Abstract
Model-based systems engineering provides a multi-disciplinary approach to developing cyber-physical systems. Due to their high degree of interconnection, security is a key factor for cyber-physical systems and needs to be front-loaded to the beginning of development. However, there is a lack of model-based systems engineering approaches that enable the early specification of security policies. As a consequence, security requirements frequently remain unspecified and are therefore hard to satisfy in the downstream development phases. In this paper, we propose to integrate model-based systems engineering with the theory of information flow security. We extend systems engineering models with information flow policies, enabling systems engineers to specify the information flow security requirements of a system under development. On refinement of the resulting models, our approach allows deriving security requirements for individual software components. We illustrate our approach using a model-based design of an autonomous car.
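The following is an added illustration of the idea sketched in the abstract, not code or notation from the paper: a small architectural model of an autonomous car (constructed here, with hypothetical components such as `Localization` and `Broadcaster`) is annotated with an information flow policy over security domains, and component-level requirements are derived from it. The refinement rule used is a deliberately simple, conservative one of this example's own: every component is assumed to forward any input to any output, and every input/output pair of a component that lies on a path realizing a forbidden domain flow becomes a local "no flow" requirement. The paper's actual refinement may differ.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Hypothetical, simplified model types for this illustration (not the paper's notation).

@dataclass
class Component:
    name: str
    inputs: list
    outputs: list

@dataclass
class Model:
    components: dict     # name -> Component
    connectors: list     # (src_comp, src_out_port, dst_comp, dst_in_port)
    sources: dict        # boundary input (comp, port) -> security domain
    sinks: dict          # boundary output (comp, port) -> security domain
    allowed_flows: set   # (from_domain, to_domain); same-domain flows are always allowed


def flow_allowed(model, d_from, d_to):
    """Information flow policy: a flow between domains is allowed if stated, or within one domain."""
    return d_from == d_to or (d_from, d_to) in model.allowed_flows


def port_graph(model):
    """Worst-case flow graph over ports: every connector carries information, and every
    component is assumed to forward any of its inputs to any of its outputs."""
    succ = defaultdict(set)
    for c in model.components.values():
        for i in c.inputs:
            for o in c.outputs:
                succ[(c.name, i)].add((c.name, o))
    for src_c, src_p, dst_c, dst_p in model.connectors:
        succ[(src_c, src_p)].add((dst_c, dst_p))
    return succ


def reachable(graph, start):
    """Breadth-first reachability from a port; the result includes the start port."""
    seen, todo = {start}, deque([start])
    while todo:
        n = todo.popleft()
        for m in graph[n]:
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen


def forbidden_pairs(model):
    """System-level requirement: (source, sink) port pairs whose domains may not communicate."""
    return [(s, t) for s, ds in model.sources.items()
            for t, dt in model.sinks.items() if not flow_allowed(model, ds, dt)]


def derive_component_requirements(model):
    """Refine the system-level policy into per-component requirements: for each forbidden
    source/sink pair that is reachable in the worst-case graph, every component input/output
    pair on a connecting path must not let information flow. Enforcing all derived pairs is
    sufficient to rule out the forbidden end-to-end flow (it is stronger than necessary)."""
    succ = port_graph(model)
    pred = defaultdict(set)
    for n, ms in succ.items():
        for m in ms:
            pred[m].add(n)
    reqs = defaultdict(set)
    for s, t in forbidden_pairs(model):
        fwd = reachable(succ, s)      # ports influenced by the source
        if t not in fwd:
            continue                  # forbidden flow is not realizable in this architecture
        bwd = reachable(pred, t)      # ports that can influence the sink
        for c in model.components.values():
            for i in c.inputs:
                for o in c.outputs:
                    if (c.name, i) in fwd and (c.name, o) in bwd:
                        reqs[c.name].add((i, o, model.sources[s], model.sinks[t]))
    return {name: sorted(pairs) for name, pairs in reqs.items()}


# Constructed sample model: the vehicle's GPS position is private, traffic information and the
# V2X broadcast are public. Public data may flow into the private domain, but not vice versa.
CAR = Model(
    components={
        "Localization": Component("Localization", ["gps"], ["position"]),
        "TrafficReceiver": Component("TrafficReceiver", ["traffic_in"], ["traffic_out"]),
        "Planner": Component("Planner", ["position", "traffic"], ["route", "status"]),
        "Broadcaster": Component("Broadcaster", ["status_in"], ["broadcast"]),
    },
    connectors=[
        ("Localization", "position", "Planner", "position"),
        ("TrafficReceiver", "traffic_out", "Planner", "traffic"),
        ("Planner", "status", "Broadcaster", "status_in"),
    ],
    sources={("Localization", "gps"): "private", ("TrafficReceiver", "traffic_in"): "public"},
    sinks={("Planner", "route"): "private", ("Broadcaster", "broadcast"): "public"},
    allowed_flows={("public", "private")},
)

if __name__ == "__main__":
    for comp, pairs in derive_component_requirements(CAR).items():
        for i, o, d_from, d_to in pairs:
            print(f"{comp}: no flow {i} -> {o} (would realize {d_from} -> {d_to})")
```

On the constructed model, the only forbidden end-to-end flow is from the private GPS input to the public broadcast, and it is realizable via `Localization`, `Planner` and `Broadcaster`; each of those components receives one local requirement, while `TrafficReceiver`, which only handles public data, receives none. An engineer refining the model would then decide which components actually enforce their requirement (for example by downstream noninterference checking), since cutting the path at any one of them already suffices.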
© 2018 Springer Nature Switzerland AG
Cite this paper
Gerking, C. (2018). Specification of Information Flow Security Policies in Model-Based Systems Engineering. In: Mazzara, M., Ober, I., Salaün, G. (eds.) Software Technologies: Applications and Foundations. STAF 2018. Lecture Notes in Computer Science, vol. 11176. Springer, Cham. https://doi.org/10.1007/978-3-030-04771-9_47
DOI: https://doi.org/10.1007/978-3-030-04771-9_47
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-04770-2
Online ISBN: 978-3-030-04771-9