Misuse Cases

1
Misuse Cases

• ISA 780/ SWE 623 - 2005
• Taken from various papers on the Internet

2
References

• Templates for Misuse Case Descriptions by Gottorm
  Sindre and Andreas L. Opdahl available at
  www.ifi.uib.no/conf/refsq2001/papers/p25.pdf
• Capturing security requirements through Misuse
  Cases by Gottorm Sindre and Andreas L. Opdahl
  available at www.nik.no/2001/21-sindre.pdf
• Initial Industrial Experience of Misuse Cases in
  Trade-Off Analysis by Ian Alexander, available at
  http//easyweb.easynet.co.uk/iany/consultancy/mis
  use_cases/misuse_cases_in_tradeoffs.htm
• From Misuse cases to Colboration Diagrams by Zaid
  Dwaikat and Francesco Parisi-Presicce available
  at www.software.org/pub/externalpapers/papers/dwai
  kat-2004-1.pdf

3
Papers Sindre and Opdahl

• Use cases are helpful in understanding
  stakeholder requirements
• That is actors execute Use Cases
• Who are attackers? Mal-actors
• What do they do execute misuse cases

4
(No Transcript)
5
(No Transcript)
6
Misuse Case Templates 1

• Name Obtain Password
• Summary A crook obtains and uses a password for
  e-shop by reading messages sent through a
  compromised network.
• Author Yours Truly
• Date 09-30-2005

7
Misuse Case Template 2

• Basic Pathbp0
• Bp0-1 A crook hacks a host and installs IP
  sniffer
• Bp0-2 (and extension point e-1) All packets with
  Login, password, etc are intercepted and analyzed
• Bp0-3 Thus the crook collects likely username /
  password pairs
• Bp0-4 The crook uses the stolen username /
  password pair to login illegally

8
Misuse Case Template 3

• Alternate Paths
• Ap1 The crook has SU privileges (changes step
  bp0-1)
• AP2 The crook intercepts telephone messages from
  e-shop operator
• (changes bp0-2)
• AP3 The crook intercepts e-shop operators
  portable devices messages (changes bp0-3)

9
Misuse Case Template 4

• Capture Points
• CP1 Password does not work changed (bp0-4)
• CP2 Password does not work expired (bp0-4)
• CP3 Password does not work different IP
  address (bp0-4)
• CP4 Operator login restricted to special IP
  (bp0-4)
• CP5 Communication uninterruptible (bp0-2)

10
Misuse Case Template 5

• Extension Points
• Cp1 Includes misuse case Tap Communications (in
  step bp0-2)
• Triggers
• Tr1 always true
• Preconditions
• Pc1 Operator has special authority
• Pc2 Operator allowed to login over the Internet

11
Misuse Case Template 6

• Assumptions
• As1 operator uses the network to login (for all
  paths)
• As2 operator uses home phone to login (for ap2)
• As3 operator uses home phone to login (for ap3)

12
Misuse Case Template 7

• Worse case threat (post condition)
• Wc1 The crook gains operator access
• Capture guarantee (post condition)
• Cg1 The crook never gets operator access
• Related Business Rule
• Br1 operator gains full access
• Br2 operator is the only full access user

13
Misuse Case Template 8

• Potential Mis-user Profile
• Highly skilled, possibly a network admin with
  criminal intent
• Stakeholders and Threats
• Sh1 e-shop
• Reduce turnover
• Lost consumer confidence

14
Misuse Case Template 9

• Customer
• Privacy violation
• Potential economic loss
• Scope
• Entire business environment
• Abstraction Level
• Mis-user goals
• Precision Level
• Focused

15
Methods for Building Misuse Cases

1. First build Use Cases with actors
2. Introduce major Misuse Cases
3. Identify potential relationships between Use
   Cases and Misuse Cases

16
Advantages 1

• Early focus on security
• User / customer
• Assurance
• Awareness
• Analyst creativity
• Traceability

17
Advantages 2

• Organizing Requirements
• Transition to object oriented
• Design
• Languages
• Uniform handling /specification /analysis of
  functional and adversarial usage

18
Disadvantages

• By itself not a requirements engineering
  technique
• No knowledge on how to write good quality Misuse
  Cases
• Use /Misuse case are informal
• No clear semantics

19
Elaborating Security Requirements by Construction
of Intentional Anti-Models

• Axel van Lamsweerde
• Proceedings of the 26th International Conference
  on Software Engineering 2004 (ICSE 2004)

