Formal analysis and design for engineering security: automated derivation of formal software security specifications from goal-oriented security requirements

Journal: IET Software

Formal methods have long been advocated for the development of provably secure software. However, the lack of formal requirements elaboration and the limited scalability afforded by such methods have led to the use of informal or semi-formal methods for large-scale software development. In their effort to produce highly secure software in a systematic, provable and cost-effective manner, the authors have proposed formal analysis and design for engineering security (FADES) as the first goal-oriented software security engineering approach that provides an automated bridge between the goal-oriented semi-formal Knowledge Acquisition for autOmated Specifications (KAOS) framework and the B formal method. Automating the transition from requirements to specifications, considered one of the most difficult steps in the software development lifecycle, is vital to the success of FADES. Further, the automated derivation of a suite of acceptance test cases from the requirements model in FADES provides a means to verify the security implementation against the requirements model. In this study, the authors propose an automated process using FADES to systematically derive B specifications and a suite of acceptance test cases from goal-oriented security requirements. Further, the authors empirically validate the effectiveness of the FADES automated bridge, which paves the ground for formal design and implementation. The empirical validation involves both security engineering practitioners and experts in formal methods for security. The extensive results obtained demonstrate the effectiveness of the FADES automated bridge in producing secure software in a cost-effective manner.

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-sen.2009.0059