
Automating the Assembly of Security Assurance Case Fragments

Part of the Lecture Notes in Computer Science book series (LNPSE, volume 12852)

Abstract

This paper presents an approach and tools for automatic generation of security assurance case fragments using patterns for arguing the security of cyber physical systems. The fragments are generated using augmented Goal Structuring Notation (GSN) and can succinctly convey a system’s resilience to cyber-threats specified in MITRE’s Common Attack Pattern Enumeration and Classification (CAPEC). The GSN schema has been augmented with additional metadata that can be used for visually tracing back to component-level CAPEC threats from higher-level cyber security claims, enabling designers to easily locate flaws in a model when one or more claims cannot be substantiated. An implementation of the approach as a part of the Verification Evidence and Resilient Design in Anticipation of Cybersecurity Threats (VERDICT) toolchain has also been demonstrated along with a case study of a package delivery drone.
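As an added illustration, not code from the paper or from the VERDICT toolchain, the Python below sketches one way a pattern-based GSN fragment of the kind the abstract describes can be assembled from per-component analysis results, and how metadata attached to each node lets an unsubstantiated top-level claim be traced back to the component-level CAPEC threats that caused it. The node schema, the node ids, the argument wording, the drone components, the mapping of CAPEC threats to NIST 800-53 controls and the analysis verdicts are all assumed or constructed for the example.

```python
# Added example (not the paper's or VERDICT's code): a minimal GSN-style
# assurance-case fragment generator with augmented metadata for tracing a
# failed security claim back to component-level CAPEC threats.
# Node ids, pattern wording, the component/threat/control mapping and the
# analysis results are all constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GsnNode:
    id: str
    kind: str                      # "Goal", "Strategy" or "Solution"
    text: str
    children: List[str] = field(default_factory=list)
    # Augmented metadata (assumed schema): the architecture component and
    # CAPEC threat a node argues about, and the NIST 800-53 controls the
    # evidence covers. Only Solution nodes carry an analysis verdict.
    component: Optional[str] = None
    capec: Optional[str] = None
    controls: List[str] = field(default_factory=list)
    supported: Optional[bool] = None


class AssuranceFragment:
    def __init__(self) -> None:
        self.nodes: Dict[str, GsnNode] = {}

    def add(self, node: GsnNode) -> GsnNode:
        self.nodes[node.id] = node
        return node

    def link(self, parent: str, child: str) -> None:
        self.nodes[parent].children.append(child)

    def substantiated(self, node_id: str) -> bool:
        """A Goal or Strategy holds iff every child holds; a Solution holds iff
        the analysis that produced it reported the controls as effective."""
        node = self.nodes[node_id]
        if node.kind == "Solution":
            return bool(node.supported)
        return bool(node.children) and all(self.substantiated(c) for c in node.children)

    def trace_unsupported(self, node_id: str) -> List[Tuple[str, str, str]]:
        """Walk from a claim down to the evidence leaves that fail and return
        (component, CAPEC id, controls) triples, i.e. where to look in the model."""
        node = self.nodes[node_id]
        if node.kind == "Solution":
            if node.supported:
                return []
            return [(node.component or "", node.capec or "", ",".join(node.controls))]
        found: List[Tuple[str, str, str]] = []
        for child in node.children:
            found.extend(self.trace_unsupported(child))
        return found

    def render(self, node_id: str = "G1", depth: int = 0) -> str:
        """Indented text view of the fragment, marking each node's status."""
        node = self.nodes[node_id]
        mark = "OK " if self.substantiated(node_id) else "!! "
        line = "  " * depth + f"{mark}{node.kind} {node.id}: {node.text}"
        return "\n".join([line] + [self.render(c, depth + 1) for c in node.children])


# Analysis input shape: component -> CAPEC id -> (controls claimed, effective?)
Analysis = Dict[str, Dict[str, Tuple[List[str], bool]]]


def assemble_fragment(system: str, analysis: Analysis) -> AssuranceFragment:
    """Instantiate the pattern: top goal -> strategy over components ->
    component goal -> strategy over threats -> threat goal -> solution."""
    frag = AssuranceFragment()
    frag.add(GsnNode("G1", "Goal", f"{system} is resilient to its identified CAPEC threats"))
    frag.add(GsnNode("S1", "Strategy", "Argue resilience for each component"))
    frag.link("G1", "S1")
    for ci, (comp, threats) in enumerate(analysis.items(), 1):
        g = frag.add(GsnNode(f"G1.{ci}", "Goal", f"{comp} is resilient to its CAPEC threats",
                             component=comp))
        frag.link("S1", g.id)
        s = frag.add(GsnNode(f"S1.{ci}", "Strategy", f"Argue over each CAPEC threat on {comp}",
                             component=comp))
        frag.link(g.id, s.id)
        for ti, (capec, (controls, effective)) in enumerate(threats.items(), 1):
            tg = frag.add(GsnNode(f"G1.{ci}.{ti}", "Goal", f"{capec} is mitigated on {comp}",
                                  component=comp, capec=capec))
            frag.link(s.id, tg.id)
            sol = frag.add(GsnNode(
                f"Sn1.{ci}.{ti}", "Solution",
                f"Controls {', '.join(controls)} on {comp}; analysis: {'pass' if effective else 'fail'}",
                component=comp, capec=capec, controls=list(controls), supported=effective))
            frag.link(tg.id, sol.id)
    return frag


# Constructed analysis result for a package-delivery drone (hypothetical):
# per component, the applicable CAPEC ids, the controls claimed, and whether
# the assumed architecture analysis found those controls effective.
DRONE_ANALYSIS: Analysis = {
    "GPS": {
        "CAPEC-148": (["SI-10"], True),
        "CAPEC-94": (["SC-8", "IA-3"], False),
    },
    "FlightController": {
        "CAPEC-125": (["SC-5"], True),
    },
}

if __name__ == "__main__":
    fragment = assemble_fragment("Delivery drone", DRONE_ANALYSIS)
    print(fragment.render())
    print("Unsubstantiated leaves:", fragment.trace_unsupported("G1"))
```

Running the module prints the fragment with each node marked substantiated or not; the top goal fails only because of the GPS / CAPEC-94 leaf, and `trace_unsupported("G1")` returns exactly that component, threat and control set, which is the trace-back the augmented metadata is meant to enable.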

Keywords

  • Security assurance cases
  • Assurance case patterns
  • GSN
  • Security analysis of system architecture
  • Attack-defense tree
  • MITRE’s CAPEC threats and NIST-800-53 controls


Notes

  1. For more details, visit https://github.com/ge-high-assurance/VERDICT.


Acknowledgement

Distribution Statement “A” (Approved for Public Release, Distribution Unlimited). This research was funded by the Defense Advanced Research Projects Agency (DARPA). The views, opinions and/or findings expressed are those of the authors and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

Author information

Corresponding author

Correspondence to Baoluo Meng.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Meng, B., Paul, S., Moitra, A., Siu, K., Durling, M. (2021). Automating the Assembly of Security Assurance Case Fragments. In: Habli, I., Sujan, M., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2021. Lecture Notes in Computer Science, vol 12852. Springer, Cham. https://doi.org/10.1007/978-3-030-83903-1_7


  • DOI: https://doi.org/10.1007/978-3-030-83903-1_7


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-83902-4

  • Online ISBN: 978-3-030-83903-1

  • eBook Packages: Computer Science, Computer Science (R0)