Abstract
Formal methods offer a precise and concise way of expressing system requirements which can be tested and validated with formal proofs techniques. However, their application in the development of security aware industrial systems have been associated with high costs due to the difficulty in integrating the functional and security requirements which are generated in an ad hoc manner. Reducing this cost has been a subject of interest in software requirements engineering research. In this paper we propose a formal technique for concurrent generation of functional and security requirements that can help provide a systematic way of accounting for security requirements while specifying the functional requirements of a software. With this technique, the functional behaviors of the system are precisely defined using the Structured Object-Oriented Formal Language (SOFL). The security rules are systematically explored with the results incorporated into the functional specification as constraints. The resultant specification then defines the system functionality that implies the conformance to the security rules. Such a specification can be used as a firm foundation for implementation and testing of the implementation. We discuss the principle of integrating security rules with functional specifications and present a case study to demonstrate the feasibility of our technique.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Mouratidis, H., Giorgini, P.: Integrating Security and Software Engineering: Advances and Future Visions. Idea Group, Hershey (2006). https://doi.org/10.4018/978-1-59904-147-6
Khan, K.M.: Developing and Evaluating Security-Aware Systems, pp. 14–24. IGI Global, Hershey (2012) ISBN 1-59904-149-9
Mouratidis, H.: Integrating Security and Software Engineering: Advances and Future Visions, pp. 14–24. IGI Publishing, Hershey (2007) ISBN 1-59904-149-9
Nagaraju, V., Fiondella, L., Wandji, T.: A survey of fault and attack tree modeling and analysis for cyber risk management, pp. 1–6 (2017)
Nagoya, F., Liu, S., Hamada, K.: Developing a web dictionary system using the SOFL three-step specification approach. In: 2015 5th International Conference on IT Convergence and Security (ICITCS), pp. 1–5 (2015)
Liu, S.: Formal Engineering for Industrial Software Development Using SOFL Method. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-662-07287-5. ISBN 3-540-20602-7
Huang, H.C., Zhang, Z.K., Cheng, H.W.: Web application security: threats, countermeasures, and pitfalls. Computer 50, 81–85 (2017)
Epstein, P., Sandhu, R.: Towards a UML based approach to role engineering. In: Proceedings of the 4th ACM Workshop on Role-Based Access Control, pp. 75–85 (1999)
Huget, M.P.: Agent UML notation for multiagent system design. IEEE Internet Comput. 8, 63–71 (2004)
Shin, M, Ahn, G.: UML-based representation of role-based access control. In: 9th International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, pp. 195–200 (2000)
Kammüller, F., Augusto, J.C., Jones, S.: Security and privacy requirements engineering for human centric IoT systems using eFRIEND and Isabelle. In: 2017 IEEE 15th International Conference on Software Engineering Research, Management and Applications (SERA) (2017)
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: a UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45800-X_33
Amini, M., Jalili, R.: Multi-level authorisation model and framework for distributed semantic-aware environments. IET Inf. Secur. 4, 301–321 (2010)
Ouedraogo, M., Mouratidis, H., Khadraoui, D., Dubois, E.: An agent-based system to support assurance of security requirements. In: 2010 Fourth International Conference on Secure Software Integration and Reliability Improvement, pp. 78–87 (2010)
Common Criteria Part 2: Security Functional Requirements. The Common Criteria Portal. https://www.commoncriteriaportal.org/cc/. Accessed 28 July 2019
Security Criteria : BITS/Financial Services Roundtable. http://www.bitsinfo.org/security-criteria/. Accessed 28 July 2019
Kumar, R., Stoelinga, M.: Quantitative security and safety analysis with attack-fault trees. In: 2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE), pp. 25–32 (2017)
Merkow, M.S., Raghavan, L.: Secure and Resilient Software, Requirements, Test cases and Testing Methods, p. 71. Auerbach Publications, Boston (2011)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Emeka, B., Liu, S. (2020). A Formal Technique for Concurrent Generation of Software’s Functional and Security Requirements in SOFL Specifications. In: Miao, H., Tian, C., Liu, S., Duan, Z. (eds) Structured Object-Oriented Formal Language and Method. SOFL+MSVL 2019. Lecture Notes in Computer Science(), vol 12028. Springer, Cham. https://doi.org/10.1007/978-3-030-41418-4_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-41418-4_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41417-7
Online ISBN: 978-3-030-41418-4
eBook Packages: Computer ScienceComputer Science (R0)