Capturing Software Systems Security Requirements
Hassan EL-Hadary. Supervised by: Dr. Sherif EL-Kassas
Source: rafea/CSCE590/Fall08/Hassan/Hadary_Prop… (transcript of 42 slides)

Page 1:

Capturing Software Systems Security Requirements

Hassan EL-Hadary
Supervised by: Dr. Sherif EL-Kassas

Page 2:

Outline

• Introduction to Software Security
  – Why secure software
  – Secure Software Development
  – Security Requirement Engineering
• Problem Statement
• Related Work
• Thesis Objective
• Proposed Approach
• Thesis Timeline

Page 3:

Introduction to Software Security

• Why secure software?
  – Attackers hack software systems
  – Vulnerabilities are exploited
  – Cost of attacks

Page 4:

Introduction to Software Security: Secure Software Development

• Developing secure software systems

(Figure) An example of a secure software development lifecycle [1]

Page 5:

Introduction to Software Security: Security Requirement Engineering

• Consider security early
• Update the requirement phase to support security
• Perform Security Requirements Engineering
  – Elicit, analyze, and validate

Page 6:

Introduction to Software Security: Security Requirements

Definition of security requirements:

• Positive:
  – How can we achieve security
  – What needs to be done to achieve security
• Negative:
  – What must not occur to achieve security

Page 7:

Introduction to Software Security: Security Definitions

(Figure) Relations between security threats, requirements, and mechanisms [2]

Page 8:

Problem Statement

Software developers need more effective assistance in integrating security into the requirement engineering phase of the software development life cycle.

Page 9:

Related Work

• Threat Modeling
• Misuse Cases
• Secure Goal Oriented Requirement Engineering
• Secure Agent Oriented Requirement Engineering

Page 10:

Threat Modeling

(Figure) Threat modeling for eliciting security requirements [3]

Page 11:

Threat Modeling

• Attack Trees

(Figure) Attack tree [5]
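Attack trees [5] attach attributes such as cost and a possible/impossible flag to leaf attack steps and propagate them up AND/OR nodes, so the analyst can read off the cheapest feasible attack and see how a candidate countermeasure changes it. The evaluator below is an added example, not code from the slides or from [5]; the `Node`, `cheapest` and `mitigated` names and the sample tree with its costs are constructed for illustration.

```python
import copy
from dataclasses import dataclass, field
from math import inf

@dataclass
class Node:
    name: str
    kind: str = "LEAF"             # "LEAF", "AND" or "OR"
    cost: float = 0.0              # leaves only: estimated attacker cost
    possible: bool = True          # leaves only: the possible/impossible flag of [5]
    children: list = field(default_factory=list)

def leaf(name, cost, possible=True):
    return Node(name, "LEAF", cost, possible)

def cheapest(node):
    """(cost, leaf names) of the cheapest possible attack under node. OR: cheapest
    child wins. AND: costs add, and one impossible child makes the AND impossible."""
    if node.kind == "LEAF":
        return (node.cost, [node.name]) if node.possible else (inf, [])
    results = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        if any(r[0] == inf for r in results):
            return (inf, [])
        return (sum(r[0] for r in results), [n for r in results for n in r[1]])
    raise ValueError(f"unknown node kind {node.kind!r}")

def mitigated(tree, blocked):
    """Re-evaluate a copy in which countermeasures made the named leaves
    impossible: how much does a candidate security requirement raise the cost?"""
    tree = copy.deepcopy(tree)
    stack = [tree]
    while stack:
        n = stack.pop()
        if n.kind == "LEAF" and n.name in blocked:
            n.possible = False
        stack.extend(n.children)
    return cheapest(tree)

# Constructed sample tree, loosely modelled on the safe example in [5];
# costs and possible/impossible flags are illustrative only.
SAFE = Node("Open safe", "OR", children=[
    leaf("Pick lock", 30),
    leaf("Cut open safe", 10_000),
    Node("Learn combination", "OR", children=[
        leaf("Threaten owner", 60, possible=False),
        leaf("Bribe owner", 20),
        Node("Eavesdrop", "AND", children=[
            leaf("Listen to conversation", 20),
            leaf("Get owner to state combination", 40, possible=False),
        ]),
    ]),
])
```

`cheapest(SAFE)` gives the bribe at 20; `mitigated(SAFE, {"Bribe owner"})` shows the next cheapest path once a requirement closes that step.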

Page 12:

Threat Modeling (Threat Classification – STRIDE [6])

Spoofing: access is gained to inaccessible assets using someone else's credentials.

Tampering: data is changed when an attack is performed.

Repudiation: a user denies performing an action, and the system has no way to prove that the user performed it.

Information disclosure: information is disclosed to a user not permitted to see it.

Denial of service: valid users become unable to access resources.

Elevation of privilege: a privileged status is gained by an unprivileged user.

Page 13:

Threat Modeling (Threat Ranking – DREAD [6])

Damage Potential: the cost of the damage when the threat is exploited.

Reproducibility: how reliably the exploit of the threat can be reproduced.

Exploitability: the level of skill needed to exploit this threat.

Affected Users: the number of affected users.

Discoverability: how easily this threat can be discovered.
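Combining the two slides above, a threat register classifies each threat with a STRIDE category and ranks it with DREAD. The Python below is an added example, not code from the slides or from [6]; the 1-to-3 scoring scale, the averaging rule, the risk-band thresholds, the `Threat` and `rank` names and the sample HR-system threats are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFORMATION_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION_OF_PRIVILEGE = "Elevation of privilege"

@dataclass(frozen=True)
class Threat:
    """One register entry: STRIDE category plus the five DREAD factors,
    each scored 1 (low) to 3 (high)."""
    name: str
    category: Stride
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def factors(self):
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)

    def __post_init__(self):
        if any(not 1 <= f <= 3 for f in self.factors()):
            raise ValueError(f"{self.name}: DREAD factors must be 1..3")

    def dread(self) -> float:
        """Average of the five factors (a common simplification of DREAD)."""
        return sum(self.factors()) / 5

def risk_band(score: float) -> str:
    # Thresholds are an assumption of this example, not part of [6].
    return "High" if score >= 2.5 else "Medium" if score >= 1.8 else "Low"

def rank(threats):
    """Highest DREAD rating first; ties broken by damage potential, then name."""
    return sorted(threats, key=lambda t: (-t.dread(), -t.damage, t.name))

# Constructed entries for the Human Resource System case study named on the
# slides; the scores are illustrative, not taken from the thesis.
HR_THREATS = [
    Threat("Unauthorized access to HR data", Stride.INFORMATION_DISCLOSURE, 3, 3, 2, 3, 2),
    Threat("Employee edits own salary record", Stride.TAMPERING, 3, 2, 2, 1, 2),
    Threat("Manager denies approving leave", Stride.REPUDIATION, 1, 3, 3, 1, 2),
    Threat("Login flood takes portal offline", Stride.DENIAL_OF_SERVICE, 2, 3, 3, 3, 3),
]

if __name__ == "__main__":
    for t in rank(HR_THREATS):
        print(f"{t.dread():.1f} {risk_band(t.dread()):6} {t.category.value:22} {t.name}")
```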

Page 14:

Misuse Cases

(Figure) Example misuse case [7]

Page 15:

Goal Oriented Requirement Engineering (KAOS)

• Goal Graph

KAOS Goal Graph [13]

Page 16:

Secure Goal Oriented Requirement Engineering (KAOS)

• Anti-Models

Anti-model Graph [4]

Page 17:

Secure Agent-Oriented Requirement Engineering (i*)

• Adapting security to i* [8]

Page 18:

Secure Agent-Oriented Approaches (i*)

• Dependency Diagram (figure)

Page 19:

Thesis Objective

Develop a methodology that assists software developers in eliciting adequate security requirements during the requirement engineering phase that is based on problem frames, abuse frames and security problem frames.

Page 20:

Problem Frames

• Introduction to Problem Frames
• Requirement Engineering using Problem Frames
• Adding Security to Problem Frames
  – Crosscutting threats
  – Abuse Frames
  – Security Problem Frames
• Proposed Problem Frame based Methodology

Page 21:

Introduction to Problem Frames

• Generalized Problem Diagram [9]

Page 22:

Introduction to Problem Frames

Page 23:

Requirement Engineering with Problem Frames

• Problem decomposition into subproblems [10]

(Figures) Problem Context Diagram; Problem Frame Diagram for the Employee Display Information subproblem

Page 24:

Adding Security to Problem Frames: Crosscutting Threats

• Identify the threat: "Unauthorized access to HR data"
• Crosscut the threat with the functional requirement "Provide HR data requested by User"
• Constrain the functional requirement [10]

Page 25:

Adding Security to Problem Frames: Abuse Frames

• Generic Abuse Frame [12] (figure)
• Model and analyze threats
• Bound the scope of security problems
  – What attack harms what asset in what subproblem

Page 26:

Adding Security to Problem Frames: Abuse Frames

(Figure) Abuse Frame for the Light Regime editing subproblem [12]

c: The editing commands that are entered by the Operator.
d: The edit operations performed by the Regime Editor.
e: The effects of the edits on the Light Regime.

Page 27:

Adding Security to Problem Frames: Security Problem Frames

SR := Malicious subject should not be able to derive Sent data and Received data using Transmitted data.

Page 28:

Proposed Methodology

Approach steps (an activity diagram in the original; its activities and decision guards are listed here as they appear):

• Use Problem Frames to model the system context and functional requirements
• Identify system assets in Problem Frames
• Identify threats using abuse frames
• Mitigate threats by constraining functional requirements or by adding assumptions about the environment
• Instantiate the matched Abuse Frame and Security Problem Frame to construct the security requirement
• Crosscut threats with functional requirements to identify vulnerabilities in Problem Frames
• Search the Abuse Frame / Security Problem Frames (SPF) catalog
• Finish

Decision guards: [If found a match], [No vulnerability], [If did not find a match], [No threats], [Found vulnerability]

Page 29:

Methodology Objectives

• Utilize different problem-frame-based methodologies that complement each other
• Assist the analyst effectively during security requirement elicitation

Page 30:

Challenges

• Construct different abuse frames covering classes of threats

• Link abuse frames with security problem frames into methodology

• Elicit consistent semantic security requirements

• Experiment and evaluate

Page 31:

Experimentation and Evaluation

• Case studies with rich security concerns:
  – Confidentiality
  – Integrity
  – Availability
• Experiment on case studies of competing methodologies
• Experiment on case studies modeled by problem frames

Page 32:

Example Case Studies

• Human Resource System

Page 33:

Example Case Studies

• Secure Remote Display System

• Secure Legal Cases System

• Air Traffic Control System

Page 34:

Example Case Studies

• E-Cheque system

Page 35:

Thesis Timeline (Fall 08 – Spring 09)

Periods (columns of the original chart):
• September – November 08
• November 08 – January 09
• February – April 09

Activities (rows of the original chart):
• Literature survey and initial methodology development
• Refining methodology
• Adapting models into methodology
• Apply methodology on suitable case studies
• Thesis writing

Page 36:

Questions?

Page 37:

References

• [1] A. Apvrille and M. Pourzandi, "Secure Software Development by Example," IEEE Security & Privacy, vol. 3, no. 4, pp. 10–17, 2005
• [2] D. Firesmith, "Security Use Cases," Journal of Object Technology, vol. 2, no. 3, pp. 53–64, 2003
• [3] S. Myagmar, A. J. Lee, and W. Yurcik, "Threat Modeling as a Basis for Security Requirements," IEEE Symposium on Requirements Engineering for Information Security (SREIS'05), 2005

Page 38:

References

• [4] A. van Lamsweerde, "Elaborating Security Requirements by Construction of Intentional Anti-models," Proc. 26th Int'l Conf. Software Eng. (ICSE 04), IEEE CS Press, 2004
• [5] B. Schneier, "Attack Trees," Dr. Dobb's Journal, December 1999
• [6] F. Swiderski and W. Snyder, Threat Modeling, Microsoft Press, 2004

Page 39:

References

• [7] S. Ardi, D. Byres, P. H. Meland, I. A. Tondel, and N. Shahmehri, "How Can the Developer Benefit From Security Modeling," Second International Conference on Availability, Reliability and Security (ARES'07), IEEE, 2007
• [8] L. Liu, E. Yu, and J. Mylopoulos, "Security and privacy requirements analysis within a social setting," Proc. of RE'03, pp. 151–161, 2003
• [9] M. Jackson, "Problem Frames and Software Engineering," Expert Systems, vol. 25, no. 1, pp. 7–8(2), February 2008

Page 40:

References

• [10] C. B. Haley, R. Laney, and B. Nuseibeh, "Deriving Security Requirements From Crosscutting Threat Descriptions," Proceedings of the Third International Conference on Aspect-Oriented Software Development, Lancaster, UK, March 22–26, 2004
• [11] C. B. Haley, J. D. Moffett, R. Laney, and B. Nuseibeh, "A Framework for Security Requirements Engineering," Proc. 2006 Software Eng. for Secure Systems Workshop with the 28th Int'l Conf. Software Eng., 2006
• [12] D. Hatebur, M. Heisel, and H. Schmidt, "A pattern system for security requirements engineering," Proceedings of the International Conference on Availability, Reliability and Security (AReS), pp. 356–365, IEEE, 2007

Page 41:

References

• [12] L. Lin, B. Nuseibeh, D. Ince, M. Jackson, and J. Moffett, "Introducing Abuse Frames for Analyzing Security Requirements," Proceedings of the 11th IEEE International Requirements Engineering Conference (RE'03), Monterey, CA, USA, pp. 371–372, September 2003
• [13] A. van Lamsweerde and E. Letier, "Handling Obstacles in Goal-Oriented Requirements Engineering," IEEE Transactions on Software Engineering, Special Issue on Exception Handling, 2000
• [14] L. A. Hermoye, A. van Lamsweerde, and D. E. Perry, "A Reuse-Based Approach to Security Requirements Engineering," September 2006

Page 42:

References

• [15] D. Hatebur, M. Heisel, and H. Schmidt, "A pattern system for security requirements engineering," Proceedings of the International Conference on Availability, Reliability and Security (AReS), pp. 356–365, IEEE, 2007
• [16] V. Banagala, "Analysis of Transaction Problems Using the Problem Frames Approach," Proc. of ICSE 2006, China, pp. 5–12, 2006