figure 9 - proposed infrastructure for supporting Serenity-aware applications.

  
  

  Figure 10 presents a sequence diagram showing how a SERENITY-aware application makes use of the library. Note that in this case, the SerenityExecutableComponent_AP is encapsulating the access to both the SRF and the EC. This strategy facilitates the understanding of the concept of S&D Solutions by programmers, since they only need to use one class to manage them.
  
  
  
  

  Figure 10 - Sequence diagram showing the instantiation of an Executable Component.

  
  

  The sequence diagram shown in Figure 10 starts with the application. For this case, “Application A”, creates an objecto of type SRF_AP_AccessPoint. This object creates the communication link to the SRF. A detailed description of the interface provided by the SRF can be found in deliverable A6.D4.1 [7]. When “Application A” needs the functionalities provided by an S&D Solution, it creates an instance of the SerenityExecutableComponent_AP class. This class accepts both the SRF_AP_AccessPoint reference and the SDRequest when it is created. The SerenityExecutableComponent_AP component uses the SRF_AP_AccessPoint to send the SDRequest to the SRF. SDRequests are processed by the SRF resulting on the instantiation of an EC, represented as a handler (e.g. OS process ID, WS…).
  
  The SRF returns the relevant data of this OS_Handler to the SRF_AP_AccessPoint. This information is encapsulated in an object of type ECHandler. Consequently, the SRF_ AP_AccessPoint creates an ECHandler, so that the application, by means of the SerenityExecutableComponent_AP, can use it.
  Once all these components have been created, “Application A” can access the “Executable Component A” interface by means of the SerenityExecutableComponent_AP which acts as a proxy. In order to do that “Application A” uses the callOperation method.
  
  
  2.2.2. Java implementation of the proposed API
  
  

  This section presents a Java implementation of the aforementioned infrastructure. At the end of the section an example of how this implementation is used to develop a simple SERENITY-aware application is presented.
  This implementation is provided by means of a Java package containing the following classes. SerenityExecutableComponent_AP, SRF_AP_AccessPoint, ReactionListener, and SerenityApplication. Figure 11 presents the organization of these Java classes.
  
  
  
  

  Figure 11 - Java Package containing classes for Serenity-aware application development.

  
  

  Figure 12 presents a detailed class diagram showing the classes and features included in the package. As mentioned, the SRF_AP_AccessPoint has two methods and a constructor. The constructor accepts as parameter a SerenityApplication object. The two methods work the same. Their only difference is that they use different parameters. One of them uses a request expressed as a String type and the other one uses a request expressed as an SDRequest object.
  
  Both of them return an ECHandler object.
  The SerenityApplication class has only one method called executeReaction. This method has as parameter of type String that is the message received from the SRF. The SERENITY-aware applications have to extend this class.
  The ReactionListener class is automatically instantiated by the SRF_AP_AccessPoint. This class has a constructor that uses as parameters a reference to the application. The ReactionListener extends the Thread class so it has a run method. This method wait until it receives a message from the SRF and it executes a method of the application class. When it receives a message form the SRF sends it to the application.
  
  
  Finally, the SerenityExecutableComponent_AP class, which provides access to ECs, has three methods and three constructors. The different constructors use different values as parameters. The main constructor has the following parameters: a SRF_AP_AccessPoint object, a request described as a String type, the EC instantiation parameters of type String and the preferences of type String. Regarding the other two constructors, one of them accepts as parameter an objecto of type ECHandler, and the other one has two parameters: the connection port (TCP/IP) and an identifier for the EC.
  
  
  The “callOperation” and “callOperationObject” methods work the same but they return objects of different types. The “callOperation” returns a string of bytes and the “callOperationObject” returns a serializable object. Finally, the method called “close” is used by SERENITY-aware applications to finish the use the EC.
  
  
  
  

  Figure 12 - Detailed class diagram showing the Java implementation of the Serenity-aware application API.

  
  
  2.2.2.1. Example of a Java Serenity-aware application
  
  

  This section presents the development of a SERENITY-aware Application. For this purpose, we use the Java package presented in the previous subsection.
  
  
  The application presented in this example relies on an encryption and decryption S&D solution in order to encrypt and decrypt a text. The application presents the following behaviour: first it encrypts the text. Second it shows the encrypted text to the user. Third, it decrypts the encrypted text. And finally, it shows the decrypted text to the user.
  From the application point of view, it only needs to:
  
  
  ⎯ Create the connection with the SRF by means of the SRF_AP_AccessPoint class.
  
  
  ⎯ Request the encryption S&D Pattern.
  
  
  ⎯ Invoke a call from S&D Pattern interface (the application do it twice, firstly calling the encryption method and later calling the decryption method).
  
  
  For the given example, we assume that the SRF supporting our SERENITY-aware application comes along with an S&D Library that contains at least the following S&D Artefacts:
  
  
  ⎯ An S&D Class called Encrypt.uma.es.
  
  
  ⎯ An S&D Pattern called DESEncrypt.uma.es.
  
  
  ⎯ An S&D Implementation called DESEncryptJava.uma.es.
  
  
  The SRF contains the EC implementing the S&D Implementation as well. The relations between these S&D Artefacts are shown in Figure 13.
  
  
  
  
  

  Figure 13 – S&D Artifacts in the SRF’s S&D Library.

  
  

  The Java code presented in Table 4 shows the implementation of the application. The interfaces of the S&D Class and the S&D Pattern used in this example propose the same functions. Thanks to this, programmers can use the same operation call no matter what type of artefact they asked for. There are three possible SDRequest applicable to the given example:
  
  
  ⎯ Asking for an S&D Class: “C: Encrypt.uma.es”
  
  
  ⎯ Asking for an S&D Pattern: “P: DESEncrypt.uma.es”
  
  
  ⎯ Asking for an S&D Implementation: “I: DESEncryptJava.uma.es”
  
  
  References
  
  

  [1] K. Mahbub, G. Spanoudakis, C. Kloukinas. V2 of Dynamic Validation Prototype. Serenity Public Report A4.D3.3, 2007.
  
  

  [2] ISO/IEC. Unified Modeling Language (UML). Version 1.4.2. International Standard ISO/IEC 19501.
  
  

  [3] P. Bresciani, P. Giorgini, F. Giunchiglia, J. Mylopoulos, A. Perini. TROPOS: An Agent-Oriented Software Development Methodology. Journal of Autonomous Agents and Multi-Agent Systems. Kluwer Academic Publishers Volume 8, Issue 3, Pages 203 - 236, May 2004.
  
  

  [4] Fuentes-Fernández. L., Vallecillo. A. “An Introduction to UML Profiles”. UML and Model Engineering April 2004.
  
  

  [5] A. Maña, A. Muñoz, F. Sanchez-Cid, D. Serrano Valero, G. Pujol, S. Torres, S. Güergens, C. Rudolph, A. Saidane, F. Dalpiaz, F. Massacci, P. Soria Rodriguez. Security properties specification language. Serenity Public Report A5.D3.1, 2007.
  
  

  [6] ISO/IEC. EBNF notation. International Standard ISO/IEC 14977:1996(E).
  
  

  [7] Beatriz Gallego-Nicasio, Ana Piñuela. Security Manager. Serenity Public Prototype report A6.D4.1, 2008.
  
  

  • S&D Solution Development Support
  
  
  1. Languages for implementation of S&D Solutions
  
  

  This section presents the end-user language supporting the implementation of Executable Components (EC). EC are the realization of the S&D Solutions code level. The SRF instantiates ECs when it receives requests coming from SERENITY-aware applications.
  
  
  
  

  Figure 1 - Component diagram showing EC and SERENITY-aware applications interfaces

  
  

  The development of ECs requires the implementation of several interfaces. As presented in Figure 1 involves the implementation of several interfaces. First, the “ECcontrol” interface, this interface is used by the SRF in order to control the execution of the EC. Second, the “ECmonitoring” interface. This interface is used by the EC for sending events to the SRF.
  
  The SRF forwards events received to the corresponding Monitoring Services. Finally, ECs have to implement the “ECaccessPoint” interface. SERENITY-aware applications use this interface in order to access to the ECs functionalities. The implementation of all these interfaces requires technical knowledge about SERENITY, particularly, about the SRF interfaces.
  
  
  Additionally, EC programmers have to implement “Event Capturers”. Events capturers are parts of the EC in charge of creating and sending events to the SRF.
  
  
  In order to assist the programmers, this section presents an infrastructure that allows the development of the EC in an easy way. This section is divided in three parts: section 1.1 presents the infrastructure from a point of view independent of the platform, in this way we propose the concepts that on the basis of the implementation of the infrastructure in any platform. Section 1.2 presents a Java implementation of this infrastructure and finally, in section 1.3, we present an example. The example presents the implementation of an EC using the Java implementation of the proposed infrastructure.
  
  
  1.1. API library for development of S&D Solutions
  
  

  Figure 2 presents the infrastructure of the library supporting the executable component development. The most important components are:
  
  
  ⎯ The class SerenityExecutableComponent_AP provides an interface (“ECaccessPoint”) to offer the executable component functionalities to Serenity-aware applications. Applications use this interface to access the security services provided by ECs. In order to do that, applications perform calls to S&D Class/Patterns, interface as they are described in the S&D Class/Pattern descriptions. These calls are translated into calls at the level of EC.
  
  
  ⎯ The ECcontrol interface communicates the SRF to the EC. The SRF uses this bidirectional interface to control the execution of the EC. The SRF can halt, restart, pause or resume the execution of ECs. Besides, ECs use it in order to send information about their execution to the SRF. This interface is available as long as the EC is in execution because it is used to interchange information with the SRF.
  
  
  ⎯ The EventSenderWS and EventSenderSocket. These components perform the same action but using different methods, they send events. The EventSenderWS uses web services technology and the EventSenderSocket uses TCP/IP sockets. These two classes provide the client side of the EventReceiver interface offered by the SRF. This component is used by ECs to send events to the SRF.
  
  
  ⎯ There are two ways of develop events capturers using the proposed API, they are based on the extension of the EventCapturerWS and the EventCapturerSocket classes. As the aforementioned EventSenderWS and EventSenderSocket classes, these components use web services or sockets to implement event submission components. These two components encapsulate event collection related functionalities. The EventCapturerWS component is supported by the aforementioned EventSenderWS component. On the contrary, the EventCapturerSocket component is supported by the EventSenderSocket component.
  
  An EC may have one or more EventCaptures. Developers implement them as EventCapturerSocket or EventCapturerWS. ECs can send events directly to the SRF using the EventSenderWS or EventSenderSocket classes. But, the purpose of event capturers (web services version or socket version) is the submission of events in parallel to the execution of EC. The existence of a specific class to represent event capturers is justified by the importance and specificity of the monitoring activity in the SERENITY model. Besides, sometimes there is the necessity of separate the event submission process from the normal logic of the EC.
  
  
  ⎯ The SRNTEvent package completes the library by providing event management functionalities. The events provided by this package are SERENITY compliance, so the SRF and the monitoring services can deal with them.
  
  
  
  

  Figure 2 - Infrastructure supporting the EC development

  
  
  1.2. Java implementation of the API supporting S&D Solution implementation
  
  

  This section presents a Java implementation of the aforementioned library. At the end of the Section it is presented an example of how to implement an EC using this Java API.
  This implementation is provided by means of two Java packages. One of the packages implements the events management’s functionalities, while the second one contains the classes to build ECs. Figure 3 presents these packages and their relation.
  
  
  
  

  Figure 3 - Java packages implementing the EC infrastructure

  
  

  Figure 4 presents the detailed structure of the above mentioned packages. On the one hand, the package “serenity.Event” includes classes for managing the events lifecycle. On the other hand, the package “serenity.executablecomponentlibrary” includes classes for developing EC. These packages implements the infrastructure presented in the previous subsection.
  
  
  
  

  Figure 4 - Java Packages containing classes for EC development.

  
  

  Figure 5 presents a class diagram showing the classes included in the “serenity.executablecomponentlibrary” package. As aforementioned, there is a class for every component of the infrastructure. The SerenityExecutableComponent_AP is the most important class of the package. Programmers extend this class in order to develop an EC. As shown in the Figure 5, objects of this class may be associated to one or more event capturer objects. There are two ways for develop event capturers: the EventCapturerSocket class or EventCapturerWS class.
  
  Both classes are used to send events to the SRF. Additionally, ECs may send events directly to the SRF without using events capturers, in order to do that the methods “sendEventBySocket” and “sendEventByWS” are accessible from the SerenityExecutableComponent_AP class. The two classes implementing event capturers has the same structure and methods. In this manner the development of event capturers is friendlier. The most important method of the SerenityExecutableComponent_AP class is the “executeEC” one. This method has to be redefined to implement the specific functionalities that the EC under development.
  
