D.3.3 ALGORITHMS FOR INCREMENTAL ... - SecureChange

Recommendations

Info

something of value that requires protection, we map a service protected by a soft goal in SI* to an asset in CORAS. • ServiceToTreatment. A service which is related to another service mapped to an asset in a CORAS model, can be mapped to a treatment if the service reduces the likelihood or the consequence of a threat scenario damaging the asset. • TreatmentToTask. A treatment is a security control that should reduce the likelihood or consequence of a threat to an asset which results in a loss of confidentiality, availability, or integrity. Thus, if a treatment is implemented, the confidentiality, integrity or availability of an asset is protected. A treatment in CORAS can therefore be mapped to a task which fulfills the soft goal which specifies the security property that has to be preserved for an asset. These are several examples of possible change propagation scenarios that are supported by these conceptual mappings. In what follows we illustrate some of these scenarios based on the introduction of a new surveillance tool, the Automatic Dependent Surveillance-Broadcasting (ADS-B) into ATM systems. ADS-B provides accurate aircraft position information by using a global navigation satellite system. Figure 3. SI* and CORAS models before change However, ADS-B makes ATM systems vulnerable to new threats. For example, ADS-B transmissions can be easily corrupted: a concrete example is the spoofing of the GPS satellite that provides the GPS signal to determine aircraft position. Let’s first illustrate a change propagation scenario that is based on the ServiceToAsset and TreatmentToTask conceptual mappings. The SI* and CORAS models before change are illustrated in Figure 3. The change we consider first is the introduction of a new actor, the ADS-B, which is intended to increase the accuracy and availability of the surveillance data. Figure 4 illustrates the SI* and CORAS models after the introduction of the ADS-B: the changes that are handled are highlighted in <strong>D.3.3</strong> Algorithms for Incremental Requirements Models Evaluation and Transformation| version 1.19 | page 12/136
grey. The ADS-B introduction requires the addition of the goal Manage ADS-B signal and the resource ADS-B signal. Moreover, since the integrity of the ADS-B signal is critical, introducing a new soft goal Integrity of ADS-B signal specifies this security need. Notice also that because ADS-B signal becomes part of the surveillance data, the soft goal Availability of surveillance data is decomposed into the sub goals Availability of ADS-B signal and Availability of Radar signal. The introduction of the ADS-B actor may affect the risks due to the introduction of the new soft goals. In particular, the soft goal Integrity of ADS-B signal is mapped to a corresponding asset in the CORAS model for which a risk assessment is conducted. As ADS-B is prone to data spoofing, this issue is addressed and identified as an unacceptable risk with respect to integrity. The treatment Apply MD5 checksum is considered, and leads to the addition of a new task Apply MD5 Checksum fulfilling the soft goal Integrity of ADS-B signal in the SI* model. The new soft goal Availability of ADS-B signal is also mapped to the CORAS model as a new aspect of the more general asset Availability of surveillance data. The risk analyst decides not to decompose this asset with respect to ADS-B and radar when assessing the impact of the ADS-B. A new threat scenario Loss of ADS-B signal is identified, but the overall risks with respect to availability of surveillance data do not increase; rather, the likelihood of the threat scenario Failure of A/C tracking decreases from likely to possible (see Figure 3 (b)). Component failure ADS-B Radar Unreliable RDPS ADS-B unreliable Insufficient radar maintenance Attacker Lack of integrity mechanisms RDPS crashes [possible] Loss of ADS-B signal Loss of radar signal in MRT Spoofing of ADS-B signal [rare] Apply MD5 checksum Failure of A/C tracking [possible] Run fault tolerant MRT Degradation of A/C position data [unlikely] Failure