20
Papers used for this part

• Elaborating Security Requirements by Constructing
  Intentional anti-models by Axel van Lamsweerde
  proc 26th Int. conf. on Software Eng. 2004
• Handling obstacles in goal-oriented requirements
  engineering, Axel van Lamsweerde, IEEE Trans on
  Soft. Eng, Vol 26, No 10, Oct 2000 P 976-1005
• Agent-based tacticles for generating
  goal-oriented requirements elaboration, Emmanuel
  Leitier and Axel van Lamsweerde, proc 24th Int.
  conf. on Software Eng. 2002

21
Security Engineering at the Application Layer
Application Layer

• Application Layer
• Services like web-based banking
• System Layer
• Programming languages, SSHTP
• Security Protocol Layer
• Many standard protocols
• Many logics and formalisms
• Cryptography Layer
• Solid basis for basic constructs

System Layer
Security Protocol Layer
Cryptography
22
Terminology

• Goal statement of intent
• Has non-functional properties
• Quality of Service
• Agent active components (human, devices)
• Roles an agent does to achieve a goal
• Domain Properties descriptions of the
  environment, such as physical laws, norms

23
Goals

• Organized as AND / OR hierarchies
• Said to construct a refinement-abstraction
  hierarchy
• High level goals are strategic,
• Coarse grained with many agents
• Low level goals are technical,
• Fine grained involving less agents
• Requirement terminal goal for one agent

24
Realizability

• When does refinement end?
• When a goal is relizable
• When it can be decomposed into
• Monitorable and controllable conditions

25
Monitorability and Controllability

• Need to describe agents a bit
• An agent ag has
• A set of variables it monitors Mon(ag)
• A set of variables it controls Ctrl(ag)
• A set of state variables in V State(V)
• A set of possible sequences over V Path(V)
• A goal is a statement G that has a history HIST(G)

26
Realizability

• Initag ? State(Ctrl(ag))
• Nextag ? Path(Mon(ag)UCtrl(ag)) ?
• State(Ctrl(ag))
• such that RUN(ag) HIST(G)
• Means, that the agent initially begins in a state
  that can control itself and
• Can transition using any monitorable or
  controllable variables so that
• the goal and the agent has exactly the same runs

27
Oprationalizing Goals

• Writing them as a
• synchronized collection of
• operations on objects

28
Obstacles

• A means to identifying goal violation scenarios
• Formalization
• O,Dom G Obstruction
• Dom O Domain consistency

29
Security Concerns

• Security Goals refined to requirements
• i.e. a single agent can satisfy them
• Environment given by policies
• a collection of rules
• Attackers mal-agents
• Threats goals of attackers
• Assets passive objects to be preserved

30
Security Goals

• Considered a meta-class
• Confidentiality
• Integrity
• Availability
• Privacy
• Authenticity
• Non-repudiation
• Specification requires first order, real time,
  linear temporal logic

31
Liner Time Temporal Logic- a short introduction -

• Used to reason about time dependent properties
• The time flows in a line
• ------------------------------------?time
  flow
• 0 1 2 3 4
• Some properties hold on these time points
  commonly known as Kripke Semantics / possible
  world semantics
• Want to make some statements about time dependent
  properties and ensure that they are valid over
  all possible interpretations

32
Syntax Terms - 1

• A collection of constants referred to as
  individuals
• a, b, c, ...... etc.
• A collection of variables a generic way to
  refer to individuals
• x, y, z, . etc
• A collection of function symbols a way to model
  many-one relations
• f(x,y,z), g(x,y) etc

33
Syntax Terms - 2

• Inductively
• Any constant is a term
• If t1, tn, are terms and f() is an n-ary
  function symbols then f(t1, tn) is a term.
• Examples 1,2,3, are constants
• x, y, z are variables
• gcd(,), min(,) are functions.
• So gcd(x,2), min(1,2), gcd(min(2,4),6) are terms

34
Syntax Terms - 3

• A term without any variable is said to be
  variable free
• eg gcd(3,15)
• Substitution Can replace any variable with a
  term
• Replace x in gcd(x,y) with 37 gives gcd(37,y)

35
Syntax Predicates

• A collection of predicates referred to as the
  time dependent properties of individuals
• a(x,y,z), q(x,y,z,)
• Called atomic predicates
• Example
• canD0(fred,passwdFile,write)
• At some point of time we want to ensure that Fred
  cannot write the password file ever in the future

36
Syntax Connectives - 1

• Binary connectives (and) v (or)
• Unary connective (not)
• Examples
• cando(fred,file1,read) cando(mary,write,file2)