  This method is supported by methods “openInterface”, “receiveCall”, and “closeInterface”. These three methods let programmers to open and close the interface offered to applications. Besides, these methods are used to receive operation calls coming from applications. The method “receiveCall” has to be redefined in order to implement the interface described in the corresponding S&D Pattern. Generally, the “receiveCall” method works as a translator between S&D Pattern interface operation calls and EC methods.
  
  
  The SRF_EC_AccessPoint class is a thread encapsulating the communication between the EC and the SRF. For the case of our implementation this communication is implemented by means of TCP/IP sockets. Of course, for other environments this can change.
  The EventCapturerWS and EventCapturerSocket classes implement most of the functionalities needed to perform the tedious event reporting tasks.
  
  As aforementioned, the difference between these classes are that the EventCapturerWS uses web services for the communication to the SRF and the EventCapturerSocket uses sockets. Programmers have to extend these classes in order to create their events capturers. For every event capturer extending the one of these classes the programmer redefines the method “execute” in order to realize the event capturer logic. The execution of event capturers is parallel to the execution of the EC; there is a thread for every event capturer.
  
  
  
  

  Figure 5 - Classes included in the Serenity.executable component package.

  
  

  Figure 6 shows the classes included in the package “serenity.Event”. Every class has both “set” and “get” methods allowing the access to attributes. There is an attribute per event field. A complete description of the event fields can be found in [1]. Events are created by instantiations of the SRNTEvent class. The constructors of the SRNTEvent accept as parameters references to XML files with XML serialization of events, and strings representing events in XML format.
  
  By doing this, programmers can maintain the general structure of their events in a file, and prior to its submission to the SRF they can change the fields according to the data they want to send. The information stored in the SRNTEvent class can be translated to string type (as strings in XML format) by using the method “toString”. The events XML of the events are validated using the XML schema definition file “Event.xsl”, the library does this validation internally.
  
  
  
  

  Figure 6 - Classes in the serenity.Events package

  
  
  1.3. Example of a Java S&D Solution (an executable component)
  
  

  This section presents an example intended to provide the necessary background for programmers to develop a SERENITY EC. For this purpose, we use the Java package presented in the previous subsection. The EC we provide as example is a Java implementation of the encryption method DES. It provides encrypt and decrypt functionalities. As aforementioned, in order to create the EC according to the proposed library the programmer extends the class SerenityExecutableComponent_AP. The SerenityExecutableComponent_AP class includes all EC functionalities related to the communication to the SRF. So the programmer can concentrate on:
  
  
  ⎯ S&D solution functionalities implemented in the EC.
  
  
  ⎯ Interface offered to SERENITY-aware applications.
  
  
  ⎯ Events captured associated to the execution of the EC.
  
  
  The following piece of code (see Table 1) presents the implementation of the class realising the “DESEncryptUMA” EC.
  First of all, when an EC is instantiated it starts by executing the “executeEC” method. Consequently, the programmer must provide the main functionality of the EC in this method. This is the place to declare and initialise all event capturers related to the EC. In this case the “DESEncryptUMA” EC creates only one event capturer called “EvCObservable”. Since, all event capturers make use of the interface offered by the SRF in order to transmit events, the events capturers are provided with a reference to the object encapsulating this interface, this object is “evSender”. The EC offers the S&D solution interface to SERENITY-aware applications by executing the “openInterface” method. Doing this, the programmer controls when the SERENITY-aware application is able, or not, to access the offered interface.
  
  
  Next, the interface is offered so the EC waits for incoming operation calls by using the “receiveCall” method. As the presented in table 1, this method has the responsibility of associating the calls made by SERENITY-aware applications to methods implemented by the EC. This example has two operations. They are called “Encrypt” and “Decrypt”, so the receiveCall method relates the received string “Encrypt” to the method “encrypt”, and the string “Decrypt” to the method “decrypt”. These two methods are implemented in the EC main class. They implement the “Encrypt” and “Decrypt” functionality offered by this S&D Solution. Finally, in order to return information to the SERENITY-aware application, the programmer makes use of the “sendResponse” method.
  
  
  Regarding to the monitorization, the EC includes a method to send events to the SRF. This method is called “sendEvent”. The “sendEvent” method has a parameter indicating the event to send. This parameters is of type SRNTEvent.
  
  
  package serenity.executablecomponent;
  
  

  import java.security.InvalidAlgorithmParameterException;
  
  import java.security.InvalidKeyException;
  
  import java.security.NoSuchAlgorithmException;
  
  import java.security.spec.InvalidKeySpecException;
  
  import javax.crypto.BadPaddingException;
  
  import javax.crypto.Cipher;
  
  import javax.crypto.IllegalBlockSizeException;
  
  import javax.crypto.NoSuchPaddingException;
  
  import javax.crypto.SecretKey;
  
  import javax.crypto.SecretKeyFactory;
  
  import javax.crypto.spec.*;
  
  import serenity.Event.SRNTEvent;
  
  import serenity.executablecomponentlibrary.SerenityExecutableComponent_AP;
  
  

  public class DESEncryptUMA extends SerenityExecutableComponent_AP {
  
  String execComponentId = “Default”;
  
  private PBEKeySpec pbeKeySpec;
  
  private PBEParameterSpec pbeParamSpec;
  
  private SecretKeyFactory keyFac;
  
  private SecretKey pbeKey;
  
  private Cipher pbeCipher, pbeDecipher;
  
  private String keycode = “com.sun.crypto.provider.DESedeKey@4f964b68″;
  
  private String algorithm = “PBEWithMD5AndDES”;
  
  private String codingerror = (”Received line encrypted with other algorithm”);
  
  private String bytecodingerror = null;
  
  private Observable EvCObservable;
  
  

  public DESEncryptUMA (String execCompID, String SRFaddress, int port, int evtPort, int
  
  cPort, String evtMngrWSEndpoint) {
  
  super(execCompID, SRFaddress, port, evtPort, cPort, evtMngrWSEndpoint);
  
  System.out.println(”EC DESEncrypt created. \nID ” + execCompID + “\nPort ” + port
  
  + “\nSRFAddress ” + SRFaddress + “\nSRFListeningPort ” + evtPort +
  
  “\nSRFControlPort ” + cPort + “\nSRFEventManagerWS endpoint ” +
  
  evtMngrWSEndpoint);
  
  try {
  
  init();
  
  } catch (Exception e) {
  
  System.out.println(”DESEncryptUMA error: ” + e.getMessage());
  
  }
  
  }
  
  
  /**
  * @throws NoSuchAlgorithmException
  
  * @throws InvalidKeySpecException
  
  * @throws NoSuchPaddingException
  
  * @throws InvalidKeyException
  
  * @throws InvalidAlgorithmParameterException
  
  */
  
  

  private void init() throws NoSuchAlgorithmException,
  
  InvalidKeySpecException, NoSuchPaddingException,
  
  InvalidKeyException, InvalidAlgorithmParameterException {
  
  // Salt
  
  byte[] salt = {
  
  (byte) 0xc7, (byte) 0×73, (byte) 0×21, (byte) 0×8c,
  
  (byte) 0×7e, (byte) 0xc8, (byte) 0xee, (byte) 0×99
  
  };
  
  // Iteration count
  
  int count = 16;
  
  // Create PBE parameter set
  
  pbeParamSpec = new PBEParameterSpec(salt, count);
  
  // Convert the password into a
  
  // SecretKey object, using a PBE key
  
  // factory.
  
  char[] pass = keycode.toCharArray();
  
  pbeKeySpec = new PBEKeySpec(pass);
  
  keyFac = SecretKeyFactory.getInstance(algorithm);
  
  pbeKey = keyFac.generateSecret(pbeKeySpec);
  
  // Create PBE Cipher
  
  pbeCipher = Cipher.getInstance(algorithm);
  
  pbeCipher.init(Cipher.ENCRYPT_MODE, pbeKey, pbeParamSpec);
  
  pbeDecipher = Cipher.getInstance(algorithm);
  
  pbeDecipher.init(Cipher.DECRYPT_MODE, pbeKey, pbeParamSpec);
  
  }
  
  
  public void executeEC() {
  
  this.openInterface();
  
  while((this.receiveCall() != -1)) {
  
  }
  
  this.closeEC();
  
  }
  
  
  public int receiveCall() {
  
  receiveOperation();
  
  if(this.getCurrentInstruction().equals(”Encrypt”)) {
  
  //Get the text
  
  String s = (String)this.getInstructionParameter(”Text”);
  
  byte[] bytes = s.getBytes();
  
  this.encrypt(bytes);
  
  return 0;
  
  }
  
  else if(this.getCurrentInstruction().equals(”Decrypt”)) {
  
  //Get the text
  
  byte[] parameter = (byte[])this.getInstructionParameter(”ciphertext”);
  
  this.decrypt(parameter);
  
  return 0;
  
  }
  
  else if(this.getCurrentInstruction().equals(”Close”)) {
  
  byte[] b = null;
  
  //Need to send a response to the application
  
  this.sendResponse(b);
  
  this.closeInterface();
  
  return -1;
  
  }
  
  return 0;
  
  }
  
  
  public void encrypt (byte[] input) {
  
  byte[] ciphertext = null;
  
  try {
  
  SRNTEvent event = new SRNTEvent();
  
  event.createEventXML(”C:\\sampleEvent.xml”);
  
  System.out.println(”Event created”);
  
  this.sendEventBySocket(event.toString());
  
  System.out.println(”Event sended”);
  
  this.init();
  
  ciphertext = pbeCipher.doFinal(input);
  
  this.sendResponse(ciphertext);
  
  }
  
  catch (Exception e) {
  
  System.out.println(”Exception encrypt PBEWithMD5AndDES :” + e.getMessage());
  
  }
  
  }
  
  
  public void decrypt (byte[] ciphertext) {
  
  try {
  
  this.init();
  
  bytecodingerror = new String(codingerror.getBytes(),”UTF-8″);
  
  byte[] deciphertext = pbeDecipher.doFinal(ciphertext);
  
  String res = new String(deciphertext, “UTF-8″);
  
  this.sendResponse(res.getBytes());
  
  }
  
  catch (IllegalBlockSizeException es) {
  
  this.sendResponse(bytecodingerror.getBytes());
  
  }
  
  catch (BadPaddingException ep) {
  
  this.sendResponse(bytecodingerror.getBytes());
  
  }
  
  catch (Exception e) {
  
  System.out.println(”Exception decrypt PBEWithMD5AndDES :” + e.getMessage());
  
  }
  
  }
  
  
  public static void main(String[] args) {
  
  //We create the ExecComponent
  
  DESEncryptUMA desEncrypt = new DESEncryptUMA(args[0],args[1],Integer.parseInt(args[2]),
  
  Integer.parseInt(args[3]), Integer.parseInt(args[4]), args[5]);
  
  desEncrypt.executeEC();
  
  }
  
  
  @Override
  
  public void restartEC() {
  
  // TODO Auto-generated method stub
  
  reinitEC();
  
  }
  
  
  @Override
  
  public void stopEC() {
  
  // TODO Auto-generated method stub
  
  closeEC();
  
  }
  
  }
  
  

  Table 1 - Example of the Java implementation of an executable component.
  
  

  With reference to events capturers, the proposed Java package includes an abstract class to be extended for the implementation of events capturers. Table 2 presents an example of an event capturer developed for this example EC. Classes extending the EventCapturerWS or EventCapturerSocket classes must redefine the “execute” method.
  
  This method is executed when the event capturer is created. The purpose of this method is to implement the event capturer functionalities. As a general rule, events capturers include the code for checking something in the system, and the code for submission of events containing information about this checking. Events capturers use the method sendEvent in order to send events to the SRF.
  
  
  import serenity.executablecomponentlibrary.EventCapturerSocket;
  
  import serenity.executablecomponentlibrary.EventSenderSocket;
  
  

  public class Observable extends EventCapturerSocket {
  
  public Observable(EventSenderSocket evS) {
  
  super(evS);
  
  }
  
  

  @Override
  
  public void execute(String arg0) {
  
  // Here you code how to get information to create events
  
  this.sendEvent(“XML Event”);
  
  }
  
  
  public void run() {
  
  }
  
  }
  
  

  Table 2 - Java implementation of an event capturer EventCapturerSocket class
  
  
  References
  
  

  [1] K. Mahbub, G. Spanoudakis, C. Kloukinas. V2 of Dynamic Validation Prototype. Serenity Public Report A4.D3.3, 2007.
  
  

  • Application Development Support
  
  
  1. Development process for Serenity-aware applications
  
  

  The SERENITY-aware applications are applications specially designed to make use of the security and dependability mechanisms provided by SERENITY. In order to do that, these applications include references to SERENITY S&D Solutions and to the SRF. At run-time each reference to a S&D Solution is translated to a S&D Solution request (called “SDRequest”). The SRF processes SDRequest, and it provides ECs according to applications’ requests. The development of ECs has been presented in Section 1. This section presents the development of SERENITY-aware applications.
  
