Similar literature
20 similar documents found
1.
Although widely used for both security and usability concerns, scenarios used in security design may not necessarily inform the design of usability, and vice versa. One way of using scenarios to bridge security and usability involves explicitly describing how design decisions can lead to users inadvertently exploiting vulnerabilities to carry out their production tasks. This paper describes how misusability cases, scenarios that describe how design decisions may lead to usability problems that subsequently lead to system misuse, address this problem. We describe the related work upon which misusability cases are based before presenting the approach and illustrating its application using a case study example. Finally, we describe some findings from this approach that further inform the design of usable and secure systems.

2.
Secure software engineering is concerned with developing software systems that will continue delivering their intended functionality despite a multitude of harmful software technologies that can attack these systems from anywhere and at any time. Misuse cases and mal-activity diagrams are two techniques for modeling functional security requirements and addressing security concerns early in the development life cycle. This allows system designers to equip their systems with security mechanisms built into the system design rather than relying on external defensive mechanisms. In a model-driven engineering process, misuse cases are expected to drive the construction of mal-activity diagrams. However, a systematic approach to transform misuse cases into mal-activity diagrams is missing. Therefore, this process remains dependent on human skill and judgment, which raises the risk of developing mal-activity diagrams that are inconsistent with the security requirements described in misuse cases, leading to the development of an insecure system. This paper presents an authoring structure for misuse cases and a transformation technique to systematically perform this desired model transformation. A study was conducted to evaluate the proposed technique using 46 attack stories outlined in a book by a former well-known hacker (Mitnick and Simon in The art of deception: controlling the human element of security, Wiley, Indianapolis, 2002). The results indicate that applying the proposed technique produces correct mal-activity diagrams from misuse cases.

3.
Misuse cases are currently used to identify safety and security threats and subsequently capture safety and security requirements. There is limited consensus on the precise meaning of the basic terminology used for use/misuse case concepts. This paper delves into the use of ontology for the formal representation of the use/misuse case domain knowledge for eliciting safety and security requirements. We classify misuse cases into different categories to reflect different types of misusers. This will allow participants during the requirements engineering stage to have a common understanding of the problem domain. We enhanced the misuse case domain to include the abusive misuse case and the vulnerable use case in order to boost the elicitation of safety requirements. The proposed ontological approach will allow developers to share and reuse the knowledge represented in the ontology, thereby avoiding ambiguity and inconsistency in capturing safety and security requirements. The Protégé 3.3.1 OWL editor was used for the ontology coding. An illustration of the use of the ontology is given with examples from a health care information system.

4.
Secure software development should begin at the early stages of the development life cycle. Misuse case modeling is a technique that stems from traditional use case modeling and facilitates the elicitation and modeling of functional security requirements at the requirements phase. Misuse case modeling is an effective vehicle for identifying a large subset of these threats. It is therefore crucial to develop high quality misuse case models; otherwise the end system will be vulnerable to security threats. Templates to describe misuse cases are populated with syntax-free natural language content. The inherent ambiguity of syntax-free natural language, coupled with the crucial role of misuse case models in development, can have a very detrimental effect. This paper proposes a structure that will guide misuse case authors towards developing consistent misuse case models. This paper also presents a process that utilizes this structure to ensure the consistency of misuse case models as they evolve, eliminating potential damage caused by inconsistencies. A tool was developed to provide automation support for the proposed structure and process. The feasibility and application of this approach were demonstrated using two real-world case studies.

5.
Eliciting security requirements with misuse cases

6.
This paper begins by reviewing the application of use cases in the analysis and design phases of software development. At present, a use case derived in analysis is generally mapped into design through the synthesis of object behaviour for all scenarios associated with the use case. Hence the use case level of abstraction is not directly used in this process and a semantic gap exists between analysis and design. With informal, textually based use case definitions this is to be expected; however, if the use cases themselves are given a more concrete structure, for example in the form of a statechart, then their direct use becomes more feasible. In this paper we therefore investigate the application of use case structures in the initial design phases of software development. A novel approach is proposed that applies a state based use case model directly to each object in the design architecture. This requires the derivation of a set of repeatable refinement procedures, which remove redundancy and allow the assignment of behaviour to objects with respect to their responsibilities. It is then shown how such procedures may be used in design, filling the semantic gap between analysis and design. By applying the procedures to a case study we identify and evaluate the characteristics of the mapping from use case model to object behaviour and review our approach with respect to other methods. It is concluded that state based use case structures not only represent a succinct analysis format, but may also be used to map analysis models directly into the design process.

