Preservation of Policy Adherence under Refinement

-Policy-based management is an approach to the management of systems with respect to issues such as security, access control and trust by the enforcement of policy rules. This paper addresses the problem of integrating the requirements imposed by a policy with the system development process. In order to take a policy specification into account in the development of a system specification, the notion of policy adherence is formalized as a relation between policy specifications and system specifications. Adherence of a system specification to a policy specification means that the former satisfies the latter. The integrated development process is supported by refinement, where both the policy specification and the system specification may be developed under any number of refinement steps. This paper characterizes the conditions under which adherence is preserved under refinement and identifies development rules that guarantee adherence preservation. By results of transitivity and compositionality the integrated development process and the analysis tasks can be conducted in a stepwise and modular way, thereby facilitating development. Oppdragsgiver: Research Council of Norwa

An Approach to Select Cost-Effective Risk Countermeasures Exemplified in CORAS

Risk is unavoidable in business and risk management is needed amongst others to set up good security policies. Once the risks are evaluated, the next step is to decide how they should be treated. This involves managers making decisions on proper countermeasures to be implemented to mitigate the risks. The countermeasure expenditure, together with its ability to mitigate risks, is factors that affect the selection. While many approaches have been proposed to perform risk analysis, there has been less focus on delivering the prescriptive and specific information that managers require to select cost-effective countermeasures. This paper proposes a generic approach to integrate the cost assessment into risk analysis to aid such decision making. The approach makes use of a risk model which has been annotated with potential countermeasures, estimates for their cost and effect. A calculus is then employed to reason about this model in order to support decision in terms of decision diagrams. We exemplify the instantiation of the generic approach in the CORAS method for security risk analysis.Comment: 33 page

How to transform UML neg into a useful construct

In UML, the operator neg is used to specify negative, or unwanted, system behaviour. We agree that being able to specify negative behaviour is important. However, the UML neg is currently not wellsuited for this purpose, the main problem being that a single operator is used with several different meanings depending on the context. In this paper we investigate some alternative definitions of neg. We also propose a solution in which neg is replaced by two new operators for specifying negative behaviour

Relating computer systems to sequence diagrams with underspecification, inherent nondeterminism and probabilistic choice : Part 1

Having a sequence diagram specification and a computer system, we need to answer the question: Is the system compliant with the sequence diagram specification in the desired way? We present a procedure for answering this question for three variations of sequence diagrams.The procedure is independent of the choice of programming language used for the system. The semantics of sequence diagrams is denotational and based on traces. In order to answer the initial question, the procedure starts by obtaining the trace-set of the system by e.g. testing, and then transforming this into the same semantic model as that used for the sequence diagram. In addition to extending our earlier work on refinement relations for sequence diagrams, we define conformance relations relating systems to sequence diagrams. The work is split in two parts. This paper presents part 1, in which we introduce the necessary definitions for using the compliance checking procedure on sequence diagrams with underspecification and sequence diagrams with inherent nondeterminism. In part 2 [RRS07], we present the definitions for using the procedure on sequence diagrams with probabilistic choice

The pragmatics of STAIRS

STAIRS is a method for the compositional development of interactions in the setting of UML 2.0. In addition to defining denotational trace semantics for the main aspects of interactions, STAIRS focuses on how interactions may be developed through successive refinement steps. In this tutorial paper, we concentrate on explaining the practical relevance of STAIRS. Guidelines are given on how to create interactions using the different STAIRS operators, and how these may be refined. The pragmatics is illustrated by a running example

Refining UML interactions with underspecification and nondeterminism

STAIRS is an approach to the compositional development of UML interactions, such as sequence diagrams and interaction overview diagrams. An important aspect of STAIRS is the ability to distinguish between underspecification and inherent nondeterminism through the use of potential and mandatory alternatives. This paper investigates this distinction in more detail. Refinement notions explain when (and how) both kinds of nondeterminism may be reduced during the development process. In particular, in this paper we extend STAIRS with guards, which may be used to specify the choice between alternatives. Finally, we introduce the notion of an implementation and define what it means for an implementation to be correct with respect to a specification

Specification and Refinement of Soft Real-time Requirements Using Sequence Diagrams

Soft real-time requirements are often related to communication in distributed systems. Therefore it is interesting to understand how UML sequence diagrams can be used to specify such requirements. We propose a way of integrating soft real-time requirements in sequence diagram specifications by adding probabilities to timed sequence diagrams. Our approach builds on timed STAIRS, which is an approach to the compositional and incremental development of sequence diagrams supporting specification of mandatory as well as potential behavior

Using model-driven risk analysis in component-based development

Modular system development causes challenges for security and safety as upgraded subcomponents may interact with the system in unforeseen ways. Due to their lack of modularity, conventional risk analysis methods are poorly suited to address these challenges. We propose to adjust an existing method for model-based risk analysis into a method for component-based risk analysis. We also propose a stepwise integration of the componentbased risk analysis method into a component-based development process. By using the same kinds of description techniques to specify functional behaviour and risks, we may achieve upgrading of risk analysis documentation as an integrated part of component composition and refinement

A semantic paradigm for component-based specification integrating a notion of security risk

We propose a semantic paradigm for component-based specification supporting the documentation of security risk behaviour. By security risk, we mean behaviour that constitutes a risk with regard to ICT security aspects, such as confidentiality, integrity and availability. The purpose of this work is to investigate the nature of security risk in the setting of component-based system development. A better understanding of security risk at the level of components facilitates the prediction of risks related to introducing a new component into a system. The semantic paradigm provides a first step towards integrating security risk analysis into the system development process