Lin Liu,Eric Yu,John Mylopoulos

DOI: https://doi.org/10.1109/compsac.2006.159

2006-01-01

Abstract:Design for security is extremely complicated due to the unique nature of the issue. It requires a thorough understanding about the social setting of the security system. To obtain such understanding, sensible steps to take include identifying the players involved in the system, recognizing their personal preferences, agenda and power in relation to other players, identifying the assets being protected, the vulnerable points at which the systems may fail when attacked. Equally important is to taking rationale steps to predict most likely attackers, knowing their possible motivations, and capabilities enabled by latest the technologies and resource occupations. Only based on integrated analysis on both sides, rationale, informative and efficient tradeoffs on security can be made. Unfortunately, current system development practices treat design decisions on security in an adhoc way, often as an afterthought. This paper proposes to use social modeling concepts to analyze the business and organizational context of systems with regard to security. The main concepts used are actor, role, agent and goal, task, and resource dependencies between actors. The approach encompasses several analysis steps on the functional and non-functional requirements in relevance to security, thus integrating security into the system design process from the outset.

Muhammad Sabir Idrees,Yves Roudier,Ludovic Apvrille

DOI: https://doi.org/10.48550/arXiv.1410.4305

2014-10-16

Cryptography and Security

Abstract:Security attacks are hard to understand, often expressed with unfriendly and limited details, making it difficult for security experts and for security analysts to create intelligible security specifications. For instance, to explain Why (attack objective), What (i.e., system assets, goals, etc.), and How (attack method), adversary achieved his attack goals. We introduce in this paper a security attack meta-model for our SysML-Sec framework, developed to improve the threat identification and modeling through the explicit representation of security concerns with knowledge representation techniques. Our proposed meta-model enables the specification of these concerns through ontological concepts which define the semantics of the security artifacts and introduced using SysML-Sec diagrams. This meta-model also enables representing the relationships that tie several such concepts together. This representation is then used for reasoning about the knowledge introduced by system designers as well as security experts through the graphical environment of the SysML-Sec framework.

Ludovic Apvrille,Yves Roudier

DOI: https://doi.org/10.4204/EPTCS.148.2

2014-04-08

Abstract:We introduce SysML-Sec, a SysML-based Model-Driven Engineering environment aimed at fostering the collaboration between system designers and security experts at all methodological stages of the development of an embedded system. A central issue in the design of an embedded system is the definition of the hardware/software partitioning of the architecture of the system, which should take place as early as possible. SysML-Sec aims to extend the relevance of this analysis through the integration of security requirements and threats. In particular, we propose an agile methodology whose aim is to assess early on the impact of the security requirements and of the security mechanisms designed to satisfy them over the safety of the system. Security concerns are captured in a component-centric manner through existing SysML diagrams with only minimal extensions. After the requirements captured are derived into security and cryptographic mechanisms, security properties can be formally verified over this design. To perform the latter, model transformation techniques are implemented in the SysML-Sec toolchain in order to derive a ProVerif specification from the SysML models. An automotive firmware flashing procedure serves as a guiding example throughout our presentation.

Software Engineering,Cryptography and Security

Yepeng Ding,Hiroyuki Sato

DOI: https://doi.org/10.1109/TrustCom60117.2023.00230

2024-06-02

Abstract:Best practices of self-sovereign identity (SSI) are being intensively explored in academia and industry. Reusable solutions obtained from best practices are generalized as architectural patterns for systematic analysis and design reference, which significantly boosts productivity and increases the dependability of future implementations. For security-sensitive projects, architects make architectural decisions with careful consideration of security issues and solutions based on formal analysis and experiment results. In this paper, we propose a model-driven security analysis framework for analyzing architectural patterns of SSI systems with respect to a threat model built on our investigation of real-world security concerns. Our framework mechanizes a modeling language to formalize patterns and threats with security properties in temporal logic and automatically generates programs for verification via model checking. Besides, we present typical vulnerable patterns verified by SecureSSI, a standalone integrated development environment, integrating commonly used pattern and attacker models to practicalize our framework.

