Misuse Cases - PowerPoint PPT Presentation

About This Presentation

Title:

Misuse Cases

Description:

Capturing security requirements through Misuse Cases by Gottorm Sindre and ... Nextag Path(Mon(ag)UCtrl(ag)) State(Ctrl(ag)) such that RUN(ag) = HIST(G) ... – PowerPoint PPT presentation

Number of Views:338

Avg rating:3.0/5.0

Slides: 53

Provided by: csG6

Learn more at: https://cs.gmu.edu

Category:

more less

Transcript and Presenter's Notes

Title: Misuse Cases

1
Misuse Cases

ISA 780/ SWE 623 - 2005
Taken from various papers on the Internet

2
References

Templates for Misuse Case Descriptions by Gottorm
Sindre and Andreas L. Opdahl available at
www.ifi.uib.no/conf/refsq2001/papers/p25.pdf
Capturing security requirements through Misuse
Cases by Gottorm Sindre and Andreas L. Opdahl
available at www.nik.no/2001/21-sindre.pdf
Initial Industrial Experience of Misuse Cases in
Trade-Off Analysis by Ian Alexander, available at
http//easyweb.easynet.co.uk/iany/consultancy/mis
use_cases/misuse_cases_in_tradeoffs.htm
From Misuse cases to Colboration Diagrams by Zaid
Dwaikat and Francesco Parisi-Presicce available
at www.software.org/pub/externalpapers/papers/dwai
kat-2004-1.pdf

3
Papers Sindre and Opdahl

Use cases are helpful in understanding
stakeholder requirements
That is actors execute Use Cases
Who are attackers? Mal-actors
What do they do execute misuse cases

4
(No Transcript)
5
(No Transcript)
6
Misuse Case Templates 1

Name Obtain Password
Summary A crook obtains and uses a password for
e-shop by reading messages sent through a
compromised network.
Author Yours Truly
Date 09-30-2005

7
Misuse Case Template 2

Basic Pathbp0
Bp0-1 A crook hacks a host and installs IP
sniffer
Bp0-2 (and extension point e-1) All packets with
Login, password, etc are intercepted and analyzed
Bp0-3 Thus the crook collects likely username /
password pairs
Bp0-4 The crook uses the stolen username /
password pair to login illegally

8
Misuse Case Template 3

Alternate Paths
Ap1 The crook has SU privileges (changes step
bp0-1)
AP2 The crook intercepts telephone messages from
e-shop operator
(changes bp0-2)
AP3 The crook intercepts e-shop operators
portable devices messages (changes bp0-3)

9
Misuse Case Template 4

Capture Points
CP1 Password does not work changed (bp0-4)
CP2 Password does not work expired (bp0-4)
CP3 Password does not work different IP
address (bp0-4)
CP4 Operator login restricted to special IP
(bp0-4)
CP5 Communication uninterruptible (bp0-2)

10
Misuse Case Template 5

Extension Points
Cp1 Includes misuse case Tap Communications (in
step bp0-2)
Triggers
Tr1 always true
Preconditions
Pc1 Operator has special authority
Pc2 Operator allowed to login over the Internet

11
Misuse Case Template 6

Assumptions
As1 operator uses the network to login (for all
paths)
As2 operator uses home phone to login (for ap2)
As3 operator uses home phone to login (for ap3)

12
Misuse Case Template 7

Worse case threat (post condition)
Wc1 The crook gains operator access
Capture guarantee (post condition)
Cg1 The crook never gets operator access
Related Business Rule
Br1 operator gains full access
Br2 operator is the only full access user

13
Misuse Case Template 8

Potential Mis-user Profile
Highly skilled, possibly a network admin with
criminal intent
Stakeholders and Threats
Sh1 e-shop
Reduce turnover
Lost consumer confidence

14
Misuse Case Template 9

Customer
Privacy violation
Potential economic loss
Scope
Entire business environment
Abstraction Level
Mis-user goals
Precision Level
Focused

15
Methods for Building Misuse Cases

First build Use Cases with actors
Introduce major Misuse Cases
Identify potential relationships between Use
Cases and Misuse Cases

16
Advantages 1

Early focus on security
User / customer
Assurance
Awareness
Analyst creativity
Traceability

