10 research outputs found

    A Graphical Approach to Security Risk Analysis

    The CORAS language is a graphical modeling language used to support the security analysis process with its customized diagrams. The language has been developed within the research project "SECURIS" (SINTEF ICT/University of Oslo), where it has been applied and evaluated in seven major industrial field trials. Experiences from the field trials show that the CORAS language has contributed to more active involvement of the participants, and it has eased the communication within the analysis group. The language has been found easy to understand and suitable for presentation purposes. With time we have become more and more dependent on various kinds of computerized systems. When the complexity of the systems increases, the number of security risks is likely to increase. Security analyses are often considered complicated and time consuming. A well developed security analysis method should support the analysis process by simplifying communication, interaction and understanding between the participants in the analysis. This thesis describes the development of the CORAS language that is particularly suited for security analyses where "structured brainstorming" is part of the process. Important design decisions are based on empirical investigations. The thesis has resulted in the following artifacts:
    - A modeling guideline that explains how to draw the different kinds of diagrams for each step of the analysis.
    - Rules for translation which enable consistent translation from graphical diagrams to text.
    - Concept definitions that contribute to a consistent use of security analysis terms.
    - An evaluation framework to evaluate and compare the quality of security analysis modeling languages.

    Model-Based Security Testing

    Security testing aims at validating software system requirements related to security properties like confidentiality, integrity, authentication, authorization, availability, and non-repudiation. Although security testing techniques have been available for many years, there have been few approaches that allow for specification of test cases at a higher level of abstraction, for enabling guidance on test identification and specification as well as for automated test generation. Model-based security testing (MBST) is a relatively new field and especially dedicated to the systematic and efficient specification and documentation of security test objectives, security test cases and test suites, as well as to their automated or semi-automated generation. In particular, the combination of security modelling and test generation approaches is still a challenge in research and of high interest for industrial applications. MBST includes e.g. security functional testing, model-based fuzzing, risk- and threat-oriented testing, and the usage of security test patterns. This paper provides a survey on MBST techniques and the related models as well as samples of new methods and tools that are under development in the European ITEA2-project DIAMONDS. Comment: In Proceedings MBT 2012, arXiv:1202.582

    Quality Evaluation of the CORAS UML Profile

    This report contains an evaluation of the CORAS UML profile and consists of two parts:
    - Modeling a benchmarking test called "the core security risk scenarios" using the CORAS UML profile
    - Assessing the quality of the CORAS UML profile using a quality evaluation framework for modeling languages.
    The results show that it was possible to model almost all the information in the core security risk scenarios with the CORAS UML profile. However, being able to express the core security risk scenarios is not sufficient. The diagrams are characterized by duplication of information, and information that is spread out over several diagrams, which makes it difficult to get an overview. In the quality evaluation the CORAS UML profile has been found to include the main security analysis concepts and modeling perspectives, and therefore has a high domain appropriateness factor. It benefits from being based on a well-known and widely used modeling language for which several tools are available. The quality evaluation shows that the main weaknesses of the UML profile are related to its graphical symbols and diagram types. The symbols do not always conform to best practice within symbol design. Some of the diagrams are more confusing than they are explanatory, and they require a substantial effort from the modeler. Commissioned by: Norges Forskningsrå

    Investigating Preferences in Graphical Risk Modeling

    In a security analysis it is often helpful to draw diagrams to illustrate threat and risk scenarios. To ensure the effectiveness of such diagrams, it is essential that they are easily understood by people without training and experience in modeling and security analysis. In this report we present an empirical investigation of the risk modeling preferences among professionals and students in software engineering. The objective of the investigation was to identify the preferred way of refining an existing diagrammatic security risk modeling language without making it more difficult to understand. Our empirical investigation showed that mechanisms like size- and color coding used for conveying particular information in geographical models are less preferred by the subjects compared to textual information labels. The size or color of an element does not in general have any unique interpretation in a diagram, while textual information is more specific and self-explaining. The conclusion is that the subjects tend to prefer the representation where they get the most information without requiring them to interpret any additional graphical means. Commissioned by: Norges Forskningsrå

    Structured Semantics for the CORAS Security Risk Modelling Language

    The CORAS security risk modelling language is a customised graphical language for communication, documentation and analysis of security threat and risk scenarios. We present a textual syntax and a structured semantics for each of the five different types of CORAS diagrams, together with step-by-step instructions on how to translate a graphical diagram via the textual syntax into a readable paragraph of English, using the structured semantics. This enables users of the CORAS language to easily extract the precise meaning of a given diagram. The semantics is modular in the sense that the semantics of a diagram can be deduced from the semantics of its elements and relations. Commissioned by: n/