International journal of secure software engineering最新文献

{"title":"A New Method for Writing Assurance Cases","authors":"Y. Matsuno, Shuichiro Yamamoto","doi":"10.4018/JSSE.2013010103","DOIUrl":"https://doi.org/10.4018/JSSE.2013010103","url":null,"abstract":"In this paper, the authors present a new method for writing assurance cases. Assurance cases are documented bodies of evidence that provide a convincing and valid argument that a system is adequately dependable for a given application in a given environment. Assurance cases have been used mostly in the safety field, but are now beginning to be widely applied in other areas. Cyber security is one such area, and recently, assuring security of cyber systems has become crucial. Several methods and various guidelines for writing assurance cases have been used. Unfortunately, only experts are currently able to write assurance cases, and it is still difficult for ordinary engineers to write them. This paper presents a new method for writing assurance cases. The main ideas are that (1) documents generated and used during the system lifecycle must be either used by the assurance cases or must be referred to in the assurance cases, and (2) typical patterns exist for assurance cases, and these patterns have not yet been well discussed. This paper presents the preliminary steps in developing a method for writing assurance cases. The authors also report on a preliminary experiment carried out on a web server demo system.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"402 1","pages":"31-49"},"PeriodicalIF":0.0,"publicationDate":"2013-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"78053149","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Role Mining to Assist Authorization Governance: How Far Have We Gone?","authors":"Safaà Hachana, N. Cuppens-Boulahia, F. Cuppens","doi":"10.4018/JSSE.2012100103","DOIUrl":"https://doi.org/10.4018/JSSE.2012100103","url":null,"abstract":"The concept of role has revolutionized the access control systems by making them more efficient and by simplifying their management. Role mining is the discipline of automating the definition of roles in a given access control system. It is a vivid research area, which has attracted a growing interest in the last years. Research on role mining has produced several interesting contributions in this field, and has also raised several related issues toward leveraging them in actual enterprises. This paper is a comprehensive analysis of the main research directions around role mining and the future trends. The authors present the problem of role mining, the current achievements to solve it and the related open issues. With this objective, they define a complete and realistic business process for Role Mining, and the authors sequentially analyze the issues related to each step of the process by investigating the main contributions in the literature. They also point the unhandled issues and we highlight the future perspectives.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"85 1","pages":"45-64"},"PeriodicalIF":0.0,"publicationDate":"2012-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"73445672","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A Comparative Analysis of Access Control Policy Modeling Approaches","authors":"K. Kumari, T. Chithralekha","doi":"10.4018/jsse.2012100104","DOIUrl":"https://doi.org/10.4018/jsse.2012100104","url":null,"abstract":"Access control policies (ACPs) characterize the high-level rules according to which the access control of a system is regulated. Generally they are defined separately from the functional requirements (FRs) of an application and added to the system as an afterthought after being built. But, many problems arose during the integration of ACPs and FRs. Hence, over the past years, researchers have suggested for the modifying the design phase to include an earlier focus on access control issues through various modeling techniques. This paper reviews the important approaches in ACP modeling and makes a comparative analysis of the advantages and limitations of those techniques especially in addressing complex ACPs. Based on the comparative analysis, this paper presents directions for further work needed in handling the intricate nature of today’s ACPs.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"108 1","pages":"65-83"},"PeriodicalIF":0.0,"publicationDate":"2012-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"79393644","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A Practical Framework for Policy Composition and Conflict Resolution","authors":"Ousmane Amadou Dia, C. Farkas","doi":"10.4018/JSSE.2012100101","DOIUrl":"https://doi.org/10.4018/JSSE.2012100101","url":null,"abstract":"In collaborative environments where resources must be shared across multiple sites, the access control policies of the participants must be combined in order to define a coherent policy. The relevant challenge in composing access policies is to deal with inconsistencies or modality conflicts. This difficulty exacerbates when the policies to compose are specified independently by different entities with no global power to decide in case of conflicts which