in provisioning of surveillance data [possible] major Integrity of ADS-B signal minor Availability of surveillance data Radar ADS-B De RDPS De Manage ADS-B signal Manage radar signal Gather aircraft position Manage ADS-B signal + Integrity of ADS-B signal AND ADS-B signal Manage surveillance data Apply MD5 checksum ADS-B signal Availability of ADS-B signal Availability of surveillance data Surveillance data AND Radar signal + + AND Availability of radar signal Run fault tolerant MRT Figure 4. Post change SI* and CORAS models Another possible scenario of change-driven interplay is based on the ServiceToTreatment and TreatmentToTask conceptual mappings. The introduction of a new actor, the ADS-B, increases the availability of surveillance data. Thus, the likelihood of the threat scenario Failure of A/C tracking in the CORAS model is reduced. Consequently, the risk analyst determines that the treatment Run fault tolerant MRT is no longer needed and therefore removes it from the CORAS model. <strong>D.3.3</strong> Algorithms for Incremental Requirements Models Evaluation and Transformation| version 1.19 | page 13/136
Page 1 and 2: D.3.3 ALGORITHMS FOR INCREMENTAL RE
Page 3 and 4: 1.14 19 January Final 1.15 23 Janua
Page 5 and 6: Index DOCUMENT INFORMATION 1 DOCUME
Page 7 and 8: 1 Introduction This deliverable pre
Page 9 and 10: (Clause 6.4.3) processes of ISO/IEC
Page 11: 3 Orchestrating Requirements and Ri
Page 15 and 16: The security risk manager identifie
Page 17 and 18: are supported by the argumentation
Page 19 and 20: ADS-B Manage ADS-B signal ADS-B sig
Page 21 and 22: the stagnation suite (i.e. obsolete
Page 23 and 24: 5 A framework for modeling and reas
Page 25 and 26: sectors. And there is 42% of probab
Page 27 and 28: SDA(C) = {DA 2 , DA 4 , DA 8 , DA 1
Page 29 and 30: application contexts is saved if th
Page 31 and 32: Figure 14. ATM model state after qu
Page 33 and 34: References [1] Yudis Asnar, Fabio M
Page 35 and 36: Managing Changes with Legacy Securi
Page 37 and 38: Failure in the provisioning of corr
Page 39 and 40: propagated to the system designer a
Page 41 and 42: APPENDIX B D.3.3 Algorithms for Inc
Page 43 and 44: is sometimes difficult, especially
Page 45 and 46: Tactical Monitor air R controller t
Page 47 and 48: protected from harm. Since in CORAS
Page 49 and 50: CModel. The postcondtion checks the
Page 51 and 52: of ADS-B signal and Availability of
Page 53 and 54: extensions to i* to model and analy
Page 55 and 56: 3. Bzivin, J., Dup, G., Jouault, F.
Page 57 and 58: APPENDIX C D.3.3 Algorithms for Inc
Page 59 and 60: steps. Section V demonstrates the R
Page 61 and 62: that should be mitigated by the sys
Page 63 and 64:
CPU value PINconfirmed(PIN, card-de
Page 65 and 66:
TABLE IV PRIORITIZATION OF RISKS FO
Page 67 and 68:
context. We believe that the Common
Page 69 and 70:
Managing Evolution by Orchestrating
Page 71 and 72:
1.1 The Contribution of this Paper
Page 73 and 74:
Fig. 3. Integrated Change Managemen
Page 75 and 76:
The requirement analysis is an iter
Page 77 and 78:
Table 1. Conceptual Interface Requi
Page 79 and 80:
Legend: Goals surrounded by dashed
Page 81 and 82:
Table 5. Test Suite for GP-2.2 Tran
Page 83 and 84:
6. P. K. Chittimalli and M. J. Harr
Page 85 and 86:
Noname manuscript No. (will be inse
Page 87 and 88:
Dealing with Known Unknowns: A Goal
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Understanding How to Manage Require
Page 115 and 116:
Chatzoglou et al. [4] conducted a s
Page 117 and 118:
Evolution Elicitation Probability E
Page 119 and 120:
Table 2. Participants Background Pa
Page 121 and 122:
for the defined success criteria. O
Page 123 and 124:
Fig. 3. Codes Coverage ATM systems,
Page 125 and 126:
The feedbacks provided by the ATM e
Page 127 and 128:
3. P. Carlshamre, K. Sandahl, M. Li
Page 129 and 130:
Quick fix generation for DSMLs Ábe
Page 131 and 132:
• extensibility: the supported li
Page 133 and 134:
Fig. 7. Overview of the Quick fix g
Page 135 and 136:
Fig. 9. Evaluation results (|V(M I
show all

D.3.3 ALGORITHMS FOR INCREMENTAL ... - SecureChange

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?