Abstract
Developers of critical systems need to address several quality properties, such as security and performance, in the early stages of the development cycle to ensure that the system under construction meets its requirements. Sometimes quality properties conflict with each other and/or with the system’s functionalities, so the developers need to make trade-off decisions. Unreasonable costs, added developer resources and tight project schedules may be other reasons for having to trade-off between alternative solutions. In the context of Model-Driven Development, the analysis of quality properties is done by transforming software design models into different analysis models based on various formalisms, which are then analyzed with existing tools. A major challenge is to integrate different models, transformations and tools into a consistent and coherent process. In this chapter the authors present a methodology called Aspect-Oriented Risk Driven Development (AORDD), which integrates the analysis of two quality properties, namely security and performance, into the development process of critical systems. Each quality property is analyzed separately, and then all results are input to a trade-off analysis that identifies conflicts between the properties. Trade-off analysis aims at supporting designers and developers in choosing the security and performance solutions that best fit their needs, without introducing unacceptable development delays or costs. The security analysis consists of identifying the assets (critical components, such as sensitive information) of an application and the attacks that can compromise these assets, and formally analyzing whether these attacks are actually possible using the tools UML2Alloy and Alloy Analyzer. If the system is vulnerable to the attack, some security solution, modeled as an aspect according to Aspect Oriented Modeling (AOM), is added to the system. The analysis must be repeated to ensure that the resulting system is secure. Performance analysis is accomplished using Layered Queuing Network (LQN) models. Annotated system models are transformed into LQN models and performance experiments are executed on them. If the performance results are unacceptable, the system design has to be changed and the analysis repeated. Finally, the results of the security and performance analysis are input to the system quality property trade-off analysis, which is implemented as a Bayesian Belief Network (BBN) topology, and which also takes as input external parameters, such as time to market and budget constraints. The results of the trade-off analysis help identify how well a particular design meets performance, security and other project goals, which, in turn, can guide the developer in making informed design decisions. The approach is illustrated using a transactional web e-commerce benchmark (TPC-W) originally developed by the Transaction Processing Performance Council.
TopIntroduction
Developers of critical systems need to address several quality properties in the early stages of the development cycle, to ensure that the system under construction meets its requirements. Basing design decisions on quality analysis results early during system design can help avoid drastic and expensive changes in later development stages. In the context of Model-Driven Development, the analysis of quality properties is done by transforming software design models into different analysis models based on various formalisms, which are then analyzed with existing tools. The challenge consists in integrating different models, transformations and tools into a coherent development process.
Sometimes quality properties conflict with each other and/or with the system’s functionalities, so the developers need to make trade-off decisions. For example, security and performance qualities were conflicting in the redesign of the Secure Sockets Layer (SSL) protocol proposed in Apostolopoulos et al. (1999). The proposed version achieved its goal of reducing SSL server performance cost, but violated the goal of providing a secure connection (see Jürjens (2005) for more details).
Performance and security goals are often at odds with each other. Customers want easy, secure access to systems, and a delay-free experience. However, this may not be feasible, and designers must make trade-off decisions that optimize parts of the system for one quality property over the other, or balance the quality properties. Financial considerations play a major role in these decisions since development resources and budget most often are limited. Software development approaches that support systematic trade-off analysis are most likely to produce flexible, robust architectural designs that meet both security and performance goals over the lifetime of the software.
In this chapter we present a methodology called Aspect-Oriented Risk Driven Development (AORDD), which integrates the analysis of two quality properties, security and performance, into the development process of critical systems. Each quality property is modeled and analyzed separately, and then all results are input to a system quality property trade-off analysis. The modeling language used is UML (OMG (2007) and OMG (2007-1)). Our approach uses Aspect-Oriented Modeling (AOM) techniques (see France et. al. (2004), Georg et. al. (2008)), to model security concerns separately as aspects, and to systematically experiment with alternative ways of addressing them. AOM techniques enable designers to quickly change the system design to incorporate additional or alternative security treatment designs prior to security analyses. Designers can therefore more easily search for a solution design that provides adequate protection (France et al. (2004-1), Straw et al. (2004), and Woodside et al. (2009)).
AORDD security analysis is carried out to determine how resilient a system design is to various attacks. The analysis involves transforming the UML models into Alloy (Bordbar and Anastasakis (2005) and Anastasakis et al. (2008)) and using the Alloy Analyzer (Alloy (2008)) to test security assertions. AORDD performance analysis of alternative designs is explored using the toolset developed by the Performance by Unified Model Analysis (PUMA) project, which takes as input UML models with performance annotations (Woodside et al. (2005) and Petriu and Woodside (2004)). Although the toolset can transform annotated UML models into different types of performance models, we use it to create Layered Queuing Network (LQN) models which allow us to analyze the system from a capacity viewpoint (e.g. mean response time for a given workload), rather than a strict deadline viewpoint (which requires scheduling analysis).