
SECURITY REQUIREMENT FROM PROBLEM FRAMES PERSPECTIVE

SECURITY REQUIREMENT FROM PROBLEM FRAMES PERSPECTIVE. Fabricio Braz 01/25/08. Objective. To present the core idea from the following articles, both based on problem frames: Using trust assumptions with security requirements; Analysis and Component-based Realization of Security Requirements





Presentation Transcript


  1. SECURITY REQUIREMENT FROM PROBLEM FRAMES PERSPECTIVE Fabricio Braz 01/25/08

  2. Objective • To present the core idea from the following articles, both based on problem frames: • Using trust assumptions with security requirements • Analysis and Component-based Realization of Security Requirements • Analyze if they show alternatives to evolve our approach (everybody)

  3. SECURITY REQUIREMENT FROM PROBLEM FRAMES PERSPECTIVE Problem Frames

  4. Intro (1) • All computing problems involve the interaction between domains • tangible (people, equipment, network) • intangible (information) • Each domain has interfaces, defined by the phenomena visible to other domains

  5. Intro (2) • Machine: performs the transformation to satisfy the requirement • The interplay of phenomena between the machine and its connected domains defines what the machine has to do to satisfy the requirement • Specification: expression of the behavior of phenomena visible at the boundary of the domains • Requirements: description of the problem to be solved

  6. Intro (3) • Requirements • permit passage from one room to another • physically separate rooms when possible • Specification (it’s up to designer) • different phenomena and their boundaries (how it works) • door, blank, garden maze • R: A ∧ F ∧ S ⇒ R, where A ∧ F ∧ S must be non-contradictory

  7. Diagrams • Context diagram • Problem diagram • Problem classes (not considered)

  8. Context Diagram • Domains of interest in a system • Their interconnection • The phenomena (events, operation calls, messages) on the interfaces between them

  9. HS Subset System Requirements • Salary, personal, and benefits information shall be able to be entered, changed, and deleted by HR staff. This information is referred to as payroll information • Each employee shall be able to view a subset of his or her own personal and benefits information. • Users shall have access to kiosks located at convenient locations throughout the building and able to display an ‘address list’ subset of personal information consisting of any employee’s name, office, and work telephone number • At most 24 hours of modifications to information shall be vulnerable to loss.

  10. Context Diagram of HR Sys

  11. Problem Diagram • Describes a problem in the system, expressed by a requirement. • Projection of the context, showing only the domains or groups of domains of interest to the particular problem. • Kind of problem diagram that describes the problem as one of a known set of problem classes, showing how a given requirement is to be satisfied using the pattern that the problem class represents

  12. HS Subset System Requirements • Salary, personal, and benefits information shall be able to be entered, changed, and deleted by HR staff. This information is referred to as payroll information • Each employee shall be able to view a subset of his or her own personal and benefits information. • Users shall have access to kiosks located at convenient locations throughout the building and able to display an ‘address list’ subset of personal information consisting of any employee’s name, office, and work telephone number • At most 24 hours of modifications to information shall be vulnerable to loss.

  13. Problem Diagram of Display HR System Requirement [Figure: problem diagram; labels: Requirement, Machine, Constraining, Shared Phenomena, Domain]

  14. SECURITY REQUIREMENT FROM PROBLEM FRAMES PERSPECTIVE Security Requirements

  15. Information Security Buzzwords • Asset • something in the context of the system, tangible or not, that is to be protected • Threat • the potential for abuse of an asset that will cause harm • Vulnerability • weakness in the system that an attack exploits to realize a threat

  16. Security Requirements Definition • Express constraints on the behavior of a system sufficient to satisfy security goals (CIA) • Limit undesired system behavior as much as possible while still satisfying the system’s requirements • Constraints on functional requirements, intended to reduce the scope of vulnerabilities

  17. SECURITY REQUIREMENT FROM PROBLEM FRAMES PERSPECTIVE Using trust assumptions with security requirements. B. Haley and C. Laney and D. Moffett and Bashar Nuseibeh

  18. Security Requirements • CIA general goals to assets • Actions which violate the goal ⇒ threat • performing action X on/to/which asset Y could cause harm Z • HR system • Exposing salary data could reduce employee morale, lowering productivity. • Changing salary data could increase salary costs, lowering earnings. • Exposing addresses (to headhunters) could cause loss of employees, raising costs.

  19. Security Requirements by Problem Frames • Analysis of context or problem diagrams • A threatened asset must be a domain or contained in a domain, or be found in the phenomena • Employ constraints on functionality that ensure that the asset cannot be abused in the way the threat description requires • changes and/or additions to the domains or phenomena: • changing the behavior of the domains in the context, • requiring specific behavior of the machine • adding trust assumptions explaining why undesired behavior is believed not to occur

  20. Display HR System Revisited

  21. Trust Assumptions An assumption by a requirements engineer that, in order to satisfy a security requirement, the membership or specification of a domain can depend on certain properties. The requirements engineer trusts the assumption to be true. These assumed properties or assertions act as domain restrictions; they restrict the domain in some way that contributes to the satisfaction of the security requirement.

  22. Trust Assumptions Purposes • Contribute to the security argument • in the context of the system and with information known at that point, the system is adequately secure • Avoid analysis scope creep (recursive process) • due to domain properties that cannot be verified with the information in hand • One trust assumption may play a role in satisfying multiple security requirements

  23. Trust Assumptions Example • The computers must operate for at least 8 h in the event of a power failure • Security requirement • adding backup generators to the system • appropriate phenomena would be added so that the machine can detect the power loss, control the generators, detect going beyond 8 h • Should I believe that the generators are attack resistant? Yes Trust Assumption

  24. Trust Assumptions Representation • Identification of the domain being restricted by the trust assumption • Effect of the trust assumption • Narrative description of the restriction(s) • Preconditions • List of security requirements (the constraints) satisfied • TA1.1: People Credentials keep private

  25. TAs – Using authentication

  26. TA – Credentials keep private (1) • The dependent domain: People. • Effect: The People domain is restricted to contain individuals who are using their own credentials. • Explanation: Before the restriction, the people domain can contain individuals who have credentials that may or may not have been allocated to them. After application of the restriction, the people domain can contain only individuals who have credentials allocated to them and who are using their own credentials. • Preconditions: This trust assumption depends on TA1.2—that administrators will not expose one person’s credentials to another person.

  27. TA – Credentials keep private (2) • Justification: The employees of this company are all stockholders who stand to benefit greatly from the success of the company, and therefore will respect the security rules out of self interest. The employees are also all security experts who understand at a visceral level the reasons for keeping credentials private. For these reasons we assume that they will not expose their credentials, either accidentally or intentionally. • Security requirements partially satisfied: Address information shall be restricted to employees.

  28. TAs – Using building security

  29. TA – Building Security (1) • The dependent domain: Employees. • The effect: The original People domain is restricted to contain Employees. • Explanation: Before the restriction, the people domain contains individuals, whether or not they can actually enter the building. After application of the restriction, the people domain contains only employees, the permitted occupants of the building. • Preconditions. This trust assumption depends on the existence and operation of a building security system.

  30. TA – Building Security (2) • Justification: The entrances to the building are protected by professional security staff who verify that people entering the building are employees. If a person who is not an employee is permitted entrance, that person is escorted by a member of security staff while in the building. • Security requirements partially satisfied: Address information shall be restricted to employees.
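
The trust assumption representation from slides 24 to 30 can be kept as structured records, so that the chain of assumptions behind a security requirement can be traced and preconditions that were never written down are flagged. The following Python sketch is an added example, not part of the original presentation; the domain name given to TA1.2 and the identifier "TA-BUILDING" are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TrustAssumption:
    ta_id: str                 # e.g. "TA1.1" (identifier used on the slides)
    domain: str                # the dependent (restricted) domain
    effect: str                # how the domain is restricted
    preconditions: tuple = ()  # ids of other trust assumptions relied upon
    satisfies: tuple = ()      # security requirements (partially) satisfied

ADDRESS_REQ = "Address information shall be restricted to employees."

# TA1.1 and its dependency on TA1.2 come from the slides. The domain name of
# TA1.2 and the id "TA-BUILDING" are assumptions made for this example.
CATALOG = [
    TrustAssumption("TA1.1", "People",
                    "only individuals using their own credentials",
                    preconditions=("TA1.2",), satisfies=(ADDRESS_REQ,)),
    TrustAssumption("TA1.2", "Administrators",
                    "will not expose one person's credentials to another"),
    TrustAssumption("TA-BUILDING", "Employees",
                    "People domain restricted to Employees",
                    satisfies=(ADDRESS_REQ,)),
]

def support(requirement, catalog):
    """Return (ids the requirement rests on, unresolved precondition ids)."""
    by_id = {ta.ta_id: ta for ta in catalog}
    resting_on, unresolved = set(), set()
    # Start from the assumptions that directly contribute to the requirement.
    stack = [ta.ta_id for ta in catalog if requirement in ta.satisfies]
    while stack:
        ta_id = stack.pop()
        if ta_id in resting_on:      # already visited; also stops cycles
            continue
        if ta_id not in by_id:       # precondition with no recorded assumption
            unresolved.add(ta_id)
            continue
        resting_on.add(ta_id)
        stack.extend(by_id[ta_id].preconditions)
    return resting_on, unresolved

if __name__ == "__main__":
    ids, missing = support(ADDRESS_REQ, CATALOG)
    print("rests on:", sorted(ids), "unresolved:", sorted(missing))
```

An empty unresolved set means every precondition in the security argument has a recorded trust assumption; it does not mean the assumptions themselves are justified.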
