Presentation is loading. Please wait.

Presentation is loading. Please wait.

Requirements Engineering meets Trust Management

Published byPaolina Tosi Modified over 6 years ago

Similar presentations

Presentation on theme: "Requirements Engineering meets Trust Management"— Presentation transcript:

1 Requirements Engineering meets Trust Management
P. Giorgini N. Zannone F.Massacci J. Mylopoulos Presented by Fabio Massacci (DIT - University of Trento - (Create-NET -

2 Talk Outline Requirements Eng. for Security & Trust
i*/Tropos RE Methodology Security-Aware Tropos Informal Model Methodology Formal Model Verification Future Work and Conclusions 2/17

3 Requirements Eng. for Security & Trust I
UML Proposals Model-Driven Architecture [Basin et al.] UMLsec - [Juriens] Early Requirements Proposals Anti-requirements [van Lamsweerde et al., Crook et al.], Problem-Frames [Hall et al.] Security Patterns [Giorgini & Mouratidis] Privacy Modelling [Liu et al., Spafford] 3/17

4 Requirements Eng. Security & Trust II
UML Pros and Cons Well-known even if meta-level extension not standardized Effective - MDA -> automatic configuration of system “Too Late” - model of system rather than organization An average doc for “Security Policy and Security Management” (compulsory for italian public administration) is 30% on ICT systems - 70% on paper or organizational requirements Worse for privacy legislation Early requirements Pros and Cons Capture organizational structure Modelling done at object-level (almost no extension) “Too Functional” - Security is modelled explicitly and in parallel with the actual functional model 4/17

5 Requirements Eng. Security & Trust III
Where’s trust? Most approaches focus on “modelling and implementing” security and privacy services The choice of Security services derives from (implicit) (dis)trust relationships linked to some functional goals Emerged if explantion for choices of security services is sought Somebody must have already analyzed the requirements and found out that we do/don’t trust somebody and so we need security services Security&Privacy requirements are “late requirements” Modelling Trust/Functional Model together In MDA spirit appropriate security services should be automatically derived from trust requirements Derive Trust Management Credentials from Functional requirements + Trust/Ownership realtions 5/17

6 i* - Tropos Methodology I
Agent-Oriented RE Methodology Agents, Roles Goals, Tasks, Resources Dependency among agents (A depends on B on G, if A wants G to be done and B agrees to look after that) Goal Decomposition (AND/OR, positive, negative contribution) Easy to Understand by Users for Early RE Good for Modelling Organizations Formal Reasoning Tools Available 6/17

7 i* - Tropos Methodology II
Limitation Mindset is Cooperative Information Systems Only Functional Requirements, No trust at language level Major assumption is that if you provide a service you have also the authority to decide who can use it Life is complicated… Req: Data analysis of donated placenta managed by Institute’s XXX IS and should be searched by authorized researcher Req: Decision to grant placenta cells usage for bone marrow transplant by the trusted XXX board Law: Genetic data belongs to the donor patient Law: Donor have access to (some) cells for her own family if she so required at time of donation Authorized by who? Trusted by who? When permissions are gathered? 7/17

8 Security-Aware Tropos - Informal Model
Add-ons Distinction between wanting/offering/owning a goal Trust relationship on Agent/goals/Agents Some agents want some goal/task to be done Hospital doctor wants to consult medical record Other agents offer this goal/task Nephrology ward locker stores medical records Another agent owns this goal/task Patient owns the medical record Agents trust other agents on the goal Patient trust Hospital to store medical record 8/17

9 Security-Aware Tropos - Informal II
Use Diagram to communicate requirements Nice drawing with ovals and arrows Model Dependency and Trust Relationships Hosp Deleg Clinician Trust Owns Patient Obtain Medical Treatment Clinician Hospital Analys Pers. Data Dep Dep And now derive permissions automatically 9/17