Cryptography and Security

Vivek Nigam,Alexander Pretschner,Harald Ruess

DOI: https://doi.org/10.48550/arXiv.1810.04866

2018-10-11

Logic in Computer Science

Abstract:By exploiting the increasing surface attack of systems, cyber-attacks can cause catastrophic events, such as, remotely disable safety mechanisms. This means that in order to avoid hazards, safety and security need to be integrated, exchanging information, such as, key hazards/threats, risk evaluations, mechanisms used. This white paper describes some steps towards this integration by using models. We start by identifying some key technical challenges. Then we demonstrate how models, such as Goal Structured Notation (GSN) for safety and Attack Defense Trees (ADT) for security, can address these challenges. In particular, (1) we demonstrate how to extract in an automated fashion security relevant information from safety assessments by translating GSN-Models into ADTs; (2) We show how security results can impact the confidence of safety assessments; (3) We propose a collaborative development process where safety and security assessments are built by incrementally taking into account safety and security analysis; (4) We describe how to carry out trade-off analysis in an automated fashion, such as identifying when safety and security arguments contradict each other and how to solve such contradictions. We conclude pointing out that these are the first steps towards a wide range of techniques to support Safety and Security Engineering. As a white paper, we avoid being too technical, preferring to illustrate features by using examples and thus being more accessible.

Katja Tuma,Sven Peldszus,Daniel Strüber,Riccardo Scandariato,Jan Jürjens

DOI: https://doi.org/10.1007/s10270-022-00991-5

2022-03-18

Abstract:Abstract It is challenging to verify that the planned security mechanisms are actually implemented in the software. In the context of model-based development, the implemented security mechanisms must capture all intended security properties that were considered in the design models. Assuring this compliance manually is labor intensive and can be error-prone. This work introduces the first semi-automatic technique for secure data flow compliance checks between design models and code. We develop heuristic-based automated mappings between a design-level model (SecDFD, provided by humans) and a code-level representation (Program Model, automatically extracted from the implementation) in order to guide users in discovering compliance violations, and hence, potential security flaws in the code. These mappings enable an automated , and project-specific static analysis of the implementation with respect to the desired security properties of the design model. We developed two types of security compliance checks and evaluated the entire approach on open source Java projects.

computer science, software engineering

Siv Hilde Houmb,Shareeful Islam,Eric Knauss,Jan Jürjens,Kurt Schneider

DOI: https://doi.org/10.1007/s00766-009-0093-9

2009-11-28

Requirements Engineering

Abstract:Building secure systems is difficult for many reasons. This paper deals with two of the main challenges: (i) the lack of security expertise in development teams and (ii) the inadequacy of existing methodologies to support developers who are not security experts. The security standard ISO 14508 Common Criteria (CC) together with secure design techniques such as UMLsec can provide the security expertise, knowledge, and guidelines that are needed. However, security expertise and guidelines are not stated explicitly in the CC. They are rather phrased in security domain terminology and difficult to understand for developers. This means that some general security and secure design expertise are required to fully take advantage of the CC and UMLsec. In addition, there is the problem of tracing security requirements and objectives into solution design, which is needed for proof of requirements fulfilment. This paper describes a security requirements engineering methodology called SecReq. SecReq combines three techniques: the CC, the heuristic requirements editor HeRA, and UMLsec. SecReq makes systematic use of the security engineering knowledge contained in the CC and UMLsec, as well as security-related heuristics in the HeRA tool. The integrated SecReq method supports early detection of security-related issues (HeRA), their systematic refinement guided by the CC, and the ability to trace security requirements into UML design models. A feedback loop helps reusing experience within SecReq and turns the approach into an iterative process for the secure system life-cycle, also in the presence of system evolution.

