research-article

Enforcing a security pattern in stakeholder goal models

Authors:

Haruhiko Kaiya,

Hironori Washizaki,

Nobukazu YoshiokaAuthors Info & Claims

QoP '08: Proceedings of the 4th ACM workshop on Quality of protection

Pages 9 - 14

https://doi.org/10.1145/1456362.1456366

Published: 27 October 2008 Publication History

Abstract

Patterns are useful knowledge about recurring problems and solutions. Detecting a security problem using patterns in requirements models may lead to its early solution. In order to facilitate early detection and resolution of security problems, in this paper, we formally describe a role-based access control (RBAC) as a pattern that may occur in stakeholder requirements models. We also implemented in our goal-oriented modeling tool the formally described pattern using model-driven queries and transformations. Applied to a number of requirements models published in literature, the tool automates the detection and resolution of the security pattern in several goal-oriented stakeholder requirements.

References

[1]

E. Gamma, R. Helm, R. Johnson, and J. Vlissides. Design patterns: elements of reusable object-oriented software. Addison-Wesley, 1995.

Digital Library

[2]

E. B. Fernandez and R. Pan. A pattern language for security models. In Proc. of Conference on Pattern Languages of Programs (PLoP), 2001.

[3]

I. Sommerville. Software Engineering. Addison-Wesley, 2006.

Digital Library

[4]

Lin Liu, Eric Yu, and John Mylopoulos. Security and privacy requirements analysis within a social setting. In Proc. of International Conference on Requirements Engineering (RE), pages 151--161, 2003.

Digital Library

[5]

Charles Haley, Robin Laney, Jonathan Moffett, and Bashar Nuseibeh. Security requirements engineering: A framework for representation and analysis. IEEE Trans. Softw. Eng. (TSE), 34(1):133--153, 2008.

Digital Library

[6]

P. Giorgini, F. Massacci, J. Mylopoulos, and N. Zannone. Modeling Security Requirements Through Ownership, Permission and Delegation. In Proc. of RE, volume 5, 2005.

Digital Library

[7]

CB Haley, RC Laney, JD Moffett, and B. Nuseibeh. The effect of trust assumptions on the elaboration of security requirements. In Proc. of RE, pages 102--111, 2004.

Digital Library

[8]

A. van Lamsweerde. Elaborating security requirements by construction of intentional anti-models. In Proc. of International Conference on Software Engineering (ICSE), pages 148--157, 2004.

Digital Library

[9]

G. Sindre and A.L. Opdahl. Eliciting security requirements with misuse cases. Requirements Engineering, 10(1):34--44, 2005.

Digital Library

[10]

L. Lin, B. Nuseibeh, D. Ince, M. Jackson, and J. Moffett. Introducing abuse frames for analysing security requirements. In Proc. of RE, pages 371--372, 2003.

Digital Library

[11]

F. Massacci, M. Prest, and N. Zannone. Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation. Computer Standards & Interfaces, 27(5):445--455, 2005.

Digital Library

[12]

Y. Asnar, P. Giorgini, F. Massacci, A. Saidane, R. Bonato, V. Meduri, and C. Riccucci. Secure and Dependable Patterns in Organizations: An Empirical Approach. In Proc. of RE, pages 287--292, 2007.

[13]

E.S.K. Yu. Modelling strategic relationships for process reengineering. PhD thesis, University of Toronto Toronto, Ont., Canada, Canada, 1996.

Digital Library

[14]

P. Bresciani, A. Perini, P. Giorgini, F. Giunchiglia, and J. Mylopoulos. Tropos: An Agent-Oriented Software Development Methodology. Autonomous Agents and Multi-Agent Systems, 8(3):203--236, 2004.

Digital Library

[15]

Bas Graaf, Sven Weber, and Arie van Deursen. Model-driven migration of supervisory machine control architectures. J. Syst. Softw., 81(4):517--535, 2008.

Digital Library

[16]

F. Budinsky, S.A. Brodsky, and E. Merks. Eclipse Modeling Framework. Pearson Education, 2003.

Digital Library

[17]

David F. Ferraiolo, Ravi Sandhu, Serban Gavrila, D. Richard Kuhn, and Ramaswamy Chandramouli. Proposed nist standard for role-based access control. ACM Transactions on Information and System Security, 4(3):224--274, Aug. 2001.

