Automating trade-off analysis of security requirements

A key aspect of engineering secure systems is identifying adequate security requirements to protect critical assets from harm. However, security requirements may compete with other requirements such as cost and usability. For this reason, they may only be satisfied partially and must be traded off against other requirements to achieve "good-enough security". This paper proposes a novel approach to automate security requirements analysis in order to determine the maximum achievable satisfaction level for security requirements and to identify trade-offs between security and other requirements. We also propose a pruning algorithm to reduce the size of the search space in the analysis. We represent security concerns and requirements using asset, threat, and goal models, initially proposed in our previous work. To deal with uncertainty and partial requirements satisfaction, security concerns are quantified by leveraging the notion of composite indicators, which are computed through metric functions based on range normalisation. An SMT solver (Z3) interprets the models and automates the execution of our analyses. We illustrate and evaluate our approach by applying it to a substantive example of a service-based application for exchanging emails.
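The following is an added example and is not the paper's tool, models or data. It builds a small asset/threat/goal model for an email service, quantifies security-requirement satisfaction as a range-normalised composite indicator, and searches for the maximum achievable satisfaction under a cost budget and a usability cap with a pruned search. The paper delegates this step to the Z3 SMT solver; a plain branch-and-bound search stands in for it here so the example runs without extra packages. Every asset, threat, countermeasure, weight and number below is constructed for illustration.

```python
"""Added example (not the paper's tool or models): quantify security
satisfaction for an email service with range-normalised composite indicators
and find the best countermeasure set under cost/usability constraints.
Branch-and-bound replaces the paper's Z3-based analysis. All data is
constructed for illustration."""

# Constructed countermeasures: cost (k$), usability penalty (0..10) and the
# fraction of each threat they mitigate (0..1).
COUNTERMEASURES = {
    "tls_transport":   {"cost": 2, "usability": 1, "mitigates": {"eavesdrop": 0.6, "tamper": 0.4}},
    "smime_signing":   {"cost": 5, "usability": 4, "mitigates": {"tamper": 0.7, "spoof": 0.6}},
    "mfa_login":       {"cost": 3, "usability": 3, "mitigates": {"account_takeover": 0.8}},
    "spam_filter":     {"cost": 4, "usability": 1, "mitigates": {"spoof": 0.5, "malware": 0.7}},
    "encrypted_store": {"cost": 6, "usability": 0, "mitigates": {"eavesdrop": 0.5}},
}

# Constructed threats: the asset each one harms and a likelihood weight that
# acts as the importance of mitigating it.
THREATS = {
    "eavesdrop":        {"asset": "message_body",    "weight": 0.9},
    "tamper":           {"asset": "message_body",    "weight": 0.7},
    "spoof":            {"asset": "sender_identity", "weight": 0.6},
    "account_takeover": {"asset": "mailbox",         "weight": 0.8},
    "malware":          {"asset": "mailbox",         "weight": 0.5},
}


def threat_coverage(selected):
    """Fraction of each threat mitigated, treating countermeasures as
    independent layers: coverage = 1 - prod(1 - m_i)."""
    cov = {}
    for threat in THREATS:
        miss = 1.0
        for name in selected:
            miss *= 1.0 - COUNTERMEASURES[name]["mitigates"].get(threat, 0.0)
        cov[threat] = 1.0 - miss
    return cov


def security_satisfaction(selected):
    """Composite indicator for the security goal: likelihood-weighted mean of
    threat coverage, in [0, 1]. Monotone in the selected set."""
    cov = threat_coverage(selected)
    total = sum(t["weight"] for t in THREATS.values())
    return sum(THREATS[t]["weight"] * cov[t] for t in THREATS) / total


def total_cost(selected):
    return sum(COUNTERMEASURES[n]["cost"] for n in selected)


def total_usability_penalty(selected):
    return sum(COUNTERMEASURES[n]["usability"] for n in selected)


def range_normalise(value, lo, hi):
    """Map a metric value in [lo, hi] onto [0, 1]; a constant range maps to 0."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def composite_indicator(selected, weights=(0.6, 0.25, 0.15)):
    """One score trading security against cost and usability. Cost and
    usability are range-normalised over the candidate space (min = nothing
    selected, max = everything selected) and enter as penalties."""
    w_sec, w_cost, w_usab = weights
    everything = list(COUNTERMEASURES)
    cost_n = range_normalise(total_cost(selected), 0, total_cost(everything))
    usab_n = range_normalise(total_usability_penalty(selected), 0,
                             total_usability_penalty(everything))
    return w_sec * security_satisfaction(selected) - w_cost * cost_n - w_usab * usab_n


def max_security(budget, max_usability_penalty):
    """Maximum achievable security satisfaction under a cost budget and a
    usability cap. Depth-first search with two prunings: (1) an infeasible
    partial selection is cut, since cost and usability penalty only grow;
    (2) a branch is cut when adding every undecided countermeasure could not
    beat the incumbent, since coverage only grows. Returns
    (satisfaction rounded to 4 places, chosen set, nodes visited)."""
    names = list(COUNTERMEASURES)
    best = {"sat": 0.0, "sel": frozenset(), "nodes": 0}

    def feasible(sel):
        return (total_cost(sel) <= budget
                and total_usability_penalty(sel) <= max_usability_penalty)

    def visit(i, sel):
        best["nodes"] += 1
        sat = security_satisfaction(sel)
        if sat > best["sat"]:
            best["sat"], best["sel"] = sat, sel
        if i == len(names):
            return
        if security_satisfaction(sel | set(names[i:])) <= best["sat"]:
            return                      # pruning (2): optimistic bound
        with_it = sel | {names[i]}
        if feasible(with_it):           # pruning (1): constraints
            visit(i + 1, with_it)
        visit(i + 1, sel)

    visit(0, frozenset())
    return round(best["sat"], 4), best["sel"], best["nodes"]


def tradeoff_curve(budgets, max_usability_penalty=8):
    """Best security satisfaction per budget: the security/cost trade-off."""
    return [(b, max_security(b, max_usability_penalty)[0]) for b in budgets]


if __name__ == "__main__":
    print(max_security(10, 6))
    print(tradeoff_curve([0, 5, 10, 20]))
```

The two prunings are what keep the search tractable: the first uses the fact that cost and usability penalty never decrease when a countermeasure is added, the second uses the fact that coverage never decreases, so the satisfaction of "current selection plus everything still undecided" is a valid upper bound on the branch. Sweeping the budget with `tradeoff_curve` gives the curve of maximum achievable security against cost that the analysis in the paper is meant to expose.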