  
  The creation of SERENITY-aware applications is divided in two phases. First of all, during the development-time, developers include references to the S&D Solutions supporting the application by means of references to S&D Classes, S&D Patterns and S&D Implementations and their interfaces. According to the hierarchy of S&D Artefacts, there are several ECs implementing each S&D Class or S&D Patterns functionalities; consequently, these designs are open. Later, at run-time, the SRF completes these open designs by means of assembly ECs. In order to choose the EC to associate to each application requirement the SRF processes applications’ requests and instantiates ECs according them. The SRF performs the most accuracy selection of ECs thanks to the use of context information.
  
  
  This Section presents several end-user languages oriented to develop SERENITY-aware applications. Firstly, it introduces an UML based approach for producing SERENITY-aware applications models. Secondly, it presents an application programming interface (API) for the implementation of SERENITY-aware applications. The API is presented in two steps. First it is presented from a platform independent point of view. Second, we present the Java implementation of the API.
  
  
  1.1 Languages for design and modelling
  
  

  SERENITY-aware application developers are one of the “end-users” of the SERENITY Framework, since they access to the SRF through the applications they develop. In this subsection two ways of modelling SERENITY-aware applications requirements are presented.
  The first language presented is called “S&D requirement specification language”. It is oriented to the early stage of development process of SERENITY-aware applications, S&D requirements are identified and need to be specified. The S&D requirement specification language has the following features:
  
  
  ⎯ In SERENITY, the application developers are assumed as to have no strong expertise in S&D mechanisms and techniques. Given such an assumption, the S&D requirement specification language should not include details about S&D mechanisms and techniques. It is important to note, however, that it is required that they are able to identify the security properties that they need.
  
  
  ⎯ In order to improve the applicability of the language, we define it as independent of the modelling language. A specification written in this language is pure text. The application developer can determine his/her way to include this text specification into the development process, if necessary (e.g. by providing IDE plug-ins).
  The S&D requirement specifications are used to query the Serenity S&D Library. As a result, a set of potential S&D Artefacts fulfilling the S&D requirements are obtained.
  
  
  Once they identify the necessary S&D Artefacts, developers create their SERENITY-aware applications using these S&D Artefacts. As with normal applications, the development process of SERENITY-aware applications will usually include a design phase. Generally, development teams use modelling languages (such as UML [1] or Tropos [2]) in order to create specifications of the application under development. This subsection ends by presenting an UML extension for the design of SERENITY-aware applications. This extension is based on the use of UML profiles [3]. Using this UML extension, designers are able to use UML tools in order to model SERENITY-aware applications.
  
  
  1.1.1. S&D Requirements Specification Language
  
  
  1.1.1.1. A semantic ontology-based approach
  
  

  The profile of software developer consists of either ‘coding’ skills for software development tasks, or ‘designer’ skills for taking responsibility of designing several programming tasks. In both cases their contribution is more functional-oriented rather than non-functional (security). The tight deadlines imposed by functional requirements neither allow nor motivate software developers to learn and apply security solutions during their work. Errors produced by software developers open flaws in the business applications and exposes their vulnerabilities.
  
  This justifies the need of an ontological interface to the security pattern. Adopting an ontology-based approach for fetching security patterns to software developers is obviously more realistic than sound and correct. Semantic queries attempt to help users to obtain or manipulate data in a database without knowing its detailed syntactic structure. As opposed to syntactic queries (e.g. XPath and XQuery queries) or declarative queries (e.g. SQL), semantic queries enable retrieval of both explicitly and implicitly derived information based on syntactic and semantic information contained in the database. In the end, the objective of our work is to allow software developers to describe what security problems they are facing without having to know in details how the security problems are actually represented. These arguments are in favour of an ontology based approach.
  
  
  1.1.1.2. Language Structure
  
  

  The basic element of an S&D requirement specification is a “Clause”. An S&D requirement specification is a set of clauses connected by logical operators, such as “AND” and “OR”. Each clause specifies an aspect of the S&D requirement, such as S&D property, application context, related threat model, computational feature, creator, etc.
  
  
  For instance, a system developer realizes that the communications between client side and server side in the system need to be secured. The expected security properties are confidentiality and non-repudiation. As the system developer is not a security expert, providing the formal definition of the expected confidentiality and non-repudiation is out of his/her capability. In the system under development, the server side will provide a web services. The client side runs in a sensor, so low cost solutions are expected. Due to company policy, S&D artefacts created by XYZ.com are not expected to be used. In this case, the S&D requirement specification is as follows:
  
  
  PROPERTY LIKE Confidentiality AND Non-repudiation
  AND CONTEXT IS Web-service
  AND COMPUTATIONAL FEATURE IS Low-cost
  AND CREATOR IS NOT xyz.com
  
  

  The formal definition (e.g., BNF) of the language is to be defined in the next version of this deliverable.
  
  
  1.1.1.3. Property Clause
  
  

  The expected S&D properties are expressed in property clause, which starts with the keyword “PROPERTY”. A more detailed description will be included in the next version of this deliverable.
  
  
  1.1.1.4. Context Clause
  
  

  The expected application context of S&D artefacts is expressed in context clause, which starts with the keyword “CONTEXT”. Context is an important aspect to be considered when applying S&D artefacts. At the same time, context is very general in the sense that many things can be considered as context, e.g., operating system, programming platform, system architecture, related S&D artefacts, etc. How to define the context clause needs to be further investigated.
  
  
  1.1.1.5. Other Clauses
  
  

  More clauses are needed to express S&D requirements. For example, the envisaged attack model can be “Buffer Overflows”, “Cross-Site Scripting”, or “SQL Injection”. These clauses will be defined according to the requirements of the Serenity scenarios.
  
  
  1.1.2. UML design of Serenity-aware applications
  
  

  This subsection is devoted to present a language for the creation of UML designs of SERENITY-aware applications. It presents two UML extensions; both of them are based on UML profiles. In the first place, we present a UML profile devoted to S&D Properties [4]. This UML profile allows including references to S&D Properties in UML diagrams. Secondly, we present a UML profile for the expression of S&D Artefacts (in this Section we use the term S&D artefact to refer to S&D Classes, S&D Patterns, and S&D Implementations indistinctly). This profile, called “S&D Solutions profile”, is used to create UML models of SERENITY-aware applications including S&D Solutions.
  
  
  The “S&D Properties profile” includes two stereotypes: (i) “S&DProperty” to be applied to classes and (ii) “Requires” to be applied to associations. Using this profile we can create a model expressing that a particular element in a UML diagram “Requires” a specific S&D Property stereotyped as “S&DProperty”. Figure 1 presents this UML profile.
  
  
  
  

  Figure 1 - UML Profile for the inclusion of S&D Properties

  
  

  The S&D Solutions profile, shown in Figure 2, includes four stereotypes. With reference to S&D Solution, it includes one stereotype for each S&D artefacts representing S&D Solutions. That is to say, three stereotypes: “S&DClass”, “S&DPattern”, and “S&DImplementation” to be applied to class elements. Apart from this, the profile includes a stereotype called “Secure” to be applied to associations. Using these stereotypes one can express that an S&D Solution (stereotyped as “S&DClass”, “S&DPattern” or “S&DImplementation” depending on the level of S&D Solution the designer uses) “Secures” a particular element in an UML diagram.
  
  
  
  

  Figure 2 - UML profile for the expression of S&D Solutions.

  
  

  The greatest advantage of using two different profiles, each one covering a different type of artefacts (S&D Properties and S&D Solutions), is that this allows designers to address both the business model and the design models of SERENITY-aware applications. Consequently, SERENITY-aware applications can be modelled at several levels of abstraction. This aspect is important taking into account that the approach can be adapted to be included in the most of modern software engineering development processes.
  
  
  1.2. Languages for implementation of Serenity-aware applications
  
  

  SERENITY-aware application programmers have to carry out several specific tasks in order to manage S&D Solutions from their applications. These tasks include accessing both SRF and S&D Solutions interfaces. The main disadvantage of these tasks is that they increase the technical knowledge required from programmers. This section presents an API supporting the development of SERENITY-aware applications.
  
  This API encapsulates both SRF and S&D Solutions technical details, allowing an easy access to their functionalities. This API is presented in two steps. Firstly an abstract model of the library is presented. This abstract model shows the main components and their responsibilities. Secondly, as in the previous case, the section ends by presenting a Java implementation of the API.
  
  
  1.2.1. API for development of Serenity-aware applications
  
  

  This section introduces a library supporting the development of SERENITY-aware applications. SERENITY-aware application programmers make use of this library with two main purposes (i) to request S&D Solutions from the SRF, and (ii) to access the functionalities provided by S&D Solutions. In order to do that, SERENITY-aware applications use two interfaces. The first one is provided by the SRF, called SRFRequest interface. And the second one provided by ECs implementing S&D Solutions (called ECaccessPoint interface).
  Figure 9 presents the main components of the library and the interfaces they encapsulate.
  
  
  ⎯ The SRF_AP_AccessPoint class encapsulates the “SRFRequest” interface, provided by the SRF. This interface is used to send S&D Solution requests to the SRF. These requests, called SDRequests, once processed by the SRF result in ECs ready to be accessed by applications. This component provides the first function to the library: the “requestSolution” function. This function has only one parameter which is a text string representing S&D Solution requested, and returns an ECHandler component (see below). There exists an alternative way to call this method by using as parameter an object of type SDRequest. This object presents an alternative way of express SDRequest without using strings. SDRequests include the S&D Artefact requested to the SRF by using a formatted text string. This format is presented in Table 1 (using EBNF notation [5]). In SDrequests, the type of S&D Solution identifies the type the requested artefact, using ‘C’ for S&DClasses, ‘P’ for S&DPatterns, and ‘I’ for S&DImplementations.
  
  
  ⎯ The ReactionListener class encapsulates the SRF reaction subsystem. The SRF uses this subsystem to send messages to applications as result of the monitorization activity. Each application is associated to one instance of this class when it requests an EC. The ReactionListener class is a thread that waits until it receives a message from the SRF and then executes a method of the application class. It is a way to notify applications that ECs have malfunctioned.
  
  

  ::= ‘:’
  
  

  ::= ‘C’ | ‘P’ | ‘I’
  
  ::=
  
  

  ::= ()*
  
  ::= ‘.’(’.’)*
  
  

  ::= ()*
  
  

  ::= |
  
  

  ::= ‘a’ | ‘b’ |…| ‘z’ | ‘A’ | ‘B’ |…| ‘Z’
  
  ::= ‘0′ | ‘1′ |…| ‘9′
  
  

  Table 1 - EBNF format for SDrequests.
  
  

  ⎯ The SerenityExecutableComponent_AP component encapsulates the use of ECs. This component provides a second functionality to the library, This functionality is implemented by two different methods: “callOperation” and “callOperationObject”. These methods are used in order to access to ECs interface, and they present the same operational behaviour but they have different parameters. The “callOperation” works with parameters of type string. On the contrary, the “callOperationObject” works with parameters of type object. The SerenityExecutableComponent_AP component manages internally the ECHandler corresponding to the EC it encapsulates.
  
  
  ⎯ The development of an application using the API is based on the extension of SerenityApplication class. Doing this, our application inherits the methods for capturing the ReactionListener operations.
  
  
  
  

  Figure 3 - Proposed infrastructure for supporting Serenity-aware applications.

  
  

  Figure 4 presents a sequence diagram showing how a SERENITY-aware application makes use of the library. Note that in this case, the SerenityExecutableComponent_AP is encapsulating the access to both the SRF and the EC. This strategy facilitates the understanding of the concept of S&D Solutions by programmers, since they only need to use one class to manage them.
  
  
  
  

  Figure 4 - Sequence diagram showing the instantiation of an Executable Component.

  
  

  The sequence diagram shown in Figure 4 starts with the application. For this case, “Application A”, creates an objecto of type SRF_AP_AccessPoint. This object creates the communication link to the SRF. A detailed description of the interface provided by the SRF can be found in deliverable A6.D4.1 [6]. When “Application A” needs the functionalities provided by an S&D Solution, it creates an instance of the SerenityExecutableComponent_AP class. This class accepts both the SRF_AP_AccessPoint reference and the SDRequest when it is created.
  
  The SerenityExecutableComponent_AP component uses the SRF_AP_AccessPoint to send the SDRequest to the SRF. SDRequests are processed by the SRF resulting on the instantiation of an EC, represented as a handler (e.g. OS process ID, WS…). The SRF returns the relevant data of this OS_Handler to the SRF_AP_AccessPoint. This information is encapsulated in an object of type ECHandler. Consequently, the SRF_ AP_AccessPoint creates an ECHandler, so that the application, by means of the SerenityExecutableComponent_AP, can use it.
  