17
Advantages 2

Organizing Requirements
Transition to object oriented
Design
Languages
Uniform handling /specification /analysis of
functional and adversarial usage

18
Disadvantages

By itself not a requirements engineering
technique
No knowledge on how to write good quality Misuse
Cases
Use /Misuse case are informal
No clear semantics

19
Elaborating Security Requirements by Construction
of Intentional Anti-Models

Axel van Lamsweerde
Proceedings of the 26th International Conference
on Software Engineering 2004 (ICSE 2004)

20
Papers used for this part

Elaborating Security Requirements by Constructing
Intentional anti-models by Axel van Lamsweerde
proc 26th Int. conf. on Software Eng. 2004
Handling obstacles in goal-oriented requirements
engineering, Axel van Lamsweerde, IEEE Trans on
Soft. Eng, Vol 26, No 10, Oct 2000 P 976-1005
Agent-based tacticles for generating
goal-oriented requirements elaboration, Emmanuel
Leitier and Axel van Lamsweerde, proc 24th Int.
conf. on Software Eng. 2002

21
Security Engineering at the Application Layer
Application Layer

Application Layer
Services like web-based banking
System Layer
Programming languages, SSHTP
Security Protocol Layer
Many standard protocols
Many logics and formalisms
Cryptography Layer
Solid basis for basic constructs

System Layer
Security Protocol Layer
Cryptography
22
Terminology

Goal statement of intent
Has non-functional properties
Quality of Service
Agent active components (human, devices)
Roles an agent does to achieve a goal
Domain Properties descriptions of the
environment, such as physical laws, norms

23
Goals

Organized as AND / OR hierarchies
Said to construct a refinement-abstraction
hierarchy
High level goals are strategic,
Coarse grained with many agents
Low level goals are technical,
Fine grained involving less agents
Requirement terminal goal for one agent

24
Realizability

When does refinement end?
When a goal is relizable
When it can be decomposed into
Monitorable and controllable conditions

25
Monitorability and Controllability

Need to describe agents a bit
An agent ag has
A set of variables it monitors Mon(ag)
A set of variables it controls Ctrl(ag)
A set of state variables in V State(V)
A set of possible sequences over V Path(V)
A goal is a statement G that has a history HIST(G)

26
Realizability

Initag ? State(Ctrl(ag))
Nextag ? Path(Mon(ag)UCtrl(ag)) ?
State(Ctrl(ag))
such that RUN(ag) HIST(G)
Means, that the agent initially begins in a state
that can control itself and
Can transition using any monitorable or
controllable variables so that
the goal and the agent has exactly the same runs

27
Oprationalizing Goals

Writing them as a
synchronized collection of
operations on objects

28
Obstacles

A means to identifying goal violation scenarios
Formalization
O,Dom G Obstruction
Dom O Domain consistency

29
Security Concerns

Security Goals refined to requirements
i.e. a single agent can satisfy them
Environment given by policies
a collection of rules
Attackers mal-agents
Threats goals of attackers
Assets passive objects to be preserved

30
Security Goals

Considered a meta-class
Confidentiality
Integrity
Availability
Privacy
Authenticity
Non-repudiation
Specification requires first order, real time,
linear temporal logic

31
Liner Time Temporal Logic- a short introduction -

Used to reason about time dependent properties
The time flows in a line
------------------------------------?time
flow
0 1 2 3 4
Some properties hold on these time points
commonly known as Kripke Semantics / possible
world semantics
Want to make some statements about time dependent
properties and ensure that they are valid over
all possible interpretations

32
Syntax Terms - 1

A collection of constants referred to as
individuals
a, b, c, ...... etc.
A collection of variables a generic way to
refer to individuals
x, y, z, . etc
A collection of function symbols a way to model
many-one relations
f(x,y,z), g(x,y) etc

33
Syntax Terms - 2

Inductively
Any constant is a term
If t1, tn, are terms and f() is an n-ary
function symbols then f(t1, tn) is a term.
Examples 1,2,3, are constants
x, y, z are variables
gcd(,), min(,) are functions.
So gcd(x,2), min(1,2), gcd(min(2,4),6) are terms

34
Syntax Terms - 3

A term without any variable is said to be
variable free
eg gcd(3,15)
Substitution Can replace any variable with a
term
Replace x in gcd(x,y) with 37 gives gcd(37,y)

