
A Model-Driven Security Requirements Approach to Deduce Security Policies Based on OrBAC

  • Conference paper
Information Security and Cryptology (Inscrypt 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8957)

Abstract

Attacks on unsecured systems result in important losses. Many of the causes are related to non-conformance of system architecture and implementation to the requirements. To reduce these conformity problems, Model Driven Engineering proposes using modelling languages for defining requirements and architecture and model transformations between them. We therefore introduce a modelling language extension/profile for defining system requirements with basic security requirement concepts. We also formalize the model transformation between this profile and a security formal verification method. We exemplify our approach on a medical case study.



Author information

Corresponding author

Correspondence to Vanea Chiprianov.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Arzapalo, D.M., Chiprianov, V., Gallon, L., Aniorté, P. (2015). A Model-Driven Security Requirements Approach to Deduce Security Policies Based on OrBAC. In: Lin, D., Yung, M., Zhou, J. (eds) Information Security and Cryptology. Inscrypt 2014. Lecture Notes in Computer Science, vol 8957. Springer, Cham. https://doi.org/10.1007/978-3-319-16745-9_9

  • DOI: https://doi.org/10.1007/978-3-319-16745-9_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16744-2

  • Online ISBN: 978-3-319-16745-9

  • eBook Packages: Computer Science, Computer Science (R0)