  
  Once all these components have been created, “Application A” can access the “Executable Component A” interface by means of the SerenityExecutableComponent_AP which acts as a proxy. In order to do that “Application A” uses the callOperation method.
  
  
  1.2.2. Java implementation of the proposed API
  
  

  This section presents a Java implementation of the aforementioned infrastructure. At the end of the section an example of how this implementation is used to develop a simple SERENITY-aware application is presented.
  This implementation is provided by means of a Java package containing the following classes. SerenityExecutableComponent_AP, SRF_AP_AccessPoint, ReactionListener, and SerenityApplication. Figure 5 presents the organization of these Java classes.
  
  
  
  

  Figure 5 - Java Package containing classes for Serenity-aware application development.

  
  

  Figure 6 presents a detailed class diagram showing the classes and features included in the package. As mentioned, the SRF_AP_AccessPoint has two methods and a constructor. The constructor accepts as parameter a SerenityApplication object. The two methods work the same. Their only difference is that they use different parameters. One of them uses a request expressed as a String type and the other one uses a request expressed as an SDRequest object. Both of them return an ECHandler object.
  The SerenityApplication class has only one method called executeReaction. This method has as parameter of type String that is the message received from the SRF. The SERENITY-aware applications have to extend this class.
  
  
  The ReactionListener class is automatically instantiated by the SRF_AP_AccessPoint. This class has a constructor that uses as parameters a reference to the application. The ReactionListener extends the Thread class so it has a run method. This method wait until it receives a message from the SRF and it executes a method of the application class. When it receives a message form the SRF sends it to the application.
  
  
  Finally, the SerenityExecutableComponent_AP class, which provides access to ECs, has three methods and three constructors. The different constructors use different values as parameters. The main constructor has the following parameters: a SRF_AP_AccessPoint object, a request described as a String type, the EC instantiation parameters of type String and the preferences of type String. Regarding the other two constructors, one of them accepts as parameter an objecto of type ECHandler, and the other one has two parameters: the connection port (TCP/IP) and an identifier for the EC.
  
  
  The “callOperation” and “callOperationObject” methods work the same but they return objects of different types. The “callOperation” returns a string of bytes and the “callOperationObject” returns a serializable object. Finally, the method called “close” is used by SERENITY-aware applications to finish the use the EC.
  
  
  
  

  Figure 6 - Detailed class diagram showing the Java implementation of the Serenity-aware application API.

  
  
  1.2.2.1. Example of a Java Serenity-aware application
  
  

  This section presents the development of a SERENITY-aware Application. For this purpose, we use the Java package presented in the previous subsection.
  
  
  The application presented in this example relies on an encryption and decryption S&D solution in order to encrypt and decrypt a text. The application presents the following behaviour: first it encrypts the text. Second it shows the encrypted text to the user. Third, it decrypts the encrypted text. And finally, it shows the decrypted text to the user.
  
  
  From the application point of view, it only needs to:
  
  
  ⎯ Create the connection with the SRF by means of the SRF_AP_AccessPoint class.
  
  
  ⎯ Request the encryption S&D Pattern.
  
  
  ⎯ Invoke a call from S&D Pattern interface (the application do it twice, firstly calling the encryption method and later calling the decryption method).
  
  
  For the given example, we assume that the SRF supporting our SERENITY-aware application comes along with an S&D Library that contains at least the following S&D Artefacts:
  
  
  ⎯ An S&D Class called Encrypt.uma.es.
  
  
  ⎯ An S&D Pattern called DESEncrypt.uma.es.
  
  
  ⎯ An S&D Implementation called DESEncryptJava.uma.es.
  
  
  The SRF contains the EC implementing the S&D Implementation as well. The relations between these S&D Artefacts are shown in Figure 7.
  
  
  
  
  

  Figure 7 – S&D Artifacts in the SRF’s S&D Library.

  
  

  The Java code presented in Table 2 shows the implementation of the application. The interfaces of the S&D Class and the S&D Pattern used in this example propose the same functions. Thanks to this, programmers can use the same operation call no matter what type of artefact they asked for.
  
  There are three possible SDRequest applicable to the given example:
  
  
  ⎯ Asking for an S&D Class: “C: Encrypt.uma.es”
  
  
  ⎯ Asking for an S&D Pattern: “P: DESEncrypt.uma.es”
  
  
  ⎯ Asking for an S&D Implementation: “I: DESEncryptJava.uma.es”
  
  
  import java.io.IOException;
  
  import java.io.Serializable;
  
  import java.net.UnknownHostException;
  
  import java.util.Map;
  
  import java.util.TreeMap;
  
  import serenity.applicationSupportLibrary.*;
  
  

  public class SerenitySimpleApplication extends SerenityApplication {
  

  protected static Map argsListE = new TreeMap();
  
  protected static Map argsListD = new TreeMap();
  
  public static SerenityExecutableComponent_AP myEC = null;
  
  byte[] eb,db = null;
  

  public SerenitySimpleApplication() {
  
  SRF_AP_AccessPoint mySRF = new SRF_AP_AccessPoint(this);
  

  try {
  
  myEC = new SerenityExecutableComponent_AP(mySRF, “P:DESEncrypt.uma.es”,null,null);
  
  argsListE = new TreeMap();
  
  argsListE.put(”Text”, “This is a string test”);
  
  

  Thread.sleep(5000);
  
  eb = myEC.callOperation(”Encrypt”, argsListE);
  
  

  if(eb != null) {
  
  System.out.println(”Encryption success!”);
  
  }
  
  else {
  
  System.out.println(”Encryption failed”);
  
  myEC.close();
  
  System.exit(0);
  
  }
  
  System.out.println(”Encrypted String: ” + new String(eb,”UTF-8″));
  
  argsListE.put(”ciphertext”, eb);
  
  byte[] db = myEC.callOperation(”Decrypt”, argsListE);
  
  

  if(db != null) {
  
  System.out.println(”Decryption success!”);
  
  System.out.println(new String(db,”UTF-8″));
  
  }
  
  else {
  
  System.out.println(”Decryption failed”);
  
  myEC.close();
  
  System.exit(0);
  
  }
  

  myEC.close();
  

  } catch (UnknownHostException e) {
  
  // TODO Auto-generated catch block
  
  e.printStackTrace();
  
  } catch (IOException e) {
  
  // TODO Auto-generated catch block
  
  e.printStackTrace();
  
  } catch (Throwable e) {
  
  // TODO Auto-generated catch block
  
  e.printStackTrace();
  
  }
  
  }
  
  

  public static void main(String[] args) {
  
  @SuppressWarnings(”unused”)
  
  SerenitySimpleApplication serenapp = new SerenitySimpleApplication();
  
  System.exit(0);
  
  }
  

  }
  
  

  Table 2 – Java implementation of a Serenity-aware application
  
  
  References
  
  

  [1] ISO/IEC. Unified Modeling Language (UML). Version 1.4.2. International Standard ISO/IEC 19501.
  
  

  [2] P. Bresciani, P. Giorgini, F. Giunchiglia, J. Mylopoulos, A. Perini. TROPOS: An Agent-Oriented Software Development Methodology. Journal of Autonomous Agents and Multi-Agent Systems. Kluwer Academic Publishers Volume 8, Issue 3, Pages 203 - 236, May 2004.
  
  

  [3] Fuentes-Fernández. L., Vallecillo. A. “An Introduction to UML Profiles”. UML and Model Engineering April 2004.
  
  

  [4] A. Maña, A. Muñoz, F. Sanchez-Cid, D. Serrano Valero, G. Pujol, S. Torres, S. Güergens, C. Rudolph, A. Saidane, F. Dalpiaz, F. Massacci, P. Soria Rodriguez. Security properties specification language. Serenity Public Report A5.D3.1, 2007.
  
  

  [5] ISO/IEC. EBNF notation. International Standard ISO/IEC 14977:1996(E).
  
  

  [6] Beatriz Gallego-Nicasio, Ana Piñuela. Security Manager. Serenity Public Prototype report A6.D4.1, 2008.
  
  

  • Conclusions
  
  
  References

• Run-Time Exploitation
  • Before running the SERENITY Runtime Framework
  
  
  In order to obtain the best results of the SRF, it is necessary to properly install and configure each instance of the framework. These tasks are usually performed by the SRF Authority through the SRF Console, but also would require customizing some configuration files specially to set up certain environmental and technical aspects.
  In the following sections, we are explaining some of the concepts and processes that are required to look at, before start using the SRF.
  
  
  SRF and AmI environments
  
  
  Applications, S&D Requirements and S&DSolutions (from the SRF point of view)
  
  
  Interfaces
  
  

  • Run-Time Exploitation
  
  
  Beatriz Gallego-Nicasio Crespo (1)
  
  (1) Atos Origin, Spain
  
  

  The SERENITY Runtime Framework (SRF) provides support for applications at runtime, by managing S&D Solutions and monitoring the systems’ context. The main functionality of the SRF, amongst others, is to provide S&D Solutions, by means of Executable Components, in response to applications security requirements.
  The SRF is implemented as a service running in a device, on top of the operating system, and listening to applications requests. Applications send requests for S&D Solutions in order to fulfil their security requirements.
  
  Upon receiving a request, and after a selection process, the SRF instantiates security solutions by means of an Executable Component, a software/hardware component that is usable by the application. Finally, in order to guarantee that the selected security solutions are working properly, the SRF includes mechanisms to monitor the operation of the S&D Solution’s Executable Component.
  
  
  Before running the SERENITY Runtime Framework
  
  
  
  Maintenance of the SRF
  
  
  Monitoring the execution
  
  

  • SRF and AmI environments
  
  
  Future Ambient Intelligence (AmI) environments will contain a large number of heterogeneous computing and communication infrastructures and devices providing new functionalities, enhance productivity, and facilitate everyday tasks. In the new AmI scenarios, not only systems but also applications will have to make effective use of the resources that are available on-the-fly, and adapt to different hardware and software, and even firmware configurations.
  
  
  The concepts of system and application as we know them today will disappear, evolving from static architectures with well-defined pieces of hardware, software, communication links, limits and owners, to architectures that will be sensitive, adaptive, context-aware and responsive to users’ needs and habits. These AmI ecosystems will offer highly distributed dynamic services in environments that will be heterogeneous, large scale and nomadic, where computing nodes will be omnipresent and communications infrastructures will be dynamically assembled.
  
  
  The aim of SERENITY is to enhance security and dependability for AmI ecosystems by providing a framework supporting the automated integration, configuration, monitoring and adaptation of security and dependability (S&D) mechanisms for such ecosystems.
  
  
  Providing S&D in AmI ecosystems requires the dynamic application of the expertise of security engineers. SERENITY will capture this expertise and make it available, supported by automated tools, to the AmI ecosystems. It is our belief that S&D Patterns and Integration Schemes provide the best means to capture this expertise. We envisage that this framework will be used by systems that will delegate the implementation and monitoring of security mechanisms, and system providers or end-users that need to control their security requirements.
  
  
  As part of the SERENITY framework, it has been developed the SERENITY Runtime Framework (SRF) which provides support to applications at run-time, by managing S&D solutions and monitoring the systems’ context. At run-time the SRF completes SERENITY-aware application architectures applying security services.
  
  
  The SRF is implemented as a service running in a device, on top of the operating system, and listening to applications requests. Applications send requests in order to fulfil their security requirements. These requests, once processed by the SRF, are translated into S&D Solutions that may be used by the application. In order to do that, the SRF performs a selection process resulting in the instantiation of security solutions by means of Executable Components. Executable Components other the S&D Patterns or S&D Classes interface to application, depending on the S&D artefact requested.
  
  
  Integrating the SRF into our AmI systems
  
  
  System designers and architects might like to incorporate SERENITY into their systems, and therefore, they need to know the deployment possibilities the SRF allows, to see which one fits better into their particular scenarios.
  
  
  In this section we give an overview of the deployment scenarios for the SERENITY Run-time architecture. These scenarios are split into two categories. The first is that of distributed devices while the second represents the case of a centralized SRF, controlling multiple devices. In both scenarios we represent both SERENITY enabled and non-SERENITY enabled devices.
  
  
  - Centralized SRF
  
  
  In this case, one SRF is able to perform all of SERENITY’s run-time functionality for a number of devices. This scenario is envisioned for the case of light-weight devices, such as mobile phones and sensors, where a full SRF cannot be deployed due to device restrictions in processing power, memory or battery consumption. This scenario corresponds to the Client-Server architecture, where the SRF should act as the server for the different applications that would be the clients. This approach also assumes the Monitoring Services are deployed in the same machine as the SRF.
  
  
  Centralized SRF deployment model
  
  
  - Distributed SRFs
  
  
  When referring to distributed, we envision each SERENITY-enabled device to host a SERENITY run-time framework. The only element outside the device is the Monitoring Service.
  
