Siv Hilde Houmb
University of Twente
Publication
Featured research published by Siv Hilde Houmb.
Information & Software Technology | 2009
Geri Georg; Indrakshi Ray; Kyriakos Anastasakis; Behzad Bordbar; Manachai Toahchoodee; Siv Hilde Houmb
We propose a methodology, based on aspect-oriented modeling (AOM), for incorporating security mechanisms in an application. The functionality of the application is described using the primary model and the attacks are specified using aspects. The attack aspect is composed with the primary model to obtain the misuse model. The misuse model describes how much the application can be compromised. If the results are unacceptable, then some security mechanism must be incorporated into the application. The security mechanism, modeled as a security aspect, is composed with the primary model to obtain the security-treated model. The security-treated model is analyzed to give assurance that it is resilient to the attack.
availability, reliability and security | 2009
Siv Hilde Houmb; Virginia Nunes Leal Franqueira
Security management is about calculated risk and requires continuous evaluation to ensure cost, time and resource effectiveness. Part of this is to make future-oriented, cost-benefit investments in security. Security investments must adhere to healthy business principles where both security and financial aspects play an important role. Information on the current and potential risk level is essential to successfully trade off security and financial aspects. Risk level is the combination of the frequency and impact of a potential unwanted event, often referred to as a security threat or misuse. The paper presents a risk level estimation model that derives risk level as a conditional probability over frequency and impact estimates. The frequency and impact estimates are derived from a set of attributes specified in the Common Vulnerability Scoring System (CVSS). The model works on the level of vulnerabilities (just as the CVSS) and is able to compose vulnerabilities into service levels. The service levels define the potential risk levels and are modelled as a Markov process, which is then used to predict the risk level at a particular time.
WIT Transactions on the Built Environment | 2005
Siv Hilde Houmb; Karin Sallhammar
Recently, the need for techniques for quantification of security attributes of ICT systems has been raised. This relates both to security requirements in QoS architectures and to input to trade-off analysis regarding the design and choice of security mechanisms to comply with an established security policy. Early research in this area has focused on state transition models, such as Markov or semi-Markov models. In the dependability domain these techniques are used to measure values such as mean time between failures (MTBF), and to quantify frequency and consequences of risks. The dynamics of security attacks make these models intractable to use, due to the problem of state explosion. To be able to express the complete state space of a security critical system, one needs to consider not only hardware, operating system, and application/service faults, but also the survivability of the system in terms of intentional and accidental security breaches. This paper builds a stochastic prediction system to estimate the system integrity of a security critical system. The paper makes use of Colored Petri Nets (CPN), a higher-level formalism for stochastic modeling, analysis, and simulation. The prediction system is implemented as a generic and hierarchic CPN model.
international conference on software engineering | 2009
Ayse Morali; Emmanuele Zambon; Siv Hilde Houmb; Karin Sallhammar; Sandro Etalle
Security evaluation according to ISO 15408 (Common Criteria) is a resource- and time-demanding activity, as well as being costly. For this reason, only a few companies take their products through a Common Criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that it provides output that can be directly fed into a Common Criteria security evaluation. In this paper, we evaluate the time and resource efficiency of parts of eTVRA and the quality of the result produced by following eTVRA compared to a more pragmatic approach (Protection Profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider.
Journal of Vacuum Science and Technology | 2008
Siv Hilde Houmb; V. Nunes Leal Franqueira; E.A. Engum
Archive | 2011
Siv Hilde Houmb; Geri Georg; Dorina C. Petriu; Behzad Bordbar; Indrakshi Ray; Kyriakos Anastasakis
IEEE Transactions on Magnetics | 2008
Ayse Morali; Emmanuele Zambon; Siv Hilde Houmb; Karin Sallhammar; Sandro Etalle
Archive | 2012
Siv Hilde Houmb; Indrajit Ray; Indrakshi Ray
Archive | 2009
Geri Georg; Indrakshi Ray; Kyriakos Anastasakis; Behzad Bordbar; Manachai Toahchoodee; Siv Hilde Houmb
IEEE Conference Proceedings | 2009
Siv Hilde Houmb; V. Nunes Leal Franqueira