entity must take precedence. This paper presents a semi-automated framework called Policy Composition and Conflict Resolution framework (P2CR) to address this issue. They focus on access control policies expressed as XACML statements. The authors propose a three-level conflicts resolution strategy: i) by using metadata added to the policies, ii) by using a defeasible logic theory, and iii) by providing recommendations to the entities owners of the resources. First, they provide a mechanism to add metadata to XACML. Second, they combine the access policies without prioritizing any of the entities involved in the composition. Given the context of the authors’ work, they consider this approach to be more suitable than the current approaches that are mainly negotiation-oriented or assign priorities to the policies. Finally, the resulting composite policy appears flexible and easily adjustable to runtime conflicts. DOI: 10.4018/jsse.2012100101 2 International Journal of Secure Software Engineering, 3(4), 1-26, October-December 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. as well as cloud service provider, abides by the security, compliance and risk management requirements of the others. Thus, to allow the entities to interact safely, their access policies must necessarily be compared and composed. In this paper, leveraging the community clouds as an illustrative example, we address the policy composition problem in a broader scenario in which different entities are interested in composing their independently stated policies while retaining their autonomy i.e., maintaining the control over their resources. A non-trivial challenge generally faced in this context is the occurrence of conflicts. Two access policies may apply to same objects and yield upon request of the objects contradictory evaluation results. Access control systems governed by such policies cannot deterministically decide whether to grant access to the requested objects or to deny the access. Consequently, they may even allow certain users to access resources they are not authorized for or deny the access to the legitimate ones. Thus, to enable access policies in individual systems to unambiguously evaluate users requests, many conflict resolution strategies have been proposed (Reeder, Bauer, Cranor, Reiter, & Vaniea, 2009; Cuppens, CuppensBoulahia, & Ghorbel, 2007; Dong, Russello, & Dulay, 2008; Jajodia, Samarati, Sapino, & Subramanian, 2","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"15 1","pages":"1-26"},"PeriodicalIF":0.0,"publicationDate":"2012-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"89710430","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Extraction of an Architectural Model for Least Privilege Analysis","authors":"Bernard Spitz, R. Scandariato, W. Joosen","doi":"10.4018/jsse.2012100102","DOIUrl":"https://doi.org/10.4018/jsse.2012100102","url":null,"abstract":"This paper presents the design and implementation of a prototype tool for the extraction of the so-called Task Execution Model directly from the source code of a software system. The Task Execution Model is an essential building block for the analysis of the least privilege violations in a software architecture (presented in previous work). However, the trustworthiness of the analysis results relies on the correspondence between the analyzed model and the implementation of the system. Therefore, the tool presented here is a key ingredient to provide assurance that the analysis results are significant for the system at hand. DOI: 10.4018/jsse.2012100102 28 International Journal of Secure Software Engineering, 3(4), 27-44, October-December 2012 Copyright © 2012, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited. the intended tasks. The TEM is a precise representation of the behavior of a system that is tailored for the purpose of identifying LP violations. When a new system is being developed, an early LP analysis can be done before the system is implemented. In this case, the TEM can be constructed starting from the software architecture documentation, namely the component diagrams, the deployment diagrams, and the sequence diagrams. However, the development of the system might significantly deviate from the architectural design. This also happens after maintenance cycles, as often the documentation is not updated after changes are made. Therefore, the LP analysis needs to be reassessed after the system has been implemented or evolved. In this case, the TEM needs to be constructed starting from the source code, which is a tedious and error prone endeavor. The experience in four medium-sized projects revealed that undocumented behavior in the code of the four systems required the modification of the TEMs, which were initially built starting from the documentation only. The divergence between the documentation and the implementation is particularly detrimental from a security perspective. In fact, the analysis results would have been erroneous if the TEMs would have not been corrected. In our experience, the macro-structures of the design, like components and sub-systems, are in general properly documented. The majority of the inconsistencies are to be found at