7.
Users at different levels of domain experience have very different needs. For example, a system designed to assist domain novices may frustrate experts, and vice versa. This is one of several challenges specific to building decision support systems for experience-centered domains. A second challenge in working with complex experience-centered domains is that it is hard for non-experts to understand the domain in order to model it. In this paper we present DAISY, the design aid for intelligent support systems. It is a software design methodology for constructing decision support systems in complex, experience-based domains. DAISY addresses the specialized challenges of these domains by augmenting existing cognitive engineering methodologies. In particular, DAISY provides a method for identifying the specialized needs of users within a specific range of domain experience. Thus, it can help software designers to understand "What does the domain expert need?" or "What does a trained novice need?" To help system designers manage the complexity of modeling unfamiliar experience-centered domains, it provides a tool called a time/activity matrix. To illustrate each of DAISY's steps, we used the development of a decision support system called Fox. Fox assists expert military planners by rapidly generating alternative plans. This is a cognitively difficult, time critical task with life and death consequences.

8.
In recent years, a number of use case-driven processes have emerged for the development of real-time embedded systems. In these processes, once requirements have been defined by use cases, the next step is usually to identify from those use cases the central objects in the system and describe how they interact with one another. However, identifying objects/classes from the requirements is both a critical and a hard task. This is mainly due to the lack of a pragmatic technique that steers such a task. In this article, we present a systematic approach to identify objects from the use case model for real-time embedded systems. After hierarchically decomposing the system into its parts, we first transform the structured-text use case into an activity diagram, which may be reused in the next development activities. Second, we use the derived activity diagram for identifying objects. With the behavioural model, an object model can be viewed as a first cut at a design model, and is thus an essential input when the system is shaped in design and design implementation.

9.
Context: Misuse case modeling is a well-known technique in the domain of capturing and specifying functional security requirements. Misuse case modeling provides a mechanism for security analysts to consider and account for security requirements in the early stages of a development process instead of relying on generic defensive mechanisms that are added to software systems towards the latter stages of development.
Objective: Many research contributions in the area of misuse case modeling have been devoted to extending the notation to increase its coverage of additional security related semantics. However, there is little research that evaluates the perception of misuse case models by their readers. A misread or misinterpreted misuse case model can have dire consequences downstream, leading to the development of an insecure system.
Method: This paper presents an assessment of the design of the original misuse case modeling notation based on the Physics of Notations framework. A number of improvements to the notation were suggested. A survey and a controlled experiment were carried out to compare the cognitive effectiveness of the new notation with the original notation.
Results: The survey had 55 participants, who mostly indicated that the new notation is more semantically transparent than the original notation. The results of the experiment show that subjects reading diagrams developed using the new notation performed their tasks on average 6 min quicker, while in general the subjects performed their tasks in approximately 14.5 min. The experimental tasks only required subjects to read diagrams, not to create them.
Conclusion: The main finding of this paper is that the use of colors and icons has improved the readability of misuse case diagrams. Software engineering notations are usually black and white. It is expected that the readability of other software notations will improve if they utilize colors and icons.

10.
Use cases and misuse cases, respectively, state the interactions that an actor can have, and a mal-actor must be prevented from having, with a system. The cases do not specify either the security requirements or the associated attributes that a system must possess to operate in a secure manner. We present an algorithmic, domain-independent approach rooted in verb–noun analysis of use cases and misuse cases to generate system requirements and the associated security attributes. We illustrate the utility of this general five-step method using Positive Train Control (PTC), a command and control system used to navigate trains in a railway grid, as a case study. This approach allows the designer to protect against the effect of wireless vulnerabilities on the safety of PTC systems.

