Capturing, Organizing, and Reusing Knowledge of NFRs: An NFR Pattern Approach

Sam Supakkul¹, Tom Hill², Ebenezer Akin Oladimeji³, Lawrence Chung¹

¹ The University of Texas at Dallas
² EDS, an HP company
³ Verizon Communications


Page 2

Security = “bad things to be prevented” *

* C. Haley and B. Nuseibeh, IEEE TSE, 2008

[Figure: The TJX incident, the largest credit card theft in history. A hacker in a parking lot outside a Marshalls store in Miami; co-conspirators in Europe.]

• 45.7 million stolen credit cards
• Class-action lawsuit by nearly 300 affected banks
• Cost TJX $1 billion over 5 years, excluding the lawsuit

To prevent such an incident, we need to know:

• Meaning of credit card security?
• Problems suffered by TJX?
• Root causes of those problems?
• Mitigation alternatives of the problems and their causes?
• Choosing and developing the mitigations with consideration of other organizational needs?

Page 3

Difficult to get technical details from case reports

[Figure: The TJX case attack scenario. Labelled elements: Retail Transaction System; TJX Corporate Network; Internet; TJX Store Wi-Fi (WEP); Customer; Cashier; Back Office User; ID / Password; a hacker in a parking lot outside a Marshalls store in Miami; co-conspirators in Europe. Numbered steps:]

1. A hacker broke WEP encryption to access the wireless network
2. The hacker masqueraded as a valid user using intercepted ID and password
3. The hacker transferred files containing credit card info to his laptop and to co-conspirators in Europe

Developed after:
• reading over 30 articles
• studying computer security
• educated assumptions

Problem: Lack of security knowledge

Page 4

Problem: Difficult to possess necessary NFR-related knowledge

[Figure: kinds of NFR-related knowledge. Dimension labels: Domain Independent, Domain Specific; Goal, Means; Problem, Solution; Requirements, Running System.]

Examples shown in the figure:
• security = confidentiality, integrity, and availability?
• security = confidentiality?
• general definition of security
• specific definition of security for credit card industry
• security modeled as goals
• WEP hacking
• remote user masquerading
• 2-factor authentication?
• strong passwords?
• problem frames for 2-factor authentication
• architecture and design for 2-factor authentication

Page 5

A solution: Applying NFRs knowledge captured as patterns

[Figure: an Initial Requirements Model and a Final Requirements Model, with thumbnail models labelled Goal Pattern, Problem Pattern, Causal Attribution Pattern, Alternatives Pattern, Selection Pattern and Requirements Pattern.]

Questions shown on the slide:
• Meaning of security?
• TJX problems?
• Causes of problems?
• Alternatives?
• Tradeoffs?
• Requirements, specifications?
• Modeling?

Node labels legible in the thumbnail models:
• Security [Payment card information]; Confidentiality; Privacy
• TJX problems [Payment card info]; Unauthorized access [Intranet (Computing facility)]; Unauthorized access [Server (Computing facility)]; Malicious transfer [Payment card info]
• Unauthorized access [server]; Masquerading user login; Transmission of ID and password in clear text is easily interceptable
• Reset compromised passwords; Disable compromised user accounts; Two-factor authentication; Password + token; Password + biometrics; RADIUS or TACACS user authentication; Password encryption
• Availability [Server]; Usability [Server]; Cost
• Confidentiality [Corporate Server]; Usability; Cost; Secure passwords; Strong passwords; User education, training, enforcement; ID/password encryption; Stored ID/password encryption; Transmitted ID/password encryption; Non-dictionary words; Frequently changed passwords
• Password + token; RSA ACE server with SecurID tokens; Vasco Digipass; CRYPTOcard KT-1
• Availability [Authentication]; Availability [Authentication Server]; Availability [Token]; Availability [Synchronized token]; Availability [Token operating life]
• Interoperability [other software]; Interoperability [Unix login/SSH]; Interoperability [Web login/Apache, IIS]; Interoperability [VPN]; Interoperability [LDAP]; Interoperability [Windows login]

Link labels in the figure: ++, +, +W, _, _ _, eql

Page 6

Goal Pattern

Goal pattern captures a definition of an NFR

Name: FISMA Security Objectives
Objective: refine Security
Domain: <none>
Model: (figure below)
Known uses: FISMA, US military

[Figure: FISMA Security Objectives model, applied to the goal Security with "refine". Node labels: Security; Integrity; Confidentiality; Availability; Privacy; Proprietary; Authenticity; Non-repudiation; Timeliness; Reliability.]

