Structuring Knowledge for a Security Trade-offs Knowledge Base

Golnaz Elahi, Department of Computer Science
Eric Yu, Faculty of Information Study
University of Toronto

Identity, Privacy and Security Initiative Research Symposium
May 2nd 2008


Page 2

Strategic Dependencies among Actors

Page 3

Modelling Strategic Actor Relationships and Rationales - the i* modelling framework

Strategic Actors:

• have goals, beliefs, abilities, commitments

• are semi-autonomous
  • freedom of action, constrained by relationships with others
  • not fully knowable or controllable
  • has knowledge to guide action, but only partially explicit

• depend on each other
  • for goals to be achieved, tasks to be performed, resources to be furnished

Page 4

Strategic Rationales about alternative configurations of relationships with other actors –

Why? How? How else?

Page 5

i* Evaluation Procedure

Semi-automatable propagation of qualitative evaluation labels uses evaluation guidelines and human judgment.

Page 6

Security Trade-offs Modeling and Analysis using i*

[Figure: i* model of security trade-offs. Labels: Employee; Security; Usability; Confidentiality; Integrity; Authenticate to access the host; Maintain network address integrity; Access to host remotely; Malicious Employee; Commit a fraud; Fraud through local network (LAN); Fraud over the Internet; Protect password; Password; losing password. Link labels: +, ++.]

Page 7

Structuring Knowledge for a Security Trade-offs Knowledge Base

A Goal-Oriented Approach

Page 8

Problems

Page 9

Security Knowledge Sources

• Textbooks
• Guidelines
• Standards
• Checklists
• Documentation from past projects
• Security Design Patterns
• Structured Catalogues & Knowledge Bases

Page 10

Excerpt from the NIST 800-36 guidelines

Structuring Knowledge

Page 11

Motivations and Questions

What would be a good way to organize and structure knowledge to assist designers in making security trade-offs?

We suggest a Goal-Oriented approach for structuring security trade-offs knowledge.

Page 12

Analyzing the Structure of the Knowledge in the NIST 800-36 Guidelines

[Figure: goal model of the knowledge in the NIST 800-36 guidelines.
Legend: Quality Goals; Goals; Security Mechanism; Actor; Attacker; Attack; Impacts; Vulnerability.
Labels: Information System; Identity-based access control; Identification; Authentication; Accountability; Authenticator; Static authentication; Dynamic authentication; Multi-factor authentication; Encryption [authenticator value]; Security [authentication]; Transit [authenticator]; Store [authenticator]; Authenticate the identity; Provide something have; Provide something alone know; Sample a personal characteristic; Authenticator lose; Guessing the password; Imposter; Obtain authenticator; Decrypting the password; Difficult to guess [authentication]; Difficult to decrypt [authentication]; Difficult to obtain [authentication]; Protected in transit [authentication]; Protected store in system [authentication]; Easy to use; Low cost.
Link labels: And; Prevent; --; Some -.]

Page 13

The KB Schema

[Figure: the KB schema.
Node labels: Attack; Vulnerability; Asset; Goal; Security Goal; Security Mechanism; Task; System/Individual tasks; Actor; System/Individual Goal; Malicious Goal; Attacker; System Actor.
Relation labels: Operationalize; Contribute; Exploit; Have; Prevent; Detect; Recover; Protect; Patch; Target; Use; Produce.]

• Actors and their goals

• Mechanisms and contributions of mechanisms on goals and other mechanisms

• Attackers and attacks

• Impact of attacks on goals and impact of security mechanisms on attacks

Page 14

Example of Structured Knowledge

[Figure: goal model of identity-based access control, with the same labels and link labels as the figure on Page 12 (Identification, Authentication, Accountability, the authenticator mechanisms, the Imposter's attacks, and the quality goals such as Difficult to guess [authentication], Easy to use and Low cost).]

Page 15

Reusable Unit of Knowledge

[Figure: reusable unit of knowledge. Labels: Attack; Softgoals; Security mechanism; Actor; Goals. Link labels: contribution; Contribution and type (prevent, detect, recover).]

What are the consequences of applying a particular security mechanism on malicious and non-malicious goals and mechanisms?

Which actor or system’s component should employ a particular security mechanism?

Page 16

Reusable Unit of Knowledge

[Figure: reusable unit of knowledge. Labels: Malicious goal; Attack; Asset; Vulnerability; Goal; Softgoals; Attacker. Link labels: contribution.]

• What is the impact of a particular attack on other goals and mechanisms?

• What vulnerabilities exist in a particular asset or mechanism?

• What attacks threaten a particular mechanism, asset, or goal?

• Who may threaten the system?

Page 17

Reusable Unit of Knowledge

What security mechanisms prevent or detect a particular attack or recover the system after the occurrence of the attack?

Page 18

Reusable Unit of Knowledge: Example

[Figure: example unit of knowledge. Labels: Prevent password guessing; Log-in convenience; Password security; Increase the period between login attempts with each unsuccessful attempt; Deny login after a limited number of failed attempts; Automated password guessing. Link labels: Prevent --; Prevent -; Detect --; --; -; +.]

Page 19

Conclusion

• Trade-offs between competing goals and the alternative solutions are expressed by relating the consequences of applying each alternative to the goals.

• The knowledge models enable goal model evaluation techniques to evaluate goal satisfaction.

• During the modeling process, missing points and relationships are discovered.

Page 20

Limitations and Ongoing work

The visual goal-oriented knowledge models do not scale well. This makes browsing, understanding, and analyzing the knowledge expressed in the visual goal models difficult.

Therefore, to solve the scalability problem:

1. The goal-oriented knowledge structure needs to be stored in goal-oriented text formats.

2. Query languages are required to extract a fragment of the large chunk of knowledge.

3. The unit of knowledge to extract from the KB needs to be defined.
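An added sketch (not the authors' format or tooling) of the three points above: a plain-text encoding of typed KB nodes and links, a query for "what security mechanisms prevent or detect a particular attack", and extraction of the unit of knowledge around one attack. The line format, the function names, and the link endpoints and labels in the sample are assumptions; the node names are taken from the slides' figures.

```python
from collections import namedtuple

Link = namedtuple("Link", "src rel label dst")

# Constructed sample. Assumed format: "kind: name" declares a node and
# "src | relation | label | dst" a link; endpoints and labels are assumed.
KB_TEXT = """
attack: Automated password guessing
attack: Decrypting the password
mechanism: Deny login after a limited number of failed attempts
mechanism: Increase the period between login attempts with each unsuccessful attempt
mechanism: Encryption [authenticator value]
softgoal: Log-in convenience
softgoal: Password security
Deny login after a limited number of failed attempts | prevent | -- | Automated password guessing
Deny login after a limited number of failed attempts | contribute | -- | Log-in convenience
Increase the period between login attempts with each unsuccessful attempt | prevent | - | Automated password guessing
Increase the period between login attempts with each unsuccessful attempt | contribute | - | Log-in convenience
Automated password guessing | contribute | -- | Password security
Encryption [authenticator value] | prevent | -- | Decrypting the password
"""

def parse_kb(text):
    """Return (nodes: name -> kind, links); reject links to undeclared nodes."""
    nodes, links = {}, []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if "|" in line:
            link = Link(*(part.strip() for part in line.split("|")))
            for end in (link.src, link.dst):
                if end not in nodes:
                    raise ValueError(f"undeclared node: {end}")
            links.append(link)
        else:
            kind, name = line.split(":", 1)
            nodes[name.strip()] = kind.strip()
    return nodes, links

def countermeasures(nodes, links, attack):
    """Mechanisms that prevent, detect or recover from the given attack."""
    return [(l.src, l.rel, l.label) for l in links
            if l.dst == attack and nodes[l.src] == "mechanism"
            and l.rel in ("prevent", "detect", "recover")]

def unit_of_knowledge(nodes, links, attack):
    """Fragment around one attack: countermeasures plus softgoal contributions."""
    mechs = {m for m, _, _ in countermeasures(nodes, links, attack)}
    return [l for l in links if l.src in mechs | {attack}
            and (l.dst == attack or nodes[l.dst] == "softgoal")]
```

Reading the extracted fragment side by side shows the trade-off: both mechanisms counter the attack, and both carry a negative contribution to Log-in convenience.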

Page 21

References:

[Mead 05] Mead, N. R., McGraw, G., A portal for software security, IEEE Security & Privacy, 2(4), 75-79 (2005)

[Barnum 05] Barnum, S., McGraw, G., Knowledge for software security, IEEE Security & Privacy, 3(2), 74-78 (2005)

[NIST 800-36] Grance, T., Stevens, M., Myers, M., Guide to Selecting Information Technology Security Products, Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-36 (2003)

[ER07] G. Elahi, E. Yu, A goal oriented approach for modeling and analyzing security trade-offs, In Proceeding of 26th International Conference of Conceptual Modeling, 2007, 375-390.

[RE03] L. Liu, E. Yu, J. Mylopoulos, Security and Privacy Requirements Analysis within a Social Setting. In IEEE Joint Int. Conf. on Requirements Engineering, 2003, 151-161.

Eric Yu: www.fis.utoronto.ca/~yu

Golnaz Elahi: http://www.cs.toronto.edu/~gelahi/