the level of the invocations among the components. Typically, only the main interactions among components are properly documented and additional communication paths that emerge at later stage (e.g., because of implementation-level optimizations) are missing. The least privilege analysis focuses on the interaction among components and, hence, is particularly affected by these inconsistencies. Therefore, the trustworthiness of the least privilege analysis is at stake if the conformance of the TEM with the final system is not assured. As its main contribution, this paper provides a solution to the problem. We present the desig","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"40 1","pages":"27-44"},"PeriodicalIF":0.0,"publicationDate":"2012-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74421272","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"SETER: Towards Architecture-Model Based Security Engineering","authors":"Ayda Saïdane, N. Guelfi","doi":"10.4018/JSSE.2012070102","DOIUrl":"https://doi.org/10.4018/JSSE.2012070102","url":null,"abstract":"The quality of software systems strongly depends on their architecture. For this reason, taking into account security requirements at the architecture level is crucial for the success of secure software development. Today, systems are permanently evolving due to customer needs, technology evolution or maintenance constraints. Thus, a resilient secure system is expected to evolve towards more satisfaction of its security requirements Guelfi 2011. In particular, such evolution process should identify and eliminate faults and vulnerabilities during the development process or runtime. This study focuses on the design phases and aims to propose a resilient software engineering process guaranteeing the development of secure systems that satisfy their critical requirements. During the development process, the system is expected to evolve until reaching satisfactory compliance against its requirements. The satisfaction computation is based on the quantification of failures and degradations. In this paper, the authors propose a novel architecture model-based security testing approach for identifying faults and vulnerabilities. The originality of the proposal resides in the usage of the architecture model for security testing and in coupling security requirements with threat model for generating both security functional test cases and malicious test cases. The assessment of the security requirements' satisfaction and the overall system resilience is based on the test traces analysis. Throughout this study, a client-server system is used as a running example for illustrating the approach.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"29 1","pages":"23-49"},"PeriodicalIF":0.0,"publicationDate":"2012-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"78366727","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Formal Modeling and Verification of Security Property in Handel C Program","authors":"Yujian Fu, Jeffery Kulick, Lok K. Yan, S. Drager","doi":"10.4018/jsse.2012070103","DOIUrl":"https://doi.org/10.4018/jsse.2012070103","url":null,"abstract":"Multi-million gate system-on-chip SoC designs easily fit into today's Field Programmable Gate Arrays FPGAs. As FPGAs become more common in safety-critical and mission-critical systems, researchers and designers require information flow guarantees for the FPGAs. Tools for designing a secure system of chips SOCs using FPGAs and new techniques to manage and analyze the security properties precisely are desirable. In this work we propose a formal approach to model, analyze and verify a typical set of security properties-noninterference-of Handel C programs using Petri Nets and model checking. This paper presents a method to model Handel C programs using Predicate Transition Nets, a type of Petri Net, and define security properties on the model, plus a verification approach where security properties are checked. Three steps are used. First, a formal specification on the Handel C description using Petri Nets is extracted. Second, the dynamic noninterference properties with respect to the Handel C program statements are defined on the model. To assist in verification, a translation rule from the Petri Nets specification to the Maude programming language is also defined. Thus, the formal specification can be verified against the system properties using model checking. A case study of the pipeline multiplier is discussed to illustrate the concept and validate the approach.