nach oben

Erschienen in:

2021 | OriginalPaper | Buchkapitel

Automating the Assembly of Security Assurance Case Fragments

verfasst von : Baoluo Meng, Saswata Paul, Abha Moitra, Kit Siu, Michael Durling

Erschienen in: Computer Safety, Reliability, and Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

This paper presents an approach and tools for automatic generation of security assurance case fragments using patterns for arguing the security of cyber physical systems. The fragments are generated using augmented Goal Structuring Notation (GSN) and can succinctly convey a system’s resilience to cyber-threats specified in MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC). The GSN schema has been augmented with additional metadata that can be used for visually tracing back to component-level CAPEC threats from higher-level cyber security claims, enabling designers to easily locate flaws in a model when one or more claims cannot be substantiated. An implementation of the approach as a part of the Verification Evidence and Resilient Design in Anticipation of Cybersecurity Threats (VERDICT) toolchain has also been demonstrated along with a case study of a package delivery drone.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel ISO/SAE 21434-Based Risk Assessment of Security Incidents in Automated Road Vehicles

Nächstes Kapitel Safety Case Maintenance: A Systematic Literature Review

For more details, visit https://github.com/ge-high-assurance/VERDICT.

Common Attack Pattern Enumeration and Classification (CAPEC) (2017). https://capec.mitre.org

Security and Privacy Controls for Information Systems and Organizations (2017)

Agudo, I., Vivas, J.L., López, J.: Security assurance during the software development cycle. In: Proceedings of the International Conference on Computer Systems and Technologies and Workshop for PhD Students in Computing, pp. 1–6 (2009)

Alexander, R., Hawkins, R., Kelly, T.: Security Assurance Cases: Motivation and the State of the Art. The University of York, York (2011)

Bagheri, H., Kang, E., Mansoor, N.: Synthesis of assurance cases for software certification. In: Proceedings of the International Conference on Software Engineering (2020)

Basir, N., Denney, E., Fischer, B.: Deriving safety cases for hierarchical structure in model-based development. In: Schoitsch, E. (ed.) SAFECOMP 2010. LNCS, vol. 6351, pp. 68–81. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15651-9_6CrossRef

Bloomfield, R., Netkachova, K.: Building blocks for assurance cases. In: 2014 IEEE International Symposium on Software Reliability Engineering Workshops, pp. 186–191. IEEE (2014)

Bloomfield, R., Rushby, J.: Assurance 2.0: A manifesto (2020)

Cheah, M., Shaikh, S.A., Bryans, J., Wooderson, P.: Building an automotive security assurance case using systematic security evaluations. Comput. Secur. 77, 360–379 (2018)CrossRef

10.

Crapo, A., Moitra, A.: Toward a unified English-like representation of semantic models, data, and graph patterns for subject matter experts. Int. J. Semant. Comput. 7(03), 215–236 (2013)CrossRef

11.

De La Vara, J., Parra, E., Ruiz, A., Gallina, B.: The amass tool platform: an innovative solution for assurance and certification of cyber-physical systems. In: Joint 26th International Conference on Requirements Engineering: Foundation for Software Quality Workshops, Pisa, Italy, vol. 2584. CEUR-WS (2020)

12.

Denney, E., Pai, G.: A methodology for the development of assurance arguments for unmanned aircraft systems. In: 33rd International System Safety Conference (ISSC 2015) (2015)

13.

Denney, E., Pai, G.: Automating the assembly of aviation safety cases. IEEE Trans. Reliab. 63(4), 830–849 (2014)CrossRef

14.

Denney, E., Pai, G.: Tool support for assurance case development. Autom. Softw. Eng. 25(3), 435–499 (2017). https://doi.org/10.1007/s10515-017-0230-5CrossRef

15.

Denney, E., Pai, G., Pohl, J.: AdvoCATE: an assurance case automation toolset. In: Ortmeier, F., Daniel, P. (eds.) SAFECOMP 2012. LNCS, vol. 7613, pp. 8–21. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33675-1_2CrossRef

16.

Feiler, P.: The Open Source AADL Tool Environment (OSATE). Technical report, Carnegie Mellon University (2019)

17.

Feiler, P.H., Gluch, D.P.: Model-Based Engineering with AADL: An Introduction to the SAE Architecture Analysis & Design Language. Addison-Wesley, Boston (2012)

18.

