From system goals to intruder anti-goals: attack generation and resolution for security requirements engineering

Addressing security at requirements engineering time is a message that has finally started to receive attention. However, it is not yet clear how to achieve this systematically through the various stages of the requirements engineering process. We briefly introduce some of the requirements such a process should meet for high assurance to be provided by the resulting requirements product. A constructive approach to security requirements elicitation, modeling and analysis is then outlined as an attempt to address these meta-requirements. The approach is based on a framework we developed earlier for generating and resolving obstacles to the achievement of requirements. Our framework integrates intentional obstacles (or "anti-goals") set up by attackers to break security goals. Attack trees are derived systematically through anti-goal refinement until leaf nodes are reached that are either software vulnerabilities observable by the attacker or anti-requirements implementable by this attacker. New security requirements are then derived by resolving the attack trees generated in this way.
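As an added illustration (not code from the paper), a small Python model of the process the abstract describes: an AND/OR anti-goal tree whose leaves must be vulnerabilities or anti-requirements, the minimal attack scenarios such a tree yields, and a check of whether a chosen set of countermeasure requirements resolves every scenario. The tree, its node names and the "block at least one leaf per scenario" notion of resolution are constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import FrozenSet, List, Set

@dataclass
class AntiGoal:
    name: str
    kind: str = "goal"          # "goal" (still refinable), "vulnerability", "anti-requirement"
    op: str = "OR"              # refinement type: "OR" = alternatives, "AND" = all subgoals needed
    children: List["AntiGoal"] = field(default_factory=list)

def is_terminal(node: AntiGoal) -> bool:
    # Refinement stops at vulnerabilities the attacker can observe or anti-requirements it can implement.
    return node.kind in ("vulnerability", "anti-requirement")

def unrefined_leaves(node: AntiGoal) -> List[str]:
    """Leaves that are still plain anti-goals: the tree is not yet fully refined there."""
    if not node.children:
        return [] if is_terminal(node) else [node.name]
    return [n for c in node.children for n in unrefined_leaves(c)]

def attack_scenarios(node: AntiGoal) -> Set[FrozenSet[str]]:
    """Minimal sets of leaves that jointly satisfy the root anti-goal (cut sets of the AND/OR tree)."""
    if not node.children:
        return {frozenset([node.name])}
    child_sets = [attack_scenarios(c) for c in node.children]
    if node.op == "OR":
        scenarios = set().union(*child_sets)
    else:  # AND: one scenario per combination of child scenarios
        scenarios = {frozenset().union(*combo) for combo in product(*child_sets)}
    # keep only minimal scenarios (drop strict supersets of another scenario)
    return {s for s in scenarios if not any(o < s for o in scenarios)}

def unresolved_scenarios(tree: AntiGoal, countered: Set[str]) -> Set[FrozenSet[str]]:
    """Scenarios that survive: a security requirement resolves a scenario by blocking one of its leaves."""
    return {s for s in attack_scenarios(tree) if not (s & countered)}

# Constructed anti-goal tree (not from the paper) for the anti-goal "attacker knows a user's password".
TREE = AntiGoal("Attacker knows password", op="OR", children=[
    AntiGoal("Password guessed", op="AND", children=[
        AntiGoal("Weak password accepted", kind="vulnerability"),
        AntiGoal("No lockout on repeated failures", kind="vulnerability")]),
    AntiGoal("Password intercepted", op="AND", children=[
        AntiGoal("Password sent in cleartext", kind="vulnerability"),
        AntiGoal("Attacker reads network traffic", kind="anti-requirement")]),
    AntiGoal("Password disclosed by user", kind="anti-requirement")])

if __name__ == "__main__":
    print("unrefined:", unrefined_leaves(TREE))
    for s in attack_scenarios(TREE):
        print("scenario:", sorted(s))
    # Requirements "strong passwords enforced" and "password sent encrypted" block two leaves:
    print("unresolved:", unresolved_scenarios(TREE, {"Weak password accepted", "Password sent in cleartext"}))
```

A non-empty `unresolved_scenarios` result points at the attack paths for which a further security requirement still has to be derived.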
