Presentation is loading. Please wait.

Presentation is loading. Please wait.

SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE Fabricio Braz 01/25/08.

Published byDulcie Lawrence Modified over 8 years ago

Similar presentations

Presentation on theme: "SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE Fabricio Braz 01/25/08."— Presentation transcript:

1 SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE Fabricio Braz 01/25/08

2 Objective To present the core idea from the following articles, both based on problem frames: –Using trust assumptions with security requirements –Analysis and Component-based Realization of Security Requirements Analyze if they show alternatives to evolve our approach (everybody)

3 PROBLEM FRAMES SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE

4 Intro (1) All computing problems involve the interaction between domains –tangible (people, equipment, network) –intangible (information) –has interfaces, defined by the phenomena visible to others domains

5 Intro (2) Performs the transformation to satisfy the requirement The interplay of phenomena between the machine and its connected domains define what the machine has to do to satisfy the requirement Specification  expression of the behavior of phenomena visible at the boundary of the domains Requirements  description of the problem to be solved Machine

6 Intro (3) Requirements –permit passage from one room to another –physically separate rooms when possible Specification (it’s up to designer) –different phenomena and its boundaries (how it works) door, blank, garden maze –R: A Λ F Λ S  R, where A Λ F Λ S must be non- contradirory

7 Diagrams Context diagram Problem diagram Problem classes (not considered)

8 Context Diagram Domains of interest in a system Their interconnection The phenomena (events, operation calls, messages) on the interfaces between them

9 HS Subset System Requirements Salary, personal, and benefits information shall be able to be entered, changed, and deleted by HR staff. This information is referred to as payroll information Each employee shall be able to view a subset of his or her own personal and benefits information. Users shall have access to kiosks located at convenient locations throughout the building and able to display an ‘address list’ subset of personal information consisting of any employee’s name, office, and work telephone number At most 24 hours of modifications to information shall be vulnerable to loss.

10 Context Diagram of HR Sys

11 Problem Diagram Describes a problem in the system, expressed by a requirement. Projection of the context, showing only the domains or groups of domains of interest to the particular problem. Kind of problem diagram that describes the problem as one of a known set of problem classes, showing how a given requirement is to be satisfied using the pattern that the problem class represents

12 HS Subset System Requirements Salary, personal, and benefits information shall be able to be entered, changed, and deleted by HR staff. This information is referred to as payroll information Each employee shall be able to view a subset of his or her own personal and benefits information. Users shall have access to kiosks located at convenient locations throughout the building and able to display an ‘address list’ subset of personal information consisting of any employee’s name, office, and work telephone number At most 24 hours of modifications to information shall be vulnerable to loss.

13 Problem Diagram of Display HR System Requirement Requirement Domain Machine Shared Phenomena Constraining

14 SECURITY REQUIREMENTS SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE

15 Information Security Buzzwords Asset –something in the context of the system, tangible or not, that is to be protected Threat –the potential for abuse of an asset that will cause harm Vulnerability –weakness in the system that an attack exploits to realize a threat

16 Security Requirements Definition Express constraints on the behavior of a system sufficient to satisfy security goals (CIA) Limit undesired system behavior as much as possible while still satisfying the system’s requirements Constraints on functional requirements, intended to reduce the scope of vulnerabilities

17 USING TRUST ASSUMPTIONS WITH SECURITY REQUIREMENTS B. HALEY AND C. LANEY AND D. MOFFETT AND BASHAR NUSEIBEH SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE

18 Security Requirements CIA general goals to assets Actions which violate the goal  threat –performing action X on/to/which asset Y could cause harm Z HR system –Exposing salary data could reduce employee morale, lowering productivity. –Changing salary data could increase salary costs, lowering earnings. –Exposing addresses (to headhunters) could cause loss of employees, raising costs.

19 Security Requirements by Problem Frames Analysis of context or problem diagrams –An threaten asset must be a domain or contained in a domain, or be found in the phenomena Employ constraints on functionality that ensure that the asset cannot be abused in the way the threat description requires –changes and/or additions to the domains or phenomena: changing the behavior of the domains in the context, requiring specific behavior of the machine adding trust assumptions explaining why undesired behavior is believed not to occur

20 Display HR System Revisited

21 Trust Assumptions An assumption by a requirements engineer that, in order to satisfy a security requirement, the membership or specification of a domain can depend on certain properties. The requirements engineer trusts the assumption to be true. These assumed properties or assertions act as domain restrictions; they restrict the domain in some way that contributes to the satisfaction of the security requirement.

