How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach (PowerPoint presentation)

SLIDE 1

Università degli Studi di Trento

How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach

  • L. Compagna, P. El Khoury – Security Research, SAP
  • F. Massacci, N. Zannone – Dept. Informatics and TLC, Univ. of Trento
  • R. Thomas – Dept. of Law, Univ. of Leuven

www.massacci.org www.tropos-project.org www.serenity-project.org

SLIDE 2

Outline

  • What is the Problem?

– Address Regulatory Compliance Demands
– Organizational Patterns

  • Which is the Solution?

– Graphical Requirements Engineering Methodology

  • Smart Items For Health Care

– An Example of a Pattern

  • Conclusion & Future Work
SLIDE 3

What’s the Problem?

  • Emerging trends in Security Engineering

– Security solutions can no longer be best effort
– Must show verifiable evidence with ….

  • Regulatory Compliance

– SOX/Basel II/EU Privacy Directive

  • Industry Compliance

– ISO 17799, ITIL Security Management..

  • Usage of SOA Mandatory

– WS-Security, WS-Trust, WS-Federations

  • Audit/Certification

– CC formal models, verification of the model

SLIDE 4

What’s the Solution?

  • Security & Privacy Patterns for Organisation

– Security patterns are security best practices presented in template format
– Validated by Experts
– Patterns can provide implementations

  • From rule of procedures to running code
  • Concept widely used in Software Patterns

– Large repositories are available
– Model-Based Transformation available for different languages

SLIDE 5

So what is the problem?

Ask a toad what beauty is, the to kalon? He will answer you that it is his toad wife with two great round eyes issuing from her little head, a wide, flat mouth, a yellow belly, a brown back. . . . Interrogate the devil; he will tell you that beauty is a pair of horns, four claws and a tail. Voltaire, Philosophical Dictionary (1764)

SLIDE 6

To Design a Security Pattern

  • Ask a lawyer

17(4)1 For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 17(1) shall be in writing or in another equivalent form.

  • Ask a computer engineer

<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <DigestValue>FLuQTa/LqDIZ5F2JSaMRHSRuaiQ=</DigestValue>
</SignedInfo>

  • Ask a formal methods expert

Fail_NonRepudiation(A,B,S) :- del_exec(A,B,S), not entrust_exec(A,B,S).
entrust_exec(A,B,S) :- trust(A,B,S).
entrust_exec(A,B,S) :- prove_fulfillment(A,B,S,TP).
prove_fulfillment(A,B,S,TP) :- provides(B,PoF), proof_of_fulfillment(PoF,S), entrust_exec(TP,B,PoF), entrust_exec(A,TP,PoF).

SLIDE 7

Lingua Franca…

  • Software Patterns work because they essentially are by toads only

– The difference between C++, Java, C#, Eiffel, Perl, Python etc. is negligible compared to the ones just made

  • Security Patterns need integration of different “languages”

  • Idea: a picture is worth a thousand words

– Provided you are able to get the picture from the words and the words back from the picture

SLIDE 8
Smart Items For Health Care

[Figure: message flow among Bob (smart T-shirt, e-health terminal), MERC, Charlie’s e-health terminal, Alison’s e-health terminal and the pharmacist’s computer: Faintness alert (1), Request (2), Send e-prescription (3), Request for medicine delivery (4), Request (5), Get medicine (6), Deliver the medicine (7)]

Steps:

2. Bob feels giddy and sends via his e-health terminal a request for assistance to MERC.
   Notes: this request is completed with Bob’s medical data, automatically retrieved by his e-health terminal by means of a query to his smart T-shirt.
3. MERC receives the request and, since Bob’s doctor is on vacation, redirects it to Charlie.
   Notes: the request would have been sent to Bob’s doctor, but he is on vacation and thus a doctor discovery process is activated. In the group of doctors able to substitute Bob’s doctor, Charlie is the first to answer.
4. Charlie analyses Bob’s medical data and history and sends to Bob an e-prescription.
   Notes: Charlie retrieves Bob’s medical data and history by using his e-health terminal to query ERC. The e-prescription is sent from Charlie’s e-health terminal to Bob’s e-health terminal.
5. Bob requests MERC for a medicine delivery.
   Notes: Bob feels weak and, instead of driving to the pharmacy to get the medicine, he prefers to be supported by the ERC for this task.
6. MERC selects Alison to execute this task and sends a message to her; she promptly acknowledges receiving it, and then receives back the data for accomplishing this activity.
   Notes: as the others, Alison is equipped with an e-health terminal that she uses to communicate with the other health actors. In the data she receives from ERC there’ll be, properly protected, the e-prescription done for Bob.
7. Alison goes to the pharmacy and, after a successful credentials exchange, she gets the medicine from the pharmacist.
   Notes: the credentials exchange is between Alison’s e-health terminal and the pharmacist’s computer. Besides the validity of the e-prescription, Alison’s authorization to get the medicine on behalf of Bob needs to be checked.
8. Alison delivers the medicine to Bob.
   Notes: this last step involves an exchange of electronic credentials between Bob and Alison. Their e-health terminals are used for this purpose.

SLIDE 9

Goal-Based Req. Engineering

  • Graphical Requirement Language SI*

– Agents, Roles, Relations among them
– Execution, Delegation of Permissions

  • Legal text

– (semi) automatic extraction of graphical model from Natural Language description

  • Logical Formulae

– Experts provide general axioms and property descriptions
– Instances added automatically from graphical model

  • Executable Business Process

– (Semi) automatic BPEL generation from graphical model

SLIDE 10

Pattern Design and Validation

[Figure: pattern design and validation workflow; labels recoverable from the slide:]

  • Lawyer describes patterns – Semantics Template, NL2SI* transformation, Graphical SI* Model (Graphical CAiSE Tool)
  • Security Engineer modifies patterns – Formal Logic Axioms and Rules, SI* Interpretation, Automated Reasoning Tool, Logical Result
  • Software Engineer refines patterns – BPEL Skeleton, BPEL Editing Tool

SLIDE 11

Non repudiation requirement presented in SI*

[SI* diagram labels: MERC, Request, Alison, e-health terminal, Delivery of medicine to Bob]

The Employer (MERC) shall have evidence that the Executor (Alison) cannot repudiate her commitment.

SLIDE 12

What is an organizative security pattern?

[Figure: a Security Pattern as a pair of SI* models – the Context, in which the Security Requirements are NOT fulfilled, and the Solution, in which they are fulfilled]

Context – Initial organizational structure (Security Requirements NOT fulfilled):

  • Agents
  • Resources
  • Tasks
  • Relations: delegation, trust…

Solution – Revised organizational structure (Security Requirements fulfilled):

  • Add/Remove Agents
  • Add/Remove Resources
  • Add/Remove Tasks
  • Add/Remove Relations

SLIDE 13

Non repudiation pattern

[Figure: two SI* diagrams – Non repudiation pattern [Context and Requirement] and Non repudiation pattern [Context, Requirement and Solution]]

Context: The Employer requests the achievement of a commitment and delegates its execution to the Executor.

Requirement: the former has no warranties that the latter takes the responsibility of achieving the commitment.

Solution: The Employer refines the commitment into two sub parts:

  • 3. Check the evidence about responsibilities taken by the Executor.
  • 4. Represents the actual desire of fulfilling the commitment.
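The non-repudiation rules from slide 6 and the pattern above, as an added example that is not part of the presentation or of the SERENITY tooling: a small Python fixpoint evaluator for the four rules (Fail_NonRepudiation, entrust_exec, prove_fulfillment), run on a constructed version of the MERC/Alison medicine-delivery delegation from slide 8 before and after the pattern is applied. The evidence resource `signed_delivery_receipt`, the choice of Bob as the trusted third party, and the helper names (`OrgModel`, `apply_non_repudiation_pattern`, `scenario_before`, `scenario_after`) are assumptions of the example, not notation from the slides.

```python
# Added example (not from the slides): fixpoint evaluation of the slide 6 rules.
from dataclasses import dataclass, field
from typing import Set, Tuple

Triple = Tuple[str, str, str]
Pair = Tuple[str, str]


@dataclass
class OrgModel:
    """Extensional facts of an SI*-style organizational model (constructed helper)."""
    del_exec: Set[Triple] = field(default_factory=set)             # del_exec(A,B,S): A delegates execution of S to B
    trust: Set[Triple] = field(default_factory=set)                # trust(A,B,S)
    provides: Set[Pair] = field(default_factory=set)               # provides(B,PoF)
    proof_of_fulfillment: Set[Pair] = field(default_factory=set)   # proof_of_fulfillment(PoF,S)


def entrust_exec(model: OrgModel) -> Set[Triple]:
    """Least fixpoint of entrust_exec/3 under the slide 6 rules:
         entrust_exec(A,B,S) :- trust(A,B,S).
         entrust_exec(A,B,S) :- prove_fulfillment(A,B,S,TP).
         prove_fulfillment(A,B,S,TP) :- provides(B,PoF), proof_of_fulfillment(PoF,S),
                                        entrust_exec(TP,B,PoF), entrust_exec(A,TP,PoF).
    """
    derived: Set[Triple] = set(model.trust)          # rule 1: every trust fact is an entrust_exec fact
    changed = True
    while changed:                                    # naive iteration until no new fact appears
        changed = False
        for (b, pof) in model.provides:
            for (pof2, s) in model.proof_of_fulfillment:
                if pof2 != pof:
                    continue
                # every third party TP that entrusts B with producing the evidence ...
                for (tp, b2, x) in list(derived):
                    if b2 != b or x != pof:
                        continue
                    # ... and every A that entrusts TP with that same evidence
                    for (a, tp2, y) in list(derived):
                        if tp2 != tp or y != pof:
                            continue
                        if (a, b, s) not in derived:  # rule 2 via prove_fulfillment
                            derived.add((a, b, s))
                            changed = True
    return derived


def fail_non_repudiation(model: OrgModel) -> Set[Triple]:
    """Fail_NonRepudiation(A,B,S) :- del_exec(A,B,S), not entrust_exec(A,B,S).
    The negation is stratified: entrust_exec is computed to its fixpoint first."""
    entrusted = entrust_exec(model)
    return {d for d in model.del_exec if d not in entrusted}


def apply_non_repudiation_pattern(model: OrgModel, employer: str, executor: str,
                                  service: str, third_party: str, evidence: str) -> OrgModel:
    """The slide 13 solution as a slide 12 model transformation: add an evidence
    resource the Executor must produce, plus the trust relations that let the
    Employer check that evidence through a third party. Returns a revised copy."""
    revised = OrgModel(set(model.del_exec), set(model.trust),
                       set(model.provides), set(model.proof_of_fulfillment))
    revised.provides.add((executor, evidence))             # Executor produces the evidence
    revised.proof_of_fulfillment.add((evidence, service))  # the evidence proves the service
    revised.trust.add((third_party, executor, evidence))   # TP entrusts Executor with it
    revised.trust.add((employer, third_party, evidence))   # Employer entrusts TP with it
    return revised


def scenario_before() -> OrgModel:
    """Constructed slide 8 context: MERC delegates the delivery to Alison, no trust."""
    return OrgModel(del_exec={("MERC", "Alison", "deliver_medicine")})


def scenario_after() -> OrgModel:
    """Same context after the pattern; Bob (the recipient) acts as third party (assumption)."""
    return apply_non_repudiation_pattern(scenario_before(), "MERC", "Alison",
                                         "deliver_medicine", "Bob", "signed_delivery_receipt")


if __name__ == "__main__":
    print("before:", fail_non_repudiation(scenario_before()))
    print("after: ", fail_non_repudiation(scenario_after()))
```

Before the pattern the reasoner reports `Fail_NonRepudiation(MERC, Alison, deliver_medicine)`; after it the failure set is empty because `entrust_exec(MERC, Alison, deliver_medicine)` is derived through the receipt. Dropping either trust leg (for example Bob no longer entrusting Alison with the receipt) brings the failure back, which is exactly the "only detects failed properties" limitation mentioned on the conclusion slide: the reasoner says the property fails, not which relation is missing.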

SLIDE 14

Conclusion & Future Work

  • System designers are usually neither security nor legal experts

– Graphical RE notation is a useful common ground

  • Idea: a picture is worth a thousand words

– Provided you are able to get the picture from the words and the words back from the picture

  • Future Work

– Improving model construction from NL
– Reasoning capability only detects failed properties; it should also suggest what is missing to satisfy them
– Apply to other domains

  • Ack

– Supported by the EU through the EU-IST-IP SERENITY