Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Trento, Italy

Published byEstella Nicholson Modified over 6 years ago

Similar presentations

Presentation on theme: "University of Trento, Italy"— Presentation transcript:

1 University of Trento, Italy
DESIGNER WORKSHOP A Quick Introduction to METHODOLOGY AND MODELS FOR SI* Security Fabio Massacci University of Trento, Italy May 2011 eRISE Massacci and Asnar

2 SYSTEM Engineering Something happens here
The art and science of transforming a customer idea of what the system should do into a list of concrete requirements specifications for designing, coding , & testing then From “User Needs” “A general framework for dynamic management of smart card services where one or more global service applications may be present on a card to provide services to other applications.” Something happens here To “List of Requirements to be Tested” CARD_SD_MUST_HAVE_TERMINATE_PRIVILEGE CARD_APP_MUST_HAVE_TERMINATE_PRIVILEGE FORBIDDEN_TRANSITION_FROM_OP_READY CARD_APP_NOT_SD/FROM_INITLIALIZED eRISE Massacci and Asnar

3 THALES Eng. Process (super-simplified)
Architectural Design Viewpoints (“System” Model) System Architect (the one closer to the customer…) Risk Analysts Engineeringc Design Viewpoints (Requirements Lists) System Engineer Security Engineer Requirements Engineer Many others (test engineer, software engineer) etc, All actors contribute to develop different aspects of the system and must communicate with each other They use models to communicate and keep viewpoints in synch! eRISE Massacci and Asnar

4 Security And risk Engineering
The art and science of transforming a customer idea of how to protect its assets into a list of concrete requirements specifications for designing, coding & testing them Additional steps and actors in the process Risk Analyst Analyse “system” model proposed by System Architect to find what can hamper (threat) the important objetives (asset/goal) of the system and propose additional security goals (or security requirements) Security Engineer Propose security solutions that address the security requirements within the framework proposed by the System Archtect eRISE Massacci and Asnar

5 Security And risk Engineering
Slide cortesy of Thales Research and Technology testing it Example THALES Process Security Architects eRISE Massacci and Asnar

6 What you are going to Do here
A bit of system architect Your company won a bid, the procurement guys decided to use a system , the marketing guys got you some user needs and you have to understand what’s key A bit of risk analyst You must identify what can compromise the security of the system and deciding what can be done to mitigate them A bit of security engineer And maybe identify some solution But using some research methodology That’s like being a junior consultant… eRISE Massacci and Asnar

7 Enter Socio-Technical Systems
We often have Socio-Technical Systems humans or organizations play a key role for overall achievement of objectives of stakeholders, not just as “users” of a system to be Key Ideas of Goal-Based Requirements Engineering Introduce High-level goals or concrete objectives of Actors describing system-to-be but other relevant partners and Social-relationship among them in terms of goals. Trust relations among them also useful to deal with security Reasoning identify best solution to achieve high-level goals eRISE Massacci and Asnar

8 The overall process Repeat until happy What is interesting here?
Modelling Process Construct a model of the socio-technical system Actors, Goals, Trust, Assignment of responsibilities, risks etc. Reasoning Process Analyze the model to see if we achieve certain qualities E.g. Fulfillment of strategic goals for an actor does not depend on another actor who it is not trusted to do his part of the scheme Refine the model What is interesting here? Security Properties Each socio-technical system has some assets and we want to protect them Confidentiality of some data Integrity of some procedure etc. eRISE Massacci and Asnar

9 Basic Methodology for Single-Actor
eRISE Massacci and Asnar

10 Basic Methodology for Multi-Actor
eRISE Massacci and Asnar

11 The Modelling Process Costruct a Model of the Socio-Technical System
Actors Modelling Identify roles and their relationships (eg organizational structure) Goal Modeling For every actor identify its objectives and eventually refine them until assigned to actors that can achieve them or operationalized into activities of the business processes Social Relationship Modelling During the goal modelling process some goals are assigned/delegated to other actors. Identify Trust relationships Not only we have assigned the goal to them but do we trust them to do it? Etc. eRISE Massacci and Asnar

12 SI* Modeling language Diagrammatical language Agent-oriented language
Concepts + graphical representation Agent-oriented language Agent notion and related concepts are used as building concepts Organization/Business perspective on Security Models are built diagrammatically Graphical Concepts and relations are used to draw (create) models Models represent both Social actors (eg., organizations, humans, institutions) and Technical systems (e.g, software/hardware systems, architectural components, etc) Reasoning determine “Properties” of the models eRISE Massacci and Asnar