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"40 1","pages":"50-65"},"PeriodicalIF":0.0,"publicationDate":"2012-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"78615173","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Advancing Cyber Resilience Analysis with Performance-Based Metrics from Infrastructure Assessments","authors":"E. Vugrin, Jennifer Turgeon","doi":"10.4018/JSSE.2013010105","DOIUrl":"https://doi.org/10.4018/JSSE.2013010105","url":null,"abstract":"Cyber resilience is becoming increasingly recognized as a critical component of comprehensive cybersecurity practices. Current cyber resilience assessment approaches are primarily qualitative methods, making validation of their resilience analyses and enhancement recommendations difficult, if not impossible. The evolution of infrastructure resilience assessment methods has paralleled that of their cyber counterparts. However, the development of performance-based assessment methods has shown promise for overcoming the validation challenge for infrastructure systems. This article describes a hybrid infrastructure resilience assessment approach that combines both qualitative analysis techniques with performance-based metrics. The qualitative component enables identification of system features that limit resilience, and the quantitative metrics can be used to evaluate and confirm the effectiveness of proposed mitigation options. The authors propose adaptation of this methodology for cyber resilience analysis. A case study is presented to demonstrate how the approach could be applied to a hypothetical system. INTRODUCTION AND BACKGROUND Cybersecurity is generally acknowledged as a critical priority within the national, homeland, and business security communities. This sentiment has been echoed at the highest levels of the U.S. government, with President Obama (2009) stating that “cyber threat is one of the most serious economic and national security challenges we face as a nation.” Fortunately, the concept of cybersecurity is not new to the academic and research communities. Eric D. Vugrin Sandia National Laboratories, USA Jennifer Turgeon Sandia National Laboratories, USA","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"7 1","pages":"75-96"},"PeriodicalIF":0.0,"publicationDate":"2012-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82907275","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Model Based Process to Support Security and Privacy Requirements Engineering","authors":"Shareeful Islam, H. Mouratidis, Christos Kalloniatis, Aleksandar Hudic, L. Zechner","doi":"10.4018/jsse.2012070101","DOIUrl":"https://doi.org/10.4018/jsse.2012070101","url":null,"abstract":"Software systems are becoming more complex, interconnected and liable to adopt continuous change and evolution. It's necessary to develop appropriate methods and techniques to ensure security and privacy of such systems. Research efforts that aim to ensure security and privacy of software systems are distinguished through two main categories: 1 the development of requirements engineering methods, and 2 implementation techniques. Approaches that fall in the first category usually aim to address either security or privacy in an implicit way, with emphasis on the security aspects by developing methods to elicit and analyse security and privacy requirements. Works that fall in the latter categories focus specifically on the later stages of the development process irrespective of the organisational context in which the system will be incorporated. This work introduces a model-based process for security and privacy requirements engineering. In particular, the authors' work includes activities which support to identify and analyse security and privacy requirements for the software system. Their purpose process combines concepts from two well-known requirements engineering methods, Secure Tropos and PriS. A real case study from the EU project E-vote, i.e., an Internet based voting system, is employed to demonstrate the applicability of the approach.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"78 1","pages":"1-22"},"PeriodicalIF":0.0,"publicationDate":"2012-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"85571962","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Comparing Misuse Case and Mal-Activity Diagrams for Modelling Social Engineering Attacks","authors":"P. Kárpáti, G. Sindre, Raimundas Matulevičius","doi":"10.4018/jsse.2012040103","DOIUrl":"https://doi.org/10.4018/jsse.2012040103","url":null,"abstract":"Understanding the social engineering threat is important in requirements engineering for security-critical information systems. Mal-activity diagrams have been proposed as being better than misuse cases for this purpose, but without any empirical testing. The research question in this study is whether mal-activity diagrams would be more efficient than misuse cases for understanding social engineering attacks and finding prevention measures. After a conceptual comparison of the modelling techniques, a controlled experiment is presented, comparing the efficiency of using the two techniques together with textual descriptions of social engineering attacks. The results were fairly equal, the only significant difference being a slight advantage for mal-activity diagrams concerning perceived ease of use. The study gives new insights into the relative merits of the two techniques, and suggests that the advantage of mal-activity diagrams is smaller than previously assumed. However, more empirical investigations are needed to make detailed conclusions.","PeriodicalId":89158,"journal":{"name":"International journal of secure software engineering","volume":"33 1","pages":"54-73"},"PeriodicalIF":0.0,"publicationDate":"2012-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88875151","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}