Legend: NFR goal; AND decomposition; OR decomposition; Design domain

Page 7

Problem pattern

Problem pattern captures an undesirable situation that can hurt an NFR

Name: TJX Security Problems
Domain:
Objective: break Privacy [Payment card info]
Model: (figure below)
Experiences: TJX

[Figure: TJX Credit Card Theft model. Node labels: TJX security compromises [Payment card info]; Unauthorized access [Intranet (Computing facility)]; Unauthorized access [Server (Computing facility)]; Malicious transfer [Payment card info]. Other labels: Financial; Payment Card.]

Legend: NFR goal; AND decomposition; OR decomposition; Design domain; Given domain; Topic/Context; Domain interface; Undesirable situation

Page 8

Causal Attribution Pattern

Causal Attribution pattern captures causes and root causes of a problem

Name: Unauthorized Server Access Causes
Domain: <none>
Objective: make Unauthorized Access [Server]
Model: (figure below)
Experiences: TJX

[Figure: Unauthorized Server Access Causes model]

Legend: NFR goal; AND decomposition; OR decomposition; Design domain; Given domain; Topic/Context; Domain interface; Function reference; Agent; Function; Machine; Vulnerability; Undesirable operation; Undesirable situation

Contributions: ++ Make; + Help; – Hurt; – – Break

Page 9

Problem classification

[Figure: Unauthorized Server Access Causes model, with classification labels Undesirable situation, Undesirable operation and Vulnerability]

Page 10

Problem mitigation classification

[Figure: Unauthorized Server Access Causes model, with classification labels Undesirable situation, Undesirable operation and Vulnerability. Goal shown: Privacy [Credit Card Information].]

Mitigation classes shown:
• Change environment to that with more acceptable risks
• Prevent the operation from being realized
• Prevent the operation from causing the undesirable situation
• Prevent/limit the effect on the goal

Page 11

Solution Alternatives Pattern

Name: Unauthorized Server Access Mitigation
Domain: <none>
Objective: hurt Unauthorized access [server]
Model: (figure below)
Experiences:

Name: Masquerading User Login Mitigation
Domain: <none>
Objective: break Masquerading user login
Model: (figure below)
Experiences:

Name: Clear text ID/password Mitigation
Domain: <none>
Objective: break Clear text ID/password Mitigation
Model: (figure below)
Experiences:

[Figure: three models. Node labels in each:
• Unauthorized Server Access Mitigation: Reset compromised passwords; Disable compromised user accounts; Unauthorized access [server]; Availability [Server]; Usability [Server]; Cost
• Masquerading User Login Mitigation: Two-factor authentication; Password + token; Password + biometrics; Masquerading user login; Usability [Server]; Cost
• Clear text ID/password Mitigation: Password encryption; RADIUS or TACACS remote authentication protocol; Transmission of ID and password in clear text is easily interceptable; Cost
Link labels: ++, +, _, _ _]

Page 12

Alternatives Selection Pattern

Name: Usability Driven Unauthorized Server Access Mitigation
Domain:
Objective: select Unauthorized Server Access Mitigation, Masquerading User Login Mitigation, Clear Text ID/Password Mitigation
Model: (figure below)
Experiences:

[Figure: the Usability Driven Unauthorized Server Access Mitigation model (node labels: Usability; Cost; Two-factor authentication; Password + token) shown with three "select" links and the three alternatives models. Node labels in each:
• Unauthorized Server Access Mitigation: Reset compromised passwords; Disable compromised user accounts; Unauthorized access [server]; Availability [Server]; Usability [Server]; Cost
• Masquerading User Login Mitigation: Two-factor authentication; Password + token; Password + biometrics; Masquerading user login; Usability [Server]; Cost
• Clear text ID/password Mitigation: Password encryption; RADIUS or TACACS remote authentication protocol; Transmission of ID and password in clear text is easily interceptable; Cost
Link labels: ++, +, _, _ _]

Page 13

Result of a selection pattern

[Figure: panels labelled Goal Pattern, Problem Pattern, Causal Pattern, Alternatives Patterns and Selection Pattern, showing the models FISMA Security Objectives, TJX Credit Card Theft, Unauthorized Server Access Causes, Unauthorized Server Access Mitigation, Masquerading User Login Mitigation, Clear text ID/password Mitigation and Usability Driven Unauthorized Server Access Mitigation. Operation labels: refine; project. Additional node labels: Confidentiality [Corporate Server]; Securing ID and passwords; Unauthorized access [Corporate Server]; Masquerade [Remote login using ID/password].]

Page 14

Requirements Pattern

What are requirements?

