Publication


Featured research published by Jose Fran. Ruiz.


parallel, distributed and network-based processing | 2012

A Methodology for the Analysis and Modeling of Security Threats and Attacks for Systems of Embedded Components

Jose Fran. Ruiz; Rajesh Harjani; Antonio Maña; Vasily Desnitsky; Igor V. Kotenko; Andrey Chechulin

The development of systems based on embedded components is a challenging task because of their distributed, reactive and real-time nature. From a security point of view, embedded devices are basically systems owned by a certain entity, used frequently as part of systems owned by other entities and operated in a potentially hostile environment. The development of security-enhanced systems of embedded components is a difficult task due to different types of threats that may affect such systems, and because the security in systems of embedded devices is currently added as an additional feature when the development is advanced, or avoided as a superfluous characteristic. We present in this paper a methodology for the analysis and modeling of threats and attacks for systems of embedded components. The Intruder Model allows us to describe possible actions a potential intruder can accomplish, depending on his/her capabilities, resources, etc. Using this information, we can define a Threat Model that will specify the threats and attacks that affect different security properties in specific domains.


2009 Second International Conference on Dependability | 2009

Development of Applications Based on Security Patterns

Daniel Serrano; Jose Fran. Ruiz; Antonio Muñoz; Antonio Maña; Alvaro Armenteros; Beatriz Gallego-Nicaso Crespo

Current approaches for software development fail in the integration of security aspects. Usually, this is because of the software complexity and the specific expertise needed for the integration of modern security solutions. In this paper we present the SERENITY Project which proposes a framework addressing this issue. SERENITY is based on the separation of the development of security solutions from the development of secure software supported by these security solutions. Both developments, security solutions and secure applications, are centered on the use of libraries of precise descriptions of reusable security solutions stored in the form of security patterns. This approach fits very well with new emerging scenarios such as ambient intelligence, ubiquitous computing, grids, etc. In this paper we present the development of a secure application based on these ideas. In order to do that, we introduce an Application Programming Interface (API) specially designed to use SERENITY advantages.


international workshop on security | 2011

A security-focused engineering process for systems of embedded components

Jose Fran. Ruiz; Rajesh Harjani; Antonio Maña

Development of systems based on embedded components is a challenging task because of the distributed, reactive and real-time nature of such systems. From a security point of view, it is essential to take into account that frequently embedded devices are basically system components owned by a certain entity, used as part of systems owned by other entities and operated in a potentially hostile environment. Currently, a security engineering process for systems with embedded components that takes these considerations into account does not exist. Although many individual mechanisms to solve specific security problems are already available, the integration of these mechanisms in order to form a coherent system that can satisfy more complex security requirements is not trivial. This paper presents a process, which aims to support embedded systems developers in considering security aspects in the overall engineering process. Particularly, the process provides means to identify and manage security properties and requirements. This security engineering process supports the representation of security aspects and mechanisms in a comprehensive and coherent modeling framework based on the UML metamodel. The process key characteristics are that (i) it is suited to the specific needs of systems with embedded components; (ii) it supports the developers in making sound security design decisions; (iii) it encourages the separation of responsibilities between security experts and system designers; and (iv) it integrates reusable security-focused models of embedded components. The main aspect to highlight in the process is that it is directed by security properties. We believe that the best approach is to base requirements on the positive expression of properties, as opposed to the negative expression by means of threats and attacks.


privacy forum | 2016

A Lifecycle for Data Sharing Agreements: How it Works Out

Jose Fran. Ruiz; Marinella Petrocchi; Ilaria Matteucci; Gianpiero Costantino; Carmela Gambardella; Mirko Manea; Anil Ozdeniz

An electronic Data Sharing Agreement (DSA) is a human-readable, yet machine-processable contract, regulating how organizations and/or individuals share data. In past work, we have shed light on DSA engineering, i.e., the process of studying how data sharing is ruled in traditional legal human-readable contracts and mapping their fields (and rules) into formats that are machine-processable, leading to the transposition of a traditional legal contract into the electronic DSA. However, the definition of an electronic DSA is only the starting point of a complex DSA lifecycle, driving the contract from its creation to (1) an analysis phase, where the DSA rules are checked against conflicts; and (2) a mapping phase, where the analysed rules are transposed into privacy policies expressed in enforceable languages. This paper presents our vision for the architectural definition of a DSA system, where a lifecycle manager orchestrates: an authoring tool for legal experts, policy experts, and end users; an analyser for checking consistency of the DSA rules; a mapper for encoding rules in a low level language amenable for enforcement.


ieee systems conference | 2014

A security engineering process for systems of systems using security patterns

Jose Fran. Ruiz; Carsten Rudolph; Antonio Maña; Marcos Arjona

The creation of secure systems of systems is a complex process. A large variety of security expertise and knowledge specific for application domains is required. This is even more important if systems of systems span different application domains. Then, security threats specific to different application domains need to be considered. One example is integrated systems for industrial production processes that interface office domains with supply chain management systems as well as a production environment. Such integrated systems of systems can perform very efficient and economic processes. However, due to the many and different domain-specific security requirements and threats, security engineering needs to support requirements specification and architecture design very early in the development process in order to ensure resilience and safety of the complete system. Working with different domains implies that properties and its functionalities are specific and the engineering process used for modeling and designing the complete system has to be able to work in this context, covering all the possibilities and allowing the use of trusted solutions that are compatible with the ones of different domains. We present in this paper a security engineering process for creating secure systems of systems that cover the necessities presented above by using a series of security artifacts that contain the domain-specific security information (in terms of security properties) and provide security solutions in the form of security patterns. These patterns contain the definition of the software/hardware elements used for providing the required solution and the information of related patterns for different domains, which provides a very helpful functionality for creating a system of systems.