22 Trust Assumptions Purposes Contribute to the security argument –in the context of the system and with information known at that point, the system is adequately secure Avoid analysis scope creep (recursive process) –due to domain properties that cannot be verified with the information in hand One trust assumptions may play a role in satisfying multiple security requirements

23 Trust Assumptions Example The computers must operate for at least 8 h in the event of a power failure Security requirement –adding backup generators to the system –appropriate phenomena would be added so that the machine can detect the power loss, control the generators, detect going beyond 8 h Should I believe that the generators are attack resistant?

24 Trust Assumptions Representation Identification of the domain being restricted by the trust assumption Effect of the trust assumption Narrative description of the restriction(s) Preconditions List of security requirements (the constraints) satisfied TA1.1:People Credentials keep private

25 TAs – Using authentication

26 TA – Credentials keep private (1) The dependent domain: People. Effect: The People domain is restricted to contain individuals who are using their own credentials. Explanation: Before the restriction, the people domain can contain individuals who have credentials that may or may not have been allocated to them. After application of the restriction, the people domain can contain only individuals who have credentials allocated to them and who are using their own credentials. Preconditions: This trust assumption depends on TA1.2— that administrators will not expose one person’s credentials to another person.

27 TA – Credentials keep private (2) Justification: The employees of this company are all stockholders who stand to benefit greatly from the success of the company, and therefore will respect the security rules out of self interest. The employees are also all security experts who understand at a visceral level the reasons for keeping credentials private. For these reasons we assume that they will not expose their credentials, either accidentally or intentionally. Security requirements partially satisfied: Address information shall be restricted to employees.

28 TAs – Using building security

29 TA – Building Security (1) The dependent domain: Employees. The effect: The original People domain is restricted to contain Employees. Explanation: Before the restriction, the people domain contains individuals, whether or not they can actually enter the building. After application of the restriction, the people domain contains only employees, the permitted occupants of the building. Preconditions. This trust assumption depends on the existence and operation of a building security system.

30 TA – Building Security (2) Justification: The entrances to the building are protected by professional security staff who verify that people entering the building are employees. If a person who is not an employee is permitted entrance, that person is escorted by a member of security staff while in the building. Security requirements partially satisfied: Address information shall be restricted to employees.

Download ppt "SECURITY REQUIREMENT FROM PROBLEM FRAMES PERPECTIVE Fabricio Braz 01/25/08."

Similar presentations

Use Case Diagrams Damian Gordon.

Use Case Diagrams Damian Gordon.
Operating System Security

Operating System Security
Analysis Modeling.

Analysis Modeling.
These handouts and documents with attachments are not final, complete, or definitive instruments. This information is for guidance purposes only. You should.

These handouts and documents with attachments are not final, complete, or definitive instruments. This information is for guidance purposes only. You should.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
OASIS Reference Model for Service Oriented Architecture 1.0

OASIS Reference Model for Service Oriented Architecture 1.0
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Software Testing and Quality Assurance

Software Testing and Quality Assurance
Introducing Computer and Network Security

Introducing Computer and Network Security
The Architecture Design Process

The Architecture Design Process
© 2005 Prentice Hall12-1 Stumpf and Teague Object-Oriented Systems Analysis and Design with UML.

© 2005 Prentice Hall12-1 Stumpf and Teague Object-Oriented Systems Analysis and Design with UML.
Four Dark Corners of Requirements Engineering

Four Dark Corners of Requirements Engineering
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 2 Wenbing Zhao Department of Electrical and Computer Engineering.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Firewalls and the Campus Grid: an Overview Bruce Beckles University of Cambridge Computing Service.

Firewalls and the Campus Grid: an Overview Bruce Beckles University of Cambridge Computing Service.
CSC271 Database Systems Lecture # 21. Summary: Previous Lecture  Phases of database SDLC  Prototyping (optional)  Implementation  Data conversion.

CSC271 Database Systems Lecture # 21. Summary: Previous Lecture  Phases of database SDLC  Prototyping (optional)  Implementation  Data conversion.
Practical IS security design in accordance with Common Criteria Security and Protection of Information 2005 František VOSEJPKA S.ICZ a.s. June 5, 2005.

Practical IS security design in accordance with Common Criteria Security and Protection of Information 2005 František VOSEJPKA S.ICZ a.s. June 5, 2005.
Towards a Logic for Wide- Area Internet Routing Nick Feamster Hari Balakrishnan.

Towards a Logic for Wide- Area Internet Routing Nick Feamster Hari Balakrishnan.
12 NYCRR PART 800.16 PUBLIC EMPLOYER WORKPLACE VIOLENCE PREVENTION PROGRAMS.

12 NYCRR PART PUBLIC EMPLOYER WORKPLACE VIOLENCE PREVENTION PROGRAMS.

Similar presentations

Ads by Google