computer science, information systems, software engineering

Lionel Briand,Davide Falessi,Shiva Nejati,Mehrdad Sabetzadeh,Tao Yue

DOI: https://doi.org/10.1145/2559978

IF: 3.685

2014-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:Certifying safety-critical software and ensuring its safety requires checking the conformance between safety requirements and design. Increasingly, the development of safety-critical software relies on modeling, and the System Modeling Language (SysML) is now commonly used in many industry sectors. Inspecting safety conformance by comparing design models against safety requirements requires safety inspectors to browse through large models and is consequently time consuming and error-prone. To address this, we have devised a mechanism to establish traceability between (functional) safety requirements and SysML design models to extract design slices (model fragments) that filter out irrelevant details but keep enough context information for the slices to be easy to inspect and understand. In this article, we report on a controlled experiment assessing the impact of the traceability and slicing mechanism on inspectors' conformance decisions and effort. Results show a significant decrease in effort and an increase in decisions' correctness and level of certainty.

Linzhang Wang,Eric Wong,Dianxiang Xu

DOI: https://doi.org/10.1109/SESS.2007.2

2007-01-01

Abstract:In this paper, we propose a novel threat model-driven security testing approach for detecting undesirable threat behavior at runtime. Threats to security policies are modelled with UML (Unified Modeling Language) sequence diagrams. From a design-level threat model we extract a set of threat traces, each of which is an event sequence that should not occur during the system execution. The same threat model is also used to decide what kind of information should be collected at runtime and to guide the code instrumentation. The instrumented code is recompiled and executed using test cases randomly generated. The execution traces are collected and analyzed to verify whether the aforementioned undesirable threat traces are matched. If an execution trace is an instance of a threat trace, security violations are reported and actions should be taken to mitigate the threat in the system. Thus the linkage between models, code implementations, and security testing are extended to form a systematic methodology that can test certain security policies.

Nacha Chondamrongkul,Jing Sun,Ian Warren

DOI: https://doi.org/10.1016/j.scico.2021.102631

IF: 1.039

2021-01-01

Science of Computer Programming

Abstract:Analysing security in the architecture design of modern software systems is a challenging task. Emerging technologies utilised in building software systems may pose security threats, so software engineers need to consider both the structure and behaviour of architectural styles that employ these supporting technologies. This paper presents an automated approach to security analysis that helps to identify security characteristics at the architectural level. Key techniques used by our approach include the use of metrics, vulnerability identification and attack scenarios. Our modelling is expressive in defining architectural styles and security characteristics. Our analysis approach gives insightful results that allow software engineers to trace through the design to find parts of the system that may be impacted by attacks. We have developed an analysis tool that allows user to seamlessly model the software architecture design and analyse security. The evaluation has been conducted to assess the accuracy and performance of our approach. The results show that our analysis approach performs reasonably well to analyse the security in the architectural design. (C) 2021 Elsevier B.V. All rights reserved.

Amal Ahmed Anda,Daniel Amyot,John Mylopoulos

DOI: https://doi.org/10.3390/modelling4020009

2023-03-30

Modelling

Abstract:Socio-cyber-physical systems (SCPSs) have emerged as networked heterogeneous systems that incorporate social components (e.g., business processes and social networks) along with physical (e.g., Internet-of-Things devices) and software components. Model-driven techniques for building SCPSs need actor and goal models to capture social concerns, whereas system issues are often addressed with the Systems Modeling Language (SysML). Comprehensive traceability between these types of models is essential to support consistency and completeness checks, change management, and impact analysis. However, traceability management between these complementary views is not well supported across SysML tools, particularly when models evolve because SysML does not provide sophisticated out-of-the-box goal modeling capabilities. In our previous work, we proposed a model-based framework, called CGS4Adaptation, that supports basic traceability by importing goal and SysML models into a leading third-party requirement-management system, namely IBM Rational DOORS. In this paper, we present the framework’s traceability management method and its use for automated consistency and completeness checks. Traceability management also includes implicit link detection, thereby, improving the quality of traceability links while better aligning designs with requirements. The method is evaluated using an adaptive SCPS case study involving an IoT-based smart home. The results suggest that the tool-supported method is effective and useful in supporting the traceability management process involving complex goal and SysML models in one environment while saving development time and effort.

