An assurance case is a body of evidence organized into an argument demonstrating that some claim about a system holds, i.e., is assured. An assurance case is needed when it is important to show that a system exhibits some complex property such as safety, security, or reliability. In this article, our objective is to explain an approach to documenting an assurance case for system security, i.e., a security assurance case or, more succinctly, a security case. ACKNOWLEDGEMENTS: Reviews by Sam Redwine, Andy Moore, Ann Miller, Gary McGraw, Nancy Mead, Bob Ellison, and Pamela Curtis are gratefully acknowledged. INTRODUCTION A security assurance case is similar to a legal case. It presents arguments showing how a top-level claim (such as “The system is acceptably secure”) is supported by objective evidence. Unlike a typical product certification, a security case considers people and processes as well as technology. A case is developed by showing how the top-level claim is supported by subclaims. For example, part of a security assurance case would typically address various sources of security vulnerabilities. Among them, the case would probably claim that a system has none of the common coding defects that lead to security vulnerabilities, including for example buffer overflow vulnerabilities. A subclaim about the 1 Assurance cases were originally used to show that systems satisfied their safety-critical properties. In this usage, they were (and are) called safety cases. The notation and approach used in this article has been used for over a decade in Europe to document why a system is sufficiently safe [Kelly 1998, Kelly 2004]. The application of the concept to reliability was documented in an SAE Standard [SAE 2004]. In this article, we extend the concept to cover system security claims. 2 Buffer overflows have been exploited by attackers more than any other class of vulnerability. Further information about the common coding defects that lead to security vulnerabilities can be found elsewhere on the BSI web site and in the computer security literature [BSI 2007b, BSI 2007c, BSI 2007d, BSI 2007e, Howard 2005, Lipner 2005, McGraw 2006, Seacord 2006, Voas 1997, and Viega 2001]. Charles B. Weinstock
[1]
Charles B. Weinstock,et al.
Evidence of Assurance: Laying the Foundation for a Credible Security Case
,
2014
.
[2]
Tim Kelly,et al.
The Goal Structuring Notation – A Safety Argument Notation
,
2004
.
[3]
Gary McGraw,et al.
Software fault injection: inoculating programs against errors
,
1997
.
[4]
Ken Frazer,et al.
Building secure software: how to avoid security problems the right way
,
2002,
SOEN.
[5]
Andrew P. Moore,et al.
Can We Ever Build Survivable Systems from COTS Components?
,
2002,
CAiSE.
[6]
Andrew P. Moore,et al.
How to Construct Formal Arguments that Persuade Certifiers
,
1999
.
[7]
Steven B. Lipner,et al.
The trustworthy computing security development lifecycle
,
2004,
20th Annual Computer Security Applications Conference.
[8]
Joon S. Park,et al.
Tools for information security assurance arguments
,
2001,
Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.
[9]
Gary McGraw,et al.
Software Security: Building Security In
,
2006,
2006 17th International Symposium on Software Reliability Engineering.
[10]
Sagar Chaki,et al.
Certifying the Absence of Buffer Overflows
,
2006
.
[11]
Robert Andrew Weaver,et al.
The Safety of Software - Constructing and Assuring Arguments
,
2003
.
[12]
Robert C. Seacord,et al.
Secure coding in C and C
,
2005
.