Modeling Security and Privacy Requirements: a Use Case-Driven Approach

Abstract

Context: Modern internet-based services, ranging from food delivery to home care, leverage the availability of multiple programmable devices to provide handy services tailored to end-user needs. These services are delivered through an ecosystem of device-specific software components and interfaces (e.g., mobile and wearable device applications). Since they often handle private information (e.g., location and health status), their security and privacy requirements are of crucial importance. Defining and analyzing those requirements is a significant challenge because of the many types of software components and devices integrated into such ecosystems. Each software component presents peculiarities that often depend on the context and on the devices the component interacts with, and these must be taken into account when dealing with security and privacy requirements.

Objective: In this paper, we propose, apply, and assess a modeling method that supports the specification of security and privacy requirements in a structured and analyzable form. Our motivation is that, in many contexts, use cases are common practice for the elicitation of functional requirements and should therefore also be adapted for describing security requirements.

Method: We integrate an existing approach for modeling security and privacy requirements in terms of security threats, their mitigations, and their relations to use cases in a misuse case diagram. We introduce new security-related templates, i.e., a mitigation template and a misuse case template, for specifying mitigation schemes and misuse case specifications in a structured and analyzable manner. Natural language processing can then be used to automatically report inconsistencies among artifacts and between the templates and the specifications.

Results: We successfully applied our approach to an industrial healthcare project and report lessons learned and results from structured interviews with engineers.

Conclusion: Since our approach supports the precise specification and analysis of security threats, threat scenarios, and their mitigations, it also supports decision making and the analysis of compliance with standards.
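The kind of automated consistency report the Method paragraph refers to can be illustrated with a small checker. The example below is an added illustration and is not the paper's own templates or tooling: the field names of the toy use case, misuse case and mitigation templates, the identifier scheme (UC-n, MUC-n, MIT-n), the check rules and the sample specifications are all assumptions chosen for this example. It parses specifications written in that template and reports missing mandatory fields, references to artifacts that do not exist or have the wrong kind, and asymmetric mitigation links (a misuse case claims a mitigation that does not list it back).

```python
"""Consistency checker for a hypothetical misuse case / mitigation template.

Added illustration, not the paper's templates: field names, identifier
scheme, check rules and sample specifications below are assumptions.
"""
import re
from dataclasses import dataclass, field

# Mandatory fields per artifact kind (assumed template).
REQUIRED = {
    "USE CASE": ["Actor", "Basic Flow"],
    "MISUSE CASE": ["Misuser", "Threatens", "Basic Threat Flow", "Mitigated By"],
    "MITIGATION": ["Mitigates", "Mitigation Scheme"],
}
# Which artifact kind each cross-reference field is expected to point at.
EXPECTED_KIND = {
    "Threatens": "USE CASE",
    "Mitigated By": "MITIGATION",
    "Mitigates": "MISUSE CASE",
}

HEADER = re.compile(r"^(USE CASE|MISUSE CASE|MITIGATION)\s+(\S+)\s*$")
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
REF = re.compile(r"\b[A-Z]{2,3}-\d+\b")  # identifiers such as UC-1, MUC-2, MIT-3


@dataclass
class Artifact:
    kind: str
    ident: str
    fields: dict = field(default_factory=dict)


def parse(text):
    """Parse 'KIND ID' headers followed by 'Field: value' lines into artifacts."""
    artifacts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = Artifact(m.group(1), m.group(2))
            artifacts[current.ident] = current
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current.fields[m.group(1).strip()] = m.group(2).strip()
    return artifacts


def check(artifacts):
    """Return a sorted list of template violations and dangling references."""
    problems = []
    for a in artifacts.values():
        for f in REQUIRED[a.kind]:
            if f not in a.fields:
                problems.append(f"{a.ident}: missing field '{f}'")
        for f, kind in EXPECTED_KIND.items():
            for ref in REF.findall(a.fields.get(f, "")):
                target = artifacts.get(ref)
                if target is None:
                    problems.append(f"{a.ident}: '{f}' refers to undefined {ref}")
                elif target.kind != kind:
                    problems.append(
                        f"{a.ident}: '{f}' refers to {ref}, which is a {target.kind}, not a {kind}")
    # A misuse case may only claim a mitigation that lists it back.
    for a in artifacts.values():
        if a.kind != "MISUSE CASE":
            continue
        for ref in REF.findall(a.fields.get("Mitigated By", "")):
            t = artifacts.get(ref)
            if t and t.kind == "MITIGATION" and a.ident not in REF.findall(t.fields.get("Mitigates", "")):
                problems.append(f"{ref} does not list {a.ident} under 'Mitigates'")
    return sorted(problems)


# Constructed sample specifications; MUC-2 is deliberately inconsistent.
SAMPLE = """
USE CASE UC-1
Actor: Patient
Basic Flow: The patient uploads a daily heart-rate record from the wearable.

MISUSE CASE MUC-1
Misuser: Eavesdropper
Threatens: UC-1
Basic Threat Flow: The misuser captures the upload on the local network and reads the record.
Mitigated By: MIT-1

MISUSE CASE MUC-2
Misuser: Malicious app
Threatens: UC-7
Mitigated By: MIT-1, MIT-9

MITIGATION MIT-1
Mitigates: MUC-1
Mitigation Scheme: Records are sent over TLS with certificate pinning.
"""


def report(text):
    """Parse and check a specification document in one step."""
    return check(parse(text))


if __name__ == "__main__":
    for p in report(SAMPLE):
        print(p)
```

On the constructed sample the checker flags four problems, all on MUC-2: its missing threat flow, a reference to a use case UC-7 that is never specified, a reference to an undefined mitigation MIT-9, and the fact that MIT-1 does not list MUC-2 as something it mitigates. The same structure (required fields, typed references, symmetric links) is what a template-conformance pass over real misuse case and mitigation specifications has to enforce before any deeper NLP analysis is meaningful.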

[1]  Anurag Kumar Jain,et al.  Addressing Security and Privacy Risks in Mobile Applications , 2012, IT Professional.

[2]  Lionel C. Briand,et al.  Facilitating the transition from use case models to analysis models: Approach and experiments , 2013, TSEM.

[3]  Lionel C. Briand,et al.  Applying product line Use case modeling in an industrial automotive embedded system: Lessons learned and a refined approach , 2015, 2015 ACM/IEEE 18th International Conference on Model Driven Engineering Languages and Systems (MODELS).

[4]  John Mylopoulos,et al.  Security and privacy requirements analysis within a social setting , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..

[5]  Bashar Nuseibeh,et al.  Introducing abuse frames for analysing security requirements , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..

[6]  John Mylopoulos,et al.  Modeling security requirements through ownership, permission and delegation , 2005, 13th IEEE International Conference on Requirements Engineering (RE'05).

[7]  Daryl Kulak,et al.  Use cases: requirements in context , 2000, SOEN.

[8]  A. Pfitzmann,et al.  A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management , 2010 .

[9]  Lionel C. Briand,et al.  Configuring use case models in product families , 2016, Software & Systems Modeling.

[10]  Ashwini Rao,et al.  Formal analysis of privacy requirements specifications for multi-tier applications , 2013, 2013 21st IEEE International Requirements Engineering Conference (RE).

[11]  Andreas L. Opdahl,et al.  Generalization/specialization as a structuring mechanism for misuse cases , 2002 .

[12]  Bashar Nuseibeh,et al.  Distilling privacy requirements for mobile applications , 2014, ICSE.

[13]  Mehrdad Sabetzadeh,et al.  Automated Checking of Conformance to Requirements Templates Using Natural Language Processing , 2015, IEEE Transactions on Software Engineering.

[14]  Stefanos Gritzalis,et al.  Addressing privacy requirements in system design: the PriS method , 2008, Requirements Engineering.

[15]  Marit Hansen,et al.  Protection Goals for Privacy Engineering , 2015, 2015 IEEE Security and Privacy Workshops.

[16]  Mario Piattini,et al.  A comparison of the Common Criteria with proposals of information systems security requirements , 2006, First International Conference on Availability, Reliability and Security (ARES'06).

[17]  I. Alexander,et al.  Misuse cases help to elicit non-functional requirements , 2003 .

[18]  A. N. Oppenheim,et al.  Questionnaire Design, Interviewing and Attitude Measurement , 1992 .

[19]  Ashwini Rao,et al.  Eddy, a formal language for specifying and analyzing data flow specifications for conflicting privacy requirements , 2014, Requirements Engineering.

[20]  John P. McDermott,et al.  Abuse-case-based assurance arguments , 2001, Seventeenth Annual Computer Security Applications Conference.

[21]  Maritta Heisel,et al.  Analysis and Component-based Realization of Security Requirements , 2008, 2008 Third International Conference on Availability, Reliability and Security.

[22]  Maritta Heisel,et al.  Security Engineering Using Problem Frames , 2006, ETRICS.

[23]  Lionel C. Briand,et al.  Automatic generation of system test cases from use case specifications , 2015, ISSTA.

[24]  Ruzanna Chitchyan,et al.  Discovering "Unknown Known" Security Requirements , 2016, 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE).

[25]  Seda F. Gürses,et al.  Multilateral security requirements analysis for preserving privacy in ubiquitous environments , 2006 .

[26]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[27]  Donald Firesmith,et al.  Security Use Cases , 2003, J. Object Technol..

[28]  Jan Jürjens,et al.  Towards Development of Secure Systems Using UMLsec , 2001, FASE.

[29]  Eric S. K. Yu,et al.  A Goal Oriented Approach for Modeling and Analyzing Security Trade-Offs , 2007, ER.

[30]  Haralambos Mouratidis,et al.  Secure Tropos: a Security-Oriented Extension of the Tropos Methodology , 2007, Int. J. Softw. Eng. Knowl. Eng..

[31]  Dan Boneh,et al.  Exposing private information by timing web applications , 2007, WWW '07.

[32]  Daniel Mellado,et al.  A systematic review of security requirements engineering , 2010, Comput. Stand. Interfaces.

[33]  Fabio Massacci,et al.  From Trust to Dependability through Risk Analysis , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[34]  Kristian Beckers,et al.  Comparing Privacy Requirements Engineering Approaches , 2012, 2012 Seventh International Conference on Availability, Reliability and Security.

[35]  Young-Gab Kim,et al.  Threat scenario-based security risk analysis using use case modeling in information systems , 2012, Secur. Commun. Networks.

[36]  Bashar Nuseibeh,et al.  Picking Battles: The Impact of Trust Assumptions on the Elaboration of Security Requirements , 2004, iTrust.

[37]  Axel van Lamsweerde,et al.  Elaborating security requirements by construction of intentional anti-models , 2004, Proceedings. 26th International Conference on Software Engineering.

[38]  Bashar Nuseibeh,et al.  Security Requirements Engineering: A Framework for Representation and Analysis , 2008, IEEE Transactions on Software Engineering.

[39]  Mario Piattini,et al.  Applying a Security Requirements Engineering Process , 2006, ESORICS.

[40]  S. Kanmani,et al.  Survey and analysis on Security Requirements Engineering , 2012, Comput. Electr. Eng..

[41]  Isabelle Comyn-Wattiau,et al.  Reusable knowledge in security requirements engineering: a systematic mapping study , 2015, Requirements Engineering.

[42]  Wouter Joosen,et al.  A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements , 2011, Requirements Engineering.

[43]  Duminda Wijesekera,et al.  Executable misuse cases for modeling security concerns , 2008, 2008 ACM/IEEE 30th International Conference on Software Engineering.

[44]  Frank Swiderski,et al.  Threat Modeling , 2018, Hacking Connected Cars.

[45]  Andreas L. Opdahl,et al.  Templates for Misuse Case Description , 2001 .

[46]  Jan Jürjens,et al.  Secure systems development with UML , 2004 .

[47]  Bashar Nuseibeh,et al.  Misuse case techniques for mobile privacy , 2011 .

[48]  Martin Gilje Jaatun,et al.  Security Requirements for the Rest of Us: A Survey , 2008, IEEE Software.

[49]  Ivar Jacobson,et al.  Object-oriented software engineering - a use case driven approach , 1993, TOOLS.

[50]  Lillian. Rostad An extended misuse case notation: Including vulnerabilities and the insider threat , 2006 .

[51]  Maritta Heisel,et al.  A comparison of security requirements engineering methods , 2010, Requirements Engineering.

[52]  A. Strauss,et al.  The Discovery of Grounded Theory , 1967 .

[53]  I. Hogganvik,et al.  Model-based security analysis in seven steps — a guided tour to the CORAS method , 2007 .

[54]  Lennart E. Nacke,et al.  From game design elements to gamefulness: defining "gamification" , 2011, MindTrek.

[55]  A. Opdahl,et al.  A Reuse-Based Approach to Determining Secur ity Requirements , 2003 .

[56]  Jürgen Großmann,et al.  Combining Security Risk Assessment and Security Testing Based on Standards , 2015, RISK.

[57]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[58]  Lionel C. Briand,et al.  Incremental Reconfiguration of Product Specific Use Case Models for Evolving Configuration Decisions , 2017, REFSQ.

[59]  Alistair Cockburn,et al.  Writing Effective Use Cases , 2000 .

[60]  Sven Türpe,et al.  The Trouble with Security Requirements , 2017, 2017 IEEE 25th International Requirements Engineering Conference (RE).

[61]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[62]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[63]  Bashar Nuseibeh,et al.  Using abuse frames to bound the scope of security problems , 2004, Proceedings. 12th IEEE International Requirements Engineering Conference, 2004..

[64]  Eduardo Fernández-Medina,et al.  Applying a UML Extension to Build Use Cases Diagrams in a Secure Mobile Grid Application , 2009, ER Workshops.

[65]  Ruzanna Chitchyan,et al.  Privacy Requirements: Present & Future , 2017, 2017 IEEE/ACM 39th International Conference on Software Engineering: Software Engineering in Society Track (ICSE-SEIS).

[66]  Michael A. Jackson,et al.  Problem Frames - Analysing and Structuring Software Development Problems , 2000 .

[67]  Axel van Lamsweerde,et al.  Requirements Engineering: From System Goals to UML Models to Software Specifications , 2009 .

[68]  John Mylopoulos,et al.  Goal-driven risk assessment in requirements engineering , 2011, Requirements Engineering.

[69]  Ian F. Alexander,et al.  Misuse Cases: Use Cases with Hostile Intent , 2003, IEEE Softw..

[70]  James A. Landay,et al.  Privacy risk models for designing privacy-sensitive ubiquitous computing systems , 2004, DIS '04.

[71]  Daniel J. Solove A Taxonomy of Privacy , 2006 .

[72]  Thomas Santen,et al.  Contextualizing Security Goals: A Method for Multilateral Security Requirements Elicitation , 2006, Sicherheit.

[73]  Indrakshi Ray,et al.  Verifiable composition of access control and application features , 2005, SACMAT '05.

[74]  Mehrdad Sabetzadeh,et al.  NARCIA: an automated tool for change impact analysis in natural language requirements , 2015, ESEC/SIGSOFT FSE.

[75]  Chunhui Wang,et al.  UMTG: a toolset to automatically generate system test cases from use case specifications , 2015, ESEC/SIGSOFT FSE.

[76]  Eric Dubois,et al.  Requirements Engineering for Improving Business/IT Alignment in Security Risk Management Methods , 2007, IESA.

[77]  Mohamed El-Attar,et al.  Using SMCD to reduce inconsistencies in misuse case models: A subject-based empirical evaluation , 2014, J. Syst. Softw..

[78]  Lorrie Faith Cranor,et al.  Engineering Privacy , 2009, IEEE Transactions on Software Engineering.

[79]  Mohamed El-Attar,et al.  Towards developing consistent misuse case models , 2012, J. Syst. Softw..

[80]  Frank Armour,et al.  Advanced Use Case Modeling: Software Systems , 2000 .

[81]  Bashar Nuseibeh,et al.  Automating trade-off analysis of security requirements , 2016, Requirements Engineering.

[82]  Axel van Lamsweerde,et al.  Assessing requirements-related risks through probabilistic goals and obstacles , 2013, Requirements Engineering.

[83]  Lionel C. Briand,et al.  PUMConf: a tool to configure product specific use case and domain models in a product line , 2016, SIGSOFT FSE.

[84]  Andreas L. Opdahl,et al.  Experimental comparison of attack trees and misuse cases for security threat identification , 2009, Inf. Softw. Technol..

[85]  Craig Larman,et al.  Applying UML and Patterns: An Introduction to Object-Oriented Analysis and Design and the Unified Process , 2001 .

[86]  Ian F. Alexander,et al.  Initial industrial experience of misuse cases in trade-off analysis , 2002, Proceedings IEEE Joint International Conference on Requirements Engineering.

[87]  Mehrdad Sabetzadeh,et al.  Change impact analysis for Natural Language requirements: An NLP approach , 2015, 2015 IEEE 23rd International Requirements Engineering Conference (RE).

[88]  Lionel C. Briand,et al.  A Change Management Approach in Product Lines for Use Case-Driven Development and Testing , 2017, REFSQ Workshops.

[89]  Lionel C. Briand,et al.  Change Impact Analysis for Evolving Configuration Decisions in Product Line Use Case Models , 2019, 2019 IEEE/ACM 10th International Symposium on Software and Systems Traceability (SST).