SECURITY REQUIREMENTS MODELS: A SURVEY AND COMPARISON Ing. Abel E. Fornaris, Dr. Eduardo Fdez-Medina GSyA Research Group Escuela Superior de Informática Universidad Castilla-La Mancha, Ciudad Real, España.
Content / Agenda
• Introduction
• Systematic Literature Review (SLR) development
  - SLR Planning
  - SLR Results
• Results Analysis and Discussion
• Conclusions
• Acknowledgements
Introduction: Security, SRE, SR models
• Security as an important issue:
  - Incidence of misuse of assets. Worldwide accessibility of the Internet and the automation of systems.
• Interest in the security engineering community:
  - Series of strategies focused on securing the applications, focused primarily on the design and implementation stages.
  - Model driven approaches suffer the same problem.
• Response:
  - Initiatives such as MDS.
  - However, security requirement engineering is needed to produce methodologies, processes and frameworks that integrate security from the early phases of development.
  - They use artifacts, languages, techniques, diagrams; models in general. These can be used in an isolated way too.
Introduction: Need for the SLR and objective
• Problems with these models:
  - Too many, covering different security requirements, with different notations; hard to learn, no common view.
• No SLR found covering these models:
  - Each author proposes a model. Existing surveys and comparisons are not done in a systematic way. Many studies relate to methodologies, processes and frameworks.
• Systematic Literature Review (SLR) proposed:
  - Identify models and surveys/comparisons amongst them. Need for their integration.
• Ultimate objective:
  - Integrate, create links, and propose new model(s) to be part of a model driven development (MDD) approach.
SLR development: SLR Planning
• SLR questions:
  - Which artifacts, languages, techniques, diagrams, models in general, are currently used to elicit security requirements from the early stages of secure software development, as part or not of the different methodologies, processes and frameworks?
  - Which studies propose comparisons and surveys amongst them?
• Expected results:
  - Identification and description of the different models used in security requirements engineering, as well as their surveys/comparisons.
• Main application areas:
  - Secure software development and software requirements engineering; also security experts, requirements engineers and MDS researchers.
SLR development: SLR Planning - Sources
• Sources available in Universidad de Castilla – La Mancha digital libraries.
• Sources used:
  - Scopus Digital Library
  - Springer Digital Library
  - Science@Direct Digital Library
  - ACM Digital Library
  - IEEE Computer Digital Library
• Basic search string:
  “Security AND Requirement AND (Engineer OR Engineering) AND (Model OR Diagram OR Artifact OR Method OR Language OR Technique)”
SLR development: SLR Results - Models to specify attacks or vulnerabilities
• Attack Trees [Schneier, B. (2000)]
  - Model with a tree structure.
  - Used to calculate the risk and cost of potential attacks and their countermeasures.
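The cost calculation the slide attributes to attack trees, worked through as an added example (not code from the survey or from Schneier): AND/OR nodes over a constructed tree with hypothetical costs, the cheapest path to the root goal, and a ranking of which countermeasure raises that cheapest cost the most.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

@dataclass
class AttackNode:
    """Node of an attack tree: a LEAF step, or an OR/AND goal refined by its children."""
    name: str
    gate: str = "LEAF"                # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0                 # attacker effort for a leaf step (constructed, arbitrary units)
    countermeasure_cost: float = 0.0  # extra effort once this leaf's countermeasure is deployed
    children: List["AttackNode"] = field(default_factory=list)

def cheapest_attack(node: AttackNode, mitigated: FrozenSet[str] = frozenset()) -> Tuple[float, List[str]]:
    """Return (cost, leaf steps) of the cheapest way to reach the goal, given deployed countermeasures."""
    if node.gate == "LEAF":
        cost = node.cost + (node.countermeasure_cost if node.name in mitigated else 0.0)
        return cost, [node.name]
    results = [cheapest_attack(child, mitigated) for child in node.children]
    if node.gate == "OR":
        return min(results, key=lambda r: r[0])
    if node.gate == "AND":
        return sum(r[0] for r in results), [step for r in results for step in r[1]]
    raise ValueError(f"unknown gate {node.gate!r}")

def leaves(node: AttackNode) -> List[AttackNode]:
    return [node] if node.gate == "LEAF" else [leaf for c in node.children for leaf in leaves(c)]

def rank_countermeasures(root: AttackNode) -> List[Tuple[str, float]]:
    """Cheapest remaining attack cost if each countermeasure were deployed on its own, highest first.
    A countermeasure that is not on the cheapest path leaves the attacker's best option unchanged."""
    ranked = [(leaf.name, cheapest_attack(root, frozenset({leaf.name}))[0])
              for leaf in leaves(root) if leaf.countermeasure_cost > 0]
    return sorted(ranked, key=lambda r: -r[1])

def sample_tree() -> AttackNode:
    """Constructed example tree (hypothetical system and costs, not from the survey)."""
    return AttackNode("Obtain customer records", "OR", children=[
        AttackNode("Steal backup tape", "AND", children=[
            AttackNode("Enter server room", cost=200, countermeasure_cost=800),          # badge + camera
            AttackNode("Remove tape", cost=50),
        ]),
        AttackNode("Guess admin password", cost=100, countermeasure_cost=5000),          # MFA
        AttackNode("Exploit unvalidated web input", cost=300, countermeasure_cost=10000), # input validation
    ])

if __name__ == "__main__":
    tree = sample_tree()
    print("baseline:", cheapest_attack(tree))
    for name, cost in rank_countermeasures(tree):
        print(f"deploy only '{name}': cheapest attack now costs {cost}")
```

On the sample tree only the password countermeasure changes the attacker's cheapest option; the other two are off the cheapest path until it is closed.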
SLR development: SLR Results - Models to specify attacks or vulnerabilities
• Abuse Frames [Lin, L., B. Nuseibeh, et al. (2003)]
  - Represent security threats and derive SR by defining anti-requirements as actions to subvert these SR.
  - Share notation with regular problem frames.
  - Related domains: machine, victim, malicious user.
  - Critical assets must be defined.
• Abuser Stories [Peeters, J. (2005)]
  - Plain-text stories of how attackers abuse the system; the agile counterpart to abuse cases.
  - Lightweight, low-effort and informal.
  - Provide traceability to SR.
  - Should be written by customers, together with developers.
SLR development: SLR Results - Models to specify attacks or vulnerabilities
• AsmL, AsmLSec [Graves, M. and M. Zulkernine (2006); Raihan, M. and M. Zulkernine (2007)]
  - AsmL is an extended finite state machine-based executable software specification language.
  - Also used to specify attack scenarios in extensions such as AsmLSec.
  - AsmLSec is based on states, events and transitions.
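An attack scenario specified the way the slide describes AsmLSec, as states, events and guarded transitions, and executed against an event stream. This is an added example in plain Python, not AsmL or AsmLSec code; the scenario (repeated failed logins, a success, then a privilege change), the event record shape and the threshold of 3 are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]   # one audit record; constructed shape, e.g. {"type": "login_failed"}
Vars = Dict[str, int]       # scenario variables carried across transitions

@dataclass
class Transition:
    src: str
    event: str
    dst: str
    guard: Callable[[Event, Vars], bool] = lambda e, v: True    # condition that must hold to fire
    action: Callable[[Event, Vars], None] = lambda e, v: None   # variable update when it fires

@dataclass
class AttackScenario:
    """Extended finite state machine: ends in `accept` only if the event stream matches the scenario."""
    start: str
    accept: str
    transitions: List[Transition]

    def run(self, events: List[Event]) -> Tuple[bool, List[str]]:
        state, vars_, trace = self.start, {"failures": 0}, [self.start]
        for ev in events:
            for t in self.transitions:          # first enabled transition wins
                if t.src == state and t.event == ev["type"] and t.guard(ev, vars_):
                    t.action(ev, vars_)
                    state = t.dst
                    trace.append(state)
                    break                       # events with no enabled transition are ignored
        return state == self.accept, trace

def count_failure(ev: Event, v: Vars) -> None:
    v["failures"] += 1

# Hypothetical scenario: three or more failed logins, then a success, then a privilege change.
BRUTE_FORCE_THEN_ESCALATE = AttackScenario("Idle", "Escalated", [
    Transition("Idle", "login_failed", "Probing", action=count_failure),
    Transition("Probing", "login_failed", "Probing", action=count_failure),
    Transition("Probing", "login_ok", "Hijacked", guard=lambda e, v: v["failures"] >= 3),
    Transition("Probing", "login_ok", "Idle", action=lambda e, v: v.update(failures=0)),
    Transition("Hijacked", "privilege_change", "Escalated"),
])

# Constructed event streams for one user session (one machine instance per session is assumed).
SUSPICIOUS_EVENTS: List[Event] = [{"type": "login_failed"}] * 3 + [{"type": "login_ok"}, {"type": "privilege_change"}]
BENIGN_EVENTS: List[Event] = [{"type": "login_failed"}, {"type": "login_ok"}, {"type": "privilege_change"}]

def scenario_matches(events: List[Event]) -> bool:
    return BRUTE_FORCE_THEN_ESCALATE.run(events)[0]
```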
SLR development: SLR Results - Model extensions to specify attacks or vulnerabilities
• Misuse Cases [Sindre, G. and A. L. Opdahl (2005)]
  - Extended UML use case to represent undesirable behavior of the software.
  - Special “mis-actor”.
  - Related to use cases using “prevent”, “detect”, “include”.
• Mal-Activity Diagrams [Sindre, G. (2007)]
  - Standard UML activity diagram used to capture malicious activities and actors with the same syntax and semantics.
• Abuse Cases [McDermott, J. and C. Fox (1999)]
  - Standard UML use case representing complete harmful actions in the system.
  - Text details about actors, skills and objectives should be stated.
  - All potential harmful interactions should be specified; tree structure to specify all possible attacks.
  - Useful for stakeholders' understanding.
• UMLIntr [Hussein, M. and M. Zulkernine (2006)]
  - UML profile to deal with attacks using several stereotyped, tagged artifacts.
  - Attacks divided into 4 stereotyped packages.
• UML State Charts for Security [Zulkernine, Graves, et al. (2007)]
  - Based on extended finite state machines; their important constituents are states, transitions, conditions, actions and events. Represent system behaviour.
  - Highlight: ability to represent complex multiple-step attacks.
  - Easily understandable and communicated.
SLR development: SLR Results - Models to represent security requirements
• Security Problem Frames [Jackson (2001); Hatebur, D., M. Heisel, et al. (2006)]
  - Kinds of patterns to represent threat models and the SR derived from them.
  - Described by frame diagrams.
  - Objective: build a machine to improve environment behavior.
• Barrier Analysis Diagrams [Jennex, M. E. (2005)]
  - Graphical method of identifying and documenting SR by pointing out threats, combined with the defense in depth concept.
  - Uses: the threat, the chain of barriers designed to prevent the threat, and the asset being protected.
  - Meta-notation to add security details.
• Constraints [Haley, C. B., R. Laney, et al. (2008)]
  - SR considered in terms of constraints that operationalize security goals.
  - Which goals apply to which functional requirements; assets identified.
• SI* [Zannone, N. (2009); Massacci, F., J. Mylopoulos, et al. (2010)]
  - Modeling language based on the social modeling language i*, to capture SR from the organizational point of view.
  - Employs basic primitives: actor, goal, task, resource and social dependency between two actors.
  - Enhances i* with four main notions: permission, delegation, trust and supervision.
SLR development: SLR Results - Model extensions to represent security requirements
• Secure Tropos [Mouratidis, H. and P. Giorgini (2007)]
  - Extension of the Tropos methodology to represent SR as constraints.
  - Based on i*; concepts of actor, goal, soft goal, task, resource, security constraint, etc.
• Security Use Cases [Firesmith, D. G. (2003)]
  - Standard UML use cases.
  - Complement misuse cases in order to represent SR.
• UMLsec [Juerjens, J. (2005)]
  - Extension of several UML artifacts with stereotypes, tags and constraints to represent SR.
  - 21 stereotypes; 7 with tags, 9 with constraints.
• SecureUML [Lodderstedt, T., D. A. Basin, et al. (2002)]
  - Stereotyped UML class diagram to represent role based access control.
  - Defines OMG’s metamodel; OCL for resources, actions and permissions.
• GridUCSec-Profile [Rosado et al. (2010)]
  - UML profile using stereotyped secure use cases for grid systems.
  - UML metamodel redefined.
SLR development: Results Analysis and Discussion
• HLA shows most proposals have alignments of some kind, with methodologies at a higher level.
• Some of these aligned models lack a strong formal definition (FD); some still have metamodels, so there is hope for transformations in an MDA approach.
• ScA identifies “popularity”. Popular models serve as the basis for other analyses; unpopular ones are examined too, since they are new. Lack of empirical testing (ET) in “unpopular-new” and “weak” models; several case studies and experiments in strong ones.
• No general ability to specify constraints (CTR) in models; a problem for model strength.
• Popular ones have automated tools (AT); most of the models are not standard-aligned.
SLR development: Results Analysis and Discussion
• Quality Model for the Security in a Software Product. Part of the MEDUSAS project. Paper accepted for RECSI 2010.
SLR development: Results Analysis and Discussion
• Depending on their purpose, models have higher or lower support for attack detection.
• Confidentiality, integrity and availability are popularly or potentially supported.
• Safety is potentially included by most models in some way.
• Models to directly elicit SR tend to include authenticity.
• Non-repudiation and accountability are not so widely supported.
Conclusions ...and future work...
• A great number of models exist to elicit SR, or to represent attacks/vulnerabilities in order to elicit those requirements.
• Each model has its own characteristics and covers certain aspects of security; none of them is a complete solution for all possible scenarios.
• Identified the need and viability of a unified, unique model (taking advantage of existing ones) to elicit ALL possible SR in an MDD approach.
• Capacity to obtain this model by means of transformations between existing successful models.
Acknowledgements: Research lines and projects
• MDD applied to data warehouses.
• Definition of quality and security metrics for data warehouses.
• Secure software development:
  - Security Requirements Engineering.
  - Security Patterns.
  - BPS (Business Process Security).
  - Mobile Grid Computing.
  - Product line software security.
  - All aligned with MDD.
• Security Management:
  - ISSM (Information Systems Security Management) for SMEs.
• Projects: MEDUSAS (IDI-20090557), QUASIMODO (PAC08-0157-0668), SEGMENT (HITO-09-138), SISTEMAS (PII2I09-0150-3135), BUSINESS (PET2008-0136).
Thank you... Debate, Questions... and Answers...
Abel E. Fornaris, Security Requirements Models: A Survey and Comparison