Martin Kardos,Yuhong Zhao

DOI: https://doi.org/10.1007/1-4020-8149-9_3

2004-01-01

Abstract:System level design incorporating system modeling and formal specification in combination with formal verification can substantially contribute to the correctness and quality of the embedded systems and consequently help reduce the development costs. Ensuring the correctness of the designed system is, of course, a crucial design criterion especially when complex distributed (realtime) embedded systems are considered. Therefore, this paper aims at presenting a verification framework designated for formal verification and validation of UML-based design of embedded systems. It first introduces an approach of using the AsmL language for acquiring formal models of the UML semantics and consequently presents an on-the-fly model checking technique designed to run the formal verification directly over those semantic models.

Deren Yang,Fulin Su,Tao Zhou

DOI: https://doi.org/10.1109/msna.2012.6324609

2012-01-01

Abstract:As a non-core element of UML, robustness analysis bridges the gap between analysis and design in software process, and it is a key technique to realize transformation and trace ability of models in software process. In this paper, the fundamental ideas of robustness analysis were highlighted. The compositions, essence, properties of robustness diagram were explored; and especially an interactive mechanism and corresponding principles for robustness diagram were proposed. The principles, models and corresponding properties of Model Driven Architecture (MDA) software paradigm were studied. And finally the mechanism of applying robustness analysis to MDA software paradigm was explored, the models' representations are detailed, and the way of using robustness diagram were specified. The research is useful to develop modeling tools based on MDA.

Amal Ahmed Anda,Daniel Amyot

DOI: https://doi.org/10.1145/3419804.3420272

2020-10-19

Abstract:Emerging socio-cyber-physical systems integrate social concerns, often captured with goal models, with complex systems, where structure and behavior are often captured in SysML. Traceability between these two types of models is important to reason about consistency, completeness, and the impact of modifications. However, managing traceability during the co-evolution of these two views is not well supported as SysML does not provide sophisticated goal-modeling capabilities out of the box. This paper proposes an approach where the Goal-oriented Requirement Language (GRL) is used to capture and analyze social concerns as a supplement to SysML models, and where traceability is handled via a third-party requirements management system, namely IBM Rational DOORS. The approach is supported with tools automating the import in DOORS of relevant parts of the GRL and SysML models from their respective modeling environments (jUCMNav and No Magic's Cameo Systems Modeler). A traceability information model is proposed to connect elements from GRL and SysML models in a way that enables automating important completeness and consistency checks, even as the models evolve. The approach is illustrated and evaluated with a Smart Home example, with a discussion of benefits and limitations.

Stefano M. Nicoletti,Marijn Peppelman,Christina Kolb,Mariëlle Stoelinga

DOI: https://doi.org/10.48550/arXiv.2106.06272

2023-10-23

Abstract:We survey the state-of-the-art on model-based formalisms for safety and security joint analysis, where safety refers to the absence of unintended failures, and security to absence of malicious attacks. We conduct a thorough literature review and - as a result - we consider fourteen model-based formalisms and compare them with respect to several criteria: (1) Modelling capabilities and Expressiveness: which phenomena can be expressed in these formalisms? To which extent can they capture safety-security interactions? (2) Analytical capabilities: which analysis types are supported? (3) Practical applicability: to what extent have the formalisms been used to analyze small or larger case studies? Furthermore, (1) we present more precise definitions for safety-security dependencies in tree-like formalisms; (2) we showcase the potential of each formalism by modelling the same toy example from the literature and (3) we present our findings and reflect on possible ways to narrow highlighted gaps. In summary, our key findings are the following: (1) the majority of approaches combine tree-like formal models; (2) the exact nature of safety-security interaction is still ill-understood and (3) diverse formalisms can capture different interactions; (4) analyzed formalisms merge modelling constructs from existing safety- and security-specific formalisms, without introducing ad hoc constructs to model safety-security interactions, or (5) metrics to analyze trade offs. Moreover, (6) large case studies representing safety-security interactions are still missing.

