Lin Liu,Eric Yu,John Mylopoulos

2002-01-01

Abstract:Security issues for software systems ultimately concern relationships among social actors – stakeholders, users, potential attackers, etc. -and software acting on their behalf. In assessing vulnerabilities and mitigation measures, actors make strategic decisions to achieve desired levels of security while trading off competing requirements such as costs, performance, usability and so on. This paper explores the explicit modeling of relationships among strategic actors in order to elicit, identify and analyze security requirements. In particular, actor dependency analysis helps in the identification of attackers and their potential threats, while actor goal analysis helps to elicit the dynamic decision making process of system players for security issues. Patterns of relationships at various levels of abstraction (e.g. intentional dependencies among abstract roles) can be studied separately. These patterns can be selectively applied and combined for analyzing specific system configurations. The approach is particularly suitable for new Internet applications where layers of software entities and human roles interact to create complex security challenges. Examples from Peer-to-Peer computing are used to illustrate the proposed framework.

Yuhong Wen,Haihong Zhao,Lin Liu

DOI: https://doi.org/10.1109/RePa.2011.6046726

2011-01-01

Abstract:Security requirements analysis for business information systems in today's networked organization is difficult due to the complexity of the systems and the frequent change in the environment. Thus, it requires security knowledge to be explicitly represented, and well understood by system analysts and designer, which in turn being applied in feasible problem contexts. System requirements are often represented in modelling frameworks with different analytical focus, so security requirements knowledge shall reflect such difference and form an integrated treatment. This paper proposes to use modelling concepts from the i* and PF modeling language to capture recurring patterns of security problems. The main concepts used are actors, assets, and relations such as ownership and permissions. The major contribution of the approach is proposing the specific problem frames such as ownership, authorization, attack and protection, by decomposing a large problem into sub-problems (base frames), then evaluate the potential threats (attacking frames) applicable to each sub-problem by evaluate the compatibility of the two, security analysis is integrated into the system design process from the outset. The proposal can be generalized to the design of defensive measures as well as other NFR treatments. © 2011 IEEE.

Lin Liu,Eric Yu,John Mylopoulos

DOI: https://doi.org/10.1109/compsac.2006.159

2006-01-01

Abstract:Design for security is extremely complicated due to the unique nature of the issue. It requires a thorough understanding about the social setting of the security system. To obtain such understanding, sensible steps to take include identifying the players involved in the system, recognizing their personal preferences, agenda and power in relation to other players, identifying the assets being protected, the vulnerable points at which the systems may fail when attacked. Equally important is to taking rationale steps to predict most likely attackers, knowing their possible motivations, and capabilities enabled by latest the technologies and resource occupations. Only based on integrated analysis on both sides, rationale, informative and efficient tradeoffs on security can be made. Unfortunately, current system development practices treat design decisions on security in an adhoc way, often as an afterthought. This paper proposes to use social modeling concepts to analyze the business and organizational context of systems with regard to security. The main concepts used are actor, role, agent and goal, task, and resource dependencies between actors. The approach encompasses several analysis steps on the functional and non-functional requirements in relevance to security, thus integrating security into the system design process from the outset.

Tong Li,Lin Liu,Golnaz Elahi,Eric Yu,Barrett R. Bryant

DOI: https://doi.org/10.1109/COMPSACW.2010.98

2010-01-01

Abstract:Security analysis is a knowledge intensive process, in which the attackers and the system owners are competing with their knowledge about how the system is built, what are the weakest points of the system, and how to exploit or to protect them. In other words, it is a race of knowledge. In this paper, we present a service security modeling approach based on the agent-oriented requirement modeling framework, i*. In this approach, we first model system actors' rationale for delivery of the service function. Then, we model a malicious actor whose intention is to disable the system functionality by exploiting their knowledge about the service and potential attacks. We assume that attackers have full knowledge about the system, which is the worst case scenario. Finally, the method automatically identifies attack routes across the actors' dependency network based on the available knowledge. We use a recent network attack event to a major Internet service provider to illustrate the approach.

Lirong Dai,Kendra Cooper

2007-01-01

Abstract:There has been a growing interest in investigating methodologies to support the development of secure sys- tems in the software engineering research community. Re- cently, much attention has been focused on the modelling and analysis of security properties for systems at the soft- ware architecture design level. The potential benefits of this architecture level work are substantial: security flaws can be detected and removed earlier in the software de- velopment life-cycle. This reduces development time, re- duces development cost, and improves the quality of the resulting system. As a result of this attention, a wide variety of approaches have been proposed in the literature. At this point, a sur- vey for researchers involved in the problem of systemat- ically modelling and analyzing software architecture de- sign that have security properties would be of value to the community. This paper presents such a survey; it includes a discussion of semi-formal, formal, integrated semi-formal and formal, and aspect-oriented approaches. Comparison criteria are defined including: the kinds of notations used to model the security properties (e.g., Petri nets, temporal logic, etc.), whether the approach supports the manual or automated analysis of security properties, the specific security property modelled (e.g., authenti- cation, role-based access control, etc.), and the kind of example system that has been used to illustrate the ap- proach (information, distributed, etc.).

Eric S. K. Yu,Lin Liu

DOI: https://doi.org/10.1007/3-540-45547-7_11

2000-01-01

Abstract:The i *framework was developed to support requirement analysis and high-level design in an agent-oriented system development paradigm. It models intentional dependency relationships among strategic actors and their rationales. As actors depend on each other for goals to be achieved, tasks to be performed, and resources to be furnished, the trust relationships among these actors need to be considered to reason about the opportunities and vulnerabilities these dependencies bring. The concept of softgoal is used to model quality attributes for which there are no a priori, clear-cut criteria for satisfaction, but are judged by actors as being sufficiently met (≪satisficed≫) on a case-by-case basis. In this paper, trustworthiness is treated as a softgoal to be satisficed from the viewpoint of each stakeholder. Contributions to trustworthiness are considered using a qualitative reasoning approach. Examples from the smart card domain are used to illustrate.

Asif Imran

DOI: https://doi.org/10.1007/978-3-031-36597-3

2023-10-23

Abstract:Software security requirements have been traditionally considered as a non-functional attribute of the software. However, as more software started to provide services online, existing mechanisms of using firewalls and other hardware to secure software have lost their applicability. At the same time, under the current world circumstances, the increase of cyber-attacks on software is ever increasing. As a result, it is important to consider the security requirements of software during its design. To design security in the software, it is important to obtain the views of the developers and managers of the software. Also, it is important to evaluate if their viewpoints match or differ regarding the security. Conducting this communication through a specific model will enable the developers and managers to eliminate any doubts on security design and adopt an effective strategy to build security into the software. In this paper, we analyzed the viewpoints of developers and managers regarding their views on security design. We interviewed a team of 7 developers and 2 managers, who worked in two teams to build a real-life software product that was recently compromised by a cyber-attack. We obtained their views on the reasons for the successful attack by the malware and took their recommendations on the important aspects to consider regarding security. Based on their feedback, we coded their open-ended responses into 4 codes, which we recommended using for other real-life software as well.

Software Engineering,Cryptography and Security,Computers and Society

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ICNDS.2009.94

2009-01-01

Abstract:Access control is always essential for safe and security access to the system resource. Role based access control (RBAC) model is widely used in large enterprise software systems. The quality of the RBAC policy design especially role definition has great impact on the system security policy implementation. In this paper we propose a novel role engineering methods with security KAOS (SKAOS), which guide the engineering process via keeping decomposing the functional requirement objective and combining the system security requirement. SKAOS not only simplifies the system userpsilas involvement in the role engineering process via supplying with the objective decomposition but also reduces the complexity of the operation analysis. After building the objective decomposition and activity analysis diagrams, the role definition can be delivered. We illustrate the effectiveness of our method via analyzing a real world requirement problem.

Guisheng Fan,Huiqun Yu,Liqiong Chen,Dongmei Liu

DOI: https://doi.org/10.1109/apscc.2011.80

2011-01-01

Abstract:Service composition is an important means for integrating the individual Web services to create new value added systems that can satisfy complex requirements. However, it is a challenge to analyze security requirements for those applications due to the uncertainty factors in distributive environment. This paper proposes an approach to modeling and analyzing security requirements of service composition. Petri nets are used to model the different components of service composition, the dynamic matching strategy of service composition is proposed. Aspect-orientation is used to weave the security requirements into service composition, which includes evaluation concern, authorization, security level outputting and access outputting. The operation semantics and related theories of Petri nets help prove its effectiveness and correctness. An example explains the modeling and analyzing process of service composition, and a series of experiments are done to explain that the use of aspects for analyzing security requirements of service composition is more efficient than conventional techniques.

Yijun Yu,Haruhiko Kaiya,Nobukazu Yoshioka,Zhenjiang Hu,Hironori Washizaki,Yingfei Xiong,Amin Hosseinian Far

DOI: https://doi.org/10.4018/ijsse.2017070103

2017-01-01

International Journal of Secure Software Engineering

Abstract:This article describes how earlier detection of security problems and the implementation of solutions would be a cost-effective approach for developing secure software systems. Developing, gathering and sharing similar repeatable programming knowledge and solutions has led to the introduction of Patterns in the 90's. The same concept has been adopted to realise reoccurring security knowledge and hence security patterns. Detecting a security problem using the patterns in requirements models may lead to its early prevention. In this article, the authors have provided an overview of security patterns in the past two decades, followed by a summary of i*/Tropos goal modelling framework. Section 2 outlines model-driven development, meta-models and model transformation, within the context of requirements engineering. They have summarised security access control types, and formally described role-based access control RBAC in particular as a pattern that may occur in the stakeholder requirements models. Then the authors used the i* modelling language and some elements from its constructs-model-driven queries and transformations-to describe the pattern enforcement. This is applied to a number of requirements models within the literature, and the pattern-based transformation tool they designed has automated the detection and resolution of this security pattern in several goal-oriented stakeholder requirements. Finally, the article also reflects on a variety of existing applications and future work.

Golnaz Elahi,Eric Yu,Tong Li,Lin Liu

DOI: https://doi.org/10.1109/compsac.2011.48

2011-01-01

Abstract:Various governmental or academic institutes survey current security trends, and report vulnerabilities, security breaches, and their costs. However, it is unclear whether (and how) practitioners analyze these vulnerabilities and attacks to arrive at security requirements and decide on security solutions. What modeling methods are used for eliciting, analyzing, and documenting security requirements in real-world practice? This paper intends to answer such questions through a survey of security requirements engineering practices. 374 software professionals from 237 International and Chinese firms participated in the survey. The results show businesses often try to consider security from early stages of the development life cycle, however, ultimately, security is left to be built into the system at the implementation phase. We observed that practitioners favour qualitative risk assessment rather than quantitative approaches, and this helps them consider more varieties of factors when comparing alternative security design solutions.

Simon Miller,Susan Appleby,Jonathan M. Garibaldi,Uwe Aickelin

DOI: https://doi.org/10.2139/ssrn.2823280

2013-01-01

International Journal of Secure Software Engineering

Abstract:The task of designing secure software systems is fraught with uncertainty, as data on uncommon attacks is limited, costs are difficult to estimate, and technology and tools are continually changing. Consequently, experts may interpret the security risks posed to a system in different ways, leading to variation in assessment. This paper presents research into measuring the variability in decision making between security professionals, with the ultimate goal of improving the quality of security advice given to software system designers. A set of thirty nine cyber-security experts took part in an exercise in which they independently assessed a realistic system scenario. This study quantifies agreement in the opinions of experts, examines methods of aggregating opinions, and produces an assessment of attacks from ratings of their components. We show that when aggregated, a coherent consensus view of security emerges which can be used to inform decisions made during systems design.

William A. Wulf,Chenxi Wang,darrell m kienzle

DOI: https://doi.org/10.1145/304851.304860

1996-01-01

Abstract:With the rapid growth of the information age, electronic activities of many kinds are becoming more common. The need for protection and security in this environment has never been greater. The conventional approach to security has been to enforce a system-wide policy, but this approach will not work for large distributed systems where entirely new security issues and concerns are emerging.We argue that a new model is needed that shifts the emphasis from "system as enforcer" to user-definable policies in which the cost scales with the degree of security required. Users ought to be able to select the level of security they need and pay only the overhead necessary to achieve it. Moreover, ultimately, they must be responsible for their own security. This research is being carried out in the context of the Legion project. We start by describing the objectives and philosophy of the overall project and then present our conceptual model and tentative implementation plan. A set of technical challenges is also addressed.

Zhihao Liu,Qiang Wang,Yongjian Li,Yongxin Zhao

DOI: https://doi.org/10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00037

2021-01-01

Abstract:Analyzing safety and security requirements remains a difficult task in the development of real-life network protocols. Although numerous modeling and analyzing methods have been proposed in the past decades, most of them handle safety and security requirements separately without considering their interplay. In this work, we propose a collaborative modeling framework that enables co-analysis of saf...

Zhanwei Hui,Song Huang,Xiaoming Liu,Bin Hu

DOI: https://doi.org/10.4028/www.scientific.net/amm.121-126.1891

2011-01-01

Applied Mechanics and Materials

Abstract:Security requirements engineers usually only need provide with software security requirements, and they unnecessarily specify software security behavior mechanisms, which are critical not only for software security design but also for software security testing. After discussing the relations and differences between security use cases and misuse cases, we provides an integrated model, SETAM, for software security testing requirements, which is based on security function testing use cases and adversary testing use cases..

Clark Thomborson

DOI: https://doi.org/10.1007/978-3-642-04117-4_1

2010-01-01

Abstract:Actors in our general framework for secure systems can exert four types of control over other actors' systems, depending on the tem- porality (prospective vs. retrospective) of the control and on the power relationship (hierarchical vs. peering) between the actors. We make clear distinctions between security, functionality, trust, and distrust by identi- fying two orthogonal properties: feedback and assessment. We distinguish four types of system requirements using two more orthogonal properties: strictness and activity. We use our terminology to describe specialised types of secure systems such as access control systems, Clark-Wilson sys- tems, and the Collaboration Oriented Architecture recently proposed by

Nacha Chondamrongkul,Jing Sun,Ian Warren

DOI: https://doi.org/10.1016/j.scico.2021.102631

IF: 1.039

2021-01-01

Science of Computer Programming

Abstract:Analysing security in the architecture design of modern software systems is a challenging task. Emerging technologies utilised in building software systems may pose security threats, so software engineers need to consider both the structure and behaviour of architectural styles that employ these supporting technologies. This paper presents an automated approach to security analysis that helps to identify security characteristics at the architectural level. Key techniques used by our approach include the use of metrics, vulnerability identification and attack scenarios. Our modelling is expressive in defining architectural styles and security characteristics. Our analysis approach gives insightful results that allow software engineers to trace through the design to find parts of the system that may be impacted by attacks. We have developed an analysis tool that allows user to seamlessly model the software architecture design and analyse security. The evaluation has been conducted to assess the accuracy and performance of our approach. The results show that our analysis approach performs reasonably well to analyse the security in the architectural design. (C) 2021 Elsevier B.V. All rights reserved.

Xiaohu Li,T. Paul Parker,Shouhuai Xu

DOI: https://doi.org/10.1109/aina.2007.138

2007-01-01

Abstract:Traditional security analyses are often geared towards cryptographic primitives or protocols. Although such analyses are absolutely necessary, they do not provide much insight for answering an equally important question: what is the security assurance of a physically or logically networked system when we consider it as a whole? This question is known to be notoriously difficult, and the state-of-the-art is that we know very little about it. In this paper, we make a step towards resolving it with a new modeling approach.

Jing Sun,Ian Warren,Nacha Chondamrongkul

DOI: https://doi.org/10.18293/SEKE2020-024

2020-01-01

Abstract:During the design phase, security as a nonfunctional requirement needs to be analysed to address vulnerabilities in the architecture design. Without such analysis, security vulnerabilities can be propagated to the implementation. However, security analysis is an error-prone task, especially in complex systems that apply blockchain technology. Without proper security controls applied, the interaction among software components and the blockchain may pose security risks. This paper presents a security analysis approach based on a formal model of blockchain-based architecture design. Our approach can automatically identify specific security vulnerabilities and generate informative scenarios that show how attacks may impact the blockchain. We have evaluated our approach with an example system and found it performs well in identifying an extensible class of security vulnerabilities.