Automated Software Engineering, Volume 14, Issue 3, pp 341–364

Computer-aided Support for Secure Tropos

  • Fabio Massacci
  • John Mylopoulos
  • Nicola Zannone


In earlier work, we have introduced Secure Tropos, a requirements engineering methodology that extends the Tropos methodology and is intended for the design and analysis of security requirements. This paper briefly recaps the concepts proposed for capturing security aspects, and presents an implemented graphical CASE tool that supports the Secure Tropos methodology. Specifically, the tool supports the creation of Secure Tropos models, their translation to formal specifications, as well as the analysis of these specifications to ensure that they comply with specific security properties. Apart from presenting the tool, the paper also presents a two-tier evaluation consisting of two case studies and an experimental evaluation of the tool’s scalability.


Keywords: Security requirements engineering; CASE tools; Automated reasoning





Copyright information

© Springer Science+Business Media, LLC 2007

Authors and Affiliations

  • Fabio Massacci (1)
  • John Mylopoulos (1)
  • Nicola Zannone (1)

  1. Department of Information and Communication Technology, University of Trento, Trento, Italy
