Michael P. Zeleznik, Ph.D. zeleznik@sayasystems.com

Security Design in
Distributed Computing Applications

Michael P. Zeleznik

Ph.D. Dissertation
Computer Science Department
University of Utah


The software developer designing a security architecture for a distributed application is often faced with practical constraints that further complicate an already difficult task. These include limited resources and conflicting requirements. The goal will often be to simply provide as much effective security as possible, targeted at the end-user security needs. To achieve this goal, the developer must be able to systematically determine where security problems exist, understand the impact of security mechanisms as they are designed, determine which problems have and have not been addressed, explore alternative designs, and build on the architecture in the future.

Current approaches to secure system design do not meet these requirements. Although much is understood about many aspects of computer security, little attention has been given to the the issue of how to integrate this knowledge into a design process; of how to generate and maintain a security architecture in a systematic, predictable manner.

In this dissertation, this issue is examined in the context of a distributed information retrieval system. The security design problem is analyzed, defining and characterizing its underlying causes and the tools desirable to address it. This is followed by a classification and analysis of current security design approaches in relation to this problem, including a detailed case history of our efforts to employ risk management paradigms, demonstrating their strengths and limitations.

A new security design methodology is then presented, which provides the desired tools. All aspects of the application, supporting software, hardware, physical environments, and attack scenarios are modeled in a unified, object-oriented manner. An information flow analysis is applied to automatically discover security violations. Safeguards can then be modeled and added to the flow analysis to readily assess their effects and interrelationships. Although the developer must create the application-specific models, the remaining models such as those for the operating system, hardware, environments, and attack scenarios are application-independent, and can evolve over time to represent generic security knowledge bases. These can be utilized by any developer employing this design methodology, regardless of their security background.

Slides: Overview of Dissertation
Slides: Overview of Security Design Methodology only
Full Dissertation (PDF) (1.2 MB)

Copyright 2015 Michael P. Zeleznik Web design by Saya Systems Inc.