Security DSL
Toward model-based security engineering: developing a security analysis DSML
Véronique Normand, Edith Félix, Thales Research & Technology
2009 - E. Félix


Page 1: Title slide (see the title block above)

Page 2: Agenda

- Security DSML overview
- Introduction
- Context and rationale
- The prototype security DSML
- Status and perspectives

Page 3: Security DSML overview

Context: critical information system engineering in an industrial environment.

A new method to support security risk analysis, based upon model-based engineering techniques: a security Domain Specific Modelling Language (DSML).

The security DSML supports:
- analysis and assessment of the security risks of a system
- specification of security requirements

Technology Readiness Level: prototype.

Page 4: Introduction

Critical system engineering involves multiple teams: capture, articulation, trade-off and reconciliation between multiple viewpoints over a system architectural design.

System security engineering as a viewpoint: enhancement of traditional security risk analysis methodologies with modelling techniques that allow leveraging detailed knowledge of the targeted system, in close integration with the mainstream system engineering process, and developing fine-grained analyses of the actual risks at stake.

Page 5: Context and rationale

Stake of risk mitigation: find the right trade-off between risk coverage and costs.

State of the art: traditional security risk analysis methods (EBIOS, Mehari, Octave, etc.) are based on tables, i.e. they lose the fine-grained view of the architecture.

[Diagram: critical systems security engineering methodology, with parts marked as within the scope of the current Security DSL and parts marked as out of its scope]

Page 6: Enhancing system security methods

[Diagram labels: System design models (several system definition viewpoints); Security analysis model; Real world; System definition; Security & risks analysis; Governance]

Advantages:
- toward a close integration of security analysis and system model
- provides a management view
- manages finer-grain analyses

Page 7: Objectives of the enhancement

Objective 1: to optimize the qualification of the risks, the specification of security requirements and the related security costs.

Objective 2: to optimize the quality and the productivity of security engineering by capitalizing on data from one study to the next, and by proceeding to automatic calculation and consistency checking.

Objective 3: to optimize the quality and the productivity of security engineering by sharing common models of the system between system design and security analysis, and thus by working on synchronized and consistent models of the system throughout the design process.

Page 8: Overall process and actors of secure system engineering (before models)

[Diagram labels: processes: strategic & business analysis process, system engineering process, security analysis process, system security design process; actors: end user / customer / executive, system architect, security analyst, security architect; artefacts: business needs, system architecture, system models, risk analysis, security requirements, security design, reference security typologies]

Page 9: Overall process and actors of secure system engineering (target)

[Diagram labels: same processes and actors as on page 8; model artefacts: business need model, system architecture model, risk analysis and security requirements model, reference security libraries]

[Comment, Véronique Normand: business model too, eventually]
Page 10: Model-driven architecting environment

[Diagram labels: spaces: strategic space, business space, system space, technical space; activities: business process analysis & design, SoS architectural analysis and design, SoS architectural technical design; cross-cutting engineering: time performance engineering, management engineering, security engineering; models: business motivation models, capability plan & drivers; computation independent models of the business operational need; technology independent models of the overall solution architecture; technology-specific models of the IT integration solution]

Domain Specific Language: a typically small language, designed for a particular domain
- higher degree of closeness to specific domain concepts
- abstracts away from technology / implementation details
- complexity encapsulation
- domain experts are able to understand, validate and develop DSL programs to model their specific domain problems
- increases the productivity of domain engineers

[Comment, theresisimg: Can we call this the Thales MDE framework?]
[Comment, theresisimg: change the "business process" arrow to simply "BUSINESS" (because it includes objectives, goals, contracts, etc.)]
Page 11: Security DSL task: interactions & workflow

Page 12: Security DSL: problem statement

GOAL: rapidly prototype a DSL that supports finer-grain, more formal security analyses exploiting formalized system architecture descriptions.

Page 13: The risk-related meta-model

Page 14: Linking architecture to the risk analysis meta-model

Page 15: Resulting Security DSL tool

Page 16: Comparison to existing work

The research community focuses on attack scenarios, vulnerability cause graphs, use and misuse cases, and attack trees: complementary to our work.

CORAS, which supports brainstorming sessions between security analysis stakeholders, does not investigate the integration of the security risk analysis process with the system engineering process.

Page 17: Current status

A first iteration of work, in the context of a longer-term research effort that aims at developing an enhanced model-based method for the security engineering of critical information systems.

Proof-of-concept prototype: the focus is on scoping and capturing a relevant meta-model rather than on developing high-quality diagrammatic notations and tooling -> ergonomics and usability remain to be enhanced.

Page 18: Perspectives

Enhancing the security analysis DSML in several areas:
- refinement of the stakes / needs / damages model for a more precise computation of risk severity, including automated computation formulas and consistency checking rules
- integration of the DSML with our system modelling framework: support for multi-disciplinary engineering and heterogeneous modelling viewpoint integration
- complementing our risk analysis DSML with modelling and tools supporting security solution design and verification, thus extending our scope to fully address our model-based security engineering target
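As an added illustration of Objective 2 (page 7) and of the automated computation and consistency checking announced above, and not code from the deck or from the Thales prototype (whose meta-model is not reproduced in this transcript): a minimal Python sketch in which an architecture model (components hosting assets) is joined to a risk model (assets with security needs, threats targeting components). The severity formula (likelihood x security need for the threatened criterion) and the three consistency rules are assumptions made for this example, and the sample model is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Component:              # element of the system architecture model
    name: str
    hosts: list = field(default_factory=list)   # names of assets deployed on it

@dataclass
class Asset:                  # element of the risk model; needs per criterion "C"/"I"/"A", 0..4
    name: str
    needs: dict

@dataclass
class Threat:                 # a threat on one criterion, applying to some components
    name: str
    criterion: str
    likelihood: int           # assumed scale 1..4
    targets: list             # component names

def risks(components, assets, threats):
    """Join threats to assets through the architecture; severity = likelihood x need (assumed formula)."""
    by_name = {a.name: a for a in assets}
    out = []
    for t in threats:
        for c in (c for c in components if c.name in t.targets):
            for a in (by_name[h] for h in c.hosts if h in by_name):
                out.append((t.name, c.name, a.name, t.likelihood * a.needs.get(t.criterion, 0)))
    return sorted(out, key=lambda r: -r[3])     # most severe first

def check_consistency(components, assets, threats):
    """Assumed rules: every asset is hosted, every hosted asset is known, every threat target exists."""
    issues = []
    hosted = {h for c in components for h in c.hosts}
    known = {a.name for a in assets}
    comp_names = {c.name for c in components}
    issues += [f"asset {a} is not hosted on any component" for a in sorted(known - hosted)]
    issues += [f"unknown asset {h} is hosted on a component" for h in sorted(hosted - known)]
    issues += [f"threat {t.name} targets unknown component {x}"
               for t in threats for x in t.targets if x not in comp_names]
    return issues

# constructed sample model (not taken from the deck)
COMPONENTS = [Component("db-server", ["patient-records"]),
              Component("web-front", ["session-tokens"])]
ASSETS = [Asset("patient-records", {"C": 4, "I": 3, "A": 2}),
          Asset("session-tokens", {"C": 3, "I": 2, "A": 1}),
          Asset("audit-log", {"I": 4})]                        # deliberately not hosted anywhere
THREATS = [Threat("disclosure via compromised host", "C", 2, ["db-server"]),
           Threat("denial of service", "A", 3, ["web-front", "lb"])]   # "lb" deliberately undefined
```

Calling risks(COMPONENTS, ASSETS, THREATS) ranks the disclosure risk on patient-records (severity 8) above the availability risk on session-tokens (severity 3), and check_consistency(COMPONENTS, ASSETS, THREATS) flags the unhosted audit-log asset and the undefined "lb" target, which is the kind of cross-model check a table-based method cannot perform.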