Page 15

Requirements: Goals assignable to agents in the software-to-be [van Lamsweerde, ICSE00]

[Figure: goal model with nodes marked Requirements and Assumption. Goals: Safe [Transport]; Maintain [WCS distance between trains]; Maintain [Track segment speed limit]; Avoid [Train entering closed gate]; Maintain [Safe speed/acceleration commanded]; Maintain [Safe command to following train based on speed/position estimates]; Maintain [No sudden stop of preceding train]; Maintain [Safe train response to command]. Link labels: ++]

Requirements: “requirements that indicate what the customer needs from the system, described in terms of its effect on the environment” [Gunter, Gunter, Jackson, Zave, IEEE Software 2000]

[Figure: W R S P M, with labels World, Requirement, Specification, Program, Machine]

Requirements, Specifications [R. Seater, D. Jackson, IWAAPF’06]

[Figure: Problem Frames]

Page 16

Requirements Pattern

Name: Strong password requirements
Domain:
Objective: make Non-dictionary password, Frequently changed password
Model: (figure below)
Experiences:

[Figure: model titled "Unauthorized server access cost driven selection". Node labels: Strong passwords; Non-dictionary passwords; Frequently changed passwords; Maintain passwords - internal dictionary; Maintain passwords - external dictionary; Password periodic change reminder/enforcer; Time Performance; Maintainability; Maintain [passwords]; Maintain [periodically changed passwords]; Achieve [password change reminder]; Maintain [password using internal dictionary]; Maintain [password using external dictionary]. Link labels: ++, _]

Page 17

Pattern organization

Dimensions:
• Classification / Instantiation
• Generalization / Specialization
• Aggregation / Decomposition

[Figure: patterns placed along these dimensions. Labels: FISMA Security Definition; PCI Security Definition; TJX Security Objectives Pattern; TJX Security Threats Pattern; Unauthorized Access Mitigations Pattern; TJX Security Pattern; Security Threat Mitigation Meta-Pattern; Unauthorized Server Access Mitigation Pattern; Malicious Data Transfer Mitigation Pattern]

Page 18

Pattern specialization

[Figure: two models side by side.
• FISMA Security Objectives: Security [Information]; Integrity; Confidentiality; Availability; Privacy; Proprietary; Authenticity; Non-repudiation; Timeliness; Reliability
• PCI Security Objectives: Security [Payment card information]; Confidentiality; Privacy; links labelled eql
Topics: Information; Payment Card Information]

Properties
• Specialization of context/topic
• More restrictive content

Page 19

Pattern aggregation

[Figure: TJX Security Pattern. Labels: Card Data Environment; PCI Security Objectives [Credit Card Information]; TJX Threats; TJX Threat Causes; Unauthorized Server Access Mitigation; Unauthorized Intranet Access Mitigation; Malicious Data Transfer Mitigation; Two-Factor Problem Frame; Two-Factor Use Cases. Link labels: S+, S-, ++]

[Figure: Initial Requirements Model and Final Requirements Model, with thumbnail models labelled Goal Pattern, Problem Pattern, Causal Attribution Pattern, Alternatives Pattern, Selection Pattern and Requirements Pattern]

Manual application of multiple patterns
– Know which patterns to use
– Know which order to apply
– But flexible

Pre-assembled patterns into an aggregate pattern
– Ready-to-use
– More cohesive knowledge
– Narrower applicability

Page 20

Pattern classification/meta-pattern

[Figure: Security Mitigation Meta-Pattern, with labels context; problem; solution; forces; asset; Undesirable outcome [Asset]; Threat; Vulnerability. Three Instance-of links, with the patterns Unauthorized Intranet Access Mitigation; Unauthorized Server Access Mitigation; Malicious Data Transfer Mitigation]

[Supakkul, Hill, Oladimeji, Chung, PLoP09]

Page 21

Pattern operations

Search operation

[Figure: search, with labels Pattern Catalog, Topic, Results]

Apply operation

[Figure: apply, with labels M, M’, P]

Examples of the apply operation

[Figure: Initial Requirements Model and Final Requirements Model, with thumbnail models labelled Goal Pattern, Problem Pattern, Causal Attribution Pattern, Alternatives Pattern, Selection Pattern and Requirements Pattern]

Page 22

Conclusion

• Contributions
  – Capturing and reusing different kinds of NFR knowledge using patterns
  – Organization of patterns along the 3 dimensions
• Future work
  – More precise definition of the concepts
  – Tool support to verify the concepts
  – More case studies to validate the general applicability for other NFRs
