Elaborating Security Requirements by Construction of Intentional Anti-Models
2004
Cited by 48 (3 self)
Caring for security at requirements engineering time is a message that has finally received some attention recently. However, it is not yet very clear how to achieve this systematically through the various stages of the requirements engineering process. The paper presents a constructive approach to the modeling, specification and analysis of application-specific security requirements. The method is based on a goal-oriented framework for generating and resolving obstacles to goal satisfaction. The extended framework addresses malicious obstacles (called anti-goals) set up by attackers to threaten security goals. Threat trees are built systematically through anti-goal refinement until leaf nodes are derived that are either software vulnerabilities observable by the attacker or anti-requirements implementable by this attacker. New security requirements are then obtained as countermeasures by application of threat resolution operators to the specification of the anti-requirements and vulnerabilities revealed by the analysis. The paper also introduces formal epistemic specification constructs and patterns that may be used to support a formal derivation and analysis process. The method is illustrated on a web-based banking system for which subtle attacks have been reported recently.
Monitoring, Testing, and Debugging of Distributed Real-Time Systems
2000
Cited by 44 (1 self)
Testing is an important part of any software development project, and can typically surpass more than half of the development cost. For safety-critical computer-based systems, testing is even more important due to stringent reliability and safety requirements. However, most safety-critical computer-based systems are real-time systems, and the majority of current testing and debugging techniques have been developed for sequential (non-real-time) programs. These techniques are not directly applicable to real-time systems, since they disregard issues of timing and concurrency. This means that existing techniques for reproducible testing and debugging cannot be used. Reproducibility is essential for regression testing and cyclic debugging, where the same test cases are run repeatedly with the intention of verifying modified program code or to track down errors. The current trend of consumer and industrial applications goes from single microcontrollers to sets of distributed microcontrollers, which are even more challenging than handling real-time per se, since multiple loci of observation and control additionally must be considered. In this thesis we try to remedy these problems by presenting an integrated approach to monitoring, testing, and debugging of distributed real-time systems. For monitoring
Model-based evaluation: From dependability to security
IEEE Transactions on Dependable and Secure Computing, 2004
Cited by 43 (2 self)
The development of techniques for quantitative, model-based evaluation of computer system dependability has a long and rich history. A wide array of model-based evaluation techniques are now available, ranging from combinatorial methods, which are useful for quick, rough-cut analyses, to state-based methods, such as Markov reward models, and detailed, discrete-event simulation. The use of quantitative techniques for security evaluation is much less common, and has typically taken the form of formal analysis of small parts of an overall design, or experimental red team-based approaches. Alone, neither of these approaches is fully satisfactory, and we argue that there is much to be gained through the development of a sound model-based methodology for quantifying the security one can expect from a particular design. In this work, we survey existing model-based techniques for evaluating system dependability, and summarize how they are now being extended to evaluate system security. We find that many techniques from dependability evaluation can be applied in the security domain, but that significant challenges remain, largely due to fundamental differences between the accidental nature of the faults commonly assumed in dependability evaluation, and the intentional, human nature of cyber attacks.
Scenario-Based Requirements Analysis
Requirements Engineering (1998) 3:48-65, 1998
Cited by 42 (3 self)
A method for scenario-based requirements engineering is described. The method uses two types of scenario: structure models of the system context and scripts of system usage. A modelling language is reported for describing scenarios, and heuristics are given to crosscheck dependencies between scenario models and the requirements specification. Heuristics are grouped into several analytic treatments that investigate correspondences between users' goals and system functions; input events and system processes to deal with them; system output and its destination in the scenario model, and acceptability analysis of system output for different stakeholders. The method is illustrated with a case study taken from the London Ambulance Service report. The prospects for scenario-based requirements engineering and related work are discussed.
Software Reuse Research: Status and Future
IEEE Transactions on Software Engineering, 2005
Cited by 40 (0 self)
This paper briefly summarizes software reuse research, discusses major research contributions and unsolved problems, provides pointers to key publications, and introduces four papers selected from The Eighth International Conference on Software
VIATRA - Visual Automated Transformations for Formal Verification and Validation of UML Models
2002
Cited by 37 (6 self)
The VIATRA (VIsual Automated model TRAnsformations) framework is the core of a transformation-based verification and validation environment for improving the quality of systems designed using the Unified Modeling Language by automatically checking consistency, completeness, and dependability requirements. In the current paper, we present an overview of (i) the major design goals and decisions, (ii) the underlying formal methodology based on metamodeling and graph transformation, (iii) the software architecture based upon the XMI standard, and (iv) several benchmark applications of the VIATRA framework.
The Principled Design of Computer System Safety Analyses
2000
Cited by 36 (0 self)
Safety-critical computing is a relatively young and rapidly developing technology, which nevertheless is being deployed in applications where a single accident may have extremely severe consequences. The safety record of critical systems presently in service is reasonably good, but increasing expectations of functionality and performance are challenging the capabilities of current design and assessment processes. One specific area where limitations of existing methods are becoming obvious is in the analysis techniques that are used to derive safety requirements and to provide evidence that they have been satisfied. There are significant practical problems in using existing analysis techniques to evaluate computer systems, but few viable new computer-specific methods have been developed. This thesis proposes and evaluates a set of principles for the design of effective techniques to address novel computer system safety analysis requirements. The principles are based on an appreciation of the technical concepts underlying successful existing system-level analysis techniques, and of the practical qualities necessary to make a method industrially acceptable. The
Using simplicity to control complexity
IEEE Software, 2001
Cited by 33 (4 self)
How to improve the reliability and availability of increasingly complex software is a serious challenge as software assumes an increasingly larger role in the critical functions of our society. It is a widely held belief that diversity in software constructions entails robustness. However, is it really true? This paper investigates the relationship between software complexity, reliability, and the resources available for software development. It also presents a forward recovery approach based on the idea of "using simplicity to control complexity" as a way to improve the robustness of complex software systems.
Requirements analysis using forward and backward search
Annals of Software Engineering, 1997
Cited by 32 (9 self)
The requirements analysis of critical software components often involves a search for hazardous states and failure modes. This paper describes the integration of a forward search for consequences of reaching these forbidden modes with a backward search for contributing causes. Results are reported from two projects in which the integrated search method was used to analyze the requirements of critical spacecraft software. The search process was found to be successful in identifying some ambiguous, inconsistent, and missing requirements. More importantly, it identified four significant, unresolved requirements issues involving complex system interfaces and unanticipated dependencies. The results suggest that recent efforts by researchers to integrate forward and backward search have merit.

