Towards the model-driven engineering of security requirements for embedded systems

This paper discusses why and how security requirements engineering must be adapted to the model-driven approach usually adopted to design and develop embedded systems. In particular, we discuss to what extent the elicitation of security requirements and the Y-chart partitioning approach, a central design methodology in embedded systems, can enrich each other: partitioning decisions expose the assets and attack surfaces that drive security requirements, and security requirements in turn constrain how functions are mapped onto hardware and software. We also show how SysML, which is already commonly used to engineer requirements in embedded systems, can represent security requirements, assets, and threats with only a few extensions, and can thus support a more comprehensive requirements engineering methodology. We illustrate the overall methodology and its supporting toolkit with examples from the automotive embedded system domain in order to demonstrate the relevance of our approach.
