A Model-based Repository of Security and Dependability Patterns for Trusted RCES

International audienceThe requirement for higher Security and Dependability (S&D) of systems is continuously increasing, even in domains traditionally not deeply involved in such issues. Nowadays, many practitioners express their worries about current S&D software engineering practices. New recommendations should be considered to ground this discipline on two pillars: solid theory and proven principles. We took the second pillar towards software engineering for embedded system applications, focusing on the problem of integrating S&D by design to foster reuse. Model driven approaches combined with patterns can be extremely helpful to deal with these strong requirements. In this work, we present a framework for trusted Resource Constrained Embedded Systems (RCES) development by design, by defining both a model to represent S&D pattern language and an architecture for development tools. The implementation of a repository of S&D patterns and their complementary property models is discussed in detail

Process and tool support for design patterns with safety requirements

The requirement for higher Security and Dependability (S&D) of systems is continuously increasing, even in domains tradi-tionally not deeply involved in such issues. Nowadays, many practitioners express their worries about current S&D software engineering practices. New recommendations should be considered to ground this discipline on two pillars: solid theory and proven principles. We took the second pillar towards software engineering for embedded system applications, focusing on the problem of integrating S&D by design to foster reuse. In this paper, we propose to combine design patterns and Model Driven Engineering (MDE) techniques for building component-based applications with safety requirements. The resulting modeling framework serves primarily to capture the basic concepts for specifying safety-oriented design patterns, building an S&D pattern system, and maintain safety properties, with existing modeling artifacts, during the engineering process based on the S&D pattern system. As a proof of concept, we are evaluating the feasibility of the framework through the example of the MooN pattern system for building systems having safety requirements: Communication Based Train Control (CBTC)

A Static Verification Framework for Secure Peer-to-Peer Applications

In this paper we present a static verification framework to support the design and verification of secure peer-to-peer applications. The framework supports the specification, modeling, and analysis of security aspects together with the general characteristics of the system, during early stages of the development life-cycle. The approach avoids security issues to be taken into consideration as a separate layer that is added to the system as an afterthought by the use of security protocols. The main functionality supported by the framework are concerned with the modeling of the system together with its security aspects by using an extension of UML, modeling of abuse cases to represent scenarios of attackers and assist with the identification of properties to be verified, specification of properties to be verified in a graphical template language, verification of the models against the properties, and visualization of the results of the verification process

Patterns of information security postures for socio-technical systems and systems-of-systems

This paper describes a proposal to develop patterns of security postures for computer based socio-technical systems and systems-of-systems. Such systems typically span many organisational boundaries, integrating multiple computer systems, infrastructures and organisational processes. The paper describes the motivation for the proposed work, and our approach to the development, specification, integration and validation of security patterns for socio-technical and system-of-system scale systems

An Assurance Framework for Independent Co-assurance of Safety and Security

Integrated safety and security assurance for complex systems is difficult for many technical and socio-technical reasons such as mismatched processes, inadequate information, differing use of language and philosophies, etc.. Many co-assurance techniques rely on disregarding some of these challenges in order to present a unified methodology. Even with this simplification, no methodology has been widely adopted primarily because this approach is unrealistic when met with the complexity of real-world system development. This paper presents an alternate approach by providing a Safety-Security Assurance Framework (SSAF) based on a core set of assurance principles. This is done so that safety and security can be co-assured independently, as opposed to unified co-assurance which has been shown to have significant drawbacks. This also allows for separate processes and expertise from practitioners in each domain. With this structure, the focus is shifted from simplified unification to integration through exchanging the correct information at the right time using synchronisation activities

Issues Affecting Security Design Pattern Engineering

Security Design Patterns present the tried and tested design decisions made by security engineers within a well documented format. Patterns allow for complex security concepts, and mechanisms, to be expressed such that non domain experts can make use of them. Our research is concerned with the development of pattern languages for advanced crypto-systems. From our experience developing pattern languages we have encountered several recurring issues within security design pattern engineering. These issues, if not addressed, will affect the adoption of security design patterns. This paper describes these issues and discusses how they could be addressed