Cryptography and Security

Junjie Zhao,Bingfeng Xu,Xinkai Chen,Bo Wang,Gaofeng He

DOI: https://doi.org/10.1109/cbd58033.2022.00055

2022-01-01

Abstract:To solve the problem of an excessive number of component vulnerabilities and limited defense resources in industrial cyber physical systems, a method for analyzing security critical components of system is proposed. Firstly, the components and vulnerability information in the system are modeled based on SysML block definition diagram. Secondly, as SysML block definition diagram is challenging to support direct analysis, a block security dependency graph model is proposed. On this basis, the transformation rules from SysML block definition graph to block security dependency graph are established according to the structure of block definition graph and its vulnerability information. Then, the calculation method of component security importance is proposed, and a security critical component analysis tool is designed and implemented. Finally, an example of a Drone system is given to illustrate the effectiveness of the proposed method. The application of this method can provide theoretical and technical support for selecting key defense components in the industrial cyber physical system.

Yuhong Wen,Haihong Zhao,Lin Liu

DOI: https://doi.org/10.1109/RePa.2011.6046726

2011-01-01

Abstract:Security requirements analysis for business information systems in today's networked organization is difficult due to the complexity of the systems and the frequent change in the environment. Thus, it requires security knowledge to be explicitly represented, and well understood by system analysts and designer, which in turn being applied in feasible problem contexts. System requirements are often represented in modelling frameworks with different analytical focus, so security requirements knowledge shall reflect such difference and form an integrated treatment. This paper proposes to use modelling concepts from the i* and PF modeling language to capture recurring patterns of security problems. The main concepts used are actors, assets, and relations such as ownership and permissions. The major contribution of the approach is proposing the specific problem frames such as ownership, authorization, attack and protection, by decomposing a large problem into sub-problems (base frames), then evaluate the potential threats (attacking frames) applicable to each sub-problem by evaluate the compatibility of the two, security analysis is integrated into the system design process from the outset. The proposal can be generalized to the design of defensive measures as well as other NFR treatments. © 2011 IEEE.

Oluwasefunmi 'Tale Arogundade,Olusola J. Adeniran,Zhi Jin,Xiaoguang Yang

DOI: https://doi.org/10.4018/ijsse.2016070101

2016-01-01

International Journal of Secure Software Engineering

Abstract:Resource allocation decisions can be enhanced by performing risk assessment during the early development phase. In order to improve and maintain the security of the Information System IS, hereafter, there is need to build risk analysis model that can dynamically analyze threat data collected during the operational lifetime of the IS. In this paper the authors propose an ontological approach to accomplishing this goal. They present analyzer model and architecture, an agent-based risk analysis system ARAS which gathers identified threats events, probe them and correlates those using ontologies. It explores both quantitative and qualitative risk analysis techniques using real events data for probability predictions of threats based on an existing designed security ontology. To validate the feasibility of the approach a case study on e-banking system has been conducted. Simulated IDS output serves as input into the risk analysis system. The authors used JADE to implement the agents, protégé OWL to create the ontology and ORACLE 11g SQL developer for the database. Optimistic results were obtained.

Sergej Japs,Harald Anacker

DOI: https://doi.org/10.1017/pds.2021.517

2021-07-27

Proceedings of the Design Society

Abstract:Abstract Cyber-physical systems (CPS), like autonomous vehicles, are intelligent and networked. The development of such systems and its components requires interdisciplinary cooperation between different stakeholders. A lack of system understanding between stakeholders can lead to unidentified and unresolved security threats & safety hazards in early engineering phases, resulting in high costs in product development and potentially compromises compliance with the safety of CPS. Model-based systems engineering (MBSE) improves the system understanding between stakeholders by using models. However, MBSE approaches only partially address security threats & safety hazards. In particular, their integrative consideration is not taken into account. Established security & safety approaches are either only applicable to specific disciplines or only partially consider security threats & safety hazards. In the context of this paper we present a method for the resolution of safety relevant security threats in the system architecture design phase using design patterns. We illustrate our approach with the example of the automotive sector. Finally, we present an evaluation of the method, based on an 8 week project with 67 master students.