Università degli Studi di Trento
How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach
L. Compagna, P. El Khoury (Security Research Dept., SAP); F. Massacci, N. Zannone (Informatics and TLC Dept., Univ. of Trento); R. Thomas (Dept. of Law, Univ. of Leuven)
www.massacci.org www.tropos-project.org www.serenity-project.org
Outline
• What is the Problem?
  – Address Regulatory Compliance Demands
  – Organizational Patterns
• Which is the Solution?
  – Graphical Requirements Engineering Methodology
• Smart Items For Health Care
  – An Example of a Pattern
• Conclusion & Future Work
What's the Problem?
• Emerging trends in Security Engineering
  – Security solutions can no longer be best effort
  – Must show verifiable evidence with...
• Regulatory Compliance
  – SOX / Basel II / EU Privacy Directive
• Industry Compliance
  – ISO 17799, ITIL Security Management
• Usage of SOA Mandatory
  – WS-Security, WS-Trust, WS-Federation
• Audit/Certification
  – CC formal models, verification of the model
What's the Solution?
• Security & Privacy Patterns for Organisations
  – Security patterns are security best practices presented in template format
  – Validated by Experts
  – Patterns can provide implementations
    • From rules of procedure to running code
• Concept widely used in Software Patterns
  – Large repositories are available
  – Model-Based Transformation available for different languages
So what is the problem?
Ask a toad what beauty is, the to kalon? He will answer you that it is his toad wife with two great round eyes issuing from her little head, a wide, flat mouth, a yellow belly, a brown back. . . . Interrogate the devil; he will tell you that beauty is a pair of horns, four claws and a tail.
Voltaire, Philosophical Dictionary (1764)
To Design a Security Pattern
• Ask a lawyer
  17(4) For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 17(1) shall be in writing or in another equivalent form.
• Ask a computer engineer
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <!-- In XML Signature the Transforms, DigestMethod and DigestValue elements belong
           inside a Reference element; the slide omitted that wrapper -->
      <Reference>
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>FLuQTa/LqDIZ5F2JSaMRHSRuaiQ=</DigestValue>
      </Reference>
    </SignedInfo>
• Ask a formal methods expert
    % A delegated execution with no grounds to entrust the executor is a non-repudiation failure
    Fail_NonRepudiation(A,B,S) :- del_exec(A,B,S), not entrust_exec(A,B,S).
    % A entrusts B with S either by direct trust...
    entrust_exec(A,B,S) :- trust(A,B,S).
    % ...or because B's fulfilment can be proven through a third party TP
    entrust_exec(A,B,S) :- prove_fulfillment(A,B,S,TP).
    % B provides a proof of fulfilment of S that TP accepts from B and that A accepts from TP
    prove_fulfillment(A,B,S,TP) :- provides(B,PoF), proof_of_fulfillment(PoF,S),
                                   entrust_exec(TP,B,PoF), entrust_exec(A,TP,PoF).
Lingua Franca...
• Software Patterns work because they are essentially by toads only
  – The difference between C++, Java, C#, Eiffel, Perl, Python etc. is negligible compared to the differences just shown
• Security Patterns need integration of different "languages"
• Idea: a picture is worth a thousand words
  – Provided you are able to get the picture from the words and the words back from the picture
Smart Items For Health Care
[Figure: scenario diagram with actors ERC, MERC, Bob (smart T-shirt and e-health terminal), Charlie (e-health terminal), Alison (e-health terminal) and the Pharmacist's computer; arrows (1)-(7): request, request, send e-prescription, request for medicine delivery, deliver the medicine, get medicine.]
Steps:
2. Bob feels giddy and sends via his e-health terminal a request for assistance to MERC.
   Notes: this request is completed with Bob's medical data, automatically retrieved by his e-health terminal by means of a query to his smart T-shirt.
3. MERC receives the request and, since Bob's doctor is on vacation, redirects it to Charlie.
   Notes: the request would have been sent to Bob's doctor, but he is on vacation and thus a doctor discovery process is activated. In the group of doctors able to substitute Bob's doctor, Charlie is the first to answer.
4. Charlie analyses Bob's medical data and history and sends Bob an e-prescription.
   Notes: Charlie retrieves Bob's medical data and history by using his e-health terminal to query ERC. The e-prescription is sent from Charlie's e-health terminal to Bob's e-health terminal.
5. Bob requests MERC for a medicine delivery.
   Notes: Bob feels weak and, instead of driving to the pharmacy to get the medicine, he prefers to be supported by the ERC for this task.
6. MERC selects Alison to execute this task and sends her a message, which she promptly acknowledges, receiving back the data for accomplishing this activity.
   Notes: like the other health actors, Alison is equipped with an e-health terminal that she uses to communicate with the others. In the data she receives from ERC there will be, properly protected, the e-prescription issued for Bob.
7. Alison goes to the pharmacy and, after a successful credentials exchange, she gets the medicine from the pharmacist.
   Notes: the credentials exchange is between Alison's e-health terminal and the pharmacist's computer. Besides the validity of the e-prescription, Alison's authorization to get the medicine on behalf of Bob needs to be checked.
8. Alison delivers the medicine to Bob.
   Notes: this last step involves an exchange of electronic credentials between Bob and Alison. Their e-health terminals are used for this purpose.
Goal-Based Req. Engineering
• Graphical Requirement Language SI*
  – Agents, Roles, Relations among them
  – Execution, Delegation of Permissions
• Legal text
  – (semi) automatic extraction of graphical model from Natural Language description
• Logical Formulae
  – Experts provide general axioms and property descriptions
  – Instances added automatically from graphical model
• Executable Business Process
  – (Semi) automatic BPEL generation from graphical model
Pattern Design and Validation
[Figure: workflow diagram. The Lawyer describes patterns in a Semantics Template; the NL2SI* transformation produces a Graphical SI* Model. The Software Engineer refines patterns and the Security Engineer modifies patterns in the Graphical Editing Tool. From the SI* model, the BPEL CAiSE Tool generates a BPEL Skeleton, and the Formal Logic (Axioms and Rules) feeds the Automated Reasoning Tool, whose Logical Result is interpreted back in SI*.]
Non repudiation requirement presented in SI*
The Employer (MERC) shall have evidence that the Executor (Alison) cannot repudiate her commitment.
[Figure: SI* model with MERC delegating the goal "Delivery of medicine to Bob" to Alison, who uses the resource "Request" via her e-health terminal.]
What is an organizational security pattern?
Context (initial organizational structure, security requirements NOT fulfilled):
• Agents
• Resources
• Tasks
• Relations: delegation, trust...
Solution (security pattern applied, revised organizational structure, requirements fulfilled):
• Add/Remove Agents
• Add/Remove Resources
• Add/Remove Tasks
• Add/Remove Relations
Both context and solution are expressed as SI* MODELS.
Non repudiation pattern
[Context and Requirement]
Context: The Employer requests the achievement of a commitment and delegates its execution to the Executor.
Requirement: the former has no warranties that the latter takes the responsibility of achieving the commitment.
[Context, Requirement and Solution]
Solution: The Employer refines the commitment into two sub-parts.
3. Check the evidence about responsibilities taken by the Executor.
4. Represents the actual desire of fulfilling the commitment.
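As an added example (not code from the talk or from the SERENITY tools), the non-repudiation rules from the "ask a formal methods expert" slide are evaluated here as a Datalog-style fixpoint over constructed facts from the Smart Items scenario, before and after the pattern is applied. The service name deliver_medicine, the proof name signed_ack and ERC acting as the third party that keeps Alison's acknowledgement are assumptions.

```python
# Added example, not the project's own reasoning tool: the non-repudiation rules
# from the slides evaluated as a stratified Datalog fixpoint over sets of tuples.

def entrust_exec_closure(trust, provides, proof_of_fulfillment):
    """Least fixpoint of entrust_exec(A,B,S), following the slide's rules:
         entrust_exec(A,B,S) :- trust(A,B,S).
         entrust_exec(A,B,S) :- prove_fulfillment(A,B,S,TP).
         prove_fulfillment(A,B,S,TP) :- provides(B,PoF), proof_of_fulfillment(PoF,S),
                                       entrust_exec(TP,B,PoF), entrust_exec(A,TP,PoF)."""
    entrust = set(trust)
    changed = True
    while changed:
        changed = False
        for (b, pof) in provides:
            for (pof2, s) in proof_of_fulfillment:
                if pof2 != pof:
                    continue
                # third parties TP that accept B's proof, then principals A that accept TP on it
                tps = {tp for (tp, b2, p) in entrust if b2 == b and p == pof}
                for tp in tps:
                    for (a, tp2, p) in list(entrust):
                        if tp2 == tp and p == pof and (a, b, s) not in entrust:
                            entrust.add((a, b, s))
                            changed = True
    return entrust

def fail_non_repudiation(del_exec, trust, provides, proof_of_fulfillment):
    """Fail_NonRepudiation(A,B,S) :- del_exec(A,B,S), not entrust_exec(A,B,S).
       Negation is safe here: entrust_exec never depends on Fail_NonRepudiation."""
    entrust = entrust_exec_closure(trust, provides, proof_of_fulfillment)
    return {(a, b, s) for (a, b, s) in del_exec if (a, b, s) not in entrust}

# Constructed facts: MERC delegates the delivery of Bob's medicine to Alison.
# "deliver_medicine" and "signed_ack" are assumed names, not from the slides.
DEL_EXEC = {("MERC", "Alison", "deliver_medicine")}

# Initial organisational structure: no trust and no evidence -> requirement NOT fulfilled.
BEFORE = dict(del_exec=DEL_EXEC, trust=set(), provides=set(), proof_of_fulfillment=set())

# After the pattern: Alison's acknowledgement is evidence held by a third party
# (ERC, an assumption) that accepts it from Alison and that MERC relies on.
AFTER = dict(
    del_exec=DEL_EXEC,
    trust={("ERC", "Alison", "signed_ack"), ("MERC", "ERC", "signed_ack")},
    provides={("Alison", "signed_ack")},
    proof_of_fulfillment={("signed_ack", "deliver_medicine")},
)

if __name__ == "__main__":
    print("before pattern:", fail_non_repudiation(**BEFORE))
    print("after pattern: ", fail_non_repudiation(**AFTER))
```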
Conclusion & Future Work
• System designers are usually neither security nor legal experts
  – Graphical RE notation is a useful common ground
• Idea: a picture is worth a thousand words
  – Provided you are able to get the picture from the words and the words back from the picture
• Future Work
  – Improving model construction from NL
  – The reasoning capability only detects failed properties; it should also suggest what is missing to satisfy them
  – Apply to other domains
• Acknowledgement
  – Supported by the EU through the EU-IST-IP SERENITY