Towards developing consistent misuse case models

Secure software development should begin at the early stages of the development life cycle. Misuse case modeling is a technique that stems from traditional use case modeling and facilitates the elicitation and modeling of functional security requirements at the requirements phase. Misuse case modeling is an effective vehicle to potentially identify a large subset of these threats. It is therefore crucial to develop high-quality misuse case models; otherwise, the end system developed will be vulnerable to security threats. Templates to describe misuse cases are populated with syntax-free natural language content. The inherent ambiguity of syntax-free natural language, coupled with the crucial role of misuse case models in development, can have a very detrimental effect. This paper proposes a structure that will guide misuse case authors towards developing consistent misuse case models. This paper also presents a process that utilizes this structure to ensure the consistency of misuse case models as they evolve, eliminating potential damages caused by inconsistencies. A tool was developed to provide automation support for the proposed structure and process. The feasibility and application of this approach were demonstrated using two real-world case studies.
