Post on 28-Dec-2015
Capturing, Organizing, and Reusing Knowledge of NFRs:
An NFR Pattern Approach
Sam Supakkul1
Tom Hill2
Ebenezer Akin Oladimeji3
Lawrence Chung1
1 The University of Texas at Dallas
2 EDS, an HP company
3 Verizon Communications
Security = “bad things to be prevented” *
* C. Haley and B. Nuseibeh, IEEE TSE, 2008
[Figure: the TJX incident. Hacker in a parking lot outside a Marshalls store in Miami; co-conspirators in Europe]
· 45.7 million stolen credit cards
· Class-action lawsuit by nearly 300 affected banks
· Cost TJX $1 billion over 5 years excluding lawsuit
To prevent such an incident, we need to know:
· Meaning of credit card security?
· Problems suffered by TJX?
· Root causes of those problems?
· Mitigation alternatives for the problems and their causes?
· Choosing and developing the mitigations with consideration of other organizational needs?
The TJX incident, the largest credit card theft in history
Difficult to get technical details from case reports
[Figure: the TJX case attack scenario. Components: Retail Transaction System, TJX Corporate Network, Internet; Store Wi-Fi (WEP), Customer, Cashier, Back Office User, ID / Password; hacker in a parking lot outside a Marshalls store in Miami; co-conspirators in Europe]
1 A hacker broke WEP encryption to access the wireless network
2 The hacker masqueraded as a valid user using intercepted ID and password
3 The hacker transferred files containing credit card info to his laptop and to co-conspirators in Europe
The TJX case attack scenario
Developed after:
• reading over 30 articles
• studying computer security
• educated assumptions
Problem: Lack of security knowledge
Problem: Difficult to possess necessary NFRs related knowledge
[Figure: the NFR knowledge space. Axes labelled Domain Independent / Domain Specific, Goal / Means, Problem / Solution, Requirements / Running System. Example cells:
- security = confidentiality, integrity, and availability?
- security = confidentiality?
- specific definition of security for credit card industry
- WEP hacking; remote user masquerading
- 2-factor authentication? strong passwords?
- security modeled as goals
- general definition of security problem frames for 2-factor authentication
- architecture and design for 2-factor authentication]
A solution: Applying NFRs knowledge captured as patterns
[Figure: overview of the approach. An Initial Requirements Model is developed into a Final Requirements Model by applying, in turn, a Goal Pattern, a Problem Pattern, a Causal Attribution Pattern, an Alternatives Pattern, a Selection Pattern and a Requirements Pattern. Panel contents:
- Goal Pattern: Security [Payment card information] eql Confidentiality eql Privacy; topic Payment card information
- Problem Pattern: TJX problems [Payment card info]: Unauthorized access [Intranet (Computing facility)], Unauthorized access [Server (Computing facility)], Malicious transfer [Payment card info]
- Causal Attribution Pattern: causes of Unauthorized access [server]: Masquerading user login; Transmission of ID and password in clear text is easily interceptable
- Alternatives Pattern: Reset compromised passwords; Disable compromised user accounts; Two-factor authentication (Password + token, Password + biometrics); RADIUS or TACACS user authentication; Password encryption; with side effects (++, +, –, – –) on Availability [Server], Usability [Server], Cost. Confidentiality [Corporate Server]: Secure passwords (Strong passwords: Non-dictionary words, Frequently changed passwords; User education, training, enforcement; ID/password encryption: Stored ID/password encryption, Transmitted ID/password encryption), evaluated against Usability and Cost
- Selection Pattern: Password + token alternatives RSA ACE server with SecurID tokens, Vasco Digipass, CRYPTOcard KT-1, compared on Availability [Authentication] (Availability [Authentication Server]; Availability [Token]: Synchronized token, Token operating life) and Interoperability [other software] (Unix login/SSH, Web login/Apache, IIS, VPN, LDAP, Windows login)
- Requirements Pattern]
Meaning of security?
TJX problems?
Causes of problems?
Alternatives?
Tradeoffs?
Requirements, specifications?
Modeling?