10 Security-Aware Tropos - Informal III
10/17

11 Security-Aware Tropos - Informal IV
Beware: NOT all “permissions” and “auth. processes” are mapped onto digital certificates Remember Fabio’s “Real-Life Dominance Rule” Some “credentials” will be papers signed by an individual Others corresponds to oral or physical permissions Examples Permission to use genetic data for research and “self” usage (collected on the day of childbirth…) Parents’ or Guardian approval for clinical data to be used in case of unexpected outcome in “wet” surgery University visiting professor’s request for temp. IP address 11/17

12 Security-Aware Tropos - Methodology
Design Functional Dependency Model Design Trust/Ownership Model Refinements by Goal Decomposition Goal (Functional) Delegation to other agents Modify Trust Relationship Design /Synth Trust Management Implementation Goal (Permission) Delegation to other agents (Computer Supported) Analysis Goal Fulfillment (Functional Delegation Chain) Trusted Execution (Trust Chain Match Funct. Deleg. Chain) Trusted Delegation (Trust Chain Match Permis. Deleg. Chain) 12/17

13 Security-Aware Tropos - Formal Model
Semi-formal Analysis Annotate diagrams with formulae Partial checks at type level Eliminate already many errors in the chains Formal Analysis Full model at instance level Define instances of agents and goals instantiate delegation in many ways Finite State Model checking and (to be done) infinite state analysis Allows Discovery of subtler relationships between parties Patient trusts “her” clinician, and hospital Analys relationships with third parties Delegation of permissions can create unexpected breach of trust “natural & simple” permission chain may not match “natural” trust chain 13/17

14 Security-Aware Tropos -Formal Model II
Possible models Linear Temporal Logic Answer-Set Programs (Datalog with constraints) Used also for some Trust Management Language (RT) Formulae Delegation -> delegate(Alice, Goal, Bob, Depth) Depth is for depth of re-delegation Ownership -> owns(Alice, Goal) Axioms delChain(A,G,B,D) :- delegate(A,G,C,D1), D1>1, #succ(D1,D2), delChain(C,G,B,D3), D2>=D3. trustFull(hospital, Record, medicalIS) :- isRecord(Record). trustFull(hospital, Record, Agent) :- isClinician(Agent), isRecord(Record). 14/17

15 Security-Aware Tropos - Reasoning
For any delegation step there is also a trust step For any delegation chain is there a trust chain? Not implied by the first (illegal delegation steps, or trust has different depth than actual delegation of permission) hospital gives undbounded delegation to clinician to consult colleagues to consult colleagues etc. Patient trust (derived from trust in hospital) stops at first consultancy. Procedure should go back to patient who should get back to hospital to get additional consultancy and then get back to first consultant Does somebody fulfils a goal for which he has no permission? Delegation of Permission does NOT start with legitimate owner of data Hospital authorizes doctor but has not got patient authorization 15/17

16 Security-Aware Tropos - Reasoning II
Effective Datalog Implementation DLV (TU Wien) Generate Instance (semi-automatic) Ask queries (SQL frontend) Consistency/Inconsistency Find all Agents/Goals satisfying bad property Find Missing properties Abduction of missing edges in trust chain Usefulness Must be grounded first, so if no error found no guarantee yet that model is correct (maybe larger instance will do) Mostly useful as debugging tool for supporting Requirements Engineer 16/17

17 Future Works and Conclusions
Integrated Modelling of Trust/Functional Reqs Greater expressivity and flexibility Explain “Why” and not also “How” Formal reasoning possible Does functional delegation chain match trust chain? Future Works Automatic derivation of Trust-Management credentials for RT [EuroPKI-2004] Natural way to model privacy requirements [ISPW-2004] What if you must delegate (functional goals) to somebody you don’t trust? Integrating time: trust and reputation changes over time 17/17

Download ppt "Requirements Engineering meets Trust Management"

Similar presentations

Configuration management

Configuration management
Configuration management

Configuration management
Giorgini P., EuroPKI 20041 Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures Paolo Giorgini Department of.

Giorgini P., EuroPKI Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures Paolo Giorgini Department of.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
Developing MAS The GAIA Methodology A Brief Summary by António Castro and Prof. Eugénio Oliveira.

