An Approach for Modeling and Analysis of Security System Architectures

Yi Deng, Member, IEEE, Jiacun Wang, Senior Member, IEEE, Jeffrey J.P. Tsai, Fellow, IEEE, and Konstantin Beznosov, Member, IEEE

Abstract—Security system architecture governs the composition of the components in a security system and the interactions between them. It plays a central role in the design of software security systems that ensure secure access to distributed resources in a networked environment. In particular, the composition of the system must consistently assure the security policies it is supposed to enforce. However, there is currently no rigorous and systematic way to predict and assure such critical properties in security system design. In this paper, a systematic approach is introduced to address the problem. We present a methodology for modeling security system architecture and for verifying whether required security constraints are assured by the composition of the components. We introduce the concept of security constraint patterns, which formally specify the generic form of security policies that all implementations of the system architecture must enforce. The analysis of the architecture is driven by the propagation of the global security constraints onto the components in an incremental process. We show that our methodology is both flexible and scalable. It is argued that such a methodology not only ensures the integrity of critical early design decisions, but also provides a framework to guide correct implementations of the design. We demonstrate the methodology through a case study in which we model and analyze the architecture of the Resource Access Decision (RAD) Facility, an OMG standard for application-level authorization services.

Index Terms—Software security, security system architecture, access control, authorization service, formal architectural modeling, constraint patterns, formal verification, Petri nets, temporal logic.
1 INTRODUCTION

Software systems today are increasingly interconnected and accessed in a networked environment. This trend has been greatly accelerated by the rapid proliferation of the Internet. As such, software security has emerged as a foremost concern for the modern information enterprise. How to design highly dependable security systems that ensure secure access to distributed software and information is an urgent problem. Given the magnitude and complexity of the distributed systems and information resources interconnected by the Internet and/or enterprise networks, the design of the security systems that protect those systems and resources also becomes an increasingly complex and difficult problem. Access control, for example, must consistently and reliably enforce organization-wide security policies across different applications. Security mechanisms must be efficient enough to be useful. An attractive security system design must effectively support system evolution, such as changes in security policies, in the user population and their roles, and in applications. Furthermore, software security needs to be achieved at reasonable cost during the development, operation, and evolution of the systems.

Security system architecture, which defines the structure of the system and the interaction and coordination among its components, plays a key role in addressing the above challenges in security system design. Increasingly, security mechanisms are designed as self-contained components or subsystems outside applications in heterogeneous distributed environments [1], [3], [5], [18], [21], [25], [43]. The separation of security logic from application logic in design simplifies the development of both distributed systems and their security functions and, therefore, makes it easier to enhance their quality.
Equally important, it paves the way for uniformly applying security mechanisms across (heterogeneous) system boundaries, as well as for centralizing security administration and management in an organization, traditionally a time consuming, costly, and error prone process. Several well-known security system architectures and models, including those in CORBA [5], [31], EJB [19], DCE [18], and DCOM, are cornerstones for designing scalable and flexible security systems in distributed environments. Application-level security system models, e.g., those of [3], [15], [21], [22], [33], [43], [44], are expected to gain increasing acceptance.

Despite these advances, however, how to analyze the design of a security system to ensure its consistency and integrity is still a largely open problem. In particular, the composition of a security system must not only make the constituent components work together, but also ensure that the components as a whole behave consistently and guarantee certain end-to-end properties. A critical property, for example, is whether the system consistently assures

IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 15, NO. 5, SEPTEMBER/OCTOBER 2003 1099

Y. Deng is with the School of Computer Science, Florida International University, Miami, FL 33199. E-mail: deng@cs.fiu.edu.
J. Wang is with Nortel Networks at Richardson, Richardson, TX 75082. E-mail: jiacwang@nortelnetworks.com.
J.J.P. Tsai is with the Department of Electrical Engineering and Computer Science, University of Illinois at Chicago, Chicago, IL 60607-7053. E-mail: tsai@eecs.uic.edu.
K. Beznosov is with Concept Five Technologies, 25 Burlington Mall Rd., Burlington, MA 07803. E-mail: beznosov@concept5.com.

Manuscript received 12 June 2000; revised 12 Feb. 2001; accepted 14 Feb. 2001. For information on obtaining reprints of this article, please send e-mail to: tkde@computer.org, and reference IEEECS Log Number 112260.
1041-4347/03/$17.00 © 2003 IEEE. Published by the IEEE Computer Society.