
Specification of Information Flow Security Policies in Model-Based Systems Engineering

  • Conference paper

Software Technologies: Applications and Foundations (STAF 2018)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 11176)

Abstract

Model-based systems engineering provides a multi-disciplinary approach to developing cyber-physical systems. Because such systems are highly interconnected, security is a key concern and must be front-loaded to the beginning of development. However, model-based systems engineering approaches that enable the early specification of security policies are lacking. As a consequence, security requirements frequently remain unspecified and are therefore hard to satisfy in the downstream development phases. In this paper, we propose to integrate model-based systems engineering with the theory of information flow security. We extend systems engineering models with information flow policies, enabling systems engineers to specify the information flow security requirements of a system under development. On refinement of the resulting models, our approach derives security requirements for individual software components. We illustrate the approach using a model-based design of an autonomous car.
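The abstract describes attaching information flow policies to systems engineering models and deriving per-component security requirements when the model is refined. The following Python example is added here to illustrate that workflow; it is not the paper's notation or tooling (neither is shown on this page) but a constructed autonomous-car model: a system-level policy over security domains, components whose ports carry domain labels, the per-component requirement obtained by restricting the policy to a component's ports, and a noninterference-style check of each component and of the composed system. The domain names, components, ports, connections and the policy are all assumptions made for the example, and the policy is treated as transitively closed, so intransitive (downgrading) policies are out of scope.

```python
"""Information flow policies on a component model (added illustration).

Constructed for this page; not the paper's notation or tooling. An autonomous
car is refined into components whose ports are labelled with security domains.
A system-level policy says which domain may flow to which; the requirement for
one component is the restriction of that policy to the domains on its ports,
and any dependency that violates it is reported.
"""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    ports: dict                               # port name -> security domain (assumed labels)
    flows: set = field(default_factory=set)   # internal (in_port, out_port) dependencies


def policy_allows(policy, src, dst):
    """A domain may always flow to itself; any other flow must be listed."""
    return src == dst or (src, dst) in policy


def transitive_closure(edges):
    """All (a, b) pairs such that b is reachable from a via the edges."""
    reach = {}
    for a, b in edges:
        reach.setdefault(a, set()).add(b)
    changed = True
    while changed:
        changed = False
        for a in list(reach):
            for b in list(reach[a]):
                new = reach.get(b, set()) - reach[a]
                if new:
                    reach[a] |= new
                    changed = True
    return {(a, b) for a in reach for b in reach[a]}


def derive_component_policy(component, system_policy):
    """Requirement for one component: the allowed (in_port, out_port) pairs,
    i.e. the system policy restricted to the domains on the component's ports."""
    return {(p, q) for p, dp in component.ports.items()
            for q, dq in component.ports.items()
            if p != q and policy_allows(system_policy, dp, dq)}


def check_component(component, system_policy):
    """Transitive internal dependencies that the derived requirement forbids."""
    allowed = derive_component_policy(component, system_policy)
    return sorted((component.name, p, q)
                  for p, q in transitive_closure(component.flows)
                  if p != q and (p, q) not in allowed)


def check_system(components, connections, system_policy):
    """Compose the components: ports become (component, port) nodes, connections
    add edges, and every reachable pair must respect the system policy."""
    domain, edges = {}, set()
    for c in components:
        for p, d in c.ports.items():
            domain[(c.name, p)] = d
        edges |= {((c.name, a), (c.name, b)) for a, b in c.flows}
    edges |= set(connections)
    return sorted((src, dst) for src, dst in transitive_closure(edges)
                  if not policy_allows(system_policy, domain[src], domain[dst]))


# System-level policy (constructed): sensor data may drive control, both may be
# reported as telemetry, and nothing may reach the infotainment domain.
SYSTEM_POLICY = {("sensor", "control"), ("sensor", "telemetry"), ("control", "telemetry")}

# Constructed refinement of the car into software components.
PERCEPTION = Component("Perception", {"lidar": "sensor", "objects": "control"},
                       {("lidar", "objects")})
PLANNER = Component("Planner",
                    {"objects": "control", "playlist": "infotainment",
                     "steering": "control", "status": "telemetry"},
                    {("objects", "steering"), ("objects", "status")})
TELEMATICS = Component("Telematics",
                       {"status": "telemetry", "cloud": "telemetry", "ui": "infotainment"},
                       {("status", "cloud"), ("status", "ui")})   # status -> ui leaks
COMPONENTS = [PERCEPTION, PLANNER, TELEMATICS]
CONNECTIONS = {(("Perception", "objects"), ("Planner", "objects")),
               (("Planner", "status"), ("Telematics", "status"))}


if __name__ == "__main__":
    for c in COMPONENTS:
        print(c.name, "requirement:", sorted(derive_component_policy(c, SYSTEM_POLICY)))
        print(c.name, "violations:", check_component(c, SYSTEM_POLICY))
    print("system violations:", check_system(COMPONENTS, CONNECTIONS, SYSTEM_POLICY))
```

The component-level check localises the defect to one dependency inside Telematics (telemetry status feeding the infotainment display), while the composed check shows why it matters at system level: raw lidar data from Perception reaches the infotainment domain through the Planner's status output. Deriving the restricted policy per component is what lets the same requirement be handed to the team implementing that component without the rest of the model.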



Author information

Correspondence to Christopher Gerking.


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper

Cite this paper

Gerking, C. (2018). Specification of Information Flow Security Policies in Model-Based Systems Engineering. In: Mazzara, M., Ober, I., Salaün, G. (eds) Software Technologies: Applications and Foundations. STAF 2018. Lecture Notes in Computer Science, vol. 11176. Springer, Cham. https://doi.org/10.1007/978-3-030-04771-9_47

  • DOI: https://doi.org/10.1007/978-3-030-04771-9_47

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-04770-2

  • Online ISBN: 978-3-030-04771-9