  
  SRF distributed deployment model
  
  
  In a distributed architecture approach like this, the probability of collaboration among components is surely high, and scenarios where the deployment of a security solution involves a number of devices playing different roles are very likely to appear. These distributed-S&D Solutions requires support for different applications, running maybe in different devices but within the same S&D Realm, requesting their local SRF the same S&D Solution and interact by means of it, in order to fulfil their common S&D Requirements. The SRF addresses this functional requirement by implementing a Negotiation Protocol.
  
  This protocol establishes the steps a SRF have to take in order to negotiate with a remote SRF, first, the same S&D Pattern (that has to be available in both end’s S&D Libraries), second the appropriate S&D Implementation for each side’s specific environment, and finally to deploy the corresponding EC according to the role it has to play in each side. The following diagram overviews the basic sequence of steps of the protocol:
  
  
  SRF negotiation protocol
  
  
  Let us describe these conceps with a sample scenario:
  
  
  Emergency Healthcare Scenario
  We consider a remote healthcare system that extends traditional Tele-Cardiology applications using the facilities of a domestic house and other intelligent devices. This system should support the discovery, interaction and collaboration among doctors, pharmacists, patients, social workers and emergency medical teams in the health care realm and, in particular, during emergency situations. Patient’s health condition can be monitored through various wearable medical sensors worn as washable smart T-shirts. All these sensors form the Body Sensor Network (BSN).
  
  The measured data are collected and pre-processed by a personal mobile hub such as a Personal Digital Assistant (PDA). Similarly, patient’s house is equipped with a sensor network and a local server, which centrally processes the sensor data for monitoring the activity of the patient and the environmental setting. In the remainder, we refer to it as the smart home. A concrete example of the smart home is the one built by the Domus laboratory at the University of Sherbrooke. The information collected by the BSN and smart home are sent to the Monitoring and Emergency Response Centre (MERC), the organization responsible for the maintenance and storage of patient medical data, such as the Electronic Health Record (EHR).
  
  The MERC processes such data to have a constant snapshot of the patients’ health status so as to promptly initiate proper healthcare procedures when a potential emergency alert is identified. Each actor (e.g., doctors, social workers, etc.) is provided with an eHealth terminal, i.e. a PDA, which runs eHealth software designed to support medical requests and reports in compliance with the MERC. In this setting, the MERC and the other actors within the system have to process collected data and protect them from unauthorized access along the lines set by the actual data protection regulations, like EU Directive 95/46/EC.
  
  
  Among the possible application scenarios in the remote healthcare system, we present an emergency situation. In the case of alert, the rescue request with patient’s location is sent by the MERC to the emergency team asking for assisting the patient. The assigned rescuers are granted access to the patient’s EHR and last medical data collected by the BSN. When the patient is found and rescued, the emergency team sends a notification to the MERC with comments regarding medicines administrated to the patient. The details of this scene are depicted in Figure N through the Web Services and clients’ Graphical User Interfaces orchestrated by the MERC.
  
  
  The communication architecture underlying our e-health prototype is depicted in next figure.Patients’ e-health remote assistance is accomplished by means of a set of workflows properly defined, stored and maintained by the MERC.
  
  
  Communication Architecture for the Smart Items Case Study
  
  
  S&D Pattern for Authorization using XACML
  The e-health prototype so far described addresses the remote assistance capabilities required for patients monitoring, but it does not answer to any the security requirement. For instance, (SOAP) messages exchanged between the doctor’s PDA and the MERC are sent in plain text exposing patient’s sensible data (e.g., Electronic Health Records, Live Vital Data) to the public and by missing any guarantee on the sender’s identity. Specific built-in security mechanisms could be put in place to answer such security requirements, but they would likely be not adaptable to the ambient environment foreseen for this scenario.
  
  
  Let us assume the security requirement is authorization and the S&D pattern which provides the solution is based on eXtensible Access Control Markup Language (XACML). XACML is an access control language used to specify access control policies and request/response. The version captured in the SERENITY Artefacts is a simplified version built on top of three basic entities: Policy Enforcement Point (PEP), the Policy Decision Point (PDP) and the Policy Administration Point (PAP). Figure depicts the underlying model used to capture this authorization solution in SERENITY Artefact.
  
  
  The representation of its SERENITY artefacts is depicted hereafter:
  
  
  S&D Class
  
  

  ProvidedProperties
  
  

  Authorization.
  
  

  InterfaceDefinition
  
  

  authorizationDecision : text
  
  

  authorization(Username : text, Conf igurationParam :text),
  
  

  serviceResponse : text
  
  
  S&D Pattern
  
  

  ImplementationReference
  
  

  Operation:evaluate.
  
  

  Preconditions
  
  

  Authentication S&D Pattern deployed.
  
  
  S&D Implementation
  
  

  Preconditions
  
  

  Apache Tomcat.
  
  
  Selection from SRF
  
  
  This pattern is implemented using SERENITY approach. It requires Apache Tomcat server to safely operate. Figure depicts the sequence diagram of the application call to the authorization using XACML pattern from the SRF library.
  
  
  Sequence Diagram of an Application using XACML Pattern for Authorization
  
  
  In order to be able to use this S&D Pattern, we made our e-Health application SERENITY Aware and we made calls to the SRF using the authorization interface, and binding to it the required parameters. The special characteristics of this security pattern resides in its necessity to provide configuration information as the roles, actions, resources, access control policies and others required for setting up the pattern.
  
  As mentioned in earlier sections of this chapter, the SERENITY Library comprises of several SERENITY Artefacts essentially of S&D Patterns and S&D Implementations. By querying the SERENITY Library for access control requirement on fine-grained resources exposed by means of Web Services, the authorization using XACML S&D Pattern is the most suitable choice. Afterwards we select the S&D Implementation provided by SAP to be used with our SERENITY Aware e-Health Application.
  
  

  • Applications, S&D Requirements and S&DSolutions (from the SRF point of view)
  
  
  The SRF deals with SERENITY-aware applications and with Executable Components (EC) at run-time. This section presents the interactions between the SRF and these systems.
  
  
  Regarding to SERENITY-aware applications the SRF presents two interfaces.
  
  

  • The first interface called SRFRequest is used in order to receive S&D Solution requests. This interface is static and it is used by all SERENITY-aware applications. The SRFRequest interface offers a function for request S&D solutions by means of SDRequests. SDRequests express applications’ S&D requirements. SDRequests include along others the S&D Artefact requested, the role that the application plays in the use of the EC, the address of the interacting SRF just for the case that the request involves the negotiation of the EC with other SRF, and the parameters needed for the EC instantiation.
  
  The SRF processes SDRequests and instantiates ECs according them, this is what it is called “SRF selection process”, and sometimes this selection process involves the negotiation with other SRFs.
  
  

  • The second interface is part of the SRF reaction subsystem. The SRF creates dynamically an instance of this second interface per EC instantiated. This interface is used by the SRF in order to send messages about the EC execution to SERENITY-aware applications. Reaction mechanisms are triggered by the monitorization services as result of the evaluation of monitorization rules.
  
  

  Other of the systems interacting with the SRF are ECs implementing S&D solutions. ECs are instantiated as response to SERENITY-aware applications SDRequests. The SRF manages ECs and they depend on the SRF for their proper operation. In order to do that, there are two interfaces. Figure bellow presents a component diagram showing the SRF main interfaces. This diagram shows both interfaces called ECcontrol and ECmonitoring.
  
  

  • The ECControl is an interface used by the SRF in order to send instructions to the EC. Doing this the SRF is able to halt, pause, and/or resume the EC activity. Usually these instructions are sent as result of the EC monitoring rules evaluation.
  
  

  • The ECmonitoring interface is offered by the SRF for receiving events coming from ECs. These events are produced by ECs and are consumed by the monitoring services. The SRF is in charge of forwarding events to the corresponding monitoring services (note that the SRF can manage several ECs and several monitoring services).
  
  

  The interactions between SRF and these systems can be handled by using two APIs. One of them supports the development of ECs, and the other supporting the development of SERENITY-aware applications. These APIs are presented in deliverable A5.D4.1.
  
  
  Simplified SRF
  
  

  • Interfaces
  
  
  From the outside point of view, every instance of the SRF, as a system, provides interfaces in order to allow interaction with other systems, other SRFs instances and to interact with the end-users as well. With these interfaces, we provide support for the dynamic supervision and adaptation of the system’s security to the transformations in ever-changing AmI ecosystems.
  
  
  The SRF Console
  
  
  The SRF Console is the main interface through which the S&D Manager will contact the S&D Authority at runtime and vice-versa. It will be in the form of a GUI that will allow users to be informed on the configuration of the SRF and on its status.
  
  
  The SRF Console is widely described in this section.
  
  
  Negotiation Interface
  
  
  The negotiation interface is used in order to establish the configuration of the interacting SRFs when two applications supported by different SRFs need to communicated using the same S&DSolution.
  
  
  The Negotiation interface has been thoroughly described in deliverable A6.D4.4.
  
  
  Monitoring Interface
  
  
  External systems interacting with an instance of the SRF will be able to monitor that the behaviour of the framework is correct.
  
  
  Interface to SERENITY Compliant components
  
  
  The SERENITY Compliant components, those that will interact with the SRF will need to implement compatible interfaces in order to communicate and take advantage of SERENITY’s functionality, are the following:
  
  

  • Monitoring Service is in charge of analyzing events and mapping them on monitoring rules in order to identify possible violations and inform the S&D Manager about them.
  
  

  • Application is the main component that will take advantage of the SRF’s functionality. It must be built according to the SERENITY specifications in order to maximize its benefits from using the SRF.
  
  

  • Executable Component implements and executes the security solution described in the pattern and also implements the Event Collectors for all events described inside the pattern’s monitoring rules.
  
  

  The interfaces provided are depicted in the following picture that presents the SRF architecture and the SERENITY Compliant components:
  
  
  Simplified SRF
  
  
  SRFRequest, ECControl and ECMonitoring interfaces have been described with more details in this section.
  
  
  The interface with the Monitoring Service(>Monitoring) is implemented by means of a Web Service provided by the Monitoring Service infrastructe. The interface exposes the following methods:
  
  
  - sendMonitoringRules: to send the Monitoring Rules of a S&D Pattern to the Monitoring Service
  
  
  - checkMonitoringRule: to check the status of a particular Monitoring Rule
  
  
  - sendEventToMonitor: to send an event generated by an EC to the Monitor
  
  
  - startDiagnosis and diagnose: that activates and invokes the diagnosis tool for the Monitoring Service
  
  
  - unsubscribeMonitoringRules: to stop monitoring a set of Monitoring Rules
  
  
  For further information regarding Monitoring Services, please refer to deliverables A4.D3.3 and A4.D5.2.
  
  

  • Maintenance of the SRF
  
  
  AmI environments are, by definition, changeable. Therefore, maintenance tasks are expected to be performed on the SRF very often, in order to keep the abilities of providing the most suitable S&D solutions that fulfils applications S&D requirements over changing context conditions, or maybe, during the process of tuning the system to adapt to a particular realm.
  
  
  This maintenance work is done by the SRF Administrator and also the SRF Authority, in the case of the S&DLibrary updating. It is described in more detail in the following sections.
  
  
  The SRF Console
  
  
  S&D Library maintenance
  
  
  SRF Configuration of runtime parameters
  
  

  • The SRF Console
  
  
  The Serenity Runtime Framework Console is part of the SRF package delivered by A6. As of writing, the last version is 2.1 from October 2008. The Console is briefly presented in A6.D4.4 – SERENITY Framework Implementation as follows:
  
  
  The console is the main interface through which the S&D Manager will contact the S&D Authority at runtime and vice-versa. It is in the form of a GUI that allows users to be informed on the configuration of the SRF and on its status.
  
  
  Figure 1 shows a screenhost of the GUI.
  
  
  
  

  Fig. 1 – Console GUI

  
  
  The console gives you control on three aspects of SRF management:
  
  

  • S&D Solutions Management: add S&D artifacts to the Runtime S&D Library (database), remove them from the library, search (see figure 2) in the library and show them in a tab view;
  
  

  • Framework Configuration: preference rules (preferences on the patterns to be selected, see figure 3), configuration parameters of the SRF, monitoring services available to monitor Executable Components (see figure 4), active patterns (see figure 5), and Event Manager;
  
  

  • Control and Monitoring: detailed view of SRF logs.
  
  
  
  

  Fig. 2 – Search S&D Artifact DialogFig.

  
  
  
  

  Fig. 3 – Preference rules Dialog: select Patterns with Creator Name=”UMA” in a first placeFig.

  
  
  
  

  Fig. 4 – Monitoring Services

  
  
  To run the Console, you need to run the S&D Manager (and the SRF) first. Detailed installation steps are given in A6.D4.4 – SERENITY Framework Implementation, 3. SRF prototype installation and usage guide, and the SRF_v2.1.doc given with the A6 SRF_v2.1 package for more up-to-date instructions.
  
