Threat scenarios as a means to formally develop secure systems

  • Volkmar Lotz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1146)


We introduce a new method for the formal development of secure systems that closely corresponds to the way secure systems are developed in practice. It is based on Focus, a general-purpose approach to the design and verification of distributed, interactive systems. Our method uses threat scenarios, which result from threat identification and risk analysis and model those attacks that matter to the system's security; they describe the adversary's behaviour and its influence on the interaction. Given a suitable system specification, threat scenarios can be derived systematically from that specification. Security is defined as a particular relation between threat scenarios and systems. We show the usefulness of our approach by developing an authentic server component, analysing two simple authentication protocols along the way.
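The abstract's three ingredients (a system modelled as a function on interaction streams, a threat scenario describing the adversary's influence on that interaction, and security as a relation between the two) can be illustrated concretely. The following Python sketch is an added example written for this page; it is not the paper's Focus formalisation and does not reproduce its definitions. It assumes HMAC-SHA256 as the symmetric mechanism, a replay attacker as the only threat scenario, and a deliberately simple security relation: the server must never grant more sessions than the honest client actually ran. The key, identifiers and scenario are constructed values.

```python
"""Stream-style model of two authentication servers under a replay threat scenario (added example)."""
import hashlib
import hmac
import os

# Constructed values: a long-term key shared by the honest client and the server.
KEY = b"constructed-shared-key"
CLIENT_ID = b"client"


def mac(data: bytes) -> bytes:
    """HMAC-SHA256 stands in for an unspecified symmetric authentication mechanism."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def honest_client(challenge):
    """Honest client step: answer a challenge, or send MAC_K(id) when none was issued."""
    if challenge is None:
        return mac(CLIENT_ID)
    _, nonce = challenge
    return mac(nonce + CLIENT_ID)


# Each server is a state-transition function: (state, input event) -> (state, output event).
# Driving it over a sequence of inputs yields its output stream.
def one_pass_server(state, event):
    """Protocol A (one pass): the client sends MAC_K(id); any valid MAC is accepted."""
    kind, payload = event
    if kind == "start":
        return state, None                 # no challenge in the one-pass protocol
    ok = hmac.compare_digest(payload, mac(CLIENT_ID))
    return state, ("grant",) if ok else ("deny",)


def challenge_response_server(pending, event):
    """Protocol B (two pass): a fresh nonce is issued; the client returns MAC_K(nonce || id)."""
    kind, payload = event
    if kind == "start":
        nonce = os.urandom(16)             # fresh challenge per session
        return nonce, ("challenge", nonce)
    ok = pending is not None and hmac.compare_digest(payload, mac(pending + CLIENT_ID))
    return None, ("grant",) if ok else ("deny",)


def run(server, actions):
    """Drive one interaction: honest sessions interleaved with the adversary's actions."""
    state, outputs, observed, honest_runs = None, [], [], 0

    def send(event):
        nonlocal state
        state, out = server(state, event)
        if out is not None:
            outputs.append(out)
        return out

    for action in actions:
        if action[0] == "honest":
            challenge = send(("start", None))
            response = honest_client(challenge)
            observed.append(response)      # the adversary sees every message on the wire
            send(("resp", response))
            honest_runs += 1
        elif action[0] == "replay":
            send(("start", None))          # adversary opens its own session ...
            send(("resp", observed[action[1]]))   # ... and replays a recorded response
    return outputs, honest_runs


def grants(outputs):
    """Count the sessions the server accepted."""
    return sum(1 for out in outputs if out[0] == "grant")


def secure_under(server, scenario):
    """Security relation (simplified): no more grants than honest client runs."""
    outputs, honest_runs = run(server, scenario)
    return grants(outputs) <= honest_runs


# Constructed threat scenario: one honest session, then the adversary replays its response.
REPLAY_SCENARIO = [("honest",), ("replay", 0)]

if __name__ == "__main__":
    for name, server in [("one-pass", one_pass_server),
                         ("challenge-response", challenge_response_server)]:
        print(name, "secure under replay:", secure_under(server, REPLAY_SCENARIO))
```

Under the replay scenario the one-pass server grants twice for a single honest run and so fails the relation, while the challenge-response server rejects the stale MAC because the nonce no longer matches. Adding further adversary actions (reordering, message suppression) to the scenario list extends the attacker model without touching the server definitions, which is the separation of system and threat scenario the abstract describes.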


Security, Formal Methods, Threat Identification, Risk Analysis, Stream Processing Functions, Authentication Protocols





Copyright information

© Springer-Verlag Berlin Heidelberg 1996

Authors and Affiliations

  • Volkmar Lotz, Corporate Research and Development, Siemens AG, München
