Risk and Argument: A Risk-based Argumentation Method for Practical Security
Virginia N. L. Franqueira, Thein Than Tun, Yijun Yu, Roel Wieringa and Bashar Nuseibeh
Trento - 02 September 2011
Source: selab.fbk.eu/re11_download/research/Franqueira-Tun-Yu-Wieringa-Nuseibeh.pdf
Consequence & Solution Direction
Our solution: RISA - RIsk assessment in Security Argumentation
In practice: no absolute security; no 100% security requirements satisfaction
Way forward: good enough security satisfaction; as low as possible a level of security risk
From Haley et al. framework to RISA method
Key steps from Haley et al. framework:
1. Identify Functional Requirements
2. Identify Security Goals
3. Identify Security Requirements
4. Construct Outer Argument
Steps for risk assessment in RISA (supported by public security catalogues; goal: good enough security):
5. Identify Risks
6. Classify Risks
7. Mitigate Risks
8. Prioritize Risks
PIN Entry Devices (PED) example
S. Drimer, S. J. Murdoch, and R. Anderson, Thinking Inside the Box: System-Level Failures of Tamper Proofing, in SP'2008, IEEE Press, pp. 281-295, 2008.
- enclosure of PED components provides tamper detection & response mechanisms to resist physical attacks
- encryption/decryption of PIN ensures that the PIN is encrypted within the PED immediately after PIN entry
Risk assessment steps of RISA are supported by the CAPEC & CWE public catalogues
Structured argumentation is used to challenge behavioral premises in practice via risk assessment
(Argument diagram: claim supported by behavioral premises such as "PIN reaches keypad")
Challenged      Risk Reference
Premise P2      R1.6: PIN is revealed if sent unencrypted within the PED and the PED enclosure can be tampered
Mitigations restore the satisfaction of security requirements by rebutting risks
Risk                    Mitigation
R1.6 & R1.7 & R1.8      M2.4: Any transmission of PIN should use well-vetted encryption algorithms & recommended key sizes
(Diagram: RISA steps 1-4 and 5-8 alongside the system behavioral premises)
Empirical data about typical severity of risks or likelihood of exploit can also be found in the catalogues
Risk                    Mitigation                                                                                   Typical risk severity
R1.6 & R1.7 & R1.8      M2.4: Any transmission of PIN should use well-vetted encryption algorithms & recommended key sizes    Low to very high
Interpretation of risk severity depends on many factors
(Diagram: RISA steps 1-4 and 5-8 alongside the system behavioral premises)
Catalogue reference: CWE-311 (Missing Encryption of Sensitive Data)
RISA recursion
Other rounds of argumentation may follow
Recursion stops when the system security is considered good-enough and/or the resources for analysis of security have been used
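The loop the slides describe (steps 5-8 of RISA: catalogued risks challenge behavioral premises, mitigations rebut risks, open risks are prioritised by severity, and rounds recurse until security is good enough or the analysis budget is spent) as an added, executable model. This is example code written for this page, not code from the RISA paper or its authors. The premise "PIN reaches keypad", risk R1.6, mitigation M2.4 and the CWE-311 reference are taken from the PED slides; the other premise texts, the wording of R1.7 and R1.8, the per-risk severities, the numeric severity scale and the round budget are assumptions made for illustration.

```python
"""Added example (not from the RISA paper): an executable model of the RISA
loop.  Catalogued risks challenge the behavioural premises of an outer
argument, mitigations rebut risks, open risks are prioritised by severity and
rounds recurse until residual risk is good enough or the budget is spent.
Premise "PIN reaches keypad", R1.6, M2.4 and CWE-311 come from the PED
slides; other premise texts, R1.7/R1.8 wording, severities and the numeric
scale are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed ordinal scale for the catalogues' "low ... very high" range.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "very high": 4}

@dataclass
class Risk:
    rid: str
    description: str
    challenges: str     # id of the behavioural premise this risk attacks
    reference: str      # public catalogue entry the risk is drawn from
    severity: str       # severity as interpreted for this system

@dataclass
class Mitigation:
    mid: str
    description: str
    rebuts: List[str]   # ids of the risks this mitigation rebuts

@dataclass
class Argument:
    claim: str
    premises: Dict[str, str]
    risks: List[Risk] = field(default_factory=list)
    mitigations: List[Mitigation] = field(default_factory=list)

    def open_risks(self) -> List[Risk]:
        """Risks that no mitigation has rebutted yet."""
        rebutted = {rid for m in self.mitigations for rid in m.rebuts}
        return [r for r in self.risks if r.rid not in rebutted]

    def challenged_premises(self) -> List[str]:
        """Premises currently undermined by an open risk."""
        return sorted({r.challenges for r in self.open_risks()})

    def prioritised(self) -> List[Risk]:
        """Step 8: open risks, highest severity first."""
        return sorted(self.open_risks(),
                      key=lambda r: SEVERITY[r.severity], reverse=True)

    def residual(self) -> int:
        """Worst open severity; 0 means every risk is rebutted."""
        return max((SEVERITY[r.severity] for r in self.open_risks()), default=0)

def risa_loop(arg: Argument, good_enough: int, budget: int,
              identify: Callable[[Argument, int], List[Risk]],
              mitigate: Callable[[Argument, Risk], Optional[Mitigation]]):
    """Rounds of steps 5-8; returns (stop_reason, residual, rounds_run)."""
    for rnd in range(1, budget + 1):
        arg.risks.extend(identify(arg, rnd))        # steps 5-6
        for risk in arg.prioritised():              # step 8 orders step 7
            m = mitigate(arg, risk)
            if m is not None and all(m.mid != x.mid for x in arg.mitigations):
                arg.mitigations.append(m)
        if arg.residual() <= good_enough:
            return "good-enough", arg.residual(), rnd
    return "budget-exhausted", arg.residual(), budget

def ped_argument() -> Argument:
    return Argument(
        claim="PIN is encrypted within the PED immediately after PIN entry",
        premises={"P1": "PIN reaches keypad",
                  "P2": "PIN travels from keypad to crypto module (assumed)",
                  "P3": "enclosure detects and responds to tampering (assumed)"})

def ped_identify(arg: Argument, rnd: int) -> List[Risk]:
    """Round 1 draws three CWE-311 risks against P2; later rounds find none."""
    if rnd != 1:
        return []
    return [Risk("R1.6", "PIN is revealed if sent unencrypted within the PED "
                 "and the PED enclosure can be tampered", "P2", "CWE-311", "very high"),
            Risk("R1.7", "(assumed text) PIN sent with a non-vetted algorithm",
                 "P2", "CWE-311", "high"),
            Risk("R1.8", "(assumed text) PIN sent with an undersized key",
                 "P2", "CWE-311", "medium")]

M2_4 = Mitigation("M2.4", "Any transmission of PIN should use well-vetted "
                  "encryption algorithms & recommended key sizes", ["R1.6", "R1.7", "R1.8"])

def ped_mitigate(arg: Argument, risk: Risk) -> Optional[Mitigation]:
    """Step 7: M2.4 rebuts every CWE-311 risk on this argument."""
    return M2_4 if risk.reference == "CWE-311" else None

def run_ped(with_mitigation: bool = True):
    """Run the loop with M2.4 available, or with no mitigation at all."""
    arg = ped_argument()
    mit = ped_mitigate if with_mitigation else (lambda a, r: None)
    return arg, risa_loop(arg, 1, 3, ped_identify, mit)

if __name__ == "__main__":
    for flag in (True, False):
        a, (why, res, n) = run_ped(flag)
        print(why, "residual", res, "after", n, "round(s); open:",
              [r.rid for r in a.prioritised()])
```

With M2.4 available the first round rebuts R1.6, R1.7 and R1.8 together, the residual drops to 0 and the recursion stops as good-enough; without any mitigation the same risks stay open, still ordered R1.6, R1.7, R1.8 by severity, and the loop ends only when the assumed budget of three rounds is exhausted, which is the second stopping condition on the slide.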
(Recap diagram: Haley et al. steps 1-4, RISA risk assessment steps 5-8 supported by public security catalogues, aiming at good enough security)
Opportunities for future work
Satisfaction analysis (SA) benefits from risk assessment (RA):
- RA provides systematic input for security argumentation in SA
- RA allows prioritization of arguments and security requirements from prioritization of risks
- RA scales the process of argumentation with a breadth-first approach
Risk assessment (RA) benefits from satisfaction analysis (SA):
- SA provides a systematic description of the system context: the source of risks
- SA provides the top structure for RA
- SA argumentation organizes several rounds of RA & facilitates traceability
C. Haley, R. Laney, J. Moffett, and B. Nuseibeh, Security Requirements Engineering: A Framework for Representation and Analysis, IEEE Transactions on Software Engineering, 34(1), pp. 133-153, 2008.
S. Toulmin, R. Rieke, and A. Janik, An Introduction to Reasoning, Macmillan, 1979.