13 THE BRITISH ENCYCLOPEDIA SYNDROME
Serious illness affecting all first-time modeller Believes every concept of the modelling language must be used Start mammoth task with first modelling construct encountered quickly get exhausted Deliver bad results at the end. Modelling is expensive: remember Occam’s razor! Entia non sunt multiplicanda praeter necessitatem Identify Target of Analysis first! Use only modelling concept necessary for target and Only those concept you will use for later stages (eg for risk) eRISE Massacci and Asnar

14 CONCEPTS AND GRAPHICAL REPRERESENTATION
Agent/Role Goal Delegation Event …. ….. eRISE Massacci and Asnar

15 Actor: agent and role Agent is an active entity with concrete manifestations and is used to model humans as well as software agents and organizations Es: Bob, Alice, Dr. Paolo Rossi Role is an abstract characterization of the behavior of an active entity within some context Hospital, Operational Unit, Doctor, Patient,… eRISE Massacci and Asnar

16 Goals/Objectives/Requirements
Goal is a state of affair which an actor intends to achieve Es: Prescribe a drug to the patient Used to capture motivations and responsibilities of actors Criteria for the goal satisfaction are well defined Can be decomposed into more detailed Objectives until operational Requirements = in ATM Influence Diagrams Using boxes instead of ovals eRISE Massacci and Asnar

17 Delegation of execution (Dependency)
Transfering of objectives from one actor to another The depender appoints another actor (the dependee) to achieve a goal or furnish a resource (dependum) Bob is not capable to get prescribed by his own, he depends on Alice to achieve his goal. eRISE Massacci and Asnar

18 Trust modeling Trust is a ternary relation representing the expectations that an actor (the trustor) has concerning the behavior of another actor (the trustee). The object (e.g., goal or resource) around which a trust relation centers is called trustum E.g., the patient trust the Operational Unit of the Hospital to manage his/her personal data; the Operational Unit trust the doctors in using the patient’s data Trust of permission: not abuse of the permission Trust of execution: Expected to achieve the goal eRISE Massacci and Asnar

19 Modeling side-effects
How to capture relations among different business objectives? E.g., Archive Prescription sheet in the Drug Reimbursement process may help to Verify Drug Reimbursement Data in the Report Generation phase Contribution link (between goals and tasks) Strong Positive (++) Positive (+) Negative (-) Strong Negative (--) eRISE Massacci and Asnar

20 Reasoning Example Delegations imply a trust relation between the delegator and the delegatee The delegator should trust the delegatee for the delegated goal Untrusted Delegation: delegator does not trust the delegatee Permissions to execute activities or manage resources is assigned with a certain purpose The delegatee receives a resource because he needs to know the content of the resource to achieve a goal Sometimes, actors receive resources they do not use. This security leak is known as need-to-know issue Goal fulfillment (see first slide) eRISE Massacci and Asnar

21 Properties of Design Availability Authorization
verify if actors delegate execution of their objectives to trusted actors verify if requesters can satisfy their objectives, that is, they have assigned their objectives to actors with the capabilities to achieve them verify if requesters are confident to satisfy their objectives Authorization verify if actors delegate the permission on their entitlements to trusted actors verify if owners are confident that their entitlements are not misused verify if actors have the rights to delegate the permission to achieve a service eRISE Massacci and Asnar

22 Properties of Design (II)
Availability & Authorization verify if requesters can achieve their objectives, that is, they have assigned their objectives to actors that have both the permission and capabilities to achieve them verify if requesters are confident to achieve their objectives verify if actors have the permissions necessary to achieve they duties Privacy verify if permission has been granted to actors who actually need such a permission to achieve their duties (Need-to-know principle) This is an important property to fulfill EU legislative privacy requirements eRISE Massacci and Asnar

23 EVENT BASED RISK MODELLING
Risk is defined as an event that has a negative impact on the satisfaction of one or more goals Eg. Delay in sending Reimbursement report to the HealthCare Authority can be considered as a risk as it may hamper the goal Being Reimbursement Unwanted incidents might impact goals eRISE Massacci and Asnar

24 Modelling EVENT-BASED Risks
Goal “thing” that need to be achieved Event “uncertain circumstance” that affect the goal layer Treatment measures to treat events eRISE Massacci and Asnar

25 Target for the day - Rationale
Why we use models? because models allows us to answer more precisely to questions about the quality of final requirements. we can prove fulfillment of strategic goals for an actor does not depend on another untrusted actor (at least at this level of abstraction) We cannot do the same if we just use natural language The type of questions determine the type of models i.e. presence of different constructs that capture different properties. eRISE Massacci and Asnar

26 Target for the day - Rationale
Expressiveness in Models is not free At the beginning you must design our construct and identify reasoning procedures about it Each and every time you draw a constructl for a specific application you must ask a domain expert or a stake- holder whether all real-life situations corresponding to the constructs are actually present eRISE Massacci and Asnar

27 Undergraduate programme in Computer sciences
Si* Tool Modeling Pallet Drawing Area Reasoning eRISE Massacci and Asnar 27

Download ppt "University of Trento, Italy"

Similar presentations

Requirements Engineering Process

Requirements Engineering Process
2009 – E. Félix Security DSL Toward model-based security engineering: developing a security analysis DSML Véronique Normand, Edith Félix, Thales Research.

