Elaborating complete and consistent requirements for security-critical systems

Abstract

The elaboration of requirements is a crucial step in the development of software-intensive security-critical applications. From this stage on, the security engineering process heads towards the implementation of the identified security requirements. A missing, inadequate, imprecise or inconsistent requirement might leave the resulting application vulnerable, despite the large amount of work invested in implementing the elaborated security requirements. Vulnerabilities in requirements models notably arise from incompleteness and inconsistency. Incompleteness refers to missing requirements; inconsistency refers to requirements prescribing incompatible behaviors. Inconsistent requirements might give rise to vulnerabilities because they cannot all be enforced together: one of them will be violated at run time.

This thesis proposes three techniques for assisting engineers in the elaboration of complete and consistent requirements through model-based analysis. The first two focus on completeness, the third on consistency. The three techniques build on a specific model-based framework for goal-oriented requirements analysis and are demonstrated on models of an e-purse system and an e-signature system.

The first technique is a formal framework for specifying and analyzing confidentiality concerns. Our framework makes it possible to discover confidentiality violations at requirements engineering time through model checking. The second technique focuses on the assignment of responsibility for security requirements. Some agents in the software or in its environment might be malicious or too vulnerable, and the enforcement of security goals should not rely on them. This technique introduces a security-specific completeness criterion ensuring that the enforcement of security goals depends only on the behavior of agents that are known to be trustworthy or built to be trustworthy, together with a systematic process for elaborating requirements models that comply with this criterion. The third technique makes it possible to automatically detect goal-level inconsistencies called divergences. Divergences between goals lead to inconsistencies between requirements, and to potential vulnerabilities in the running system.

(FSA 3) -- UCL, 200
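The responsibility-assignment criterion stated in the abstract can be checked mechanically over a goal refinement tree: every leaf requirement beneath a security goal must be assigned to an agent, and that agent must be either known to be trustworthy or built to be trustworthy. The following is an added illustration, not code or a model from the thesis; the e-purse goal names, the agents and their trust levels are constructed for the example, and the "repaired" model simply shows one way an engineer might remove reliance on an untrusted agent (by having the card limit PIN guessing instead of trusting the holder to keep the PIN secret), not the thesis's elaboration process.

```python
# Added illustration of the responsibility-assignment completeness criterion.
# The e-purse goals, agents and trust levels below are constructed for the
# example; they are not the thesis's own models or tooling.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Trust(Enum):
    KNOWN = "known to be trustworthy"            # e.g. the issuer's HSM
    BUILT = "built to be trustworthy"            # part of the software-to-be
    UNTRUSTED = "possibly malicious or too vulnerable"


@dataclass
class Goal:
    name: str
    security: bool = False                       # security goal or ordinary goal
    subgoals: List["Goal"] = field(default_factory=list)   # AND-refinement
    responsible: Optional[str] = None            # agent assigned to a leaf requirement


def leaf_requirements(goal: Goal) -> List[Goal]:
    """Leaves of an AND-refinement tree: the requirements that enforce the goal."""
    if not goal.subgoals:
        return [goal]
    leaves: List[Goal] = []
    for sub in goal.subgoals:
        leaves.extend(leaf_requirements(sub))
    return leaves


def security_leaves(root: Goal) -> List[Goal]:
    """Leaf requirements that some security goal depends on, each listed once."""
    seen: Set[int] = set()
    found: List[Goal] = []

    def walk(g: Goal) -> None:
        if g.security:
            for leaf in leaf_requirements(g):
                if id(leaf) not in seen:
                    seen.add(id(leaf))
                    found.append(leaf)
        for sub in g.subgoals:
            walk(sub)

    walk(root)
    return found


def check_assignment(root: Goal, agents: Dict[str, Trust]) -> List[str]:
    """Violations of the criterion: every requirement under a security goal must
    be assigned, and assigned to a KNOWN or BUILT agent. Unknown agents are
    treated as untrusted."""
    violations: List[str] = []
    for req in security_leaves(root):
        if req.responsible is None:
            violations.append(f"{req.name}: no responsible agent (incomplete)")
        elif agents.get(req.responsible, Trust.UNTRUSTED) is Trust.UNTRUSTED:
            violations.append(f"{req.name}: relies on untrusted agent {req.responsible}")
    return violations


# Constructed agent trust levels for a hypothetical e-purse system.
AGENTS: Dict[str, Trust] = {
    "PurseCard": Trust.BUILT,        # smart-card software under development
    "IssuerHSM": Trust.KNOWN,        # bank-side hardware security module
    "Terminal": Trust.UNTRUSTED,     # merchant device, may be tampered with
    "Cardholder": Trust.UNTRUSTED,   # human, may disclose the PIN
}


def flawed_model() -> Goal:
    """Security goal whose enforcement partly rests on an untrusted agent
    and on a requirement nobody has been made responsible for."""
    return Goal("Achieve[PurchasePaid]", subgoals=[
        Goal("Maintain[NoUnauthorisedDebit]", security=True, subgoals=[
            Goal("Achieve[DebitOnlyAfterValidPIN]", responsible="PurseCard"),
            Goal("Maintain[PINKeptSecretByHolder]", responsible="Cardholder"),
            Goal("Achieve[DebitLogged]"),                 # no responsible agent yet
        ]),
        # Ordinary goal: relying on the terminal here is not a criterion violation.
        Goal("Achieve[ReceiptPrinted]", responsible="Terminal"),
    ])


def repaired_model() -> Goal:
    """Same goal, enforced only by agents that are built or known to be trustworthy."""
    return Goal("Achieve[PurchasePaid]", subgoals=[
        Goal("Maintain[NoUnauthorisedDebit]", security=True, subgoals=[
            Goal("Achieve[DebitOnlyAfterValidPIN]", responsible="PurseCard"),
            Goal("Maintain[CardBlockedAfterThreeBadPINs]", responsible="PurseCard"),
            Goal("Achieve[DebitLogged]", responsible="IssuerHSM"),
        ]),
        Goal("Achieve[ReceiptPrinted]", responsible="Terminal"),
    ])


if __name__ == "__main__":
    for label, model in (("flawed", flawed_model()), ("repaired", repaired_model())):
        print(label, check_assignment(model, AGENTS) or "complies with the criterion")
```

Note that the check is deliberately security-specific: the receipt-printing requirement is assigned to the untrusted terminal and is not reported, because no security goal depends on it. A real goal model would also carry OR-refinements and obstacle analysis, which this illustration leaves out.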
