Enforcing a security pattern in stakeholder goal models

Patterns are useful knowledge about recurring problems and solutions. Detecting a security problem using patterns in requirements models may lead to its early solution. In order to facilitate early detection and resolution of security problems, in this paper, we formally describe a role-based access control (RBAC) as a pattern that may occur in stakeholder requirements models. We also implemented in our goal-oriented modeling tool the formally described pattern using model-driven queries and transformations. Applied to a number of requirements models published in literature, the tool automates the detection and resolution of the security pattern in several goal-oriented stakeholder requirements.

[1]  John Mylopoulos,et al.  Security and privacy requirements analysis within a social setting , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..

[2]  K. Supaporn,et al.  An Approach : Constructing the Grammar from Security Pattern , 2007 .

[3]  Fausto Giunchiglia,et al.  Tropos: An Agent-Oriented Software Development Methodology , 2004, Autonomous Agents and Multi-Agent Systems.

[4]  Xavier Franch,et al.  A Goal-Oriented Approach for the Generation and Evaluation of Alternative Architectures , 2007, ECSA.

[5]  Eduardo B. Fernandez,et al.  A pattern language for security models , 2001 .

[6]  Yu Eric Security Design Based on Social Modeling , 2006 .

[7]  Paolo Giorgini,et al.  Secure and dependable patterns in organizations: an empirical approach , 2007, 15th IEEE International Requirements Engineering Conference (RE 2007).

[8]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[9]  Markus Schumacher,et al.  Security Engineering with Patterns: Origins, Theoretical Models, and New Applications , 2003 .

[10]  Lin Liu,et al.  Modelling Trust for System Design Using the i* Strategic Actors Framework , 2000, Trust in Cyber-societies.

[11]  Frank Budinsky,et al.  Eclipse Modeling Framework , 2003 .

[12]  Ian Sommerville,et al.  Software Engineering: (Update) (8th Edition) (International Computer Science) , 2006 .

[13]  Axel van Lamsweerde,et al.  Elaborating security requirements by construction of intentional anti-models , 2004, Proceedings. 26th International Conference on Software Engineering.

[14]  Ralph Johnson,et al.  design patterns elements of reusable object oriented software , 2019 .

[15]  John Mylopoulos,et al.  Modeling security requirements through ownership, permission and delegation , 2005, 13th IEEE International Conference on Requirements Engineering (RE'05).

[16]  Jan Jürjens,et al.  Towards a Comprehensive Framework for Secure Systems Development , 2006, CAiSE.

[17]  Fabio Massacci,et al.  Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation , 2005, Comput. Stand. Interfaces.

[18]  Dongxi Liu,et al.  Towards automatic model synchronization from model transformations , 2007, ASE.

[19]  QWU RGXFWLRQ Linking Patterns and Non-Functional Requirements , 2002 .

[20]  Ian Sommerville,et al.  Software Engineering (7th Edition) , 2004 .

[21]  Bashar Nuseibeh,et al.  Security Requirements Engineering: A Framework for Representation and Analysis , 2008, IEEE Transactions on Software Engineering.

[22]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[23]  John Mylopoulos,et al.  An Empirical Evaluation of the i* Framework in a Model-Based Software Generation Environment , 2006, CAiSE.

[24]  Arie van Deursen,et al.  Model-driven migration of supervisory machine control architectures , 2006, J. Syst. Softw..

[25]  Jaap Gordijn,et al.  E-service design using i* and e/sup 3/ value modeling , 2006, IEEE Software.

[26]  Yijun Yu,et al.  From goals to aspects: discovering aspects from requirements goal models , 2004, Proceedings. 12th IEEE International Requirements Engineering Conference, 2004..

[27]  John Mylopoulos,et al.  Designing Security Requirements Models Through Planning , 2006, CAiSE.

[28]  Bashar Nuseibeh,et al.  The effect of trust assumptions on the elaboration of security requirements , 2004, Proceedings. 12th IEEE International Requirements Engineering Conference, 2004..

[29]  Bashar Nuseibeh,et al.  Introducing abuse frames for analysing security requirements , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..