Goal Pattern
Name: FISMA Security Objectives
Objective: refine Security
Domain: <none>
Model: [Figure: FISMA Security Objectives. Security is refined into Integrity, Confidentiality, Availability, Privacy, Proprietary, Authenticity, Non-repudiation, Timeliness, Reliability]
Known uses: FISMA, US military
Legend: NFR goal; AND Decomp.; OR Decomp.; Design domain
Goal pattern captures a definition of an NFR
Problem pattern
Name: TJX Security Problems
Domain:
Objective: break Privacy [Payment card info]
Model: [Figure: TJX Credit Card Theft. TJX security compromises [Payment card info]: Unauthorized access [Intranet (Computing facility)], Unauthorized access [Server (Computing facility)], Malicious transfer [Payment card info]; domains Financial, Payment Card]
Experiences: TJX
Problem pattern captures an undesirable situation that can hurt an NFR
Legend: NFR goal; AND Decomp.; OR Decomp.; Design domain; Given domain; Topic/Context; Domain Interface; Undesirable Situation
Causal Attribution Pattern
Name: Unauthorized Server Access Causes
Domain: <none>
Objective: make Unauthorized Access [Server]
Model: [Figure: Unauthorized Server Access Causes]
Experiences: TJX
Causal Attribution pattern captures causes and root causes of a problem
Legend: NFR goal; AND Decomp.; OR Decomp.; Design domain; Given domain; Topic/Context; Function Reference; Domain Interface; Agent; Function; Vulnerability; Undesirable Situation; Undesirable Operation; Machine. Contributions: ++ Make, + Help, – Hurt, – – Break
Problem classification
Unauthorized Server Access Causes
[Figure: the causes model classified into Undesirable situation, Undesirable operation and Vulnerability, relative to the goal Privacy [Credit Card Information]]
Problem mitigation classification
Unauthorized Server Access Causes
[Figure: the same model with the mitigation classes: Change environment to that with more acceptable risks; Prevent the operation from being realized; Prevent the operation from causing the undesirable situation; Prevent/limit the effect on the goal]
Solution Alternatives Pattern
Name: Unauthorized Server Access Mitigation
Domain: <none>
Objective: hurt Unauthorized access [server]
Model: [Figure: Unauthorized Server Access Mitigation. Reset compromised passwords; Disable compromised user accounts; side effects on Availability [Server], Usability [Server], Cost]
Experiences:
Name: Masquerading User Login Mitigation
Domain: <none>
Objective: break Masquerading user login
Model: [Figure: Masquerading User Login Mitigation. Two-factor authentication: Password + token, Password + biometrics; side effects on Usability [Server], Cost]
Experiences:
Name: Clear text ID/password Mitigation
Domain: <none>
Objective: break Clear text ID/password Mitigation
Model: [Figure: Clear text ID/password Mitigation. Password encryption; RADIUS or TACACS remote authentication protocol; addresses "Transmission of ID and password in clear text is easily interceptable"; side effect on Cost]
Experiences:
Alternatives Selection Pattern
Name: Usability Driven Unauthorized Server Access Mitigation
Domain:
Objective: select Unauthorized Server Access Mitigation, Masquerading User Login Mitigation, Clear Text ID/Password Mitigation
Model: [Figure: Usability Driven Unauthorized Server Access Mitigation selects, from the three alternatives patterns (Unauthorized Server Access Mitigation; Masquerading User Login Mitigation; Clear text ID/password Mitigation), Two-factor authentication with Password + token, judged on Usability and Cost]
Experiences:
Result of a selection pattern
[Figure: the resulting model combines TJX Credit Card Theft (TJX security compromises [Payment card info]: Unauthorized access [Intranet (Computing facility)], Unauthorized access [Server (Computing facility)], Malicious transfer [Payment card info]), Unauthorized Server Access Causes, the three mitigation patterns (Unauthorized Server Access Mitigation; Masquerading User Login Mitigation; Clear text ID/password Mitigation) and the Usability Driven Unauthorized Server Access Mitigation selection of Two-factor authentication with Password + token]
[Figure: the patterns applied to the TJX case. Goal Pattern: FISMA Security Objectives (Security refined into Integrity, Confidentiality, Availability, Privacy, Proprietary, Authenticity, Non-repudiation, Timeliness, Reliability), Confidentiality [Corporate Server]. Problem Pattern: Unauthorized access [Corporate Server]. Causal Pattern: Masquerade [Remote login using ID/password]. Alternatives Patterns: Securing ID and passwords. Selection Pattern. Requirements Pattern]
What are requirements?