2009 – E. Félix Security DSL Toward model-based security engineering: developing a security analysis DSML Véronique Normand, Edith Félix, Thales Research.
The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.

The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.
Sharif University of Technology Session # 7.  Contents  Systems Analysis and Design  Planning the approach  Asking questions and collecting data 

Sharif University of Technology Session # 7.  Contents  Systems Analysis and Design  Planning the approach  Asking questions and collecting data 
socio-organizational issues and stakeholder requirements

socio-organizational issues and stakeholder requirements
1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.

1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.
Architecting secure software systems

Architecting secure software systems
1 Process Engineering A Systems Approach to Process Improvement Jeffrey L. Dutton Jacobs Sverdrup Advanced Systems Group Engineering Performance Improvement.

1 Process Engineering A Systems Approach to Process Improvement Jeffrey L. Dutton Jacobs Sverdrup Advanced Systems Group Engineering Performance Improvement.
1 A pattern language for security models Eduardo B. Fernandez and Rouyi Pan Presented by Liping Cai 03/15/2006.

1 A pattern language for security models Eduardo B. Fernandez and Rouyi Pan Presented by Liping Cai 03/15/2006.
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 6 Slide 1 Requirements Engineering Processes l Processes used to discover, analyse and.

©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 6 Slide 1 Requirements Engineering Processes l Processes used to discover, analyse and.
Copyright © 2013 Curt Hill The Zachman Framework What is it all about?

Copyright © 2013 Curt Hill The Zachman Framework What is it all about?
3rd Country Training, K.Subieta: System Engineering and Databases. Lecture 3, Slide 1 February 20, 2004 Lecture 3: Introduction to Software Analysis and.

3rd Country Training, K.Subieta: System Engineering and Databases. Lecture 3, Slide 1 February 20, 2004 Lecture 3: Introduction to Software Analysis and.
Odyssey A Reuse Environment based on Domain Models Prepared By: Mahmud Gabareen Eliad Cohen.

Odyssey A Reuse Environment based on Domain Models Prepared By: Mahmud Gabareen Eliad Cohen.
Copyright 2002 Prentice-Hall, Inc. Chapter 2 Object-Oriented Analysis and Design Modern Systems Analysis and Design Third Edition Jeffrey A. Hoffer Joey.

Copyright 2002 Prentice-Hall, Inc. Chapter 2 Object-Oriented Analysis and Design Modern Systems Analysis and Design Third Edition Jeffrey A. Hoffer Joey.
1 Introduction to Software Engineering Lecture 1.

1 Introduction to Software Engineering Lecture 1.
Requirement Engineering for Trust Management : Model, Methodology Reasoning P. Giorgini, F. Massacci, J. Mylopoulos, N. Zannone, “Requirements Engineering.

Requirement Engineering for Trust Management : Model, Methodology Reasoning P. Giorgini, F. Massacci, J. Mylopoulos, N. Zannone, “Requirements Engineering.
Architecture View Models A model is a complete, simplified description of a system from a particular perspective or viewpoint. There is no single view.

Architecture View Models A model is a complete, simplified description of a system from a particular perspective or viewpoint. There is no single view.
Search Engine Optimization © HiTech Institute. All rights reserved. Slide 1 Click to edit Master title style What is Business Analysis Body of Knowledge?

Search Engine Optimization © HiTech Institute. All rights reserved. Slide 1 Click to edit Master title style What is Business Analysis Body of Knowledge?
Copyright © 2009 Pearson Education, Inc. Publishing as Prentice Hall Appendix A Object-Oriented Analysis and Design A.1.

Copyright © 2009 Pearson Education, Inc. Publishing as Prentice Hall Appendix A Object-Oriented Analysis and Design A.1.
M253 Team Work in Distributed Environments Week (3) By Dr. Dina Tbaishat.

M253 Team Work in Distributed Environments Week (3) By Dr. Dina Tbaishat.

Similar presentations

Ads by Google