35
Syntax Predicates

A collection of predicates referred to as the
time dependent properties of individuals
a(x,y,z), q(x,y,z,)
Called atomic predicates
Example
canD0(fred,passwdFile,write)
At some point of time we want to ensure that Fred
cannot write the password file ever in the future

36
Syntax Connectives - 1

Binary connectives (and) v (or)
Unary connective (not)
Examples
cando(fred,file1,read) cando(mary,write,file2)

37
Syntax Connectives - 2

Unary connectives
? (necessarily i.e. in all futures)
? (possibly i.e. in some future time)
O (in the next time instant)
Binary connective U (untill)
Examples
? cando(fred,file1,read)
? cando(mary,write,file2)
O canD0(fred,passwdFile,write)
cando(fred,file1,read) U cando(mary,write,file2)

38
Semantics what do they mean?

Need to define how to evaluate truth in a model
Model A fully instantiated collection of
predicates for each instance of time

39
Semantics - 2

cando(fred,f1,r)
cando(mary,f2,w)

cando(fred,f1,r) cando(maryf1,r)
0, 1,
2,
3,
cando(fred,f1,r) cando(fred,f2,r)
cando(fred,f1,r) cando(joe,f1,r) cando(jim,f3,x)
40
Semantics Truth Definition -1

Truth is defined for each time-point
Referred to as a world
Symbolized as world
So, 3cando(fred,f1,read) means according to
(someone in the) 3rd time point (or world), Fred
can read file f1

41
Semantics Truth Definition 2

t f iff t f does not hold
Example 2 cando(fred,f1,write)
t f p iff t f and t p
Ex 2 cando(fred,f1,r) cando(fred,f2,r)
t f v p iff t f or t p
Ex 2 cando(fred,f1,r)Vcando(fred,f2,w)

42
Semantics Truth Definition 3

t O f iff Vt1 f
Example 0 O cando(fred,f1,write)
t?f iff t f for all tgtt
Ex 0 ?cando(fred,f1,r)
t ? f iff t, f for some tgtt
Ex 2 ? cando(jim,f3,x)

43
An Extra Connective ?ltd

Means sometimes in the future within a time of d
Example
0 ?lt3 cando(jim,f3,x)

44
Back to Specifying Security Goals

Want to specify
confidentiality, integrity, availability,
privacy, authenticity, non-repudiation
Using
Predicates with special meaning
Connectives of temporal logic
Few more to come

45
More Notations and Abbreviations

Use (P gt Q) to mean ?(p -gt q)
That means in whatever time point P is true then
so is Q
Some epistemic operators
KnowsVag(v) ? ?xKnowsag(xv)
agent ag knows that variable x takes the value v
Knowsag(P) ? Beliefag(P) p
Agent ag knows P if it believes P and P is true

46
Confidentiality

? ag Agent, acc Account, ob Object
Authorized(ag,acc) ? KnowsVag(ob,info)
Says that an agent ag knows any information info
about the object ob iff it is authorized to an
account acc
Notice using typed / many sorted logic

47
An example definition for Authorization

? ag Agent, acc Account Authorized(ag,acc)
?owner(ag,acc)
v proxy(ag,acc)
v manager(ag,acc)
Says that an agent ag is authorized to operate an
account acc iff it is either the owner, or a
proxy or a manager

48
Refining the goal

If the sensitive information about the account is
the pair (acc,pin)
? p Person, acc Account
owner(ag,acc)v
proxy(ag,acc)v
manager(ag,acc) gt
KnowsVp(acc.acc) KnowsVp(acc.pin)
Says any person who is not authorized must not
know the acc and the pin simultaneously

49
Privacy

? ag, ag Agent, ob Object
KnowsVag(ob,info)
ownedBy(ob.info,ag) ag?ag
authorizedBy(ag,ob.info,ag)
Says that an non-owner agent can know information
about an object only is the owner authorized that
information.

50
Integrity

? ag Agent, ob Object, vValue
ob.infov O(ob.info?v)
underControl(ob.info,ag)
gt authorizedBy(ag,ob.info,ag)
OIntegrity(ob.info)
Says that if an information about an object under
control of an agent ag changes, then it must have
been authorized by an owner and retain the
integrity of the object.

51
Availability