SECURITY REQUIREMENT FROM PROBLEM FRAMES PERSPECTIVE Fabricio Braz 01/25/08


Page 1

SECURITY REQUIREMENT FROM PROBLEM FRAMES PERSPECTIVE

Fabricio Braz 01/25/08

Page 2

Objective

• To present the core idea from the following articles, both based on problem frames:
– Using trust assumptions with security requirements
– Analysis and Component-based Realization of Security Requirements
• Analyze whether they show alternatives to evolve our approach (everybody)

Page 3

PROBLEM FRAMES

Page 4

Intro (1)

• All computing problems involve the interaction between domains
– tangible (people, equipment, network)
– intangible (information)
– a domain has interfaces, defined by the phenomena visible to other domains

Page 5

Intro (2)

• Machine: performs the transformation to satisfy the requirement
• The interplay of phenomena between the machine and its connected domains defines what the machine has to do to satisfy the requirement
• Specification: expression of the behavior of phenomena visible at the boundary of the domains
• Requirements: description of the problem to be solved

Page 6

Intro (3)

• Requirements
– permit passage from one room to another
– physically separate rooms when possible
• Specification (it’s up to the designer)
– different phenomena and their boundaries (how it works)
• door, blank, garden maze
– R: A ∧ F ∧ S R, where A ∧ F ∧ S must be non-contradictory

Page 7

Diagrams

• Context diagram
• Problem diagram
• Problem classes (not considered)

Page 8

Context Diagram

• Domains of interest in a system
• Their interconnections
• The phenomena (events, operation calls, messages) on the interfaces between them

Page 9

HR Subset System Requirements

• Salary, personal, and benefits information shall be able to be entered, changed, and deleted by HR staff. This information is referred to as payroll information.
• Each employee shall be able to view a subset of his or her own personal and benefits information.
• Users shall have access to kiosks located at convenient locations throughout the building and able to display an ‘address list’ subset of personal information consisting of any employee’s name, office, and work telephone number.
• At most 24 hours of modifications to information shall be vulnerable to loss.

Page 10

Context Diagram of HR Sys

Page 11

Problem Diagram

• Describes a problem in the system, expressed by a requirement.
• Projection of the context, showing only the domains or groups of domains of interest to the particular problem.
• A kind of problem diagram describes the problem as one of a known set of problem classes, showing how a given requirement is to be satisfied using the pattern that the problem class represents.

Page 12

HR Subset System Requirements

• Salary, personal, and benefits information shall be able to be entered, changed, and deleted by HR staff. This information is referred to as payroll information.
• Each employee shall be able to view a subset of his or her own personal and benefits information.
• Users shall have access to kiosks located at convenient locations throughout the building and able to display an ‘address list’ subset of personal information consisting of any employee’s name, office, and work telephone number.
• At most 24 hours of modifications to information shall be vulnerable to loss.

Page 13

Problem Diagram of Display HR System Requirement

(Diagram labels: Requirement, Domain, Machine, Shared Phenomena, Constraining)

Page 14

SECURITY REQUIREMENTS

Page 15

Information Security Buzzwords

• Asset
– something in the context of the system, tangible or not, that is to be protected
• Threat
– the potential for abuse of an asset that will cause harm
• Vulnerability
– weakness in the system that an attack exploits to realize a threat

Page 16

Security Requirements Definition

• Express constraints on the behavior of a system sufficient to satisfy security goals (CIA)

• Limit undesired system behavior as much as possible while still satisfying the system’s requirements

• Constraints on functional requirements, intended to reduce the scope of vulnerabilities

Page 17

USING TRUST ASSUMPTIONS WITH SECURITY REQUIREMENTS

B. Haley, C. Laney, D. Moffett and Bashar Nuseibeh

Page 18

Security Requirements

• CIA: general goals applied to assets
• Actions which violate the goal: threat
– performing action X on/to/with asset Y could cause harm Z
• HR system
– Exposing salary data could reduce employee morale, lowering productivity.
– Changing salary data could increase salary costs, lowering earnings.
– Exposing addresses (to headhunters) could cause loss of employees, raising costs.

Page 19

Security Requirements by Problem Frames

• Analysis of context or problem diagrams
– A threatened asset must be a domain, be contained in a domain, or be found in the phenomena
• Employ constraints on functionality that ensure that the asset cannot be abused in the way the threat description requires
– changes and/or additions to the domains or phenomena:
• changing the behavior of the domains in the context
• requiring specific behavior of the machine
• adding trust assumptions explaining why undesired behavior is believed not to occur
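The analysis rule on this page (a threatened asset must be a domain, be contained in a domain, or appear in the shared phenomena) can be applied mechanically once the problem diagram is written down. The following is an added example, not code from the slides or from the Haley et al. paper: a small model of the "display address list at a kiosk" problem of the HR subset system, with the page-18 threats run against it. Every domain, phenomenon and item name (DisplayHR, HRInfo, Kiosk, showAddressList, work_phone, and so on) is constructed for illustration, and "exposing addresses" is read as exposure of the address-list items shown at the kiosk.

```python
"""Added example, not code from the slides or from the Haley et al. paper:
a small model of a problem diagram for the 'display address list at a kiosk'
problem of the HR subset system, used to apply the rule that a threatened
asset must be a domain, be contained in a domain, or be found in the shared
phenomena. All domain, phenomenon and item names are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Domain:
    name: str
    contains: frozenset = frozenset()   # information items held by the domain


@dataclass(frozen=True)
class Phenomenon:
    """A shared phenomenon on an interface: controlled by one party, observed by the other."""
    name: str
    controlled_by: str
    shared_with: str
    carries: frozenset = frozenset()    # information items visible in the phenomenon


@dataclass(frozen=True)
class Threat:
    """'Performing action X on/to/with asset Y could cause harm Z'."""
    action: str
    asset: str
    harm: str


@dataclass
class ProblemDiagram:
    machine: str
    domains: Dict[str, Domain]
    phenomena: List[Phenomenon]

    def locate_asset(self, asset: str) -> List[str]:
        """Every place the asset appears: as a domain, inside a domain, or in a phenomenon."""
        found = []
        for d in self.domains.values():
            if d.name == asset:
                found.append(f"domain:{d.name}")
            elif asset in d.contains:
                found.append(f"in-domain:{d.name}")
        for p in self.phenomena:
            if asset in p.carries:
                found.append(f"phenomenon:{p.name}({p.controlled_by}->{p.shared_with})")
        return found

    def exposure_points(self, asset: str) -> Set[str]:
        """Domains (other than the machine) that observe a phenomenon carrying the asset.
        These are the domains whose behaviour or membership a constraint must change,
        for example by a trust assumption restricting who may be at that interface."""
        return {p.shared_with for p in self.phenomena
                if asset in p.carries and p.shared_with != self.machine}

    def analyze(self, threats: List[Threat]) -> Dict[str, List[str]]:
        """Map each threat to the locations of its asset. An empty list means the
        asset is not in the diagram at all, so the context must be revised before
        any constraint can be placed."""
        return {f"{t.action} {t.asset}": self.locate_asset(t.asset) for t in threats}


def hr_display_diagram() -> ProblemDiagram:
    """Constructed diagram: the DisplayHR machine reads personal info and shows the
    address-list subset (name, office, work phone) on a kiosk used by People."""
    hr_info = Domain("HRInfo", frozenset({"salary", "benefits", "name", "office", "work_phone"}))
    people = Domain("People")
    kiosk = Domain("Kiosk")
    address_list = frozenset({"name", "office", "work_phone"})
    phenomena = [
        Phenomenon("readPersonalInfo", "HRInfo", "DisplayHR", address_list),
        Phenomenon("showAddressList", "DisplayHR", "Kiosk", address_list),
        Phenomenon("requestList", "People", "Kiosk"),
    ]
    return ProblemDiagram("DisplayHR", {d.name: d for d in (hr_info, people, kiosk)}, phenomena)


# The page-18 threats, with 'addresses' read as the address-list items shown at the kiosk.
HR_THREATS = [
    Threat("exposing", "salary", "reduced morale, lowering productivity"),
    Threat("changing", "salary", "increased salary costs, lowering earnings"),
    Threat("exposing", "work_phone", "loss of employees to headhunters, raising costs"),
]


if __name__ == "__main__":
    diagram = hr_display_diagram()
    for threat, places in diagram.analyze(HR_THREATS).items():
        print(f"{threat}: {places or 'asset not in diagram'}")
    print("constrain at:", diagram.exposure_points("work_phone"))
```

Running it shows why the two salary threats need no constraint in this particular problem (salary is held in HRInfo but appears in none of the display problem's phenomena), while the work-phone threat reaches the Kiosk interface, which is exactly where the later slides place the constraint: either restrict the People domain at the kiosk by a trust assumption, or require specific machine behaviour before showAddressList is emitted.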

Page 20

Display HR System Revisited

Page 21

Trust Assumptions

An assumption by a requirements engineer that, in order to satisfy a security requirement, the membership or specification of a domain can depend on certain properties. The requirements engineer trusts the assumption to be true. These assumed properties or assertions act as domain restrictions; they restrict the domain in some way that contributes to the satisfaction of the security requirement.

Page 22

Trust Assumptions Purposes

• Contribute to the security argument
– in the context of the system and with information known at that point, the system is adequately secure
• Avoid analysis scope creep (recursive process)
– due to domain properties that cannot be verified with the information in hand
• One trust assumption may play a role in satisfying multiple security requirements

Page 23

Trust Assumptions Example

• The computers must operate for at least 8 h in the event of a power failure
• Security requirement
– adding backup generators to the system
– appropriate phenomena would be added so that the machine can detect the power loss, control the generators, and detect going beyond 8 h
• Should I believe that the generators are attack resistant?

Page 24

Trust Assumptions Representation

• Identification of the domain being restricted by the trust assumption
• Effect of the trust assumption
• Narrative description of the restriction(s)
• Preconditions
• List of security requirements (the constraints) satisfied

(Diagram label: TA1.1: People; Credentials kept private)

Page 25

TAs – Using authentication

Page 26

TA – Credentials kept private (1)

• The dependent domain: People.
• Effect: The People domain is restricted to contain individuals who are using their own credentials.
• Explanation: Before the restriction, the People domain can contain individuals who have credentials that may or may not have been allocated to them. After application of the restriction, the People domain can contain only individuals who have credentials allocated to them and who are using their own credentials.
• Preconditions: This trust assumption depends on TA1.2—that administrators will not expose one person’s credentials to another person.

Page 27

TA – Credentials kept private (2)

• Justification: The employees of this company are all stockholders who stand to benefit greatly from the success of the company, and therefore will respect the security rules out of self interest. The employees are also all security experts who understand at a visceral level the reasons for keeping credentials private. For these reasons we assume that they will not expose their credentials, either accidentally or intentionally.

• Security requirements partially satisfied: Address information shall be restricted to employees.

Page 28

TAs – Using building security

Page 29

TA – Building Security (1)

• The dependent domain: Employees.
• The effect: The original People domain is restricted to contain Employees.
• Explanation: Before the restriction, the People domain contains individuals, whether or not they can actually enter the building. After application of the restriction, the People domain contains only employees, the permitted occupants of the building.
• Preconditions: This trust assumption depends on the existence and operation of a building security system.

Page 30

TA – Building Security (2)

• Justification: The entrances to the building are protected by professional security staff who verify that people entering the building are employees. If a person who is not an employee is permitted entrance, that person is escorted by a member of security staff while in the building.

• Security requirements partially satisfied: Address information shall be restricted to employees.
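Pages 24 to 30 give the trust assumption representation (dependent domain, effect, explanation, preconditions, justification, requirements satisfied) and two alternative assumptions that both partially satisfy the same requirement. The following is an added example, not code from the slides or from the Haley et al. paper: the two assumptions encoded as records, with a checker that assembles the security argument for a requirement by walking each precondition chain and reporting what is still open (an external fact to confirm, a referenced assumption missing from the catalogue, an assumption nobody has justified, or a chain that rests on itself). TA1.1 and TA1.2 are the slides' own identifiers; the requirement id SR1, the id TA2.1 for the building-security assumption, and the "ext:" precondition items are constructed.

```python
"""Added example, not code from the slides or from the Haley et al. paper:
the trust assumption representation encoded as records, plus a checker that
builds the security argument for a requirement and lists the open items on
each precondition chain. SR1, TA2.1 and the 'ext:' items are constructed;
TA1.1 and TA1.2 are the identifiers used on the slides."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TrustAssumption:
    ta_id: str
    dependent_domain: str                 # domain restricted by the assumption
    effect: str                           # how the domain is restricted
    preconditions: Tuple[str, ...] = ()   # other TA ids, or "ext:<fact>" items
    satisfies: Tuple[str, ...] = ()       # security requirements (partially) satisfied
    justification: str = ""               # empty means nobody has argued it yet


SR1 = "SR1"   # "Address information shall be restricted to employees."

TAS: Dict[str, TrustAssumption] = {
    "TA1.1": TrustAssumption(
        "TA1.1", "People",
        "People restricted to individuals using their own credentials",
        preconditions=("TA1.2",), satisfies=(SR1,),
        justification="Employees are stockholders and security experts, so they "
                      "keep their credentials private out of self interest."),
    # TA1.2 is only named as a precondition on page 26; no justification is given.
    "TA1.2": TrustAssumption(
        "TA1.2", "Administrators",
        "Administrators do not expose one person's credentials to another"),
    "TA2.1": TrustAssumption(
        "TA2.1", "Employees",
        "People restricted to Employees, the permitted occupants of the building",
        preconditions=("ext:building security system exists and operates",),
        satisfies=(SR1,),
        justification="Entrances protected by security staff; non-employees are escorted."),
}


def open_items(ta_id: str, tas: Dict[str, TrustAssumption],
               path: Tuple[str, ...] = ()) -> List[str]:
    """Walk the precondition chain from ta_id and return what is still open:
    external facts to confirm, referenced TAs missing from the catalogue, TAs
    without a justification, and circular dependencies (an argument resting
    on itself)."""
    if ta_id in path:
        return ["cycle:" + "->".join(path + (ta_id,))]
    ta = tas.get(ta_id)
    if ta is None:
        return [f"missing:{ta_id}"]
    items = [] if ta.justification else [f"unjustified:{ta_id}"]
    for pre in ta.preconditions:
        if pre.startswith("ext:"):
            items.append("confirm:" + pre[4:])
        else:
            items.extend(open_items(pre, tas, path + (ta_id,)))
    return items


def argument_for(req_id: str, tas: Dict[str, TrustAssumption]) -> Dict[str, List[str]]:
    """Security argument for one requirement: every TA claiming to satisfy it,
    mapped to the open items on its chain. An empty list is a closed leg."""
    return {ta.ta_id: open_items(ta.ta_id, tas)
            for ta in tas.values() if req_id in ta.satisfies}


def requirements_without_argument(req_ids: List[str],
                                  tas: Dict[str, TrustAssumption]) -> List[str]:
    """Security requirements that no trust assumption claims to satisfy."""
    return [r for r in req_ids if not any(r in ta.satisfies for ta in tas.values())]


if __name__ == "__main__":
    for ta_id, pending in argument_for(SR1, TAS).items():
        print(f"{ta_id}: {'closed' if not pending else pending}")
```

For SR1 the checker reports two legs: the authentication leg (TA1.1) is open until someone writes a justification for TA1.2, and the building-security leg (TA2.1) is open until the existence and operation of the building security system is confirmed. Neither leg is closed by the slides alone, which is the point of recording preconditions explicitly: the argument's remaining obligations become visible instead of being hidden inside the words "we assume".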