Abstract
Attacks on unsecured systems result in significant losses. Many of the causes are related to non-conformance of the system architecture and implementation to the requirements. To reduce these conformity problems, Model Driven Engineering proposes using modelling languages for defining requirements and architecture, together with model transformations between them. We therefore introduce a modelling language extension/profile for defining system requirements with basic security requirement concepts. We also formalize the model transformation between this profile and a security formal verification method. We exemplify our approach on a medical case study.
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Arzapalo, D.M., Chiprianov, V., Gallon, L., Aniorté, P. (2015). A Model-Driven Security Requirements Approach to Deduce Security Policies Based on OrBAC. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science, vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_9
DOI: https://doi.org/10.1007/978-3-319-16745-9_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-16744-2
Online ISBN: 978-3-319-16745-9
eBook Packages: Computer Science (R0)