Misuse Cases - PowerPoint PPT Presentation

Provided by: csG6
Learn more at: https://cs.gmu.edu
1
Misuse Cases
  • ISA 780/ SWE 623 - 2005
  • Taken from various papers on the Internet

2
References
  • Templates for Misuse Case Descriptions by Guttorm
    Sindre and Andreas L. Opdahl, available at
    www.ifi.uib.no/conf/refsq2001/papers/p25.pdf
  • Capturing Security Requirements through Misuse
    Cases by Guttorm Sindre and Andreas L. Opdahl,
    available at www.nik.no/2001/21-sindre.pdf
  • Initial Industrial Experience of Misuse Cases in
    Trade-Off Analysis by Ian Alexander, available at
    http://easyweb.easynet.co.uk/iany/consultancy/misuse_cases/misuse_cases_in_tradeoffs.htm
  • From Misuse Cases to Collaboration Diagrams by Zaid
    Dwaikat and Francesco Parisi-Presicce, available
    at www.software.org/pub/externalpapers/papers/dwaikat-2004-1.pdf

3
Papers: Sindre and Opdahl
  • Use cases are helpful in understanding
    stakeholder requirements
  • That is, actors execute Use Cases
  • Who are attackers? Mal-actors
  • What do they do? Execute misuse cases

6
Misuse Case Template 1
  • Name: Obtain Password
  • Summary: A crook obtains and uses a password for
    e-shop by reading messages sent through a
    compromised network.
  • Author: Yours Truly
  • Date: 09-30-2005

7
Misuse Case Template 2
  • Basic Path: bp0
  • bp0-1: A crook hacks a host and installs an IP
    sniffer
  • bp0-2 (and extension point e-1): All packets with
    login, password, etc. are intercepted and analyzed
  • bp0-3: Thus the crook collects likely username /
    password pairs
  • bp0-4: The crook uses the stolen username /
    password pair to log in illegally

8
Misuse Case Template 3
  • Alternate Paths
  • ap1: The crook has SU privileges (changes step
    bp0-1)
  • ap2: The crook intercepts telephone messages from
    the e-shop operator (changes bp0-2)
  • ap3: The crook intercepts the e-shop operator's
    portable device messages (changes bp0-3)

9
Misuse Case Template 4
  • Capture Points
  • cp1: Password does not work: changed (bp0-4)
  • cp2: Password does not work: expired (bp0-4)
  • cp3: Password does not work: different IP
    address (bp0-4)
  • cp4: Operator login restricted to special IP
    (bp0-4)
  • cp5: Communication uninterruptible (bp0-2)

10
Misuse Case Template 5
  • Extension Points
  • ep1: Includes misuse case Tap Communications (in
    step bp0-2)
  • Triggers
  • tr1: always true
  • Preconditions
  • pc1: Operator has special authority
  • pc2: Operator allowed to log in over the Internet

11
Misuse Case Template 6
  • Assumptions
  • as1: operator uses the network to log in (for all
    paths)
  • as2: operator uses home phone to log in (for ap2)
  • as3: operator uses home phone to log in (for ap3)

12
Misuse Case Template 7
  • Worst Case Threat (post condition)
  • wc1: The crook gains operator access
  • Capture Guarantee (post condition)
  • cg1: The crook never gets operator access
  • Related Business Rules
  • br1: operator gains full access
  • br2: operator is the only full access user

13
Misuse Case Template 8
  • Potential Mis-user Profile
  • Highly skilled, possibly a network admin with
    criminal intent
  • Stakeholders and Threats
  • sh1: e-shop
  • Reduced turnover
  • Lost consumer confidence

14
Misuse Case Template 9
  • Stakeholders and Threats (cont.)
  • Customer
  • Privacy violation
  • Potential economic loss
  • Scope: entire business environment
  • Abstraction Level: mis-user goals
  • Precision Level: focused

15
Methods for Building Misuse Cases
  1. First build Use Cases with actors
  2. Introduce major Misuse Cases
  3. Identify potential relationships between Use
    Cases and Misuse Cases

16
Advantages 1
  • Early focus on security
  • User / customer
  • Assurance
  • Awareness
  • Analyst creativity
  • Traceability

17
Advantages 2
  • Organizing requirements
  • Transition to object-oriented design languages
  • Uniform handling / specification / analysis of
    functional and adversarial usage

18
Disadvantages
  • By itself not a requirements engineering
    technique
  • No knowledge of how to write good quality Misuse
    Cases
  • Use / Misuse cases are informal
  • No clear semantics

19
Elaborating Security Requirements by Construction
of Intentional Anti-Models
  • Axel van Lamsweerde
  • Proceedings of the 26th International Conference
    on Software Engineering 2004 (ICSE 2004)

20
Papers used for this part
  • Elaborating Security Requirements by Constructing
    Intentional Anti-Models, Axel van Lamsweerde,
    Proc. 26th Int. Conf. on Software Engineering, 2004
  • Handling Obstacles in Goal-Oriented Requirements
    Engineering, Axel van Lamsweerde, IEEE Trans. on
    Software Eng., Vol. 26, No. 10, Oct 2000, pp. 976-1005
  • Agent-Based Tactics for Goal-Oriented Requirements
    Elaboration, Emmanuel Letier and Axel van
    Lamsweerde, Proc. 24th Int. Conf. on Software
    Engineering, 2002

21
Security Engineering at the Application Layer
  • Application Layer
    Services like web-based banking
  • System Layer
    Programming languages, SSHTP
  • Security Protocol Layer
    Many standard protocols; many logics and formalisms
  • Cryptography Layer
    Solid basis for basic constructs
22
Terminology
  • Goal: statement of intent
  • Has non-functional properties
  • Quality of Service
  • Agent: active components (humans, devices)
  • Role: what an agent does to achieve a goal
  • Domain Properties: descriptions of the
    environment, such as physical laws, norms

23
Goals
  • Organized as AND / OR hierarchies
  • Said to construct a refinement-abstraction
    hierarchy
  • High level goals are strategic, coarse grained,
    involving many agents
  • Low level goals are technical, fine grained,
    involving fewer agents
  • Requirement: terminal goal for one agent

24
Realizability
  • When does refinement end?
  • When a goal is realizable
  • That is, when it can be decomposed into
    monitorable and controllable conditions

25
Monitorability and Controllability
  • Need to describe agents a bit
  • An agent ag has
  • A set of variables it monitors: Mon(ag)
  • A set of variables it controls: Ctrl(ag)
  • State(V): the set of states over a set of variables V
  • Path(V): the set of possible sequences of states over V
  • A goal is a statement G whose admissible histories are HIST(G)

26
Realizability
  • Init_ag ∈ State(Ctrl(ag))
  • Next_ag : Path(Mon(ag) ∪ Ctrl(ag)) → State(Ctrl(ag))
  • such that RUN(ag) = HIST(G)
  • Means that the agent initially begins in a state
    over the variables it controls, and
  • can transition using any monitorable or
    controllable variables, so that
  • the goal and the agent have exactly the same runs

27
Operationalizing Goals
  • Writing them as a synchronized collection of
    operations on objects

28
Obstacles
  • A means of identifying goal violation scenarios
  • Formalization
  • {O, Dom} ⊨ ¬G   (obstruction)
  • {O, Dom} ⊭ false   (domain consistency)

29
Security Concerns
  • Security Goals: refined to requirements,
    i.e. a single agent can satisfy them
  • Environment: given by policies,
    a collection of rules
  • Attackers: mal-agents
  • Threats: goals of attackers
  • Assets: passive objects to be preserved

30
Security Goals
  • Considered a meta-class
  • Confidentiality
  • Integrity
  • Availability
  • Privacy
  • Authenticity
  • Non-repudiation
  • Specification requires first order, real time,
    linear temporal logic

31
Linear Time Temporal Logic - a short introduction
  • Used to reason about time-dependent properties
  • Time flows in a line
  • 0 ---- 1 ---- 2 ---- 3 ---- 4 ----> time flow
  • Some properties hold at these time points,
    commonly known as Kripke semantics / possible
    world semantics
  • Want to make some statements about time-dependent
    properties and ensure that they are valid over
    all possible interpretations

32
Syntax Terms - 1
  • A collection of constants, referred to as
    individuals
  • a, b, c, ... etc.
  • A collection of variables: a generic way to
    refer to individuals
  • x, y, z, ... etc.
  • A collection of function symbols: a way to model
    many-one relations
  • f(x,y,z), g(x,y) etc.

33
Syntax Terms - 2
  • Inductively
  • Any constant is a term
  • If t1, ..., tn are terms and f is an n-ary
    function symbol then f(t1, ..., tn) is a term.
  • Examples: 1, 2, 3, ... are constants
  • x, y, z are variables
  • gcd(·,·), min(·,·) are function symbols.
  • So gcd(x,2), min(1,2), gcd(min(2,4),6) are terms

34
Syntax Terms - 3
  • A term without any variable is said to be
    variable free
  • e.g. gcd(3,15)
  • Substitution: can replace any variable with a
    term
  • Replacing x in gcd(x,y) with 37 gives gcd(37,y)

35
Syntax Predicates
  • A collection of predicates, referred to as the
    time-dependent properties of individuals
  • a(x,y,z), q(x,y,z)
  • Called atomic predicates
  • Example
  • cando(fred,passwdFile,write)
  • At some point of time we want to ensure that Fred
    cannot write the password file ever in the future

36
Syntax Connectives - 1
  • Binary connectives: ∧ (and), ∨ (or)
  • Unary connective: ¬ (not)
  • Examples
  • cando(fred,file1,read) ∧ cando(mary,write,file2)

37
Syntax Connectives - 2
  • Unary connectives
  • □ (necessarily, i.e. at all future time points)
  • ◇ (possibly, i.e. at some future time point)
  • O (in the next time instant)
  • Binary connective U (until)
  • Examples
  • □ cando(fred,file1,read)
  • ◇ cando(mary,write,file2)
  • O cando(fred,passwdFile,write)
  • cando(fred,file1,read) U cando(mary,write,file2)

38
Semantics: what do they mean?
  • Need to define how to evaluate truth in a model
  • Model: a fully instantiated collection of
    predicates for each instance of time

39
Semantics - 2
  • Example model: the predicates true at each time point
  • 0: cando(fred,f1,r), cando(mary,f2,w)
  • 1: cando(fred,f1,r), cando(mary,f1,r)
  • 2: cando(fred,f1,r), cando(fred,f2,r)
  • 3: cando(fred,f1,r), cando(joe,f1,r), cando(jim,f3,x)
40
Semantics Truth Definition - 1
  • Truth is defined for each time-point
  • Referred to as a world
  • Satisfaction in a world is symbolized as ⊨
  • So, 3 ⊨ cando(fred,f1,read) means that according to
    (someone in) the 3rd time point (or world), Fred
    can read file f1

41
Semantics Truth Definition - 2
  • t ⊨ ¬f iff t ⊨ f does not hold
  • Example: 2 ⊨ ¬cando(fred,f1,write)
  • t ⊨ f ∧ p iff t ⊨ f and t ⊨ p
  • Ex: 2 ⊨ cando(fred,f1,r) ∧ cando(fred,f2,r)
  • t ⊨ f ∨ p iff t ⊨ f or t ⊨ p
  • Ex: 2 ⊨ cando(fred,f1,r) ∨ cando(fred,f2,w)

42
Semantics Truth Definition - 3
  • t ⊨ O f iff t+1 ⊨ f
  • Example: 0 ⊨ O cando(fred,f1,write)
  • t ⊨ □f iff t' ⊨ f for all t' > t
  • Ex: 0 ⊨ □cando(fred,f1,r)
  • t ⊨ ◇f iff t' ⊨ f for some t' > t
  • Ex: 2 ⊨ ◇cando(jim,f3,x)

43
An Extra Connective ◇<d
  • Means sometime in the future within a time of d
  • Example
  • 0 ⊨ ◇<3 cando(jim,f3,x)
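The truth definitions of slides 40-43, evaluated over the example model of slide 39, as an added worked example in Python (not code from the slides or from the cited papers). The tuple encoding of formulas, the names `holds` and `violating_worlds`, the assumption that the finite trace's last world repeats forever, and the inclusive reading of ◇<d (t < t' ≤ t+d, so that the slide's example holds in the slide's model) are all assumptions of this example.

```python
# Added example, not from the slides: a finite-trace evaluator for the LTL
# truth definitions of slides 40-43, run over the example model of slide 39.
# Formulas are nested tuples; atoms are the cando(...) predicates as strings.
# Assumptions: the trace is finite and its last world repeats forever, so
# "for all t' > t" is decided on the listed worlds; the bounded operator
# <>_<d is read inclusively (t < t' <= t+d) so the slide's example holds.

# Constructed model of slide 39: the atoms true at each time point.
MODEL = [
    {"cando(fred,f1,r)", "cando(mary,f2,w)"},                    # world 0
    {"cando(fred,f1,r)", "cando(mary,f1,r)"},                    # world 1
    {"cando(fred,f1,r)", "cando(fred,f2,r)"},                    # world 2
    {"cando(fred,f1,r)", "cando(joe,f1,r)", "cando(jim,f3,x)"},  # world 3
]

def holds(model, t, f):
    """Return True iff model, t |= f."""
    last = len(model) - 1
    future = range(min(t + 1, last), last + 1)       # t' > t, with stuttering
    if isinstance(f, str):                            # atomic predicate
        return f in model[t]
    op = f[0]
    if op == "not":                                   # t |= ~f iff not t |= f
        return not holds(model, t, f[1])
    if op == "and":                                   # t |= f ^ p iff both hold at t
        return holds(model, t, f[1]) and holds(model, t, f[2])
    if op == "or":                                    # t |= f v p iff either holds at t
        return holds(model, t, f[1]) or holds(model, t, f[2])
    if op == "next":                                  # t |= O f iff t+1 |= f
        return holds(model, min(t + 1, last), f[1])
    if op == "always":                                # t |= []f iff f at all t' > t
        return all(holds(model, u, f[1]) for u in future)
    if op == "eventually":                            # t |= <>f iff f at some t' > t
        return any(holds(model, u, f[1]) for u in future)
    if op == "within":                                # t |= <>_<d f iff f at some t < t' <= t+d
        return any(holds(model, u, f[2]) for u in range(t + 1, min(t + f[1], last) + 1))
    if op == "until":                                 # f U p: p eventually, f until then
        for u in range(t, last + 1):
            if holds(model, u, f[2]):
                return True
            if not holds(model, u, f[1]):
                return False
        return False
    raise ValueError(f"unknown connective {op}")

def violating_worlds(model, goal):
    """Time points where a goal fails; [] means the whole trace satisfies it."""
    return [t for t in range(len(model)) if not holds(model, t, goal)]
```

Checking the slide-35 goal "Fred never writes the password file" with `violating_worlds(MODEL, ("not", "cando(fred,passwdFile,write)"))` returns an empty list for this model; any non-empty result lists the worlds where a goal is obstructed.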

44
Back to Specifying Security Goals
  • Want to specify
  • confidentiality, integrity, availability,
    privacy, authenticity, non-repudiation
  • Using
  • Predicates with special meaning
  • Connectives of temporal logic
  • Few more to come

45
More Notations and Abbreviations
  • Use (P ⇒ Q) to mean □(P → Q)
  • That means at whatever time point P is true, then
    so is Q
  • Some epistemic operators
  • KnowsV_ag(v) ≡ ∃x Knows_ag(x = v)
  • agent ag knows that variable x takes the value v
  • Knows_ag(P) ≡ Belief_ag(P) ∧ P
  • Agent ag knows P if it believes P and P is true

46
Confidentiality
  • ∀ ag: Agent, acc: Account, ob: Object
  • ¬Authorized(ag,acc) ⇒ ¬KnowsV_ag(ob.info)
  • Says that an agent ag may know information info
    about the object ob only if it is authorized for
    account acc
  • Notice: using typed / many-sorted logic

47
An Example Definition for Authorization
  • ∀ ag: Agent, acc: Account
  • Authorized(ag,acc) ⇔ owner(ag,acc)
    ∨ proxy(ag,acc)
    ∨ manager(ag,acc)
  • Says that an agent ag is authorized to operate an
    account acc iff it is either the owner, a proxy
    or a manager

48
Refining the Goal
  • If the sensitive information about the account is
    the pair (acc, pin)
  • ∀ p: Person, acc: Account
  • ¬(owner(p,acc) ∨ proxy(p,acc) ∨ manager(p,acc))
    ⇒ ¬(KnowsV_p(acc.acc) ∧ KnowsV_p(acc.pin))
  • Says any person who is not authorized must not
    know the acc and the pin simultaneously

49
Privacy
  • ∀ ag, ag': Agent, ob: Object
  • KnowsV_ag(ob.info) ∧ ownedBy(ob.info,ag') ∧ ag ≠ ag'
    ⇒ authorizedBy(ag,ob.info,ag')
  • Says that a non-owner agent can know information
    about an object only if the owner authorized that
    information.

50
Integrity
  • ∀ ag: Agent, ob: Object, v: Value
  • ob.info = v ∧ O(ob.info ≠ v)
    ∧ underControl(ob.info,ag)
  • ⇒ authorizedBy(ag,ob.info,ag) ∧ O Integrity(ob.info)
  • Says that if information about an object under
    control of an agent ag changes, then the change must
    have been authorized by an owner and retain the
    integrity of the object.

51
Availability
  • ∀ ag: Agent, ob: Object, v: Value
  • needs(ag,ob.info) ∧ Authorized(ag,ob.info)
  • ⇒ ◇<d using(ag,ob.info)
  • Says that needed, authorized data must be used
    within a bounded amount of time

52
Anti-Goals
  1. Take the negation of a specification of a
    security requirement
  2. Elicit answers to questions such as: who can be
    interested in this?
  3. Get high level goals of such an attacker
  4. Refine and construct an AND/OR tree from the
    statement.
  5. Could be fed into a machine to analyze whether the
    anti-goal can be realized
  6. Tool support available at http://www.objectiver.com
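As an added example (not from the slides or from van Lamsweerde's papers), a finite-model check of the refined confidentiality goal of slide 48 together with step 1 of the anti-goal procedure above: the goal is negated and its witnesses listed, i.e. the unauthorized persons who know both an account number and its PIN. The person, account and role facts, and the names `authorized`, `knows_v` and `anti_goal_witnesses`, are constructed for this example.

```python
# Added example, not from the slides: checking the refined confidentiality
# goal of slide 48 against a small finite model, and computing the witnesses
# of its anti-goal (slide 52, step 1: the negation of the requirement).
# Goal:      forall p, acc: not(owner v proxy v manager)(p,acc)
#                           => not(KnowsV_p(acc.acc) ^ KnowsV_p(acc.pin))
# Anti-goal: exists p, acc: not Authorized(p,acc)
#                           ^ KnowsV_p(acc.acc) ^ KnowsV_p(acc.pin)
# All persons, accounts and facts below are constructed for this example.

# Constructed role facts; Authorized is defined from them as on slide 47.
ROLES = {
    "owner":   {("alice", "acc1"), ("bob", "acc2")},
    "proxy":   {("carol", "acc1")},
    "manager": {("dave", "acc1"), ("dave", "acc2")},
}

# Constructed KnowsV facts: (person, account, attribute) whose value is known.
KNOWS = {
    ("alice", "acc1", "acc"), ("alice", "acc1", "pin"),
    ("carol", "acc1", "acc"), ("carol", "acc1", "pin"),
    ("eve",   "acc2", "acc"), ("eve",   "acc2", "pin"),   # eve holds no role on acc2
    ("eve",   "acc1", "acc"),                              # only half of the secret
}

def authorized(p, acc, roles=ROLES):
    """Authorized(p,acc) <=> owner(p,acc) v proxy(p,acc) v manager(p,acc)."""
    return any((p, acc) in roles[r] for r in ("owner", "proxy", "manager"))

def knows_v(p, acc, attr, knows=KNOWS):
    """KnowsV_p(acc.attr): person p knows the value of attribute attr of acc."""
    return (p, acc, attr) in knows

def anti_goal_witnesses(roles=ROLES, knows=KNOWS):
    """(p, acc) pairs satisfying the anti-goal, i.e. counterexamples to the
    confidentiality goal. An empty list means the goal holds in this model."""
    persons = {p for (p, _, _) in knows} | {p for rs in roles.values() for (p, _) in rs}
    accounts = {a for (_, a, _) in knows} | {a for rs in roles.values() for (_, a) in rs}
    return sorted(
        (p, a) for p in persons for a in accounts
        if not authorized(p, a, roles)
        and knows_v(p, a, "acc", knows) and knows_v(p, a, "pin", knows)
    )
```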