11.
This paper reports on an innovative human–machine interaction methodology adopted to assess the case, role and requirements for a new ground collision awareness technology. Specifically, this paper reports on the analysis of ground collision incident data and the subsequent advancement of user scenarios and bow-ties based on this data analysis, for the purpose of generating preliminary user and design requirements for this technology. In so doing, the requirements elicitation and validation methods used in this research are framed from an epistemological perspective. Accordingly, the particular methods adopted are presented and discussed in terms of concepts of evidence, bearing witness and the distinction between facts and values. As such, this paper promotes thinking about evidence-based design practices. Overall, this evidence-based approach aims to improve the development of scenarios and associated problem solving around technology cases, user requirements and user interface design features. The proposed method is useful in terms of bridging the gap from data analysis to design, and validating design decisions. In this regard, it is argued that the generation of user scenarios based on the analysis of incident data (i.e. data coding and statistical analysis), and the reframing of such scenarios in terms of bow-ties for the purpose of requirements/design envisionment, extends existing scenario-based design approaches. Although the use of bow-ties is not new, the advancement of bow-ties from data-driven scenarios is. Specifically, the bow-tie method was applied in a design context, to support problem solving around design decisions, as opposed to formal risk analysis.

12.
Formal scenarios have many uses in requirements engineering, validation, performance modeling, and test generation. Many tools and methodologies can handle scenarios when the number of steps (interleaved inputs and outputs of the target system) is reasonably small. However, scenario based techniques do not scale well with the number of steps, number of actors, and complexity of behaviors and system interactions to be specified in the scenario. First, it is impractically tedious and error-prone to specify thousands of input steps and corresponding expected outputs. Second, even if one can write down such large scale scenarios, confidence in their correctness is naturally low. Third, complex systems requiring large scale scenarios tend to require many such scenarios to adequately cover the behavior space. This paper describes the motivations for and problems of large scale scenarios, as well as the LSS method, which uses automated and semi-automated techniques in describing, maintaining, communicating, and using large scale scenarios in requirements engineering. The method is illustrated in two widely divergent application domains: military live training instrumentation and electronic mail servers. A case study demonstrates the practical and beneficial use of LSS in architectural modeling of a complex, real-world system design. A two page extended abstract of this paper appeared in Proc. 21st ACM/IEEE Intl. Conf. on Software Engineering (ASE 2006).

13.
The software development industry often brings in security at the eleventh hour, right before developers throw the code over the wall--that is, deploy it into production--and ask, "Well, is it secure?" At this point, hilarity--for the objective observers, anyhow--ensues as security personnel work feverishly to shove crypto, firewalls, and all the other mechanisms at their disposal into the most egregious risk areas. This article describes how to create useful misuse cases within the development process, thus avoiding the headaches that can arise toward the end of the cycle.

14.
This paper describes light-weight formal techniques based on Message Sequence Charts (MSCs) for capturing and validating early requirements and design. Our focus is on ease of use in specifying, simulating and validating scenarios, and checking their desired properties efficiently. We discuss how the formalism of High Level Message Sequence Charts (HMSCs or MSC'96) can be used to capture scenarios in use cases, thus enabling the use of tools for analysing them. We then present two formal semantics for HMSCs: an intuitive linear time semantics based on runs, and an operational semantics in terms of a labelled transition system. Next we present a way of describing desired properties of use case scenarios using templates, for validating scenarios with respect to informal requirements. The correctness properties of a collection of MSCs can then be established by efficient algorithms for finding paths in a directed graph representing the precedence relation on the events of the MSCs. We have implemented the operational semantics and the verification algorithms in the form of a simulation and verification tool for analysing scenarios.

15.
A highly important part of software engineering education is requirements collection and analysis, which is one of the initial stages of the Database Application Lifecycle and arguably the most important stage of the Software Development Lifecycle. No other conceptual work is as difficult to rectify at a later stage or as damaging to the overall system if performed incorrectly. As software engineering is a field with a reputation for producing graduates who are inappropriately prepared for applying their skills in real life software engineering scenarios, this suggests that traditional educational techniques such as role-play, live-through case studies and paper-based case studies are insufficient preparation and that other approaches are required. To attempt to combat this problem we have developed a games-based learning application to teach requirements collection and analysis at tertiary education level, as games-based learning is seen as a highly motivating, engaging form of media and is a rapidly expanding field. This paper describes the evaluation of the requirements collection and analysis game, particularly from a pedagogical perspective. The game is compared to traditional methods of software engineering education using a pre-test/post-test, control group/experimental group design to assess whether the game can act as a suitable supplement to traditional techniques and whether it can potentially overcome their shortcomings. The game is evaluated in five separate experiments at tertiary education level.

