Journal of Systems and Software
Volume 106, August 2015, Pages 102-116
Automated analysis of security requirements through risk-based argumentation
Highlights
- Included definition of premises.
- Adjusted the metamodel according to the Toulmin-style arguments.
- Revised the examples according to the changed metamodel.
- Added descriptions to Figs. 7 and 8.
- Fixed typos and improved the language.
Abstract
Computer-based systems are increasingly being exposed to evolving security threats, which often reveal new vulnerabilities. A formal analysis of the evolving threats is difficult due to a number of practical considerations such as incomplete knowledge about the design, limited information about attacks, and constraints on organisational resources. In our earlier work on RISA (RIsk assessment in Security Argumentation), we showed that informal risk assessment can complement the formal analysis of security requirements. In this paper, we integrate the formal and informal assessment of security by proposing a unified meta-model and an automated tool for supporting security argumentation called OpenRISA. Using a uniform representation of risks and arguments, our automated checking of formal arguments can identify relevant risks as rebuttals to those arguments, and identify mitigations from publicly available security catalogues when possible. As a result, security engineers are able to make informed and traceable decisions about the security of their computer-based systems. The application of OpenRISA is illustrated with examples from a PIN Entry Device case study.
Introduction
Security risks evolve in software-intensive systems. Attackers exploit an increasing number of vulnerabilities, ranging from cryptographic protocols to human subjects. Introducing new technologies into such systems often adds security risks with a higher likelihood of harming the assets. In practice, security is not perfect, owing to the limited resources available to security engineers, uncertainties about the attackers' skills and commitment, and incomplete knowledge about evolving threats and vulnerabilities.
In recent years, structured argumentation approaches have proved effective for building safety cases (Kelly, 1998) and for reasoning about both formal and informal descriptions of software systems: to demonstrate compliance with laws and regulations (Burgemeestre, Hulstijn, Tan, 2010, Cyra, Górski, 2007), to trace and justify software design decisions (Potts and Bruns, 1988), to establish confidence in software development (Graydon and Knight, 2008), and to build dependability cases that assure compliance in software development (Huhn and Zechner, 2010).
Extending the work on security argumentation (Haley et al., 2008), we have developed a framework for reasoning about security requirements of the system where abstract properties are important. For instance, it is possible to formally prove that an access control model will deny access to the Human Resource (HR) database by those who do not work in the HR department.
However, real-life phenomena can defy generalisation and abstraction, so the framework also needs to support the use of informal arguments. For instance, many HR employees could share a common password; when one of the employees leaves the department and the common password is not changed, access remains available to someone who is no longer a member of the HR department.
Through the use of the RIsk assessment in Security Argumentation (RISA) method (Franqueira et al., 2011), we have shown how risk assessments iteratively challenge the satisfaction of security requirements. The main limitation of our previous work is that formal arguments and risk-based arguments are kept in separate models, which hinders automated tool support.
In this work, this limitation is addressed by means of three contributions to the RISA method. First, we introduce an integrated modelling language to represent risk assessment and arguments uniformly. Second, the tool support extends the OpenArgue (Yu et al., 2011) argumentation tool to perform automated checking of the formal arguments. Third, we incorporate an automated search function that matches catalogues of security vulnerabilities such as CAPEC (Common Attack Pattern Enumeration and Classification) and CWE (Common Weakness Enumeration) against keywords derived from the arguments. Compared to the previous ad hoc search, the new tool supports complete coverage of these public catalogues of security expertise.
The OpenRISA approach presents a research contribution to representing and reasoning about risks associated with software security requirements. The argumentation part of the work has been evaluated with an industry evaluator at DeepBlue (Yu et al., 2011).
The remainder of the paper is organised as follows. Section 2 reviews relevant background on the satisfaction of security requirements and security arguments, whilst Section 3 reviews related work. Section 4 provides an overview of the RISA method, and Section 5 describes the corresponding tool support. Section 6 demonstrates the tool-supported method with a PIN Entry Device (PED) example. Section 7 discusses the results and points to future research and development work. Finally, Section 8 concludes.
Section snippets
Background
The RISA method builds on the notions of satisfaction of security requirements, and outer and inner arguments, introduced by Haley et al. (2008).
Related work
Related work is organised around structured argumentation, including its process and representation, and risk assessment.
The tool-supported RISA method
An overview of the data flow for a security analyst using the tool-supported approach is illustrated in Fig. 5. To support the analyst, the tool has four major components: (1) a model-based editor to help the analyst elicit problem diagrams from the description of requirements; (2) the causality (in terms of shared phenomena) in the problem diagrams provides the analyst with an initial set of premises to create the outer arguments, using the OpenRISA argumentation tool;
The tool
This section presents a domain-specific modelling language corresponding to the metamodel of outer arguments, inner arguments and risks assessment shown in Fig. 3. The language presented here extends the argumentation language presented by Yu et al. (2011). This section highlights the syntax and semantics of the integrated argumentation language. It also illustrates the algorithms for checking rebuttals and mitigations in the inner and outer arguments.
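As an added illustration of the keyword-based catalogue search described in the introduction and of the rebuttal and mitigation checks mentioned in this section, the following Python sketch is example code, not part of OpenRISA or of the paper. It represents an outer argument as a claim with premises, derives keywords from each premise, and matches them against a small constructed catalogue whose CAPEC/CWE-style identifiers are placeholders; matching attack-pattern entries are attached to premises as rebuttals, and matching weakness entries contribute mitigations. The argument data structure, the stopword list, the overlap score, the threshold and every catalogue entry are assumptions made for this example.

```python
"""Toy rebuttal/mitigation search over a constructed security catalogue (example only)."""
import re
from dataclasses import dataclass, field

# Assumption: a tiny stopword list; a real tool would use a proper tokeniser/stemmer.
STOPWORDS = {"the", "an", "of", "to", "and", "is", "are", "by", "in", "on", "for",
             "that", "who", "not", "with", "be", "it", "this", "when", "or", "as"}


def keywords(text: str) -> set[str]:
    """Derive a keyword set: lowercase, drop stopwords, crude plural stripping."""
    out = set()
    for w in re.findall(r"[a-z][a-z-]+", text.lower()):
        if w in STOPWORDS:
            continue
        if len(w) > 4 and w.endswith("s"):
            w = w[:-1]
        out.add(w)
    return out


@dataclass
class CatalogueEntry:
    ident: str                 # placeholder identifier, NOT a real CAPEC/CWE number
    kind: str                  # "attack" (CAPEC-like) or "weakness" (CWE-like)
    title: str
    description: str
    mitigations: list[str] = field(default_factory=list)


@dataclass
class Premise:
    text: str
    rebuttals: list[CatalogueEntry] = field(default_factory=list)


@dataclass
class Argument:
    claim: str
    premises: list[Premise]


# Constructed catalogue: the wording and identifiers are invented for this example.
CATALOGUE = [
    CatalogueEntry("CAPEC-EXAMPLE-1", "attack", "Use of shared or stale credentials",
                   "An attacker who once legitimately held a shared password keeps access "
                   "after leaving the group because the password was not changed.",
                   ["Issue individual accounts instead of shared passwords",
                    "Rotate shared passwords when a member leaves"]),
    CatalogueEntry("CAPEC-EXAMPLE-2", "attack", "Password brute forcing",
                   "The attacker guesses a user password by trying many candidates "
                   "against the authentication interface.",
                   ["Lock out after repeated failures", "Enforce password complexity"]),
    CatalogueEntry("CWE-EXAMPLE-1", "weakness", "Insufficient session expiration",
                   "Sessions remain valid long after the user stops using them, "
                   "allowing reuse of an idle session.",
                   ["Expire sessions after inactivity"]),
    CatalogueEntry("CWE-EXAMPLE-2", "weakness", "Credentials shared between users",
                   "A single password is shared by several users, so access cannot be "
                   "attributed or revoked per person when someone leaves.",
                   ["Assign each user an individual credential"]),
]


def overlap(text: str, entry: CatalogueEntry) -> int:
    """Number of keywords shared between free text and a catalogue entry."""
    return len(keywords(text) & keywords(entry.title + " " + entry.description))


def find_rebuttals(argument: Argument, catalogue: list[CatalogueEntry],
                   min_overlap: int = 2) -> list[tuple[str, str, int]]:
    """Attach matching attack patterns to premises as rebuttals; return (premise, id, score)."""
    found = []
    for premise in argument.premises:
        for entry in catalogue:
            if entry.kind != "attack":
                continue
            score = overlap(premise.text, entry)
            if score >= min_overlap:
                premise.rebuttals.append(entry)
                found.append((premise.text, entry.ident, score))
    return sorted(found, key=lambda t: -t[2])


def find_mitigations(rebuttal: CatalogueEntry, catalogue: list[CatalogueEntry],
                     min_overlap: int = 2) -> list[str]:
    """Mitigations of the rebuttal itself plus those of related weakness entries."""
    result = list(rebuttal.mitigations)
    for entry in catalogue:
        if entry.kind == "weakness" and overlap(rebuttal.title + " " + rebuttal.description, entry) >= min_overlap:
            result.extend(entry.mitigations)
    return result


def hr_example() -> Argument:
    """The HR-database access-control argument from the introduction, as an outer argument."""
    return Argument(
        claim="Only HR department members can access the HR database",
        premises=[
            Premise("Each HR employee authenticates to the HR database with a password shared by the department"),
            Premise("The access control policy grants the HR role read access to the HR database"),
        ])


if __name__ == "__main__":
    arg = hr_example()
    for premise_text, ident, score in find_rebuttals(arg, CATALOGUE):
        entry = next(e for e in CATALOGUE if e.ident == ident)
        print(f"Rebuttal {ident} (score {score}) against: {premise_text}")
        for m in find_mitigations(entry, CATALOGUE):
            print(f"  mitigation: {m}")
```

The second premise shares only one keyword with the shared-credential attack pattern, so it is not rebutted; the first premise shares two, which illustrates why the overlap threshold, rather than any single keyword, decides what counts as a relevant risk.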
The PIN entry device (PED) example
A PIN Entry Device (PED) is a type of device widely deployed and used by consumers to pay for goods with debit or credit smartcards at Points-Of-Sale (POS).
When using the device, cardholders typically insert their cards, issued by a financial institution, into a card-reader interface of the PED, enter the PIN using the PED’s keypad, and confirm the transaction value via a display on the PED itself. Then smartcard-based systems are expected to authenticate cardholders via the PIN and verify
Discussions
We organise our discussion around two areas: the catalogue search, based on experience gained with the PED example, and short-term future work.
Conclusion
Argumentation approaches organise the evidence for or against the claims of software security. They aim to strike a balance between perfect security and practical limitations. This paper has proposed a tool, OpenRISA, which supports the combined use of argumentation and risk assessment to reason about the satisfaction of security requirements. OpenRISA has three main features. First, it supports representing both argumentation and security risk assessment in an integrated modelling language.
Acknowledgments
The work is supported in part by the ERC Advanced Grant 291652 (Adaptive Security And Privacy, http://asap-project.eu), the SFI grant 03/CE2/I303_1, and Sentinels (http://www.sentinels.nl). We would like to thank our colleague Paul Piwek for feedback on an earlier draft of the paper.
References (45)
- Cyra, L. et al. Support for argument structures review and assessment. Reliab. Eng. Syst. Saf. (2011)
- Dung, P.M. On the acceptability of arguments and its fundamental role in nonmonotonic reasoning, logic programming and N-person games. Artif. Intell. (1995)
- Kim, K.-S. Information-seeking on the web: effects of user and task variables. Lib. Inf. Sci. Res. (2001)
- Raspotnig, C. et al. Comparing risk identification techniques for safety and security requirements. J. Syst. Software (2013)
- Shum, S.B. et al. Argumentation-based design rationale: what use at what cost? Int. J. Hum. Comput. Stud. (1994)
- Atkinson, K. et al. Justifying practical reasoning. Proceedings of the 4th Workshop on Computational Models of Natural Argument, CMNA'04 (2004)
- Baroni, P. et al. An argumentation-based approach to modeling decision support contexts with what-if capabilities. Proceedings of the 2009 AAAI Fall Symposium: The Uses of Computational Argumentation (2009)
- Bench-Capon, T.J.M. Persuasion in practical argument using value-based argumentation frameworks. J. Logic Comput. (2003)
- Bollobas, B. Modern Graph Theory (2002)
- Borgman, C.L. Why are online catalogs still hard to use? J. Am. Soc. Inf. Sci. (1996)
- Burgemeestre, Hulstijn, Tan. Value-based argumentation for justifying compliance. Proceedings of Deontic Logic in Computer Science, DEON'2010 (2010)
- Analyzing the structure of argumentative discourse. Comput. Ling. (1987)
- Cyra, Górski. Supporting compliance with safety standards by trust case templates. Proceedings of the European Safety and Reliability Conference, ESREL'07 (2007)
- Thinking inside the box: system-level failures of tamper proofing. Proceedings of the Symposium on Security and Privacy, SP'2008 (2008)
- Hazard Analysis Techniques for System Safety (2005)
- Visualizing non-functional requirements. Proceedings of the First International Workshop on Requirements Engineering Visualization, REV'06 (2006)
- Using real option thinking to improve decision making in security investment. Proceedings of On the Move to Meaningful Internet Systems, OTM'2010 (2010)
- Franqueira et al. Risk and argument: a risk-based argumentation method for practical security. Proceedings of the 19th IEEE International Requirements Engineering Conference, RE'11 (2011)
- Graydon and Knight. Success Arguments: Establishing Confidence in Software Development. Technical report CS-2008-10 (July 2008)
- Adapting OCTAVE for risk analysis in legacy system migration. Trans. Internet Inf. Syst. (2014)
Cited by (26)
- Assuring safety in air traffic control systems with argumentation and model checking. Expert Systems with Applications (2016). Citation excerpt: "The approach of Grossi translates an argumentation framework into a Kripke structure, while in our case we use structured arguments aiming at automatic model repair. OpenRISA framework (Yu, Franqueira, Tun, Wieringa, & Nuseibeh, 2015) integrates informal risk assessment with formal analysis by proposing a modeling language for argumentation and risk assessment. The resulting automated tool applies argumentation in the domain of software security."
- Exploring Sybil and Double-Spending Risks in Blockchain Systems. IEEE Access (2021)
- Using machine learning to assist with the selection of security controls during security assessment. Empirical Software Engineering (2020)
- Analysis of requirements-related arguments in user forums. Proceedings of the IEEE International Conference on Requirements Engineering (2019)
- Requirements engineering. Handbook of Software Engineering (2019)
- Canary: Extracting Requirements-Related Information from Online Discussions. Proceedings of the 2017 IEEE 25th International Requirements Engineering Conference, RE 2017 (2017)
Yijun Yu graduated from the Department of Computer Science at Fudan University (B.Sc. 1992, M.Sc. 1995, Ph.D. 1998). He was a postdoctoral research fellow at the Department of Electrical Engineering in Ghent University (1999–2002), a lecturer and research associate at the Knowledge Management lab of the Department of Computer Science in University of Toronto (2003–2006). Since October 2006, he has become a Senior Lecturer at the Department of Computing and Communications in The Open University, UK. He is a member of the IEEE Computer Society and the British Computer Society. He is interested in engineering automated software tools to solve fundamental and practical problems in the research areas of quality requirements in general, and security and privacy in particular. For more information about him see http://mcs.open.ac.uk/yy66.
Virginia N. L. Franqueira is currently a senior lecturer at the University of Derby, UK. Prior to that, she held a lecturer position at the University of Central Lancashire (UK), a postdoc research position at the University of Twente (NL), and worked as an information security consultant (UK). She received her Ph.D. in Computer Science from the University of Twente (NL) in 2009, and her M.Sc. from the Federal University of Espirito Santo (BR). She is a member of the IEEE Computer Society and the British Computer Society. Her topics of research interest include security engineering, risk management and estimation, attack modelling and external insider threat. For more information about her see http://www.derby.ac.uk/staff/virginia-franqueira/.
Thein Than Tun received Ph.D. in software engineering from London Metropolitan University in 2005. Since then, he has held research positions at the Open University (UK), University of Namur (Belgium), and University College London (UK). He is interested in Requirements Engineering approaches, and their application in the development of feature-rich, secure and privacy-sensitive software systems. His research is related to privacy requirements, requirements evolution, argumentation for security, feature interaction, failures of dependable systems and feature modelling. Dr. Tun is a fellow of the British Computer Society. For more information about him see http://mcs.open.ac.uk/ttt23.
Roel Wieringa is Chair of Information Systems at the University of Twente, the Netherlands. His research interests include requirements engineering, IT security risk assessment, and design science research methodology for software. He has written three books, Requirements Engineering: Frameworks for Understanding (Wiley, 1996), Design Methods for Reactive Systems: Yourdon, Statemate and the UML (Morgan Kaufmann, 2003), and Design Science Methodology for Information Systems and Software Engineering (Springer, 2014). He currently heads the research group of Services, Cybersecurity and Safety at the UT. Find more information at http://wwwhome.ewi.utwente.nl/~roelw/.
Bashar Nuseibeh is Chair of Computing at The Open University (Director of Research, 2002–2008). Previously, he was a Professor of Software Engineering and Chief Scientist at Lero, the Irish Software Engineering Research Centre (2009–2012). He was also an academic member of staff (Reader) in the Department of Computing at Imperial College London and Head of its Software Engineering Laboratory (1990–2001), and continues there as a Visiting Professor, maintaining strong research links with the Distributed Software Engineering Group. He is also a Visiting Professor at the National Institute of Informatics, Japan. He currently holds a Royal Society-Wolfson Merit Award (2013–2018) and a European Research Council (ERC) Advanced Grant on Adaptive Security and Privacy (2012–2017), and serves as Editor-in-Chief of the IEEE Transactions on Software Engineering (2010–2014). Previously, he held a Senior Research Fellowship from The Royal Academy of Engineering and The Leverhulme Trust (2005–2007) and served as Editor-in-Chief of the Automated Software Engineering Journal (1995–2008). For more information about him see http://mcs.open.ac.uk/ban25.
Copyright © 2015 Elsevier Inc. All rights reserved.