availability, reliability and security | 2013

Secure Engineering and Modelling of a Metering Devices System

Jose Fran. Ruiz; Marcos Arjona; Antonio Maña; Niklas Carstens

This paper presents a security engineering process for the modelling of security-sensitive systems using a real use case of metering devices. The process provides a security framework that can be used with other existing processes (such as the agile ones). It helps to develop and model systems bearing in mind their heterogeneity, real-time and dynamic behaviors. Besides, due to the critical nature of some of these systems (nuclear, emergency systems, military, etc.) it provides tools for identifying, working and solving security threats by using the knowledge of domain experts. This is very important because threats, properties, solutions, etc. that are valid or relevant in a given domain, are not applicable to other domains and are subject to constant changes. The security requirements of the systems are fulfilled by means of domain-specific security knowledge. These artefacts contain the specific information of a domain (security properties, elements, assumptions, threats, tests, etc.). The solutions are presented as Security Patterns. Each one describes an implementation solution by using one or several Security Building Blocks (SBBs). The security engineering process presented here describes how to model a security-enhanced system model using a library of domain security knowledge. The process has been developed along with a Magic Draw plugin that covers all the possible functionalities, making the work with the models and the security elements very simple and easy for the user.


high assurance systems engineering | 2011

A Security Modelling Framework for Systems of Embedded Components

Antonio Maña; Jose Fran. Ruiz

The development of systems based on embedded components is a challenging task because of the distributed, reactive and real-time nature of such systems. From a security point of view, embedded devices are basically systems owned by a certain entity and operated in a potentially hostile environment. Currently, a security engineering process for systems with embedded components that takes these considerations into account does not exist. This paper presents a process, which aims to support the embedded systems developer in integrating the security elements into the overall engineering process. In particular, the proposed process provides means to identify and to consistently and naturally manage security properties and requirements.


Computers & Security | 2017

Security knowledge representation artifacts for creating secure IT systems

Jose Fran. Ruiz; Marcos Arjona; Antonio Maña; Carsten Rudolph

The creation of secure applications is more than ever a complex task because it requires from system engineers increasing levels of knowledge in security requirements, design and implementation. In fact, the fast increasing size and volatility of this knowledge has reached a point in which it is unrealistic to expect that system engineers can keep up to date with it. The most prominent paradigm for addressing this problem is the use of security patterns to communicate security knowledge from experts to system designers. This, and other security artifacts, have proved their utility and benefits in the past years, improving the way security is taken into account by system engineers and developers. On the other hand, these artifacts have some limitations that have prevented them from becoming more widespread. In particular, security patterns are human-oriented and as such heavily based on natural language, which implies intrinsic high degrees of imprecision and ambiguity. In our opinion, we need to make the move from purely human-oriented artifacts to hybrid artifacts that convey information for both humans (engineers and designers) and computer tools (engineering and development environments). Therefore, we have created a new security knowledge representation artifact that aims to cover the needs of system engineers and help them not only in applying a solution, but also in understanding the security aspects of a given domain as a highly-related set of security concepts (e.g. properties, requirements, solutions, etc.). This artifact, called Domain Security Metamodel (DSM), is, as its name suggests, domain-specific and contains information about all security aspects that are relevant in a specific domain (e.g. embedded systems, web services, etc.). The DSM contains security solutions that implement the security properties of the specific domains. That way, when users apply them into their system models the solutions for development time can be integrated directly and naturally. In order to describe our approach in a useful way we use a running example based on the Web Service Security (WS-Security) specification.


The Computer Journal | 2015

An Integrated Security and Systems Engineering Process and Modelling Framework

Jose Fran. Ruiz; Antonio Maña; Carsten Rudolph

The modelling, engineering and development of systems with security requirements (which today means all systems) have been the target of different research works that are intended to deal with the increasing complexity of systems and characteristics such as distribution, real-time constraints and heterogeneity and with the need to provide increasing levels of security and privacy for users and businesses. Unfortunately, the situation is that no integral and comprehensive approach has been able to successfully address those challenges and gain acceptance in the industry. In fact, industrial system security engineering is in practice oversimplified, uses inadequate or obsolete solutions and is not treated consistently with the rest of the system engineering to allow an adequate assessment and tracing of the identified security goals, the security decisions made, security mechanisms selected and implemented. As a result, security problems are still too common in most systems. This paper presents a novel engineering process that seamlessly integrates security engineering activities throughout the whole system lifecycle, starting from the very first phases of the engineering process, named integrated security and system engineering process (ISSEP). In order to address the need to use accurate and up-to-date security knowledge by average system engineers, ISSEP follows a separation-of-responsibilities approach. Security knowledge is provided by experts in the form of libraries of engineering artefacts that can then be used by average system engineers in an easy and semi-automatic way. The ISSEP that we present here has been validated in real-world applications by several relevant companies (e.g. RUAG, Technicolor, Mixed Mode, etc.). One of the key points of the ISSEP is that it has been designed to be tool-supported. We have developed different tools to support its application. In particular, the main tool is available as a plugin for MagicDraw that offers support to the different actors in all the steps of the process. An Eclipse-based version is also under development.


PLoP '13 Proceedings of the 20th Conference on Pattern Languages of Programs | 2013

Towards computer-oriented security patterns

Antonio Maña; Eduardo B. Fernandez; Jose Fran. Ruiz; Carsten Rudolph

Collaboration


Top Co-Authors

Andrey Chechulin

Russian Academy of Sciences

Vasily Desnitsky

Russian Academy of Sciences