Digital Library

[18]

E. Yu and L. Liu. Modelling Trust for System Design Using the i* Strategic Actors Framework. In Trust in Cyber-Societies-Integrating the Human and Artificial Perspectives, pages 175--194, 2001.

Digital Library

[19]

L. Liu, E. Yu, and J. Mylopoulos. Security Design Based on Social Modeling. pages 71--78, 2006.

[20]

Yijun Yu, Julio Cesar Sampaio do Prado Leite, and John Mylopoulos. From goals to aspects: Discovering aspects from goal models. In Proc. of RE, pages 38--47, 2004.

Digital Library

[21]

Jaap Gordijn, Eric Yu, and Bas van der Raadt. e-service design using i* and e3value modeling. IEEE Software, 2006.

Digital Library

[22]

Hugo Estrada et al. An empirical evaluation of the i* framework in a model-based software generation environment. In Proc. of CAiSE, pages 513--527, 2006.

[23]

Volha Bryl, Fabio Massacci, John Mylopoulos, and Nicola Zannone. Designing security requirements models through planning. In Proc. of CAiSE, 2006.

Digital Library

[24]

Haralambos Mouratidis, Jan Jurjens, and Jorge Fox. Towards a comprehensive framework for secure systems development. In Proc. of CAiSE, 2006.

Digital Library

[25]

Markus Schumacher. Security Engineering with Patterns: Origins, Theoretical Model, and New Applications. LNCS, Vol.2754, Springer, 2003.

Digital Library

[26]

Thongchai Rojkangsadan Kawin Supaporn, Nakornthip Prompoon. An Approach: Constructing the Grammar from Security Pattern. In Proc. of International Joint Conference on Computer Science and Software Engineering (JCSSE2007), 2007.

[27]

Ivan Araujo and Michael Weiss. Linking Patterns and Non-Functional Requirements. In Proc. of PLoP, 2002.

[28]

Xavier Franch Gemma Grau. A Goal-Oriented Approach for the Generation and Evaluation of Alternative Architectures. In Proc. of European Conference on Software Architecture (ECSA), 2007.

[29]

Yingfei Xiong, Dongxi Liu, Zhenjiang Hu, Haiyan Zhao, Masato Takeichi, and Hong Mei. Towards automatic model synchronization from model transformations. In Proc. of IEEE/ACM International Conference on Automated Software Engineering (ASE), pages 164--173, 2007.

Digital Library

Cited By

Shreeve BGralha CRashid AAraújo JGoulão M(2023)Making Sense of the Unknown: How Managers Make Cyber Security DecisionsACM Transactions on Software Engineering and Methodology10.1145/354868232:4(1-33)Online publication date: 27-May-2023
https://dl.acm.org/doi/10.1145/3548682
Washizaki HXia TKamata NFukazawa YKanuka HKato TYoshino MOkubo TOgata SKaiya HHazeyama ATanaka TYoshioka NPriyalakshmi G(2021)Systematic Literature Review of Security Pattern ResearchInformation10.3390/info1201003612:1(36)Online publication date: 16-Jan-2021
https://doi.org/10.3390/info12010036
Maher ZShah AShaikh HRahu GButt PChandio SShaikh S(2018)A Methodology for Modeling and Analysis of Secure Systems Using Security Patterns and Mitigation Use Cases2018 7th International Conference on Computer and Communication Engineering (ICCCE)10.1109/ICCCE.2018.8539339(268-273)Online publication date: Sep-2018
https://doi.org/10.1109/ICCCE.2018.8539339
Show More Cited By

Index Terms

Enforcing a security pattern in stakeholder goal models
1. Security and privacy
  1. Systems security
    1. Operating systems security

Recommendations

Goal Modelling for Security Problem Matching and Pattern Enforcement

This article describes how earlier detection of security problems and the implementation of solutions would be a cost-effective approach for developing secure software systems. Developing, gathering and sharing similar repeatable programming knowledge ...
GRL goal analysis using zero-sum game theory

In Requirements Engineering (RE), goal models are used to represent stakeholder objectives, which are also known as system requirements or system goals. Stakeholder requirements are of two types: functional requirements and non-functional ...
Problem-oriented security patterns for requirements engineering
EuroPLoP '14: Proceedings of the 19th European Conference on Pattern Languages of Programs