  
  As small comments to the guide aforementioned, first, for local use you need (this is not clearly stated in the guide) to install the Mysql server, create the contextmanager and sdlibrary databases on the server, create a user with all privileges on these and finally load the databases with the SQL scripts from the bbdd.jar archive in the SRF package.
  
  Then the ContextManager.conf and SDLibrary.conf in the SERENITY/conf folder will have to be configured according to this database setup. Second, for the Event Manager and Monitoring web services, install Tomcat 5 and Axis (NOT Axis2 as this does not offer the AdminService requested by EventManager deployment script). You can achieve easy install of Axis by copying its webapps/axis folder (extracted from axis-bin-1_4.zip for the latest version) to Tomcat webapps folder and restart Tomcat. Finally, check the following URL is working: http://localhost:8080/axis/services/AdminService. Do not forget to start the RMI Registry and the SDManager before the Console.
  
  
  A quick example
  
  
  
  

  Fig. 5 – Active Patterns

  
  
  To give an overview of the SRF console features, we’ll go through a quick example. Let us run the SRF Console and try the sample S&D artifacts given in the SRF package. From Tools > Add S&D Artifact menu, add the S&D Artifacts in this order, looking for the XML files with same name in the samples folder: ClassSample1.xml (S&D Class), ClassSample2.xml (S&D Class), SamplePattern1.xml (S&D Pattern) and ImplementationSample1.xml (S&D Implementation).
  
  For each artifact, check the correct radio button according to the type of artifact (see figure 6). Artifacts have to be added in this order as the Console checks for dependencies: ImplementationSample1 depends on Sample Pattern1 that depends on both ClassSample1 and ClassSample2.
  
  
  Now we want to test S&D Request and operations on Executable Components. A5 provides examples in Serenity App/EC dev Support Libs package. Extract the XML examples.rar from Serenity Development Support APIs.zip to get the SD Artifacts XML files, add them to the database with the console as seen earlier: EncryptClass, DESEncryptPattern and DESEncrypt.xml.
  In the A5 package aforementioned, you will also find SerenitySimpleApplication Example.zip that gives you after extraction an Eclipse project structure.
  
  It can be imported as an Eclipse project from the Eclipse main menu: (Eclipse 3.3.2) File > Import, select “Existing projects into workspace” and select the SerenitySimpleApplication folder. Then you need to make sure you have SerenityApplicationDevSupportLibv4.jar and srfLibxaApps.jar as library dependencies (in your build path) of your project (Go to project properties, build path, Add External JARS if necessary). You can get them from Serenity Development Support APIs.zip, inside SerenityLibs\Application with documentation on how to use included libraries for EC and Serenity Application development.
  
  
  
  

  Fig. 6 – Add S&D Artifact

  
  
  Do the same kind of import with DESEncryptExecutableComponent Example.zip , this time make sure you have the JAR dependencies from SerenityLibs\EC of the Development Support APIs (see figure 7). Regenerate a JAR of the EC and deploy it to the execComps path configured in the SDManager conf/sdmanager.conf. The EC folder and JAR name must match the implementationReference/URL given in the SDImplementation (DESEncrypt). Check with your SRF console.
  
  
  
  

  Figure 7

  
  
  To run the application in Eclipse, right-click on src/(default package)/SerenitySimpleApplication.java and select Run as > Java Application.
  
  
  In SRF Console, under SRF Configuration, you should see in Active Patterns: line = SDImplementation: DESEncryptPattern, SDPattern: DESEncrypt. You can also view the S&D request process in the SDManager console output (see figure 8).
  
  
  
  

  Fig. 8 – SDManager output during S&D request

  
  

  • S&D Library maintenance
  
  
  Runtime S&D Library is SRF’s repository for platform specific and device-oriented run-time S&D Artefacts (S&D Classes, Patterns and Implementations). Please note this library is not Design-time S&D Library but a subset of it. Security Administrator (or System Administrator, or final user) must provision the library with an accurate set of S&D Solutions to provide S&D Manager with enough means to cover all the S&D requirements for the device where SRF is installed. This set is not static, and Administrator may need to extend or modify it because several reasons. Among others, we may mention:
  
  
  1. Creating in one shot a perfect set of solutions for a device, specially in AmI environments (handheld dynamic devices, extremely changing conditions, etc.) is virtually impossible: new requirements continuously arise and proper solutions must be added
  
  
  2. Evolution of technology: new technologies may provide better solutions for the same problems. New S&D Patterns implementing those new technologies must replace older ones to improve security.
  
  
  3. Software maintenance: as in standard software, your solutions may presents bugs or improvements and corresponding patches must be applied.
  
  
  A good Library maintenance will be translated in a better SRF performance and consequently in a better S&D requirement addressing.
  
  
  Consider the Communications Prototype where there is a system that manages access to different resources within the office space of an organisation, through a combination of user authentication, device identification and location detection capabilities. This access control system is a Serenity-aware application that works with Serenity-enabled devices (i.e. the device has a SRF). Eventually, company’s IT department identifies a brand new astonishing location technology that provides more accurate results that improve overall security decreasing wrong location rate and potential wrong access denies. From the software point of view, System Administrator needs to:
  
  

  1.
  Get S&D Artefacts and its Executable Component (he can ask S&D Solution developers to develop it, get it from manufacturer, etc.),
  
  
  2.
  Provision de Access Control System Runtime S&D Library and distribute it to Serenity-enabled device owners (employees could download it from corporate intranet, for instance). In any case, both System Administrator and device users can do it easily using SRF Console, described in the previous section.
  
  

  Full details on S&D Library can be found in the Serenity Framework architecture specification [A6.D3.2] and the prototype of the Security Library [A6.D4.2].
  
  

  • SRF Configuration of runtime parameters
  
  
  
  The configuration is also used to store some information referring to the internal operation of the SRF. Doing this, the S&D Authority could adjust the behaviour of several aspects of the SRF by changing this information. For instance you may adjust polling intervals for monitoring services.
  
  
  Along with a proper S&D Library maintenance, the SRF authority must configure and tune SRF runtime parameters in order to obtain optimum results. SRF Configuration of runtime parameters refers mainly to all aspects or general characteristics of the system that needs to be considered by the SRF in the selection of the most appropriate S&D Solution to satisfy an S&D Request. All of them are collected in S&D Configuration section in the S&D Console. We have:
  
  
  · Pattern preference rules: used by the SRF authority to prioritize the use of some S&D Artefacts. This prioritization is based on some of the characteristics of the S&D Pattern XML description. A Pattern Preference Rule is described by the following characteristics:
  
  
  o pattern: this fields refers to the characteristic type of the pattern.
  
  
  o type: this is a relational operator and can be one of the following values: ‘=’, ‘>’, ‘<’, ‘<=’, ‘>=’; and its availability to be chosen depends on the pattern field selected.
  
  
  o value: this field stores the actual value of the characteristic.
  
  
  o priority: this is a number and indicates the numeric priority value.
  
  
  o mandatory: this is a flag that indicates the compulsory nature of the rule for a pattern
  
  
  · S&D Manager configuration: here you can define parameters for your patterns, specifying a name and a value (and optionally a description). These configuration characteristics are taken into account when the SRF has to check the preconditions of S&D Patterns and S&D Implementations and might affect the applicability of certain S&D Artefacts
  
  
  In the same section you can also find monitoring and event capture information, which are covered in next section/chapter separately due to its remarkable importance.
  
  
  Consider again Communication scenario; S&D authority may provision S&D Library with several S&D Artefacts coming from different providers. Let’s say we have a bunch S&D Patterns for the same purpose, some of them developed from TID and some others provided by ACME. S&D Authority considers TID to be a more trusted provider than ACME, and its solutions more reliable an optimized. Then he/she could define a couple of pattern preference rules saying that solutions coming from TID are preferred over ACME’s solutions:
  
  
  Creator Name = tid.es, priority: 2, is Mandatory: false
  
  
  Creator Name = acme.com, priority: 1, is Mandatory: false
  
  
  Please note that with these two rules, all solutions for the same from TID will be selected before the ones provided by ACME.
  
  
  Regarding S&D Configuration, we could assume that main servers in Communication Prototype deployment are running Windows OS. All Executable Components should be developed and optimized for this platform. Then, S&D Authority could improve system’s performance filtering solutions for other platforms, including a new configuration parameter, let’s say “OS” with “Windows” as value. This way selection algorithm would discard artefacts not containing such parameter in its preconditions.
  
  

  • Monitoring the execution
  
  
  S&D Solutions status: events captured, activated patterns, etc.
  
  
  Monitoring Services
  
  
  Reactions performed
  
  
  Log files
  
  

  • S&D Solutions status: events captured, activated patterns, etc.
  
  
  
  Once the SRF has selected the S&D Pattern that fulfills the application requirments, the process of activation starts and several things need to be done before the S&D Solution is ready to be used by the application:
  
  

  - the most appropriated S&D Implementation is selected, based on the environment conditions and other context characteristics checked by the preconditions,
  
  

  - the corresponding Executable Component (EC) is executed,
  
  

  - the handler is created and properly configured to be given back to the application for its use,
  
  

  - the Monitoring Rules of the S&D Pattern are activated.
  
  

  Therefore, there are several changes derived from the S&D Solution deployment process that need to be recorded by updating the Context Manager of the SRF. By doing this, the SRF is able to select the better solution for future application requests in terms of Security & Dependability. The following information is updated in the Context Manager:
  
  

  - activated pattern: information such as the name of the S&D Pattern, the name of the S&D Implementation, the activation date, as well as the location of the executable file corresponding to the EC are stored in the Context Manager database of the SRF, each time an S&D Solution is deployed;
  
  

  - monitoring service: the Context Manager database keeps record of the Monitoring Service in charge of monitoring the execution of the corresponding EC that implements the functionality of the selected S&D Solution;
  
  

  - parameters: the initial parameters used to instantiate the corresponding EC of the selected S&D Solution.
  
  

  The preconditions of a potentially selectable S&D Pattern may need to have another S&D Pattern already running in the system to hold, for instance, that’s why it is very important to update de Context Manager everytime an S&D Solution is deployed in the system. But there is also another use of keeping these information stored in the system: monitoring the system status.
  
  

  It is very useful for the SRF Administrator to have a view of which solutions have already been deployed, what is the monitor in charge of monitoring their execution and which parameters where used to initialize the EC when deployed, etc. in case of any problem or failure occurs, in order find a solution.
  
  

  The SRF Administrator might use any browser to look at the content of the Context Manager database but it also counts on the SRF Console to access this information much more easily. The following picture depicts the SRF Console displaying a list of the current active patterns in the system.
  
  
  SRF Console: Active patterns list
  
  

  For each active pattern, the SRF Administrator can view some extra details such as the activation date, the corresponding EC and also, it is possible to view a list of the reactions that have been performed so far (if that was the case):
  
  

  Active Pattern detailsReactions performed so far
  
  

  The following picture shows the current Monitoring Services that are active. There is also a possibility to view the Monitoring Rules that each monitor is in charge of, by clicking the button “View Monitoring Rules”. A new window is displayed showing the identificator of the rule as well as some identificators of the pattern and EC that the rule corresponds to.
  
  
  SRF Console: Active Monitors and Monitoring Rules
  
  

  Once the S&D Solution is deployed and running in the system, its execution is monitored by the SRF with the support of the Monitoring Service infrastructure.
  
  

  Loads of information are generated during the S&D Solution lifetime encapsulated into Events that are captured by the Event Capturers attached to ECs, sent to the Monitoring Service (throught the SRF) and processed in order to check for any Monitoring Rule violation. The SRF Admnistrator is able to control the status of an S&D Solution, looking at the Event Manager option of the SRF Console. If any Monitoring Rule has been violated, it will be reflected here with a violation code, as depicted bellow:
  
  
  SRF Console: Events Manager view - Monitoring Rule violations
  
  

  This feature of the SRF Console would be very helpful for an SRF Administrator to discard failure reasons when an S&D solution is unexpectedly deactivated. If the SRF Administrator look at the Events Manager table and it appears a Monitoring Rule violation related to the corresponding EC, it could be the case that the violation caused the deactivation of the EC. If not, the SRF Administrator should look for the cause into another direction.
  
  

  • Monitoring Services
  
  
  Ensuring the security and dependability of complex systems operating in highly distributed environments and frequently changing contexts, whilst maintaining system interoperability and adaptability, is one of the major challenges of current research in the area of security and dependability.
  
  This is because, as operational conditions change, the security and dependability mechanisms of a system may become ineffective and, when this happens, the system will need to adapt or replace them to ensure the preservation of the desired security and dependability (S&D) properties.
  
  In such circumstances, the ability to react dynamically requires the monitoring of the operation of the security and dependability mechanisms that are deployed by the system and the identification of conditions indicating the compromise of security and dependability properties. These needs are prominent especially in systems with distributed components that are deployed over changing infrastructures and communicate over heterogeneous and changing networks.
  
  
  The same need arises during the deployment of S&D Patterns by an application. This is because S&D Patterns may specify invariant conditions that need to be satisfied in order to ensure the correct operation of the pattern or because it might be necessary to ensure that the executable components which implement patterns provide correct implementations of the relevant pattern specifications.
  
  
  To address these needs, SERENITY has developed a comprehensive framework supporting the monitoring of security and dependability mechanisms that realise S&D Patterns at runtime, called called EVEREST (EVEnt REaSoning Toolkit). EVEREST is available as a service to the SRF and when an S&D Pattern is activated it undertakes responsibility for checking conditions regarding the runtime operation of the components that implement the pattern.
  
  These conditions are specified within S&D Patterns by monitoring rules expressed in a temporal formal language based on Event Calculus that is integrated in the S&D Pattern specification language of SERENITY. Further information about the specification of rules that can be monitored by EVEREST is available in [3][4][8].
  
  
  EVEREST detects violations of monitoring rules against streams of runtime events, which are sent to it by different and distributed event sources, the Event Captors. Event captors need to report events using a specific XML schema that has been defined in SERENITY and is described in detail in [6][7].
  
  The executable components which realise S&D Patterns have responsibility to provide appropriate event captors in order to enable the monitoring of the rules specified in the patterns that they implement. To assist, however, developers of SERENITY S&D Patterns and their implementations, SERENITY has developed a set of generic event captors that may be possible to use in specific circumstances. These captors are described in [6][7].
  
  

  It should be noted, however, that whilst monitoring is able to detect violations of monitoring rules at runtime, it cannot always provide information that is necessary for understanding the reasons that underpin the violation of a rule and making decisions about what would be an appropriate reaction to it.
  
  Furthermore, it is often necessary to try to predict the possibility of a violation using information about the current state of a system rather than wait until all the information that would enable a definite detection of the violation becomes available. This is because an accurate early prediction can widen the scope of possible reactions to the violation or even provide scope for taking pre-emptive action that prevents the violation. The above two needs, i.e., the needs for diagnosis and prediction, are also addressed by EVEREST.
  
  
  More specifically, EVEREST offers a diagnostic mechanism whose objective is the identification of possible explanations of the violations of monitoring rules that have been detected by the framework in order to aid the selection of appropriate reactions to them.
  
  To generate such explanations, EVEREST uses abductive reasoning. Then, following the identification of possible explanations, the diagnosis mechanism also assesses the plausibility of explanations by identifying any effects that they would have beyond the events that they were generated from and checking whether these effects correspond to events that have been recorded in the event log of the monitoring framework and are genuine.
  
  The assessment of the genuineness of the explanation effects and the validity of explanations is based on the computation of beliefs using functions that we have defined for this purpose. These functions have been defined using the axiomatic framework of the Dempster Shafer theory of evidence. Further information of the diagnosis mechanism of EVEREST is available in [13][14][15].
  
  
  The detection of potential violations of monitoring rules in EVEREST builds upon the basic monitoring and diagnostic capabilities of the framework and is based upon the computation of beliefs that violations of monitoring rules are likely to occur.
  
  The computation of such beliefs is based upon the diagnostic mechanisms of EVEREST which provide the basic assessment of the genuineness of the events received by the framework and historical data about the frequency of co-occurrence of events which are connected by temporal constraints within specific S&D monitoring rules.
  
  These historical data provide the basis for computing beliefs in the potential occurrence or not of an event when another event that it is constrained by has occurred and is known to be genuine. Full details of the threat detection mechanisms of EVEREST are provided in [1].
  
  
  In addition to the sources describing the monitoring mechanisms of SERENITY that have been provided above, the interested reader may find useful
  
  
  1. a tutorial about the basic parts of these mechanisms and their use that is available at [11]
  
  
  2. monitoring templates for basic security properties expressed in the monitoring language of SERENITY [12], and
  
  
  3. a paper describing how monitoring rules may be used as part of security patterns [9]
  
  
  Bibliography
  
  

  [1] Amalio N, Di Giacommo V, Spanoudakis G (2008) Mechanisms for detecting potential S&D threats, Deliverable A4.D4.1, SERENITY Project.
  
  

  [2] Androutsopoulos K, Ballas C, Kloukinas C, Mahbub K, Spanoudakis G (2006) V1 of dynamic validation prototype. Deliverable A4.D3.1, SERENITY Project.
  
  

  [3] Botella A, et al (2008) Patterns and Integration Schemes Languages (Second Version), Deliverable A5.D2.3, SERENITY Project.
  
  

  [4] Botella A, et al (2008) Patterns and Integration Schemes Languages (Second Version), Deliverable A5.D2.5, SERENITY Project.
  
  

  [5] Di Giacomo V, Kloukinas C, Mahbub K, Presenza D, Riccucci C, Spanoudakis G, Tsigritis T (2008) Dynamic Recovery Mechanisms, Deliverable A4.D6.1, SERENITY Project
  
  

  [6] Di Giacommo V, Presenza D, Riccucci C (2007) Extended Set of Information Collection Mechanisms for Run-Time S&D Monitoring. Deliverable A4.D2.4, SERENITY Project,
  
  

  [7] Kloukinas C, Ballas C, Presenza D, Spanoudakis G (2006) Basic Set of Information Collection Mechanisms for Run-Time S&D Monitoring. Deliverable A4.D2.2, SERENITY Project,
  
  

  [8] Kloukinas C, Mahbub K, Spanoudakis G (2007) Evaluation of V1 of Dynamic Validation Prototype, Deliverable A4.D3.2, SERENITY Project,
  
  

  [9] Kloukinas, C. and G. Spanoudakis. A pattern-driven framework for Monitoring Security and Dependability. In TrustBus’07. 210–218. Springer. 2007
  
  

  [10] Mahbub K, Spanoudakis G, Kloukinas C (2007) V2 of dynamic validation prototype. Deliverable A4.D3.3, SERENITY Project.
  
  

  [11] Spanoudakis G (2008) SERENITY: Monitoring Support, Tutorial, EuroTrustAmI 2008, Sophia Antipolis, France, September 2008.
  
  

  [12] Spanoudakis G, Kloukinas C, Androutsopoulos K (2007) Towards security monitoring patterns. In SAC ‘07: ACM symposium on Applied computing. 1518–1525. ACM. 2007Spanoudakis G,
  
  

  [13] Tsigkritis T (2008) 1st Version of Diagnosis Prototype. Deliverable A4.D5.1, SERENITY Project,
  
  

  [14] Spanoudakis G, Tsigkritis T (2008) 2nd Version of Diagnosis Prototype. Deliverable A4.D5.2, SERENITY Project,
  
  

  [15] Tsigkritis T, Spanoudakis G (2008) Diagnosing Runtime Violations of Security and Dependability Properties. Proceedings of 20th International Conference in Software Engineering and Knowledge Engineering, 661-666
  
  

  • Reaction Performed
  
  
  Authomatic Reactions to violations of S&D Patterns Monitoring Rules
  
  
  When it becomes aware of a rule violation or a threat (i.e., a potential violation of a monitoring rule), the SRF needs to know how to deal with the violation. To provide this information, the S&D Pattern creators need to specify the actions that the SRF should perform in response to the violation.
  
  
  An initial analysis of possible types of reaction in response to rule violations has identified a basic set of required actions which are overviewed below. In general, an action is realised through the execution of an operation by the SERENITY runtime framework. This execution is triggered by the violation (or potential violation) of the particular rule that an action is associated with.
  
  It should be noted, however, that this execution does not necessarily happen automatically upon a violation and there might be cases where the SRF should ensure that further conditions are satisfied before taking the action. These conditions will be referred to as “action guard conditions” in the following.
  
  Action guard conditions might be used, for example, to express conditions about the context in which a violation has occurred (as it is known to the SRF), conditions regarding the diagnostic information that is returned by the monitoring framework, or conditions regarding the threat information that is returned by the monitoring framework.
  
  
  Basic Action Types
  
  
  The SERENITY runtime framework (SRF) supports the automatic execution of actions in response to violations or potential violations of monitoring rules that are specified in S&D Patterns (aka “threats”). The actions that should be executed when such violations (or potential violations) occur must be defined within S&D Patterns by the creators of the patterns and be associated with specific monitoring rules. SERENITY offers an initial set of possible such actions. Example of such actions include:
  
  

  • DeactivatePattern() – The result of taking this action is to deactivate the pattern instance that the violation is related to. DeactivatePattern() doesn’t need any arguments since the SRF knows which pattern, pattern instance and rule the monitoring result which has triggered the execution of the action is related to.
  
  

  • RestartPattern() – The result of taking this reaction is to start a new instance of the same pattern. The reaction does not need any arguments since the SRF knows which pattern the monitoting result that has triggered the execution of the action is related to.
  
  

  • NotifySRF(String external_SRF_ID, String Message) – The result of taking this reaction is to notify an external SRF of the violation. The external SRF is identified by the reaction parameter external_SRF_ID. The information that will be sent to the external SRF is determined by the parameter Message.
  
  

  • NotifyApplication(String message) – The result of taking this reaction is to notify the application for which the implementation of the pattern is deployed of the violation. The notification to be sent is determined by the parameter Message.The application to be notified does not need to be identified since the SRF knows it.
  
  

  • Log() – The result of taking this reaction is to log the XML template which has been returned by the monitor to indicate the violation of a specific rule instance and the actions taken up to the point when Log() is executed for the particular violation. Thus, this reaction needs to be listed at the end of the action list for a particular rule and the SRF will need to keep a record of the actions that have been taken up to Log() in order to peform the required logging.
  
  

  Actions as the above are realised by the SRF through the execution of internal operations. This execution is triggered by the violation (or potential violation) of particular rules which an action is associated with. Note however, that the execution of actions in response to rule violations does not necessarily happen automatically upon a violation.
  
  This is because there might be cases where further conditions need to be satisfied before taking the action. Such conditions may be relevant to the context in which a violation has occurred (as it is known to the SRF), diagnostic information that is returned by the monitoring framework along with a violation, or threat information that is returned by the monitoring framework.
  
  
  Thus, the general model of associating actions with rules that has been advocated in SERENITY assumes that each rule may be associated with no, one or more than one actions and the execution of these actions may be further conditioned within the monitoring specification of an S&D pattern using action conditions. This model can be expressed in an abstract form as follows:
  
  
  Rule [ (action1, cnd1), …, (actionN, cndN)]
  
  
  The semantics of this form is that when a monitoring result is obtained for an instance of Rule, the actions actioni (i=1,…,N) will be executed in the exact order of their listing provided that conditions cndi are also satisfied. If the condition cndi that is associated with an action actioni it is not satisfied the action will be ignored. The attachement of conditions to actions enables the specification of actions that will only be executed upon definite violations of rules and actions that will be executed upon the receipt of monitoring results indicating only the potential for a rule violation (threat).
  
  Conditions also enable the specification of conditions based on diagnostic results. An action to deactivate a particular pattern, for example, may be taken only if the diagnosis for a violation has indicated that some of the events which are coming from components that implement the pattern are not genuine (see A4.D5.1). Furthermore, the conditions associated with actions may refer to context information that is available in the SRF but not the monitor and which should be taken into account before reacting in a specific way in response to a rule violation.
  
  
  The language for specifying the actions to be executed following violations of monitoring rules and the guard conditions associated with described in [1].
  
  
  XSD schema for action specification
  
  
  The actions that should be executed following the violation of a rule are expressed using an extension of the monitoring rule specification XSD schema in the S&D pattern specification language. The extended schema enables the specification of zero or more response actions that should be executed when a rule is violated or when a threat exists. It also enables the specification of complex guard conditions for the execution of actions. In this section, we give an overview of this schema whilst a full listing of the schema is available in A4.D6.1.
  
  
  Figure 1 shows the definition of the type formulaType in this schema that is used to specify S&D monitoring rules. As shown in the figure, formulaType has been extended with a new element called action that is of type ActionType. The new element is used to specify the action(s) that may be taken when the SRF obtains a monitoring result for an instance of the particular rule from the monitor and, as shown in the figure, 0 or more action elements can be defined for a rule.
  
  
  The specification of an action includes an id for the action (see attribute actionID) the name of the operation that needs to be executed to realise the action (see element actionOperationName), zero or more variables that need to be passed as arguments to this operation (see the elements variable), and one guard condition (see the element guardCondition). The satisfaction of the latter condition will need to be ensured prior to the execution of the operation realising the action as we discussed above.
  