[Figure: goal model example. Safe [Transport]; Maintain [WCS distance between trains]; Maintain [Track segment speed limit]; Avoid [Train entering closed gate]; Maintain [Safe speed/acceleration commanded]; Maintain [Safe command to following train based on speed/position estimates]; Maintain [No sudden stop of preceding train]; Maintain [Safe train response to command]. Labels: Requirements; Assumption]
Requirements: Goals assignable to agents in the software-to-be [van Lamsweerde, ICSE00]
Requirements: “requirements that indicate what the customer needs from the system, described in terms of its effect on the environment” [Gunter, Gunter, Jackson, Zave, IEEE Software 2000]
[Figure: the W R S P M reference model: World, Requirement, Specification, Program, Machine]
Requirements / Specifications [R. Seater, D. Jackson, IWAAPF’06]
Problem Frames
Requirements Pattern
Name: Strong password requirements
Domain:
Objective: make Non-dictionary password, Frequently changed password
Model: [Figure: Unauthorized server access cost driven selection. Strong passwords: Non-dictionary passwords, Frequently changed passwords. Operationalizations: Maintain passwords - internal dictionary; Maintain passwords - external dictionary; Password periodic change reminder/enforcer; with side effects on Time Performance and Maintainability. Requirements: Maintain [passwords], Maintain [periodically changed passwords], Achieve [password change reminder], Maintain [password using internal dictionary], Maintain [password using external dictionary]]
Experiences:
Pattern organization
• Classification / Instantiation
• Generalization / Specialization
• Aggregation / Decomposition
[Figure: examples. FISMA Security Definition; PCI Security Definition; TJX Security Objectives Pattern; TJX Security Threats Pattern; Unauthorized Access Mitigations Pattern; TJX Security Pattern; Security Threat Mitigation Meta-Pattern; Unauthorized Server Access Mitigation Pattern; Malicious Data Transfer Mitigation Pattern]
Pattern specialization
[Figure: FISMA Security Objectives (Security [Information] refined into Integrity, Confidentiality, Availability, Privacy, Proprietary, Authenticity, Non-repudiation, Timeliness, Reliability) specialized into PCI Security Objectives (Security [Payment card information] eql Confidentiality eql Privacy); topic Information specialized to Payment Card Information]
Properties
• Specialization of context/topic
• More restrictive content
Pattern aggregation
[Figure: TJX Security Pattern for the Card Data Environment, aggregating PCI Security Objectives [Credit Card Information], TJX Threats, TJX Threat Causes, Unauthorized Server Access Mitigation, Unauthorized Intranet Access Mitigation, Malicious Data Transfer Mitigation, Two-Factor Problem Frame and Two-Factor Use Cases, connected by S+ / S- and ++ links]
[Figure: the pattern-application overview (Goal, Problem, Causal Attribution, Alternatives, Selection and Requirements Patterns, from Initial Requirements Model to Final Requirements Model), repeated from the earlier overview slide]
Manual application of multiple patterns
- Know which patterns to use
- Know which order to apply
- But flexible
Pre-assembled patterns into an aggregate pattern
- Ready-to-use
- More cohesive knowledge
- Narrower applicability
Pattern classification/meta-pattern
[Figure: Security Mitigation Meta-Pattern with elements context, problem, solution, forces, asset; Undesirable outcome [Asset], Threat, Vulnerability. Instance-of: Unauthorized Intranet Access Mitigation, Unauthorized Server Access Mitigation, Malicious Data Transfer Mitigation]
[Supakkul, Hill, Oladimeji, Chung, PLoP09]
Pattern operations
Search operation
[Figure: search; elements Pattern Catalog, Topic, Results]
Apply operation
[Figure: apply; a model M and a pattern P give a model M’]
Examples of the apply operation
[Figure: the pattern-application overview (Goal, Problem, Causal Attribution, Alternatives, Selection and Requirements Patterns, from Initial Requirements Model to Final Requirements Model), repeated from the earlier overview slide]
Conclusion
• Contributions
– Capturing and reusing different kinds of NFR knowledge using patterns
– Organization of patterns along the 3 dimensions
• Future work
– More precise definition of the concepts
– Tool support to verify the concepts
– More case studies to validate the general applicability for other NFRs