Approaches to Modelling Security Scenarios with Domain-Specific Languages

Many security scenarios involve both network and cryptographic protocols and the interactions of different human participants in a real-world environment. Modelling these scenarios is complex, in part due to the imprecision and under-specification of the tasks and properties involved. We present work-in-progress on a domain-specific modelling approach for such scenarios; the approach is intended to support coarse-grained state exploration, and incorporates a classification of elements complementary to computer protocols, such as the creation, personalisation, modification and transport of identity tokens. We propose the construction of a domain-specific language for capturing these elements, which will in turn support domain-specific analyses related to the reliability and modifiability of said scenarios.