  
  
  

  Figure 1. Association of actions with rules

  
  
  The guard condition of an action can be specified as an instance of the type logicalExpressionType. The specification of this type is shown in Figure 2. According to this specification, a logical expression can be an (atomic) condition, a logical combination of a condition and another logical expression, or a logical combination of two logical expressions. Logical combinations of conditions and logical expressions are formulated with the use of logical operators (see the element logicalOperator in Figure 2). The current schema supports two logical operators: the classic logic operators AND and OR. An atomic condition within a logical expression is defined by a comparison relation over the values of two operands (operand1 and operand2).
  
  
  As shown in Figure 2, these comparison relations can be defined with the use of the comparison operators: equalTo, notEqualTo, lessThan, greaterThan, lessThanEqualTo, and greaterThanEqualTo. Furthermore, atomic conditions can be negated (see the attribute negated of conditionType).
  
  
  
  
  
  
  
  

  Figure 2. Action conditions

  
  
  The operands in a relational condition can be query operands, arithmetic expressions, or constants as shown in Figure 4. A query operand in a relational condition is a element that must be retrieved from some XML document. Such operands as specified as instances of the type xpathExpressionType which, as shown in Figure 5, are defined by a combination of an xPath expression and a document type.
  
  An xPathExpression in the action language denotes the element that will be retrieved by evaluating the xPath within the document identified in the expression and is used to enable the retrieval of specific elements from specific documents (in the example of Section 2.3 below, xPathExpressions are used to retrieve the maximum likelihood in the genuiness of an event and compare it with some value before taking the action). The document within which the xpath in an xpathExpressionType is to be evaluated is specified by a type and a name (i.e., the actual file name of the relevant XML document).
  
  
  
  

  Figure 3. Condition type

  
  
  
  

  Figure 4. Relational condition operands
  
  
  
  

  Figure 5. Specification of query operands as xPathExpressions

  
  
  In addition to query operands, relational expressions may also take as arguments arithmetic expressions. An arithmetic expression is used to express a computation over a set of numbers and is defined as a sequence of arithmetic operands connected by arithmetic operators (see Figure 6). The operands of an arithmetic expression can be constant numbers or xPathExpressions which result in a numerical value. As shown in Figure 6, the arithmetic operators supported by the action language are the operators plus, minus, multiply and divide.
  
  
  
  
  
  
  
  
  
  
  

  Figure 6. Arithmetic expressions

  
  
  To give some examples of rule actions specifications consider the rule R1 below which specifies an integrity condition for an Air Traffic Control Management System (ATMS):
  
  
  R1:
  
  
  “t1ÎTime, $t2ÎTime.
  
  
  Happens(e(_ID1,_sender1,_receiver1,REQ,signal(_radarID1,
  
  
  _airplaneID1, _airspaceID1),_soure1),t1,R(t1,t1)) Ù
  
  
  HoldsAt(covers(_radarID1,_airspaceID1),t1) Ù
  
  
  HoldsAt(covers(_radarID2,_ airspaceID1), t1)
  
  
  Þ
  
  
  Happens(e(_ID2,_sender2,_receiver1,REQ,signal(_radarID2,
  
  
  _airplaneID1,_airspaceID1),_source1),t2,
  
  
  R(t1,t1+5000))
  
  
  The condition expressed by the rule states that if a radar (_radarID1), which covers a specific airspace, sends a signal event indicating that an airplane (_airplaneID1) is in a particular airspace (_airspace ID1) at some time point t1, every other radar (_radarID2), which covers the same airspace should also send a signal indicating the presence of the plane in it within a certain period of 5000 milliseconds after the receipt of the initial signal.
  
  
  In the following, we provide three examples of actions specified for responding to violations of R1, detected threats for R1, or diagnostic information regarding the genuineness of the events involved in a violation or threat of R1. All actions assume the standard XML form in which the SERENITY monitoring framework reports results to the SRF. The XSD schema that the SERENITY monitoring framework uses to report these results to the SRF is discussed in [1]. Figure 7 shows a monitoring result for rule R1 represented in this schema. The result is a violation of the rule (as the value of the attribute status of the element formula is Inconsistency_Wrt_Recorded_Behaviour) that has been caused by two events, eventID1 and eventID2 with genuineness belief ranges [0.7, 0.9] and [0.1, 0.3], respectively.
  
  
  

  Figure 7 - An example of monitoring results for a specific R1 rule instance

  
  
  The first example action for violations of R1 is the action R1-A1 that is specified in Figure 8. This action is a notification action that reports to the SRF the identifiers of the two events that have caused the violation of R1. The notification is specified in the action by using the basic operation NotifySRF (see the element NotifySRF).
  
  
  This action may be taken in cases that there is a monitoring result indicating a violation of rule R1 with respect to recorded behaviour. This is specified by the guardCondition element in the specification of the action. The condition is specified as an equality between two operands.
  
  
  The first operand, i.e.
  
  
  
  
  
  R1_Result
  
  MonitoringResults
  
  
  
  
  /resultsdesc/results/formula[@status]
  
  
  is a query operand that is computed by evaluating the xPath expression in it (/resultsdesc/results/formula[@status]) against the document R1_Result which is of type MonitoringResults.
  The second operand, i.e.
  
  
  
  
  STRING
  Inconsistency_WRT_Recorded_Behaviour
  
  
  specifies the constant value Inconsistency_WRT_Recorded_Behaviour.
  Thus, the condition requires that an definite violation of the rule (i.e., Inconsistency_WRT_Recorded_Behaviour) must have been detected for the action to be executed.
  
  
  When this condition is satisfied and the action R1-A1 is taken, SRF is notified with the identifier of the events that are related to the violation of the rule instance. The return of these two identifiers is specified by the two variables elements which are specified within the action operation NotifySRF. The value of the first of these variables ( eventId1) value is set to the value of the xPath expression:
  
  
  /resultsdesc/results/formula/body/predicate[1]/happens/ic_term/id/text()
  The above expression returns the identifier of the event matched with the first predicate in the body of R1.
  The second variable (eventId2) has a value that is set to the value of the xPath expression:
  /resultsdesc/results/formula//head/predicate/happens/ic_term/id/text()
  The above expression returns the identifier of the event matched with the predicate in the head of R1.
  
  
  
  NotifySRF
  
  eventId1
  string
  
  /resultsdesc/results/formula/body/predicate[1]
  /happens/ic_term/id/text()
  
  
  
  eventId2
  string
  
  /resultsdesc/results/formula/head/predicate/happens/ic_term/id/text()
  
  
  
  
  
  
  
  
  R1_Result
  
  MonitoringResults
  
  
  
  /resultsdesc/results/formula[@status]
  
  
  
  
  
  STRING
  
  Inconsistency_WRT_Recorded_Behaviour
  
  
  
  
  
  
  
  
  
  
  

  Figure 8 – Action R1-A1

  
  
  The second action (see action element with actionID “R3_A2” in Figure 9) is also an SRF notification action. This action, however, will be taken if the minimum threat likelihood detected for the formula is greater or equal to 0.7. This condition is expressed by the relational condition greaterThan EqualTo between the value obtained by evaluating the xPath
  /resultsdesc/results/formula[@minThreatLikelihood]
  against each monitoring results document that is returned by the monitoring framework for the specific rule and the constant value 0.7.
  
  
  When the action R1-A2 is taken, SRF is notified with the identifier of the R1 instance (instanceId) that the detected monitoring result (threat) refers to.
  
  NotifySRF
  
  instanceId
  string
  
  /resultsdesc/results/formula[@instanceId]
  
  
  
  
  
  
  
  
  R1_Result
  
  MonitoringResults
  
  
  
  /resultsdesc/results/formula[@minThreatLikelihood]
  
  
  
  
  
  DOUBLE
  
  0.7
  
  
  
  
  
  
  
  
  
  
  
  

  Figure 9 – Action R1-A2

  
  
  The third action is specified in Figure 10. This action (Action R1-A3) is a notifyApplication action which notifies the application that is being monitored about a violation of a specific rule.
  
  The guard condition of R1-A3 specifies that the action should be taken in cases where the minimum likelihood (or, equivalently, the genuineness) of the signal event that has been unified with the Happens predicate in the body of rule R1 is greater than 0.4. When this condition is satisfied, the application, which is being monitored, will be notified with the identifier of the radar that generated the relevant signal event (radarId).
  
  NotifyApplication
  
  radarId
  string

  
  /resultsdesc/results/formula/body/predicate[1]
  /happens/ic_term/variable[5]
  /varName[text()="radarID1"]/value
  
  
  
  
  
  
  
  
  R1_Result
  
  MonitoringResults
  
  
  
  /resultsdesc/results/formula/body/predicate[1][@minLikelihood]
  
  
  
  
  
  DOUBLE
  
  0.4
  
  
  
  
  
  
  
  
  
  
  
  

  Figure 10 – Action R1-A3

  
  
  Similarly, the action R1-A4 in Figure 11 is an application notification action. According to its specification in the figure, R1-A4 is taken if the maximum likelihood (or, equivalently, the genuineness plausibility [2]) of the signal event that has been unified with the head predicate of rule R1 is not less than 0.5. Again, in such cases, the application, which is being monitored, will be notified with the identifier of the radar that generated the relevant signal event (radarId) that caused the detection of a the violation.
  
  NotifyApplication
  
  
  
  radarId
  string
  
  /resultsdesc/results/formula/head/predicate
  /happens/ic_term/variable[5]
  /varName[text()="radarID2"]/value
  
  
  
  
  
  
  
  
  R1_Result
  
  MonitoringResults
  
  
  
  /resultsdesc/results/formula/head/predicate[1][@maxLikelihood]
  
  
  
  
  
  DOUBLE
  
  0.3
  
  
  
  
  
  
  
  
  
  
  
  

  Figure 11 – Action R1-A4

  
  
  Bibliography
  
  

  [1] Christos Kloukinas, George Spanoudakis, Theocharis Tsigritis , A4.R6 - Draft Schema for Recovery Actions to be Taken Upon Potential or Definite Violations of Monitoring Rules
  
  

  [2] V.Di Giacomo,Christos Kloukinas, D. Presenza, C. Riccucci, George Spanoudakis, Theocharis Tsigritis (2008) Dynamic Recovery Mechanisms. A4.D6.1, SERENITY Project.
  
  

  [3] George Spanoudakis, Theocharis Tsigritis, (2008) 1st Version of Diagnosis Prototype. Deliverable A4.D5.1, SERENITY Project.
  
  

  • Log files
  
  
  One of the basic tools for any system administrator is a log file. Therefore, the SRF generates several log file types in order to provide the SRF Administrator a mean to track the SRF activity throughout its lifetime.
  
  
  The SRF generate several traces that can be classified as follows:
  
  

  • Traces related with the configuration and status of the SRF.
  
  

  • Traces related with the process of request, selection and activation of an S&DSolution.
  
  

  • Traces specifically reflecting the reaction mechanisms performed by the SRF so far.
  
  

  All these types of traces are splitted over several log files:
  
  

  • srf.log
  
  

  This is the log used by the SRF to dump all the traces related with the process of request, selection and activation of S&D Solutions. Each time the SRF receives an S&D Request, the S&D Selection algorithm is started and all the steps of the process are reflected in this log file.
  
  
  Here is an example of how it looks like:
  
  
  
  
  By looking at this file, the SRF administrator can monitor the execution of the different selection processes and have a real time view of “how the things are going on”.
  
  
  This file is located in the path specified in the parameter “srf_log_path” within the SRF configuration file SERENITY\conf\sdmanager.conf
  
  

  
  

  reactions.log

  
  

  This file is used by the SRF to dump all the reactions performed on a particular S&D Solutions so far. Each time the SRF performs a reaction mechanism as a result of a Monitoring Rule violation, the result template generated by the Diagnosis tool of the Monitoring Services infrastructure, is logged into a dynamic stack maintained by the SRF. Once the SRF is requested to perform the “Log” reaction, it dumps the content of the stack into the reactions.log file.
  
  
  This file is located in the path specified in the parameter “reactions_log_path” within the SRF configuration file SERENITY\conf\sdmanager.conf
  
  
  In order to make it easy to find it, it can be accessed through the SRF Console. The SRF Administrator should select one of the active patterns of the system, and click in the Edit button. In the pop up window that comes up, click on the button “View Reactions” and a new pop up displaying the corresponding list of reactions will appear. The following two pictures illustrates this functionality:
  Active Pattern detailsReactions performed so far
  
  

  • control and monitoring logs
  
  

  These are two sets of files generated by the Java Logger utility.
  
  

  
  

  logInfo files

  
  

  
  

  logError files

  
  

  One log file of each category is generated per day, and can be viewed using the SRF Console, as depicted in the following picture:
  SRF Info Logs
  The content of the selected log file is displayed in the right hand panel of the window, as follows:
  
  
  SRF Error logs
  The information contained in these files are at a very technical low level, showing application exceptions and other programming relevant information that can be of any help in case of an unexpected behaviour or application failure.
  Due to the large number of log files generated by the SRF, it is possible to filter by date the files displayed at the SRF Console.
  Log filtering