16.
The last decade has seen an increasing focus on addressing security already during the earliest stages of system development, such as requirements determination. Attack trees and misuse cases are established techniques for representing security threats along with their potential mitigations. Previous work has compared attack trees and misuse cases in two experiments with students. The present paper instead presents an experiment where industrial practitioners perform the experimental tasks in their workplace. The industrial experiment confirms a central finding from the student experiments: that attack trees tend to help identify more threats than misuse cases. It also presents a new result: that misuse cases tend to encourage identification of threats associated with earlier development stages than attack trees do. The two techniques should therefore be considered complementary and should be used together in practical requirements work.

17.
A use-case vulnerability detection method based on attack patterns is proposed, for detecting vulnerabilities in the use case diagrams designed by requirements analysts. The method takes formalized use cases as its basis and treats misuse cases as the carriers of security-critical information, modeling them as special attributes of a use case. Through interaction with the user, the information for the misuse-case-related attributes is collected, and this information is then used to compute a misuse case index for the use case. This index is compared with the indices predefined for the attack patterns in order to judge whether the use case is related to a particular misuse case or to certain attack patterns, thereby detecting use case vulnerabilities in the use case diagram and, on that basis, offering feasible recommendations.

18.
19.
Quality-attribute requirements describe constraints on the development and behavior of a software system, and their satisfaction is key for the success of a software project. Detecting and analyzing quality attributes in early development stages provides insights for system design, reduces risks, and ultimately improves the developers' understanding of the system. A common problem, however, is that quality-attribute information tends to be understated in requirements specifications and scattered across several documents. Thus, making the quality attributes first-class citizens usually becomes a time-consuming task for analysts. Recent developments have made it possible to mine concerns semi-automatically from textual documents. Building on these ideas, we present a semi-automated approach to identify latent quality attributes that works in two stages. First, a mining tool extracts early aspects from use cases, and then these aspects are processed to derive candidate quality attributes. This derivation is based on an ontology of quality-attribute scenarios. We have built a prototype tool called QAMiner to implement our approach. The evaluation of this tool in two case studies from the literature has shown interesting results. As the main contribution, we argue that our approach can help analysts to skim requirements documents and quickly produce a list of potential quality attributes for the system.

20.
Natural Language (NL) deliverables suffer from ambiguity, poor understandability, incompleteness, and inconsistency. However, NL is straightforward and stakeholders are familiar with it for producing their software requirements documents. This paper presents a methodology, SOLIMVA, which aims at model-based test case generation from NL requirements deliverables. The methodology is supported by a tool that makes it possible to automatically translate NL requirements into Statechart models. Once the Statecharts are derived, another tool, GTSC, is used to generate the test cases. SOLIMVA uses combinatorial designs to identify scenarios for system and acceptance testing, and it requires that a test designer defines the application domain by means of a dictionary. Within the dictionary there is a Semantic Translation Model in which, among other features, a word sense disambiguation method helps in the translation process. Using a space application software product as a case study, we compared SOLIMVA with a previous manual approach developed by an expert under two aspects: test objective coverage and characteristics of the Executable Test Cases. In the first aspect, the SOLIMVA methodology not only covered the test objectives associated with the expert's scenarios but also proposed a better strategy, with test objectives clearly separated according to the directives of combinatorial designs. The Executable Test Cases derived in accordance with the SOLIMVA methodology not only possessed similar characteristics to the expert's Executable Test Cases but also predicted behaviors that did not exist in the expert's strategy. The key benefits of applying the SOLIMVA methodology/tool within a Verification and Validation process are the ease of use and, at the same time, the support of a formal method, consequently leading to a potential acceptance of the methodology in complex software projects.

Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号