Developing MAS The GAIA Methodology A Brief Summary by António Castro and Prof. Eugénio Oliveira.
AOSE-2003, Melbourne July 15 th 1 Agent Oriented modeling by interleaving formal and informal analysis Anna Perini 1, Marco Pistore 2,1, Marco Roveri 1,

AOSE-2003, Melbourne July 15 th 1 Agent Oriented modeling by interleaving formal and informal analysis Anna Perini 1, Marco Pistore 2,1, Marco Roveri 1,
Expert Systems Infsy 540 Dr. Ocker. Expert Systems n computer systems which try to mimic human expertise n produce a decision that does not require judgment.

Expert Systems Infsy 540 Dr. Ocker. Expert Systems n computer systems which try to mimic human expertise n produce a decision that does not require judgment.
1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.

1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.
Where Results Begin. “We don’t have a health care delivery system in this country. We have an expensive plethora of uncoordinated, unlinked, economically.

Where Results Begin. “We don’t have a health care delivery system in this country. We have an expensive plethora of uncoordinated, unlinked, economically.
SecureTropos ST-Tool A CASE tool for security-aware software requirements analysis Departement of Information and Communication Technology – University.

SecureTropos ST-Tool A CASE tool for security-aware software requirements analysis Departement of Information and Communication Technology – University.
Università degli Studi di Trento Modeling Security Requirements Through Ownership, Permission and Delegation A comedy in 10 acts plus an epilogue starring.

Università degli Studi di Trento Modeling Security Requirements Through Ownership, Permission and Delegation A comedy in 10 acts plus an epilogue starring.
Università degli Studi di Trento Privacy is Linking Permission to Purpose F.MassacciN. Zannone Presented by Fabio Massacci (DIT - University of Trento.

Università degli Studi di Trento Privacy is Linking Permission to Purpose F.MassacciN. Zannone Presented by Fabio Massacci (DIT - University of Trento.
1 A pattern language for security models Eduardo B. Fernandez and Rouyi Pan Presented by Liping Cai 03/15/2006.

1 A pattern language for security models Eduardo B. Fernandez and Rouyi Pan Presented by Liping Cai 03/15/2006.
Configuration Management (CM)

Configuration Management (CM)
Università degli Studi di Trento Modeling Security Requirements Through Ownership, Permission and Delegation P. Giorgini F.Massacci J. Mylopoulos N. Zannone.

Università degli Studi di Trento Modeling Security Requirements Through Ownership, Permission and Delegation P. Giorgini F.Massacci J. Mylopoulos N. Zannone.
1 Dept of Information and Communication Technology Creating Objects in Flexible Authorization Framework ¹ Dep. of Information and Communication Technology,

1 Dept of Information and Communication Technology Creating Objects in Flexible Authorization Framework ¹ Dep. of Information and Communication Technology,
Database Design and Management CPTG 424. 10/23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,

Database Design and Management CPTG /23/2015Chapter 12 of 38 Functions of a Database Store data Store data School: student records, class schedules,
Requirement Engineering for Trust Management : Model, Methodology Reasoning P. Giorgini, F. Massacci, J. Mylopoulos, N. Zannone, “Requirements Engineering.

Requirement Engineering for Trust Management : Model, Methodology Reasoning P. Giorgini, F. Massacci, J. Mylopoulos, N. Zannone, “Requirements Engineering.
1 What is OO Design? OO Design is a process of invention, where developers create the abstractions necessary to meet the system’s requirements OO Design.

1 What is OO Design? OO Design is a process of invention, where developers create the abstractions necessary to meet the system’s requirements OO Design.
Policy-Based Dynamic Negotiation for Grid Services Authorization Ionut Constandache, Daniel Olmedilla, Wolfgang Nejdl Semantic Web Policy Workshop, ISWC’05.

Policy-Based Dynamic Negotiation for Grid Services Authorization Ionut Constandache, Daniel Olmedilla, Wolfgang Nejdl Semantic Web Policy Workshop, ISWC’05.

Similar presentations

Ads by Google