37
Syntax Connectives - 2

• Unary connectives
• ? (necessarily i.e. in all futures)
• ? (possibly i.e. in some future time)
• O (in the next time instant)
• Binary connective U (untill)
• Examples
• ? cando(fred,file1,read)
• ? cando(mary,write,file2)
• O canD0(fred,passwdFile,write)
• cando(fred,file1,read) U cando(mary,write,file2)

38
Semantics what do they mean?

• Need to define how to evaluate truth in a model
• Model A fully instantiated collection of
  predicates for each instance of time

39
Semantics - 2

• cando(fred,f1,r)
• cando(mary,f2,w)

cando(fred,f1,r) cando(maryf1,r)
0, 1,
2,
3,
cando(fred,f1,r) cando(fred,f2,r)
cando(fred,f1,r) cando(joe,f1,r) cando(jim,f3,x)
40
Semantics Truth Definition -1

• Truth is defined for each time-point
• Referred to as a world
• Symbolized as world
• So, 3cando(fred,f1,read) means according to
  (someone in the) 3rd time point (or world), Fred
  can read file f1

41
Semantics Truth Definition 2

• t f iff t f does not hold
• Example 2 cando(fred,f1,write)
• t f p iff t f and t p
• Ex 2 cando(fred,f1,r) cando(fred,f2,r)
• t f v p iff t f or t p
• Ex 2 cando(fred,f1,r)Vcando(fred,f2,w)

42
Semantics Truth Definition 3

• t O f iff Vt1 f
• Example 0 O cando(fred,f1,write)
• t?f iff t f for all tgtt
• Ex 0 ?cando(fred,f1,r)
• t ? f iff t, f for some tgtt
• Ex 2 ? cando(jim,f3,x)

43
An Extra Connective ?ltd

• Means sometimes in the future within a time of d
• Example
• 0 ?lt3 cando(jim,f3,x)

44
Back to Specifying Security Goals

• Want to specify
• confidentiality, integrity, availability,
  privacy, authenticity, non-repudiation
• Using
• Predicates with special meaning
• Connectives of temporal logic
• Few more to come

45
More Notations and Abbreviations

• Use (P gt Q) to mean ?(p -gt q)
• That means in whatever time point P is true then
  so is Q
• Some epistemic operators
• KnowsVag(v) ? ?xKnowsag(xv)
• agent ag knows that variable x takes the value v
• Knowsag(P) ? Beliefag(P) p
• Agent ag knows P if it believes P and P is true

46
Confidentiality

• ? ag Agent, acc Account, ob Object
• Authorized(ag,acc) ? KnowsVag(ob,info)
• Says that an agent ag knows any information info
  about the object ob iff it is authorized to an
  account acc
• Notice using typed / many sorted logic

47
An example definition for Authorization

• ? ag Agent, acc Account Authorized(ag,acc)
  ?owner(ag,acc)
• v proxy(ag,acc)
• v manager(ag,acc)
• Says that an agent ag is authorized to operate an
  account acc iff it is either the owner, or a
  proxy or a manager

48
Refining the goal

• If the sensitive information about the account is
  the pair (acc,pin)
• ? p Person, acc Account
• owner(ag,acc)v
• proxy(ag,acc)v
• manager(ag,acc) gt
• KnowsVp(acc.acc) KnowsVp(acc.pin)
• Says any person who is not authorized must not
  know the acc and the pin simultaneously

49
Privacy

• ? ag, ag Agent, ob Object
• KnowsVag(ob,info)
• ownedBy(ob.info,ag) ag?ag
• authorizedBy(ag,ob.info,ag)
• Says that an non-owner agent can know information
  about an object only is the owner authorized that
  information.

50
Integrity

• ? ag Agent, ob Object, vValue
• ob.infov O(ob.info?v)
• underControl(ob.info,ag)
• gt authorizedBy(ag,ob.info,ag)
• OIntegrity(ob.info)
• Says that if an information about an object under
  control of an agent ag changes, then it must have
  been authorized by an owner and retain the
  integrity of the object.

51
Availability

• ? ag Agent, ob Object, vValue
• needs(ag,ob.info)
• Authorized(ag,ob.info)
• gt ?ltd using(ag,ob.info)
• Says that needed, authorized data must be used
  within a bounded amount of time

52
Anti Goals

1. Take the negation of a specification of a a
   security requirement
2. Elicit answers to questions such as who can be
   interested in this?
3. Get high level goals of such an attacker
4. Refine and construct an AND/OR tree from the
   statement.
5. Could be fed into a machine to analyze if the
   anti-goal can be realized
6. Tool support available at http//www.objectiver.co
   m