A Semantic Paradigm for Component-Based Specification Integrating a Notion of Security Risk

  • Conference paper
Formal Aspects in Security and Trust (FAST 2006)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4691)

Abstract

We propose a semantic paradigm for component-based specification supporting the documentation of security risk behaviour. By security risk, we mean behaviour that constitutes a risk with regard to ICT security aspects, such as confidentiality, integrity and availability. The purpose of this work is to investigate the nature of security risk in the setting of component-based system development. A better understanding of security risk at the level of components facilitates the prediction of risks related to introducing a new component into a system. The semantic paradigm provides a first step towards integrating security risk analysis into the system development process.



Editor information

Theo Dimitrakos, Fabio Martinelli, Peter Y. A. Ryan, Steve Schneider

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Brændeland, G., Stølen, K. (2007). A Semantic Paradigm for Component-Based Specification Integrating a Notion of Security Risk. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds) Formal Aspects in Security and Trust. FAST 2006. Lecture Notes in Computer Science, vol 4691. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75227-1_3

  • DOI: https://doi.org/10.1007/978-3-540-75227-1_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75226-4

  • Online ISBN: 978-3-540-75227-1

  • eBook Packages: Computer Science, Computer Science (R0)
