
Identification of Security Requirements in Systems of Systems by Functional Security Analysis

Chapter in: Architecting Dependable Systems VII

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 6420)

Abstract

Cooperating systems typically base decisions on information from their own components as well as on input from other systems. Safety-critical decisions based on cooperative reasoning, however, raise severe security concerns. Here, we address the security requirements elicitation step in the security engineering process for such systems of systems. The method traces functional dependencies across system component boundaries back to the origin of the information, capturing them as a functional flow graph. Based on this graph, we systematically deduce comprehensive sets of formally defined authenticity requirements for the given security and dependability objectives. The proposed method thereby avoids premature assumptions about the structure of the security architecture as well as the means by which it is realised. Furthermore, a tool-assisted approach that follows the presented methodology is described.




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg


Cite this chapter

Fuchs, A., Rieke, R. (2010). Identification of Security Requirements in Systems of Systems by Functional Security Analysis. In: Casimiro, A., de Lemos, R., Gacek, C. (eds) Architecting Dependable Systems VII. Lecture Notes in Computer Science, vol 6420. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17245-8_4


  • DOI: https://doi.org/10.1007/978-3-642-17245-8_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17244-1

  • Online ISBN: 978-3-642-17245-8

  • eBook Packages: Computer Science (R0)