Feiler, P.H., Gluch, D.P., Hudak, J.J.: The architecture analysis & design language (AADL): An introduction. Technical report, Carnegie Mellon University (2006)

19.

Gacek, A., Backes, J., Cofer, D., Slind, K., Whalen, M.: Resolute: an assurance case language for architecture models. ACM SIGAda Ada Lett. 34(3), 19–28 (2014)CrossRef

20.

Graydon, P.J.: Formal assurance arguments: a solution in search of a problem? In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 517–528. IEEE (2015)

21.

Guerra, S., Sheridan, D.: Compliance with standards or claim-based justification? The interplay and complementarity of the approaches for nuclear software-based systems. In: Proceedings of the Twenty-Second Safety-Critical Systems Symposium, Brighton, UK (2014)

22.

Hawkins, R., Clegg, K., Alexander, R., Kelly, T.: Using a software safety argument pattern catalogue: two case studies. In: Flammini, F., Bologna, S., Vittorini, V. (eds.) SAFECOMP 2011. LNCS, vol. 6894, pp. 185–198. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24270-0_14CrossRef

23.

Kelly, T., Weaver, R.: The goal structuring notation-a safety argument notation. In: Proceedings of the Dependable Systems and Networks 2004 Workshop on Assurance Cases, p. 6. Citeseer (2004)

24.

Kobayashi, N., Morisaki, S., Yamamoto, S.: Mobile security assurance for automotive software through ArchiMate. In: You, I., Leu, F.-Y., Chen, H.-C., Kotenko, I. (eds.) MobiSec 2016. CCIS, vol. 797, pp. 10–20. Springer, Singapore (2018). https://doi.org/10.1007/978-981-10-7850-7_2CrossRef

25.

Meng, B., et al.: Towards developing formalized assurance cases. In: 2020 AIAA/IEEE 39th Digital Avionics Systems Conference (DASC), pp. 1–9 (2020). https://doi.org/10.1109/DASC50938.2020.9256740

26.

Meng, B., et al.: VERDICT: a language and framework for engineering cyber resilient and safe system. Syst. 9(1) (2021). https://doi.org/10.3390/systems9010018. https://www.mdpi.com/2079-8954/9/1/18

27.

Meng, B., Smith, W., Durling, M.: Security threat modeling and automated analysis for system design. SAE Int. J. Transp. Cyber Privacy 4 (2021). https://doi.org/10.4271/11-04-01-0001

28.

Moitra, A., Prince, D., Siu, K., Durling, M., Herencia-Zapana, H.: Threat identification and defense control selection for embedded systems. SAE Int. J. Transp. Cyber. Privacy 3 (2020)

29.

Poreddy, B.R., Corns, S.: Arguing security of generic avionic mission control computer system (MCC) using assurance cases. Proc. Comput. Sci. 6, 499–504 (2011)CrossRef

30.

RTCA-DO: 178c: Software considerations in airborne systems and equipment certification (2011)

31.

Siu, K., Herencia-Zapana, H., Prince, D., Moitra, A.: A model-based framework for analyzing the security of system architectures. In: 2020 Annual Reliability and Maintainability Symposium (RAMS), pp. 1–6. IEEE (2020)

32.

Siu, K., et al.: Architectural and behavioral analysis for cyber security. In: 2019 IEEE/AIAA 38th Digital Avionics Systems Conference (DASC), pp. 1–10. IEEE (2019)

33.

Sommerville, I.: Software Engineering (2011). ISBN-10 137035152, 18

34.

Vivas, J.L., Agudo, I., López, J.: A methodology for security assurance-driven system development. Requir. Eng. 16(1), 55–73 (2011)CrossRef

35.

Wei, R., Kelly, T.P., Dai, X., Zhao, S., Hawkins, R.: Model based system assurance using the structured assurance case metamodel. J. Syst. Softw. 154, 211–233 (2019)CrossRef

Titel: Automating the Assembly of Security Assurance Case Fragments
verfasst von: Baoluo Meng
Saswata Paul
Abha Moitra
Kit Siu
Michael Durling
Verlag: Springer International Publishing
Buch: Computer Safety, Reliability, and Security
Print ISBN: 978-3-030-83902-4

Electronic ISBN: 978-3-030-83903-1

Copyright-Jahr: 2021
DOI: https://doi.org/10.1007/978-3-030-83903-1_7

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner