Riham Hassan
Virginia Tech
Publication
Featured research published by Riham Hassan.
availability, reliability and security | 2008
Riham Hassan; Shawn A. Bohner; Sherif El-Kassas; Mohamed Eltoweissy
This paper proposes a requirements-driven security engineering approach for modeling, specifying, and analyzing application-specific security requirements that are formally derived into security design specifications preserving security requirements properties. The approach adopts and non-trivially extends the goal-oriented KAOS (Knowledge Acquisition in automated Specifications) framework developed by van Lamsweerde to formally construct a complete, consistent, and clear security requirements model. The resulting model is then extended using the B method to produce security design specifications and further implementation while preserving requirements properties. In our approach, we first transform the KAOS requirements model to an abstract B model and second, we refine the model using the B refinement mechanism to generate design specifications and implementation. This unique treatment of secure software engineering is systematic, constructive and considers security early in the development lifecycle while ensuring no loss of the security requirements properties of completeness, consistency and clarity at later development phases. Moreover, our approach allows for requirements traceability at the various phases of development.
hawaii international conference on system sciences | 2009
Riham Hassan; Shawn A. Bohner; Sherif El-Kassas; Michael G. Hinchey
The use of formal methods has long been advocated in the development of secure systems. Yet, methods for deriving design from requirements that guarantee retention of the intended security properties remain largely unrealized on a repeatable and consistent basis. We present FADES (Formal Analysis and Design approach for Engineering Security), which integrates KAOS (Knowledge Acquisition in autOmated Specifications) with the B specification language to derive security design specifications and further implementation from security requirements. We demonstrate the capability of the approach to handle changes to security requirements by introducing corrective changes to the security requirements of a case study, the spy network system. The objective is to bridge the gap between formal requirements and design for security requirements. Our initial results show promise with FADES in preserving security properties and detecting security vulnerabilities early during requirements. Encouraged by these, we are more quantitatively assessing the FADES capabilities.
IET Software | 2010
Riham Hassan; Mohamed Eltoweissy; Shawn A. Bohner; Sherif El-Kassas
Formal methods have long been advocated for the development of provably secure software. However, the lack of formal requirements elaboration and the limited scalability afforded by such methods have led to employing informal or semi-formal methods for large-scale software development. In our effort to produce highly secure software in a systematic, provable and cost-effective manner, the authors have proposed formal analysis and design for engineering security (FADES) as the first goal-oriented software security engineering approach that provides an automated bridge between the goal-oriented semi-formal Knowledge Acquisition for autOmated Specifications (KAOS) framework and the B formal method. Automating the transition from requirements to specifications, considered one of the most difficult steps in the software development lifecycle, is vital to the success of FADES. Further, the automated derivation of a suite of acceptance test cases from the requirements model in FADES provides a means to verify the security implementation against the requirements model. In this study, the authors propose an automated process using FADES to systematically derive B specifications and a suite of acceptance test cases from goal-oriented security requirements. Further, the authors empirically validate the effectiveness of the FADES automated bridge that paves the ground for formal design and implementation. The empirical validation involves both security engineering practitioners and experts in formal methods for security. The extensive results obtained demonstrate the effectiveness of the FADES automated bridge in producing secure software in a cost-effective manner.
cyber security and information intelligence research workshop | 2008
Riham Hassan; Shawn A. Bohner; Sherif El-Kassas
cyber security and information intelligence research workshop | 2010
Riham Hassan; Shawn A. Bohner; Mohamed Eltoweissy
Cost-effective development of secure software is a key goal for many software organizations as they seek to manage the risks of misbehaving software. Employing Formal Methods (FMs) in the Model-Based Software Engineering (MBSE) paradigm, which systematically produces software systems through modeling, simulation, reuse and automation, provides a reasonable approach for developing highly secure software in a productive manner. MBSE approaches introduce some complexities at the beginning of the lifecycle, but save substantial time in production and delivery by identifying and resolving defects/errors early and reducing rework. On the other hand, the expertise needed for FMs and the concomitant costs often inhibit their wide employment in securing large and complex software systems. In this paper, we report our experience with Formal Analysis and Design for Engineering Security (FADES), an approach we introduced two years ago at this venue. Through systematic and automated transformation from semiformal requirements specifications to formal design, FADES facilitates embedding FMs into the development lifecycle of secure software systems. We outline the case studies and validation of FADES feasibility for the design and implementation of secure software systems. Promising experience with FADES was a necessary precursor to our work on generalizing FADES and our proposal to direct FADES toward being an MBSE approach. We discuss how the formality, transformation, reuse and automation in FADES may further enhance the MBSE-based production and delivery of secure software.
computational science and engineering | 2009
Riham Hassan; Mohamed Eltoweissy; Shawn A. Bohner; Sherif El-Kassas
We advocate goal-oriented software security engineering to produce highly secure software in a constructive, provable and cost-effective manner. Our approach is to couple goal-oriented semi-formal requirements specifications with formal design and implementation. To this effect, we proposed FADES (Formal Analysis and Design for Engineering Security) in [14] as the first goal-oriented software security engineering approach that provides a systematic and automated bridge between the goal-directed semi-formal KAOS (Knowledge Acquisition for autOmated Specifications) framework and the B formal method to derive formal design and implementation from security requirements. In this paper, we demonstrate the applicability of FADES and study its effectiveness through a generic Electronic Smart Card case study and a comparative analysis between FADES and strictly applying formal methods. We use the case study to demonstrate how the goal-oriented formulation of security requirements in FADES paves the way for formal design that provably preserves the security properties. Further, the results of the comparison between FADES and Z show that FADES achieves better requirements completeness, consistency and security quality.
collaborative computing | 2011
Mohamed Azab; Riham Hassan; Mohamed Eltoweissy
International Journal of Information Systems for Crisis Response Management | 2013
Andrea L. Kavanaugh; Steven D. Sheetz; Riham Hassan; Seungwon Yang; Hicham G. Elmongui; Edward A. Fox; Mohamed Magdy; Donald J. Shoemaker
international conference on software engineering advances | 2011
Ahmed Abouzekry; Riham Hassan
international conference on software engineering advances | 2012
Mahmoud F. Ayoub; Riham Hassan; Hicham G. Elmongui