Security is one essential quality requirement that needs to be addressed during the software development process. While quality requirements such as security are supposed to be the architectural drivers, architecture solutions such as security patterns ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

QoP '08: Proceedings of the 4th ACM workshop on Quality of protection

October 2008

84 pages

ISBN:9781605583211

DOI:10.1145/1456362

Program Chairs:
Andy Ozment
SINTEF, NO
,
Ketil Stølen
SINTEF, NO

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 October 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS08

Sponsor:

CCS08: 15th ACM Conference on Computer and Communications Security 2008

October 27, 2008

Virginia, Alexandria, USA

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

15
Total Citations
View Citations
378
Total Downloads

Downloads (Last 12 months)4
Downloads (Last 6 weeks)0

Reflects downloads up to 28 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Shreeve BGralha CRashid AAraújo JGoulão M(2023)Making Sense of the Unknown: How Managers Make Cyber Security DecisionsACM Transactions on Software Engineering and Methodology10.1145/354868232:4(1-33)Online publication date: 27-May-2023
https://dl.acm.org/doi/10.1145/3548682
Washizaki HXia TKamata NFukazawa YKanuka HKato TYoshino MOkubo TOgata SKaiya HHazeyama ATanaka TYoshioka NPriyalakshmi G(2021)Systematic Literature Review of Security Pattern ResearchInformation10.3390/info1201003612:1(36)Online publication date: 16-Jan-2021
https://doi.org/10.3390/info12010036
Maher ZShah AShaikh HRahu GButt PChandio SShaikh S(2018)A Methodology for Modeling and Analysis of Secure Systems Using Security Patterns and Mitigation Use Cases2018 7th International Conference on Computer and Communication Engineering (ICCCE)10.1109/ICCCE.2018.8539339(268-273)Online publication date: Sep-2018
https://doi.org/10.1109/ICCCE.2018.8539339
Washizaki HYu YKaiya HYoshioka NHu ZXiong YHosseinian-Far A(2017)Goal Modelling for Security Problem Matching and Pattern EnforcementInternational Journal of Secure Software Engineering10.4018/IJSSE.20170701038:3(42-57)Online publication date: 1-Jul-2017
https://dl.acm.org/doi/10.4018/IJSSE.2017070103
Washizaki H(2017)Security patterns: Research direction, metamodel, application and verification2017 International Workshop on Big Data and Information Security (IWBIS)10.1109/IWBIS.2017.8275094(1-4)Online publication date: Sep-2017
https://doi.org/10.1109/IWBIS.2017.8275094
Rashid ANaqvi SRamdhany REdwards MChitchyan RBabar MDillon LVisser WWilliams L(2016)Discovering "unknown known" security requirementsProceedings of the 38th International Conference on Software Engineering10.1145/2884781.2884785(866-876)Online publication date: 14-May-2016
https://dl.acm.org/doi/10.1145/2884781.2884785
Li THorkoff JMylopoulos J(2015)Analyzing and Enforcing Security Mechanisms on Requirements SpecificationsRequirements Engineering: Foundation for Software Quality10.1007/978-3-319-16101-3_8(115-131)Online publication date: 14-Mar-2015
https://doi.org/10.1007/978-3-319-16101-3_8
Bouaziz RKallel SCoulette B(2014)A Collaborative Process for Developing Secure Component Based ApplicationsProceedings of the 2014 IEEE 23rd International WETICE Conference10.1109/WETICE.2014.82(306-311)Online publication date: 23-Jun-2014
https://dl.acm.org/doi/10.1109/WETICE.2014.82
Li THorkoff JMylopoulos J(2014)Integrating Security Patterns with Security Requirements Analysis Using Contextual Goal ModelsThe Practice of Enterprise Modeling10.1007/978-3-662-45501-2_15(208-223)Online publication date: 2014
https://doi.org/10.1007/978-3-662-45501-2_15
Bouaziz RKallel SCoulette B(2013)An Engineering Process for Security Patterns Application in Component Based ModelsProceedings of the 2013 Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises10.1109/WETICE.2013.27(231-236)Online publication date: 17-Jun-2013
https://dl.acm.org/doi/10.1109/WETICE.2013.27
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten